Cyber Security Alerts: Recent Breaches and EDR Software Vulnerabilities

Apr 02, 2025 · 14 min

Episode description

 

In this episode of Cyber Security Today, host Jim Love covers several major cybersecurity incidents and vulnerabilities. Key stories include the compromise of Windows Defender and other Endpoint Detection and Response (EDR) systems, a data breach on X (formerly known as Twitter) exposing over 200 million user records, and a security flaw in several UK-based dating apps that led to the exposure of approximately 1.5 million private images. The discussion highlights how attackers are increasingly using legitimate software tools to bypass security measures, the implications of these breaches for users, and offers practical tips for maintaining robust cybersecurity.

00:00 Introduction to Today's Cyber Security News
00:29 Compromised Endpoint Detection and Response Systems
01:06 Bypassing Windows Defender: Methods and Implications
02:52 Ransomware Tactics and Legitimate Tool Exploits
04:20 Time Traveling Attacks and EDR Limitations
06:33 Massive Data Breach on X (Twitter)
08:30 UK Dating Apps Expose Private Images
10:47 Fraud Alerts and Scams
13:25 Conclusion and Final Thoughts

Transcript

Windows Defender and other endpoint detection and response software is compromised. X, or Twitter, has a hack that exposes over 200 million records. A UK-based dating site is hacked, revealing, well, a lot. And a couple of fraud alerts and tips from our listeners. This is Cybersecurity Today. I'm your host, Jim Love. I put this together from three or more stories that I've seen over the past few days.

They all have a similar theme. One of the mainstays of protection against cyber attacks is endpoint detection and response, or EDR, systems. These systems are crucial for detecting and mitigating malicious activities on the endpoint. For many home office workers, these might be the only defense that they have. Indeed, these users might think that if they have this software installed and it's automatically updated, well, what could go wrong?

A lot, apparently. Recent reports have highlighted several innovative methods employed by attackers to bypass these security measures, posing significant challenges for organizations and individuals. Windows Defender is one of the more popular EDR tools, and it has a reasonably good reputation for restricting application execution to trusted software packages. But recently, an article in Forbes confirmed that there's a way to bypass Windows Defender, and it may be being used.

Attackers use a variant of what's been termed living off the land binaries, which has an acronym that just rolls off your tongue: LOLBins, which causes many to shorten it to LOL, but it's not funny, not in the slightest. What it means is finding a way to hide an attack in legitimate software and processes, to give a high-level and simplistic summary. One current attack that Microsoft has acknowledged has the attackers using a trusted binary like MSBuild.exe.

It's a standard pre-installed tool for compiling and linking code. Then they would side-load a trusted application from an untrusted library, and by modifying the malicious code to appear benign or by fragmenting the payloads to avoid signature detection, the cyber criminals can bypass the analysis and heuristic detection mechanisms that drive Windows Defender. The net effect is Windows Defender doesn't see this as malware.

And the hackers are free to execute on targeted systems without triggering alerts, compromising the system integrity and the data security. The bottom line is that the user may think they're safe, but they're not. This has been recently reported, and Microsoft has established that there are bypasses for Windows Defender, but it's not new, and nor is it restricted to attacks merely on Windows Defender.

Ransomware groups have increasingly been adopting tactics exploiting legitimate but vulnerable drivers, often within the Windows operating system, to disable EDR solutions. By leveraging these drivers, attackers are gaining kernel-level access, allowing them to terminate security processes and then operate undetected. They're using tools such as EDRSilencer, EDRSandBlast, and Terminator, and these all make use of legitimate functions and tools.

So their activity may not be seen as a threat, and they may fool the endpoint defenses and then facilitate malicious activities like data exfiltration or ransomware deployment. One of these tools, EDRKillShifter, was first seen deployed by RansomHub in August 2024. It too exploits legitimate but vulnerable drivers on Windows machines to terminate the EDR products.

But even fully legitimate tools can be compromised and used. HRSword is part of a security software suite developed by China-based Huorong Network Technology. It's designed to monitor system activity, and it has been used in ransomware attacks. As one expert noted, it's a legitimate commercial tool, but now threat actors are co-opting it for their own purposes.

But there are other ways used to get past EDR and other security measures, and there was another story on one of these today that I was watching, again in Forbes. One of these involves what's been called time traveling: using valid but expired security certificates and manipulating the system clock. By altering the system time, attackers make expired security certificates appear valid, and they evade the detection mechanisms. Now, does this mean that EDR isn't a valid defense? Of course not.

The problem arises when we treat it as the only line of defense or, and this is also important, when it's not configured correctly. EDR, unfortunately, is not a set-it-and-forget-it defense. Ensuring automated updates is critically important. Companies like Microsoft pay big bounties for people who can crack their EDR software, and they'll get patches out as quickly as possible. But some of the patches won't only be in the EDR software.

You may need to keep all of your software up to date and ensure that your users only load software from legitimate sources. I know we go on about this, but this is important: if you're gonna go to places, even legitimate places like GitHub, you need to make sure you really know what you're doing. And of course, never ever load software that doesn't come from a legitimate vendor, or where you're not certain or haven't carefully researched the source.

That's the usual wisdom that we try to follow and impart to our user community. But in a world where EDR can be fooled, you also have to continuously monitor the configuration to ensure not only that it was done properly at the start, but also that nothing has changed or bypassed it. A favorite trick of hackers is to set the EDR to monitor and alert, but not prevent. So the user gets an alarm, but the attack's not really blocked.

And of course, as much as people might hate us, those of you in corporate roles have to fight like mad to enforce these rules. But also, depending on your budgets and resources, you may wanna start looking at monitoring tools and security solutions that focus on detecting anomalous behavior rather than relying solely on signature-based detection.

Recent reports indicate a significant data breach involving X, formerly known as Twitter, potentially affecting up to 200 million user profiles.

Just this weekend, a team at Safety Detectives found a post on a hacking message board, Breach Forums, that came from a poster with the handle ThinkingOne, and this follows on other reports that close to 3 billion affected profiles were leaked earlier this year. But the reality on that one is that the estimates of how many people actually use X or Twitter range between 300 and 600 million.

So if that large amount is reported, chances are that they've got a lot of bots in there, or that it's an exaggeration. But the post they found on the weekend, whether it's related to this earlier rumored breach or not, did include a 34 gigabyte CSV file. And that file contained more than 200 million entries of data reportedly belonging to X users. The origin of the breach remains uncertain. Some sources suggest it might be this original big hack that occurred earlier, which some said was the result of an insider threat: a disgruntled employee purportedly exfiltrating the data during the mass layoffs following Elon Musk's acquisition of the company in 2022.

But whatever the source, this breach data reportedly involves a vast number of user profiles and contains a lot of metadata. It doesn't have email addresses, but according to one expert, this data could be used in conjunction with an earlier data breach, which might be able to match up this data with emails, and that would make this a huge source for phishing attacks. At the time we recorded, X had still not officially acknowledged the breach.

A little transparency would be welcome from the proponents of free speech, but apparently we'll just have to wait at this point. All we can say is that users are advised to remain vigilant by monitoring their accounts for unusual activity and updating their security settings as a precautionary measure. Another significant data breach has exposed approximately 1.5 million private images from several dating apps catering to, let's just say, open-minded people.

The affected applications, BDSM People, Chica, Translove, Pink, and Brish, are all developed by UK-based M.A.D. Mobile Apps Developers Limited. Due to a coding flaw, these apps stored user images in Google Cloud Storage buckets without password protection, leaving sensitive content publicly accessible. BDSM People, a.k.a. Kinky Fetish Dating, leaked over 541,000 private images, including 90,000 from direct messages.

Chica, which describes itself as selective dating, exposed approximately 133,000 photos, some again from private chats. Translove, Pink, and Brish collectively leaked over 1.1 million images, encompassing profile photos, private messages, and images. The breach was discovered by cybersecurity researchers who found the apps' developers had left sensitive data, including the API keys and database details, exposed within the application code.

This oversight allowed unauthorized access to user-uploaded images, profile photos, and of course private messages. Users of these apps now face increased risks of extortion, identity theft, and some social engineering attacks. Cybersecurity experts warned that malicious actors could exploit this data, especially targeting public figures or individuals in vulnerable situations.

M.A.D. Mobile Apps Developers Limited acknowledges the security flaws, stating the vulnerabilities have been addressed, and assures users that their data's now secure. They emphasized that the issue was identified through a controlled experiment by cybersecurity researchers, with no evidence of malicious exploitation. So at this point, we don't know a lot about the leaked data, but it is sensitive, and it's an important subject.

When people put intensely personal information on any site, they have to presume those sites could be hacked. And a couple of fraud alerts that came from our listeners. Both of these come from Canada, but I'm betting they have parallels in the US and elsewhere. Telephone scammers have been trying to steal credit card and other personal information from Canadians by claiming they're winners of one of the country's biggest and most recognizable charity lotteries.

The scammers call people claiming they're second-place winners of a Dodge Ram truck in the Princess Margaret Hospital lottery. A potential target told me that the scammer who called them asked if they'd be home the next day. When the would-be victim asked questions about this, the caller simply hung up. Probably what they were looking for was the person's credit card number or some other information that they could use. How do we know this?

Well, according to a news report last summer, that's what the scammer was after when this scam was tried in Stratford, Ontario: before the scammer hung up, they said they'd come by the next day and the victim should have their credit card ready.

All our listeners will know that if someone phones you claiming to be from a lottery, the police, or a government department, even if they know your home address, you don't give out personal information, especially a credit card number. But other information could be just as dangerous. And there's a parallel note to this, especially for Canadians. During the election, there's been an explosion of fraudulent news pages on Facebook.

In one example, the page was set up to look like a news page from the website of the CBC, Canada's national broadcaster, and it looks stunningly authentic. And while these are prevalent in this Canadian election, we've seen similar spoofs on both Facebook and Microsoft's Edge browser, although the ones on Edge were primarily investment-related scams. But they all follow the same line of attack. They look like an authentic news article.

They feature some well-known individual and they claim that there's a secret that's been revealed, or they want you to call them for a poll, or they feature crypto type investments. The bottom line is they want you to contact them and give them some information.

Now, in the case of Canada, due to another argument between our government and Meta, we aren't allowed to share any news stories. But apparently Facebook can block those news stories, yet it's happy to take money from fraudsters who are putting in fake news stories that can trap individuals and exploit them. It's yet another thing to put into your training information programs, and it's yet another thing to put on the Facebook wall of shame.

Where there's money involved, there really is something called fake news. And that's our show. It took me longer than usual to write today's show. I kept thinking I had to watch out for April Fool's stories, and I must confess, I almost got fooled by one of them, but I dug around a little more than usual today. Thank God we'll be back to normal tomorrow, although normal is "you can't make this stuff up." I'm your host, Jim Love. Thanks for listening.
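The episode's advice that EDR must be kept updated and checked to be sure it is actually blocking rather than only alerting can be turned into a routine host check. The script below is an added example, not code from the episode, from Jim Love, or from Microsoft. It uses the built-in Microsoft Defender Antivirus cmdlets Get-MpComputerStatus and Get-MpPreference and flags settings that are disabled, audit-only, or stale. It assumes a Windows 10/11 or Windows Server host with Defender installed and an elevated PowerShell session; the three-day signature-age threshold and the script name are assumptions chosen for illustration.

```powershell
# Added example (not from the episode): audit a Defender endpoint for the
# "alert but don't block" posture and stale updates discussed in the show.
# Assumes Windows 10/11 or Server with Microsoft Defender Antivirus and an
# elevated session. Suggested file name (assumed): Audit-DefenderPosture.ps1

$findings = New-Object System.Collections.Generic.List[string]

$status = Get-MpComputerStatus   # live engine state
$pref   = Get-MpPreference       # configured policy values

# 1. Core engines must actually be running, not merely installed.
if (-not $status.AntivirusEnabled)          { $findings.Add("Antivirus engine disabled") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection off") }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add("Behavior monitoring off") }
if ($pref.DisableIOAVProtection)            { $findings.Add("Download/attachment (IOAV) scanning disabled") }
if ($pref.DisableScriptScanning)            { $findings.Add("Script scanning disabled") }

# 2. Tamper protection stops local scripts and malware from silently changing the above.
if (-not $status.IsTamperProtected)         { $findings.Add("Tamper protection off") }

# 3. Signature freshness: "automatic updates" only helps if they are actually arriving.
$maxSignatureAgeDays = 3   # assumed threshold for this example
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old")
}

# 4. Cloud-delivered protection (MAPS): 0 = disabled, 1 = basic, 2 = advanced.
if ($pref.MAPSReporting -eq 0)              { $findings.Add("Cloud-delivered protection (MAPS) off") }

# 5. Attack Surface Reduction rules: 1 = Block; 0 = Disabled, 2 = Audit, 6 = Warn.
#    Audit mode is exactly the "alarm but no block" configuration the episode warns about.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) { $findings.Add("No ASR rules configured") }
for ($i = 0; $i -lt $ids.Count; $i++) {
    switch ([int]$actions[$i]) {
        0 { $findings.Add("ASR rule $($ids[$i]) is Disabled") }
        2 { $findings.Add("ASR rule $($ids[$i]) is Audit-only (alerts, does not block)") }
        6 { $findings.Add("ASR rule $($ids[$i]) is Warn (user can override)") }
    }
}

# 6. Network protection and controlled folder access also have audit modes (2 = Audit).
if ($pref.EnableNetworkProtection -ne 1) {
    $findings.Add("Network protection not in Block mode (value $($pref.EnableNetworkProtection))")
}
if ($pref.EnableControlledFolderAccess -eq 2) {
    $findings.Add("Controlled folder access is Audit-only")
}

# 7. Exclusions deserve review: an excluded path or process is a blind spot for
#    exactly the trusted-binary tricks described in the episode.
foreach ($p in @($pref.ExclusionPath))    { if ($p) { $findings.Add("Review path exclusion: $p") } }
foreach ($p in @($pref.ExclusionProcess)) { if ($p) { $findings.Add("Review process exclusion: $p") } }

if ($findings.Count -eq 0) {
    Write-Output "OK: Defender is enforcing (block mode), tamper-protected, and current."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1   # non-zero so a scheduler or RMM job can raise it
}
```

Run it from a scheduled task or your management tooling and treat any FINDING line as a change-control event: the interesting question is not only whether the settings are wrong today, but who changed them and when, which is why pairing this check with tamper protection and a central log of Defender configuration events matters more than the script itself.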

Transcript source: provided by the creator in the RSS feed.