PSW #769 – Kate Stewart

Paul Asadoorian

1. Exclusive: Russian hackers targeted U.S. nuclear scientists

   " A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. An ANL spokesperson referred questions to the U.S. Department of Energy, which declined to comment." and "The U.S. National Security Agency (NSA) declined to comment on Cold River's activities. Britain's Global Communications Headquarters (GCHQ), its NSA equivalent, did not comment. The foreign office declined to comment." - So, no comment then? Also, several security researchers from several security firms implicate Andrey Korinets as one of the main figures behind Cold River. I also find it interesting that Andrey Korinets states he was fined for hacking years ago and now most likely helps operate one of Russia's most forward-leaning cyber operations.

2. Amazon S3 Encrypts New Objects By Default

3. U.S. targets non-compete clauses that block workers from better jobs – BONUS

   If we have time we'll discuss this one, it could impact many of us working in cybersecurity today.

4. Breaking RSA with a Quantum Computer – Schneier on Security

   The TL;DR: Don't worry about this yet. Look, like many, the math is way over my head. Keep in mind while you read through these materials that they reference two papers and associated work that could be used to break RSA: Shor and Schnoor. You will also see QAOA (A Quantum Approximate Optimization Algorithm) referenced as well. This quantum computing algorithm has not yielded faster results, according to experts in this field (again, you can read about that aspect in the materials below). If you like to read about crypto, and you are FAR from an expert like myself, the article below are pretty neat (though the papers are just there for reference, and for the smaller population of people who can understand them).

   Other references:

   • Will quantum computers break RSA encryption in 2023? - "Thus, it looks like even if you implement this hybrid algorithm on a classical + quantum system, it will take as long to guess RSA keys as with a regular computer."
   • What The Heck Is Schnorr - This was a great article to read and get caught up on some basics: "Here in this piece we will explore the idea of digital signatures in-depth, look inside both ECDSA and Schnorr, and judge on our own the special merit of adopting Schnorr signatures."
   • Factoring integers with sublinear resources on a superconducting quantum processor - This is the recently published research paper being referenced.
   • Cargo Cult Quantum Factoring - Scott Aaronson, Schlumberger Centennial Chair of Computer Science at The University of Texas at Austin, and director of its Quantum Information Center, says: "For those who don’t care to read further, here is my 3-word review: No. Just No."
   • Fast Factoring Integers by SVP Algorithms, corrected - This is Schnorr's paper that claims: "This destroys the RSA cryptosystem."
   • Algorithms for quantum computation: discrete logarithms and factoring - This is the paper that represents "Shor's algorithm" that Schnier mention in his article and states: "We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today."
   • Has RSA been destroyed by a quantum computer??? - The Security. Cryptography. Whatever. episode that talks about this was very good, and hosted Deirdre Connolly, Thomas Ptacek, and David Adrian .
5. HTML Smuggling Detection

6. Compliance Does Not Equal Cybersecurity

7. Can You Trust Your VSCode Extensions?

8. AmsiBypassHookManagedAPI

9. Red Team Tips January 1st 2023 (New AMSI Bypass)

10. Exploit Party: Bring Your Own Vulnerable Driver Attacks

    " A driver can access and modify critical security structures. These modifications can lead to attacks such as Privilege Escalation, Arbitrary Read-Write and disabling of security services responsible for the protection of the Operating System." - This is the heart of the issue, and this article serves as a really good primer to lay the foundation to understand kernel drivers and how they are used to attack systems. The authors mentioned some great examples, that for all intents and purposes, represent post-exploitation techniques using drivers:

    • Dellicious - "Dellicious is a tool for enabling/disabling LSA protection on arbitrary processes via a vulnerability in Dell's DBUtilDrv2.sys driver (version 2.5 or 2.7). If provided the driver, Dellicious installs it, exploits it, and then removes it. That obviously requires administrator access, but that's fairly normal for LSA Protect bypass techniques."
    • evil-mhyprot-cli - "A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process." It contains features such as the ability to "Read/Write any kernel memory with privilege of kernel from usermode"
    • Kernel Cactus - An entire project, including extensive documentation that wil "Unlike the other repositories mentioned, we have taken the ability to read and write kernel memory to the next level, creating helper functions to “navigate” the kernel from the user mode". Also, make sure you check out the custom memes in the documentation, they are next level man!
11. Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware

12. Disclosing a New Vulnerability in JWT Secret Poisoning (CVE-2022-23529)

13. udon – Domain Discovery Tool

    "A simple tool that helps to find domains based on the Google Analytics ID." - I did not get a chance to test this, but seemed like an obvious thing to include in attack surface detection.

14. Fast and customisable vulnerability scanner based on simple YAML

    "Nuclei offers great number of features that are helpful for security engineers to customise workflow in their organisation. With the varieties of scan capabilities (like DNS, HTTP, TCP), security engineers can easily create their suite of custom checks with Nuclei." - This is a really neat tool! I started testing it this week, I think it can really help automate some basic discovery and scanning tasks.

15. Chip Vulnerabilities Impacting Microsoft, Lenovo, and Samsung Devices

    So many interesting aspects to this story, including UEFI exploitation on ARM via DXE drivers, many different chips used in many different applications are impacted, Microsoft and Lenovo used affected chips (supply chain), and more!

16. mjg59

    Abusing the setup variable: "If you use UEFITool to search for "Setup" there's a good chance you'll be able to find the component that implements the setup UI. Running IFRExtractor-RS against it will then pull out any IFR data it finds, and decompile that into something resembling the original VFR. And now you have the list of variables and offsets and the configuration associated with them, even if your firmware has chosen to hide those options from you." Yuriy, Alex (The two founders at Eclypsium) and Andrew Furtak talked about abusing variables to bypass Secure Boot in 2013. The high level: NVRAM is a sub-region of the BIOS region on the SPI flash. Users are allowed to write to certain variables in NVRAM to change settings, e.g. if you need to re-write your Secure Boot keys (PK, KEK, DB, and DBX). There are a few different permissions and controls that prevent "bad things", but vendors make mistakes in the implementation (still, even today, as you will see in my upcoming Shmoocon talk).

17. Fun and Games with Intel AMT

    This is an interesting look at post-exploitation techniques on Intel AMT that Mr. Starke has dubbed "Admin vs. Admin". The ability to upload arbitrary files to AMT, and have them be accessible to all has wide-reaching potential for attacks, especially given the privileged nature of AMT and the fact that it still runs even if the system is powered off (but still plugged into a power source).

Doug White

1. Live updates: Flights resume after FAA outage causes mass delays

2. PC sales slump to pre-pandemic volumes in Q4

Jeff Man

1. Is mandatory password expiration helping or hurting your password security?

   I've been on a rant about passwords since the LastPass incident reported over the holiday break. I think this is a fair question to ask, but I don't agree with the rationale presented here, at least in the sense that I think there are better arguments to be made.

   I'm also noticing lately that most of the articles I read about why this or that security practice doesn't work, or better, the old compliance /= security argument comes from vendors that are directly/indirectly steering the reader towards their "solution". I find this disingenuous at best and snake oil sales at worst.

   Oh, and what they say about PCI DSS v4.0 simply isn't true.

2. Chinese researchers’ claimed quantum encryption crack looks unlikely

   Way over my head, but there has been a fairly lively discussion on the NSA-IA alumni mailing list about this article - all the math weenies that is. Apparently there is such a thing as "smooth numbers".

3. All About eSkimming Attacks

   Good overview of how websites/eCommerce sites are targeted by the bad guys (and yes, this relates to PCI).

4. The 12 biggest data breach fines, penalties, and settlements so far

   Paul's story #6 (about compliance /= security) mentions that there have been $1B fines levied against companies because of a breach. I had to look it up, and here you have it.

5. Retail & Hospitality ISAC and National Retail Federation Partner to Enhance Cybersecurity in the Retail Industry

   You can imagine that neither organization thinks much of PCI SSC. Compliance /= security on display here in force. FWIW - both organizations tout information sharing and collaboration but both are members only.

Lee Neely

1. Bitdefender releases free MegaCortex ransomware decryptor

   Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family.

   This is a cool free tool, can run from wherever you drop it, no install required, and even has email support and instructions (see the No More Ransom link below.) BitDefender's decryptor will handle data encrypted by "LockerGoga" or "MegaCortex." It has options to scan a system automatically and make a backup of the encrypted files in case something goes wrong. If you have encrypted files that didn't previously decrypt properly, you could try again with this tool, assuming you've not already recreated the contents.

2. PyPI Users Targeted With PoweRAT Malware

   Software supply chain security firm Phylum has identified a malicious attack targeting Python Package Index (PyPI) users with the PoweRAT backdoor and information stealer.

3. John Deere relents, says farmers can fix their own tractors after all

   Modern farm equipment is packed full of software, and repairs have become a real pain. John Deere Farmers now have the right to repair their John Deere machines.

   This is huge. These are very expensive machines, and when needed, they are needed, often running 24x7 during peak seasons. As such, they need to be able to be repaired without waiting for a factory representative to be sent, let alone trying to purchase a replacement or borrow from a neighbor with as much need and time crunch as you have. This should also encourage in-field changes to help them better suit the needs in “the field.” Often these innovations/modifications (hacks) make their way back to mainstream production when discovered in the field. That said, be sure you know what you're doing before offering to alter a $1M combine.

4. OPWNAI : Cybercriminals Starting to Use ChatGPT – Check Point Research

   In November 2022, OpenAI released an interface for its large language module known as ChatGPT. In a recent blog post, researchers at Check Point write that people on cybercrime forums have begun using ChatGPT to help them develop malware.

   As with many tools, ChatGPT is neither good nor evil. In fact, OpenAI has terms of service which prohibit the use of its technology for illegal or harmful activities. The issue is that while it was expected that ChatGPT could be leveraged to develop malware, it was not expected how rapidly that would happen. The new malware is more convincing/realistic, making it harder to detect. Now we need our defenders (technology and human) to up their game a bit more rapidly than we would have otherwise expected.

5. Blind Eagle Hacking Group Targets South America With New Tools

   Ongoing hacking campaigns orchestrated by the threat actor group Blind Eagle (also known as APT-C-36) have been spotted leveraging a new and advanced toolset as part of its infection chain that includes the use of phishing emails that purport to originate from the Colombian Government in new attacks targeting individuals throughout South America

6. Russian threat group using other crooks’ malware to target Ukraine, says watchdog

   Mandiant says the Russia-linked "Turla Team" cyber espionage group is now targeting victims in Ukraine by piggybacking off of formerly deployed malware to install backdoors of its own and ultimately steal data. Attackers are targeting victims previously compromised by "Andromeda", leveraging the "Kopiluwak" for recon, then using "QuietCanary"-- Reportedly the accesses are being targeted for resale vs direct access.