PSW #774 – Asaf Cidon

Paul Asadoorian

1. SFTP Port Forwarding: Enabling Suppressed Functionality

2. Putting Undetectable Backdoors in Machine Learning Models – Schneier on Security

   So. Many. Big. Words. "Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, by constructing undetectable backdoor for an “adversarially-robust” learning algorithm, we can produce a classifier that is indistinguishable from a robust classifier, but where every input has an adversarial example! In this way, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness." - I think this means you can trick ML into always recommending Bud Light to people who are looking for beer...

3. Exploits Explained: Using APIs to Execute a Server-Side Request Forgery

   This is a pretty neat trick, can't wait to test it: "The Github tool created an AVI file with the malicious HLS playlist. To process the playlist, ffmpeg concatenates all segments and processes it as a single file. It then tries to show a screen capture of a TTY printing of this file. I then uploaded the malicious payload outt.avi file to the server. (An outt.avi file is the output file from the tool.) After the file was uploaded, all of the contents of /etc/passwd were retrieved from the server and rendered in the video."

4. What the Vuln: Zimbra

   A nicely done walkthrough of a vulnerability and exploit creation (not too advanced): "In this What the Vuln blog post, we dove into the Zimbra CVE-2022-27925/CVE-2022-37042 Zimbra Zip Path Traversal vulnerability and discovered how issues such as this one can be exploited from scratch, from target reconnaissance to an automated proof of concept exploit script. Additionally, these techniques can be applied to other kinds of vulnerabilities and can serve as a starting point for vulnerability discovery and exploit development."

5. Bypassing Okta MFA Credential Provider for Windows – n00py Blog

6. Hardware 1101: Intel SPI Analysis

   This class (free) sounds amazing: "In the OST2 Arch4001: Intel Firmware Attack & Defense class, as we deep-dive into how an OS-resident attacker can attempt to rewrite the SPI flash chip where the UEFI BIOS lives, we stop our deep dive at the Intel Memory Mapped Input/Output (MMIO) interface. This is a special memory range containing registers, which if poked in just the right way, cause reads and writes to the SPI flash chip to "magically" happen. But wouldn't it be nice to see what's behind the magic?"

7. Burp DOM Scanner

   This sounds amazing: "It's a Burp Suite's extension to allow for recursive crawling and scanning of Single Page Applications. It runs a Chromium browser to scan the webpage for DOM-based XSS. It can also collect all the requests (XHR, fetch, websockets, etc) issued during the crawling allowing them to be forwarded to Burp's Proxy, Repeater and Intruder."

8. OpenEMR – Remote Code Execution in your Healthcare System

9. From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager

10. Using CRLF Injection to Bypass a Web App Firewall – Praetorian

11. Forwarding Traffic Through SSH – Black Hills Information Security

12. Chip company loses $250m after ransomware hits supply chain

13. A tale of Phobos – how we almost cracked a ransomware using CUDA

14. Abusing Azure App Service Managed Identity Assignments

15. How I Broke Into a Bank Account With an AI-Generated Voice

    "I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers." - Oh God, make it stop. Someone, please outlaw banks from doing this. Please? It is 100% not secure, and those of us podcasters with thousands of hours of audio on the Internet greatly appreciate it, thanks.

16. Server-side prototype pollution: Black-box detection without the DoS

17. Trellix Advanced Research Center Discovers a New Privilege Escalation Bug Class on macOS and iOS

18. Semgrepper

    "The current project provides a Burp Suite extension to allow users to include Semgrep results to extend the checks in use by the passive scanner. By visiting repositories that collect Semgrep rules, it is possible to verify the large number of rules related to the front-end environment written by the community, such as: https://github.com/returntocorp/semgrep-rules/tree/develop/javascript. By using this plugin, Burp Suite users can include the Semgrep rules YAML files and define the scope of the analysis"

19. Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities

20. systemd 253: The future of enterprise Linux boot processes

21. StarkeBlog – CVE Wednesday – CVE-2022-40021

    Just when we catch ourselves saying "Software is harder to exploit today", then we look at firmware. This is one example and this https://www.malwarebytes.com/blog/news/2023/02/arris-vulnerability-found-in-commonly-used-router-could-result-in-complete-take-over is another example. In both cases, exploitation is super easy. Sigh. We can talk about how to fix this problem all we want, but then again we'd just be talking about it, again.

22. StarkeBlog – Determining U-Boot Base Address without uImage

23. The Complexities and Demands of Creating Firmware for the World’s Most Critical Systems

    I think ChatGPT wrote this: "Meeting security requirements requires careful design and implementation of the firmware, including the use of secure communication protocols, encryption, and access control mechanisms. Developers must also consider the threat landscape, including the potential for cyber-attacks, and design the firmware to mitigate these threats."

24. Hacking Apple: Two Successful Exploits and Positive Thoughts on their Bug Bounty Program

25. Two Supreme Court cases could change the Internet as we know it

    Section 230 as I see it: Companies make hammers. Some people use hammers to build beautiful homes. Other people use hammers to hurt people. Don't sue the hammer company because bad people use it to hurt people.

26. Arris router vulnerability could lead to complete takeover

27. No more Access Denied – I am TrustedInstaller

    This is a great post, very simple but effective hack: "If we can create a process using the token from this TrustedInstaller.exe, we might become TrustedInstaller, and then we can delete the Defender Directory."

28. Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot) – Michael Altfield’s Tech Blog

    This is a must read and covers Trusted Boot and the attack timeline very well. Also, there is this: "One of the best ways to make your device tamper-evident is very low-tech: (rainbow) glitter nail polish." Also, from Trammel: "Normal glitter polish works as well, although the features are smaller and have lower contrast than the Fuzzy Coat shown above. You can do your nails with it, too, and look fabulous while you're coding."

29. Heads: the other side of TAILS

    This is an older project, but came up this week (likely from the other article I referenced this week): "Heads is a configuration for laptops and servers that tries to bring more security to commodity hardware. Among its goals are: Use free software on the boot path, Move the root of trust into hardware (or at least the ROM bootblock), Measure and attest to the state of the firmware, Measure and verify all filesystems"

30. Researchers unearth Windows backdoor that’s unusually stealthy

    Neat trick: "The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved." Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis

31. Intel issues patches for SGX vulnerabilities

32. BlackLotus UEFI bootkit: Myth confirmed

    We thought this might just be a hoax, but it's not. This article confirms (with some good evidence) that the BLacklotus bootkit being sold on the underground is real, and folks have found it in the wild. Turns out it uses Baton Drop (https://github.com/Wack0/CVE-2022-21894) to bypass Secure Boot (I was really hoping it would use Mickey and Jesse's research, but who knows, that could be an add-on for later). Basically the attackers introduce signed, but vulnerable, bootloaders that allow them to remove the Secure Boot policy and infect the system.

Larry Pesce

1. Make companies liable software insecurity?

2. Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution ≈ Packet Storm

3. Electrify America bug opens hacking vulnerability concerns [Updated]

4. U.S. Marshals Service suffers ‘major’ security breach that compromises sensitive information, senior law enforcement officials say

5. LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults

6. CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

7. ‘Ethical hacker’ among ransomware suspects arrested

8. Dish Network goes offline after likely cyberattack, employees cut off

9. 40% of Log4j Downloads Still Vulnerable

10. Grand Theft Auto – A peek of BLE relay attack

11. StarkeBlog – U-Boot HTTP Client

Lee Neely

1. News Corp says state hackers were on its network for two years

   Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 breach managed to successfully access its email and document storage systems that are used by various News Corp businesses in February 2020, allowing them to ultimately access some employees' personally identifiable information and personal health information.

2. CERT of Ukraine says Russia-linked APT backdoored multiple govt sites

   The CERT of Ukraine (CERT-UA) revealed that the Russia-linked UAC-0056 (DEV-0586, unc2589, Nodaria, Lorec53) advanced persistent threat group successfully breached multiple Ukrainian government websites.

3. Ransomware attack on food giant Dole Food Company blocked North America production

   The producers of fruit and vegetables Dole Food Company disclosed a ransomware attack that impacted its operations. The breach also prevented some stores in New Mexico and Texas from restocking Dole products for several days.

4. White House: No more TikTok on gov’t devices within 30 days

   White House issued an order that gives all Federal agencies 30 days to remove the hugely popular social media app from all of their agency-managed devices. The White House had already ordered its staff to remove TikTok from their devices. House Republicans are expected to introduce a bill sometime today that – if passed – would provide the U.S. President with the authority to declare a national ban of TikTok.

5. Danish parliament urges to remove TikTok over cybersecurity

   The Danish parliament on Tuesday urged lawmakers and employees with the 179-member assembly against having TikTok on work phones as a cybersecurity measure, saying “there is a risk of espionage.”

6. LastPass Says DevOps Engineer Home Computer Hacked

   LastPass DevOp engineer’s home computer hacked and implanted with keylogging malware as part of a sustained cyberattack.. The smoking gun is: “…the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

7. Mobile Banking Trojans Surge, Doubling in Volume

   Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

8. Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender

   Microsoft is expanding the public preview of its automatic attack disruption capabilities to include business email compromise (BEC) and human-operated ransomware attacks.

   Microsoft is moving from IOCs to AI for detection and response. For BEC detection, users are automatically suspended if you're using Microsoft Defender for Identity, and if using Defender for Endpoint, enrolled devices are not able to communicate with compromised devices. This service is in preview, and requires Defender pre-requisites, including Defender for Cloud Apps, and Defender for Identity.

9. Dishonor Code: What Happens When Cheating Becomes the Norm?

   Students say they are getting ‘screwed over’ for sticking to the rules. Professors say students are acting like ‘tyrants.’ Then came ChatGPT . . .

Mandy Logan

1. LastPass says employee’s home computer was hacked and corporate vault taken

2. A sticky story: How, and why, hackers love stickers on laptops

3. 1 in 4 CISOs Wants to Say Sayonara to Security

4. Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025

5. Hacker group defaces Russian websites to display the Kremlin on fire

Sam Bowne

1. Indirect Prompt Injection on Bing Chat

   If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information.

2. AI Helps Crack NIST-Recommended Post-Quantum Encryption Algorithm

   The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST in July 2022 for post-quantum cryptography has been broken. Researchers used recursive training AI combined with side channel attacks. Quantum computers are not the only threat to encryption. Rapidly improving artificial intelligence may be a significant and more imminent threat to both classical and post-quantum encryption algorithms.

3. Youtube suspended a computer scientist’s channel for posting an infosec video

   The researcher is René Mayrhofer, a professor at Johannes Kepler University Linz and Director of Android Platform Security at Google. The video was "Cloning Credit Cards" (#research published in @usenix WOOT'13). Infosec educators should be warned that Youtube may cancel you at any time.

4. Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads

   The Cisco AnyConnect client can be used to run code on a client, by tricking them into connecting to a malicious server. The server can send a VBS or BAT file to the client that runs on connect or disconnect. The defense against this is to limit the AnyConnect client to only connect to known good servers with AppLocker or firewalling.

5. SCARLETEEL hackers use advanced cloud skills to steal source code, data

   The attackers target public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. They deploy a cryptominer as a distraction, and then use advanced expertise in AWS cloud mechanics to burrow further into the company's cloud infrastructure.