PSW #774 – Asaf Cidon
1. Phishing Attack & Defense – Asaf Cidon – PSW #774
Barracuda published its 2023 Email Security Trends report that shows how email-based security attacks affect organizations around the world. 75% of the organizations surveyed for the report had fallen victim to at least one successful email attack in the last 12 months, with those affected facing average costs of more than $1 million for their most expensive attack. 23% said that the cost of email-based attacks has risen dramatically over the last year.
Segment Resources: https://assets.barracuda.com/assets/docs/dms/2023-email-security-trends.pdf
This segment is sponsored by Barracuda. Visit https://securityweekly.com/barracuda to learn more about them!
Announcements
Security Weekly listeners save $100 on their RSA Conference 2023 Full Conference Pass! RSA Conference will take place April 24-27 in San Francisco and on demand. To register using our discount code, please visit https://securityweekly.com/rsac2023 and use the code 53UCYBER! We hope to see you there!
2. ChatGPT Articles, What the Zimbra, Burp Plugins, & Vocal Passports – PSW #774
In the Security News for this week: indistinguishable classifiers, screenshot the /etc/passwd file, what the Zimbra, a couple of cool Burp plugins, my voice is my passport, verify me, software is harder to exploit, unless it's in firmware, when ChatGPT writes an article, becoming a trusted installer, not the last breach for LastPass, getting fried at the charger, and why hackers love stickers!
Announcements
Follow Security Weekly Productions on LinkedIn for exclusive show clips, insights, and updates across our organization! Stay connected with our hosts and fellow community members, and join the conversation that's shaping the future of cybersecurity.
- 1. SFTP Port Forwarding: Enabling Suppressed Functionality
- 2. Putting Undetectable Backdoors in Machine Learning Models – Schneier on Security
So. Many. Big. Words. "Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, by constructing undetectable backdoor for an “adversarially-robust” learning algorithm, we can produce a classifier that is indistinguishable from a robust classifier, but where every input has an adversarial example! In this way, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness." - I think this means you can trick ML into always recommending Bud Light to people who are looking for beer...
- 3. Exploits Explained: Using APIs to Execute a Server-Side Request Forgery
This is a pretty neat trick, can't wait to test it: "The Github tool created an AVI file with the malicious HLS playlist. To process the playlist, ffmpeg concatenates all segments and processes it as a single file. It then tries to show a screen capture of a TTY printing of this file. I then uploaded the malicious payload outt.avi file to the server. (An outt.avi file is the output file from the tool.) After the file was uploaded, all of the contents of /etc/passwd were retrieved from the server and rendered in the video."
- 4. What the Vuln: Zimbra
A nicely done walkthrough of a vulnerability and exploit creation (not too advanced): "In this What the Vuln blog post, we dove into the Zimbra CVE-2022-27925/CVE-2022-37042 Zimbra Zip Path Traversal vulnerability and discovered how issues such as this one can be exploited from scratch, from target reconnaissance to an automated proof of concept exploit script. Additionally, these techniques can be applied to other kinds of vulnerabilities and can serve as a starting point for vulnerability discovery and exploit development."
- 5. Bypassing Okta MFA Credential Provider for Windows – n00py Blog
- 6. Hardware 1101: Intel SPI Analysis
This class (free) sounds amazing: "In the OST2 Arch4001: Intel Firmware Attack & Defense class, as we deep-dive into how an OS-resident attacker can attempt to rewrite the SPI flash chip where the UEFI BIOS lives, we stop our deep dive at the Intel Memory Mapped Input/Output (MMIO) interface. This is a special memory range containing registers, which if poked in just the right way, cause reads and writes to the SPI flash chip to "magically" happen. But wouldn't it be nice to see what's behind the magic?"
- 7. Burp DOM Scanner
This sounds amazing: "It's a Burp Suite's extension to allow for recursive crawling and scanning of Single Page Applications. It runs a Chromium browser to scan the webpage for DOM-based XSS. It can also collect all the requests (XHR, fetch, websockets, etc) issued during the crawling allowing them to be forwarded to Burp's Proxy, Repeater and Intruder."
- 8. OpenEMR – Remote Code Execution in your Healthcare System
- 9. From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
- 10. Using CRLF Injection to Bypass a Web App Firewall – Praetorian
- 11. Forwarding Traffic Through SSH – Black Hills Information Security
- 12. Chip company loses $250m after ransomware hits supply chain
- 13. A tale of Phobos – how we almost cracked a ransomware using CUDA
- 14. Abusing Azure App Service Managed Identity Assignments
- 15. How I Broke Into a Bank Account With an AI-Generated Voice
"I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers." - Oh God, make it stop. Someone, please outlaw banks from doing this. Please? It is 100% not secure, and those of us podcasters with thousands of hours of audio on the Internet greatly appreciate it, thanks.
- 16. Server-side prototype pollution: Black-box detection without the DoS
- 17. Trellix Advanced Research Center Discovers a New Privilege Escalation Bug Class on macOS and iOS
- 18. Semgrepper
"The current project provides a Burp Suite extension to allow users to include Semgrep results to extend the checks in use by the passive scanner. By visiting repositories that collect Semgrep rules, it is possible to verify the large number of rules related to the front-end environment written by the community, such as: https://github.com/returntocorp/semgrep-rules/tree/develop/javascript. By using this plugin, Burp Suite users can include the Semgrep rules YAML files and define the scope of the analysis."
- 19. Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities
- 20. systemd 253: The future of enterprise Linux boot processes
- 21. StarkeBlog – CVE Wednesday – CVE-2022-40021
Just when we catch ourselves saying "Software is harder to exploit today", then we look at firmware. This is one example and this https://www.malwarebytes.com/blog/news/2023/02/arris-vulnerability-found-in-commonly-used-router-could-result-in-complete-take-over is another example. In both cases, exploitation is super easy. Sigh. We can talk about how to fix this problem all we want, but then again we'd just be talking about it, again.
- 22. StarkeBlog – Determining U-Boot Base Address without uImage
- 23. The Complexities and Demands of Creating Firmware for the World’s Most Critical Systems
I think ChatGPT wrote this: "Meeting security requirements requires careful design and implementation of the firmware, including the use of secure communication protocols, encryption, and access control mechanisms. Developers must also consider the threat landscape, including the potential for cyber-attacks, and design the firmware to mitigate these threats."
- 24. Hacking Apple: Two Successful Exploits and Positive Thoughts on their Bug Bounty Program
- 25. Two Supreme Court cases could change the Internet as we know it
Section 230 as I see it: Companies make hammers. Some people use hammers to build beautiful homes. Other people use hammers to hurt people. Don't sue the hammer company because bad people use it to hurt people.
- 26. Arris router vulnerability could lead to complete takeover
- 27. No more Access Denied – I am TrustedInstaller
This is a great post, very simple but effective hack: "If we can create a process using the token from this TrustedInstaller.exe, we might become TrustedInstaller, and then we can delete the Defender Directory."
- 28. Trusted Boot (Anti-Evil-Maid, Heads, and PureBoot) – Michael Altfield’s Tech Blog
This is a must read and covers Trusted Boot and the attack timeline very well. Also, there is this: "One of the best ways to make your device tamper-evident is very low-tech: (rainbow) glitter nail polish." Also, from Trammell: "Normal glitter polish works as well, although the features are smaller and have lower contrast than the Fuzzy Coat shown above. You can do your nails with it, too, and look fabulous while you're coding."
- 29. Heads: the other side of TAILS
This is an older project, but came up this week (likely from the other article I referenced this week): "Heads is a configuration for laptops and servers that tries to bring more security to commodity hardware. Among its goals are: Use free software on the boot path, Move the root of trust into hardware (or at least the ROM bootblock), Measure and attest to the state of the firmware, Measure and verify all filesystems"
- 30. Researchers unearth Windows backdoor that’s unusually stealthy
Neat trick: "The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved." Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis
- 31. Intel issues patches for SGX vulnerabilities
- 32. BlackLotus UEFI bootkit: Myth confirmed
We thought this might just be a hoax, but it's not. This article confirms (with some good evidence) that the BlackLotus bootkit being sold on the underground is real, and folks have found it in the wild. Turns out it uses Baton Drop (https://github.com/Wack0/CVE-2022-21894) to bypass Secure Boot (I was really hoping it would use Mickey and Jesse's research, but who knows, that could be an add-on for later). Basically the attackers introduce signed, but vulnerable, bootloaders that allow them to remove the Secure Boot policy and infect the system.
- 1. Make companies liable software insecurity?
- 2. Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution ≈ Packet Storm
- 3. Electrify America bug opens hacking vulnerability concerns [Updated]
- 4. U.S. Marshals Service suffers ‘major’ security breach that compromises sensitive information, senior law enforcement officials say
- 5. LastPass Reveals Second Attack Resulting in Breach of Encrypted Password Vaults
- 6. CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability
- 7. ‘Ethical hacker’ among ransomware suspects arrested
- 8. Dish Network goes offline after likely cyberattack, employees cut off
- 9. 40% of Log4j Downloads Still Vulnerable
- 10. Grand Theft Auto – A peek of BLE relay attack
- 11. StarkeBlog – U-Boot HTTP Client
- 1. News Corp says state hackers were on its network for two years
Mass media and publishing giant News Corporation (News Corp) says that the attackers behind a breach disclosed in 2022 managed to successfully access its email and document storage systems, which are used by various News Corp businesses, in February 2020, allowing them to ultimately access some employees' personally identifiable information and personal health information.
- 2. CERT of Ukraine says Russia-linked APT backdoored multiple govt sites
The CERT of Ukraine (CERT-UA) revealed that the Russia-linked UAC-0056 (DEV-0586, unc2589, Nodaria, Lorec53) advanced persistent threat group successfully breached multiple Ukrainian government websites.
- 3. Ransomware attack on food giant Dole Food Company blocked North America production
The producers of fruit and vegetables Dole Food Company disclosed a ransomware attack that impacted its operations. The breach also prevented some stores in New Mexico and Texas from restocking Dole products for several days.
- 4. White House: No more TikTok on gov’t devices within 30 days
The White House issued an order that gives all Federal agencies 30 days to remove the hugely popular social media app from all of their agency-managed devices. The White House had already ordered its staff to remove TikTok from their devices. House Republicans are expected to introduce a bill sometime today that, if passed, would provide the U.S. President with the authority to declare a national ban of TikTok.
- 5. Danish parliament urges to remove TikTok over cybersecurity
The Danish parliament on Tuesday urged lawmakers and employees with the 179-member assembly against having TikTok on work phones as a cybersecurity measure, saying “there is a risk of espionage.”
- 6. LastPass Says DevOps Engineer Home Computer Hacked
A LastPass DevOps engineer's home computer was hacked and implanted with keylogging malware as part of a sustained cyberattack. The smoking gun is: "…the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity."
- 7. Mobile Banking Trojans Surge, Doubling in Volume
Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.
- 8. Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender
Microsoft is expanding the public preview of its automatic attack disruption capabilities to include business email compromise (BEC) and human-operated ransomware attacks.
Microsoft is moving from IOCs to AI for detection and response. For BEC detection, users are automatically suspended if you're using Microsoft Defender for Identity, and if using Defender for Endpoint, enrolled devices are not able to communicate with compromised devices. This service is in preview, and requires Defender pre-requisites, including Defender for Cloud Apps, and Defender for Identity.
- 9. Dishonor Code: What Happens When Cheating Becomes the Norm?
Students say they are getting "screwed over" for sticking to the rules. Professors say students are acting like "tyrants." Then came ChatGPT...
- 1. LastPass says employee’s home computer was hacked and corporate vault taken
- 2. A sticky story: How, and why, hackers love stickers on laptops
- 3. 1 in 4 CISOs Wants to Say Sayonara to Security
- 4. Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025
- 5. Hacker group defaces Russian websites to display the Kremlin on fire
- 1. Indirect Prompt Injection on Bing Chat
If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information.
- 2. AI Helps Crack NIST-Recommended Post-Quantum Encryption Algorithm
The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST in July 2022 for post-quantum cryptography has been broken. Researchers used recursive training AI combined with side channel attacks. Quantum computers are not the only threat to encryption. Rapidly improving artificial intelligence may be a significant and more imminent threat to both classical and post-quantum encryption algorithms.
- 3. Youtube suspended a computer scientist’s channel for posting an infosec video
The researcher is René Mayrhofer, a professor at Johannes Kepler University Linz and Director of Android Platform Security at Google. The video was "Cloning Credit Cards" (#research published in @usenix WOOT'13). Infosec educators should be warned that Youtube may cancel you at any time.
- 4. Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
The Cisco AnyConnect client can be used to run code on a client, by tricking them into connecting to a malicious server. The server can send a VBS or BAT file to the client that runs on connect or disconnect. The defense against this is to limit the AnyConnect client to only connect to known good servers with AppLocker or firewalling.
- 5. SCARLETEEL hackers use advanced cloud skills to steal source code, data
The attackers target public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. They deploy a cryptominer as a distraction, and then use advanced expertise in AWS cloud mechanics to burrow further into the company's cloud infrastructure.