3 Layers of App Security to Keep Hackers Out, Let Customers In – Aviad Mizrachi – PSW #807

Paul Asadoorian

1. In a first, cryptographic keys protecting SSH connections stolen in new attack

   OpenSSH is safe, however, other implementations (from Zyxel and Cisco) are not: "The countermeasure to the attacks we describe in this paper is well known: implementations should validate signatures before sending them. OpenSSH, the most common SSH implementation we observed in this data, implements this countermeasure because it uses OpenSSL to generate signatures, and OpenSSL has included countermeasures against RSA fault attacks since 2001."

2. 21 Vulnerabilities Discovered in Crucial IT-OT Connective Routers

   I can't wait to get the details on this one: "We will demonstrate how one of these vulnerabilities allows for full control of the device. We will also discuss how these open-source components were missed by some commercial SBoM tools that rely on firmware analysis. We found more than 80,000 of these devices exposed via the Internet and potentially affected by past and present vulnerabilities. To better understand the threat landscape, we deployed high-interaction honeypots and a real physical device on the public Internet. We will cover the analysis of the attempted port scans and exploitation trials." From: https://www.blackhat.com/eu-23/briefings/schedule/#old-code-dies-hard-finding-new-vulnerabilities-in-old-third-party-software-components-and-the-importance-of-having-sbom-for-iotot-devices-35349

3. Did iOS 17.1.1 fix Flipper Zero attack problem on iPhones? Not according to my tests

   "However, there's also bad news, and that is that despite the popups seemingly being throttled, now all the Bluetooth attacks the Flipper Zero can generate can lock up the attacked iPhone solid, requiring a reboot. Previously only an attack specifically designed to lock up an iPhone could achieve this."

4. Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero

   "By playing around with the Love Spouse application, we can easily see that there is a startup packet for each expected vibration command and a single stop packet. There is no differentiation even between models. With this information, we are ready to develop an app for Flipper Zero that replicates the behavior of the app regarding startup and can create a Denial of Pleasure by continuously broadcasting the stop packet." - This is a supply chain issue as toys use the same chipset and respond to the same commands?

5. A Tale of 2 Vulnerability Disclosures

   "this is not a sales message. Your blog storage is open to the Internet" - Amazing effort, and yet their blob storage is still open to the Internet. Sigh.

6. 50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures

   This is amazing work: "By utilizing the NVD API to fetch recently pushed CVEs and searching for GitHub references, we can then check if the commit/PR referenced by NVD has a release on GitHub that includes them. If not, this often presents a 'Half-Day' scenario, where a vulnerability is exposed without a patch at that stage." - There is a lot to unpack, but I go back to my previous comments on the difficulty of hiding vulnerabilities in open-source code once a vulnerability has been discovered.

7. CVE Half-Day Watcher

   This is the code referenced above that you can run and collect "Half-Day" vulnerabilities.

8. Tapping into a telecommunications company’s office cameras

   Let's write something ourselves to allow us to see all the cameras: "The company maintains a custom-built platform/website that certain employees use to manage the camera system. It lets them manage the cameras, download noteworthy “incident” videos, and view the live feeds. It is a React-based platform that interacts with a server using APIs. The website is publicly accessible, but all functionality is locked behind a corporate login page."

9. Executing from Memory Using ActiveMQ CVE-2023-46604 – Blog – VulnCheck
10. sshx
11. Usurping Mastodon instances – mastodon.so/cial (CVE-2023-42451)
12. Legitimate exfiltration tools : summary and detection for incident response and threat hunting
13. Supply chain threats

    These are basically all examples of the thermal exhaust port vulnerability.

14. efchatz/pandora: A red team tool that assists into extracting/dumping master credentials and/or entries from different password managers.
15. Abusing Slack for Offensive Operations
16. Restaurant Owners Are Fed Up With Reservation-Hoarding Bots

    "Platforms like Resy and Tock are searching for ways around algorithms that snatch up prime-time reservations and then re-sell them to desperate diners."

17. GPTs & Assistants API – Code Interpreter Data Exfiltration
18. Using Nuclear Decay As Random Number Generator Source For An MCU

    "using a commercial handheld Geiger counter (GMC-320+) and its audio output as a generic input for any MCU. The (pulsed) audio signal is amplified with an opamp (left unspecified) that connects to a GPIO pin of the MCU (RP2040-based Pico W). Here the same algorithm is used to create a continuous queue of randomly picked numbers, which can also be queried via the WiFi interface with a custom protocol, essentially making it a network-connected RNG that could be used by other network-connected appliances."

19. CacheWarp
20. Reptar
21. Running Malware Below the OS – The State of UEFI Firmware Exploitation
22. Deprecation of Squid Add-On Package For pfSense Software

    Your software is so bad we will no longer include it. Supply chain security!

23. Our Pwn2Own journey against time and randomness (part 2)
24. OST2, Zephyr RTOS, and a bunch of CVEs – hn security
25. Baldur
26. The controversy behind Apple BLE Spam

    Larry is famous. Also, this site may cause nausea and/or vomiting. You can turn off animations in the settings in the upper right.

27. The Best Explanation Of Threats Ever

    From Casey Ellis (@cje): * threat actor = someone who wants to punch you in the face * threat = the punch being thrown * vulnerability = your inability to defend against the punch * risk = the likelihood of getting punched in the face

Larry Pesce

1. Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan
2. The Linux kernel scheduler has been accidentally hardcoded to a maximum of 8 cores for the past 15 years and nobody noticed
3. The controversy behind Apple BLE Spam
4. Understanding OWASP’s Bill of Material Maturity Model: Not all SBOMs are created equal
5. Zero-Days in Edge Devices Become China’s Cyber Warfare Tactic of Choice

Lee Neely

1. Cyber ops linked to Israel-Hamas conflict largely improvised, researchers say

   In the wake of Hamas’s attack on Israel, researchers and cybersecurity firms observed an uptick in operations by hacktivists and state-sponsored hacking groups. But more than one month into the conflict, researchers are increasingly concluding that cyberoperations linked to the war have been mostly opportunistic in nature and frequently exaggerated in terms of their impact.

2. The attack against Danish critical infrastructure

   In May of this year, more than 20 critical infrastructure organizations in Denmark were targeted with cyberattacks. A report published by SektorCERT, the Danish cybersecurity organization for critical infrastructure sectors details the attacks, which were carried out through two known vulnerabilities in Zyxel firewalls. Report: https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/sektorcert-the-attack-against-danish-critical-infrastructure-tlp-clear.pdf

3. DP World cyberattack blocks thousands of containers in ports

   DP World was able to contain the attacks to their Australian components. They have roughly 10% of the shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days.

4. Maine.gov: MOVEit Global Security Incident

   The government of the state of Maine has disclosed that its MOVEit server was breached earlier this year: intruders had access to files on the server on May 28 and 29. The incident affects 1.3 million people; the compromised data include names, Social Security numbers (SSNs), dates of birth, driver's license/state ID numbers, taxpayer ID numbers, and some medical and health insurance information. As of the 2020 census, the population of Maine was 1.3 million.

5. Hackers breach healthcare orgs via ScreenConnect remote access

   Researchers at Huntress say that cyberthreat actors are gaining unauthorized access to US healthcare organizations through locally-hosted instances of the ScreenConnect remote access tool, used by Transaction Data Systems. Huntress has provided a list of observed tactics, techniques, and procedures used in the attacks.

   Don't expose any form of RDP to the Internet. Report: https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack

6. CISA’s New SBOM Guidance Faces Implementation Challenges

   The US Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) have published software supply chain security guidance for vendors. The document focuses on software bill of materials (SBOM) consumption. https://media.defense.gov/2023/Nov/09/2003338086/-1/-1/0/SECURING%20THE%20SOFTWARE%20SUPPLY%20CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20SOFTWARE%20BILL%20OF%20MATERIALS%20CONSUMPTION.PDF

7. CISA warns of actively exploited Juniper pre-auth RCE exploit chain

   CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

   Fix: limit access to or disable J-Web, apply the software update

   The Juniper CVE's are listed CISA's KEV catalog with due dates of 11/17.

8. City of Huber Heights – Ransomware Attack UPDATE

   The government of the City of Huber Heights, Ohio, is recovering from a ransomware attack. The city notified residents of the situation on the morning of Sunday, November 12, noting that “while public safety services are not impacted the following city divisions are affected: Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development.”

   Of note: Providing updates every day at 2PM, City Manager steps up as POC.

9. ICBC hit by ransomware impacting global trades

   China's largest bank, ICBC, was hit by ransomware that resulted in disruption of financial services (FS) systems on Thursday Beijing time. ICBC is the largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so.

   The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story - but for a patch, the battle was lost.

Sam Bowne

1. Dissecting Intel’s Explanation of Key Usage in Integrated Firmware Images (IFWI)

   The Intel OEM private key was leaked, causing an impact on the entire ecosystem. The reality is that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. It affects many different device vendors, including Intel, Lenovo, Supermicro, and many others across the entire industry.

2. How digital twins may enable personalised health treatment

   What a digital twin is doing is using your data inside a model that represents how your physiology and pathology is working. It is not making decisions about you based on a population that might be completely unrepresentative. It is genuinely personalised.

3. Giant AI Platform Introduces ‘Bounties’ for Deepfakes of Real People

   Civitai, an online marketplace for sharing AI models that enables the creation of nonconsensual sexual images of real people, has introduced a new feature that allows users to post “bounties.” These bounties allow users to ask the Civitai community to create AI models that generate images of specific styles, compositions, or specific real people, and reward the best AI model that does so.

4. European Standards Body Votes to Release Secret Algorithms

   They will make the proprietary algorithms it created for the TETRA radio protocol public.
   This will mean independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws.

5. How a Harvard AI model could make COVID the last pandemic

   A new AI model called EVEscape predicts how viruses mutate. To showcase EVEscape's potential, scientists provided it with the original genome sequence of SARS-CoV-2, and the AI correctly predicted nearly all the mutations that would come to dominate during the pandemic.

6. Google’s traffic light system has shocking impact on major cities: ‘We’re going to have to answer some big questions’

   Project Green Light uses artificial intelligence to optimize and alter intersections in order to minimize vehicles’ stopping and starting. Google reported that at busy intersections in cities, pollution can be 29 times higher than it is on open roads, due to the environmental toll of cars stopping and starting again.

7. Chinese team creates drones with ‘human brains’ able to tackle complex tasks through group chats

   Drone swarms talk, collaborate and split up duties using human language, making it easier for operators to understand the machines’ behaviour. The technology has potential for use in security patrols, rescue operations and aerial logistics and transport.

8. How to build your own custom ChatGPT with OpenAI’s GPT builder

   OpenAI recently released a way for anyone to create their own version of ChatGPT. They're calling them GPTs, and you can build one, catered to your company or personal goals, in a matter of minutes.

9. AI Models Ranked By Hallucinations: ChatGPT is Best, Palm-Chat Needs to Sober Up

   GPT 4 hallucinated 3% of the time, while Google's Palm Chat hallucinated 27% of the time.

10. Giskard’s open source framework evaluates AI models before they’re pushed into production

    Giskard is a French startup working on an open source testing framework for large language models. It can alert developers of risks of biases, security holes and a model’s ability to generate harmful or toxic content. Tests cover a wide range of issues, such as performance, hallucinations, misinformation, non-factual output, biases, data leakage, harmful content generation and prompt injections.

11. AI could predict heart attack risk up to 10 years in the future, finds Oxford study

    The AI system provides an accurate picture of risk to clinicians. This can alter, and potentially improve, the course of treatment for many heart patients. The technology could save thousands of lives while improving treatment for almost half of patients.

12. Randstorm: You Can’t Patch a House of Cards

    BitcoinJS, a popular package for the browser based generation of cryptocurrency wallets, used insufficiently random numbers, so the private keys can be guessed. Vulnerable wallets were created between 2011 and 2015.

13. Wallet Drainers Starts Using Create2 Bypass Wallet Security Alert

    Wallet Drainers are using Create2 to bypass security alerts in certain wallets. By exploiting Create2’s ability to pre-calculate contract addresses, the Drainers can generate new addresses for each malicious signature. These addresses pass the wallet's tests and are not flagged as malicious.

14. Reptar: A CPU Flaw in Microcode.

    Many x86 processors have a flaw in the microcode which can be triggered by assembly language instructions with multiple prefixes. This can cause branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer. This may lead to privilege escalation, but that exploit has not been developed yet. There is a PoC tool used to demonstrate the flaw.

    Some of the processors that have this feature include:

    Ice Lake Rocket Lake Tiger Lake Raptor Lake Alder Lake Sapphire Rapids

15. ChatGPT’s New Code Interpreter Has Giant Security Hole, Allows Hackers to Steal Your Data

    The new feature lets you upload files, but it also makes them vulnerable to exposure. An attacker would need to trick the ChatGPT user into entering a prompt containing a malicious third-party URL which can exfiltrate data from the files. This amounts to a high-level version of cross-site scripting.

16. Keybleed

    Check if your Cryptocurrency Wallet is Vulnerable to Known Exploits. Submit your Public Key and our automated wallet checker will let you know if your wallet is vulnerable or becomes vulnerable in the future.