Do We Need Penetration Testing and Vulnerability Scanning? – Josh Bressers, Adrian Sanabria – PSW #833

Paul Asadoorian

1. XZ backdoor behavior inside OpenSSH
2. Zip Slip meets Artifactory: A Bug Bounty Story
3. GitHub – bigb0x/CVE-2024-29973: POC for CVE-2024-29973
4. Five new vulnerabilities found in Zyxel NAS devices (including code execution and privilege escalation)
5. AMD Investigates Possible Breach Amid Hacker’s Sale of Company Data
6. New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems
7. ‘Sleepy Pickle’ Exploit Subtly Poisons ML Models
8. Exploiting ML models with pickle file attacks: Part 2
9. On The Button – The Hacker Factor Blog
10. Vulnerabilities of ZKTeco biometric terminals
11. TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center-D-Link router – Hidden Backdoor

    The release notes state that more vulnerabilities were fixed, including a command injection (no CVE for that one), check it out here: https://www.asus.com/us/networking-iot-servers/wifi-routers/asus-gaming-routers/rt-ax88u/helpdesk_bios?model2Name=RT-AX88U

12. Lemon on X: “I received my first cease and desist..”

    This makes me mad. How would you handle this situation?

13. New Research: The Red Hat Linux Kernel Model Is Broken and Can’t Be Fixed

    Why can't we just take upstream kernel security patches? Do you think you can do it better than the Linux kernel team? 99.99% of the time you can't...

14. IoT Security Regulations: A Compliance Checklist – Part 1

    This should move the needle? "Importantly, the Act prohibits federal agencies from procuring or utilizing IoT devices deemed non-compliant with NIST's standards." - The problem is that most IoT devices are sold to consumers, not the Government.

15. A threat actor claims to be selling a 0-day Linux LPE via the GRUB bootloader

    Some things to note on this type of vulnerability:

    • An attacker with root privileges can change your bootloader, however, you would probably notice
    • If Secure Boot is enabled, the bootloader has to pass the validation checks (its one reason why Secure Boot is important, so attackers can't just backdoor or swap out pre-kernel execution software)
    • An exploit for a vulnerable bootloader gives the attacker pre-kernel access to your system, even if Secure Boot is enabled and when the vulnerable bootloader is not in the DBX
    • An attacker with pre-kernel access to a system can circumvent and/or disable operation system security controls (EDR or anything in the kernel that was meant as a security control)
    • A GRUB exploit gives an attacker some level of persistence, e.g. if you clean up the OS, re-infection can occur
16. Ditch Proprietary BIOS/UEFI: Top 3 Open Source Boot Firmware

    "Today, it's widely known that proprietary firmware, such as BIOS and UEFI, often contains backdoors that compromise user privacy. I believe that hardware manufacturers intentionally integrate these backdoors into their closed-source firmware for obvious reasons. This presents a serious privacy issue, prompting the open-source community and privacy advocates to develop secure, open-source boot firmware. These alternatives prioritize user privacy and enhance hardware security." - I completely disagree. I believe that open-source firmware does improve privacy, but not security. Open-source firmware still contains vulnerabilities and suffers from the same supply chain issues that commercial firmware suffers, there are many dependencies! Yes, open-source firmware by nature allows us all to look at the code and make sure there are no privacy violations. It also allows us to look for vulnerabilities. But who is looking? XZ proved to us all that we could fall victim to supply chain attacks in open-source software. Also, hardware support for UEFI open-source implementation is still very limited.

17. UEFIcanhazbufferoverflow: Widespread Impact from Vulnerability in Popular PC and Server Firmware

    Can you spot the vulnerability in the code? Before you read on, I will leave you with that challenge. Below are some details about this vulnerability as I was involved with the review:

    • If the buffer size was too small they were supposed to allocate a new buffer, instead, they used the original buffer (Which was too small, oops)
    • The overflow occurs in the reading of a UEFI variable, if an attacker can control the value of this variable, exploitation is possible
    • If the variable does not exist, an attacker can create it and control the value
    • If the variable security policy is set to Runtime, and the variable exists, a privileged user can modify the value
    • If the variable security policy is set to BootServices, users in the OS cannot change it (think of these settings as only being changed when you press a key and get into your BIOS)
    • You can't, without another vulnerability, modify or overwrite BootServices variables
    • All of the above depends on the implementation ("It depends")
18. In-Depth Analysis: Velvet Ant’s Prolonged Cyber Attack on a Large Organization

    This is crazy: "This load balancer was not part of previous remediation efforts, because it was not supposed to be operational in the production network. One team in the organization started deploying the F5 solution in the network a long time ago as part of a disaster recovery plan (DRP), but the project was never completed. F5 BIG-IP appliances occupy a trusted position within the network architecture, often placed at the perimeter or between different network segments. By compromising such a device, attackers can exert significant control over network traffic without arousing suspicion."

19. SSH as a sudo replacement

    "This is a summary of an experiment from a few weeks ago where I experimented with using ssh locally to perform the same role as sudo, without exposing this sshd instance to the network." - I have to go back and digest this, but I believe it's super interesting.

20. Zyxel NAS CVE-2024-29973 RCE exploit (GitHub)

    If you are wondering why the exploit is not working, you didn't read the code... (Hint: always read the exploit code)

21. Reconstructing public keys from signatures

    I so want to understand this post, so far all I got was its possible to derive a public key from a signature, which you can glean just from the title LOL!

Lee Neely

1. LockBit claims the hack of the US Federal Reserve

   LockBit claims the hack of the US Federal Reserve. However, LockBit's claims of late appear unfounded and activities seem tied to others using their 3.0 toolkit not the LockBit gang itself. Withhold belief until breach reported

2. Four FIN9 hackers indicted for cyberattacks causing $71M in losses

   A U.S. federal grand jury has indicted four Vietnamese citizens associated with the cyber crime group FIN9 for their alleged participation in numerous cyberattacks that resulted in more than $71 million USD in losses for American businesses.

3. 512,000 radiology patient records accessed in cyber-attack

   Minnesota-based Consulting Radiologists is notifying more than 500,000 patients that their personal information was compromised in a breach earlier this year. The firm detected anomalous activity in February and brought an outside cybersecurity experts. Their investigation concluded in mid-April that the breach compromised sensitive personal data, including “patients' names, addresses, dates of birth, Social Security numbers, and health insurance information and medical records, all belonging to 511,947 people.”

   Both LockBit and Qilin are taking credit for the attack. Russia-based Qilin claims to have made off with more than 70GB of Consulting Radiologist's data. This is the same group behind the politically motivated Synnovis healthcare attack in London, which was intended to cause a crisis, which is consistent with the Russian gang Motus Operandi of causing disruption. Consulting Radiologists is focused on raise-the-bar activities to prevent recurrence and is also offering a year of credit monitoring, credit report and credit score services to affected individuals.

4. Coding error in forgotten API blamed for massive data breach

   The Australian Communications and Media Authority (ACMA) has determined that a September 2022 breach affecting telecommunications firm Optus was due to an API coding error. The issue had been present for four years before the breach. ACMA says Optus failed to protect customer data of millions of individuals.

   The API had two entry points, each of which was secured in 2017. In 2021, a coding error broke one of the ACLs, but the defect was only detected in one of the entry points, despite both being impacted by the same flaw. While the obvious move was to make sure that the same fixes were applied to all entry points, the better move for your future self is to only have one entry point, one set of security controls and one instance to support, secure, document and implement.

5. US adds sanctions of Kaspersky executives to ban on company software

   Following the US Department of Commerce’s announcement of an upcoming ban on Kaspersky products and services due to national security concerns, the Treasury Department imposed sanctions on a dozen people who hold leadership positions at Kaspersky. The company’s CEO and founder, Eugene Kasperksy, has not been sanctioned. The sanctions prohibit US individuals and entities from conducting business with those named. The sanction does not include Eugene Kaspersky. Important Kaspersky ban dates: as of July 20, 2024, Kaspersky may not sell its products or services in the US; as of September 29, 2024, Kaspersky Security Network must cease operating in the US, which means no more Kaspersky software updates and antivirus signatures will be provided as of that date.

   This reminds me of a question my buddy John and I were discussing of which is better, a silent or USG-only ban, which leaves the private sector unprotected, or a public one like this which can be contested/debated. The research and threat profile for both are the same. The sanctions are based on Executive Order 14024, from April 2021, which allows sanctioning against individuals and entities furthering specified harmful foreign activities of the Russian Federation.

6. Change Healthcare Starts Notifying Entities Affected by February Ransomware Attack

   Change Healthcare has begun notifying organizations that their patients’ data were compromised in the February cyberattack. The notifications include more specifics about what type of data were compromised. They include information about health insurance policies, medical records, diagnoses, prescriptions, test results, billing and claims information, financial account information, and ID info, including passport numbers, driver’s license numbers, and Social Security numbers.

   Change Healthcare is still sifting through data to determine who was or was not affected by the breach, telling us this is going to take a bit. I don't fault them for caution to accurately identify affected individuals, in today's environment, both of highly connected information sharing and concentrated attacks, especially on healthcare providers, you really need to be proactive about having credit monitoring and restoration services. Don't wait for the breach notification. When was the last time you checked that your credit was locked/frozen? Trust but verify here, your peace of mind is worth it.

7. The Shadowserver Foundation (@[email protected])

   Just a few weeks after critical vulnerabilities in Zyxel network-attached storage (NAS) devices were disclosed, data gathered by the Shadowserver Foundation indicates that end-of-life (EoL) Zyxel NAS devices are coming under attack. Shadowserver has reported observing instances of attempted compromise of a command injection vulnerability (CVE-2024-29973) “by a Mirai-like botnet.” Timothy Hjort, Student Intern in Vulnerability Research, Outpost24, detected the vulnerabilities and noted in a write-up that “Despite the fact that the device has reached End-of-Life by the end of last year, they still released patches for the three critical vulnerabilities,” including CVE-2024-29973.

   There is a non-zero chance that the EOL devices will remain unpatched for the same reason they are still operating. CVE-2024-29973 has a CVSS score of 9.8. Even with the patches, the best move is to replace these with supported devices. Scan your environment for them, then take actions to patch and decommission them, don't let them go into the rainy-day pile. Make sure you're not exposing NAS to the Internet.

8. Indonesia’s national data center encrypted with LockBit ransomware variant

   Indonesia’s National Data Center hit with ransomware attack. The incident has disrupted multiple services, including immigration document management as well as school and university enrollment services. Indonesia’s Communications Ministry says the data center’s systems were infected with a variant of LockBit and that the attackers have demanded a ransom payment of USD 8 million.

   Indonesia is emphatic they are not paying the ransom. This attack is the Brain Cipher, which is a new variant of the LockBit ransomware, it's not certain they are behind it as many other threat actors are running with the leaked LockBit 3.0 builder, also this attack is not listed on the resurrected LockBit leak site. Entry to systems was due to disabling the Windows Defender security which allowed malware to be installed. While more information is still forthcoming, it'd be a good idea to verify an alert would trigger, and be responded to, when security services were disabled.

9. Japan’s space agency hit by series of cyberattacks since last year, official says

   The Japan Aerospace Exploration Agency (JAXA) has experienced several cyberattacks over the past year. Officials say that the incidents have not compromised sensitive rocket and satellite data. Japan's Chief Cabinet Secretary, Yoshimasa Hayashi, says security officials are taking steps to protect JAXA systems from future attacks.

   Space exploration and research is known for extensive collaboration between the public and private sectors. As such, having reachable servers and services is common. The hard part for all of us supporting wide collaboration is to not only ensure the components involved are patched and secured, but to also move to more secure practices. Beyond moving to modern technology, I know that FTP server still works but..., but also embracing modern security practices, such as MFA, endpoint signaling before allowing connections, and comprehensive logging/monitoring with automated responses. Look for untapped capabilities in existing services which could be good candiates to raise the bar in a non-disruptive fashion.

10. After 2 hacks, CDK Global warns customers of social-engineering attacks

    Automobile dealership software-as-a-service (SaaS) provider CDK Global has set up interactive voice-response lines for customers to obtain information about the ransomware attack that has disrupted operations at its customers’ organizations. A message on that system from CDK says that threat actors are contacting automobile dealerships, claiming to be from CDK and trying to gain deeper access to the dealerships’ systems.

    Seeing blood in the water, attackers are cranking up their social engineering playbook. If you and your team haven't participated in a social engineering village, you need to, even if on video, to see just how effective these techniques are. Don't forget it's not that hard to create legitimate looking correspondence or other communication, encourage staff to verify if they have any doubts about a request for access or information. Remember to call your known-good contact, not the information in the email/document/etc.

11. LivaNova USA Discloses Data Breach Impacting 130,000 Individuals

    UK-based medical device company LivaNova is notifying nearly 130,000 individuals that their personally identifiable information was compromised in a cyberattack in late October 2023. LivaNova became aware of the incident in mid-November 2023, and a subsequent investigation determined that the intruders stole names, addresses, Social Security numbers, medical information, and health insurance information, and other data. LivaNova disclosed the incident in late April, shortly after the extent of the breach was determined.

    LivaNova was still refining the extent of the October 26th breach, which they detected November 19th, in April, during which 2.2 terabytes of data was exfiltrated by LockBit. LockBit claimed responsibility for the attack in December. They were notifying US based individuals in April, and started notifying non-US based individuals in May, they are not offering credit monitoring, but rather pointing folks to free credit monitoring services. While the timeline is tricky to follow, they fixed the vulnerable systems and services right away, but the identification of affected individuals took a lot longer than expected. Make sure you are aware of where your sensitive data is, so you can rapidly identify what is affected in an incident.

12. Push Notification Fatigue Leads to LA County Health Department Data Breach

    According to a breach notification letter the Los Angeles (California) Department of Public Health sent to individuals whose data were compromised in a February 2024 cyberattack, the attackers gained access to the system through “push notification spamming.” The perpetrators inundated an employee with fraudulently-generated multi-factor authentication (MFA) approval requests from their Microsoft 365 account, one of which the recipient approved.

    Push Notification Fatigue is not theoretical, it's a thing, which is why you're getting pushed towards phishing resistanat MFA. Don't throw your existing MFA under the bus, it's better than mere passwords, it's that attack techniques have evolved to circumvent many of the less robust MFA options. The good news is you probably already have staff chomping at the bit to roll out passkeys, FIDO2, Certificate Based Authentication, or other robust options. Let them loose on a POC or two, then pick one to deploy this year.

13. Remove Polyfill.io code from your website immediately

    The polyfill.io domain is being used to infect more than 100,000 websites with malware after a Chinese organization bought the domain earlier this year. Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it.

    The site offered polyfills – useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers.

    Now we're told polyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser.

Sam Bowne

1. Phoenix UEFI vulnerability impacts hundreds of Intel PC models

   A newly discovered vulnerability in Phoenix SecureCore UEFI firmware tracked as CVE-2024-0762 impacts devices running numerous Intel CPUs, with Lenovo already releasing new firmware updates to resolve the flaw. The vulnerability, dubbed 'UEFICANHAZBUFFEROVERFLOW,' is a buffer overflow bug in the firmware's Trusted Platform Module (TPM) configuration that could be exploited to perform code execution on vulnerable devices.

   The flaw was discovered by Eclypsium, so I assume Paul knows more about it.

2. Payoff from AI projects is ‘dismal’, biz leaders complain

   The financial benefits of implemented projects have been dismal. Forty-two percent of companies have yet to see a significant benefit from their generative AI initiatives.

3. New Wi-Fi Takeover Attack—All Windows Users Warned To Update Now

   All supported versions of Windows have a buffer overflow vulnerability in the Wi-Fi drivers. CVE-2024-30078 does not require an attacker to have physical access to the targeted computer, although physical proximity is needed. Exploiting this vulnerability can allow an unauthenticated attacker to gain remote code execution on the impacted device.

4. Snowblind malware abuses Android security feature to bypass security

   A novel Android attack vector from a piece of malware tracked as Snowblind is abusing "seccomp", a security feature. Seccomp is a Linux kernel security feature designed to reduce the attack surface of applications by restricting the system calls (syscalls) they can make. It acts as a filter for the syscalls an app is allowed to run, blocking those that have been abused in attacks. Snowblind injects a native library which loads before the anti-tampering code, and installs a seccomp filter to intercept system calls, enabling the attackers to steal sensitive information without alerting the user.

5. ID Verification Service for TikTok, Uber, X Exposed Driver Licenses

   A company that verifies the identities of TikTok, Uber, and X users, sometimes by processing photographs of their faces and pictures of their drivers’ licenses, exposed a set of administrative credentials online for more than a year potentially allowing hackers to access that sensitive data.

6. Researchers upend AI status quo by eliminating matrix multiplication in LLMs

   Running AI models without floating point matrix math could mean far less power consumption. Researchers describe creating a custom 2.7 billion parameter model without using MatMul that features similar performance to conventional large language models (LLMs). By using a custom-programmed FPGA chip that uses about 13 watts of power, this model consumes far less power than traditional LLMs.