Destructive Firmware, Keys to the Kingdom, the Device Level, & 5 CyberSec Myths – PSW #746
In the Security News for this week: ICS training bill, 5 myths, VoIP devices and ransomware, miracle exploits, UnRAR and Zimbra, guess what the most common weakness is, security at the device level is NOT simple, keys to the kingdom, and HP says destructive firmware attacks pose a significant threat to businesses!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Hosts
Paul Asadoorian
Principal Security Researcher at Eclypsium
- 1. House Passes ICS Cybersecurity Training Act: "CISA must ensure its efforts include: Virtual and in-person training and courses provided at no cost to participants; Training and courses available for different skill levels, including introductory-level courses; Training and courses that cover cybersecurity defense strategies for industrial control systems, including an understanding of the unique cybersecurity threats facing industrial control systems and the mitigation of security vulnerabilities in industrial control systems technology..."
- 2. Top 5 Myths Of Cyber Security Debunked: "I have a firewall, so I’m safe from attacks."
- 3. CrowdStrike: Ransomware Actor Caught Exploiting Mitel VOIP Zero-Day: "According to CrowdStrike researcher Patrick Bennett, the ransomware actor performed a novel remote code execution exploit on the Mitel MiVoice Connect appliance and went to lengths to perform anti-forensic techniques on the VOIP appliance to cover their tracks. The vulnerability, patched by Mitel without acknowledgement of the zero-day exploitation, is rated “critical” and affects a component of Mitel’s MiVoice Connect."
- 4. Mitel VoIP Bug Exploited in Ransomware Attacks
- 5. Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services: "Oracle has patched a remote code execution (RCE) vulnerability impacting Oracle Fusion Middleware and various other Oracle systems. Security researchers ‘Peterjson’ and ‘Jang’ reported a pair of severe flaws to Oracle that can be chained to achieve RCE, which they dubbed the ‘Miracle Exploit’."
- 6. New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers: "This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network. The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., "......tmp/shell") so as to bypass current checks and extract it outside of the expected directory."
- 7. New ‘FabricScape’ Bug in Microsoft Azure Service Fabric Impacts Linux Workloads
- 8. Cyberattack halted the production at the Iranian state-owned Khuzestan Steel company
- 9. The curious tale of a fake Carrier.app
- 10. NSA, CISA say: Don’t block PowerShell, here’s what to do instead
- 11. Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills – Schneier on Security
- 12. SEC Proposes New Cybersecurity Rules for Public Companies
- 13. 7-Zip Now Includes Mark-of-the-Web Security Feature Support
- 14. A wide range of routers are under attack by new, unusually sophisticated malware
- 15. FCC commissioner wants Apple, Google to remove TikTok from App Stores
- 16. Firefox 102 fixes address bar spoofing security hole (and helps with Follina!)
- 17. Cybersecurity Researchers Launch New Malware Hunting Tool YARAify
- 18. LockBit 3.0 Ransomware Launches ‘Bug Bounty Program’
- 19. Mitre shared 2022 CWE Top 25 most dangerous software weaknesses. And the winner is, still, and you guessed it: Out-Of-Bounds Write (e.g. memory corruption, buffer overflow): https://cwe.mitre.org/data/definitions/787.html
- 20. Implementing Zero-Trust? Don’t Forget About Printers. Yea no, this is like advice from 20+ years ago, and it's not complete zero trust: "Unlike other IT systems, zero-trust for printing primarily involves putting printers into a separate, controlled environment (network) and closely regulating and monitoring who has access to those printers." Fight me.
- 21. How APTs Are Achieving Persistence Through IoT, OT, and Network Devices: "The good news is that security at the device level is simple to achieve. While new vulnerabilities will constantly emerge, most of these security issues can be addressed through password, credential, and firmware management, as well as through basic device hardening." Except when you can't do any or all of those things because you can't change the password (esp. if it's a backdoor in the firmware), the device does not have authentication at all, there is a web application vulnerability (or 10), and you can't update the firmware because it's no longer supported by the vendor and they stopped making updates.
- 22. The Keys to the Kingdom: "The signature check was performed only on the code region specified in the header. As long as the original header, code, and signature were unmodified, the bootloader would boot the image. A quick test proved this to be the case. An image with extra data appended booted successfully, with the extra data being ignored. Since all flash memory on this device is executable, I could simply jump to extra code appended to a valid update image." and then: "My payload was simple: Erase the original public key from flash and write the new key in its place. On subsequent reboots, the bootloader would accept new firmware images signed with the new key—one the client now keeps in a couple of safe places." - nice hack!
- 23. Destructive firmware attacks pose a significant threat to businesses – Help Net Security. According to an HP survey: "(83%) IT leaders say firmware attacks against laptops and PCs now pose a significant threat, while 76% of ITDMs said firmware attacks against printers pose a significant threat." and "More than two-thirds (67%) of IT leaders say protecting against, detecting, and recovering from firmware attacks has become more difficult and time-consuming due to the increase in home working, with 64% saying the same of analyzing the security of firmware configuration." and "Despite the clear risks that destructive firmware attacks pose to organizations, device security is not always a major consideration in the hardware procurement process, with many organizations continuing to use technologies that are not built with security in mind." - Like my MSI laptop, which has not seen a firmware update in years, because, well, they haven't made one. Talk to me about updating the DBX...
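The mixed-slash symlink problem from item 6, as an added example that is not UnRAR or Zimbra code: a containment check for archive entries and their symlink targets that treats backslashes as separators before it normalises, next to the kind of check that only looks for a literal "../". The extraction root and the entry names are constructed values.

```python
import posixpath

# Added example, not code from UnRAR, Zimbra or the article. The archive
# format treats both "/" and "\" as separators, so an extractor that only
# searches for "../" before converting backslashes can be walked out of the
# extraction directory by a target mixing the two (assumed modelling of the
# bug the article describes). The fix: normalise both separators first.


def normalise_entry_path(path):
    """Treat backslashes as separators, then collapse "." and ".." segments."""
    return posixpath.normpath(path.replace("\\", "/"))


def naive_rejects(path):
    """The kind of check that gets bypassed: looks only for a literal '../'."""
    return path.startswith("/") or "../" in path


def _is_under(root, candidate):
    return candidate == root or candidate.startswith(root + "/")


def entry_is_safe(extract_root, entry_name, link_target=None):
    """True if the entry, and its symlink target if any, stay inside extract_root."""
    root = posixpath.normpath(extract_root)
    dest = posixpath.normpath(posixpath.join(root, normalise_entry_path(entry_name)))
    if not _is_under(root, dest):
        return False
    if link_target is not None:
        target = normalise_entry_path(link_target)
        if target.startswith("/"):
            return False  # an absolute link target never stays inside the tree
        # Resolve the target relative to the directory that will hold the link.
        resolved = posixpath.normpath(posixpath.join(posixpath.dirname(dest), target))
        if not _is_under(root, resolved):
            return False
    return True
```

A path check at parse time is necessary but not sufficient: a later entry can still be written through a symlink extracted earlier, so the writer also needs a realpath check against the on-disk destination at write time.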
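The bootloader flaw quoted in item 22, as an added example that is not the article's code: a verifier that authenticates only the header-declared code region accepts an image with bytes appended, while one that also requires the signed region and the tag to account for every byte rejects it. The image layout, the key and the use of HMAC-SHA256 in place of a public-key signature are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Added example, not the bootloader from the article. Layout is assumed:
# header = <u32 code_len, u32 reserved>, then code, then a 32-byte tag over
# header + code. HMAC-SHA256 with a constructed key stands in for the real
# public-key signature; only the coverage logic is the point.

HEADER_FMT = "<II"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes
TAG_LEN = 32


def build_image(key, code):
    """Produce a well-formed image whose tag covers header + code."""
    header = struct.pack(HEADER_FMT, len(code), 0)
    tag = hmac.new(key, header + code, hashlib.sha256).digest()
    return header + code + tag


def verify_header_region_only(key, image):
    """The weak check: authenticates only the region the header points at."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False
    code_len, _ = struct.unpack_from(HEADER_FMT, image)
    signed_end = HEADER_LEN + code_len
    expected = hmac.new(key, image[:signed_end], hashlib.sha256).digest()
    # compare_digest returns False on a length mismatch (truncated tag).
    return hmac.compare_digest(expected, image[signed_end:signed_end + TAG_LEN])


def verify_whole_image(key, image):
    """The hardened check: every byte must belong to the signed region or the tag."""
    if not verify_header_region_only(key, image):
        return False
    code_len, _ = struct.unpack_from(HEADER_FMT, image)
    return len(image) == HEADER_LEN + code_len + TAG_LEN
```

Exact-length coverage is only half of what the story calls for: the public key itself sat in writable flash, so it also needs a write-protected or one-time-programmable home.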
Joshua Marpet
Executive Director at Guardedrisk
Tom Lonardo
Associate Professor at Roger Williams University
Tyler Robinson
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element