Ubiquiti Breach, Tesla, PHP, & More Sagas – PSW #689

"The root cause of the problem turned out to be Netmask’s incorrect evaluation “of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound" (https://portswigger.net/daily-swig/ssrf-vulnerability-in-npm-package-netmask-impacts-up-to-279k-projects), "For example, a remote unauthenticated attacker can request local resources using input data 0177.0.0.1 (127.0.0.1), which netmask evaluates as public IP 177.0.0.1. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (87.0.0.1) as localhost, yet the input data is a public IP and potentially cause local and remote file inclusion (LFI/RFI)" (https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md)

Basically, how do we prevent creating Skynet? - "The article describes how engineers discovered a surprising feature relating to the now defunct Google Project Loon, which was intended to make the Internet universally available using balloons rather than satellites. They observed that, on a trip from Puerto Rico to Peru, the balloon began tacking, which is the method used with sailboats for changing direction. Not that that is particularly startling, except that they had never taught the AI how to do that—it did it all by itself! While this was a “gee whiz moment,” it portends what might be one of the greatest dangers of AI (artificial Intelligence) systems, namely, acting autonomously in unanticipated and possibly dangerous ways."

"Turing was selected to appear on the note?…?in recognition of his groundbreaking work in mathematics and computer science, as well as his role in cracking the Enigma code?…?in World War II. … [It] incorporates a number of designs linked to Turing’s life and legacy. These include technical drawings for the bombe, a decryption device used during WWII; a string of ticker tape with Turing’s birthday rendered in binary?…?a green and gold security foil resembling a microchip; and a table and mathematical formulae taken from one of Turing’s most famous papers." Also: "It’s a way to let the UK honor historic people. But don’t pretend like it’s some big feat or victory for oppressed people. Pardoning and putting a him on a note doesn’t undo that."

Recovering from the SEO hits you take from a website compromise could be impactful: "When a business website become a victim of hackers, it can have below mentioned impacts, Website traffic can be redirected to third party servers., Error 50X, internal server error can be generated., Massive 404 errors, content not found can be caused across the website.,Websites can be infected with malicious code, which can spread infections to all visitors., Websites can be infected by phishing attacks to trick visitors."

So many privilege abuses in the Linux Kernel: "Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel."

Awesome article explaining XPath injections, with examples from a CTF.

"Microsoft last year released a line of "Secured-Core" Windows 10 PCs as part of a partnership with Intel, Qualcomm, and AMD, to help businesses better defend against attacks that attempt to interfere with the boot process. Last June, it added a UEFI scanner to Microsoft Defender Advanced Threat Protection to assess the security posture inside of a firmware file system. However, even though Microsoft working to expose firmware visibility, "I don't think we yet have the total picture," he says, and it's a challenge to observe attacks taking place below the operating system. What's more, not all businesses can shift to new hardware in the near term, and many security teams are juggling too many other issues to prioritize firmware."

Interesting to think about hacking these, like in a battle, executing order 66! - "The technology is based on Microsoft’s HoloLens headsets, which were originally intended for the video game and entertainment industries. Pentagon officials have described the futuristic technology — which the Army calls its Integrated Visual Augmentation System — as a way of boosting soldiers’ awareness of their surroundings and their ability to spot targets and dangers."

Interesting story, crime doesn't pay (though as a criminal you may have to pay): "Hey, it’s been a while, but Sammy just got sent a cease and desist from Chick-Fil-A. He has to pay restitution."

Holy crap, what a saga...

Holy crap, what another saga!

So, moral of the story, the cloud is more security?

"The way the engine manages to restrict the power so effectively from 485 HP/475 pound-feet or 707 HP and 650 lb of torque is by limiting the engines to a 675 rpm idle."

"You have to open its About window, select one of the files, and type MORTIMER. Names of the program's developers will start scrolling"

I feel like this is a hacker thing like someone asked the question: "What would wine taste like if it were aged in zero gravity?".

Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.

China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk's cars from entering any Chinese military complexes or housing compounds.

Malicious actors pushed two malicious commits to the "php-src" Git repository maintained by the PHP team on its "git.php.net" server Sunday in an attempt to add backdoors to and compromise the PHP code base. PHP maintainers have migrated the official PHP source code repository to GitHub.

The whistleblower said that attackers were able to obtain administrative access to AWS Ubiquiti databases using credentials stored in and stolen from an employee's LastPass account, which allowed them to access AWS accounts, S3 buckets, app logs, SSO cookie secrets, and all databases, including those containing user credentials.

OpenSSL has released an advisory about two high-severity vulnerabilities (CVE-2021-3449 and CVE-2021-3450) affecting its products that could be leveraged by attackers to create a denial-of-service (DoS) condition or prevent the Certificate Authority (CA) from issuing certificates.

A new, "sophisticated" Android spyware app disguising itself as a software update has been discovered by researchers. Once installed on a device, the compromised device is registered with a Firebase C&C server that issues commands while a dedicated C&C server manages data exfiltration. Information collected by the RAT is said to include GPS data, SMS messages, contact lists, call logs, images and video files, and microphone audio.

A group of tax scammers has been identified leveraging manipulated personal information, high-definition photos, and a fake video to hack the government-run facial recognition system used by the State Taxation Administration, which allowed their registered shell company to issue bogus tax returns to clients. $500M Yuan ($76.2M USD)

"Mamba" ransomware has been identified abusing the "DiskCryptor" (HDDCryptor, HDD Cryptor) open-source tool to encrypt entire hard drives.

The "Evil Corp" cybercrime gang has been spotted using the "Hades" ransomware to evade sanctions levied in December 2019 by the U.S. Department of Treasury's (Treasury) Office of Foreign Assets Control (OFAC).