Paul's Security WeeklySubscribe
Security Staff Acquisition & Development, Endpoint/Device Security, Vulnerability Management, Malware, Threat Management

PSW #758 – Ang Cui

Full Audio

View Show Index

Segments

1. Device Paradox: Why Security & Criticality Don’t Overlap in Embedded Systems – Ang Cui – PSW #758

Red Balloon Security CEO Ang Cui has spent over a decade looking into the most critical devices supporting our infrastructure. He explains why the insight that launched his company still holds true, and what it will take for security experts, manufacturers and end users to resolve our insecure stasis.

Segment Resources: https://redballoonsecurity.com/ https://ofrak.com/ https://github.com/redballoonsecurity/ofrak https://redballoonsecurity.com/def-con-30-badge-fun-with-ofrak/ https://www.wired.com/story/ofrak-iot-reverse-engineering-tool/ https://www.bloomberg.com/news/articles/2022-01-11/researchers-show-how-hackers-can-cut-the-lights-with-rogue-code

Announcements

  • Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!

Guest

Founder and CEO at Red Balloon Security

Dr. Ang Cui founded Red Balloon Security in 2011, when he was a doctoral student and part of Columbia University’s Intrusion Detection Systems Lab. His doctoral dissertation, “Embedded System Security: A Software-based Approach,” focused exclusively on scientific inquiries concerning the exploitation and defense of embedded systems. Ang is the creator of Firmware Reverse Analysis Konsole (FRAK) — the forerunner of OFRAK — and Symbiote technology, a novel, host-based defense that operates on embedded devices on the binary level. The RBS team’s success in developing embedded security solutions that harden and provide continuous runtime protection and monitoring of device firmware led to a significant multi-year engagement with HP, which installed Symbiote defense on its enterprise printers in 2015

Ang and the RBS team have uncovered numerous, critical vulnerabilities within ubiquitous embedded devices such as Cisco routers, HP printers, and Cisco IP phones. He also has led research efforts that uncovered vulnerabilities in aerospace infrastructure, building automation systems, electrical grid devices, telecommunications equipment, and ATMs. Ang has participated in many government-led and funded engagements, particularly with DARPA, that bring end users, device vendors, and security experts together to find vulnerabilities and devise new security solutions to protect embedded devices in mission-critical environments. He was named a DARPA Riser in 2015, and is a distinguished presenter of the annual Pwnie Awards (which he sometimes makes himself).

Hosts

Principal Security Researcher at Eclypsium
Professor at Roger Williams University
Executive Director at Guardedrisk
Brainstem Hacker and InfoSec Enthusiast at Redacted
Founder at Infosec Decoded, Inc.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

2. Pig Butchering, Dell Driver FTW, Deep Access, & PHP Supply Chain Attacks – PSW #758

In the Security News: deep access, dell drivers for the win, detecting deep fakes with acoustic tracking, exchanging 0days, I got 99 embedded firmware security problems, executing in SMM, secure boot to the rescue, automation or a crappy pen test, PHP supply chain attacks, pig butchering, fake profiles, & bribing journalists!

Announcements

  • Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.

  • We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!

Hosts

Principal Security Researcher at Eclypsium
  1. 1. Hackers maintained deep access inside military organization’s network, U.S. officials reveal
    This did not seem all that stealthy: "In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files"
  2. 2. Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
    "The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way."
  3. 3. Detecting Deepfake Audio by Modeling the Human Acoustic Tract
    "Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and show that deepfakes often model impossible or highly-unlikely anatomical arrangements." - That is, until a computer can replicate that...
  4. 4. Microsoft Exchange server zero-day mitigation can be bypassed
  5. 5. How to Solve the Common Problems of Embedded Firmware
    Backup memory drives up the cost of the device though, which is why I believe there are so many devices floating around that will never get updates: "A common problem here is interruptions. Simple devices that lack memory size have to rewrite the firmware as soon as they receive the data. If anything interrupts the process, the firmware will be corrupted: for example, if the power shuts off before the installation is complete. In the worst case scenario, the device will brick, and nothing can fix it. If the device has a bootloader, the firmware can be reinstalled. Nevertheless, when you deal with OTA updates, interruptions can be frequent. The problem is commonly fixed with backup memory. When our team worked on a smart home project, it was clear that the device will be updated over the air. Bricking or malfunctioning because of interruptions were not acceptable. Therefore, the team provided the system with backup memory. In this case, the update file is downloaded to the backup memory first. It can be either a file system or a flash memory area. After that, the device runs a data integrity check to make sure no byte was lost or changed during transmission. Only after that, the update is installed. "
  6. 6. An issue was discovered in Insyde InsydeH2O with kernel 5… · CVE-2022-36338 · GitHub Advisory Database
    Basically, an attacker can execute code in SMM outside of SMRAM: "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI." From Binarly: "the handler will try to locate protocol 74d936fa-d8bd-4633-b64d-6424bdd23d24 using the EFI_BOOT_SERVICES which is located outside of SMRAM, hence this call could be hijacked by a possible attacker."
  7. 7. Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors
    "By default, VMware ESXi is configured to accept only the installation of VIBs that are VMWareCertified, VmwareAccepted, or PartnerSupported. At these levels of acceptance, the bundles need to be digitally signed by either VMware or a partner whose signature VMware trusts. However, there is a fourth level of acceptance called CommunitySupported and VIBs in this category do not need to be digitally signed." Secure Boot to the rescue! "When Secure Boot is enabled the use of the ‘CommunitySupported’ acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs (even with the --force parameter as noted in the report),"
  8. 8. Announcing Our Series B – Eclypsium
    Yep, we can talk about this now :)
  9. 9. Vulnerable ≠ Exploitable: A lesson on prioritization
    An automated pen test vs a crappy pen test, who wins?
  10. 10. The secrets of Schneider Electric’s UMAS protocol – Securelist
  11. 11. Pixel 6 bootloader: Emulation, ROP
  12. 12. Pixel6: Booting up
  13. 13. A flaw in the Packagist PHP repository could have allowed supply chain attacks
  14. 14. Securing Developer Tools: A New Supply Chain Attack on PHP
    We demonstrated how we discovered an argument injection in the backend services of the PHP package manager Composer and could successfully exploit it to compromise any PHP software dependency.
  15. 15. Russian Hacker Arrested in India for Reportedly Helping Students Cheat in JEE-Main Exam
  16. 16. URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”
  17. 17. Fake CISO Profiles on LinkedIn Target Fortune 500s – Krebs on Security
  18. 18. Comm100 Chat Service Hacked In A Supply-Chain Attack
  19. 19. Detecting and preventing LSASS credential dumping attacks – Microsoft Security Blog
Professor at Roger Williams University
  1. 1. Political Spam is coming for you.
  2. 2. Tesla has a bit of work to do on Optimus robot
  3. 3. Linux 6.1: Rust to hit mainline kernel
  4. 4. New Android malware ‘RatMilad’ can steal your data, record audio
  5. 5. FBI warns of “Pig Butchering” cryptocurrency investment schemes
Executive Director at Guardedrisk
Brainstem Hacker and InfoSec Enthusiast at Redacted
Founder at Infosec Decoded, Inc.
  1. 1. Tech Journalists Offered Bribes to Write Articles for Major Outlets
    From Dan Goodin at Ars Technica Bribes are $2k - $5k, delivered secretly The marketer claims to have 10-40 writers taking bribes now, publishing on Techcrunch, Forbes and others
  2. 2. Uncle Sam orders federal agencies to step up scans for govt IT security holes
    CISA has ordered federal civilian agencies to scan for and report software vulnerabilities in their IT systems more frequently. They must scan their entire IPv4 space for vulnerabilities every 14 days and update vulnerability detection signatures within 24 hours of availability. This must be working by April 3, 2023.
  3. 3. Never-before-seen malware has infected hundreds of Linux and Windows devices
    Small office routers? FreeBSD machines? Enterprise servers? Chaos infects them all.
Director of Offensive Security & Research at Trimarc Security, Founder & CEO at Dark Element

Related

The 2024 Cybersecurity Market Review – Mike Privette – ESW #387

For our second year now, Mike Privette, from Return on Security and the Security, Funded newsletter joins us to discuss the year's highlights and what's to come in the next 12 months. In some ways, it has been a return to form for funding, though some casualties of a tough market likely had to seek acquisition when they might have otherwise raised...

You can skip this ad in 5 seconds