Security Certification – Rohit Misuriya, Sumit Siddharth – PSW #791

"In its blog post, Microsoft said the hackers acquired one of its consumer signing keys, or MSA key, which the company uses to secure consumer email accounts, like for accessing Outlook.com. Microsoft said it initially thought the hackers were forging authentication tokens using an acquired enterprise signing key, which is used to secure corporate and enterprise email accounts. But, Microsoft found that the hackers were using that consumer MSA key to forge tokens that allowed them to break into enterprise inboxes. Microsoft said this was because of a “validation error in Microsoft code." - The debate whether or not this is a Zero Day threat, or at least is classified as one, is very interesting. I believe we need a separate classification for stolen or lost keys. It's worse than a zero-day in my opinion. An attacker with the right keys can forge software in a much more reproducible and stable manner than, say an 0-day for a buffer overflow vulnerability. There are protections against exploits, albeit there are known workaround, protections exist. If an attacker has a key it's tougher to defend against.

This is pretty awesome: "LolDriverScan is a golang tool that allows users to discover vulnerable drivers on their system. This tool fetches the loldrivers.io list from their APIs and scans the system for any vulnerable drivers This project is implemented in Go and does not require elevated privileges to run." - You are looking for these drivers on your systems, right? If not, you should be. There are several ways to do this. For example, there is a Sigma rule for SIEMs on the loldrivers.io site. There are also some YARA rules on the project's Github. This is "new to me" so some may already know about this project, and if you do, and you're using it, share with friends!

"After hiding from discovery attacks, the next biggest 'win' will come from detecting and blocking port scanners. Since I couldn't find any open source code that does this, I built it myself: Nuzzle. This is a lightweight, fast, and efficient packet sniffer that logs every port scan attempt. It watches for ICMP, TCP, UDP, traceroute, and more! It can be used to monitor incoming network traffic, function as an intrusion detection system (IDS), or block scans as an intrusion prevention system (IPS). And best of all, it's one "C" file with no special dependencies. (If you're into vetting with a software bill of materials (SBOM), then this is an easy audit.)" - I think you should do this. I also believe this is a great solution for individuals and small organizations. If you are a small enterprise or greater, take a look at the ASM (Attack Surface Monitoring) market. This is the "what if Paul were CSO" kind of thing, having an ASM would be a must-have, not a should-have.

"A US Department of Justice press release gives no explanations or possible motive for Gallo's alleged actions. However, if the claims are true, then it would suggest that once again an organisation has failed to control who has access to sensitive systems properly. When a member of staff or contractor either leaves the organisation or is assigned a different role within the company, it is essential that rights to systems that they should no longer be able to access are revoked." - Well, obviously he was pissed off about something. Before you go blaming people, I think its super hard to run an organization and never have someone leave who isn't a little bit bitter (or mentally unstable, or just in a bad place, etc..). This is why it's important to have a solid process to remove access when someone leaves.

*"“The fact that somebody else down the road — another child — was bright enough to go, ‘Hey, look, my friend is online, and she's been missing, and I need to tell somebody’” was pivotal, retired Arizona DPS Director Frank Milstead, explained to ABC15. Remember, the poster campaign by Hear Their Voices will have helped raise this local awareness.

After the digital breadcrumbs were picked up, on day 10, the FBI and Nintendo worked to locate the girl’s Switch console via its IP address. She was freed from Roberts’ apartment the next day, and is now at home in Virginia recovering from her ordeal."* - Glad this story ended on a positive note. Monitor your child's Internet communications, I know this is creepy, and I am not telling you how to parent, but its a safety issue. Manually inspecting kid's devices may be the best way to keep them safe. Yes, there is software that can help. In my experience, raising hackers, this stuff will get turned off. Education is essential, the Internet is full of creeps, and your kids need to understand this. There is an Instagram channel where a former MMA fighter confronts child sex preditors after his cohorts pretend to be minors online. It's astonishing just how people creeps there are. Be safe out there!

Neat dictionary attack against Android phones. Cool hardware hack too.

Really cool: "The idea behind USBValve is to have the onboard microcontroller advertise itself as a storage device, pretending to have a filesystem with some common files available. When an unknown USB device is first inserted into the USB port on the USBValve tool, USBValve displays usage information, via the attached OLED screen, on whether the USB device is accessing files it shouldn’t be or immediately trying to write to the filesystem, which is a clear sign of malicious behavior."

"The vulnerability for this oscilloscope starts with an analysis of the firmware, which includes the web control application. To prevent potentially bricking a real oscilloscope, this firmware was emulated using QEMU. The vulnerability exists in the part of the code which involves changing the password, where an attacker can bypass authentication by injecting commands into the password fields. In the end, the only thing that needs to be done to gain arbitrary code execution on the oscilloscope is to issue a curl command directed at the oscilloscope." - Emulating firmware in QEMU is a long process, I applaud the dedication!

"Video gamers know about cheat codes, but assembly language programmers are often in search of undocumented instructions. One way to find them is to map out all of a CPU’s opcodes and where there are holes, try those values, and see what happens. Not good enough for [Ken Shirriff]. He prefers examining the CPU’s microcode and deducing what each part of it does. Microcode is a feature of many modern CPUs. The CPU runs several “microcode” instructions to process a single opcode. For the Intel 8086, there are 512 micro instructions, each with 21 bits. Each instruction has two parts: a part that moves a source to a destination and another that performs some other operation, such as an ALU operation. [Ken] explains it all in the post, including several hidden registers you can’t see, but the microcode can." - Rather than fuzz the known opcodes, basically the researcher reversed the microcode and found undocumented ones. Neat research. Also, I did not know this: "You don’t hear much about undocumented instructions anymore. Why? Because modern CPUs have enough circuitry to dedicate some to detecting illegal instructions and halting the CPU. But the 8086 was squeezed too tight to allow for such a luxury."

"In this work, we perform a case study of applying recent embedded firmware analysis techniques to satellite payload data handling systems. We explore whether FUZZWARE, a state-of-theart firmware fuzz testing system, can be used to these firmware images. During this case study, we also describe and apply the process of manually optimizing FUZZWARE configurations for firmware targets, and measure the impact of different optimizations. Finally, we identify challenging aspects of fuzz testing satellite firmware and directions for future work to optimize fuzz testing performance in a fully automated manner. As part of our case study, we identified and responsibly disclosed 6 bugs in 3 satellite firmware images."

Great work: "We assess the purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth. This assessment is based on observed telemetry and the analysis of functionality in the binary that allows the actor to interact with a remote shell and deploy subsequent binaries. Using Lumen’s global network visibility, Black Lotus Labs has determined the composition of a network that has infiltrated more than 70,000 machines, gaining a persistent hold in more than 40,000 IPs in more than 20 countries. The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we have null-routed the command and control (C2) nodes and impeded traffic through the proxy servers, which rendered the botnet inert across the Lumen backbone." - I stand by my statements that IoT devices are great places to hide. This attack was undiscovered for two years!

Great idea: "The Penetration Testing Findings Repository is a collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test. Weaknesses that are identified and validated become findings in an engagement report." - Wish there were more findings...

This is crazy: "For over 10 years, millions of emails associated with the US military have been getting sent to Mali, a West African country allied with Russia, due to a typo, according to a report from the Financial Times. Instead of appending the military’s .MIL domain to their recipient’s email address, people frequently type .ML, the country identifier for Mali, by mistake."

Oops I pwned myself again: "As it turns out, while infecting computers, La_Citrix accidentally infected his own computer and likely ended up selling it without noticing. We identified La_Citrix while looking at other hackers who were infected by info-stealers and had access to prominent cybercrime forums." - Then he sold access, to his own machine! LOL.

Interesting read, I lost track of all of the shady behavior that all parties involved exhibited.

If its too good to be true, it probably is. This is the case with PoC exploits that contain "malware" (more like malicious behavior). As a researcher, you really want the latest PoC. Attackers also really want access to your system. Have some good opesec though, read code before you run it, do it in a VM, etc... Oh, and monitor for changes to critical files, like authorized_keys.

I still believe this is using people involved with Silk Road as an example. So don't go creating an underground marketplace or you will go to prison for the rest of your life (which doesn't seem fair).

TOMRA, the Norwegian mining and recycling giant, experienced an extensive cyberattack on July 16. The company disconnected selected services to contain the attack and enlisted a team of internal and external resources to work on resolving the situation.

This incident highlights the importance of cybersecurity in the context of critical infrastructure and the potential financial and operational impacts of such attacks. The move towards digital transformation and interconnected systems only increases the potential risk and underscores the need for robust cybersecurity measures.

Exposure of sensitive personal data of numerous professional drivers participating in the FIA World Endurance Championship (FIA WEC).

This incident underscores the importance of proper configuration and security measures for data storage, particularly when handling sensitive personal data. It also highlights the potential for significant harm when such data is exposed, both to the individuals involved and the organization responsible for the breach.

The report underscores the technical intricacies and risks of downloading pirated content, specifically referring to the case of malware embedded within the pirated version of Universal Pictures' The Super Mario Bros. Movie.

This case study underscores the importance of understanding the technical pathways through which malware infections can occur, reinforcing the need for robust cybersecurity hygiene practices and a cautious approach to sourcing online content.

FortiGuard Labs' Global Threat Landscape Report 2022 indicates a growing trend of threat actors using .ZIP top-level domains (TLDs) for phishing attacks. When visited, these domains automatically download a malicious executable file, posing a significant cybersecurity risk.

FortiGuard Labs advises blocking .ZIP domains at the firewall level, using web filters and browser extensions for authenticity checks, double-checking URLs before clicking, and maintaining updated antivirus programs, operating systems, and web browsers.

The findings underscore the importance of understanding the evolving threat landscape, staying updated on emerging threats, and taking proactive steps to mitigate such risks.

Cybersecurity Implications: As AI advances, it introduces new attack vectors. Therefore, it's crucial to implement strong preventive measures, including updated training programs to counter AI-enhanced BEC attacks and stringent email verification processes to guard against AI-driven phishing and BEC attacks. This situation highlights the need for proactive security practices and continuous learning in the face of rapidly evolving cyber threats.

A new generative AI cybercrime tool called WormGPT has been spotted, allowing adversaries to launch sophisticated phishing and BEC attacks. The tool automates the creation of highly convincing fake emails personalized to the recipient, increasing the chances of success for the attack.

Diving into details

WormGPT, an AI module built upon the GPTJ language model, was developed in 2021 and possesses several noteworthy functionalities. These include extensive character support, retention of chat memory, and the ability to format code.

When in the possession of threat actors, tools such as WormGPT can become potent weapons, particularly as OpenAI ChatGPT and Google Bard are increasingly implementing measures to combat the misuse of Large Language Models (LLMs) for creating deceptive phishing emails and generating harmful code.

According to a recent report by Check Point, Bard's security measures against abuse in the realm of cybersecurity are considerably lower compared to those of ChatGPT. As a result, Bard's capabilities make it easier to produce malicious content.

1. Incident Overview: Ashley Liles, a 28-year-old former IT security analyst, has been sentenced to over three years in prison for attempting to extort his employer during a ransomware attack by impersonating the ransomware gang.
2. Execution of the Attack: Leveraging his role at an Oxford-based company, Liles tried to redirect a ransomware payment to his own cryptocurrency wallet by pretending to be the ransomware gang. He intercepted a board member's private emails over 300 times and modified the original blackmail email to change the payment address. Liles also created an email address similar to the attackers' to put more pressure on his employer.
3. Discovery of the Attack: The company did not comply with the ransomware demands, and internal investigations revealed Liles' unauthorized access to confidential emails using his home internet connection.
4. Investigation and Evidence: Liles erased all data from his personal devices upon becoming aware of the investigations. However, the South East Regional Organised Crime Unit (SEROCU) was able to seize his computer and recover incriminating evidence.
5. Legal Proceedings: Initially, Liles denied involvement. However, during a recent court hearing at Reading Crown Court, he pleaded guilty. He was sentenced to three years and seven months for blackmail and unauthorized computer access with intent to commit other offenses.

A threat actor infected their own computer with an information stealer, which has allowed Israeli threat intelligence company Hudson Rock to uncover their real identity.

Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.

La_Citrix, Hudson Rock says, has been observed hacking into organizations and compromising Citrix, VPN, and RDP servers to sell illicit access to them.

The hacker, the cybersecurity firm says, was careless enough to infect their own computer with an information stealer and to sell access to the machine without noticing.

This allowed Hudson Rock to explore the cybercriminal’s computer, which had been used to perpetrate intrusions at hundreds of companies. The computer contained employee credentials at almost 300 organizations, and the browser stored corporate credentials used to perform hacks.

Five weeks after the mass MOVEit breach, new vulnerabilities in the file transfer tool are coming to light as the Clop cyber crime group continues to terrorize victims.

In short a pirated copy of the new Mario Brothers movie was posted online, laden with malware. Click-bait maybe. Reminder any file type can be a malware delivery mechanism - for sure!

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password protected database that contained approximately 2.3 million users.

A suspected scammer who used scareware to trick hundreds of thousands of global victims into handing over money has been arrested by Spanish police. The unnamed Ukrainian national was apprehended at Barcelona’s El Prat airport after managing to evade capture for over a decade, according to the Policia Nacional. They were apparently supported by the FBI and Interpol, which had issued a red notice for the individual’s capture.

A new discussion paper has set out recommendations for the European Union (EU) on how to ensure member states are protected against quantum-enabled cyber-attacks.

The paper emphasized the urgent need for a new EU Coordinated Action Plan to facilitate quantum-secured technologies before ‘Q-Day’ – the point at which quantum computers are able to break existing cryptographic algorithms.

Experts believe this will occur in the next five to 10 years, potentially leaving all digital information vulnerable to cyber-threat actors under current encryption protocols.

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems.

Two ColdFusion vulnerabilities are currently being exploited by hackers to bypass authentication and remotely execute commands to install webshells on exposed servers. On July 11, Adobe disclosed a ColdFusion authentication bypass (CVE-2023-29298) and a pre-auth remote code execution (RCE) vulnerability (CVE-2023-29300). CVE-2023-29300 can be used by unauthenticated visitors to remotely execute commands on vulnerable versions of ColdFusion servers in low-complexity attacks.

Cyber attacks using infected USB infection drives as an initial access vector have witnessed a three-fold increase in the first half of 2023, That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world.

Cybercriminals have developed a generative AI tool called WormGPT designed to help grammatically challenged criminals craft convincing business email compromise (BEC) missives. The crimeware tool has been in development since 2021, but starting last month it is now being promoted on illicit online forums.