Post-Breach: The Hardening Continues – Sean Metcalf – PSW #792

"Because the entire API surface is opened without credential validation, it allows any of the MobileIron API to be used remotely. All you have to do is change the API path by a few characters. The API is publicly documented, the different endpoint path is all you need for exploitation. For example, this allows you run LDAP queries, list user information including potential PII, add administrative users, replace system configuration and change the config of managed mobile devices — including software deployment, device locks and wiping."

So tell me, when an attacker compromises a Peleton at someone's house, just how will they use it to gain access to the corporate/enterprise network? I think this is far-fetched.

AI for firmware reversing? Something to check out.

More Echo Dot "rewting".

This is a crazy story: "CVE-2023-30799 was first disclosed, without a CVE, in June 2022 at REcon by Margin Research employees, Ian Dupont and Harrison Green. At that time, they released an exploit called FOISted that can obtain a root shell on the RouterOS x86 virtual machine. A CVE was assigned last week (July 19, 2023) when VulnCheck researchers published new exploits that attacked a wider range of MikroTik hardware." And this: "In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively." - You need credentials, but many people do not change the defaults, even newer versions make you change the default creds (which wasn't always the case), when they do it will not enforce any password rules for complexity or length. Which means you can still make it blank.

Amazing work (as usual): "The bug works like this, first of all you need to trigger something called the XMM Register Merge Optimization2, followed by a register rename and a mispredicted vzeroupper. This all has to happen within a precise window to work. We now know that basic operations like strlen, memcpy and strcmp will use the vector registers - so we can effectively spy on those operations happening anywhere on the system! It doesn’t matter if they’re happening in other virtual machines, sandboxes, containers, processes, whatever!"

If you're counting CVEs, there is evidence. There is, of course, many other pieces of evidence. Key people, like Kevin Beuamont, have left Twitter and moved to Mastodon and other alternatives.

Key takeaway: "Whenever a privileged process performs operations on a user modifiable part of the filesystem, there is a potential for privilege escalation. Even if the operations performed are as small as a file deletion, the consequences may be significant."

This is new to me, many sites archive website responses and you can find stuff such as "even more links, developer comments, extra parameters".

So here's the method: "Battery Sleuth bypasses both the wireless communication that key fobs depend on and the standardized onboard communication network that’s used in today’s vehicles. Instead, it authenticates drivers by measuring voltage fluctuations in a vehicle’s electrical system. Drivers interact with it through a keypad device plugged into the auxiliary power outlet." - So regardless of how the car is started, you'd have to authenticate to this device first, with a keypad. The researchers, unfortunately for them, said this: “The great thing about the power outlet is its simplicity—it’s just a wire connected to the battery, so there’s nothing to hack,” - Uhm, except someone could guess or brute force the pin or somehow find a bypass by powering the battery some other way? it says it has some safeguards against this: "Battery Sleuth also has defenses to guard against hacking or physical attacks on the device itself, including a siren that sounds if illegitimate activity is detected and a resistor that shuts down the vehicle’s electrical system if an unauthorized power source is connected to the vehicle." - I am also curious how this would work with an electric car.

I'm not sure this is going to work.

"However, these flaws are important for the users because the firm has confirmed not to address these issues. That’s because the SPA500 IP Phones have reached their end-of-life. Consequently, no workarounds exist to mitigate the issues. Therefore, the only way for users to protect their networks from potential threats is to migrate to other devices." - But can't you just disable the web interface on the phones? Also, can't Cisco just fix the vulnerabilities? What's the big deal with fixing it?

"When combined with the No Auth option as described in CVE-2023-34329, any attacker on the host machine where the BMC chip resides, can POST arbitrary code (effectively achieving code execution). Without the No Auth option enabled, the attacker would also need BMC credentials. When combined with prior CVE-2023-34329 vulnerability, an attacker can POST arbitrary code remotely...When both of these vulnerabilities are chained together, even a remote attacker with network access to BMC management interface and no BMC credentials, can achieve remote code execution by tricking BMC into believing that the http request is coming from the internal interface. As a result the attacker can remotely upload and execute arbitrary code, possibly from the Internet, if the interface is exposed to it." - It should be noted that the advice many are giving is correct: Isolate the BMC network. Note I did not say "Do not expose it to the Internet". What I mean is: DO NOT EXPOSE IT TO ANYTHING. Of course, an attacker on this network can compromise all of your BMCs. You have to patch to really get rid of this vulnerability.

Meta (Facebook) continues to receive fines over data privacy violations. Notable examples include a $5 billion payout to the FTC in 2019, $277 million to Ireland in 2022, $414 million to the EU in Jan 2023 and $1.3 billion to the EU in May 2023. Australia has now fined the company $14 million via a civil lawsuit.

The Securities and Exchange Commission voted 3-2 to adopt new regulations that would require publicly traded companies to notify the government when their IT systems are hacked and periodically disclose details around their cybersecurity risk governance in public filings.

New AI-empowered capabilities come familiar pitfalls, like the unauthorized manipulation of, or outright theft of, existing online artwork and images. Watermarking techniques can help mitigate the latter, while the new "PhotoGuard" technique developed by MIT CSAIL could help prevent the former.

PhotoGuard works by altering select pixels in an image such that they will disrupt an AI's ability to understand what the image is.

One of the country’s newest hacking groups (UNC4899) attacked a Colorado-based software company- JumpCloud (and screwed up). Many hackers use VPN services to mask their identity – but this time they exposed their real world TCP/IP address.

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.

The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

In late April, Zyxel released a security advisory for a critical OS command injection vulnerability in its network devices and urged users to apply patches. Five weeks after the fixes were released, Shadowserver said that if devices had not been patched, users/owners should assume compromise.

Seven technology companies – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – have voluntarily committed to the Biden administration’s trustworthy AI principles. The companies have committed to ensuring products are safe before bringing them to market, prioritizing security in the development process, and being clear about which content is in its original form and which has been altered by AI.

We also need to be fully aware that other AI projects, such as WormGPT, are making no such commitment, and are focused on empowering cyber criminals.

July 24, Apple released updates for tvOS, watchOS, and multiple versions of macOS , iPadOS, and iOS. The update includes a fix for the WebKit vulnerability addressed in a recent Rapid Security Response (RSR) update. The updates address a total of 46 CVEs; of those, six are rated critical.

The average cost associated with a data breach in the healthcare sector was $11 million, up 10 percent over last year. The average cost of a data breach globally was $4.45 million. The report is based on data breaches reported by 553 organizations between March 2022 and March 2023.

The encryption behind TETRA radios has been discovered to have a flaw where those communications can be decrypted. The question - implementation flaw or deliberate weakness?

A vulnerability in AMD Ryzen and Epyc Zen 2 CPUs could be exploited to steal sensitive data at a rate of 30KB/sec per core. Dubbed Zenbleed, the flaw was discovered and reported to AMD in May by Google Project Zero’s Tavis Ormandy. AMD has provided firmware updates to address the vulnerability.

Per AMD: under specific microarchitectural circumstances, a register in “Zen 2” CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.