Malware Trends – Anuj Soni – PSW #801
Full Audio
View Show IndexSegments
1. Malware Trends – Anuj Soni – PSW #801
Anuj joins us to discuss recent trends in malware. What are the malware authors up to lately? What are the latest techniques for reverse engineering malware? Learn about the latest tools and techniques from Anuj! Anuj is a Principal Threat Researcher at Blackberry, where he performs malware research and reverse engineering. He has more than 15 years of experience in malware analysis and incident response. Anuj also brings his problem-solving abilities to his position as a SANS Certified Instructor and author, which gives him the opportunity to impart his deep technical knowledge and practical skills to students.
Segment Resources: https://www.youtube.com/@sonianuj
Announcements
Security Weekly Listeners: We are celebrating the milestone of reaching over 1,000 members of our CISO community. The Cybersecurity Collaboration Forum is a one-stop shop for executive collaboration comprised of CISOs across various industries. If you want to be part of this growing community of CISOs, join us as a member or technology partner. To learn more, visit: securityweekly.com/cybersecuritycollaboration
Join PSW host Larry Pesce at an upcoming event! He’ll be speaking at the 2023 State of Cybersecurity for Medical Devices and Healthcare Webinar on September 23rd. Register at https://tinyurl.com/fs-meddev ! He’ll also be presenting in-person at the 7th annual Cyber Security Summit on Securing the Automotive Software Supply Chain. Learn more about this event at https://tinyurl.com/fs-aisac .
Guest
Anuj is a Principal Threat Researcher at Blackberry, where he performs malware research and reverse engineering. He has more than 15 years of experience in malware analysis and incident response. Anuj is also a SANS Certified Instructor and author, where he is grateful for the opportunity to share his technical knowledge and practical skillset with students. He is the author of the SANS course FOR710: Reverse-Engineering Malware: Advanced Code Analysis and co-author of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques. He is also a YouTube noob (youtube.com/@sonianuj), but persists in trying to create helpful malware analysis videos for anyone interested in watching. When Anuj is away from his computer, you’ll find him working out at the local gym, or with his kids – which is also a workout.
Hosts
2. Fake Dead Grandma’s, No Flipper Zero, Looney Tunables, & $20 Mil For Zero Days – PSW #801
In the Security News: No Flipper Zero for you!, your glibc is hanging out and other Looney Tunables, and it vulnerable, for no reasons, other than the obvious ones, a Russian firm will pay $20m for Android or iPhone 0days, you do what you do and other Exim vulnerability stories, yet another way to become root on Linux, if you ever wanted to read the source code for Sub7, well, now you can, more people want to trash bug bounties (and they are wrong), Curl has something coming, and its not good, tricking AI with your dead grandma’s locket, GPU driver vulnerabilities could lead to something, and the path to the cloud is filled with holes. All that and more on this episode of Paul’s Security Weekly!
Announcements
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Hosts
- 1. Airport seizes of Flipper Zero from passenger’s luggage over security concerns
Dude, just tell them it's a digital pet dolphin..
- 2. Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers
- 3. Qualys Security Advisory
- 4. Exploit available for critical WS_FTP bug exploited in attacks
""From our analysis of WS_FTP, we found that there are about 2.9k hosts on the internet that are running WS_FTP (and also have their webserver exposed, which is necessary for exploitation). Most of these online assets belong to large enterprises, governments and educational institutions." - Also interesting that WS_FTP is owned by Progress Software, same one that has MoveIT.
- 5. 13 Years Ago, Someone Created 184.5 Million BTC Via A Bug Exploit, But…
- 6. The Marvin Attack
What is old is new again: The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key. In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption. In 2018, Hanno Böck, Juraj Somorovsky, and Craig Young have shown 19 years later that many internet servers were still vulnerable to slight variations of the original attack.We show that many implementations previously thought immune, are vulnerable to the timing variant of the same attack."
- 7. A Practical Approach to SBOM in CI/CD Part II — Deploying Dependency-Track
- 8. The Path to the Cloud is Filled with Holes: Exploiting 4G Edge Routers
"MQTT is a publisher-subscriber protocol (pub-sub) aimed at allowing distributed remote communication. Two entities reside within the MQTT protocol: a client that sends and receives messages, and a broker that distributes received messages and routes them to appropriate clients." - When you see MQTT think: "This thing is vulnerable as fudge".
- 9. Retired Device called Home
- 10. Wifi without internet on a Southwest flight
- 11. Six 0day exploits were filed against Exim.
- 12. illwill / Sub7 · GitLab
- 13. (Research) Exploiting HTTP Parsers Inconsistencies
- 14. Russian zero-day seller offers $20M for hacking Android and iPhones
- 15. Robots.txt
- 16. Millions of Exim mail servers exposed to zero-day RCE attacks
""The ZDI reached out multiple times to the developers regarding multiple bug reports with little progress to show for it. After our disclosure timeline was exceeded by many months, we notified the maintainer of our intent to publicly disclose these bugs, at which time we were told, "you do what you do," the ZDI representative said."
- 17. Ransomware group claims it’s “compromised all of Sony systems”
- 18. Vulnerable Arm GPU drivers under active exploitation. Patches may not be available
- 19. Emulating and Exploiting UEFI Firmware
- 20. Progress warns of maximum severity WS_FTP Server vulnerability
- 21. Detroit man steals 800 gallons using Bluetooth to hack gas pumps at station
- 22. root with a single command: sudo logrotate
- 23. AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- 24. BinDiff
- 25. VULNERABLE Kernel Drivers for Security Research
- 26. Bounties Damage Open Source Projects ⚡ Zig Programming Language
- 27. Do Bounties Hurt FOSS?
- 28. Input Validation: Necessary but Not Sufficient; It Doesn’t Target the Fundamental Issue – AppSec & DevSecOps – Discuss
- 29. Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
- 1. Building automation giant Johnson Controls hit by ransomware attack
- 2. Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions
- 3. updated cURL coming… this is bad.
- 4. Why Cybersecurity Insurance Matters
- 5. API Security Common Mistakes
- 6. Exploit available for critical WS_FTP bug exploited in attacks
- 1. Windows 11 Update Includes Integrated Passkeys
The most recent update for Windows 11 includes support for passkeys across the platform. The feature was introduced in June for the Windows Insider program. The passkeys will be created through the Windows Hello biometric authentication tool.
- 2. US State Department Says 60,000 Emails Taken in Alleged Chinese Hack
The US State Department said that hackers took around 60,000 emails in an attack which Microsoft has blamed on China.
Protect sensitive conversations in email with encryption. Encryption of stored email provides need to know protection beyond the encryption in transit already in place.
- 3. ETSI faced a cyberattack
The European Telecommunications Standards Institute (ETSI) has disclosed that it experienced a cybersecurity incident which affected the system dedicated to members’ work. ETSI believes that the attackers exfiltrated a database containing information about its online users.
This body is responsible for the development and testing of technical standards for information and communication including GSM. 3G, 4G, 5G and others, so don't be too hard on them for flaws in their IT system security.
- 4. LinkedIn Messaging used by APT to phish aerospace target and plant novel malware
The malware was disguised as a coding challenge in an executable, which was protected to only decrypted on the intended victim's system, making detection/sandboxing much more difficult. Even so, remind users to beware of recruiters bearing executables, noting that many threat actors, such as the Lazarus group, are really good at social engineering and will work to convince users the payload is benign.
- 5. FBI Warns of New Trends in Ransomware Attacks
The FBI has published a Private Industry Notification (PIN) warning of new trends in ransomware attacks: an increase in organizations being impacted by two or more ransomware variants in quick succession, and new data destruction tactics.
- 6. Mali GPU Driver Vulnerabilities
Arm has released advisories for three vulnerabilities affect its Mali GPU Kernel Driver. One of the vulnerabilities is reportedly being actively exploited. Arm describes the issue as allowing “a local non-privileged user [to] make improper GPU memory processing operations to gain access to already freed memory.” Fixes are available for affected products. Google released fixes for CVE-2023-4211 in September for affected Pixel and Chromebook devices. The issue also impacts Samsung S20/21, Motorola Edge 40, and other Android devices.
For Linux or other systems with the chipset, make sure that you have the appropriate ARM Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0.
- 7. Mass exploitation attempts against WS_FTP have begun
It appears that criminals are now actively exploiting vulnerabilities in Progress Software’s WSFTP Server. Progress released updates to address eight vulnerabilities in the software last week. On September 30, researchers from Rapid7 noticed “exploitation of one or more recently disclosed WSFTP vulnerabilities in multiple customer environments.”
https://www.rapid7.com/blog/post/2023/09/29/etr-critical-vulnerabilities-in-ws_ftp-server/
- 8. Critical vulnerabilities in Exim threaten over 250k email servers worldwide
In June 2022, researchers from Google’s Zero Day Initiative reported six vulnerabilities in Exim email transfer agent to the vendor. The most serious of the issues is an AUTH out-of-bounds write remote code execution vulnerability. Exim has recently begun developing fixes for the flaws. As of 10/3/23, Exim has released fixes for three of the vulnerabilities.
- 9. SSA spooked after daring cyber attack
South Africa's State Security Agency (SSA) alleges that the U.S. CIA and Britain's MI6 hacked its systems to access sensitive and compromising information.
Consider that to them the CIA and MI6 are the state sponsored hackers. Later they say they weren't really sure who hacked.
- 1. Man known for duping sexual predators online killed in confrontation
Robert Wayne Lee, 40, went by “Boopac Shakur” to his nearly 50,000 followers on social media, where he conducted extrajudicial investigations by posing online as a 15-year-old girl to lure alleged predators into meetings. Lee approached two young men at a restaurant about 10:30 p.m. Friday, according to the news release. He accused one of the men of being a pedophile and punched him, prompting the man to pull out a knife, officials said. The other man pulled out a pistol and shot Lee several times, officials said. A recent uptick in the practice has been fueled by right-wing rhetoric about people grooming children and the need to “save the children.”
- 2. Ten Wild Ways People Are Using ChatGPT’s New Vision Feature
It can do kids' homework, and it can also code an app based on a simple handwritten block diagram. This is amazing stuff.
- 3. Researchers show how easy it is to defeat AI watermarks
This summer, OpenAI, Alphabet, Meta, Amazon, and several other major AI players pledged to develop watermarking technology to combat misinformation. But the professor is blunt when he sums up the current state of watermarking AI images. “We don’t have any reliable watermarking at this point,” he says. “We broke all of them.”
- 4. The Path to the Cloud is Filled with Holes: Exploiting 4G Edge Routers
Team82 disclosed critical vulnerabilities in ConnectedIO’s ER2000 edge routers. which act as gateways, connecting IoT devices to the internet. The vulnerabilities affected not only the edge routers, but also the cloud-based device management platform, and the communication protocol used between devices and the cloud An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information.
- 5. ShellTorch: Multiple Critical Vulnerabilities in PyTorch Model Server (TorchServe) (CVSS 9.9, CVSS 9.8) Threatens Countless AI Users – Immediate Action Required
This led to a full chain Remote Code Execution (RCE). There are thousands of vulnerable instances publicly exposed, including of some of the world’s largest organizations — Google, Amazon, Meta, and others. The default configuration of TorchServe accidentally exposes the management interface to the entire world, without any form of authentication, allowing unauthorized access. A new critical (NVD, CVSS 9.8) SSRF vulnerability (CVE-2023-43654) in the management interface allows remote code execution (RCE), supporting configuration uploads from any domain. They can also be hacked remotely with Remote Code Execution while unsafely deserializing a malicious model (GHSA, CVSS 9.9).
- 6. Unzipping Dangers: OpenRefine Zip Slip Vulnerability
OpenRefine is a Java-based open-source data cleaning and transformation tool. With almost 10k stars and ~1.8k forks, it is one of the more popular GitHub projects. We found a Zip Slip vulnerability, caused by inadequate path validation when extracting archives, which may allow attackers to overwrite existing files or extract files to unintended locations. The attacker can execute arbitrary code on the user’s machine:
- 7. CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so
The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable. We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.
- 8. State of the Software Supply Chain
It's bad. Really bad. The number of malicious packages is 245,000--2X all previous years combined. 18.6% of open source projects across Java and JavaScript that were maintained in 2022, are no longer maintained today
- 9. X (Twitter) partners with Google Ad Manager
Elon Musk's embrace of the alt-right has scared away his advertisers, who don't want their ads appearing next to Nazi content. Now Google is partnering with X to bring in more ads, tying Google's reputation to X's. "This is an opportunity to reach X’s vast audience of over 200 million actively engaged daily users using Google Ads’ familiar campaign set-up and targeting tools. It’s worth noting that X doesn’t have the same strict advertising guidelines and practices in place around ad placement, and there is a risk your campaign could appear alongside unrestricted and even offensive content."
- 10. Dead grandma locket request tricks Bing Chat’s AI into solving CAPTCHA
Bing Chat allows users to upload images for the AI model to examine or discuss. Normally, Bing Chat refuses to solve CAPTCHAs. X-user Denis Shiryaev devised a visual jailbreak that circumvents Bing Chat's CAPTCHA filter by tricking it into reading the inscription on his imaginary deceased grandmother's locket.
- 11. Researchers find LLMs like ChatGPT output sensitive data even after it’s been ‘deleted’
According to the scientists, there’s no universal method by which data can be deleted from a pretrained large language model. If an LLM was trained on sensitive banking information, there’s typically no way for the AI’s creator to find those files and delete them. Instead, AI devs use guardrails such as hard-coded prompts that inhibit specific behaviors or reinforcement learning from human feedback (RLHF). But the sensitive data can still be extracted 38% of the time by whitebox attacks and 29% of the time by blackbox attacks.
- 12. An AI dating app claims to find your perfect match using only your face
Rather than create an entire dating profile, all the app requires is one selfie from users. It then uses an AI algorithm to examine personality traits it identifies in your face and recommends potential partners based on their compatible traits. It had an accuracy rate of around 87%, adding that the 77% response rate of SciMatch's users was also higher than that of Tinder.
- 13. KubeHound: Identifying attack paths in Kubernetes clusters
"Defenders think in lists, attackers think in graphs; as long as this is true, attackers win." KubeHound is a toolkit for visualizing attack paths in Kubernetes deployments. The aim is to shift the mental model of Kubernetes security from list-based thinking to graph-based thinking and help defenders to regain the advantage.
- 14. After being demoted and forced to retire, mRNA researcher wins Nobel
Biochemist Katalin Karikó and immunologist Drew Weissman won the Nobel Prize in Physiology or Medicine for mRNA work crucial to the rapid development of the life-saving mRNA COVID-19 vaccines. However, their early work was unappreciated and she had difficulty getting grants, leading U Penn to demote her, and finally force her to retire.
- 15. ‘IDK what to do’: Thousands of teen boys are being extorted in sexting scams
Predators befriend victims online under false pretenses, entice them to send incriminating photos and then demand payment under threat that they’ll expose the photos to family and friends. The number of sextortion cases targeting young people “has exploded in the past couple of years,” with teen boys being specific targets, said Lauren Coffren, executive director of the Exploited Children Division at the National Center for Missing and Exploited Children (NCMEC). “They’re using shame, embarrassment and fear, and they’re tapping into that,” Coffren said. “They’re exploiting children’s worst nightmares.”
- 16. $260 Million AI Company Releases Undeletable Chatbot That Gives Detailed Instructions on Murder, Ethnic Cleansing
Mistral, an AI company founded by former Google and Meta alums pushed an “unmoderated” model into the world that will readily tell users how to kill their wives or restore Jim Crow-style discrimination. It's distributed as a magnet link to a torrent file, so it cannot be taken down. Safety was not evaluated or even mentioned in their public comms. If the intention was to share an ‘unmoderated’ LLM, then it would have been important to be explicit about that from the get go. “As a well-funded org releasing a big model that is likely to be widely-used, I think they have a responsibility to be open about safety, or lack thereof. Especially because they are framing their model as an alternative to Llama2, where safety was a key design principle.”