AI & LLMs – Josh More, Matthew Carpenter – PSW #808
Segments
1. AI and LLMs – Think of the Children – Josh More – PSW #808
What will the future bring with respect to AI and LLMs? Josh has spent some time thinking about this and brings us some great resources. We'll discuss how to get students involved with AI in a safe and ethical manner. How can we use AI to teach people about cybersecurity? What tools are available and where do they fit into our educational systems that must change and adapt to the times? Join us for a fun discussion on what the future looks like with AI and the youth of today.
Segment Resources: https://docs.google.com/document/d/103FLvNRSwBhq-WgCbuykMvweT6lKf2lAASuP8OuuKIw/edit#heading=h.3inodmot2b77
Guest
Josh is the Owner and President of Eyra Security, an information security and business improvement consulting firm that specializes in helping startups and organizations in transition take advantage of lean and agile methods, open source technology, and varied frameworks used for security, risk management, and compliance. Josh is an active member in the information security community – though more active behind the scenes these days. Josh is affiliated with IANS Research and retains ties to the SANS community, ISSA, Agile Iowa, OWASP, DC612, Central Iowa Area Linux Users Group and Infragard.
In pre-COVID times, Josh used to go to security conferences and travel the world taking photos of critically endangered species in between consulting engagements. Today, after taking a hiatus from writing and editing several books, Josh is once again working on a new book, this one focused on vendor management, as well as cross-curricular efforts pulling from other industries and niches of IT.
2. AI, LLMs and Some Hardware Hacking – Matthew Carpenter – PSW #808
Our good friend Matt Carpenter joins us to share his thoughts on what's going on in the world of AI and LLMs. Matt is also a hacker specializing in hardware and the crew has some amazing hardware hacking topics to discuss (as usual).
Segment Resources: https://garymarcus.substack.com/p/has-sam-altman-gone-full-gary-marcus
Guest
Matt Carpenter is an exploitation expert and hacking-tool developer, and a Senior Principal over Cyber Physical Research at GRIMM. With over 40 years of computing experience, Matt has twiddled with bits, photons, electrons, assembly, emulation, symbolic analysis, firmware, and software, i.e., he is a hardware/radio/software reverse engineer and hacker. Matt has contributed to open-source tools like CanCat, GoodFET, RfCat, and Vivisect.
Even though he contributed to the first public VMware Escape, when asked, Matt will tell you his super power is surrounding himself with amazing people. His greatest accomplishments include mentoring, relentlessly seeking understanding, and his kids.
Technology Anthropomorphizer, Systems Thinker
3. Vulnerability Reporting, Zyxel, GPS Spoofing – PSW #808
We navigate through dangerous cyber terrain, examining real-world examples like the WebP library and the Curl vulnerability. Critical issues in Zyxel firewalls will also be unmasked as we shed light on the urgency of improving vulnerability reporting and cataloging and addressing the often-overlooked problem of overclassifying harmless software bugs.
We then shift gears to tackle the tricky subject of software vulnerability identification, focusing on a specific CVE that sparked intriguing debates. Learn why pinpointing the source of the vulnerability is vital to effective SBOMs. The journey doesn't end there: we'll uncover a newly discovered Bluetooth vulnerability, aptly named 'BLUFFS', and discuss its potential for exploitation, along with the ingenious solutions proposed by the researchers who unearthed it.
Brace yourself for a riveting finale as we delve into Akamai's recent research on DVR and router attacks, explore the risks of GPS spoofing, and discuss the importance of detection mechanisms. We'll also scrutinize the stereotype of hackers in pop culture, address the importance of handling vulnerabilities in software, and highlight the pressing issue of ransomware targeting healthcare. So buckle up and join us for this critical exploration into the world of software vulnerabilities as we decode the complexities and debunk some security myths.
- 1. Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access
- 2. Hackers spent 2+ years looting secrets of chipmaker NXP before being detected
"Its chips are used in iPhones and Apple watches to support advanced near-field communications security mechanisms such as tag originality, tamper detection, and authentication for Apple Pay. NXP also provides chips for the MIFARE card used by transit companies, FIDO-compliant security keys, and tools for relaying data inside the networks of electric vehicles. Some security researchers said it was surprising that NXP officials didn’t inform customers of the two-year intrusion by threat actors, often abbreviated as TAs." - This is a big deal. It represents a potential supply chain attack, and yet there is a lot of denial, and no one is really talking about it. Let's talk about it! - Also, Jake is talking about it (thank you Jake!): https://infosec.exchange/@malwarejake/111477602993876340
- 3. Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens
- 4. InfectedSlurs Botnet Spreads Mirai via Zero-Days
Looks to me like there is a remotely exploitable NTP service on NVRs and at least one router module. Details are hard to come by as they are giving vendors time to roll out a patch, but it could also be that this requires a login, and attackers are using default credentials to log in, then leverage a vulnerability to gain RCE. I am also concerned about the supply chain as I believe there will be more devices at risk as component re-use is common in IoT and network devices.
- 5. CVE-2023-43177: Critical Unauthenticated RCE Vulnerability in CrushFTP
- 6. UK and South Korea: Hackers use zero-day in supply-chain attack
- 7. How to Fortify Your Docker Containers: A Guide to Advanced Security Practices
- 8. Analysis of CVE-2023-46214 + PoC
- 9. How to voltage fault injection
- 10. aquasecurity/trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
- 11. The problems with vulnerability reporting
We have problems: "These incidents also illustrate how inadequately reporting and cataloging vulnerabilities could lead to a potential cascade of missed opportunities to fix dangerous bugs. Moreover, in some cases, the current opaque bug reporting system can lead to the irreversible overclassification of harmless software bugs as vulnerabilities, leaving software makers with little recourse for correcting these mistakes and forcing them to spend time dealing with the knock-on effects of these errors." - How do we fix them?
- 12. Our audit of PyPI
- 13. Detailed data on employees of U.S. national security lab leak online
- 14. Commercial Flights Are Experiencing ‘Unthinkable’ GPS Attacks and Nobody Knows What to Do
This is crazy: "The entities behind the novel spoofing attacks are unknown, but Humphreys said that he and a student have narrowed down possible sources. “Using raw GPS measurements from several spacecraft in low-Earth orbit, my student Zach Clements last week located the source of this spoofing to the eastern periphery of Tehran”" and observed in the wild: "In late September, multiple commercial flights near Iran went astray after navigation systems went blind. The planes first received spoofed GPS signals, meaning signals designed to fool planes’ systems into thinking they are flying miles away from their real location. One of the aircraft almost flew into Iranian airspace without permission."
- 15. Netflix bug that opened smart TVs to attacks is detailed, 4 years later
- 16. Windows Hello Fingerprint Authentication Bypassed on Popular Laptops
- 17. North Korean Software Supply Chain Attack Hits North America, Asia
- 18. Researcher flags OpenCart security issue, founder rages
This is not how you handle vulnerability disclosure: "As a last resort to get the issue fixed, Brollo says he again tried to contact administrators via the OpenCart forums. A day later, Kerr gave his first response via email saying: "Ur a fucking tim.e waster!", according to a screenshot Brollo shared in his disclosure blog, which was published three days after Kerr's email. That same day, Brollo took to OpenCart's GitHub and opened a pull request with a hotfix for the issue, but the OpenCart administrator closed it immediately, marking it as spam and a "non vulnerability." - How do you handle it? It's a great question. Should you fix every bug? Probably. Should you have a safe and secure way to handle reports? Yes.
- 19. USB worm unleashed by Russian state hackers spreads worldwide
- 20. Hackers Hijack Industrial Control System at US Water Utility
- 21. Patch Now! Tecno 4G Portable WiFi TR118 Firmware Flaw Exposes Devices
- 22. Denmark Faces Unprecedented Cyber Onslaught: 22 Energy Companies Breached
This relates to our discussion of CVE. So we have https://nvd.nist.gov/vuln/detail/CVE-2023-4398 - a recent CVE detailing an integer overflow in QuickSec IPSec software on Zyxel firewalls. The CVE in this case calls out that it exists in QuickSec. The RCE used against the Danish ICS systems was noted as https://nvd.nist.gov/vuln/detail/CVE-2023-28771 - This vulnerability is exploitable remotely for code execution, test it for yourself: https://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html. Zyxel is the CNA for both CVEs. However, what we really need is a way to identify this vulnerability as being associated with QuickSec, which is VPN software created by a company that was bought by other companies in a chain of acquisitions that I have yet to fully trace back (references to Safenet, Inside Secure, and Rambus). Which version(s) of QuickSec are vulnerable? Where are those vulnerable versions of software used? Was it only Zyxel or others as well?
- 23. New BLUFFS attack lets attackers hijack Bluetooth connections
- 1. Ardent Health Services hit with ransomware attack, forcing hospitals in multiple states to divert ambulances
Hospitals in multiple states have been forced to divert ambulances and reschedule some elective patient procedures after U.S. hospital owner Ardent Health Services was hit with a ransomware attack.
- 2. Okta Breach Impacted All Customer Support Users—Not 1 Percent
In late October, the identity management platform Okta began notifying its users of a breach of its customer support system. The company said at the time that about 1 percent of its 18,400 customers were impacted by the incident. But in a massive expansion of this estimate early this morning, Okta said that its investigation has uncovered additional evidence that, in fact, all of its customers had data stolen in the breach two months ago.
- 3. ‘Gay Furry Hackers’ Breach U.S. Nuclear Research Facility
Sieged Security, which describes itself as a group of “gay furry hackers,” recently infiltrated a leading U.S. nuclear-research facility (Idaho National Laboratory) and obtained sensitive personal data.
Idaho? Lee? Tyler?
- 4. Holiday Season Increases Cybersecurity Risks
Threats are not risks. Payment card data is not a threat, let alone one of the biggest threats facing retailers this year. Grumble, grumble, grumble.
- 1. Hacker Tools Origin Stories
- 2. iPhones have been exposing your unique MAC despite Apple’s promises otherwise
- 3. New BLUFFS attack lets attackers hijack Bluetooth connections
- 4. Man buys $15 router from thrift store and discovers millionaire’s dirty secrets
- 5. Thousands of routers and cameras vulnerable to new 0-day attacks by hostile botnet
- 6. Extracting Training Data from ChatGPT
- 1. Vulns expose ownCloud admin passwords, sensitive data
Last week, open source document sharing software ownCloud released advisories with fixes for three critical vulnerabilities. The first of these vulnerabilities, CVE-2023-49103, allows attackers to access critical credentials. The other vulnerabilities allow arbitrary file deletion and account takeover. The SANS Internet Storm Center detected attacks exploiting CVE-2023-49103 starting this weekend.
- 2. Idaho National Nuclear Lab Targeted in Major Data Breach
The Idaho National Laboratory (INL) nuclear research lab has confirmed a November 19 breach of a system that supports its Human Resources (HR) applications (Oracle HCM). Compromised data include addresses, Social Security numbers, and financial account information. The politically motivated hacking group SiegedSec is taking credit for the attack. While work to get to the root cause is ongoing, initial indications are that a subcontractor account without MFA was used to access data in their Oracle HCM instance.
- 3. InfectedSlurs Botnet Spreads Mirai via Zero-Days
Researchers at Akamai’s Security Intelligence Response Team (SIRT) have detected new Mirai botnet activity that exploits two as-yet unpatched vulnerabilities. The flaws target routers and video recorders using default passwords. Both vulnerabilities have been reported to vendors and fixes are expected to be released in December.
- 4. Ex-infosec COO pleads guilty to nightmarish sales strategy
An Atlanta tech company's former COO has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals, later citing the incidents in sales pitches. Not creepy, not unethical, right?
- 5. Secure AI System Development Guidelines
The UK National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency (CISA) and similar organizations from 16 other countries have published guidelines for secure AI system development. The guidelines address four stages in the development lifecycle: secure design, secure development, secure deployment, and secure operation and maintenance.
- 6. Kansas Supreme Court releases statement on October 12 security incident
The Kansas Supreme Court has issued a statement about the October 12 ransomware attack against its systems. The incident disrupted access to court information systems, and more than a month later, many of the court's systems remain offline. The new statement reveals that the perpetrators stole data, including Office of Judicial Administration files, district court case records on appeal, and other confidential information. The statement also expresses sorrow for the suffering the citizens face from the attack, as well as re-affirming they will stick to their core values as they work to resolve this case. Consider the value of the human element and acknowledgement of the impact on customers when planning your incident communication.
- 7. CISA Pilot Program Will Provide Cybersecurity Shared Services for Critical Infrastructure
CISA has announced a pilot program to broaden its scope of managed security services to non-federal entities that support the country’s critical infrastructure. CISA says it “has acted as a managed service provider to the federal civilian government for years and observed significant risk reduction along with the benefits of cost-savings and standardization.” In short, CISA is looking to offer their services as an MSP to non-federal organizations. While still a pilot, this could provide coverage for many small, privately owned utilities which may not otherwise be able to afford this sort of cyber support.
- 8. Hackers Hijack Industrial Control System at US Water Utility
Over the weekend, the Municipal Water Authority of Aliquippa (Pennsylvania) disclosed that one of its booster stations that regulates and monitors water pressure for two towns was breached by a state-sponsored threat actor. An alarm alerted the utility to the intrusion, and they took the affected system offline. This appears to be a case of an Internet-accessible HMI. These are no longer low-risk conveniences, and need to not be Internet accessible.
- 9. Google Drive users angry over losing months of stored data
Google Drive users are reporting that recent files stored in the cloud have suddenly disappeared, with the cloud service reverting to a storage snapshot as it was around April-May 2023.
If you're affected, the best action is to not change your Google cloud storage, particularly the root/data folder, until this is resolved; instead, open a support ticket with Google. If you have room, copy your app data folder to a local hard drive. Google Drive tier one support appears to be volunteers, which means the ticket is needed to escalate to the paid support engineers. Take a look at where you're using non-enterprise cloud services to store enterprise data and revisit the backup and recovery processes for those to make sure that you're not needlessly risking data loss.