Social Engineering: AI & Living Off The Land – Jayson E. Street – PSW #818
1. Social Engineering: AI & Living Off The Land – Jayson E. Street – PSW #818
Jayson joins us to discuss how he is using AI, and social engineering it, to help with his security engagements. We also talk about the low-tech tools he employs to get the job done, some tech tools that are in play, and the most important part of any security testing: talking to people, creating awareness, and great reporting.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Guest
Jayson E. Street has been referred to in the past as:
A “notorious hacker” by FOX25 Boston, “World Class Hacker” by National Geographic Breakthrough Series and described as a “paunchy hacker” by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.
He’s a Simulated Adversary for hire. The author of the “Dissecting the hack” series (which is currently required reading at 5 colleges in 3 countries that he knows of). Also the DEF CON Groups Global Ambassador. He’s spoken at DEF CON, DEF CON China, GRRCon, DerbyCon and several other ‘CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.
He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, biochemical companies, etc., on five continents (only once robbing the wrong bank, in Lebanon; all the others he was supposed to)!
He is a highly carbonated speaker who has partaken of pizza from Bulgaria to Brazil & China to the Canary Islands. He does not expect anybody to still be reading this far, but if they are, please note he was proud to be chosen as one of Time’s Persons of the Year for 2006.
2. Malware In Strange Places, Overheating, LockBit – PSW #818
The latest attacks against WiFi, it’s illegal to break encryption, BLE padlocks are as secure as you think, when command-not-found attacks, how did your vibrator get infected...with malware, the OT jackpot, the backdoor in a random CSRF library, it’s a vulnerability but there is no CVE, car theft and Canada, Glupteba, and setting things on fire!
Announcements
Stay up-to-date with us on X (formerly known as Twitter) for the latest show clips and updates! Find us @SecWeekly and stay connected with our cybersecurity community.
- 1. Zyxel security advisory for multiple vulnerabilities in firewalls and APs
- 2. GreyNoise Labs – Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
This is what happens when you blindly pull in code from random GitHub repos into the commercial appliances you are selling. The irony here is that it’s a PHP library meant to protect against CSRF attacks; instead, or maybe in addition to CSRF protection, it has a backdoor that "allows an unauthenticated user to execute arbitrary code with limited permissions (nobody)"!
- 3. Vibrator virus steals your personal information
"The question that remains is, how did the vibrator get infected?" - Supply Whips and Chains attack?
- 4. CVE-2024-26592 & 26594: Critical Linux Kernel Flaws Open Door for Code Execution and Data Theft
- 5. A type of cyberattack that could set your smartphone on fire using its wireless charger
This is interesting: "A charger can be manipulated to control voice assistants via inaudible voice commands, damage devices being charged through overcharging or overheating, and bypass Qi-standard specified foreign-object-detection mechanism to damage valuable items exposed to intense magnetic fields."
- 6. Notebook for prison inmates bought on eBay — ‘Justice Tech Solutions Securebook’ is locked down but has freedom-loving Linux
- 7. Wyze says camera breach let 13,000 customers briefly see into other people’s homes
- 8. SSH-Snake: New Self-Modifying Worm Threatens Networks
"SSH-Snake is a bash shell script which autonomously searches the system it is run on for SSH credentials. Once credentials are found, the script attempts to log into the target system and then copies itself there in order to repeat the process. The results of the worm’s activity are available to the attacker who can use them later in order to continue their operations."
- 9. KeyTrap: ATHENE-researchers have uncovered a critical flaw in the design of DNSSEC
- 10. eLinkSmart – Unlocking Bluetooth LE padlocks with polite requests
This just baffles me: "If a user suspected that their combination padlock's code was compromised, they could simply change it. However, the hardcoded password of eLinkSmart locks provides no such recourse - there is no mitigation if that password is intercepted. If a user suspected that their lock had been compromised, they would have no intuitive way of protecting themselves." - The same hardcoded password is valid against all locks? Wow, did I read that right?
- 11. New WiFi Authentication Vulnerabilities Discovered
"While the wpa_supplicant vulnerability only affects WiFi clients that aren’t properly configured to verify the certificate of the authentication server, recent studies show that this is unfortunately often the case, especially with the affected devices." - Certificate management is hard...
- 12. Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System
"The command-not-found package, is installed by default on Ubuntu, it provides an invaluable service to Linux users: it suggests packages to install when they attempt to execute a command in Bash or Zsh that isn’t available on their system." - I would not say invaluable; it basically saves you from running a Google search. I will still run a Google search, as I don't trust anything but my own research when I am finding software to install on my system. Also: "If a command corresponds to both a snap and an apt package, the command-not-found package will suggest both options, as in the case of the mojo command" - Yeah, this is one reason I left Ubuntu, so just tell me how many different versions of the same software I can install from 8 different places. Also, I now make it a point to run Wayland, and not X11: "This allows snaps that connect to the X11 interface to eavesdrop on other windows and potentially capture keystrokes from the host machine." Then they go on to show examples of how attackers can get their packages as suggested names. I really liked this research and the article.
- 13. Bypassing EDRs With EDR-Preloading – MalwareTech
- 14. Diving Into Glupteba’s UEFI Bootkit
I wrote an article about this as well: https://eclypsium.com/blog/glupteba-malware-and-uefi-bootkit-disabling-windows-security-mechanisms/ - I find it interesting that malware is moving towards attacking things such as bootloaders to maintain persistence (to a certain degree) and disable operating system protections (such as PatchGuard and DSE (Driver Signature Enforcement)).
- 15. Pi 5 And SDR Team Up For A Digital Scanner You Can Actually Afford
- 16. A Celebrated Cryptography-Breaking Algorithm Just Got an Upgrade
This is a neat explanation (though I am not the one to try to explain it to everyone): "LLL-type algorithms operate in the world of lattices: infinite collections of regularly spaced points. As one way of visualizing this, imagine you’re tiling a floor. You could cover it in square tiles, and the corners of those tiles would make up one lattice. Alternatively, you could choose a different tile shape—say, a long parallelogram—to create a different lattice."
- 17. New USB stick has a self-destruct feature that heats it to over 100 degrees Celsius — a secret three-insertion process needed to unlock data safely
Setting fire to things and blowing stuff up is really fun (in a controlled environment, with permission, etc...): "The mechanism reverses the voltage supplied to the device to around 100 degrees Celsius. However, it may not be hot enough to kill the flash chips, but users can always add a compound for it to self-destruct. Obviously, the creator will not ship any hazardous compound with the Ovrdrive USB." - I'm not sure this will take off due to safety issues though, but fun to experiment with.
- 18. Don’t Play with Fire: Prioritize Zyxel Firewall Update to Fix Unreported Vulnerability
This really grinds my gears: "These vulnerabilities are not present in the most recent version of Zyxel firmware (5.37), released last year. Of note, Zyxel has disabled ZTP altogether as of V5.37 patch 1. Eclypsium notified Zyxel of the vulnerabilities but they declined to issue an advisory as the vulnerabilities are not present in the latest version of the firmware. However, since CVEs have not been issued for these vulnerabilities, organizations may not know that they need to update the firmware on their devices." - This is a vulnerability, it has not been fixed, it needs a CVE.
- 1. Critical infrastructure software maker confirms ransomware attack
- 2. Lockbit cybercrime gang disrupted by Britain, US and EU
- 3. New intelligence report warns China has been in U.S. critical infrastructure for “at least five years”
- 4. Government of Canada hosts National Summit on Combatting Auto Theft – Canada.ca
- 5. Canada Moves to Ban Flipper Zero and Possibly Software Defined Radios
- 6. HIPAA protects health data privacy, but not in the ways most people think
- 7. GreyNoise Labs – Code injection or backdoor: A new look at Ivanti’s CVE-2021-44529
- 8. Leaked files from Chinese firm show vast international hacking effort
- 9. The reported leak of Chinese hacking documents supports experts’ warnings about how compromised the US could be
570 files and documents
- 10. New WiFi Authentication Vulnerabilities Discovered
- 11. Vibrator virus steals your personal information
The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi).
- 12. How hackers can use small devices to attack your wireless charger – Interesting Engineering
- 13. NIST Releases Version 2.0 of Landmark Cybersecurity Framework
- 14. Anycubic users say their 3D printers were hacked to warn of a security flaw
- 1. ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
Hundreds of initial access brokers and cybercrime gangs are jumping on the max-critical CVE-2024-1709 authentication bypass, threatening orgs and downstream customers. The ScreenConnect vulnerabilities, CVE-2024-1709 (authentication bypass, CVSS score 10) and CVE-2024-1708 (path-traversal flaw, CVSS score 8.4), can be mitigated by updating to version 23.9.8. Monitor the ScreenConnect App_Extensions folder for suspicious .aspx and .ashx files. Note CVE-2024-1709 has been added to the CISA KEV catalog with a due date of 2/29.
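Turning the folder-monitoring advice above into a scheduled check (an added example, not from the post or from ConnectWise): it walks App_Extensions, reports every .aspx/.ashx web handler with its age and the extension directory it sits in, and builds a constructed sample tree to run against. The default install path and the extension directory names are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Web handler types that do not belong under App_Extensions on a clean install.
SUSPECT_SUFFIXES = {".aspx", ".ashx"}

# Typical install location on Windows (assumption; adjust for your deployment).
DEFAULT_ROOT = r"C:\Program Files (x86)\ScreenConnect\App_Extensions"


def scan_app_extensions(root, newer_than_hours=None, now=None):
    """Return one record per .aspx/.ashx file under root, newest first.

    newer_than_hours limits output to files modified inside that window, so a
    recurring job only alerts on new drops instead of re-reporting old ones.
    """
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        age_hours = (now - path.stat().st_mtime) / 3600.0
        if newer_than_hours is not None and age_hours > newer_than_hours:
            continue
        rel = path.relative_to(root)
        # Extensions live one directory deep; record which one holds the file.
        extension_dir = rel.parts[0] if len(rel.parts) > 1 else "(top level)"
        findings.append({
            "path": str(path),
            "extension": extension_dir,
            "age_hours": round(age_hours, 2),
        })
    findings.sort(key=lambda f: f["age_hours"])
    return findings


def build_sample_tree(base, now=None):
    """Constructed sample layout (not a real install): one extension holding
    only a month-old manifest and DLL, one with a ten-minute-old .ashx file."""
    now = time.time() if now is None else now
    root = Path(base) / "App_Extensions"
    benign = root / "ext-benign-placeholder"
    dropped = root / "ext-dropped-placeholder"
    for d in (benign, dropped):
        d.mkdir(parents=True, exist_ok=True)
    old = now - 30 * 24 * 3600
    for name in ("Manifest.xml", "Extension.dll"):
        p = benign / name
        p.write_text("placeholder")
        os.utime(p, (old, old))
    handler = dropped / "cmd.ashx"
    handler.write_text("placeholder")          # contents are irrelevant to the check
    os.utime(handler, (now - 600, now - 600))  # modified ten minutes ago
    return root


def run_demo(now=None):
    """Build the sample tree in a temp dir and return (all, last 24h, last 6 min) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp, now=now)
        return (scan_app_extensions(root, now=now),
                scan_app_extensions(root, newer_than_hours=24, now=now),
                scan_app_extensions(root, newer_than_hours=0.1, now=now))


if __name__ == "__main__":
    for f in run_demo()[1]:
        print(f"ALERT {f['extension']}: {f['path']} ({f['age_hours']} h old)")
```

On a live server, call scan_app_extensions(DEFAULT_ROOT, newer_than_hours=24) from a scheduled task and forward any non-empty result to your SIEM.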
- 2. LockBit returns after takedown with new extortion threats
After a couple of days, LockBit is firing back at the taunts from the FBI; watch from a distance, don't engage. LockBit says they still have customer data, and are posturing about releasing/extorting the data. While that may or may not happen, don't lose sight of the protections you're implementing for ransomware, and know LockBit decryption keys are available. Expect LockBit look-alike or derivative attacks.
- 3. Russia cyber spies behind SolarWinds breach adopting new tactics, warn Five Eyes agencies
Two techniques warrant consideration. First, after a post-incident password change, SVR actors are going after unused accounts following the password reset instructions. Second, they are capturing Cloud Authorization tokens. In the first case, make sure that idle accounts are not just disabled but deleted after a defined period. In the second, common techniques here are password spraying, MFA bombing (or fatigue) or even circumventing device registration processes. Make sure you're using phishing resistant MFA for cloud accounts, train users on MFA attacks.
- 4. Microsoft finally expands free logging to all federal clients
Having increased logging for non-FCEB tenants would help, particularly small businesses who can't afford license levels which include the in-depth logging. Make sure you know what level (depth and timeframe) of logging you're getting from your cloud services, and dig deep on forwarding those logs to a service where you can control the retention.
- 5. AT&T’s botched network update caused yesterday’s major wireless outage
AT&T says that last week’s network “outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack.” The outage began on Friday morning, February 23, and was resolved later that afternoon.
The good news is it wasn't a cyber attack. The bad news is the configuration team had a really bad day. I have anecdotally been told it was an error of under 10 lines of code. AT&T customers are being provided with a $5 credit on their next bill to compensate for the outage. Among all the recovery and communication efforts, consider what you'd do with the responsible team were you in this position. Is this valuable experience which can be leveraged to prevent recurrence or are they an example of a career limiting move?
- 6. Malawi Immigration Dept. Halts Services Amid Cyberattack
The Malawian government has stopped issuing passports following what appears to be a ransomware attack on the country’s immigration service’s network. The attackers are demanding a ransom payment, but the country’s president says they have no intention of paying it. The immigration department has been given three weeks to resume processing passports. The Malawi passport system has had challenges since they changed providers in 2021 after citing irregularities. The country is silent on what data has been breached, and those in Malawi with expired or no passports are unable to get them and therefore unable to leave the country, and citizens are demanding resumption of services. This is a scenario to consider, evaluate transparency, communication as well as resiliency.
- 7. White House: Back to the Building Blocks: A Path Toward Secure and Measurable Software (PDF)
The report is encouraging Americans to work together to adopt memory-safe programming languages, supported by an improved software measurability (SQA) process. The trick is not only selecting these languages, like Rust, for a project but also migrating existing, working projects to them, as well as augmenting the development process to include the modernized measurement. The age-old challenge of cost and time to market may undo this plan without pervasive support in the organization and industry.
- 8. Steel giant ThyssenKrupp confirms cyberattack on automotive division
Attackers continue to target ThyssenKrupp with the goal of either disrupting production or industrial espionage. Previous attacks occurred in 2013, 2016, 2020 and 2022 by groups like the Mount Locker and NetWalker ransomware gangs. While no group has stepped up to take credit for this attack, and ThyssenKrupp reports they are in the process of gradually returning to normal operations, this is also an ideal opportunity to pursue means to prevent future attacks.
- 9. RCMP networks targeted by cyberattack
While comments are being made about the magnitude of the breach, and indications of infections tied to Python package install scripts, the exact nature of the event is being held close at this time. RCMP has sufficient mitigations to allow operations to continue even with affected systems offline. I'm hoping I'd come off as unfazed and operational if I were in their shoes, how about you?
- 10. U-Haul says 67,000 customers affected in records system breach
Back in September 2022, U-Haul had another breach which took five months to detect; this breach was discovered on December 5th, and the attackers were in the system from July 20th to October 2nd, 2023. Both attacks used compromised credentials. Affected accounts are required to change their passwords, and additional security measures have been implemented. The data breached included names, dates of birth and driver's license numbers. The payment processing system was not affected. If you've got a U-Haul account, you may want to change the password proactively, particularly if you're not sure that it is a strong password unique to U-Haul. Affected users are being offered one year of Experian identity protection, monitoring and restoration. Here is a chance to dig into ways to improve detection and response time.
- 11. Zyxel Patches Remote Code Execution Bug in Firewall Products
Taiwanese networking vendor Zyxel confirms security flaws in firewall and access points put users at risk of remote code execution attacks.
There are no workarounds for these flaws. CVE-2023-6397, CVE-2023-6399 and CVE-2023-6764 only apply to their firewall products, while CVE-2023-6398 applies to both firewalls and APs. Zyxel published a matrix of CVEs and affected products; generally, for their firewalls, apply ZLD V5.37 Patch 2. For APs, apply the model-appropriate version of 6.29 or 6.70. Note some devices have a hotfix which must be obtained directly from Zyxel.
- 12. $2,063 Bounty Awarded for Unauthenticated SQL Injection Vulnerability Patched in Ultimate Member WordPress Plugin
The bounty on this bug was $2,063. The query didn't prevent SQL injection, which can be used to steal information from the database. The flaw only affects configurations which have enabled the custom table for usermeta option in this plugin. The fully patched version of Ultimate Member was released on February 19th; make sure that you've got the updated version. Wordfence firewall rules were released January 30th and again February 29th for the paid and free versions respectively.
- 13. NIST Releases Version 2.0 of Landmark Cybersecurity Framework
One of the trends here, also seen with 800-171, is that CISA is making these frameworks apply to all sizes and types of businesses, not just Federal Agencies or big business. Too often the question, particularly for a SMB, is how to get started with security and while they may wish to hire help to implement, the framework and supporting documents are themselves free. Note that these are coordinated with organizations such as ISO/IEC to support crosswalk for both understanding and leveraging existing practices.
- 1. The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger
A New York Times tech journalist fell for an elaborate scam, involving several people who convinced her she was under investigation for the illegal things an identity thief did. It's important for people to admit this and bring it out into the open--many people think they are too smart to be fooled, but they are wrong. We're all vulnerable to social engineering.
- 2. The Strangely Serious Implications of Math’s ‘Ham Sandwich Theorem’
A line can bisect any two shapes in a plane. A plane can bisect any three objects in three-dimensional space, which gives this theorem its name: two slices of bread and a slice of ham can be all cut in half with a single cut, no matter where they are placed. This has profound implications for gerrymandered voting districts--even requiring simple shapes won't prevent gaming the system. It also applies to AI systems, which are often Support Vector Machines, fitting data to a simple plane in a high-dimensional space.
- 3. Headlights are blinding us. Here’s why it’s mostly an American problem
American drivers have two choices: use high beams so you can see the road, but you blind other drivers, or use weak low beams that don't illuminate the road well. In Europe and Asia, many cars offer adaptive driving beam headlights that shape the light coming from headlights rather than scattering it all over the road. Some ADB headlights work like digital projectors, using a million or more LED pixels to project light patterns on the road. But because the US regulations are so different from those in other countries, with requirements so difficult to meet, automakers still can’t offer it here.
- 4. “Illegal to break encryption,” the European Court of Human Rights rules
The European Court of Human Rights banned all legal efforts of weakening encryption of secure communications in Europe. "A victory for civil liberties," say privacy experts.
- 5. A Marketplace of Girl Influencers Managed by Moms and Stalked by Men
Parents run Instagram accounts with provocative pictures of their underage children, collecting payment from men who subscribe.
"Nearly one in three preteens list influencing as a career goal, and 11 percent of those born in Generation Z, between 1997 and 2012, describe themselves as influencers. The so-called creator economy surpasses $250 billion worldwide, according to Goldman Sachs, with U.S. brands spending more than $5 billion a year on influencers. Health and technology experts have recently cautioned that social media presents a “profound risk of harm” for girls. Constant comparisons to their peers and face-altering filters are driving negative feelings of self-worth and promoting objectification of their bodies, researchers found." "Some of the child influencers earn six-figure incomes, according to interviews."
- 6. Chrome’s Version of Edge’s “Super Duper Secure Mode”
It disables Just-In-Time compilation for V8, the engine inside Chrome that processes JavaScript and WebAssembly code. More than half of all Chrome/Chromium zero-days exploited in the wild in 2021 were JIT-related issues.
- 7. Switzerland calls on UN to explore possibility of solar geoengineering
The Swiss proposal, submitted to the United Nations environment assembly that begins next week in Nairobi, focuses on solar radiation modification (SRM). This is a technique that aims to mimic the effect of a large volcanic eruption by filling the atmosphere with sulphur dioxide particles that reflect part of the sun’s heat and light back into space.
- 8. MIT student creates device that can listen to your thoughts and has access to the internet
A wearable headset records signals when a user hears or thinks of something and this information, in turn, is sent to the machines which use the internet to find answers to what the user is thinking of. Wearing the device is like having Google in your head, with access to anything on the internet.
- 9. Cybercrims: When we hit IT, they sometimes pay, but when we hit OT… jackpot
Operational technology security firm Dragos found 70 percent of all industrial org ransomware infections hit manufacturing companies. It's not so much that they are OT experts, it's just that they know they are impacting the revenue-generation portion of those companies. As a result, the companies are willing to pay and pay faster, and so [the criminals] keep doing that.
- 10. New iOS Warning Issued To All iPhone Users–Repackaging Attacks Possible in Europe
Next week Apple will enable sideloading in Europe to comply with the Digital Markets Act. Promon tested 100 of the world's most-downloaded apps for iOS, and found that 93% are vulnerable to a repackaging attack--an adversary obtains a copy of an app, modifies it and maliciously repackages it to successfully run on a device. “As we brace for this new era of heightened risk, it's imperative that Apple implements far greater repackaging prevention strategies to mitigate the proliferation of fake apps before they wreak havoc on unsuspecting users.”