Whose Vulnerability Is It Anyway? – Josh Bressers – PSW #831

Accepting upstream Linux Kernel security patches is important, Google does this with Android, I hope other distros catch on, but they are stubborn, which is how we end up with this: "This vulnerability was present only in Debian 11 due to a lack of backporting of the patch to the affected Kernel. The vulnerability was patched only in July 2023."

But not for firewall appliances? This is weird, perhaps they heard me and now they are changing their tune. Whatever, I'll take it as a win! Perhaps its not as hard as it seems to release patches for EOL gear?

Really neat stuff here, supports Rasberry PIs, specialized kernels that improve performance, and a management framework based on MS Azure IoT. I love this platform as it addressed many of the issues with IoT devices not being managed properly.

Sam provides a very detailed account of identifying that his router (from Cox) was hacked. The behavior was weird, HTTP requests being replayed from an unknown IP address. He exchanged the router for a new one, and was no longer compromised. Fast forward years later much research was conducted into hacking the management application used by Cox to manage people's routers. Turns out he can control all of them! So many twists and turns and detailed accounts of using Burp Suite to attack the application. I am concerned that we still don't know the who/what/how of the original compromise. We don't believe it was firmware. Perhaps there has been a long history of vulnerabilities in the management interfaces and protocols used by ISPs.

This is a great start to understanding this attack vector: "In general, fault injection attacks against hardware attempt to produce some sort of gain for an attacker by injecting faults into a device under attack by manipulating clock pulses, supply voltages, temperature, electromagnetic fields around the device, and aiming short light pulses at certain locations on the device. Of these vectors, EMFI stands out as probably the only attack approach that requires close to no modifications of the device under attack, with all action being conducted at a quite short distance. The attack then proceeds by moving an EM probe above the device in very small increments and triggering an EM pulse. With any luck, this would disturb the normal operation of the device under attack in just the right way to cause the desired effect." - The article goes on to explore how we can decap the chips to gain more direct access to the underlying surface area to conduct fault injection attacks, using everyone's favorite reverse engineering tool: Sulfuric Acid. Look, don't try this at home, and don't say you tried it and got hurt or permanently injured because you heard us talking about it!

This is the best summary I could grab: "Consequently, any attacker with a file read vulnerability and a controlled prefix on a PHP application can achieve RCE. Similarly, forcing PHP to call iconv() with controlled parameters grants the attacker the same capability." - Outside of that the original research is amazing and very technical (ref: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)

I found it interesting that the Dell Powerstore line of storage appears to run Linux under the covers and just patched a large number of supply chain vulnerabilities, covering all sorts of different CVEs (some dating back to 2018, which is weird because Powerstore was released in 2020). ChatGPT says that Powerstore is "Dell PowerStore is a modern storage solution developed by Dell Technologies, introduced in May 2020. It was designed to meet the evolving demands of enterprise storage, providing a flexible and scalable architecture that can handle diverse workloads. The PowerStore series represents Dell's next-generation storage platform, combining hardware and software innovations." - Which is weird, because Dell owns EMC, but that is different storage?

ZDI had to get involved to get a response from VMWare, which is scary: "The security researcher, @sinsinology declined to share any vulnerability details with The Stack out of concern that this could give a clue to threat actors looking to weaponise exploits – other than saying bluntly that the product is “always vulnerable to all six exploits, no configuration needed, no ports need to get opened; just straight-up RCEs, no fuss, no muss."

If you get your hands on one of these I've heard they are fun to play with. IR signals from the Flipper can be used to control the device. Kinda neat!

Hack A Day's This Week In Security is a must read weekly post on all things cybersecurity and hacking. Jonathan Bennett breaks things down nicely, and often includes articles and the "things you might have missed". This week the C-level DNS servers dropped off the Internet, here's the explanation: "Cogent gave a statement that an “unrelated routing policy change” both affected the zone updates, and the system that should have alerted them to the problem. It seems there might room for an independent organization, monitoring some of this critical Internet Infrastructure."

Interesting local attack vector using ANSI escape sequences in a comment inside a RAR file. The demo uses a payload from a 2023 Blackhat talk (https://i.blackhat.com/BH-US-23/Presentations/US-23-stok-weponizing-plain-text-ansi-escape-sequences-as-a-forensic-nightmare-appendix.pdf). From the article: "This vulnerability, tracked as CVE-2024–33899 for Linux and Unix systems and CVE-2024–36052 for the Windows, allowed attackers to spoof screen output or cause denial of service (in Linux and Unix)".

This is an amazing blog post series, in a nutshell: " how to use a Raspberry Pi Pico as a USB rubber duck and extended its capability using an attached LoRa modem to allow for over-the-air execution of DuckyScript files." - I've always been enamored with techniques that use RF exfil as it is super difficult to detect over-the-air unless you are monitoring for all LoRa communications in all of your locations.

This was the work of malicious actors, but what exactly bricked the routers remains a mystery: "A report published Thursday by security firm Lumen Technologies’ Black Lotus Labs may shed new light on the incident, which Windstream has yet to explain. Black Lotus Labs researchers said that over a 72-hour period beginning on October 25, malware took out more than 600,000 routers connected to a single autonomous system number, or ASN, belonging to an unnamed ISP." - Full report here: https://blog.lumen.com/the-pumpkin-eclipse/ - I have so many thoughts and comments on this...

Leak reportedly includes names, addresses, phone numbers and some credit card details of Ticketmaster customers, so yes - this is PCI related.

An infamous hacking collective claims to have 1.3 terabytes of customer data stolen from the entertainment giant, as Home Affairs confirms it is on the case.

The hackers also shared a sample of the data, which includes hashed credit card numbers, the last four digits of credit cards, credit card expiration dates, and fraud details, as well as customer names, addresses, and emails.

Since the PAN data was obfuscated (hashed) this would not necessarily result in a finding of non-compliance.

A lawsuit was filed last week against Live Nation and Ticketmaster accusing the companies of negligence and allowing a third party company to gain access to private information belonging to 560 million customers. But they protected the credit card data...

Cloud computing company Snowflake warned its customers over the weekend that hackers appear to be targeting accounts that don't use multifactor authentication (MFA). Not a good sign...

"On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web."

The Justice Department filed a long-awaited antitrust lawsuit against Ticketmaster and parent company Live Nation on Thursday, seeking to break up what officials call an unlawful monopoly that’s squeezing artists, promoters and venues while jacking up prices for fans.

All in all, a bad week for LIve Nation and Ticketmaster.

Ticketmaster parent Live Nation has filed a voluntary SEC data breach notification, while one of its cloud providers, Snowflake, also confirmed targeted cyberactivity against some of its customers.

Snowflake CISO Brad Jones hit back at claims the Ticketmaster and Santander data breaches were caused by platform vulnerabilities. But wait, there's more...

Santander Bank recently issued a breach notification letter saying that following a supply chain attack, an unauthorized third party had accessed a database with sensitive customer information. It was later discovered that the attackers stole data from Santander’s banks in Chile, Spain, and Uruguay, while the rest of the world was not affected. The infamous ShinyHunters hacking collective is selling the database on the dark web, BleepingComputer reports. As per the hackers’ sales ad, the database contains personal information of 30 million customers and employees, as well as 28 million credit card numbers, as well as 6 million account numbers and balances. The asking price is $2 million. Guess what type of organization does NOT have to report on PCI compliance????

TikTok reportedly dealt with a recent security breach when hackers targeted well-known brands and celebrities on the platform.The hackers sent malicious links through private messages to hijack prominent accounts on the social media platform.

TikTok has taken measures to stop a cyberattack targeting several brand and celebrity accounts, including news network CNN and Paris Hilton, a spokesperson for the company said on Tuesday.

This is just a normal ransomware attack...except the company refused to pay, so it became a data theft-based extortion attack.

In recent days, both Ticketek Australia and Ticketmaster have experienced breaches which have exposed customer details to hackers. They join a growing list of high-profile data breaches that have put the privacy of millions at risk. Despite advancements in technology and increased awareness of cybersecurity threats, companies continue to fall victim to breach attacks.

Among the findings of Entrust’s 2024 State of Zero Trust & Encryption Study: the primary (reason) given for investing in security is to reduce the risk of breaches and other cybersecurity incidents; in past years, the primary (reason) was compliance; while overall, 62 percent of organizations have begun adoption of zero-trust, that figure is 48 percent in the US. For the study, Entrust surveyed more than 4,000 IT practitioners worldwide.

Zero Trust is burdened by both technology and culture change. It's not as simple as dropping the firewall and requiring MFA on every entry point. The pillars which support Zero Trust include base improvements to cyber security posture which have benefits even if you're not going full ZTA. Go through the NIST's Zero Trust Maturity Model to look at where you can raise the bar. Look to existing capabilities which are already included in products and services, such as encryption at rest and in transit from IaaS and SaaS providers, information protection, classification and monitoring from your office productivity suite and MFA capabilities in your IDP which may have been overlooked.

The contractor selected to help the US National Institute of Standards and Technology (NIST) manage the backlog of National Vulnerability Database (NVD) CVEs is Analygence, a company already contracted to perform other IT and security-related work for NIST. Analygence will help NIST with both the CVE backlog and new NVD submissions.

Seems like it was just yesterday they said they were going to hire a company for this. That they moved this quickly indicates how seriously they are taking solving this problem. A big advantage here is that Anaalygence can use their hiring practices rahter than the somewhat more onerous agency processes to rapidly staff up, or down, as is required to absorb the workload. Even so, don't expect the backlog to be resolved before September. My guess is the target is September 30th, the end of the federal fiscal year.

POC exploit code for a zero-day arbitrary file read vulnerability in Check Point Security Gateway has been released. Check Point published hotfixes last week to remediate the vulnerability, which affects Security Gateway with IPSec VPN or Mobile Access blades enabled. Check Point’s support page includes a procedure to identify vulnerable gateways. Censys has observed nearly 14,000 Internet-facing devices running the products, but it is not clear how many of these are actually vulnerable. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its KEV on May 30. Federal Civilian Executive Branch (FCEB) agencies have until June 20 to address the vulnerability.

If you were putting off deploying the hotfixes, that window has closed with the POC Attackers are focused on compromising old local accounts with password-only authentication. You need to make sure that you not only follow the post-hotfix(Important extra measures) instructions on the CheckPoint site, which addresses local accounts, but also check for IOCs to make sure you're clean. CheckPoint is helping affected customers resolve any exploitation, and the severity has been raised from 7.5 to 8.6.

The US Department of Health and Human Services will now allow Change Healthcare to file health insurance portability and accountability act (HIPAA) breach notices on behalf of organizations affected by the massive ransomware attack earlier this year. HHS initially required every affected organization to file their own notices. On Friday, May 31, HHS Office for Civil Rights (OCR) amended the Change Healthcare cybersecurity incident FAQ to reflect the change. Organizations wishing Change Healthcare to file the HIPAA notices on their behalf must contact Change Healthcare.

My understanding is that Change Healthcare handled 1 in 3 medical records and processed half of all medical claims in the US at the time of the breach. Change Healthcare's parent, UnitedHealth told congress that about one-third of Americans had information accessed by the hackers. Having Change Healthcare file the breach notification on behalf of others will help with a consistent and likely non-redundant message. Given that there is a one-in-three chance your information was compromised, don't stop at go, go directly to credit monitoring/data validation.

Atlassian has released updates to address a high-severity remote code execution vulnerability in their Confluence Data Center and Server. The flaw was introduced in Confluence Data Center and Server version 5.2. The vulnerability is fixed in versions 8.9.1, 8.5.9, and 7.19.22.

Exploiting the flaw requires network access to the system as well as privileges to add new macro languages. Even if none of your users have those privileges, apply the update to remove the vulnerable code, future you will appreciate this. It's also a good time to revisit the choice to host Confluence locally. make sure those drivers haven't changed. Note that FedHIVE offers a FedRAMP High Jira/Confluence SaaS environment.

CISA is warning that a vulnerability in the Linux kernel is being actively exploited. The use-after-free issue in the ‘netfilter: nf_tables’ component can be exploited to achieve privilege elevation. Users are urged to apply mitigations if available, or discontinue use of the product. Federal Civilian Executive Branch (FCEB) agencies have until June 20 to mitigate the vulnerability.

This affects kernel versions between 5.14 and 6.6, which means your RHEL 9 systems as wel;l as AlmaLinux, Debian, Gentoo, Suse and Ubuntu need to be updated. The good news is that patches were made availalable in February, so you push those updates if you haven't already. The not so good news is POC code was published in March, which claimed 99.4% success rate as well as the vulnerability being trivial to exploit.

Hugging Face says they have detected unauthorized access to their Spaces platform that may have compromised “a subset of Spaces’ secrets.” They have revoked some Hugging Face tokens “as a first step of remediation;” affected users have been notified.

Hugging Face has also made the new default fine-grained access tokens, which they strongly suggest switching to. They have also eliminated org tokens which will help with audit and traceability as well as implemented a key management service for Spaces secrets, which will improve their ability to revoke and manage these.

A critical vulnerability in a Cox Communications API may have been used to alter the configuration or firmware of Cox managed cable modems. Cable modem ISPs load custom firmware and settings to customer modems in order to configure them to interoperate with a particular cable system. The API used to manage these settings did not authenticate properly and allowed anybody to retrieve or alter settings.

Google has begun phasing out Manifest V2 extensions in Chrome. As of Monday, June 3, users with Manifest V2 extensions on the Chrome beta, Dev, and Canary channels will start to see warning banners when they visit their extension management page that tell them some of their Manifest V2 extensions will no longer be supported. Eventually, users will be directed to the Chrome Web store, where Manifest V3 extensions will be recommended to replace those that are no longer being supported.

Manifest V3 is intended to improve security, privacy, performance and trustworthiness of extensions. V3 limits extension access to user network requests, forces user to include all functions locally (no more remote code), move request modifications and background page requests to service workers in the browser. This has impacts on extension behavior, particularly those which were updating content/functionality dynamically. Check the extension developer page for information on how their Manifest V3 version will work.

A data security breach at cloud provider Snowflake has affected several organizations, including Ticketmaster and Santander. In an SEC filing last week, Ticketmaster parent company Live Nation disclosed that they “identified unauthorized activity within a third-party cloud database environment containing Company data.” In mid-May, Santander released a statement noting that they “recently became aware of an unauthorized access to a Santander database hosted by a third-party provider.” In a recent update about the incident, Snowflake indicated that it believed the attack to be the result of credential-stuffing, while also noting that they discovered evidence that a threat actor obtained access credentials belonging to a former Snowflake employee.

Rotate those TicketMaster credentials and enable two-factor authentication. While some of the details about how data was breached are changing, the constant is that reusable credentials were compromised. Your task is to vedrify that you require MFA for all access to third-party services, as well as understand their level of access and access control mechanisms. Make sure you have access control rules to only allow authorized users and systems to access these services. Are you getting logs to your SIEM? Verify you have plans for rotating credentials if required/compromised.

Researchers at Fastly have observed active exploitation of three high-severity vulnerabilities cross-site scripting in WordPress plugins. The researchers note that the script used to exploit each of the three flaws is identical. The affected plugins are the WP Statistics plugin (version 14.5 and earlier), the WP Meta SEO plugin (version 4.5.12 and earlier), and the LiteSpeed Cache plugin (version 5.7.0.1 and earlier).

CVE-2024-2194, CVSS score of 7l.2, CVE-2023-6961, CVSS score of 7.1 and CVE-2024-40000, no CVSS score are all XSS flaws. The root cause for all three vulnerabilities is lack of input sanitization. After you've verified the plugins are updatrd, you need to make sure you're not compromised. Review user accounts, particularly those with admin privileges, check for files with unexpected modifications, particularly injected scripts, and look for outbound requests to Yandex tracking links or pixels.

China-backed cyber espionage actors are increasingly using operational relay box (ORB) networks to conceal the source of their attacks. Similar to botnets, ORB networks consist of virtual private servers (VPS), compromised Internet of Things (IoT) devices, and insecure routers. This diverse infrastructure makes it difficult for defenders to track and attribute attacks, as the traffic between the attackers' command-and-control systems and their targets is obfuscated.

On May 20, the blockchain gaming platform Gala Games was targeted in a cryptocurrency heist that took advantage of its lax internal controls and cost the platform $22.2 million in cryptocurrency. According to the platform's founder Eric Schiermeyer, "We identified the compromise and within 45 minutes we secured and removed unauthorized access to the $GALA contract."

Gipy is a new phishing campaign in which victims believe they are downloading a legitimate AI voice-altering application. And while the application works as expected, Gipy malware is also being distributed in the background, which can be used to steal data, mine cryptocurrency, and install additional malware.

Scattered Spider (aka UNC3944) is an aggressive cyber crime group that has skirted law enforcement while targeting multiple high-profile companies, such as identity management company Okta and casino giant MGM Resorts. The group is known for its successful social engineering tactics to breach networks and its skill at exfiltrating data and collaborating with ransomware groups.

An unknown actor planted a backdoor in an application update of the software JAVS Viewer 8, an audio/video application package used by more than 10,000 courtrooms throughout the U.S. and 11 other countries.

Kaspersky has reported another ransomware using Microsoft BitLocker to encrypt files, steal the decryption key, and extort payment from victims. The malware, dubbed "ShrinkLocker", has been observed being used in Mexico, Indonesia, and Jordan by an unknown operator targeting steel and vaccine manufacturers.