3D Printing For Hackers – David Johnson – PSW #835
Full Audio
View Show IndexSegments
1. 3D Printing For Hackers – David Johnson – PSW #835
Thinking about getting a 3D printer or have one and need a good primer? Check out this segment, we live 3D print a Captain Crunch whistle and talk all about 3D printing for hackers!
Segment Resources:
- Slides used in this segment: https://cms.cyberriskalliance.com/wp-content/uploads/2024/07/3D-Printing-for-Hackers.pdf
Major 3D Printer Websites:
- https://vorondesign.com/
- https://www.prusa3d.com/
- https://www.creality.com/
- https://bambulab.com/
- https://elegoo.com
Major 3D File libraries:
- https://printables.com (Prusa)
- https://thingiverse.com
- https://thangs.com
- https://makerworld.com (Bambu Labs)
- https://cults3d.com
Youtube Channels:
- Uncle Jessy
- CnC Kitchen
- The Edge of Tech
- Makers Muse
Announcements
Maximize your investment at BlackHat 2024 with a 1:1 on-site interview. Drive thought leadership and boost brand awareness with CyberRisk Alliance's expert editorial team from Security Weekly and SC Media. Act now, limited interview slots available - secure yours today at https://securityweekly.com/blackhat2024
Guest
Dave has spent the past 2 decades helping people solve their cybersecurity problems, maker problems, and developing solutions to all kinds of things. He also enjoys testing new and emerging tech. In short, if it’s new and nerdy, he’ll be at the front of the line to grab a sample, see what it can do, and share it with the rest of the community.
Hosts
2. Vulnerability Chains – PSW #835
Find new flaws in UEFI using STASE, combining vulnerabilities to exploit Sonicwall Devices, remote BMC exploits, Netgear patches, and not a lot of information, 22 minutes before exploited, if the secrets were lost, we'd all be in screwed, Exim has not been replaced by something better and its vulnerable, CISA's red team reports, and attackers use drivers to attack EDR, the saga continues!
Announcements
You're invited to InfoSec World 2024 at Disney’s Coronado Springs Resort in Lake Buena Vista, FL, from September 23-25. Join top cybersecurity experts for this premier event! Save 25% on your pass by using code ISW24-SW25 when you register at securityweekly.com/infosecworld2024. Don’t miss out on this exclusive opportunity!
Guest
Dave has spent the past 2 decades helping people solve their cybersecurity problems, maker problems, and developing solutions to all kinds of things. He also enjoys testing new and emerging tech. In short, if it’s new and nerdy, he’ll be at the front of the line to grab a sample, see what it can do, and share it with the rest of the community.
Hosts
- 1. CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks
- 2. Reverse-Engineering an IP camera – Part 6
- 3. Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway – NHS England Digital
- 4. How to Install LineageOS on Your Android Device – Black Hills Information Security
- 5. PySkyWiFi: completely free, unbelievably stupid wi-fi on long-haul flights
- 6. Exploiting Enterprise Backup Software For Privilege Escalation: Part Two
- 7. Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1
- 8. Hardware Hacking with a Raspberry Pi – Configuring the PiFex
- 9. Squarespace migration linked to DNS hijacking, claims report
- 10. UEFI Vulnerability Signature Generation using Static and Symbolic Analysis
"This paper introduces a method called STASE (STatic Analysis guided Symbolic Execution) to identify and characterize vulnerabilities in UEFI firmware, which is crucial for computer security. The approach combines scalable static analysis with precise symbolic execution to detect vulnerabilities more effectively. By using rule-based static analysis to find potential targets and then applying symbolic execution for precise detection, STASE overcomes the limitations of each individual technique. The method has been tested on UEFI code, successfully identifying multiple known and new vulnerabilities."
- 11. SSD Advisory – SonicWall SMA100 Stored XSS to RCE – SSD Secure Disclosure
"There are pre-auth stored XSS and post-auth remote command injection vulnerabilities in SonicWall SMA100. These vulnerabilities allow unauthenticated attackers to execute arbitrary command when an authenticated user is exposed to the stored XSS. The vulnerabilities were silently patched without any CVE assignment. The whole feature named Classic mode, where stored XSS vulnerability exists, was removed, and a new user input filtering code was added against command injection vulnerability." - Regardless of how its fixed, this should have been two separate CVE entries. Its really neat how the two vulnerabilities are combined, first the unauthenticated stored XSS places a payload in the UI that steals the session token, then the attacker can login and exploit the post-authentication command injection. Current scoring systems do not take this into account, the combined severity of two or more different vulnerabilities chained together.
- 12. Supermicro Motherboards Vulnerable to Critical RCE Flaw (CVE-2024-36435)
I'm surprised this has not gotten more coverage: "This potential vulnerability in Supermicro BMC may come from a buffer overflow in the “GetValue” function of the firmware that is caused by a lack of checking the input value. An unauthenticated user can post specially crafted data to the interface, which will trigger a stack buffer overflow and may lead to arbitrary remote code execution on a BMC." Of course, the first thing people will say is "Don't explode your BMC to the Internet". This is rubbish. You still need to patch and you still need to assign a high priority to this one. Why? Because an attacker with a successful RCE on the BMC has super high privileges on the server. They can do things such as lock you out of all of your servers by causing a continuous reboot. I know this because one of Eclypsium's researchers has proven this using different vulnerabilities to access a BMC.
- 13. Netgear Patches Multiple Vulnerabilities in CAX30, XR1000, and R7000 Routers
I believe Netgear is trying to do the right thing here. They have one of the few bug bounties for firmware on the Bugcrowd platform, which is why I believe we are seeing vulnerabilities get patched. However, if you dig into the firmware there is a ton of outdated and vulnerable software, including a 4.x Linux kernel. There exist vulnerabilities that have published exploits. I'm also concerned at the lack of transparency, there are just not enough details to make any decisions about upgrading firmware, e.g.:
- PSV-2023-0122 - "NETGEAR has released fixes for a stored cross site scripting security vulnerability"
- PSV-2023-0119 - "NETGEAR has released fixes for a post-authentication command injection security vulnerability"
- PSV-2023-0116 "NETGEAR has released fixes for a security misconfiguration security vulnerability" - What does this even mean?
- PSV-2023-0113 - "NETGEAR has released fixes for a authentication bypass security vulnerability" - I am assuming this is pre-auth?
We need better vulnerability reporting standards!
- 14. Mirai DDoS Attack
And all this leads to this: "The Mirai botnet was discovered targeting 22 different known vulnerabilities within D-Link, Zyxel and Netgear devices for the purposes of distributed denial-of-service (DDoS) attacks intended to disrupt or stall targeted networks. Signs of a compromise within a device have been identified as persistent issues with slow connection, device overheating and significant changes within the device’s configuration."
- 15. Hackers Exploiting Vulnerabilities Within 22 Minutes Of PoC Release
Okay, well, there was one vulnerability observed being exploited quickly: "A notable example is the exploitation attempt of CVE-2024-27198 (JetBrains TeamCity authentication bypass) occurring just 22 minutes after the PoC was published." Not all, so read the details and not the sensational headline.
- 16. Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD
This is the best part of this article: "Vendors want researchers to trust them, but they aren’t taking the necessary steps to earn our trust. What’s sad is that we aren’t asking for a lot. Tell us you’ve received the report. Confirm or deny our findings. Tell us when a patch is coming. Acknowledge us appropriately (and spell our name right). And finally, once the patch is available, tell us where we can find the patch. Strangely, one of the biggest problems we have at the ZDI is just getting vendors to tell us when something is fixed."
- 17. Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine
This is crazy, had they not caught this, it could have been bad: " The holder of such a token would have had administrator access to all of Python’s, PyPI’s and Python Software Foundation’s repositories, supposedly making it possible to carry out an extremely large scale supply chain attack. Various forms of supply chain attacks were possible in this scenario. One such possible attack would be hiding malicious code in CPython, which is a repository of some of the basic libraries which stand at the core of the Python programming language and are compiled from C code. Due to the popularity of Python, inserting malicious code that would eventually end up in Python’s distributables could mean spreading your backdoor to tens of millions of machines worldwide!"
- 18. Exim vulnerability affecting 1.5M servers lets attackers attach malicious files
"Tracked as CVE-2024-39929 and carrying a severity rating of 9.1 out of 10, the vulnerability makes it trivial for threat actors to bypass protections that normally prevent the sending of attachments that install apps or execute code. Such protections are a first line of defense against malicious emails designed to install malware on end-user devices." - It is the first line of defense, and I would be shocked if malicious attachments weren't caught further downstream or filtered out by an email protection service. I also really love this comment: "If Debian would finally just throw in the towel and replace exim as their default mta this kind of issue wouldn't be important enough to merit being a news story on Ars." - Why not Qmail or Postfix?
- 19. CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
This is interesting, what do you think about the lesson's learned, straight from the report they are:
- The assessed organization had insufficient controls to prevent and detect malicious activity.
- The organization did not effectively or efficiently collect, retain, and analyze logs.
- Bureaucratic processes and decentralized teams hindered the organization’s network defenders.
- A “known-bad” detection approach hampered detection of alternate TTPs.
- 20. Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware Attacks
My prediction is that once either Microsoft or EDR vendors can really nail the Windows driver threats, we will continue to see this as a way to get around defenses. Once we get better detections and prevention for malicious/LOL drivers, attackers will continue to drive deeper into things such as the bootloader, Secure Boot bypasses, and UEFI.
- 1. CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a report detailing a cybersecurity assessment of an unnamed US Federal Civilian Executive Branch (FCEB) agency. The SILENTSHIELD red-team assessment was conducted over an eight-month period, starting with a “no-notice, long-term simulation of nation-state cyber operations,” and culminating three months of collaboration with agency staff and technical personnel to address their cybersecurity posture.
CISA is emulating the behavior of a nation-state attacker, to include attempting to exploit trust relationships with third parties. In this case, they not only compromised an unpatched Solaris web server, they also used phishing to obtain Windows credentials, elevated to an unsecured administrator account, obtained domain admin, and pivot into their partner networks, while remaining undetected in the first phase.
- 2. Singapore’s banks to ditch texted one-time passwords
After around two decades of allowing one-time passwords (OTPs) delivered by text message to assist log ins to bank accounts in Singapore, the city-state will move from SMS based OTP to mobile app based OTP.
While this does raise the bar, it's best to ensure that your solution is both phishing and authenticator fatigue resistant. Consider that smartphones are also able to support passkeys and other stronger authenticators.
- 3. Info of 2,3+ million individuals stolen in Advance Auto Parts data breach – Help Net Security
Advance Auto Parts has begun notifying 2.3 million people that their personal information was compromised in a breach of the automotive parts company’s Snowflake account. Other companies impacted by breaches of inadequately protected Snowflake accounts include Neiman Marcus, State Farm, and Anheuser-Busch.
It's trivial to stand up a cloud service using reusable passwords, to include skipping implementing the provider's security best practices. Your cloud service approval process should include both (regular) verification of the security profile and adherence to company security standards, such as MFA and logging/monitoring and BC/DR.
- 4. How did the auto dealer outage end? CDK almost certainly paid a $25 million ransom
CDK Global, the car dealership software company that experienced a ransomware attack in June, reportedly paid the ransomware operators roughly US$25 million. While CDK Global has not commented, analysis of blockchain data indicates that on June 21, 387 bitcoin (US$24.5 million at the time) was sent to a known ransomware group. A week later, CDK Global began restoring service.
Indications are CDK paid the ransom within two days of the attack and was able to commence service restoration immediately. Given that the estimated financial impact of the outage is estimated at least $600 million, payment makes financial sence in hindsight
- 5. Massive AT&T breach linked to cloud IT service provider Snowflake
Late last week, telecommunications company AT&T disclosed that they experienced a data breach affecting call and text records of nearly all of their customers. AT&T has begun notifying approximately 110 million people that their communications data were compromised. The breach appears to be yet another that was conducted through inadequately protected Snowflake accounts.
Note that the data compromised was from May 1 to October 31, 2022, as well as January 2, 2023. While the breach doesn't seem to include decrypted message bodies, it does include not only the meta-data about the messages/calls but also often the cell tower location data. While the dataset doesn't include subscriber names, it's not difficult to map that using OSINT, allowing mapping of not only who is talking to who, but from where, which makes the data set attractive.
- 6. AT&T reportedly paid ransom for deletion of stolen call logs after culprit allegedly detained
A member of a hacking group told Wired journalists that in May, AT&T paid them 5.7 bitcoins (roughly US$ 380,000 at the time) to delete the stolen data and provide a video demonstrating proof of their deletion. The ransomware operators initially demanded USD$1 million, but agreed to reduce the demand by two-thirds.
While it's tempting to hire someone to help clean up such a mess, it's important to remember that transactions can be tracked through the blockchain, so consider that arrangement will not remain confidential, you may want to be completely transparent with all such actions, paid removal, paid ransom, rather than awkward damage control post-discovery.
- 7. CVE-2024-6387: RCE in OpenSSH’s server, on glibc-based Linux systems
Openwall founder and CTO Alexander Peslyak has detected a race condition in the core sshd daemon in RHEL 9.x and related releases. The flaw (CVE-2024-6409) was discovered during analysis of the RegreSSHion OpenSSH vulnerability (CVE-2024-6387), disclosed several weeks ago; the disclosure was delayed until vendors had time to prepare fixes.
This particular flaw is specific to the RedHat change to OpenSSH, which affects Fedora 36 & 37 (both are EOL) and RHEL 9.x and its offshoots (or RHELatives) like AmaLinux.
- 8. NHS England » Update on cyber incident: clinical impact in South East London – Thursday 11 July
In the six weeks since the Synnovis breach, two of the UK National Health Service’s trusts has cancelled, postponed, or referred to other facilities nearly 8,000 medical appointments and procedures, including organ transplants and cancer treatments. The June 3 breach has had significant impacts on London's King's College Hospital NHS Foundation Trust and Guy’s and St Thomas' NHS Foundation Trust.
In addition to cancelled or rescheduled services, NHS is still calling for type O donations, which are universal, to bridge the gap in blood type matching operations. Time to reflect on how long your planned mitigations in such an outage are viable.
- 9. Threat Spotlight: Attackers abuse URL protection services to mask phishing links
esearchers at Barracuda have detected phishing campaigns that leverage URL protection services to obfuscate malicious links. Since the middle of May, the researchers have seen the campaigns target hundreds of companies. The researchers surmise that the attackers have obtained access to the URL protection services by compromising legitimate accounts.
Many enterprises use URL security servcies which encapsulate URL's in email and restrict access to kown malicious sites by wrapping links to route through their security services when accessed. The hackers are turning these services on themselves by compromising the URL protection service to allow their services or by using their own protected version of the phishing link, allowing a bypass.
- 10. July 10, 2024 Advisory: Vulnerability in Exim MTA Could Allow Malicious Email Attachments Past Filters [CVE-2024-39929]
A critical vulnerability in the Exim mail transfer agent could be exploited to bypass filename extension blocking protections and deliver malicious attachments to inboxes. The issue is due to a bug in RFC 2231 header parsing. The vulnerability is fixed in Exim version 4.98. CVE-2024-39929, mis parsing RFC 2231 headers, CVSS score 5.4, has no workaround, and applies if you are using a block list leveraging $mime_filename as a multiline filename isn't parsed properly and the last part is omitted.