How do we patch the right things? – Josh Bressers – PSW #840

There are several things wrong with this article, confusing information from Microsoft, and the way Microsoft handled this is very concerning. I will attempt to elaborate on the show, so if you're reading this, make sure you listen to the show. Do people actually read these notes? If you do, ping me on social media :) (All my social links are included above)

Yet another vulnerable (signed) driver. I believe the driver vulnerability landscape will be ripe for attackers for some time until we come up with better solutions to detect and prevent drivers from turning malicious. Then, attackers will move to pre-OS vulnerabilities in bootloaders and UEFI.

Really awesome framework for RF attacks, I've just begun to review the documentation. Its an abstraction layer that creates virtual interfaces to conduct attacks against several different RF implementations including Wifi and Bluetooth. Supports hardware most of us already have as well!

Two key points from this research:

• *"The FM11RF08S backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes."
• "The various tools and attacks developed in the context of this paper have now been merged into the Proxmark3 source code."

What most, perhaps all articles, are missing is that on desktop CPUs you can't apply a microcode update to fix this (like we did with Zenbleed), you need the AGESA update, which to my knowledge typically comes through a UEFI update. This means you have to wait until your OEM releases a UEFI update to patch AGESA. I'm still waiting... Also, I've found it to be difficult to determine which version of hardware/firmware you are running on AMD platforms and where the updates come from, especially for newer processors.

• From ChatGPT, AGESA is: "AMD AGESA (AMD Generic Encapsulated Software Architecture) is a foundational firmware framework developed by AMD. It is primarily used in the initialization of AMD processors, specifically the system-on-chip (SoC) for AMD motherboards. AGESA is responsible for the early stages of booting an AMD system, where it initializes the processor cores, memory, and other critical hardware components, ensuring that the system can successfully transition to more complex operations handled by the BIOS or UEFI firmware."
• Keep in mind AGESA is being phased out in favor of an open-source implementation called OpenSIL: "AMD OpenSIL since its initial open-source publishing earlier this year has targeted AMD EPYC Genoa with one AMD reference server motherboard. But eventually the plan with AMD OpenSIL is to support just not EPYC server processors but also Ryzen -- the complete CPU product stack with the eventual aim in the years ahead to become a replacement to AGESA." (Ref: https://www.phoronix.com/news/AMD-OpenSIL-Autumn-2023)

Why bring your own vulnerable driver (BYOVD) when one already lives on the system? This is what North Korean threat actors were doing, exploiting a Windows vulnerable driver to escalate privileges and bypass Windows protections and EDR. Expect this trend to continue until we do something about the drivers. You can patch all you want, attackers are just going to bring in vulnerable software to exploit the system! I don't believe this is something we talk about enough as we get hung up on VM and patch management and then rely on EDR for everything that falls through the cracks. The crack is really large now...

This is another one no one is talking about, a straightforward network-based heap overflow. The SLDP service is turned on by default in OpenBMC. Its used for service discovery (its cousins with UPnP, and it has a vulnerability? Shocking). Many vendors use OpenBMC as the base for the software/firmware that drives the BMC chips (Aspeed is the most common). Do vendors turn off SLDP? In IBM's case, no, they had to release a patch. An attacker who can reach the network where the BMCs live can exploit this remotely. Yes, some expose this to the Internet (don't do that). Others may have it on various internal networks. Regardless, an attacker with access to the BMC has the highest level of privileges on the system. We typically call this Ring -3. Its woven into the fabric of your hardware. This is how even when a system is powered off, but still plugged in, the board can talk to the network and you could rebuild the system remotely.

Good to see a new issue, I hope they continue to produce new ones. The content looks awesome.

I didn't know this existed. It was created 4 years ago and has not been updated since. How can we help?

I'm not very happy with Google about this one. One of the reasons I like using Pixel phones is the relatively low amount of pre-installed apps. I'm not entirely certain how an APK application is embedded in the firmware (my guess is it's similar to Linux firmware where there are applications on a partition that come with the firmware installed when the firmware is applied to the devices. One of the APKs on the Pixel platform looks like it was intended to allow Verizon to put phones in demo mode, requiring highly privileged access. Well, that app is basically Swiss cheese when it comes to security, applying configuration updates over HTTP and not validating signatures correctly. Unless you root your phone, you can't remove the app. Rooting Pixel devices can be tricky, and there is a risk of bricking the device. The app is not enabled by default, however, attackers with access to a Pixel device could enable it.

First off, do not use .env files to store environment variables for your application. Also, this is easier said than done. I've been here. Typically when you are developing an application this is a quick and easy way to feed credentials and other values to your application. However, you have to be careful not to put .env files with actual data in them into Git. Also, you should never expose a .env file in the web server path. In the real world, things happen. Attackers went on a .env file shopping spree, automating a ransomware campaign that takes advantage of this misconfiguration (remember, misconfiguration leads to compromise). The solution is to use one of the many readily available secret vaults. AWS has a few different ways to do this, and open-source solutions such as Hashicor exist, as well as commercial solutions such as Cyberark. These require some re-factoring, which is why I believe people just never get around to replacing .env files.

A great walk-through on how to set up Kismet to start analyzing wireless traffic. Just saving this for later as I have not set up Kismet in some time, and it's very different from like 10 years ago.

They tried to throw the book at them: "The letter cited alleged violations of U.S. federal laws including the Copyright Act, the Defend Trade Secret Acts, the Computer Fraud and Abuse Act, and the Digital Millennium Copyright Act in calling for Giese and Braelynn to call off the talk." - Luckily the EFF outlined how the researchers were not in violation of any of these laws. Next month we will chat more about this with the amazing Lee Kim!

I just love how TELNET is still a thing on mainframes: "The reconnaissance phase also includes obtaining a list of authorized users. A distinctive feature of the well-known Telnet service when running on a mainframe is that in response to an identification attempt, it returns whether the user has the right to connect. This feature allows you to obtain a list of authorized users without harming the mainframe." - Also, this is probably one of the best tutorials on pen testing mainframes that I have seen in some time.

This looks cool, but I cannot do it justice when trying to explain it.

Read this (and the comments) if you want to go down a rabbit hole of looking at boards and parts to build your own router. Be warned: This is a deep rabbit hole.

Toyota confirmed that customer data was exposed in a third-party data breach after a threat actor leaked an archive of 240GB of stolen data on a hacking forum.

A misconfiguration in Oracle’s NetSuite SuiteCommerce offering could put customer data at risk of exposure.

One month into a ransomware attack against Columbus that the city has now acknowledged may have compromised the personal information of close to half a million private citizens and thousands more city employees, the public still knows precious little about what happened.

T-Mobile will fork over $60 million to settle allegations it failed to disclose and take action against unauthorized access to internal data that occurred after its merger with Sprint in 2020.

A major security breach in Hezbollah's internal communications network led to the death of one of its most secretive and influential commanders.

I'm just gonna say, "Now THIS is offensive security."

Mostly ransomware...statistics come from a report published last week by Arcserve..

Earlier this month , MITRE added Wiz to its list of CVE Naming Authorities, bringing the total numbers of CNAs to 400. This milestone comes at a time when the USR National Institute of Standards and technology (NIST) is struggling to clear a significant backlog of CVEs yet to be analyzed.

While I applaud multiple organizations stepping up here, most are scoped to support their products only, this does give them more skin in the game which is needed. Even so, the bigger need is to support CVE analysis to clear both the current and seven-month backlog. As of June 3, there were 13,358 CVEs waiting to be analyzed, as of August 13th the number was 17,372 and is projected to hit nearly 28,400 by the end of 2024. Fingers crossed the contractor is able to scale up to process 200-300 CVEs/day to overcome the backlog.

Cyber criminals have stolen payment card information from the Oregon Zoo’s website. The incident affects more than 117,000 people. Officials detected unusual activity on the zoo’s online ticketing service earlier this summer, and took the website offline. A subsequent investigation revealed that transactions in the system had been being redirected between December 2023 and June 2024.

The third-party payment site was decommissioned in late June, and a new secure site provisioned. Nevertheless, payment information, including names, card numbers, CVV and expiration dates were exfiltrated for six months. The zoo is notifiying affected parties and offering them a year of credit monitoring.

Microsoft is rolling out mandatory multi-factor authentication (MFA) for Azure starting on October. At that time, “MFA will be required to sign-in to Azure portal, Microsoft Entra admin center, and Intune admin center.” Starting early next year, Microsoft will gradually roll out MFA enforcement for Azure CLI, Azure PowerShell, Azure mobile app, and Infrastructure as Code (IaC) tools.

Microsoft provides multiple MFA options for Entra including FIDO2 security keys, Certificate-based authentication (CAC, PIV, X509), passkeys and the Microsoft authenticator using biometrics, push notifications or OTP. Don't enable SMS/Phone-call based MFA, it's too easily compromised. Talk to your Azure/Entra ID administrators about their plans for MFA, not only about which technical options they will support but also their communication and user-support activities.

Researchers from Juniper Networks have provided details about a vulnerability in the Jenkins Command Line interface that was exploited in a ransomware attack that targeted a digital payment system used by banks in India earlier this summer. On July 31, the National Payments Corporation of India (NCPI) said that the incident affected Brontoo Technology Solutions, which collaborates with C-Edge Technologies. NCPI temporarily prevented C-Edge Technologies from accessing NCPI-operated payment systems. The Juniper researchers say that the attackers leveraged a known path traversal vulnerability in Jenkins (CVE-2024-23897). The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-23897 to their Known Exploited Vulnerabilities catalog.

CVE-2024-23897, parser flaw, has a CVSS 3 base score of 9.8. The command parser replaces @ followed by a pathname with the content of that file, allowing for arbitrary files to be read. CISA has a KEV due date of September 9th. Jenkins 2.442, Jenkins LTS 2.426.3 or LTS 2.440.1 disables the command parser feature which does this. Another workaround is to disable access to the CLI to prevent exploitation entirely.

The attack was detected in October 2023; the subsequent investigation took nine months. The compromised data include names and associated passport, Social Security, and driver’s license numbers, health insurance and medical information, payment card data, and tax identification numbers.

There is nothing quite like the letter from a provider letting you know your data has been breached. Take note of the guidance on their incident web site, it provides in-depth options and contacts for organizations which can aid users both secure their credit as well as help monitor for activity related to the use of their data.

The city of Flint, Michigan, is in the process of recovering from an August 14 ransomware attack that has disrupted the availability of their online services, such as telecommunications and water, sexer, and tax payments. According to a statement on August 15, the city’s emergency services are unaffected by the incident, as are public works, and public health.

Flint residents can only pay for the affected city services via cash or check. Double check with your FI if your online bill-pay electronic payment mechanism needs to fall back to sending a check. Even if you're not in Flint, ask them if they have a protocol for failing back to an analog payment. To date, no ransomware gang is taking credit for this attack and the city doesn't yet have an ETA for service restoration. While it can be hard to get your arms around that timeline, make sure that your tabletop exercises include flushing out how you'd determine a recovery date and how to meet it.

In a filing with Maine’s attorney general, background check company National Public Data confirmed a December 2023 data breach, but says that the compromised personally identifiable information (PII) affects just 1.34 million people, not the nearly 3 billion initially reported. While the breach occurred at the end of 2023, the data started appearing for sale online in April 2024.

National Public Data is downplaying the breach. The data posted by USDoD for sale was analyzied by Troy Hunt (maintainer of HaveIBeenPwned) found the data contains 134 million unique email addresses, as well as criminal record data for 70 million of those addresses. Access Data Privacy analyzed the data and found as many of 272 million unique SSNs, many of which are no longer living. While there is precident for chaning the amount of data exfiltrated as the investigation proceeds, it's important to get this straight rapidly, particularly when others are analyzing the data and find a discrepancy with your reporting. While this gets sorted, double down on ID protection/restoration services and don't forget to freeze your credit.

Columbus, Ohio, city officials said that the threat actors accessed data belonging to city employees and residents during a ransomware attack, and urged citizens to be vigilant. The attackers have leaked information stolen from the Columbus city prosecutor’s office.

This is data from the July 18th ransomware attack by the Rysida gang which claims to have stolen 6.5 terabytes of data. The data appears to have been released on the dark web, and while the average citizen doesn't have access to it, criminals likely do which is why the city attorney is letting city residents, customers and employees know they are ready to support them with needed protection or other civil orders relating to this data being released. Offering to support your customer in a breach, beyond just ID/Credit monitoring/restoration is a classy move to consider for your playbook.

Researchers from Cisco Talos have provided details about eight vulnerabilities in Microsoft apps for macOS. The flaws could be exploited by injecting specially crafted libraries into the apps to access microphones, cameras, folders, input, and other functions. The vulnerabilities affect three different Microsoft Teams apps, as well as Outlook, PowerPoint, OneNote, Excel, and Word.

macOS has a layered security model, including TCC and entitlements which are aimed at protecting usedr privacy and system security. They are not foolproof. These apps included the entitlement to disable library validation, which only allows them to access libraries signed by their developer, which was removed with updates to Teasms and OneNote. Excel, Outlook, PowerPoint and WOrd remain this capability to support plug-ins. Other than pushing updated applications, reviewing their access (user granted, e.g. Camera/Microphone access) is a good idea.