Exploding Pagers – Tod Beardsley – PSW #843

Looks like a great update and something worth checking out, I still remember the old ettercap days and seems like there have been many updates since then. In this new release we get: CAN-bus support, Wifi brute forcing for things like printers, and a built-in Web UI. They are also working on re-writing the BLE stack, can't wait!

Nonces: the one-night stands of cryptography. Use 'em once and never again, or you might find your secrets spilled all over the internet. Remember, in the world of encryption, recycling is a big no-no – unless you want your private messages to become a public spectacle.

In a wild twist of fate, researchers accidentally turned a forgotten WHOIS server into their personal playground, snagging control of an expired domain and potentially issuing fake SSL certificates like they were handing out candy. Turns out, even the internet has its share of abandoned properties—just don’t be surprised if a rogue researcher moves in and starts throwing parties! Remember, folks: always keep your digital real estate updated, or you might find yourself on the guest list for a very unwelcome surprise! - Lots of things to parse through, such as vulnerabilities in WHOIS clients that can be exploited easily by attackers who gain control of a WHOIS server, or in this case, manage to register a domain that was once the WHOIS server for the .MOBI top level domain. Turns out tools embed the list of WHOIS servers and do not dynamically update them, so even though the domain they registered was not the current WHOIS server, many sites and tools still used it to perform WHOIS lookups.

I am concerned that we never get to the root source of these infections: "At the moment, the source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access." This is a known problem and has been documented and validated by multiple organizations and people, including myself (Ref: https://eclypsium.com/blog/android-tv-devices-pre-0wned-supply-chain-security-threats/)

My conspiracy theory is that malicious actors targeted them because they keep publishing information on pre-0wned Android TV boxes. Who's with me?

2013 called and wants its Adobe Flash Player exploits back. WTH? How do you even have a browser or software that loads Flash files anymore? If the software you are using is that old, you've got 99 problems and a Flash Player is but one of them.

This is next-level electronic recycling and data wiping: At the 2022 Global Hackathon, a team led by Ranganathan Srikanth created robots that dismantle hard drives, destroy data by destroying platters, and recycle the remaining parts to extract valuable materials, avoiding the current practice of shredding entire hard drives. The robotic system uses computer vision to recognize different HDD types and locate screws for disassembly. It carefully removes components, destroying only the data-carrying platters, while salvaging parts like magnets and printed circuit boards for reuse."

"There are currently no publicly known software-based vulnerabilities that bypass these security mechanisms, and this is where DMA attacks can be useful for hackers as it allows them to bypass these security measures with the help of a specialised DMA device such as the Screamer PCIe Squirrel, LeetDMA, Enigma-x1 and USB3380-EVB to name a few. These devices can easily be purchased online are commonly used for various other purposes such as game hacking and kernel code debugging. The specialised DMA device is plugged into the stolen laptop either via PCI Express capable slot such as a M.2 slot or via a Thunderbolt port. It should be noted that for this attack to work a few security features in the BIOS need to be off which are sometimes set to off by default or can be changed by a hacker if there is no BIOS password. Thus, if your organisation or your personal device does not have a BIOS password, we highly recommend implementing one to prevent a hacker from switching off security features that help protect against various attacks such as DMA attacks." - I find it interesting that gamers are using these techniques. They also use EFI/UEFI exploits to get around anti-cheat modules (I found this video that describes some of the techniques: https://www.youtube.com/watch?v=RwzIq04vd0M&t=1071s). Just a matter of time before we see malicious actors using these techniques? For DMA, these have been around for a while and have required physical access. One point that I believe supports my current concerns: ''If UEFI/EFI exploits are commonly believed to only be used by advanced nation state attackers, why have game cheaters used these methods successfully? Clearly, UEFI/EFI security issues are available, and those that use them have the requirement to get in before the OS!''

Pending court approval, a settlement agreement filed in a San Francisco court on September 12 marks the end of a class action suit against 23andMe for their 2023 data breach. Threat actors had leveraged a credential stuffing attack, gaining five months of access to the personal information of 6.4 million customers in the US, and had sold the stolen data online. Stating that “further conduct of the litigation would be protracted, burdensome and expensive,” 23andMe will pay $30 million to the plaintiff class, and promises a list of “business practice commitments” including checking passwords against known breaches, requiring 2FA, and implementing a more careful policy for retention of PII. The takeaway for the rest of us is that we need to keep an eye on our ability to detect attacks and reduce dwell times. This is unlikely to be the last lawsuit on lost personal data, and the long term effects, beyond cyber improvements and scruitny are not just on stock prices but also on market share. Something to factor into the cyber conversation with the board.

The Port of Seattle (Washington, US) has confirmed that they suffered a ransomware attack in August and that the threat actors stole data. The incident disrupted services at Seattle-Tacoma International Airport; most services were back online within a week. The Port’s external website and internal portals are taking longer to restore. The Port has not and does not intend to pay the ransom demand.

The Rhysida RaaS operation is taking credit for this attack. The Port of Seattle has brought many systems back online, but some remain offline such as their website, SEA Visitor Pass, TSA wait times and the flySEA app. The port is keeping their site updated with status and FAQs, as well as contact guidance to help those impacted by the offline services.

SolarWinds has released an update to their Access Rights Manager (ARM) to address two vulnerabilities: a high-severity hardcoded credentials authentication bypass flaw, and a critical remote code execution issue. Both are fixed in ARM 2024.3.1.

Note that ARM 2024.3.1 SR is the same update, it's a service release. SolarWinds highly recommends ARM be installed on a server which is NOT Internet facing. This is a good time to review their best practices for securing SolarWinds Products. (https://support.solarwinds.com/SuccessCenter/s/article/Best-practices-to-secure-SolarWinds-products?kbloader=SF26374)

D-Link has released updates to address a total of five vulnerabilities affecting three of the company’s router models. The flaws were reported to D-Link by the Taiwan Computer Emergency Response Team (TWCERT). Three of the vulnerabilities are critical; the remaining two are high-severity. Users are urged to upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

CVE-2024-45694, stack-based buffer overflow, CVSS score 9.8, CVE-2024-45695, stack-based buffer overflow, CVSS score 9.8, CVE-2024-45696, force enablement of telnet service, CVSS score 8.8, CVE-2024-45697, Telnet enabled when WAN connected/hard coded credentials, CVSS score 9.8 and CVE-2024-45698, improper input on telnet daemon,CVSS score 8.8 are attention grabbing. D-Link has not reported exploitation in the wild, but D-Link is a common target, so you want to treat these as if they have targeted/active exploit attempts. It's 2024, we really need suppliers to knock-off the hard-coded credentials and insecure services like Telnet and FTP.

Kawasaki Motors Europe (KME) has disclosed a cyberattack that took place at the beginning of September. The company’s statement describes a process of isolating and checking each of their servers, but does not describe the nature of the attack other than characterizing it as “not successful.” RansomHub posted 487GB of data allegedly stolen from KME on a Tor-based leak site on September 14, claiming the company refused the ransom demand. At this point KME has restored in excess of 90% of their services, prioritizing systems which support dealers, business administration and third-party suppliers. RansomHub is a Ransomware as a service variant formerly known as Cyclops and Knight, has been active since February and has attacked more than 210 victims by the end of August. RansomHub is described, with mitigations and IOC's, in CISA Alert AA24-0242A (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a) Core mitigations are phishing resistant MFA, keeping systems patched/updated, and train users to recognize/report phishing attempts.

A blog post from Tenable details research into a vulnerability in Google Cloud Platform Composer which would allow a hacker to exploit dependency confusion in Python package management to execute unauthorized code, steal data, and/or create a supply chain attack. Tenable calls this vulnerability “CloudImposer” and tracks it under Tenable Advisory ID TRA-2024-18. Google has addressed the issue by ensuring the vulnerable package is installed only from a private repository and has a verified checksum. This flaw was reported to Google on January 18th and was fixed by Google in May. Google also updated their documentation, recommending developers use the "--index-url" argument instead of the "--extra-index-url" as well as making use of an Artifact Registry virtual repository when requiring multiple repositories. The "--index-url" agrument forces the package to be searched for (and downloaded) from the named repository, reducing the risk of dependency confusion.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity check list for organizations that are part of the election infrastructure. The checklist is designed as a list of questions broken down into topical sections: phishing attempts targeting your email; distributed denial-of-service (DDoS) targeting your websites; ransomware targeting your network; and known exploited vulnerabilities and your internet facing systems. the elopement also includes a list of resources and cybersecurity quick tips.

If you're hosting/managing election infrastructure, you need to run down this checklist quickly so you have time to remediate any deficiencies. The rest of us need to use this to make sure we're securing our critical infrastructure, this checklist (and resources list) is not specific to election systems encapsulating what has to become table stakes for any internet facing services.

On Monday, September 16, Apple released iOS 18. The updated mobile operating system addresses more than 30 security issues. The fixed vulnerabilities could be exploited to use Siri to access data, control devices, and look at photos; to record the screen without indicating the recording process; bypass device pairing; force a disconnect from a secure network, and other malicious activity.

Apple released both iOS/iPadOS 18 and 17.7. You may want to push 17.7 vs 18 while the first couple of updates to 18 are delivered. 17.7 addresses 16 vulnerabilities, while 18 addresses about 36. Both 17.7 and 18 address a kernel vulnerability which allows VPN bypass, Bluetooth unauthorized access, and Safari private browsing and sandbox bypass. None of these flaws were marked as actively being exploited. iOS 18 introduces Apple Intelligence, Apple's entry into GenAI and requires iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Apple also released macOS 15,macOS 14.7, macOS 13.78, tvOS 18, watchOS 11, visionOS 2, Safari 18 and Xcode 16

The upcoming 23rd Annual US-Taiwan Defense Industry Conference has been targeted by a malware campaign aimed at stealing data, according to Cyble Research and Intelligence Labs (CRIL) in a post on September 13. The attack was designed to intercept attendees with a counterfeit registration form delivered as a ZIP file, which when opened would trigger a hidden executable to download and compile malicious code in real time, all within system memory. CRIL enumerates MITRE ATT&CK techniques identified in the attack, and suggests risk mitigation should include anti-phishing tactics, better monitoring of network traffic and in-memory operations, and management of user privileges.

In addition to the attacks being fileless/in-memory and hard to detect, they were also using living off the land mechanisms, so scans for installed tools would have not yield results. This is a good scenario to talk to your EDR provider to see if they can detect and respond/block this behavior.

Apple has moved to drop their 2021 lawsuit against the creators of the Pegasus spyware. The company no longer believes the case is adequate to impact current threats, nor worth the risk to proprietary anti-spyware information, according to a motion filed in San Francisco court on September 13. While Apple stands by the grounds of the suit, they believe "proceeding further with this case has the potential to put vital security information at risk,” and NSO and Pegasus no longer represent a “significant portion of the threat environment.”

This is a case of the ROI of the lawsuit, vs the risk of information about their security disclosed in the course of the suit, which the court may or may not be able to adequately protect. Apple is also now claiming their anti-spyware program is the best in the world, and NSO/Pegasus no longer have a corner on this market. Be careful claiming your solution is the best in the world. Remember unbreakable Linux, or LifeLock's CEO's SSN on bulletin boards?

On Friday, September 13, Ivanti updated an advisory for a vulnerability in their Cloud Service Appliance (CSA) that was originally released on September 10. The high-severity OS command injection vulnerability (CVE-2024-8190) affects CSA version 4.6, which “is End-of-Life, and no longer receives patches for OS or third-party libraries.” While Ivanti has released a fix for CSA 4.6, it is the final patch that will be backported for this version; users are urged to upgrade to CSA 5.0. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8190 to their Known Exploited Vulnerabilities Catalog; federal civilian executive branch agencies have until October 4 to remove CSA 4.6 and/or upgrade to CSA 5.0.

The cat is out of the bag, Ivanti CSA is targed and actively being exploited. Check for IOC's on your CSA device, and if found, build a new one, otherwise update to 5.0 now. Also make sure that the management Interface is not Internet accessible. The KEV gives agencies until 10/4 to update, don't wait that long.

"Citizens will be on their best behavior because we are constantly recording and reporting everything that's going on," Ellison said, describing what he sees as the benefits from automated oversight from AI and automated alerts for when crime takes place. "We're going to have supervision," he continued. "Every police officer is going to be supervised at all times, and if there's a problem, AI will report the problem and report it to the appropriate person."

Apple said moving forward in the case would expose critical security information it uses to combat the expanding proliferation of commercial surveillance tools in general. New spyware companies have sprung up, meaning a judgment against the NSO Group would have a limited effect on the industry.

The Intellexa Consortium made the Predator commercial spyware. This group includes people from North Macedonia, Hungary, Greece, and Ireland. As Apple said in the previous article, the commercial spyware industry has expanded and spread so far that using legal actions to stop it has become impractical.

Microsoft and Linux are in the process of replacing critical code with Rust, moving away from C++. But C++ creator Bjarne Stroustrup says "We can now achieve guaranteed perfect type and memory safety in ISO C++." The Safe C++ Extensions proposal aims to do that.

Research challenges conventional wisdom that evidence and arguments rarely help to change believers’ minds. But chatting with customized AI's does help free people from these beliefs. “The AI knew in advance what the person believed and, because of that, it was able to tailor its persuasion to their precise belief system”

Deep Neural Networks run current Large Language Models, but they have an interpretability problem--we don't understand what each neuron is doing, so we can't adjust the model to strictly enforce security policy. Kolmogorov-Arnold networks limit each neuron to only use a small subset of inputs, so it is easier to understand how they work and how to control them.

Microsoft is working on Windows to allow endpoint security solutions to operate effectively outside of the operating system's kernel. This would make the kernel more stable, but it would also cause performance problems and limit anti-tampering protections.

Israel hid explosives inside a batch of pagers destined for Hezbollah. The operation, which left thousands injured across Lebanon, was the result of a joint operation between Israel’s intelligence service, the Mossad, and the Israeli military. At least nine people were killed, including an 8-year-old girl, and at least 2,800 wounded.

The first thing people saw when they searched Google for the artist Hieronymus Bosch was an AI-generated version of his Garden of Earthly Delights, one of the most famous paintings in art history. This demonstrates both the enshittification of Google, and of the Internet at large, where AI-generated content now outnumbers human-generated content.