Analyzing Malware at Scale – John Hammond – PSW #845

Quick review leads me to believe this firmware is based on OpenWrt. We have a supply chain issue where people borrow and modify code, making it difficult to know what else may be vulnerable and how when comes to IoT devices. SBOMs are great, but not deep enough to know if code was borrowed and slightly modified, but also contains the vulnerability.

Something to look into more deeply, a stack-based buffer overflow on devices via DHCP, you don't say? - "An implementation of DHCP in ASF fails input validation, thereby creating conditions for a stack-based overflow. The software is no longer supported by the vendor. Because this vulnerability is in IoT-centric code, it is likely to surface in many places in the wild. CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution."

This report is eye-opening: "An advisory jointly issued Wednesday by the FBI, the Cyber National Mission Force, and the National Security Agency said that China-based company Integrity Technology Group controlled and managed Raptor Train. The company has ties to the People's Republic of China, officials said. The company, they said, has also used the state-controlled China Unicom Beijing Province Network IP addresses to control and manage the botnet. Researchers and law enforcement track the China-state group that worked with Integrity Technology as Flax Typhoon. More than half of the infected Raptor Train devices were located in North America and another 25 percent in Europe." - China is infecting IoT and network devices at an alarming rate.

When the attacker becomes the victim: "Overall, in the course of this exploration I learned a few things. C2 frameworks are designed to help you run commands on other people’s computers, but ironically many C2 frameworks are vulnerable to having unauthorized commands run on them. In some cases, simply launching these frameworks with the default options on a public network (such as the HackTheBox VPN) leaves you open to RCE. I see this as important to highlight, as many users are hobbyists experimenting and playing CTFs with their buddies, and won’t be doing an advanced operational deployment of the teamservers."

This article was pulled down due to some disclosure issues, however, the Internet never forgets and I pulled it from archive.org. Essentially, the QR code menus link back to central services that have API vulnerabilities. These vulnerabilities allow people to snoop on where you are eating, what you are eating, and how much you are spending, and in turn, how much revenue the restaurants are making from these orders. Creepy.

This is a remote code execution vulnerability in the web interface for Supermicro BMCs. Exploitation gives the attacker root access to the BMC. While there are some safeguards to prevent modification of the BMC, simply controlling the BMC provides the attacker with the MOST privilege possible on the system. This is not only before the operating system, this is even more privileged than UEFI. While you should not be exposing BMC management ports to the Internet, and tightly controlling them in your environment, the BMC is useless if you do not provide some level of access on the network. Patch now.

I didn't think it could be easier to steal a Kia, until now: "On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription. Additionally, an attacker could silently obtain personal information, including the victim's name, phone number, email address, and physical address. This would allow the attacker to add themselves as an invisible second user on the victim's vehicle without their knowledge."

Jericho has provided some amazing evidence that backs up some of the things we've been talking about this year about vulnerability tracking and specifically the KEV. Tracking vulnerabilities is hard, tracking exploits is hard, and determining which ones are actively being exploited is even more difficult.

I like Jericho's recommendation here: "CISA should publish a second list of vulnerabilities under investigation so organizations can use it as a secondary list for risk and triage. Easily disclaimed as such, federal stakeholders don’t need to jump to fixing, but it gives them a better opportunity to intelligently patch. If one vulnerability affecting a product is newly added to a KEV catalog, and two more are on the investigation list, it is easier and more efficient to patch all of them to be safe." - I am also on board with not just believing when people say there are only a small number of vulnerabilities being exploited. We can't possibly know this without being 100% certain we are monitoring and detecting every single intrusion of a computer system on the planet. We're not. I will also add my two points (and apologies if Jericho covered these already):

• We do not have a great way to track chained vulnerabilities and exploitation of said chain. I've asked this of many people, and today, we just don't have a great way to do this (at least as part of a public project).
• We do not track supply chain vulnerabilities very well. For example, a vulnerability in a component will go undetected until someone analyzes the software/firmware and identifies the component. Commercial components are even more difficult to track as we don't have the source code available publically like we do in open-source.

Therefore, you have to drink all the booze and patch all the things.

A Rust version of binwalk! Some analysis: After speaking with my new friend Edwin from Finnite State we recognize that the original binwalk has not been updated, it was forked and development continued. The original binwalk has some amazing ways to determine magic bytes. unblob is awesome, but has lots of dependencies and best to run in a container (but has less magic bytes). The new binwalk written in rust is very fast, but does not have the coverage for magic bytes or filesystems, yet. My personal take is to have all 3 and use them.

Installed in a box high up on a pole somewhere in the Mission of San Francisco is a crappy Android phone, set to Shazam constantly, 24 hours a day, 7 days a week. It's solar powered, and the mic is pointed down at the street below. Heard of Shot Spotter? Microphones are installed across cities across the United States by police to detect gunshots, purported to not be very accurate. This is that, but for music.

It doesn't matter any more if Doom can run. The real question is "yeah but does it run Quake?"

Does it do any good? Does it just confirm that your number is real?

A 2023 Ferrari, valued at $575,000, was stolen from Greenwich on Sept. 16, according to police. WPD identified and pulled over the stolen car, at which point the driver fled…The owner of the car left a pair of their AirPod headphones inside the vehicle. Waterbury’s Auto Theft Task Force was then able to track the headphones and the car to a gas station on South Main Street.

Interview A hacker walked into a "very big city" building on a Wednesday morning with no keys to any doors or elevators, determined to steal sensitive data by breaking into both the physical space and the corporate Wi-Fi network.

Hurricane Helene has caused massive damage and taken over 100 lives across several US states. Many thousands of people are without power and/or cell service. But in the wake of the storm, reports have surfaced about a key iOS 18 feature that has been a lifeline for survivors: Messages via satellite.

Nvidia has released a powerful open-source artificial intelligence model that competes with proprietary systems from industry leaders like OpenAI and Google.

Simply enter the URL of the article and click the archive buttons to remove any paywall.

How do QR codes work? The checkerboard patterns taking over the world, demystified.

Marques Brownlee wants us to pay $50 a year for dumb wallpapers so he can harvest and sell our data. All while using a garbage unsecure api? yea ok

Powershell function to download them all for free ????

Bob Jones High School has been renamed "James Clemens Hawk Tuah High School"

James Clemens High School has been renamed "Diddy University"

and my personal favorite: Duncanville Middle School has been renamed "Duncandeeznutsindwightsmouth Middle School"

A federal court Thursday granted preliminary approval for a $21 million settlement in a class-action case against Arthur J. Gallagher & Co. over a 2020 cyber breach at the brokerage.

"A Michigan Medicine employee accepted an unsolicited multifactor authentication prompt, which allowed the cyberattacker to access the employee’s email account and its contents,"

The telecom will pay half in the form of a fine, while the other half will serve as a down payment for improvements to data security and cybersecurity.

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.

On the security improvement front, the FCC said T-Mobile has agreed to “move toward a modern zero trust architecture and segment its networks.

Abuse of authentication methods, for example through the leakage, theft, or deliberate sale of credentials, is the number one way that breaches and ransomware attacks begin,” the FCC said, adding, “Consistent application of best practice identity and access methods will do more to improve a cybersecurity posture than almost any other single change.

Star Health reportedly fell victim to a data breach via Telegram chatbots.

"Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

The latest draft version of NIST's password guidelines simplifies password management best practices and eliminates those that did not promote stronger security.

NVIDIA lists CVE-2024-0132, container escape, with a CVSS score of 9.0 and CVE-2024-0133, Time-of-check Time-of-use race condition, with a score of 4.1, both of which affect Container Toolkit versions 1.16.1 and below as well as GPU Operator versions 24.6.1. The fix is to update to version 1.16.2 and 24.6.2 respectively.

Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have published joint guidance for detecting and mitigating Active Directory compromises. The document describes 17 common techniques threat actors have used to compromise Active Directory, and suggests mitigation strategies for each technique. The guidance notes that “every user in Active Directory has sufficient permission to enable them to both identify and exploit weaknesses. These permissions make Active Directory’s attack surface exceptionally large and difficult to defend against.” This should become required reading for our AD admins. As well as the cyber team so they are on the same page.

Special Publication 800-63-4 is the second public draft of guidelines on "the authentication of subjects who interact with government information systems over networks" published by the National Institute of Standards and Technology (NIST). Notably the draft redefines what Credential Service Providers (CSPs) may and may not require in password composition. Hard rules include an 8-character minimum (15 minimum and 64 maximum recommended); no special character rules; no arbitrary scheduled password changes; no publicly visible password hint, and no knowledge-based credentials or security questions.

A botnet comprising a “constantly fluctuating” multi-tiered infrastructure of Small Office/Home Office (SOHO) and Internet of Things (IoT) devices may have been active since 2020, according to researchers, and as of June 2024 included over a quarter of a million devices on six continents. Lumen’s Black Lotus Labs found that devices are compromised both by known and zero-day exploits, and are in use for an average of 17 days before being rotated out. The botnet’s base tier malware is Nosedive, a difficult to detect variety of Mirai that operates entirely in system memory. IOC's for RaptorTrain are in Black Lotus Lab's full report. The good news is that mitigations are straight forward and center around updates, lifecycle management, using strong credentials and not allowing unauthorized devices access to management capabilities, which is not terrible for a business, but harder for many "set it and forget it" home users.

On July 19, a problematic CrowdStrike rapid response content update disabled more than 8.5 million Windows devices, causing outages for airport, airline, government, and business operations around the world. In testimony before US legislators on Tuesday, September 24, CrowdStrike Senior VP, Counter Adversary operations Adam Meyers said the company has “taken steps to help ensure that this issue cannot recur.” Among the changes: Customers will have the option of choosing whether they receive updates as soon as they are available or schedule them for a later date; and the content updates will now be treated as code.

Cyber threat actors with ties to North Korea’s government have allegedly broken into the network of German air defense system manufacturer Diehl Defence. According to Der Spiegel, the hackers gained access to Diehl’s network through a spear phishing attack with a malicious PDF attachment that purported to be job offers from US defense contractors. Mandiant investigated the incident and found that the threat actors had conducted reconnaissance prior to the attack.

The attack is attributed to the Kimsuky APT, aka APT43, Velvet Chollima, Emerald Street, TA406 and Black Banshee which focuses on intelligence gathering, including support for the North Korean Government's nuclear and strategic efforts. Spear phishing attacks with a jacked-up PDF, as was used here, are tricky to protect against. On top of that, the attackers leveraged a legitimate login server to capture credentials. The good news is we can do more than advisors not to click. Make sure that you've got in-line attachment checking, MFA to help mitigate credential harvesting, and if possible protective DNS.

Microsoft has added some security and privacy features to the controversial Recall feature on Copilot+ machines. The initial version of Recall, announced in late May of this year, was on by default. It took screenshots of everything users did on the machines, and it stored that information, unencrypted, on disk. The revised version of Recall, announced on Friday, September 27, will be off by default (opt-in) and will include the option to delete the feature from the machine’s operating system.

Microsoft is attempting to recover and regroup with Recall, adding security, opt-in and regular re-validation of opt-in status. Recall is now encrypting sensitive information using the system's TPM chip which is tied to the user's Windows Hello Enhanced Sign-In Identity and can only be accessed in a secure VBS Enclave which should prevent other users from accessing this information. Even so, read the Windows Blog on Recall security before enabling it.

The University Medical Center (UMC) Health System in Lubbock, Texas, has confirmed that they have been experiencing an IT outage due to a ransomware attack. While all UMC Health facilities are open, they are “temporarily divert[ing] incoming emergency and non-emergency patients via ambulance to nearby health facilities until this issue is resolved.” UMC is a level 1 trauma center; the nearest level 1 trauma center is 400 miles away.

While UMC isn't releasing a full-service restoration date, they are now diverting only a few patients. They are reaching out to patients with scheduled appointments to advise them on the modified procedures and what to expect. As if the stakes aren't already high enough, UMC Children's Hospital is a Pediatric Level 2 Trauma Center with the region's only verified burn center for children.

With the help of the FBI, the city of Richardson, Texas is managing the aftermath of a ransomware attack. On Wednesday, September 25, the city disclosed that “an external party temporarily gained access to the City’s servers and attempted to encrypt data files within the network.” While the damage was contained “to a small number of files,” the city took the precautionary measure of shutting down internal access to their servers. Richardson is replacing affected equipment and restoring systems from backups.

The city, which has 120,000 residents, is working to rapidly restore services first, and secondly working to determine what data was exfiltrated. Richardson continues to post status updates as well as providing a 24-hour response center backup number as the primary number was suffering intermittent outages. They have also engaged the FBI and notified DHS. They are progressing rapidly, and it may be worth taking a look to see if you can emulate their success.

An inquiry launched in 2019 by the Irish Data Protection Commission (DPC) has concluded Meta must pay €91 million (approximately $101.3 million) for storing millions of user passwords in plaintext. DPC found that Meta infringed under four articles of the GDPR: failure to document the breach, failure to properly notify DPC, failure to “ensure appropriate security,” and failure to meet the level of risk to users with appropriate protection. Meta had reported “some user passwords” had been stored “inadvertently” without encryption; contemporary investigation by Brian Krebs estimated "2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords," including credentials dating back to 2012.

If you're storing passwords, make sure that they are not in plain text. Ideally use a strong salted hash (Bcrypt, SHA512, PBKDF2, etc.) don't create your own. While Meta took action to notify users and correct passwords stored in the clear, if you've not changed your Meta (Facebook) password since before 2019, you should look into that, as well as enabling 2FA on that account.

Hewlett Packard Enterprise has released fixes to address three CVEs that affect HPE Aruba Access points running AOS-8 and AOS-10. All three vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) are critical command injection issues. The current NVD descriptions of the flaws are identical: ”Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.” The vulnerabilities also affect certain end-of-life software versions; these are listed in the HPE advisory. Users are urged update and/or upgrade to fixed versions.

All three vulnerabilities have a CVSS score of 9.8. Make sure that you're running a supported/patched version of AOS-10 or Instant AOS-8. Then for AOS-10 restrict access to UDP port 8211 and enable cluster-security if you're on Instant AOS-8.

Two US Senators have introduced legislation that would require hospitals and other organizations in the healthcare sector to implement minimum cybersecurity standards and undergo annual independent audits. The Health Infrastructure Security and Accountability Act would allocate $1.3 billion to the Department of Health and Human Services (HHS) to support these efforts and establish meaningful consequences for organization that do not meet established standards.

With the ongoing plethora of healthcare ransomware attacks, the industry needs help raising the bar. One hopes the proposed funding to accompany this legislation will help seed those efforts. The bill applies to healthcare providers, health plans, clearinghouses and business associates. It adds stress tests and annual audits for accountability, as well as removing caps on fines HHS can dole out. If passed the legislation will go into effect two years after enactment. Supporting regulations will be in place at most 18 months after enactment with supporting standards from NIST.

The US Securities and Exchange Commission (SEC) has filed civil charges against a UK citizen for allegedly breaking into computer networks at five US companies and stealing privileged corporate earnings information that he later used to his advantage when conducting financial trades. Robert B. Westbrook allegedly reset account passwords for senior executives at the targeted companies. Westbrook is charged with violating antifraud provisions of the Securities Exchange Act of 1934. The SEC is seeking civil penalties, the return of the ill-gotten gains with interest, and enjoining Westbrook from future violations of the law.

Not quite the intelligence gathering in support of investing which is considered legal. Seriously, if you're a publicly traded company, this is a great example of why you want to implement strong MFA and possibly DLP types of measures to prevent misuse of proprietary information. The businesses appeared to get lucky in that he didn't leverage information obtained with their competitors or for extortion.

The US Senate and House of Representatives are considering bills that would direct federal agencies to study and begin regulating AI in the interest of cybersecurity. Both bills primarily address the National Institute of Standards and Technology (NIST) and the National Vulnerability Database (NVD), calling for AI vulnerability tracking, as well as consultation with other agencies and industrial and civil organizations to set up standard definitions and reporting guidelines. Conversely, these bills straddle a US Supreme Court ruling that diminishes agencies’ ability to interpret definitions and statutes in federal court – a dissenting Justice cited AI as a potential policy struggle for Congress without the authority of expert agencies. 2023’s Executive Order on “Safe, Secure, and Trustworthy Artificial Intelligence” also leans on NIST in collaboration with other agencies to “develop standards, tools, and tests to help ensure that AI systems are safe, secure, and trustworthy.” The House bill stipulates that its directives are “subject to the availability of appropriations;” the introducing representatives are “actively exploring solutions” to ensure NIST and NVD are adequately supported.

On Thursday, September 26, the Linux Openprinting project released updates fixing four vulnerabilities in components of CUPS, the Linux printer framework. The underlying vulnerabilities turned out to be less severe than anticipated.

Initially, around September 23rd, a disclosure of an unauthenticated RCE flaw with a CVSS score of 9.9 rating which affected multiple Linux distributions was made. When the dust settled, this became vulnerabilities which affect CUPS. Four vulnerabilities were released for CUPS, CVSS scores ranging from 8.4 to 9.1. The exploit consists of sending a carefully crafted packet to UDP port 631. Odds are you don't need to allow UDP 631 inbound through your firewall, also you're going to want to disable cups-browsed. cups-library patches are starting to appear - apply them.

This happened to me when I was commuting in the East Bay. I had to pull over and find some free Wi-Fi to get my navigation to work. I was motivated to learn how to download a local map so it can operate in offline mode.

Microsoft has announced security and privacy upgrades to its AI-powered Windows Recall feature, which now can be removed and has stronger default protection for user data and tighter access controls. Recall is always opt-in, automatically filters sensitive content, allows users to exclude specific apps, websites, or in-private browsing sessions, and can be removed if needed.

Researchers used 16 popular LLMs, both commercial and open source, to generate 576,000 code samples in JavaScript and Python. The percentage of hallucinated packages is at least 5.2 percent for commercial models and 21.7 percent for open source models.

The "most extensive real-world test of Tesla's FSD ever conducted by an independent third party," covering more than 1,000 miles of real-world driving, found that drivers had to intervene over 75 times during the evaluation; an average of once every 13 miles. Errors are frequent, and when they occur they're often "sudden, dramatic and dangerous."

The much-hyped CUPS flaw in Linux appears to be less serious than anticipated. One of its components is the cups-browsed daemon, which is not on by default. Also, the code execution payload will only get triggered when a user schedules a print job to the newly added printer.

OpenAI is working on a plan to restructure its core business into a for-profit benefit corporation, moving away from control by its nonprofit board. I see this as honesty, removing the silly pretense of sharing the benefits of advanced AI with "all of humanity". It's a corporation, formed to make money, like all the others.

A GAO report said 51 of the FAA's 138 ATC systems – more than a third – were unsustainable due to a lack of parts, shortfalls in funding to sustain them, or a lack of technology refresh funding to replace them. A further 54 systems were described as "potentially unsustainable" for similar reasons, with the added caveat that tech refresh funding was available to them. The first of them won't be modernized until 2030 at the earliest. Of the systems on the list, two are more than 40 years old, and a further seven have been in service for more than 30 years.

The Resource Public Key Infrastructure (RPKI) protocol has "software vulnerabilities, inconsistent specifications, and operational challenges." RPKI was designed to fix problems caused by the fact that Border Gateway Protocol (BGP) – the protocol that manages the routes traffic can traverse across the internet – was not secure by design. The newer protocol theoretically fixes that by adding Route Origin Validation (ROV) and Route Origin Authorization (ROA) – techniques that let network operators verify that advertised routes are authentic and represent accurate BGP announcements.

He created his AI agent himself. It's a Python wrapper consisting of a few hundred lines of code that allows Anthropic's powerful large language model Claude to generate some commands to run in bash based on an input prompt, run those commands on Shlegeris' laptop, and then access, analyze, and act on the output with more commands. He asked his AI agent to try to SSH from his laptop to his desktop Ubuntu Linux machine; but it then updated the kernel, edited Grub, and rendered the computer unbootable.

NIST blew its self-imposed September 30 deadline. As of September 21, NVD still has 18,358 CVEs (72.4 percent of new reported vulnerabilities) that need to be analyzed. At the time of publication, the number has dropped slightly to 17,873.