Secure By Default – How do we get there? – Andy Syrewicze – PSW #848
Full Audio
View Show IndexSegments
1. Secure By Default – How do we get there? – Andy Syrewicze – PSW #848
Andy drops some Microsoft Windows and 365 knowledge as we discuss the details on how we get to secure by default in our Windows and cloud environments.
Guest
Andy is a 20+ year IT Pro specializing in M365, cloud technologies, security, and infrastructure. By day, he’s a Security Evangelist for Hornetsecurity, leading technical content. By night, he shares his IT knowledge online or over a cold beer. He holds the Microsoft MVP award in Security.
Hosts
2. Not The Vulnerabilities You’re Looking For – PSW #848
This week: The USB Army Knife that won't break the budget, I don't want to say EDR is useless (but there I said it), Paul's list of excellent hacking tips, FortiJump - an RCE that took a while to become public, do malware care if it's on a hypervisor?, MicroPython for fun and not for hacking?, an unspecified vulnerability, can you exploit speculative execution bugs?, scanning the Internet and creating a botnet by accident.
Hosts
- 1. Fortinet Warns of Actively Exploited Flaw in FortiManager: CVE-2024-47575 (CVSS 9.8)
- 2. New macOS vulnerability, “HM Surf”, could lead to unauthorized data access
- 3. USB Army Knife
This could be a cheap, I mean less expensive, alternative to a Bash Bunny. This one supports the Lilygo S3 which has a screen. It can emulate storage and network devices and deliver Ducky Script payloads, has an SD card slot, and supports Wifi and Bluetooth on the ESP, and includes Maurader for Wifi attacks. You can buy it for like $12-$15 (as opposed to $120 for a Bash Bunny). Now, I am sure there are some differences, however, its hard to tell at a glance what they are...
- 4. EDR Telemetry
I have not validated this in any way, but on the surface, it checks out. I don't want to say EDR is useless, but sometimes I do...
- 5. Quick Hacking Tips
I found a few neat and interesting things on the Internet that may be interesting to all of you hackers:
- https://github.com/freelawproject/x-ray - Uncover redacted text in PDF files.
- https://github.com/kazet/wpgarlic - A proof-of-concept WordPress plugin fuzzer that led to the discovery of more than 300 vulnerabilities in WordPress plugins installed on almost 30 million sites.
- https://hardenedlinux.org/blog/2024-10-13-container-hardening-process/ - Great article on how to harden containers. I've done this work in the past, this seems like a really awesome guide.
- https://github.com/lozaning/The_Wifydra - The Wifyrda is a wardriving tool for the simulanious monitoring all 2.4Ghz wifi channels for network beacons, and includes the ability to geotag the location of found networks and write all this data to an SD card for uploading to Wigle.net - And it looks amazing!
- https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet - THC's favourite Tips, Tricks & Hacks (Cheat Sheet) - Tons of tips! Like this: ** ssh -o UserKnownHostsFile=/dev/null -T [email protected] "bash -i" = Stops you from showing up in w or who command and stops logging the host to ~/.ssh/known_hosts.
- https://github.com/7h30th3r0n3/Evil-M5Core2 - Firmware for M5 Stack devices, just keeps adding awesome features! I just checked and they've updated the firmware to include a network scanner. I mean, why not? This is also the firmware I am testing that will link multiple devices to allow you to collect data and execute attacks on multiple 802.11 channels using up to 14 devices.
- 6. FortiGate admins report active exploitation 0-day. Vendor isn’t talking.
So many things here I had to just create a list of random thoughts:
- Fortimanager was designed to manage firewalls that are behind firewalls
- About 60k are on Shodan exposed to the Internet
- The RCE is accessible from the API
- Fortinet communicated with customers for a couple of weeks before going public and getting a CVE assigned
- This vulnerability was seen being exploited in the wild for about a year
- This is important: "Reddit indicated that the zero-day allows attackers to “steal a Fortigate certificate from any Fortigate, register to your FortiManager and gain access to it.” - As you need a certificate to authenticate, but you can just steal one
- FGFM is the protocol, and has had some issues in the past
- Irony: "Carl Windsor, the company’s chief information security officer, published a post in May affirming what he said was a commitment to “being a role model in ethical and responsible product development and vulnerability disclosure.”"
- It was added to the CISA KEV today
- 7. ShadowLogic: The Codeless Backdoor Threatening AI Supply Chains
This sounds amazing: "Unlike traditional methods that target a model’s weights and biases, ShadowLogic works by manipulating the computational graph of a neural network. This graph, which defines how data flows through the model and how operations are applied to that data, can be subtly altered to create malicious outcomes. The key to ShadowLogic is that it allows attackers to implant “no-code logic backdoors in machine learning models“, meaning the backdoor is embedded within the structure of the model itself, making it difficult to detect."
- 8. Linux kernel instrumentation from Qemu and Gdb
Great article: "Techniques for analyzing binaries or kernel modules that may try to monitor themselves, similar to malware behavior. To avoid detection during analysis, one approach is to use an hypervisor like QEMU to conduct research within a virtualized environment. Although the target may realize it is running in a virtual machine, this usually does not trigger suspicion, as hypervisors are common in modern environments. This method allows for detailed analysis while maintaining stealth, making it effective in scenarios where the target must not detect the monitoring." Has malware gotten lazy or adapted to modern environments where it now doesn't care if its being executed in a hypervisor? According to the researchers, yup: "In modern environments, running a Linux server on a hypervisor is quite common, and for most of the targets we analyze, this will not raise any red flags."
- 9. MicroPython for Flipper Zero: Simplify Your Hardware Projects
I believe the key point is small projects. I'm not a huge fan of MicroPython, I believe for many of the projects that we need to take on as hackers and cybersecurity people we need something better. But hey, if you just want tic-tac-toe on your Flipper, this project is for you. However, I am learning that C++ on ESP is much faster and has way better options for doing more advanced things.
- 10. CVE-2024-9537 (CVSS 9.8): Critical Zero-Day in ScienceLogic EM7 Leads to Rackspace Security Incident
It's almost as if they are writing the jokes for us! This is legit a REAL description from a CVE entry: "ScienceLogic SL1 (formerly EM7) is affected by an unspecified vulnerability involving an unspecified third-party component packaged with SL1." - I guess it means that you may have an unspecified vulnerability that is vulnerable to unspecified exploits and your risk is then, unspecified. It is specified on the CISA KEV, though even CISA has unspecified details...
- 11. grsecurity – Cross-Process Spectre Exploitation
It turns out that indirect branch prediction protections do not invalidate all indirect branches, leaving some processes vulnerable to leaking data: "The article describes a cross-process Spectre attack that exploits vulnerabilities in Intel's Golden Cove and Raptor Cove processors due to incomplete implementation of the Indirect Branch Prediction Barrier (IBPB). This barrier is intended to prevent speculative execution from leaking data across processes, but due to microcode bugs, certain return target predictions are not properly invalidated. For systems administrators, this highlights the importance of ensuring that systems are updated with the latest microcode patches from Intel, as these patches address the IBPB issue. Additionally, administrators should be aware that many user-space applications do not implement IBPB, leaving them vulnerable to such attacks, and should consider enabling IBPB where possible to enhance security." - Still, it appears that the password hash could not be stolen consistently, though the exploit did prove the possibility. It could only be a matter of time before this technique improves and we start to see it in the wild. However, I still do not believe CPU branch prediction exploits will significantly alter the threat landscape any time soon.
- 12. I Vulnerability Scanned The Entire Internet And Accidentally Made A Botnet
One 80-byte packet to select vulnerable CUPS instances triggers them to indefinitely send HTTP requests to an HTTP server. Yikes! Also, Marcus does an amazing job of explaining this and producing this video.
- 1. LTESniffer – An Open-source LTE Downlink/Uplink Eavesdropper
LTESniffer is a tool that can capture the LTE wireless messages that are sent between a cell tower and smartphones connected to it. LTESniffer supports capturing the messages in both directions, from the tower to the smartphones, and from the smartphones back to the cell tower.
- 2. Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
I picked this one because the logo is drawn in crayon. FortiNet made a number of errors in how this is implemented. For example, out of the box, by default, FortiManager allows any device, even with an unknown serial number, to register with FortiManager automatically and become a managed device...
- 3. Internet Archive breached again through stolen access tokens
The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.
- 4. Using AI Generated Code Will Make You a Bad Programmer
In the early days of the internet, the pejorative "script kiddie" was coined for people who "hack" computer systems without understanding what they're doing or how they're accomplishing it. It's someone who downloads a tool or script that promises to crack a password, access someone else's computer, deface a website, or achieve some other nefarious purpose. Assuming the scripts work as advertised, the kiddies who run them fancy themselves real hackers. You may think it's a stretch comparing developers who use AI generated code to script kiddies using pre-written hacking tools. I don't.
- 5. Over 6,000 WordPress hacked to install plugins pushing infostealers
"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko.
- 6. Exploit released for new Windows Server “WinReg” NTLM Relay attack
Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.
The vulnerability is tracked as CVE-2024-43532 and takes advantage of a fallback mechanism in the Windows Registry (WinReg) client implementation that relies on old transport protocols if the SMB transport is not present.
An attacker exploiting the security issue could relay NTLM authentication to Active Directory Certificate Services (ADCS) to obtain a user certificate for further domain authentication.
- 7. Defcon 32 Videos are being uploaded to YouTube!
You didn't see them while you were there, now is your chance!
- 8. Arm to Scrap Qualcomm Chip Design License in Feud Escalation
Arm Holdings Plc is canceling a license that allowed longtime partner Qualcomm Inc. to use Arm intellectual property to design chips, escalating a legal dispute over vital smartphone technology. Arm has given Qualcomm a mandated 60-day notice of the cancellation of their so-called architectural license agreement. The contract allows Qualcomm to create its own chips based on standards owned by Arm.
The showdown threatens to roil the smartphone and personal computer markets, as well as disrupt the finances and operations of two of the most influential companies in the semiconductor industry.
- 9. Robot vacuum cleaners hacked to spy on, insult owners
ABC news was able to confirm reports of this hack in robot vacuum cleaners of the type Ecovacs Deebot X2, which are manufactured in China. Ecovacs is considered the leading service robotics brand, and is a market leader in robot vacuums.
In 2023, however, two security researchers showed a method to bypass that protection. The weakness of the pin protection is that the app is the only place where the PIN is checked, not on the server or by the robot itself. So, if you have control of the device with the app on it and the necessary technical knowledge, you can have the device send a signal to the server which claims that you have entered the correct pin.
And though Ecovacs claimed to have fixed this flaw, one of the hackers that disclosed the flaw said it had been fixed insufficiently.