No CVE and No Accountability – Ed Skoudis – PSW #851

What happens if someone makes a typo in a CVE number and the wrong vulnerability ends up on the KEV? Turns out, it gets published. Now, thanks to Jericho, this has been resolved. However, moving forward, what types of checks and balances must exist to eliminate or reduce these occurrences?

This is a fun hacking story on building an ESP32 with a captive portal that Rick Roll's people. It's an ASCII art Rick Roll, which is even better! Github repo is here: https://github.com/h0bbel/esp32/

This grinds my gears: When vulnerabilities are discovered in EOL commercial software the trend is to not issue a CVE. Why? And, why can't we issue one anyhow? Then there is this: "Even worse, how many vulnerabilities are present in the outdated commercial software that you have delayed upgrading despite having no released CVEs?" - So, we are just supposed to upgrade and patch software and do as we are told. In some cases, we are supposed to pay money for the latest version or extend the support contract so we can get the patches. This is irresponsible.

Another neat little hacking thing I want. Also, vendors have to know by now if you release something it will be hacked, especially if you have no plans to support it moving forward. Also, why try to hide the Git repo?

This report is interesting as it points out there was an upward trend from 2022 to 2023 in attackers using 0-day exploits. Also, at least 40% of the vulnerabilities are from network device and appliance vendors (I say "At least" because my initial data analysis needs a couple of more revisions).

I've seen this before. This technique is certainly not new, but still effective. Also, unpackers treat this differently, and in one case we won't get a fix: "Perception Point security researchers contacted 7zip developers to address this specific behavior of concatenated ZIP files. The developer confirmed that it is not a bug and is considered intentional functionality – meaning this behavior is unlikely to change, leaving the door open for attackers to continue exploiting it."

VDI is interesting technology, on one hand it gives administrators centralized control and monitoring, on the other hand it gives attackers one place to compromise all the desktops. Watchtowr, as usual, did amazing research. And while I am not big on throwing vendors under the bus, there is this: "Citrix were friendly in communication and took our report seriously, but at the time of writing, we are not currently aware of version numbers for patches or CVE identifiers for the aforementioned weaknesses." - We need better visibility and tracking. This is a step in the wrong direction.

A decent primer on IR signals. I really need to seek out more detailed information and learn more about IR, including how to decode and encode IR signals, how the data is represented on various hardware platforms (e.g. the Flipper has an IR file format to describe it and other formats exist) and how to write the code to implement it on a platform. So, read this for a very high level primer, then stay tuned for more detailed information.

I love this part: "Exploitation of the OS command injection vulnerabilities is relatively straightforward. All the attacker needs to do is create a file on a FAT32-formatted USB mass storage device where the name will contain the OS commands to be executed. The filename must end with .up for it to be recognized by the software update handling code. While all three command injection vulnerabilities are exploited via the file name, the easiest one to exploit is by far the ZDI-CAN-23420 as there are no specific exploitation requirements such as validity of the crafted update file."

While its drama now, I feel like the producers had a time machine, traveled to the future, observed this situation, and reported back.

"This recent patch aims to improve Linux's performance by changing how the kernel handles copying operations from the user space. It mitigates the usage of the barrier_nospec(). This API was designed to thwart speculative execution attacks such as Meltdown and Spectre, which were first made public in 2018. Modern CPUs use speculative execution to increase efficiency. However, it can also expose security vulnerabilities. Torvalds' patch replaces barrier_nospec() with pointer masking. This method returns all 1s when the copy_from_user() attempts to access an invalid address. This approach offers a measurable performance boost while maintaining security." - While this is neat, I've still yet to see any evidence of Spectre or Meltdown-style attacks being exploited in the wild. 6 years and counting, and there is no evidence that I could find, and I ask frequently. It could be that this type of attack is difficult to detect. However, given we can deploy kernel rootkits to attacker owned machines and gather threat actor chat logs, if it were even being considered by attackers we'd likely know about it by now. El Reg says: "The Register reports, "Defending these attacks is a necessary evil. Running web servers and the like is a primary usage of Linux, and such boxes must be locked down against every conceivable attack - even at the cost of disabling performance-enhancing features." - I completely disagree with this statement. Even exploits in a lab struggle to be reliable and are very slow at extracting data from memory. Fight me on it, please, prove me wrong!

Spotify's idea a couple years ago was a car-focused device for those who lacked Apple CarPlay, Android Auto, or built-in Spotify support in their vehicles, or just wanted a dedicated Spotify screen. The Car Thing was a $100 doodad with a 4-inch touchscreen and knob that attached to the dashboard (or into a CD slot drive). All it could do was play Spotify, and only if you were a paying member, but that could be an upgrade for owners of older cars, or people who wanted a little desktop music controller. Spotify has lost all enthusiasm for the little music devices it sold for just half a year. Firmware hackers, as usually happens, have a lot more interest and have stepped in to save, and upgrade, a potentially useful gadget.

A community-driven repository for threat hunting ideas, methodologies, and research that serves as a central gathering place for hunters to share knowledge, collaborate on techniques, and advance the field of threat hunting.

HEARTH incorporates ideas for three distinct types of hunts classified by the PEAK Threat Hunting Framework:

Flames: Hypothesis-driven investigations with clear, testable hypotheses
Embers: Environment baselining and exploratory analysis
Alchemy: Model-assisted and algorithmic approaches to threat detection

???? Why Generating effective hypotheses and ideas for threat hunting is hard. HEARTH provides a collaborative environment where hunters can share, develop, and refine their methodologies while building a comprehensive knowledge base for the security community.

In this guide, I'll walk you through how I create tools to find exploits in video games for bug bounty programs. Specifically, I'll focus on my research into the game Sword of Convallaria. This exploration is purely for educational purposes. As such, I have removed some of the assets as an exercise for the user to find.

All source code can be found on GitHub

Fifteen minutes after buying them, I found out that the device was for all intents and purposes useless, because Apple has region locked the Hearing Aids feature to the US and some other countries. How we bypassed Apple's regulatory restrictions, built a Faraday cages and enabled georestricted features on the Airpods Pro 2 for our grandparents.

VMware made its Fusion and Workstation software that creates and manages virtual machines free for personal use earlier this year. Now, the company announced that as of Monday, it’s free for everyone, including commercial customers. Also, the Fusion (for Macs) and Workstation (for Windows and Linux) Pro versions are no longer available for purchase.

Bjorn is a powerful network scanning and offensive security tool for the Raspberry Pi with a 2.13-inch e-Paper HAT. It discovers network targets, identifies open ports, exposed services, and potential vulnerabilities. Bjorn can perform brute force attacks, file stealing, host zombification, and supports custom attack scripts.

FYI, YubiKey is apparently still selling old stock with firmware vulnerable to the EUCLEAK attack instead of disposing of them, as a reader of Fefe's Blog reported. "So Yubikey will immediately recall and replaced all keys, right? And Infineon as a culprit will have borne the costs? Haha, none of this happened! Infineon is sitting in its money store and counts the dollars, brings out a new software version and finds that the rest is not their problem. Yubikey has drunk Infineon's marketing cooling and did not install a way to the software update because it would compromise the security of the devices.

Now that the devices are compromised without an update option, a buddy of mine has been trying to have swapd his three Yubikeys for a few weeks. Yubikey told him: Lolnope. For this, an attacker needs enormous criminal energy and special hardware!1!! We do not change that."

We’ll write a full 240-page book and deliver it to you It’ll be packed with hilarious AI-generated content and professionally printed, just like a real book. The more specific you are, the more personalized and humorous the book will be.

I used to like Cybereason too...

There's new requirements in the PCI DSS to protect against these attacks, but because they are new there is a grace period. Don't wait - implement 6.4.3 and 11.6.1 today!

This is proving to be a timely topic given recent magecart attacks (see above). Yes, this is a shameless plug for a webinar where I'm co-presenting.

Cisco is issuing a critical alert notice about a flaw that makes its so-called Ultra-Reliable Wireless Backhaul systems easy to subvert.

In a significant development that underscores the lasting impact of 2023's MOVEit vulnerability, Amazon has confirmed that employee data was compromised through a third-party property management vendor.

Watch the video - they are on location at the Stop & Shop in Warwick!

Not too much detail here, but a lengthier discussion of the detection, response, and impact.

Nokia's investigation of recent claims of a data breach found that the source code leaked on a hacker forum belongs to a third party and company and customer data has not been impacted.

Halliburton’s most recent financial report says a cybersecurity incident disclosed earlier this year has cost the company $35 million so far. In August filings with the US Securities and Exchange Commission (SEC), Halliburton noted that the incident forced the energy services company to temporarily shut down IT systems and disconnect customers, and that the threat actors stole information.

The August attack, based on the IOCs, was most likely the work of the RansomHub gang. As neither RansomHub nor any other gang has taken credit for the attack, it's likely that Halliburton paid the ransom. The attack, in combination with the storms in the Gulf of Mexico has cost Halliburton $.02/share in adjusted earnings. As most of us aren't able to absorb a $35 million loss, make sure you've got your ransomware playbook dialed in, remembering not only to verify your position on payment but also where you stand related to any OFAC issues which correspond with making such a payment, if you choose to do so.

In a data security incident notice, Missouri-based law firm Thompson Coburn LLC says that information belonging to patients of one of their clients, New Mexico-based Presbyterian Healthcare Services (PHS), was compromised. Thompson Coburn “became aware of suspicious activity within [their] network” in late May. A subsequent investigation revealed that files viewed and/or taken by intruders included some PHS patients’ protected health information. The law firm has notified the US Department of Health and Human Services Office for Civil Rights; the number of individuals affected by the breach is estimated to be more than 305,000.

The Thompson Coburn is sending breach notices to folks who they have an address for, otherwise the messasge on the TC Notification website covers anyone they missed or don't have addresses for, a nice move which indicates they have good information on where their sensitive data is as well as sufficient information for a forensic analysis. As they haven't determined there is any use of the data, they are providing guidance rather than credit restoration. The PHI came from New Mexico's PHS, if you're a customer, make sure that you're covered for ID theft/credit monitoring & restoration. Consider how well you know where you sensitive data is and what you could do to not only verify it's secured, but also aid a forensic investigation if needed.

On November 7, Anthropic announced a partnership with Amazon Web Services (AWS) and US intelligence and defense contractor Palantir. The deal leverages AWS to integrate Claude AI 3 and 3.5 into the Palantir AI Platform, accredited at DOD Impact Level 6 (IL6), which "handles data critical to national security up to the 'secret' classification level." Claude is expected to automate the processing and analysis of large volumes of documents and data, and in the words of Anthropic CTO Shyam Sankar, to bring "decision advantage to [U.S. defense and intelligence communities'] most critical missions." Authority to make those decisions will still rest with human beings.

This is going to be a LLM with very specific training, and IL6 environment is very restricted, operated only operated by a CSP under contract to DoD or other federal agency in a DoD private community or Federal government community cloud. They are configured to both NIST SP 800-53 and CNSS 1253 requirements and can only operate at the CIA Moderate-Moderate-Low level. This is a visible step along the EO 14028 directive which includes increased cloud adoption, and the order was extended to classified systems by National Security Memorandum (NSM) 8, 1/19/22.

Several US government entities have partnered or continued developing a relationship with OpenAI technology, including the National Gallery of Art, NASA, the Internal Revenue Service, Los Alamos National Laboratory, the Air Force Research Laboratory, and the Defense Advanced Research Projects Agency (DARPA). Many have purchased ChatGPT licenses for a variety of purposes, often to "reduce administrative burdens and increase efficiency." First among ChatGPT's Enterprise customers was the US Agency for International Development (USAID). The Federal Aviation Administration (FAA) has also published documents indicating interest in "machine learning and artificial intelligence to identify safety risks."

Licensing and standing up your own LLM, trained on a data set you're managing, provides a safe way to dive into that world without worry about your data used to enhance another customer's prompt responses. Even so, you're still bound by any restrictions in the LLM's license, such as the prohibition on using the technology to harm people, destroy property or develop weapons.

The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification that warns of an “uptick” in compromised US and foreign government email addresses being used to make “fraudulent emergency data requests to US-based companies, exposing personally identifying information (PII).” Suggested mitigations to help precent exposure of sensitive data include vetting third-party vendors’ security posture, and stepping back to examine elements – including images and referenced legal codes – of requests for sensitive information, particularly when the requests have been fabricated to instill a sense of urgency.

The public sector is as much of a target as the private sector, and both have employees under stress who click the wrong link. Beyond the basics of MFA and technical controls to block malicious sites and attachments, making sure you have required procedures in place for common BEC scenarios, can help break the momentum and hopefully prevent the planned compromise.

The US Transportation Security Administration (TSA) has published a notice of proposed rulemaking that would “impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators and a more limited requirement, on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents.” TSA is accepting

public comment on the proposed rulemaking through February 5, 2025.

This is not unlike DoD requiring NIST 800-171 for contractors protecting their data. The rules include annual cybersecurity evaluations, independent (non-biased) assessment plans that identify unaddressed vulnerabilities, cybersecurity implementation plan which includes systems and how they are protected, detection measures and incident response plans. The trick is using a risk based approach to scale the requirements for relevance, as well as securing funding for implementation and oversight.

Amazon has confirmed that a security breach of a third-party vendor resulted in the compromise of some Amazon employee data. The breach was among the May 2023 MOVEit incidents; the compromised information includes work contact information, such as work-related email addresses, phone numbers, and building locations.

Third-party security remains a challenge, as they can and will make decisions around solutions, as well as mitigation of vulnerabilities without your involvement. Make sure you have contract language that not only requires your controls to flow down, valid and current security contacts as well as provisions for the validated removal of your data. Make sure these terms are validated regularly. Find out when the security of third-party service providers is assessed and who accepts the risk. Make sure it is sufficiently formalized and at an appropriate level, often risk acceptance involves someone out of the C-suite.

Researchers from Trend Micro’s Zero Day initiative detected six vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU) system, which is used in multiple models of Mazda vehicles. All flaws are due to insufficiently sanitized user-supplied input, and could be exploited by an attackers with physical access to the system. Some of the flaws could be exploited to execute arbitrary code with root privileges. The vulnerabilities are currently unpatched.

Input sanitization and patching aren't new ideas, and the Mazda system assessed does have a history of security updates. Even so, these systems need to be categorized as OT systems with long service lives, so while you could move newer versions to more secure coding practices, you'll still have old systems to maintain, which makes for a challenging support decision, particularly if you move to new languages. Short term, there appears to be an opportunity for researchers to partner with manufacturers to help identify weaknesses they are unable to uncover.

Over the past six months, nearly 250 organizations have signed the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design Pledge. The Pledge comprises seven goals: increasing the use of multi-factor authentication (MFA); reducing default passwords; reducing entire classes of vulnerabilities, such as memory safety, cross-site scripting, and SQL injection vulnerabilities; increasing the level of patch installation; publishing a vulnerability disclosure policy; increasing transparency in vulnerability reporting by publishing CWE and CPE fields in every CVE record; and p” providing artifacts and capabilities to gather evidence of intrusions.” Multiple companies, including Amazon Web Services, Fortinet, Microsoft, Okta, and Sophos, have taken steps to fulfill the pledge.

There are seven goals here, and the signatories are often touting success focused on one or two of them, or nominal progress across all seven. With CISA threatening increasing the number of goals, it's going to be tricky making sure that all are fully met, not just progress made. When assessing a provider's progress against secure by design, make sure you look at the whole picture, with your own measure of acceptable progress/residual risk.

Researchers at Check Point have identified a phishing campaign that attempts to scare people into downloading malware by impersonating media and technology companies and accusing the email recipient of copyright infringement. The phishing emails come from different Gmail accounts each time; they urge recipients to download an archive file, which employs DLL side-loading to deploy an information stealer known as Rhadamantys.

The email accounts used impersonate the legal department of the supposed copyright complainants and contain a password protected Zip file. While the AI here is more of the form machine learning and OCR, it's still prone to errors, notably language errors, so our traditional mitigations help, for now. It'd be a good idea to brief your legal team to be on the lookout for these as users are likely to forward to them for proper handling and response. Then check your (EDR, email, etc.) protections for new features which raise the bar, AI based or otherwise, which you may not have noticed.

Cybercriminals are likely gaining access to compromised US and foreign government email addresses and using them to conduct fraudulent emergency data requests to US based companies. These EDRs largely bypass any official review and do not require the requester to supply any court-approved documents. Also, it is difficult for a company that receives one of these EDRs to immediately determine whether it is legitimate.

The ban includes Instagram, TikTok, Facebook, X and YouTube. They will detect age with biometric facial analysis, voice analysis, and behavioral data to estimate user age without relying solely on traditional identification.

Generative AI can provide turn-by-turn driving directions in New York City with near-perfect accuracy, but it doesn't have an accurate map of the city. By closing some streets and adding detours, researchers found that the New York maps the model implicitly generated had many nonexistent streets curving between the grid and connecting far away intersections.

Consumer Financial Protection Bureau tells workers to reduce use of cellphones for work due to risk from China-linked telecom intrusion. Meetings and conversations that involve nonpublic data should only be held on platforms like Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.

Chinese hackers accessed sensitive cellular logs on a vast number of Americans after penetrating inside a swathe of U.S. telecommunications providers earlier this year. Salt Typhoon “appeared to have had the ability” to access data on almost any American.

They will integrate Claude 3 and 3.5 with Palantir's Artificial Intelligence Platform, hosted on AWS. Both Palantir and AWS have been awarded Impact Level 6 (IL6) certification by the Department of Defense, which allows the processing and storage of classified data up to the Secret level.

The decision to force TikTok to close its doors "was based on the information and evidence collected over the course of the review and on the advice of Canada's security and intelligence community and other government partners," according to the government statement. A government spokesperson declined to answer questions.

iPhones which have been stored securely for forensic examination are somehow rebooting themselves, returning the devices to a state that makes them much harder to unlock. Apple may have introduced a new security feature in iOS 18 that tells nearby iPhones to reboot if they have been disconnected from a cellular network for some time.