Confessions of a Cyber Criminal Stalker – Ken Westin – PSW #852

Extremely detailed article on hardware fault injection. This is one to save for later if you have not gone down the rabbit hole of fault injection.

I love the way they explain the details in this article, starting with the basics, such as "What is OvrC?" with some background. Then they delve into the details. They discovered 10 vulnerabilities in total. In total, there are 10 million devices being managed by OvrC. Similar to MQTT, the protocol handling and authentication is terrible, allowing attackers to potentially take over EVERYTHING. Which is neat! I really though management frameworks, such as OvrC, could be a solution to the security troubles faced by IoT devices. Turns out, its just more attack surface...

Such a great article. I've always thought that attackers and researchers spend A LOT of time probing Windows and documenting techniques such as process injection. Not enough time is spent translating how these attacks can be conducted on Linux systems. Since Linux is even a more open environment than Windows, and tries to be compatible and interoperate with everything, I believe Linux has more attack surface than Windows. This article is a great step in the right direction to not only understand how exploitation techniques such as process injection work on Linux, but also flipping the script and exploring how we can turn them into defensive techniques as well.

Google has implemented hardened libc++, a modified C++ standard library that adds bounds checking to data structures, across its major server-side production systems. This initiative aims to address spatial memory safety vulnerabilities, which account for 40% of in-the-wild memory safety exploits. The rollout had minimal performance impact (0.30% on average) and has already prevented exploits, reduced segmentation faults by 30%, and uncovered over 1,000 bugs. Google's approach demonstrates that retrofitting spatial safety to large C++ codebases is feasible and effective, potentially setting a new standard for memory safety in the C++ ecosystem.

AI summary: So, our friends at Volexity stumbled upon a zero-day vulnerability in Fortinet's Windows VPN client. Now, get this - after a user authenticates to the VPN, their credentials are just hanging out in process memory like they're at a pool party. Talk about a security facepalm! But wait, it gets better. A Chinese state-affiliated threat actor, dubbed BrazenBamboo, weaponized this vulnerability in their DEEPDATA malware. This bad boy is a modular post-exploitation tool for Windows that's designed to suck up all sorts of juicy data from compromised systems1. Now, let's talk post-exploitation techniques. DEEPDATA is like a Swiss Army knife for hackers. It's got plugins for everything:

• Stealing credentials from 18 different sources
• Collecting data from chat apps like WeChat and WhatsApp
• Recording audio
• Extracting browser data
• Even hooking into Telegram to snag messages

The first "zoom" call occurred in 1916: "This epic event stretched telephone lines over 6,500 km, using 150,000 poles and 5,000 switches, linking major hubs like Atlanta, Boston, Chicago, and San Francisco. John J. Carty banged the gavel at 8:30 p.m., kicking off a meeting in which engineers listened in through seat-mounted receivers—no buffering or “Can you hear me?” moments. Even President Woodrow Wilson joined, sending a congratulatory telegram. "

I came to the same conclusion. After trying to run PI 4s and 5s for even a lightweight desktop experience, I was disappointed in the performance. Browsers are resource-hungry animals. I decided to revive a couple of old Intel NUCs. I also got a fairly powerful computer for podcast streaming. I put Ubuntu desktop on all of them. The user experience on Ubuntu has been great. I tried some other distros that are supposed to be lean. Debian with Xfce (as described in the article) is not a bad choice either. But Ubuntu just works for me and easily allows me to turn off the power management, install Chrome and Slack, support Secure Boot, and, as a bonus, I am familiar with the configuration settings. Also, most software will come packaged in a .deb format for easy installation (check out "input leap," a no-fuss KVM that replaces Synergy). So, this is the first episode brought to you by Ubuntu :)

I have a 3960x (24-core) that I built 4 years ago. It still ROCKS. The one found in the trash is the next model up, a 36-core. This person found a serious PC IN THE TRASH, replaced the power supply, and can run tons of VMs and local LLM models (or perhaps play games and stuff).

This is a really cool tool for passively enumerating URLs from a domain. It's super fast! You can also easily filter results and format the output as JSON. Run it against some domains; you may find something interesting. For example, you can search a device manufacturer's website and use the keyword "download", just as a "Random" example.

Security and performance are again at odds with each other. Preventing against physical attacks is important in some situations, which is why TPM bus encryption is a thing.

Yikes: The author discovered that the Palo Alto Global Protect VPN client stores user credentials in plaintext in memory. This vulnerability affects the Windows version of the client. The credentials can be extracted using a memory dumping tool like ProcDump. The process involves: Launching the VPN client, Using ProcDump to create a memory dump of the pangpa.exe process, Searching the dump file for the string "user=". The author found that the credentials are stored in a simple format: "user=username&passwd=password". This vulnerability allows an attacker with local access to extract VPN credentials. The article suggests that this issue has been present in multiple versions of the client over several years, but there is no mention of a patch from Palo Alto! The author recommends using additional security measures like multi-factor authentication to mitigate the risk.

I agree with the title, however, the article doesn't support both sides of the argument very well. Let's unpack and discuss:

• "In light of recent reports revealing over 500,000 new malicious open-source packages tracked since November 2023, the stakes for making the right choice are very, very high." - Commercial software also uses the very same open-source packages (in many cases). In fact, commercial software may use open-source code and not list which components they are using, leaving you in a worse security posture than if you ran pure open-source. Furthermore, commercial software has vulnerabilities too, in fact, much of the CISA KEV is for commercial software.

• The author states open-source software lacks the following: "Dashboards that don’t make your eyes bleed, Integrations that work, Compliance reporting that auditors will accept, Remediation workflows that make sense, False positive filtering that doesn’t waste your life, Vulnerability prioritization that isn’t just “everything is critical" - Everything except compliance reporting I disagree. Commercial software suffers from all of these issues, especially eye-bleeding dashboards.

• "Think of it like this: You’ve got two fishing boats – open-source and commercial. Both use the same net and catch just as much stuff. But the commercial boat has a processing plant that throws away the trash, sorts the fish by size and tosses out the fish we can’t eat. Both boats caught the same results, but the open-source tool leaves you sorting through the catch manually at 2 a.m. That’s not money, but it’s time." - I agree with this statement and really like the analogy, spot on!

• Choose open-source when: "You have the expertise to validate every component you’re bringing in" - Too many organizations do not do this well. I also believe we need to perform these validation activities on commercial software as well, why blindly trust commercial software?

• Lots of points on how open-source software has many false positives but commercial software does not. I believe these are blanket statements and the details matter here as it depends on which software you are talking about. Commercial software is not always more accurate than open-source software. If you believe differently, lets find some evidence and testing results then have a discussion.

Authentication bypass via an HTTP header value (they literally just set X-PAN-AUTHCHECK to "off"). This allows attackers to bypass authentication and access other PHP scripts on the management interface. The next vulnerability is labeled "privilege escalation", which is true, but also allows for RCE. They also released a Nuclei script for detecting the authentication bypass vulnerability. Another researcher published a full exploit chain: https://github.com/Chocapikk/CVE-2024-9474 (use at your own risk). Watchtowr is doing an amazing job. They are lightening fast at patch diffing to uncover the details on vulnerabilities in appliances, and creating exploits and checks. The posts are well-written and entertaining (the snarkyness and meme game is on point). A+ folks, keep it up!

This malware is CRAZY: "Key features include junk code insertion and metamorphic transformations, which alter the loader’s structure and flow, effectively evading signature-based, Artificial Intelligence, and behavioral detections. Through dynamic API resolution, the loader sidesteps common API monitoring by resolving necessary functions only at runtime, preventing static analysis from identifying telltale Windows APIs. Also bypassing sandbox injected DLLs that hook API calls. Shellcode loading and decryption further obfuscate the payload by embedding and decrypting malicious code in memory, bypassing file-based scanning. Additionally, anti-sandboxing and anti-analysis measures detect virtual environments, impeding sandbox analysis and automated AI defenses." - While not all the techniques are new, some are based on recent security research. The malware authors went through great lengths to keep this one stealthy.

The vulnerabilities, credited to Google’s TAG (Threat Analysis Group), are being actively exploited on Intel-based macOS systems, Apple confirmed in an advisory released on Tuesday. The company urged users across the Apple ecosystem to apply the urgent iOS 18.1.1, macOS Sequoia 15.1.1 and the older iOS 17.7.2.

CVE-2024-44308 — JavaScriptCore — Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

CVE-2024-44309 — WebKit — Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Generative AI Red-teaming & Assessment Kit garak checks if an LLM can be made to fail in a way we don't want. garak probes for hallucination, data leakage, prompt injection, misinformation, toxicity generation, jailbreaks, and many other weaknesses. If you know nmap, it's nmap for LLMs.

Microsoft plans to let Teams users clone their voices so they can have their sound-alikes speak to others in meetings in different languages. What could possibly go wrong?

The BlueSky (I am hevnsnt.bsky.social btw) firehose in a Window95'ish looking interface.

In June, Meta released an article titled Leveraging AI for efficient incident response on their engineering blog. In this article, engineers outline how they leveraged large language models to improve Meta's incident response capabilities. The headline metric from this report: Meta was able to use LLMs to successfully root cause incidents with 42% accuracy in their web monorepo.

???? Two undersea internet cables in the Baltic Sea have been suddenly disrupted, according to local telecommunications companies, amid fresh warnings of possible Russian interference with global undersea infrastructure.

Newly expanded financial aid will cover tuition costs for admitted students from 80 percent of U.S. families.

More than 50 United Nations member states have issued a joint statement, saying they are “deeply concerned with the frequency, scale, and severity of ransomware attacks against critical infrastructure, in particular hospitals and other healthcare facilities.” The statement calls on all UN members “to collectively work together to strengthen the cybersecurity and resilience of our critical infrastructure and work to confront and disrupt the ransomware threat.”

Healthcare system attacks, over the last few years, have become increasingly common and disruptive. Beyond a national focus on increased cybersecurity, which translates into both guidance and funding, culture change is going to be key to maintaining cyber posture, in an industry which is running to keep up with delivery of the most modern services to aid patient wellness.

According to a report from the US Environmental Protection Agency’s (EPA’s) Office that of Inspector General (OIG), more than 300 drinking water systems in the US have cybersecurity vulnerabilities that could lead to service disruptions. Those systems serve a total of approximately 110 million people. When EPA OIG attempted to notify the EPA about the issues, they discovered that EPA does not have a cybersecurity incident reporting system for water and wastewater systems.

When was the last time you verified your incident reporting process, particularly with third-party (cloud and outsourced) service providers. Check not just for current contacts, but also for the process. Be alert for a process which notifies a third party rather than you, as you'll never get those alerts. The report: https://www.epaoig.gov/sites/default/files/reports/2024-11/fullreport-25-n-0004t1.pdf

The US Federal Communications Commission (FCC) saw “strong interest” in their cybersecurity pilot program for libraries and K-12 schools. The FCC received more than 2,700 applications totaling $3.7 billion in requests; the program has allocated $200 million over three years to provide help with the costs of services and equipment for eligible schools and libraries. The funding, when granted, can be used for securing their netoworks in one of four categories: advanced or next-gen firewalls, identity protection and authentication, endpoint protection; and monitoring, detection and response (MDR). The volume of applicants shows an unmet need in our local schools and libraries, who are facing shrinking budgets with no room to incorporate cybersecurity improvements.

4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability. The flaw comes down to improper error handling of an invalid nonce, allowing the bypass. Really Simple Security used to be Really Simple SSL, it was renamed with the version 9 release, check for both. Make sure you're updating to the new version, to include enabling auto-updates. Version 9.1.2 was released November 14th, so you should see it deployed. Wordfence released firewall rules for their paid versions November 6th, the free version will get these December 6th.

The vulnerability, tracked as CVE-2024-0012, is an authentication bypass in PAN-OS allowing "an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474." The most effective mitigation is ensuring the PAN-OS management interface is configured properly and is not accessible from the internet. CISA/DHS got it right with BOD-23-02, make sure management interfaces are not exposed to the Internet. Even better, only allow authorized hosts access to those interfaces irrespective of the network, your future self will appreciate this change.

The US Department of Homeland Security (DHS) has released a guidance resource aimed at all levels of AI development and implementation, assigning specific responsibilities for safety and security at each level as the benefits and risks of AI become integrated into critical infrastructure. The framework was created by a DHS AI Safety and Security board comprising many private and public sector members, including the CEO of OpenAI and the Policy Director of the White House Office of Science and Technology. Envisioned as a "living document," the framework identifies five security directives, making a matrix of responsibilities for five types of AI stakeholders (shown in Appendix A). The key directives are: to secure environments; to drive responsible model design; to implement data governance; to ensure safe and secure deployment; and to monitor performance and impact. The stakeholders guided to act are: cloud and compute infrastructure providers; AI developers; critical infrastructure owners and operators; civil society (such as research institutions and consumer groups); and the public sector. Another five items characterize DHS's hopes for the framework's success, briefly: "harmoniz[ed]" security practices; infrastructure safety; AI ecosystem transparency; research advancement; and protection of civil rights. If you're in the critical infrastructure business, this is the droid you're looking for, at 35 pages it's not a bad read, and should drive some interesting conversations, both internally and with your suppliers. Even if you're not in that space, this is good input to consider relating to your AI

The sixth annual report from NordVPN's enterprise password management service suggests that easily-guessed or cracked passwords are still the most common personal and corporate credentials. NordPass studied 2.5TB of anonymized "publicly available sources" of leaked data from 44 countries, differentiating personal and business accounts by email domain. The company highlights the risk of reused credentials, and provides password composition suggestions that notably differ from NIST's revised authentication guidelines drafted in August, 2024: both recommend a high character minimum, 15 and 20 characters respectively, but NordPass emphasizes varying character types while NIST prohibits character type requirements. Seeing little to no improvement in this series of studies, the company looks to passkeys as a safer alternative.

A high-severity authentication bypass vulnerability (CVE-2024-47574) in Fortinet’s FortiClient for Windows could be exploited to gain elevated privileges and execute arbitrary code via spoofed named pipe messages. Two flaws were discovered, CVE-2024-47574, authentication bypass, CVSS score 7.8, as well as a second flaw, no CVE assigned yet, allowing access to the plain text encryption key used to protect sensitive information. Both flaws are addressed in the updates. If you have Fortinet in your shop, updates to the management client are as important as updates to the firmware on the device. While you're looking at your Fortinet environment, make sure that your management interfaces are also protected, limited to authorized hosts only.

According to an advisory update from Broadcom, known vulnerabilities in VMware vCenter Server are being actively exploited. Broadcom first issued patches for the flaws in September, but those fixes did not adequately address the problems. A second round of patches in October did fix the vulnerabilities; at that time, Broadcom said they were not aware of either flaw being exploited in the wild. This flaw was initially discovered five months ago; the update can be tricky. Refer to the Broadcom update for the versions of VMware vCenter Server and VMware Cloud Foundation you should have deployed. Note the Cloud Foundation update is an Async patch. While you're at it, make sure your vCenter management interfaces are only accessible from authorized devices. Broadcom has made VMware Workstation and Fusion free for all, so expect to see more VMware installations, and corresponding virtual machines popping up in your environment, you'll want to be sure both are kept secure and updated. https://blogs.vmware.com/cloud-foundation/2024/11/11/vmware-fusion-and-workstation-are-now-free-for-all-users/

Broadcom has made VMware Workstation and Fusion free for all, so expect to see more VMware installations, and corresponding virtual machines popping up in your environment, you'll want to be sure both are kept secure and updated.

An “adversary” accessed email communications between US congressional legislative staffers and staff in the Library of Congress’s Congressional Research Service. The information theft occurred between January and September of this year. Staff affected by the incident were notified on Friday, November 15.

The intercepted communication included legal advice to congressional staffers from library research staff regarding confidential legislative issues. Beyond work you're doing to mitigate BEC, Phishing and other email scams, make sure that your SMTP services/relays are configured to use TLS to prevent MiTM message interception, this is already required for cabinet level agencies per BOD-18-01.

He wants to eliminate, or severely curtail the powers of, the Cybersecurity and Infrastructure Security Agency, because of its efforts to counter disinformation, particularly around the 2020 U.S. presidential election. The agency came under fire from conservatives in 2020 after it countered narratives about the election being “stolen.” Trump ultimately fired the agency’s leader after it put out a statement that said the 2020 election was secure.

NSO developed a suite of hacking tools to be used against targets using WhatsApp, capable of accessing private data on the target’s phone. Thanks to these hacking tools, NSO installed Pegasus on “between hundreds and tens of thousands” of target devices, including journalists, dissidents, and human rights advocates.

Passkeys and the WebAuthn specification were intended to make public key cryptography accessible to average users, rather than just the domain of the tech-savvy. If done right, they could seriously improve security on the Web. But unless things get a lot more consistent and smooth for the end user, I fear this will end up just like PGP or client certificates in TLS: A technically valid solution that has minimal impact on the majority of users.

In a phshing email, “to access the embedded URL, victims are instructed to hold down the Ctrl key and click, a subtle yet highly effective action designed to evade email security scanners and automated detection tools.”

A critical authentication bypass vulnerability has been discovered impacting the WordPress plugin 'Really Simple Security'. Specifically, the problem lies in the 'checkloginandgetuser()' function that verifies user identities by checking the 'userid' and 'loginnonce' parameters. When 'loginnonce' is invalid, the request isn't rejected, as it should, but instead invokes 'authenticateandredirect(),' which authenticates the user based on the 'userid' alone, effectively allowing authentication bypass.

The problem was made worse due to Microsoft relying on client-side controls to limit the length of messages.

When the safety valve breaks in a hard battery case to release the pressure caused by a chemical reaction within the unit, it makes "a distinctive click-hiss, a little like the sound of cracking open a bottle of soda." NIST reckoned the alarm, once fully developed, could find its way into homes, office buildings, and electric vehicle parking garages. The NIST team noted that the safety valve gave two minutes' notice.

The average fatal crash rate for all cars in the United States is 2.8 per billion vehicle miles driven. The Tesla Model S has a rate more than double than average, at 5.8 per billion vehicle miles driven; meanwhile, the Tesla Model Y -- the best-selling vehicle in the world -- has a fatal crash rate of 10.6, nearly four times the average. It ranked as the sixth worst vehicle overall. (The Hyundai Venue took the top spot overall, with a fatal crash rate of 13.9.)

Locally run bots using specially trained image-recognition models can match human-level performance in this style of CAPTCHA, achieving a 100 percent success rate despite being decidedly not human.

Google's new AI-powered scam protection feature monitors phone call conversations on Google Pixel devices to detect patterns that warn when the caller may be a scammer. The system will work in real time by detecting conversation patterns commonly associated with scams, like callers impersonating companies or urgent phone calls following breach alerts.

TrapC code resembles C/C++ code, but it's memory safe. That is to say, its pointers cannot produce segfaults, buffer overruns, or memory leaks. The TrapC compiler is due to be released as free open source software in 2025.

The cyber security agencies of the UK, US, Canada, Australia, and New Zealand have issued a list of the 15 most exploited vulnerabilities in 2023. The top 5 are all hardware edge devices, not software running on a regular computer!

The top two spots on the list go to Citrix NetScaler ADC and Gateway. Third and fourth positions go to Cisco, and #5 is Fortinet's FortiOS. After that come normal software bugs, like Log4j.

Microsoft is working on a new Windows "Quick Machine Recovery" feature that will allow IT administrators to use Windows Update "targeted fixes" to remotely fix systems rendered unbootable. This new feature is part of a new Windows Resiliency Initiative launched in response to a widespread July 2024 outage caused by a buggy CrowdStrike Falcon update. The company is also working with security vendors as part of the Microsoft Virus Initiative (MVI) to add new Windows features and tools that will allow security software to run outside the Windows kernel to avoid incidents like the July outage in the future.