Threat Actors With A Thousand Names – PSW #856
1. Threat Actors With A Thousand Names – PSW #856
DNA sequencer vulnerabilities, threat actor naming conventions, new CNAs and problems, backdoors are not secrets (again), The RP2350 is hacked!, they know where your car is, treasury department hacked, what if someone hacked license plate cameras? Tenable CEO passes away, and very awkwardly, a Nessus plugin update causes problems, who needs fact-checking anyhow (And how people steal stuff and put it on Facebook), when you are breached, make sure you tell the victims how to be more secure, Salt Typhoon - still no real details other than more people were hacked and they are using the word sanctions a lot, Bitlocker bypassed again, Siri recorded you, and Apple pays, and yes, you can't print on Tuesdays!
- 1. ksmbd vulnerability research · Doyensec’s Blog
- 2. Botnets Continue to Target Aging D-Link Vulnerabilities
- 3. Zero Day Initiative — Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger
- 4. PMKID Attacks: Debunking the 802.11r Myth
- 5. How an obscure PHP footgun led to RCE in Craft CMS
- 6. CVE-2024-44825 – Invesalius Arbitrary File Write and Directory Traversal
- 7. NFS Security: Identifying and Exploiting Misconfigurations
- 8. Hat Trick: AWS introduced same RCE vulnerability three times in four years
- 9. Simple Prompts to get the System Prompts
- 10. Inside a New OT/IoT Cyberweapon: IOCONTROL
- 11. Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials
- 12. GitHub – lwthiker/curl-impersonate: curl-impersonate: A special build of curl that can impersonate Chrome & Firefox
- 13. Fortinet Addresses Unpatched Critical RCE Vector: An Analysis of Cybersecurity and Corporate Responsibility
- 14. It looks like the Raspberry Pi RP2350 Hacking Challenge may have been beaten — Hacker gains access to the OTP secret by glitching the RISC-V cores to enable debugging
- 15. GitHub – devttys0/delink
- 16. Patched But Still Vulnerable: Windows BitLocker Encryption Bypassed Again
- 17. Remote Code Execution on 40,000 WiFi alarm clocks
- 18. MISP-standard.org – Introducing the MISP Threat Actor Naming Standard
This is frustrating. I agree, we need this 100%. However, this guidance is not what we need. The specification calls for a single word, but not a dictionary word, to describe threat actor groups. This is just part of the problems and solutions. While we can poke at CVE, it does a good job of naming a vulnerability. Perhaps we need something similar for:
- Threat actor groups
- Botnets
- Malware
You could start to build a standard based on using the first letter of the above. For example, T-1100-A is a threat actor group, and so on. Not sure if this is practical, but it's where we need to go. The community is not unaware of this problem; the real problem is getting everyone together to agree and adhere to a standard. Also, this standard should have nothing to do with marketing, which has muddied the waters in this regard (e.g. Oh, we know it's Microsoft that discovered a thing because it's named after weather. Find better ways to market yourselves please.)
- 19. Shedding some light on anti-cheat effectiveness, dev “laziness” and risk management.
The problem with implementing effective Anti-cheat is that someone, or some organization, has to hold the keys to the kingdom. Oh, you want only your code to run and not be influenced by other low-level code? Cool, give us some money and we'll add you to the program and protect your software on our platform. On Linux, it's pretty much open, which means anyone can run code. This game of cat and mouse will continue for now...
- 20. Widely used DNA sequencer still doesn’t enforce Secure Boot
I just want to clear the air as I read some reactions to this research (also, I am not picking on Illumina, these are just general statements):
- Yes, an attacker would need privileged access to this system. Trust boundaries, especially on Windows, are made to be broken.
- While these devices should not be connected to the Internet directly, some are and likely will be. And while they should be on a separate network, I can't imagine companies such as 23andme have 100s of people with USB thumb drives moving around genomic data manually. It's 2025, things will be connected to other things.
- You have to secure the platform. You are wrong if you believe that an attacker will never land on a system. If you believe all of your customers will apply the latest firmware/software updates immediately 100% of the time, you are also wrong. For these reasons, you have to deliver systems that are as secure as possible.
- The flaws we are discovering in many different platforms indicate a trend: Security is not a priority below the operating system. This is a dangerous and frustrating approach as companies do not have to develop an entirely new and innovative approach to platform security; you just have to implement what's already available and update firmware/software to the latest versions. Now, you are getting ahead in terms of security.
- Low-level access to appliances and specialty-purpose devices gives the attacker an advantage. They can now be more stealthy, impactful, and persistent. Why give them this advantage?
- 21. I was always there from the start (Stealthy UEFI Bootkit)
A nice tutorial (with example code) that walks you through creating a basic Windows bootkit. There is a critical point in the boot process where all of the hardware and early-stage drivers (DXE) are loaded, and the last step is for the bootloader to hand control of the boot process to the kernel (ExitBootServices). If an attacker can hook this function, they can control the system at a critical point: The kernel has not yet loaded (including any protections), but the system's resources are fully available. I predict we will see more of this as time goes on, as evidenced by Bootkitty and other bootkits.
- 22. Liberating Wi-Fi on the ESP32
Two researchers set out to reverse engineer the proprietary Wifi/BLE stack on the ESP32 to unlock its full potential by creating an open-source stack: "So we set to work, reverse engineering the proprietary stack and building a new open source one. We soon discovered just how versatile the ESP32 can be, both as a tool for research and IoT SoC, when its capabilities are fully unlocked. This includes using it as a pentesting tool, a B.A.T.M.A.N. mesh router or an AirDrop client." - I did not know this was proprietary to Espressif, and it could unlock a whole new level of projects, especially for hacking/security, on the ESP32!
- 23. “Volkswagen Breach Exposes Data of 800K EV Customers” – Wir wissen wo dein Auto steht (We know where your car is)
Pretty crazy data breach: "The data exposed in the breach includes vehicle location information such as when EVs were switched on and off, along with location data, email addresses, phone numbers, and home addresses of car owners." - This presentation was in German, but translated on the CCC site. Delivered last month, the researcher discovered that Volkswagen Group was "exposing sensitive personal information of roughly 800,000 electrical vehicle owners across its brands, including Volkswagen, Audi, Seat, and Skoda." (Ref: https://www.darkreading.com/cyberattacks-data-breaches/volkswagen-breach-exposes-data-of-800k-customers). After listening to the latest Darknet Diaries, theft is a major concern.
- 24. MITRE’s Phoning in New CNAs
Mitre added a handful of new CNAs recently; some were disclosed publicly, others were not. Weird, but the real problem is that the quality of the CVE entries was poor when Jericho evaluated the new entries added by the new CNAs. Mitre needs help! They need to have a program that trains new CNAs and watches the first few CVE entries they submit. I also believe, based on some discussions between Josh Bressers and myself, which were based on the interview I did with Mitre and Microsoft on the topic, that Mitre needs a community ambassador. Rather than being a faceless organization, they need a face and to be interfacing with the community, taking in feedback, and making changes, improvements, and working to get more funding and help.
- 25. GitHub – djackreuter/btexec: Execute shellcode via Bluetooth device authentication
Neat project that executes shellcode on a victim system when authentication happens to any nearby device.
- 26. Backdooring Your Backdoors – Another $20 Domain, More Governments
If you were to look on the Internet for web shells that were abandoned by attackers, you'd find this to be true: "So far we’ve found over 4000~ breached systems (three four of which are breached .gov systems). The number keeps going up - as you would expect." - This is a "why didn't I think of that" moment. As the article states, why bother trying to compromise 40k systems yourself when you can just re-use other people's backdoors? This is so much a "Mr. Potato Head! Backdoors are not secrets!" moment.
- 27. Alleged 7-Zip arbitrary code execution exploit leaked to Twitter — the 7-Zip author claims this exploit not only isn’t real but was generated by AI
Just stop using AI to "automagically" find 0-days and report them. It doesn't work like that (right now anyhow).
- 28. Unsafe Archive Unpacking: Labs and Semgrep Rules · Doyensec’s Blog
If you are writing code, especially that one-off script to solve some interesting problem, you need to read this. Unpacking vulnerabilities are common and easy to introduce. This article walks you through it, shows examples, and shows how to do unpacking safely. Nice!
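As an added example (not code from the Doyensec article), here is the hardened unpacker pattern the article argues for, set beside the naive join-and-write pattern that causes the bug. The archive is constructed in memory with one benign file and three hostile entries (a `../` traversal name, an absolute path, and a symlink), and the checker covers all three cases, which goes slightly beyond the single traversal case most write-ups show.

```python
# Added example (not code from the Doyensec article): a zip unpacker that
# rejects traversal, absolute-path and symlink entries before writing anything.
# The archive is constructed in memory so the demo runs offline.
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../../etc/cron.d/evil", "* * * * * root id\n")  # zip-slip traversal
        zf.writestr("/tmp/abs.txt", "absolute path\n")               # absolute path
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16           # symlink entry
        zf.writestr(link, "/etc/passwd")
    return buf.getvalue()


def naive_target_path(dest: str, name: str) -> str:
    """The unsafe pattern: join the archive name onto dest and trust the result."""
    return os.path.normpath(os.path.join(dest, name))


def classify_entry(info: zipfile.ZipInfo, dest: Path) -> str:
    """Return 'ok' or the reason an entry must not be written."""
    name = info.filename
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink"
    root = dest.resolve()
    target = (dest / name).resolve()
    if target != root and root not in target.parents:
        return "path traversal"
    return "ok"


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Write only entries that resolve inside dest; report everything rejected."""
    dest_path = Path(dest)
    dest_path.mkdir(parents=True, exist_ok=True)
    report = {"extracted": [], "rejected": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = classify_entry(info, dest_path)
            if verdict != "ok":
                report["rejected"][info.filename] = verdict
                continue
            if info.is_dir():
                (dest_path / info.filename).mkdir(parents=True, exist_ok=True)
                continue
            target = dest_path / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def demo() -> dict:
    """Run the unpacker on the constructed archive in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="unpack-")
    report = safe_extract(build_demo_zip(), dest)
    # Show where the naive pattern would have written the traversal entry.
    report["naive_escapes"] = not naive_target_path(dest, "../../etc/cron.d/evil").startswith(dest)
    report["readme"] = (Path(dest) / "docs/readme.txt").read_text()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```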
- 29. Yearlong supply-chain attack targeting security pros steals 390K credentials
We've said this from the beginning of the pod: Do not download exploits from the Internet and run them without reviewing the code first. This leads to bad things happening.
- 1. Tales From the Crypt…Analyst: The After Life
This is a professionally produced recording of the talk I was giving in 2024 which chronicles my career from my departure from NSA in 1996 until 2004 when I was introduced to some fad compliance regulation called the Payment Card Industry Data Security Standard. Shared for your edification.
- 2. In Appreciation: Amit Yoran, Tenable CEO, Passes Away
I worked indirectly with Amit back in the RIPTech days but never met him in person until he became CEO of Tenable. #fuckcancer
- 3. Bad Tenable plugin updates take down Nessus agents worldwide
Not as devastating as CrowdStrike but still "it could happen to anyone..."
- 4. Green Bay Packers’ online store hacked to steal credit cards
There are new requirements coming into effect this year in the PCI DSS that will address this type of problem. Not soon enough for Packers fans though - all three of them!
- 5. European Space Agency’s official store hacked to steal payment cards
Since we took a break over the holidays I feel like it's okay to add a couple "older" news items...
PSA - refer to PCI DSS v4.0.1 reqs. 6.4.3 and 11.6.1
- 6. Facebook and Instagram get rid of fact checkers
Yes this is a political discussion, but it's also borne on the technology and medium that we purport to protect. If not a security issue certainly a privacy issue. Let's discuss.
- 7. Chinese State Hackers Breach US Treasury Department
In what's being called a "major cybersecurity incident," Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.
- 8. Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents
More details...
- 9. LastPass Hackers Allegedly Stole $5 Million This Week—Report
The gift that keeps on giving (well, taken really).
- 10. Harley-Davidson Data Breach – Threat Actor Allegedly Leaked Customer Details
Harley-Davidson, the iconic American motorcycle manufacturer, has reportedly fallen victim to a significant data breach orchestrated by a cybercriminal group known as “888.” "The stolen data reportedly includes:
- Full Name (First, Last)
- Addresses (Street, City, State, Zip Code)
- Email Addresses
- Mobile Phone Numbers"
Back when I was a kid in the mid-1900s all of this information was given out to every citizen in what was called the white pages (telephone book).
My question is more philosophical - what makes information sensitive and/or private? And why?
- 1. Hacking the RP2350
- 2. New Report Reveals CISA Tried to Cover Up Censorship Practices
- 3. LaurieWired on X: ““My wife complains that open office will never print on Tuesdays” A bizarre sentence; which kicked off one of the most interesting bug hunts in Ubuntu’s history. It all starts with some goofy pattern matching. https://t.co/9Tw8qFiSfd”
- 4. Comment #28 : Bug #255161 : Bugs : cupsys package : Ubuntu
- 5. Intro
- 6. Chainalysis: $2.2 billion stolen from crypto platforms in 2024 cyberattacks
- 7. Customer data from 800,000 electric cars and owners exposed online
- 8. Treasury Department says state-linked hacker gained access to unclassified data in major attack
- 9. Custom Firmware For Even Cheaper Bluetooth Thermometers
- 10. 38C3: Taking Down The Power Grid Over Radio
- 11. The Corelatus Blog
- 12. Inside a New OT/IoT Cyberweapon: IOCONTROL
- 13. Online gift card store exposed hundreds of thousands of people’s identity documents
- 14. U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security
- 15. World’s First MIDI Shellcode
- 16. Why An RFID Label On A 72¢ Box Of Crayons Is Reason To Be Tickled Pink
- 17. Open Port Chronicle: What Port 80 Revealed About The Internet (Wave 12)
- 18. Researcher Turns Insecure License Plate Cameras Into Open Source Surveillance Tool
- 19. Cyber luminary’s neck injury accrues mammoth medical bill
I existed almost entirely on a diet of spicy memes
- 20. A Day in the Life of a Prolific Voice Phishing Crew – Krebs on Security
- 1. New FireScam Android data-theft malware poses as Telegram Premium app
Researchers at Cyfirma have analyzed malware known as FireScam, which targets Android users using a dropper disguised as Telegram Premium, offered in a counterfeit app store made to resemble the popular Russian marketplace RuStore. The FireScam payload is designed to comprehensively monitor, capture, and exfiltrate data from the device, including "notifications, messages ... screen state changes, e-commerce transactions, clipboard activity, and user engagement." The malware seeks elevated permissions on the device and may phish users' Telegram credentials using a WebView.
Two ruses are afoot. Not only is the dropper disguised as (a free version of) Telegram Premium, but the source is also an app store disguised as RuStore. FireScam has a number of capabilities, including designating itself as the primary app updater, which ensures persistence. The best mitigation is to make sure that you're only using vetted app stores, and implement security solutions which detect suspicious permission requests and app behaviors. Make sure your users are wary of apps offering a Premium service for "free." Cyfirma post: https://www.cyfirma.com/research/inside-firescam-an-information-stealer-with-spyware-capabilities/
- 2. Hackers reportedly compromise Argentina’s airport security payroll system
Argentina’s airport security police (PSA) have fallen victim to a cyberattack that reportedly compromised the personal and financial data of its officers and civilian personnel. The unknown threat actor gained access to PSA’s payroll records and deducted small amounts of money from employees' salaries.
When was the last time you looked closely at your payroll deductions? This attack added small ($100-$245) deductions using fake labels, e.g., "DD Mayor" and "DD seguros," which would likely go unnoticed. It would be an interesting exercise to determine not only how difficult it would be to add such a deduction, but also how you could detect it.
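Taking up the detection half of that exercise, an added example (not from the article) that runs three checks over two constructed pay periods: labels outside an approved deduction catalog, labels that appear for the first time with small amounts across several employees, and net-pay drops with no change in gross pay. The catalog, employees and amounts are all assumed sample data.

```python
# Added example (not from the article): spotting injected payroll deductions.
# The two pay periods below are constructed sample data: in the second period,
# labels outside the approved catalog appear across several employees with
# small amounts, the pattern reported against the PSA payroll.
from collections import Counter

# Deduction codes the payroll team has actually authorized (assumed catalog).
APPROVED_DEDUCTIONS = {"TAX", "PENSION", "HEALTH"}

PERIOD_1 = [
    {"emp": "E1", "gross": 3000, "deductions": {"TAX": 600, "PENSION": 150}},
    {"emp": "E2", "gross": 2500, "deductions": {"TAX": 500, "HEALTH": 90}},
    {"emp": "E3", "gross": 4000, "deductions": {"TAX": 900, "PENSION": 200, "HEALTH": 120}},
    {"emp": "E4", "gross": 2800, "deductions": {"TAX": 560}},
]
PERIOD_2 = [
    {"emp": "E1", "gross": 3000, "deductions": {"TAX": 600, "PENSION": 150, "DD Mayor": 120}},
    {"emp": "E2", "gross": 2500, "deductions": {"TAX": 500, "HEALTH": 90, "DD Mayor": 100}},
    {"emp": "E3", "gross": 4000, "deductions": {"TAX": 900, "PENSION": 200, "HEALTH": 120, "DD seguros": 245}},
    {"emp": "E4", "gross": 2900, "deductions": {"TAX": 580}},  # legitimate raise, no new label
]


def net_pay(rec):
    return rec["gross"] - sum(rec["deductions"].values())


def unknown_labels(period):
    """Deduction labels outside the catalog, with how many employees carry each."""
    counts = Counter()
    for rec in period:
        for label in rec["deductions"]:
            if label not in APPROVED_DEDUCTIONS:
                counts[label] += 1
    return dict(counts)


def new_labels(prev, cur):
    """Labels that appear this period but on nobody's record last period."""
    before = {label for rec in prev for label in rec["deductions"]}
    now = {label for rec in cur for label in rec["deductions"]}
    return now - before


def net_pay_drops(prev, cur):
    """Employees whose net pay fell although gross pay stayed the same."""
    prev_by_emp = {rec["emp"]: rec for rec in prev}
    drops = {}
    for rec in cur:
        before = prev_by_emp.get(rec["emp"])
        if before is None or before["gross"] != rec["gross"]:
            continue  # new hire, or a gross change explains the difference
        delta = net_pay(before) - net_pay(rec)
        if delta > 0:
            drops[rec["emp"]] = delta
    return drops


def review(prev, cur, small=(50, 300)):
    """Combine the checks into findings a payroll reviewer can action."""
    findings = []
    for label, count in unknown_labels(cur).items():
        findings.append(("unapproved_label", label, count))
    for label in sorted(new_labels(prev, cur)):
        amounts = [rec["deductions"][label] for rec in cur if label in rec["deductions"]]
        # A brand-new label that only ever takes small amounts is the reported pattern.
        if all(small[0] <= a <= small[1] for a in amounts):
            findings.append(("new_small_deduction", label, len(amounts)))
    for emp, delta in net_pay_drops(prev, cur).items():
        findings.append(("net_pay_drop", emp, delta))
    return findings


if __name__ == "__main__":
    for finding in review(PERIOD_1, PERIOD_2):
        print(finding)
```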
- 3. Siri “unintentionally” recorded private convos; Apple agrees to pay $95M
Apple has proposed to settle for $95 million in Lopez v. Apple, Inc., a class-action lawsuit brought to hold the company accountable for ten years of the Siri assistant violating users' privacy by recording audio unprompted and without permission, claimed by some plaintiffs to have triggered targeted advertising. A hearing on February 14 will be held to possibly approve the settlement. A whistleblower in 2019 alleged to The Guardian that "there have been countless instances of recordings featuring private discussions between doctors and patients, business deals, seemingly criminal dealings, sexual encounters and so on. These recordings are accompanied by user data showing location, contact details, and app data." The settlement absolves Apple of any wrongdoing and offers up to $20 per device (up to five devices) to users who "purchased or owned a Siri Device in the United States or its territories, and enabled Siri on that device" between September 17, 2014 and December 31, 2024 and who in that time "experienced at least one unintended Siri activation [that] occurred during a conversation intended to be confidential or private."
The trick is really understanding how voice assistants, Siri, Alexa, Google, are operating. While they respond to the wake word, they are an open mic, waiting for their phrase, to include variants they have been trained on. Consider carefully allowing these devices unmuted in areas where sensitive conversations are conducted. Don't forget that many smart TVs/screens now include voice command capabilities, both from the remote and included microphones.
- 4. U.S. sanctions take aim at Chinese company said to aid hackers’ massive botnet
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned a Beijing company, Integrity Technology Group, Incorporated (Integrity Tech) for their alleged support of malicious cyber activity conducted by Flax Typhoon, a state-sponsored cyberthreat group that has been known to target US critical infrastructure organizations. Flax Typhoon has been active since at least 2021. The sanctions freeze any US assets held by Integrity Tech and limits US financial and other interactions with the company.
The FBI led an effort by multiple agencies to shut down the Flax Typhoon botnet in September 2024, effectively ending their operations. This sanction adds financial impacts to any attempt for them to regain their capabilities. Beware of OFAC sanctions and other regulatory entanglements when considering ransomware payment; you really don't want to get crosswise with them.
- 5. Tenable Disables Nessus Agents Over Faulty Updates
Tenable has disabled two Nessus scanner agent versions after discovering that they would go offline when triggering a differential plugin update. On January 2, Tenable wrote that they were “actively working on resolving the Plugin Compilation Issue discovered on Nessus Agent version 10.8.0/10.8.1.” That same day, Tenable released Nessus Agent 10.8.2. On January 3, Tenable resumed the plugin feed. The short version is to deploy Nessus Agent 10.8.2 so your agents stay online and get their plugin feeds. Prepare for plugin resets and possible manual installation of the package. You may want to create a package that removes and installs, including registering, the agent from scratch.
Tenable Nessus: Plugin Updates causing agents to go offline: https://status.tenable.com/incidents/9wjf0gnblhq7
Tenable-Nessus-Agent-10.8.2 docs: https://docs.tenable.com/release-notes/Content/nessus-agent/2025.htm#Tenable-Nessus-Agent-10.8.2-(2025-01-02)
- 6. Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability
Researchers at Palo Alto Networks Unit 42 have published a blog post about a new technique for bypassing LLM content guardrails, called “Bad Likert Judge” based on the Likert Scale questionnaire format. Likert scales measure opinions ordinally, such as a numbered scale for degrees of agreement with a statement.
So long as we have guardrails, people will try to find ways to bypass them. The trick is understanding the techniques so mitigations can be deployed, if appropriate. LLM jailbreaks are also referred to as prompt injection. The Bad Likert Judge jailbreak was tested against LLMs from Amazon Web Services, Google, Meta, Microsoft, OpenAI and NVIDIA, which increased the attack success rate by 60% versus other prompt injection techniques. Adding content filters reduced that success rate by an average of 89.2%.
- 7. Three more telcos reportedly join China Salt Typhoon victims
The list of telecommunications victims in the Salt Typhoon cyberattack continues to grow. The newly identified companies are Charter Communications, Consolidated Communications, and Windstream. According to WSJ, Salt Typhoon’s intrusions into the telecoms’ networks began in mid-2023 if not earlier; investigators say the threat actors maintained a foothold in one firm’s network for 18 months. The situation was first disclosed by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) in October 2024.
The attacks leveraged unpatched Cisco and Fortinet gear, and in one case they exploited one privileged account which didn't have MFA and provided access to thousands of routers. CISA is reporting that Volt Typhoon continues to target/infect old Cisco routers to access critical infrastructure. The take-away being it's time to get proactive on updating your routers/switches, replacing past-service-life devices and requiring all accounts to have MFA. Lock down access to management interfaces and double check you have visibility to access and exploit attempts.
- 8. Windows 10 users urged to upgrade to avoid “security fiasco”
Cybersecurity firm ESET is urging Windows 10 users to upgrade to Windows 11 or Linux to avoid a "security fiasco" as the 10-year-old operating system nears the end of support in October 2025. According to ESET, 65 percent of all devices in German households run Windows 10, which will no longer be supported as of October 2025, and StatCounter estimates almost the same proportion of Windows 10 users worldwide.
While October feels a long way from today, make sure you account for the time to not only secure funding for replacement hardware where needed, but also migration to those new systems, followed by decommissioning of the old. While purchasing extended support is an option, it's really just postponing the migration, not a long-term fix.
- 9. Vulnerable Moxa devices expose industrial networks to attacks
Moxa has published a security advisory warning of two vulnerabilities affecting their cellular routers, secure routers, and network security appliances. CVE-2024-9140 is a remotely-exploitable critical OS command injection vulnerability that could lead to arbitrary code execution. CVE-2024-9138 is a high-severity hard-coded credentials issue that could allow attackers to attain root privileges. Moxa has released firmware updates to address both vulnerabilities.
We need vendors to get proactive on eliminating hard-coded and default credentials, as well as employing ubiquitous input sanitization. CVE-2024-9138, hard-coded credentials, CVSS 3 score 7.2; CVE-2024-9140, command injection due to improper input sanitization, CVSS 3 score 9.8, can be exploited remotely; CVE-2024-9138 requires authentication. The fix is to update to the latest firmware; in addition, limit SSH access to trusted devices/networks, don't make these Internet accessible, and use an IDS/IPS to monitor/block exploitation.
- 10. Governor McKee Provides Update on RIBridges Data Breach
At this point Deloitte is still working to determine the full scope of the breach, and they were the ones who detected the data on the Dark Web. While Deloitte and Rhode Island work out the details and who is in charge of which aspects of the investigation and response, the advice from Governor McKee is good for all of us: implement MFA, secure/freeze & monitor your credit, implement fraud alerts and remain vigilant. One thing I'd add to the list is to make sure that you've not only enabled the anti-spam/filtering/etc. capabilities in your email and EDR systems but also review the settings regularly to make sure you're using the most current/effective options.
- 1. 38C3: Bitlocker bypassed via vulnerabilities (Dec. 2024)
Microsoft's Bitlocker encryption can be circumvented by "downgrading" a patched vulnerability. This is possible despite protection by Secure Boot because a little-known software vulnerability – bitpixie (CVE-2023-21563) – can be exploited. This vulnerability was patched by Microsoft in November 2022 (it has been known since 2023). But CVE-2023-21563 can still be exploited today with a downgrade attack to decrypt BitLocker. Specifically, an outdated Windows boot loader is loaded under Secure Boot in order to start Windows in safe mode. This causes the Bitlocker recovery key (known as the volume mount key, VMK) to be loaded into the computer's RAM.
- 2. Apple Warns iPhone Users—Do Not Change This Setting
Lockdown Mode is almost certainly not for you, and the downside risks outweigh the benefits. This mode and Google’s Advanced Protection equivalent have been designed for politicians, dissidents, journalists, lawyers engaged in sensitive areas of law. When Lockdown Mode is enabled, your device won’t function like it usually would: certain apps, websites and features will be strictly limited for security, and some experiences may not be available at all. Message attachments will be removed, web pages will not display as normal, some calls will be blocked, some photo albums will be unavailable, some wireless connections will be disabled, and some accessories will stop working.
- 3. OpenAI’s Latest AI Can Cost More Than $1,000 Per Query
o3 "reasons" through problems using a technique known as test-time compute — as in, it takes more time to "think" and explore multiple possibilities before spitting out an answer. But o3 uses well over $1,000 of computing power per task — over 170 times more compute than a low-power version of o3, and leagues beyond its predecessor, which cost less than $4 per task.
- 4. Facebook: Who needs users? We have AI slop!
Daily user numbers on Facebook have been plummeting — enough so that they’ve stopped reporting daily active users in their quarterly filings because the number is no longer going up. But Facebook has a plan — they want to simulate a more active service with AI slop so you’ll stay scrolling and clicking! The company literally pays people to generate AI slop, when it could have just banned that.
- 5. Almost the entire US South is now being blocked by Pornhub
Aylo has publicly supported age verification of users for years, but we believe that any law to this effect must preserve user safety and privacy and must effectively protect children from accessing content intended for adults. VPN use in Florida jumped by as much as 1,150 percent within hours of the age verification law coming into force on January 1. That's even higher than the 967 percent spike in VPN use that VPNMentor saw in Utah in 2023 and substantially higher than a Texas spike of 234 percent—perhaps indicating that users are getting savvier at quickly securing VPN workarounds.
- 6. Siri “unintentionally” recorded private convos; Apple agrees to pay $95M
Apple has agreed to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then shared with third parties and used for targeted ads. Sometimes Siri would be inadvertently activated when an Apple Watch was raised and speech was detected. The only clue that users seemingly had of Siri's alleged spying was eerily accurate targeted ads that appeared after they had just been talking about specific items like Air Jordans or brands like Olive Garden.
- 7. Is ‘Bypassing’ a Better Way to Battle Misinformation?
Corrections can work, but countering misinformation this way is an uphill battle: people don’t like to be contradicted, and a belief, once accepted, can be difficult to dislodge.
Bypassing works differently. Rather than directly addressing the misinformation, this strategy involves offering accurate information that has an implication opposite to that of the misinformation. For example, faced with the factually incorrect statement “genetically modified foods have health risks,” a bypassing approach might highlight the fact that genetically modified foods help the bee population. This counters the negative implication of the misinformation with positive implications, without taking the difficult path of confrontation.
- 8. After China’s Salt Typhoon, the reconstruction starts now
An interesting opinion piece. Here's its point: We know how deeply rotten things are because Salt Typhoon used the same techniques used in a break-in into another national telco 40 years ago, when the UK's British Telecom's Prestel text message service was attacked. An industry unable to learn something in 40 years has no legitimacy. And there’s no sign it is learning now.
- 9. AI spending spree continues as Microsoft commits $80B for 2025
And Microsoft is not alone in this respect. Last year, Amazon reported that it was on track to spend $75 billion in capital expenditure during 2024, and even more in 2025.
- 10. Eutelsat OneWeb blames 366th day for 48-hour date disaster
The satellite broadband service fell over on December 31, 2024, for 48 hours. "We can confirm that the issue was caused by a leap year problem, related to day 366 in 2024, which impacted the manual calculation for the GPS-to-UTC offset."
- 11. Covid jab scientists develop bubonic plague vaccine amid fears of next pandemic
Scientists behind the Oxford Covid jab are developing a bubonic plague vaccine amid fears a superbug strain of the Black Death could emerge. There is no vaccine in the UK for the plague, which has killed around 200 million people worldwide throughout history.
- 12. How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons
Massive ‘Typhoon’ cyberattacks on U.S. infrastructure and telecoms sought to lay groundwork for potential conflict with Beijing, as intruders gathered data and got in position to impede response and sow chaos. In late December, in response to the Salt Typhoon campaign, federal cybersecurity officials published new guidance recommending the public use end-to-end encryption for communications, and said text-based multifactor authentication for account logins should be avoided in favor of app-based methods.
- 13. It looks like the Raspberry Pi RP2350 Hacking Challenge may have been beaten — Hacker gains access to the OTP secret by glitching the RISC-V cores to enable debugging
The RP2350 comes with a quartet of new security features that Raspberry Pi was keen to highlight. These are Secure Boot, TrustZone, Redundancy Coprocessor (RCP), and Glitch Detectors. Raspberry Pi and Hextree hid a secret in the RP2350's OTP (One Time Programmable) memory on the chip, said to be a once-set but never-forget binary code.
Cullen tested injecting power glitches to Pin 53 at certain points in the boot process. The 'permanently disabled' RISC-V cores were woken by the glitch to enable access.