Don’t Hack Russia – PSW #864
1. Don’t Hack Russia – PSW #864
Hacking your mattress, Taylor Swift all the time, DNS sinkholes, throwing parties at rental properties, detect jamming, it took 18 years to hack, airtag hacks, undetectable weapons, RIP Skype, Cellebrite targets, upgrade ALL the things, Kali, Raspberry PIs, and M.2 hats, pirating music through a supply chain attack, Cisco small business and why you shouldn't use it, stop hacking Russia, Badbox is back, but it likely never left, and AI still Hallucinates!
Announcements
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Hosts
- 1. Exploring Recent CVEs in HPE Insight Remote Support
- 2. NVD – CVE-2024-53676
- 3. Use one Virtual Machine to own them all — active exploitation of ESXicape
- 4. Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit
- 5. Doors Wide Open: hundreds of thousands of employees exposed; thousands of organisations physically vulnerable
- 6. Topgrade – Upgrade all the things
I've had my own scripts for updating Linux systems for years now. None of them were that good. I had planned on updating my latest version to be more robust and add features. The goal being to not just update the OS, but Snaps, Flatpaks, Containers, Firmware, and more. Then, I clicked my heels 3 times and searched for a tool that existed on the Internet. I found one called "Topgrade". Written in Rust, it has all the features I wanted and more! I've been testing it for a few weeks now, here's the rundown:
  - It supports all versions of Linux I encountered, including Raspberry Pis (though I had to update them to the latest OS release to get it to run).
  - If Topgrade is not in the package repo you can download it from the releases page and the binary will auto-upgrade itself.
  - It has support for LVFS to upgrade firmware, scans for file changes that need review post-upgrade, and even updated containers and PlatformIO.
  - If you configure SSH to remotely log in to all your systems you can specify a list of targets and topgrade will connect to them and upgrade them (you have to install topgrade on the target first). This makes updating all my systems much easier: just run one command and it cycles through all of my boxes.
  - Bonus: If you configure all of your hosts on Tailscale you can do this from pretty much any machine (depending on your configuration).
Check it out and let me know what you think! What are you using to automate updates across your Linux systems?
- 7. The NIST’s new plan for digital signatures: impact on secure boot – Bootlin’s blog
- 8. Nearly 12,000 API keys and passwords found in AI training dataset
- 9. Serbian student activist’s phone hacked using Cellebrite zero-day exploit – Security Affairs
- 10. The Bus Pirate 5 Sure Can Glitch
- 11. (Re)Building the Ultimate Homelab NUC Cluster – Part 3
- 12. Patlite NH-FB series vulnerabilities – NeroTeam Labs
- 13. Is an Intel N100 a better value than a Raspberry Pi?
- 14. Security Advisory Bulletin 046
- 15. WFP Wizardry: Abusing WFP for EDR Evasion
- 16. ESP32’s HIDDEN Wireless Superpower (ESP-NOW Tutorial)
- 17. Wi-Fi Forge: Practice Wi-Fi Security Without Hardware – Black Hills Information Security
- 18. The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) – NAKIVO Backup & Replication (CVE-2024-48248)
- 19. Silk Typhoon targeting IT supply chain
"In January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public facing Ivanti Pulse Connect VPN (CVE-2025-0282). Microsoft Threat Intelligence Center reported the activity to Ivanti, which led to a rapid resolution of the critical exploit, significantly reducing the period that highly skilled and sophisticated threat actors could leverage the exploit." - Also, this was actively exploited post-patch as well, stressing the need to patch all the things as fast as you can. The Black Basta chat logs leak gives us even more evidence that threat actors will exploit devices, such as VPN appliances, as much as they can, whether or not they are exposed to the Internet. In this case, the VPN is likely exposed to the Internet for VPN clients. You can't just rely on "not exposing to the Internet" for management interfaces either, as attackers will quickly pivot in search of a "beach head" and places to grab credentials to use in other pivots, such as ransomware.
- 20. As Skype shuts down, its legacy is end-to-end encryption for the masses
"This week, Microsoft announced that it will shut down Skype on May 5. At this point, Skype is a fringe app. In 2023, Microsoft said it still had 36 million users, a far cry from its peak of 300 million users." - Before you go knocking Skype, it was one of the first end-to-end encrypted messaging/Voice/Video apps back in 2003. Microsoft, in my opinion, really dropped the ball on this one, focusing on the crappy Teams client instead. Skype then fell by the wayside. We used Skype quite a bit over the years for the podcast, and it was at certain times the best video/voice app around, offering great quality, speed, and security. It even had a commercial offering for broadcasters called SkypeTX, which we also used for some time. Not only that, it always had end-to-end encryption. Users will not be migrated to Teams. Linux users like me are sad as Skype runs great on Linux and Microsoft discontinued the Teams for Linux client years ago (it was pretty crappy). RIP Skype.
- 21. Amlisoft
"These devices are marketed towards the short-term rental market thus the intended use case is for possible attackers to have physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full persistent control over the device and can be used to invalidate the intended notifications for the short-term rental host regarding noise levels and occupancy by guests. It's also possible for an attacker to persist surveillance code that will spy on other guests and/or the host and exfiltrate over the network." - This is a case where physical access and exploits do not mix. Let's say you want to get an AirBnB and throw a party. Typically, this is frowned upon. Amlisoft makes IoT devices that can detect crowds, noise, smoke, etc... Select firmware versions allow an attacker to gain control over the device and essentially blind them. Party on dudes...
- 22. Turning My ESP32 into a DNS Sinkhole to Fight Doomscrolling
This is a great article, especially if you are into ESP32 software development. I learned some things! However, while this is neat, I would recommend pi-hole instead. I recently set up two pihole servers on a cloud provider for a total of like $12 / month. I don't have to worry about hardware, power issues, etc... The smallest cloud instance runs pihole just fine (in fact, it's probably overkill!). You then get all the benefits of pihole; implementations can include several different block lists. I even configured mine to query the root DNS servers (using unbound) as I don't trust the major providers' DNS systems. While some claim it will be slower to query the root, I haven't noticed any issues. Don't forget to apply some firewall rules (I used iptables) to limit who can query the DNS servers recursively. I also used Tailscale, though I am still working on the configuration of DNS with Tailscale and such.
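The firewall and recursion limits mentioned above are the part of a cloud-hosted pi-hole/unbound setup that most often gets skipped, and an unrestricted resolver on a public IP is an open resolver that anyone can use for amplification. The script below is an added example, not code from the show notes or from the pi-hole or unbound projects. It assumes the trusted clients sit in the 100.64.0.0/10 range that Tailscale assigns (override with ALLOWED_CIDR for a LAN), and it prints the unbound access-control lines and iptables rules rather than applying them, so the output can be reviewed first.

```shell
#!/bin/sh
# Added example: limit who may recurse through a pi-hole/unbound resolver.
# ALLOWED_CIDR is an assumption for this example; 100.64.0.0/10 is the CGNAT
# range Tailscale hands out. Replace it with your own tailnet or LAN range.
ALLOWED_CIDR="${ALLOWED_CIDR:-100.64.0.0/10}"

# Sanity check: dotted quad followed by a prefix length of 0-32.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit an unbound server: stanza that allows recursion only from the trusted
# range and refuses everyone else, so the host is not an open resolver.
unbound_access_control() {
    printf 'server:\n'
    printf '    access-control: %s allow\n' "$1"
    printf '    access-control: 0.0.0.0/0 refuse\n'
    printf '    access-control: ::0/0 refuse\n'
}

# Emit iptables rules (printed, not executed): accept DNS over UDP and TCP
# from the trusted range, then drop DNS from any other source.
# Review the output, then apply with:  dns_firewall_rules "$ALLOWED_CIDR" | sudo sh
dns_firewall_rules() {
    cidr="$1"
    for proto in udp tcp; do
        printf 'iptables -A INPUT -p %s --dport 53 -s %s -j ACCEPT\n' "$proto" "$cidr"
    done
    for proto in udp tcp; do
        printf 'iptables -A INPUT -p %s --dport 53 -j DROP\n' "$proto"
    done
}

# Run as:  sh dns_limits.sh print   (the file name is an assumption)
if [ "${1:-}" = "print" ]; then
    if ! valid_cidr "$ALLOWED_CIDR"; then
        echo "ALLOWED_CIDR is not a valid IPv4 CIDR: $ALLOWED_CIDR" >&2
        exit 1
    fi
    echo "# unbound.conf fragment"
    unbound_access_control "$ALLOWED_CIDR"
    echo "# iptables rules"
    dns_firewall_rules "$ALLOWED_CIDR"
fi
```

The unbound `access-control` directive stops recursion at the resolver itself, while the iptables rules keep the port from answering at all outside the trusted range; keeping both means a misconfigured unbound does not quietly turn the box into an open resolver. If the pi-hole forwards to unbound on localhost, the refuse lines do not affect it, since loopback is not matched by either rule set here.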
- 23. DHS says CISA won’t stop looking at Russian cyber threats
Pay no attention to Russian cyber threats or cease all offensive operations against Russia? Those are two different things, and it is unclear exactly what is happening. Many agencies have reported that this is crazy and will not comply. In either case, we'd lose valuable intelligence. Offensive nation-state operations are not always run with the goal of disruption but also spying. We can see what an adversary does just by dwelling and listening/watching. Stopping this activity would have grave consequences for national security. Of course, this is just my opinion... Then again, there is this I will present as evidence: https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html (It's China, but still)
- 24. Building a Portable Kali Box with Raspberry Pi and Touchscreen
I love Mobile Hacker's tutorials, great stuff. This is an interesting project. I do find the screens to be too small to do much with, and then you need some type of console access anyhow if you're going to type anything (the small touchscreen is hard to use). I am building one with an m.2 hat and NVMe on a RPi 5. Trying to figure out how to get the heat sinks and fans going with the m.2 hat, and then figure out if I can put a touchscreen on top of all that. I did 3D print a case that works with the m.2 hat. I believe the best way to get the m.2 going is to put Raspbian on an SD card, boot the OS, then use utilities to format and install Kali on the m.2. I am currently stuck because Raspbian does not see the m.2 drive. I'm thinking it's a compatibility issue, so I bought the official $30 256GB m.2 from Raspberry Pi (actually from Sparkfun, great site). I will keep everyone updated :)
- 25. What Is Proteus in ‘Zero Day’? How the NSA Weapon Changes Everything
I thought I had heard reference to a weapon such as this in the real world when I watched the "Zero Day" show: "The psychological symptoms that Mullen experiences, including memory loss, disorientation, and auditory hallucinations, draw strong parallels to the real-world cases of Havana Syndrome, where U.S. diplomats and intelligence officers reportedly experienced, to this day, unexplained neurological issues believed to be caused by targeted attacks. Like Havana Syndrome, the fictional NSA weapon in Zero Day operates covertly, leaving no physical trace, which amplifies the paranoia and uncertainty surrounding Mullen’s condition. This resemblance adds a layer of realism to the show’s central mystery, blurring the lines between conspiracy and plausible threat."
- 26. msalexms/rtl-sdr-analyzer
I really want to run some jamming attacks with my Flipper Zero and ESP32 devices, then see if I can detect them with this. I definitely want to build this and take it to the next conference as well.
- 27. PolarEdge: Unveiling an uncovered ORB network
I'd like to point out that this research shows attackers exploiting Cisco Small Business devices using an exploit for CVE-2023-20118. If you read the Cisco advisory, Cisco states: "Cisco has not released and will not release software updates to address the vulnerabilities described in this advisory. Cisco Small Business RV016, RV042, RV042G, RV082, RV320 and RV325 Routers have entered the end-of-life process." - These appear to be MIPS-based devices running Linux, though I did not do a thorough investigation. Cisco Small Business systems are a favorite target for threat actors and often cannot be patched. I don't recommend people use them, but if you do, disable ALL management interfaces and just connect to the serial ports...
- 28. Hacking the Xbox 360 Hypervisor Part 1: System Overview
There is also a part II. Amazing research! I believe this is the first exploit for the Xbox 360 that does not require hardware: software-only rooting. Given this product has been available on the market for 18 years, this is an impressive security achievement for Microsoft.
- 29. PyPi package with 100K installs pirated music from Deezer for years
"A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service." - The 'for years' really got me. People were pirating music by backdooring a Python library for years! Neat.
- 1. The Hidden Cost of Compliance: When Regulations Weaken Security
I think this could be an interesting topic, but the author relied on hyperbole rather than actual facts. In short, there was not any evidence or examples of how regulations weaken security. Oh, and clearly he wasn't talking about PCI.
- 2. FAQ Clarifies New SAQ A Eligibility Criteria for E-Commerce Merchants
Speaking of PCI... a couple of weeks ago the PCI Council dropped a major bombshell (at the 11th hour) concerning how eCommerce merchants report on their adherence to the PCI DSS (via SAQ A) and what the applicable requirements are for those merchants that rely on outsourcing the payment function to a third party service provider. The change did NOT go over well and raised a ton of questions from merchants and practitioners, particularly those of us who have to explain it all to our merchant clients. The Council felt compelled to release an FAQ designed to clear things up. (hint: it doesn't).
- 3. Rubrik discloses server breach, compromise of ‘access information’
What was compromised? A log server containing "unspecified access information". Hmmmm.....
- 4. 9 major cyber attacks & data breaches in February 2025
Yes, I'm lazy. Pretend these are nine separate news article links:
Contents:
  - Meta confirms WhatsApp spyware hack
  - DOD and defense contractors’ credentials stolen
  - IoT data breach exposes 2.7 billion records
  - HCRG Care Group suffers ransomware attack
  - Trimble Cityworks vulnerability actively exploited
  - DISA Global data breach impacts over 3 million people
  - Palo Alto confirms exploitation of firewalls
  - GrubHub discloses third party data breach
  - Lazarus Group uses LinkedIn to steal credentials and deploy malware
- 5. Exclusive: Hegseth orders Cyber Command to stand down on Russia planning
We can't NOT talk about this.... I have too many friends in the Intel community that are flabbergasted by this announcement.
- 1. Breaking into dozens of apartment buildings in five minutes on my phone – Eric Daigle
- 2. Electronics Teardown: Stelo CGM
- 3. Unhacked Mattress Phones Home
- 4. The Taylorator – All Your Frequencies Are Belong to Us
- 5. jkramarz/TheTick: The Tick is the next evolution in covert access control system implants for simulating adversary-in-the-middle attacks.
- 6. PayPal scam abuses Docusign API to spread phishy emails
- 7. 1 Million Third-Party Android Devices Have a Secret Backdoor for Scammers
- 8. nRootTag – Tracking You from a Thousand Miles Away!
- 1. MS-ISAC Report: Critical Infrastructure Protection Challenges Facing US SLTT Governments
A report from the US Multi-State Information Sharing and Analysis Center (MS-ISAC) describes the threats facing US state, local, tribal, and territorial (SLTT) governments in defending the country’s critical infrastructure. The report urges SLTT to adopt a “whole-of-state” cybersecurity practice to protect the country’s critical infrastructure. The report notes that “Adversaries attack SLTT organizations through cyber, physical, and foreign malign influence operations to reap financial rewards, disrupt operations, sow discord, and erode public trust,” and lists priorities and critical services for the future, including “enhanc[ing] resilience of critical infrastructure through consolidated and coordinated information sharing; build[ing] trust in public institutions through communication, public engagement, and transparency; strengthen[ing] overall security with targeted resources and scalable solutions for small and rural communities; mitigat[ing] insider threats to reduce risk and enhance trust; and invest[ing] in drivers of workforce productivity, development, recruitment, and retention to address talent shortages.”
- 2. It Is Time to Standardize Principles and Practices for Software Memory Safety – Communications of the ACM
A paper authored by 21 security researchers and other experts “explore[s] memory-safety standardization, which we argue is an essential step to promoting universal strong memory safety in government and industry, and, in turn, to ensure access to more secure software for all.” The paper “propose[s] potential approaches to standardization – likely a task not limited to any one institution or standards body – and conclude with an illustrative universal memory-safety adoption timeline proposing a realistic path to universal adoption given suitable incentivization.” The paper: https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-996.pdf
Having a standardized approach, beyond “move to a memory safe language,” is going to be more effective as changing languages is not always possible or practical. Having a framework which works with existing languages is definitely worth a deep dive to see where you can raise the bar.
- 3. Data Broker Promoting Ability to Dig Up “Scary” Amounts of Information Agrees to Shut Down
The California Privacy Protection Agency (CPPA) has ordered data broker Background Alert, Inc. to shut down for three years as a penalty for failing to register and pay annual fees as required by California’s Delete Act. Failure to comply with the penalty will result in a fine.
From 2020 to 2023, the California Attorney General maintained the registry; the Delete Act shifted this responsibility to the CPPA Enforcement Division as of January 1st, 2024. Data brokers who failed to register face a penalty of $200/day, which can increase. Data brokers are also required to disclose the number of customer deletion requests and mean time to respond, report on specific data type collection, and include a link on their website to consumer rights under CCPA. In this case, Background Alert must shut down for three years or face a $50,000 fine. That fine seems insufficient to be motivating. Even at $200/day for three years, plus $50,000, you’re only at $270,000.
- 4. CISA tags Windows, Cisco vulnerabilities as actively exploited
CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and Windows systems. While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it. CVE-2018-8639, CVSS score 7.8, allows an attacker logged on to a Windows system to run arbitrary code in kernel mode by exploiting the Win32k component's failure to properly handle objects in memory, leading to privilege elevation; this affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers.
- 5. Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
CVE-2023-20118, CVSS score 7.2, allows a remote attacker with administrative credentials to gain root-level privileges, access data, and execute arbitrary commands on Cisco routers by exploiting improper validation of user input within incoming HTTP packets, using a crafted HTTP request to the web-based management interface; this affects Cisco Small Business Router models RV016, RV042, RV042G, RV082, RV320, and RV325. Cisco's advisory recommends device migration, stating that they have not and will not release updates to address the flaw, and there are no workarounds.
- 6. Gabbard Investigates While UK Remains Silent on Reported Apple Backdoor
Director of National Intelligence Tulsi Gabbard has responded to the February 13 missive from Senator Ron Wyden (D-Ore.) and Representative Andy Biggs (R-Ariz.) that urged action and answers to inquiries in light of reports that the UK government ordered a backdoor into Apple users' encrypted cloud data. Gabbard states that such an order "would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors," also saying she was not aware of the order before media reported it. She has asked several US intelligence and defense agencies "to provide insights," and has requested investigation into the legal and intelligence implications of such an order. Under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, the UK may not issue demands for data belonging to "US persons," and vice versa.
DNI is siding with Apple that providing that backdoor is unacceptable, and Apple is denying requests to create such a back door, now or ever, both of which are good for our privacy.
- 7. Cellebrite zero-day exploit used to target phone of Serbian student activist – Amnesty International Security Lab
Amnesty International has uncovered evidence that a zero-day exploit sold by Cellebrite has been used to spy on an activist in Serbia. Amnesty’s “technical blog post provides a detailed analysis of how the Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite.” In a December 2024 report, Amnesty “documented widespread misuse of Cellebrite’s technology by Serbian authorities.” In response, Cellebrite announced on February 25, “We found it appropriate to stop the use of our products by the relevant customers at this time.”
Read the blog for the timeline on what Serbian authorities did to the device.
The zero-day, used by Serbian authorities, took advantage of a flaw in Android USB drivers. There is a patch for CVE-2024-53104, an out-of-bounds write in the USB Video Class driver, in the February 2025 Android security bulletin. This comes down to using memory safe drivers. Future Android updates are expected to include Linux kernel updates which address this.
- 8. Mozilla Removes User Data Promises from Firefox TOU and Documentation
Mozilla announced new terms of use (TOU) for the Firefox web browser, effective February 28, which elicited criticism from users over a now-modified clause perhaps implying Mozilla owns users' data: "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox." However, the company has since amended the text to specify the TOU "does not give Mozilla any ownership" in users' content, maintaining the same license "for the purpose of doing as [users] request" with input data.
This is a good time to review your browser privacy and security settings. Make sure that you’ve set them to minimize the amount of data shared, under Firefox Data Collection and Use, as well as review which services the browser can access, e.g., location, camera, mic, VR, etc. Make sure that installing plugins or extensions requires explicit permission.
- 9. Protect Yourself from Social Security Scams
SSA National Slam the Scam Day - March 6, 2025.
SSA is providing tips on preventing scams, including reporting for social security-related scams.
- 1. US Cyber Command reportedly pauses cyberattacks on Russia
US Defense Secretary Pete Hegseth has reportedly ordered US Cyber Command to pause offensive operations against Russia.
- 2. US intel shows Russia and China are attempting to recruit disgruntled federal employees, sources say
Foreign adversaries including Russia and China have recently directed their intelligence services to ramp up recruiting of US federal employees working in national security, targeting those who have been fired or feel they could be soon.
- 3. OpenAI Admits That Its New Model Still Hallucinates More Than a Third of the Time
But it doesn't hallucinate as much as the company's other LLMs. GPT-4o, a purportedly advanced "reasoning" model, hallucinates 61.8 percent of the time on the SimpleQA benchmark. OpenAI's o3-mini, a cheaper and smaller version of its reasoning model, was found to hallucinate a whopping 80.3 percent of the time.
- 4. New AI text diffusion models break speed barriers by pulling words from noise
Diffusion-based models like Mercury produce entire responses simultaneously, refining them from an initially masked state into coherent text. This allows the model to refine outputs and address mistakes because it isn't limited to considering only previously generated text. The results are comparable to GPT-4o Mini, but are generated 19 times faster.
- 5. Police behaving badly
Police officers and employees misusing access to police database now account for over half of all cybercrime prosecutions in the UK. The harms this can cause are considerable. Yet police continue to call for encryption to be weakened to allow for greater access to communication data.