Securing Olympians, Hiding in UEFI, ‘Fingerprinting GPUs’, & P4x vs. North Korea – PSW #726
This week in the Security News: Temporary phones, webcam hacks that are so much more, bags of cash, patch WordPress plugins and patch them some more, crowd-sourced, government-funded vulnerability scanning, hiding deep in UEFI and bouncing off the moon, even more UEFI vulnerabilities, if Samba were a fruit it would be....well, vulnerable for one thing, charming kittens, fingerprinting you right in the GPU, Let's not Encrypt, your S3 bucket is showing again, and can you hack the latest wearable sex toys intended to delay things?
Announcements
CRA's Business Intelligence Unit has launched its next survey on Zero Trust! What are Your Barriers to Zero Trust Implementation? Take our survey and enter to win a $500 Tango card by visiting https://securityweekly.com/zerotrust. Report results will be released at our upcoming Zero Trust E-Summit in March!
Hosts
- 1. North Korea Hacked Him. So He Took Down Its Internet
- 2. Threat actor target Ubiquiti network appliances using Log4Shell exploits
- 3. FBI urges temporary phones for Olympic athletes
Meh, the problem with a temporary phone is you'll want to install all your social media apps anyhow, and oh, I need that email so I can get something I need, or for 2FA. Not sound advice.
- 4. Apple Pays $100.5K Bug Bounty for Mac Webcam Hack
"My hack successfully gained unauthorized camera access by exploiting a series of issues with iCloud Sharing and Safari 15. While this bug does require the victim to click "open" on a popup from my website, it results in more than just multimedia permission hijacking. This time, the bug gives the attacker full access to every website ever visited by the victim. That means in addition to turning on your camera, my bug can also hack your iCloud, PayPal, Facebook, Gmail, etc. accounts too." (Ref: https://www.ryanpickren.com/safari-uxss)
- 5. Notorious Spyware Firm Reportedly Offered ‘Bags of Cash’ for Access to U.S. Networks
This is the type of attack that keeps me up at night: "A whistleblower alleges that the scandal-ridden spyware firm NSO Group once offered a telecom security company “bags of cash” to buy access to its cellular networks, ostensibly so its clients could track specific mobile users within the United States."
- 6. Researchers Devise “DrawnApart” – A GPU Fingerprinting Technique
We know who you are based on your GPU: "Specifically, the technique involves logging the speed variations between the GPU Execution Units (EU). Such fingerprinting can even distinguish between two fingerprints apparently sharing similar hardware. Also, it is easy to execute via a simple unprivileged JavaScript."
- 7. Android malware can factory-reset phones after draining bank accounts
- 8. Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in
Oh boy: "An independent security researcher recently discovered the flaw in versions 5.0.4 and below of Essential Addons for Elementor and reported the issue to the developer of the plug-in. The developer then released an updated version with a fix for the vulnerability. But researchers at PatchStack, a WordPress plug-in security vendor, tested the patch and found it to be defective. They reported it to the developer, and another version — this one with a fix that worked — was issued on Jan. 28." Ugh: "First, $template_info is filled with user input data taken from $_REQUEST, which is taken from the URL or POST payload. This is then concatenated with some other values into a file path. This file path is passed on to the function include_with_variable as part of the HelperClass class. This function takes the file path and includes it which allows for the local file inclusion vulnerability to exist." (Ref: https://patchstack.com/articles/critical-vulnerability-fixed-in-essential-addons-for-elementor-plugin/)
- 9. UK government plans to release Nmap scripts for finding vulnerabilities
So a crowd-sourced, government-funded vulnerability scanner? "The NCSC said that the SME project was created to solve this problem by having some of the UK’s leading security experts, from both the government and public sector, either create or review scripts that can be used to scan internal networks. Approved scripts will be made available via the NCSC’s SME GitHub project page, and the agency said it’s also taking submissions from the security community as well."
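The PatchStack write-up quoted under item 8 describes the classic PHP local-file-inclusion shape: a value read straight from $_REQUEST is glued into a file path that is then handed to include. The following is an added illustration of that pattern and of a hardened replacement; it is constructed for these show notes and is not the plugin's own code. The function names, the template directory layout and the allowlist of template names are assumptions, not anything from Essential Addons for Elementor.

```php
<?php
// Added example: the LFI pattern from the PatchStack description, side by side
// with a hardened version. Constructed for illustration; not the plugin's code.
declare(strict_types=1);

// Vulnerable pattern (hypothetical): untrusted request data becomes part of the
// path that is included. A value such as "../../../../tmp/payload" walks out of
// the template directory, so any readable file on the host whose name ends in
// ".php" is executed with the web server's privileges.
function render_template_vulnerable(array $request, string $template_dir): void
{
    $template_info = $request['template'] ?? 'default';   // attacker-controlled
    $file = $template_dir . '/' . $template_info . '.php';
    include $file;                                         // local file inclusion
}

// Hardened version: (1) accept only identifiers the plugin actually ships, and
// (2) even then, resolve the final path and confirm it stays under $template_dir.
// Returns the canonical path, or null when the request must be rejected.
function resolve_template(string $template_info, string $template_dir): ?string
{
    $allowed = ['default', 'grid', 'list', 'masonry'];     // assumed template names
    if (!in_array($template_info, $allowed, true)) {
        return null;                                       // traversal never reaches the filesystem
    }

    $base      = realpath($template_dir);
    $candidate = realpath($template_dir . '/' . $template_info . '.php');
    if ($base === false || $candidate === false) {
        return null;                                       // missing dir or template
    }
    // Defence in depth: the resolved file must sit inside the resolved base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_hardened(array $request, string $template_dir): void
{
    $file = resolve_template((string) ($request['template'] ?? 'default'), $template_dir);
    if ($file === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $file;
}

// Self-contained demo (php thisfile.php): build a throwaway template directory
// with one legitimate template, then exercise the resolver with constructed inputs.
$demo_root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$template_dir = $demo_root . '/templates';
mkdir($template_dir, 0700, true);
file_put_contents($template_dir . '/grid.php', "<?php echo \"grid template\\n\";\n");

$inputs = [
    'grid',                          // legitimate, on the allowlist
    'masonry',                       // on the allowlist but not shipped: rejected
    '../../../../etc/passwd',        // traversal: rejected by the allowlist
    'grid/../../../../etc/passwd',   // traversal hidden behind a valid prefix: rejected
];
foreach ($inputs as $t) {
    printf("%-32s -> %s\n", $t, resolve_template($t, $template_dir) ?? 'rejected');
}

// Clean up the demo directory.
unlink($template_dir . '/grid.php');
rmdir($template_dir);
rmdir($demo_root);
```

The allowlist does the real work: once the identifier is limited to a fixed set of names, there is nothing an attacker can put in the request that reaches include as a path component. The realpath prefix check is a second guard for the case where a later refactor lets a non-allowlisted value through; note that realpath returns false for a path that does not exist, so a missing template is treated as a rejection rather than an include of an empty path.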
- 10. Finding a VMware vCenter Kernel 0day using Static Reverse Engineering — Signal Labs
- 11. MoonBounce: the dark side of UEFI firmware
This is pretty scary: "Note that at the time of writing we lack sufficient evidence to retrace how the UEFI firmware was infected in the first place. The infection itself, however, is assumed to have occurred remotely. While previous UEFI firmware compromises (i.e. LoJax and MosaicRegressor) manifested as additions of DXE drivers to the overall firmware image on the SPI flash, the current case exhibits a much more subtle and stealthy technique where an existing firmware component is modified to alter its behaviour." Also, people don't update UEFI, unless they are trying to solve a non-security problem...
- 12. She was a notorious hacker in the ’80s — then she disappeared
Really neat article. I have read about Susan "Thunder" in various works. I found it even more interesting that the journalist spent about a year tracking her down.
- 13. Myanmar Junta’s New Cyber Law to Jail Anyone Using VPN
Zero privacy: "The draft law would grant the regime unlimited power to access user data, ban content it dislikes, restrict internet providers and intercept data, and imprison those criticizing the regime online and employees of non-compliant companies."
- 14. Public Exploit Released for Windows 10 Bug
- 15. New Wearable Tech Could Stop Premature Ejaculation
- 16. Samba bug can let remote attackers execute code as root
More info here: https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin
- 17. I Spent a THOUSAND Dollars on HDMI Cables.. for Science
- 18. UEFI firmware vulnerabilities affect at least 25 computer vendors
"The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the aforementioned vendors were using Insyde-based firmware SDK to develop their pieces of firmware. We had a short discussion with Fujitsu PSIRT and came to the conclusion that we should report all those issues to CERT/CC to lead an industry-wide disclosure. This is how the VU#796611 was created and how Binarly collaboration with CERT/CC began in September 2021." (Ref: https://www.binarly.io/posts/An_In_Depth_Look_at_the_23_High_Impact_Vulnerabilities/index.html)
- 19. Few things to do to improve your Cybersecurity posture
- 20. Joy Of Tech® ‘Spotify Has A Joe Rogan Experience’
- 21. 8 Security Dinosaurs and What Filled Their Footprints
- 22. New Malware Used by SolarWinds Attackers Went Undetected for Years
- 1. Charming Kitten Sharpens Its Claws with PowerShell Backdoor
- 2. Your Graphics Card Fingerprint Can Be Used to Track Your Activities Across the Web
- 3. Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
- 4. Cyber Security Career Guide
- 5. Let’s Encrypt to revoke about 2 million HTTPS certificates
- 6. North Korea Hacked Him. So He Took Down Its Internet
- 1. Fact Sheet: Biden-Harris Administration Expands Public-Private Cybersecurity Partnership to Water Sector
The Biden-Harris Administration is expanding the Industrial Control System (ICS) Cybersecurity Initiative to the country’s water sector. The challenge: there are thousands of water companies, some very small, and it's not easy explaining to a Board of Directors that security hygiene does NOT mean washing your hands and that visibility into security does NOT mean how much soap has been used to wash hands before board meetings.
- 2. US Says National Water Supply ‘Absolutely’ Vulnerable to Hackers
Cyber defenses for US drinking water supplies are "absolutely inadequate" and vulnerable to large-scale disruption by hackers, a senior official said Thursday.
- 3. FBI Reportedly Considered Buying NSO Spyware
An investigation by Ronen Bergman and Mark Mazzetti, both journalists at The New York Times Magazine, found that, beginning in 2019, the FBI paid millions to NSO as the bureau considered deploying the Pegasus surveillance tool in the U.S.
iOS 15.3 has fixed the flaw this exploited. Don't assume other governments aren't using the NSO tools. Use loaner/burner devices in high risk countries, make sure they're updated with minimal data, strong authentication and use caution with data transferred from them.
- 4. US bans major Chinese telecom over national security risks
The U.S. FCC has revoked China Unicom Americas' license, essentially banning it from providing domestic and international telecommunication services in the U.S. According to the order, the Chinese telecom company has just 60 days after the order was released to terminate its domestic and international services. The order finds it is a subsidiary of a state-owned enterprise, subject to exploitation, influence and control by the Chinese government.
- 5. Unsecured AWS server exposed 3TB in airport employee records
An unsecured Securitas AWS S3 bucket has exposed sensitive data belonging to airport employees across Colombia and Peru.
- 6. Mandiant: 1 in 7 Ransomware Extortion Attacks Exposes OT Data
Ransomware gangs often up their game by extorting their victims on so-called shaming sites, where they dump the stolen information to pressure the victims to pay the ransom. Mandiant researchers say one in seven of those extortion sites also exposed OT information lifted from industrial victims.
- 7. FBI Document Cloud: Potential for Malicious Cyber Activities to Disrupt the 2022 Beijing Winter Olympics and Paralympics
The FBI is warning entities associated with the February 2022 Beijing Winter Olympics and March 2022 Paralympics that cyber actors could use a broad range of cyber activities to disrupt these events. These activities include distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, disinformation campaigns, or insider threats, and when successful, can block or disrupt the live broadcast of the event, steal or leak sensitive data, or impact public or private digital infrastructure supporting the Olympics.
- 8. Microsoft fends off record-breaking 3.47 Tbps DDoS attack
Microsoft's Azure DDoS Protection team said that in November, it fended off what industry experts say is likely the biggest distributed denial-of-service attack ever: a torrent of junk data with a throughput of 3.47 terabits per second. The record DDoS came from more than 10,000 sources located in at least 10 countries around the world.
- 9. DDoS attacks on Andorra’s internet linked to Squid Game Minecraft tournament
A high-stakes Minecraft tournament is believed to be the cause of a series of DDoS attacks targeting Andorra’s only internet provider for the last four days in what experts believe has been an attempt to prevent local gamers from participating. Attacks interrupted service for home, business and government users.
- 10. Samba – Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
CVE-2021-44142 Summary: This vulnerability allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
- 11. Samba bug can let remote attackers execute code as root
Samba has addressed a critical severity out-of-bounds heap read/write vulnerability that can let attackers gain remote code execution with root privileges on servers running the vfs_fruit module.