Post-Exploit, Vocal Passports, Will it Run DOOM!?!, & Coldplay Lyrics in Firmware – PSW #786
In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPI for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permanently, Hell never ends on x86, and Coldplay lyrics in your firmware.
Announcements
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
- 1. Brex’s Prompt Engineering Guide
- 2. The printer goes brrrrr, again!
Serious reverse engineering went into this effort. My question: Is it worth it for a printer or multi-function device?
- 3. C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves
Mythic is: "A cross-platform, post-exploit, red teaming framework designed to provide a collaborative and user friendly interface for operators." - Some serious design and engineering went into this project: "Fundamentally, Mythic uses a web-based front end (React) and Docker containers for the back-end. A GoLang server handles the bulk of the web requests via GraphQL APIs and WebSockets. This server then handles connections to the PostgreSQL database and communicates to the other Docker containers via RabbitMQ. This enables the individual components to be on separate physical computers or in different virtual machines if desired." - Pretty neat stuff, I've not checked it out yet, have you?
- 4. From DA to EA with ESC5
- 5. PyPI Repository temporarily suspends user sign-ups and package uploads due to ongoing attacks
Things just got real: "New user and new project name registration on PyPI is temporarily suspended. The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave," reads the Incident Report for Python Infrastructure published by the maintainers. "While we re-group over the weekend, new user and new project registration is temporarily suspended."
- 6. Bug bounties are broken – the story of “i915” bug, ChromeOS + Intel bounty programs, and beyond : pi3 blog
Are bug bounties broken? This article makes a good case. I think there is one detail that needs some light shed on it: the vulnerability found was a kernel DoS condition. I believe this led to the researcher (unfairly, I might add) being shuffled around and suffering from a mess of a disclosure process and bug bounty process. Still, I feel we can collectively do better. Instead of finger-pointing and silence, why not just fix the damn bug?
- 7. ASUS routers knocked offline worldwide by bad security update
We push for automated updates, until things go wrong: "The ASD is a built-in security daemon supplied by Trend Micro, and it is used in a wide range of router models for real-time protection against emerging threats. However, this component is updated regardless of whether the user has automatic security (firmware) updates enabled on their device or not. Reportedly, the corrupted definition file for ASD was automatically pushed to all impacted routers, causing them to run out of filesystem space and memory and eventually crash."
- 8. WebAssembly Port Scanner
- 9. Arm confident Cortex-M is secure after side-channel attack
- 10. Not-Too-Safe Boot: Remotely Bypassing Endpoint Security Solutions and Anti-Tampering Protections
This has been known for some time: "It enables an attacker with administrative privileges to remotely force a system to start in safe mode, thereby disabling any AV, EDR or other cybersecurity solution with an anti-tampering mechanism and allowing them to perform various malicious actions."
- 11. Intel says its mystery microcode update isn’t security fix
NA means there is no security update: "Unfortunately, Intel isn't being forthcoming about what exactly the patch does. Its purpose was simply listed as 'security updates for Intel-SA-NA,' which many, including Phoronix, took the NA to mean it was a security update with a release advisory 'not available.' We now know it meant 'not applicable,' and that the update simply contains 'functional updates.'"
- 12. Malware turns home routers into proxies for Chinese state-sponsored hackers
Attackers are just using you: "Learning from history, router implants are often installed on arbitrary devices with no particular interest, with the aim to create a chain of nodes between the main infections and real command and control," Check Point researchers wrote in a shorter write-up. "In other words, infecting a home router does not mean that the homeowner was specifically targeted, but rather that they are only a means to a goal." This is the more interesting part: "Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors. The deployment method of the firmware images on the infected routers is still unclear, as well as its usage and involvement in actual intrusions." - The supply chain strikes again, perhaps?
- 13. Cisco fixes critical flaws in small business switches
Cisco did not put enough effort into the web interface on these devices, as is common: "The four security flaws are tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 and all carry CVSS severity ratings of 9.8 out of 10. All are caused by improper validation of requests sent to the targeted switches' web interfaces." - At least they listened to me on a previous episode and are patching these now, at least for these issues...
- 14. The Underground History of Russia’s Most Ingenious Hacker Group
- 15. Potentially millions of Android TVs and phones come with malware preinstalled
- 16. Will it run DOOM?
Who doesn't want the ability to boot directly into DOOM? - "So, there we have it! The UEFI Shell also runs DOOM. In fact, we could probably add DOOM direct to the boot menu — boot to DOOM!"
- 17. Writing axle’s GameBoy emulator
It runs DOOM! Also, this person developed their OWN operating system, then created a Gameboy emulator for it. I'm impressed (and that doesn't happen too often as I get older). Also, this post describes very nicely what happens once the CPU is initialized and the boot process continues (or tries to). In case you're curious: "With that knowledge in hand, it gets a lot easier to answer our question about how the boot ROM is executed: the MMU on the GameBoy has things set up such that when the CPU reads address 0, it will receive the first of the boot ROM’s bytes that were etched into the silicon when the GameBoy was manufactured."
- 18. Remote updates on motherboards could lead to bricked servers
I referenced this work in my Shmoo presentation: "This latest power management tampering, or PMFault, can be carried out by a privileged software adversary who doesn't have access to Board Management Controller (BMC) login credentials. It allows the same data extraction as its predecessor attacks, but through the BMC flash memory chip. In other words, you need to be able to update the BMC firmware to include malicious code to perform the attack, which means you'll need root access pretty much." - And yeah, it works, without physical access. Though, you do need to be able to write new firmware to the BMC, which can be tricky depending on the architecture. This may also mean you need to find a vulnerability that allows you to write firmware to the BMC, which in turn would allow you to permanently brick the device. But hey, if you want to test it out, do so at your own risk: https://github.com/zt-chen/PMFault (WARNING: The code in this repo can cause PERMANENT DAMAGE to your server. Use at your own risk.) Please note I am not recommending or instructing anyone to run this code on your devices or anyone else's. But, if you do, please tell me all about the results!
- 19. Hell Never Ends On x86: The Hyperspace Story, Continued, Sort Of
I had no idea this rabbit hole existed, but if you want to dive into Hyperspace, Quickweb and the world of "instant on" OSes and boot sequences, this is a place to start. If you're after sub-10-second boot times, I mean, I guess that's a thing people could be into. I also found other very weird things that likely should never have existed, and certainly we shouldn't be reading about or talking about on the show, yet here we are: "QuickLook is an email and calendar app that you can launch directly instead of booting a normal OS. I need to stress that, as far as I can tell, this is not Linux, this is not DOS, this is not anything. This is a bespoke standalone program, written in C (there are .c files mentioned all throughout the .EFI, which is just a Windows-format .EXE with a different name.)" OMG, the horrors continue: "When you install QuickLook, it installs a plugin for Outlook (only supported on 2003 and 2007) which periodically, at a configurable interval, copies the entire contents of your inbox and calendar to an XML file in HP_TOOLS. If you send an email or edit a calendar event from QuickLook, it just writes it to an XML file, and when you boot into Windows again, the Outlook plugin reads it and replicates those actions within the real user DB." - I don't even know if I want to keep reading at this point. I kept reading. I should not have: "Daystarter purports to show you your calendar while Windows is booting. And, okay, so what - they're just replacing the bootsplash image, like we all did on Windows 98 and XP when we were 13. No. It steps through your week as it boots. And you can hit keyboard shortcuts to pause or clear it. This is a program that runs while Windows boots." What the holy hell have I stumbled across? Now I am cursing my co-worker Ed for sending me this link. It gets worse: "As Windows is starting, it keeps updating the VGA framebuffer to move the progress bar. Daystarter traps that event, throws it away, and instead writes its own content to the framebuffer. It also uses this opportunity to check the keyboard buffer for an F4 or F3, so it can take user input." And, I saved the best for last: "Daystarter runs from goddamn System Management Mode." - Developers should be punished severely.
- 20. EvilCrowRF-V2
- 21. Security Researcher Finds Coldplay Lyrics in Kingston SSD Firmware
The only thing stranger than this may be the music video for the Coldplay song in question...
- 1. Backup Repositories Targeted in 93% of Ransomware Attacks
The ransomware threat is still very much alive, with 85% of organizations having suffered from at least one such attack over the past 12 months, according to Veeam’s 2023 Ransomware Trends Report.
If this trend continues, “more organizations will suffer a ransomware attack than turn a profit,” warns the report.
Veeam also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories being completely lost.
The report showed that organizations are still ill-prepared to face this threat.
First, most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don’t, even after paying the ransom.
- 2. Private Sector Cybersecurity Task Force Called for to Defend Democracies
As Russia and China plow millions, if not billions of dollars, into disinformation, blackmail and bribery campaigns, Western nations need to step up and realize they are under attack.
This is according to Jessica Berlin, an independent policy and security consultant, who called for Western nations to recognize that these adversaries are playing the long game and need to step up.
“We need, from our side, the free world side, to be willing to also invest in the defense of our democracies,” she said, speaking at WithSecure’s Sphere 2023 conference in Helsinki.
She noted that there is no international security without cybersecurity and called for a private sector task force to defend democracies in general elections and public information.
From a public-private perspective, Berlin called for the cybersecurity industry to be wagging the dog of international cybersecurity policy.
She said there is a need to see companies that can be agile, test and then scale and create a toolbox to defend democracy.
“This is your key to long-term survival as a company,” she said to the Sphere 2023 audience before adding that these efforts are key to “our collective long-term survival as democracies.”
She also said companies must consider helping secure more fragile, young democracies. She later noted that creating toolboxed resources and helping protect elections in these types of nations will “build a runway” for business development in those countries and markets.
Coming from Germany, she said that progress was slow and, in some cases, cumbersome. Whereas in countries like Finland, Estonia and Lithuania, the markets can be much more agile.
“You guys are smaller markets that really punch above your weight in tech,” she said. “There’s really an opportunity here in the region to get started on projects like this, especially if you collaborate with the Ukrainians.”
Having spent a lot of time in Ukraine over the past 18 months, Berlin said that the community must also be willing to take the lead and learn from the example of Ukraine in its cybersecurity response since February 2022.
She noted that there is long-term funding available from governing bodies like the European Union.
- 3. Popular Android Screen Recorder iRecorder App Revealed as Trojan
The iRecorder app has been removed from the Google Play Store, but it is still available on third-party app stores, so be careful!
iRecorder – Screen Recorder, a once legitimate Android application, has now been found to harbour a dangerous Android remote access Trojan (RAT). Cybersecurity experts from ESET made this discovery, uncovering a variant of AhMyth, an open-source remote administration tool capable of extracting sensitive data from Android devices.
Initially launched in September 2021 and boasting over 50,000 installs, iRecorder – Screen Recorder appeared to be a harmless screen-recording app. However, the latest analysis by ESET has revealed the presence of malicious code, referred to as AhRat by the researchers, within the app's update to version 1.3.8 in August 2022.
- 4. Pentagon explosion hoax goes viral after verified Twitter accounts push
Highly realistic AI-generated images depicting an explosion near the Pentagon that went viral on Twitter caused the stock market to dip briefly earlier today.
Tweets with images supposedly depicting an explosion near the Pentagon building in Arlington, Virginia, were amplified by many verified Twitter accounts, including a Russian state media one with millions of followers and a verified account impersonating the Bloomberg news agency.
- 5. Online scams target bargain-hunting holiday travelers
30% of adults have fallen victim or know someone who has fallen victim to an online scam while trying to save money when booking travel, according to McAfee.
34% of those who had money stolen have lost over $1,000 before their trip has even begun, while 66% lost up to $1,000.
Too good to be true
62% of all vacationers will travel domestically this year and 42% will do so internationally. With inflation and the cost-of-living crisis, the research reveals new concerns for leisure-seekers who, in their quest for a good deal, may be more likely to fall for a scam.
With 94% of people booking travel online this year, it can be easy to get lured into a deal that’s too good to be true. In today’s economic environment, adults are more likely to seek out a bargain deal online (56%), move quickly to snap up a deal (45%), try a new booking site (35%) and even a new destination (36%), in order to save money. However, travel seekers need to stay vigilant to avoid falling for a scam.
Online travel scams can take many forms, with the research finding 14% of all adults have been tricked into making payments through fraudulent platforms and 18% have had their identity stolen when booking online. Of this portion, 7% entered passport information and 11% provided other personally identifiable information to a fake website.
- 6. Voice Cloning-as-a-Service Emerges as a New Stream in Underground World
The ever-growing boom in AI-based tools is increasingly attracting cybercriminals. Experts have observed an increase in the availability of Voice Cloning-as-a-Service (VCaaS) offerings, which power deepfake frauds. These tools and services are capable of spreading misinformation in highly effective ways and can defeat voice-based MFA systems easily.
Impersonating celebrity voices
Recorded Future researchers have revealed that several attackers are offering out-of-the-box voice cloning platforms, thus helping other cybercriminals carry out attacks effectively without any sound technical know-how. These voice-cloning tools are often intended to create fake voices of popular celebrities, politicians, and other influencers. These fake audio recordings can be used to spread disinformation or to carry out social engineering fraud. Some of these automated voice cloning platforms are being offered for free, while others cost a minimal amount of money.
- 7. Meta Fined Record $1.3 Billion and Ordered to Stop Sending European User Data to US
The European Union slapped Meta with a record $1.3 billion privacy fine Monday and ordered it to stop transferring user data across the Atlantic, the latest salvo in a decadelong case sparked by U.S. cybersnooping fears.
The penalty fine of 1.2 billion euros from Ireland’s Data Protection Commission is the biggest since the EU’s strict data privacy regime took effect five years ago, surpassing Amazon’s 746 million euro penalty in 2021 for data protection violations.
The Irish watchdog is Meta’s lead privacy regulator in the 27-nation bloc because the Silicon Valley tech giant’s European headquarters is based in Dublin.
Meta, which had previously warned that services for its users in Europe could be cut off, vowed to appeal and ask courts to immediately put the decision on hold.
“There is no immediate disruption to Facebook in Europe,” the company said.
"This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.," Nick Clegg, Meta's president of global affairs, and Chief Legal Officer Jennifer Newstead said in a statement.
It’s yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations about U.S. cybersnooping.
- 1. SKYTALKS 2023 REGRETFULLY DECLINES
But as leaders for the event, and active participants in the hacker community, we are not comfortable with our personal moral and ethical questions in asking volunteers and speakers to take what we believe are significant risks to their long term health to come and participate in Skytalks. Long COVID is still a thing, and given how many of our organizers and speakers already have other long term health issues that could be complicated by long-term COVID issues, we feel it irresponsible of us to ask them, or any of us, to assume that risk right now.
- 1. BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack
Using a middleman called "Blueprint" to bypass attempt limits and hijack fingerprint images, they were able to brute-force fingerprint authentication on 10 representative smartphones from the top-5 vendors and 3 typical types of applications involving screen lock, payment, and privacy. As all of them are vulnerable to some extent, the fingerprint brute-force attack is validated on all devices except iPhone.
- 2. Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules
Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to the United States. But it remains unclear if or when Meta will ever need to cordon off the data of Facebook users in Europe. Meta said it would appeal the decision, setting up a potentially lengthy legal process. Meta faces the prospect of having to delete vast amounts of data about Facebook users in the EU. That would present technical difficulties given the interconnected nature of internet companies.
- 3. Preparing to ship the Privacy Sandbox relevance and measurement APIs
Starting in Q3 2023, Chrome will include these APIs: Topics, Protected Audience, Attribution Reporting, Private Aggregation, Shared Storage, and Fenced Frames. The Topics API generates signals for interest-based advertising without third-party cookies or other user identifiers that track individuals across sites. Chrome will begin phasing out third-party cookies in Q1 2024.
- 4. The U.S. is expanding CO2 pipelines. One poisoned town wants you to know its story
There are now about 5,300 miles of CO2 pipelines in the U.S., but in the next few decades, that number could grow to more than 65,000 miles. The expected growth in CO2 pipelines is tied to a nationwide push for more carbon capture and storage. When a pipe leaks, it can create a cloud of CO2 that can sometimes hang in the air for hours. Exposure causes a thirst for oxygen, disorientation and heart malfunction. Extreme exposures to carbon dioxide can lead to death by asphyxiation. People have ended up with long-term respiratory and brain damage.
- 5. China fails Micron’s products in security review, bars some purchases
China's cyberspace regulator said on Sunday that products made by U.S. memory chipmaker Micron Technology Inc (MU.O) had failed its network security review and it would bar operators of key infrastructure from buying from the company. The CAC neither provided details on what risks it had found nor what Micron products would be affected.
- 6. The Air Force’s new directed energy weapon is ready to blast drone swarms out of the sky
Tactical High-power Operational Responder (THOR) is a high-powered microwave counter-drone weapon. During a trial, the THOR team "flew numerous drones at the THOR system to simulate a real-world swarm attack," and THOR "was exceptionally effective at disabling the swarm."
- 7. PyPI new user and new project registrations temporarily suspended
Incident Report for Python Infrastructure: The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.
- 8. KeePass exploit helps retrieve cleartext master password, fix coming soon
The exploit allows an attacker to steal a KeePass user’s master password in plain text from the target computer’s memory, even when the database is locked. "No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system."
- 9. Imperial College working with Royal Navy on groundbreaking system to replace GPS on ships
A new quantum compass that could replace GPS on ships has been tested on water for the first time. Military chiefs have been warning for years of the dangers of relying on GPS, due to the potential for adversaries to jam and manipulate trackers. Quantum accelerometers work by measuring how an object's speed changes over time. The device uses this velocity and the object's starting point to calculate the new position. In order to maintain that precision over long periods of time, the device measures the properties of supercooled atoms.
- 10. Man Scammed by Deepfake Video and Audio Imitating His Friend
Hackers using advanced AI software reportedly convinced a man in northern China to transfer 4.3 million Yuan ($622,000) to his friend, but instead directed it to a fraudulent account. In the UK, the CEO of a local energy firm wired €220,000 (approx. $243,000) to a Hungarian supplier's bank account after receiving a phone call from his supposed boss. The voice actually belonged to a scammer who used AI voice technology to replicate the boss's voice, and the CEO told The Wall Street Journal that he recognized the subtle German accent and said it carried the "melody" of his voice. A similar attack was reported in Milwaukee.
- 11. This palm-sized PC might contain the future of gadget cooling
AirJet is a micro-electromechanical system that shoots air out of a solid-state chip, cooling with a device thinner and quieter than most fans could manage. There are vibrating membranes inside the chip. When they vibrate they create a suction force that pulls air from the top through the dust guard into the inlet vents, and then pushes it down at very high velocities.
- 12. The cyber gulag: How Russia tracks, censors and controls its citizens
Putin has harnessed digital technology to track, censor and control the population, building what some call a "cyber gulag." An activist can't ride the subway without being recognized by facial recognition and detained. More than 610,000 web pages were blocked or removed by authorities in 2022 – the highest annual total in 15 years – and 779 people faced criminal charges over online comments and posts, also a record. AI systems scan social networks for banned content.
- 13. Man convicted of blackmail and other offences
A UK IT Security Analyst tried to hijack a ransomware payment by altering the payment address in a blackmail email. No payment was made and the unauthorised access to the private emails was noticed. He had wiped all data from his devices just days before his arrest in order to try to hide his involvement, however the data was recovered and this provided direct evidence of his crimes.