Cyber Directors (& Tsars!), Replace Your Hardware, Drink For PCI, & Handheld Gaming – PSW #788
In the Security News: There is no national cyber director, time to move away from MoveIT, update Microsoft IIS at least every 6 years, your security system is not secure, for that matter neither is your smart pet feeder, identity management is hard, at least for some, spies using spy gadgets to spy on spies, go ahead and just replace your hardware, secure boot is hard, bypassing the BIOS password (but don’t try this at home, or work for that matter), Rob shaved his beard, what’s new in PCI (drink, are we still drinking on PCI? If so, drink again), if your firmware isn’t patched, no cloud updates for you, and Gigabyte has a backdoor!
Announcements
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive level conferences are designed to educate senior cyber professionals on the latest threat landscape. We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register. Visit securityweekly.com/cybersecuritysummit to learn more and register today!
Hosts
- 1. A simple bug exposed access to thousands of smart security alarm systems
The last part is the best: "Stykas said the vulnerability allowed anyone to sign up as a new user and assign that account to any other group of users, including a “root” group, which has access to all of the smart alarm systems connected to Eaton’s cloud. The vulnerability is known as an insecure direct object reference, or IDOR, a class of security bug that allows unchecked access to files, data, or user accounts because of weak or lacking access controls on a server. Stykas said the bug was easy to exploit using man-in-the-middle tools like Burp Suite by intercepting the new user’s group number and swapping it with the number of the root group, which was simply “1”." - I am consistently impressed with how poor the security of consumer-grade alarms can be. We've covered a few stories; they all seem to have major security issues. And not issues that are all that complex; it's like they just left out security entirely of a home SECURITY system. Much like car hacking, I believe we'll start to see things like this make it into mainstream crime, where physical break-ins will incorporate digital attacks. I know you may be thinking that you are able to defend yourself, your family, and your home from a break-in. This only applies if you are home when it happens, so having an alarm system and cameras is important. I much prefer cameras and cover as much of my house as possible.
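The group-number swap quoted above is the whole bug: the server let the client name the group it would join. As an added example (not code from the article, from Eaton, or from the researcher), here is that vulnerable signup next to a hardened one that decides the group on the server, plus the review list a defender would run afterwards. The directory, the accounts and the root group id of 1 are constructed for the example.

```python
"""Added example, not from the article or from any vendor's code: the IDOR the
article describes (client picks its own group id at signup) next to a hardened
signup that assigns the group server-side. Accounts, groups and the root
group id are constructed."""
from dataclasses import dataclass, field

ROOT_GROUP_ID = 1  # constructed: the all-access group in this toy directory


class AuthorizationError(Exception):
    """Raised when a caller tries to put a user into a group it does not administer."""


@dataclass
class Account:
    name: str
    group_id: int


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)       # name -> Account
    group_admins: dict = field(default_factory=dict)   # group_id -> set of admin names
    next_group_id: int = 1000                          # fresh self-service groups start here


def signup_vulnerable(directory, new_name, requested_group_id):
    """Vulnerable pattern: the group id comes straight from the request body.
    Whoever edits the request in transit lands in whatever group they name."""
    account = Account(new_name, requested_group_id)
    directory.accounts[new_name] = account
    return account


def signup_hardened(directory, new_name, requested_group_id=None, actor=None):
    """Hardened pattern: an unauthenticated self-service signup always gets a
    brand-new, unprivileged group. Placing a user into an existing group is an
    administrative action checked against that group's admin list."""
    if actor is None or requested_group_id is None:
        group_id = directory.next_group_id
        directory.next_group_id += 1
    else:
        if actor not in directory.group_admins.get(requested_group_id, set()):
            raise AuthorizationError(f"{actor} is not an admin of group {requested_group_id}")
        group_id = requested_group_id
    account = Account(new_name, group_id)
    directory.accounts[new_name] = account
    return account


def unexpected_root_members(directory):
    """Review list: accounts in the root group that are not on its admin list.
    On the vulnerable path this is where a swapped group number shows up."""
    admins = directory.group_admins.get(ROOT_GROUP_ID, set())
    return sorted(a.name for a in directory.accounts.values()
                  if a.group_id == ROOT_GROUP_ID and a.name not in admins)


if __name__ == "__main__":
    d = Directory(group_admins={ROOT_GROUP_ID: {"ops-admin"}})
    signup_vulnerable(d, "mallory", ROOT_GROUP_ID)   # tampered request: group=1
    print("vulnerable path, root members to review:", unexpected_root_members(d))
    h = Directory(group_admins={ROOT_GROUP_ID: {"ops-admin"}})
    print("hardened self-service group:", signup_hardened(h, "alice", ROOT_GROUP_ID).group_id)
```

The point of the hardened version is not input validation on the number; it is that the number is never the client's to choose. Any request field that names a resource the caller should not control needs the same treatment.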
- 2. Case study: smart pet feeder vulnerabilities
More IoT fail: "The main vulnerability in the Dogness smart feeder is the Telnet server allowing remote root access through the default port. At the same time, the superuser password is hard-coded in the firmware and cannot be changed, meaning that an attacker who extracts the firmware can easily recover the password and gain full access to the device — and in fact any device of the same model, since they all have the same root password." - And there's more, like an insecure video transmission and shockingly using HTTP to update firmware.
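The three problems in that paragraph (a root password baked into the image, Telnet started at boot, firmware pulled over plain HTTP) are all visible in an extracted root filesystem before anything is powered on. As an added example (not from the Kaspersky case study or the vendor), here is a small audit over such a filesystem. The BusyBox-style files it checks are constructed; the password hash and update URL are placeholders.

```python
"""Added example, not from the Kaspersky case study: audit an extracted
firmware root filesystem for a fixed root password hash, a Telnet service in
inittab, and a firmware update URL served over plain HTTP. The sample rootfs
is constructed in a temp directory."""
import os
import re
import tempfile

# constructed files modelled on a BusyBox-style embedded rootfs
SAMPLE_FILES = {
    "etc/shadow": "root:$1$saltsalt$CONSTRUCTEDHASHxxxxxxxxxx:19000:0:99999:7:::\n"
                  "nobody:*:19000:0:99999:7:::\n",
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n"
                   "::respawn:/usr/sbin/telnetd -l /bin/login\n"
                   "::respawn:/usr/sbin/httpd -p 80\n",
    "etc/update.conf": "update_url=http://updates.example.invalid/feeder.bin\n"
                       "check_interval=86400\n",
}

LOCKED_HASHES = ("", "*", "!", "!!", "x")   # no usable password in the image


def write_sample_rootfs():
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root


def audit_rootfs(root):
    findings = []
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.exists(shadow):
        with open(shadow) as f:
            for line in f:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 2 and fields[0] == "root":
                    h = fields[1]
                    # A usable hash shipped in the image is identical on every
                    # unit of the model; whether it cracks is secondary.
                    if h not in LOCKED_HASHES and not h.startswith("!"):
                        findings.append({"kind": "fixed_root_password", "file": "etc/shadow"})
    inittab = os.path.join(root, "etc", "inittab")
    if os.path.exists(inittab):
        with open(inittab) as f:
            for lineno, line in enumerate(f, 1):
                if "telnetd" in line and not line.lstrip().startswith("#"):
                    findings.append({"kind": "telnet_service", "file": "etc/inittab",
                                     "line": lineno})
    etc = os.path.join(root, "etc")
    for dirpath, _dirs, files in os.walk(etc):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    for url in re.findall(r"http://\S+", line):
                        findings.append({"kind": "cleartext_update_url",
                                         "file": os.path.relpath(path, root),
                                         "line": lineno, "url": url})
    return findings


if __name__ == "__main__":
    for finding in audit_rootfs(write_sample_rootfs()):
        print(finding)
```

On a real image the same three checks would also look at any `rc` scripts and at `/etc/passwd` (some images keep the hash there), but the logic does not change: a credential that ships in the firmware is a credential for every device of that model.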
- 3. Adversaries increasingly using vendor and contractor accounts to infiltrate networks
"Vendors may remotely access the environment intermittently or at unusual times, making it difficult for the information security team to establish an activity baseline for those accounts. How would an organization detect a time-of-day authentication anomaly if their contracted development team had members around the world working their own unique shifts? What about for a contractor who only connects remotely a few times a month based on their schedule? Or one that only logs in for ad hoc troubleshooting?" - Identity management is hard, should it be though?
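The questions in that quote are about baselines, and the honest answer for a sparse account is "there is no baseline yet", not "nothing anomalous". As an added example (not from the article or any vendor product), here is a per-account time-of-day baseline over remote-login records that says exactly that: accounts with a steady history get an hour-of-day profile, accounts with too little history are routed for review instead of being silently passed. All log lines, account names and addresses are constructed.

```python
"""Added example, not from the article or any vendor tool: a per-account
time-of-day baseline for remote logins with the sparse-history case handled
explicitly. All log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\w+)$")

# constructed history: vendor-acme has a steady morning (UTC) pattern,
# contractor-bob has only connected twice
HISTORY = """\
2023-06-01T09:12:03Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-02T08:47:55Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-05T10:05:12Z login user=vendor-acme src=203.0.113.11 result=success
2023-06-06T09:31:40Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-07T08:58:02Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-08T09:44:19Z login user=vendor-acme src=203.0.113.10 result=failure
2023-06-03T22:10:00Z login user=contractor-bob src=198.51.100.7 result=success
2023-06-14T21:55:31Z login user=contractor-bob src=198.51.100.7 result=success
"""

# constructed new events to classify against that history
NEW_EVENTS = """\
2023-06-20T09:02:11Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-21T03:14:27Z login user=vendor-acme src=203.0.113.10 result=success
2023-06-21T22:30:05Z login user=contractor-bob src=198.51.100.7 result=success
"""

MIN_EVENTS = 5   # fewer successful logins than this and no baseline is trusted


def parse(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]


def build_baseline(history_text, min_events=MIN_EVENTS):
    """Return {user: set of UTC hours seen} for accounts with enough successful
    logins, and {user: None} for accounts whose history is too thin to use.
    Baselines are per account on purpose: a global team has no single window."""
    hours = defaultdict(list)
    for ts, user, _src, result in parse(history_text):
        if result == "success":
            hours[user].append(ts.hour)
    return {u: (set(h) if len(h) >= min_events else None) for u, h in hours.items()}


def classify(events_text, baseline):
    """Label each new successful login: 'in-baseline', 'off-hours', or
    'insufficient-history' for the few-times-a-month contractor, whose logins
    all go to a reviewer until enough history exists."""
    verdicts = []
    for ts, user, _src, result in parse(events_text):
        if result != "success":
            continue
        known = baseline.get(user)
        if known is None:
            verdict = "insufficient-history"
        elif ts.hour in known:
            verdict = "in-baseline"
        else:
            verdict = "off-hours"
        verdicts.append((user, ts.isoformat(), verdict))
    return verdicts


if __name__ == "__main__":
    for row in classify(NEW_EVENTS, build_baseline(HISTORY)):
        print(*row)
```

Production use would widen the match to neighbouring hours and weekdays and add source-address and geography features, but the shape stays: review the thin-history accounts by policy (ticket-gated access, short-lived credentials) because the statistics cannot cover them.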
- 4. Spying on the Spy: Security Analysis of Hidden Cameras
Turns out this is a mini-embedded device that runs Linux, and the manufacturer did nothing in terms of security. Go figure.
- 5. Barracuda urges customers to remove and replace vulnerable hardware exploited by hackers
This could be one of two things, or perhaps both: 1) the attackers embedded themselves so deep in the software on these devices that you just have to replace it rather than rebuild it; 2) the attackers got into the firmware for these devices. I just want to point out there are a ton of these for sale on eBay cheap. Some models even have an MSI motherboard, like this one: https://www.ebay.com/itm/304958249729 - Yikes!
- 6. Introducing HASH: The HTTP Agnostic Software Honeypot framework
- 7. New Condi malware builds DDoS botnet out of TP-Link AX21 routers
- 8. A Shady Chinese Firm’s Encryption Chips Got Inside NATO and NASA
- 9. Flipper Zero “Smoking” A Smart Meter Is A Bad Look For Hardware Hackers
I've watched this video. I really hope the person had permission to do this. Equipment was damaged. In a typical test, you do not damage equipment. Having said that, there is now evidence this was a hoax. Go figure.
- 10. Raspberry Pi Pico W Now Supports Bluetooth
The hardware always supported it; now we get Bluetooth support from a software update. What is your favorite Pico project? Specifically, hacking ones? I'm curious...
- 11. Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver
- 12. Linux x86 Boot Process Trying To Cleanup “Hay-Wire Circuits, Duct Tape & Super Glue” – Phoronix
- 13. Running Linux On The ASUS ROG Ally Gaming Handheld – Phoronix
Disable Secure Boot they said. It will be fine they said. Keep in mind this all depends on which keys were pre-installed from Asus, if they did not include one for the MS 3rd party CA, you will have to install keys yourself, which means you have to configure SB yourself, which is a PITA.
- 14. Fake zero-day PoC exploits on GitHub push Windows, Linux malware
- 15. VAST: MLIR for Program Analysis
- 16. Securing Connections to your Remote Desktop – Compass Security Blog
- 17. Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
There are many CVEs being thrown around for a series of events. If you have Fortinet gear my advice is to get patching fast.
- 18. A Truly Graceful Wipe Out – The DFIR Report
- 19. Hardware Hacking to Bypass BIOS Passwords
Really neat and a great write-up here: https://blog.cybercx.co.nz/bypassing-bios-password. Reminds me of the times Larry and I used to short pins on the WRT54G to get it to revert to factory default settings. Please note, do not try this at home! Shorting pins can damage the hardware, ask me how I know.
- 20. Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
- 21. Russia-backed hackers unleash new USB-based malware on Ukraine’s military
- 22. Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away
Really neat research, however, it seems the fix is pretty straight forward: "The researchers recommend several countermeasures that manufacturers can take to harden devices against video-based cryptanalysis. Chief among them is avoiding the use of indicative power LEDs by integrating a capacitor that functions as a "low pass filter." Another option is to integrate an operational amplifier between the power line and the power LED. It's not clear if or when manufacturers of affected devices might add such countermeasures. For now, people who are unsure about the vulnerability of their devices should consider placing opaque tape on power LEDs or using other means to block them from view."
- 23. Learnings from kCTF VRP’s 42 Linux kernel exploits submissions
- 1. Russian APT28 hackers breach Ukrainian govt email servers
A threat group tracked as APT28 and linked to Russia's General Staff Main Intelligence Directorate (GRU) has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities.
In these attacks, the cyber-espionage group (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers.
- 2. Cyware Announces Technology Partnership with Mimecast to Extend Cyber Fusion with Advanced Email Security
Business Wire, Tue, June 20, 2023, 11:00 AM GMT+1
NEW YORK, June 20, 2023--(BUSINESS WIRE)--Cyware, a leading provider of threat intelligence management and cyber fusion solutions, announced today a strategic technology partnership with Mimecast, an advanced email and collaboration security company. This technology alliance brings together Mimecast's advanced secure email gateway with Cyware's cutting-edge security automation and collaboration platform. The joint solution will provide customers with proactive defense against ransomware, malware, phishing, and other evolving cyberthreats.
Cyware's Cyber Fusion Platform uniquely combines TIP, SOAR, and security collaboration tools, helping organizations prioritize threats and incidents, automate any type of security workflow, and automatically disseminate alerts to threat sharing communities. Mimecast's robust secure email gateway provides comprehensive cloud-based secure email services that stop known and emerging threats before they reach customer networks.
- 3. Expensive Proxies Underpin Anonymous Sudan DDoS Attacks
The pro-Russian "hacktivist" group, Anonymous Sudan, has been linked to expensive online infrastructure used in distributed denial-of-service (DDoS) attacks, according to a report by Australian cybersecurity firm CyberCX. The group, which purports to operate from Sudan, appears to use a large number of paid proxies to hide the source of its attack traffic, which undermines its claims of being a volunteer group. The cost of the proxy infrastructure is estimated to be at least AU$4,000 per month.
Anonymous Sudan emerged in January, claiming to retaliate for a Quran-burning incident in Stockholm by a far-right politician. However, CyberCX notes that the group's creation predates the incident by three days.
Microsoft has acknowledged that Anonymous Sudan is responsible for recent outages affecting Azure and Microsoft 365. There's growing consensus among cybersecurity firms that Anonymous Sudan is likely a Russian information operation, possibly a subgroup of the pro-Russian threat actor group Killnet. CyberCX also notes that the group's communications are primarily in English and Russian, and it occasionally attempts to monetize its activities.
- 4. Guess what happened to this US agency using outdated software?
A government-backed hacker group exploited a nearly six-year-old Telerik vulnerability to break into a US federal agency's Microsoft IIS web server, gaining access to the Document Manager component and establishing persistence on the government network. This follows a similar intrusion into a different federal agency's server earlier this year using a separate Telerik flaw.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI had warned about the first intrusion in March, attributing it to multiple threat actors, including an Advanced Persistent Threat (APT) group, who exploited a .NET deserialization vulnerability (CVE-2019-18935) in the Telerik UI for ASP.NET AJAX.
However, a recent update to the alert reveals a separate intrusion into a different agency's server in April, exploiting a vulnerability (CVE-2017-9248) that has been known since 2017. The agency was running an outdated version of the software, despite a proof-of-concept exploit being publicly available since January 2018.
After gaining access, the threat actors uploaded malicious scripts, modified and deleted sensitive files, and uploaded webshells for backdoor access. While no privilege escalation, lateral movement, or data exfiltration was detected, the presence of webshells indicated potential for further malicious activity. The incidents underscore the critical importance of timely patching of known vulnerabilities.
- 5. Phishing scam takes $950k from DoorDash drivers
A phishing scam targeting DoorDash drivers has resulted in the loss of around $950k in total. The scam, allegedly orchestrated by a 21-year-old named David Smith from Connecticut, involved placing a bogus DoorDash order, receiving the driver details, and then contacting the driver pretending to be DoorDash support. The drivers were then tricked into providing their banking details or logging into a fake portal, resulting in the loss of funds and potentially their ability to work.
The scam, which started back in 2020 when Smith was only 18, has affected a significant number of gig economy workers, particularly during the pandemic. Despite DoorDash's efforts to train drivers to spot scams and attacks, this particular scam was successful in deceiving many, with some drivers losing thousands of dollars.
Smith, who was discovered by law enforcement following an unrelated incident, faces charges including first-degree larceny, third-degree identity theft, and first-degree computer crime. It is currently unclear whether all affected drivers will be able to recover their lost funds. The case underscores the importance of vigilance and thorough security measures in the gig economy sector.
- 6. Western Digital has blocked access to its cloud services for devices running firmware versions impacted by a known and critical security vulnerability.
Western Digital has cut off cloud access for devices with firmware versions vulnerable to a critical security flaw, CVE-2022-36327, affecting several of its My Cloud and SanDisk products. The decision, effective from June 15, follows the company's firmware updates in May to fix this and other vulnerabilities. Devices with firmware versions earlier than 5.26.202 or 9.4.1-101 are now unable to connect to Western Digital's cloud services. Users of My Cloud Home, My Cloud Home Duo, and SanDisk ibi cannot access their data until they update their firmware. The move aims to protect unpatched devices from potential cyberattacks leading to serious data breaches.
- 1. Vacant White House cyber post draws concern amid global software breach
I've met Chris Inglis and would agree with anyone that he left a void when he stepped down from his role as National Cyber Director in February. Not sure what the hold-up is for nominating a replacement...maybe nobody wants the job?
- 2. Australian fallout from massive cyber breach that caught PwC set to grow
PwC impacted by the MOVEit breach. This happens, but it always looks bad when the "cybersecurity experts" are impacted by a breach.
- 3. EY investigating impact of cybersecurity breach of software provider
EY impacted, too? But they aren't owning it yet...or maybe they weren't impacted after all.
- 4. Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws
Assuming CISA gave fair notice (and time) to Enphase before issuing its advisories, why isn't Enphase being responsive?
- 5. Kaspersky Dissects Spyware Used in iOS Zero-Click Attacks
"Kaspersky disclosed the iOS zero-click attacks against its network on the same day that Russia’s Federal Security Service (FSB) blamed US intelligence agencies, specifically the NSA, for a spy campaign targeting thousands of iOS devices belonging to local users and foreign diplomatic missions." I can neither confirm nor deny...
- 6. Founder and CEO of Dragos sports a new look
Happened to see this the other day and did a double take....
- 7. Standardized information sharing framework ‘essential’ for improving cyber security
A couple of thoughts: Isn't this what all the ISACs are supposed to be doing? Is there a form of cross-industry ISAC needed? What about the fact that so many organizations don't know what is happening to them until some external party points it out to them?
- 8. 2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes
A fascinating and somewhat disturbing study. If you need empirical FUD data, here it is. Key takeaways include: Vulnerable assets are discovered rapidly: Misconfigured and vulnerable assets are literally discovered within minutes (GitHub – 2 minutes, HTTP – 3 minutes, SSH – 4 minutes, S3 Buckets – 1 hour).
- 9. Accenture launches free cybersecurity upskilling program in effort to fill 1 million entry-level jobs
Because everybody knows there's really no such thing as unskilled entry level jobs in cyber security!
Participants have two paths to choose from on the Cyber Million platform: a Cyber Fundamentals Collection, which includes introductory courses in cybersecurity, and a Defense Security Operations Collection that includes exercises for participants to learn and demonstrate the cybersecurity skills they’ve developed.
- 10. Johns Hopkins Health System Suffers Cyberattack
This one hits close to home since Johns Hopkins is where my granddaughter underwent treatment for cancer. They haven't disclosed the cause yet - but the inference is they are another MOVEit victim.
- 11. New Information Stealer ‘Mystic Stealer’ Rising to Fame
Technically, this should be rising to infamy.
- 12. Insider Insights for the PCI DSS 4.0 Transition
Yours truly contributed to this series. Apologies for having to give up your contact info - but worth it!
- 13. The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management
One of the new books coming out for PCI DSS v4.0 - this one happens to include me as the technical editor.
- 14. MOVEit victim list
I'm sure this is already out of date.
- 1. Apple announces powerful new privacy and security features
Apple is improving privacy and security protections in a range of its products. Link tracking protection in Messages, Mail, and Safari Private browsing will remove tracking data from shared links. A new iOS feature will allow users to share specific pictures with apps while keeping other private. Lockdown Mode will get new features and will be supported on watchOS.
Expect these improvements to arrive with iOS/iPadOS 17, watchOS 10 and macOS 14. Sensitive content warnings as well as more information on requested permissions/data use should help guide users. Note that Apple is working to have default-deny if you click the alert without agreeing to the access.
- 2. OMB Extends Software Self-Attestation Deadline
The US Office of Management and Budget (OMB) has extended the deadline for agencies to obtain software security self-attestation letters from contractors. Originally, agencies had until June 12 to collect self-attestations from providers of critical software and until September 14 to collect the letters from all vendors. The deadline has now been extended to three months after OMB creates a common self-attestation form for critical products, and six months for non-critical products. According to the updated guidance from OMB, agencies will not need to collect self-attestation letters for open-source software.
- 3. Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks
Microsoft had DDoS protections dialed in for a layer 3 or 4 attack. Subsequently Microsoft turned up their protections at layer 7. There is no such thing as being completely immune to DDoS attacks, but the lessons learned from Microsoft can help you raise the bar and weather the storm.
- 4. MOVEit Reveals Another SQL Injection Bug; New Victims Emerge
More organizations are disclosing that their networks have been compromised through vulnerabilities in Progress MOVEit file transfer software. Breaches have affected agencies that issue driver’s licenses and state ID cards in Louisiana and Oregon; the US Department of Energy; Aer Lingus; Ireland’s Health Service Executive; the BBC; British Airways; Nova Scotia’s government; and the American Board of Internal Medicine. Progress used to be Ipswitch - remember WS_FTP? Maybe it's time to move on from MOVEit?
- 5. Public Preview : Improve Win32 app security via app isolation
The Windows 11 Win32 App Isolation security feature is now in public preview. Microsoft writes, “Win32 app isolation is built on the foundation of AppContainers (and more).”
It applies to Win32 apps that declare the "isolatedWin32-promptForAccess" capability; such apps use a virtualized registry and file system and run at a low privilege level.
Consider what running all your desktop apps in containers would be like...
- 6. WDC-23009 Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi Firmware Update
On June 15, Western Digital began blocking devices running unpatched firmware from accessing its cloud services. Western Digital released firmware updates to address multiple vulnerabilities in mid-May. Among the issues those updates address is a critical path traversal vulnerability that affects Western Digital’s My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices.
- 7. ASUS Product Security Advisory
ASUS is urging users to update their devices with firmware that includes cumulative security updates to fix vulnerabilities in several of its router models. The new firmware addresses nine vulnerabilities, including a critical memory corruption issue and a critical out-of-bounds write issue. The latter vulnerability is nearly five years old. This recommendation should be followed whether or not you apply the updates: ASUS “strongly recommend[s] disabling services accessible from the WAN side to avoid potential unwanted intrusions.”
- 8. FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy
Under a proposed US Federal Trade Commission (FTC) consent order, genetic testing company 1health.io, will make changes to the way it handles data and pay a $75,000 penalty. According to the FTC, 1health.io “left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.”
Beware claims of "rock-solid security" without proof. If you're making those claims, you need to be able to back them up. In this case, 1health.io, formerly Vitagene, broke promises of security, limiting data sharing and storage. The changes to the privacy policy, made retroactively to previously collected data, without customer notification and consent, is a big no-no to the FTC.
- 9. Binding Operational Directive 23-02 Mitigating the Risk From Internet-Exposed Management
CISA has released BOD 23-02, Mitigating the Risk From Internet-Exposed Management Interfaces. The directive “requires agencies to take steps to reduce the attack surface created by insecure or misconfigured management interfaces across certain classes of devices.”
We have repeatedly advised to not expose management interfaces directly to the Internet. It's time to get that cleaned up. Even if not directly exposed, consider who can interact with them and look at limiting that to the bare minimum. https://www.scworld.com/news/device-security/cisa-orders-agencies-to-harden-networked-management-devices
- 10. Ransomware Attack Contributed to Hospital’s Decision to Shut Down Permanently
While not the only institution so affected, this still makes me sad. St. Margaret’s Health (SMH) will shut down multiple facilities in Spring Valley and Peru, Illinois, on Friday, June 16 due to several factors, including a ransomware attack that began in February 2021. SMH has been serving the community since 1903. The ransomware attack impacted SMH systems for four months, impeding their ability to collect payments from insurers. Other factors cited in the decision to close the facilities were COVID-19 expenses and staff shortages.
- 11. CISA, NSA Share Guidance on Hardening Baseboard Management Controllers
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidance for hardening baseboard management controllers (BMCs). The security information sheet notes that “BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides.” The document includes potential threats to BMCs and suggested actions for making them more secure. https://media.defense.gov/2023/Jun/14/2003241405/-1/-1/0/CSIHARDENBMCS.PDF
- 12. SEC delays final rule on proposed four-day breach notification for public companies until October
The US Securities And Exchange Commission’s (SEC’s) proposed four-day deadline for reporting data breaches will not take effect until at least October of this year. There is an existing requirement pending to report these breaches to CISA, which is not a public disclosure. Contrast that to the SEC proposal to report in a Form 8-K within four days of determining a breach was material, which is public, and could result in unwanted behavior, from both attackers and investors, and may be sufficient time to both quantify the breach as well as shape the messages to investors and customers. Make plans for direct notifications to these groups, not waiting for them to discover an issue in your latest 8-K filing.
- 13. Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft
A zero-day vulnerability in the MOVEit Transfer managed file transfer software is being actively exploited to steal data. The critical SQL injection flaw can be exploited to allow database access without authentication. Progress Software has released fixes for supported versions of MOVEit Transfer. They have also deployed a fix for MOVEit Cloud.
- 14. Supply Chain Risk from Gigabyte App Center Backdoor – Eclypsium
Gigabyte has released BIOS updates to mitigate a backdoor vulnerability in 270 models of their motherboards. The backdoor, detected by researchers at Eclypsium, exists in the Unified Extensible Firmware Interface (UEFI) firmware. When computers with vulnerable motherboards restart, the firmware in question "initiates an updater program that runs on the computer and in turn downloads and executes another piece of software."
- 15. Verizon’s 2023 Data Breach Investigations Report Shows Slight Decrease in Breaches
Verizon has published its 2023 Data Breach Investigations Report (DBIR). No surprise, ransomware remains a concern, albeit possibly reaching a plateau, in contrast to DDoS attacks, which are growing in frequency and impact. It also reminds us that our insider threats are probably more impactful than watching for APTs, noting that about 1 in 5 breaches involved some sort of insider, intentional or deliberate, to enable them. The good news is you can address insider threat: it is far less nebulous than some nation-state actor who may or may not care about your enterprise, and there are lots of tools to help secure the humans.
- 16. DEF CON: HACK-A-SAT 4
In August, some DEF CON hackers may have the opportunity to break into and hijack a satellite. Previous Hack-A-Sat events utilized simulations; Hack-A-Sat 4 will be “the world’s first CTF competition in space.” Moonlighter, which was manufactured by The Aerospace Corporation, in partnership with the US Space Systems Command and the Air Force Research Laboratory, is being called “the world’s first and only hacking sandbox in space.”
- 17. Malicious PyPI Package Used Compiled Python Code
Researchers from ReversingLabs have detected an attack on the Python Package Index (PyPI) that hides malware in compiled Python code to evade detection.
The trick is being cautious with compiled Python code (.pyc files). Code scanners don't currently decompile them, and they are easily incorporated into a small Python script using importlib.util - which looks completely innocuous.
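Because a source scanner sees nothing in a .pyc, the two things worth flagging are the compiled file that ships without its .py and the line of ordinary-looking source that loads it. As an added example (not from ReversingLabs, PyPI or any scanner product), here is a small package scan that does both and then lists the names an orphan .pyc references by reading it with `marshal`, without importing it. The sample package is constructed in a temp directory and its compiled module is benign.

```python
"""Added example, not from ReversingLabs or PyPI tooling: scan a package tree
for compiled modules shipped without source and for code that loads them, then
list the names an orphan .pyc references without executing it. The sample
package is constructed in a temp directory."""
import importlib.util
import marshal
import os
import py_compile
import re
import tempfile
import types

LOADER_RE = re.compile(r"spec_from_file_location|SourcelessFileLoader|\.pyc\b")

# constructed sample: a benign compiled module plus an __init__ that loads it
PAYLOAD_SRC = ("import os\nimport socket\n\n"
               "def check():\n    return os.getcwd(), socket.gethostname()\n")
INIT_SRC = ("import importlib.util, pathlib\n"
            "_spec = importlib.util.spec_from_file_location(\n"
            "    'pkg._compiled', pathlib.Path(__file__).with_name('payload.pyc'))\n")


def build_sample_package():
    root = tempfile.mkdtemp(prefix="pyc-scan-")
    pkg = os.path.join(root, "pkg")
    os.mkdir(pkg)
    src = os.path.join(root, "payload.py")            # compiled from outside the package
    with open(src, "w") as f:
        f.write(PAYLOAD_SRC)
    py_compile.compile(src, cfile=os.path.join(pkg, "payload.pyc"), doraise=True)
    os.remove(src)                                    # only the bytecode ships
    with open(os.path.join(pkg, "__init__.py"), "w") as f:
        f.write(INIT_SRC)
    return root


def pyc_names(path):
    """Names (imports, attributes, calls) a .pyc references, read via marshal
    without running it. Only the running interpreter's bytecode version can be
    decoded; anything else returns None rather than a guess."""
    with open(path, "rb") as f:
        header = f.read(16)   # magic, flags, source mtime/size or hash (3.7+ layout)
        if header[:4] != importlib.util.MAGIC_NUMBER:
            return None
        code = marshal.loads(f.read())
    names = set()

    def walk(co):
        names.update(co.co_names)
        for const in co.co_consts:
            if isinstance(const, types.CodeType):
                walk(const)
    walk(code)
    return names


def scan_package(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "__pycache__":
            continue                                   # normal interpreter cache
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".pyc"):
                if not os.path.exists(path[:-1]):      # no matching .py beside it
                    findings.append({"kind": "orphan_pyc", "path": path,
                                     "names": pyc_names(path)})
            elif name.endswith(".py"):
                with open(path) as f:
                    for lineno, line in enumerate(f, 1):
                        if LOADER_RE.search(line):
                            findings.append({"kind": "pyc_loader", "path": path,
                                             "line": lineno, "text": line.strip()})
    return findings


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

The name listing is the useful part for triage: a compiled module whose `co_names` include `socket`, `subprocess` or `base64` deserves a look even when the importing script is three innocuous lines, and it costs nothing because the bytecode is never executed.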
- 18. Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program
According to a report from the US Government Accountability Office (GAO), the Department of Energy (DoE) has failed to adopt security practices to protect the agency from insider threats.
- 19. Apple Releases multiple security updates
Apple released updates including iOS/iPadOS 16.5.1 and 15.7.7, macOS 11.7.8, 12.6.7 and 13.4.1, and watchOS 9.5.2 and 8.8.1. Three CVEs: CVE-2023-32434 (kernel flaw allowing privilege escalation), CVE-2023-32439 (WebKit flaw allowing arbitrary code execution), and CVE-2023-32435 (WebKit memory corruption flaw). Apple claims these are actively being exploited.