Fried Squid, Flipper Zero BLM Spam, Apple Devices, Signal Vulns? & Android TV Devices – PSW #803
In the Security News: Fried squid is tasty, but the squid proxy is vulnerable, Flipper Zero and other tools can now BLE spam more than just Apple devices, Cisco IOS vulnerability in the web interface, again, is Signal vulnerable?, WinRAR being exploited, still, Math.Random is not really all that random, get your malware samples, and my inside look into Android TV devices, malware, and the horrors of the supply chain! All that and more on this episode of Paul’s Security Weekly!
Announcements
Security Weekly Listeners: We are celebrating the milestone of reaching over 1,000 members of our CISO community. The Cybersecurity Collaboration Forum is a one-stop shop for executive collaboration comprised of CISOs across various industries. If you want to be part of this growing community of CISOs, join us as a member or technology partner. To learn more, visit: securityweekly.com/cybersecuritycollaboration
- 1. Twitter glitch allows CIA informant channel to be hijacked
- 2. Reusing PIXMOB Waveband Without Flipper Zero
- 3. Spam iOS, Android and Windows with Bluetooth pairing messages using Flipper Zero or Android smartphone – Mobile Hacker
- 4. Looking for CVE-2023-43261 in the Real World – Blog – VulnCheck
- 5. IoT Bug Hunting – Part 2 – Walkthrough of discovering command injections in firmware binaries
- 6. Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure
The dangers of open source software: "The Squid Team have been helpful and supportive during the process of reporting these issues. However, they are effectively understaffed, and simply do not have the resources to fix the discovered issues. Hammering them with demands to fix the issues won’t get far. If you’re using Squid, feel free to submit patches for any of the unfixed issues to the team: I sent a few in the past where I could." - They just don't have the resources to fix them all. 55 vulnerabilities in total. Some allow for remote code execution. Squid is a popular caching proxy; I used to use it back in the day when the Internet was a T1 (or multiple), and caching content helped preserve bandwidth. It's still used today to cache content. And now it's vulnerable.
Original research is here: https://joshua.hu/squid-security-audit-35-0days-45-exploits
- 7. Russian Hackers Bypass EDR to Deliver a Weaponized TeamViewer Component
So just use legitimate tools to bypass EDR, neat: "Since OpenSSH is a legitimate white file, it's relatively easy to bypass EDR endpoint detections. In the end, the attackers used sftp-server.exe to deliver the TeamViewer hijacking component to the victim's machine. After analyzing the sample obfuscated with Themida, we discovered it was the MINEBRIDGE RAT. Furthermore, we found the use of AnyDesk and an attempt to propagate laterally using PsExec."
- 8. A flaw in Synology DiskStation Manager allows admin account takeover
In a real-life scenario, threat actors first need to leak the GUIDs, conduct a brute-force attack on the Math.Random state, and retrieve the admin password. The researchers noticed that even after doing so, by default the built-in admin user account is disabled and most users won’t enable it.
Also: “it’s important to remember that Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security."
- 9. Reverse Engineering UEFI with Ghidra
- 10. GitHub – vxunderground/MalwareSourceCode: Collection of malware source code for a variety of platforms in an array of different programming languages.
Someone asked where to find a particular malware sample; this is a good place to check first (there is also a link to the VX website that has more samples).
- 11. Android TV Devices: Pre-0wned Supply Chain Security Threats
I have so much to follow up on from this post, including:
- Does this research also apply to TVs that include Android or other smart TV operating systems?
- Can you look into Roku devices?
- How do you safely capture and/or manipulate network traffic from these devices?
- Where does the malware come from in the first place?
- What harm does this malware do?
- I still can't figure out where the malware stage 0 loader lives (neither could the other researchers looking at this before me)
- 1. New Critical Zero-Day Vulnerability Affects Web UI of Cisco IOS XE Software & Allows Attackers to Compromise Routers
- Critical Zero-Day Vulnerability Discovered: Cisco Talos has identified a new severe zero-day vulnerability in the Web User Interface feature of Cisco IOS XE software. This flaw grants attackers full access to compromised routers, which can then be utilized for additional malicious endeavors.
- Extent of Exposure: ONYPHE's Patrice Auffret indicates that over 74,000 devices have exposed their web UI on the internet. The vulnerability has received a maximum CVSS score of 10 and is actively being exploited.
- Suspicious Activity Detected: Cisco Talos detected unusual activity from suspicious IP addresses in Bulgaria, with unauthorized users creating local user accounts, including one named “ciscotacadmin”. By October, these unauthorized activities expanded, with fraudulent actions including deployment of an implant for arbitrary command execution.
- Details on the Implant: The attackers employed an implant saved under /usr/binos/conf/nginx-conf/cisco_service.conf. This implant, comprised of 29 lines of Lua code, facilitates arbitrary command execution via HTTP POST requests. It can extract details, verify hardcoded strings, and execute commands either at the system level or at the IOS privilege level 15.
- Mitigation Strategies: Cisco suggests disabling the HTTP server feature on all internet-exposed systems, making the Web UI inaccessible. Administrators should apply access lists to the HTTP server feature, ensure that the current configuration settings are saved, and check the presence of the implant. Keeping all systems updated and patched, along with carefully monitoring local user accounts and logs, is paramount.
- 2. Malware crooks find an in with fake browser updates, in case real ones weren’t bad enough
An uptick in cybercriminals masking malicious downloads as fake browser updates is being spotted by security researchers.
Mimicking the success of the tactics adopted by the years-old SocGholish malware, researchers at Proofpoint have drawn attention to cybercriminals increasingly emulating the fake browser update lure.
Researchers have tracked SocGholish for more than five years. In the past five months, three more major campaigns have emerged. All use similar lures but deliver unique payloads.
The fear is that despite only dropping malware now, the proliferation of these campaigns could be a boon to initial access brokers, offering an effective route to infect end users with ransomware.
- 3. Lack of Patching Lets Russian, Chinese Hackers Exploit WinRAR Flaw
A known vulnerability in the file-archiving tool WinRAR continues to proliferate because not enough users are installing the patch, according to Google.
The company today warned that “multiple government-backed hacking groups” have been exploiting the flaw, dubbed CVE-2023-3883, to deliver malware. "The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” Google wrote in a blog post.
WinRAR actually patched the flaw on Aug. 2 with version 6.23, after hackers had been abusing it since April. The only problem is that WinRAR lacks an auto-update feature, meaning users have to manually download and install updates from WinRAR’s website to stay protected.
“A patch is now available, but many users still seem to be vulnerable,” Google says.
The company has observed state-sponsored hackers taking advantage of the flaw in recent weeks, including “Sandworm,” a Russian-state sponsored group suspected of having ties to the country’s military. Last month, Google uncovered a phishing email that looked like it came from a Ukrainian drone warfare training school targeting Ukrainian users.
- 4. Rumored zero-day exploit dismissed by Signal
SecurityWeek reports that encrypted instant messaging platform Signal has shut down reports regarding a zero-day vulnerability impacting its chat app that became viral over the weekend, saying that further investigation has revealed no evidence to support the legitimacy of the rumored flaw.
Such reports of a zero-day in Signal stemmed from a copy-pasted alert purported to be from the U.S. government that warned potential device takeovers from the exploitation of the messaging app's "generate link preview" functionality.
However, Signal noted on X, formerly Twitter, that it was not able to substantiate claims that the warning came from the federal government. Prior to the rumors, several experts had already warned about the risk of the generate link preview function, which could be leveraged to facilitate IP address and link exposures, as well as unwanted data downloads in the background, with the feature already associated with critical flaws in the WhatsApp messaging app.
- 5. Pro-Iranian Hacktivists Set Sights on Israeli Industrial Control Systems
The hacktivist group SiegedSec has claimed responsibility for a series of attacks against Israeli infrastructure and industrial control systems (ICS), but there is no indication that the listed IP addresses have experienced any attacks.
The hacking group put together a list of what it claims are its Israeli ICS targets, which was recently uncovered by SecurityScorecard's Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team. An image of the list — found via analysis of various dark Web groups — shows a series of IP addresses with the claim "we have unleashed mass attacks on Israeli infrastructure."
- 6. TetrisPhantom: Cyber Espionage via Secure USBs Targets APAC Governments
Government entities in the Asia-Pacific (APAC) region are the target of a long-running cyber espionage campaign dubbed TetrisPhantom.
"The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems," Kaspersky said in its APT trends report for Q3 2023.
The Russian cybersecurity firm, which detected the ongoing activity in early 2023, said the USB drives offer hardware encryption and are employed by government organizations worldwide to securely store and transfer data, raising the possibility that the attacks could expand in the future to have a global footprint.
- 1. US Plans to Push Other Countries Not to Pay Hacker Ransoms
The US is pushing a group of governments to publicly commit to not make ransom payments to hackers ahead of an annual meeting of more than 45 nations in Washington later this month.
Anne Neuberger, deputy national security adviser, told Bloomberg News that she is “incredibly hopeful” about enlisting support for such a statement but acknowledged it’s a “hard policy decision.”
Charles Carmakal, chief technology officer at Mandiant Consulting, is among those who argue that an outright ban is still far from feasible.
“There’s so much more that needs to be done before you could outlaw extortion payments,” he told Bloomberg in September. “Law enforcement has to get more aggressive with threat actors and impose pain onto them.”
- 2. AI models can analyze thousands of words at a time. A Google researcher has found a way to increase that by millions.
Right now, ChatGPT can ingest a few thousand words at most. Bigger AI models can handle more, but only up to about 75,000. This Ring Attention method means that we should be able to put millions of words into the context windows of AI models, not just tens of thousands.
Liu goes further, saying that, in theory, many books and even videos can be dropped in one go into context windows in the future, and AI models will analyze them and produce coherent responses.
- 3. Uh-oh! Fine-tuning LLMs compromises their safety, study finds
As the rapid evolution of large language models (LLM) continues, businesses are increasingly interested in “fine-tuning” these models for bespoke applications — including to reduce bias and unwanted responses, such as those sharing harmful information. The researchers discovered that fine-tuning LLMs can inadvertently weaken the safety measures designed to prevent the models from generating harmful content, potentially undermining the very goals of fine-tuning the models in the first place.
- 4. “Low-Resource” Text Classification: A Parameter-Free Classification Method with Compressors
Deep neural networks (DNNs) are often used for text classification due to their high accuracy. In this paper, we propose a non-parametric alternative to DNNs that’s easy, lightweight, and universal in text classification: a combination of a simple compressor like gzip with a k-nearest-neighbor classifier. Without any training parameters, our method achieves results that are competitive with non-pretrained deep learning methods on six in-distribution datasets. It even outperforms BERT.
- 5. Using Goatse to Stop App Theft
"Game aggregator" sites hosted my app inside of an iFrame so that they can steal ad revenue. I couldn't abide seeing my code monetized in this way.
The mature and responsible thing to do would have been to add a content security policy to the page. I am not mature so instead what I decided to do was render the early 2000s internet shock image Goatse with a nice message superimposed over it in place of the app if Sqword detects that it is in an iFrame.