Shim Shady and Algorithm Lovers – PSW #816
In the Security News: Shim Shady, Up Shims Creek, whatever you want to call it, there’s a vulnerability affecting pretty much all Linux distributions (and other operating systems as well); when your toothbrush attacks the Internet, or so some claim; glibc has some vulnerabilities, not all got a CVE, and one is for the algorithm lovers; Google shows some love for Rust; beating Bitlocker in 43 seconds; DEF CON was canceled, then uncanceled, and I’m not even joking this time; and the Government is here to "unhack" your router.
Announcements
Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!
Hosts
- 1. No, 3 million electric toothbrushes were not used in a DDoS attack
- 2. Ivanti’s Pulse Connect Secure Auth Bypass Round Two
- 3. Beating Bitlocker In 43 Seconds
Though I believe more modern implementations use the TPM on the CPU to do Bitlocker, making this attack MUCH more difficult.
- 4. Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages
- 5. The Real Shim Shady – How CVE-2023-40547 Impacts Most Linux Systems – Eclypsium
Well, this has been a fun journey! I didn't discover this vulnerability nor did the team at Eclypsium. However, there are some pretty major impacts and lots of interesting details to discuss:
- How I came across this vulnerability is a funny story (ADD, oh look, squirrel!)
- You can MiTM to attack a target using HTTP boot
- You can leverage this vulnerability locally to bypass Secure Boot
- You can leverage PXE boot to attack targets (if the attacker is on the same network as PXE)
- Secure Boot DBX has to be updated to include all vulnerable versions of shim
- All Linux distributions using shim have to update the package
- 6. Chinese malware removed from SOHO routers after FBI issues covert commands
"Hi, we're here from the Government to remove the malware from your router"
- 7. There Are Too Many Damn Honeypots – Blog – VulnCheck
- 8. Leaky Vessels: Docker and runc Container Breakout Vulnerabilities – January 2024
This is cool, however, this still works on so many systems: docker run -v /:/mnt --rm -it alpine chroot /mnt sh
- 9. Hacking a Smart Home Device
- 10. Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
The Ivanti thing is a dumpster fire. The SSRF vulnerability stems from a supply chain issue in a piece of software that was patched in June 2023. They mitigated one of the RCEs by just filtering out the requests. Turns out you can use the SSRF to reach the RCE (because they didn't fix the RCE, they just filtered it out from the front end, but the SSRF allows you to reach it on the backend). Oh, and the forensics tool they provide requires a reboot of the appliance to take a snapshot. There is no shell. You need a support contract to get the firmware and the tools.
- 11. Missing signs: how several brands forgot to secure a key piece of Android
- 12. Diving into Exploit Prediction Scoring System (EPSS) for Effective Vulnerability Management
I thought we fumbled through EPSS last week, here's some better information:
- "the EPSS score representing the probability of exploitation in the wild during the next 30 days in the range from 0 to 1"
- "For example, a CVE with EPSS of 0.96 has 96% chance to be exploited in the following 30 days."
- How is it calculated? AI of course! "Behind the scoring system lies a machine learning algorithm that is trained on a dataset of all the exploitations observed during the past day. Additional to that is a dataset of vulnerability details such as the vendor, age, MITRE CVE list, CVSS, Common Weakness Enumeration (CWE), and more. The model learns the connection between the vulnerabilities and the exploitation attempts observed, then generates a prediction based on these findings."
- EPSS and CVSS don't always agree - but you shouldn't rely on either of them (to a certain extent)
- 13. Zero-day exploit in Windows Event Log allows hackers to remain hidden
- 14. Mastodon Exploit Allows for Remote Impersonation and Takeover
- 15. CVE-2023-6246: Heap-based buffer overflow in the glibc’s syslog()
Interesting notes:
- "in December 1997 Solar Designer published information about a very similar vulnerability in the vsyslog() of the old Linux libc (https://insecure.org/sploits/linux.libc.5.4.38.vsyslog.html)"
- PoC one-liner: "(exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)"
- 16. For the algorithm lovers: Nontransitive comparison functions lead to out-of-bounds read & write in glibc’s qsort()
This is some nerdy computer science stuff, but here are the highlights:
- " To be vulnerable, a program must call qsort() with a nontransitive comparison function"
- "All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected"
- There is no CVE for this: "As a result, we are of the opinion that the resulting CVE, if any, should be assigned to any such calling applications and subsequently fixed by passing a valid comparison function to qsort and not to glibc."
- How did they stumble on this? "While browsing through Postfix's HISTORY file, we stumbled across a puzzling entry from February 2002"
- You want transitive comparisons, not non-transitive comparisons (https://flak.tedunangst.com/post/subtraction-is-not-comparison)
- Threat landscape: "We have not tried to find a vulnerable program (i.e., a program that uses a nontransitive comparison function to qsort() attacker-controlled elements); however, vulnerable programs are certain to exist in the real world: - calls to qsort() are extremely common; - nontransitive comparison functions are also common;"
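To make the "nontransitive comparison function" point concrete, here is an added example (not code from the Qualys advisory or from glibc) in C. It contrasts the classic `a - b` comparator, which wraps around for operands of opposite sign and large magnitude, with a three-way comparator that cannot overflow, and it brute-force checks the antisymmetry and transitivity properties qsort() relies on. The function names, the sample array and the checker are all constructed for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* The classic broken comparator: "a - b". For operands of opposite sign and
 * large magnitude the subtraction overflows. Signed overflow is undefined in
 * C, so the wrap-around is made explicit through unsigned arithmetic here;
 * that is what such code ends up doing on two's-complement machines. */
int cmp_subtract(const void *pa, const void *pb) {
    int a = *(const int *)pa, b = *(const int *)pb;
    return (int)((unsigned)a - (unsigned)b);
}

/* A valid comparator: returns -1, 0 or 1 and can never overflow. */
int cmp_three_way(const void *pa, const void *pb) {
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Brute-force check of the two properties qsort() relies on:
 *   antisymmetry: sign(cmp(x,y)) == -sign(cmp(y,x))
 *   transitivity: x<y and y<z implies x<z (and likewise for equality)
 * Returns 1 if every triple drawn from arr[] satisfies them, 0 otherwise. */
int check_comparator(cmp_fn cmp, const int *arr, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            if (sign(cmp(&arr[i], &arr[j])) != -sign(cmp(&arr[j], &arr[i])))
                return 0;
            for (size_t k = 0; k < n; k++) {
                int xy = sign(cmp(&arr[i], &arr[j]));
                int yz = sign(cmp(&arr[j], &arr[k]));
                int xz = sign(cmp(&arr[i], &arr[k]));
                if (xy < 0 && yz < 0 && xz >= 0) return 0;
                if (xy == 0 && yz == 0 && xz != 0) return 0;
            }
        }
    return 1;
}

/* Sort a copy of arr[] with the given comparator and report whether the
 * result is non-decreasing. Only hand qsort() a comparator that passed
 * check_comparator(); that is the whole point of the advisory. */
int qsort_is_monotonic(cmp_fn cmp, const int *arr, size_t n) {
    int *copy = malloc(n * sizeof *copy);
    if (!copy) return -1;
    memcpy(copy, arr, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp);
    int ok = 1;
    for (size_t i = 1; i < n; i++)
        if (copy[i - 1] > copy[i]) ok = 0;
    free(copy);
    return ok;
}

/* Constructed sample: the extremes of int plus a few ordinary values. */
static const int sample[] = { INT_MIN, -5, 0, 7, INT_MAX };
enum { SAMPLE_LEN = sizeof sample / sizeof sample[0] };

int main(void) {
    printf("subtraction comparator consistent: %d\n",
           check_comparator(cmp_subtract, sample, SAMPLE_LEN));
    printf("three-way comparator consistent:   %d\n",
           check_comparator(cmp_three_way, sample, SAMPLE_LEN));
    printf("qsort with three-way comparator sorted: %d\n",
           qsort_is_monotonic(cmp_three_way, sample, SAMPLE_LEN));
    return 0;
}
```

With this sample the subtraction comparator claims INT_MIN > INT_MAX (the difference wraps to +1) while also claiming INT_MIN < 0 and 0 < INT_MAX, so the checker rejects it; the three-way comparator passes and sorts correctly. The checker is O(n^3) and meant for unit tests of a comparator, not for production data.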
- 17. Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog()
So many interesting things to explore here: there are two vulnerabilities, but only one CVE. Glibc won't issue a CVE for the qsort() vulnerability. Why? Well, you have to call the function in a vulnerable way, which, according to them, means CVEs get issued for the vulnerable calling software, not glibc. Except glibc patched the qsort function.
- 1. How Doom didn’t kill the Amiga
- 2. David Kahn, historian who cracked the code of cryptology, dies at 93
- 3. Data in apps used for aircraft safety remotely tampered with
- 4. Inside the Underground Site Where ‘Neural Networks’ Churn Out Fake IDs
- 5. Beating Bitlocker In 43 Seconds
- 6. Hacking a Smart Home Device
- 7. Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages
- 8. Surprising 3 Million Hacked Toothbrushes Story Goes Viral—Is It True?
- 9. How to tell if your toothbrush is being used in a DDoS attack
- 1. This devious new trojan is exposing a flaw in Windows SmartScreen to drain victims bank accounts
A new trojan called "Mispadu" is exploiting a flaw tracked as CVE-2023-36025 in Windows SmartScreen to steal banking information. The trojan was discovered by Palo Alto Networks' cybersecurity research arm Unit 42. Mispadu is an infostealer built on Delphi that works by creating a malicious URL file that bypasses SmartScreen's warnings. Stolen information is sent to the attackers via Telegram or their command-and-control server. Microsoft patched the flaw in November 2023.
- 2. AnyDesk Forces Passwords Resets After Data Leak
AnyDesk forced a password reset for all users of its remote access solution after learning that user credentials were leaked. In a public statement, AnyDesk writes, “We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”
AnyDesk is a popular target for threat actors as it provides remote control, VPN and file transfer capabilities, often leveraged in the fake Microsoft Support scam which offers to "clean" malware or other bugs off your system, even if you're on macOS.
- 3. Thanksgiving 2023 security incident
On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on its self-hosted Atlassian server. The post is based on information from CrowdStrike’s Forensic team, which Cloudflare brought in to investigate the incident. A threat actor, believed to be state-sponsored, used credentials stolen in the October Okta breach to access Cloudflare’s Atlassian Confluence internal wiki and its Atlassian Jira bug database.
This is a good writeup of the issue's analysis and remediation.
- 4. Improving Interoperability Between Rust and C++
Google has given the Rust Foundation a $1 million grant “to support efforts that will improve the ability of Rust code to interoperate with existing legacy C++ codebases.” Google Vice President of Engineering, Android Security & Privacy Dave Kleidermacher noted that “Based on historical vulnerability density statistics, Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem. This investment aims to expand the adoption of Rust across various components of the platform.”
A slick move on Google's part. Question is: will Rust help move the bar on memory safe coding outside the Android space?
- 5. Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure
The sanctions mean that all property and interests in property of these Iranian officials that are in the U.S., or in the control of U.S. persons, are blocked and must be reported to the Office of Foreign Assets Control (OFAC). Additionally, any entities with over 50 percent ownership by these officials are also blocked. In essence, all transactions within the U.S. with these assets or entities are prohibited. While this may make things difficult for the Iranian officials, the impact on the threat actors isn't clear; as such, you still need to take steps to protect your critical infrastructure.
- 6. Ex-CIA officer and WikiLeaks source sentenced to 40 years for largest breach in agency history
Joshua Adam Schulte has been sentenced to 40 years in prison for espionage, computer hacking, contempt of court, making false statements to the FBI, and child pornography. Schulte leaked classified CIA information to WikiLeaks in 2016. Schulte was employed as a software developer at the CIA’s Center for Cyber Intelligence.
There really are consequences for unauthorized disclosure of classified information; it's nice to have a current example to reinforce this point. Schulte was able to enable his actions by obtaining admin privileges, as well as granting himself added access.
- 7. INTERPOL-led operation targets growing cyber threats
A global Interpol operation last fall “was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.” The operation involved law enforcement agencies from more than 50 countries. More than 1,300 suspicious IP addresses were identified; more than 70 percent of those have been taken down. 31 people have been arrested and 70 additional suspects have been identified.
The operation ran from September through November, which is pretty quick for a takedown this broad and shows what can be done with broad cooperation. The international cooperation included 60 law enforcement agencies as well as Interpol's Gateway private-sector partners such as Kaspersky, TrendMicro, Shadowserver, Team Cymru and Singapore-based Group-IB. The 30% of servers that weren't taken offline are still under active investigation for their involvement in cybercrime operations. The dismantled infrastructure was used for phishing, banking malware and ransomware attacks.
- 1. Raspberry Pi Pico cracks BitLocker in under a minute
A Raspberry Pi Pico can be used to gain access to a BitLocker-secured device in under a minute, provided you have physical access to the device. It simply sniffs the key from a data bus connected to the TPM. But the researcher isn't using a preboot authentication PIN, so it's not too surprising that you can get access to the decrypted drive. This attack is not a major weakness, just a way to make a known vulnerability somewhat easier to perform.
- 2. BitLocker overview
Microsoft's description of BitLocker to help contextualize the previous article. The "BitLocker countermeasures" link at the bottom is also useful, explaining preboot authentication, and how it prevents the attack described in the previous article.
- 3. HP CEO evokes James Bond-style hack via ink cartridges
HP addressed the company's controversial practice of bricking printers when users load them with third-party ink. "We have seen that you can embed viruses in the cartridges" -- a laughable example of FUD.
- 4. Pluralistic: How I got scammed (05 Feb 2024)
Cory Doctorow got scammed by a phone-phisher pretending to be from his bank. The essential weakness that allowed this was hitting him at a vulnerable moment: in a hurry, distracted, at an airport. This is an important social engineering method: create a sense of urgency so normal security measures are overlooked.
- 5. Super skimmers: The new way criminals are hacking your account, even if you don’t swipe your card
Shimming is much different than traditional skimming, which relies on a bulky overlay device. The device is installed inside the ATM. Most businesses aren’t even aware they’ve been hit until it’s too late, he said. Tapping your card instead of inserting it is an effective countermeasure.
- 6. We know nations are going after critical systems, but what happens when crims join in?
Chinese government-backed cyberspies have been homing in on other US energy, satellite and telecommunications systems. But now general ICS attack tools analogous to Cobalt Strike are becoming available, imitating the Pipedream malware. This will make critical infrastructure attacks possible for ordinary criminals, not just state-sponsored attackers.
- 7. DEF CON 32 Was Canceled. We Un-Canceled it.
Caesars abruptly terminated their contract with DEF CON. So it will be held at the Las Vegas Convention Center (LVCC) with workshops and training at the Sahara.
- 8. The best employees are the most likely to leave over return-to-office mandates, new survey says
If you force workers to come back to the office, be ready to possibly lose your highest-performing employees. The reason these employees were less likely to stay, the study said, was because they feel a strict policy translates to distrust to do their job. The study also points out that these employees also may have an easier time finding another job — one that gives them the flexibility to work from home.
- 9. ‘The situation has become appalling’: fake scientific papers push research credibility to crisis point
Last year, 10,000 sham papers had to be retracted by academic journals, but experts think this is just the tip of the iceberg. Paper mills supply fabricated papers to journals, a practice that originated in China and has since spread to India, Iran, Russia, former Soviet Union states and eastern Europe.
- 10. Three million malware-infected smart toothbrushes used in Swiss DDoS attacks — botnet causes millions of euros in damages
Apparently this story is not true. See my article #13.
This sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company’s website. The toothbrush botnet was thought to have been vulnerable due to its Java-based OS.
- 11. Buying Spying: How the commercial surveillance industry works and what can be done about it
The latest report from Threat Analysis Group documents the rise of commercial surveillance vendors and the industry that threatens free speech, the free press and the open internet. The proliferation of spyware by Commercial Surveillance Vendors (CSVs) causes real world harm. These tools are used in the private sector, not only by governments.
- 12. The three million toothbrush botnet story isn’t true.
A Mastodon thread from Kevin Beaumont.