DCNextGen, Memory Safety And More! – PSW #819

"In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress." - Summarized very nicely. This particular vulnerability is pretty devastating: "If an attacker, despite all of these hurdles, manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation. By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place (which might seem a bit ironic, given that CVE-2024-21338 concerns an AppLocker driver)." Some have been critical of MS for this: https://cyberplace.social/@GossiTheDog/112027038989119814

Purism represents the folks who love coffee and take it so far that they grow their own plants, roast their own beans, and don't use any electronics when making a cup of Joe. This statement really struck me: "Code is Malware if You Cannot Verify The Source".

Building upon several previously documented attacks, researchers are able to comprise PLCs via the exposed web APIs. The research is great, and a lot to unpack. They've demonstrated several different types of attacks and state that the techniques can be applied to several different vendors.

Interesting interview, curious to see what is next!

Yep, that’s right. In 2024, an unsigned, random executable running a Cobalt Strike Beacon can dump LSASS using a 2019-era technique without MDE batting an eye, provided you don’t write the dump file to disk.

Doesn't appear to have a new bypasses, but makes it easy to test for a suite of 403 bypasses.

Time to update your graphics drivers, which if you are running Linux, is always a fun time!

Do your research before buying things such as doorbells: " the most impactful issue is that if someone is in close proximity to an EKEN doorbell camera, they can take “full control” of it by simply downloading its official app — called Aiwit — and putting the camera in pairing mode by simply holding down the doorbell’s button for eight seconds. Aiwit’s app has more than a million downloads on Google Play, suggesting it is widely used."

Neat to see this in action, still today. The research is from 2016, however, as is evidenced by this post, people still have devices vulnerable to mousejacking (https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices). If you do, find them and update the firmware on them or replace them with something that is not vulnerable. Why? This article shows how you can use a Flipper Zero with an NRF24 add-on and inject a ducky script. Sweet! Note: I have this NRF24 add-on for my Flipper: https://www.tindie.com/products/tehrabbitt/flipper-zero-5v-nrf24-miniboard-by-rabbit-labstm/ (There are two versions, one with an external antenna connector, and one without).

I had fun telling a story in this blog post. However, its a nice segway into rugged computing, where its used, and why Secure Boot is especially important.

It should be noted that while CISA is recommending Ivanti appliances be re-built from scratch and the ICT be run, there are caveats. Thanks to my co-worker Nate Warfield, we know that the ICT can be tricked and attackers can implant malicious scripts in appliance backups (https://eclypsium.com/research/pwned-balancers-commandeering-f5-and-citrix-for-persistent-access-c2/).

In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen.

"We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification.

VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products.

A US federal judge in California has ordered spyware maker NSO Group to share its source code with WhatsApp. The order came about because of a lawsuit filed by WhatsApp against NSO Group over the company’s spyware being used to snoop on 1,400 WhatsApp users. The order does not require NSO Group to reveal their client list or information about their server architecture.

This goes back to 2018/2019 where the NSO group created messaging accounts, setup proxy and relay servers, which sent messages to mobile devices to exploit CVE-2019-3568, a buffer overflow app in the WhatsApp, present in iOS, Android, Windows Phone and Tizen devices. NSO is also facing similar charges from Apple and the Kinght First Amendment Institute and has lost bids for their cases to be dismissed due to foreign state status, or that it is only licensed for national lawful surveillance.

The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways.

Actions: 1 Limit outbound internet connections from SSL VPN appliances to restrict access to required services. 2 Keep all operating systems and firmware up to date. 3 Limit SSL VPN connections to unprivileged accounts.

The ransomware attack targeting medical firm Change Healthcare has been one of the most disruptive in years, crippling pharmacies across the US—including those in hospitals—and leading to serious snags in the delivery of prescription drugs nationwide for 10 days and counting. Now, a dispute within the criminal underground has revealed a new development in that unfolding debacle: One of the partners of the hackers behind the attack points out that those hackers, a group known as AlphV or BlackCat, received a $22 million transaction that looks very much like a large ransom payment.

ALPHV/BlackCat affiliates are sabre rattliing about getting cheated out of their share of the Change Healthcare ransom payment, leading many to coclude that is what this transaction was. ALPHV lists 28 companies they are extorting in addition to Change Healthcare, so it's not a given they paid.

Law enforcement authorities in Germany have taken down the Crimemarket website and arrested six people in connection with the “biggest illegal, German-speaking online trading platform.” Crimemarket had an estimated 180,000 registered users. The investigation has been active for several years, and culminated in the February 29, execution of more than 100 search warrants. German police also seized evidence, including technological devices, narcotics, and cash.

German law enforcement is not just investigating the operators, they are also including traders and users. They have been monitoring the platform over an extended period, allowing the platform to operate after they had compromised it to support collecting incriminating information including identification, login credentials and other information.

Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. CVE=2024-25063 and CVE-2024-25064 have CVSS scores of 7.5 and 4.3 respectively. While no evidence yet shows these are being exploited in the field, the fix is to update to the latest version of the software. Be sure to go to the Hikvision system relevant for your country/region, also review their security best practices to optomize your installation.

Researchers from Lookout have detected a phishing kit they call CryptoChameleon that is being used to target US Federal Communications Commission (FCC) employees as well as users and employees of cryptocurrency platforms. The campaign uses cloned single sign-on pages to trick targeted users into sharing their account access credentials on mobile devices. This campaign captured usernames, passwords, password reset URLs and even photo IDs.

The government of Fulton County, George, has not fully recovered from a late-January cyberattack against their IT systems. The incident took down the office phone system and prevented clerks from issuing vehicle registrations, marriage licenses, and other permits. The attackers have also threated to leak sensitive data they claim to have taken from Fulton County systems.

Fulton County was a LockBit victim and was one of the sites targeted after the LockBit takedown/re-emergence saying the attackers still had their data and demanded payment, Interestingly, even though the deadline passed without payment, no data was released. Meanwhile, the county is using paper forms to process jail detainees, residents cannot pay utility bills or access property records online, and clerks are unable to issue marriage licenses or firearm permits.

North Korean hackers breached at least two South Korean microchip equipment companies in recent months, stealing product design drawings and facility site photos, according to South Korea’s spy agency. NIS says the attacks targeted Internet-exposed servers through known vulnerabilities to gain initial access to corporate networks. NIS says the cyber espionage groups used “living-off-the-land” techniques to hide from tools that might have detected their presence in the networks.

Have you had a strategy discussion on detecting, and thwarting, a living-of-the-land attack?

Researchers from JFrog have detected more than 100 malicious artificial intelligence/ machine learning (AI/ML) models in the Hugging Face platform. When downloaded and, the malicious code installs backdoors and other malware on end-user devices. Most of what JFrog detected seem to be proof-of-concepts; just 10 were discovered to actually be malicious.

The challenge is detecting the malicious capabilities of these AI/ML models. While it appears they were caught flat footed, Hugging Face has since added process to do malware, pickle and secrets scanning for every file in every reposittory for malicious code, unsafe deserialization or sensitive information and alert moderators/users. Additionally Hugging Face developed a new model for securely storing model data called "safetensors."

The US Cybersecurity and Infrastructure Security Agency (CISA) , the FBI, and the Multi -State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory warning that Phobos ransomware is being used to attack networks at government and critical infrastructure organizations. The document includes a list of tactics, techniques, and procedures (TTPs) used by the ransomware actors, as well as indicators of compromise (IOCs) Phobos operates on a ransomware-as-a-service (RaaS) model. The advisory recommends securing RDP ports, prioritizing the remediation of known exploited vulnerabilities, and implementing EDR solutions.

Make sure you're keeping an eye on all remote-access/RDP solutions in play, not just MS RDP and VNC.

We utilize a single optical fiber to mimic the computational power of numerous neural networks. Data are encoded onto the color channels of ultrashort light pulses. These pulses carry the information through the fiber, undergoing various combinations, amplifications, or attenuations.

We see no realistic path for an evolution of C++ into a language with rigorous memory safety guarantees that include temporal safety. At the same time, a large-scale rewrite of existing C++ code into a different, memory-safe language appears very difficult and will likely remain impractical. This means that we will likely be operating a very substantial C++ codebase for quite some time. We thus consider it important to complement a transition to memory safe languages for new code and particularly at-risk components with safety improvements for existing C++ code. Memory safety bugs are responsible for the majority (~70%) of severe vulnerabilities in large C/C++ code bases. Android 13 introduced 1.5M lines of Rust with zero memory safety vulnerabilities. This prevented an estimated hundreds of memory safety vulnerabilities.

Phishing emails attach unique (per victim) ZIP archives containing HTML files that use META refresh HTML tags to trigger an automatic connection to a text file on an external Server Message Block (SMB) server..

The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million. The affiliate says that they still have 4TB of Optum's “critical data,” describing it as “production data that will affect all Change Healthcare and Optum clients.”

Attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. Furthermore, they can also evade detection by Ivanti's internal and external Integrity Checker Tool (ICT). CISA urged all Ivanti customers today to "consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment"

“Firewall for AI” includes two capabilities: Advanced Rate Limiting, and Sensitive Data Detection. In coming months, Cloudflare plans to test a prompt validation feature to prevent prompt injection attacks.