Exploits Make You More Secure – PSW #830
An exploit that makes you more secure, pardon the interruption, water heater company in hot water, IoT devices are vulnerable, Squeegee and RDP scraping, free laundry for everyone!, Wifi routers and Apple Air tags, North Koreans fill US IT positions, taking out drones, the NVD backlog, IBM is no longer a security company?, and DNSBombs!
Announcements
Get ready for an electrifying experience at the 15th annual Identiverse! Join 3,000+ identity professionals at the ARIA Resort & Casino in Vegas on May 28-31, 2024, for 4 days packed with dynamic learning & collaboration. Don't miss out on keynote speakers including Denee Defiore, CSIO of United Airlines; Tucker Bryant, Entrepreneur and Former Googler; George Roberts, Director of Identity and Access Engineering at McDonald's and many more!
As a community member, receive 25% off your Identiverse 2024 tickets using code IDV24-SW25!
Register today: securityweekly.com/idv2024
Hosts
- 1. GitHub – aliask/dinkleberry: Patch your D-Link device affected by CVE-2024-3272
This is one of my favorite things I've found on the Internet in quite some time. I just love everything about this:
- It uses an exploit to patch a vulnerability that has no patch from the vendor
- The name is amazing
- The description and disclaimer is on point and funny
- References to code that is so insecure it needs to be re-written
- I have not dug in to see if both vulnerabilities are remediated, or just the system() call (also has hardcoded creds)
- 2. Pardon the Interruption… A Brief History of Interrupts
This is a great nerdy read!
- 3. How I upgraded my water heater and discovered how bad smart home security can be
Great read, and I wish I had smart controls for my own water heater at home (but also kind of glad that I don't, given the vulnerabilities that were present). Also, I believe it's code where I live that a hardware-based temp regulator be installed that prevents water hotter than 120 F from coming out; at least that's how my system is set up.
- 4. Millions of IoT Devices Vulnerable After Researchers Uncover Flaws in ThroughTek Kalay Platform
This is a supply chain security nightmare example.
- 5. Introducing Squeegee: The Microsoft Windows RDP Scraping Utility – Black Hills Information Security
This is a great technique (and I see many tools and techniques each week, this one is a home run): "Bloodhound session data isn’t as reliable as it used to be, and, in modern Windows environments, session enumeration tends to get caught. What about cataloging users with active RDP sessions? Squeegee can help in both of these situations. The first step is to collect RDP screen captures using a tool like NCC Group’s scrying. Once you have the RDP screen captures, you can process the entire group of results using Squeegee by just pointing the tool at the correct folder."
- 6. QNAP QTS – QNAPping At The Wheel (CVE-2024-27130 and friends)
- 7. Ripple Issues Urgent Warning on Quantum Computing’s Threat to Blockchain Security and Encryption
- 8. Two students uncovered a flaw that allows to use laundry machines for free
Free laundry for all: "CSC quietly wiped out the researchers’ account balance of several million dollars after they reported their findings, but the researchers said the bug remains unfixed and it’s still possible for users to “freely” give themselves any amount of money." - The researchers added $1 million to their account, and the company's response was to just wipe out their funds. That's not all: you don't need funds in your account to activate the washer (or dryer, for that matter) because the API has vulnerabilities, which are not fixed despite going through US CERT.
- 9. You Can Now Jailbreak A PS4 With An LG TV
Creative: "Once installed, you just need to hook up your PS4 to the TV via the Ethernet port. Then, with the exploit running on the TV, telling the PS4 to set up the LAN via PPPoE will be enough to complete the jailbreak."
- 10. Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI
- 11. Offensive IoT for Red Team Implants (Part 2) – Black Hills Information Security
- 12. Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
- 13. Ebury is alive but unseen
- 1. Multiple vulnerabilities in RIOT OS – hn security
- 2. Are you being tracked? What new privacy features from Apple and Google can (and can’t) tell you
- 3. New Windows 11 features strengthen security to address evolving cyberthreat landscape
- 4. Why Your Wi-Fi Router Doubles as an Apple AirTag – Krebs on Security
- 5. How I upgraded my water heater and discovered how bad smart home security can be
- 6. Severe Vulnerabilities in Cinterion Cellular Modems Pose Risks to Various Industries
- 1. 2.4 Million Impacted by WebTPA Data Breach
Texas-based WebTPA Employer Services says that a cybersecurity incident has compromised personal information of more than 2.4 million individuals. WebTPA is a third-party administrator for health insurance and benefits plans. WebTPA discovered the incident in late December. The compromised data include contact information, dates of birth, insurance information and Social Security numbers.
The investigation showed the data was exfiltrated in April 2023, but the attack was not discovered until December, and customer notifications only started this April. While healthcare breaches continue to be a challenge, indications are that there will be numerous lawsuits designed to force the industry to raise the bar on protecting healthcare data. Don’t wait for a lawsuit to make sure your house is in order: leverage your ISAC or CISA resources to make sure that you’re on top of things, and don’t wait for the demand to report to the board or comment to the media on your incident.
- 2. 2 D-Link router bugs added to CISA’s exploited vulnerabilities catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a pair of vulnerabilities affecting end-of-life D-Link routers to their Known Exploited Vulnerabilities (KEV) catalog. One of the flaws (CVE-2014-100005) is a cross-site request forgery issue affecting D-Link DIR-600 routers; the other (CVE-2021-40655) is an information disclosure issue affecting D-Link DIR-605 routers. The vulnerabilities have been exploited in the wild. CISA advises that the vulnerable equipment be retired or replaced.
The KEV lists a remediation date of 6/10/24, by which agencies are expected to either discontinue use of or secure the affected products. In this case these are EOL devices, so the right move is to replace them. Even if you’re not bound by the KEV, you still need to replace these if you have any.
Alternately consider Paul's Dinkleberry story above.
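One way to operationalize the KEV advice above is to join the catalog against your own inventory and decide, per asset, whether the answer is "patch" or "replace" and how many days remain before the due date. This is an added example, not code from CISA or the show; the KEV records use the public catalog's field names (cveID, vendorProject, product, dueDate) but are constructed here, as is the inventory, and the product strings are assumptions rather than the catalog's exact text.

```python
"""Join an asset inventory with KEV entries and decide patch vs replace.

Added example. KEV_ENTRIES mirrors the public KEV JSON field names but the
records, product strings and the inventory are constructed for this demo.
"""
from datetime import date

# Constructed KEV records for the two D-Link CVEs named in the story.
KEV_ENTRIES = [
    {"cveID": "CVE-2014-100005", "vendorProject": "D-Link",
     "product": "DIR-600", "dueDate": "2024-06-10"},
    {"cveID": "CVE-2021-40655", "vendorProject": "D-Link",
     "product": "DIR-605", "dueDate": "2024-06-10"},
]

# Constructed inventory. end_of_life is the signal that drives "replace".
INVENTORY = [
    {"asset": "branch-edge-01", "product": "DIR-600",
     "end_of_life": True, "cves": ["CVE-2014-100005"]},
    {"asset": "lab-router-07", "product": "DIR-605",
     "end_of_life": True, "cves": ["CVE-2021-40655"]},
    # Placeholder CVE id that is deliberately not in the KEV sample above.
    {"asset": "core-fw-02", "product": "ExampleFW",
     "end_of_life": False, "cves": ["CVE-0000-0000"]},
]


def kev_actions(inventory, kev, today):
    """Return one action per (asset, CVE) pair that appears in the KEV.

    action is "replace" for end-of-life products (there will be no patch)
    and "patch" otherwise; days_left is negative once the due date has passed.
    Results are sorted most-urgent first.
    """
    by_cve = {entry["cveID"]: entry for entry in kev}
    actions = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = by_cve.get(cve)
            if entry is None:
                continue  # not a known-exploited vuln; handle via normal process
            due = date.fromisoformat(entry["dueDate"])
            actions.append({
                "asset": asset["asset"],
                "product": asset["product"],
                "cve": cve,
                "action": "replace" if asset["end_of_life"] else "patch",
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    actions.sort(key=lambda a: a["days_left"])
    return actions


if __name__ == "__main__":
    for a in kev_actions(INVENTORY, KEV_ENTRIES, date(2024, 5, 23)):
        print(f'{a["asset"]:16} {a["cve"]:16} {a["action"]:8} '
              f'{a["days_left"]:>4}d {"OVERDUE" if a["overdue"] else ""}')
```

Run against a real inventory you would replace KEV_ENTRIES with the catalog's JSON `vulnerabilities` array; the join key (`cveID`) and the ISO due date are the only fields the logic depends on.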
- 3. Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)
A memory corruption vulnerability in the Fluent Bit logging utility could be exploited to create denial-of-service conditions, allow information disclosure, and possibly allow remote code execution, according to a report from Tenable. Fluent Bit has been downloaded billions of times. The vulnerability affects versions 2.0.7 through 3.0.3, and has been fixed in Fluent Bit version 3.0.4.
If you’re using Fluent Bit, make sure you’ve updated to 3.0.4. The harder question will be asking your cloud providers if they are and which version is in place. If you’re referencing a provided SBOM, make sure that it is both current and that you’re checking the Vulnerability-Exploitability eXchange (VEX) data for applicability of vulnerabilities.
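The SBOM-plus-VEX check described above, as an added example that is not part of the original post or of any vendor tooling: it walks a CycloneDX-style SBOM for fluent-bit components, tests each version against the 2.0.7 to 3.0.3 range the story gives, checks the SBOM's own timestamp for staleness, and then consults a VEX document before deciding. The SBOM and VEX documents are constructed, simplified shapes (CycloneDX-like `components`, `vulnerabilities[].affects[].ref`, `analysis.state`), not real provider output.

```python
"""Assess SBOM components for CVE-2024-4323 exposure, honoring VEX statements.

Added example. Documents below are constructed, simplified CycloneDX-like
shapes; the version range (2.0.7..3.0.3, fixed in 3.0.4) is from the story.
"""
from datetime import datetime, timedelta, timezone

CVE_ID = "CVE-2024-4323"
AFFECTED_MIN = (2, 0, 7)
AFFECTED_MAX = (3, 0, 3)
FIXED = (3, 0, 4)


def parse_version(text):
    """'3.0.4' or 'v3.0.4' -> (3, 0, 4); tuples compare lexicographically."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def sbom_is_stale(sbom, now, max_age_days=30):
    """An SBOM older than max_age_days is not 'current' enough to trust."""
    generated = datetime.fromisoformat(sbom["metadata"]["timestamp"])
    return now - generated > timedelta(days=max_age_days)


def vex_state(vex, cve_id, purl):
    """Return the VEX analysis state for (cve, component ref) or None if silent."""
    for vuln in vex.get("vulnerabilities", []):
        if vuln.get("id") != cve_id:
            continue
        if any(a.get("ref") == purl for a in vuln.get("affects", [])):
            return vuln.get("analysis", {}).get("state")
    return None


def assess(sbom, vex, now):
    """Return (stale_flag, [(purl, version, verdict), ...]) for fluent-bit entries."""
    verdicts = []
    for comp in sbom.get("components", []):
        if comp.get("name") != "fluent-bit":
            continue
        purl, ver = comp.get("purl", ""), comp["version"]
        if not is_affected(ver):
            verdicts.append((purl, ver, "outside affected range"))
            continue
        state = vex_state(vex, CVE_ID, purl)
        if state == "not_affected":
            verdicts.append((purl, ver, "in range; VEX not_affected, verify justification"))
        elif state in ("exploitable", "in_triage", None):
            verdicts.append((purl, ver, f"treat as affected; upgrade to {'.'.join(map(str, FIXED))}"))
        else:
            verdicts.append((purl, ver, f"VEX state {state}; confirm fix is deployed"))
    return sbom_is_stale(sbom, now), verdicts


# Constructed SBOM: one exploitable build, one unpatched build with no VEX
# entry, one fixed build, and an unrelated component.
SAMPLE_SBOM = {
    "metadata": {"timestamp": "2024-05-01T00:00:00+00:00"},
    "components": [
        {"name": "fluent-bit", "version": "2.1.8", "purl": "pkg:generic/fluent-bit@2.1.8"},
        {"name": "fluent-bit", "version": "3.0.2", "purl": "pkg:generic/fluent-bit@3.0.2"},
        {"name": "fluent-bit", "version": "3.0.4", "purl": "pkg:generic/fluent-bit@3.0.4"},
        {"name": "example-agent", "version": "1.0.0", "purl": "pkg:generic/example-agent@1.0.0"},
    ],
}

# Constructed VEX: only speaks to the 2.1.8 build.
SAMPLE_VEX = {
    "vulnerabilities": [
        {"id": CVE_ID,
         "affects": [{"ref": "pkg:generic/fluent-bit@2.1.8"}],
         "analysis": {"state": "exploitable"}},
    ],
}

if __name__ == "__main__":
    stale, results = assess(SAMPLE_SBOM, SAMPLE_VEX, datetime(2024, 5, 23, tzinfo=timezone.utc))
    print("SBOM stale:", stale)
    for purl, ver, verdict in results:
        print(f"{purl:36} {ver:6} {verdict}")
```

The design choice worth noting is that silence in the VEX is treated as "affected": a provider that has not yet published a statement for a component in the vulnerable range has not told you anything, so the conservative reading stands until they do.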
- 4. MediSecure Data Breach Impacts Patient and Healthcare Provider Information
Australian digital prescription services company MediSecure has disclosed a ransomware attack that compromised patient data through November 2023. Once MediSecure became aware of the incident, they took their website offline. The incident appears to have originated through a third-party vendor. MediSecure was one of two companies that provided digital prescription services through Australia’s public digital health network until last November.
Of note here is that MediSecure’s contract with Australia’s health network was awarded to another provider last May, and the transition completed in November. It appears customer data was still available in their systems.
- 5. More than 70% of surveyed water systems failed to meet EPA cyber standards
A US Environmental Protection Agency (EPA) Enforcement Alert provides information for community water systems (CWSs) to help them comply with Safe Drinking Water Act (SDWA) Section 1433, which requires most CWSs to conduct Risk and Resilience Assessments (RRAs), develop Emergency Response Plans (ERPs) and certify their completion to EPA. According to the Enforcement Alert, 70 percent of CWSs EPA has inspected since September 2023 did not meet all of the SDWA Section 1433 requirements.
While Section 1433 only applies to systems with over 3300 users, it’s still a good idea to have your arms around where your risks are and what you can do to keep from being a victim. Regardless of size, leverage the Water ISAC resources (https://waterisac.org). Membership is based on customer base, starting at $105/year, and even has a 60-day trial so you can see if it is a fit. Given that critical infrastructure like this is a constant target, opting out or ignoring your security posture really isn’t an option.
- 6. Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal
Researchers at Check Point have detected a design flaw in the Foxit PDF Reader that can be exploited to deliver malware. The flaw is being actively exploited by multiple threat actors to deliver a range of malware including Agent Tesla, AsyncRAT, DCRat, and XWorm. The issue does not affect Adobe Acrobat Reader.
Foxit positions itself as a more affordable drop-in replacement for Acrobat. This attack relies on social engineering, prompting the user to enable/allow behavior which may seem innocuous, but in totality allows the malware to be installed and executed. The root cause is in how Foxit is designed rather than a coding error. Even so, educating users on how to handle unexpected prompts for privilege or command execution, similar to your existing social engineering preventative training, is your current best mitigation.
- 7. When Online Content Disappears
According to a report from the Pew Research Center, 25 percent of web pages that existed between 2013 and 2023 were not accessible as of October 2023. Most of the instances of what Pew researchers are calling digital decay are due to pages being removed from websites that are still functioning. The study looked at government and news websites and social media posts. Local government websites had the highest incidence of broken links.
This is an interesting observation. If you own a site, you control the lifecycle and have the say on what is left vs archived/deleted. The question is what is the obligation to sites referencing that content? How far should sites go to maintain continuity/pointers to the most current versions? This is something you should discuss and document at your shop. Having a consistent approach which is written down is more important than the decision you make. Give consideration to publishing that on your site.
- 8. ARRL Systems Service Disruption
The American Radio Relay League (ARRL) has disclosed a cybersecurity incident that affected some of their services, including the Logbook of The World® and the ARRL Learning Center. (ARRL is the National Association for Amateur Radio.) The organization does not store payment card information and does not collect Social Security numbers. Their membership database contains publicly available information, including names, addresses, call signs, and email preferences.
ARRL is saying they don’t believe the member database is affected. And while the information is public (much of it is available from the FCC), that database represents an authoritative link between that information and the member. If you’re an ARRL member, be on the watch for phishing emails leveraging your information.
- 9. Financial institutions have 30 days to disclose breaches under new rules
On May 15, 2024, the US Securities and Exchange Commission (SEC) adopted changes to their Regulation S-P, which requires financial organizations “to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” The amendments require certain financial institutions to report breaches within 30 days of detection.
Expeditious reporting may not be on your radar when you’re focused on detection and reducing dwell times. Make sure that you’re partnering with folks like your CFO who are tracking SEC requirements so you can work together to meet them.
- 1. Congratulations to the Top MSRC 2024 Q1 Security Researchers!
- 2. New Attack Against Self-Driving Car AI – Schneier on Security
- 3. Black Basta ransomware group is imperiling critical infrastructure, groups warn
- 4. Raspberry Pi Launches the M.2 HAT+, Improves NVMe Boot Support in the Raspberry Pi 5 Firmware
- 5. CVE-2024-1661 – OpenCVE
- 6. New capabilities to help you secure your AI transformation
- 7. Kaspersky Anti-Ransomware Day report 2024
- 8. AI raises CIO cyber anxieties
- 9. The Windows Registry Adventure #2: A brief history of the feature
- 10. Apple releases iOS 17.5, macOS 14.5, and other updates; new iPads launch
- 11. Cybersecurity Expert Jailed For Hacking 400K Smart Homes, Selling Videos
- 12. CVE-2023-50718 – GitHub Advisory Database
- 13. Citrix warns customers to update PuTTY version installed on their XenCenter system manually
- 14. Cinterion Modem Vulnerabilities Leave IoT and Industrial Networks Exposed
- 15. Verizon’s 2024 DBIR Report – Mapping Mitre Att&CK tactics and techniques to Incident Classification Patterns
- 1. Arizona woman accused of helping North Koreans get remote IT jobs at 300 companies
She compromised the identities of more than 60 people living in the US and used their personal information to get North Koreans IT jobs across more than 300 US companies. She operated a "laptop farm"; the laptops were issued by the employers. By using proxies and VPNs, the overseas workers appeared to be connecting from US-based IP addresses.
- 2. Hives For U.S. Drone Swarms Ready To Deploy This Year
The Hive Expedition weighs 400 pounds and can operate twelve or more drones depending on their size. The Hive XL is a 13,000-pound trailer which can house and deploy up to 80 drones. Both types of Hive allow a single operator to control the entire fleet via a simple tablet interface, and they remove the need for any physical drone handling. According to Sentien, an operator can drive a Hive to a location and have a pop-up security system running in five minutes.
- 3. China Builds World’s First Dedicated Drone Carrier
The design is smaller than regular aircraft carriers, with a flight deck approximately one third the length and half the width of a super carrier. The flight deck is wide enough to comfortably operate aircraft or drones with a wingspan of around 20 meters (65 feet) such as Chinese equivalents of the Predator drone.
- 4. Britain says it is developing a radio-wave weapon that can take out a swarm of drones for just $0.12 a shot
The Radio Frequency Directed Energy Weapon, or RFDEW, uses radio waves to detect, track, and disable electronic components at a range of up to 1000 meters. "The war in Ukraine has shown us the importance of deploying uncrewed systems, but we must be able to defend against them too"
- 5. Last summer was the hottest in 2,000 years. Here’s how we know.
Researchers rely on tree rings, glaciers, and fossil records to put our current climate in context.
- 6. I’ve been testing OpenAI’s new ChatGPT-4o Mac app — this is a game changer
I gave it a screenshot of a game of Pong and asked it to help me find a way to play the game. Within about 30 seconds it generated all the necessary code for a fully functional game of Pong and instructions on how to run that code. It worked perfectly so I tried it with Breakout, the block-breaking game, and it created a perfect replica of that classic as well. It even created a version of Space Invaders and so I’ve put all three on GitHub. It struggled with Asteroids but got it right after I shared the error code.
- 7. ChatGPT 4o vs Gemini 1.5 Pro: It’s Not Even Close
ChatGPT 4o performs much better than Gemini 1.5 Pro in a variety of tasks including reasoning, code generation, multimodal understanding, and more. In one of my tests, ChatGPT 4o created a Python game within seconds, but Gemini 1.5 Pro failed to generate the correct code.
- 8. Backlogs at National Vulnerability Database prompt action from NIST and CISA
Backlogs at the NVD have reached crisis proportions, prompting federal agencies to seek help from the private sector. It appears that the NVD has completely given up on adding CPE-matches to CVEs since sometime around February 15. A big contributor to the NVD backlog is the flood of vulnerabilities reported to the repository — more than 100 per day in 2024. There were more than 4,000 critical severity vulnerabilities reported in 2022, up more than 59% over the previous year.
- 9. CISOs Grapple With IBM’s Unexpected Cybersecurity Software Exit
IBM has agreed to sell the QRadar SaaS portfolio to Palo Alto Networks. IBM's QRadar is the third largest next-generation SIEM provider based on revenue, behind Microsoft and Splunk. "For IBM to then turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking and frankly not in line with the customer-centric ethos IBM is known for. I would imagine there are many confused and frustrated QRadar customers [now] looking for answers."
- 10. Nikesh Arora on Why Palo Alto Networks Is Buying IBM QRadar
QRadar SaaS SIEM customers will be migrated to XSIAM. The "much larger prize" is QRadar's on-premises customer base, and IBM has incentive to encourage those customers to migrate to Palo Alto Networks' cloud-based offering.
- 11. Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit – CVE-2024-4323)
Fluent Bit is a logging utility heavily used by all major cloud providers. This heap buffer overflow allows DoS attacks and possibly RCE under some circumstances. A patched version is available.
- 12. New Windows 11 features strengthen security to address evolving cyberthreat landscape
Secured-core PCs provide advanced firmware safeguards and dynamic root-of-trust measurement to help protect from chip to cloud, using a Microsoft Pluton security processor. Pluton is a chip-to-cloud security technology. NTLM will be deprecated in the second half of 2024. Smart App Control uses AI to decide whether an app is safe.
- 13. New Windows AI feature records everything you’ve done on your PC
Recall uses AI features "to take images of your active screen every few seconds." Someone with access to your Windows account could potentially use Recall to see everything you've been doing recently on your PC, which might extend beyond the embarrassing implications of pornography viewing and actually threaten the lives of journalists or perceived enemies of the state.
- 14. Copilot+ Recall has been enabled by default globally in Microsoft Intune managed users, for businesses.
You need to enable DisableAIDataAnalysis to switch it off. Why is this a feature at all, and why is it enabled by default? Every security expert is saying Microsoft has lost its mind.
- 15. Windows 11 UAC Bypass in Modern Malware
Modern techniques used by malware:
- Exploitation of COM interfaces with the Auto-Elevate property
- Modification of the ms-settings registry branch
- Infinite UAC prompt loop (social engineering)
- 16. Advanced AI evaluations at AISI: May update
Four unidentified LLMs were tested, finding that they can solve high-school level CTF problems, but not college-level ones, and that they are all still vulnerable to prompt injection jailbreaks. Several very good charts present the results.
- 17. DNSBomb
DNSBomb is a new practical and powerful pulsing DoS attack. It exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited.
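The defining signature of the attack described above is the mismatch between how queries arrive (spread out, low rate) and how responses leave (amplified and squeezed into one short burst toward the same target). The following is an added example of a resolver-egress heuristic built on that signature; it is not from the DNSBomb paper or any DNS software. It measures, for responses bound to one destination, the fraction of bytes that fall in the busiest window, the spread of the originating queries, and the byte-level amplification. The traffic records are constructed (times in milliseconds, sizes in bytes), and the thresholds are assumptions to tune per deployment.

```python
"""Pulse-concentration heuristic for resolver egress toward a single target.

Added example, not from the DNSBomb paper. Input records are (time_ms, bytes)
tuples; queries and responses are those associated with one destination.
"""


def busiest_window_bytes(events, width_ms):
    """Max bytes sent in any half-open window [t, t + width_ms) over the events."""
    events = sorted(events)
    best = acc = 0
    j = 0
    for i, (start, _) in enumerate(events):
        # Grow the window's right edge; j only ever moves forward.
        while j < len(events) and events[j][0] < start + width_ms:
            acc += events[j][1]
            j += 1
        best = max(best, acc)
        acc -= events[i][1]  # slide the left edge past events[i]
    return best


def pulse_score(queries, responses, width_ms=500):
    """Return (query_span_ms, concentration, amplification).

    concentration: share of response bytes inside the busiest window.
    amplification: total response bytes / total query bytes.
    """
    times = [t for t, _ in queries]
    query_span = max(times) - min(times)
    total_resp = sum(size for _, size in responses)
    total_query = sum(size for _, size in queries)
    concentration = busiest_window_bytes(responses, width_ms) / total_resp
    return query_span, concentration, total_resp / total_query


def looks_like_pulse(queries, responses, width_ms=500,
                     min_concentration=0.8, min_span_factor=10, min_amp=10):
    """Flag when slowly accumulated queries produce one amplified burst.

    Thresholds are assumptions: most bytes in one window, queries spread over
    at least min_span_factor windows, and meaningful byte amplification.
    """
    span, concentration, amp = pulse_score(queries, responses, width_ms)
    return (concentration >= min_concentration
            and span >= min_span_factor * width_ms
            and amp >= min_amp)


# Constructed traffic. 100 small queries trickle in one every 100 ms.
QUERY_BYTES, RESPONSE_BYTES = 60, 4000
QUERIES = [(i * 100, QUERY_BYTES) for i in range(100)]          # span 9900 ms
# Pulse pattern: every large response released inside a 200 ms burst.
PULSE_RESPONSES = [(10_000 + i * 2, RESPONSE_BYTES) for i in range(100)]
# Normal pattern: each response follows its query by about 20 ms.
NORMAL_RESPONSES = [(i * 100 + 20, RESPONSE_BYTES) for i in range(100)]

if __name__ == "__main__":
    for label, resp in (("pulse", PULSE_RESPONSES), ("normal", NORMAL_RESPONSES)):
        span, conc, amp = pulse_score(QUERIES, resp)
        print(f"{label:7} span={span}ms concentration={conc:.2f} "
              f"amplification={amp:.1f} flagged={looks_like_pulse(QUERIES, resp)}")
```

Note that amplification alone does not separate the two cases (both carry large answers to small questions); it is the concentration of egress relative to the spread of ingress that distinguishes the pulse, which is why the check requires all three conditions.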
- 18. On self-driving, Waymo is playing chess while Tesla plays checkers
Tesla's cars are fully autonomous, but make errors, requiring a human driver. But Google's Waymo cars have remote human operators to handle situations too complex for the onboard AI systems, which seems to be working out far better than the Tesla system.
- 19. Research finds electric cars are silent but violent for pedestrians
Pedestrians are three times as likely to be injured by an electric or hybrid (E-HE) car than by one with an internal combustion engine (ICE) in cities and towns.
- 20. Why Your Wi-Fi Router Doubles as an Apple AirTag
Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates. But Apple’s API will return the geolocations of up to 400 more BSSIDs that are nearby the one requested. Researchers spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.
- 21. Securing Git: Addressing 5 new vulnerabilities
A "git clone" operation on Windows can execute arbitrary code included in a malicious Git repository. Patches are now available.