Bricking PCs and IoT Hacking – PSW #832
Skyrocketing IoT vulnerabilities, bricked computers?, MACBORG!, raw dogging source code, PHP strikes again and again, if you have a Netgear WNR614 replace it now, Arm Mali, new OpenSSH feature, weird headphones, decrypting firmware, and VPNs are still being hacked!
Announcements
Stay up-to-date with us on X (formerly known as Twitter) for the latest show clips and updates! Find us @SecWeekly and stay connected with our cybersecurity community.
Guest
Aubrey King is a Community Evangelist at F5 DevCentral, PR Lead for the OWASP Top 10 for Large Language Model Applications project, and Host of the ‘AppSec Monthly’ podcast. With a solid foundation in System Architecture and Security, followed by 12 years as an F5 pre-sales engineer, Aubrey has built a reputation for his technical expertise in high availability and application security solutions across various market segments including Commercial, Public, and Service Provider sectors. His insights into AI security are rooted in practical experience, making his perspective both valuable and unique. Outside of the tech sphere, Aubrey is a passionate musician, devoted comic book enthusiast, and proud father.
Hosts
- 1. China state hackers infected 20,000 Fortinet VPNs, Dutch spy service says
Silently fixing vulnerabilities helps a little, but disclosing the fix helps even more: "It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it" - I'm not sure why Fortinet decided not to disclose the fix until the vulnerability was being exploited in the wild, perhaps they did not want attackers to reverse the fix knowing there was a vulnerability in there, but even at that its not an excuse. I'm a fan of full disclosure, leveling the playing field, especially when there is a fix available that people can install! If the exploit will just cause harm and people cannot be readily or easily remediated, then withholding information is warranted. Also, Dan writes this: Fortinet officials have never explained why they didn’t disclose the critical vulnerability when it was fixed. They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities. Company representatives didn’t immediately respond to an email seeking comment for this post." - Not saying things sometimes makes things worse, allows people to speculate, and generates bad press. I'm not going to slam Fortinet, but suggest they disclose vulnerabilities in the future and comment on their actions, we may not agree, but transparency will build more trust.
- 2. StarkeBlog – Thecus NAS Firmware Decryption
I always appreciate it when people post how to decrypt firmware. In this case, the firmware decryption tool stopped working because openssl deprecated some functions. Props to Nicholas Starke who updated the tool (re-implementing portions in Python) and published it. Decrypting firmware can be a PITA, so thank you Nicholas!
- 3. Command Injection Vulnerability Discovered in PHP: CVE-2024-5585
Yet another PHP vulnerability that is based on an older vulnerability but the new vulnerability uses a different technique.
- 4. Some Cheap Wired Headphones Are Actually Using Bluetooth
This is from the "What the actual..." department: "What’s going on is this: The plug on the buds using this workaround goes into the Lightning slot, which then doubles as a Bluetooth receiver that receives power from the port but routes its signal through the phone’s Bluetooth. That means your wired connection is actually wireless." - Clever trick to get around Apple's licensing fees.
- 5. Ukraine’s nuclear regulator confirms Chernobyl’s post-invasion radiation spikes had an ‘abnormal origin’.
Interesting research! Summary: "Since the beginning of my research I had the feeling that I was facing a striking example of a PSYOP. However, I'll leave the task of speculating about it as an optional exercise for the reader."
- 6. OpenSSH Introduces Options to Penalize Undesirable Behavior
After reading articles on this (which were really bad) and the official documentation (which was good, but, well, its documentation) ChatGPT came up with the best description:
PerSourcePenalties is an OpenSSH server configuration option that helps mitigate brute-force attacks and password-guessing attempts. When enabled, it imposes penalties on IP addresses that repeatedly fail authentication attempts within a certain time frame.
Here's how it works:
- Penalties for Failed Authentication Attempts: Whenever an IP address fails to authenticate successfully, OpenSSH imposes a penalty on that IP address. This penalty typically involves increasing the delay before responding to subsequent authentication attempts from that IP. *Penalty Gradation: The penalties can escalate based on the number of failed attempts within a specified time window. For example, the delay may increase exponentially with each subsequent failed attempt.
- Time Window: OpenSSH considers a certain time window for assessing penalties. If the failed authentication attempts occur within this window, the penalties apply. However, if there's a gap beyond this window, the penalty count resets.
- Configurability: Administrators can configure various parameters related to PerSourcePenalties, such as the duration of the time window, the initial delay, and the rate at which the penalty increases.
- Effectiveness: This feature helps in reducing the effectiveness of brute-force attacks by making them significantly slower. Attackers trying to guess passwords or keys would face increasing delays after each failed attempt, making the attack less feasible.
- 7. CVE-2024-4610 – Arm Mali GPU Zero-Day Under Active Exploit: Millions of Devices at Risk
Update your phones!
- 8. Security Advisory: Multiple Vulnerabilities in Netgear WNR614 Router
I spent a little time trying to figure this out: "The Netgear WNR614 router’s weak authentication, allowing Base64 credential cracking, poses a serious security risk." - The screenshots show a Base64 encoded password being decoded and a decompressed file system pointing to a file PWD_password.htm. I grabbed the firmware and decompressed it using Binwalk, then ChatGPT'd the code to look for vulnerabilities. Nothing obvious and they have left out some details that require more work to figure out. However, these vulnerabilities are not being patched. This router is not supported by OpenWRT (though I did find an old Github repo with an OpenWRT build environment for this hardware, but have not tested or validated it). Long story short, buy a new router.
- 9. No Way, PHP Strikes Again! (CVE-2024-4577)
This is a new exploitation path based on a command injection from 2012 in PHP. The new one works like this: "Well. It turns out that, as part of unicode processing, PHP will apply what’s known as a ‘best fit’ mapping, and helpfully assume that, when the user entered a soft hyphen, they actually intended to type a real hyphen, and interpret it as such. Herein lies our vulnerability - if we supply a CGI handler with a soft hyphen (0xAD), the CGI handler won’t feel the need to escape it, and will pass it to PHP. PHP, however, will interpret it as if it were a real hyphen, which allows an attacker to sneak extra command line arguments, which begin with hyphens, into the PHP process." - And this one is being attacked in the wild, ended up on the CISA KEV, and from what I can gather affects PHP on Windows systems. Patch now.
- 10. Dailydave: GDB Dances and the Moon
Dave has such a way with words: "Like, people are out there just raw dogging source code from random other open source developers, with their local environment running tokens that give them access to everything they could possibly need from their Google account."
- 11. TALOS-2024-1942
This is one of the coolest vulnerabilities! Step 1 is to telnet to the device and enter the magic word "MACBORG". The device will then spit back the MAC address and the date. Turns out that the passphrase to enter debug mode, giving you full access to the PLC, is generated using a crypto algorithm based on, you guessed it, the MAC address and the date. Rather than reversing the crypto the Talos researcher just found the code that generates the passphrase and replicated it. Now you can telnet to the device, grab the MAC and date, then generate the passphrase and enter the debugging mode that allows you to all sorts of things, including interfacing with other PLCs on the backplane.
- 12. HP bricks ProBook laptops with bad BIOS delivered via automatic updates — many users face black screen after Windows pushes new firmware
HP is working with customers to get the PCs and laptops fixed after a Windows update pushed a bad BIOS image and "bricked" computers. Yes, you can use a SPI flash programmer to attempt to fix your PC, however, you need to restore a known good BIOS/UEFI image (or a block copy of the SPI flash). Not all users have this. Some are floating around on forums. I am warning users to use caution when installing random BIOS images from the Internet, they could be backdoored and grant an attacker super privs on your device. Also, use the proper hardware for this, avoid de-soldering the chip, and use a clip, even better if it's on a DIP connector as you can pull it off (preferably with tweezers, not your hands like I do). Also, applying the proper voltage to the correct pins is very important.
- 1. StarkeBlog – iGoat Challenge Write up
- 2. A Crash Course in Hardware Hacking Methodology: The Ones and Zeros
- 3. How China’s 1980s PC industry hacked dot-matrix printers
- 4. Analygence chosen as company to help NIST address backlog at NVD
- 5.
- 6. Samsung WB850F Firmware Reverse-Engineering
- 7. Google Leak Reveals Thousands of Privacy Incidents
- 8. Hacking Millions of Modems (and Investigating Who Hacked My Modem)
- 9. IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers
- 10. An Atmega328 + SI5351 Based WSPR Beacon
- 11. A Look at the Riskiest Connected Devices of 2024
- 1. Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers
A zero-day (0-day) vulnerability exists in Arm's Mali GPU drivers, specifically, the Bifrost GPU Kernel driver and the Valhall GPU Kernel driver. Tracked as CVE-2024-4610, the flaw is a use-after-free and allows local access to freed memory. Arm reports the vulnerability has been exploited in the wild, but to date has not released any details of the exploitation. Arm has released new versions of the products as a resolution.
- 2. Snowflake: Detecting and Preventing Unauthorized User Access
Don't be lulled into a false sense of security that Snowflake is the only environment where compromised, reusable credentials are being targeted. Verify that you're enabling and enforcing MFA for your outsourced and cloud services, regardless of the service providers requirement. Then the harder task, requiring MFA for your services. The good news is with the IDP you had to deploy for cloud authentication, you can leverage that on your services. Start with low hanging fruit, then move to more challenging use cases.
- 3. New York Times Responds to Source Code Leak
The New York Times (NYT) has confirmed that some of its internal source code and data were stolen and leaked on the Internet. The theft occurred in January 2024; the information was leaked on Thursday, June 6. NYT said the breach occurred after GitHub credentials were inadvertently exposed.
Not to sound like a broken record, but a compromised reusable token was used to access the repositories and exfiltrate data. In this case 273GB of data was pilfered. (5 thousand repos, 3.6 million files.) In addition to source code (which included the Wordle game), IT documentation and infrastructure tools were taken. So yay for all the work to document and put that information online, but boo for having one credential to rule them all. As easy as it is to branch into a conversation about credential rotation, it's better to pull the MFA thread as well as talk about session timeout/expiration.
- 4. London hospitals face blood shortage after Synnovis ransomware attack
The UK’s National Health Service (NHS) is calling for donation of Type O blood following a cyberattack that disrupted systems at Synnovis, a company that provides pathology services for hospitals and other healthcare organizations in London. Because Synnovis cannot match blood as quickly as it could prior to the attack, doctors have been giving patients O-type blood, resulting in a shortage of both O-positive and O-negative blood.
Type O negative blood is the universal blood type needed for emergency transfusions and can be donated to patients regardless of blood types, while O positive can be donated to anyone with positive blood type, about 3 out of 4 patients. With IT systems relating to typing and matching impacted, having a healthy store of both O negative and positive is a really good (bloody brilliant) risk mitigation. Even if you're not in the healthcare industry, this is a call to consider where having a "generic" option for service impacts could help you weather that storm.
- 5. LastPass says 12-hour outage caused by bad Chrome extension update
The LastPass password manager experienced a 12-hour outage last week. LastPass attributes the problem to a bad update to its Chrome extension places too much stress on their servers. For 12 hours starting just after noon ET on Thursday, June 6, users trying to access their password vaults or to log into their accounts were greeted with “404 Not Found” error messages. LastPass said they has resolved the issue on Thursday evening.
A bad update for a browser plugin isn't something you can easily roll back, let alone fix, QA and distribute an updated version.
- 6. Cyber incident forces Cleveland to shut down city hall
Cleveland shut its city hall Monday as officials investigate a cyber incident affecting some systems. Cleveland’s 911 system, along with police, fire, and emergency medical services are functioning. A city spokesperson told Recorded Future News that “All internal systems and software platforms will be shut down until further notice.”
While 911 was offline, emergency responder radio systems were still operating, allowing emergency services to be delivered. City phone services have been restored as of Monday. Cleveland's 311 daytime calls are being handled by after-hours operators. 311 is the number to call for information about the City's programs and services, as well as submit a non-emergency service request. What I'm not finding is any sort of outage/incident announcement on the city's web site. Make sure your plans include outage notification/status updates on services where you manage the message.
- 7. Two people arrested in connection with investigation into homemade mobile antenna used to send thousands of smishing text messages to the public
Last month, police in the UK arrested two people for allegedly setting up a homemade cellphone tower and using it to bypass mobile phone networks’ systems to block suspicious messages. The homemade mobile antenna was reportedly used to send thousands of malicious SMS messages. The messages pretend to be communications from banks and other organizations.
Imagine if you would, the fake AP attack but with a cell tower. The attack leveraged weaknesses in the protocols which require the devices to authenticate to the cell network, but not validate that network. This allowed the hackers to bypass the cell network anti-smishing defenses. The UK has a service which allows users to forward SMS message to 7726 for analysis. Other carriers are implementing junk SMS reporting. Investigate options provided by your carrier to identify junk SMS messages. Decide if you want a send-all or a send-suspect/on-demand model.
- 8. SolarWinds Flaw Flagged by NATO Pen Tester
SolarWinds has released SolarWinds Platform version 2024.2, which addresses three vulnerabilities: a high-severity SWQL injection vulnerability, a high-severity stored cross-site scription (XSS) vulnerability, and a medium-severity race condition vulnerability. SolarWinds has also released an update for SolarWinds Serv-U to address a high-severity directory traversal vulnerability.
Today's contestants for SolarWinds Platform flaws are: CVE-2024-28996, SWQL Injection, CVSS 3 score of 8.1, is a high complexity attack, CVE-2024-28999, a race condition, CVSS 3 score of 8.1 and CVE-2024-29004, stored XSS, CVSS 3 scroe of 4.8. They imnpact the SolarWinds Platform 2024.1 SR1 and before, the fix is to update to 2024.2. Don't overlook the need to update their Serv-U product, CVE-2024-28995, a directory traversal flaw, CVSS score of 8.6, affects Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. The fix is to deploy Serv-U 15.4.1 hotfix 2. While there is not any indication these are being exploited in the wild, given SolarWinds, and how easy it is to discover vulnerable products exposed to the Internet, expect that not to change.
- 9. Vulnerability Reports – Latest network security threats and zeroday discoveries
Researchers at Cisco Talos have discovered 15 vulnerabilities in AutomationDirect programmable logic controllers (PLCs). The flaws in the Automation Direct Productivity series PLCs are all rated critical or high severity. They can be exploited to achieve remote code execution or cause denial-of-service conditions. The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about the vulnerabilities in late May. Updates are available to address the vulnerabilities.
These vulnerabilities which include out of bounds writes, stack and heap-based buffer overflows, active debug code and insufficient input validation, have a collective CVSS 4 score of 9.3. Beyond the obvious verification that you don't have PLCs directly exposed to the internet, make sure you update both the PLC firmware and the Productivity Suite to the newest versions. Also, verify network access is limited to only devices which are supposed to interact with them.
- 10. Microsoft reverses course, makes Recall feature opt-in only after security backlash
In a bow to outcry over security concerns, Microsoft now says that the Recall feature on Copilot+ Windows PCs will be opt-in. Recall takes screenshots every five seconds for local AI analysis.
Recall seems to (inadvertently) cross the line between continuous differential backups and Orwellian oversight. Microsoft is responding to feedback and is making a few changes to Recall. The first being to make it opt-in, versus the prior always-on setting. Second, the snapshots it takes will be encrypted using Windows Hello Enhanced Sign-in Security (ESS) so the user has to authenticate before those snapshots are decrypted and available, which also means this is only as good as the strength of user authentication.
- 11. US secures Microsoft, Google commitments for free rural hospital cyber services
Microsoft and Google have committed to provide free and low-cost cybersecurity services to roughly 2,100 rural US hospitals. Deputy national security advisor for cyber and emerging technology Anne Neuberger announced the commitments on Monday, June 10. The announcement comes in the wake of a series of cyberattack targeting healthcare organizations, including the Change Healthcare breach, which reportedly affected more than one of every three insurance claims in the country. This is huge! Microsoft is going to be offering non-profit pricing, including a year of their security suite to existing customers while Google is going to be providing endpoint security advice at no cost, and a pool of funding to support software migration. Google is also launching a pilot program to develop a package of security capabilities which fit each hospital's needs.