It’s Always DNS – PSW #837

This is fascinating: "In this series of blog posts I’ll be discussing my finding dealing with traffic controllers and other traffic systems. I had hoped to present the information at DefCon but my CFP wasn’t accepted. This multi-part series will start with my attempt at responsible disclosure, finding vulnerabilities in traffic controllers, sourcing hardware and getting it running in a lab, and just how broken and behind the technology curve the traffic industry is. " - We covered this a while back, this is the same researcher that got a nasty letter from the legal department. Now we know he was hacking traffic controllers. And now he is publishing a blog post series with all the gory details (like Telnet, SNMP, etc...). I think this would have been a great Defcon talk!

Just when you think you've fixed it, it comes back: "Now tracked as CVE-2024-41110, the privilege escalation bug was originally discovered in 2018 and patched in January 2019's version 18.09.1. However, the fix wasn't carried over in the following updates, meaning versions from 19.03 and newer remained vulnerable." - Also, so many exploits, or just simple bypasses, exist for the Docker native API. Just disable it if you are not using it as it opens up more attack surface, and is very dangerous as it gives attackers access to all the containers.

Super interesting, so many things could be archived on Git (such as the private key that corresponds to the PK from AMI. In case you were wondering, no I could not find it, but yet I did look for a bit LOL).

Support for two things in my life: Framework SD and Raspberry Pi 5 (unofficial).

This is testing that must be done: "Due to paywalls and other obstacles, several vendors and products on the market remain untested and may be vulnerable to the weaknesses we are about to share. We strongly recommend that defenders evaluate their products for these potential issues. Additionally, we encourage vendors who do not currently offer free trials to consider making them available, enabling researchers to conduct this type of research." - Bypasses and LPEs exist for EDR and AV, if they didn't, everyone would just run one and be completely immune to malware and ransomware, which, we are not.

I need this in my life, great price too!

/lib/systemd/system/restapi.service has the wrong permssions, allowing the www-data user to modify it and put in commands that allow you to become root. This is an LPE, but only for those who run RaspAP. I did some testing of RaspAP, was not impressed with the stability. I did get it running, finally, but even with a good supported USB dongle with antennas, after a while my connection just dropped. I think there is a reason I use Ubiquiti.

This is interesting: "A registered domain, or subdomain of a registered domain, uses the authoritative DNS services of a different provider than the domain registrar; this is called name server delegation. A domain is registered with one authoritative DNS provider, and either the domain or a subdomain is configured to use a different DNS provider for authoritative name service. The name server delegation is lame, meaning that the authoritative name server does not have information about the domain and therefore can not resolve queries or subdomains. The DNS provider is exploitable, meaning that the attacker can claim ownership of the domain at the delegated authoritative DNS provider while not having access to the valid owner’s account at the domain registrar." Also a good summary: "Sitting Ducks combines a lame delegation with a vulnerable DNS provider that fails to properly validate that the account holder who claims a domain actually controls it. If you point DNS for your domain to a service, you need to be sure that your account on that service (and only accounts you authorized) claims the domain."

"In the first half of 2024, attacks on IoT devices increased by 107%. On average, these devices were under attack for 52.8 hours. The primary reason for this vulnerability is the low level of security in IoT devices, making them easy targets for cybercriminals."

" In this blog post series, we’ll delve into high-level security controls within Active Directory that can make an adversary cry tears of frustration when attempting to establish their initial foothold. The areas covered in this blog post are SMB null sessions, username enumeration, password spraying, and abusing NTLM authentication." Funny, I wrote an article on Null Sessions in 2002: https://web.archive.org/web/20080515182640/http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html - And yet here we are... However, I believe there are reasons why this is still enabled on DCs today for backward compatibility. This fix seems easy though, from the Guidepoint article: "To remediate this misconfiguration, remove the “Everyone” and/or “Anonymous Logon” special identity groups from the Pre-Windows 2000 Compatible Access group."

" A vulnerability in the module that could allow an attacker to modify UEFI variables." - Curious if this could bypass the UEFI variable permissions, allowing an attacker to modify variables from the OS (rather than through the BIOS screen when physically present at the machine). When coupled with this: https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/ - Could allow attackers to chain exploits together to compromise UEFI.

The Minnesota-based Spytech snooped on thousands of devices before it was hacked. The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — has been used to compromise more than 10,000 devices since the earliest-dated leaked records from 2013, including Android devices, Chromebooks, Macs, and Windows PCs worldwide.

Ten million people thought they were accessing an e-book piracy site called Z-Library. Instead, scammers collected their personal information, passwords, crypto addresses, and, possibly, payments. What’s worse, they leaked all their information, exposing users to other cybercriminals and authorities.

Named TuDoor, the attack uses malformed DNS packets to trigger logic errors inside DNS software. The attack specifically targets the part of the DNS resolver that prepares DNS responses for user queries.

Academics say they can use a quick succession of malformed packets to poison a DNS resolver's cache, cause a denial of service, or increase a server's resource consumption.

So far, patches have been released by Google, Microsoft, Cloudflare, BIND, Knot, AdGuard, and others.

Updated robots.txt file hits Bing and others without a Reddit deal.

Evilginx adversary-in-the-middle (AitM) reverse-proxy attack framework performs downgrade attacks, allowing threat actors to crack into even biometrically protected PCs and laptops.

Today we are announcing our intent to end Online Certificate Status Protocol (OCSP) support in favor of Certificate Revocation Lists (CRLs) as soon as possible. We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet.

Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.

As the Binarly Research Team found, affected devices use a test Secure Boot "master key"—also known as Platform Key (PK)—generated by American Megatrends International (AMI), which was tagged as "DO NOT TRUST" and that upstream vendors should've replaced with their own securely generated keys.

Data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn't necessarily deleted. This vulnerability is named Cross Fork Object Reference (CFOR). Clearly this is a problem. But it's not so much of a problem that GitHub considers CFOR a legitimate vulnerability. In fact, the Microsoft-owned code-hosting giant considers it a feature, not a bug.

Brave customers with recent Apple hardware can use AI now. The version of Apple Intelligence in the beta doesn't include all of the service's promised features. At launch, Apple detailed ML-based capabilities such as generating, proofreading, rewriting, and summarizing text, text-to-image and text-to-emoji services, and an upgrade for the Siri digital assistant.

One of the methods used to validate domain ownership is to add a string with a random value in the DNS CNAME record on the certificate and then perform a DNS lookup for the domain to ensure the random values match. Per the CABF baseline requirements, a random value should be separated by the domain name with an underscore. This underscore was omitted for 0.4% of domain validations since 2019, so those customers must generate new Certificate Signing Requests (CSR) for their domains.

Imagine if we could directly investigate the human brain by manipulating each of its individual neurons to examine their roles in perceiving a particular object. “MAIA” (Multimodal Automated Interpretability Agent) automates a variety of neural network interpretability tasks on AI systems. The automated agent is demonstrated to tackle three key tasks: It labels individual components inside vision models and describes the visual concepts that activate them, it cleans up image classifiers by removing irrelevant features to make them more robust to new situations, and it hunts for hidden biases in AI systems to help uncover potential fairness issues in their outputs.

Quantum computing can make Machine Learning faster. This hands-on tutorial shows how to use a Variational Quantum Eigensolver (VQE) in Python on a simulated quantum computer to solve a quantum chemistry problem: finding the ground state energy of the Hydrogen molecule H2. This is amazing and wonderful, and solves a problem I wrote my PhD thesis about 40 years ago. The exact solution was way out of sight then.

Critics say SB-1047, proposed by "AI doomers," could slow innovation and stifle open source AI. Hopefullly his bill won't become law. If it does, all open-source AI models may become impossible to share, because the creators will be liable for all products derived from them.

Prompt injection attacks, the machine learning version of command injection, are a serious risk to all Large Language Models, and there is no known way to completely prevent them. Meta's defense is called Prompt-Guard-86M. However, it can be trivially bypassed by adding spaces between the letters of a prompt.

There is enormous demand for the weight-loss drugs Wegovy and Ozempic. But, given the drugs' daunting prices and supply shortages, many patients are turning to imitations—and those don't always come with the same safety guardrails. However, some of these imitations come with unclear instructions so patients take up to 20 times the recommended dose, risking serious health consequences.

Fiber optic internet cables across France have been cut in an apparent act of sabotage, resulting in outages across the country. This attack comes just days after arsonists targeted France's national rail network.

Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target. The malware often finds its way onto people’s machines through downloads of pirated software.

“EchoSpoofing” is a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing 87 of the Fortune 100 companies. The critical flaw is that email relays accept emails that claim to come from Microsoft's Office365 without verifying ownership of the originating domain. Proofpoint has updated their systems to stop this attack.