I want ALL The Firmware – PSW #841

MJG does an excellent job of explaining the issues that MS caused when updating the SBAT. Worth a read.

This is a really fun research paper and project. Check this out: "We implemented ChkUp and conducted a comprehensive analysis on 12,000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing." - They created a tool that checks how firmware updates are happening and determines if there are vulnerabilities associated with the update process. Make sure you visit the Github repo as they published scripts for downloading 19TB of firmware images, some charts and graphs on the architecture, and more.

"TP-Link is a company established in the People’s Republic of China (PRC) and is the world’s largest provider of Wi-Fi products, selling over 160 million products annually to more than 170 countries. TP-Link and its affiliates are also a leading Wi-Fi router provider in the United States. Because TP-Link routers are made in the PRC with Chinese technology, there are concerns that state-sponsored hackers may be able to more easily compromise the routers and infiltrate U.S. systems. Moreover, TP-Link is subject to draconian ‘national security’ laws in the PRC and can be forced to hand over sensitive U.S. information by Chinese intelligence officials. Alarmingly, just last year, security researchers found that PRC cyber military forces used TP-Link routers as part of a hacking campaign that targeted government officials in European countries." - Valid points, however, TP-Link is only part of the picture. There are millions more devices from several other manufacturers that have the same problems outlined above. In fact, most of the components in your PCs, laptops, and servers contain hardware and firmware that comes from China. We need to do a better job at protecting embedded systems and components from impacting the security of our organizations and our nation.

How often do we issue CVEs for malicious software such as botnets or malware? I think this is pretty awesome as first, it could help defenders take down botnets. It also feels weird because some commercial and open-source software vulnerabilities don't get CVEs, yet here we are issuing them for Mirai. I then wonder what the disclosure policy should be for this, and if there is someone responsible for fixing it. Then again, this is not something we want to get fixed, so why publish a CVE? It begs so many questions on how to handle vulnerabilities in software used by malicious actors. Will they have a bug bounty program?

So much to unpack here: "From insulin pumps to firewalls, the best-case scenario of BTLE security and privacy is abysmal. It is imperative that we educate ourselves and strive to do better as an industry. Problems that are introduced in BTLE devices are likely to be permanent and impossible to resolve after the fact. Until that changes, we must do better from the start." - The technical details are awesome, and I haven't digested them yet. There are many aspects to this article that tackle the challenges we face at a high level with the use of Bluetooth technology, specifically in medical devices. We don't test for Bluetooth in the enterprise, and I don't believe this type of testing is included in many standards. This quote speaks volumes: "“The conclusion is: Bluetooth vulnerability assessment is not even a thing. For those of you that work enterprise security, I’m happy to tell you: Don’t worry, there’s nothing you have to do, because there’s nothing you could do even if you wanted to. I hope that makes you feel better.” - Xeno Kovah"

This reminds me of Hackers (1999), however, in this case, the person was convicted, Jesse Kipf, for bad things: "A press release from the U.S. Department of Justice (DoJ) informs that Jesse Kipf used stolen credentials to access the Hawaii Death Registry System to register himself as a deceased person." and that's just the beginning: "Kipf also accessed private corporate networks and government systems using stolen account credentials and then offered to sell access to the networks on darkweb markets." Kipf has been sentenced to 69 months (over 5.5 years) of prison time and will be placed under supervision for three years after release.

Serial is not always serial: "If you search online these are the two types of serial you’ll see described again and again. You might find the occasional reference to a third type that was popular in the early 1990s. This serial type operates between 0-5V like “TTL serial”, but with inverted data lines like RS-232, allowing it to be connected directly to a PC’s serial port." From: https://terinstock.com/post/2024/08/When-Serial-Isnt-RS-232-and-Geocaching-with-the-Garmin-GPS-95/

"The U.S. Marshals Service (USMS) denies its systems were breached by the Hunters International ransomware gang after being listed as a new victim on the cybercrime group's leak site on Monday." - Basically they are an old victim, not a new one. Interesting.

Why not just install fake RFID badge readers instead of backdooring (through hardware) existing ones, or trying to clone a badge from an employee? Pros and cons are discussed in the article, including: "One of the primary drawbacks of this tool is that (by design) it is visible once it is placed, but more to the point, it is easier to notice than its ESPKey alternative. Arguably the biggest drawback is the fact that the malicious reader will not actually open anything, as the reader is not attached to any other wires, which might cause confusion, or worse, questions. There are a few potential workarounds to lessen the likelihood that a malicious reader is caught, although this can be quite situational. Placing the reader next to a door that is always unlocked seems like one of the most logical options. This however either requires a successful tailgate or other method of entry, as the vast majority of unlocked doors will not be external building doors. This highlights another risk worth considering – exposure to the elements, i.e. rain, wind, etc. – in the event it is placed on an exterior wall, as these pose the potential of damaging the device."

Basically, the RCE in Windows in the IPv6 stack is really hard to exploit. So far, we have not seen a reliable exploit. The danger of this assumption is what happens if/when someone figures this out. If you slacked on applying the patch, especially for a network RCE, you could end up in a bad situation. My advice, as usual, is to apply the patch and not get hung up on how the exploit writers are doing.

Patrick has taken a stab at defining what "weaponized" means in the context of a vulnerability: "Weaponized vulnerabilities are those with explicit malicious intent, historic malware usage, prior reports of exploitation, or inclusion in point-and-click exploitation frameworks or kits. Projects facilitating point-and-click exploitation could include malicious exploit kits, such as those previously tracked by Contagio, or open source or commercial offerings like Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact. Additionally, weaponized exploits often have secondary payloads, droppers, or implants. In our State of Exploitation Report published in May, we observed 2% of vulnerabilities over the past decade that have been weaponized." - Thoughts? For me, weaponized means there is a working exploit that can carry a payload that will have some impact on a system. I do believe we need a way to indicate if an exploit can cause a system crash reliably. Perhaps it is not considered fully weaponized but gets some sort of tag that tells us attackers could crash software and/or systems reliably.

And udev rules are now being checked (At least on my systems). I need to back and check to see if tools such as Lynis check for this TTP (quick Google search doesn't reveal much).

The Hacked Existence team is happy to host the PhreakMe CTF. Dial (212) 203-4978 to begin. Follow the white rabbit.

The CEO of Telegram was arrested in France. The hacker group THC stated "He was arrested because he facilitates a wide range of crimes, including drug trafficking and ransomware groups."

A stealthy Linux malware named 'sedexp' has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework. "At the time of this writing, the persistence technique used (udev rules) is not documented by MITRE ATT&CK," the researchers note, highlighting that sedexp is an advanced threat that hides in plain sight. MALWARE ON LINUX!? CLUTCHES PEARLS

yeah yeah yeah I know we talked about this before. But now you can "down"load and use it.

Macs cannot be hacked, right? Here are some tips and commands if you are ever going on a MacOS engagement.

The Sonic "Operating System" has been dumped to Archive.org, and it seems like there is a pretty active community attempting to get it running on standard hardware. If you have 30mins to spare and want to watch somebody attempt to get it running on a MICROS POS here is a YT link (https://www.youtube.com/watch?v=MmJ8NVLji84)