Wifi Vulns, Yubikeys, and Firmware – PSW #842
Don't tell the FCC there is a new Flipper firmware release, unpatchable?, argv[0] and sneaking past defenses, protect your registries, someone solved my UART RX problem, PKFail update, legal threats against security researchers documented, EDR bypass whack-a-mole continues, emulating PIs, VScode moonlights as a spy, Want to clone a YubiKey? All you need is $11,000, some fancy gear, and awkwardly close proximity to your victim, and Telegram’s encryption: it’s kinda like putting a 'Keep Out' sign but leaving the door unlocked.
Announcements
Don’t lose access to the Security Weekly content you know and love - make sure that you subscribe to your favorite podcasts feeds on an alternative platform like Spotify, YouTube Music, Amazon Music, Apple Podcasts, or anywhere else you listen to podcasts! Visit securityweekly.com/subscribe to find the buttons to subscribe to each show now! We love to see your ratings and feedback so make sure to tell us what you think of the latest episodes.
Hosts
- 1. Holiday Heists: Dissecting the Phishing Operations Against the Travel Industry (pt.1/2) – osintmatter
- 2. Found: 280 Android apps that use OCR to steal cryptocurrency credentials
- 3. Zyxel warns of vulnerabilities in a wide range of its products
- 4. gist:f054ea82c36551aa76bee4f771f65caf
- 5. Bypassing airport security via SQL injection
- 6. CVE Hunting Made Easy
- 7. WiFi auth with OsmoHLR/SIM cards
- 8. Zyxel security advisory for OS command injection vulnerability in APs and security router devices
- 9. Commercial spyware vendor exploits used by Kremlin-backed hackers, Google says
- 10. intrinsec.com
- 11. Firmware 1.0 Released
Some cool new updates such as a dynamic app loader (which was supported before, but now more official?), NFC update, JavaScript, and more. The unofficial firmware distributions should be updating as well, but navigating these waters has proven difficult. I do not like updating my Flippers from the web; I want to download the release tarball, read the release notes, and do some validation before installing. This website was helpful for listing all the unofficial firmware options and which features they support: https://awesome-flipper.com/firmware/ - I highly recommend using one of the unofficial firmware options to get more features and unlock extra functionality (such as different RF bands, though you will be violating FCC regulations). I will have to update my scripts to update my Flippers. This is a good resource as well: https://github.com/djsime1/awesome-flipperzero (though 6 months since last updated).
- 12. Unpatchable 0-day in surveillance cam is being exploited to install Mirai
I disagree with the unpatchable, I bet with a little more time one could unpack the firmware and remove the vulnerable code. Though when I looked, this required a little more digging.
- 13. Walking The Plank: Add-Ons For The Bus Pirate
Really neat: "As an example, I recently put together the SAO Plank: a small adapter that lets me connect three Simple Add-Ons to the Bus Pirate. This is not only a convenient way of powering the badge expansions and monitoring their current consumption using the Bus Pirate’s onboard display, but it also provides a way to debug and test I2C communications between several SAOs — a capability that will become more useful as we get closer to Supercon 2024." Pirate plank, get it.
- 14. Why bother with argv[0]?
Summary: You can, in certain circumstances, run a program and change the name of the program being run. In some cases this allows you to bypass EDR and other protections that try to prevent certain programs from being invoked. Worth a read!
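The point for defenders is that argv[0] is a string the launching process chooses, so any control that keys on the process "name" from the command line is checking attacker-controlled data. The following is an added example (not code from the show or the linked article) showing, on Linux, the difference between what a process claims in /proc/PID/cmdline and what the kernel records in /proc/PID/exe, and a simple check that flags the mismatch. It assumes a Linux host with procfs and a sleep binary on PATH.

```python
import os
import shutil
import subprocess
import time


def spawn_with_custom_argv0(real_program, claimed_name, args):
    """Start `real_program` but hand it a different argv[0].

    Popen's `executable=` is what actually gets exec'd; args[0] is only the
    name the child sees in argv[0], which is also what ps and
    /proc/<pid>/cmdline report.
    """
    return subprocess.Popen([claimed_name, *args], executable=real_program)


def inspect_process(pid):
    """Return what the process claims to be and what it actually is.

    /proc/<pid>/cmdline is a NUL-separated copy of argv, fully under the
    process's control. /proc/<pid>/exe is a kernel-maintained symlink to the
    binary mapped at exec() time and is not something the process can edit.
    (Linux-only; this is an assumption of the example.)
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        argv = fh.read().split(b"\0")[:-1]          # drop the trailing empty field
    claimed = argv[0].decode(errors="replace") if argv else ""
    real = os.readlink(f"/proc/{pid}/exe")
    return {"claimed_argv0": claimed, "real_exe": real}


def argv0_mismatch(info):
    """Detection rule: the basename in argv[0] differs from the real binary.

    Comparing basenames keeps ordinary launches ("/bin/sleep" vs "/usr/bin/sleep",
    or plain "sleep" found via PATH) from firing.
    """
    return os.path.basename(info["claimed_argv0"]) != os.path.basename(info["real_exe"])


def demo():
    """Launch `sleep` under a misleading argv[0] and inspect it from outside."""
    sleep_path = os.path.realpath(shutil.which("sleep"))
    proc = spawn_with_custom_argv0(sleep_path, "totally-benign-helper", ["30"])
    try:
        time.sleep(0.2)        # Popen returns after exec(); the pause is just belt and braces
        info = inspect_process(proc.pid)
    finally:
        proc.kill()
        proc.wait()
    info["flagged"] = argv0_mismatch(info)
    return info


if __name__ == "__main__":
    print(demo())
```

The takeaway for rule writers: resolve the executable (the exe link on Linux, the image path from the kernel-sourced process-creation event on Windows) and compare it against the command line rather than trusting either alone.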
- 15. dreher.in – eXperte digitaler Sicherheit / Unprotected container registries
This is not good: "In 2022, my comprehensive scan of the entire Internet (0.0.0.0/0) revealed over 21,000 unprotected container registries. These were not minor oversights; I discovered sensitive data ranging from TPLink's cloud service code to payment service credentials. Shockingly, a follow-up scan in 2024 still showed more than 10,000 unsecured registries. Despite increased awareness of cybersecurity threats, the problem persists, posing a significant risk to the software supply chain." - One of the dangers is that an attacker could download a container image, modify it with malicious code, then push it back up to the container registry. Then, anyone or any system that pulls from that registry will get a malicious container. Please protect your container registries, make them private, don't be part of the problem.
- 16. Set-Top Box RE: 6-part series (1 of 6)
Read the entire series! Awesome examples of how to reverse engineer IoT devices. They even solved a problem I could not solve when trying to get UART RX working on a device. Save this one, you might need it later if you like reversing IoT hardware.
- 17. Insecure Platform Key (PK) used in UEFI system firmware signature (VU#455367) – AKA PKFail
Just an FYI: a VU note has been created for PKFail. We talked about this in detail in a previous episode. Several vendors have released fixes, e.g. Supermicro.
- 18. Research Threats: Legal Threats Against Security Researchers
This is crazy: "Students arrested, stripped naked, violated by Police." - What? Thanks to Casey Ellis and company at Disclose.io, this site represents, in their words: "An ongoing collection of legal threats made against Security Researchers: over-reactions, demands, and cease & desist letters against good faith research. This project is in homage to @attritionorg great work in documenting historical researcher threats."
- 19. ECDSA Vulnerability in YubiKey: What You Need to Know
Calm down, this is not the end of the world. I'm not excited about this one...
- 20. Using Linux to Intercept IoT Device Traffic
If you wish for something, like software, to exist you can click your heels three times and then search for it on the Internet. I was going to create a script that intercepts traffic from IoT devices, but now I don't have to! Thanks Matt Brown!
- 21. Hunting for RansomHub and antivirus killers
The EDR bypasses will continue until we figure out a way to stop this: "The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops and exploits one of a variety of different vulnerable, legitimate drivers to gain privileges sufficient to unhook an EDR tool’s protection." (Ref: https://news.sophos.com/en-us/2024/08/14/edr-kill-shifter/). Also, this will be a never-ending game of whack-a-mole: "Keep your system updated. Since last year, Microsoft has begun to push updates that de-certify signed drivers known to have been abused in the past." If we don't do something to prevent BYOVD attacks we will be in this horrible situation for the foreseeable future. Microsoft and EDR vendors must work together to help prevent these attacks and make it harder for malicious actors to disable EDR.
- 22. CVE-2024-20017 (CVSS 9.8): Zero-Click Exploit Discovered in Popular Wi-Fi Chipsets, PoC Published
Neat supply chain vulnerability: "At the end of last year I discovered and reported a vulnerability in wappd, a network daemon that is a part of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This chipset is commonly used on embedded platforms that support Wifi6 (802.11ax) including Ubiquiti, Xiaomi, and Netgear devices. As is the case for a handful of other bugs I’ve found, I originally came across this code while looking for bugs on an embedded device: the Netgear WAX206 wireless router. The wappd service is primarily used to configure and coordinate the operations of wireless interfaces and access points using Hotspot 2.0 and related technologies. The structure of the application is a bit complex but it’s essentially composed of this network service, a set of local services which interact with the wireless interfaces on the device, and communication channels between the various components, using Unix domain sockets."
- Original research article: 4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways
- 23. Prepare Raspberry Pi 3, 4 & 5 configurations using a virtual machine
If you've ever wanted to test RPI "stuff", this is neat: "A raspberry Pi emulator in a Docker image that lets developers easily prepare and flash RPi configurations."
- 1. AT&T sues Broadcom for refusing to renew perpetual license support
AT&T has filed a lawsuit against Broadcom for seeking to “retroactively change existing VMware contracts to match its new corporate strategy.” Broadcom acquired VMware in November 2023 and announced the following month that it was ending sales of perpetual licenses. AT&T has brought the “action for breach of contract, breach of the implied covenant of good faith and fair dealing, declaratory judgment, and injunctive relief.”
In the past, movement from one license form to another, e.g., fixed to subscription pricing, has been non-optional, and the prospect of pushing back was not viable. While AT&T may be able to modify the renewal process from Broadcom, the need to move to subscription pricing seems here to stay. As such, it's prudent to research your ongoing cost as well as the viability of alternative solutions, including cloud migration, so you can give management an informed, supported recommendation.
- 2. Russian Military Cyber Actors Target US and Global Critical Infrastructure
The US Department of Justice has unsealed an indictment against six hackers belonging to a Russian military intelligence unit (GRU 29155) for the 2022 “WhisperGate” malware attacks on Ukrainian and Central European systems. Security services in nine countries have joined with the FBI, CISA, and NSA to issue a security advisory aimed at mitigating risk from similar attacks. Charges include the destruction of both defensive and civilian systems in Ukraine, the exfiltration and sale of Ukrainian civilians’ personal information, wire fraud, and “computer network operations” targeting systems in North America, Latin America, Central Asia, and Europe.
The bulletin is up-front with mitigations for this type of attack. Keep systems updated, remediate known vulnerabilities, implement (phishing-resistant) MFA for anything internet facing, particularly critical systems, email and VPN. Segment your networks. To which I would add monitoring and alerting. Make sure you can track anomalous behavior, verify the breach notification agreement with your cloud and outsource service providers. Make sure you're really on the same page, not just what they are paying lip service to, and address any discrepancies.
- 3. Justice Department Disrupts Covert Russian Government-Sponsored Foreign Malign Influence Operation Targeting Audiences in the United States and Elsewhere
An affidavit filed on September 4th in US District Court in Pennsylvania identified thirty-two domains to be seized by the US Justice Department for their use by Russian officials to disseminate propaganda under the guise of legitimate news media. Many of the sites are typosquatted counterfeits of major news brands, their links shared by paid advertisements and purpose-built social media profiles impersonating non-Russian citizens. The domains were leased by sanctioned Russian officials and organizations, which provided grounds for the seizure under US money laundering law.
In case you're wondering what happens when someone who is "sanctioned" continues to interact with the U.S., here is a real example. Note these fake sites are upping their game to include AI to make convincing arguments for the parties or POV they are supporting. Train users to be really vigilant for typosquatting, e.g., washingtonpost.pm vs washingtonpost.com, then support them by enabling available protections on your endpoints and perimeter to reduce or block access to these sites.
- 4. Cisco Smart Licensing Utility Vulnerabilities
Two vulnerabilities in Cisco’s Smart Licensing Utility (CVE-2024-20439 and CVE-2024-20440) both filed with a CVSS score of 9.8, would respectively allow unauthenticated remote login and exposure of credential data via a debug log file. Internal testing by a network security engineer revealed the flaws, which have no workaround and must be patched by updating to fixed release version 2.3.0.
Static credentials and overly verbose logging should be in the distant past, yet they keep turning up. Remember when sites used to provide all sorts of insight via their logs, and we shut all that down? Make sure that your scans trigger on debug information when discovered so you can run that down. While you cannot entirely prevent embedded static credentials, you can block or restrict access to management interfaces where they could be used. Even so, make sure that your SOP includes changing all vendor provided credentials where possible. Trust but verify this is done.
- 5. West Virginia law enforcement sues data broker for publishing personal information online
A retired police officer in West Virginia has filed a class action lawsuit against data broker Whitepages for violating a state law prohibiting the disclosure of active or retired law enforcement personnel’s home addresses and phone numbers “under circumstances in which a reasonable person would believe that providing such information would expose another to harassment or risk of harm to life or property.”
Work continues to put data brokers on notice that privacy needs to be preserved. This violates a West Virginia law known as Daniel's Law. New Jersey has a similar statute of the same name. These are designed to protect the privacy of public-facing professionals, and it is spreading. In May, Maryland passed a similar law. On the other side of the equation, companies like Atlas Data Privacy Corp., which issues takedown orders for removing this information online, have filed 118 class action lawsuits against data brokers who refused to acknowledge these orders filed on behalf of 20,000 New Jersey law enforcement officers.
- 6. Ransomware attack forces high school in London to close and send students home
The Charles Darwin School in London, UK, was forced to close its doors for three days this week due to the aftereffects of a ransomware attack. All student Microsoft 365 accounts have been disabled as a precaution, and “all staff devices have been removed to be cleansed.” The school has brought in an outside company to investigate. While classes are expected to resume on Thursday, September 12, the school’s Headteacher wrote in a letter to families that they “will be without internet, email and access to other systems in the school for an estimated 3 weeks.”
UK schools continue to be targeted, with the first quarter of 2024 having more than twice the attacks reported in the same quarter of 2023. The timing, at the beginning of the school year, is unfortunate, and will have the largest impact on teacher devices with the potential loss of lesson plans/etc. This is a good time to make sure you've implemented security best practices, starting with MFA and strong passwords. Many services now have an easy button to enable strong security, which you can test before deploying to everyone; do it, smartly, and don't forget to deploy fully once you have a working configuration.
- 7. A U.S. antivirus maker is acquiring Kaspersky Lab’s key customers after Commerce ban
Kaspersky has announced that roughly one million anti-virus customers in the US will be migrated to Pango Group’s UltraAV later this month. The US Commerce Department banned the sale of Kaspersky products as of July 20, 2024. While existing customers were still permitted to use the products, updates for Kaspersky products will not be permitted in the US after September 29.
If you're a U.S.-based Kaspersky customer, make sure that you're getting these notifications; no, you didn't miss an opportunity to choose the replacement, they made the decision to move you to UltraAV. Kaspersky started winding down their U.S.-based operations in July, laying off these employees. UltraAV offers near parity in features, minus the webcam and online payment protection offered by Kaspersky, and the annual cost will be the same as you were paying for Kaspersky. Axios says that customers have little to do here and will be provided instructions as needed via email in the coming weeks.
- 8. Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts
Researchers at Arctic Wolf have observed a ransomware campaign exploiting a critical improper access control vulnerability in SonicWall SonicOS. The “issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.” Updates are available and users are urged to patch as soon as possible.
These devices are SOHO-class devices; you should check for them regardless and make sure they are updated. In all cases, once updated you need to make sure Internet access to the Firewall and SSLVPN management interface is disabled, or limited to trusted sources. Additionally, if you have Gen 5/6 firewalls with SSLVPN users who have locally managed credentials, those passwords need to be updated as soon as the firmware is upgraded. Enable the "User must change password" option for each of these accounts, then enable MFA (TOTP/Email-based OTP) for all of these users.
- 9. Service for America
The US White House Office of the National Cyber Director has announced an eight-week cyber hiring sprint to fill half a million cybersecurity positions in government. Among the initiatives: pitching cybersecurity jobs as national service and eliminating unnecessary degree requirements for cyber jobs.
This sprint, "Service for America", runs through the end of October and is working to fill the estimated 500K open cybersecurity positions across both public and private sector employers. This also dovetails into efforts by OPM and ONCD, announced last spring, to rewrite cyber job hiring practices to recognize learned experience and not just degrees obtained. ONCD is also encouraging agencies and private sector companies to use best practices such as removing degree requirements and offering entry-level, apprentice and intern-level positions. Note that you don't have to have Cyber in your job title to be doing cyber work. These days IT, Cyber, Cloud and AI are intertwined. One hopes this effort continues beyond October.
- 1. ‘If journalism is going up in smoke, I might as well get high off the fumes’: confessions of a chatbot helper
Journalists and other writers are employed to improve the quality of chatbot replies. The irony of working for an industry that may well make their craft redundant is not lost on them
- 2. Chinese APT Abuses VSCode to Target Government in Asia
A Chinese advanced persistent threat (APT) group abused the popular Visual Studio Code software in espionage operations targeting government entities in Southeast Asia. By running the command code.exe tunnel, a reverse shell can be opened using only trusted code from Microsoft.
- 3. Visual Studio Code: embedded reverse shell
This article explains the vscode reverse shell method, a technique of Living off the Land.
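Because the tunnel binary is a signed Microsoft executable, file-reputation controls will not help; the signal is the launch itself, i.e. the VS Code executable being started with the tunnel subcommand. The following is an added example (not code from the show or the linked articles) that runs that rule over a handful of constructed process-creation events shaped like Sysmon Event ID 1 records. It assumes code.exe and code-tunnel.exe as the image names (the latter is the VS Code CLI binary; treat that name as an assumption) and deliberately does not fire on "tunnel" appearing in an ordinary file argument.

```python
import os
import shlex

# Image names that can start a VS Code tunnel (code-tunnel.exe is an assumption).
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe"}

# Constructed sample telemetry (Sysmon Event ID 1 style, trimmed to the
# fields the rule needs). None of these hosts, users or paths are real.
SAMPLE_EVENTS = [
    {"host": "ws-014", "parent": "explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" --folder-uri file:///C:/src/app'},
    {"host": "ws-022", "parent": "cmd.exe",
     "image": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms --name build-box'},
    {"host": "srv-07", "parent": "wscript.exe",
     "image": r"C:\Users\svc_build\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "cmdline": r'"C:\Users\svc_build\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe" tunnel'},
    {"host": "ws-031", "parent": "explorer.exe",
     "image": r"C:\Users\carol\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\carol\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\tunnel\README.md'},
    {"host": "ws-031", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe tunnel"},
]


def first_positional(cmdline):
    """Return the first argument after the program that is not a switch, lowercased."""
    try:
        # posix=False keeps Windows backslashes and quoted paths with spaces intact
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for tok in tokens[1:]:
        tok = tok.strip('"')
        if tok.startswith("-"):
            continue
        return tok.lower()
    return None


def is_vscode_tunnel_launch(event):
    """Rule: a VS Code image started with `tunnel` as its subcommand."""
    image = os.path.basename(event["image"].replace("\\", "/")).lower()
    return image in VSCODE_IMAGES and first_positional(event["cmdline"]) == "tunnel"


def find_tunnel_launches(events):
    """Return the events that match, keeping the parent so an analyst can judge
    whether a developer typed it or a script host did."""
    return [e for e in events if is_vscode_tunnel_launch(e)]


if __name__ == "__main__":
    for hit in find_tunnel_launches(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['image']} (parent {hit['parent']}) -> {hit['cmdline']}")
```

Developers do use tunnels legitimately, so in practice this rule feeds an allow-list or a review queue rather than an automatic block; the parent process and the account make the difference between a remote-dev workflow and a script-launched persistence channel.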
- 4. YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
A timing side-channel attack exposes the private key so YubiKeys can be cloned. The attack requires $11,000 worth of gear and access to the targeted YubiKey. All YubiKeys older than May 2024 need to be replaced to stop this attack, and patching is not possible.
- 5. Is Telegram really an encrypted messaging app?
An excellent explanation of Telegram's security by Matthew Green. Telegram's encryption is not end-to-end by default, so Telegram has access to almost all chats. Its claim to be an "encrypted chat app" seems to be misleading marketing.
- 6. Flipper Zero releases Firmware 1.0 after three years of development
The new features look unexciting to me, but I'm sure Paul will have a better analysis.
- 7. Microsoft performs operations with multiple error-corrected qubits
Microsoft demonstrated logical operations using the largest number of error-corrected qubits yet--12 error-corrected qubits on hardware with 56 qubits. Breaking RSA-2048 will require thousands or millions of qubits, so there's no practical threat for the next few decades.