EDR Is Dead, EDR Is Not Dead – PSW #849

This neat: "A cheap alternative to FlipperZero™ based on Espressif boards" - You have to build it yourself, and I really want to, but time-consuming. I think I would rather acquire specific boards for specific tasks and projects. Found it here: https://hackaday.com/2024/10/20/forget-flipper-how-about-capybara/

This last part is super interesting: "The supply chain attacks from 20 years ago still look like they're viable today, and we're further behind in our defensive posture than we'd all like. Truthfully we've mostly gotten away with it up until now because there's been a steady supply of exploitable vulnerabilities that have enabled the attacker's to achieve their goals in other ways. However in a world where exploitable vulnerabilities become sparse (and there are some initial signs that this is happening), it's not unreasonable to think that attackers will pursue supply chain attacks at a much higher level. If that's the case, we're not prepared for it yet." - Question: Are we just pushing attackers around to use different methods (note I said different, not new) rather than actually fixing security?

While the authenticated part of this advisory may be cause for dismissal, you have to look deeper to realize how easily this can be exploited. First, just taking a quick look at some default credential databases, Xerox devices are in there (e.g. "admin/1111"). Also, an authentication bypass vulnerability also exists (XRX23-020, though details are missing). If you have Xerox printers you may want to change the default credentials and patch them. I have not looked at the firmware (yet), wait, please hold...

Someone analyzed a bunch of firmware and reported the same vulnerability for a bunch of devices, essentially allowing folks to download the firmware: "an Incorrect Access Control vulnerability during the device firmware update process. The app uses HTTPS requests to download firmware updates. By reverse engineering the app, it was possible to identify the firmware download mechanism and the download link. Dynamic testing revealed that the vendor's firmware server lacks proper access control, leading to firmware leakage."

This is a decent option for extending the range on the CC1101 built into the flipper. I have not tested it, though I have a similar one that I cannot find where I bought it. Don't go buying expensive add-ons for the Flipper, its not worth it.

Remind me to explain how the UEFI lock works, its pretty interesting.

Specific to Android, a nice summary of SELinux bypasses. As with similar technologies, if it gets in the attacker's way, one avenue is to just gain more privileges than the process/program that is providing the protection. So many examples...

This is a new feature introduced in the 6.10 kernel, though keep in mind it's not turned on automatically, and developers have to use it in order for it to provide any protections. Protections from what you might ask? This:

• Hardening NX (No-Execute) protection: Prevents attackers from making non-executable memory regions executable, which is often used to run shellcode.
• Mitigating unmapping-based, data-only exploitation: Stops "hole-punching" techniques where attackers unmap and remap memory to inject malicious code or data.

This is specific to Yokto ("The Yocto Project (YP) is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. The project provides a flexible set of tools and a space where embedded developers worldwide can share technologies, software stacks, configurations, and best practices that can be used to create tailored Linux images for embedded and IOT devices, or anywhere a customized Linux OS is needed.") - Though I plan to read the entire series because I love reading about early stage boot processes because I hate myself.

Keep in mind this still requires that you have the user's PIN. Interesting stuff, regardless.

The 3-part series of posts is from the person who ended up not giving a Defcon talk on how to hack traffic lights because his talk was not accepted. Weird, I know. Well, now there are 3 posts to read and digest!

This article discusses multiple vulnerabilities discovered in RtsPer.sys, a Realtek SD card reader driver used by many OEMs, including Dell, Lenovo, and HP. The author found several vulnerabilities that allow non-privileged users to: Leak kernel pool and stack contents, Write to arbitrary kernel memory, and Access physical memory via DMA. This hardware is typically used for built-in SD card readers. Also, this disclosure process was 2 years running, wow!

If you're into WCF and pen testing .NET applications you should read this.

The debate continues as to how much we should worry about quantum computers breaking cryptographic protocols.

Uhm, so apparently, this post has been pulled from the Internet. Out of respect for Greynoise, I will not publish a copy here or discuss the details (or disclose that I have a saved copy for anyone who is interested and a good person).

Why get fancy? Attackers seem to find all sorts of ways to bypass, blind, or disable EDR. It calls into question the effectiveness of EDR tools. Many will say they are a requirement. I believe most pen testers and attackers just sit back and laugh at this notion. Given the complexity of your tech stack and the threat landscape I believe we do have to rely on EDR to thwart some attacks, otherwise we'd be too weak of a target to defend against anything. In any case, attackers may just simply use the Windows firewall (or more specifically Windows Filtering Platform (WFP) , a set of system services and APIs in Windows that allows for filtering and processing network traffic). I see this as not the only method attackers will use to mess with EDR, but a good one to include in a toolkit to prevent the EDR from phoning home.

The technique consists of two main components:

• Dismantle: This program is responsible for creating a new payload. It records uniquely executed instructions and their offsets, then uses this data to generate a header file for the Voidmaw program.
• Voidmaw: This program executes the newly created payload. It uses a Vectored Exception Handler (VEH) to handle exceptions and dynamically decrypt and execute instructions.

One of these things is not like the other in the recommendations section:

• Use Environment Variables: Store sensitive credentials in environment variables, which are loaded at runtime, instead of embedding them directly in the code.
• Implement Secrets Management: Utilize dedicated secrets management tools, such as AWS Secrets Manager or Azure Key Vault, to securely store and access credentials.

Google introduced Application-Bound (App-Bound) encryption in July (Chrome 127) as a new protection mechanism that encrypts cookies. However, by September, multiple information stealers had found ways to bypass the new security feature, and now a researcher has released a tool that bypasses defenses and extract saved credentials from the Chrome web browser.

Microsoft accused Google of "dishonestly" funding groups conducting biased studies to discredit Microsoft and mislead antitrust enforcers and the public. Microsoft says Google is doing this to muddy the antitrust waters, and distract from the intense regulatory scrutiny Google is facing.

Highly confidential movements of Joe Biden, Donald Trump, Kamala Harris, and other world leaders can be easily tracked online through a fitness app that their bodyguards use.

Claude 3.5 Sonnet is Anthropic's "AI agent," a broad term that describes productivity-focused AI models that are designed to perform tasks autonomously. It can now use "computers the way people do," such as moving a cursor and inputting keystrokes and mouse clicks. That means Claude can potentially control your entire desktop, interacting with any software and applications you have installed. But Claude's computer use remains slow and often error-prone.

Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers. Atlas has sued 151 consumer data brokers on behalf of New Jersey law enforcement officers whose information should have been completely removed from commercial data brokers. One defendant, Babel Street, allows customers to draw a digital polygon around nearly any location on a map of the world, and view a history of the mobile devices seen coming in and out of the specified area. Using a trial version of it, an investigator was able to track visitors to a mosque and employees at an abortion clinic, as well as law enforcement officers.

How is the data collected? Location data also is shared when a smartphone visits a web page with ads. In the few milliseconds before those ads load, the website will send a “bid request” to various ad exchanges, where advertisers can bid on the chance to place their ad in front of users who match the consumer profiles they’re seeking. That bid request contains location data and it's broadcast in the clear to hundreds of entities around the world.

Data brokers can locate roughly 80 percent of Android-based devices, and about 25 percent of Apple phones. The difference comes from Apple's App Tracking Transparency (ATT) that requires apps to get affirmative consent before they can track users.

Sen. Ron Wyden (D-Ore.) said Congress’ failure to regulate data brokers, and the administration’s continued opposition to bipartisan legislation that would limit data sales to law enforcement, have created this current privacy crisis.

Phone users can disable this tracking--instructions are at the end of the article.

Ransomware infected 389 US healthcare organizations this fiscal year, putting patients' lives at risk and costing facilities up to $900,000 a day in downtime alone, according to Microsoft. Stroke code activation at hospitals close to one suffering from a ransomware infection jumped from 59 to 103, cardiac arrests increased 81 percent, and survival rates for out-of-hospital cardiac arrests with favorable neurological outcomes plummeted, from 40 percent pre-ransomware infection to 4.5 percent.

The AI did better than professional mediators at getting people to reach agreement.

This year, we have experienced an astonishing surge in ransomware payments, with the average payment increasing by a staggering 500%. The leading vulnerability across all organizations is the widespread reliance on legacy Multifactor Authentication, which is proving ineffective against modern threats. According to CISA, 90% of successful ransomware attacks start with phishing.

" I drive the Xiaomi," he said. "We flew one from Shanghai to Chicago, and I've been driving it for six months now, and I don't want to give it up." "70 percent of all electric cars made on the globe are made in one country, China," he said.

SynthID provides a hidden way to mark LLM output as artificial. It works by biasing the probability of selecting a word (actually a token) so there's a pattern in the words that can be detected, without significantly lowering the quality of the results.

The 'code sandbox' allows Claude to write and run JavaScript code. This release moves Claude from relying solely on abstract reasoning to becoming a more versatile data analyst. Now Claude has the ability to write and execute code in real-time as well as process and visualize data from CSV files, offer step-by-step insights and verify answers mathematically.