We’re Not Saying “I told you so” – PSW #850

We spent an hour talking about this one on Below The Surface Episode 41 (https://eclypsium.com/podcasts/bts-41-pacific-rim/).

By adding some Unicode characters to the end of a string in a JSON field, the researcher was able to fool the API and change the roles of an administrator. It turns out that JSON parsing and serialization/deserialization are funky processes. And no one reads all the fine print in an RFC.

Excellent example of unsanitized user input that is simply passed to a system() function call. Writing CGI applications for IoT systems in C/C++ is super challenging.

This is an extremely technical article. LLVM is a set of tools to build compilers, and the author found a bug in this process. Sorry I could not explain it better!

I love how strings is still a handy tool for reverse engineering. I've not used Bugprove, but it looks similar to EMBA. At some point I will do a comparison.

Google's Project Zero has taken their Project Naptime to the next level with Big Sleep, a collaboration with Google's DeepMind that's pushing the boundaries of what AI can do in vulnerability discovery. They've managed to use large language models to uncover a real-world, exploitable vulnerability in SQLite - one of the best examples I've seen of using LLMs to find software vulnerabilities. This isn't just theoretical stuff anymore; we're talking about AI finding bugs that traditional fuzzing techniques missed, potentially giving defenders a serious edge in the constant battle against cyber threats. Meta came up with the original model, Naptime (named because bug hunters can take a nap while the LLM finds vulns LOL) was Googles improvement with a 20x performance boost, and Big Sleep is the latest improvement that uncovered the SQLite 0-day.

This is a really in-depth article on how the Trail of Bits folks fuzzed the ZBar barcode open-source software. If you nerd out on fuzzing, this article is for you!

A neat way to hide and persist on Windows systems: Use qemu.exe to load a small Linux VM and conduct all operations from Linux rather than risk getting caught on Windows. The Securonix team was able to gain access to the Tiny Linux virtual image and give us a complete breakdown of the tools. Note to attackers: Please keep leaving your shell history commands in tact so we can all see what commands you ran prior to deployment!

The researchers behind this post get a round of applause! For many reasons:

• They worked hard to setup a lab environment and get devices communicating to each other
• They worked with the protocol enough to replicate registration with a Python script
• Pulled the chip off the hardware to read the SPI flash
• Ran into encryption of the firmware, both the file system and the kernel (!)
• Got the decryption figured out
• Diffed the patches to find the vulnerability

Ultimately they were not able to create a PoC. However, the research is valuable to the community. Some may not have even posted the information if they didn't create a PoC. So glad they posted anyway!

Keep in mind this requires authentication...

This is hacking at its finest, I love it!

I think we all have favorite movies that are so bad they are actually good. Cult classics that you enjoy watching, but perhaps not everyone enjoys watching them 117 times as you do. For me, that movie is How High (2001), don't judge me! There is a scene in the movie where Method Man says: "You Predicted that S**t". Well, here's a story where I believe I predicted that as hacked TP-Link routers are being used in a botnet to conduct password-spraying attacks. Pretty much in the same way I described in my 2010 BruCon talk (https://www.youtube.com/watch?v=CrHifNseIMQ). Now, I don't want to pat myself on the back, quite the contrary. I am displeased that we have not secured IoT devices and allowed this to happen. We can do better.

This is such a great post, and I am glad it is available now (last week, it disappeared from the Internet). Now that it's back, we get to talk about nerd sniping, the cool stuff being done by Greynoise, and crappy security on PTZ cameras exposed to the Internet. You get the full details in this post. Unsurprisingly, both authentication bypass and command injection vulnerabilities exist and are being exploited by attackers.

I'm not really interested in the purported Schneider Electric breach (I think they are great company). I would like to discuss the hilarity of paying a ransom in baguettes. Also, there is this: "However, the hacker(s) indicated, that should Schneider publicly admit to this latest data breach, the ransom would be cut in half. Thus, the ransom demanded would decrease to $62,500 worth of baguettes, we would presume. Even with a 50% deduction, that’s still a lot of dough." - Thanks to Aaron for pointing out this story. Also, Tom's Hardware is on point with the dough comment.

I want to discuss this in particular: "With the rise in cyberattacks, the pressure to stay ahead of these threats is intense. This leads to what some call “Zero-Day FOMO” — a unique fear among cybersecurity teams of missing out on detecting or defending against the next big exploit. It’s a blend of excitement, pressure, and, yes, stress, as defenders aim to stay one step ahead in an unpredictable game of digital cat and mouse." - Is this really a thing? Why is it a thing? Should it be a thing?

After a bad work break-up, Disney did not change credentials to their menu system. Then this happened: "Disney discovered some time later that it had suffered a security breach, and uncovered that several changes had been made to its menu creation software. These included the changing of all fonts in the app to the Windings symbols font which made all of the menus unusable, the redirection of QR codes to a website calling for a boycott of Israel, and the potentially dangerous removal of allergy information. As a consequence, Menu Creator was unusable for 1-2 weeks and manual processes had to be introduced by Disney to create menus for its restaurants." - While some of the activity is hilarious, some is hactivism, the altering of allergy information is dangerous. I don't agree with any of it, but do want to point out the Wingdings font is hilarious. Oh, there was also the DoS attack: "Beginning August 29 2024, 14 Disney employees found themselves blocked from accessing their accounts by a denial-of-service attack which used an automated script to attempt 100,000 logins - causing the accounts to lockdown." This attack was specifically targeting Disney employees he had beef with. But then, it gets even creepier as the former employee visited the home of one of the Disney employees, who for safety reasons stayed in a hotel shortly thereafter. The only good news: "Scheuer remains in federal custody awaiting his motion hearing for bond on 5 November 2024. " - Something tells me that once the judge sees the Ring doorbell footage he may not be eligible for bail.

Even though 90% of organizations have unfilled positions or underskilled workers on their cybersecurity teams, hiring for those jobs has, for the first time in six years, ground to a halt. A full 67% of respondents to the ICS2 survey cited budget as their top cause for staffing shortages, replacing last year's No. 1 cited reason for empty positions, which was a lack of qualified talent.

More than 500 Amazon workers reportedly signed a letter to Amazon Web Services' (AWS) CEO this week, sharing their outrage over Amazon's upcoming return-to-office (RTO) policy that will force workers into offices five days per week. In September, Amazon announced that starting in 2025, workers will no longer be allowed to work remotely twice a week.

Numerous VMware customers I spoke with said their VMware costs rose 300 percent after Broadcom's takeover. Some companies have cited even higher price hikes—including AT&T, which claimed that Broadcom proposed a 1,050 percent price hike. This will force small and medium-sized business to migrate to another solution, while large customers will probably just accept paying more.

For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with a single network of vulnerability researchers in Chengdu, China. Sophos researchers even eventually obtained from the hackers' test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls' low-level code used to boot up the devices, a trick that has never been seen in the wild.

Several widely-used apps have been found to contain hardcoded and unencrypted cloud service credentials within their codebases, including Amazon Web Services (AWS) and Microsoft Azure Blob Storage credentials.

A Russian court has ruled that Google owes Russian media stations around $20 decillion in fines for blocking their content. The court imposed a fine of 100 thousand rubles ($1,025) per day, with the total fine doubling every week.

Modern infostealers are so powerful that a download of an innocent-looking piece of software by a single person can lead to a data breach at a multibillion-dollar company. The article doesn't discuss ways to protect companies, but I think the best one is zero-trust solution like Zscaler.

Phishing emails include a large 285MB ZIP archive to install a Linux VM with a pre-installed backdoor. Since QEMU is a legitimate tool that is also digitally signed, Windows does not raise any alarms about it running, and security tools cannot scrutinize what malicious programs are running inside the virtual machine.

The vulnerability is fixed now, but Okta said that for three months it could’ve been used to access accounts with usernames stretching at least 52 characters long.

Israel-based Corsight AI has a new service aimed at rooting out what the retail industry calls “sweethearting,”—instances of store employees giving people they know discounts or free items. “When someone is planning a sweethearting theft, they will always go to the same cashier, which is most of the time a relative of theirs, and this is an anomaly in the behavior compared to the other customers. Our system is able to identify this anomaly and alert on that.”

A disgruntled former Disney employee changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings. He did this using passwords that he still had access to on several different systems. How can Disney be using shared passwords these days? Is this a failure of PCI compliance?