Security News – PSW #853
Bootkitties and Linux bootkits, Canada realizes banning Flippers is silly, null bytes matter, CVE samples, how dark web marketplaces do security, Perl code from 2014 and vulnerabilities in needrestart, malware in gaming engines, the nearby neighbor attack, this week in security appliances featuring Sonicwall and Fortinet, footguns, and get it off the freakin public Internet!
- 1. DeepSeek AI: From Prompt Injection To Account Takeover · Embrace The Red
- 2. Mantra Information Security
- 3. Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON
- 4. CVE-2024-48651: ProFTPD Vulnerability Grants Root Access to Attackers
- 5. Over-the-Air Vulnerabilities in Advantech EKI Access Points Put Industrial Networks at Risk
- 6. CVE-2024-11980 (CVSS 10): Critical Flaw in Billion Electric Routers
- 7. CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon
- 8. CISA Weekly Bulletins FOIA Results
- 9. From Guardian to Gateway: The Hidden Risks of EDR Vulnerabilities
- 10. Introducing NachoVPN: One VPN Server to Pwn Them All
- 11. Spoofing via CVE-2024-49040
- 12. NVIDIA/garak: the LLM vulnerability scanner
- 13. Maldev-Academy/EmbedPayloadInPng: Embed a payload inside a PNG file
- 14. Fwupd 2.0.2 Firmware Updater Adds Support for ASUS ROG Ally, Raspberry Pi Pico – 9to5Linux
- 15. Exploring the DOMPurify library: Bypasses and Fixes
- 16. Salamander/MIME – Lutra Security
- 17. Unpatched Remote Code Execution in Gogs
- 18. FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
- 19. New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure
"As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs)." - Can we just not put these on the open Internet? What's missing that allows this to happen? Lack of resources? Lack of skills? VPNs are still too complex? Do we need to fund an organization that monitors the Internet for exposed critical infrastructure and reports it to the responsible parties and/or ISPs?
- 20. Insecure Deserialization Vulnerability (CVE-2024-8069) in Citrix Session Recording
- 21. Spelunking in Comments and Documentation for Security Footguns
I love this so much: "All of the behaviors that I talked about here have never had any CVEs assigned. But should they even have had one assigned? The issue is that a lot of these behaviors aren’t necessarily a security vulnerability in itself, but in just the right context and usage they very well may be. A lot of these behaviors can also be avoided by reading the code and understanding the limitations or unique behaviors." - Features that make it easy for developers to make mistakes that lead to security incidents are often overlooked. If we can clean this up, we will end up with fewer software defects.
- 22. Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
Linux malware and attacker techniques continue to be really uninteresting, yet they work!
- 23. Bootkitty and Linux Bootkits: We’ve Got You Covered
The link here goes to my full article on Bootkitty (including a list of references to more technical analysis and many other resources on the topic). Here are my key points:
- This was not malware being used by threat actors, turns out it was developed by students in South Korea as part of a research project
- It uses the LogoFAIL vulnerability to get around UEFI Secure Boot (basically copies a MOK so the bootloader and kernel pass verification)
- There were at least two samples floating around, one got labeled "IranuKit" and the other "Bootkitty"
- UEFI bootkits targeted at Linux could use any number of vulnerabilities to bypass Secure Boot
- Bootkitty changes the bootloader on disk, which is easy to detect and recover from (your bootloader should not change that often)
- While you should enable Secure Boot it can be complicated on Linux (especially if you are not using shim). I want to experiment with enabling Linux kernel verification, which basically verifies the kernel drivers and can be run as part of Secure Boot (common) or independent of Secure Boot (less common)
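Since the point above is that an on-disk bootloader swap is easy to spot if you look, here is an added example (mine, not from the Bootkitty article or any of the referenced analyses) that baselines the SHA-256 of every file on the EFI System Partition and diffs it later. `ESP_DIR` and `BASELINE` are assumptions; point them at your mounted ESP (usually /boot/efi) and at a location the box cannot quietly rewrite. The `demo()` fixture is constructed so the script runs without a real ESP.

```python
"""Added example (not part of the article or the Bootkitty analyses): take a
SHA-256 baseline of everything on the EFI System Partition and diff it later,
so a replaced shim/GRUB/kernel stub is noticed. ESP_DIR and BASELINE are
assumptions; on a real host point them at the mounted ESP (often /boot/efi)
and at a location the box itself cannot rewrite."""
import hashlib
import json
import tempfile
from pathlib import Path

ESP_DIR = "/boot/efi"                     # assumption: where the ESP is mounted
BASELINE = "/var/lib/esp-baseline.json"   # assumption: keep a copy off-box as well


def hash_tree(root) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(root, baseline_path) -> None:
    Path(baseline_path).write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def compare_to_baseline(root, baseline_path) -> dict:
    """Return the files whose content changed, appeared, or vanished since the baseline."""
    baseline = json.loads(Path(baseline_path).read_text())
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed fixture: a fake ESP, a baseline, then a bootkit-style swap of GRUB."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp, "esp")
        loader_dir = esp / "EFI" / "ubuntu"
        loader_dir.mkdir(parents=True)
        (loader_dir / "shimx64.efi").write_bytes(b"shim build 1")
        (loader_dir / "grubx64.efi").write_bytes(b"grub build 1")
        baseline = Path(tmp, "esp-baseline.json")
        save_baseline(esp, baseline)
        (loader_dir / "grubx64.efi").write_bytes(b"patched grub")   # replaced bootloader
        (loader_dir / "bootkit.efi").write_bytes(b"extra stage")     # dropped file
        return compare_to_baseline(esp, baseline)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and sys.argv[1] == "baseline":
        save_baseline(ESP_DIR, BASELINE)
    elif len(sys.argv) == 2 and sys.argv[1] == "check":
        print(json.dumps(compare_to_baseline(ESP_DIR, BASELINE), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `baseline` once after a known-good install and `check` from cron; a diff right after a shim/GRUB/kernel package upgrade is expected, so refresh the baseline then. Root on the box can rewrite the baseline file too, which is why the copy should live elsewhere (or be signed). Because the LogoFAIL path abuses the MOK list rather than the files, pair this with a review of `mokutil --list-enrolled` for certificates you did not put there.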
- 24. Sonicwall Firmware Deep Dive – Part 1
I am interested in this entire series, but only Part 1 is available and covers how to decrypt the SWI file format used by Sonicwall on a couple of their products. Most of the products use a format called SIG, which was not covered. Everyone knows how I feel about encrypted firmware. I don't like how we are forced into trusting security appliances by vendors that are locking customers out of the underlying components. We need ways to validate these components and monitor them.
- 25. Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762
This is a very detailed post, I will leave it to the reader to consume all of the technical details about the discovery and exploitation of a memory corruption vulnerability. The last part was super thought provoking: "This was another case of a network / security appliance having a pretty serious memory corruption vulnerability. It's also far from the first for FortiGate. As is often the case with these issues the mitigations are known, it's just whether or not they are applied. Stack canaries were present, but ASLR was not. It seems like a lot of effort has been spent on preventing access to the filesystem; setting up the debugger was a significant portion of the time spent on this vulnerability. Would that effort be better spent on auditing and hardening the applications themselves?" - I have several thoughts:
- This is yet another network/security appliance with a memory corruption vulnerability, a vulnerability class we've known about from the beginning of time, yet so prevalent in appliances.
- Mitigations were not applied as ASLR was not present (we know how to reduce the risk of exploitation, but we don't do it).
- The firmware was trying to protect itself from reverse engineering, yet the underlying code has vulnerabilities and missing protections. This speaks to companies putting more effort into protecting their IP than providing a secure product to their customers. The incentives are so backwards here and this is a huge problem.
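If you do get a firmware image unpacked, the two mitigations the post calls out (stack canaries present, ASLR absent) can be checked in a few lines. This is an added example of my own, not code from the write-up, and the ELF headers below are constructed samples rather than anything from a FortiGate image.

```python
"""Added example (not from the FortiGate write-up): triage an unpacked firmware
binary for the two mitigations the post discusses, PIE (the prerequisite for
ASLR of the main image) and stack canaries. The ELF samples are constructed
headers, not vendor binaries."""
import struct

ET_EXEC, ET_DYN = 2, 3


def parse_elf_header(data: bytes) -> dict:
    """Read class, byte order, e_type and e_machine from an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"bits": 32 if data[4] == 1 else 64, "endian": endian,
            "e_type": e_type, "e_machine": e_machine}


def is_pie(data: bytes) -> bool:
    """An executable linked as ET_DYN is position-independent, so ASLR can move it.
    (ET_DYN is also what shared libraries use; call this on the main program.)"""
    return parse_elf_header(data)["e_type"] == ET_DYN


def has_stack_protector(data: bytes) -> bool:
    """-fstack-protector leaves a reference to __stack_chk_fail in the image.
    Presence means some functions are instrumented, not necessarily all of them."""
    return b"__stack_chk_fail" in data


def triage(data: bytes) -> dict:
    return {"pie": is_pie(data), "stack_protector": has_stack_protector(data)}


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage(f.read())


def _fake_elf64(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian x86-64 header; only the fields we read matter."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + rest


# Constructed samples: one built the way a hardened daemon should be, one not.
SAMPLE_HARDENED = _fake_elf64(ET_DYN) + b"\x00__stack_chk_fail\x00"
SAMPLE_WEAK = _fake_elf64(ET_EXEC)

if __name__ == "__main__":
    print("hardened:", triage(SAMPLE_HARDENED))
    print("weak:    ", triage(SAMPLE_WEAK))
```

`readelf -h` and `checksec` tell you the same thing on a real extract; the point is that this takes minutes, so a vendor has no excuse not to run it in CI. PIE is necessary but not sufficient: the kernel on the appliance also has to have `kernel.randomize_va_space` enabled, otherwise addresses stay stable across runs and a canary alone does not stop a partial-overwrite style exploit.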
- 26. The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
Oh, this is exciting! It played out exactly how Larry and I envisioned this attack happening quite some time ago (probably over beers). This being:
- Attackers are going after Organization A, but Organization A's public facing services require MFA. Perhaps they already have valid credentials from password spraying and MFA bypass is difficult.
- Organization A's Wifi network does not require MFA (and uses the same enterprise credentials).
- Attackers then find nearby organizations that are within Wifi range of Organization A and begin to compromise systems looking for computers that have both Wired and Wifi adapters
- Once such a system is found, the attackers configure the Wifi adapter to connect to Organization A's Wifi network and authenticate. Attackers are now on the internal network.
It is important to note this: At no time are the attackers in physical proximity to Organization A!
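The trace this leaves is a valid user authenticating to the Wi-Fi from a device the organization does not own. Here is an added example (mine, not from the Volexity report) that flags successful enterprise Wi-Fi logins from MACs missing from an asset inventory. The log format and inventory are constructed stand-ins; map the fields to your RADIUS/NPS/ISE export (Calling-Station-Id is the standard RADIUS attribute carrying the client MAC).

```python
"""Added example (not from the Volexity report): flag successful enterprise
Wi-Fi authentications from devices that are not in the asset inventory, the
signal a nearest-neighbor style intrusion leaves behind. The log line format
and the inventory are constructed stand-ins."""
import re
from collections import defaultdict

# Constructed format: one RADIUS result per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-Accept|Access-Reject) user=(?P<user>\S+) "
    r"calling-station-id=(?P<mac>\S+) nas=(?P<nas>\S+) ssid=(?P<ssid>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Accept AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_events(lines):
    """Yield parsed events; lines that do not match the format are ignored."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["mac"] = normalize_mac(ev["mac"])
            yield ev


def unknown_device_logins(lines, inventory) -> dict:
    """Per user: (timestamp, mac, nas) of every successful login from a MAC not in inventory."""
    known = {normalize_mac(m) for m in inventory}
    hits = defaultdict(list)
    for ev in parse_events(lines):
        if ev["result"] == "Access-Accept" and ev["mac"] not in known:
            hits[ev["user"]].append((ev["ts"], ev["mac"], ev["nas"]))
    return dict(hits)


# Constructed sample data: two managed laptops, then jdoe's password used from a stranger.
SAMPLE_LOG = """
2024-11-22T08:01:10Z Access-Accept user=jdoe calling-station-id=AA-BB-CC-00-11-22 nas=wlc-01 ssid=CorpWiFi
2024-11-22T08:15:42Z Access-Accept user=asmith calling-station-id=aa:bb:cc:00:11:33 nas=wlc-01 ssid=CorpWiFi
2024-11-22T23:47:05Z Access-Accept user=jdoe calling-station-id=1234.5678.9abc nas=wlc-02 ssid=CorpWiFi
2024-11-22T23:49:18Z Access-Reject user=jdoe calling-station-id=1234.5678.9abc nas=wlc-02 ssid=CorpWiFi
""".strip().splitlines()
INVENTORY = ["aa:bb:cc:00:11:22", "AA-BB-CC-00-11-33"]   # MACs of managed laptops


if __name__ == "__main__":
    for user, events in unknown_device_logins(SAMPLE_LOG, INVENTORY).items():
        for ts, mac, nas in events:
            print(f"{ts} {user} authenticated from unmanaged device {mac} via {nas}")
```

Time of day and which controller accepted the session are worth adding as signals, but the structural fix is the one the bullets above imply: if the Wi-Fi accepts the same password that VPN protects with MFA, move it to device certificates (EAP-TLS) so a credential sprayed from the Internet is useless on a neighbor's laptop.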
- 27. Gaming Engines: An Undetected Playground for Malware Loaders – Check Point Research
Check Point Research has uncovered a malware loader it calls GodLoader that abuses the open-source Godot game engine to deliver malicious payloads. The technique has remained largely undetected since June 2024, potentially infecting over 17,000 machines, with the Stargazers Ghost Network used for distribution. The malware employs various anti-sandbox and anti-VM techniques, adds the entire C: drive to Microsoft Defender exclusions, and downloads additional payloads including XMRig (a cryptocurrency miner) and RedLine (an information stealer). It should be noted that the engine is cross-platform and that the malicious payloads were not detected by any anti-malware solution at the time.
- 28. GitHub – xairy/lights-out: Tools for controlling webcam LED on ThinkPad X230
Creepy: "This repository contains tools that allow getting software control of the webcam LED on ThinkPad X230 without physical access to the laptop. These were created as a practical demonstration that malware can record video through the webcam without the LED indication."
- 29. Qualys Security Advisory LPEs in needrestart
I love this: "While idly watching an "apt-get upgrade" of one of our Ubuntu Servers, we noticed a message that we had never noticed before: "Scanning processes..." We immediately wondered: What is printing this message? Is it scanning userland processes? As root? Even processes that do not belong to root? We quickly found out that this message is printed by needrestart, a tool that scans the userland for processes that need to be restarted after a package installation, upgrade, or removal. Naturally, needrestart scans all userland processes as root, including unprivileged user processes; i.e., possibly attacker-controlled processes." - Turns out needrestart is a Perl script from 2014 and is included in every Ubuntu server installation since 21.04. Outstanding work by the Qualys research team! I really like how they observe what are to most benign things and turn them into something we have to worry about. We've all seen the message that tells you a reboot is required, and usually just curse because we have to reboot at some point. I would not have guessed that the processes behind this are Perl code dating back to 2014. Welcome to the world of open-source!
- 30. Paged Out! – Nov 5 Edition
I miss E-Zines, this one is pretty good.
- 31. Attacking hypervisors – A practical case
Good to see VM breakouts are still a thing. This research looks most excellent.
- 32. The fascinating security model of dark web marketplaces
A key aspect of these security models is the avoidance of JavaScript to prevent vulnerabilities and fingerprinting. Instead, innovative CAPTCHA systems are employed that function without JavaScript, such as image-based challenges where users identify specific patterns. Additionally, these marketplaces implement PGP-based two-factor authentication, requiring users to decrypt messages with their private keys, ensuring that only authorized individuals can access accounts and that users are proficient with encryption tools.
To combat phishing, these platforms emphasize user vigilance by displaying anti-phishing messages and providing PGP-signed mirror lists to verify legitimate URLs. The article highlights the continuous adaptation and learning from past failures, leading to more robust security protocols in current dark web marketplaces.
- 33. Don’t Be a CVE Dummy
I was today-years-old when I learned there are CVE ids designated for using as samples.
- 34. GreyNoise Labs – Null problem! Or: the dangers of an invisible byte
The article discusses CVE-2021-32030, an authentication bypass vulnerability in ASUS GT-AC2900 devices, which exploits a null byte issue. A security researcher's proof-of-concept was misinterpreted, leading to widespread attempts with an ineffective exploit. Over 379,000 hits were observed on honeypot fleets, all using the incorrect payload. This situation highlights the importance of understanding low-level programming concepts and properly validating exploit code before use. It also raises questions about categorizing ineffective but malicious exploit attempts and emphasizes the need for ongoing education in cybersecurity. The case serves as a reminder of the potential risks in copy-pasting exploit code without proper understanding and the responsibilities of contributors to open-source security tools.
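To make the "invisible byte" concrete, here is an added example of my own (not code from the GreyNoise post): what a NUL looks like once an exploit gets copied between tools, how C-style string handling sees it, and a classifier you can run over honeypot captures to separate a working payload from the mangled one. The HTTP requests are constructed and no real device behaviour is modelled.

```python
"""Added example (not from the GreyNoise post): the forms a NUL byte takes once
an exploit is copied around, and a classifier for honeypot captures that tells
a real NUL from the text of an escape sequence. Requests below are constructed."""
from urllib.parse import quote, unquote_to_bytes


def c_string(buf: bytes) -> bytes:
    """What strlen/strcmp-style code sees: the bytes up to the first 0x00."""
    end = buf.find(b"\x00")
    return buf if end < 0 else buf[:end]


def classify_nul(raw: bytes) -> str:
    """Was a real NUL sent, a percent-encoded one, or just the characters of an escape?"""
    if b"\x00" in raw:
        return "real-nul"
    if b"%00" in raw:
        return "percent-encoded"        # decoded by the server only where URL decoding applies
    if b"\\0" in raw or b"\\x00" in raw:
        return "escape-as-text"         # backslash and digit: the copy-paste mistake
    return "none"


def percent_encode(value: str) -> str:
    """Portable way to carry a NUL through tools that cannot type one: "\\0Invalid" -> "%00Invalid"."""
    return quote(value, safe="")


# Constructed requests: what the PoC author meant vs. what a copy-paster sent.
REQ_REAL_NUL = b"GET /login HTTP/1.1\r\nHost: target\r\nCookie: session=\x00Invalid\r\n\r\n"
REQ_MANGLED = b"GET /login HTTP/1.1\r\nHost: target\r\nCookie: session=\\0Invalid\r\n\r\n"


def compare() -> dict:
    real = b"\x00Invalid"       # 8 bytes, first one is 0x00
    mangled = b"\\0Invalid"     # 9 printable bytes, no NUL anywhere
    return {
        "real_len_python": len(real),
        "real_len_c": len(c_string(real)),          # C stops at byte 0: empty string
        "mangled_len_c": len(c_string(mangled)),    # C sees the whole literal
        "real_request": classify_nul(REQ_REAL_NUL),
        "mangled_request": classify_nul(REQ_MANGLED),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
    print(percent_encode("\0Invalid"), unquote_to_bytes(percent_encode("\0Invalid")))
```

The lesson for anyone maintaining exploit modules: a `\0` inside a source-code string literal is one byte, but the same four characters pasted into a shell, a YAML file or a web form are two. When you need the byte to survive a trip through such tools, percent-encode it where the target decodes URLs, or build the request as bytes as above.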
- 1. FBI Warns iPhone And Android Users—Stop Sending Texts
FBI and CISA, the US cyber defense agency, are warning Americans to use responsibly encrypted messaging and phone calls where they can. The backdrop is the Chinese hacking of US networks that is reportedly “ongoing and likely larger in scale than previously understood.”
- 1. Hackers use macOS extended file attributes to hide malicious code
- 2. Making Sense Of Real-Time Operating Systems In 2024
- 3. vx-underground on X: “Yesterday Banshee Stealer, the MacOS-based Malware-as-a-Service infostealer, had their source code leaked online. As a result of the leak they’ve shut down their operations. We’ve archived the leak and made it available for download on GitHub. https://t.co/5RHeEYWYth”
- 4. Canada Walks Back Ban of Flipper Zero, Targets ‘Illegitimate’ Use Cases
- 5. Accused Kitchener hacker unmasked after threatening woman online
- 6. ‘Bootkitty’ First Bootloader to Take Aim at Linux
- 7. Solana Web3.js Library Compromised in Targeted Supply Chain Attack – Decrypt
- 8. Vodka maker Stoli says August ransomware attack contributed to bankruptcy filing
- 9. Another CA Fails the Turing Test?