Not-So-Secure Boot – Rob Allen – PSW #868
Rob Allen, Chief Product Officer at ThreatLocker, joins us for an interview segment on using AI in security products: what works and what's not fully baked! Then in the security news: there are more holes in your boot...loader according to Microsoft, related: Secure Boot is in danger and no one is really talking about it (still), Dear Microsoft: I don't want to send you my data, I don't grant you remote access, and I don't want to create a MS account, CrushFTP has to crush some bugs, bypassing unprivileged user namespace restrictions, FBI raids, attackers using your GPU, Find My anything, protecting GlobalProtect, the exploits will continue until things improve, your call records were not protected, good vs. bad drivers, AI is hacking AI, time traveling attacks, and a bizarre call for security researchers.
This segment is sponsored by ThreatLocker. Visit https://www.securityweekly.com/threatlocker to learn more about them!
Announcements
Security Weekly listeners save $100 on their RSAC Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Adrian Sanabria, host of Enterprise Security Weekly, will be running a panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join him for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF.
Guest
Rob Allen is an IT professional with almost two decades of experience assisting small and medium enterprises to embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by MSPs and their customers today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries. Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from, cyber and ransomware attacks. Rob joined the ThreatLocker team in 2021, excited at the prospect of building new relationships and helping deliver ThreatLocker® enterprise-level security products to customers throughout the EMEA region.
Hosts
- 1. Analyzing open-source bootloaders: Finding vulnerabilities faster with AI
I think it's great that we are using AI to find vulnerabilities; this is important research to keep advancing. I also like how Microsoft is being a good citizen and finding bugs in open-source software. Are they doing this out of the goodness of their heart? Based on some recent podcast conversations with Katemo, absolutely not. Katie described the situation, based on her experience, as basically "Microsoft will be blamed for security issues that are not Microsoft's fault, so why not just help fix them?". In other words, when there are security issues with bootloaders and Secure Boot, many will blame Microsoft. Microsoft is continuing to discover vulnerabilities in bootloaders (the first one was Black Hat last year, Bill Demirkapi's presentation).
The problem we have now: This means Secure Boot is useless on all Linux distributions, today, like right now. Here's what has not yet happened:
- Backporting the patches in Grub into the Linux distro's version (and/or building a new version of Grub and slapping a new version number on it). Check your distro: grub is probably on version 2.12, which is vulnerable. Check the release date; if it's from last year, they haven't backported any fixes.
- Next step is to update the SBAT. DBX is being phased out in favor of SBAT. Of course, this is complicated by shim, the first-stage bootloader that can validate or invalidate the next-stage bootloader (grub). Point being, you have to enforce a policy in Secure Boot that tells it not to run vulnerable versions of grub.
- For Windows systems, could I bring my own vulnerable grub bootloader? Sure, but I have to change the boot settings and tell it to use grub, exploit a vulnerability, then do whatever I want (like disable Secure Boot). But then I have to put the boot settings back, somehow. This requires a little more research. What would stop all of this? An SBAT policy on Windows, as I discussed last week.
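The SBAT check described above, as an added example (not code from the show notes, shim or grub): it parses the `.sbat` CSV section of a bootloader and compares each component's generation number against an SBAT revocation policy, the way shim decides whether a grub build is still allowed to run. Both the grub section and the policy below are constructed samples; the distro component name and the policy date are assumptions.

```python
"""Evaluate a bootloader's .sbat section against an SBAT revocation policy.

Added example, not shim's or grub's own code. The sample .sbat content and
the policy are constructed for illustration.
"""
import csv
import io

# Constructed .sbat section as embedded in a grub EFI binary. One component
# per line: component,generation,vendor,package,version,url
SAMPLE_GRUB_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.exampledistro,1,Example Distro,grub2,2.12-1,https://example.invalid/grub
"""

# Constructed SbatLevel-style revocation policy: component,minimum generation.
# The first line is the policy's own version stamp (the date is made up).
SAMPLE_POLICY = """sbat,1,2025010100
shim,4
grub,3
"""


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV; extra columns are ignored."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue
        entries[row[0].strip()] = int(row[1].strip())
    return entries


def revoked_components(binary_sbat, policy):
    """List (component, have, required) for every component whose generation is
    below the policy minimum. Components absent from the policy are unrestricted;
    policy components absent from the binary are ignored, as shim only checks
    what the binary actually declares."""
    have = parse_sbat(binary_sbat)
    want = parse_sbat(policy)
    return sorted(
        (name, have[name], want[name])
        for name in have
        if name in want and have[name] < want[name]
    )


def is_bootable(binary_sbat, policy):
    """True when no component of the binary is revoked by the policy."""
    return not revoked_components(binary_sbat, policy)


if __name__ == "__main__":
    for comp, have, need in revoked_components(SAMPLE_GRUB_SBAT, SAMPLE_POLICY):
        print(f"REVOKED: {comp} generation {have} < policy minimum {need}")
    print("bootable:", is_bootable(SAMPLE_GRUB_SBAT, SAMPLE_POLICY))
```

To run this against a real binary, dump the section with `objcopy -O binary --only-section=.sbat grubx64.efi sbat.csv`; a grub build whose `grub` generation is below the policy's minimum is exactly the "vulnerable version still allowed" case the notes describe.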
- 2. Microsoft tests new Windows 11 tool to remotely fix boot crashes
I am uncomfortable with this: "When enabled and a new driver or configuration change prevents Windows 11 from properly starting, the operating system will boot into the Windows Recovery Environment and automatically launch the Quick Machine Recovery Tool. This tool will connect to the Internet through ethernet or Wi-Fi and send crash data to Microsoft's servers. Based on the analysis of this data, Microsoft can remotely apply fixes such as removing problematic drivers or updates and changing configuration settings." - First, there could be sensitive data in the crash dump. Second, I don't want Microsoft remotely doing anything to my system(s). Also, this comes on the heels of Microsoft requiring accounts:
- https://www.tomshardware.com/software/windows/microsoft-eliminates-workaround-that-circumvents-microsoft-account-requirement-during-windows-11-installation - "The Windows 11 installer is being tightened to force more users to set up the OS with a Microsoft Account. An official blog post accompanying the latest Insider Preview Build 26200.5516 stated that “we’re removing the bypassnro.cmd script.” The reasoning behind this change, according to Microsoft, is that insisting on a Microsoft Account will enhance Windows 11 security and the user experience."
I don't want to create an account to install an operating system. While Apple does not force you to have or create an Apple ID to install the OS or apply OS software updates, it does require an account for things such as App Store app installs and updates and any services in iCloud. So you miss out on a bunch of features that represent reasons why you'd choose macOS. I said all that without mentioning Linux once, ha!
- 3. Anatomy of an LLM RCE
- 4. Blasting Past Webp
- 5. CrushFTP CEO flames VulnCheck for assigning critical CVE
This is a hot mess. CrushFTP did not file for a CVE, so VulnCheck did. Words were exchanged. It's a critical vulnerability (see my other article for more details). If you are not going to file a CVE for your own software, someone else might. Don't be bent out of shape about it. In fact, filing a CVE looks good for the software company; now your customers and the rest of the world can track the vulnerability more easily. The pitch is that you are helping your customers. If you are a customer, don't be upset if the software has vulnerabilities, everyone does; it's all about how you handle them...
- 6. NVD – CVE-2025-2825
CrushFTP CVE filing
- 7. CrushFTP Authentication Bypass – CVE-2025-2825 — ProjectDiscovery Blog
Details on the CrushFTP authentication bypass vulnerability.
- 8. CCleaner Local Privilege Escalation Vulnerability on macOS
Neat escalation bug in CCleaner on macOS. Privileges will continue to be abused until morale improves. PoC included.
- 9. Three bypasses of Ubuntu’s unprivileged user namespace restrictions
Two different namespaces exist today in Linux, privileged and unprivileged. Docker containers use privileged namespaces, while Flatpak uses unprivileged ones to create application containers. While namespaces provide security controls, the unprivileged ones expose parts of the Linux kernel that expose MORE attack surface. According to the Internet: "44% of Linux privilege escalation exploits involve unprivileged user namespaces".
Here is an LLM summary of the Qualys findings (may not be accurate): The Qualys report details three ways attackers could circumvent these restrictions:
- aa-exec Exploit - Method: Abusing Ubuntu’s aa-exec tool (used to launch processes under AppArmor profiles) to execute code in an AppArmor profile that still allows unprivileged namespaces. Impact: Lets attackers create namespaces even when default policies block them, enabling privilege escalation.
- busybox + Kernel Flaw - Method: Using busybox (a common utility) to exploit a kernel bug in Ubuntu’s patched restrictions. The kernel incorrectly allowed certain operations in namespaces created via busybox. Impact: Grants full administrative control within the namespace, bypassing Ubuntu’s safeguards.
- OverlayFS Vulnerability - Method: Combining unprivileged namespaces with a flaw in OverlayFS (a filesystem used in containers). Attackers could write files to restricted directories by abusing namespace isolation. Impact: Enables unauthorized file modifications, leading to system compromise.
- 10. FBI raids home of prominent computer scientist who has gone incommunicado
This is pretty crazy: "Wang's email account, phone number, and profile page at the Luddy School were quietly erased by his employer. Over the same time, Indiana University also removed a profile for his wife, Nianli Ma, who was listed as a Lead Systems Analyst and Programmer at the university's Library Technologies division...a small fleet of unmarked cars driven by government agents descended on the Bloomington home of Wang and Ma on Friday. They spent most of the day going in and out of the house and occasionally transferred boxes from their vehicles. TV station WTHR, meanwhile, reported that a second home owned by Wang and Ma and located in Carmel, Indiana, was also searched."
- 11. CoffeeLoader: A Brew of Stealthy Techniques
Interesting: "The shellcode unpacks code that executes a decryption routine on a system’s GPU. The code uses the OpenCL library so there are no external dependencies or specific GPU hardware requirements. The implementation is likely based on an open source proof-of-concept."
- 12. Protecting Android, Windows, and Linux devices against being tracked via the Find My network
This is a really cool attack:
- They install malware on a computer, phone, or some other device running Android, Windows, or Linux, and check the Bluetooth adapter address.
- The attackers’ server receives the information and uses powerful video cards to generate a pair of encryption keys specific to the device’s Bluetooth address and compatible with Apple’s Find My
- The public key is sent back to the infected device, and the malware then starts transmitting a Bluetooth message that mimics AirTag signals and includes this key.
- Any nearby Apple device connected to the internet receives the Bluetooth message and relays it to the Find My
- The attackers’ server uses the private key to request the location of the infected device from Find My and decrypt the data.
Research is here: https://nroottag.github.io/ - "Tracking You from a Thousand Miles Away! Turning a Bluetooth Device into an Apple AirTag Without Root Privileges" - We may have covered this in the past, perhaps before all the details were available as Apple did release a fix late last year.
- 13. Brushing Up on Hardware Hacking Part 3 – SWD and OpenOCD
This is a great 3-part series on hardware hacking and debugging interfaces. Saving this for later.
- 14. Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats
"GreyNoise has observed a significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation." - The last time I counted there were roughly 90,000 GlobalProtect interfaces exposed to the Internet on Shodan. Looks like attackers want to find ALL the GlobalProtect interfaces on the Internet, though I'm not certain they would find many more than Shodan is reporting currently. Why are these exposed to the Internet? It's actually smart on the attackers' part, because if you want users to access the VPN gateways you have to expose the web service to the Internet.
Here are some recommendations:
- Review your GlobalProtect logs and conduct a threat hunt. Why? Because it's too late, malicious actors already found your GlobalProtect instances on the Internet, so we have to check for compromise.
- Make sure you patch - Super important, post-threat hunt, patch your systems
- Moving forward - implement attack surface management to find all of these instances, then check them for vulnerabilities. Do this continuously and try to stay ahead of the threat actors.
- Make sure all accounts have MFA enabled
- Continue to monitor the logs on your devices - I'm not sure how well this actually works, logs are hit or miss.
- I could not find a malware detection/removal tool from Palo Alto. Juniper makes one for its products. If available, this is good to have, however, the limitation is that these are platform specific. There are just no great tools to dive into security appliances, and you've all heard my rant on this before so I will spare you, this time.
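One way to start the log review and threat hunt recommended above, as an added example (not code from the show notes, GreyNoise or Palo Alto Networks): it reads an exported table of GlobalProtect portal authentication events, flags the distributed login scanning pattern (many source IPs, each with a few failures against common usernames) and, more importantly, any successful login from a source that was part of that failure set. The log rows are constructed and the column layout is an assumption, not PAN-OS's exact export format.

```python
"""Threat hunt over GlobalProtect portal auth events.

Added example; the log export below is constructed and its columns
(time,event,src_ip,user,status) are an assumed simplification of a
PAN-OS GlobalProtect log export, not the vendor's exact format.
"""
import csv
import io
from collections import defaultdict

SAMPLE_LOG = """time,event,src_ip,user,status
2025-03-30T01:00:01,portal-auth,203.0.113.10,admin,failure
2025-03-30T01:00:03,portal-auth,203.0.113.11,test,failure
2025-03-30T01:00:05,portal-auth,203.0.113.12,admin,failure
2025-03-30T01:00:07,portal-auth,203.0.113.13,guest,failure
2025-03-30T01:00:09,portal-auth,203.0.113.14,admin,failure
2025-03-30T01:00:11,portal-auth,203.0.113.10,jsmith,failure
2025-03-30T01:00:13,portal-auth,203.0.113.10,jsmith,success
2025-03-30T08:15:00,portal-auth,198.51.100.7,jsmith,success
2025-03-30T08:16:00,gateway-auth,198.51.100.7,jsmith,success
"""


def hunt(text, min_scanner_ips=3):
    """Summarise scanning activity and surface successes from scanning sources."""
    rows = list(csv.DictReader(io.StringIO(text)))
    failures = defaultdict(int)         # src_ip -> failed portal logins
    users_per_ip = defaultdict(set)     # src_ip -> usernames it tried
    for r in rows:
        if r["event"] == "portal-auth" and r["status"] == "failure":
            failures[r["src_ip"]] += 1
            users_per_ip[r["src_ip"]].add(r["user"])
    scanner_ips = set(failures)
    # A distributed scan shows up as many distinct sources with few failures
    # each, which a per-IP lockout threshold would never trip.
    scanning = len(scanner_ips) >= min_scanner_ips
    # Highest-priority finding: a successful login from an IP that was also
    # failing against the portal, i.e. a guess that may have landed.
    suspicious_success = [
        (r["src_ip"], r["user"], r["time"])
        for r in rows
        if r["status"] == "success" and r["src_ip"] in scanner_ips
    ]
    probed = sorted(set().union(*users_per_ip.values())) if users_per_ip else []
    return {
        "scanning": scanning,
        "scanner_ip_count": len(scanner_ips),
        "probed_usernames": probed,
        "suspicious_success": suspicious_success,
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    print(f"scanning={result['scanning']} from {result['scanner_ip_count']} IPs")
    print("usernames probed:", ", ".join(result["probed_usernames"]))
    for ip, user, when in result["suspicious_success"]:
        print(f"INVESTIGATE: {user} logged in from scanning source {ip} at {when}")
```

Any entry under suspicious_success is where the hunt should start: confirm the session with the user, check the gateway logs for what that source did next, and reset credentials if the login was not theirs.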
- 15. Getting Started with AI Hacking: Part 1 – Black Hills Information Security, Inc.
I liked this part as we talked about it in the interview: "Was it through direct kernel calls? Clever encoding? Self-inflicted ROP attacks? No! They took strings from a benign program and appended them to their malware file. The Cylance classifier inspected the malware, saw that it had a lot of similarities to benign programs it had seen before, and made that call that the malware was likely benign." - Outside of that, this article is a good primer and I need to spend a little more time understanding each attack described.
- 16. Hacking the Call Records of Millions of Americans
This has been fixed, but HOLY CRAP, so simple too: "In order to display your recent history of received calls in the Verizon Call Filter app, a network request is made to a server. That request contains various details such as your phone number and the requested time period for call records. The server then responds with a list of calls and timestamps for each. So surely the server validated that the phone number being requested was tied to the signed in user? Right? Right?? Well…no. It was possible to modify the phone number being sent, and then receive data back for Verizon numbers not associated with the signed in user."
- 17. Harnessing the power of Named Pipes
They released a new tool: https://github.com/CyberCX-STA/Peep - This looks like great research. There is a long history of named pipe abuses.
- 18. Cyber-Physical Analysis of Weapons of Mass Destruction Detection Systems: Part 1 – DARPA’s SIGMA
LLM Summary: "The article explores the integration of cyber and physical technologies in weapons of mass destruction (WMD) detection systems, focusing on Chemical, Biological, Radiological, and Nuclear (CBRN) networks. It highlights advancements in these systems, which use sensors, algorithms, and communication frameworks to provide real-time threat detection and situational awareness. The author also discusses vulnerabilities in the SIGMA network, such as exposed endpoints and outdated systems, which could potentially be exploited. By analyzing both hardware and software aspects, the article aims to improve understanding of these systems and their security challenges." - Also, this is scary: "Thirty years ago, the Japanese apocalyptic cult ‘Aum Shinrikyo’ managed to fabricate sarin gas in-house and released it in multiple trains during rush hour on the Tokyo subway system. The deadly nerve agent killed 14 people, injured over 1000, and caused severe health issues for thousands more. Initial reports only mentioned 'an explosion in the subway,' causing the first 30 police officers who arrived at the scene to overlook the possibility of a chemical attack. As a result, they were exposed to and harmed by the sarin gas, which also delayed their ability to provide a timely and proper response to the other victims. Could a similar event happen today in a modern city? Probably yes, but at least in theory, it would be orders of magnitude harder for the perpetrators to achieve their goals. Even if they succeeded, the immediate aftermath (essentially the ability to mitigate the consequences), would (is expected to) be managed much more effectively, due to technological progress in countering Chemical, Biological, Radiological, and Nuclear (CBRN) threats, as well as improved mapping of adversarial activity linked to these illicit activities."
- 19. XSS To RCE By Abusing Custom File Handlers – Kentico Xperience CMS (CVE-2025-2748)
Great research here, and impressive example of chaining vulnerabilities.
- 20. GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
If you are doing malware reverse engineering and come across a Go binary, read this.
- 21. Heightened In-The-Wild Activity On Key Technologies Observed On March 28
Attackers are doubling down on the network/security appliance threat landscape: "On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. This uptick suggests increased reconnaissance or exploitation attempts, indicating that threat actors may be probing for vulnerabilities or unpatched systems. Security teams should be aware of this trend and assess potential risks." - The attacks will continue until security and visibility improve for devices.
- 22. Microsoft update breaks Lenovo BIOS tools, blocking upgrades
"Microsoft recently updated Windows’ “Vulnerable Driver Block List” (DriverSiPolicy.p7b) to improve security. However, this update mistakenly blocked WinFlash64.exe, a key program used by Lenovo’s BIOS update tools. As a result, many Lenovo users cannot update their firmware. Some even experience boot failures and error messages." - We have to do better in this area. The block/allow list approach is not working. We have to get better at identifying behavior in signed drivers and go deeper than just "bad" or "good".
- 23. The Threat You Can’t Scan For
Code is here: https://github.com/reapermunky/Veriduct - "Overview - Veriduct is a command-line utility designed to chunk and store file data in a “dictionary” of SHA-256–labeled blobs, while generating a compact key file that describes how to reassemble the original files."
- 1. After 50 million miles, Waymos crash a lot less than human drivers
Using human crash data, Waymo estimated that human drivers on the same roads would get into 78 crashes serious enough to trigger an airbag. By comparison, Waymo’s driverless vehicles only got into 13 airbag crashes. That represents an 83 percent reduction in airbag crashes relative to typical human drivers.
- 2. Gemini hackers can deliver more potent attacks with a helping hand from… Gemini
For the first time, computer-generated prompt injections against Gemini have much higher success rates than manually crafted ones. The new method abuses fine-tuning, a feature Gemini offers free of charge. After 60 hours of compute time, it finds nonsense characters to add to a prompt injection that make it far more effective.
- 3. Microsoft uses AI to find flaws in GRUB2, U-Boot, Barebox bootloaders
Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders. The newly discovered flaws impact devices relying on UEFI Secure Boot, and allow attackers to execute arbitrary code on the device. Exploiting these flaws would likely need local access to devices.
- 4. AI Experts Say We’re on the Wrong Path to Achieving Human-Like AI
The majority (86% of 475 respondents) said that simply scaling up current approaches to AI will not be sufficient to yield AGI.
- 5. DOGE Plans to Rebuild SSA Codebase in Months, Risking Benefits and System Collapse
Safely rewriting that COBOL code would take years—DOGE wants it done in months.
- 6. FBI Alert Issued As Time Traveling Hackers Attack — Act Now
Medusa attackers have a signed driver, but its certificate has expired. The malware is effectively changing the system date to a time when the certificate was still valid.
- 8. Waltz and staff used Gmail for government communications, officials say
Data security experts have expressed alarm that U.S. national security professionals are not more readily using the government’s suite of secure encrypted systems for work communications such as JWICS, the Joint Worldwide Intelligence Communications System.
- 9. Someone is trying to recruit security researchers in bizarre hacking campaign
“We are recruiting webshell engineers and teams to penetrate Chinese websites worldwide, with a monthly salary of up to $100,000. Get webshells from Chinese registered domains. There is no specific target. As long as the domain is registered in China, it is our target range. What I need is China’s traffic."
This direct message went to several cybersecurity professionals and researchers on X in the last couple of weeks. “I really can’t think of wtf they’re doing,” The Grugq concluded. “It makes no sense.”
- 10. Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH
OPKSSH frees users and administrators from the need to manage long-lived SSH keys. In many organizations – even very security-conscious organizations – there are many times more obsolete authorized keys than they have employees. About 10% of the authorized keys grant root or administrator access. SSH keys never expire.
OPKSSH replaces long-lived SSH keys with ephemeral SSH keys that are created on-demand by OPKSSH and expire when they are no longer needed.
- 11. Microsoft tests new Windows 11 tool to remotely fix boot crashes
This new tool comes in response to the faulty CrowdStrike update that caused millions of Windows devices worldwide to suddenly crash with a Blue Screen of Death (BSOD) and enter reboot loops in July 2024. When a new driver or configuration change prevents Windows 11 from properly starting, the operating system will boot into the Windows Recovery Environment and automatically launch the Quick Machine Recovery Tool. This tool will connect to the Internet through ethernet or Wi-Fi and send crash data to Microsoft's servers. Based on the analysis of this data, Microsoft can remotely apply fixes such as removing problematic drivers or updates and changing configuration settings.