Suing Satoshi, Trojans in IDA, FBI Spam, Beg Bounties, & UPNP Strikes Again – PSW #719

Heh: "Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” Pompompurin said. “This post request includes the parameters for the email subject and body content."

I love this: "However, for whatever reason, many students don't seem to view their role as investigators, they see their role as, well, attackers. They aren't approaching their targets with the notepad and pipe of a detective, but rather with the bow and quiver of a hunter. If your student seems to be too eager to fire off exploits and then gets frustrated when they don't work, help them realize that their attack can only fail if their model of the machine is wrong. By helping a student "take off their hacker hat", you can give them the space they need to step back and assess the situation more clearly." Also, this is great "Hacking exists in the mind, not in the machine." And when troubleshooting, this question is so important: "Why do you think that your beliefs about the machine are the right beliefs to have?" - I go through this all the time with students and interns. You have beliefs, and you tend to follow them. The beliefs that will always get you in trouble when you are trying to fix something or make something work are: "Nothing changed." and "But this should just work". Just because you believe it, doesn't mean it's true, you need proof. When troubleshooting you will find that 1) Something has changed but you have not observed it (yet) and 2) It doesn't work because you, or another person, has done something incorrectly.

A bit extreme. I do like the recommendations for monitoring and tools, and for small networks these are great (maybe even for larger networks too).

"This is why my email above says "beg bounty" and it's exactly what it sounds like - someone begging for a bounty. Sophos wrote up a bunch of good examples earlier this year and they typically amount to easily discoverable configurations that are publicly observable and minor in nature. DMARC records. A missing CSP. Anything that as Sophos puts it, is "scaremongering for profit". And just to be crystal clear, these are "reports" submitted to website operators who do not have a published bug bounty." - Yep, we get these, best to have a policy for bounties, begs and bugs.

"One of the most fascinating stories in the domain name world is how .tk, the ccTLD of a small Pacific island called Tokelau, became one of the most populous TLDs in the world. Domain registrations contributed at one point one-sixth of Tokelau’s income. Their TLD became popular by providing free domain registrations, where the source of income for the TLD operator is through advertisement rather than domain registration fees. Unfortunately, their domain registration policy also invites abuse, spam and a large amount of sensitive content," - A good case for some quality blocking.

Oh, just patch: "MosesStaff has a specific modus operandi of exploiting vulnerabilities in public-facing servers, then using a combination of unique tools and living-off-the-land maneuvers to leave the targeted network encrypted, with encryption used solely for destruction purposes,” said CPR researchers. “The vulnerabilities exploited in the group’s attacks are not zero days, and therefore all potential victims can protect themselves by immediately patching all publicly-facing systems." - But also, curious about the motive of this group, just to watch stuff crash and burn?

"Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect" (https://www.ptsecurity.com/ww-en/about/news/positive-technologies-discovers-vulnerability-in-intel-processors-used-in-laptops-cars-and-other-devices/)

Wow, so scary: "Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report. We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file. This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package."

Whew, how do we compete? "This is probably why zero-day sellers have moved their auctions to cybercriminal forums: to fish in this large and wealthy pool. Zero-day exploits are incredibly pricey and we’ve observed threat actors claiming that they could go away for up to $10,000,000 during our investigations. These prices can appear enormous but there‘s a key aspect to keep in mind.” reads the paper published by Digital Shadows experts. “Whatever legitimate bug bounty programs offer (and we’ve often seen them offering multi-million dollar bounties before), cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e. money laundering)." And just who has this kind of dough? Well: "An interesting consideration that emerged from the report is that not only nation-state hackers are able to pay so high prices, cybercriminal organizations have also the same expense capabilities, especially ransomware gangs."

Exploit and full details available here: https://github.com/grimm-co/NotQuite0DayFriday/tree/trunk/2021.11.16-netgear-upnp Also, super interesting that there is a bug in the code that breaks UPnP, and in-turn also fixes the vulnerability: "As a result, all UPnP SUBSCRIBE and UNSUBSCRIBE requests are broken in the R7000 in version 1.0.11.116 and later. Thus, the vulnerable UUID handling code within upnpd cannot be reached and these firmware images are not vulnerable to the UUID stack overflow vulnerability. However, once this functionality is fixed, the vulnerable code will once again be reachable, and the devices will be exploitable again." - So patch your router to be vulnerable?

Too much leaking and exposure...

"We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network."

Interesting: "We find that the handling of ICMP messages (a network diagnostic protocol) in Linux uses shared resources in a predictable manner such that it can be leveraged as a side channel,” researcher Qian wrote in an email. “This allows the attacker to infer the ephemeral port number of a DNS query, and ultimately lead to DNS cache poisoning attacks. It is a serious flaw as Linux is most widely used to host DNS resolvers."

https://flip.it/u9rKCK

Comparing the 4004 with the i9 12900k is really funny: 4004 = 0.074 GHz (740 kHz) and i9 12900k = 5.20 GHz (5,200,000 kHz)

So now we need to run IDA on our own copy of IDA? ""Attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components," the Slovak cybersecurity firm said, one of which is an internal module called "win_fw.dll" that's executed during installation of the application. This tampered version is then orchestrated to load a second component named "idahelper.dll" from the IDA plugins folder on the system."

"That is what a Florida jury will try to tackle. The family of David Kleiman is suing his former business partner, a 51-year-old Australian programmer living in London named Craig Wright. Mr. Wright has been arguing since 2016 that he created bitcoin, a claim dismissed by most in the bitcoin community. Mr. Kleiman’s family argues that the two worked on and mined bitcoin together, entitling Mr. Kleiman’s family to half a million bitcoins. "We believe the evidence will show there was a partnership to create and mine over one million bitcoin," said Vel Freedman, a lawyer for the Kleiman family."

WTH? "Sometimes, Blake has even been invited to join in the fun, but has declined such invitations every single time – not for any reason other than to ensure everyone ends up safe. "It's a one-pilot plane and I can't leave the cockpit," he said. "I love sex, but I love flying even more."

It was cilantro, I swear! In this case, probably so.

You really have to have tried A LOT of things to come to "Hey, let's go into VR worlds and have sex as furniture and home appliances". WTAF? "but one day, they decided to explore what it would be like to have sex as objects instead. In their respective bedrooms on different corners of the globe, they strapped on their VR headsets, and embodied two non-human avatars; Smoos chose a chest of drawers, her partner a TV."