Managing Bug Bounty Programs At Scale – Dr. Jared DeMott – PSW #796

Basically comes down to this: "Instead of editing every NSE file to implicitly set a low timeout or nselib/comm.lua, we can edit the l_set_timeout function in nse_nsock.cc to set a maximum of a 500ms timeout." - Your welcome (And thank you to Joshua Rogers for this great post)

This is something you need to patch ASAP.

"An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored." I think they stole this from our playbook: https://eclypsium.com/research/pwned-balancers-commandeering-f5-and-citrix-for-persistent-access-c2/ - Nate's research shows how you can hide in backup files for the devices and persist upgrades.

"ScrutisWeb is accessible from any browser and helps organizations worldwide monitor ATMs and reduce response time if there are problems, according to its developer, Iagona. ATM fleets can include sensitive equipment like check deposit machines as well as payment terminals in a restaurant chain." - Turns out the server responsible for management implements a web site that is full of easily exploitable holes. They've all been fixed, but concerning that such easily exploitable features existed in the first place.

It is touted as the latest privilege escalation in Windows. Also of note: "This research was reported to Microsoft Security Response Center. According to Microsoft this behavior is by design." Github: https://github.com/deepinstinct/NoFilter

Sneaky: "The only difference between a legitimate package and a malicious one was that a malicious payload was put inside a separate file, postinstall.js, that is called after installation of the main npm package is complete. This was a clever move on the malicious actors' part. That's because the original noblox.js package also contains a postinstall.js script that displays a thank-you and some useful information to the users who installed it."

"Microsoft announced back in May that it was adding support for RAR files into Windows, along with support for other archive formats, including tar, 7-zip, gz and others, thanks to the addition of the libarchive open-source library, but presumably only for Windows 11. Redmond has had native support for zip files since the last century, when Windows 98 debuted." - Are we better off, security-wise, having this natively in the OS or relying on a 3rd party vendor to supply secure software?

This is a reminder for me to note that if you are staying up-to-date with Linux you likely got a patch for Zenbleed. I tested this and Zenbleed no longer works on my system.

New updates are neat, and I have on my list to get Kali Nethunter on one of my Pixel devices I have laying around. This is not new, however, there are some new models supported with the latest update.

Interesting LOLDriver: "If this driver is truly an integral part of this product, we’re going to have a really powerful tool for Bring Your Own Vulnerable Driver attacks. While the driver is in the LOLDrivers project, it is not in the Microsoft driver blocklist (at the time of writing)."

Dropping 0-day: "Today I will discuss the details of the bypass, not because it's been fixed in macOS—in fact it hasn't been fixed yet—but rather because I've lost all confidence in Apple to address the issue in a timely manner. In other words, I'm dropping a 0day. We're at ten months and counting, with no end in sight, and I feel that's absurd. It should be noted that by disclosing the issue publicly, I'm sacrificing the opportunity to receive an Apple Security Bounty."

Interesting, but maybe not as earth-shattering as described in the cybersecurity news: "Using the acquired credentials, the attacker can launch a man-in-the-middle attack to intercept the session keys during bulb setup and escalate the malicious potential with exposed Wi-Fi credentials."

This is a must-read: "I conducted a thorough analysis of some of the prominent security benchmarks/guidelines for my GitHub repository and I discovered some fascinating insights. By analysis, I mean that I examined every single recommendation in them and compared them with my own suggestions and Microsoft Security Baselines. The majority of the recommendations in the security benchmarks align with the Microsoft Security Baselines, which are a set of best practices for securing various products and services. Only a small fraction of the recommendations deviate from the baselines, and they are either additional enhancements (rarely), redundant suggestions or erroneous advice that undermine security!"

Complete takeover of VoIP devices, complete with backdoored firmware to eavesdrop: "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.’s desk phones and Zoom’s Zero Touch Provisioning feature can gain full remote control of the devices, potentially allowing the attacker e.g. to: eavesdrop on rooms or phone calls, pivot through the devices and attack corporate networks, build a bot net of compromised devices In addition, we were able to analyze and reconstruct cryptographic routines of AudioCodes devices, and to decrypt sensitive information such as passwords and configuration files. Due to improper authentication, a remote attacker is able to access such files and data."

reverse-engineer the LoRa standard for years with projects such as GR-LoRa

This is a carry over from last week. I'm hoping some discussion can help lure more info about it into the wild.

Another carry over from last week, that deserves some lip service, especially when we consider the implications to WiFi network security.

Tracked as CVE-2023-24489, the critical Citrix vulnerability has a 9.8 CVSS score and, if exploited, could let an unauthenticated attacker remotely compromise the customer-managed ShareFile storage zones controller. ShareFile told SC Media that the fix for the CVE was released one month prior to public disclosure and that ShareFile worked with its customers to get them upgraded during that month.

Starting in Chrome 117, Chrome will proactively highlight to users when an extension they have installed is no longer in the Chrome Web Store. This is limited to three specific cases:

• The extension has been unpublished by the developer.
• The extension has been taken down for violating Chrome Web Store policy.
• The item was marked as malware.

Under Settings, Privacy & Security

Beginning on September 1, 2023, all federally insured credit unions must notify the NCUA as soon as possible, and no later than 72 hours, after the credit union reasonably believes it has experienced a reportable cyber incident or received a notification from a third party regarding a reportable cyber incident.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. RARLAB has issued an update to correct this vulnerability. More details can be found at: https://www.win-rar.com/singlenewsview.html?&L=0&txttnews%5Bttnews%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa

A misconfigured Hotmail DNS Sender Policy Framework (SPF) record prevented recipient services from determining that the messages came from a trusted source. Hotmail users noticed last Thursday evening that messages were being returned with errors related to SPF. Now that we've implemented SPF, DKIM and DMARC, it's important to keep those updated and configured properly so legitimate email flows, as well as bogus messages are rejected.

LinkedIn users are reporting account takeovers. In some cases, the hackers are demanding payment to return control of the accounts and threatening to permanently delete them if payment is not made. Researchers from Cyberint say that the attacks are affecting people around the world and that analysis of Google Trends data indicates “a significant surge [in account takeovers] in the past 90 days.”

Enable 2FA on your LinkedIn account, use strong password, eliminate old email/phone numbers for validation.

A threat actor has compromised close to 2,000 thousand Citrix NetScaler servers in a massive campaign exploiting the critical-severity remote code execution tracked as CVE-2023-3519.

More than 1,200 servers were backdoored before administrators installed the patch for the vulnerability and continue to be compromised because they have not been checked for signs of successful exploitation, the researchers say.