Ransomware Infection Vectors – Ryan Chapman – PSW #798
1. Ransomware Infection Vectors – Ryan Chapman – PSW #798
Ryan has his finger on the pulse of ransomware and response. We discuss how the initial infections are occurring, how they've changed over time, and where they are going in the future!
Segment Resources: For folks to see my recent presentations: for528.com/playlist
For folks to see the recordings of our recent Ransomware Summit: for528.com/summit23
For folks to watch my recent (free) ransomware workshop: for528.com/workshop23
Materials: for528.com/workshop
Announcements
Join us at SC Media’s Investing in IAM eSummit September 19th through 20th. This two-day virtual event will provide insights from industry experts with a deep dive into identity and access management. Register now for this free event where you will gain cybersecurity knowledge and receive 6.5 CPE credits just for attending!
Register today: securityweekly.com/IAM
Guest
Ryan Chapman works as a Principal Incident Response Consultant and is the author of the SANS course “FOR528: Ransomware for Incident Responders.” He also chairs the yearly SANS Ransomware Summit, teaches SANS FOR610: Reverse Engineering Malware, and is the former lead of the CactusCon security conference in Phoenix, Arizona, USA. Ryan thoroughly enjoys presenting, running workshops, and learning from others.
2. Cisco 0-Day, Chrome Vulnerability, MGM Shut Down, & More! – PSW #798
Lots in the Security News this week. Stay tuned!
Announcements
Security Weekly listeners: InfoSec World 2023 is just weeks away! Have you registered to join over 2,500 cybersecurity experts on September 25-27 in Lake Buena Vista, FL? InfoSec World is your gateway to a world of knowledge and growth. Don't miss the chance to enhance your career, connect with industry leaders, and make an impact on the rapidly evolving landscape.
Secure your seat using code ISW23-SECWEEK20 to save 20% off your registration. Register today: securityweekly.com/infosecworld2023
- 1. My Favorite Web App Pentesting Extension – Firefox Containers – whitecyberduck’s Blog
- 2. Cisco security appliance 0-day is under attack by ransomware crooks
- 3. Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild – Update Now
- 4. How to open a safe
Some great reverse engineering to figure out that just by sending a new unlock code directly to the hardware you can set that as the new code and unlock the safe. Of course, in my recent experience, picking the backup lock is just as fast LOL.
- 5. Boot Unguarded: x86 Trust Anchor Downfalls to The Leaked OEM Internal Tools and Signing Keys
One thing here: This only works for MSI. Intel does not generate and distribute only one Boot Guard key; each OEM does this. Other than that, this is valid.
- 6. PS5 Release: Kernel Exploit (Webkit – v1.03) compiled for ESP8266 – Wololo.net
"But in the case of PS5 (and PS4) hacks, the device is perfect: loaded with the PS5 exploit, it can act as a fake Wifi router for your PS5, that will help you run the Webkit hack (and the kernel exploit). It has the benefit of being isolated from the Internet, so no risk of a mistaken firmware update. On top of that, its power needs are entirely fulfilled by the PS5’s USB port."
- 7. Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd
- 8. Lord Of The Ring0 – Part 5
- 9. Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed – Techryptic’s Blog
I have done some testing of this one: First, I have it on one of my Flippers. The easiest way is to run the latest RogueMaster firmware as it includes the code and an app to spoof the correct BLE messages. It even includes a random message generator. I also set up a Raspberry Pi with Kali and the Bluetooth adapter in the article and installed the Python scripts to do the same thing. It works, with some extended range. Please note two things: You can do this many ways (even on an ESP32) and you don't need a Flipper Zero. Also, the user will have to lock and unlock their device to see messages more than once, and in my limited testing this differs based on the device you are spoofing, the device you are targeting, and likely the firmware version. More testing is required to confirm these details. This is just an annoying thing to my knowledge and does not pose an imminent security threat...
- 10. 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets – Truffle Security
OMG don't do this: "Our research team discovered 4,500 of the most visited websites in the world publicly exposed their git directory (i.e., https://example.com/.git). These git directories often contained the entire private source code for a given website. Attackers could use this inside knowledge to mount an attack against the victim’s web application or search the code for live credentials to third-party services like AWS." - Attack surface monitoring is important.
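A self-audit check for the exposure described above, written as an added example (not Truffle Security's tooling): it probes a site you own for `.git/HEAD` and `.git/config`, requires both to look like real git files so that servers answering 200 to every path (soft 404s) are not reported as exposed, and uses an injectable fetcher so the classifier runs offline against constructed responses. The hostnames `exposed.example`, `soft404.example` and `safe.example` are constructed.

```python
"""Defensive check: does a site we own serve its .git directory?"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# A fetcher returns (status_code, body_text), or None when the request fails.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]

# Git's HEAD file is either a symbolic ref or a bare 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
# A real .git/config declares a [core] section; an HTML error page does not.
_CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)

def looks_like_git_head(body: str) -> bool:
    return bool(_HEAD_RE.match(body.strip()))

def looks_like_git_config(body: str) -> bool:
    return bool(_CONFIG_RE.search(body))

def check_git_exposure(base_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Classify one site from two probes.

    HEAD alone gives false positives on soft-404 servers, so .git/config
    must corroborate before the site is flagged as exposed.
    """
    base = base_url.rstrip("/")
    findings: List[str] = []
    head = fetch(f"{base}/.git/HEAD")
    if head and head[0] == 200 and looks_like_git_head(head[1]):
        findings.append(".git/HEAD readable")
    config = fetch(f"{base}/.git/config")
    if config and config[0] == 200 and looks_like_git_config(config[1]):
        findings.append(".git/config readable")
    return {"site": base, "exposed": len(findings) == 2,
            "suspicious": len(findings) == 1, "findings": findings}

def urllib_fetcher(url: str) -> Optional[Tuple[int, str]]:
    """Real fetcher for hosts you own; not used by the offline demo below."""
    import urllib.error, urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None

# Constructed responses standing in for three sites (not real data).
CONSTRUCTED = {
    "https://exposed.example/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://exposed.example/.git/config": (200, "[core]\n\tbare = false\n"),
    "https://soft404.example/.git/HEAD": (200, "<html>Not found</html>"),
    "https://soft404.example/.git/config": (200, "<html>Not found</html>"),
    "https://safe.example/.git/HEAD": (403, ""),
    "https://safe.example/.git/config": (403, ""),
}

def constructed_fetcher(url: str) -> Optional[Tuple[int, str]]:
    return CONSTRUCTED.get(url)

if __name__ == "__main__":
    for site in ("https://exposed.example", "https://soft404.example", "https://safe.example"):
        print(check_git_exposure(site, constructed_fetcher))
```

The fix on the serving side is a deny rule for the path, e.g. in nginx `location ~ /\.git { deny all; }`, after which the check above should report no findings.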
- 11. Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework
Curious if this was not prioritized correctly by Microsoft, or if this is not a big deal? "Microsoft has been informed of this research and responded with the following: “This has been determined to be a malware detection evasion technique and not a security vulnerability that would be serviced in a security update.”"
- 12. shelLM – A New AI-Based Honeypot to Engage Attackers as a Real System
- 13. The Cheap Radio Hack That Disrupted Poland’s Railway System
"because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train—sending a series of three acoustic tones at a 150.100 megahertz frequency—and trigger their emergency stop function"
- 14. Software Bill of Materials (SBOM) in Practice
We have a long way to go in order to get SBOMs everywhere: "So, my take-away here is that the shell.efi binary being examined does not contain the necessary metadata required for the EMBA tool to create a CycloneDX-style SBOM. Undeterred, I attempted to run the same EMBA scan on a Coreboot BIOS image for the Lenovo T530 system. There is a project called Skulls that contains pre-built Coreboot BIOS images, more here: https://github.com/merge/skulls. Some progress"
- 15. CVE-2023-3959, CVE-2023-4249 – Multiple critical vulnerabilities in Zavio IP cameras
No patches! Buy new gear from a different company: "BugProve discovered a large number (34+) of different memory corruption and command injection vulnerabilities affecting multiple Zavio products. Since Zavio seems to be out of business as of now, no security updates are expected. We strongly urge users of these devices to change them to a different model." Yikes!
- 16. Demystifying CPU Microcode: Vulnerabilities, Updates, and Remediation – Eclypsium
I learned about microcode updates while researching this post. I don't see attacks in the wild targeting speculative execution bugs; however, it's still good to patch them and keep up-to-date with the microcode updates, unless your performance goes to crap. Make sure you check out the resources section as there are some really interesting tidbits here, including the most recent research on tampering with updates (which is hard as they are cryptographically signed and to my knowledge no one has been able to tamper with them, yet).
- 17. Microsoft will block 3rd-party printer drivers in Windows Update
No more 3rd party printer drivers, why wasn't this done sooner?
- 18. Free Download Manager site redirected Linux users to malware for years
Interesting: "Due to this redirection happening only in some cases and not in all instances of attempted downloads from the official site, it is hypothesized that scripts targeted users with malicious downloads based on specific but unknown criteria."
- 1. API Vulnerabilities: 74% of Organizations Report Multiple Breaches
The research also highlights a lack of understanding and confidence in API security. Only 38% of experts felt capable of discerning the nuances of API activities, user behaviors and data flows. Traditional security solutions, including Web Application Firewalls (WAFs), came under scrutiny, with 57% doubting their effectiveness in distinguishing genuine from fraudulent API activity.
- 2. New quantum random number generator could revolutionize encryption
Different types of random number generators provide different levels of randomness and thus security. Hardware is the much safer option as randomness is controlled by physical processes. And the hardware method that provides the best randomness is based on quantum phenomena – what researchers call the Quantum Random Number Generator, QRNG.
“In cryptography, it’s not only important that the numbers are random, but that you’re the only one who knows about them. With QRNG’s, we can certify that a large amount of the generated bits is private and thus completely secure. And if the laws of quantum physics are true, it should be impossible to eavesdrop without the recipient finding out,” says Guilherme B Xavier, researcher at the Department of Electrical Engineering at Linköping University.
- 3. Google rolls out Privacy Sandbox to use Chrome browsing history for ads
The Privacy Sandbox is a new advertising platform created by Google, designed to create a more private way of tracking a user's interests for advertising.
Instead of using third-party cookies placed by different advertisers and tracking companies, the Privacy Sandbox will locally compute a user's interests directly within the browser, currently only used in Google Chrome.
Advertisers using the new Privacy Sandbox can request visitors' interests to show a relevant ad, with the browser replying with anonymous data that lists the categories the user is interested in.
These interests are computed from the user's browsing history, where sites are associated with various subject categories, such as College sports, Razors & shavers, Ice skating, Comics, Bodybuilding, etc.
The Privacy Sandbox is broken up into three components named Ad Topics, Site-suggested ads, and Ad Measurement.
- 4. MGM Resorts Confirms ‘Cybersecurity Issue’, Shuts Down Systems
Here’s the full MGM Resorts statement:
“MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.
Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
MGM Resorts properties include the Mandalay Bay (the site of the Black Hat security conference), Bellagio, MGM Grand, Aria, Luxor and the Cosmopolitan.
The incident began sometime on Sunday and affected hotel reservation systems throughout the United States and other IT systems that run the casino floors.
- 5. Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger
A new phishing attack is leveraging Facebook Messenger to propagate messages with malicious attachments from a "swarm of fake and hijacked personal accounts" with the ultimate goal of taking over the targets' Business accounts.
"Originating yet again from a Vietnamese-based group, this campaign uses a tiny compressed file attachment that packs a powerful Python-based stealer dropped in a multi-stage process full of simple yet effective obfuscation methods," Guardio Labs researcher Oleg Zaytsev said in an analysis published over the weekend.
In these attacks, dubbed MrTonyScam, potential victims are sent messages that entice them into clicking on the RAR and ZIP archive attachments, leading to the deployment of a dropper that fetches the next stage from a GitHub or GitLab repository.
This payload is another archive file that contains a CMD file, which, in turn, harbors an obfuscated Python-based stealer to exfiltrate all cookies and login credentials from different web browsers to an actor-controlled Telegram or Discord API endpoint.
- 6. Regulator to Investigate Fertility App Security Concerns
The UK’s data protection regulator is set to review how period and fertility tracking applications process user information, after revealing that many women have concerns.
The Information Commissioner’s Office (ICO) said it has contacted the developers of many of these apps to find out more. It also wants users to come forward and share their experiences.
- 1. Cisco security appliance 0-day is under attack by ransomware crooks
Cisco has acknowledged that there is an unpatched and actively exploited vulnerability in the remote access VPN feature of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco says that the flaw “is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features [and] could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.” Cisco plans to release fixes to address the issue; in the meantime, they have suggested workarounds.
- 2. Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Authentication Bypass Vulnerability
Cisco has released updates to address an authentication bypass vulnerability affecting the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. The vulnerability exists in the method used to validate SSO tokens.
CVE-2023-20238 scores a perfect 10 base CVSS score. There are no workarounds; you have to apply the update.
- 3. Google Update for Chrome Addresses Zero-Day Vulnerability
Google is updating Chrome to fix a zero-day vulnerability, the fourth since the beginning of the year. Google has acknowledged that an exploit for the flaw, a heap buffer overflow in WebP (CVE-2023-4863), exists in the wild and is rolling out a new version of Chrome to the Stable and Extended stable channels.
- 4. MGM Resorts takes systems offline following cyberattack
Some MGM Resorts systems are down following a cyberattack that began on Sunday, September 10. The company’s website is unavailable; a temporary page lists contact numbers in various cities across the US. According to a statement published on social media, MGM shut down certain systems as a protective measure while the incident is being investigated. MGM-operated hotels in Las Vegas have reportedly been unable to process payment card transactions.
- 5. Mozilla Releases Security Updates for Multiple Products
Mozilla has released security updates to address a vulnerability affecting Firefox, Firefox ESR, and Thunderbird. A cyber threat actor can exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review Mozilla’s advisory (MFSA 2023-40) and apply the necessary updates.
- 6. CISA Adds Three Known Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-35674: Android Framework Privilege Escalation Vulnerability
- CVE-2023-20269: Cisco Adaptive Security Appliance and Firepower Threat Defense Unauthorized Access Vulnerability
- CVE-2023-4863: Google Chrome Heap-Based Buffer Overflow Vulnerability
- 7. Adobe Releases Security Updates for Multiple Products
CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.
- Adobe Connect: APSB23-33
- Adobe Acrobat and Reader: APSB23-34
- Adobe Experience Manager: APSB23-43
- 8. Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS
On Sept. 7 Apple released security updates iOS 16.6.1, iPadOS 16.6.1, macOS 13.5.2, and watchOS 9.6.2 that fix zero-day security flaws that can lead to malware installation through a "maliciously crafted image" or attachment.
- 1. Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping
We propose WiKI-Eve to eavesdrop on keystrokes on smartphones without the need for hacking. WiKI-Eve exploits a new feature, BFI (beamforming feedback information), offered by the latest Wi-Fi hardware: since BFI is transmitted from a smartphone to an AP in clear text, it can be overheard (hence eavesdropped) by any other Wi-Fi device switching to monitor mode. WiKI-Eve achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications (e.g., WeChat).
- 2. WhatsApp has reluctantly started work on cross-platform messaging due to EU regulation
A new beta version of WhatsApp features a new screen called “third-party chats” — this represents the first example of the new EU regulatory framework. The idea is that WhatsApp will let you open a dedicated menu to see incoming messages from people who are using other messaging apps.
- 3. NordVPN launches new AI-enabled tool against phishing, and looks for testers
Sonar comes as a browser extension with the aim of harnessing the power of AI to secure users from phishing attacks and protect them from cybercrime. This is the first project to be released under the NordLabs platform.
- 4. Palantir Among First Tech Firms to Promise White House They Won’t Use AI for Evil
Some of the biggest tech firms have agreed to the White House’s voluntary commitment on ethical AI, including some companies that are already using AI to help militaries kill more effectively and to monitor citizens at home. These commitments include that companies will share safety and safeguarding information with other AI makers. They would have to share information with the public about their AI’s capability and limitations and use AI to “help address society’s greatest challenges.”
- 5. Hey Presto! Nvidia pulls software hack out of AI hat and doubles performance of H100 GPU for free
The versatility and dynamism of large language models (LLMs) can make it difficult to batch requests and execute them in parallel, which means some requests finish much earlier than others. To solve this, Nvidia and its partners embedded TensorRT-LLM with a more powerful scheduling technique called in-flight batching. This takes advantage of the fact text generation can be broken down into multiple subtasks.
- 6. 0day in GCC (for AArch64 targets)
On AArch64 targets, GCC's stack smashing protection does not detect or defend against overflows of dynamically-sized local variables.
- 7. Free Download Manager backdoored – a possible supply chain attack on Linux machines
The Linux malware includes a DNS-based backdoor and a Bash stealer. This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure). This malware has been distributed for three years without being recognized as malicious.
- 8. Prepare yourself. A Donald Trump chatbot is about to be unleashed.
A project called Chat2024 will officially unveil the AI-powered avatars of 17 leading presidential candidates. Each one is a chatbot trained on reams of data generated from at least a hundred sources, like candidates’ video appearances and writings.
- 9. There is a way to install open source (!) apps like Firefox on your locked down Android Automotive powered car.
tl;dr: download source code, change some stuff, create new app in the play store console, upload bundle as an internal beta and enjoy.
- 10. DEFCON 31 – Snoop Unto Them, As They Snoop Unto Us
So, funny story. Every cop's body cam is basically an AirTag. I did a talk at DEFCON explaining how you can detect and ID police body cams with your phone.