- 1. On Bypassing eBPF Security Monitoring · Doyensec’s Blog
Pretty awesome article, deeply technical; I need to study eBPF and kernel structures more.
- 2. Wi-Fi spy drones used to snoop on financial firm
"The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. 'This led the team to the roof, where a "modified DJI Matrice 600" and a "modified DJI Phantom" series were discovered,' Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device." Wow: "The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device."
- 3. The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys
"Team82 has developed a new, innovative method to extract heavily guarded, hardcoded, global private cryptographic keys embedded within the Siemens SIMATIC S7-1200/1500 PLC and TIA Portal product lines." Kind of similar to finding that one page on the webapp that doesn't check for auth: "Use [REDACTED] opcode, which has no security memory region checks, to copy an internal struct containing a native pointer to a valid memory area to a writable memory area".
- 4. Hidden DNS resolver insecurity creates widespread website hijack risk
To sum it all up, this is a Kaminsky attack on a closed resolver using an email server as the vector.
- 5. This Thermal Attack Can Crack Your Password in Just a Few Seconds
"Thermal attacks can occur after users type their passcode on a computer keyboard, smartphone screen or ATM keypad before leaving the device unguarded. A passerby equipped with a thermal camera can take a picture that reveals the heat signature of where their fingers have touched the device. The brighter an area appears in the thermal image, the more recently it was touched. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users’ passwords."
- 6. Fortinet warns of critical flaw in its security software
Wow, so basically, if you're vulnerable, it's like having the web interface exposed to the Internet with no password required as you can: "Modify the admin users’ SSH keys to enable the attacker to login to the compromised system, Add new local users, Update networking configurations to reroute traffic, Download the system configuration, Initiate packet captures to capture other sensitive system information."
- 7. No fix in sight for mile-wide loophole plaguing a key Windows defense for years
Wait, could Microsoft fix this problem? - "Given the history, you might think that Microsoft would have created a viable defense to stop BYOVD attacks, but sadly there's no evidence that's the case. The company claims that Windows users can enable a feature that automatically blocks known vulnerable drivers, but I was unable to make it work on my ThinkPad running the latest version of Windows 10, and as I'll get to shortly, Microsoft has no interest in helping me." Oh wait, nope: "turning on the combination of memory integrity and Hypervisor-protected code integrity will offer protection against BYOVD attacks, but at my request, Kálnai enabled both on a system running Windows 10 Enterprise, 10.0.19044 and then attempted to load the vulnerable Dell driver exploited by Lazarus. As the screenshot below shows, the driver loaded just fine." - Also, why can't we get a block list, or even better, a certificate revocation? Of course, if the driver is working as intended, does not contain vulnerabilities, and the key has not leaked, I suppose you wouldn't want to revoke it globally. Can admins get control of the revocation list? Sure, but then an attacker could also control the revocation...
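An added defender-side check for the mitigation discussed above (this is my example, not code from the article or its author): on a Windows host it queries the documented Win32_DeviceGuard CIM class and reports whether virtualization-based security is running and whether HVCI (memory integrity) is among the running security services, so an admin can confirm the control is actually active before relying on it against BYOVD. The property names are the real ones; the value interpretation (status 2 = running, service code 2 = HVCI) follows Microsoft's documentation as I understand it and should be treated as an assumption to verify on your own build.

```powershell
# Added example: report VBS / HVCI state so an admin can confirm the
# mitigation is really running before assuming protection against
# vulnerable-driver loading. Value meanings below are assumptions to verify.
function Get-HvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesConfigured / SecurityServicesRunning are arrays of codes;
    # 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
    $hvciRunning    = ($dg.SecurityServicesRunning    -contains 2)

    [PSCustomObject]@{
        VbsRunning     = $vbsRunning
        HvciConfigured = $hvciConfigured
        HvciRunning    = $hvciRunning
    }
}

$state = Get-HvciState
$state | Format-List
if (-not $state.HvciRunning) {
    Write-Warning 'HVCI is not running; do not assume protection against vulnerable-driver loading.'
}
```

Note that "configured but not running" is a common state (for example when the hardware lacks the required virtualization features), and, as the article shows, even a running HVCI does not by itself stop a signed driver that is not on the blocklist from loading; this check only tells you whether the control you enabled is actually on.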
- 8. Never-before-seen malware has infected hundreds of Linux and Windows devices
Interesting: "it is designed to work across several architectures, including: ARM, Intel (i386), MIPS and PowerPC—in addition to both Windows and Linux operating systems. Second, unlike largescale ransomware distribution botnets like Emotet that leverage spam to spread and grow, Chaos propagates through known CVEs and brute forced as well as stolen SSH keys."
- 9. What can we learn from leaked Insyde’s BIOS for Intel Alder Lake
It appears this leak was from a developer that was working on UEFI implementations for what appears to be Lenovo. The leak contained binary blobs from different manufacturers, UEFI source code, some keys, and scripts/configs that help OEMs package all this together. As far as I can tell from reading about this, the keys that were leaked do not really pose a threat unless the public key was fused into the hardware. There is also a difference between UEFI Secure Boot, BIOSGuard, signed BIOS updates, and BootGuard (essentially they all use different keys). The keys involved were for BootGuard, and I believe these were for testing, meaning production computers that shipped would not use the keys. Two main points that few are actually talking about: 1) The supply chain for firmware on your computer is a "hot mess"; 2) This gives researchers valuable information to conduct further research (e.g. microcode updates).
- 10. The Zero Day Dilemma
I really like this insight: "To sum up, the problem of the zero day attack has not been solved because every approach depends on knowledge of events that have happened in the past, whether it’s known malware or known “normal” network/application behavior that serves as a benchmark for spotting malware-caused anomalies."
- 11. Mark Ermolov on Twitter
This response from @NikolajSchlej is highly accurate: "If that is really a KeyManifest signing key, and there are any machines that have a hash of the public key fused into FPFs, BG on that platform is under nearly full control. I.e. one can generate a new BootPolicy signing key and protect any BG-protectable range, including none."
- 12. Intel Confirms Alder Lake BIOS Source Code Leak
"In fact, famed security researcher Mark Ermolov has already been hard at work analyzing the code. His early reports indicate that he has found secret MSRs (Model Specific Registers) that are typically reserved for privileged code and thus can present a security problem"
- 13. VMware vCenter Server bug disclosed last year still not patched
The workaround sounds like a nightmare: "To block attack attempts, VMware advises admins to switch to Active Directory over LDAPs authentication OR Identity Provider Federation for AD FS (vSphere 7.0 only) from the impacted Integrated Windows Authentication (IWA)."