PSW #769 – Kate Stewart

" A BNL spokesperson declined to comment. LLNL did not respond to a request for comment. An ANL spokesperson referred questions to the U.S. Department of Energy, which declined to comment." and "The U.S. National Security Agency (NSA) declined to comment on Cold River's activities. Britain's Global Communications Headquarters (GCHQ), its NSA equivalent, did not comment. The foreign office declined to comment." - So, no comment then? Also, several security researchers from several security firms implicate Andrey Korinets as one of the main figures behind Cold River. I also find it interesting that Andrey Korinets states he was fined for hacking years ago and now most likely helps operate one of Russia's most forward-leaning cyber operations.

If we have time we'll discuss this one, it could impact many of us working in cybersecurity today.

The TL;DR: Don't worry about this yet. Look, like many, the math is way over my head. Keep in mind while you read through these materials that they reference two papers and associated work that could be used to break RSA: Shor and Schnoor. You will also see QAOA (A Quantum Approximate Optimization Algorithm) referenced as well. This quantum computing algorithm has not yielded faster results, according to experts in this field (again, you can read about that aspect in the materials below). If you like to read about crypto, and you are FAR from an expert like myself, the article below are pretty neat (though the papers are just there for reference, and for the smaller population of people who can understand them).

Other references:

• Will quantum computers break RSA encryption in 2023? - "Thus, it looks like even if you implement this hybrid algorithm on a classical + quantum system, it will take as long to guess RSA keys as with a regular computer."
• What The Heck Is Schnorr - This was a great article to read and get caught up on some basics: "Here in this piece we will explore the idea of digital signatures in-depth, look inside both ECDSA and Schnorr, and judge on our own the special merit of adopting Schnorr signatures."
• Factoring integers with sublinear resources on a superconducting quantum processor - This is the recently published research paper being referenced.
• Cargo Cult Quantum Factoring - Scott Aaronson, Schlumberger Centennial Chair of Computer Science at The University of Texas at Austin, and director of its Quantum Information Center, says: "For those who don’t care to read further, here is my 3-word review: No. Just No."
• Fast Factoring Integers by SVP Algorithms, corrected - This is Schnorr's paper that claims: "This destroys the RSA cryptosystem."
• Algorithms for quantum computation: discrete logarithms and factoring - This is the paper that represents "Shor's algorithm" that Schnier mention in his article and states: "We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today."
• Has RSA been destroyed by a quantum computer??? - The Security. Cryptography. Whatever. episode that talks about this was very good, and hosted Deirdre Connolly, Thomas Ptacek, and David Adrian .

" A driver can access and modify critical security structures. These modifications can lead to attacks such as Privilege Escalation, Arbitrary Read-Write and disabling of security services responsible for the protection of the Operating System." - This is the heart of the issue, and this article serves as a really good primer to lay the foundation to understand kernel drivers and how they are used to attack systems. The authors mentioned some great examples, that for all intents and purposes, represent post-exploitation techniques using drivers:

• Dellicious - "Dellicious is a tool for enabling/disabling LSA protection on arbitrary processes via a vulnerability in Dell's DBUtilDrv2.sys driver (version 2.5 or 2.7). If provided the driver, Dellicious installs it, exploits it, and then removes it. That obviously requires administrator access, but that's fairly normal for LSA Protect bypass techniques."
• evil-mhyprot-cli - "A PoC for Mhyprot2.sys vulnerable driver that allowing read/write memory in kernel/user via unprivileged user process." It contains features such as the ability to "Read/Write any kernel memory with privilege of kernel from usermode"
• Kernel Cactus - An entire project, including extensive documentation that wil "Unlike the other repositories mentioned, we have taken the ability to read and write kernel memory to the next level, creating helper functions to “navigate” the kernel from the user mode". Also, make sure you check out the custom memes in the documentation, they are next level man!

"A simple tool that helps to find domains based on the Google Analytics ID." - I did not get a chance to test this, but seemed like an obvious thing to include in attack surface detection.

"Nuclei offers great number of features that are helpful for security engineers to customise workflow in their organisation. With the varieties of scan capabilities (like DNS, HTTP, TCP), security engineers can easily create their suite of custom checks with Nuclei." - This is a really neat tool! I started testing it this week, I think it can really help automate some basic discovery and scanning tasks.

So many interesting aspects to this story, including UEFI exploitation on ARM via DXE drivers, many different chips used in many different applications are impacted, Microsoft and Lenovo used affected chips (supply chain), and more!

Abusing the setup variable: "If you use UEFITool to search for "Setup" there's a good chance you'll be able to find the component that implements the setup UI. Running IFRExtractor-RS against it will then pull out any IFR data it finds, and decompile that into something resembling the original VFR. And now you have the list of variables and offsets and the configuration associated with them, even if your firmware has chosen to hide those options from you." Yuriy, Alex (The two founders at Eclypsium) and Andrew Furtak talked about abusing variables to bypass Secure Boot in 2013. The high level: NVRAM is a sub-region of the BIOS region on the SPI flash. Users are allowed to write to certain variables in NVRAM to change settings, e.g. if you need to re-write your Secure Boot keys (PK, KEK, DB, and DBX). There are a few different permissions and controls that prevent "bad things", but vendors make mistakes in the implementation (still, even today, as you will see in my upcoming Shmoocon talk).

This is an interesting look at post-exploitation techniques on Intel AMT that Mr. Starke has dubbed "Admin vs. Admin". The ability to upload arbitrary files to AMT, and have them be accessible to all has wide-reaching potential for attacks, especially given the privileged nature of AMT and the fact that it still runs even if the system is powered off (but still plugged into a power source).

I've been on a rant about passwords since the LastPass incident reported over the holiday break. I think this is a fair question to ask, but I don't agree with the rationale presented here, at least in the sense that I think there are better arguments to be made.

I'm also noticing lately that most of the articles I read about why this or that security practice doesn't work, or better, the old compliance /= security argument comes from vendors that are directly/indirectly steering the reader towards their "solution". I find this disingenuous at best and snake oil sales at worst.

Oh, and what they say about PCI DSS v4.0 simply isn't true.

Way over my head, but there has been a fairly lively discussion on the NSA-IA alumni mailing list about this article - all the math weenies that is. Apparently there is such a thing as "smooth numbers".

Good overview of how websites/eCommerce sites are targeted by the bad guys (and yes, this relates to PCI).

Paul's story #6 (about compliance /= security) mentions that there have been $1B fines levied against companies because of a breach. I had to look it up, and here you have it.

You can imagine that neither organization thinks much of PCI SSC. Compliance /= security on display here in force. FWIW - both organizations tout information sharing and collaboration but both are members only.

Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family.

This is a cool free tool, can run from wherever you drop it, no install required, and even has email support and instructions (see the No More Ransom link below.) BitDefender's decryptor will handle data encrypted by "LockerGoga" or "MegaCortex." It has options to scan a system automatically and make a backup of the encrypted files in case something goes wrong. If you have encrypted files that didn't previously decrypt properly, you could try again with this tool, assuming you've not already recreated the contents.

Software supply chain security firm Phylum has identified a malicious attack targeting Python Package Index (PyPI) users with the PoweRAT backdoor and information stealer.

Modern farm equipment is packed full of software, and repairs have become a real pain. John Deere Farmers now have the right to repair their John Deere machines.

This is huge. These are very expensive machines, and when needed, they are needed, often running 24x7 during peak seasons. As such, they need to be able to be repaired without waiting for a factory representative to be sent, let alone trying to purchase a replacement or borrow from a neighbor with as much need and time crunch as you have. This should also encourage in-field changes to help them better suit the needs in “the field.” Often these innovations/modifications (hacks) make their way back to mainstream production when discovered in the field. That said, be sure you know what you're doing before offering to alter a $1M combine.

In November 2022, OpenAI released an interface for its large language module known as ChatGPT. In a recent blog post, researchers at Check Point write that people on cybercrime forums have begun using ChatGPT to help them develop malware.

As with many tools, ChatGPT is neither good nor evil. In fact, OpenAI has terms of service which prohibit the use of its technology for illegal or harmful activities. The issue is that while it was expected that ChatGPT could be leveraged to develop malware, it was not expected how rapidly that would happen. The new malware is more convincing/realistic, making it harder to detect. Now we need our defenders (technology and human) to up their game a bit more rapidly than we would have otherwise expected.

Ongoing hacking campaigns orchestrated by the threat actor group Blind Eagle (also known as APT-C-36) have been spotted leveraging a new and advanced toolset as part of its infection chain that includes the use of phishing emails that purport to originate from the Colombian Government in new attacks targeting individuals throughout South America

Mandiant says the Russia-linked "Turla Team" cyber espionage group is now targeting victims in Ukraine by piggybacking off of formerly deployed malware to install backdoors of its own and ultimately steal data. Attackers are targeting victims previously compromised by "Andromeda", leveraging the "Kopiluwak" for recon, then using "QuietCanary"-- Reportedly the accesses are being targeted for resale vs direct access.