12 Year Linux Bug, Recovering Bitcoin, Lulzsec’s Impact, & Pimp My Cubicle – PSW #725

"The third line of defense is the most interesting one as malware operators have added an anti-debugging script that triggers a memory overload when a security researcher performs a Code Beautifying technique."

"The Qualys researchers aren't the only ones to stumble upon this vulnerability, or at least a very similar bug. In 2013, researcher Ryan Mallon publicly reported much the same bug and even wrote a patch, although he ultimately could find no way to exploit the vulnerability. And last June, Github security researcher Kevin Backhouse also reported a privilege escalation vulnerability. It received the tracking designation of CVE-2021-3560 and a patch from major Linux distributors." - FYI, K. Backhouse bug looks totally different. R. Mallon's discovery analyzed the same code block, but did not publish an exploit. Are we now compelled, give the success of Pwn2Own and Dragos's recent comments, to make sure we weaponize all exploits?

"By the end of the third quarter, the number of data breaches was 17% higher in 2021 than the previous year. The manufacturing and utilities sector was affected the most, followed by healthcare, which saw more than 40 million patient records breached. Ransomware attacks are also seeing a precipitous rise, having earned an estimated $590 million in the first half of 2021, which already surpasses 2020's total estimated earnings of $416 million." - Could it be that we've gotten better at detecting breaches and/or you know your breached because the attackers are using extortion more than before? Are more patient records breached because our records are, more than ever before, being stored digitally? Ransomware payouts have increased due to cyber insurance and breach reporting laws? Not everything, especially statistics, are due to failures in defending networks...perhaps?

"Titled On One-way Functions and Kolmogorov Complexity, the winning paper was published at the 2020 IEEE (Institute of Electrical and Electronics Engineers) Symposium on Foundations of Computer Science. " - Wow, from the paper: "A one-way function [13] (OWF) is a function f that can be efficiently computed (in polynomial time), yet no probabilistic polynomial-time (PPT) algorithm can invert f with inverse polynomial probability for infinitely many input lengths n."

"Because there is no predictability — perhaps that’s a part of their point — there is the idea that they can hit anyone at any time for whatever reason,” Coroneos said. “That seems to be what they are actually trying to show: that they are not restricted to one ideology or cause."

"Also of interest is the fact that the threat actors are embedding the skimmer inside a favicon.ico file. Favicons are small icon images that link to other websites. “If you were to look at it, you’d not notice anything because the image is meant to be preserved,”"

Oh you would be surprised: "However, for the exploit process to work, the attacker needs to leverage an unprivileged namespace or use "unshare" to enter a namespace with the CAP_SYS_ADMIN permission. This capability isn't the default setting on Docker, and using the "–privileged" flag when starting the container isn't common practice."

Apple updated iOS/iPadOS/watchOS/tvOS and macOS to resolve kernel and webkit vulnerabilities. 10 CVEs addressed in iOS and iPadOS. Code reuse means the updates hit many of the product lines.

An update for the Rust programming language fixes a bug that could be exploited to delete files and directories from unpatched systems. This is a TOCTOU (time of check/time of use) race condition. Updating to version 1.58.1 is the only fix, as adding code to check prior to calling the “remove_dir_all” function will not mitigate the problem as those calls will also be subject to the same race condition.

The FBI warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes in attacks designed to redirect victims to malicious website designed to steal targeted victims' financial information and login credentials.

This week, CISA has added 17 actively exploited vulnerabilities to its "Known Exploited Vulnerabilities" catalog that was established under "Binding Operational Directive (BOD) 22-01" and lists vulnerabilities that have been successfully exploited by hackers and are required to be patched by Federal Civilian Executive Branch (FCEB) agencies.

OpenSubtitles suffered a data breach that affected 6,783,158 subscribers. Exposed data include email and IP addresses, usernames, the country of the user and passwords stored as unsalted MD5 hashes.

Threat actors are actively exploiting a critical flaw (CVE-2021-20038) in SonicWall’s Secure Mobile Access (SMA) series 100 gateways addressed in December. Remember the SMA 100 series of appliances include the SMA 200, 210, 400, 500v products. This is a high risk vulnerability as it allows for remote code execution. Sonicwall Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Threat hunters at Kaspersky have spotted a well-known Chinese government-linked "APT41" (Winnti) APT group has been leveraging a UEFI implant dubbed "MoonBounce" in order to evade detection across system reboots while operators conduct state-sponsored cyber espionage activity.

The Belarusian Cyber-Partisans says it successfully breached and encrypted servers belonging to the state-owned Belarusian Railway after it learned that Russia was using the rail transport network to move military personnel and equipment into Belarus.