Android TVs (Malware Included), Patch Netscaler, Fixing Legacy Auth, & GNOME Bugs! – PSW #802

"The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads." - I hate that this plugin is a requirement for the theme. This makes it a supply chain problem and not a good one.

This is bad: "A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted." - Appears to be an appliance that can be deployed physically and or virtually? I've not worked with the platform, but it sounds like it has its own OS, and is obviously poorly configured.

This is a great idea, in theory, and applying AppArmor to things like browsers is a step in the right direction. However, as always, there are bypasses: https://bugs.launchpad.net/apparmor/+bug/1911431 (it does not protect scripts with shebang). Also, it looks like this bug has not been fixed...

Here's how it works: "More importantly, another application that uses libcue is tracker-miners, which is included in GNOME-based Linux distros and is responsible for indexing files in the user's directory so they appear in search results. The tracker-miners application initializes automatically when a file is either added or modified in a subdirectory of the home directory. This means the exploit can be executed as soon as the user downloads a maliciously crafted .cue file, since tracker-miners uses libcue to pass the cue sheets file." - So download a file to your home directory, then tracker-miners will read the file and trigger the exploit. Oh, and speaking of breaking out of sandboxes, this vulnerability also included a bonus: you can break out of a seccomp sandbox. More details: https://thehackernews.com/2023/10/libcue-library-flaw-opens-gnome-linux.html and here https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

We could do an entire segment on each of these topics:

*"Most companies don't pay for security; they pay to avoid fines.

In the theater of business, cybersecurity is a supporting actor, not the main character.

Hate on GRC functions all you want, but they're the conductors of the cybersecurity orchestra.

There's no talent shortage; there's an imagination shortage on the hiring side.

Cybersecurity is 10% tech and 90% diplomacy."*

I like this: "Overlay is a browser extension that helps developers evaluate open source packages before picking them. It gathers data from various sources, such as Snyk Advisor, Debricked, Socket.dev, and Deps.dev, and displays them on the package pages of popular registries like npm, PyPI, and Go." - I want to say some commercial software offers something similar, nice to have it available to anyone. Also, Microsoft released free tools that do similar things: https://github.com/microsoft/OSSGadget ("OSS Gadget is a collection of tools that can help analyze open source projects. These are intended to make it simple to perform low-level tasks, like locating the source code of a given package, downloading it, performing basic analyses on it, or estimating its health. The tools included in OSS Gadget will grow over time.")

"Finally, because of the backdoor’s connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner’s permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices’ owners," - This is the part that scares me the most. Read the original research here: https://www.humansecurity.com/hubfs/HUMANReportBADBOX-and-PEACHPIT.pdf

This is one you could actually exploit easily with a Flipper Zero, original research here: https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-006/-d-link-dap-x1860-remote-command-injection - Exploit? Create an SSID like this: "$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3"

In case you were looking for reasons to switch to Wayland: "It was a decade ago that a security researcher commented on X.Org Server security being even "worse than it looks" and that the GLX code for example was "80,000 lines of sheer terror" and hundreds of bugs being uncovered throughout the codebase. In 2023 new X.Org security vulnerabilities continue to be uncovered, two of which were made public today and date back to X11R2 code from the year 1988." - The 2013 research is here: https://lists.x.org/archives/xorg-devel/2013-December/039773.html

New DDoS record: "Since late August, Cloudflare has detected and mitigated over a thousand 'HTTP/2 Rapid Reset' DDoS attacks that surpassed 10 million rps, with 184 breaking the previous 71 million rps record."

I built one of these this week, and it's very handy. Sure, you could build your own, but Ventoy makes it dead easy to have a USB thumb drive that can boot from a list of multiple ISOs you just load on a partition.

Wow, this seems too easy for attackers not to exploit: "X-Force identified the campaign through an incident response engagement where a client had discovered the script after investigating reports of slow authentications on the NetScaler device. The script which is appended to the legitimate “index.html” file loads an additional remote JavaScript file that attaches a function to the “Log On” element in the VPN authentication page that collects the username and password information and sends it to a remote server during authentication."

A report from Amnesty International based on its own disclosures “and the findings of the new Predator Files investigation coordinated by European Investigative Collaborations (EIC) media network, have laid bare how government action has been inadequate and ineffective in ending spyware abuse. Fundamentally, the beef is that there is no control over spyware use, in this case they are using the use case of the Predator spyware, which appears to be readily available to anyone who wants it. It's a similar argument to making a tool that only a certain group (e.g., law enforcement) will have access to, which turns out to be available to a much larger group.

The IZ1H9 campaign targets routers and Internet of Things (IoT) devices from multiple vendors, including D-Link, Zyxel, and TOTOLINK and adds them to a botnet that is used to launch DDoS attacks. The researchers enumerated 13 new payloads being used to infect these devices, all of which are part of the IZ1H9 campaign. The attack is aimed at Linux-based network devices, which starts by leveraging a known weakness to deploy a payload which installs a shell script downloader, deleting all logs, then modifying the device iptables to obscure and enable their desired communication. The primary mitigation is to keep devices aggressively updated as well as limit access to their management services.

Cyber criminals are exploiting a recently-disclosed vulnerability in Citrix NetScaler Gateways to steal user credentials. The vulnerability (CVE-2023-3519) was disclosed in July 2023, and updates to fix the issue were released at that time. The flaw has been under exploit since June 2023.

In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes. https://www.humansecurity.com/hubfs/HUMANReportBADBOX-and-PEACHPIT.pdf

GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS). Token validity checks will alert users whether exposed tokens found by secret scanning are active, thereby allowing for effective remediation measures.

To toggle the setting, enterprise or organization owners and repository administrators can head to Settings > Code security and analysis > Secret scanning and check the option "Automatically verify if a secret is valid by sending it to the relevant partner."

The maintainers of the cURL data transfer project are working on patching two vulnerabilities in the software, including a high-severity bug impacting both libcurl and curl. The two issues are tracked as CVE-2023-38545 and CVE-2023-38546, and the maintainers are warning that the former has a ‘high severity’ rating and could be considered one of the most severe flaws in the open source tool.

“We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time,” the maintainers note in an advisory.

https://github.com/curl/curl/discussions/12026

On October 10th, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/ https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack

According to Microsoft’s recently published Digital Defense Report, “80-90 percent of all successful ransomware compromises originate through unmanaged devices.” Microsoft offers suggestions to improve security at organizations that allow bring your own device (BYOD); The UK’s National Cyber Security Centre also has BYOD guidance.

A campaign using artificial intelligence to impersonate Omar al-Bashir, the former leader of Sudan, has received hundreds of thousands of views on TikTok, adding online confusion to a country torn apart by civil war.

As the kinetic battle between the Palestinian militant group Hamas and Israel enters its third day and casualties continue, cyber warriors are joining the fray.

A group of cyber criminals, including an ex-banker, breached the account of Safex Payout, a payment gateway service provider, and stole ₹16,180 crore (approximately $2 billion USD) in what is being called the "largest cyber heist" in India. The theft was discovered during an investigation into a smaller heist of ₹25 crore from the payment gateway giant, and as many as 260 accounts were involved in the theft.

The cold, hard truth? Cybercriminals are still perpetuating plenty of unsophisticated attacks for a simple reason: They work.

Plenty of cybercriminals are still perpetuating plenty of non-sophisticated attacks for the simple reason that they work. These are the scams and fraud that prey on the unsuspecting and the unknowing. In other words, they are the attacks that prey on human behavior. This includes basic phishing attacks and credential harvesting.

For instance, a recent Cybersecurity and Infrastructure Security Agency (CISA) report found that:

Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies

Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year

Valid accounts were responsible for 54% of all attacks studied in the agency's annual risk and vulnerability assessment

For Windows 11, we are introducing two major features to Kerberos to expand when it can be used—addressing two of the biggest reasons why Kerberos falls back to NTLM today. The first, IAKerb, allows clients to authenticate with Kerberos in more diverse network topologies. The second, a local KDC for Kerberos, adds Kerberos support to local accounts. Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11.

Scientists developed an entanglement-based, free-space quantum network. The platform offered a practical and efficient alternative for metropolitan applications. The team introduced a free-space quantum key distribution system to demonstrate its use in realistic applications in anticipation of the work to establish free-space networks as a viable solution for metropolitan applications in the future global quantum internet.

The authors are not crackpots: they are Blaise Agüera y Arcas, a vice president and fellow at Google Research, and Peter Norvig, a computer scientist at the Stanford Institute for Human-Centered AI. They claim that today's AI systems, which perform competently even on novel tasks they were not trained for, cross a threshold that previous generations of AI and supervised deep learning systems never managed. Decades from now, they will be recognized as the first true examples of AGI, just as the 1945 ENIAC is now recognized as the first true general-purpose electronic computer.

VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.

Google admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.