Android TVs (Malware Included), Patch Netscaler, Fixing Legacy Auth, & GNOME Bugs! – PSW #802
In the Security News: Windows 11 tries to fix legacy authentication, Rapid Resets and the world’s largest DDoS attack, we finally get to see the cURL vulnerability, and it’s pretty ugly, turns out Android TV boxes with pre-installed malware are a hot topic, patch your Netscaler, root for everyone with emergency responder software, learn THIS hacking Tools First, long live Wayland, how to actually hack a WiFi device with a Flipper Zero, scanning open source packages, GNOME bugs and a bonus, security is a great idea until there is a bypass in AppArmor, a tool that everyone should have in their kit, and we could talk for hours about 25 hard-hitting lessons from cybersecurity! All that and more on this episode of Paul’s Security Weekly!
Announcements
Security Weekly Listeners: We are celebrating the milestone of reaching over 1,000 members of our CISO community. The Cybersecurity Collaboration Forum is a one-stop shop for executive collaboration comprised of CISOs across various industries. If you want to be part of this growing community of CISOs, join us as a member or technology partner. To learn more, visit: securityweekly.com/cybersecuritycollaboration
Hosts
- 1. Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
"The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads." - I hate that this plugin is a requirement for the theme. This makes it a supply chain problem and not a good one.
- 2. Cisco warns of critical flaw in Emergency Responder code
This is bad: "A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted." - Appears to be an appliance that can be deployed physically and/or virtually? I've not worked with the platform, but it sounds like it has its own OS, and is obviously poorly configured.
- 3. Ubuntu Linux 23.10 is adding an important new security feature
This is a great idea, in theory, and applying AppArmor to things like browsers is a step in the right direction. However, as always, there are bypasses: https://bugs.launchpad.net/apparmor/+bug/1911431 (it does not protect scripts with shebang). Also, it looks like this bug has not been fixed...
- 4. GNOME Linux bug hunt leads to surprise double disclosure
Here's how it works: "More importantly, another application that uses libcue is tracker-miners, which is included in GNOME-based Linux distros and is responsible for indexing files in the user's directory so they appear in search results. The tracker-miners application initializes automatically when a file is either added or modified in a subdirectory of the home directory. This means the exploit can be executed as soon as the user downloads a maliciously crafted .cue file, since tracker-miners uses libcue to pass the cue sheets file." - So download a file to your home directory, then tracker-miners will read the file and trigger the exploit. Oh, and speaking of breaking out of sandboxes, this vulnerability also included a bonus: you can break out of a seccomp sandbox. More details: https://thehackernews.com/2023/10/libcue-library-flaw-opens-gnome-linux.html and here https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
- 5. Shufflecake – Hidden Linux Filesystems to Store Sensitive Data
- 6. Yet More Unauth Remote Command Execution Vulns in Firewalls – Sangfor Edition
- 7. 25 Hard-Hitting Lessons from 17 Years in Cybersecurity
We could do an entire segment on each of these topics:
*"Most companies don't pay for security; they pay to avoid fines."*
*"In the theater of business, cybersecurity is a supporting actor, not the main character."*
*"Hate on GRC functions all you want, but they're the conductors of the cybersecurity orchestra."*
*"There's no talent shortage; there's an imagination shortage on the hiring side."*
*"Cybersecurity is 10% tech and 90% diplomacy."*
- 8. Overlay – Scanning OSS Packages
I like this: "Overlay is a browser extension that helps developers evaluate open source packages before picking them. It gathers data from various sources, such as Snyk Advisor, Debricked, Socket.dev, and Deps.dev, and displays them on the package pages of popular registries like npm, PyPI, and Go." - I want to say some commercial software offers something similar, nice to have it available to anyone. Also, Microsoft released free tools that do similar things: https://github.com/microsoft/OSSGadget ("OSS Gadget is a collection of tools that can help analyze open source projects. These are intended to make it simple to perform low-level tasks, like locating the source code of a given package, downloading it, performing basic analyses on it, or estimating its health. The tools included in OSS Gadget will grow over time.")
- 9. Android Devices With Backdoored Firmware Found in US Schools
"Finally, because of the backdoor’s connection to C2 servers on BadBox-infected smartphones, tablets, and CTV boxes, new apps or code can be remotely installed by the threat actors without the device owner’s permission. The threat actors behind BadBox could develop entirely new schemes and deploy them on BadBox-infected devices without any interaction from the devices’ owners," - This is the part that scares me the most. Read the original research here: https://www.humansecurity.com/hubfs/HUMANReportBADBOX-and-PEACHPIT.pdf
- 10. D-Link WiFi range extender vulnerable to command injection attacks
This is one you could actually exploit easily with a Flipper Zero, original research here: https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-006/-d-link-dap-x1860-remote-command-injection - Exploit? Create an SSID like this: "$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3"
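Why that SSID works as a payload, and what the fix looks like, as an added Python example (this is not the advisory's or D-Link's code): the vulnerable pattern interpolates the SSID into a shell command string, the hardened pattern validates the SSID and passes it as a single argv element so no shell ever parses it. The command shape `iwconfig wlan0 essid '<ssid>'` is an assumption standing in for whatever the firmware actually runs; `shell_would_split` is a deliberately minimal quote tracker, enough to show the break-out, not a full shell parser.

```python
"""Shell injection through an SSID: vulnerable pattern, a check that shows
why it fails, and the hardened argv-based alternative.  Added example; the
iwconfig command line is an assumed stand-in for the real firmware command."""

SSID_MAX_BYTES = 32              # IEEE 802.11 SSID length limit
SHELL_CONTROL = set("&;|`$\n")    # bytes a POSIX shell interprets outside single quotes


def build_shell_command(ssid: str) -> str:
    """VULNERABLE: attacker-controlled text ends up inside a string that the
    firmware would hand to system() / sh -c."""
    return f"iwconfig wlan0 essid '{ssid}'"


def shell_would_split(cmd: str) -> bool:
    """Return True if a POSIX shell would see more than one command in cmd.

    Inside '...' every byte is literal, so an interpolated SSID can only
    inject by closing the quote first and then using a control operator,
    which is exactly what the advisory's Test' && ... payload does.
    """
    in_single = False
    for ch in cmd:
        if ch == "'":
            in_single = not in_single
        elif not in_single and ch in SHELL_CONTROL:
            return True
    return False


def validate_ssid(ssid: str) -> bool:
    """Defence in depth: 1..32 bytes per 802.11, printable ASCII only.
    (The printable-ASCII rule is this example's policy, not a protocol rule;
    real SSIDs may be arbitrary bytes.)"""
    data = ssid.encode("utf-8", errors="replace")
    return 0 < len(data) <= SSID_MAX_BYTES and all(32 <= ord(c) < 127 for c in ssid)


def build_argv(ssid: str) -> list[str]:
    """HARDENED: each argument is its own argv element.  Run it with
    subprocess.run(build_argv(ssid)) (shell=False is the default), and the
    kernel receives the SSID verbatim; quotes and && are just characters."""
    if not validate_ssid(ssid):
        raise ValueError("rejected SSID")
    return ["iwconfig", "wlan0", "essid", ssid]


if __name__ == "__main__":
    payload = "Test' && uname -a &&"          # the SSID from the advisory
    cmd = build_shell_command(payload)
    print("vulnerable command line :", cmd)
    print("shell would split it?   :", shell_would_split(cmd))
    print("argv form (inert)       :", build_argv(payload))
```

The same SSID that breaks out of the quoted shell string passes `validate_ssid` and becomes a harmless argv element in `build_argv`; the fix is removing the shell from the path, with length and character validation as a second layer.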
- 11. X.Org Hit By New Security Vulnerabilities – Two Date Back To 1988 With X11R2 – Phoronix
In case you were looking for reasons to switch to Wayland: "It was a decade ago that a security researcher commented on X.Org Server security being even "worse than it looks" and that the GLX code for example was "80,000 lines of sheer terror" and hundreds of bugs being uncovered throughout the codebase. In 2023 new X.Org security vulnerabilities continue to be uncovered, two of which were made public today and date back to X11R2 code from the year 1988." - The 2013 research is here: https://lists.x.org/archives/xorg-devel/2013-December/039773.html
- 12. New ‘HTTP/2 Rapid Reset’ zero-day attack breaks DDoS records
New DDoS record: "Since late August, Cloudflare has detected and mitigated over a thousand 'HTTP/2 Rapid Reset' DDoS attacks that surpassed 10 million rps, with 184 breaking the previous 71 million rps record."
- 13. Ventoy 1.0.96
I built one of these this week, and it's very handy. Sure, you could build your own, but Ventoy makes it dead easy to have a USB thumb drive that can boot from a list of multiple ISOs you just load on a partition.
- 14. X-Force uncovers global NetScaler Gateway credential harvesting campaign
Wow, this seems too easy for attackers not to exploit: "X-Force identified the campaign through an incident response engagement where a client had discovered the script after investigating reports of slow authentications on the NetScaler device. The script which is appended to the legitimate “index.html” file loads an additional remote JavaScript file that attaches a function to the “Log On” element in the VPN authentication page that collects the username and password information and sends it to a remote server during authentication."
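One way to hunt for this kind of implant on a saved copy of the login page, as an added Python example (not IBM X-Force's or Citrix's code): parse the HTML, flag any `<script>` that loads from a host outside an allowlist, and flag any script that appears after the closing `</html>` tag, which is where something "appended to index.html" ends up. The sample page, the hostnames and the baseline hash are constructed for illustration and are not indicators from the X-Force report.

```python
"""Audit a gateway login page for injected credential-harvesting scripts.
Added example; SAMPLE_PAGE, the hostnames and paths are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Records external <script src> loads and any script that appears after
    </html>.  A legitimate template never emits markup after </html>; an
    implant appended to index.html always does."""

    def __init__(self, page_host: str, allowed_hosts: set[str]):
        super().__init__()
        self.page_host = page_host
        self.allowed_hosts = allowed_hosts
        self.html_closed = False
        self.findings: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None   # None for inline or relative
        external = host is not None and host != self.page_host and host not in self.allowed_hosts
        if external or self.html_closed:
            self.findings.append({
                "src": src,
                "host": host,
                "external": external,
                "appended_after_html": self.html_closed,
                "line": self.getpos()[0],
            })

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def audit_login_page(html: str, page_host: str, allowed_hosts=frozenset()) -> list[dict]:
    auditor = ScriptAuditor(page_host, set(allowed_hosts))
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def content_changed(html: str, baseline_sha256: str) -> bool:
    """Integrity check against a hash recorded from a known-good appliance
    (collecting that baseline is outside this example)."""
    return hashlib.sha256(html.encode()).hexdigest() != baseline_sha256


# Constructed sample: a plausible login page with one appended remote script.
SAMPLE_PAGE = """<html><head><title>Gateway</title>
<script src="/vpn/js/login.js"></script>
</head><body><form id="loginForm"><input name="login"><input name="passwd" type="password">
<button id="Log_On">Log On</button></form></body></html>
<script src="https://placeholder-cdn.example/jquery.min.js"></script>
"""

if __name__ == "__main__":
    for f in audit_login_page(SAMPLE_PAGE, "vpn.corp.example"):
        print(f)
```

Run over a copy of `index.html` pulled from the appliance, the relative `/vpn/js/login.js` load is ignored while the trailing remote script is reported twice over: its host is not the gateway's and it sits after `</html>`. Pair this with the hash comparison so a change is caught even when the injected script is inline or points at an allowlisted host.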
- 1. Cisco Plugs Gaping Hole in Emergency Responder Software
- 2. Announcing the $12k NIST Elliptic Curves Seeds Bounty
- 3. QR Code Red: Quishing Attacks and How to Prevent Them – Perception Point
- 4. Summary of the Paper “Zombie Awakening: Stealthy Hijacking of Active Domains through DNS Hosting…
- 5. Quishing on the rise: How to prevent QR code phishing
- 6. curl – SOCKS5 heap buffer overflow – CVE-2023-38545
- 7. Gaza Conflict: How Israeli Cybersecurity Will Respond
- 8. Beginner in Cybersecurity? Learn THIS Hacking Tools First
- 9. Navigating the Terrain of Recent cURL Vulnerabilities: A Proactive Approach to Software Supply Chain Security
- 10. Israeli Tech CEOs Are Leaving Their Startups to Join the War
Following Hamas’ attack, Israel has called on 300,000 reservists to join its war effort,
- 1. ‘Predator Files’ report prompts call for worldwide ban on spyware
A report from Amnesty International based on its own disclosures “and the findings of the new Predator Files investigation coordinated by European Investigative Collaborations (EIC) media network, have laid bare how government action has been inadequate and ineffective in ending spyware abuse.” Fundamentally, the beef is that there is no control over spyware use, in this case they are using the use case of the Predator spyware, which appears to be readily available to anyone who wants it. It's a similar argument to making a tool that only a certain group (e.g., law enforcement) will have access to, which turns out to be available to a much larger group.
- 2. IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
The IZ1H9 campaign targets routers and Internet of Things (IoT) devices from multiple vendors, including D-Link, Zyxel, and TOTOLINK, and adds them to a botnet that is used to launch DDoS attacks. The researchers enumerated 13 new payloads being used to infect these devices, all of which are part of the IZ1H9 campaign. The attack is aimed at Linux-based network devices and starts by leveraging a known weakness to deploy a payload that installs a shell-script downloader, deletes all logs, then modifies the device's iptables rules to obscure and enable the desired communication. The primary mitigation is to keep devices aggressively updated as well as limit access to their management services.
- 3. X-Force uncovers global NetScaler Gateway credential harvesting campaign
Cyber criminals are exploiting a recently-disclosed vulnerability in Citrix NetScaler Gateways to steal user credentials. The vulnerability (CVE-2023-3519) was disclosed in July 2023, and updates to fix the issue were released at that time. The flaw has been under exploit since June 2023.
- 4. Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor
In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg. Today, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes. https://www.humansecurity.com/hubfs/HUMANReportBADBOX-and-PEACHPIT.pdf
- 5. GitHub’s Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack
GitHub has announced an improvement to its secret scanning feature that extends validity checks to popular services such as Amazon Web Services (AWS). Token validity checks will alert users whether exposed tokens found by secret scanning are active, thereby allowing for effective remediation measures.
To toggle the setting, enterprise or organization owners and repository administrators can head to Settings > Code security and analysis > Secret scanning and check the option "Automatically verify if a secret is valid by sending it to the relevant partner."
- 6. Patches Prepared for ‘Probably Worst’ cURL Vulnerability
The maintainers of the cURL data transfer project are working on patching two vulnerabilities in the software, including a high-severity bug impacting both libcurl and curl. The two issues are tracked as CVE-2023-38545 and CVE-2023-38546, and the maintainers are warning that the former has a ‘high severity’ rating and could be considered one of the most severe flaws in the open source tool.
“We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time,” the maintainers note in an advisory.
- 7. HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks
On October 10th, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks. https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/ https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- 8. Microsoft Digital Defense Report 2023 (MDDR)
According to Microsoft’s recently published Digital Defense Report, “80-90 percent of all successful ransomware compromises originate through unmanaged devices.” Microsoft offers suggestions to improve security at organizations that allow bring your own device (BYOD); the UK’s National Cyber Security Centre also has BYOD guidance.
- 9. AI: Voice cloning tech emerges in Sudan civil war
A campaign using artificial intelligence to impersonate Omar al-Bashir, the former leader of Sudan, has received hundreds of thousands of views on TikTok, adding online confusion to a country torn apart by civil war.
- 10. Israel’s Government, Media Websites Hit with Cyberattacks
As the kinetic battle between the Palestinian militant group Hamas and Israel enters its third day and casualties continue, cyber warriors are joining the fray.
- 11. Rs 16,180 Crore Heist! How This Ex-Banker Hacked A Payment Gateway to Steal Funds
A group of cyber criminals, including an ex-banker, breached the account of Safex Payout, a payment gateway service provider, and stole ₹16,180 crore (approximately $2 billion USD) in what is being called the "largest cyber heist" in India. The theft was discovered during an investigation into a smaller heist of ₹25 crore from the payment gateway giant, and as many as 260 accounts were involved in the theft.
- 12. Old-School Attacks Are Still a Danger, Despite Newer Techniques
The cold, hard truth? Cybercriminals are still perpetuating plenty of unsophisticated attacks for a simple reason: They work.
Plenty of cybercriminals are still perpetuating plenty of non-sophisticated attacks for the simple reason that they work. These are the scams and fraud that prey on the unsuspecting and the unknowing. In other words, they are the attacks that prey on human behavior. This includes basic phishing attacks and credential harvesting.
For instance, a recent Cybersecurity and Infrastructure Security Agency (CISA) report found that:
- Valid account credentials are at the root of most successful threat actor intrusions of critical infrastructure networks and state and local agencies
- Valid credential compromise combined with spear-phishing attacks accounted for nearly 90% of infiltrations last year
- Valid accounts were responsible for 54% of all attacks studied in the agency's annual risk and vulnerability assessment
- 1. The evolution of Windows authentication
For Windows 11, we are introducing two major features to Kerberos to expand when it can be used—addressing two of the biggest reasons why Kerberos falls back to NTLM today. The first, IAKerb, allows clients to authenticate with Kerberos in more diverse network topologies. The second, a local KDC for Kerberos, adds Kerberos support to local accounts. Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11.
- 2. Toward metropolitan free-space quantum networks
Scientists developed an entanglement-based, free-space quantum network. The platform offered a practical and efficient alternative for metropolitan applications. The team introduced a free-space quantum key distribution system to demonstrate its use in realistic applications in anticipation of the work to establish free-space networks as a viable solution for metropolitan applications in the future global quantum internet.
- 3. Artificial General Intelligence Is Already Here
The authors are not crackpots: they are Blaise Agüera y Arcas, a vice president and fellow at Google Research, and Peter Norvig, a computer scientist at the Stanford Institute for Human-Centered AI. They claim that today's AI systems, which perform competently even on novel tasks they were not trained for, cross a threshold that previous generations of AI and supervised deep learning systems never managed. Decades from now, they will be recognized as the first true examples of AGI, just as the 1945 ENIAC is now recognized as the first true general-purpose electronic computer.
- 4. Microsoft deprecates VBScript
VBScript has been made a "Feature on Demand" (FoD), and Microsoft plans to remove it completely in a future version of Windows.
- 5. Google is making their weak, flawed passkey system the default login method — I urge you NOT to use it!
Google admitted that their implementation, by depending completely on device authentication security which for many users is extremely weak, will put many users at risk of their Google accounts being compromised. However, they feel that overall this will be an improvement for users who have strong authentication on their devices.