SSH Under Attack, IoT Routers, BLE Spam, & Patching a House of Cards – PSW #807

OpenSSH is safe, however, other implementations (from Zyxel and Cisco) are not: "The countermeasure to the attacks we describe in this paper is well known: implementations should validate signatures before sending them. OpenSSH, the most common SSH implementation we observed in this data, implements this countermeasure because it uses OpenSSL to generate signatures, and OpenSSL has included countermeasures against RSA fault attacks since 2001."

I can't wait to get the details on this one: "We will demonstrate how one of these vulnerabilities allows for full control of the device. We will also discuss how these open-source components were missed by some commercial SBoM tools that rely on firmware analysis. We found more than 80,000 of these devices exposed via the Internet and potentially affected by past and present vulnerabilities. To better understand the threat landscape, we deployed high-interaction honeypots and a real physical device on the public Internet. We will cover the analysis of the attempted port scans and exploitation trials." From: https://www.blackhat.com/eu-23/briefings/schedule/#old-code-dies-hard-finding-new-vulnerabilities-in-old-third-party-software-components-and-the-importance-of-having-sbom-for-iotot-devices-35349

"However, there's also bad news, and that is that despite the popups seemingly being throttled, now all the Bluetooth attacks the Flipper Zero can generate can lock up the attacked iPhone solid, requiring a reboot. Previously only an attack specifically designed to lock up an iPhone could achieve this."

"By playing around with the Love Spouse application, we can easily see that there is a startup packet for each expected vibration command and a single stop packet. There is no differentiation even between models. With this information, we are ready to develop an app for Flipper Zero that replicates the behavior of the app regarding startup and can create a Denial of Pleasure by continuously broadcasting the stop packet." - This is a supply chain issue as toys use the same chipset and respond to the same commands?

"this is not a sales message. Your blog storage is open to the Internet" - Amazing effort, and yet their blob storage is still open to the Internet. Sigh.

This is amazing work: "By utilizing the NVD API to fetch recently pushed CVEs and searching for GitHub references, we can then check if the commit/PR referenced by NVD has a release on GitHub that includes them. If not, this often presents a 'Half-Day' scenario, where a vulnerability is exposed without a patch at that stage." - There is a lot to unpack, but I go back to my previous comments on the difficulty of hiding vulnerabilities in open-source code once a vulnerability has been discovered.

This is the code referenced above that you can run and collect "Half-Day" vulnerabilities.

Let's write something ourselves to allow us to see all the cameras: "The company maintains a custom-built platform/website that certain employees use to manage the camera system. It lets them manage the cameras, download noteworthy “incident” videos, and view the live feeds. It is a React-based platform that interacts with a server using APIs. The website is publicly accessible, but all functionality is locked behind a corporate login page."

These are basically all examples of the thermal exhaust port vulnerability.

"Platforms like Resy and Tock are searching for ways around algorithms that snatch up prime-time reservations and then re-sell them to desperate diners."

"using a commercial handheld Geiger counter (GMC-320+) and its audio output as a generic input for any MCU. The (pulsed) audio signal is amplified with an opamp (left unspecified) that connects to a GPIO pin of the MCU (RP2040-based Pico W). Here the same algorithm is used to create a continuous queue of randomly picked numbers, which can also be queried via the WiFi interface with a custom protocol, essentially making it a network-connected RNG that could be used by other network-connected appliances."

Your software is so bad we will no longer include it. Supply chain security!

Larry is famous. Also, this site may cause nausea and/or vomiting. You can turn off animations in the settings in the upper right.

From Casey Ellis (@cje): * threat actor = someone who wants to punch you in the face * threat = the punch being thrown * vulnerability = your inability to defend against the punch * risk = the likelihood of getting punched in the face

In the wake of Hamas’s attack on Israel, researchers and cybersecurity firms observed an uptick in operations by hacktivists and state-sponsored hacking groups. But more than one month into the conflict, researchers are increasingly concluding that cyberoperations linked to the war have been mostly opportunistic in nature and frequently exaggerated in terms of their impact.

In May of this year, more than 20 critical infrastructure organizations in Denmark were targeted with cyberattacks. A report published by SektorCERT, the Danish cybersecurity organization for critical infrastructure sectors details the attacks, which were carried out through two known vulnerabilities in Zyxel firewalls. Report: https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/sektorcert-the-attack-against-danish-critical-infrastructure-tlp-clear.pdf

DP World was able to contain the attacks to their Australian components. They have roughly 10% of the shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days.

The government of the state of Maine has disclosed that its MOVEit server was breached earlier this year: intruders had access to files on the server on May 28 and 29. The incident affects 1.3 million people; the compromised data include names, Social Security numbers (SSNs), dates of birth, driver's license/state ID numbers, taxpayer ID numbers, and some medical and health insurance information. As of the 2020 census, the population of Maine was 1.3 million.

Researchers at Huntress say that cyberthreat actors are gaining unauthorized access to US healthcare organizations through locally-hosted instances of the ScreenConnect remote access tool, used by Transaction Data Systems. Huntress has provided a list of observed tactics, techniques, and procedures used in the attacks.

Don't expose any form of RDP to the Internet. Report: https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack

The US Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) have published software supply chain security guidance for vendors. The document focuses on software bill of materials (SBOM) consumption. https://media.defense.gov/2023/Nov/09/2003338086/-1/-1/0/SECURING%20THE%20SOFTWARE%20SUPPLY%20CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20SOFTWARE%20BILL%20OF%20MATERIALS%20CONSUMPTION.PDF

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

Fix: limit access to or disable J-Web, apply the software update

The Juniper CVE's are listed CISA's KEV catalog with due dates of 11/17.

The government of the City of Huber Heights, Ohio, is recovering from a ransomware attack. The city notified residents of the situation on the morning of Sunday, November 12, noting that “while public safety services are not impacted the following city divisions are affected: Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development.”

Of note: Providing updates every day at 2PM, City Manager steps up as POC.

China's largest bank, ICBC, was hit by ransomware that resulted in disruption of financial services (FS) systems on Thursday Beijing time. ICBC is the largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so.

The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story - but for a patch, the battle was lost.

The Intel OEM private key was leaked, causing an impact on the entire ecosystem. The reality is that Intel Boot Guard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. It affects many different device vendors, including Intel, Lenovo, Supermicro, and many others across the entire industry.

What a digital twin is doing is using your data inside a model that represents how your physiology and pathology is working. It is not making decisions about you based on a population that might be completely unrepresentative. It is genuinely personalised.

Civitai, an online marketplace for sharing AI models that enables the creation of nonconsensual sexual images of real people, has introduced a new feature that allows users to post “bounties.” These bounties allow users to ask the Civitai community to create AI models that generate images of specific styles, compositions, or specific real people, and reward the best AI model that does so.

They will make the proprietary algorithms it created for the TETRA radio protocol public.
This will mean independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws.

A new AI model called EVEscape predicts how viruses mutate. To showcase EVEscape's potential, scientists provided it with the original genome sequence of SARS-CoV-2, and the AI correctly predicted nearly all the mutations that would come to dominate during the pandemic.

Project Green Light uses artificial intelligence to optimize and alter intersections in order to minimize vehicles’ stopping and starting. Google reported that at busy intersections in cities, pollution can be 29 times higher than it is on open roads, due to the environmental toll of cars stopping and starting again.

Drone swarms talk, collaborate and split up duties using human language, making it easier for operators to understand the machines’ behaviour. The technology has potential for use in security patrols, rescue operations and aerial logistics and transport.

OpenAI recently released a way for anyone to create their own version of ChatGPT. They're calling them GPTs, and you can build one, catered to your company or personal goals, in a matter of minutes.

GPT 4 hallucinated 3% of the time, while Google's Palm Chat hallucinated 27% of the time.

Giskard is a French startup working on an open source testing framework for large language models. It can alert developers of risks of biases, security holes and a model’s ability to generate harmful or toxic content. Tests cover a wide range of issues, such as performance, hallucinations, misinformation, non-factual output, biases, data leakage, harmful content generation and prompt injections.

The AI system provides an accurate picture of risk to clinicians. This can alter, and potentially improve, the course of treatment for many heart patients. The technology could save thousands of lives while improving treatment for almost half of patients.

BitcoinJS, a popular package for the browser based generation of cryptocurrency wallets, used insufficiently random numbers, so the private keys can be guessed. Vulnerable wallets were created between 2011 and 2015.

Wallet Drainers are using Create2 to bypass security alerts in certain wallets. By exploiting Create2’s ability to pre-calculate contract addresses, the Drainers can generate new addresses for each malicious signature. These addresses pass the wallet's tests and are not flagged as malicious.

Many x86 processors have a flaw in the microcode which can be triggered by assembly language instructions with multiple prefixes. This can cause branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer. This may lead to privilege escalation, but that exploit has not been developed yet. There is a PoC tool used to demonstrate the flaw.

Some of the processors that have this feature include:

Ice Lake Rocket Lake Tiger Lake Raptor Lake Alder Lake Sapphire Rapids

The new feature lets you upload files, but it also makes them vulnerable to exposure. An attacker would need to trick the ChatGPT user into entering a prompt containing a malicious third-party URL which can exfiltrate data from the files. This amounts to a high-level version of cross-site scripting.

Check if your Cryptocurrency Wallet is Vulnerable to Known Exploits. Submit your Public Key and our automated wallet checker will let you know if your wallet is vulnerable or becomes vulnerable in the future.