SSH Under Attack, IoT Routers, BLE Spam, & Patching a House of Cards – PSW #807
In the Security News: SSH under attack, IoT routers have vulnerabilities, the BLE Spam attacks still work against iPhones, there is a longer story behind BLE spam, and Larry is one of the stars, denial of pleasure via BLE, vulnerability disclosure and your blob is showing, the half-day watcher, tapping into cameras, 50 shades of vulnerabilities, nuclear decay as a random number generator, CacheWarp, Reptar, attacking Danish critical infrastructure, you can’t patch a house of cards (and your bitcoin may be at risk). All that and more on this episode of Paul’s Security Weekly!
OpenSSH is safe; however, other implementations (from Zyxel and Cisco) are not: "The countermeasure to the attacks we describe in this paper is well known: implementations should validate signatures before sending them. OpenSSH, the most common SSH implementation we observed in this data, implements this countermeasure because it uses OpenSSL to generate signatures, and OpenSSL has included countermeasures against RSA fault attacks since 2001."
"However, there's also bad news, and that is that despite the popups seemingly being throttled, now all the Bluetooth attacks the Flipper Zero can generate can lock up the attacked iPhone solid, requiring a reboot. Previously only an attack specifically designed to lock up an iPhone could achieve this."
"By playing around with the Love Spouse application, we can easily see that there is a startup packet for each expected vibration command and a single stop packet. There is no differentiation even between models. With this information, we are ready to develop an app for Flipper Zero that replicates the behavior of the app regarding startup and can create a Denial of Pleasure by continuously broadcasting the stop packet." - This is a supply chain issue as toys use the same chipset and respond to the same commands?
This is amazing work: "By utilizing the NVD API to fetch recently pushed CVEs and searching for GitHub references, we can then check if the commit/PR referenced by NVD has a release on GitHub that includes them. If not, this often presents a 'Half-Day' scenario, where a vulnerability is exposed without a patch at that stage." - There is a lot to unpack, but I go back to my previous comments on the difficulty of hiding vulnerabilities in open-source code once a vulnerability has been discovered.
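The check the quote describes (pull fresh CVEs, pick out GitHub commit/PR references, see whether any published release already contains the fix) is easy to sketch. The block below is an added example, not the Half-Day Watcher's own code: the NVD response is a constructed sample in the shape of the NVD 2.0 API, the GitHub side is replaced by an in-memory table standing in for the releases/compare lookups a real watcher would make, and every CVE id, repo and commit hash is made up.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of an NVD 2.0 API "cves" response, trimmed to the
# fields used here. CVE ids, repos, hashes and dates are placeholders, not real data.
NVD_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-00001",
            "published": "2023-11-10T12:00:00.000",
            "references": [
                {"url": "https://github.com/example-org/widget/commit/abc123def456",
                 "source": "nvd@nist.gov", "tags": ["Patch"]},
                {"url": "https://example.invalid/advisory", "source": "nvd@nist.gov"},
            ],
        }},
        {"cve": {
            "id": "CVE-0000-00002",
            "published": "2023-11-11T09:30:00.000",
            "references": [
                {"url": "https://github.com/example-org/gadget/pull/42",
                 "source": "nvd@nist.gov", "tags": ["Patch"]},
            ],
        }},
        {"cve": {
            "id": "CVE-0000-00003",
            "published": "2023-11-11T10:00:00.000",
            "references": [
                {"url": "https://vendor.invalid/bulletin/3", "source": "nvd@nist.gov"},
            ],
        }},
    ]
})

# Constructed stand-in for GitHub: per repo, the commits and merged PR numbers that a
# published release tag contains. A real watcher would ask the GitHub API (releases,
# then a compare of the fix commit against the tag) instead of consulting this table.
RELEASED = {
    "example-org/widget": {"v1.2.1": {"commits": {"abc123def456"}, "prs": {7}}},
    "example-org/gadget": {"v0.9.0": {"commits": set(), "prs": {41}}},
}

# Matches the two GitHub reference forms NVD commonly carries: a commit or a PR.
GITHUB_REF = re.compile(
    r"https://github\.com/(?P<repo>[^/]+/[^/]+)/"
    r"(?:commit/(?P<sha>[0-9a-f]{7,40})|pull/(?P<pr>\d+))"
)


@dataclass
class Finding:
    cve_id: str
    repo: str
    fix_ref: str                 # "commit:<sha>" or "pr:<number>"
    released_in: Optional[str]   # release tag shipping the fix, or None

    @property
    def half_day(self) -> bool:
        # The fix is public (NVD links the commit/PR) but no release ships it yet.
        return self.released_in is None


def github_fix_refs(cve):
    """Yield (repo, kind, value) for each GitHub commit or PR reference on a CVE."""
    for ref in cve.get("references", []):
        m = GITHUB_REF.match(ref.get("url", ""))
        if not m:
            continue
        if m.group("sha"):
            yield m.group("repo"), "commit", m.group("sha")
        else:
            yield m.group("repo"), "pr", int(m.group("pr"))


def release_containing(repo, kind, value, released=RELEASED):
    """Return the release tag containing the fix, or None (table-backed lookup)."""
    key = "commits" if kind == "commit" else "prs"
    for tag, contents in released.get(repo, {}).items():
        if value in contents[key]:
            return tag
    return None


def find_half_days(nvd_json: str, released=RELEASED):
    """Scan an NVD-style response; return one Finding per GitHub-referenced fix."""
    findings = []
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        for repo, kind, value in github_fix_refs(cve):
            tag = release_containing(repo, kind, value, released)
            findings.append(Finding(cve["id"], repo, f"{kind}:{value}", tag))
    return findings


if __name__ == "__main__":
    for f in find_half_days(NVD_SAMPLE):
        status = "HALF-DAY (fix public, no release)" if f.half_day else f"fixed in {f.released_in}"
        print(f"{f.cve_id} {f.repo} {f.fix_ref}: {status}")
```

CVEs with no GitHub reference at all (the third record) produce no finding; they need a different source of truth, which is exactly the gap the quote is pointing at. The half-day signal is only as good as the release metadata, so a production version should treat "not found in any release" as "needs a human look", not as proof that no fix shipped.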
Let's write something ourselves to allow us to see all the cameras: "The company maintains a custom-built platform/website that certain employees use to manage the camera system. It lets them manage the cameras, download noteworthy “incident” videos, and view the live feeds. It is a React-based platform that interacts with a server using APIs. The website is publicly accessible, but all functionality is locked behind a corporate login page."
"using a commercial handheld Geiger counter (GMC-320+) and its audio output as a generic input for any MCU. The (pulsed) audio signal is amplified with an opamp (left unspecified) that connects to a GPIO pin of the MCU (RP2040-based Pico W). Here the same algorithm is used to create a continuous queue of randomly picked numbers, which can also be queried via the WiFi interface with a custom protocol, essentially making it a network-connected RNG that could be used by other network-connected appliances."
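The quote refers to "the same algorithm" without stating it, so the block below is an added example of one common way to turn Geiger pulse timestamps into bits, not the project's own code: compare each pair of consecutive inter-pulse intervals (decay is memoryless, so either ordering is equally likely), drop ties, then run von Neumann debiasing as a second safety net. The pulse timestamps are constructed integers in microseconds; the `simulate_pulses` helper is a seeded stand-in for the real counter and exists only so the block runs offline.

```python
import random
from typing import List

# Constructed pulse timestamps in microseconds, standing in for GPIO edge times
# captured from the counter's audio output. Chosen so the example has a tie.
SAMPLE_PULSES_US = [0, 1300, 2000, 2400, 4900, 7000, 7600, 8500, 11000, 12000, 13000]


def simulate_pulses(n: int, rate_per_s: float, seed: int) -> List[int]:
    """Seeded stand-in for a detector: Poisson arrivals with exponential gaps."""
    rng = random.Random(seed)      # NOT a secure source; only drives the demo input
    t, out = 0, []
    for _ in range(n):
        t += int(rng.expovariate(rate_per_s) * 1_000_000)
        out.append(t)
    return out


def interval_bits(pulses_us: List[int]) -> List[int]:
    """One bit per pair of consecutive intervals: 1 if the first is longer, 0 if shorter.
    Equal intervals carry no information and are skipped."""
    gaps = [b - a for a, b in zip(pulses_us, pulses_us[1:])]
    bits = []
    for g1, g2 in zip(gaps[0::2], gaps[1::2]):
        if g1 > g2:
            bits.append(1)
        elif g1 < g2:
            bits.append(0)
    return bits


def von_neumann(bits: List[int]) -> List[int]:
    """Classic debiaser: (0,1) -> 0, (1,0) -> 1, (0,0) and (1,1) are discarded."""
    out = []
    for a, b in zip(bits[0::2], bits[1::2]):
        if a != b:
            out.append(a)
    return out


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack whole bytes, MSB first; leftover bits are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def ones_fraction(bits: List[int]) -> float:
    """Cheap monobit sanity check; a healthy stream sits near 0.5."""
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    raw = interval_bits(SAMPLE_PULSES_US)
    print("raw bits:", raw, "-> debiased:", von_neumann(raw))
    sim = interval_bits(simulate_pulses(20_000, rate_per_s=30.0, seed=1))
    clean = von_neumann(sim)
    print(f"simulated: {len(sim)} raw bits, {len(clean)} after debiasing, "
          f"ones fraction {ones_fraction(clean):.3f}, {len(bits_to_bytes(clean))} bytes")
```

The monobit fraction is a liveness check, not a certification; before feeding such a stream to anything that matters you would still run a proper statistical suite and, in practice, use it to seed a CSPRNG rather than hand raw bits to consumers.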
From Casey Ellis (@cje):
* threat actor = someone who wants to punch you in the face
* threat = the punch being thrown
* vulnerability = your inability to defend against the punch
* risk = the likelihood of getting punched in the face
Executive Director at RM-ISAO
Product Security Research and Analysis Director at Finite State
In the wake of Hamas’s attack on Israel, researchers and cybersecurity firms observed an uptick in operations by hacktivists and state-sponsored hacking groups. But more than one month into the conflict, researchers are increasingly concluding that cyberoperations linked to the war have been mostly opportunistic in nature and frequently exaggerated in terms of their impact.
DP World was able to contain the attacks to their Australian components. They handle roughly 10% of shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days.
The government of the state of Maine has disclosed that its MOVEit server was breached earlier this year: intruders had access to files on the server on May 28 and 29. The incident affects 1.3 million people; the compromised data include names, Social Security numbers (SSNs), dates of birth, driver's license/state ID numbers, taxpayer ID numbers, and some medical and health insurance information. As of the 2020 census, the population of Maine was 1.3 million.
Researchers at Huntress say that cyberthreat actors are gaining unauthorized access to US healthcare organizations through locally-hosted instances of the ScreenConnect remote access tool, used by Transaction Data Systems. Huntress has provided a list of observed tactics, techniques, and procedures used in the attacks.
CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks.
The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.
Fix: limit access to or disable J-Web, apply the software update
The Juniper CVEs are listed in CISA's KEV catalog with due dates of 11/17.
The government of the City of Huber Heights, Ohio, is recovering from a ransomware attack. The city notified residents of the situation on the morning of Sunday, November 12, noting that “while public safety services are not impacted the following city divisions are affected: Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development.”
Of note: Providing updates every day at 2PM, City Manager steps up as POC.
China's largest bank, ICBC, was hit by ransomware that resulted in disruption of financial services (FS) systems on Thursday Beijing time.
ICBC is the largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so.
The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story - but for a patch, the battle was lost.
The Intel OEM private key was leaked, causing an impact on the entire ecosystem. The reality is that Intel Boot Guard may not be effective on certain devices based on 11th-gen Tiger Lake, 12th-gen Alder Lake, and 13th-gen Raptor Lake. It affects many different device vendors, including Intel, Lenovo, Supermicro, and many others across the entire industry.
What a digital twin is doing is using your data inside a model that represents how your physiology and pathology is working. It is not making decisions about you based on a population that might be completely unrepresentative. It is genuinely personalised.
Civitai, an online marketplace for sharing AI models that enables the creation of nonconsensual sexual images of real people, has introduced a new feature that allows users to post “bounties.” These bounties allow users to ask the Civitai community to create AI models that generate images of specific styles, compositions, or specific real people, and reward the best AI model that does so.
They will make the proprietary algorithms they created for the TETRA radio protocol public.
This will mean independent researchers and government agencies that rely on the algorithms to protect their communications can examine them for security flaws.
A new AI model called EVEscape predicts how viruses mutate. To showcase EVEscape's potential, scientists provided it with the original genome sequence of SARS-CoV-2, and the AI correctly predicted nearly all the mutations that would come to dominate during the pandemic.
Project Green Light uses artificial intelligence to optimize and alter intersections in order to minimize vehicles’ stopping and starting. Google reported that at busy intersections in cities, pollution can be 29 times higher than it is on open roads, due to the environmental toll of cars stopping and starting again.
Drone swarms talk, collaborate and split up duties using human language, making it easier for operators to understand the machines’ behaviour. The technology has potential for use in security patrols, rescue operations and aerial logistics and transport.
Giskard is a French startup working on an open source testing framework for large language models. It can alert developers of risks of biases, security holes and a model’s ability to generate harmful or toxic content. Tests cover a wide range of issues, such as performance, hallucinations, misinformation, non-factual output, biases, data leakage, harmful content generation and prompt injections.
The AI system provides an accurate picture of risk to clinicians. This can alter, and potentially improve, the course of treatment for many heart patients. The technology could save thousands of lives while improving treatment for almost half of patients.
BitcoinJS, a popular package for the browser based generation of cryptocurrency wallets, used insufficiently random numbers, so the private keys can be guessed. Vulnerable wallets were created between 2011 and 2015.
Wallet Drainers are using Create2 to bypass security alerts in certain wallets. By exploiting Create2’s ability to pre-calculate contract addresses, the Drainers can generate new addresses for each malicious signature. These addresses pass the wallet's tests and are not flagged as malicious.
Many x86 processors have a flaw in the microcode which can be triggered by assembly language instructions with multiple prefixes. This can cause branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer. This may lead to privilege escalation, but that exploit has not been developed yet. There is a PoC tool used to demonstrate the flaw.
Some of the processors that have this feature include:
The new feature lets you upload files, but it also makes them vulnerable to exposure. An attacker would need to trick the ChatGPT user into entering a prompt containing a malicious third-party URL which can exfiltrate data from the files. This amounts to a high-level version of cross-site scripting.
Check if your Cryptocurrency Wallet is Vulnerable to Known Exploits. Submit your Public Key and our automated wallet checker will let you know if your wallet is vulnerable or becomes vulnerable in the future.
Inspired by my co-host, Jason Albuquerque, we get our hands dirty and discuss the challenges of cyber risk management. Why is cyber risk management so elusive and what can we do to solve it?
In part 1, we discuss the challenges of cyber risk management and quantification. Do risk scores really work? What do CEOs and Boards really need to unders...