ChatGPT Articles, What the Zimbra, Burp Plugins, & Vocal Passports – PSW #774

So. Many. Big. Words. "Our construction of undetectable backdoors also sheds light on the related issue of robustness to adversarial examples. In particular, by constructing undetectable backdoor for an “adversarially-robust” learning algorithm, we can produce a classifier that is indistinguishable from a robust classifier, but where every input has an adversarial example! In this way, the existence of undetectable backdoors represent a significant theoretical roadblock to certifying adversarial robustness." - I think this means you can trick ML into always recommending Bud Light to people who are looking for beer...

This is a pretty neat trick, can't wait to test it: "The Github tool created an AVI file with the malicious HLS playlist. To process the playlist, ffmpeg concatenates all segments and processes it as a single file. It then tries to show a screen capture of a TTY printing of this file. I then uploaded the malicious payload outt.avi file to the server. (An outt.avi file is the output file from the tool.) After the file was uploaded, all of the contents of /etc/passwd were retrieved from the server and rendered in the video."

A nicely done walkthrough of a vulnerability and exploit creation (not too advanced): "In this What the Vuln blog post, we dove into the Zimbra CVE-2022-27925/CVE-2022-37042 Zimbra Zip Path Traversal vulnerability and discovered how issues such as this one can be exploited from scratch, from target reconnaissance to an automated proof of concept exploit script. Additionally, these techniques can be applied to other kinds of vulnerabilities and can serve as a starting point for vulnerability discovery and exploit development."

This class (free) sounds amazing: "In the OST2 Arch4001: Intel Firmware Attack & Defense class, as we deep-dive into how an OS-resident attacker can attempt to rewrite the SPI flash chip where the UEFI BIOS lives, we stop our deep dive at the Intel Memory Mapped Input/Output (MMIO) interface. This is a special memory range containing registers, which if poked in just the right way, cause reads and writes to the SPI flash chip to "magically" happen. But wouldn't it be nice to see what's behind the magic?"

This sounds amazing: "It's a Burp Suite's extension to allow for recursive crawling and scanning of Single Page Applications. It runs a Chromium browser to scan the webpage for DOM-based XSS. It can also collect all the requests (XHR, fetch, websockets, etc) issued during the crawling allowing them to be forwarded to Burp's Proxy, Repeater and Intruder."

"I had used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers." - Oh God, make it stop. Someone, please outlaw banks from doing this. Please? It is 100% not secure, and those of us podcasters with thousands of hours of audio on the Internet greatly appreciate it, thanks.

"The current project provides a Burp Suite extension to allow users to include Semgrep results to extend the checks in use by the passive scanner. By visiting repositories that collect Semgrep rules, it is possible to verify the large number of rules related to the front-end environment written by the community, such as: https://github.com/returntocorp/semgrep-rules/tree/develop/javascript. By using this plugin, Burp Suite users can include the Semgrep rules YAML files and define the scope of the analysis"

Just when we catch ourselves saying "Software is harder to exploit today", then we look at firmware. This is one example and this https://www.malwarebytes.com/blog/news/2023/02/arris-vulnerability-found-in-commonly-used-router-could-result-in-complete-take-over is another example. In both cases, exploitation is super easy. Sigh. We can talk about how to fix this problem all we want, but then again we'd just be talking about it, again.

I think ChatGPT wrote this: "Meeting security requirements requires careful design and implementation of the firmware, including the use of secure communication protocols, encryption, and access control mechanisms. Developers must also consider the threat landscape, including the potential for cyber-attacks, and design the firmware to mitigate these threats."

Section 230 as I see it: Companies make hammers. Some people use hammers to build beautiful homes. Other people use hammers to hurt people. Don't sue the hammer company because bad people use it to hurt people.

This is a great post, very simple but effective hack: "If we can create a process using the token from this TrustedInstaller.exe, we might become TrustedInstaller, and then we can delete the Defender Directory."

This is a must read and covers Trusted Boot and the attack timeline very well. Also, there is this: "One of the best ways to make your device tamper-evident is very low-tech: (rainbow) glitter nail polish." Also, from Trammel: "Normal glitter polish works as well, although the features are smaller and have lower contrast than the Fuzzy Coat shown above. You can do your nails with it, too, and look fabulous while you're coding."

This is an older project, but came up this week (likely from the other article I referenced this week): "Heads is a configuration for laptops and servers that tries to bring more security to commodity hardware. Among its goals are: Use free software on the boot path, Move the root of trust into hardware (or at least the ROM bootblock), Measure and attest to the state of the firmware, Measure and verify all filesystems"

Neat trick: "The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests. This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution. In order to use this technique, an attacker needs to gain access to the Windows system running the IIS server by some other means. In this particular case, it is unclear how this access was achieved." Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis

We thought this might just be a hoax, but it's not. This article confirms (with some good evidence) that the BLacklotus bootkit being sold on the underground is real, and folks have found it in the wild. Turns out it uses Baton Drop (https://github.com/Wack0/CVE-2022-21894) to bypass Secure Boot (I was really hoping it would use Mickey and Jesse's research, but who knows, that could be an add-on for later). Basically the attackers introduce signed, but vulnerable, bootloaders that allow them to remove the Secure Boot policy and infect the system.

Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 breach managed to successfully access its email and document storage systems that are used by various News Corp businesses in February 2020, allowing them to ultimately access some employees' personally identifiable information and personal health information.

The CERT of Ukraine (CERT-UA) revealed that the Russia-linked UAC-0056 (DEV-0586, unc2589, Nodaria, Lorec53) advanced persistent threat group successfully breached multiple Ukrainian government websites.

The producers of fruit and vegetables Dole Food Company disclosed a ransomware attack that impacted its operations. The breach also prevented some stores in New Mexico and Texas from restocking Dole products for several days.

White House issued an order that gives all Federal agencies 30 days to remove the hugely popular social media app from all of their agency-managed devices. The White House had already ordered its staff to remove TikTok from their devices. House Republicans are expected to introduce a bill sometime today that – if passed – would provide the U.S. President with the authority to declare a national ban of TikTok.

The Danish parliament on Tuesday urged lawmakers and employees with the 179-member assembly against having TikTok on work phones as a cybersecurity measure, saying “there is a risk of espionage.”

LastPass DevOp engineer’s home computer hacked and implanted with keylogging malware as part of a sustained cyberattack.. The smoking gun is: “…the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity.”

Nearly 200,000 new mobile banking Trojans emerged in 2022 — a 100% increase from the year before and the biggest acceleration of mobile malware development seen in the last six years.

Microsoft is expanding the public preview of its automatic attack disruption capabilities to include business email compromise (BEC) and human-operated ransomware attacks.

Microsoft is moving from IOCs to AI for detection and response. For BEC detection, users are automatically suspended if you're using Microsoft Defender for Identity, and if using Defender for Endpoint, enrolled devices are not able to communicate with compromised devices. This service is in preview, and requires Defender pre-requisites, including Defender for Cloud Apps, and Defender for Identity.

Students say they are getting ‘screwed over’ for sticking to the rules. Professors say students are acting like ‘tyrants.’ Then came ChatGPT . . .

If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information.

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST in July 2022 for post-quantum cryptography has been broken. Researchers used recursive training AI combined with side channel attacks. Quantum computers are not the only threat to encryption. Rapidly improving artificial intelligence may be a significant and more imminent threat to both classical and post-quantum encryption algorithms.

The researcher is René Mayrhofer, a professor at Johannes Kepler University Linz and Director of Android Platform Security at Google. The video was "Cloning Credit Cards" (#research published in @usenix WOOT'13). Infosec educators should be warned that Youtube may cancel you at any time.

The Cisco AnyConnect client can be used to run code on a client, by tricking them into connecting to a malicious server. The server can send a VBS or BAT file to the client that runs on connect or disconnect. The defense against this is to limit the AnyConnect client to only connect to known good servers with AppLocker or firewalling.

The attackers target public-facing web apps running in containers to infiltrate cloud services and steal sensitive data. They deploy a cryptominer as a distraction, and then use advanced expertise in AWS cloud mechanics to burrow further into the company's cloud infrastructure.