Crappy Exploits, $8 Mil 0-Day, Mac Updates, & Anti-Cheat Is NOT Anti-Hack – PSW #754

The look on the attacker's faces when they realized LastPass does not store the master password and such....lol

More details can be found here: https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/

I think he is roommates with 2Pac.

One reason is drivers: "But those drivers may cause just enough problems that Apple doesn't want to deal with continuing to support those older Macs officially." This is important (to me anyhow): "A decade ago, it was definitely more common to consider a computer's performance and capabilities when defining system requirements, not driver or firmware security" and represents another reason why Apple, or other manufacturers, may decide not to support older hardware. As with drivers, they don't want to support older firmware updates. And, of course, everything is a big secret: "Right now, Apple is refusing to communicate anything about its software support timeline, and it's ending support for older Intel Macs years earlier than it was in the very recent past. Apple needs to fix at least one of these problems, lest owners of late-Intel-era Macs come away feeling burned." I will end with my cliche term: "Did I tell you that I use Linux as my daily driver?".

Neat: "This script analyses the Nmap XML scanning results, parses each CPE context and correlates to search CVE on NIST. You can use that to find public vulnerabilities in services."

"Keytap3 is a software developed by Georgi Gerganov that can detect what keys are being pressed simply by listening at a close range with a half-decent microphone, with Gerganov demonstrating this using a mobile phone's built-in microphone in an 'acoustic eavesdropping' test on their YouTube channel."

The Internet has grown to allow so many beautiful things, creative works to thrive, people to communicate across the world and so many other positive things. It has also allowed ShitExpress to set up a website where you can send your friends or enemies a box of literal shit (from animals). They also have a SQL injection vulnerability as they claim you should be anonymous if you send people poo (which is pretty shitty). Gives new meaning to "taking a shit." I suppose this is a legit example of giving a shit, and if you haven't used the site, I imagine you don't give a shit; maybe you should?

"The unnamed hackers are taking advantage of the fact that Genshin Impact’s anti-cheat system has known vulnerabilities, that it’s signed by a legitimate company—meaning Windows will run it—and because it has high privileges, meaning it has access to sensitive parts of the operating system." From Trend: "It is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode. Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the module cannot be erased once distributed." Also, back to issues with the signing process: " It seems that there is no compromise of the private key, so it is still not known if the certificate will be revoked. It remains valid, at least for now. "

"A new tantalizing features then become available when using fwupd, as we can now read and change firmware settings. One is the ability to emulate the BIOS settings of another machine, which is fairly uninteresting to end users, but allows us the developers to reproduce bugs much easier now that we’re doing cleverer things. One more interesting deployment feature is that we also support reading out a file from /etc and applying those firmware settings at startup. This means you can now deploy a machine using something like Ansible, and have the firmware settings set up in the same way you set up the local machine state. There are lots of docs on how this all works and I encourage you to try this out and let us know how it goes. One caveat is that this doesn’t work if you have a password set on your BIOS settings, but we’re working on this for the next version."

Interesting targeted Phish (https://blog.group-ib.com/0ktapus)

"Intellexa also promised the malware is delivered with just one click and uses the browser to inject the Android and iOS payload to mobile devices. The purchase price also includes data analysis, a "magazine" of 100 other infections, and even a full year's warranty. "

File this under "Neat" and "Projects that I think are cool but will probably not have time to build"

"Microsoft, in conjuncture with partners in the PC ecosystem, has developed a set of capabilities and new operating environment conditions for UEFI based systems. This environment will leverage common, architecturally defined mitigations to improve the device security and boot process. For software running in this environment there are new requirements that must be adhered to. " - I read this as "We didn't do a good enough job making sure software we sign was actually secure, but we signed it anyhow. Now there will be some better requirements before we sign stuff". Also, this is a positive thing.

Apple back ported webkit vulnerability CVE-2022-32893 to iOS 12.5 - install 12.5.6

MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, static Kitten) was previously targeting VMWare instances with Log4J flaws, has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. After you make sure that you’ve applied updates to SysAid, if you’re using it, make sure that you’re not overlooking other patches, such as VMWare, for fixes to flaws like Log4j. The attack reads like an exercise out of SANS SEC560 - the attackers are using Log4Shell flaws to get an initial footprint, then using PowerShell to drop web shells, then add a user, give it elevated privileges, and add attack tools to startup folders for persistence. From there, they are using Mimikatz for credential theft, RemCom for later movement, and send data to their C2 server using a custom version of the Ligolo tunnel/reverse proxy.

Lloyd’s of London “set out [its] requirements for state backed cyber-attack exclusions in standalone cyber-attack policies.” Lloyd’s syndicates will be required to exclude the attacks from insurance policies starting at the end of March 2023. Can you say look-alike? Accurate attribution is hard...

According to the FCC, 10 of the top 15 mobile carriers collect geolocation data but do not provide a means for customers to opt-out. Most of the carriers said that they do not allow customers to opt-out because of the need to comply with requests from law enforcement and because of FCC rules.

The FTC has filed a lawsuit against data broker Kochava for allegedly selling geolocation data that links users to health clinics, domestic violence shelters, recovery centers, and other sensitive locations. The FTC alleges that Kochava sells data collected from “hundreds of millions of mobile devices” paired with time-stamps and Mobile Advertising IDs.