Firmware VS. Hardware, Tamper Protection, Hacking Gamers, & Unfortunate Spillage – PSW #756
In the Security News: Bloodhound's blind spots, Interactable Giraffe, don't use open-source, it has too many vulnerabilities, MFA fatigue, tamper protection, use-after-freedom, how not to do software updates, hacking gamers, stealing Teslas, safer Linux, trojan putty, there's money in your account, game leak makes history, GPS jammers, Uber blames LAPSUS, spying on your monitor from a zoom call, next-generation IPS with AI and ML for zero day exploit detection, 3D printed meat, and what to do when the highway is covered with what is usually kept in the nightstand...
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
Do you have a specific guest or topic that you want us to cover on one of the shows? Submit your suggestions for guests by visiting https://securityweekly.com/guests and completing the form! We review suggestions monthly and will reach out to you once reviewed!
- 1. The Blind Spots of BloodHoundCurious how pen testers (and attackers) discover these gaps: "BloodHound focuses on Active Directory and these hypothetical edges are missing, because they represent real escalation paths exploited by real attackers", and the situations are: Same Password (shared accounts), Same Admin Password (admins using the same password), Guest Machine (control the hypervisor), Provides Updates To (Supply chain)
- 2. Developing a VFS that Emulates the Uroburos Rootkit – Praetorian"We are releasing an open source tool, INTRACTABLEGIRAFFE, which is my proof of concept implementation of the Uroburos VFS functionality along with a basic keylogger that writes intercepted keystrokes to the non-volatile/persistent VFS."
- 3. Open-source software usage slowing down for fear of vulnerabilities, exposures, or risks"40% of professional respondents indicated that their organizations scaled back their open-source software usage in the past year due to concerns around security. Additionally, 31% of professionals stated that “security vulnerabilities” were the biggest challenge in the open-source community today." (Full report: https://www.anaconda.com/state-of-data-science-report-2022)
- 4. 3D Printed Steak: Israeli company unveils lab-grown beef chunksThis is pretty amazing: "As opposed to being sourced from slaughtering livestock, the beef for these morsels is derived from "starter cells" or STEM cells of the animal that are left to grow in a petri dish or flash under human-made conditions."
- 5. MFA Fatigue: Hackers’ new favorite tactic in high-profile breachesThere has to be an easy solution to this problem, rate limit MFA requests? Reject the MFA request after so many in a certain time period? Block the sender of the MFA request if rate limit is exceeded?
- 6. Microsoft Defender for Endpoint will turn on tamper protection by default"The company added this feature to its enterprise endpoint security platform in March 2019 to block changes to key security features and prevent attackers or malicious tools from disabling the antimalware solution or deleting security updates. Once toggled on, it locks Microsoft Defender Antivirus to secure default values and will prevent any security settings changes. To do that, it blocks other apps from changing the settings for real-time and cloud-delivered protection, behavior monitoring, and Defender components like IOfficeAntivirus (IOAV) which handles the detection of suspicious files downloaded from the Internet." - But if an attacker is in the kernel, can these protections still be disabled? Does this just force an attacker to Ring 0?
- 7. Use-after-freedom: MiraclePtr"The BackupRefPtr algorithm is based on reference counting. It uses support of Chrome's own heap allocator, PartitionAlloc, which carves out a little extra space for a hidden reference count for each allocation. raw_ptr
increments or decrements the reference count when it’s constructed, destroyed or modified. When the application calls free/delete and the reference count is greater than 0, PartitionAlloc quarantines that memory region instead of immediately releasing it. The memory region is then only made available for reuse once the reference count reaches 0. Quarantined memory is poisoned to further reduce the likelihood that use-after-free accesses will result in exploitable conditions, and in hope that future accesses lead to an easy-to-debug crash, turning these security issues into less-dangerous ones."
- 8. Uber hack linked to hardcoded secrets spotted in powershell scriptThis is a tried and true technique: "The attacker claims they went on to locate a network share containing powershell scripts that included the username and password of a system administrator."
- 9. Quantifying ROI in Cybersecurity Spend"A good day in security is when nothing bad happens,” says Sounil Yu, CISO at JupiterOne. The problem for understanding ROI is why did nothing bad happen? Was it luck, and on that day, you were not attacked by an elite hacker? Was it because you maintain a thorough patching program? Was it because of one or more of your cybersecurity controls – but which one or ones were successful, and how much cost to the firm did they prevent? None of these is easy to explain or quantify if nothing bad happened." - We spent lots of money on Next-Generation security (cost), and we didn't get hacked (ROI), right?
- 10. Netgear Routers impacted by FunJSQ Game Acceleration Module flawSo much fail, and this is just one vulnerability: "insecure communications due to explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server update packages are simply validated via a hash checksum, packages are not signed in any way arbitrary extraction to the root path with elevated privileges, allowing whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)". This is how not to do software updates. Then there is a CMD injection in the auth token parameter. Original research: https://onekey.com/blog/security-advisory-netgear-routers-funjsq-vulnerabilities/
- 11. RedLine spreads through ads for cheats and cracks on YouTubeSo, hacker gamers YouTube accounts, post videos with cheats, provide a link to said cheats, which really just downloads malware to more people's machines. Interesting: "In addition to the payload itself, the discovered bundle is of note for its self-propagation functionality. Several files are responsible for this, which receive videos, and post them to the infected users’ YouTube channels along with the links to a password-protected archive with the bundle in the description. The videos advertise cheats and cracks and provide instructions on hacking popular games and software."
- 12. Teslas Hackers Have Found Another Unauthorized Access VulnerabilityNice research: "To successfully carry out the attack, IOActive reverse-engineered the NFC protocol Tesla uses between the NFC card and the vehicle, and we then created custom firmware modifications that allowed a Proxmark RDV4.0 device to relay NFC communications over Bluetooth/Wi -Fi using the Proxmark’s BlueShark module." Paper: https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf
- 13. NVIDIA Working To Make Linux Safer For Cars, Robots & Other Safety Critical Environments – Phoronix"NVIDIA's address space isolation approach is around asynchronous detection of unsafe events and to block the event before it happens. Their approach involves MMU-based memory coloring and is outlined in more detail via this PDF slide deck from the Open-Source Summit Europe 2022 event."
- 14. He got an unexplained $250,000 payment from Google. The company says it was a mistake"The money was available for Curry to spend, but he said he was simply holding onto it in case Google tried to get it back. He said if Google took too long to get back to him, he might have to move the cash into a separate account to avoid paying taxes on it."
- 15. Trojanized versions of PuTTY utility being used to spread backdoorWhat a scam: "UNC4034 initiated communication with the victim by offering them a job opportunity at Amazon via email. Subsequently, UNC4034 communicated with them over WhatsApp and shared the file amazon_assessment.iso, which the user downloaded using the web version of WhatsApp. The amazon_assessment.iso archive held two files: an executable and a text file. The text file named Readme.txt had connection details for use with the second file: PuTTY.exe." - I'll bring my own SSH software thank you very much.
- 16. Vulnerability allows access to credentials in Microsoft Teams"Turner said in Vectra’s interactions with customers, only those organizations with extreme exposure to sophisticated adversaries (defense contractors, critical infrastructure operators) are seriously considering eliminating the Teams.exe application on endpoints and forcing users to collaborate through Teams via a managed browser." - I am already removing teams from my Linux systems, in favor of the browser...
- 17. Zero-Day Exploit Detection Using Machine LearningThis is pretty cool, see you just need a Next Generation IPS with an AI/ML model to detect zero-day exploits: "Our model has learned more generalizable common patterns in command injection exploits while also being specific enough to avoid false positives. In our latest tests, we achieved a true positive rate of >99% and a false positive rate of <0.025%." - All kidding aside, they presented evidence that they've done this.
- 18. GTA 6 source code and videos leaked after Rockstar Games hackThis is one of the biggest game leaks in history. Also, this: "The hacker hasn’t shared details on how they gained access to the GTA 6 videos and source code other than claiming to have stolen them from Rockstar’s Slack and Confluence servers. The threat actor also claims to be the same hacker, named 'TeaPots,' behind the recent Uber cyberattack, but BleepingComputer could not confirm whether these claims are valid."
- 19. Lens reflections may betray your secrets in Zoom video calls"A variety of factors can affect the legibility of text reflected in a video conference participant's glasses. These include reflectance based on the meeting participant's skin color, environmental light intensity, screen brightness, the contrast of the text with the webpage or application background, and the characteristics of eyeglass lenses. Consequently, not every glasses-wearing person will necessarily provide adversaries with reflected screen sharing." So like don't be browsing porn: "When the goal was to identify just the specific website visible on the screen of a video meeting participant from an eyeglass reflection, the success rate rose to 94 percent among the Alexa top 100 websites."
- 20. Uber Blames LAPSUS$ Hacking Group for Recent Security Breach"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update. The financially-motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven individuals aged between 16 and 21 for their alleged connections to the group. Two of those juvenile defendants are facing fraud charges."
- 21. IT giants warn of ongoing Chromeloader malware campaigns"The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and added the extension to the browser." Original research: https://blogs.vmware.com/security/2022/09/the-evolution-of-the-chromeloader-malware.html
- 1. Update on HannahHannah's birthday is today! She's strong, growing her hair back, homeschooling (she's still immuno-compromised), and looking forward to living a normal life!
- 1. AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes
- 2. Google, Microsoft can get your passwords via web browser’s spellcheck
- 3. GPS jammers are being used to hijack trucks and down drones: How to stop them
- 4. Bill Demirkapi on Twitter
- 5. Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs
- 6. A hacker bought a voting machine on eBay. Michigan officials are now investigating
- 7. Pentagon halts deliveries of F-35 fighter jets after discovering a component manufactured in China
- 8. New wave of data-destroying ransomware attacks hits QNAP NAS devices
- 9. Hackers infiltrate second-largest US school district in growing trend
- 10. Yandex Taxi hack creates huge traffic jam in Moscow
- 11. Hackers create a traffic nightmare by sending hundreds of Moscow taxi cabs to the same address
- 12. Genshin Security Impact
- 13. Wrecked semi shoots load of dildos and lube all over I-40…