LANtennas, ESXi & Python, Twitch Leaks, Facebook BGP, & iPhone Is Always On – PSW #713

So much for air-gapped: "Dubbed "LANtenna Attack," the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables just as if they are antennas. The transmitted signals can then be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, the data decoded, and sent to an attacker who is in an adjacent room."

Zero-Trust fixes this? - "Significantly, the report found that data breach costs for companies with mature Zero Trust deployments were $1.7 million lower than costs for companies that had not deployed any Zero Trust solutions ($3.3 million vs. $5 million). These statistics, of course, do not – cannot — account for the greatest advantage of implementing Zero Trust security: the fact that organizations that have are much less likely to fall victim to a data breach in the first place."

Looks like setting certain values in the request simply bypasses authentication (https://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html).

"Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death,” the FDA noted." "Furthermore, the attacker should be close to the victim, and the victim should ignore the pump’s alerts indicating that a remote bolus is being delivered. " - Recalled a medical device due to vulnerabilities, I believe this is progress my friends.

"The actively exploited zero-day vulnerability is tracked as CVE-2021-41773 and it enables actors to map URLs to files outside the expected document root by launching a path traversal attack. Path traversal attacks involve sending requests to access backend or sensitive server directories that should be out of reach. Normally, these requests are blocked, but in this case, the filters are bypassed by using encoded characters (ASCII) for the URLs." - This could be useful for reading configuration files that contain credentials and/or API keys...

"The main purpose of these requests is likely not to compromise the device but to steal content or use the device remotely, for example, to find devices with subscriptions that can stream content from other countries? "

If you've ever developed a cool tool or exploit, then shared it with a friend, then find out they did something awful with it, that's how NSO should feel. "Hey, that exploit you gave me works great, I just hacked the pentagon!". Oh. Shit.

Python FTW: "“Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks.”"

What a great quote! Anyone know this guy? ""Seems like a state-sponsored wet dream," Adrian Sanabria, a cybersecurity expert and founder of Security Weekly Labs, told Motherboard in an online chat. "Can't imagine [Syniverse] being a target for anyone else at that scale." "

"The scariest part might be that the maybe the AOP and definitely NFC and Bluetooth LPM enable a new vector of hardware persistence. Broadcom Bluetooth firmware is not signed. Thus, an attacker with control over an iPhone can craft and install Bluetooth LPM malware. Since LPM is a hardware-based feature, there is no way to disable LPM on a potentially hacked device." - Great article.

"One forum user claimed to have had suspicions of REvil's tactics, and said their own plans to extort $7 million from a victim was abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money." - A great example of "There is no honor among thieves".

"The attackers would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. This tricks the iPhone into believing it’s connecting to a legitimate Express Transit option, and so, therefore, it doesn’t need to be unlocked. “If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this [to be] a transaction with a transport EMV reader,” the team explained."

CISA has produced/released a free self-assessment tool that can be used to gauge a company/agency’s risk posture by answering a series of questions. CISA especially recommends their tool be used by small to medium-sized businesses to identify cybersecurity shortcomings that could devastate their company should a disgruntled employee go rogue.

The Deputy Director stated that the DOJ is ready to sue government contractors and any U.S. company who receives U.S. government grant money if they fail to notify the U.S. government of their computer network being breached. They will also be sued if they misrepresent their company’s cybersecurity processes. The DOJ will leverage the “False Claims Act” for their lawsuits.

The Transportation Security Administration will introduce regulations that compel most U.S. railroad and airport industries to do three things: (1) improve their cybersecurity processes; (2) identify a chief cyber official and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident.

Telecommunications provider Syniverse, which routes text messages for hundreds of telecom customers, has disclosed it was the target of a five-year data breach that has been ongoing since May 2016 and resulted in the exposure of personally identifiable information (PII) belonging to more than 200 Electronic Data Transfer (EDT) customers.

Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security’s cyber wing on Tuesday published guidelines for securing VPNs. The Guidance: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF

An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. According to Sophos researchers, attackers gained access to the targeted network by first logging into a TeamViewer account running on a device on which a domain admin was already logged in, and then leveraged the Advanced IP Scanner to scan the network and identify other potential targets. After identifying potential targets, attackers then used the "Bitvis" SSH client to log onto an ESXi server.

Coinbase experienced a breach in the spring of 2021. Nearly six months later, now their customers are being targeted with phishing emails that contain fake embedded URLs to inform the customer that their cryptocurrency account had been locked out and required immediate action. To date, nearly 6000 customers have lost money to this phishing scam, which leveraged flaws in the password recovery, when using SMS, which didn't fully authenticate the request.

Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the "entirety of Twitch.tv." Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details. It doesn't appear that information like user passwords, addresses and banking information were revealed, but that can't be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can't log into your account if your password has been stolen.

FB Engineering's report on what happened. In layperson's terms. BGB/DNS/Physical Access fails - oh my! During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command. Our primary and out-of-band network access was down, so we sent engineers onsite to the data centers to have them debug the issue and restart the systems. But this took time, because these facilities are designed with high levels of physical and system security in mind. They’re hard to get into, and once you’re inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them.