Lots of Star Wars, David Walden, Vulnerable Contractors, & Pirate Streaming – PSW #739

Lots of speculation here: "One customer said they'd invited the Salesforce incident handler to provide a "statement that confirms whether or not config variables and secrets were accessed, or that you're not sure." According to the post, they received the reply: "We currently have no evidence that Heroku customers' secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.""

Interesting (https://github.com/dievus/lnkbomb) - "Lnkbomb is used for uploading malicious shortcut files to insecure file shares. The vulnerability exists due to Windows looking for an icon file to associate with the shortcut file. This icon file can be directed to a penetration tester's machine running Responder or smbserver to gather NTLMv1 or NTLMv2 hashes (depending on configuration of the victim host machine)."

Looking forward to this one: "That's why I'm really excited to go in depth and take these lessons to the next level with my next book, Threats: What Every Engineer Should Learn from Star Wars, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!"

"The Spanish government has said the mobile phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, were both infected last year with the Pegasus spyware that its manufacturers claim is available only to state agencies."

"The new PyScript project lets you embed Python programs directly in HTML pages and execute them within the browser without any server-based requirements." - This is really cool, we'll see if it catches on though and what the security fallout may be.

This is neat, I have to read up on it: "More recently, Spanish researcher arget13 shared DDexec, their take on code injection, via the commonly available Linux LOLBin (installed by default as part of GNU coreutils) dd" Then they use /dev/shm to create an in-memory filesystem, so the attack works like this: "Deployed our Redis exploit, Written our script and shellcode to two temporary files, Used bash to execute our script, giving the shellcode as input, Evaded multiple defenses and detections (MITRE T1211) – the process listing (ps) and the read-only filesystem" - Neat!

Not much in the way of details, however, it looks like there is a captive portal breakdown and a VLAN breakout that is possible using the five vulnerabilities disclosed by Armis being dubbed TLStorm 2.0.

"The vulnerability in uClibc and uClibc-ng is the result of having a predictable transaction ID assigned to each DNS lookup and their static use of source port 53, effectively defeating source port randomization protections." Well yeah: "This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution. Because this vulnerability remains unpatched, for the safety of the community we cannot disclose the specific devices we tested on. We can, however, disclose that they were a range of well-known IoT devices running the latest firmware versions with a high chance of them being deployed throughout all critical infrastructure." - And basically an uninitialized variable, leading to the transaction ID always being incremented by 1.

Like how? Talk about a game of Whack-A-Mole. More info here: https://torrentfreak.com/us-court-orders-every-isp-in-the-united-states-to-block-illegal-streaming-sites-220502/

"While the investigation continues, the college says all classes will be canceled until the school can safely reopen, hopefully later this week. In addition to canceling classes, the school says that all students, faculty and staff will be forced to reset their passwords." The statement reads: “We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” - Except classes are currently cancelled and everyone has to reset their password.

Did they expect to find less vulnerabilities? "“[The program] has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks,” Melissa Vice, interim director of the vulnerability disclosure program, said in a statement. Vice added that the pilot was intended to identify whether similar critical and high-severity vulnerabilities existed for small-to-medium-cleared and non-cleared defense-industrial base companies with potential risks for critical infrastructure and the U.S. supply chain."

"The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools,"

https://flip.it/K6aPNn