PetitPotam Attack, History of RickRolling, & Foxit PDF Vulns – PSW #704

Adrian dropped this story in our SW chat, really amazing work. Should we still even bother to encrypt our hard drives then?

Sometimes web app hacking is pretty straight forward: "What I had found was a very well known access control vulnerability known as IDOR (Insecure Direct Object Reference). To exploit this IDOR vulnerability, all an attacker needs to identify is how the order numbers are generated, which in this case was incrementally, and that no authentication is required. This exploit example is about as straight forward as web hacking gets, but even if an exploit is simple, it can still be highly impactful." The issue was resolved with a token.

"Safe Links is a feature in Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) that provides URL scanning and "time-of-click verification" of URLs and links in email messages, groups, and other locations." - Is this something that you should just enable as added protection? What are the limitations or potential operational risks?

Sometimes web app hacking is even more simple, like just using the mobile app: "However, Santana’s son discovered that Newegg’s mobile app can let you buy the hot item GPUs from the custom PC builder service individually. Go to PC builder > Build your PC > Video Cards section. You’ll see various RTX 3000 GPUs listed as out of stock. But in some cases, if you add the product to your cart, the app will do so, and let you purchase it. "

Really cool list, and even more fun to dig into the individual CWEs, then scroll down to references. They've done a great job of collecting some of the definitive works that describe each type of vulnerability. For anyone starting out in infosec, this is required reading. Examples: Aleph One. "Smashing The Stack For Fun And Profit". 1996-11-08. (http://phrack.org/issues/49/14.html), Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security", David Litchfield, Chris Anley, John Heasman and Bill Grindlay. "The Database Hacker's Handbook: Defending Database Servers". Wiley. 2005-07-14, Katrina Tsipenyuk, Brian Chess and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools Techniques and Metrics. NIST. 2005-11-07. (https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf).

Whoops: "Turns out the password was "Booth.03" after the number of the commentator's booth."

Moral of the story: don't leave SETUID files laying around owned by root. (find directory -user root -perm -4000 -exec ls -ldb {} ; >/tmp/filename)

Interesting, should we be using automated fuzzing more? "Fuzzing provides a proactive approach to security testing. It is the negative or non-functional testing. It shows whether or not an application can withstand unexpected situations, and it helps uncover zero days. One way to think about (and justify) Advanced Fuzz Testing is that it is penetration testing in a machine. Like pen testing, Advanced Fuzz Testing thinks box. However, there are benefits to Advanced Fuzz Testing not found with pen testing. Unlike pen testing, Advanced Fuzz Testing is continuous, not just a point in time. It can be done at human) speed. It can be performed at machine scale, and with machine accuracy. This coverage than what a human is capable of doing."

This is a really interesting statement from the POTUS: "We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack." Article 5 of the North Atlantic Treaty is: "Article 5 provides that if a NATO Ally is the victim of an armed attack, each and every other member of the Alliance will consider this act of violence as an armed attack against all members and will take the actions it deems necessary to assist the Ally attacked."

Do we just patch what is being exploited? "Based on available data to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. "

"According to researchers, the group members posed as diet and aerobics instructors on Facebook to inject malware into the devices used by an aerospace defense contractor’s employees."

So PunkSpider is like Shodan, but collects vulnerabilities in websites. Two opposing views, on one hand "Making them public might be the thing that pushes administrators to fix [these vulnerabilities]." but on the other hand: "t is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves." - Thoughts?

So once your data is in the cloud its totally safe? "The shift to cloud computing and hardened client-side computing is not just well underway. It’s nearly complete. Until we come up with a better solution, our defense against ransomware is in the clouds. When we work in the cloud, the data is encrypted up there and down here, the client software is easy to replace, and the hardware could be anything with a screen and a keyboard. And I think I can give up root for that." - Look, I'm not ready to give up root. But, that's not really the point. The attackers will go after the data, whether its in the cloud or not. Let's say, as this article proposes, that your data is stored in the cloud. Defending against ransomware attacks now means you have to secure the data in the cloud. The question for attackers is how do they steal, delete, erase and/or encrypt all of your data in the cloud? Certainly possible, we'll probably call it ransomware 2.0 or some crap like that.

Replicating A Rolljam Wireless Vehicle Entry Attack with a Yardstick One and RTL-SDR

Gaming-centric messaging platform Discord has become a favorite tool among cybercriminals, research suggests. A new report from security company Sophos says it uncovered 17,000 unique malware URLs in Discord's content delivery network (CDN), nearly 5,000 of which are still active.

Three vulnerabilities (CVE-2021-35522, CVE-2021-35520, CVSS 6.2, and CVE-2021-35521) affecting biometric access control devices manufactured by IDEMIA that could be exploited by attackers to remotely execute arbitrary code, cause a DoS condition, or read/write arbitrary files on compromised devices. According to researchers from Positive Technologies.

PowerShell based crypto-mining malware has continued to refine and improve upon its techniques to strike both Windows and Linux operating systems by exploiting older vulnerabilities while concurrently using various spreading mechanisms to maximize their campaigns' efficacy.

A threat actor has reportedly posted and offered up for sale a "secret" database belonging to social audio app "Clubhouse" containing some 3.8 billion phone numbers belonging to Clubhouse users, including more than 83 billion numbers belonging to Japanese users. Information compromised in the breach is said to include victims' user IDs, full names, usernames, Twitter handles, Instagram handles, number of followers, number of people followed by the users, accounts' creation dates, and invited by user profile names, but no financial data.

The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report.

DOJ has announced the arrest of 22-year-old U.K. national Joseph O’Connor for his role in the 2020 Twitter hack. The criminal complaint alleges that O'Connor was also involved in taking over Snapchat and TikTok accounts.

ANSSI, French National Agency for the Security of Information Systems has revealed it is now dealing with a "massive" hacking campaign being conducted by the China-linked advanced persistent threat (APT) group APT31.

A research group’s analysis determined that the time required for a vendor to learn of, and then release a security update to close a vulnerability has risen from an average of 197 days to 246 days. Further, the group found that within the Utilities sector that more than 65% of their software applications contained at least one serious exploit – the worst statistic across all measured categories.

San Francisco’s 9th Circuit recently ruled that Border Patrol agents positioned at some U.S. checkpoints located across states that they officiate over will, by and large, require a search warrant to access a traveler’s laptop computer or cell phone without the travelers consent. Agents may only search the electronic devices for digital contraband (e.g. child pornography).

Possible former DarkSide affiliate now associated with DarkMatter. While REvil sites were takend down in July, it's not clear that Sodinokibi operations have ceased.