Pig Butchering, Dell Driver FTW, Deep Access, & PHP Supply Chain Attacks – PSW #758

This did not seem all that stealthy: "In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files"

"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way."

"Specifically, we apply fluid dynamics to estimate the arrangement of the human vocal tract during speech generation and show that deepfakes often model impossible or highly-unlikely anatomical arrangements." - That is, until a computer can replicate that...

Backup memory drives up the cost of the device though, which is why I believe there are so many devices floating around that will never get updates: "A common problem here is interruptions. Simple devices that lack memory size have to rewrite the firmware as soon as they receive the data. If anything interrupts the process, the firmware will be corrupted: for example, if the power shuts off before the installation is complete. In the worst case scenario, the device will brick, and nothing can fix it. If the device has a bootloader, the firmware can be reinstalled. Nevertheless, when you deal with OTA updates, interruptions can be frequent. The problem is commonly fixed with backup memory. When our team worked on a smart home project, it was clear that the device will be updated over the air. Bricking or malfunctioning because of interruptions were not acceptable. Therefore, the team provided the system with backup memory. In this case, the update file is downloaded to the backup memory first. It can be either a file system or a flash memory area. After that, the device runs a data integrity check to make sure no byte was lost or changed during transmission. Only after that, the update is installed. "

Basically, an attacker can execute code in SMM outside of SMRAM: "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI." From Binarly: "the handler will try to locate protocol 74d936fa-d8bd-4633-b64d-6424bdd23d24 using the EFI_BOOT_SERVICES which is located outside of SMRAM, hence this call could be hijacked by a possible attacker."

"By default, VMware ESXi is configured to accept only the installation of VIBs that are VMWareCertified, VmwareAccepted, or PartnerSupported. At these levels of acceptance, the bundles need to be digitally signed by either VMware or a partner whose signature VMware trusts. However, there is a fourth level of acceptance called CommunitySupported and VIBs in this category do not need to be digitally signed." Secure Boot to the rescue! "When Secure Boot is enabled the use of the ‘CommunitySupported’ acceptance level will be blocked, preventing attackers from installing unsigned and improperly signed VIBs (even with the --force parameter as noted in the report),"

Yep, we can talk about this now :)

An automated pen test vs a crappy pen test, who wins?

We demonstrated how we discovered an argument injection in the backend services of the PHP package manager Composer and could successfully exploit it to compromise any PHP software dependency.

From Dan Goodin at Ars Technica Bribes are $2k - $5k, delivered secretly The marketer claims to have 10-40 writers taking bribes now, publishing on Techcrunch, Forbes and others

CISA has ordered federal civilian agencies to scan for and report software vulnerabilities in their IT systems more frequently. They must scan their entire IPv4 space for vulnerabilities every 14 days and update vulnerability detection signatures within 24 hours of availability. This must be working by April 3, 2023.

Small office routers? FreeBSD machines? Enterprise servers? Chaos infects them all.