Re-Routing Traffic, Pseudo Keyloggers, TLS Inside, LockBit, Cobalt Strike & Defender – PSW #750

Not cyber criminals: "Deleting the filter caused all possible routes to the internet to pass through the routers, resulting in several of the devices exceeding their memory and processing capacities. This caused the core network to shut down." - I've been there, "we must be under a DDoS attack!", then later, "Oh no, thanks Paul for the hours you spent trying to find a breach, someone made a mistake updating a routing table". Doh.

"A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts."

nala sounds neat, I am skeptical, but apt is not the greatest for so many reasons.

"However, if the traffic was rerouted on purpose, the ordeal would point to Russia carrying out a Border Gateway Protocol (BGP) hijacking." - Huh, perhaps just a mistake? But then I read this part: "While the nature of the accident is unclear, this wouldn’t be the first time Rostelecom had performed a BGP hijacking attack. In April 2020, over 200 content delivery networks were redirected through Rostelecom."

Neat keystroke logger

Nicely done research that shows how 3 different XSS bugs can lead to code execution through other areas of the application (e.g. file upload functionality, SQL queries run through the admin interface, etc...). This makes it difficult to set the priority for an XSS bug, you have to explore each one to understand the impact. Everyone does that right?

"To bypass macros blocking, attackers are increasingly using file formats such as ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents, researchers said. This is because that though the files themselves will have the MOTW attribute, the document inside, such as a macro-enabled spreadsheet, will not, researchers noted. “When the document is extracted, the user will still have to enable macros for the malicious code to automatically execute, but the file system will not identify the document as coming from the web,” they wrote in the post. Additionally, threat actors can use container files to distribute payloads directly by adding additional content such as LNKs, DLLs, or executable (.exe) files that can be used to execute a malicious payload, researchers said."

Interesting how they were only targeting Discord tokens...

"Note that many popular applications and programming toolkits either include or may be built to make use of GnuTLS, even though you may not be aware of it, including but by no means limited to: FFmpeg, GnuPG, Mplayer, QEMU, Rdesktop, Samba, Wget, Wireshark and Zlib. Many Linux or *BSD packages that use GnuTLS will rely on a central version managed by your distro itself, so be sure to update as soon as your distro has this version available."

Things are not looking good for SIKE: "NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms." and "SIKE—short for Supersingular Isogeny Key Encapsulation—is now likely out of the running thanks to research that was published over the weekend by researchers from the Computer Security and Industrial Cryptography group at KU Leuven. The paper, titled An Efficient Key Recovery Attack on SIDH (Preliminary Version), described a technique that uses complex mathematics and a single traditional PC to recover the encryption keys protecting the SIKE-protected transactions." - Remember SIKE was attacked using Hertzbleed...

"In this post, we follow up on that incident by describing the use of another legitimate tool used to similar effect by a LockBit operator or affiliate, only this time the tool in question turns out to belong to a security tool: Windows Defender. During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads." (Ref: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/)

I use it every time someone comes to my desk now...

"VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate" - I love authentication bypass, it opens so many possibilities.

"One of the most satisfying aspects has been seeing how our research and collaboration with industry-leading OS vendors, chipset manufacturers, and OEMs have helped to improve the overall state of firmware security."