Rorschach, QNAP, We Got Hacked, SystemD, UTF-8, & Grub2 Music – PSW #779
In the Security News: Rorschach, QNAP and sudo, why bother signing things, why bother having a password, why bother updating firmware, smart screenshotting, TP-Link oh my, music with Grub2, byte arrays and UTF-8, what is my wifi password, Debian and systemd, opening garage doors, downgrade your firmware to be more secure, exploit databases, this is like a movie, unsolved CTFs, and Near-Ultrasound Inaudible Trojans! All that and more on this episode of Paul’s Security Weekly
Join us at an upcoming Official Cyber Security Summit in a city near you! This series of one-day, invitation-only, executive-level conferences is designed to educate senior cyber professionals on the latest threat landscape.
We are pleased to offer our listeners $100 off admission when you use code SecWeek23 to register.
Visit securityweekly.com/cybersecuritysummit to learn more and register today!
- 1. A Compact Camera Running Linux? What’s Not To Like!
Really neat camera hacking with Linux, nerdy firmware stuff.
- 2. Open garage doors anywhere in the world by exploiting this “smart” device
Yes, we can open garage doors; there are several different methods. Don't lose sight of the fact that it's not just garage doors: in this case the vulnerabilities allow attackers to control the entire system, which can incorporate a home security system, which could be disarmed.
- 3. Delving Into Home Assistant — Mark Loveless
"Debian" and "systemd" in the same sentence leads to "bad things". Great post!
- 4. Hey Siri, use this NUIT attack to disarm a smart-home system
"Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices." And this: "The attacks work by modulating voice commands into near-ultrasound inaudible signals so that humans can't hear them but the voice assistant will still respond to them."
- 5. Screenshotting: Can You See What I See?
I love this so much: "In a 2011 blog post Neal Krawetz provided a detailed explanation of some of the numerous variations on perceptual hashing, but they mostly look the same if you squint:
- Downsize the input image to a fixed size, ignoring aspect ratio (maybe 64×64)
- Convert the image to grayscale
- Convert the image pixel data into frequency domain, by using a discrete cosine or wavelet transform
- Apply a low-pass filter, throwing out high frequencies
- Summarize remaining values with respect to some property of the remaining values, like median value, to produce a fixed-size bitstring
These algorithms work surprisingly well on web page screenshots. By incorporating an off-the-shelf perceptual hash algorithm as part of Chariot’s external Attack Surface Management, we have seen around a 75x reduction in the number of images a Red Team needs to review. That’s a huge reduction!"
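As an added example (not code from the post quoted above or from Krawetz), here is a pure-Python perceptual hash that carries those five steps through literally, with a hand-rolled DCT so it runs without Pillow or NumPy. The input is a constructed synthetic scene rather than a real screenshot, and the `render` helper and its pattern are my own assumptions; the example shows why the hash is unchanged by rescaling, aspect-ratio changes and brightness shifts, and why a photographic negative flips almost every bit.

```python
import math

def to_gray(img):
    """Step 2: RGB rows of (r, g, b) tuples -> luma floats (Rec. 601 weights)."""
    return [[0.299 * r + 0.587 * g + 0.114 * b for (r, g, b) in row] for row in img]

def resize_nearest(gray, size):
    """Step 1: nearest-neighbour downsize to size x size; aspect ratio is ignored."""
    h, w = len(gray), len(gray[0])
    return [[gray[y * h // size][x * w // size] for x in range(size)] for y in range(size)]

def dct1(vec):
    """Unnormalised 1-D DCT-II; the scale factor does not change which bits are set."""
    n = len(vec)
    return [sum(vec[x] * math.cos((2 * x + 1) * u * math.pi / (2 * n)) for x in range(n))
            for u in range(n)]

def dct2(block):
    """Step 3: separable 2-D DCT; result[u][v] = horizontal frequency u, vertical v."""
    n = len(block)
    rows = [dct1(r) for r in block]  # transform each row ...
    return [dct1([rows[y][u] for y in range(n)]) for u in range(n)]  # ... then each column

def phash(img, size=32, keep=8):
    """63-bit perceptual hash following the five steps quoted above."""
    coeffs = dct2(resize_nearest(to_gray(img), size))
    # Step 4: low-pass filter, keep only the top-left keep x keep coefficients
    low = [coeffs[u][v] for u in range(keep) for v in range(keep)]
    ac = low[1:]  # drop the DC term, which only encodes overall brightness
    # Step 5: threshold each coefficient against the median -> fixed-size bitstring
    median = sorted(ac)[len(ac) // 2]
    return int("".join("1" if c > median else "0" for c in ac), 2)

def hamming(h1, h2):
    """Number of differing bits; a small distance means perceptually similar images."""
    return bin(h1 ^ h2).count("1")

def render(w, h, brightness=0, negative=False):
    """Constructed test image (not a real screenshot): one smooth scene drawn at w x h."""
    img = []
    for y in range(h):
        row = []
        for x in range(w):
            u, v = x / w, y / h
            val = (120 + 60 * math.sin(2 * math.pi * 2.3 * u)
                   + 40 * math.cos(2 * math.pi * 1.6 * v)
                   + 20 * math.sin(2 * math.pi * (1.7 * u + 2.9 * v)))
            g = int(val) + brightness
            g = 255 - g if negative else g
            row.append((g, g, g))
        img.append(row)
    return img

if __name__ == "__main__":
    base = phash(render(64, 64))
    for label, img in [("same scene at 128x96", render(128, 96)),
                       ("brighter by 15", render(64, 64, brightness=15)),
                       ("negative", render(64, 64, negative=True))]:
        print(f"{label}: hamming distance {hamming(base, phash(img))}")
```

In triage you would bucket screenshots whose hashes lie within a small Hamming distance of each other and review one representative per bucket, which is where the reduction described above comes from.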
- 6. TP-Link TL-WR902AC firmware 210730 (V3) Remote Code Execution (RCE) (Authenticated) – CXSecurity.com
I love how they unpack the firmware, copy netcat to the rootfs, then repack the firmware and upload it. Signature checking code needs more checking in this case. CVE reference for the vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2022-48194
- 7. Critical vulnerability CVE-2023-1707 in HP printer firmware, no patch available
Why bother updating firmware? "HP recommends immediately reverting to an earlier version of the firmware (FutureSmart version 188.8.131.52) and downgrading devices to that firmware version."
- 8. StarkeBlog – Grubcore – Music with Grub2
"I decided to use an emulated version of Grub2 in order to effectively capture the audio out without having to use a microphone. This blog post will describe how I went about setting up the Grub2 virtual instance and how I then generated some appropriately formatted numbers to achieve a semi-musical expression." - Also, great post to learn about emulation with Qemu.
- 9. WebSockets are a Pain – A Journey in Learning and Leveraging
- 10. Beware of Java’s String.getBytes
Really interesting how we get here (byte arrays and UTF-8): "In this specific case, what we end up with is a hash collision vulnerability."
- 11. Dragon863 – “Alexa, what is my wifi password?”
Keep in mind the author is only 14: "As for booting modified software, it is difficult but not impossible. Unfortunately, I bricked my echo by carelessly flashing the wrong file, but not before finding some useful information. All mediatek devices use something called a preloader. It is essentially a loader for the bootloader, a very low level piece of software that runs on the cpu each boot. If anybody successfully patches the preloader to bypass checks of the mediatek 'little kernel' (lk) and 'unlock_code', we can write zeros to the start of the preloader and boot from the patched version. However, this would mean using a computer every time you boot your echo. As the device runs fireOS, the command fastboot oem flags fos_flags:0x80 should work to disable dm-verity, which is used to verify the integrity of android images and allow us to run unsigned code. This would be very serious as it would allow devices to be modified to send data to an attacker instead of amazon." - Great hardware/firmware hacking here.
- 12. Multiple vulnerabilities in Aten PE8108 power distribution unit
Why bother having a password? "This vulnerability allows an attacker to read configuration, including passwords for SNMP and Telnet, without authentication. These credentials can be abused in further attack steps, for example for switching off infrastructure that is powered by the PDU."
- 13. A Comparison of Exploit-DB and 0day.today – Blog – VulnCheck
In short, use both: "Reports of Exploit-DB’s death were greatly exaggerated. After publishing almost no exploits for four months, Exploit-DB is alive and publishing new exploits with a vengeance. As collectors of exploits, we missed Exploit-DB (EDB) and we’re glad it's back. But while EDB was on hiatus, we found that 0day.today was a reliable stand-in. Now with both projects alive and kicking, we wanted to get a better understanding of these exploit databases, and how they differ." - Also, 0day.today has some methods to purchase exploits that I have not (yet) explored.
- 14. TP-Link AX1800 Firmware Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
Based on the description you could pretty easily find the vulnerability and exploit it: "The specific flaw exists within the parsing of firmware images. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer."
- 15. PHP filter chains: file read from error-based oracle
This is a very detailed and technical read, but I found it interesting that no one solved it in the CTF: "No one solved this challenge before the end of the CTF, after which its solution was published along the others. Hash_kitten basically explained that the file could be leaked via an error-based oracle. This blogpost details the several filter chain tricks involved in this attack, as well as some optimization from the original writeup."
- 16. ‘This is like a movie’: Ukraine’s secret plan to convince 3 Russian pilots to defect with their planes
They came close, but no cigar. Almost turned 3 Russian pilots.
- 17. 10-year-old Windows bug with ‘opt-in’ fix exploited in 3CX attack
Why bother signing things? "When a signed executable is modified, Windows will display a message stating that the "digital signature of the object did not verify." However, even though we know that the d3dcompiler_47.dll DLL was modified, it still showed as signed in Windows. After contacting Will Dormann, a senior vulnerability analyst at ANALYGENCE, about this behavior and sharing the DLL, we were told that the DLL is exploiting the CVE-2013-3900 flaw, a "WinVerifyTrust Signature Validation Vulnerability.""
- 1. New Rorschach ransomware is the fastest encryptor seen so far
Researchers from Check Point say they discovered what they suspect is a new ransomware strain dubbed "Rorschach" with improved encryption speed, which the researchers assert makes it the fastest ransomware threat in existence today.
Rorschach ransomware only encrypts a portion of the file, which could largely account for the malware's alleged fast encryption speed.
- 2. WD says law enforcement probing breach of internal systems
After detecting an intruder, Western Digital took several of its services offline. From the My Cloud status page (https://status.mycloud.com/os4): "Western Digital is currently experiencing a service outage impacting the following products: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, SanDisk Ixpand Wireless Charger."
- 3. Spyware vendors use exploit chains to take advantage of patch delays in mobile ecosystem
Google Threat Analysis Group researchers detailed several campaigns that used zero-day exploits alongside n-day exploits as part of Android and iOS exploit chains and “took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices.”
- 4. ‘I’ve never seen anything like this:’ One of China’s most popular apps has the ability to spy on its users, say experts
China's "Pinduoduo" shopping app, which is used by more than 750 million users each month, can bypass users' cell phone security in order to monitor other apps' activity, check notifications, read private messages, and alter device settings. They are leveraging weaknesses/flaws in Android to access this information.
- 5. QNAP fixed Sudo privilege escalation bug in NAS devices
QNAP warns customers to update their network-attached storage (NAS) devices to address a high-severity Sudo privilege escalation vulnerability tracked as CVE-2023-22809.
The company states that the vulnerability affects QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) QNAP operating systems.
- 6. Bitcoin ATM maker to refund customers impacted by zero-day hack
Bitcoin ATM manufacturer General Bytes says it is reimbursing its cloud-hosted customers that lost funds in a “security incident” in March that saw its customers’ hot wallets accessed.
- 7. InfoSec Handlers Diary Blog – SANS Internet Storm Center
For at least the last two weeks, the website of efile.com, an IRS-authorized e-filing provider, has been serving malicious fake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from their site.
- 8. Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
Researchers from Proofpoint say that hackers are exploiting a known vulnerability in Zimbra Collaboration servers to steal email messages from diplomats, governments, and military organizations associated with the North Atlantic Treaty Organization (NATO). Zimbra released a patch for the cross-site scripting vulnerability (CVE-2022-27926) a year ago.
- 9. 3CX decided supply chain attack indicator was false positive
3CX began seeing reports that its app was being flagged as malicious seven days before acknowledging it was the victim of a supply chain attack. 3CX CEO Nick Galea said that they tested the app on VirusTotal after learning of the warnings and decided that they were false positives. Galea noted that they “only realize[d] the extent of the breach after Crowdstrike gave us full details.” The attack was detected by both SentinelOne and Crowdstrike.
Maybe consider human reported issues as more authoritative than VT?
- 10. High severity vulnerability fixed in WordPress Elementor Pro plugin.
Elementor Pro has released a patch to address a broken access control vulnerability in the WordPress plugin.
This issue impacts Elementor Pro when used with the WooCommerce plugin, through a flaw in their AJAX handler. The vulnerability can be exploited to create a new administrator account. The issue was reported to the authors on March 18th and an updated version (3.11.7) was released March 22nd.
- 11. Microsoft OneNote Starts Blocking Dangerous File Extensions
Microsoft OneNote will automatically block certain file extensions that are often used to spread malware. Before the update, OneNote users attempting to open a file with a suspicious attachment would see a message warning of a potential security risk; after the update, OneNote will not open the suspicious file at all. The update will begin rolling out this month and should be ubiquitous by January 2024.
These file types will also be blocked in Excel, Word, PowerPoint and Outlook. This expands on the default blocking of macros from files with "the mark of the web" as that move resulted in hackers leveraging embedded files to deliver malware.
- 12. GAO Report on US Dept. of Veterans Affairs Level of CIO Approval of IT Procurement
According to a report from the Government Accountability Office (GAO), the Department of Veterans Affairs failed to provide evidence of CIO approval for more than 60 percent of the 11,644 new IT contract actions between March 2018 and the end of FY 2021.
The question - shouldn't the CIO (& CISO) be involved in IT contracts, like always?
- 1. ‘A cautionary tale of success’: Taking stock of the latest massive hack (3CX) (no paywall)
North Korean hackers attacked voice-over IP software provider 3CX, in a “supply chain attack.” The number of companies affected by the harmful code remains unclear, but the supply-chain element of the hacking campaign has been effectively “neutered.” While cyber officials believe North Korea is improving its cyber capabilities, they’re not as sophisticated as the Russian hackers allegedly behind the SolarWinds campaign.
- 2. Ethereum Bot Gets Attacked for $20M as Validator Strikes Back
Since Ethereum moved to Proof-of-Stake, transactions are validated by "validator" services. They make money through MEV, "maximal extractable value," which is a method validators use to try to maximize their profits when they validate transactions by including, excluding or changing the order of transactions in a block. The attack happened all within one Ethereum block: a validator appeared to force a series of transactions into the block to steal funds the bot had planned to gain by front-running.
- 3. China seethes as US chip controls threaten tech ambitions
China has its own chip foundries, but they supply only low-end processors used in autos and appliances. The U.S. government is cutting off access to a growing array of tools to make chips for computer servers, AI and other advanced applications. China’s loudest complaint: It is blocked from buying a machine available only from a Dutch company, ASML, that uses ultraviolet light to etch circuits into silicon chips on a scale measured in nanometers, or billionths of a meter. Without that, Chinese efforts to make transistors faster and more efficient by packing them more closely together on fingernail-size slivers of silicon are stalled.
- 4. Google exec says Nest owners should probably warn their guests that their conversations are being recorded
Google devices chief Rick Osterloh said he believes anyone "in proximity" of a microphone-fitted smart device like Google Nest or Amazon Echo should be informed the devices are in use.
- 5. Understanding “longtermism”: Why this suddenly influential philosophy is so toxic
Whatever we may "owe the future," it isn't a bizarre and dangerous ideology fueled by eugenics and capitalism. Longtermism is a quasi-religious worldview, influenced by transhumanism and utilitarian ethics, which asserts that there could be so many digital people living in vast computer simulations millions or billions of years in the future that one of our most important moral obligations today is to take actions that ensure as many of these digital people come into existence as possible.
- 6. The Tor Project’s new privacy-focused browser doesn’t use the Tor network
It’s called the Mullvad browser, named after the Mullvad VPN company it’s partnered with. The Mullvad browser’s main goal is to make it harder for advertisers and other companies to track you across the internet. It does this by working to reduce your browser’s “fingerprint.”
- 7. WinRAR SFX archives can run PowerShell without being detected
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
- 8. We tested a new ChatGPT-detector for teachers. It flagged an innocent student.
Five high school students volunteered to help me test it by creating 16 samples of real, AI-fabricated and mixed-source essays to run past Turnitin’s detector. The result? It got over half of them at least partly wrong.
- 9. Hey Siri, use this ultrasound attack to disarm a smart-home system
Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices. Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa are all vulnerable to NUIT attacks.
- 10. The Uninvited Guest: IDORs, Garage Doors, and Stolen Secrets
I discovered a series of critical vulnerabilities in Nexx’s smart device product line, which encompasses Smart Garage Door Openers, Alarms, and Plugs. These vulnerabilities enabled remote attackers to open and close garage doors, take control of alarms, and switch smart plugs on and off for any customer. Nexx has not replied to any correspondence from myself, DHS (CISA and US-CERT) or VICE Media Group. I have independently verified Nexx has purposefully ignored all our attempts to assist with remediation and has let these critical flaws continue to affect their customers.
- 11. Researchers claim they can bypass Wi-Fi encryption (briefly, at least)
When a Wi-Fi user disconnects temporarily from the network, access points often save up any reply packets that arrive for requests that were still unanswered at the time that the device powered down or went out of range. The researchers figured out various ways of tricking some access points into releasing those queued-up network packets, either without any encryption at all, or encrypted with a new session key that they chose for the purpose.
- 12. Samsung Fab Workers Leak Confidential Data While Using ChatGPT
After Samsung Semiconductor let its fab engineers use ChatGPT for assistance, they started using it to quickly fix errors in their source code, leaking confidential information like notes from internal meetings and data related to fab performance and yields in the process. The company now plans to develop its own ChatGPT-like AI service for internal use. But for now, it limits the length of questions submitted to the service to 1024 bytes, reports Economist.
- 13. VW and Redwood want to recycle your old laptop and cell phone batteries
Volkswagen dealerships will put out collection bins for old consumer batteries. This is appealing because there's evidence that recycled battery materials can perform better than freshly processed ones and because recycling battery materials in the US satisfies the domestic sourcing of critical minerals requirement in the new clean vehicle tax credit.