Teenage Masterminds, Hacking Civics, Journalists Sued, UPS Attacks, & Spyware – PSW #734

We are not already doing this? - "By blending military intel with commercial data, publicly available information on foreign adversaries and certain national intelligence systems, it will provide insight necessary for Army Cyber Command to operate and defend networks and influence foreign audiences, the spokesperson added."

"While the API supports authentication, and the thick client performs this authentication, while capturing the SOAP requests, it was observed that the specific request to extract an address book, `POST /ws/km-wsdl/setting/address_book` does not require an authenticated session to submit. Those address books, in turn, contain stored email addresses, usernames, and passwords, which are normally used to store scanned documents on external services or send to users over email."

Haven't gone through all the technical details, but this seems to be the point: "This also demonstrates that even very small race conditions can still be exploitable if someone sinks enough time into writing an exploit, so be careful if you dismiss very small race windows as unexploitable or don't treat such issues as security bugs."

Weird, they just closed up shop, perhaps burning it down to re-emerge and not be under fire from German authorities? "The company, which is known for its powerful and invasive malware “FinSpy,” has been under investigation by the German government since 2019 over allegations that it illegally sold spyware to the government of Turkey without acquiring the requisite export license. The spyware, which was allegedly used to monitor the phones of political activists in the country, is known for its ability to pilfer data and listen-in on mobile users."

Marty summed it up nicely right here: "As environments grow noisier with context-free security alerts and a constant flood of log data, it becomes easier for attackers to intentionally create distractions that make it possible for them to conceal their activities inside the network."

So yea, like we know this works, so does Lapsus$: "“No limit is placed on the amount of calls that can be made,” a member of Lapsus$ wrote on the group’s official Telegram channel. “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”" - Does simply rate-limiting this fix it?

Great explanations of Spring and the exploit path in this post: "If the person calling your Java function via the web (to look up a username in a database, for example, or to check if a specific SKU is in stock) inserts a specific HTTP header into their web request, and if that header contains Spring code structured in the right way… …then the code in that header gets executed on the server, right inside the Spring Cloud server world. In other words, unauthenticated, uncomplicated remote code execution (RCE)."

"The hacker’s crypto wallet, which is available to view on Etherscan, shows that most of the funds haven’t been moved since they were extracted from the Ronin Network. But there’s evidence the hacker is trying to move tiny amounts of crypto in several transactions, perhaps a way to figure out what avenue might be safe for extracting the wealth."

From the Google post: "Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL." (https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_29.html) - I really like how Google is not afraid to list out the tools that people use to find vulnerabilities in their own products, nice!

I think this is a stretch: "Ubiquiti said it promptly notified customers of the attack and instructed them to take additional security precautions to protect their information. Ubiquiti then notified the public in the next filing it made with the SEC, but they claim Krebs intentionally disregarded the steps the company took to target Ubiquiti and increase ad revenue by driving traffic to his website" - at least the "intentionally disregarded" on Krebs part, I'm on team Krebs. And oh look, there's this too: "Corey Quinn, chief cloud economist at the Duckbill Group calls into question the Ubiquiti lawsuit and pointed out that the law firm representing Ubiquiti, Clare Locke LLP in Alexandria, Virginia, has a long history of suing media companies. " (https://twitter.com/QuinnyPig/status/1508965090019577856)

"For instance, bad actors can use them as a jumping-off point to breach a company’s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses." - Also, it seems default credentials are the way attackers are getting in, which is bad.

Damn, I had high hopes for Azure for IoT too, hopefully MS can turn it around: "Given that Defender for IoT is a security product itself, SentinelLabs says that is research “raises serious questions about the security of security products themselves and their overall effect on the security posture of vulnerable sectors.”"

"The boy's father told the BBC his family was concerned and was trying to keep him away from his computers. Under his online moniker "White" or "Breachbase" the teenager, who has autism, is said to be behind the prolific Lapsus$ hacker crew, which is believed to be based in South America."

An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. He is also ordered to pay $36 million in restitution.

Researchers have found a vulnerability that can be exploited through a replay attack to unlock and remotely start certain Honda and Acura vehicles made between 2016 and 2020. The attack captures radio frequency signals sent to the car from a key fob and replays them at a later time. The researchers recommend that the car manufacturers use “rolling” or “hopping” codes.

Microsoft is adding a Vulnerable Driver Blocklist to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer. The blocklist will comprise information from Microsoft and from OEM partners.

The FBI has issued a TLP: White Private Industry Notification warning that Triton malware, also known as Trisis, is still a threat to critical infrastructure industrial control systems (ICS) around the world. The bulletin describes the threat, including the 2017 Triton attacks targeting a petrochemical company in the Middle East.

The Ukrainian Security Service (SSU) has revealed it has shuttered more than 100,000 bogus social media accounts that were part of a bot farm operated out of Kharkiv, Cherkasy, Ternopil, and Zakarpattia that was spreading fake news over social media designed to instill fear and discourage Ukrainian citizens from defending their country.

Ukrainian national telecommunications operator Ukrtelecom says it is now trying to restore Internet service in Ukraine after being hit by a "major cyber-attack" that resulted in connectivity dropping to just 13 percent of pre-war levels throughout the country. Service is being restored on a priority basis. What would you do if your ISP was offline? Do you know where you fit on their service restoration plan?

Google on 3/25 shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited. Updates are also available for chromium browsers such as Brave and Edge.

While Twitter suspends some Anonymous accounts, the collective hacked All-Russia State Television and Radio Broadcasting Company (VGTRK).

Sophos has addressed a critical vulnerability, tracked as CVE-2022-1040, in its Sophos Firewall that allows remote code execution (RCE). Sophos has released a hotfix that can be automatically installed. There are no mitigations for this flaw. Make sure you're on a supported firmware revision.

The Federal Air Transport Agency Rosaviatsiya is responsible for overseeing the civil aviation industry in Russia. Its website favt.ru went offline on Monday and has been unreachable since. "Due to the temporary lack of access to the Internet and a malfunction in the electronic document management system of the Federal Air Transport Agency, the Federal Air Transport Agency is switching to a paper version," reads the Rosaviatsiya statement signed by the agency's head Alexander Neradko.

EMBER BEAR is an adversary group aimed at creating public mistrust in targeted institutions and degrading government ability to counter Russian cyber operations

Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture. • Patch all systems. Prioritize patching known exploited vulnerabilities. • Implement multi-factor authentication. • Use antivirus software.• Develop internal contact lists and surge support.

Munich-based spyware company FinFisher declared insolvency last month, Bloomberg reported Monday, amid an ongoing investigation into its business dealings.

Mitigate attacks against UPS devices by immediately removing management interfaces from the internet.

The active attacks could result in critical-infrastructure damage, business disruption, lateral movement and more.