Texas A&M Prof Fails, Windows Vs. iPhones, Cobalt Strike on Mac, & SHA-1 in Shambles – PSW #785
In the security news: How AI Knows Things No One Told It, Dragos Employee Gets Hacked, VMProtect Source Code Leaks, CISA Vulnerabilities, SHA-1 is a Shambles, Microsoft Scans Inside Password Protected Files, Geacon Brings Cobalt Strike Compatibility to MacOS, Google Launches Tools to Identify Misleading & AI Images, Cyberstalkers Use New Windows Feature to Spy on iPhones, Texas A&M Prof Flunks all his Students, Wemo Won’t Fix Smart Plug Vulnerability, Catfishing on an industrial scale, and Hacking the Ocean to store Carbon Dioxide
- 1. Dragos Employee Hacked, Revealing Ransomware, Extortion Scheme
- 2. SHA-1 is a Shambles
- 3. CISA Adds Seven Known Exploited Vulnerabilities to Catalog
- 4. Microsoft is scanning the inside of password-protected zip files for malware
- 5. Severe RCE Bugs Open Thousands of Industrial IoT Devices to Cyberattack
- 6. Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors
- 7. Cyberstalkers Using New Windows Feature to Spy on iPhones
- 8. Wemo won’t fix Smart Plug vulnerability allowing remote operation
- 9. ‘FriendlyName’ Buffer Overflow Vulnerability in Wemo Smart Plug V2
- 10. Attackers Target macOS With ‘Geacon’ Cobalt Strike Tool
- 11. Re-Victimization from Police-Auctioned Cell Phones – Krebs on Security
- 12. Deconstructing a Cybersecurity Event
- 1. Ransomware corrupts data, making restoration harder
"They encrypt at excessive speed," Richard Addiscott, a senior director analyst at Gartner, told the firm's IT Infrastructure, Operations & Cloud Strategies Conference 2023 in Sydney on Monday. "They encrypt faster than you can run a directory listing."
Ransomware operators therefore encrypt badly and lose some of the data they then try to sell you back.
- 2. China’s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks
An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers.
- 3. Russian Hacker Now Has a $10M Bounty on His Head
It isn’t often that our government is willing to shell out $10 million – but a Russian hacker has joined that elite group. Since early 2020, Mikhail Pavlovich Matveev carried out ransomware attacks against various health care providers and law enforcement agencies. Matveev used ransomware strains from Babuk, Lockbit and Hive against his victims, and pocketed over $200 million via his extortion campaigns. The FBI has issued a coveted Most Wanted poster for Matveev.
- 4. Parental control app with 5 million downloads vulnerable to attacks
Kiddoware's 'Parental Control – Kids Place' app for Android is impacted by multiple vulnerabilities that could enable attackers to upload arbitrary files on protected devices, steal user credentials, and allow children to bypass restrictions without the parents noticing.
- 1. How AI Knows Things No One Told It
This is a serious article from Scientific American, not crazy speculation. LLMs are proven to have an internal representation of the world, and they perform tasks they were not trained to do, giving them “emergent abilities.” An AI trained to play Othello developed “neural activity” that matched the game board. The researchers concluded that it was playing Othello roughly like a human: by keeping a game board in its “mind’s eye” and using this model to evaluate moves. "...we are probably not that far off from AGI" (Artificial General Intelligence).
- 2. Risky Biz News: VMProtect source code leaks (again)
Source code for the VMProtect software has leaked online not once but twice over the past year. The first leak happened in August last year, while the second took place last week via a Chinese IT forum. Made by a Russian company, VMProtect is a popular solution for protecting software applications by running an app inside a customized virtual machine. VMProtect has its legitimate uses in the software development community, especially in games and enterprise applications, but it has also been broadly adopted by malware developers to protect malicious payloads—with multiple cybersecurity companies automatically detecting VMProtect-enveloped software as a potential threat.
- 3. The .zip TLD sucks and it needs to be immediately revoked
You might have been tricked into clicking this, assuming that the .zip in the URL was a filename. This is, of course, how it's been for decades. .zip isn't a valid part of a domain name! Except that Google has changed that. You can now purchase .zip and .mov domain names from Google. ICANN has failed all of us by allowing this to happen.
- 4. New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
The risk is increased because VMware says antivirus is not needed for ESXi and does not support it.
- 5. Google Launching Tools to Identify Misleading and AI Images
Google is adding two new features to its image search to reduce the spread of misinformation: ‘About this image’ serves up additional context like when an image or similar ones were first indexed by Google, where they first appeared and where else they’ve shown up online. Another mark on every AI-generated image will indicate the tool used to create it.
- 6. Confidential computing is the future of targeted advertising
This is Microsoft's version of confidential computing. It revolves around a trusted execution environment (TEE) or secure enclave. This uses hardware-based security mechanisms to protect any code and data placed inside it from everything outside the enclave, including the host operating system and any other application code.
The bad news – if you are a consumer – is that this allows for scenarios where companies can more easily target you with pitches that are tailored to you personally because confidential computing can potentially overcome some of the regulatory and privacy concerns around organizations sharing sensitive data with third parties.
- 7. Share and query encrypted data in AWS Clean Rooms
This is Amazon's version of confidential computing. Where would AWS Clean Rooms be useful? Consider a scenario where two different insurance companies want to identify duplicate claims so they can identify potential fraud. This would be simple if they could compare their claims with each other, but they might not be able to do so due to privacy constraints.
- 8. flAWS challenge–AWS security CTF
- 9. flAWS 2 challenge–AWS security CTF
- 10. Forgetful Browsing
Brave browsers will include a new feature called “Forgetful Browsing,” which allows users to always clear cookies and other storage when the site is closed. Forgetful Browsing can help you be automatically logged out of a site when it’s closed, avoid being rate limited by a site (e.g., “you have X remaining articles to view”), and generally prevent sites from reidentifying you across visits.
- 11. Texas A&M Prof Flunks All His Students After ChatGPT Falsely Claims It Wrote Their Papers
Seniors who have already graduated were denied their diplomas because of an instructor who incorrectly used AI software to detect cheating. Dr. Jared Mumm, a campus rodeo instructor who also teaches agricultural classes, used this process: “I copy and paste your responses in [ChatGPT] and [it] will tell me if the program generated the content”.
- 12. This is catfishing on an industrial scale
Hired as customer service reps, they lure the lovestruck through a network of dating sites. Freelancers employed all over the world animate fake profiles and chat with people who have signed up for dating and hookup sites. “Customer service” staff don’t play a single character on the sites. Instead, they sit in a chat queue to be cycled between virtual characters they occupy for two minutes at a time.
- 13. Threat Group UNC3944 Abusing Azure Serial Console for Total VM Takeover
A financially motivated cyber actor has been observed abusing Microsoft Azure Serial Console on virtual machines (VMs) to install third-party remote management tools within compromised environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. The development is yet another piece of evidence of attackers taking advantage of living-off-the-land (LotL) techniques to sustain and advance an attack, while simultaneously circumventing detection.
- 14. Pentagon Hacking Fears Fueled by Microsoft’s Monopoly on Military IT
The U.S. Department of Defense is quietly abandoning one of its longest running cybersecurity programs protecting its vast global IT network, and replacing it with off-the-shelf tools from Microsoft, despite internal opposition and criticism from experts who say it will make the nation more vulnerable to foreign hackers, enemy cyberwarriors and online spies. Now, the department will use Microsoft Defender, said Deputy CIO David McKeown, one of the Defense Department's top cyber officials. He disputed the suggestion that using Microsoft security tools to protect Microsoft software would make the DOD more vulnerable, saying tools that were built from the ground up to integrate with the software they were protecting would be more secure.
- 15. App Store stopped more than $2 billion in fraudulent transactions in 2022
In 2022, the App Store prevented over $2 billion in potentially fraudulent transactions, and rejected nearly 1.7 million app submissions for failing to meet the App Store’s high standards for privacy, security, and content. In 2021, Apple terminated over 802,000 developer accounts for potentially fraudulent activity. In 2022, that number declined to 428,000 thanks in part to new methods and protocols that allow the App Store to prevent the creation of potentially fraudulent accounts.
- 16. Chat Lock: Making your most intimate conversations even more private
Locking a WhatsApp chat takes that thread out of the inbox and puts it behind its own folder that can only be accessed with your device password or biometric, like a fingerprint. It also automatically hides the contents of that chat in notifications, too. This feature will be great for people who have reason to share their phones from time to time with a family member or those moments where someone else is holding your phone at the exact moment an extra special chat arrives.
- 17. UCLA Says We Can Hack The Ocean To Store Carbon Dioxide
Instead of directly capturing atmospheric carbon dioxide, the technology would extract it from seawater, enabling the seawater to absorb more. Why? Because, per unit volume, seawater holds nearly 150 times more carbon dioxide than air. The seawater would flow through a mesh that allows an electrical charge to pass into the water, rendering it alkaline. This kicks off a set of chemical reactions that ultimately combine dissolved carbon dioxide with calcium and magnesium native to seawater, producing limestone and magnesite by a process similar to how seashells form. The seawater that flows out would then be depleted of dissolved carbon dioxide and ready to take up more. A co-product of the reaction, besides minerals, is hydrogen, which is a clean fuel.
- 18. Large language models’ surprise emergent behavior written off as ‘a mirage’
"Emergent" abilities are "abilities that are not present in smaller-scale models, but which are present in large-scale models" -- increasing the size of a model infuses it with some amazing ability not previously present. These researchers say LLMs don't really have emergent abilities, but only appear to, because poorly chosen methods of measurement were used.
- 19. YouTube Leads Young Gamers to Videos of Guns, School Shootings
YouTube recommended hundreds of videos about guns and gun violence to accounts for boys interested in video games. Many of the videos violated YouTube’s own policies on firearms, violence, and child safety, and YouTube took no apparent steps to age-restrict them.
- 20. Crypto community reacts to Ledger wallet’s secret recovery phrase service
Ledger Recover is a subscription service that allows users to utilize an additional layer of protection for their private keys. This service employs a technique where the user’s seed phrase is divided into three encrypted fragments, each sent to different external entities. Once these fragments are combined and decrypted, they can be used to reconstruct the original seed phrase. Mudit Gupta, the chief information security officer at Polygon Labs, shared, “It’s a horrendous idea, DON’T enable this feature...the problem here is that the encrypted keys parts are sent to 3 corporations and they can reconstruct your keys.”