Ubiquiti Breach, Tesla, PHP, & More Sagas – PSW #689
npm netmask library has a critical bug, when AI attacks, firmware attacks on the rise, Microsoft Hololens and order 66, a real executive order 13694, The Ubiquity breach saga, the FreeBSD and wireguard saga, is the cloud more secure? Hopefully for PHP it is, software updates limit muscle car to 3 HP, a brand new Windows 95 easter egg just in time for, well, easter, and aging wine in space, does it make a difference?
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
- 1. Critical netmask networking bug impacts thousands of applications - "The root cause of the problem turned out to be Netmask’s incorrect evaluation “of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound" (https://portswigger.net/daily-swig/ssrf-vulnerability-in-npm-package-netmask-impacts-up-to-279k-projects), "For example, a remote unauthenticated attacker can request local resources using input data 0184.108.40.206 (127.0.0.1), which netmask evaluates as public IP 220.127.116.11. Contrastingly, a remote authenticated or unauthenticated attacker can input the data 0127.0.0.01 (18.104.22.168) as localhost, yet the input data is a public IP and potentially cause local and remote file inclusion (LFI/RFI)" (https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md)
- 2. Will AI Short Circuit Cybersecurity? - Basically, how do we prevent creating Skynet? - "The article describes how engineers discovered a surprising feature relating to the now defunct Google Project Loon, which was intended to make the Internet universally available using balloons rather than satellites. They observed that, on a trip from Puerto Rico to Peru, the balloon began tacking, which is the method used with sailboats for changing direction. Not that that is particularly startling, except that they had never taught the AI how to do that—it did it all by itself! While this was a “gee whiz moment,” it portends what might be one of the greatest dangers of AI (artificial Intelligence) systems, namely, acting autonomously in unanticipated and possibly dangerous ways."
- 3. Alan Turing, WWII Cryptanalyst and Computer Pioneer, on New £50 Note – Security Boulevard - "Turing was selected to appear on the note?…?in recognition of his groundbreaking work in mathematics and computer science, as well as his role in cracking the Enigma code?…?in World War II. … [It] incorporates a number of designs linked to Turing’s life and legacy. These include technical drawings for the bombe, a decryption device used during WWII; a string of ticker tape with Turing’s birthday rendered in binary?…?a green and gold security foil resembling a microchip; and a table and mathematical formulae taken from one of Turing’s most famous papers." Also: "It’s a way to let the UK honor historic people. But don’t pretend like it’s some big feat or victory for oppressed people. Pardoning and putting a him on a note doesn’t undo that."
- 4. The Importance of Cybersecurity to SEO - Recovering from the SEO hits you take from a website compromise could be impactful: "When a business website become a victim of hackers, it can have below mentioned impacts, Website traffic can be redirected to third party servers., Error 50X, internal server error can be generated., Massive 404 errors, content not found can be caused across the website.,Websites can be infected with malicious code, which can spread infections to all visitors., Websites can be infected by phishing attacks to trick visitors."
- 5. Serious Vulnerability In Netmask npm Package Risked 270K+ Projects
- 6. Two Linux Vulnerabilities Could Allow Bypassing Spectre Attack Mitigations - So many privilege abuses in the Linux Kernel: "Unprivileged BPF programs running on affected systems can bypass the protection and execute speculatively out-of-bounds loads from any location within the kernel memory. This can be abused to extract contents of kernel memory via side-channel."
- 7. Blind XPath Injections: The Path Less Travelled - Awesome article explaining XPath injections, with examples from a CTF.
- 8. 83% of Businesses Hit With a Firmware Attack in Past Two Years - "Microsoft last year released a line of "Secured-Core" Windows 10 PCs as part of a partnership with Intel, Qualcomm, and AMD, to help businesses better defend against attacks that attempt to interfere with the boot process. Last June, it added a UEFI scanner to Microsoft Defender Advanced Threat Protection to assess the security posture inside of a firmware file system. However, even though Microsoft working to expose firmware visibility, "I don't think we yet have the total picture," he says, and it's a challenge to observe attacks taking place below the operating system. What's more, not all businesses can shift to new hardware in the near term, and many security teams are juggling too many other issues to prioritize firmware."
- 9. President Biden extended Executive Order 13694 regarding cyberattack sanctions
- 10. Microsoft Wins $22 Billion Deal Making Headsets for US Army - Interesting to think about hacking these, like in a battle, executing order 66! - "The technology is based on Microsoft’s HoloLens headsets, which were originally intended for the video game and entertainment industries. Pentagon officials have described the futuristic technology — which the Army calls its Integrated Visual Augmentation System — as a way of boosting soldiers’ awareness of their surroundings and their ability to spot targets and dangers."
- 11. Top 5 Attack Techniques May Be Easier to Detect Than You Think
- 12. How I “Hacked” a Popular Illicit Website Accidentally. - Interesting story, crime doesn't pay (though as a criminal you may have to pay): "Hey, it’s been a while, but Sammy just got sent a cease and desist from Chick-Fil-A. He has to pay restitution."
- 13. DD-WRT 45723 Buffer Overflow – Exploitalert
- 14. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security - Holy crap, what a saga...
- 15. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call - Holy crap, what another saga!
- 16. Universal “netmask” npm package, used by 270,000+ projects, vulnerable to octal input data: server-side request forg
- 17. PHP’s Git server hacked to add backdoors to PHP source code - So, moral of the story, the cloud is more security?
- 18. OpenSSL fixes severe DoS, certificate validation vulnerabilities
- 19. Dodge Offers Software Update For Chargers And Challengers That Limits Them To 3 HP Of Raw Hemi Power - "The way the engine manages to restrict the power so effectively from 485 HP/475 pound-feet or 707 HP and 650 lb of torque is by limiting the engines to a 675 rpm idle."
- 20. Google’s unusual move to shut down an active counterterrorism operation being conducted by a Western democracy
- 21. Windows 95 Easter egg discovered after being hidden for 25 years - "You have to open its About window, select one of the files, and type MORTIMER. Names of the program's developers will start scrolling"
- 22. Tasting experts sample wine aged for a year in space - I feel like this is a hacker thing like someone asked the question: "What would wine taste like if it were aged in zero gravity?".
- 1. Police say they found mafia fugitive on YouTube, posting cooking tutorials
- 2. Update on campaign targeting security researchers
- 3. Child tweets gibberish from US nuclear-agency account
- 4. Buffer overruns, license violations, and bad code: FreeBSD 13’s close call
- 5. Activision Forces Online Check DRM Into New Game, Which Gets Cracked In One Day
- 6. SpaceX seemingly takes steps to protect telemetry data after leak
- 7. Whistleblower: Ubiquiti Breach “Catastrophic” — Krebs on Security
- 8. Recovering a full PEM Private Key when half of it is redacted
- 9. PHP Compromised: What WordPress Users Need to Know
- 1. Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military - Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.
- 2. China Bans Tesla Cars From Entering Military Locations and Housing Compounds - China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk's cars from entering any Chinese military complexes or housing compounds.
- 3. PHP’s Git server hacked to add backdoors to PHP source code - Malicious actors pushed two malicious commits to the "php-src" Git repository maintained by the PHP team on its "git.php.net" server Sunday in an attempt to add backdoors to and compromise the PHP code base. PHP maintainers have migrated the official PHP source code repository to GitHub.
- 4. Whistleblower claims Ubiquiti Networks data breach was ‘catastrophic’ - The whistleblower said that attackers were able to obtain administrative access to AWS Ubiquiti databases using credentials stored in and stolen from an employee's LastPass account, which allowed them to access AWS accounts, S3 buckets, app logs, SSO cookie secrets, and all databases, including those containing user credentials.
- 5. OpenSSL fixes severe DoS, certificate validation vulnerabilities - OpenSSL has released an advisory about two high-severity vulnerabilities (CVE-2021-3449 and CVE-2021-3450) affecting its products that could be leveraged by attackers to create a denial-of-service (DoS) condition or prevent the Certificate Authority (CA) from issuing certificates.
- 6. This Android malware hides as a System Update app to spy on you - A new, "sophisticated" Android spyware app disguising itself as a software update has been discovered by researchers. Once installed on a device, the compromised device is registered with a Firebase C&C server that issues commands while a dedicated C&C server manages data exfiltration. Information collected by the RAT is said to include GPS data, SMS messages, contact lists, call logs, images and video files, and microphone audio.
- 7. Tax scammers hack government-run facial recognition system - A group of tax scammers has been identified leveraging manipulated personal information, high-definition photos, and a fake video to hack the government-run facial recognition system used by the State Taxation Administration, which allowed their registered shell company to issue bogus tax returns to clients. $500M Yuan ($76.2M USD)
- 8. FBI published a flash alert on Mamba Ransomware attacks - "Mamba" ransomware has been identified abusing the "DiskCryptor" (HDDCryptor, HDD Cryptor) open-source tool to encrypt entire hard drives.
- 9. Evil Corp switches to Hades ransomware to evade sanctions - The "Evil Corp" cybercrime gang has been spotted using the "Hades" ransomware to evade sanctions levied in December 2019 by the U.S. Department of Treasury's (Treasury) Office of Foreign Assets Control (OFAC).