Zip Tie Pick, Wifi/Bluetooth Bugs, Domain Controllers, & Beetle Behavior – PSW #722

This is too funny: "As the researchers note, males giving females oral genital stimulation is rare in invertebrates. So they were surprised when they found male darkling desert beetles contacting and orally manipulating female genitalia multiple times prior to copulation." - Also note there are people who are researching this and having discussions about this topic, presumably with a straight face, which is more than you can say for us...

How a $400 grade 1 lock was bypassed with a zip tie: "At about 6 a.m., two hours after he started working on the lock, he pushed his homemade tool through the drain hole, caught the lever, gave a gentle tug, and the lock sprung open. When he reinserted the zip tie and pulled again, it locked. It worked again, and again, and again."

"The vulnerabilities specifically exist in the Garrett iC module, which provides network connectivity to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly used at security checkpoints. An attacker could manipulate this module to remotely monitor statistics on the metal detector, such as whether the alarm has been triggered or how many visitors have walked through. They could also make configuration changes, such as altering the sensitivity level of a device, which potentially poses a security risk to users who rely on these metal detectors."

Well, the Chinese Government will only use these for good, right? - "The move also comes months after the Chinese government issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to disclose them first-hand to the government authorities mandatorily."

Pretty neat! The ability to exploit other chips via shared memory: "Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device's other chips using shared memory resources. In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs."

This is amazing: "JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent."

"Two backdoor passwords were found in the firmware of the COMpact 5500R PBX," researchers from RedTeam Pentesting said in a technical analysis published Monday. "One backdoor password is for the secret user 'Schandelah', the other can be used for the highest-privileged user 'admin.' No way was discovered to disable these backdoors." - Mr. Potato head, backdoors are not secrets! Well, not any longer...

This is one of the better write-ups, start here if you've not done a deep dive into log4j yet.

"WebSockets are not restricted by same-origin policies like a normal cross-domain HTTP request and they expect the server itself to validate the Origin of the request. While they are useful, they also introduce a fair amount of risk as they do not include many security controls to limit their utilization." - Doesn't this mean that many web app vulnerabilities could be triggered via WebSockets?

"While CVE-2021-42278 enables an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into systems in the Active Directory domain, CVE-2021-42287 makes it possible to impersonate the domain controllers. This effectively grants a bad actor with domain user credentials to gain access as a domain admin user."

After thoroughly reviewing the "FORCEDENTRY" iPhone exploit, researchers at Google's Project Zero say they have uncovered a never-before-seen "hacking roadmap" that includes a PDF file that appears to be a GIF image loaded with a custom-coded virtual CPU constructed out of "Boolean pixel operations." According to Google's Ian Beer and Samuel Groß, "We assess this to be one of the most technically sophisticated exploits we've ever seen." According to Google, after receiving an exploit sample from Citizen Lab, it collaborated with Apple's Security Engineering and Architecture (SEAR) group to perform a technical analysis, which revealed a high degree of technical sophistication in an exploit that was sold to governments worldwide.

Bad things come in threes: Apache reveals another Log4J bug Third major fix in ten days is an infinite recursion flaw. CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j.

The "Conti" ransomware gang has been spotted exploiting the Log4j vulnerability (CVE-2021-44228) in order to obtain "rapid" access to targeted organizations' internal VMware vCenter Server instances and encrypt virtual machines.

Malicious actors have brought back an old and almost-retired malware family known as TellYouThePass, using it to target Linux and Windows devices vulnerable to the critical remote code execution vulnerability in the Apache Log4j library (CVE-2021-44228)

Malicious actors have been spotted exploiting the Log4j vulnerability (CVE-2021-44228) in order to infect targeted Linux devices with "Meterpreter" and Windows devices with the "Dridex" banking Trojan.

Clop ransomware gang stolen confidential data from the UK police and leaked it in the dark web because the victim refused to pay the ransom. Researchers say the "Clop" ransomware gang managed to access, steal, and leak "confidential" information belonging to some 13 million individuals, which included data belonging to the U.K. police taken from its police national computer (PNC) system.

The FBI's Cyber Division has revealed that state-backed APT actors have been actively exploiting the authentication bypass vulnerability (CVE-2021-44515) affecting Zoho's ManageEngine Desktop Central since at least October 2021 in order to conduct network reconnaissance and move laterally throughout compromised networks.

CISA, the FBI, the NSA, and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to multiple vulnerabilities in Apache’s Log4j software library. Malicious cyber actors are actively scanning networks to potentially exploit CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.