Identifying Bad By Defining Good – Danny Jenkins – PSW #815

Paul Asadoorian

1. Shielder – Hunting for ~~Un~~authenticated n-days in Asus Routers

   This is an amazing post that makes a crucial point: The exploitability of vulnerabilities may depend on the environment. Researchers found that when emulating firmware the RCE vulnerabilities are exploitable pre-authentication. However, due to NVRAM differences in emulated vs. physical devices, the physical devices are not exploitable without authentication. Also, the researchers in the post ported NVRAM emulation from firmadyne to Qiling, which is impressive (and I hope they submitted a pull request for this! Note: A quick peek at the Github repo and it appears they have not, please do!). This also means we cannot trust what's in a CVE entry as the CVE entries call this RCE with no authentication, which is not true for physical devices!

2. Critical Alert: CVE-2023-6200 Exploits Linux Kernel with Code Execution Risk

   This bothers me: "The remedy for CVE-2023-6200 lies in updating to Linux kernel version 6.7-rc7, which contains the necessary fix." I couldn't easily determine which distros are supporting which kernel versions. On Manjaro I finally got my system configured properly so I can boot kernel 6.6, and I have an option to install 6.7. However, 6.7 is not listed as LTS for Manjaro, 6.6 is the latest LTS and recommended kernel version. Does this mean I am vulnerable or is there a workaround? There is! "Users can also mitigate the risk by ensuring the accept_ra parameter is disabled, which can be verified via commands like cat /proc/sys/net/ipv6/conf/default/accept_ra" Any guesses as to whether or not my system is vulnerable?

3. Hotel WiFi, VPNs, And Security
4. Automated Emulation: Open-source breach and attack simulation lab

   "The creator of Automated Emulation, Jason Ostrom, aimed to develop an infrastructure security lab to enhance skills in adversary simulation, focusing on linking TTPs and evaluating various endpoint security products. He envisioned this as a customizable “Security Playground” for personal skill enhancement." - Haven't seen Jason in years! I wanna say he used to do a VoIP security podcast back in the day, which was really good!

5. MS-DOS and Windows 3.11 still run train dashboards at German railway — company listed admin job for 30-year-old operating system

   This is too funny!

6. Many CVE Records Are Listing the Wrong Versions of Software as Being Affected – Plugin Vulnerabilities

   This led me down a rabbit hole and eventually sparked an idea for a conference talk. So, I won't comment at this time :)

7. Lexmark Security Advisory – CVE-2023-50737

   I can find very little about this vulnerability. They reference a ZDI candidate, however, I can find no references to this candidate number. There is an entry for Mitre, but no information can be found and the NVD link is a 404. Yet this is scored as a 9.1 and described as "An input validation vulnerability in the SE Menu allows an attacker to execute arbitrary code.".

8. Firmware key extraction by gaining EL3 – The Cave

   This is an extensive post. I really liked this technique: "Following the tracks, it leads to the usb-c power connector, through some small IC. Adding a pull-up to the SBU pin of the usb-c connector and we have the bootlogs directly on the usb-c connector" Also, this is common, back to Ebay because I want to hack the latest thing: "Then, a challenge came to my mind: "what if I could break into their latest model?" So back to ebay."

9. A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108)

   Sometimes when trying to hack something you get lucky and find some information, of all places in this case, on a Turkish website: "I found the credentials in a turkish website (wizard / password!@@@). The user wizard executes a configuration program instead of a shell when you log in:" Great write-up, you should read this and flag it for reference later as it has many good tips.

10. SSD Advisory – Zyxel VPN Series Pre-auth Remote Command Execution

    Hrm: "Due to recent attack surface changes in Zyxel, the chain described below broke and become unusable – we have decided to disclose this even though it is no longer exploitable." - Okay, but my whole thing with this is, and maybe I am missing something, but the vulnerabilities are still exploitable in the affected versions of firmware (listed as 5.21 thru to 5.36). I've got this feeling that Zyxel believes all of their customers upgrade firmware to the latest versions 100% of the time across 100% of their customers. If that's the case I'd fall off my chair.

11. Exploit Released for Critical Jenkins RCE Flaw

    I did a little research on this one, there are 10 exploits available for one of the vulnerabilities:

    • https://github.com/h4x0r-dz/CVE-2024-23897
    • https://github.com/binganao/CVE-2024-23897
    • https://github.com/wjlin0/CVE-2024-23897
    • https://github.com/xaitax/CVE-2024-23897
    • https://github.com/Vozec/CVE-2024-23897
    • https://github.com/jenkinsci-cert/SECURITY-3314-3315
    • https://github.com/viszsec/CVE-2024-23897
    • https://github.com/CKevens/CVE-2024-23897
    • https://github.com/jopraveen/CVE-2024-23897
    • https://github.com/yoryio/CVE-2024-23897

    Proceed with caution, I did not review any of the above source code, so if you get popped from one of these exploits you've been warned! (And by you I mean the one running the exploit, not the Jenkins target). Also if you check the EPSS, its 0.00066, which is low, yet there are 10 exploits in the wild!

12. Owning a Bitcoin ATM

    This just kind of sums up how it went: "Once we gained root access, we could reasonably think that the job was done. However, we looked to the /etc/shadow file, where we were able to crack the root password in less than one minute – and the same password was valid for all of the devices." - Interesting though: When I watched the video of the team accessing the device it was booting LUbuntu. I've seen similar crypto currency ATMs with similar bootup screens and even taken some photos and shared them on my social media. Note: This is not an invitation to commit crimes and hack Bitcoin ATMs!

13. Announcing cvemap from ProjectDiscovery

    I messed around with this tool, I really like it. You can carve out CVE and exploit information pretty easily. I like this command: "cvemap -age 20 -s critical -f kev,poc". That command told me that you should not buy this $46 Wifi Router: https://www.amazon.com/Tenda-RX3-Wireless-Internet-Quad-Core/dp/B08YQTKGPN (Ref: https://grove-laser-8ad.notion.site/Tenda-AX1803-Command-Injection-in-fromAdvSetLanIp-7b2892fac8234cff90ca15af4947a8e7 and a ton more CVEs).

14. Symantec Messaging Gateway libdec2lha.so Stack Buffer Overflow Remote Code Execution

    This disclosure timeline is (I can't say these words but you know where I'm going): "Disclosed to vendor: August 11, 2021, Vendor response to disclosure: June 17, 2022, Disclosed to public: January 25, 2024" - I really want to know the full story.

15. Open Source: The Future of Router Defense?

    Open-source software is often patched/fix more quickly than commercial software (someone should study this, my guess is that "it depends"). In the case of OpenWRT, they are responding more quickly and efficiently than commercial firmware vendors (hundreds of vulnerabilities in commercial routers vs. native OpenWRT).

16. Flipper Zero – Great tool for the penester or an expensive toy for the drawer?

    Look, it's nice to keep a Flipper handy and it does some things really well. For the first two things in this list (cloning an RFID card and reading a credit card), you will have better success with a Proxmark3. While the Flipper is easier to use, the Proxmark3 is more capable (I am still learning the Proxmark3 stuff and will report back, I did manage to get one and put the iceman firmware on it, then read one of my access cards, but that's as far as I've gotten). For IR (Infrared) the Flipper is really awesome, especially with add-ons that extend the IR signal. Things like BadUSB work pretty well too (I've done some limited testing). I also use it as a U2F device and a USB to UART adapter. It throws out the BT SPAM like a champ.

Larry Pesce

1. Hackaday Links: January 28, 2024
2. GPS interference now a major flight safety concern
3. Notorious ransomware gang claims it pulled ‘classified and top secret documents’ from U.S. intelligence agencies
4. MS-DOS and Windows 3.11 still run train dashboards at German railway — company listed admin job for 30-year-old operating system

Lee Neely

1. Midnight Blizzard: Guidance for responders on nation-state attack

   Microsoft has released additional information about the breach that compromised executives’ emails. The intruders accessed the corporate email system through an old test account that had admin privileges but was not protected by multifactor authentication.

2. 23andMe admits it didn’t detect cyberattacks for months

   In a breach notification letter recently filed with regulators, 23andMe disclosed that intruders were accessing customer accounts for about five months before the situation was detected. From April through September of last year, the intruders brute-forced user accounts, stealing both raw genomic and health data.

   Five months to detect a breach that affected 50% of users is not ideal. Subsequently updating terms of service to prevent filing of class action lawsuits, even less so.

3. New Jersey School District Shut Down by Cyberattack

   The Freehold Township (New Jersey) School District schools and offices were closed on Monday, January 29, because of a cyberattack. An investigation into the incident is underway. There has been a spate of cyberattacks targeting K-12 school districts in the US since the beginning of the year.

   What makes this even more painful is that some schools that hired third-party companies to provide security services were themselves not secure and were themselves, subsequently compromised. This is a case where strong consideration should be given to leveraging free services, such as those offered by CISA, to help schools, already on tight budgets, assess their security posture, making tweaks to avoid a me-too scenario.

4. Kansas City public transportation authority hit by ransomware

   A ransomware attack disrupted communications for the Kansas City Area Transportation Authority (KCATA) last week. The incident affected KCATA’s RideKC call centers and all KCATA landlines. KCATA released a statement providing alternate phone numbers for customers who need to schedule rides through KCATA’s Freedom and Freedom-On-Demand Paratransit services.

5. PoC Exploits Heighten Risks Around Critical New Jenkins Vuln

   Users are urged to patch a critical arbitrary file-read vulnerability in the Jenkins command line interface. Proof of concept code has been released and there are reports that the vulnerability is being actively exploited. The vulnerability, CVE-2024-23897, is one of two Jenkins vulnerabilities disclosed last week. Now we have multiple PoC exploits for the vulnerabilities, published in GitHub, most validated, which means that you need to assume compromise if haven't applied the updates or workaround. (Disable the CLI.) The Jenkins advisory lays out all the detail. Packet Storm has published two POC scripts you can use to validate your environment; these are referenced in the NIST NVD details for CVE-2024-23897.

6. Schneider Electric Suffers Ransomware Attack

   The attack, which occurred in mid-January, resulted in the theft of terabytes of data.

   This is a case of the Cactus ransomware gang, first observed in March 2023, which likes to gain access using purchased credentials, phishing, malware distribution and even just exploiting vulnerabilities. They are attempting to extort payment leveraging the terabytes of data exfiltrated from Schneider Electric. The exfiltrated data appears to be relating to their customer's power utilization, ICS and automation systems, and compliance with environment and energy regulations. Customers include Walmart, PepsiCo, Lexmark, PepsiCo, DuPont, Clorox and DHL.

7. Ivanti Struggling to Hit Zero-Day Patch Release Schedule

   Ivanti has acknowledged that it missed a self-imposed deadline for releasing patches for several vulnerabilities that are being actively exploited. Initially, Ivanti planned to begin releasing fixes for the flaws on January 2; an updated advisory cites “the security and quality of” the fixes as the reasons for the delay.

   Ivanti is rightly not pushing out patches until they meet their quality standards. They hope to release updates next week. The rub comes from CISA's KEV deadline of 1/22 to either apply the patches or remove the software from government systems. In the interim, CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing mitigation.release.20240107.1.xml file via the Ivanti download portal.

   CISA has just published updated guidance: https://www.cisa.gov/news-events/alerts/2024/01/30/updated-new-software-updates-and-mitigations-defend-against-exploitation-ivanti-connect-secure-and

8. Police Arrest Teen Said to Be Linked to Hundreds of Swatting Attacks

   Authorities have arrested a 17-year-old individual in connection with a series of swatting attacks. The suspect is awaiting extradition from California to Florida to face four felony charges, including “making false reports concerning the planting of a bomb or the use of firearms, causing a law enforcement response.”

   The suspect is scheduled to be tried as an adult in Florida where swatting is a felony. Lately, swatting attacks are on the rise, particularly directed at prominent politicians. As of May, the FBI launched a collaborative effort to thwart swatting nationwide, which has processed over 550 reports since its inception. Florida's senator Rick Scott introduced a bill that proposes a maximum penalty of up to 20 years for individuals convicted of swatting.

9. Canadian malware spreader gets 2 years in prison

   A Canadian court has sentenced Matthew Philbert to two years in prison for launching ransomware and other cyberattacks. Philbert was arrested in 2021, and pleaded guilty to fraud and unauthorized access to computers in October 2023.

   Philbert's attacks affected about 1,330, with losses of about $49,000, including $15,000 from a small family-run business that thought an employee may have stolen the money. The chilling part is each victim is considered as an opportunity for income, not the effect of the crime on their wellbeing or business. His lawyer proposed sentence was two years, minus a day, to be served out of jail; the judge disagreed, feeling the crimes warranted two years behind bars. Additional court sessions are scheduled in March to discuss restitution to his victims.

10. Trickbot malware developer sentenced to 5 years behind bars

    A US court has sentenced Vladimir Dunaev to more than five years in prison for his role in the development of the Trickbot malware. The malware has been used to disrupt systems at hospitals and other businesses in the US. Dunaev, who is a Russian citizen, was extradited to the US from South Korea in 2021. He pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit wire fraud in November.

    Initially, Trickbot was used to capture banking credentials from PCs to siphon those fees to the gang. It evolved into an expandable ransomware-as-a-service that you could rent for your own nefarious purposes in exchange for a cut of the take. This gang is reported to have extorted at least $180 million from people and organizations worldwide. Trickbot was shut down in 2022, but many of its developers have moved to other criminal organizations, so expect variants in the future.

Sam Bowne

1. Apple Surprise Reveal: Biggest-Ever Shake-Up For Your iPhone Here In Weeks

   In order to comply with the Digital Markets Act, iPhone users in the EU will be able to download and install apps outside the App Store. Apps coming from the alternative app stores will have to go through a notarization process including safety and security checks.

2. Windows 10 and Windows 11 in S mode FAQ

   Windows 11 in S mode is a version of Windows 11 that's streamlined for security and performance, while providing a familiar Windows experience. To increase security, it allows only apps from Microsoft Store, and requires Microsoft Edge for safe browsing. A student had a new machine in S mode, and it has scary warnings against turning it off.

3. In India, an algorithm declares them dead; they have to prove they’re alive

   In June 2020, the state started using a newly built algorithmic system – the PPP database – to determine the eligibility of welfare claimants. It maps every family’s demographic and socioeconomic information by linking several government databases to check their eligibility for welfare schemes. It stopped the pensions of 277,115 elderly citizens and 52,479 widows in a span of three years because they were “dead”.

   However, several thousands of these beneficiaries were actually alive and had been wrongfully declared dead either due to incorrect data fed into the PPP database or wrong predictions made by the algorithm.

4. New Report Shows Electric Vehicles Are Unreliable — These 3 Are the Worst

   Consumer Reports found electric models suffer 79% more maintenance problems than gas-powered cars. Plug-in hybrids fared even worse — with a concerning 146% more issues reported by drivers. Among the three worst models is the Tesla Model 3.

5. How a Group of Israel-Linked Hackers Has Pushed the Limits of Cyberwar

   From repeatedly crippling thousands of gas stations to setting a steel mill on fire, Predatory Sparrow’s offensive hacking has now targeted Iranians with some of history's most aggressive cyberattacks.

6. Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It

   Nearly 30 years after a murder, detectives sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face. They produced a Snapshot Phenotype Report, not a photograph. It was a 3D rendering that bridges the uncanny valley between reality and science fiction; a representation of how the company’s algorithm predicted a person could look given genetic attributes found in the DNA sample. The department published the predicted face in an attempt to solicit tips from the public and asked to have the rendering run through facial recognition software. This has concerned privacy advocates.

7. Notorious Spyware Maker NSO Group Is Quietly Plotting a Comeback

   NSO Group, creator of the infamous Pegasus spyware, is spending millions on lobbying in Washington while taking advantage of the Israel-Hamas war to paint itself as essential for global security.