Stopping The Bad Things – Rob Allen – PSW #857
1. Stopping The Bad Things – PSW #857
Rob from ThreatLocker comes on the show to talk about how we can disrupt attacker techniques, including Zero Trust, privilege escalation, LOLbins, and evil virtualization. In the news we talk about security appliances and vulnerabilities, rsync vulnerabilities, Shmoocon, hacking devices, and more!
This segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlocker to learn more about them!
Guest
Rob Allen is an IT Professional with almost two decades of experience assisting small and medium enterprises embrace and utilize technology. He has spent the majority of this time working for an Irish-based MSP, which has given him invaluable insights into the challenges faced by MSPs and their customers today. Rob’s background is technical – first as a system administrator, then as a technician and an engineer. His broad technical knowledge, as well as an innate understanding of customers’ needs, made him a trusted advisor for hundreds of businesses across a wide variety of industries.
Rob has been at the coalface, assisting clients in remediating the effects of, and helping them recover from cyber and ransomware attacks. Rob joined the ThreatLocker team in 2021 excited at the prospect of building new relationships and helping deliver ThreatLocker® enterprise-level security products to customers throughout the EMEA region.
Hosts
- 1. Citizen Wade: The secret and remarkable life of a legendary hacker who received a rare presidential pardon
Sent to me by Casey Ellis, this is a great article and an interesting read. I like the part where he built a supercomputer out of TVs, and the Secret Service was impressed after they seized it.
- 2. The Curious Case of a 12-Year-Old Netgear Router Vulnerability
I believe part of the problem in our industry today is some folks like to believe everything is roses and sunshine. I'm here to tell you it's not. For example, vendors believe that a 10-year-old product that is no longer supported should not be in use still, or if it is, no one should care because it's so old. People also believe that no one would compromise a router using an RCE vulnerability and use it to mine cryptocurrency. This article proves you wrong. We tend to believe that "everything is fine", when it's not, especially when it comes to IoT security. The fact remains: people are still using really old hardware and firmware, it's exposed to the Internet, and malicious actors are exploiting it. We still have no good solution to this problem. Throwing it away and getting a new one is clearly not the answer; if it were, people would be doing it more often. They only throw it away when it stops working or has degraded performance. There is no incentive to replace it otherwise. We need better solutions, such as funded replacement programs, discounts for those that upgrade, etc.
- 3. Rsync contains six vulnerabilities – VU#952657
Well, this is interesting: "Many backup programs, such as Rclone, DeltaCopy, and ChronoSync use Rsync as backend software for file synchronization. Rsync can also be used in Daemon mode and is widely used in public mirrors to synchronize and distribute files efficiently across multiple servers." The vulnerability descriptions are also interesting, and the impact is summarized as: "When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running. The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client. Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt." - Yikes! The watering hole attack has not gone unnoticed when reading the vulnerability descriptions. Hopefully, we caught this and fixed it before attackers caught on and targeted any large products or services that rely on the rsync daemon.
- 4. nzyme – So Many New Features
I have not looked at this awesome project in some time. The team has been hard at work! New features I want to check out:
- BLE support - Now discovers AirTags (I think we know a thing or two about this now)
- Nzyme Connect - A new API that you can register for and connect up to give you information such as the vendor and GeoIP
- More detection of "hacking" devices - O.MG cables,
- This is neat: "Trilateration is the process of determining the physical location of the source of a radio frequency signal using the recorded signal strength. Nzyme can now automatically perform trilateration if you have at least three taps placed on the same floor of a building."
- Bandits - "The previous alpha release re-introduced WiFi bandits: Known fingerprinted attack platforms that are immediately detected the moment they come into range of your taps." You can also add your own fingerprints!
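The trilateration nzyme describes, worked through as an added example (this is not nzyme's code): RSSI from three or more taps on one floor is converted to distance with a log-distance path-loss model (the reference RSSI `P0_DBM` and exponent `PATH_LOSS_EXP` are assumed calibration values), and the resulting circles are solved for the transmitter position by linear least squares. The tap coordinates and source position are constructed.

```python
import math

# Path-loss model assumptions (constructed for this example, not nzyme's
# internals): RSSI(d) = P0 - 10 * n * log10(d), where P0 is the RSSI at 1 m
# and n is the path-loss exponent. A real deployment calibrates both per site.
P0_DBM = -40.0
PATH_LOSS_EXP = 2.5


def rssi_to_distance(rssi_dbm, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Invert the path-loss model: estimated distance in metres."""
    return 10 ** ((p0 - rssi_dbm) / (10 * n))


def simulate_rssi(tap_xy, source_xy, p0=P0_DBM, n=PATH_LOSS_EXP):
    """Forward model, used only to build the constructed scenario below."""
    return p0 - 10 * n * math.log10(math.dist(tap_xy, source_xy))


def trilaterate(taps):
    """taps: list of (x, y, rssi_dbm) for at least three taps on one floor.
    Each tap gives a circle (x - xi)^2 + (y - yi)^2 = di^2. Subtracting the
    first circle from each of the others removes the quadratic terms and
    leaves 2*(xi - x0)*x + 2*(yi - y0)*y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2,
    which is solved for (x, y) by linear least squares (normal equations)."""
    if len(taps) < 3:
        raise ValueError("need at least three taps")
    x0, y0, r0 = taps[0]
    d0 = rssi_to_distance(r0)
    rows, rhs = [], []
    for xi, yi, ri in taps[1:]:
        di = rssi_to_distance(ri)
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    # Normal equations (A^T A) p = A^T b for the 2x2 case, via Cramer's rule.
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * v for r, v in zip(rows, rhs))
    b2 = sum(r[1] * v for r, v in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        # All taps on one line: the circles meet in two mirror-image points.
        raise ValueError("taps are collinear; place them to span the floor")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


# Constructed scenario: three taps at the corners of a 10 m square and a
# transmitter at (3, 4); the RSSI values come from the forward model above.
TAPS_XY = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
SOURCE_XY = (3.0, 4.0)
OBSERVED = [(x, y, simulate_rssi((x, y), SOURCE_XY)) for x, y in TAPS_XY]

if __name__ == "__main__":
    est_x, est_y = trilaterate(OBSERVED)
    print(f"estimated source: ({est_x:.2f}, {est_y:.2f})")
```

With real taps the RSSI is noisy, so more than three taps and a calibrated path-loss exponent matter more than the solver itself.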
- 5. This Ultimate Flipper Zero Attachment Has All the Things
I'm not sure why you would want to do this: "The hardware inside the Flipper Box includes a CC1101 sub-GHz radio transceiver with amplifier, an nRF24L01+ 2.4GHz transceiver, a W5500 Ethernet interface, a Raspberry Pi Pico for the VGM (Video Game Module), a flip board (buttons and NeoPixels), an ESP32-CAM, an OLED screen, a GPIO header set for additional modules, three ESP32 microcontrollers (two for different firmware options, plus one with GPS), a DHT22 temperature and humidity sensor, and a cooling fan." - There is something to be said for breaking out the functionality. Is this cool? Yes. Is this practical? Not really. There are so many platforms out there for creating RF hacking tools and general hacking tools that this is not really needed. Also, I still believe a laptop with the right dongle(s) is a much better option. Check out the CYD, LilyGO, and M5Stack platforms; there are even more options for doing everything this device can do, and more (like LoRa).
- 6. CVE-2024-54006 & CVE-2024-54007: Command Injection Flaws in HPE Aruba Devices, PoC Publicly Available
Two authenticated RCE vulnerabilities were discovered in the Aruba 501 Wireless Client Bridge. Check out this quote from the datasheet of that device: "This bridge provides the benefits of wireless mobility for devices like electronic cash registers, scales, servers, printers, medical equipment and other devices. It can be deployed in any location where a WLAN signal is available—saving the time and expense of installing Ethernet cables for wired network access."
I fear that many will not patch this because:
- An attacker would have to be able to reach the device over the network (e.g. "We don't have these facing the Internet")
- An attacker would need to know the credentials
These are weak arguments and make a lot of assumptions. We have to prioritize these patches!
- Not sure if this is the old exploit or the new one, but I found an exploit written back in August: https://www.exploit-db.com/exploits/52074
- 7. Exploitation Walkthrough and Techniques – Ivanti Connect Secure RCE (CVE-2025-0282)
This is one of my favorite quotes and needs discussion: "We've seen a number of security executives and leaders tell the world how unfair it is that people could possibly criticize Ivanti and their continuous spate of mission critical vulnerabilities in mission critical appliances - because "attackers always use new [in 1999] techniques" and zero-day can happen to anyone :^) We believe this is a real-world example of stockholm syndrome - get help. We agree - modern security engineering is hard - but none of this is modern. We are discussing vulnerability classes - with no sophisticated trigger mechanisms that fuzzing couldn't find - discovered in the 1990s, that can be trivially discovered via basic fuzzing, SAST (the things product security teams do with real code access). As an industry, should we really be communicating that these vulnerability classes are simply too complex for a multi-billion dollar technology company that builds enterprise-grade, enterprise-priced network security solutions to proactively resolve?"
A few things:
- I am not knocking Ivanti, they make products and they have vulnerabilities
- In general, there are spaces in our industry where the problems introduced are preventable. In other words, we know how to make it so we don't ship vulnerable products, my gripe is that in the space of network and security appliances not enough is being done to design and build a secure product
- Quick example: I did not criticize Apple when they had a zero-click SMS vulnerability because they made it super hard for the attackers. The same goes for Google, they put so much effort into Chrome security that when someone creates an exploit, we're impressed
- When you ship a product with several out-of-bounds memory vulnerabilities and command injection flaws, I'm not impressed; we can do better.
- 8. Laser Fault Injection on a Budget: RP2350 Edition
This write-up is insane (in a good way). If you want to learn about laser fault injection, this is the place. I believe that when physical access is in play, it's very hard to defend compute technology. Some insights:
- "Considering that the Boot ROM of the RP2350 has been audited before the opening of the challenge, I did not attempt to find logic bugs in it and quickly considered a hardware attack, such as a fault injection attack. However, online comments tend to show that the glitch detector system implemented in the RP2350 was rather efficient in mitigating simple voltage fault injection attacks. Hence, I quickly decided to tackle the challenge with laser fault injection, assuming that focusing a laser beam away from the glitch detector circuits could allow for injecting faults without triggering them."
- 9. Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks
What if we were to live in a world where the management interfaces on security and network appliances could not talk to the Internet by default? This is similar to MS turning the firewall on by default, and OpenWrt getting rid of the default passwords. Could we explore this for a moment? We can do better on the advice, as I believe we should have a more resilient product when we pay a vendor for enterprise gear. The guidance typically reads like this:
- The customer should have applied all the latest patches as soon as they came out
- The customer should not expose the management interfaces to the Internet
What we're saying is: We don't have products available to us that are resilient enough to be exposed to the Internet. Really? Can we maybe ship a more resilient product rather than tell people not to use it in a certain way? The analogy I have here is Kia saying: "So yea, we didn't include the security controls that were available to us, so make sure you don't park your car where someone could break into it and make sure you don't leave anything valuable inside, oh and also you should use the club, yea that steering wheel lock that was popular in the 90s".
The vulnerabilities (I counted at least 29) are pretty bad, a listing is here: https://cybersecuritynews.com/fortinet-security-updates/ and a great write-up of the attacker behavior is here: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
- 1. DJI will no longer stop drones from flying over airports, wildfires, and the White House
After several successful tests over New Jersey, DJI will no longer enforce “No-Fly Zones,” instead only offering a dismissible warning — meaning only common sense, empathy, and the fear of getting caught by authorities will prevent people from flying where they shouldn’t.
- 1. ShmooCon ends 20-year run with tears, malware and electronic fun
The end of an era. It was great to see so many folks there this past weekend.
- 2. PowerSchool’s Breach Fallacy: Paying Criminals for Promises
Cybercrime History Teaches That Paying a Ransom for Data Deletion Is Foolish
- 3. Hackers Breach Telefonica Network, Leak 2.3 GB of Data Online
Compromised credentials, and the target was apparently a Jira server. I don't remember us ever talking about Jira before.
- 4. Hack of Rhode Island social services platform impacted at least 709K, officials say
Why Rhode Island? Again. I can only think it is because G-Unit Studios is located in Rhode Island.
- 5. Critical Warning For 100 Million Apple Users—New Hack Attack Confirmed
Remember the good old days when Apple was exempt from PCI DSS requirements for antivirus/antimalware because you only had to protect systems "commonly affected by malicious software"? I do.
- 6. 35 cybersecurity statistics to lose sleep over in 2025
I hope the URL doesn't indicate that these are common problems that we still haven't solved.
Interesting take on the new year prediction article. Summary of the categories:
- Cybercrime and cybersecurity statistics
- Cybersecurity issues and threats
- The cost of cybercrime
- Headlines from the cybersecurity industry (the GenAI nod)
- The skills shortage
Not too many surprises, and yeah - this article could be from 2020.
- 1. Decoding IEEE 802.11ah – Daniel Estévez
- 2. 38C3: Taking Down The Power Grid Over Radio
- 3. World’s First MIDI Shellcode
- 4. Why An RFID Label On A 72¢ Box Of Crayons Is Reason To Be Tickled Pink
- 5. Open Port Chronicle: What Port 80 Revealed About The Internet (Wave 12)
- 6. Microsoft and iFixit now sell official Xbox Series X/S replacement parts for DIY repairs
- 7. FTC sues John Deere over ‘unfair corporate tactics’ and ‘high repair costs’
- 8. CCC Conference Talk: Investigating the Iridium Satellite Network
- 9. Lights At Shmoo
Shmoocon Slides: Lighting Up Shmoocon 2025
- Challenge #1: Explanation of the protocol & Sample code
- Group Buy for Light Wands (Spring 2025)
- Light Wand Manufacturer Site: Small Qty Light Wand / Transmitter Orders
- Flipper Zero Captures
- HackRF One Captures
- CMT2210LC Receiver Data Sheet
- Controlling Light Wands with Xlights
- Christmas Lights Resources: Xlights Software, Xlights Support Group, Falcon Co
- 1. Chinese cyber-spies target CFIUS investigations
Chinese cyber-spies who broke into the US Treasury Department also stole documents from officials investigating real-estate sales near American military bases, it's reported. Citing three folks familiar with the matter, CNN said the Chinese government-backed snoops compromised the computer security of the Committee on Foreign Investment in the US (CFIUS), which reviews foreign money funneled into foreign investments.
There was also a similarly motivated attack targeting OFAC. The trick will be focusing on remediation and prevention of recurrence. The Treasury compromise leveraged an API key for the BeyondTrust remote support agent as well as a corresponding zero-day.
- 2. Telefonica Breach Exposes Jira Tickets, Customer Data
Telefonica, the multinational telecommunications company headquartered in Madrid, has confirmed that its internal systems were breached by hackers, leading to the theft of more than 236,000 lines of customer data and close to a half-million Jira tickets.
The breach resulted in exfiltrating about 2.3GB of documents, tickets and data. Make sure you're tied into credential breach notification for proactive password changing, better still, move away from reusable passwords. As this internal Jira system was compromised with compromised credentials, I would ask what other controls should have been in place to prevent external access to an internal system.
- 3. Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)
CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions 7.1.4191 and 7.2.4996. When the Aviatrix Controller is deployed to AWS, it allows privilege escalation by default.
You need to take three steps here: First upgrade to the latest version, second restrict access to the controller regardless of how implemented, and lastly, forensicate your environment looking for the IOCs in the WIZ blog.
- 4. Update-2: ICAO statement on reported security incident
The United Nations’ (UN’s) International Civil Aviation Organization (ICAO) has acknowledged that a data breach compromised more than 42,000 recruitment-related documents. ICAO has determined that the incident affects 11,929 people who applied to the agency between April 2016 and July 2024; compromised data include names, dates of birth, email addresses, and employment history.
This appears to be the work of the Natohub threat actor, who is claiming to have released the information. ICAO is reaching out to the affected individuals directly. While it is common to have resume/CV data online, during an application or background check additional sensitive data is combined with that information, and as an individual you should be prepared in case that data gets compromised.
- 5. Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection
Researchers at Sucuri have identified payment card skimming malware that is being used to target WordPress websites by injecting JavaScript code into database tables. Sucuri writes that “the malicious code was embedded in the WordPress database under the wp_options table,” which allows it to evade detection by file-scanning tools and to maintain persistence on compromised sites.
This is a database compromise, where malicious code is injected into the wp_options table, which isn't where you're normally looking for issues. Beyond looking for the IOC in the table, make sure you've got an active/enabled WAF, are actively keeping plugins updated, enforcing MFA on your WordPress accounts, and lastly, this is the hard one, remove and replace deprecated/abandoned/no-longer-supported plugins.
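A scanner for the kind of wp_options injection described above, added here as an example (it is not Sucuri's tooling and uses constructed heuristics rather than their indicators): it takes `option_name, option_value` rows as you would pull them from the table, decodes one layer of base64 so a hidden checkout hook becomes visible, and reports rows that carry script tags or obfuscation primitives. The sample rows are constructed.

```python
import base64
import binascii
import re

# Heuristics for JavaScript injected into wp_options values. Constructed for
# this example; they are not Sucuri's indicators for the skimmer in the article.
PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "eval_or_atob": re.compile(r"\b(eval|atob|unescape)\s*\(", re.I),
    "char_codes": re.compile(r"String\.fromCharCode", re.I),
    "checkout_hook": re.compile(r"checkout|payment|card", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{60,}={0,2}"),
}
# Any of these on its own is enough to report a row; base64 alone is not,
# because themes and plugins legitimately store encoded blobs in wp_options.
REPORT_ON = {"script_tag", "eval_or_atob", "char_codes"}


def decode_base64_blobs(text):
    """Decode long base64 runs so one layer of obfuscation can be inspected."""
    decoded = []
    for m in PATTERNS["base64_blob"].finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", errors="ignore"))
    return decoded


def scan_option(option_value):
    """Return the set of heuristic names matching the raw value or any base64
    layer inside it. Works on PHP-serialized values too, since the patterns
    are plain substring searches."""
    reasons = set()
    for text in [option_value, *decode_base64_blobs(option_value)]:
        for name, rx in PATTERNS.items():
            if rx.search(text):
                reasons.add(name)
    return reasons


def scan_wp_options(rows):
    """rows: iterable of (option_name, option_value), e.g. the result of
    SELECT option_name, option_value FROM wp_options. Returns the rows that
    deserve a human look, each with its sorted reasons."""
    findings = []
    for option_name, option_value in rows:
        reasons = scan_option(option_value)
        if reasons & REPORT_ON:
            findings.append((option_name, sorted(reasons)))
    return findings


# Constructed sample rows: two benign, one carrying a skimmer-style script whose
# checkout hook is hidden behind base64 and only visible after decoding.
_HIDDEN = 'if(location.href.includes("checkout")){document.write("<form>card</form>")}'
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example.invalid"),
    ("widget_text", "<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"),
    ("widget_block",
     '<script>var p=atob("' + base64.b64encode(_HIDDEN.encode()).decode() + '");eval(p)</script>'),
]

if __name__ == "__main__":
    for name, reasons in scan_wp_options(SAMPLE_ROWS):
        print(f"{name}: {', '.join(reasons)}")
```

Treat hits as leads, not verdicts: a legitimate embed widget can contain a script tag, so compare flagged rows against a known-good copy of the table.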
- 6. Slovakia’s land registry hit by biggest cyberattack in country’s history, minister says
The Office of Geodesy, Cartography and Cadastre of the Slovak Republic (UGKK), the country’s land registry, suffered a cyberattack last week. The agency’s system has been temporarily removed from the internet while restoration is underway; it is not clear how long the recovery will take.
This appears to be another politically motivated attack; in this case indications are it came from Ukraine. The bigger concern is how long it will take to restore systems. Make sure that you have a clear understanding of your RTO and RPO, and that both your backups and team are sufficient (training, experience and equipment) to meet these. Be sure you've executed restorations, not just tabletops, including running dummy transactions; you don't want to figure this out when the chips are down.
- 7. Microsoft sues service for creating illicit content with its AI platform
Service used undocumented APIs and other tricks to bypass safety guardrails.
The actors appear to have used API keys obtained from code repositories to access the Microsoft AI services. Microsoft provides guidance to not include these in code repositories, and states that advice is regularly ignored. Make sure that you're not including these in your code repositories. When discovered, have required procedures to not only purge them but also update these keys.
- 8. Infostealer Masquerades as PoC Code Targeting Recent LDAP Vulnerability
Researchers from TrendMicro have detected a fake proof-of-concept (PoC) exploit for a known vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that is being used to install an infostealer.
There are two issues. First, CVE-2024-49113, an LDAP denial-of-service flaw with a CVSS score of 7.5, which needs to be patched. Second, the fake PoC exploit for CVE-2024-49113, dubbed LDAPNightmare, which installs an infostealer on your system. Address the LDAP flaw by rolling the December 2024 patch bundle, which also addresses CVE-2024-49112, a remote code execution flaw. Next, get the IOCs from the TrendMicro blog post to check for LDAPNightmare activity. Make sure your exploit PoC researchers are using reputable/validated sources as well as sufficiently isolated environments.
- 9. Fake LDAPNightmware exploit on GitHub spreads infostealer malware
A deceptive proof-of-concept (PoC) exploit for CVE-2024-49113 (aka "LDAPNightmare") on GitHub infects users with infostealer malware that exfiltrates sensitive data to an external FTP server. The tactic isn't novel, as there have been multiple documented cases of malicious tools disguised as PoC exploits on GitHub. Consider not only reviewing the PoC code but also uploading binaries to VirusTotal before executing.
- 10. CISA Adds Second BeyondTrust Flaw to KEV Catalog Amid Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability in question is CVE-2024-12686 (CVSS score: 6.6), a medium-severity bug that could allow an attacker with existing administrative privileges to inject commands and run as a site user. BeyondTrust applied a patch to all their cloud-hosted RS/PRA customers on December 16th. On-premises RS/PRA environments need to apply the patch, which fixes all versions 22.1.x and higher. If you're running versions older than 22.1, you'll need to upgrade before you'll be able to apply the patch.
- 1. CUPS IPP Attributes LAN Remote Code Execution The Exploit Database – CXSecurity.com / by Spencer McIntyre
- 2. Hardwear.io NL 2024: Is Your Memory Protected? Uncovering Vul In Automotive MPU – Nimrod Stoler hardwear.io
Plan is to summarize key points, trying a video vs article
- 3. APSB24-107: Security update available for Adobe ColdFusion Adobe Security Bulletins and Advisories /
- 4. [FUNKSEC] – Ransomware Victim: kuzstu-nf[.]ru RedPacket Security
Would like explanation on as many parts of this as possible, including how useful the info in the tor link is and how to use that for good.
- 5. openSUSE: 2025:14637-1 moderate: python311-mistune-3.1.0-1.1 Advisory Security Update LinuxSecurity – Security Advisories
This seems more serious than the rating. Discuss input on why rated as is.
- 6. A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server VU Updates
"Impact This vulnerability can be tested by sending a single DHCP Request packet to a multicast address. This vulnerability exists in the current version of ASF 3.52.0.2574 and all previous versions of the software. There are also multiple forks of the tinydhcp software in github that are also potentially susceptible to this vulnerability."
Overall explanation desired.
- 7. Turks and Caicos recovering from pre-Christmas ransomware attack Cybersecurity breaches escalate December 2024 •The Record from Recorded Future News
Repugnant. The impact of the attack caused outrage locally as the Ministry of Finance said there would be a delay in payments provided to people participating in several welfare programs.
The delays took place just days before Christmas, and by Christmas Eve the government confirmed that “several segments of [the government’s] network has been compromised.”
Want to know more on what bad actors did.
- 8. Telefonica Breach Exposes Jira Tickets, Customer Data Telefonica suffers major data breach •Dark Reading: / by Kristina Beek / Jan 13, 2025
"The data includes summaries of internal Jira issues, which can reveal sensitive operational details, project plans and vulnerabilities within Telefonica's infrastructure," Hudson Rock warned. "This poses a significant risk as it could be used to map out internal workflows and exploit weaknesses."
Hate crimes, love this approach for mapping company. Discuss advantages, technique, and/or mitigation.
- 1. Ransomware abuses Amazon AWS feature to encrypt S3 buckets
Threat actors used compromised AWS credentials to locate victims' keys with 's3:GetObject' and 's3:PutObject' privileges. Then they encrypt Amazon S3 buckets using AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C), known only to the threat actor, demanding ransoms to receive the decryption key. This is Living-Off-The-Land cloud ransomware.
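Two defensive pieces for the SSE-C pattern described above, added here as an example (not from the article or from AWS): a bucket policy that denies `s3:PutObject` requests carrying a customer-provided key, built on the real S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`, and a scan of CloudTrail S3 data events for writes that applied SSE-C. The `additionalEventData.SSEApplied` field, the account ID, bucket name and events are assumptions to confirm against your own CloudTrail output.

```python
import json
from collections import defaultdict

# Real S3 condition key: present on a request exactly when the caller supplied
# an SSE-C key (the x-amz-server-side-encryption-customer-algorithm header).
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def sse_c_deny_policy(bucket):
    """Bucket policy that denies any PutObject (a CopyObject into this bucket
    is also a PutObject on the destination) carrying a customer-provided key.
    "Null": false means "the key is present", so the Deny fires only for SSE-C
    uploads; SSE-S3 and SSE-KMS writes are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedEncryptionKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def find_sse_c_writes(events):
    """Group S3 write data events that applied SSE-C by calling identity.
    Assumption: CloudTrail reports the applied scheme in
    additionalEventData.SSEApplied with the value "SSE_C"; confirm against
    your own logs before alerting on it."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = ev.get("requestParameters", {})
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        hits[who].append(f"{params.get('bucketName')}/{params.get('key')}")
    return dict(hits)


def _event(name, arn, key, sse):
    """Builder for constructed CloudTrail-shaped records (sample data only)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": "example-bucket", "key": key},
            "additionalEventData": {"SSEApplied": sse}}


# Constructed scenario: one compromised identity re-writes three objects with
# SSE-C; a backup role writes with SSE-KMS; a read with SSE-C is not a rewrite.
COMPROMISED = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE_EVENTS = [
    _event("PutObject", COMPROMISED, "reports/q1.pdf", "SSE_C"),
    _event("PutObject", COMPROMISED, "reports/q2.pdf", "SSE_C"),
    _event("CopyObject", COMPROMISED, "backups/db.sql", "SSE_C"),
    _event("PutObject", "arn:aws:iam::111122223333:role/backup", "backups/db.sql", "SSE_KMS"),
    _event("GetObject", COMPROMISED, "reports/q1.pdf", "SSE_C"),
]

if __name__ == "__main__":
    print(json.dumps(sse_c_deny_policy("example-bucket"), indent=2))
    for arn, keys in find_sse_c_writes(SAMPLE_EVENTS).items():
        print(f"{arn} rewrote {len(keys)} objects with SSE-C: {keys}")
```

The detection only works if S3 data events are enabled for the bucket in CloudTrail; management events alone do not record PutObject.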
- 2. Supreme Court lets Hawaii sue oil companies over climate change effects
On Monday, the Supreme Court declined to decide whether to block lawsuits that Honolulu filed to seek billions in damages from oil and gas companies over allegedly deceptive marketing campaigns that hid the effects of climate change.
Defendants Sunoco and Shell, along with 15 other energy companies, argued that interstate pollution is governed by federal law and the Clean Air Act. The oil and gas companies continue to argue that greenhouse gas emissions "flow from billions of daily choices, over more than a century, by governments, companies, and individuals about what types of fuels to use, and how to use them."
The Biden administration suggested it was too soon for SCOTUS review, urging the court to kick the cases back to Hawaii state courts. Apparently, the justices agreed.
- 3. Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability
The technique asks the target LLM to act as a judge scoring the harmfulness of a given response using the Likert scale, a rating scale measuring a respondent’s agreement or disagreement with a statement. It then asks the LLM to generate responses that contain examples that align with the scales. The example that has the highest Likert scale can potentially contain the harmful content.
- 4. Quantum? No solace: Nvidia CEO sinks QC stocks with ’20 years off’ forecast
Shares in some publicly traded QC companies saw steep declines today, following Nvidia CEO Jensen Huang's CES rather reasonable remark that practical quantum systems may still be 20 years away. D-Wave, Quantum Computing Inc, Rigetti, and IONQ are all down nearly 50 percent as of writing.
- 5. It’s remarkably easy to inject new medical misinformation into LLMs
Adding misinformation amounting to only 0.01 percent of the accurate training data still resulted in over 10 percent of the answers containing wrong information. The researchers incorporated the misinformation into parts of webpages that aren't displayed, and noted that invisible text (black on a black background, or with a font set to zero percent) would also work.