🎓️ Vulnerable U | #047

Best of AI Security 2023, Global Risk Report, Misinformation Campaigns on Taiwan and US Elections, Supply Chain Attack on PyTorch, SonicWall, SharePoint, Chrome, 0-days, and more!

Read Time: 10 minutes

Howdy friends!

Did everyone survive the freeze? Seems most of the USA was covered in a massive cold front this week. Lots of friends and colleagues writing me about burst pipes, downed trees, lost power, and car spinouts. Hope the worst of it is behind us.

I put more pictures and a YouTube embed in this one so I’m getting a warning that Gmail will most likely clip the message.

A bit different for my blog of the week. Started a project and looking for nominations! Check it out:

I was reminded recently of a project I used to hold near and dear to my heart and that was a major part of my early career: the Top 10 Web Hacking Techniques of the year. Jeremiah Grossman started this project way back in 2006. I started collaborating with him on it in 2010 and took it over fully from him in 2013. Along with my colleague and friend Johnathan Kuskos, we ran it for a few years before I moved on in my career from WhiteHat, and so did Jeremiah and Kuskos. When we all left the company, the project never really got picked up by anyone else on the team.

I noticed recently that the team over at PortSwigger, makers of Burp Suite, picked it up after they missed the project so much and have been carrying the torch ever since. They were kind enough to give me and Jeremiah a shout out for starting the project and gaining its popularity.

If you’re unfamiliar with it, here is a link to what it’s all about and the archive links of all the years past. It is a fun ride through memory lane if you’re into AppSec at all - Top 10 Web Hacking Techniques

TL;DR - We would collect community submissions for the new web hacking techniques of the previous year, then run a vote for which of those techniques folks thought were the coolest, then with a panel of expert judges whittle down the list and order it into a definitive Top 10 of the year.

I’ve decided that since PortSwigger is kindly running the AppSec version of this, and my career has evolved some, I’d like to pivot a bit.

I’m officially announcing this year as the first annual Best of AI Security project

ICYMI

🖊️ Something I wrote: I’ve had a number of strangers DM me across a few social media platforms about my last piece on Obsession and how it got them thinking.

🎧️ Something I heard: A good friend of mine who is brilliant and rarely makes public appearances, Corin Imai, was on the Breaking Through in Cybersecurity Marketing podcast. Talked career advice for marketers in cyber and also a better way to do it for companies making a name for their brand.

🎤 Something I said: I had a great conversation with Adrian over at Security Weekly

🔖 Something I read: “Having the U.S. Navy engaging many targets for hours on end using much of what it has in its quiver allows for adversaries to watch and especially listen across the electromagnetic spectrum” - Red Sea Shoot-Downs Offer Hugely Valuable Lessons, Also Pose Big Intel Risk

Vulnerable News

Well, this is super interesting to me. The World Economic Forum has rated Cyber insecurity (I find that phrasing interesting) and Misinformation as some of the top risks facing the world right now as of 2024.

Cyber INsecurity. A higher risk than wars, inflation, economic downturns, or pollution. It also seems the rise in risk rating for mis/disinformation is all surrounding the proliferation of AI-generated content.

“State-backed campaigns could deteriorate interstate relations, by way of strengthened sanctions regimes, cyber offense operations with related spillover risks, and detention of individuals (including targeting primarily based on nationality, ethnicity, and religion).”

Just a reminder that we’re on the front lines of an industry with real-world consequences that are sometimes easy to forget in the 1s and 0s of our day jobs. (read more)

Case in point from the last story. This is a fantastic article on how China uses Taiwan as a testing ground for its propaganda campaigns.

  • Advanced AI tools are increasingly used in misinformation campaigns.

  • Social media platforms struggle to manage the sophisticated spread of fake news.

  • Cross-platform coordination is crucial yet challenging in combating misinformation. (read more)

He did what to that crypto?!

Seems like this involved a lot of high-level law enforcement officials internationally cooperating with an unnamed cloud provider to get this takedown in the bag.

According to the report, the attacker brute-forced his way into 1500 accounts on the cloud provider, using them to spin up over 1,000,000 VMs to mine cryptocurrencies. He profited over $2 million before he was caught and arrested. (read more)

This is a cool bug that my brilliant colleague Marcus Young got a bounty for last year, and it seems some folks have found a variation on it. (Here is Marcus’s original post: https://marcyoung.us/post/zuckerpunch/)

The gist is that you hide some malicious code in a PR, and a GitHub Actions configuration makes the CI/CD pipeline automatically run things on it. That autorun does the dirty business for you, and you get some persistent access on the other side of that pipeline.

Marcus did it to hack Meta; these researchers are going further to poison the PyTorch supply chain. Great bug, great read. (read more)

Calling all threat hunters! - TeleTracker is a set of Python scripts designed for investigating Telegram channels. This tool could be particularly intriguing for cybersecurity professionals and investigators for several reasons:

  • Ease of Use: It simplifies the process of sending messages and gathering channel information on Telegram.

  • Investigation Aid: Offers valuable assistance in digital investigations, particularly for those involving Telegram communication.

This repository contains Python scripts, TeleTexter.py and TeleGatherer.py, designed to assist analysts in tracking and disrupting active malware campaigns that use Telegram for command and control (C2) communications. (read more)

If you’re reading this, you’ve heard me say it before: Don’t leave your management portals exposed on the Internet. And if you do, you better be fast to patch.

“SonicWall next-generation firewall (NGFW) series 6 and 7 devices are affected by two unauthenticated denial-of-service vulnerabilities with the potential for remote code execution.”

“We scanned SonicWall firewalls with management interfaces exposed to the internet and found that 76% (178,637 of 233,984) are vulnerable to one or both issues," (read more)

Gunnar is a real rising star in this industry I’ve been lucky enough to get to know this year. This repo is super helpful for you bug hunters in the audience.

“This project is aimed to help new (and seasoned) application security testers when testing enterprise web applications. Often, you can land on a large web application and feel lost as to what to test. The sus_paramaters project is a project aimed at giving you insight into parameters or routes that are commonly vulnerable to certain vulnerabilities.” (read more)

The most important variable in whether a vulnerability will be used by attackers is whether public exploit code is available. This SharePoint bug was patched in June 2023, but just this week we’re seeing at least one ransomware gang use it in the wild due to some PoC code hitting GitHub.

Even more fun, the bug came out of the Pwn2Own contest back in March. - “Tracked as CVE-2023-29357, the SharePoint vulnerability in question was first identified by Nguyễn Tiến Giang (Jang) of Singaporean security house STAR Labs. Back in March 2023, during Vancouver's Pwn2Own contest, he chained it with another bug to achieve unauthenticated RCE on a SharePoint server.” (read more)

Since there have been WAFs, there have been WAF bypasses. I used to make a living finding web bugs, and part of that was not letting WAFs slow me down. They’ve come a long way in the last decade, and so has the ease of deploying one: you can now do it on AWS instead of racking and stacking a pizza box. Sysdig published a good write-up on using a fuzzer to find bypasses! (read more)

I’m a sucker for a great malware write-up, and this fits the bill. Here is their exec summary:

  • FBot is a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.

  • FBot does not utilize the widely-used Androxgh0st code but shares similarities with the Legion cloud infostealer in functionality and design.

  • Key features include credential harvesting for spamming attacks, AWS account hijacking tools, and functions to enable attacks against PayPal and various SaaS accounts.

  • FBot is characterized by a smaller footprint compared to similar tools, indicating possible private development and a more targeted distribution approach. (read more)

When Matthew Green writes, I read. He’s one of the foremost experts on crypto, where crypto means cryptography. “this week’s news brings an exciting story with both technical and political dimensions: new reports claim that Chinese security agencies have developed a technique to trace the sender of AirDrop transmissions.”

  • AirDrop Vulnerability: Explores how AirDrop's design makes it vulnerable to privacy breaches.

  • Wireless Communication Protocols: Analyzes the weaknesses in the protocols used by AirDrop.

  • Data Exchange Mechanisms: Discusses the technicalities of how data is exchanged and where vulnerabilities lie.

  • Privacy Implications: Highlights the potential risks to user privacy due to this vulnerability.

“This is a big deal since AirDrop is apparently one of a few channels that can still be used to disseminate unauthorized protest materials” (read more)

This was an epic ShmooCon talk on how this researcher found a way to get Android phones to accept any Bluetooth keyboard within range and, within a few seconds, do a whole lot of baddie stuff on the device: steal info and photos, install an app, etc.

@trufflesecurity

Bluetooth hacking, new research by Marc Newlin allows for attackers to connect to a terrifying number of devices without authentication #h...

My buddy Dylan over at Truffle Security made a video about this and even showed some serious dedication by flying a drone near Twitter HQ, scanning for Bluetooth devices to prove to his comments section that it was a feasible attack.

“Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

Yeah, come on. This is just obviously not a good idea. I'm glad to see privacy is still a trend with growing popular support. (read more)

SentinelOne with 2 writeups in today’s newsletter?! Both are fantastic malware deep dives. Here is one that goes into a few macOS infostealers and even includes some IoCs you can load up if you’re hunting them.

“The continued prevalence and adaptation of macOS infostealers like KeySteal, Atomic InfoStealer, and CherryPie underscores the ongoing challenges facing macOS enterprise users. Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade.” (read more)

Ivanti just generally can’t catch a break. Did I already mention don’t include your management portals on the Internet?

This is one of those bugs that, from the data we’re seeing on active exploitation, if you haven’t patched yet, you’re most likely already owned. Check this article for details on the bug and how to check if you’re popped. (read more)

This is some of the coolest research I’ve seen in months.

“By recovering local memory—an optimized GPU memory region—we were able to build a PoC where an attacker can listen into another user’s interactive LLM session (e.g., llama.cpp) across process or container boundaries”

Check the full write-up or watch the demo for the awesome details on this one. (read more)

This is getting to be the fairly common way Google responds to these reports; not a lot of detail, but it is definitely being actively exploited.

“The exploited zero-day, tagged as CVE-2024-0519, is described as an out-of-bounds memory access issue in the V8 JavaScript engine.

A barebones advisory simply notes: “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”

The company said the zero-day was reported anonymously.” (read more)

...Guess what? That’s right! Don’t expose your management interfaces on the Internet! - “The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the Netscaler management interface and expose unpatched Netscaler instances to remote code execution and denial-of-service attacks, respectively.” (read more)

This is a topic I’m watching extremely closely. 2016 and 2020 were absolute shitshows of misinformation and disinformation campaigns on social networks. I’m glad to see that they’re all making some sort of public statements about how they’ll be handling it this year. I still think we’re in for a wild ride but I like the accountability and the transparency.

I’m not sure anybody will get it right, but I’m at least optimistic they’re trying harder this year than in the past. (read more)

What a great write-up. Obfuscated JavaScript is always an interesting problem to solve if you have a need to reverse it. Maybe you’re analyzing some malware, or maybe you are looking into a supply chain threat. Either way, obfuscated JavaScript is difficult to analyze.

Well, in this case, we can leave it to the bug bounty hunters to get creative. “I was hacking on a bug bounty program recently and discovered that the website is signing every request, preventing you from modifying the URL, including GET parameter values. I wanted to discover how they were doing this and find a way around it”

Spoiler alert: they figured it out and even used ChatGPT to write a Burp Plugin to assist in the manipulation of the signed requests right in the proxy. (read more)

If TAG (Google’s Threat Analysis Group) writes something, you should read it.

“Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities which now includes the use of malware.” (read more)

Miscellaneous mattjay

Upcoming Appearances

Got to record with the Co-Founder of Tines on their podcast this week. Not sure when it goes live but the feed is here:

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay