🎓️ Vulnerable U | #032
Getting Hacked Slowly, Dark-Money Group Fighting iPhone Encryption, Google Giving Your Location to Police, A Giant Pile of Zero Days, & More!
Read Time: 10 minutes
Happy October! Texas is just now getting its first “cold front” and dropping below 90. Which is making me happy, and it is time to get spooky.
I’ve been kicking around the idea for this week’s blog for a bit. Glad I could get some of it down. Sneak Peek:
In this episode:
New Group Attacking iPhone Encryption Backed By U.S. Political Dark-Money Network
Google User Data Has Become a Favorite Police Shortcut
Qualys Security Advisory - Looney Tunables: Local Privilege Escalation in the glibc’s ld.so
Critical Vulnerabilities in WS_FTP Server
DHS investigating whether floor plans and other security information were exposed in ransomware attack on contractor
FBI warns - "Phantom Hacker" Scams Target Senior Citizens and Result in Victims Losing their Life Savings
How Google Alters Search Queries to Get at Your Wallet
and a Pile of Zero Days and Breaches!
🖊️ Something I wrote: Been thinking about this post of mine lately: They Myth of Arrival - I need to remind myself of some of its key points constantly.
🎧️ Something I heard: Been slowly making my way through DEFCON talks from this year. Here is a good one - Private Keys in Public Places
🎤 Something I said: Our YouTube - Highlights from the news in about 10 minutes
🔖 Something I read: This great writeup on a macOS vulnerability - DirtyNIB
I’ve said it before, and I’ll say it again. There is no way to break encryption “just for the good guys.” This is just not how math works. If we give the “good guys” a backdoor, there just is a backdoor. Also, the quotes around “good guys” are doing some seriously heavy lifting when talking about law enforcement who have proven time and again to abuse their privileges to stalk exes or otherwise infringe on citizen privacy.
Why It's Important:
Encryption Debate: The Heat Initiative's campaign against Apple's encryption brings to the forefront the ongoing debate between privacy rights and public safety. This debate, known as the "Crypto Wars," has seen privacy advocates and tech companies on one side and law enforcement and governments on the other.
Opaque Funding: The association with the Hopewell Fund and its dark-money network raises questions about the true motives and interests behind the Heat Initiative's campaign against Apple's privacy measures.
Impact on Privacy: The campaign's push for Apple to weaken its encryption could have far-reaching implications for user privacy, potentially opening the door for surveillance and misuse by various entities, from hackers to authoritarian governments.
This is the latest in an attempt to undermine cryptography and privacy rights that is again using the emotionally charged “but think of the children” excuse to get what they want. This report is fantastic at diving into the dark money behind this latest push which included a full-page NYT ad, a plane flying over Apple HQ with a banner behind it, and several billboards.
Also, kudos for interviewing Matthew Green, who is a top cryptography expert. He said it best: “I’m uncomfortable with anonymous rich people with unknown agendas pushing these massive invasions of our privacy,” and “In the hierarchy of human privacy, your private files and photos should be your most important confidential possessions, we even wrote this into the U.S. Constitution.”
Side note: I hate that I can’t write “crypto” anymore without people thinking I mean Bitcoin. (read more)
Google received a record 60,472 search warrants in the US in the previous year, and they complied with about 80% of them. However, the broad nature of these warrants and the potential for misuse are concerning. Also, most of the data returned to the police is about individuals with absolutely no connection to a crime.
Why It’s Important:
Privacy vs. Security: With the increasing reliance on Google's vast data repositories by law enforcement, where should the line be drawn between ensuring public safety and protecting individual privacy?
Potential for Misuse: Given that these Google warrants can return data on individuals not connected to a crime, how can the system be refined to minimize potential harm and wrongful accusations?
Legal Implications: As the use of such data becomes more commonplace in investigations, what legal frameworks or reforms are needed to ensure that the process remains transparent, accountable and respects individual rights? (read more)
I’ll let Rob Graham summarize why this is a big deal: “As somebody whose made a career of spying on the Internet, I'm here to tell you this is a Big F***ing Deal. At most, the only thing you can reliably determine from traffic is whether it goes to CloudFlare, Akamai, Google, or Apple.”
The article delves into the Encrypted Client Hello (ECH), an extension for the Transport Layer Security (TLS) handshake that aims to enhance the privacy of this essential Internet protocol. Currently, several privacy-sensitive parameters of the TLS connection are negotiated openly, making a wealth of metadata available to network observers. ECH encrypts the entire handshake, ensuring this metadata remains confidential.
Why It’s Important:
The Importance of ECH: Given that many privacy-sensitive parameters of the TLS connection are currently negotiated openly, how transformative could the full adoption of ECH be in ensuring online privacy?
Challenges with ESNI: ESNI, the predecessor to ECH, had its own set of challenges, especially with DNS for key distribution. How does ECH address these challenges, and what lessons can be learned from the ESNI experience?
Future of ECH: With the potential challenges of network ossification and the need for wide-scale deployment, what strategies should be adopted to ensure the successful implementation and acceptance of ECH across the internet? (read more)
I started reading this and got to “We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13,” and thought, “Well shit.”
The GNU C Library's dynamic loader, which is responsible for loading shared libraries for programs, has a vulnerability in its processing of the
GLIBC_TUNABLES environment variable. This vulnerability, identified as CVE-2023-4911, was introduced in April 2021 and can lead to a buffer overflow.
Why It's Important:
Widespread Impact: The vulnerability affects major Linux distributions, making a large number of systems potentially at risk.
Elevated Privileges: Successful exploitation can grant an attacker full root privileges, providing them with complete control over the affected system.
Potential for Rapid Exploitation: Given the ease of exploitation and the detailed analysis provided, there's a high likelihood that malicious actors will develop and use exploits targeting this vulnerability in the near future.
The same vendor that puts out MOVEit, is now chasing a new CVSS 10/10 CVE in their WS_FTP software. The report from Rapid7 also makes sure to indicate that they have evidence of active exploitation of this vulnerability.
Why It's Important:
Widespread Usage: WS_FTP Server is a widely used FTP solution, meaning a significant number of organizations could be at risk.
Remote Code Execution: One of the vulnerabilities allows for potential remote code execution, granting attackers the ability to run arbitrary commands on the affected server.
From Rapid7: “The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team has observed the same Burpsuite domain used across all incidents, which may point to a single threat actor behind the activity we've seen.” - The report contains a great overview and good indicators of compromise to look out for. (read more)
The Department of Homeland Security (DHS) is investigating a ransomware attack on Johnson Controls International, a government contractor. The concern is that this attack might have exposed sensitive physical security details, including DHS floor plans. Johnson Controls, known for its alarm and building automation systems, has contracts with DHS that detail the physical security of numerous DHS facilities.
Why It's Important:
Security of Government Facilities at Risk: The potential exposure of DHS floor plans and other security details could pose a significant threat to the safety of these facilities.
Highlight on Contractor Vulnerabilities: This incident emphasizes the cybersecurity challenges when the government relies on private contractors for essential services. It's a call for stricter cybersecurity measures for such collaborations.
While the full extent of the damage is still unknown, the incident underscores the cybersecurity risks associated with government-private contractor collaborations. (read more)
These scams make me super angry, and I LOVE YouTube channels and Twitch streamers that dox these folks and waste their time. Targeting elderly people and robbing them of their life savings is just the lowest of the low.
The FBI has issued a warning about a significant increase in "phantom hacker" scams, particularly targeting the elderly. In these scams, victims receive a call from fraudsters claiming to be tech support or cybersecurity experts. The scammers allege that the victim's device has been hacked and demand payment to "fix" the non-existent issue.
Why It's Important:
Targeting the Vulnerable: Scammers are exploiting the elderly, a demographic that might not be as tech-savvy, making them easy targets for such deceptive tactics.
Rising Trend: The increasing frequency of these scams indicates a larger trend of cybercriminals using social engineering techniques to exploit individuals.
They often use scare tactics, suggesting that personal data will be leaked or funds will be stolen if the victim doesn't comply. Let’s do our part to raise awareness of how we and our family members react to these kinds of phone call scams. (read more)
Have you noticed that Google’s search results have been getting worse for years? I know I have. It turns out we’re not crazy.
Google has been altering search queries to generate more commercial results, a revelation that came to light during an ongoing antitrust case. Instead of providing organic results based on user input, Google has been manipulating queries to produce results that are more likely to generate revenue for the company. For instance, a search for "children’s clothing" might be covertly changed to "NIKOLAI-brand kidswear," leading to results that the user wasn't originally looking for.
Why It's Important:
Advertisers Beware: Businesses advertising on Google should understand the implications of these manipulations, as they could affect the visibility and relevance of their ads.
Demand Transparency: Users and advertisers alike should demand more transparency from search engines about how results are generated and presented.
This manipulation is designed to drive user behavior towards more commercial actions, such as clicking on ads, which in turn fills Google's coffers. (read more)
Oligo Security has identified multiple critical vulnerabilities in TorchServe, a widely-used PyTorch Model Server. These vulnerabilities, including CVE-2023-43654, can lead to a full chain Remote Code Execution (RCE). Thousands of instances, including those of major global organizations, are exposed and at risk of unauthorized access, malicious AI model insertion, and potential full server takeover. (read more)
The MOVEit breaches keep on coming. This one happened back on May 28th, but Sony just now confirmed it. cl0p ransomware group has been busy for months now, and 6,800 people’s data was stolen from Sony.
Apparently, Sony only became aware of the breach when Progress Software (the vendor for MOVEit) told them about the vulnerability. They went digging and realized they had been popped 3 days before that. This is the 2nd breach Sony has dealt with in the last few months. (read more)
“US chip giant Qualcomm this week announced patches for more than two dozen vulnerabilities found in its products, including three zero-days reported to the company by Google cybersecurity units.” (read more)
Honestly, this article sucks, but the story is interesting. Just read the headline, and I'll tell you what you need to know. There is apparently a device that is allowing folks to have gas pumps start dispensing gas for free. Once the station employee notices, they can’t even override it and stop the pump without turning off the whole system.
This news article says Bluetooth, but the police report mentions nothing of the sort. I couldn’t find a single other source that talks about the technique being Bluetooth-related. BUT there are devices out there that can help achieve this, and I’m super interested to see how widespread this becomes or if these pump manufacturers are putting out software with remote control capabilities that folks are taking advantage of. (read more)
Krebs hits it out of the park as usual. This week he posts an in-depth analysis of the Snatch Data Ransom Group, a cybercriminal gang notorious for its aggressive ransomware attacks. The group, active since 2018, is known for its "big game hunting" strategy, targeting large organizations with high ransom demands.
The article sheds light on the group's tactics, techniques, procedures, and even their internal communications, revealing insights into their operations and motivations. (read more)
"Unauthenticated, remote attacker can log into the device using the root account, which has default, static credentials that cannot be changed or deleted.” - Well, that sounds less than ideal. (read more)
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said without providing additional details.
If I’m a betting man, a Citizen Lab post will follow as most of these “actively exploited 0days” in iOS this year have been tied to government spyware. (read more)
We covered both the Clorox breach and the Casino hacks in recent editions. Wanted to include a quick update that they’ve tied the two to the same threat actors. (read more)
Supermicro servers equipped with baseboard management controllers (BMCs) are vulnerable to seven high-severity exploits. BMCs, which are chips on server motherboards, allow for remote management of servers. These vulnerabilities can be exploited to gain control of servers, with one of them allowing malicious code execution inside the BMC.
The vulnerabilities were discovered in the IPMI firmware for older Supermicro BMCs. While one vulnerability requires administrative privileges in the BMC Web Interface, the others can be used in combination with it to exploit the system. The vulnerabilities were found in IPMI firmware developed by third-party developer ATEN for Supermicro. (read more)
Big fan of Andrew and GreyNoise and love this overview of AWS getting into the honeypot threat intel game:
AWS HAS ENTERED THE HUGE HONEYPOT NETWORK GAME LETS GOOOOOOOOOOO
stoked to see @awscloud finding success with honeypots. I continue to carry an incredibly healthy respect for the excellent folks at @AWS_Security.
BLUF: huge, adaptive honeypot networks… twitter.com/i/web/status/1…
— Andrew Morris (@Andrew___Morris)
Sep 28, 2023
Bracing for impact on curl:
"The worst security problem found in curl in a long time"
— Matt Johansen (@mattjay)
Oct 3, 2023
This was a fun thread about how Reddit feels about some security vendors:
Let's ruffle some feathers.
Here are the top answers to a r/cybersecurity Reddit thread titled:
"What vendor looks really good but is actually terrible?"
— Matt Johansen (@mattjay)
Oct 3, 2023
How'd I do this edition?
It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen