đ [CyberFacts Weekly - Issue 0x06] Notes from Black Hat Locknote - New Hacker-for-hire Group Discovered by Trend Micro / Vulns in Critical Network Protocol / Practical HTTP Header Smuggling / BusyBox Affected by 14 New Vulns / PS5 Unlock Keys Extracted / INTERPOL Hits Prolific Ransomware Ring / Flash Beams Reboot RPi2s / Pwn2Own Austin 2021
Greetings! đ
Just back from Black Hat Europe, which was great as it's been more than 2 years without an on-site conference (at least for me). Was a very nice get-together among those review-board members who could attend, who haven't been meeting for what seemed to be forever.
Unfortunately, due to capacity and travel restriction, the event felt a bit emptier than usual, but we're all looking forward to Black Hat USA 2022!
I jotted down some notes from my favorite session, the Locknote (vs Keynote), with Daniel Cuthbert, Meadow Ellis, James Kettle, Marina Krotofil, and Thomas Brandstetter. I "live" tweeted some notes in this thread, but since I'm far from being a professional tweeter, I revised them here, along with some comments.
Where are we, as an industry?
âIf I buy a toaster Iâm sure Iâm not expected to get shocked when I plug it in. Why doesnât the same happen with software? You can get shocked pretty quickly if you make basic deployment mistakes.â
True. But we're years behind the car, electronics, or home appliance industry. Despite one day we'll have a Software Bill of Material (SBOM) attached to each software product (maybe), we're still unable to give a precise characterization of a software product, which is fundamental to provide warranties or safety regulations around them. Furthermore, the environment where a software can be used is so uncertain, that it's impossible to predict consequences or specify any requirements. However, there's something we can do without a SBOM: We could start tracking when a software includes an unmaintained component. Is that, alone, a vulnerability? For sure it's a great weakness, so I think we should use CWE-1104 when we encounter such cases.
In the intro @thedarktangent explained how ransomware + insurances create an ecology, a viable marketplace. Is this a healthy situation for us?
In 2016 I spoke at Black Hat Europe about mobile ransomware (video). Ransomware (mobile or not) wasn't remotely comparable to what we're witnessing nowadays, but some cyber-security vendors have already started bundling insurance products with their tech solutions. You know, just in case. I had an immediate repulsion about this idea. I mean, what can possibly go wrong if you "tell" ransomware actors that their victims are even insured? I had a chat with a friend working in macro-economics, who explained me that financially-motivated criminal activities are moved, among other things, by "the possibility of getting caught." It's pretty intuitive, and I can understand that my little rambling during my talk wasn't given any weight at all (I'm just a random researcher in the world). But, how have we gotten to the point where we have ransomware negotiators and tax-deducible ransom payments?
âWe still not have a culture on how we communicate downtime, even to customersâ @Marmusha
âHow to actually fight the fire is still an afterthoughtâ âWeâre creating a fantastic soil for this criminal economy to growâ âfor sure weâve invested a lot in negotiating ransomware payments, but is that the real place to invest?â @Marmusha
It took our industry more than 20 years to go from (1) undisclosed or fully-disclosed vulnerabilities to (2) responsibly and coordinately disclosed vulnerabilities. It's unsurprising that not all organizations (including our industry, admittedly) have a good culture of "communicating failures" or "communicating breaches". Things have changed in the past 5 years, probably thanks to continuous monitoring and disclosure of breaches (e.g, HIBP, LeakIX), and we've started to transition away from a "shaming" approach to a "respect" approach, because we've understood that's just a matter of "when" and "how to remediate".
âIt was eye opening to hear talks about how human factors can positively impact security, and not just negatively like we usually hear.â
How many anecdotes we have about human errors? Countless. How many success stories we know about how creating a positive working environment can make the difference when responding to incidents? Off the top of my head: very, very few. Let's reflect on this.
How have COVID contributed to shape our industry?
âDuring this lockdown lots of people became sourdough masters butâŚwhat do hackers do when theyâre in lockdown? Suddenly they have time, so they hack more!â
This is true for both attackers and defenders. We've indeed noticed an overall increase in cyber-criminal activity, paralleled by an explosion of great research work by security folks, favored by the increased speaking opportunities due to travel restrictions.
âWeâve seen interesting trends as review board members. Vulnerabilities are harder and harder to find, but itâs great to see new techniques and tools to finally unfold them.â @albinowax
âHTTP/2 is still not getting adopted, and the same is for IPv6. They seem around the corner, but one day weâll wake up they will be there. We should anticipate security research on such technologiesâ @notameadow
âPick some random ancient technology and youâll find some really good bugs in there. Take the recent findings on sudo!â @dcuthbert
âA lot depends on certificates nowadays, but certificates need an accurate notion of time, but this morning @rfidiot taught us how not to take time for granted!â
âThe DDS talk was eye opening to meâ @notameadow
âBeing in this ICS industry for over a decade Iâm shocked to have discovered DDS only now, and see how much there is left to find in thereâ @Marmusha
âIn the academic world weâre seeing ICS security courses to bridge the skill gap.â @plctom
Indeed, there's lots of fundamental technology that is now finally getting adopted widely that have accumulated years of security research debt. However:
âIt still takes pressure to get some critical bugs fixedâ @albinowax
Finding bugs and shifting security to the left
âWeâve had lots of good fuzzing talks. How many people here in their organizations embrace fuzzing to find security bugs?â @dcuthbert
âWhy we still see professionalized fuzzing services not being fully used? Because itâs damn hard to set them up. People should invest time to convert their unit tests into fuzz harnesses.â @Marmusha
Every time I hear about a new fuzzing tool or read about a new integration I'm impressed by how much fuzzing research is progressing and how fast it's (finally!) getting adopted. However, it's still hard from a software developer viewpoint to approach fuzzing. In my humble experience, software engineers and developers understand quite well the concept of "test units", and I've found that unit testing is a great common ground to educate them to fuzzing and continuous security testing.
Finding bugs is just one part:
âItâs very difficult for asset owners to understand the impact of a vulnerability, despite CVSS and similar contextual information usually attached to the reportâ @Marmusha
âThe attack against the Colonial Pipeline is the loudest example of how much concrete impact a cyber attack can have in the real, physical worldâ @dcuthbert
âCan we stop with the logos and fancy names for bugs? đâ @dcuthbert - could not agree more to this my friend!
I chose to lump the previous two tweets together because I personally don't like to push too much the "impact" part of vulnerability research, but I can understand the position of an asset owner who needs to prioritize (patching) vulnerabilities. The reason why I don't like it is because security researchers are more and more expected to "give a fancy name" to their findings and "show a cool demo video" or the general public won't give them attention.
Will we get burned out of this at some point?
âWe have to care more about ourselves and our employees because at some point security experts may decide to retire in the mountains and enjoy their time.â @notameadow
I think this was the perfect way to conclude the Locknote session. I can definitely picture myself retiring in the mountains đ
Thanks for reading this far, and consider subscribing if you like this!
- Top Picks
- Multiple Vulnerabilities Affecting Unknown but Pervasive, Critical Network Protocol
- New Hacker-for-Hire Group Infected Notable Victims
- Practical HTTP Header Smuggling
- BusyBox Affected by 14 New Vulnerabilities
- Keys to Unlock the PS5 Unveiled
- INTERPOL Hits Prolific Cybercrime Ring Specialized in Ransomware
- Pwn2Own Austin 2021 Results
- A Xenon Flash Can Make an RPi2 Reboot
- Also Noteworthy
- How to Choose an Interesting Research Project
- BotenaGo: New IoT Malware Found
- Booking.com Reportedly Breached in 2016
- Time is Not as Accurate as You May Think
- SyzScope: Finding the Impact of Fuzzer-Exposed Kernel Bugs
- Threat Actors With TTPs Similar to APT27 Hit Defense and Energy Targets
- Europol Arrests 2 People Using REvil Ransomware to Infect 5,000 Victims
- Robinhood Data Breached via Social Engineering Customer Support
- Threat Actor Infiltrated US Defense Contractor Since Aug 2021 and Exfiltrated Data
- Tools
Top Picks
Multiple Vulnerabilities Affecting Unknown but Pervasive, Critical Network Protocol
by CISA // CISA
Trend Micro, TXOne, ADLINK and Alias Robotics discovered 12 vulnerabilities across the top 6 DDS implementations, both closed and open source, plus 1 vulnerability in the standard specifications.
DDS is a middleware technology that enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations.
More: details and PoC.
New Hacker-for-Hire Group Infected Notable Victims
by Thomas Brewster // Forbes
An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange. Their primary targets? Gmail, Protonmail and Telegram accounts belonging to anyone on whom their paymasters want to spy.
Practical HTTP Header Smuggling
by Daniel Thatcher // Intruder Blog
At Black Hat Europe 2021 researchers from Intruder present a new technique for identifying header smuggling and demonstrate how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling.
BusyBox Affected by 14 New Vulnerabilities
by Elizabeth Montalbano // Threatpost
14 vulnerabilities tracked as CVE-2021-42373 through CVE-2021-42386 affect BusyBox ranging from 1.16-1.33.1, depending on the flaw.
Seriously, who's going to ever patch BusyBox? It's deployed everywhere, from home routers to remote embedded systems used for ICS/OT applications.
Keys to Unlock the PS5 Unveiled
by Kyle Orland // Ars Technica
Hacking group Fail0verflow announced Sunday evening that it had obtained the encryption "root keys" for the PlayStation 5.
Additionally, signing keys to sign software have been extracted, which would allow to run custom applications, which the OS will recognize as valid.
INTERPOL Hits Prolific Cybercrime Ring Specialized in Ransomware
by INTERPOL // INTERPOL News
A 30-month transcontinental investigation [...] with the assistance of information provided by its private partners Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB through INTERPOLâs Gateway project.
The six suspects are believed to be tightly linked to a Russian-language cybercriminal gang known for naming-and-shaming its victims on a Tor leak site, and for moving more than USD 500 million in funds linked to multiple ransomware activities.
Pwn2Own Austin 2021 Results
by Dustin Childs // Zero Day Initiative
Congratulations to the top 3 teams (Synactiv, DEVCORE, and STARLabs) and to Synacktiv team for being crowned Master of Pwn ($197,500 and 20 points)!
A Xenon Flash Can Make an RPi2 Reboot
by Liz Upton // Raspberry Pi
Due to the photoelectric effectâby which, when a light hits a metal surface, electrons are given enough energy to escape from the surfaceâif you photograph a RPi2 with a xenon flash, you'll trigger a reboot.
the device that is responsible for regulating the processor core power [...] to get confused and make the core voltage drop.
Also Noteworthy
How to Choose an Interesting Research Project
by Trent Brunson // Trail of Bits Blog
Thinking of a good research project isn't easy! It's the art of finding the sweet spot between skills, time, career stage, team, environment, and impact.
BotenaGo: New IoT Malware Found
by Ofer Caspi // AlienLabs Research Blog
Written in Go, it is yet unclear which threat actor is behind the malware and number of infected devices.
Booking.com Reportedly Breached in 2016
by Dan Goodin // Ars Technica
Did US intelligence agency breached Booking.com in 2016 and stole user data related to the Middle East?
Booking.com wasnât legally required to do so because no sensitive or financial information was accessed [although] IT specialists working for Booking.com told a different story, according to the book "The Machine: Under the Spell of Booking.com" [...] the internal name for the breach was the âPIN-leak,â because the breach involved stolen PINs from reservations.
Time is Not as Accurate as You May Think
by Kelly Jackson Higgins // Dark Reading
In his keynote at Black Hat Europe 2021, hardware-security expert Adam Laurie shows the the risk and dangers of cyberattackers targeting the current time-synchronization infrastructure. And also shows a nice little demo on how to spoof RF-based time broadcasting.
SyzScope: Finding the Impact of Fuzzer-Exposed Kernel Bugs
by Xiaochen Zou, Guoren Li, Weiteng Chen, Hang Zhang, Zhiyun Qian // arXiv:2111.06002 [cs]
SyzScope [is] a system that can automatically uncover new âhigh-riskâ impacts given a bug with seemingly âlow-riskâ impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 183 low-risk bugs (more than 15%) in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write.
Threat Actors With TTPs Similar to APT27 Hit Defense and Energy Targets
by Tim Starks // CyberScoop
the hackers used tools and tactics similar to those of a Chinese hacking group alternately known as Emissary Panda, APT27 and Threat Group 3390 [...] compromised nine organizations in the defense, education, energy and health care industries across the globe beginning in September, according to new research.
Europol Arrests 2 People Using REvil Ransomware to Infect 5,000 Victims
by Thomas Brewster // Forbes
The European policing body said on Monday that the pair, who hired ransomware software from ReEvil, had made as much as a $500,000 in ransom payments.
Robinhood Data Breached via Social Engineering Customer Support
by Robinhood // Under the Hood
the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of peopleâapproximately 310 in totalâadditional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.
Threat Actor Infiltrated US Defense Contractor Since Aug 2021 and Exfiltrated Data
by Bill Toulas // BleepingComputer
US defense contractor Electronic Warfare Associates (EWA) has disclosed a data breach after threat actors hacked their email system and stole files containing personal information.
Read more in the breach notification.
Tools
ClusterFuzzLite is Fuzzing Right Into the CI/CD
by Google Security // Google Online Security Blog
a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow
I'd say there are no more excuses for not fuzzing our projects, as most of the languages are supported! Check it out here.
A Spicy protocol analyzer for WireGuard.
by Jeff Atkinson // GitHub
The tool can identify and analyze WireGuard traffic at wire speed with Zeek.