Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-08-22 to 2022-08-29.
Modzero disclosed a minor security issue in a CrowdStrike agent. The researchers did not want to participate in a bug bounty program. After some back-and-forth, they provided a draft advisory together with the poc. CrowdStrike could not reproduce the issue and did not provide a trial license to test the vulnerability with an updated agent. So, after finding a suitable test agent the researcher found that the vulnerability was detected on the latest version. However, they were able to circumvent the countermeasures with small adjustments to the exploit.
This underlines two key aspects. First, a lack of CVEs is not indicative of software quality. Many bug bounty reports never are never published. This is also the second important aspect. Non-disclosure agreements restrict the flow of important information. Especially for information security, security through obscurity has proven bad practice many many times.
A security researcher bought a 2021 Hyundai Ioniq SEL. The typical challenge would be to run Doom on the In-Vehicle Infotainment (IVI) system. In a really good article he does include dead ends and issues on his journey. At the end of which he achieved root access on the IVI.
After the initial research phase the identified the IVI software D-Audio2V. The updates were distributed as password-protected ZIP archives. ZIP archives are vulnerable to a known-plaintext attack can be executed with bkcrack. After some digging and debugging bcrack was able to find the key. Further down the line he discovered, that the password was present in the repo all along. It was listed in a shell script. The script also included an AES encryption key. A quick search revealed that is was the AES 128bit CBC example key listed in the NIST document SP800-38A. Also, the RSA public key for signing was present. A quick search revealed, that if was taken directly from the tutorial RSA Encryption & Decryption Example with OpenSSL in C”.
Peiter “Mudge” Zatko has a long history in the area of information security. He was the chief security officer at Twitter until he was fired this January. Now he filed a whistleblower complaint with the SEC against Twitter. Multiple newspapers provide additional details.
The disclosure paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
This complaint comes at a very unfortunate timing for the legal battle with Elon Musk.
Patrick Hillmann, Chief Communications Officer at Binance, has been at the heart of a “deep fake” based scam . The criminals were able to create a deep fake of Patrick Then, they targeted unsuspecting crypto projects into a video call and lured them with Binance listings. One comment from Patrick stands out.
Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough […]
There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware. Trend Micro published a detailed analysis.
Israeli researcher Mordechai Guri has published his paper ETHERLED. ETHERLED is a new technique that allows attackers to leak data from air-gapped devices by controlling the status LEDs. This attack can be used on a wide range of devices, including PCs, printers, network cameras, and embedded controllers. Data can be encoded and modulated over the optical signals generated by the LEDs. An attacker with line-of-sight to the device can intercept and decode these signals. Defensive countermeasures for this attack include physically obscuring the LEDs or monitoring for unusual activity.
Python library with CLI allowing to remotely dump domain user credentials via an ADCS without dumping the LSASS process memory
Scans SBoMs for security vulnerabilities
A vulnerability scanner for container images and filesystems