Weekly in Security 202234

2022-08-22 to 2022-08-29

4 min read - 830 words


Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2022-08-22 to 2022-08-29.


Interesting Reads

Ridiculous vulnerability disclosure process with CrowdStrike Falcon Sensor

Modzero disclosed a minor security issue in a CrowdStrike agent. The researchers did not want to participate in a bug bounty program. After some back-and-forth, they provided a draft advisory together with the poc. CrowdStrike could not reproduce the issue and did not provide a trial license to test the vulnerability with an updated agent. So, after finding a suitable test agent the researcher found that the vulnerability was detected on the latest version. However, they were able to circumvent the countermeasures with small adjustments to the exploit.

This underlines two key aspects. First, a lack of CVEs is not indicative of software quality. Many bug bounty reports never are never published. This is also the second important aspect. Non-disclosure agreements restrict the flow of important information. Especially for information security, security through obscurity has proven bad practice many many times.

A security researcher bought a 2021 Hyundai Ioniq SEL. The typical challenge would be to run Doom on the In-Vehicle Infotainment (IVI) system. In a really good article he does include dead ends and issues on his journey. At the end of which he achieved root access on the IVI.

After the initial research phase the identified the IVI software D-Audio2V. The updates were distributed as password-protected ZIP archives. ZIP archives are vulnerable to a known-plaintext attack can be executed with bkcrack. After some digging and debugging bcrack was able to find the key. Further down the line he discovered, that the password was present in the repo all along. It was listed in a shell script. The script also included an AES encryption key. A quick search revealed that is was the AES 128bit CBC example key listed in the NIST document SP800-38A. Also, the RSA public key for signing was present. A quick search revealed, that if was taken directly from the tutorial RSA Encryption & Decryption Example with OpenSSL in C”.

Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies

Peiter “Mudge” Zatko has a long history in the area of information security. He was the chief security officer at Twitter until he was fired this January. Now he filed a whistleblower complaint with the SEC against Twitter. Multiple newspapers provide additional details.

The disclosure paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

This complaint comes at a very unfortunate timing for the legal battle with Elon Musk.

Technical Write-Up for CVE-2022-22715 Dirty Pipe

Scammers Created an Deep Fake to Scam Unsuspecting Crypto Projects

Patrick Hillmann, Chief Communications Officer at Binance, has been at the heart of a “deep fake” based scam . The criminals were able to create a deep fake of Patrick Then, they targeted unsuspecting crypto projects into a video call and lured them with Binance listings. One comment from Patrick stands out.

Other than the 15 pounds that I gained during COVID being noticeably absent, this deep fake was refined enough […]

Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware. Trend Micro published a detailed analysis.

ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs

Israeli researcher Mordechai Guri has published his paper ETHERLED. ETHERLED is a new technique that allows attackers to leak data from air-gapped devices by controlling the status LEDs. This attack can be used on a wide range of devices, including PCs, printers, network cameras, and embedded controllers. Data can be encoded and modulated over the optical signals generated by the LEDs. An attacker with line-of-sight to the device can intercept and decode these signals. Defensive countermeasures for this attack include physically obscuring the LEDs or monitoring for unusual activity.



Python library with CLI allowing to remotely dump domain user credentials via an ADCS without dumping the LSASS process memory


Scans SBoMs for security vulnerabilities


A vulnerability scanner for container images and filesystems