All posts by rocco

Thousands of enterprise servers are running vulnerable BMCs, researchers find

Read Time:45 Second

Having the ability to remotely manage and monitor servers even when their main operating system becomes unresponsive is vital to enterprise IT administrators. All server manufacturers provide this functionality in firmware through a set of chips that run independent of the rest of the server and OS. These are known as baseboard management controllers (BMCs) and if they’re not secured properly, they can open the door to highly persistent and hard-to-detect rootkits.

Over the years, security researchers have found and demonstrated vulnerabilities in the BMC implementations of different server manufacturers and attackers have taken advantage of some of them. One recent example is iLOBleed, a malicious BMC implant found in the wild by an Iranian cybersecurity company that targets Hewlett Packard Enterprise (HPE) Gen8 and Gen9 servers, but this is not the only such attack found over the years.

To read this article in full, please click here

Read More

Using EM Waves to Detect Malware

Read Time:1 Minute, 21 Second

I don’t even know what I think about this. Researchers have developed a malware detection system that uses EM waves: “Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification.”

Abstract: The Internet of Things (IoT) is constituted of devices that are exponentially growing in number and in complexity. They use numerous customized firmware and hardware, without taking into consideration security issues, which make them a target for cybercriminals, especially malware authors.

We will present a novel approach of using side channel information to identify the kinds of threats that are targeting the device. Using our approach, a malware analyst is able to obtain precise knowledge about malware type and identity, even in the presence of obfuscation techniques which may prevent static or symbolic binary analysis. We recorded 100,000 measurement traces from an IoT device infected by various in-the-wild malware samples and realistic benign activity. Our method does not require any modification on the target device. Thus, it can be deployed independently from the resources available without any overhead. Moreover, our approach has the advantage that it can hardly be detected and evaded by the malware authors. In our experiments, we were able to predict three generic malware types (and one benign class) with an accuracy of 99.82%. Even more, our results show that we are able to classify altered malware samples with unseen obfuscation techniques during the training phase, and to determine what kind of obfuscations were applied to the binary, which makes our approach particularly useful for malware analysts.

This seems impossible. It’s research, not a commercial product. But it’s fascinating if true.

Read More

Using Foreign Nationals to Bypass US Surveillance Restrictions

Read Time:1 Minute, 57 Second

Remember when the US and Australian police surreptitiously owned and operated the encrypted cell phone app ANOM? They arrested 800 people in 2021 based on that operation.

New documents received by Motherboard show that over 100 of those phones were shipped to users in the US, far more than previously believed.

What’s most interesting to me about this new information is how the US used the Australians to get around domestic spying laws:

For legal reasons, the FBI did not monitor outgoing messages from Anom devices determined to be inside the U.S. Instead, the Australian Federal Police (AFP) monitored them on behalf of the FBI, according to previously published court records. In those court records unsealed shortly before the announcement of the Anom operation, FBI Special Agent Nicholas Cheviron wrote that the FBI received Anom user data three times a week, which contained the messages of all of the users of Anom with some exceptions, including “the messages of approximately 15 Anom users in the U.S. sent to any other Anom device.”

[…]

Stewart Baker, partner at Steptoe & Johnson LLP, and Bryce Klehm, associate editor of Lawfare, previously wrote that “The ‘threat to life; standard echoes the provision of U.S. law that allows communications providers to share user data with law enforcement without legal process under 18 U.S.C. § 2702. Whether the AFP was relying on this provision of U.S. law or a more general moral imperative to take action to prevent imminent threats is not clear.” That section of law discusses the voluntary disclosure of customer communications or records.

When asked about the practice of Australian law enforcement monitoring devices inside the U.S. on behalf of the FBI, Senator Ron Wyden told Motherboard in a statement “Multiple intelligence community officials have confirmed to me, in writing, that intelligence agencies cannot ask foreign partners to conduct surveillance that the U.S. would be legally prohibited from doing itself. The FBI should follow this same standard. Allegations that the FBI outsourced warrantless surveillance of Americans to a foreign government raise troubling questions about the Justice Department’s oversight of these practices.”

I and others have long suspected that the NSA uses foreign nationals to get around restrictions that prevent it from spying on Americans. It is interesting to see the FBI using the same trick.

Read More

FBI arrests social engineer who allegedly stole unpublished manuscripts from authors

Read Time:27 Second

On January 5, 2022, the Department of Justice (DoJ) announced the FBI’s arrest of Italian citizen Filippo Bernardini at JFK International Airport in New York for wire fraud and aggravated identity theft. With the arrest of Bernardini, the DoJ unsealed a grand jury indictment dated July 14, 2021, of Bernardini that revealed a “multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novel and other forthcoming books.”

To read this article in full, please click here

Read More

4 ways cybercriminals hide credential stuffing attacks

Read Time:51 Second

Credential stuffing is a cyberattack in which exposed usernames and passwords are used to gain fraudulent access to user accounts through large-scale, automated login requests. High account usage, password reuse, and vast volumes of breached credentials on the dark web create the perfect storm for cybercriminals to carry out credential stuffing campaigns, while tactics used by malicious actors make identifying and preventing credential stuffing attempts a significant challenge for organizations.

Adding to pressures is the fact that attackers purposely disguise credential stuffing to make fraudulent access attempts appear legitimate and escape detection. “Credential stuffing attacks are emulating the sorts of requests that a legitimate user would make,” Troy Hunt, security researcher and founder of data breach notification service Have I Been Pwned, tells CSO. “Attackers are asking: What does it look like to make a legitimate request? How can we emulate that? Where it starts to get really interesting is when we look at the combativeness between defenders and attackers.”

To read this article in full, please click here

Read More

Smashing Security podcast #257: Pokemon-hunting cops and the Spine Collector scammer

Read Time:21 Second

Who has been playing video games rather than hunting down criminals? How is a man alleged to have stolen manuscripts of unpublished books from celebrity authors? Which pot contains an elephant? And why has Graham been listening to podcasts about pest control marketing?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Read More

[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1

Read Time:22 Second
Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.

Out of caution, and in line with best practice, Tenable has upgraded the bundled components to address the potential impact of these issues. Tenable.sc Patch 202201.1 updates Apache to version 2.4.52 to address the identified vulnerabilities.

Read More

Faking an iPhone Reboot

Read Time:1 Minute, 3 Second

Researchers have figured how how to intercept and fake an iPhone reboot:

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown.” There is no user-interface or any button feedback until the user turns the phone back “on.”

It’s a complicated hack, but it works.

Uses are obvious:

Historically, when malware infects an iOS device, it can be removed simply by restarting the device, which clears the malware from memory.

However, this technique hooks the shutdown and reboot routines to prevent them from ever happening, allowing malware to achieve persistence as the device is never actually turned off.

I see this as another manifestation of the security problems that stem from all controls becoming software controls. Back when the physical buttons actually did things — like turn the power, the Wi-Fi, or the camera on and off — you could actually know that something was on or off. Now that software controls those functions, you can never be sure.

Read More