🔓 [CyberFacts Weekly - Issue 0x06] Notes from Black Hat Locknote

New Hacker-for-hire Group Discovered by Trend Micro / Vulns in Critical Network Protocol / Practical HTTP Header Smuggling / BusyBox Affected by 14 New Vulns / PS5 Unlock Keys Extracted / INTERPOL Hits Prolific Ransomware Ring / Flash Beams Reboot RPi2s / Pwn2Own Austin 2021

Nov 13, 2021

Greetings! 👋

Just back from Black Hat Europe, which was great as it’s been more than 2 years without an on-site conference (at least for me). Was a very nice get-together among those review-board members who could attend, who haven’t been meeting for what seemed to be forever.

Unfortunately, due to capacity and travel restriction, the event felt a bit emptier than usual, but we’re all looking forward to Black Hat USA 2022!

I jotted down some notes from my favorite session, the Locknote (vs Keynote), with Daniel Cuthbert, Meadow Ellis, James Kettle, Marina Krotofil, and Thomas Brandstetter. I “live” tweeted some notes in this thread, but since I’m far from being a professional tweeter, I revised them here, along with some comments.

Where are we, as an industry?

“If I buy a toaster I’m sure I’m not expected to get shocked when I plug it in. Why doesn’t the same happen with software? You can get shocked pretty quickly if you make basic deployment mistakes.”

True. But we’re years behind the car, electronics, or home appliance industry. Despite one day we’ll have a Software Bill of Material ( SBOM) attached to each software product (maybe), we’re still unable to give a precise characterization of a software product, which is fundamental to provide warranties or safety regulations around them. Furthermore, the environment where a software can be used is so uncertain, that it’s impossible to predict consequences or specify any requirements. However, there’s something we can do without a SBOM: We could start tracking when a software includes an unmaintained component. Is that, alone, a vulnerability? For sure it’s a great weakness, so I think we should use CWE-1104 when we encounter such cases.

In the intro @thedarktangent explained how ransomware + insurances create an ecology, a viable marketplace. Is this a healthy situation for us?

In 2016 I spoke at Black Hat Europe about mobile ransomware ( video). Ransomware (mobile or not) wasn’t remotely comparable to what we’re witnessing nowadays, but some cyber-security vendors have already started bundling insurance products with their tech solutions. You know, just in case. I had an immediate repulsion about this idea. I mean, what can possibly go wrong if you “tell” ransomware actors that their victims are even insured? I had a chat with a friend working in macro-economics, who explained me that financially-motivated criminal activities are moved, among other things, by “the possibility of getting caught.” It’s pretty intuitive, and I can understand that my little rambling during my talk wasn’t given any weight at all (I’m just a random researcher in the world). But, how have we gotten to the point where we have ransomware negotiators and tax-deducible ransom payments?

“We still not have a culture on how we communicate downtime, even to customers” @Marmusha “How to actually fight the fire is still an afterthought” “We’re creating a fantastic soil for this criminal economy to grow” “for sure we’ve invested a lot in negotiating ransomware payments, but is that the real place to invest?” @Marmusha

It took our industry more than 20 years to go from (1) undisclosed or fully-disclosed vulnerabilities to (2) responsibly and coordinately disclosed vulnerabilities. It’s unsurprising that not all organizations (including our industry, admittedly) have a good culture of “communicating failures” or “communicating breaches”. Things have changed in the past 5 years, probably thanks to continuous monitoring and disclosure of breaches (e.g, HIBP, LeakIX), and we’ve started to transition away from a “shaming” approach to a “respect” approach, because we’ve understood that’s just a matter of “when” and “how to remediate”.

“It was eye opening to hear talks about how human factors can positively impact security, and not just negatively like we usually hear.”

How many anecdotes we have about human errors? Countless. How many success stories we know about how creating a positive working environment can make the difference when responding to incidents? Off the top of my head: very, very few. Let’s reflect on this.

How have COVID contributed to shape our industry?

“During this lockdown lots of people became sourdough masters but…what do hackers do when they’re in lockdown? Suddenly they have time, so they hack more!”

This is true for both attackers and defenders. We’ve indeed noticed an overall increase in cyber-criminal activity, paralleled by an explosion of great research work by security folks, favored by the increased speaking opportunities due to travel restrictions.

“We’ve seen interesting trends as review board members. Vulnerabilities are harder and harder to find, but it’s great to see new techniques and tools to finally unfold them.” @albinowax “HTTP/2 is still not getting adopted, and the same is for IPv6. They seem around the corner, but one day we’ll wake up they will be there. We should anticipate security research on such technologies” @notameadow

“Pick some random ancient technology and you’ll find some really good bugs in there. Take the recent findings on sudo!” @dcuthbert “A lot depends on certificates nowadays, but certificates need an accurate notion of time, but this morning @rfidiot taught us how not to take time for granted!”

“The DDS talk was eye opening to me” @notameadow

“Being in this ICS industry for over a decade I’m shocked to have discovered DDS only now, and see how much there is left to find in there” @Marmusha

“In the academic world we’re seeing ICS security courses to bridge the skill gap.” @plctom

Indeed, there’s lots of fundamental technology that is now finally getting adopted widely that have accumulated years of security research debt. However:

“It still takes pressure to get some critical bugs fixed” @albinowax

Finding bugs and shifting security to the left

“We’ve had lots of good fuzzing talks. How many people here in their organizations embrace fuzzing to find security bugs?” @dcuthbert “Why we still see professionalized fuzzing services not being fully used? Because it’s damn hard to set them up. People should invest time to convert their unit tests into fuzz harnesses.” @Marmusha

Every time I hear about a new fuzzing tool or read about a new integration I’m impressed by how much fuzzing research is progressing and how fast it’s (finally!) getting adopted. However, it’s still hard from a software developer viewpoint to approach fuzzing. In my humble experience, software engineers and developers understand quite well the concept of “test units”, and I’ve found that unit testing is a great common ground to educate them to fuzzing and continuous security testing. Finding bugs is just one part:

“It’s very difficult for asset owners to understand the impact of a vulnerability, despite CVSS and similar contextual information usually attached to the report” @Marmusha “The attack against the Colonial Pipeline is the loudest example of how much concrete impact a cyber attack can have in the real, physical world” @dcuthbert “Can we stop with the logos and fancy names for bugs? 😊” @dcuthbert - could not agree more to this my friend!

I chose to lump the previous two tweets together because I personally don’t like to push too much the “impact” part of vulnerability research, but I can understand the position of an asset owner who needs to prioritize (patching) vulnerabilities. The reason why I don’t like it is because security researchers are more and more expected to “give a fancy name” to their findings and “show a cool demo video” or the general public won’t give them attention. Will we get burned out of this at some point?

“We have to care more about ourselves and our employees because at some point security experts may decide to retire in the mountains and enjoy their time.“ @notameadow

I think this was the perfect way to conclude the Locknote session. I can definitely picture myself retiring in the mountains 😊 Thanks for reading this far, and consider subscribing if you like this!

Top Picks

Multiple Vulnerabilities Affecting Unknown but Pervasive, Critical Network Protocol

by CISA // CISA

Trend Micro, TXOne, ADLINK and Alias Robotics discovered 12 vulnerabilities across the top 6 DDS implementations, both closed and open source, plus 1 vulnerability in the standard specifications.

DDS is a middleware technology that enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations.

More: details and PoC.

New Hacker-for-Hire Group Infected Notable Victims

by Thomas Brewster // Forbes

An unprecedented peek inside an underground hacker-for-hire operation reveals 3,500 targets, including Belarusian presidential candidates, Uzbek human rights activists and a cryptocurrency exchange. Their primary targets? Gmail, Protonmail and Telegram accounts belonging to anyone on whom their paymasters want to spy.

Practical HTTP Header Smuggling

by Daniel Thatcher // Intruder Blog

At Black Hat Europe 2021 researchers from Intruder present a new technique for identifying header smuggling and demonstrate how header smuggling can lead to cache poisoning, IP restriction bypasses, and request smuggling.

BusyBox Affected by 14 New Vulnerabilities

by Elizabeth Montalbano // Threatpost

14 vulnerabilities tracked as CVE-2021-42373 through CVE-2021-42386 affect BusyBox ranging from 1.16-1.33.1, depending on the flaw.

Seriously, who’s going to ever patch BusyBox? It’s deployed everywhere, from home routers to remote embedded systems used for ICS/OT applications.

Keys to Unlock the PS5 Unveiled

by Kyle Orland // Ars Technica

Hacking group Fail0verflow announced Sunday evening that it had obtained the encryption “root keys” for the PlayStation 5.

Additionally, signing keys to sign software have been extracted, which would allow to run custom applications, which the OS will recognize as valid.

INTERPOL Hits Prolific Cybercrime Ring Specialized in Ransomware

by INTERPOL // INTERPOL News

A 30-month transcontinental investigation […] with the assistance of information provided by its private partners Trend Micro, CDI, Kaspersky Lab, Palo Alto Networks, Fortinet and Group-IB through INTERPOL’s Gateway project.

The six suspects are believed to be tightly linked to a Russian-language cybercriminal gang known for naming-and-shaming its victims on a Tor leak site, and for moving more than USD 500 million in funds linked to multiple ransomware activities.

Pwn2Own Austin 2021 Results

by Dustin Childs // Zero Day Initiative

Congratulations to the top 3 teams (Synactiv, DEVCORE, and STARLabs) and to Synacktiv team for being crowned Master of Pwn ($197,500 and 20 points)!

A Xenon Flash Can Make an RPi2 Reboot

by Liz Upton // Raspberry Pi

Due to the photoelectric effect—by which, when a light hits a metal surface, electrons are given enough energy to escape from the surface—if you photograph a RPi2 with a xenon flash, you’ll trigger a reboot.

the device that is responsible for regulating the processor core power […] to get confused and make the core voltage drop.

Also Noteworthy

How to Choose an Interesting Research Project

by Trent Brunson // Trail of Bits Blog

Thinking of a good research project isn’t easy! It’s the art of finding the sweet spot between skills, time, career stage, team, environment, and impact.

BotenaGo: New IoT Malware Found

by Ofer Caspi // AlienLabs Research Blog

Written in Go, it is yet unclear which threat actor is behind the malware and number of infected devices.

Booking.com Reportedly Breached in 2016

by Dan Goodin // Ars Technica

Did US intelligence agency breached Booking.com in 2016 and stole user data related to the Middle East?

Booking.com wasn’t legally required to do so because no sensitive or financial information was accessed [although] IT specialists working for Booking.com told a different story, according to the book “The Machine: Under the Spell of Booking.com” […] the internal name for the breach was the “PIN-leak,” because the breach involved stolen PINs from reservations.

Time is Not as Accurate as You May Think

by Kelly Jackson Higgins // Dark Reading

In his keynote at Black Hat Europe 2021, hardware-security expert Adam Laurie shows the the risk and dangers of cyberattackers targeting the current time-synchronization infrastructure. And also shows a nice little demo on how to spoof RF-based time broadcasting.

SyzScope: Finding the Impact of Fuzzer-Exposed Kernel Bugs

by Xiaochen Zou, Guoren Li, Weiteng Chen, Hang Zhang, Zhiyun Qian // arXiv:2111.06002 [cs]

SyzScope [is] a system that can automatically uncover new “high-risk” impacts given a bug with seemingly “low-risk” impacts. From analyzing over a thousand low-risk bugs on syzbot, SyzScope successfully determined that 183 low-risk bugs (more than 15%) in fact contain high-risk impacts, e.g., control flow hijack and arbitrary memory write.

by Tim Starks // CyberScoop

the hackers used tools and tactics similar to those of a Chinese hacking group alternately known as Emissary Panda, APT27 and Threat Group 3390 […] compromised nine organizations in the defense, education, energy and health care industries across the globe beginning in September, according to new research.

Europol Arrests 2 People Using REvil Ransomware to Infect 5,000 Victims

by Thomas Brewster // Forbes

The European policing body said on Monday that the pair, who hired ransomware software from ReEvil, had made as much as a $500,000 in ransom payments.

Robinhood Data Breached via Social Engineering Customer Support

by Robinhood // Under the Hood

the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people. We also believe that for a more limited number of people—approximately 310 in total—additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed.

Threat Actor Infiltrated US Defense Contractor Since Aug 2021 and Exfiltrated Data

by Bill Toulas // BleepingComputer

US defense contractor Electronic Warfare Associates (EWA) has disclosed a data breach after threat actors hacked their email system and stole files containing personal information.

Read more in the breach notification.

Tools

ClusterFuzzLite is Fuzzing Right Into the CI/CD

by Google Security // Google Online Security Blog

a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before. With just a few lines of code, GitHub users can integrate ClusterFuzzLite into their workflow

I’d say there are no more excuses for not fuzzing our projects, as most of the languages are supported! Check it out here.

A Spicy protocol analyzer for WireGuard.

by Jeff Atkinson // GitHub

The tool can identify and analyze WireGuard traffic at wire speed with Zeek.

CyberFacts Weekly is a digest of my hand-picked readings from the cyber-security world.

CyberFacts Weekly is intended mostly for myself, to have a place to archive and keep public notes of what I read and deem as noteworthy.

If you like it, consider subscribing or forwarding this email to peers and friends. If newsletters aren’t really your thing, maybe you’d prefer to follow the @CyberFactsIT Twitter account, which I use to publish the real-time feed of my selected readings (also available via RSS).

Hope you enjoyed this issue…and see you reading the next one! 🙃

Thanks! Cheers, Fede