Robert Grupe's AppSecNewsBits & AI 2024-12-07

This week’s news roundup: Epic Fails Stoli Bankruptcy, Romanian elections, vulnerable gateway services, MOVEit ongoing, NTLM, malicious coded backdoor, etc.

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Vodka Giant Stoli Files for Bankruptcy After Ransomware Attack
Among the contributing factors listed is a serious ransomware attack in August 2024 which caused “severe disruption” to the firm’s IT infrastructure. The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group’s enterprise resource planning (ERP) system being disabled and most of the Stoli Group’s internal processes (including accounting functions) being forced into a manual entry mode. These systems will be fully restored no earlier than in the first quarter of 2025.

 

British hospitals hit by cyberattacks still battling to get systems back online
Alder Hey Children's Hospital NHS Trust confirmed the source of the intrusion as an unspecified digital gateway service. Criminals gained unlawful access to data through a digital gateway service shared by Alder Hey and Liverpool Heart and Chest Hospital. This has resulted in the attacker unlawfully getting access to systems containing data from Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, and a small amount of data from Royal Liverpool University Hospital.

 

 

Backdoor slipped into popular code library, drains ~$155k from digital wallets
The supply-chain attack targeted solana-web3.js, a collection of JavaScript code used by developers of decentralized apps for interacting with the Solana blockchain. These “dapps” allow people to sign smart contracts that, in theory, operate autonomously in executing currency trades among two or more parties when certain agreed-upon conditions are met. The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7.
[rG: This could have been prevented by SSDLC release security code reviews. SAST vulnerability scanning alone wouldn’t catch novel malicious functionality.]
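An added example (not from this newsletter or from the Solana project): a Node.js check that walks a parsed package-lock.json for the two backdoored versions named above, including copies nested under other dependencies. It assumes the library's npm name is @solana/web3.js; the sample lockfile and the wallet-helper package are constructed.

```javascript
// Added example: find backdoored solana-web3.js releases in a lockfile.
const PACKAGE = "@solana/web3.js";              // npm name of solana-web3.js
const AFFECTED = new Set(["1.95.6", "1.95.7"]); // versions named in the report

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages || {})) {
    // Match the top-level install and copies nested under another package,
    // e.g. node_modules/a/node_modules/@solana/web3.js
    const isTarget =
      path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencyTree(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === PACKAGE && AFFECTED.has(meta.version)) {
      hits.push({ path: here.join(" > "), version: meta.version });
    }
    hits.push(...scanDependencyTree(meta.dependencies, here));
  }
  return hits;
}

// Takes the parsed JSON of package-lock.json, returns the affected installs.
function findAffected(lock) {
  // v2 lockfiles carry both sections; use "packages" to avoid double counting.
  return lock.packages
    ? scanPackagesMap(lock.packages)
    : scanDependencyTree(lock.dependencies);
}

// Constructed sample: the direct dependency is not one of the two listed
// versions, but a transitive copy (under the hypothetical wallet-helper) is.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "0.1.0" },
    "node_modules/@solana/web3.js": { version: "1.95.5" },
    "node_modules/wallet-helper": { version: "2.0.0" },
    "node_modules/wallet-helper/node_modules/@solana/web3.js": {
      version: "1.95.7",
    },
  },
};

console.log(findAffected(SAMPLE_LOCK));
```

The lockfile, not the version range in package.json, records what was actually installed, so it is the file to check in every build and deployment artifact produced while the two versions were available.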

 

Micropatchers share 1-instruction fix for NTLM hash leak flaw in Windows 7+
The vulnerability allows an attacker to obtain a user's NTLM credentials by simply having the user view a malicious file in Windows Explorer, e.g., by opening a shared folder or USB disk with such a file, or viewing the Downloads folder where such a file was previously automatically downloaded from the attacker's web page. Leaked NTLM credential hashes can be used to authenticate as users or cracked to reveal their plaintext passwords, potentially. This latest flaw affects all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022.

 

  • CyberPanel Incorrect Default Permissions Vulnerability: CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.

  • North Grid Proself Improper Restriction of XML External Entity (XXE) Reference Vulnerability: North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow a remote, unauthenticated attacker to conduct an XXE attack.

  • ProjectSend Improper Authentication Vulnerability: ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

  • Zyxel Multiple Firewalls Path Traversal Vulnerability: Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL. 

 

HACKING

Romania's election systems targeted in over 85,000 cyberattacks
The Constitutional Court of Romania (CCR) cancelled the results of the first round in the presidential election and decided that new elections will be held. The attacker obtained the logins by either targeting legitimate users or by exploiting vulnerabilities in the training server for operators at voting sections. The Romanian intelligence agency says that the 85,000 attacks continued until November 25th, the night after the first presidential election round, and the goals ranged from gaining access to the election infrastructure and compromising it to altering election information for the public and denying access to the systems. SRI notes in the declassified report that the threat actor tried to breach the systems by exploiting SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries. In another declassified report, SRI describes an influence campaign targeting the Romanian presidential election, where more than 100 TikTok Romanian influencers with over 8 million active followers were manipulated to distribute election content promoting presidential candidate Calin Georgescu. The influencers received amounts starting from $100 for 20,000 followers, to distribute videos with hashtags describing Georgescu’s presidential profile.

 

  • Create a secret word or phrase with your family to verify their identity.

  • Look for subtle imperfections in images and videos, such as distorted hands or feet, unrealistic teeth or eyes, indistinct or irregular faces, unrealistic accessories such as glasses or jewelry, inaccurate shadows, watermarks, lag time, voice matching, and unrealistic movements.

  • Listen closely to the tone and word choice to distinguish between a legitimate phone call from a loved one and an AI-generated vocal cloning.

  • If possible, limit online content of your image or voice, make social media accounts private, and limit followers to people you know to minimize fraudsters' capabilities to use generative AI software to create fraudulent identities for social engineering.

  • Verify the identity of the person calling you by hanging up the phone, researching the contact of the bank or organization purporting to call you, and call the phone number directly.

  • Never share sensitive information with people you have met only online or over the phone.

  • Do not send money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone.

 

A USB-C cable can hide a lot of malicious hardware, CT scan shows
There is also the potential for USB-C cables to hide malicious circuitry that compromises the security of your device. CT scanning is quickly becoming an important security tool for verifying the integrity of hardware during manufacturing before it has a chance of causing harm to individuals, companies, and critical infrastructure. An undetected supply chain attack can lead to serious consequences, as shown by the recent example of exploding pagers used in Lebanon to target Hezbollah leaders.

 

UK cyber chief warns country is ‘widely underestimating’ risks from cyberattacks
The annual review reveals that the agency’s incident management team handled a record number of cyber incidents over the past 12 months — 430 compared to 371 last year — 89 of which were considered nationally significant incidents. NCSC did not break down how many of these were caused by state-sponsored cyber attackers versus financially-motivated criminals, but said 13 of the 89 incidents were ransomware attacks. Six of the nationally significant incidents were attributed to the exploitation of two zero-day vulnerabilities: CVE-2023-20198 in Cisco IOS XE, which was previously connected to cyberattacks in Norway; and CVE-2024-3400 in Palo Alto Networks PAN OS, a vulnerability that U.S. authorities said was being exploited by the Iranian government in concert with ransomware groups.

 

Why Phishers Love New TLDs Like .shop, .top and .xyz
Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements. While .com and .net domains made up approximately half of all domains registered in the past year (more than all of the other TLDs combined) they accounted for just over 40 percent of all cybercrime domains. Among the gTLDs with the highest cybercrime domain scores in this year’s study, nine offered registration fees for less than $1, and nearly two dozen offered fees of less than $2.00. By comparison, the cheapest price identified for a .com domain was $5.91. Currently, there are around 2,500 registrars authorized to sell domains by the Internet Corporation for Assigned Names and Numbers (ICANN). Despite years of these reports showing phishers heavily abusing new gTLDs, ICANN is shuffling forward on a plan to introduce even more of them. ICANN’s proposed next round envisions accepting applications for new gTLDs in 2026.

 

There have been reports since early October that Chinese government hackers penetrated the networks of telecoms and may have gained access to systems used for court-authorized wiretaps of communications networks. Impacted telcos reportedly include Verizon, AT&T, T-Mobile, and Lumen (also known as CenturyLink). [rG: “Security Defense In Depth” best practice is to always assume any communication network (e.g. not just mobile, but including any LAN segment) could be compromised, and therefore all communications should be authenticated and encrypted.]

 

New website shows you how much Google AI can learn from your photos
Last month, Ente launched https[:]//Theyseeyourphotos[.]com, a website and marketing stunt designed to turn Google’s technology against itself. People can upload any photo to the website, which is then sent to a Google Cloud computer vision program that writes a startlingly thorough three-paragraph description of it. One of the first photos Mohandas tried uploading was a selfie with his wife and daughter in front of a temple in Indonesia. Google’s analysis was exhaustive, even documenting the specific watch model that his wife was wearing, a Casio F-91W. But then, Mohandas says, the AI did something strange: It noted that Casio F-91W watches are commonly associated with Islamic extremists. The same family photo uploaded to Theyseeyourphotos now returns a more generic result that includes the name of the temple and the “partly cloudy sky and lush greenery” surrounding it. But the AI still makes a number of assumptions about Mohandas and his family, like that their faces are expressing “joint contentment” and the “parents are likely of South Asian descent, middle class.” It judges their clothing (“appropriate for sightseeing”) and notes that “the woman's watch displays a time as approximately 2 pm, which corroborates with the image metadata.” Photos snapped of his daughter today reveal who she is and what makes her happy or sad. “This information could be used to manipulate her decades from now by anyone who has access to this data—advertisers, dating websites, employers, and industries that don't exist yet but will benefit from psychological profiles.” If Theyseeyourphotos motivates you to switch from Google Photos to another image storage service, the transition might not be totally smooth. Mohandas says that Google makes it difficult for people to transfer their photo library elsewhere by breaking up files and compressing them.

 

APPSEC, DEVSECOPS, DEV

ASD’s ACSC, CISA, and US and International Partners Release Guidance on Choosing Secure and Verifiable Technologies
This guidance aids procuring organizations and manufacturers of digital products and services in choosing and developing technology that is secure by design. This is an update to previously released guidance (Secure by Design Choosing Secure and Verifiable Technologies).
[rG: These principles apply not only to the acquisition of hardware and software solutions, but also application components and services used for internal software development.]

 

 

The Day We Unveiled the Secret Rotation Illusion
Secret rotation, while historically significant, is no longer sufficient as a primary defense mechanism. The threats we face today require us to rethink our approaches and adopt strategies that match the speed and cunning of our adversaries.
By redesigning our security frameworks around these principles, we can create systems that are resilient

  • Zero Trust Architecture: Operate on the principle that no user or system is inherently trusted. Every access request is verified, regardless of its origin.

  • Ephemeral Credentials: Use short-lived, context-aware credentials that expire quickly, minimizing the opportunity for exploitation.

  • Continuous Monitoring: Implement real-time detection mechanisms to identify and respond to suspicious activities immediately.

 

 

Pentesting Salesforce Communities
A lightning-fast journey from Guest User to Account Takeover
Salesforce Lightning is a component-based framework for Salesforce app development.

 

Moonlock’s 2024 macOS threat report
For decades, Apple devices have enjoyed a reputation for being mostly malware-free. However, with a 60 percent increase in market share in the last 3 years alone, macOS has become a prime target for cybercriminals, and the tide is turning.
Now, macOS-targeting malware is on the rise, and stealers have become a critical cybersecurity concern for macOS users. In this 2024 macOS threat report, Moonlock Lab dives into the growing threats facing macOS. 

 

VENDORS & PLATFORMS
Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges
Learn how to craft and understand adversarial attacks on AI/ML models through hands-on challenges on Dreadnode’s Crucible CTF platform.

 

Exposor
A tool using internet search engines to detect exposed technologies with a unified syntax.

 

OAuth Labs: OAuth 2.0 Vulnerabilities
This lab setup is not just a tool — it’s an immersive learning experience designed to deepen your understanding of OAuth 2.0, explore its common vulnerabilities, and practice exploiting and defending against them in a controlled environment.

 

Starlink's first constellation of direct-to-phone satellites is now in orbit
Each satellite has an LTE modem on board, and these satellites plug into the massive constellation of 6,799 existing Starlink spacecraft. Bandwidth per beam is only ~10 Mb, but future constellations will be much more capable. You'll currently get only text service through the end of 2024; voice and data will become available sometime next year, as will support for IoT devices (such as smart home gadgets). The company hasn't said how much its service will cost. One vaguely relevant reference to consider is Starlink's roaming broadband service, which works with a receiver mounted on your car or RV: that costs US$50 per month for subscribers in the US with a 50-GB cap.

 

$1 phone scanner finds seven Pegasus spyware infections
The mobile device security firm iVerify is publishing findings from a spyware detection feature it launched in May. Of 2,500 device scans that the company's customers elected to submit for inspection, seven revealed infections by the notorious NSO Group malware known as Pegasus. The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month.
[rG: Alternatively, users should install a top-rated smartphone anti-virus solution for continuous scanning and protection.]

 

Certain names make ChatGPT grind to a halt, and we know why
OpenAI's ChatGPT is more than just an AI language model with a fancy interface. It's a system consisting of a stack of AI models and content filters that make sure its outputs don't embarrass OpenAI or get the company into legal trouble when its bot occasionally makes up potentially harmful facts about people. Recently, people discovered that the names "David Mayer", "Jonathan Zittrain", "Jonathan Turley", and “Brian Hood” break ChatGPT. When asked about these names, ChatGPT responds with "I'm unable to produce a response" or "There was an error generating a response" before terminating the chat session. These individuals were involved with legal proceedings against OpenAI, or had been cited in hallucinations.

 

Nvidia’s new AI audio model can synthesize sounds that have never existed 
Researchers start by using an LLM to generate a Python script that can create a large number of template-based and free-form instructions describing different audio "personas" (e.g., "standard, young-crowd, thirty-somethings, professional"). They then generate a set of both absolute (e.g., "synthesize a happy voice") and relative (e.g., "increase the happiness of this voice") instructions that can be applied to those personas. The wide array of open source audio datasets used as the basis for Fugatto generally don't have these kinds of trait measurements embedded in them by default. But the researchers make use of existing audio understanding models to create "synthetic captions" for their training clips based on their prompts, creating natural language descriptions that can automatically quantify traits such as gender, emotion, and speech quality.

 

OpenAI announces full “o1” reasoning model, $200 ChatGPT Pro tier
OpenAI announced a new tier of ChatGPT with higher usage limits for $200 a month and the full version of "o1." OpenAI is touting pro mode's improved reliability, which is evaluated internally based on whether it can solve a question correctly in four out of four attempts rather than just a single attempt.

 

Google’s Genie 2 “world model” reveal leaves more questions than answers
After training on thousands of hours of 2D run-and-jump video games, the model could generate halfway-passable, interactive impressions of those games based on generic images or text descriptions. Genie 2 model expands that idea into the realm of fully 3D worlds, complete with controllable third- or first-person avatars. Google claims rather grandiosely that Genie 2 puts it on "the path to solving a structural problem of training embodied agents safely while achieving the breadth and generality required to progress towards [artificial general intelligence]." Whether or not that ends up being true, recent research shows that agent learning gained from foundational models can be effectively applied to real-world robotics.

 

 

 

Day after nuclear power vow, Meta announces largest-ever datacenter powered by fossil fuels
Meta has decided to jump the atomic gun with this project by partnering with Entergy instead. The power generation company plans to construct three combined-cycle combustion turbine (CCCT) plants with a total energy generation capacity of 2,262 megawatts. CCCT plants burn natural gas, but are configured (and marketed) as less pollutive than traditional natural gas power plants. Along with burning natural gas to spin a gas turbine, combined cycle plants use waste heat to spin a secondary steam turbine, thus creating more watts for their carbon buck.

 

 

LEGAL & REGULATORY
Russian court sentences kingpin of Hydra drug marketplace to life in prison
The court found that Stanislav Moiseyev oversaw Hydra, a Russian-language market that operated an anonymous website that matched sellers of drugs and other illicit wares with buyers. Hydra was dismantled in 2022 after authorities in Germany seized servers and other infrastructure used by the sprawling billion-dollar enterprise and a stash of bitcoin worth millions of dollars. At the time, Hydra was the largest crime forum, having facilitated $5 billion in transactions for 17 million customers. The market had been in operation since 2015. In addition to the sentence of life in prison, Moiseyev was also fined 4 million rubles, or the equivalent of roughly $38,000. The court also convicted 15 other defendants of being accomplices in the Hydra operations and gave them prison sentences ranging from eight to 23 years and fines totaling 16 million rubles.

 

U.S. Offered $10M for Hacker Just Arrested by Russia
In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies. The golden rule of cybercrime in Russia has always been that as long as you never hack, extort or steal from Russian citizens or companies, you have little to fear of arrest. Wazawaka claimed he zealously adhered to this rule as a personal and professional mantra. “Don’t shit where you live, travel local, and don’t go abroad. Mother Russia will help you. Love your country, and you will always get away with everything.” Still, Wazawaka may not have always stuck to that rule. At several points throughout his career, Wazawaka claimed he made good money stealing accounts from drug dealers on darknet narcotics bazaars. “It’s possible this is a shakedown by Kaliningrad authorities of a local internet thug who has tens of millions of dollars in cryptocurrency,” Intel 471 wrote in an analysis published Dec. 2. The country’s ingrained, institutional corruption dictates that if dues aren’t paid, trouble will come knocking. But it’s usually a problem money can fix.

 

FTC scolds two data brokers for allegedly selling your location to the meter
US data sellers Gravy Analytics and Mobilewalla agreed separate settlements with the American consumer watchdog this week over claims they bought and sold highly sensitive personal information without consent. This includes location data that Gravy Analytics claimed had a resolution of one meter and would allow a buyer to track which rooms a person visited within a building. Neither of the companies performed the tracking; instead, they bought logs of people's whereabouts from app developers and other companies that carried out software-based tracking of location, and then resold it. Mobilewalla retained location data on hundreds of millions of devices, while Gravy claimed to have "over 17 billion signals from approximately a billion mobile devices on a daily basis." They have agreed to delete any improperly collected location data, and promised not to distribute location information of people visiting certain sensitive places, such as medical facilities, schools, religious institutions, and military bases. They will also have to introduce strict privacy policies.

 

School did nothing wrong when it punished student for using AI, court rules
Dale and Jennifer Harris sued Hingham High School officials and the School Committee and sought a preliminary injunction requiring the school to change their son's grade and expunge the incident from his disciplinary record before he needs to submit college applications. The parents argued that there was no rule against using AI in the student handbook, but school officials said the student violated multiple policies. The school determined that RNH and another student "had cheated on an AP US History project by attempting to pass off, as their own work, material that they had taken from a generative artificial intelligence ('AI') application." Although students were permitted to use AI to brainstorm topics and identify sources, in this instance the students had indiscriminately copied and pasted text from the AI application, including citations to nonexistent books (i.e., AI hallucinations). They received failing grades on two parts of the multi-part project but were permitted to start from scratch, each working separately, to complete and submit the final project. RNH's discipline included a Saturday detention. He was also barred from selection for the National Honor Society, but he was ultimately allowed into the group after his parents filed the lawsuit.

 

Elon Musk asks court to block OpenAI conversion from nonprofit to for-profit
The motion in US District Court for the Northern District of California is the latest major filing in a lawsuit Musk initiated against OpenAI and its CEO Sam Altman in August. "There can be no serious question that OpenAI's imminent conversion to a for-profit entity violates the terms of Musk's donations," the motion said, referring to $44 million that Musk says he contributed to OpenAI from 2016 to 2020. Musk alleged on Friday that OpenAI and its partner, Microsoft, are "together exploiting Musk's donations so they can build a for-profit monopoly, one now specifically targeting xAI," and that "OpenAI's path from a non-profit to for-profit behemoth is replete with per se anticompetitive practices, flagrant breaches of its charitable mission, and rampant self-dealing." The complaint objected to the OpenAI structure consisting of a nonprofit and several for-profit affiliates that allegedly "drained the non-profit of its valuable technology and personnel." The lawsuit said Musk agreed to fund OpenAI based on "express promises, representations, and reassurances that the venture would be a non-profit devoted to the open-source development of AI for the benefit of humanity."

 

China bans exports to US of gallium, germanium, antimony in response to chip sanctions
China announced it is banning exports to the United States of gallium, germanium, antimony and other key high-tech materials with potential military applications, as a general principle, lashing back at U.S. limits on semiconductor-related exports. The Chinese Commerce Ministry announced the move after Washington expanded its list of Chinese companies subject to export controls on computer chip-making equipment, software and high-bandwidth memory chips. Such chips are needed for advanced applications.

 

 

And Now For Something Completely Different …
HowStuffWorks founder Marshall Brain sent final email before sudden death
Marshall Brain sent a final email to his colleagues at North Carolina State University. "I have just been through one of the most demoralizing, depressing, humiliating, unjust processes possible with the university," wrote the founder of HowStuffWorks[.]com and director of NC State's Engineering Entrepreneurs Program. In the detailed letter, Brain disputed an announcement made by his boss, Stephen Markham, executive director of NC State's Innovation and Entrepreneurship program. Markham had told staff Brain would retire effective December 31, 2024. Brain wrote that he had instead been terminated on October 29 and was forced into retirement as a face-saving option. The termination followed Brain's filing of ethics complaints through the university's EthicsPoint system about an employee at the university's Department of Electrical and Computer Engineering. The complaints stemmed from an August dispute over repurposing the Engineering Entrepreneurs Program meeting space.

 

36-year-old quit 6-figure Wall Street job—now he earns $1,000 an hour working from home as a tutor
In 2023, Menking earned more than $500,000 through private tutoring, a number he’s on track to match in 2024. He started working online with young people all over the U.S., including students at Ivy League universities like Princeton and Yale. Most of Menking’s tutees are in high school or college. Right now, he works with a dozen students, the majority of whom are undergraduates pursuing bachelor’s degrees in finance or a related field. Menking’s current rate is about $1,000 an hour.
[rG: Wow - Average college costs $25k/yr, $90k/yr at Yale, and then there are those who can afford $1,000/hr for additional tutoring??]

 
Pantone Announces Mocha Mousse as Color of the Year 2025
Every year, under the Pantone Color of the Year program, Pantone selects a color that, according to them, best encapsulates the zeitgeist of the year, expressing a global mood and attitude. For 2024, the selected color was Peach Fuzz, a soft hue between pink and orange, reflecting a sense of community and inner serenity. Pantone Color Institute has selected PANTONE 17-1230 Mocha Mousse as the Color of the Year 2025. The warm, brown hue, reminiscent of chocolate mousse and latte coffee, aims to bring a sense of comfort, intimacy, and elegance. This represents a versatile hue that can be combined in a multitude of palettes, from monochromatic earthy shades to mixtures of soft pastels, or even exotic combinations of vibrant colors balanced out with the rich yet subdued tone of Mocha Mousse.
[rG: For why this matters, I refer you to the explanatory scene in “The Devil Wears Prada”]