Over at the bad place, @evilsocket has reported an unauthenticated RCE in all GNU/Linux systems.
Canonical, RedHat and others have confirmed the severity, rating it a 9.9. Despite this, no working fix or CVE has been issued. Simone says the devs responsible are being defensive and dragging their feet.
It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that’s exactly what happened recently to Benjamin Harris.
The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains brief physical access to it, researchers said Tuesday.
The cryptographic flaw, known as a side channel, resides in a small microcontroller that’s used in a vast number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, which is SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.
Malicious hackers likely working on behalf of the Chinese government have been exploiting a high-severity zero-day vulnerability that allowed them to infect at least four US-based ISPs with malware that steals credentials used by downstream customers.
The government has sued Georgia Tech for failing to use antivirus software as mandated by a DoD grant for years, knowing it wasn't in compliance, and then submitting invoices for DoD projects anyway.
@lauren has discovered that Chrome 128, released in the past 24 hours, no longer works on Ubuntu 18.04, a release that Canonical is supporting until 2028. Can anyone point me to Chrome 128 not working on other OS versions still in support?
When you put it like that ("boil down to 'requests html forms could make in the early 2000s") it sounds like there is NOT a lot of harm that can result from exploits. Am I understanding you correctly?
This one looks bad. Global Affairs Canada, the Canadian agency that handles diplomatic relations, just got hacked to the core. One detail in this article is that the hack exploited some sort of VPN. Who wants to bet it's Ivanti?
The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.
The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft published late last Friday. Russia-state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.
In Thursday’s post updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.
In Thursday’s update, Microsoft officials said as much, although in language that largely obscured the extent of the major blunder.
I found this image floating around on that wretched bird site. Am I interpreting it wrong or does it indicate there's a way to allow non-admins to read all inboxes? If not, can you show me an appropriate screenshot? (No need for the screenshot if too much of a hassle. Just an answer will suffice.)
"Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a LEGACY TEST OAUTH APPLICATION THAT HAD ELEVATED ACCESS TO THE MICROSOFT CORPORATE ENVIRONMENT. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications. THE THREAT ACTOR THEN USED THE LEGACY TEST OAUTH APPLICATION TO GRANT THEM THE OFFICE 365 EXCHANGE ONLINE FULL_ACCESS_AS_APP ROLE, WHICH ALLOWS ACCESS TO MAILBOXES."
Or does being the tenant admin go beyond the above? If it does, can you or someone explain how?
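The chain quoted above (new account created, that account consents to an attacker-controlled app, a legacy app then hands the new app a mailbox-wide role such as full_access_as_app) is the kind of sequence a defender would want to flag from tenant audit data. The script below is an added example, not Microsoft's or anyone else's code; the audit records are constructed with assumed field names (ts, op, actor, actor_type, target, role) and do not reproduce any real Entra ID or Purview schema. The full_access_as_app role name comes from the quoted post; Mail.Read and Mail.ReadWrite are Microsoft Graph application permissions included for contrast.

```python
from datetime import datetime, timedelta

# Application-level permissions that confer access to every mailbox in the
# tenant. "full_access_as_app" is the Exchange Online role named in the quoted
# post; the Mail.* entries are Microsoft Graph application permissions.
MAILBOX_WIDE_ROLES = {"full_access_as_app", "Mail.Read", "Mail.ReadWrite"}

# Constructed, simplified audit records (assumed field names, not a real
# schema). The first three mirror the reported chain; the last two are a
# benign admin consenting to a low-privilege app, included as a control.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:00", "op": "UserCreated",
     "actor": "legacy-test-app@example.test", "actor_type": "servicePrincipal",
     "target": "svc-consent@example.test"},
    {"ts": "2024-01-10T08:14:00", "op": "ConsentGranted",
     "actor": "svc-consent@example.test", "actor_type": "user",
     "target": "app-9f3e (malicious-oauth-app)"},
    {"ts": "2024-01-10T08:20:00", "op": "AppRoleAssigned",
     "actor": "legacy-test-app@example.test", "actor_type": "servicePrincipal",
     "target": "app-9f3e (malicious-oauth-app)", "role": "full_access_as_app"},
    {"ts": "2024-01-12T14:00:00", "op": "ConsentGranted",
     "actor": "alice.admin@example.test", "actor_type": "user",
     "target": "app-c001 (hr-dashboard)"},
    {"ts": "2024-01-12T14:05:00", "op": "AppRoleAssigned",
     "actor": "alice.admin@example.test", "actor_type": "user",
     "target": "app-c001 (hr-dashboard)", "role": "User.Read"},
]


def find_risky_oauth_grants(events, fresh_window=timedelta(hours=24)):
    """Return a list of (rule_name, event) findings in chronological order.

    Rules (hypothetical names, chosen for this example):
      mailbox-wide-app-role     an app is given a permission that reaches
                                every mailbox in the tenant
      grant-by-service-principal a consent or role grant is performed by an
                                application identity rather than a person
      consent-from-fresh-account a user created within fresh_window grants
                                consent to an application
    """
    created_at = {}   # user -> creation timestamp, from UserCreated events
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        op = ev["op"]
        if op == "UserCreated":
            created_at[ev["target"]] = ts
            continue
        if op == "AppRoleAssigned" and ev.get("role") in MAILBOX_WIDE_ROLES:
            findings.append(("mailbox-wide-app-role", ev))
        if op in ("AppRoleAssigned", "ConsentGranted") \
                and ev.get("actor_type") == "servicePrincipal":
            findings.append(("grant-by-service-principal", ev))
        if op == "ConsentGranted":
            born = created_at.get(ev["actor"])
            if born is not None and ts - born <= fresh_window:
                findings.append(("consent-from-fresh-account", ev))
    return findings


def affected_apps(findings):
    """Set of application identifiers touched by any finding."""
    return {ev["target"] for _, ev in findings}


if __name__ == "__main__":
    for rule, ev in find_risky_oauth_grants(SAMPLE_EVENTS):
        print(f"{ev['ts']}  {rule:28s} {ev['op']:16s} actor={ev['actor']} "
              f"target={ev['target']}")
```

Run against the constructed sample it raises three findings, all against the one malicious app, and nothing for the admin's benign consent. The point of the three separate rules is that any one of them can be noisy on its own (service principals legitimately assign roles; new users legitimately consent to apps), but a single app hit by all three within a short window is exactly the pattern the quoted post describes.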
I'm curious to know what security professionals think of the new intelligence assessment from the UK about AI increasing the number and impact of cyber attacks in the next 2 years.
Do you buy this assessment, or is it wrong? Why or why not?
-- AI will almost certainly increase the volume and heighten the impact of cyber attacks over the next two years. However, the impact on the cyber threat will be uneven (see table 1).
-- The threat to 2025 comes from evolution and enhancement of existing tactics, techniques and procedures (TTPs).
-- All types of cyber threat actor – state and non-state, skilled and less skilled – are already using AI, to varying degrees.
-- AI provides capability uplift in reconnaissance and social engineering, almost certainly making both more effective, efficient, and harder to detect.
-- More sophisticated uses of AI in cyber operations are highly likely to be restricted to threat actors with access to quality training data, significant expertise (in both AI and cyber), and resources. More advanced uses are unlikely to be realised before 2025.
-- AI will almost certainly make cyber attacks against the UK more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models.
-- AI lowers the barrier for novice cyber criminals, hackers-for-hire and hacktivists to carry out effective access and information gathering operations. This enhanced access will likely contribute to the global ransomware threat over the next two years.
-- Moving towards 2025 and beyond, commoditisation of AI-enabled capability in criminal and commercial markets will almost certainly make improved capability available to cyber crime and state actors.