This month: Kali Purple distribution unveiled, scientists and experts call for AI training to be suspended, BreachForums creator arrested by law enforcers, DJI drones reveal location of their operators, Twitter looking for person who leaked company source codes on GitHub, dangerous vulnerabilities identified in TPM 2.0, and also other interesting events in March.
Kali Purple distribution is designed for security people
Offensive Security has released Kali Linux 2023.1, the first version of 2023 (also dedicated to the tenth anniversary of the project) with the new Kali Purple distribution, which is designed for the blue and purple teams, that is, focused on defensive security.
“Over the years, we have perfected what we specialized in, which is offensive security. Now we are starting to move into a new area: defensive security,” Offensive Security writes. “We are doing a pre-launch of the evaluation technical version of Kali Purple. [The distribution] is still in its infancy and will need time to mature. But you can already see the direction Kali is taking, and you can also take part in shaping that direction!”
Although the distribution is still in its early stages of development, it already includes over 100 security tools, including Malcolm, Suricata, Arkime, TheHive and Zeek, as well as a dedicated Wiki to help you get started.
Kali Purple is already available for download as an ISO image for x64/AMD64 systems.
In addition, it is worth noting that Kali 2023.1 includes eight new tools:
Arkime is an open source packet capture and search tool;
CyberChef is a real “multi-tool” that allows you to analyze, decrypt, deobfuscate and decode data using a variety of operations;
DefectDojo is an open source tool for security orchestration, correlation and application vulnerability management;
Dscan is a wrapper for Nmap for distributed network data collection;
Kubernetes-Helm is an open source Kubernetes package management platform;
PACK2 is a toolkit for password analysis and cracking;
Redeye is a tool designed to help you manage your data during a penetration test in the most efficient and organized way;
Unicrypto is a single interface for a number of crypto algorithms.
42% of companies lack information security specialists
According to Kaspersky Lab, more than a third of companies in Russia (42%) are forced to turn to managed IT and information security service providers (MSP/MSSP) due to a lack of in-house specialists. A similar number of respondents (42% each) indicated two other reasons for outsourcing information security work: higher efficiency and the need to comply with regulatory requirements. About a third of respondents noted a lack of cybersecurity experience within their organization (36%) and the financial benefits of optimizing the costs of maintaining staff, purchasing licenses, and deploying and scaling IT infrastructure (32%).
BreachForums has closed, its creator has been arrested
At the end of March, it became known about the arrest of the owner and founder of the hacker forum BreachForums (known online as Pompompurin), who lives in New York.
BreachForums has been the largest data breach hacking forum in recent times and was commonly used by hackers and ransomware groups to leak information. The resource was launched by Pompompurin last year after the FBI shut down the hacker site RaidForums.
Pompompurin himself and other members of BreachForums have been linked to many high-profile hacks and data breaches, including the theft of data on millions of Robinhood users, the breach of 5.4 million Twitter users’ data, and recent attacks on Acer and Activision.
Before the shutdown, BreachForums had more than 340,000 users, according to the Justice Department. As of January 11, 2023, there were 888 datasets in the platform’s database, consisting of more than 14 billion individual records.
Shortly after the arrest of the founder of the resource, the remaining administrator, known by the nickname Baphomet, was forced to close the site permanently, as he discovered that it was not safe to continue working, because it seems that law enforcement officers had already gained access to the BreachForums infrastructure.
The fact is that when the BreachForums infrastructure was taken down, the old CDN server, which hosted only unimportant data, remained online.
“During the migration, I checked to see if anything suspicious was going on that might be of concern. One of the servers I checked was our old CDN server mentioned above. Looks like someone logged in on March 19 at 1:34 AM EST before I logged into the server. Unfortunately, this leads us to the conclusion that it is likely that someone has access to Pom’s machine. Our servers are never used by anyone else, so someone had to know the credentials to be able to log in. Now I feel like I’m in a situation where nothing can be considered safe, be it our configurations, source code, or information about our users – the list is endless,” Baphomet wrote.
Conor Brian Fitzpatrick, aka Pompompurin, 20, was eventually charged with the theft and sale of sensitive personal information belonging to “millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations and government agencies,” U.S. officials said. Fitzpatrick is charged with conspiracy to commit access device fraud and, if found guilty, faces up to five years in prison.
Fitzpatrick has already appeared before the court and was released on $300,000 bail.
In court documents, FBI Special Agent John Longmire says that the FBI gained access to the BreachForums database, which helped establish that Fitzpatrick was indeed Pompompurin.
Law enforcement came to this conclusion based on activity logs and data from the defendant’s Internet service provider, Optimum Online (the account is registered at [email protected]), as well as data received from Verizon, Google and Apple.
Linking Fitzpatrick to the founder of BreachForums was a private conversation in which Fitzpatrick informed the owner of the now closed RaidForums that the stolen ai.type database found on Have I Been Pwned did not contain his old email address [email protected]. Law enforcement officers gained access to this chat after the liquidation of RaidForums and the confiscation of servers.
Longmire writes that, in addition, the FBI found Fitzpatrick’s Optimum Online IP address (69.115.201.194) in the BreachForums database, because he had once used it to log in to the forum, apparently forgetting to use Tor or turn on his VPN (it is also possible that the VPN service failed). The same IP was linked to Fitzpatrick’s personal iCloud account.
In addition, Verizon data showed that the IP addresses previously used to access Pompompurin’s RaidForums account were linked to mobile devices registered to Fitzpatrick, who lives at his father’s home in Peekskill.
During the arrest, the accused himself openly admitted to law enforcement (without a lawyer present) that he was the person behind the pseudonym Pompompurin on BreachForums.
“He also admitted to owning and operating BreachForums and previously managed the Pompompurin account on RaidForums. He estimated that he was making about $1,000 a day from BreachForums and used that money to administer the resource and buy other domains,” the documents read.
AI will impact the labor market
Researchers from Goldman Sachs have prepared a special report on how AI systems can affect the labor market in the US and Europe. According to them, the advent of generative AI could in some way affect up to 300,000,000 jobs. However, most industries and professions will only be partly affected by automation and are more likely to be augmented rather than replaced by artificial intelligence. Approximately 2/3 of all jobs can be affected by AI-driven automation, which will remove up to 50% of the burden from workers. It is expected that only 7% of workers may lose their job and be replaced by AI. In another 63% of cases, AI will take on only part of the tasks, making it easier for people to work, and about 30% of working people will not be affected by the development of AI systems at all. About 25% of all work tasks performed in the US and Europe can be automated using artificial intelligence. In the United States, office and administrative workers (46%), lawyers (44%), and architecture and design professionals (37%) are most at risk of being “displaced” from the labor market. Cleaning and maintenance professionals, as well as repair and construction specialists, are the least threatened by AI. If artificial intelligence is widely used, then overall world GDP growth could reach 7% over the next ten years, experts say.
Team Synacktiv won at Pwn2Own
The Pwn2Own hacker competition ended at the CanSecWest conference. This year, experts uncovered a total of 27 unique zero-day vulnerabilities, compromising the Tesla Model 3, Windows 11, macOS, and Ubuntu, among other things, and taking home $1,035,000 and a new Tesla Model 3.
The undisputed leader of the competition was the French team Synacktiv, which this year included Eloi Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar and Thomas Imbert.
The team’s successful hacks and prizes were as follows:
$250,000: Exploit chain combining a heap overflow and an OOB write, yielding root via the Tesla Model 3 infotainment system;
$100,000: TOCTOU (time-of-check to time-of-use) type attack on Tesla Model 3;
$80,000: A chain of three bugs aimed at privilege escalation on an Oracle VirtualBox host;
$40,000: TOCTOU privilege escalation attack on Apple macOS;
$30,000: Ubuntu Desktop privilege escalation;
$30,000: Use-after-free (UAF) exploit in Microsoft Windows 11.
In total, the team took home $530,000 (which is about half of the total prize fund of the competition), Tesla Model 3 and earned 53 Master of Pwn points, overtaking all rivals by a huge margin.
This is the second time Synacktiv has won Pwn2Own. Synacktiv last took first place in 2021 at Pwn2Own Austin.
All vendors must now fix the vulnerabilities demonstrated and disclosed during Pwn2Own within 90 days, and then the Trend Micro Zero Day Initiative will publicly release the technical details of all 0-day exploits used in the competition.
Medvedev supported piracy
Deputy Chairman of the Security Council of the Russian Federation Dmitry Medvedev said that he considers it right to download and distribute pirated copies of films and musical works online that are no longer available in Russia by decision of Western copyright holders. “You know what? Look for the right pirates and download from them. If they left us, all sorts of Netflix and others, then we will download it all, we will use it for free. And I would scatter all this over the Net in order to cause them maximum damage. Maximum damage to make them bankrupt!” Medvedev said in an interview with Russian media, commenting in particular on the disappearance of some Western music from online services in Russia. He also noted that as a lawyer he used to be negative about piracy “and thought it was better to overpay,” even when he was told that “everything is on torrent trackers.”
Experts urged to suspend AI training
More than a thousand people, including professors and AI developers, signed an open letter to all laboratories involved in the development of artificial intelligence. In a message published by the non-profit organization Future of Life, experts call for an immediate suspension of the development and training of AIs more powerful than GPT-4, at least for six months.
The letter was signed by many well-known people involved in AI development and technology, including OpenAI co-founder Elon Musk; Yoshua Bengio, the mathematician, cyberneticist and computer scientist best known for his work in artificial intelligence and the founder of Mila; Apple co-founder Steve Wozniak; Stability AI head Emad Mostaque; AI research pioneer Stuart Russell; and Geometric Intelligence founder Gary Marcus.
The open letter mentions the potential risks to society and humanity arising from the rapid development of advanced AI systems in the absence of common safety protocols. The signatories believe that the potential risks of this “revolution” have yet to be fully assessed and addressed through integrated management, while the positive effect of these technologies is not guaranteed.
“Advanced AI could bring significant changes to the history of life on Earth and should be planned and managed with appropriate care and resources,” the message reads. “Unfortunately, there is no such planning and management taking place, despite the fact that in recent months AI labs have become involved in an uncontrolled race to develop and implement ever more powerful digital intelligences that no one (including their creators) can understand, predict or reliably control”.
The letter also warns that modern AI systems are already directly competing with humans in performing common tasks, which raises a number of existential and ethical questions that humanity still needs to consider, discuss and resolve.
Some of these questions concern the flow of information generated by AI, the uncontrolled automation of workplaces, the development of systems that are superior to humans and which can make people “obsolete”, and the control of civilization in general.
Experts believe that we have reached the point where we should train more advanced AI systems only under strict supervision and only with confidence that the risks associated with their deployment are manageable.
“Therefore, we are calling on all AI labs to immediately suspend the training of AI systems greater than GPT-4 for at least six months,” the letter reads. “This pause should be public and verifiable, and it should involve all key players. If such a pause cannot be taken quickly, governments should intervene and impose a moratorium.”
During this pause, AI developers are invited to come together and agree on common safety protocols, which could then be used for audits conducted by external independent experts.
In addition, the signatories believe that politicians should take protective measures and regulate this area. In particular, it is proposed to create a system of “watermarks” that can effectively distinguish genuine content from fake, to work out the possibility of laying responsibility for the harm caused by materials created by AI, and to allocate public funding for the study of risks associated with AI.
The letter does not contain calls to completely stop the development of AI. Instead, it highlights the potential dangers of growing competition between AI developers looking to carve out a niche in a rapidly growing market.
“With AI, humanity can enjoy a wonderful future. By succeeding in building powerful AI systems, we can enjoy the “AI heyday” and reap the rewards by designing these systems for the greater good and giving society a chance to adapt. Society has suspended the development of other technologies with potentially catastrophic consequences. We can do the same here,” the experts conclude.
$2 billion withdrawn from Binance
In the last week of March, the outflow of funds from the Binance cryptocurrency exchange amounted to $2.1 billion. This was reported by the Wall Street Journal, citing data from the Nansen analytical platform. The exchange’s public wallets currently hold $63.2 billion. The rate of withdrawals exceeded normal activity and accelerated after the announcement by the US Commodity Futures Trading Commission (CFTC) that it is suing the cryptocurrency exchange, accusing it of illegal activities in the US. The company’s market share has fallen by 30% since March 24, 2023, according to analysts at CryptoCompare.
Twitter sources leaked, and the company is looking for the culprits
Twitter has succeeded in removing the internal source codes of its platform and tools from GitHub, which were leaked to the public a few months ago. Twitter is now requiring GitHub to disclose the details of the person who leaked the source and anyone else who accessed it.
At the end of the month, GitHub had to act on a Digital Millennium Copyright Act (DMCA) takedown notice from Twitter, which claimed that proprietary source code and internal tools had been leaked, which could pose a security risk to the company.
According to the complaint, the source of the leak was the user FreeSpeechEnthusiast, and his nickname is a clear reference to the words of Elon Musk, who often calls himself an absolutist in matters of freedom of speech (free speech absolutist). That is, the information was probably leaked by a disgruntled Twitter employee (most likely fired after Musk bought the company). Currently, the FreeSpeechEnthusiast account is still active, but the user has no other public repositories.
It is not known exactly when the leak occurred, according to the media, but journalists believe that the source files were available online “for at least a few months.”
In its copyright complaint, Twitter is asking GitHub to provide information about the access history of this leak, likely wanting to identify its source.
“Please retain and provide copies of any upload/download/access histories (and any contact information, IP addresses, or other related session data), as well as any logs associated with this repository and any of its forks, before deleting any offending copyright content from GitHub,” the document reads.
Twitter is currently trying to use a subpoena to force GitHub to provide identifying information about the FreeSpeechEnthusiast user and anyone else who accessed the leak and distributed the Twitter source code. The data obtained will be used for further lawsuits.
GitHub representatives did not say how many people accessed or downloaded the leaked Twitter source code, but FreeSpeechEnthusiast had few followers. Despite this, it is noted that the leak could have serious consequences for Twitter, as the source could be carefully examined by outsiders to identify potentially dangerous vulnerabilities.
There are more phishers
Group-IB reported that in 2022 it blocked more than 59,000 phishing sites, of which more than 7,000 were detected in the Russian segment of the Internet, twice as many as a year earlier. Fraudulent resources stole Russians’ logins and passwords, bank card details, and messenger accounts. If in 2021 the number of resources blocked by CERT-GIB on the Internet amounted to 31,455, then in 2022 their number increased to 59,282. In the .ru and .рф zones, the number of blocked sites more than doubled: from 3210 to 7121. Last year, in the .ru and .рф zones alone, experts detected 20,170 phishing domains (in 2021, their number was 15,363 domains). The attackers used the services of hosting providers located mainly in the US, Russia and Germany. At the same time, every third fraudulent site was in the .com zone (33.8% of the total number of resources).
aCropalypse vulnerability threatens Windows and Pixel
Microsoft developers have urgently updated the Snipping Tool and Snip and Sketch (“Scissors”) in Windows 10 and 11, fixing a recently discovered vulnerability dubbed aCropalypse. The bug allowed the original of any image edited with the tool to be partially restored.
Initially, aCropalypse (CVE-2023-21036) was found in Google Pixel devices and was associated with the Markup screenshot editor, which appeared on smartphones in 2018 with the release of Android 9.0 Pie.
The vulnerability lies in how the image file is opened for editing and saved: data cropped out or painted over in Markup still remains in the newly saved file, which allows roughly 80% of the original image to be recovered.
The researchers warned that aCropalypse could expose users’ sensitive information if they have ever edited an image with Markup and then shared the file with others or posted it online.
Because of the vulnerability, a wide variety of information could leak into the network, including confidential data from documents, location data, sensitive URLs in browser screenshots, bank card numbers, faces and other unwanted details in explicit photos. In a word, everything that is usually cut off and glossed over in photographs and screenshots.
Shortly after the disclosure of the original problem, it turned out that this vulnerability also posed a danger to the Snipping Tool and Snip and Sketch tools in Windows 10 and 11. In this case, it is also possible to partially restore the original appearance of previously cropped images.
Experts have demonstrated the successful recovery of PNG images and assumed that the same can be done with JPG files.
The issue was eventually assigned the ID CVE-2023-28303. In Windows 11, to fix it, you should update the Snipping Tool to version 11.2302.20.0, and in Windows 10, the patch received Snip and Sketch version 10.2008.3001.0.
Now, when an image is cropped and the original file is overwritten, the tool properly discards the unused data instead of leaving it at the end of the file after the IEND chunk.
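As an added illustration of the check a defender can run before sharing edited screenshots (example code, not from the article or from Google or Microsoft), the following script parses a PNG chunk by chunk, verifies each chunk CRC, and reports how many bytes trail the IEND chunk. It models the buggy save by writing a smaller cropped file over the start of a larger original without truncating it; the sample PNGs are constructed in code.

```python
"""Detect PNG files that carry leftover data after the IEND chunk.

Added example, not code from the original article. aCropalypse-style
leftovers occur when an editor overwrites the start of the original file
with the smaller cropped image without truncating, so the old tail survives
after the new IEND chunk. A clean PNG has exactly zero bytes after IEND.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def analyze_png(blob: bytes) -> dict:
    """Walk the chunk stream up to IEND and report what follows it.

    Returns the chunk types seen, the offset just past IEND, and the number
    of trailing bytes (0 for a clean file). Raises ValueError on a malformed
    file, so a truncated or corrupted image is never reported as clean.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + payload + CRC
        if end > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC on {ctype!r} chunk")
        chunks.append(ctype.decode("ascii"))
        pos = end
        if ctype == b"IEND":
            break
    return {"chunks": chunks, "iend_offset": pos, "trailing_bytes": len(blob) - pos}


def build_sample_png(width: int, height: int) -> bytes:
    """Construct a minimal valid 8-bit grayscale PNG (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Each scanline starts with filter byte 0 followed by `width` gray values.
    raw = b"".join(
        b"\x00" + bytes([(x * 7 + y) & 0xFF for x in range(width)]) for y in range(height)
    )
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))


def simulate_overwrite_in_place(original: bytes, cropped: bytes) -> bytes:
    """Model the buggy save: the cropped file is written over the start of the
    larger original without truncation, so the original's tail is left behind."""
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    big = build_sample_png(64, 64)
    small = build_sample_png(8, 8)
    leaky = simulate_overwrite_in_place(big, small)
    for name, blob in (("clean crop", small), ("leaky crop", leaky)):
        report = analyze_png(blob)
        print(f"{name}: chunks={report['chunks']} trailing_bytes={report['trailing_bytes']}")
```

Any non-zero trailing byte count on a screenshot you are about to share is a signal to re-export the image through a tool that rewrites the whole file.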
The speed of mobile Internet in the Russian Federation decreased by 7%
According to TelecomDaily, in February 2023, the speed of mobile Internet in the regions of Russia decreased by 7% compared to the previous year (to 18.3 Mbps). At the same time, in Moscow, the speed of mobile Internet increased by 32% to 34.7 Mbps. Researchers attribute the deterioration in access to a shortage of network equipment and to the installation of new base stations primarily in large cities. The head of TelecomDaily, Denis Kuskov, notes that network equipment is gradually becoming obsolete and requires modernization, and stocks are not unlimited. That is why the gap in the quality of Internet access between the capital and the regions is growing. Operators are increasing network bandwidth more slowly than Internet traffic is growing.
DJI drones reveal location of operators
Experts from the Ruhr University in Bochum and the Helmholtz Center for Information Security in Germany (CISPA) said that they were able to decipher the signals transmitted by DJI drones. It turned out that the devices broadcast not only their GPS coordinates and the unique ID of the drone, but also the GPS coordinates of their operator.
The researchers write that such devices are becoming increasingly popular in war zones, because they can conduct surveillance at high altitude, conduct reconnaissance and even be used as a weapon, while their operator is reliably hidden at a distance of up to several kilometers from the drone.
However, it turned out that the location of the pilots is not such a big secret. In fact, anyone with simple, cheap radio equipment can intercept drone signals and decode them, thus obtaining the pilot’s coordinates.
In their report, the scientists say that they managed to decipher DJI drone radio signals and decode the DroneID radio protocol they use. After deconstructing the signals, the researchers saw that each DJI drone transmits not only its GPS coordinates and unique drone ID, but also the GPS coordinates of its operator via the DroneID protocol.
DJI’s DroneID system was originally designed to allow governments, regulators, and law enforcement to control and prevent misuse of drones. But hackers and security researchers have long been saying that DroneID is unencrypted and open to anyone who can receive radio signals.
For example, DroneID was already under fire last spring, when the Ukrainian authorities criticized the company for the fact that the Russian military uses DJI drones to target missiles, and also locate the operators of Ukrainian DJI drones by their radio signals. In response, the company generally declared the inadmissibility of using its consumer drones for military purposes, and then stopped selling devices both in Russia and Ukraine.
At the same time, the Chinese manufacturer has long been selling a special Aeroscope device to government regulators and law enforcement agencies, which allows you to intercept and decode DroneID data, determining the location of any drone and its operator at a distance of up to 48 km.
Previously, the company emphasized that the DroneID protocol is encrypted and therefore inaccessible to those without an Aeroscope device, which not just anyone can buy. Later, however, cybersecurity researcher Kevin Finisterre demonstrated the interception of some DroneID data using the freely available Ettus SDR. As a result, a DJI representative admitted in an interview with reporters that the transmissions are not actually encrypted.
In their report, German scientists demonstrated that drone signals can indeed be decoded and read without any Aeroscope, which allows you to listen to DroneID to accurately determine the position of both the drone itself and its operator.
As proof of their findings, the research team has published a prototype tool for retrieving and decrypting DroneID data on GitHub.
The researchers went even further than Finisterre: they studied the firmware of the DJI drone and its radio communication, reverse-engineered DroneID and created a tool that can receive DroneID transmissions using the already mentioned Ettus or the cheaper HackRF, which costs only a few hundred dollars (compared to $1,000+ for Ettus devices). As a result, everything Aeroscope can do can be done without it.
Although the researchers have only tested intercepting signals at distances of 15 to 25 feet (4.5 to 7.5 m), they note that they did not even try to increase the distance, since it can be easily extended with additional technical solutions.
Now, security experts and the media are suggesting that, regardless of DJI’s motives for creating DroneID and advertising Aeroscope as the only suitable device for intercepting its signals, the presence of the drone operator’s location in the broadcast and the fact that this data can be easily intercepted (without any Aeroscope) will have a major impact on the use of quadcopters in war zones and other hostile environments.
In the US, they are trying to ban TikTok
In early March, a committee of the US House of Representatives passed a bill that could allow the president to completely ban TikTok in the country. At the end of 2022, the social network was already banned from being installed on government devices in more than 20 states, and some universities blocked it on their campus Wi-Fi networks. Politicians say TikTok, owned by China’s ByteDance and with 150 million U.S. users, could threaten the country’s national security. “Why let a Trojan horse into your fortress? Why bring this capability to the US when the Chinese can manipulate the data we see and either include what they want to show our population (including socially divisive content) or remove what exposes it in a bad light and what they would not like to show the American people?” Such questions were asked by Rob Joyce, head of cybersecurity at the NSA, at the Silverado Accelerator Conference, held at the end of March.
The journalist was sent a flash drive with a bomb
Ecuadorian police are investigating a massive attack on media organizations across the country. A journalist and presenter at Ecuavisa was injured after a USB flash drive he received in the mail exploded when connected to a computer. The same devices were sent to the editors of at least five more Ecuadorian media outlets.
Xavier Chango Llerena, head of criminal investigations at the Ecuadorian national police, said authorities found envelopes containing suspected bombs in the offices of four other media outlets, two in Guayaquil and two in Quito. Another explosive flash drive was found in the warehouse of a parcel delivery company.
Ecuavisa journalist Lenin Artieda suffered injuries to his hands and face as a result of the USB flash drive explosion. According to the police, Artieda was lucky: only half of the charge embedded in the USB drive went off, and the outcome could have been far worse if everything had gone as the attackers had planned.
It is also reported that the explosive device could have been triggered by the electric charge the flash drive received when connected. According to Llerena, the device could contain RDX, although this has not yet been confirmed by laboratory analysis.
The press and free speech advocacy group Fundamedios condemned the attack and said at least three other journalists, including those from TC Televisión, Teleamazonas and Exa FM radio, received such USB sticks and threatening letters in the mail.
In particular, Álvaro Rosero, who works at the Exa FM radio station, received an envelope with a similar flash drive on March 15, 2023. He gave the device to his producer, who used a cable with an adapter to connect the flash drive to his computer. This time, the drive did not explode. The police determined that the device contained explosives, but because of the adapter used by the producer, the charge did not activate.
Information security specialist and engineer Michael Grover, also known by the nickname MG, whom many know as the author of the malicious O.MG cable, demonstrated exploding USB flash drives back in 2018 (only as a PoC and as a joke), and we devoted a large article to MG’s research at the time.
“Even a small flash drive is dangerous with something like Semtex on board and a fast enough fuse. Your hand will be right on the drive when it’s powered up,” Grover explained now. “I can’t say if such attacks were actually used, but it wouldn’t surprise me at all if they were. I know several publications where all mail is scanned for explosives and other dangerous items.”
The researcher says that such attacks, unfortunately, can be very effective for terrorists. MG hopes that what happened will force more publications to scrutinize incoming mail.
Who exactly is sending such a “signal” to journalists remains unclear. Fundamedios writes that one of the messages that accompanied the dangerous flash drives was directed against an unidentified political group, while another said that the drive contained materials that would expose Correísmo (an Ecuadorian political movement named after former President Rafael Correa). In addition, the country has seen a surge in crime over the past few years, which President Guillermo Lasso attributes to drug trafficking (more precisely, to the activities of drug cartels).
Sale of access to enterprise networks
Positive Technologies experts conducted a study of the cyber threats in 2022 that are relevant to industrial organizations. It turned out that the number of accesses to the infrastructure of organizations in this sector put up for sale in 2022 increased from 86 to 122, or more than 40%. Access trading accounted for 75% of all industry-related ads, and prices typically range from $500 to $5,000. The industrial sector attracts even low-skilled criminals with easy money: they obtain initial access and then sell it to more competent attackers to develop the attack further. Over the past four years, this sector has been one of the top three most attacked industries: every tenth successful attack on organizations hits an industrial enterprise. In total, industrial companies recorded 223 incidents caused by malicious attacks, 7% more than in 2021. Most of the incidents (75) occurred in the second quarter of 2022, and almost all attacks (97%) on organizations in this sector were targeted. In most attacks (70%), hackers used malware, in almost half (44%) they used social engineering methods, and in another 43% of cases they exploited software vulnerabilities. 56% of all successful attacks in this sphere led to data leaks, primarily affecting information containing trade secrets and personal data.
Vulnerabilities identified in TPM 2.0
Experts from Quarkslab have discovered two serious vulnerabilities in the Trusted Platform Module (TPM) 2.0 library specification. Issues could allow an authenticated local attacker to overwrite protected data in the TPM, as well as execute arbitrary code. The researchers warn that these issues could affect billions of devices.
The vulnerabilities were identified as CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write). Both problems are related to the processing of parameters of certain TPM commands, which allows an attacker to trigger them by sending crafted commands to the TPM and ultimately execute code.
According to a security bulletin issued by the Trusted Computing Group, the developer of the TPM specification, these buffer overflow vulnerabilities could lead to information disclosure or privilege escalation. The ultimate impact depends on how the manufacturer's implementation lays out the memory adjacent to the affected buffer: whether it is unused or holds live data.
Quarkslab says large tech vendors, organizations that use corporate computers, servers, IoT devices, and embedded systems that include TPM, could be affected by these vulnerabilities. In general, according to the researchers, bugs “can affect billions of devices.”
CERT experts have already said they have been informing vendors about the bugs for several months in an attempt to raise awareness and mitigate the impact. Unfortunately, only a few organizations ended up confirming that they were affected by CVE-2023-1017 and CVE-2023-1018.
So far, Lenovo is the only major OEM vendor to have issued its own security advisory; it warned that CVE-2023-1017 affects some of the company’s systems running Nuvoton TPM 2.0 chips.
CERT warns that exploiting these vulnerabilities either allows read access to sensitive data or allows overwriting of normally protected data that is only accessible to the TPM (such as cryptographic keys).
All affected vendors need to migrate to the corrected version of the specification:
TPM 2.0 v1.59 Errata version 1.4 or higher;
TPM 2.0 v1.38 Errata version 1.13 or higher;
TPM 2.0 v1.16 Errata version 1.6 or higher.
Users are encouraged to apply updates released by the Trusted Computing Group and other vendors as soon as possible.
In highly trusted computing environments, users are also advised to consider using TPM Remote Attestation to detect any changes and ensure that the TPM is not tampered with.
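As an added illustration of the bug class the advisory describes (a sized command parameter whose declared length is not checked against the bytes actually received), here is a bounds-checked parser for a TPM2B-style parameter; this is example code written for this digest, not code from Quarkslab, the TCG reference implementation or any vendor firmware. The TPM2B layout (16-bit big-endian size, then payload) is real; the sample commands and function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* A TPM2B-style sized parameter: 16-bit big-endian length, then payload. */
typedef struct {
    uint16_t size;
    const uint8_t *data;   /* view into the command buffer, not a copy */
} tpm2b_view;
enum parse_rc { PARSE_OK = 0, PARSE_NO_SIZE_FIELD = 1, PARSE_SIZE_EXCEEDS_COMMAND = 2 };

/* Parse one sized parameter at *offset; advances *offset only on success. */
enum parse_rc parse_tpm2b(const uint8_t *cmd, size_t cmd_len,
                          size_t *offset, tpm2b_view *out)
{
    /* Check 1: both length bytes must lie inside the received command;
     * skipping it means reading the length field out of bounds. */
    if (*offset > cmd_len || cmd_len - *offset < 2)
        return PARSE_NO_SIZE_FIELD;
    uint16_t size = (uint16_t)(((uint16_t)cmd[*offset] << 8) | cmd[*offset + 1]);
    /* Check 2: the declared payload must fit in the bytes that remain;
     * without it, a later in-place transform of the parameter (such as
     * session parameter decryption) reads and writes past the buffer. */
    if (cmd_len - *offset - 2 < size)
        return PARSE_SIZE_EXCEEDS_COMMAND;
    out->size = size;
    out->data = cmd + *offset + 2;
    *offset += 2u + size;
    return PARSE_OK;
}

/* Walk every sized parameter in a command body: returns the parameter
 * count, or the negated parse error if the command is malformed. */
int count_tpm2b_params(const uint8_t *cmd, size_t cmd_len)
{
    size_t off = 0;
    int n = 0;
    while (off < cmd_len) {
        tpm2b_view v;
        enum parse_rc rc = parse_tpm2b(cmd, cmd_len, &off, &v);
        if (rc != PARSE_OK)
            return -(int)rc;   /* reject the whole command, touch nothing */
        n++;
    }
    return n;
}

/* Constructed sample commands (not real TPM traffic): two parameters each. */
static const uint8_t GOOD_CMD[] = { 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x01, 'z' };
static const uint8_t BAD_CMD[]  = { 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x10, 'z' }; /* claims 16, has 1 */
static const uint8_t CUT_CMD[]  = { 0x00, 0x03, 'a', 'b', 'c', 0x00 };           /* half a length field */
```

The two rejected samples are exactly the shapes an unchecked parser would read or write beyond: a payload length larger than the remaining command, and a length field that is itself truncated.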
Malicious objects are blocked on 39% of ICS computers
Analysts at Kaspersky ICS CERT have calculated that in the second half of 2022, malicious objects were blocked on 39% of computers in automation systems in Russia. Worse, Russia is among the top three regions in the world in terms of the share of blocked malicious objects on ICS computers. The growth compared to the first half of the year amounted to 9 percentage points, the most significant change among all the regions studied. Experts attribute this growth to an increase in the proportion of ICS computers that were attacked by malicious objects from the Internet: their number increased by 12 percentage points compared to the first half of the year. These threats include malicious scripts and phishing pages (JS and HTML). They were blocked on almost every fifth ICS computer (18%).
SberSpasibo data is publicly available
Information security researchers reported that two parts of the dump appeared in the public domain, presumably obtained from the mobile application of the SberSpasibo bonus program (spasibosberbank.ru).
According to Data Leakage & Breach Intelligence (DLBI) experts, the information was leaked by the same attacker behind the recent SberPravo and SberLogistics data leaks. In total, 51,977,405 unique phone numbers and 3,298,456 unique email addresses were made public.
The structure of both dumps is the same: the dumps contain phone numbers, dates of birth, dates of registration in the service, the date of the last login, as well as hashed (SHA-1 without salt) bank card numbers, both primary and secondary.
Already at the time of the first leak, experts warned that, although bank card numbers are stored in one of the files in hashed form, the use of the outdated SHA-1 algorithm without a salt means it will not be difficult to “restore” the real card numbers by simple brute-force enumeration. In the first dump alone, experts counted 100,092,292 unique hashes.
A selective check of bank card numbers (through card-to-card transfers) showed that some of them are valid and transfers to them are possible, while some cards are apparently already inactive, since transfers are impossible.
Representatives of SberSpasibo told the media that they would check information about a possible leak:
“We are checking the information and its authenticity. Reports like this are common and are usually associated with scammers who are trying to sell compilations of old databases under the guise of original ones,” the company said.
* Owned by Meta, whose activities are recognized as extremist and banned in Russia.