This posting is here to collect cyber security news in October 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
108 Comments
Tomi Engdahl says:
Endpoint Security
Microsoft’s Take on Kernel Access and Safe Deployment Following CrowdStrike Incident
SecurityWeek talked to David Weston, VP enterprise and OS security at Microsoft, to discuss Windows kernel access and safe deployment practices
https://www.securityweek.com/microsofts-take-on-kernel-access-and-safe-deployment-practices-following-crowdstrike-incident/
As the dust settles following the massive Windows BSOD tech outages caused by CrowdStrike in July 2024, the question is now, how do we prevent this happening again? Microsoft convened a summit with members of its Microsoft Virus Initiative (MVI – of which CrowdStrike is one) to discuss a problem that has no simple solution.
SecurityWeek talked to David Weston, VP enterprise and OS security at Microsoft, for a better understanding of Microsoft’s current thinking and plans.
The CrowdStrike incident
Simplistically, back in February 2024, CrowdStrike introduced a new InterProcess Communication (IPC) Template Type with Falcon sensor version 7.1 that defined 21 input fields. CrowdStrike’s rapid response mechanism uses content delivered via Channel Files. The content interpreter for the Channel File 291 provided only 20 input values to match against.
David Weston, VP enterprise and OS security at Microsoft.
On July 19, 2024, two additional IPC Template Instances were deployed. This required a comparison against the 21st value when only 20 were expected. In CrowdStrike’s words, “The attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash.”
From a technical perspective, Microsoft was as much a victim of this incident as were the endpoints that suffered the BSOD – Microsoft had no direct involvement. The CrowdStrike kernel driver had been evaluated and signed by the Microsoft Windows Hardware Quality Labs (WHQL) after a full evaluation. The cause of the crash was not the driver per se, but the content passed from outside of the kernel to the driver.
“That’s something Microsoft would never have seen. It traversed Microsoft. It’s not documented. Microsoft doesn’t know what’s in that file. It’s a binary code that only CrowdStrike knows how to interpret,” explained Weston.
While there was no current way Microsoft could have prevented this incident, the OS firm is obviously keen to prevent anything similar happening in the future.
The advantage of having a driver within the kernel for third party security providers is clear: greater security for themselves (and by extension, the users) and better performance. The disadvantage is the damage that can be done from a failure in the kernel is more extensive and less easy to reverse.
“is that if you crash in the kernel, you take down the whole machine. If you crash an app in user mode, we can generally recover it.” This is an argument for maximizing the use of user mode and minimizing the use of kernel mode. It would benefit Microsoft’s own Windows customers, but Weston further suggests that some of the third party software vendors would also welcome the opportunity to employ a user mode component. “Microsoft is now investing in a capability to do that.”
This has already raised several concerns. Is Microsoft intending to increase user mode as an option, or is it intending to phase out third party kernel drivers? Noticeably, ESET (one of the MVI summit attendees), commented at the time, “It remains imperative that kernel access remains an option for use by cybersecurity products.”
Pressed on this, Weston admitted that some vendors are concerned that Microsoft may kick them out of the kernel. “Can user mode framework be as good as the access they currently have in terms of performance, etcetera? These are valid concerns. But at this point, we have no plans to revoke kernel access from anyone. It doesn’t mean that can’t change in the future, but we have no plans to do that. Our goal is to create an equivalent, and an option, for user mode.”
While ‘to kernel or not to kernel’ may be the issue that catches attention, Weston believes it is the smaller part of a two-part problem. Of greater importance is software testing prior to deployment – and the use of safe deployment practices (SDP).
Safe Deployment Practices
“Whether your security product is in the kernel or operating as an app,” explained Weston, “you can still destroy the machine or make it unavailable. If you’re operating as an app and you delete the wrong file, you can cause the machine not to boot. That alone proves the argument that effective SDP is the better ROI in terms of protecting an incident, because whether you’re in kernel or user mode, you must have SDP to avoid accidental outage.”
SDPs are not a new idea. USENIX published a paper out of Utrecht university in 2004 titled ‘A Safe and Policy-Free System for Software Deployment’. Its opening line reads, “Existing systems for software deployment are neither safe nor sufficiently flexible.” This problem with SDPs has yet to be solved, and such a solution is an important aspect of Microsoft’s plans to limit future outages.
This was discussed at some length at the MVI summit. “We face a common set of challenges in safely rolling out updates to the large Windows ecosystem, from deciding how to do measured rollouts with a diverse set of endpoints to being able to pause or rollback if needed. A core SDP principle is gradual and staged deployment of updates sent to customers,” comments Weston in a blog on the summit.
Agreeing and requiring a minimum set of safe deployment practices from partners is one thing; ensuring that those partners employ the agreed SDP is another. “Technical enforcement would be a challenge,” he said. “Transparency and accountability seem to be the best methodology for now.”
It’s not like Microsoft has no teeth. If it finds that a partner has ignored the SDP, it can withdraw signing any kernel driver.
“My TLDR,” Weston told SecurityWeek, “is that SDP is the best tool we have in the toolbox for stopping outages. Kernel mode, user mode – not saying those are invalid, just saying those are a much smaller part of the problem. SDP can help prevent outages both inside and outside of the kernel.”
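The template/input count mismatch described above, as an added example that is not CrowdStrike's or Microsoft's code: a constructed content interpreter in C, with the unchecked matcher beside a version that rejects content at the trust boundary instead of indexing beyond the supplied input. The struct layouts, the wildcard match semantics and the `run_scenario` helper are assumptions for illustration.

```c
/* Added example, not CrowdStrike's or Microsoft's code. Struct layouts,
 * field counts and values are constructed to illustrate the bug class. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TEMPLATE_FIELDS 21   /* fields the template type defines */
#define CHANNEL_INPUTS  20   /* values the channel-file interpreter supplies */
#define WILDCARD UINT32_MAX  /* pattern entry that matches any value */

typedef struct { size_t nfields; uint32_t pattern[TEMPLATE_FIELDS]; } template_t;
typedef struct { size_t nvalues; uint32_t values[CHANNEL_INPUTS]; } input_t;

/* Unchecked: trusts the template's field count when indexing the input.
 * With nfields == 21 and nvalues == 20 the last iteration reads past the
 * end of values[]. Shown for contrast only; nothing below calls it. */
int match_unchecked(const template_t *t, const input_t *in)
{
    for (size_t i = 0; i < t->nfields; i++)
        if (t->pattern[i] != WILDCARD && t->pattern[i] != in->values[i])
            return 0;
    return 1;
}

/* Checked: validate both counts where untrusted content enters, before any
 * indexing. Returns 1 on match, 0 on no match, -1 when the content is
 * rejected because the template would index beyond the supplied input. */
int match_checked(const template_t *t, const input_t *in)
{
    if (t->nfields > TEMPLATE_FIELDS || in->nvalues > CHANNEL_INPUTS ||
        t->nfields > in->nvalues)
        return -1;
    for (size_t i = 0; i < t->nfields; i++)
        if (t->pattern[i] != WILDCARD && t->pattern[i] != in->values[i])
            return 0;
    return 1;
}

/* Build a template of nfields wildcards with field 0 pinned to `first`,
 * an input of nvalues zero values, and run the checked matcher. */
int run_scenario(size_t nfields, size_t nvalues, uint32_t first)
{
    template_t t; input_t in;
    memset(&t, 0, sizeof t); memset(&in, 0, sizeof in);
    t.nfields = nfields;
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) t.pattern[i] = WILDCARD;
    t.pattern[0] = first;
    in.nvalues = nvalues;
    return match_checked(&t, &in);
}
```

With 21 template fields against 20 input values the checked matcher returns -1 and the content is rejected before any out-of-bounds access; with matching counts it behaves as a normal matcher.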
Tomi Engdahl says:
CEO: Fortum faces cyberattacks daily
Fortum is targeted daily by cyberattacks and intrusion attempts in both Finland and Sweden.
https://www.iltalehti.fi/digiuutiset/a/d636452f-e693-4a3d-9f9a-4ce0c063e660
Fortum is targeted by cyberattacks daily.
Fortum's operations in both Finland and Sweden are continuously targeted by cyberattacks and intrusion attempts, CEO Markus Rauramo tells Reuters.
Earlier this year, the satellite connections of its power plants were also disrupted. In addition, drones have been observed near the plants and reported to the authorities.
Although the number of attacks has risen, it has hardly affected Fortum's ability to operate. Rauramo says the company has invested in mitigating and countering the harm caused by cyber threats. It also cooperates with the authorities.
According to the Finnish Security and Intelligence Service (Supo), the number of cyberattacks and operations of various kinds targeting critical infrastructure has risen since spring 2022, when relations with Russia deteriorated. The Swedish Security Service Säpo also tells Reuters that Russian intelligence activity has increased and become more aggressive and bolder.
Tomi Engdahl says:
The Register: US and UK govts warn: Russia scanning for your unpatched vulnerabilities > https://go.theregister.com/feed/www.theregister.com/2024/10/12/russia_is_targeting_you_for/, 2024-10-12 03:05:11 +0000
#2600net #irc #secnews #cybersecurity #patch
Tomi Engdahl says:
OpenAI confirms threat actors use ChatGPT to write malware
https://www.bleepingcomputer.com/news/security/openai-confirms-threat-actors-use-chatgpt-to-write-malware/?fbclid=IwZXh0bgNhZW0CMTEAAR10pJvi-YZuSm-HzK3hsSlFF79hkFw9AVLUaLdlWYBHJTMNlw-Pk6XotyI_aem_317dZ4NZ-dgS3fuzvgdB_A
OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks.
The report, which focuses on operations since the beginning of the year, constitutes the first official confirmation that generative mainstream AI tools are used to enhance offensive cyber operations.
The first signs of such activity were reported by Proofpoint in April, who suspected TA547 (aka “Scully Spider”) of deploying an AI-written PowerShell loader for their final payload, Rhadamanthys info-stealer.
Tomi Engdahl says:
It’s 2024 And Your Laptop Can Be Hacked With A BBQ Lighter
https://www.forbes.com/sites/daveywinder/2024/10/12/its-2024-and-your-laptop-can-be-hacked-with-a-bbq-lighter/?fbclid=IwY2xjawF4PsFleHRuA2FlbQIxMQABHQ7L0o4zoqCeX1sULE4sZeg-m-4J2gQbATx3H-rjU0Pdeb9AbLVlJZ5A8Q_aem_0x5ChurcrKTZHNJb73ubhQ
What’s the first thing you think of in 2024 when someone talks about the tools needed to hack your laptop? Malware, probably. A hardware device, possibly. A piezo-electric BBQ lighter, err, what? No, seriously, one hacker has detailed exactly how they managed to get root using just such a device. Here’s how it was done.
Can You Get Root With Only A Cigarette Lighter?
TL;DR. Yes, yes, you can. But please don’t stop here, as this really is a fascinating exploration into how the hacking mindset works.
“Before you can write an exploit,” Buchanan said, “you need a bug.” But what if, as unlikely as it may sound to regular readers, there are no bugs? “When there are no bugs,” Buchanan continued, “we have to get creative—that’s where Fault Injection comes in.” So, what is fault injection? Simply put, it can be anything that you introduce to the target system that can be exploited, including software-controlled data corruption, power glitching and, importantly in the case of the BBQ lighter hack, electromagnetic pulses.
Buchanan opted to use an Intel i3-powered Samsung S3520 laptop from his junk pile as the target device for this hacking experiment. Let’s be clear from the get-go: this is not a new laptop, it dates from 2011. That said, running a desktop Linux installation, Arch in this case, is perfect as a test case.
The hacker decided to inject a fault on one of the 64 DQ pins (the data-in pin is usually called D and the data-out one Q) on the laptop memory module. “I figured that if I could inject faults on one of these pins,” Buchanan said, “I could do something interesting.”
And interesting it was.
He soldered a single resistor and wire to DQ pin 26. That was it. This created a simple antenna which is capable of picking up nearby electromagnetic interference.
Buchanan discovered that clicking the lighter in the general vicinity of the antenna wire he had created was enough to reliably trigger the memory errors he was looking to exploit.
Tomi Engdahl says:
https://www.reddit.com/r/hardwarehacking/comments/1fyytp2/can_you_get_root_with_only_a_cigarette_lighter/
Tomi Engdahl says:
https://www.da.vidbuchanan.co.uk/blog/dram-emfi.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/?fbclid=IwZXh0bgNhZW0CMTEAAR1a_LOMEAR5zecTbQY4jrv2F1HCDnifDBpGGy_vjtU7sltikEZ_Li5uAZ8_aem_gjoMOeFN6mlzPOuI4onSoQ