CWN #17 - 2023 Week 49

Notifications flying around

Happy 10-year anniversary to HIBP!

Troy Hunt is celebrating 10 years of “Have I Been Pwned?” with a history of everything that happened through the years https://www.troyhunt.com/a-decade-of-have-i-been-pwned/

⚙️ And if you've never heard of it, try his “Password Purgatory” for some fun https://github.com/troyhunt/password-purgatory

Generative AI eases the generation of scam websites

An interesting post from Sophos, who tried to generate fake websites with Auto-GPT.

They managed to task several agents (data, image, …) and create fully functional websites that could trick users into entering credentials, card data, … Although the 3 examples are convincing for “simple” e-commerce websites, we don’t know how many retries it took (nor the amount and time spent) to generate these websites.

Hackers didn’t wait for the broad availability of LLMs (Large Language Models) to generate fake websites (or just take over an almost abandoned and unpatched WordPress...), but LLMs could ease the process and make it harder for defenders to identify all these malicious websites.

This FUD post is lacking at least 1-2 practical ideas on how to defend against this “new threat” other than “a new AI co-pilot”, and a reminder that, for attackers, one of their big hurdles is having to manage their infrastructure, something LLMs can’t do…

📰 Head to their blog to see what they were able to generate https://news.sophos.com/en-us/2023/11/27/the-dark-side-of-ai-large-scale-scam-campaigns-made-possible-by-generative-ai/

Thread pools abused to bypass EDRs

SafeBreach Labs researchers developed 8 new process injection techniques using Windows thread pools: they were able to trigger malicious execution across all processes without limitations or detection by 5 EDRs (Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint and Cybereason EDR). The exploits were disclosed to these vendors to let them fix their products before this announcement.

EDRs are able to detect more attacks than standard EPPs, but this is another example that their detection approach isn’t generic enough and should not be considered bulletproof. You're still relying on the effectiveness of the R&D department of your EDR vendor.

📘 The researchers' talk at Black Hat Europe 2023 https://www.blackhat.com/eu-23/briefings/schedule/index.html#the-pool-party-you-will-never-forget-new-process-injection-techniques-using-windows-thread-pools-35446

⚙️ Details and code of the exploits https://github.com/SafeBreach-Labs/PoolParty

🧠 The research https://www.safebreach.com/blog/process-injection-using-windows-thread-pools

Push notifications abused to spy on end-users

Senator Ron Wyden warned that (non-US) officials have been demanding data from Apple and Google to track smartphones through push notifications. Indeed, the traffic that carries push notifications between apps, servers and smartphones puts the 2 giants in a unique position to facilitate government surveillance of how users are using particular apps (by at least analysing the metadata), or even the collection of sensitive data if notifications display this kind of info…

Users don’t have many avenues to prevent this abuse: limit the number of notifications and disable the ones with potentially sensitive data.

Other remediations fall to Google, Apple, developers and regulators: provide better transparency about such requests by governments, enhance the privacy of apps, change policies so these requests are fairly limited…

Some articles:

📰 https://www.cnbc.com/2023/12/06/apple-and-google-phone-users-spied-on-through-phone-push-notifications.html

📰 https://www.wyden.senate.gov/news/press-releases/wyden-seeks-answers-from-justice-department-on-alleged-surveillance-of-apple-and-google-mobile-push-notifications

📰 https://www.wired.com/story/apple-google-push-notification-surveillance/

📰 https://www.macrumors.com/2023/12/06/apple-governments-surveil-push-notifications/

What is quishing?

It’s a new name for a slight variation on attackers’ favourite technique: phishing with QR codes.

Attackers simply create QR codes for malicious purposes in phishing emails, digital ads, social media, or even posters in common areas. These “quishing” attempts work well due to users' trust in QR codes, and their convenience in redirecting users to malicious sites (in order to steal login credentials, financial information, and so on…).

The recommendations to protect specifically against these attacks are the same as for emails or webpages: be suspicious of QR codes and don’t randomly scan anything that comes around you…

📰 https://slashnext.com/blog/malicious-use-of-qr-codes-on-the-rise-through-quishing-attacks/

Binarly discovers new UEFI vulnerabilities

LogoFAIL is a set of high-impact security vulnerabilities discovered by Binarly, affecting different image parsing libraries used in the system firmware during the device boot process. LogoFAIL targets UEFI-specific code, which means it affects both x86 and ARM devices. These vulnerabilities allow attackers to compromise devices using malicious logo images, likely by abusing the firmware update procedure to replace the legitimate logo with a malicious version. Attacks through physical access may also be possible, using an SPI flash programmer.

Binarly states “LogoFAIL differs from BlackLotus or BootHole threats because it doesn’t break runtime integrity by modifying the bootloader or firmware component.” and “an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot).”

Update your firmware ASAP to remove these vulnerable image parsers!

📰 Head to their post https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/

🧠 The full technical details presented at Black Hat Europe 2023 http://i.blackhat.com/EU-23/Presentations/EU-23-Pagani-LogoFAIL-Security-Implications-of-Image_REV2.pdf
