Säkerhetspodcasten #265 - Ostrukturerat V.34

Listen

  • mp3, length: 01:10:58

CrowdStrike

8.5 million Windows computers running CrowdStrike blue-screened.

For about an hour, a bad Channel File 291 was being pushed out that made customers' CrowdStrike driver crash inside Windows kernel mode.

This story has EVERYTHING: RegExp, null pointers, memory mapping, kernel mode, CI/CD, Continuous Delivery, DevOps, risk analysis …

Official responses from CrowdStrike:

CrowdStrike Lingo:

The processing of regex-based Rapid Response Content on the sensor involves several components:

  • Content Interpreter: Part of the sensor C++ code, which can test input strings against regexes.
  • Template Types: Contain predefined fields for threat detection engineers to leverage in Rapid Response Content. Template Types are expressed in code and compiled into the sensor at build time.
  • Template Type Definitions file: Defines the parameters of each Template Type. Definitions in this file include information about which Channel File will deliver the Rapid Response Content for each Template Type, how many inputs the Template Type is meant to use and what kind of data is required for each input.
  • Sensor Content: Determines how to combine security-relevant data with Rapid Response Content in order to make certain detection decisions. Sensor Content includes on-sensor AI and machine learning models as well as Template Types. It is compiled as part of the sensor release.
  • Template Instances: Matching criteria developed by detection engineers. Template Instances consist of regex content intended for use with a specific Template Type. Template Instances identify specific data for use in security operations. Template Instances are defined using a UI driven by the Template Type Definitions file.
  • Rapid Response Content: Consists of multiple Template Instances bundled together. Rapid Response Content is delivered by channel file.
  • Content Validator: Checks the validity of channel files against their definition in the Template Type Definitions file.
  • Content Configuration System: Used to create Template Instances, which are validated and deployed to the sensor through a mechanism called Channel Files.
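The pipeline described in the list above has two places where input counts matter: the Content Validator, which checks a channel file against the Template Type Definitions before deployment, and the Content Interpreter on the sensor, which feeds observed data into the instance regexes. The following is an added example written for these notes, not CrowdStrike's code: the file layouts, field names and the channel-file and template-type values are constructed, and the point it makes is the general one that both sides must agree on the number and kind of inputs before anything is indexed.

```python
"""Content validation for regex-based Rapid Response Content (added example).

Layouts, field names and values below are constructed for illustration and are
not CrowdStrike's real file formats.
"""
import json
import re

# Constructed Template Type Definitions file: for each Template Type, which
# Channel File carries its content, how many inputs it takes, and what kind
# of data each input must be.
TEMPLATE_TYPE_DEFINITIONS = json.dumps({
    "template_types": {
        "named_pipe_ipc": {
            "channel_file": "C-00000291",
            "input_count": 2,
            "input_kinds": ["regex", "regex"],
        }
    }
})

# Constructed Channel File with three Template Instances. "good" is well
# formed; "too_many_inputs" supplies one input more than the type declares;
# "broken_regex" carries a regex that does not compile.
CHANNEL_FILE = json.dumps({
    "channel_file": "C-00000291",
    "template_instances": [
        {"id": "good", "template_type": "named_pipe_ipc",
         "inputs": [r"^\\\\\.\\pipe\\", r"evil.*"]},
        {"id": "too_many_inputs", "template_type": "named_pipe_ipc",
         "inputs": [r"^\\\\\.\\pipe\\", r"evil.*", r"extra"]},
        {"id": "broken_regex", "template_type": "named_pipe_ipc",
         "inputs": [r"^\\\\\.\\pipe\\", r"evil("]},
    ],
})


def load_template_type(definitions_json, name):
    """Return one Template Type definition from the definitions file."""
    return json.loads(definitions_json)["template_types"][name]


def load_instance(channel_json, instance_id):
    """Return one Template Instance from a channel file by its id."""
    for inst in json.loads(channel_json)["template_instances"]:
        if inst["id"] == instance_id:
            return inst
    raise KeyError(instance_id)


def validate_channel_file(channel_json, definitions_json):
    """Content Validator role: return a list of (instance_id, problem) tuples.

    An empty list means every instance matches its Template Type definition
    and every regex compiles, so the file may be deployed.
    """
    defs = json.loads(definitions_json)["template_types"]
    chan = json.loads(channel_json)
    problems = []
    for inst in chan["template_instances"]:
        ttype = defs.get(inst["template_type"])
        if ttype is None:
            problems.append((inst["id"], "unknown Template Type"))
            continue
        if ttype["channel_file"] != chan["channel_file"]:
            problems.append((inst["id"], "instance delivered via wrong Channel File"))
        inputs = inst["inputs"]
        if len(inputs) != ttype["input_count"]:
            problems.append((inst["id"],
                             f"expected {ttype['input_count']} inputs, got {len(inputs)}"))
            continue
        for idx, (kind, value) in enumerate(zip(ttype["input_kinds"], inputs)):
            if kind == "regex":
                try:
                    re.compile(value)
                except re.error as exc:
                    problems.append((inst["id"], f"input {idx} is not a valid regex: {exc}"))
            elif not isinstance(value, str):
                problems.append((inst["id"], f"input {idx} must be a string"))
    return problems


def evaluate_instance(instance, template_type, observed_values):
    """Content Interpreter role: test observed data against one instance.

    The count check guards the sensor side: if the data the sensor actually
    provides does not match what the Template Type declares, refuse to
    evaluate instead of indexing past the values that exist.
    """
    expected = template_type["input_count"]
    if len(observed_values) != expected or len(instance["inputs"]) != expected:
        raise ValueError("input count mismatch between sensor data and Template Type")
    return all(re.search(pattern, value) is not None
               for pattern, value in zip(instance["inputs"], observed_values))


if __name__ == "__main__":
    for problem in validate_channel_file(CHANNEL_FILE, TEMPLATE_TYPE_DEFINITIONS):
        print("REJECT", problem)
```

The validator rejects a file as a whole as soon as any instance disagrees with its definition; the interpreter refuses to run rather than reading past the inputs it was given. Both checks are cheap, and running the rejected file through the interpreter in a staging ring before a fleet-wide push is what turns a bad channel file into a failed build instead of a fleet of blue screens.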

Other sources:

RegreSSHion

SSH reintroduced a race condition where the signal (SIGALRM) handler can cause heap corruption.

ASLR makes the bug impractical to exploit without an info leak.

Polyfill

The Polyfill domain was backdoored and attacked vulnerable clients.

Hardware: ARM magic pointers are not magic

TikTag-v2 finds the “color” of a pointer via Spectre-like gadgets.

Experimental results show that TIKTAG gadgets can successfully leak an MTE tag with a success rate higher than 95% in less than 4 seconds.

TikTag gadgets can be had from v8/JavaScript, so “exploitable for real”(TM)!

Hardware: 200+ Secure Boot platforms trust the DO NOT TRUST keys

It is almost as if the CN=DO NOT TRUST - AMI Test PK certificate should not be used as a root of trust?

GitHub never forgets

E-mail fraud worth USD 60M

Orion lost USD 60M, roughly 620 MSEK, to fraud.

Item 8.01 Other Events.

On August 10, 2024, Orion S.A. (the “Company”) determined that a Company employee, who is not a Named Executive Officer, was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.

As a result of this incident, and if no further recoveries of transferred funds occur, the Company expects to record a one-time pre-tax charge of approximately $60 million for the unrecovered fraudulent wire transfers.

The Company has cooperated, and will continue to cooperate, with law enforcement as appropriate, and intends to pursue recovery of these funds through all legally available means, including potentially available insurance coverage.

To date, the Company has not found any evidence of additional fraudulent activity and currently does not believe the incident resulted in any unauthorized access to data or systems maintained by the Company.

However, the Company’s investigation into the incident and its impacts on the Company, including its internal controls, remains ongoing.

The business and operations were not affected.

Articles:

E-mail addresses are evil

MailCleaner uses e-mail addresses in the filesystem, in system() calls, and more.

E-mail addresses can contain pretty much anything…
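The two sinks named above, file names and system() calls, are where an address stops being data and starts being syntax. The following is an added example for these notes, not MailCleaner's code: it shows one way to keep an address as data in both places, with a strict allow-list check, a hashed per-recipient directory, and an argv list instead of a shell string. The program path /usr/local/bin/deliver and the quarantine base directory are hypothetical.

```python
"""Handling e-mail addresses that end up in file names and external commands
(added example, not MailCleaner's code). Paths and program names are hypothetical.
"""
import hashlib
import re
import subprocess
from pathlib import Path

# Deliberately conservative grammar for addresses this service will act on.
# RFC 5322 allows far more (quoted local parts with spaces, comments, almost
# any printable character), which is exactly why an address must be treated
# as untrusted data rather than as a path component or a shell word.
ADDRESS_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._%+-]{0,62}[A-Za-z0-9])?"     # local part
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"   # domain labels
    r"[A-Za-z]{2,63}$"                                         # TLD
)


def is_acceptable_address(addr):
    """Allow-list check: plain addresses pass, everything else is refused."""
    return len(addr) <= 254 and ADDRESS_RE.fullmatch(addr) is not None


def quarantine_dir(base, addr):
    """Per-recipient directory whose name never contains the address itself.

    Hashing the normalised address yields a fixed-alphabet name, so '/', '..'
    or any other character in the address cannot influence the path.
    """
    digest = hashlib.sha256(addr.strip().lower().encode("utf-8")).hexdigest()
    return Path(base) / digest[:2] / digest


def shell_string_command(addr):
    """The risky shape: the address is spliced into a string a shell will parse.

    Returned only for contrast; nothing in this module executes it.
    """
    return f"/usr/local/bin/deliver --to {addr}"  # hypothetical program


def argv_command(addr):
    """The safe shape: one argv element per argument, no shell involved."""
    return ["/usr/local/bin/deliver", "--to", addr]  # hypothetical program


def deliver(addr, runner=subprocess.run):
    """Validate first, then run with an argv list and shell=False.

    `runner` is injectable so the flow can be exercised without the program.
    """
    if not is_acceptable_address(addr):
        raise ValueError(f"refusing to act on address: {addr!r}")
    return runner(argv_command(addr), shell=False, check=True)


if __name__ == "__main__":
    for candidate in ["alice@example.com", "a;b@example.com", '"john doe"@example.com']:
        print(candidate, "->", "accept" if is_acceptable_address(candidate) else "reject")
    print(quarantine_dir("/var/quarantine", "Alice@Example.com"))
```

The allow-list is stricter than the RFC on purpose: a mail filter that refuses an exotic but valid address loses one message, while one that passes it to a shell or the filesystem loses the host. Where the full RFC grammar must be accepted, the hashing and argv rules still hold; only the validation step changes.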

Jenkins!

  • Jenkins Security Advisory 2024-08-07
    • Arbitrary file read vulnerability through agent connections can lead to RCE SECURITY-3430 / CVE-2024-43044 Critical
    • Missing permission check allows accessing other users’ “My Views” SECURITY-3349 / CVE-2024-43045 Medium

ESXi Ransomware

Ransomware groups in the wild have taken over ESX environments from Windows by creating the group “ESX Admins” or renaming existing groups.

net group "ESX Admins" /domain /add
net group "ESX Admins" username /domain /add
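Both moves described above, creating the group and renaming an existing one, leave a trace in the Windows Security log on the domain controller: a security-enabled group creation event (4727 global, 4731 local, 4754 universal) or a group change event (4737, 4735, 4755) whose changed SAM Account Name attribute carries the new name. The following detection is an added example for these notes, not a tool the episode refers to; the events are constructed dicts using the EventData field names of the Security log, not real telemetry.

```python
"""Detecting "ESX Admins" group creation or renaming in Windows Security events
(added example). Event records are constructed dicts using the EventData field
names of the Windows Security log; the sample is not real telemetry.
"""
import re

# Security-enabled group creation and change events. Creations from
# `net group ... /domain /add` land as 4727 on the domain controller; a rename
# of an existing group shows up as a "changed" event whose SamAccountName
# attribute carries the new name ("-" when that attribute did not change).
GROUP_CREATED = {4727: "global", 4731: "local", 4754: "universal"}
GROUP_CHANGED = {4737: "global", 4735: "local", 4755: "universal"}

TARGET_GROUP = "ESX Admins"

# Constructed sample: one benign creation, one suspicious creation, one rename
# into the target name with odd casing, one unrelated change, and a user
# (not group) creation that happens to use the same name.
SAMPLE_EVENTS = [
    {"EventID": 4727, "TargetUserName": "Finance", "SubjectUserName": "admin01"},
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4737, "TargetUserName": "Print Operators Legacy",
     "SamAccountName": "esx admins", "SubjectUserName": "svc_backup"},
    {"EventID": 4737, "TargetUserName": "Finance",
     "SamAccountName": "-", "SubjectUserName": "admin01"},
    {"EventID": 4720, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
]


def normalise(name):
    """SAM names are case-insensitive; collapse whitespace so 'ESX  Admins' also hits."""
    return re.sub(r"\s+", " ", name or "").strip().casefold()


def detect_esx_admins(events, target=TARGET_GROUP):
    """Return one alert dict per event that creates or renames a group to `target`."""
    wanted = normalise(target)
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid in GROUP_CREATED and normalise(ev.get("TargetUserName")) == wanted:
            alerts.append({"EventID": eid, "action": "created",
                           "scope": GROUP_CREATED[eid],
                           "group": ev.get("TargetUserName"),
                           "by": ev.get("SubjectUserName")})
        elif eid in GROUP_CHANGED and normalise(ev.get("SamAccountName")) == wanted:
            alerts.append({"EventID": eid, "action": "renamed",
                           "scope": GROUP_CHANGED[eid],
                           "group": ev.get("SamAccountName"),
                           "previous": ev.get("TargetUserName"),
                           "by": ev.get("SubjectUserName")})
    return alerts


if __name__ == "__main__":
    for alert in detect_esx_admins(SAMPLE_EVENTS):
        print(alert)
```

Comparison is case-insensitive and whitespace-normalised because SAM account names are matched that way, so a group created as "esx admins" is the same group. The log side is only half of the control: on the ESXi hosts the advanced settings Config.HostAgent.plugins.hostsvc.esxAdminsGroup and Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd decide which AD group is granted admin rights and whether that mapping happens automatically, and reviewing them tells you whether a newly created group would actually have been honoured.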