There has been a rash of cryptocurrency thefts targeting some unexpected victims. Over $35 million has been drained from just over 150 individuals, and the list reads like a who’s-who of the least likely to fall for the normal crypto scams. There is a pattern that has been noticed, that almost all of them had a seed phrase stored in LastPass this past November when the entire LastPass database was breached.

The bulletproof security of the LastPass system depends in part on the rate limiting of authenticating with the LastPass web service. Additionally, accounts created before security improvements in 2018 may have had master passwords shorter than 12 characters, and the hash iterations on those accounts may have been set distressingly low. Since attackers have had unrestricted access to the database, they’ve been able to run offline attacks against accounts with very low iterations, and apparently that approach has been successful.

Microsoft’s Signing Key

You may remember a story from a couple months ago, where Microsoft found the Chinese threat group, Storm-0558, forging authentication tokens using a stolen signing key. There was a big open question at that point, as to how exactly an outside group managed to access such a signing key.

This week we finally get the answer. A crash log from 2021 unintentionally included the key, and Microsoft’s automated redaction system didn’t catch it. That crash dump was brought into development systems, and an engineer’s account was later accessed by Storm-0558. That key should not have worked for enterprise accounts, but a bug in a Microsoft key validation allowed the consumer systems key to work for enterprise accounts. Those issues have been fixed, but after quite a wild ride.

MSI Keys Demonstrated

In March MSI suffered a major breach, and among the pilfered data was MSI’s BootGuard private key. The Hardcore Matrix team has put together an attack chain that uses these keys to inject a custom module into the UEFI boot image.

Forgot The Key Generation

If there’s anything worse than losing your keys, it’s forgetting to generate them in the first place. VMware Aria has a CVSS 9.8 vulnerability, which boils down to a shared SSH key across all installs from version 6.0 to 6.10.

Proton

Researchers at Sonar set their sights on Proton Mail, and found some impressive issues, that chained together results in running unsanitized JavaScript from inside an incoming email, with access to the entire logged-in account. Proton Mail is carefully built to avoid exactly this sort of attack, so it takes some clever work to pull it off.

The first observation is that tags in incoming emails get replaced with — after the code has run through the HTML sanitizer. SVG data is very different from normal HTML, and making that change has some unexpected effects. Inside SVG tags, quotation marks are absolute, and additional tags inside of quotes are ignored. But in regular old HTML, tags are absolute, and quotation marks are mere suggestions. This means that JavaScript can be smuggled inside of an SVG element.

It’s not that easy, as Proton Mail also uses iframe sandboxing and Content Security Policy (CSP). One of the allowed contents, however, is the script-src blob. That’s intended to be used for temporary content that uses a random UUID to refer to it. The key to making use of this is to send two emails to the victim. One email has a JavaScript file as an attachment, which automatically gets converted into a blob, but not executed. That email also has CSS in it, that uses the cross-fade() function to leak the temporary name of the blob one byte at a time, by making a series of requests back to a malicious server. Using the leaked name, the attacker sends a second email, that executed the blob from the first.

If the victim is running Safari, the CSP is written to allow access to the entire page at this point. On other browsers, Further user interaction is required, in the form of following a link to open a new tab. The flaw was reported in June, and a fix went live in July. The solution was the simple one, to just turn off SVG support altogether.

Oof Barracuda

We missed this update last week, but the Barracuda saga continues. The latest is this FBI warning (pdf), that as of August 23, fully patched Barracuda ESG appliances were still being compromised. This vulnerability is triggered by these email gateways unpacking a compressed file to scan it for malware, and as such doesn’t require any special configuration or open ports.

This leads us to the unfortunate situation where Barracuda has announced that every ESG appliance in production should be assumed to be compromised. There’s a bit of disagreement from Mandiant, who maintain that there have been no confirmed compromises of patched devices after the May 20th update.

Train whistle Cap’n Crunch Style

You may have seen headlines about a cyber-attack against Poland’s rail network, with statements like “Hackers broke into railway frequencies to disrupt traffic”. Except, this has more in common with phone phreaking than anything cyber. Rather than breaking into radio frequencies with some elaborate attack, this is just transmitting three audio tones over a 150.100 MHz radio signal. No encryption, no authentication. No word on whether the audio was produced using a toy whistle found in cereal boxes.

Bits and Bytes

If you’re one of the many fans of Notepad++, you’ll want to be a bit extra careful about opening untrusted files with this beloved text editor. A set of four vulnerabilities have been found in the program, with the worst having the potential to lead to remote code execution (RCE). Unfortunately, fixes have not landed in the project, and these issues are being released by Github’s Security Lab due to 90+ days having passed since disclosure.

The Openfire chat server has an authentication bypass issue in its admin console, and while patches are available, this vulnerability is actively being exploited in the wild, but this vulnerability apparently isn’t sufficiently enterprise to have garnered much attention.

Someone has apparently had enough of spyware, as two separate mobile-centric spyware operations were breached, wiped, and shut down last month.

If you make kids’ snacks, and put a URL on the box, please make sure you don’t let the domain expire. Because otherwise, someone will come along and claim the domain, and maybe put something really nasty there. That’s the basic story behind a recall of Paw Patrol snacks in the UK. The original manufacturer ceased business in 2022, and when their old domain expired and got bought by a porn site, the inevitable happened.

And finally, the DEA has fallen for a classic cryptocurrency scam. In moving seized cryptocurrency around, DEA agents sent a small value from one account to another. A scammer quickly created an address where the first five and last four values matched the legitimate address — two addresses that would look identical at a quick assessment. And the bait was taken, losing the DEA around $50,000. Oops!