There’s yet another 0-day exploit chain discovered as part of NSO Group’s Pegasus malware suite. This one is known as BLASTPASS, and it’s a nasty one. There’s no user interaction required, just receiving an iMessage containing a malicious PassKit attachment.
We have two CVEs issued so far. CVE-2023-41064 is a classic buffer overflow in ImageIO, the Apple framework for universal file format read and write. Then CVE-2023-41061 is a problem in the iOS Wallet implementation. Release 16.6.1 of the mobile OS addresses these issues, and updates have rolled out for macOS 11, 12, and 13.
It’s worth noting that Apple’s Lockdown mode does seem to block this particular exploit chain. Citizen Lab suggests that high-risk users of Apple hardware enable Lockdown Mode for that extra measure of security.
MGM and Scattered Spider
Starting the morning of September 11, MGM Resorts began experiencing systems outages as a result of “a cybersecurity issue”. Apparently it also hits their slot machines and ATMs — try to imagine a worse fate for the Las Vegas casino and hotel chain.
— MGM Resorts (@MGMResortsIntl) September 11, 2023
It turns out, this was the work of Scattered Spider, a group known to use social engineering to crack large networks, and then demand ransom payments to stand down. It’s beginning to look like the initial attack vector here was a simple phone call to the helpdesk, asking for help getting logged in.
China’s CVE Registry
I’ve mused a few times that some companies must have arrangements with their national governments, to turn over vulnerabilities when discovered, and then slow-roll public announcement and fixes. Strictly speaking, that’s a conspiracy theory, but it appears to be the state of play for the Chinese National Vulnerability Database. A 2021 law seems to mandate exactly this, giving companies doing business in China a two day deadline to hand over vulnerabilities.
On the other hand, as several companies point out, it’s not uncommon for governments to have regulations requiring vulnerabilities be reported to a government prior to disclosure. The full report maps out the Chinese government interaction with both discovered vulnerabilities and state-sponsored hacking, and makes a rather compelling case that there is overlap.
iOS Bluetooth Annoyance
There was an annoyance at DEF CON this year — Bluetooth popups on Apple phones. The trick here is to spoof Bluetooth Low Energy proximity actions. This is generally intended to allow pairing devices or sharing contact info, by bringing devices right to next to each other. To determine proximity, the device just uses signal strength, and that’s the gimmic. Just push your broadcast power a little higher than a normal BLE device, and it shows up as being close enough to trigger a proximity action.
Walk around DEF CON with the battery powered setup, and annoy all your new geeky friends! And if you don’t want to build the rig out of a Raspberry Pi, apparently a Flipper Zero can pull off the same trick. Groovy.
Will the Real 345gs5662d34 Please Stand Up?
So this is a bit of a mystery. Honeypots, open SSH services, and all sorts of other services are constantly being bombarded with login attempts. Some clever folks record those attempts, and track some of the data, like the most commonly attempted username and password. And the top five you might be able to guess: root, admin, user, test, and ubuntu. But the sixth most common username is an oddball: 345gs5662d34. And what’s more, all the attempts to guess that username used the same string as the password. And a very similar 3245gs5662d34 shows up often as a password guess for other usernames.
The community has already come up with some plausible explanations, like the values being used as breadcrumbs to track a bot or do honeypot detection. The more interesting guess is that this is how a default username and password combination gets translated into ASCII text when typed on a non-English keyboard. That’s apparently already been observed with the similar string, ji32k7au4a83. If you have any guesses or answers to this mystery, let us know!
Killer Themes
Themebleed has it all. It’s a silly, catchy name, illustrates TOCTOU, MotW, and SMB manipulation, and isn’t actually all that serious. It’s perfect. Loading a .theme file in Windows 10 should load a new system theme, merely changing the desktop’s appearance. Running a theme file downloaded from the Internet would normally invoke the Mark of the Web (MotW), warning about an untrusted file. But stuff a .theme inside a .themepack cab file, and no warning is shown.
A .theme file can call a .msstyles file. If that .msstyle is set to version 999, some legacy handling code gets called, and the file name gets changed to end in _vrf.dll. The file is opened, the signature is checked, and the file is closed. If the signature verifies, the file is re-opened, and a function is called from within the DLL.
And that is the Time Of Check, Time Of Use bug. There is an interruptable slice of time between closing the verified file, and reopening it. Normally a TOCTOU bug is a race condition, but the clever bit here is to use a remote SMB share as the .msstyles location. If that’s an attacker controlled location, it’s trivial to swap out the verified DLL after the signature checks out. And that’s it, a user trying to apply a theme runs arbitrary code with no warnings. For his findings, [Gabe] scored a $5000 bounty from Microsoft, and the version 999 legacy code has been removed, ending the exploit chain.
Bits and Bytes
HPE Aruba 9000 series devices have a pair of high severity issues. The first allows for code execution early in the boot process, and the second allows for booting unsigned kernel images. That’s not really a problem for securely installed systems, but it does mean that an Aruba gateway could be tampered with in such a way that even a factory reset doesn’t properly clear it back to default. Fixes are available.
Cisco has a CVSS 10.0 vulnerability in the Single Sign-On built in to BroadWorks. This can potentially affect quite a few Cisco applications that are part of the BroadWorks cloud calling platform. Cisco has issued updates to fix the problems.
And finally, last week we talked about some unfixed issues in Notepad++. We’re thrilled to see that a new release has been issued with fixes landing, likely partially spurred on by the coverage here and on other news sites.
Slots and ATMs should be on separate networks.
But, having the ATM directly deposit your money into a slot machine saves the gambler time spent in front of the slot machine, and saves the casino 🎰 by not having to supply free drinks to the gambler.
If you have a worm that is spreading through systems, opening holes into them, it won’t do to announce the breakthrough to some central server because then you could follow the lead and find out who’s trying to break in and block the attempt. Instead, the attack silently leaves the hole open by creating a known login/pass and then someone can scan the network to find out which machine lets you in.
If worms are spreading through your systems, may I recommend I Ernestine?
B^)
Darn auto caret!
I wrote Ivermectin, not Ernestine!
And I wrote d-a-m-n, not darn!
Oh that’s nothing. The group behind the MGM attack also hit Caesar’s and got away with $15 million USD.
Must have had good data to cover that, although Caesar’s claims its covered by cyber-attack insurance.
Full story:
https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ransom-to-cybercrime-group-prior-to-mgm-hack.html
I can’t wait for MGM to explain to their “cyber-insurance” how they botched this by giving out private data. If a car insurer argues over coverage, you can bet that will be an uncomfortable conversation.
*good data to justify that ransom payment.
I IS GOOD ENGLISH SPEAKING