This Week In Security: Blame The Feds, Emergency Patches, And The DMA

The temptation to “take the money and run” was apparently too much for the leadership of the AlphV ransomware crime ring. You may have heard of this group as being behind the breach of Change Healthcare, and causing payment problems for nearly the entire US healthcare system. And that hack seems to be key to what’s happened this week.

It’s known that a $22 million payment made it through the bitcoin maze to the AlphV wallet on the 1st. It’s believed that this is a payment from Change Healthcare to recover ransomed files. An important detail here is that AlphV is a ransomware-as-a-service provider, and the actual hacking is done by “affiliates”, who use that service, and AlphV handles the infrastructure, maintaining the actual malware, and serving as a payment processor. That last one is key here.

A couple days after that big payment landed in the AlphV account, a seizure notice went up on the AlphV Tor site, claiming that it had been taken down by the FBI and associated agencies. There was something a bit odd about it, though. See, the FBI did seize the AlphV Tor site back in December. The seizure notice this time was an exact copy, as if someone had just done a “save page as”, and posted the copy.

There is precedent for a ransomware group to close up shop and disappear after hitting a big score. The disruption AlphV enabled in the US health care system painted a big target on them, and it didn’t take a tactical genius to realize it might be good to lay low for a while. Pocketing the entire $22 million ransom probably didn’t hurt either. The particularly nasty part is that the affiliate that actually pulled off the attack still claims to have four terabytes of sensitive data, and no incentive to not release it online. It’s not even entirely clear that Change Healthcare actually received a decryption key for their data. You do not want to deal with these people.


FLOSS Weekly Episode 773: NodeBB — Don’t Do The Math

This week, Jonathan Bennett and Jeff Massie talk with Julian Lam about NodeBB! It’s modern forum software that actually has some neat tricks up its proverbial sleeves. From forking of forum threads when conversations differ, to new integration with ActivityPub and Mastodon. It’s forums like you’ve never quite seen them.


This Week In Security: Forksquatting, RustDesk, And M&Ms

GitHub is struggling to keep up with a malware campaign that is a new twist on typosquatting. The play is straightforward: clone popular repositories, add malware, and advertise the forks as the originals. Some developers mistake the forks for the real projects and unintentionally run the malware. The obvious name would be forksquatting, but the researchers at Apiiro went with the safer “Repo Confusion”.

The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, GitHub’s detection isn’t catching all of the new repos. The current campaign appears to be publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks is here to stay.
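A cheap defence against this kind of fork is to look at where a checkout actually points before building or running anything from it. The script below is an added example, not Apiiro’s research tooling and not anything GitHub ships: it normalizes https and ssh GitHub remotes, and flags a remote whose repository name matches a project in a small allowlist of canonical owners while the owner does not. The allowlist and the `git remote -v` text it parses are constructed samples.

```python
"""Flag likely repo-confusion forks from git remote URLs.

Added example; not Apiiro's research code and not a GitHub feature.
The canonical owner table and the `git remote -v` text are constructed samples.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: lowercase repo name -> the owner we expect to see.
# In practice this would come from a lockfile, an SBOM, or a curated list.
CANONICAL_OWNERS = {
    "requests": "psf",
    "django": "django",
    "flask": "pallets",
}

# scp-style and ssh:// GitHub remotes, which urlparse does not handle well.
_SSH_RE = re.compile(r"^(?:ssh://)?git@github\.com[:/](?P<path>.+)$")


def parse_github_remote(url):
    """Return (owner, repo), both lowercased, for a GitHub URL, else None."""
    url = url.strip()
    m = _SSH_RE.match(url)
    if m:
        path = m.group("path")
    else:
        parsed = urlparse(url)
        if parsed.netloc.lower() not in ("github.com", "www.github.com"):
            return None
        path = parsed.path
    parts = [p for p in path.split("/") if p]
    if len(parts) < 2:
        return None
    owner, repo = parts[0].lower(), parts[1].lower()
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def classify_remote(url, canonical=CANONICAL_OWNERS):
    """'ok' if the owner matches the allowlist, 'suspect-fork' if the repo
    name matches but the owner does not, 'unknown' if we have no opinion,
    'not-github' for anything else."""
    parsed = parse_github_remote(url)
    if parsed is None:
        return "not-github"
    owner, repo = parsed
    expected = canonical.get(repo)
    if expected is None:
        return "unknown"
    return "ok" if owner == expected else "suspect-fork"


def audit_remotes(remote_v_output, canonical=CANONICAL_OWNERS):
    """Parse `git remote -v` text and classify each remote name once."""
    results = {}
    for line in remote_v_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name, url = fields[0], fields[1]
        results[name] = classify_remote(url, canonical)
    return results


# Constructed sample of `git remote -v` output, not captured from a real repo.
SAMPLE_REMOTE_V = (
    "origin\tgit@github.com:psf/requests.git (fetch)\n"
    "origin\tgit@github.com:psf/requests.git (push)\n"
    "mirror\thttps://github.com/some-random-user/requests (fetch)\n"
    "mirror\thttps://github.com/some-random-user/requests (push)\n"
    "tool\thttps://gitlab.com/example/tool.git (fetch)\n"
)

if __name__ == "__main__":
    for name, verdict in audit_remotes(SAMPLE_REMOTE_V).items():
        print(f"{name}: {verdict}")
```

The owner comparison is the whole point: a fork keeps the repository name, the README, and the commit history of the original, so nothing about the contents tells the two apart. Only the owner segment of the URL does, and that is what a human skimming search results tends not to read.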

RustDesk and Odd Certificates

The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and is written in Rust. I’ve had exploring RustDesk as a todo item for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed as part of the RustDesk installation. That root cert is self-signed using SHA-1. There is also concern that the RustDesk binaries are signed with a different certificate.

There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 was registered with NIST, carrying an eye-popping CVSS score of 9.8. Let’s cut through some FUD and talk about what’s really going on.


FLOSS Weekly Episode 772: Raspberry Pi From The Man Himself

This week, Jonathan Bennett and Elliot Williams talk with Eben Upton about the Raspberry Pi! The conversation covers the new Pi 5, the upcoming CM5, the possible Pi500, and the Initial Public Offering (IPO) that may happen before too long. There’s also the PCIe port, the RP1, and the unexpected effects of using Broadcom chips. And then we ask the Billion Dollar question: What’s the money from an IPO going to fund? New hardware, software upgrades, better documentation? Nope, and the answer surprised us, too.


This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings

For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.

The setup for this breach was an AWS problem that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a failure mode of serving images and videos to the wrong users. An official report from Wyze mentions that this library had been recently added, and that the number of thumbnails shown to unauthorized users was around 13,000. Eek. There’s a reason we recommend picking one of the open source NVR systems here at Hackaday.
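The report doesn’t say how the library failed, so here is an added illustration of one common way a cache ends up handing one user’s media to another: the ownership check runs only when the cache is filled, so once the first user has warmed an entry, every later request for that id is served from the cache with no check at all. This is my example of the bug class, not Wyze’s code or the library in question; the thumbnail ids and owners are constructed.

```python
"""One way a cache ends up serving another user's media.

Added illustration of the bug class, not Wyze's code and not the caching
library involved; the article does not say how that library failed.
"""

# Constructed ownership table: thumbnail id -> the user allowed to see it.
OWNERS = {"thumb-1": "alice", "thumb-2": "bob"}


def load_from_storage(thumb_id):
    """Stand-in for the slow object-store fetch the cache is meant to spare."""
    return f"<jpeg bytes for {thumb_id}>"


class LeakyThumbnailService:
    """Authorization happens only when filling the cache. Once alice has
    warmed the entry, a request from bob for the same id is served straight
    from the cache with no check at all."""

    def __init__(self):
        self.cache = {}

    def get(self, user, thumb_id):
        cached = self.cache.get(thumb_id)
        if cached is not None:
            return cached                     # BUG: no ownership check on a hit
        if OWNERS.get(thumb_id) != user:
            raise PermissionError(f"{user} may not view {thumb_id}")
        data = load_from_storage(thumb_id)
        self.cache[thumb_id] = data
        return data


class CheckedThumbnailService:
    """Authorization on every request; the cache only shortcuts the fetch."""

    def __init__(self):
        self.cache = {}

    def get(self, user, thumb_id):
        if OWNERS.get(thumb_id) != user:
            raise PermissionError(f"{user} may not view {thumb_id}")
        data = self.cache.get(thumb_id)
        if data is None:
            data = load_from_storage(thumb_id)
            self.cache[thumb_id] = data
        return data


def cross_user_read(service_cls):
    """Warm the cache as alice, then ask for alice's thumbnail as bob.
    Returns True if bob gets the bytes (a leak), False if he is refused."""
    svc = service_cls()
    svc.get("alice", "thumb-1")
    try:
        svc.get("bob", "thumb-1")
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print("leaky service leaks:  ", cross_user_read(LeakyThumbnailService))
    print("checked service leaks:", cross_user_read(CheckedThumbnailService))
```

Note that the leaky version looks correct in any test that starts from a cold cache; it only misbehaves under exactly the conditions of a restart-and-thundering-herd, when many users hit the same entries in quick succession. The other classic variant of this bug is a cache key that omits the user or session, so that a shared HTTP cache stores a per-user response under a URL every user requests; the fix is the same in spirit, which is to make the identity part of every lookup rather than only of the fill.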

ScreenConnect Exploit in the Wild

A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week, proof-of-concept exploits were released, and they are already being used in active exploitation. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal.

Huntress has a guide out, detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is the result of a .NET quirk: adding an extra path segment after a .aspx URL doesn’t change which page handles the request, but the extra segment is captured as PathInfo. That lets a request slip past the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
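To make the quirk concrete, here is an added example (mine, not ScreenConnect’s code or Huntress’s tooling) of a request guard that compares the raw path with the wizard page and so lets `/SetupWizard.aspx/anything` through, next to one that first splits the path into the handler and PathInfo the way ASP.NET does. The same splitter then flags the exploit shape in web-server access logs. The log lines are constructed and in common log format, which is an assumption; ScreenConnect’s own logs may look different.

```python
"""PathInfo bypass: flawed vs. fixed gate, plus a log check.

Added example; not ScreenConnect's code and not Huntress's tooling.
The access-log lines below are constructed, in common log format.
"""
import re

# ASP.NET routes "/Page.aspx/extra" to Page.aspx and exposes "/extra" as
# PathInfo. The handler is the path up to and including the first ".aspx"
# segment; whatever follows (before any query string) is PathInfo.
_ASPX_RE = re.compile(
    r"^(?P<handler>/[^?]*?\.aspx)(?=/|\?|$)(?P<pathinfo>/[^?]*)?",
    re.IGNORECASE,
)


def handler_and_pathinfo(path):
    """Split a request path into (handler, pathinfo); handler is lowercased.
    Returns (None, None) when the path does not target an .aspx page."""
    m = _ASPX_RE.match(path)
    if not m:
        return None, None
    return m.group("handler").lower(), m.group("pathinfo") or ""


def flawed_setup_guard(path, setup_complete):
    """Compares the whole path with the wizard URL, so any trailing segment
    slips past even though the same page still handles the request."""
    if setup_complete and path.lower() == "/setupwizard.aspx":
        return "deny"
    return "allow"


def fixed_setup_guard(path, setup_complete):
    """Decides on the handler alone, ignoring PathInfo and the query string."""
    handler, _ = handler_and_pathinfo(path)
    if setup_complete and handler == "/setupwizard.aspx":
        return "deny"
    return "allow"


# Request line inside a common-log-format entry: "METHOD /path HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def find_setup_wizard_pathinfo(log_lines):
    """Return (line_number, path) for requests that reach SetupWizard.aspx
    with a non-empty PathInfo, the shape used by the bypass."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        handler, pathinfo = handler_and_pathinfo(m.group("path"))
        if handler == "/setupwizard.aspx" and pathinfo:
            hits.append((n, m.group("path")))
    return hits


# Constructed sample log, not captured from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2024:10:01:02 +0000] "GET /Login.aspx HTTP/1.1" 200 1532',
    '10.0.0.9 - - [20/Feb/2024:10:02:17 +0000] "GET /SetupWizard.aspx HTTP/1.1" 403 0',
    '10.0.0.9 - - [20/Feb/2024:10:02:19 +0000] "GET /SetupWizard.aspx/literallyanything HTTP/1.1" 200 8812',
    '10.0.0.9 - - [20/Feb/2024:10:02:25 +0000] "POST /SetupWizard.aspx/literallyanything HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    probe = "/SetupWizard.aspx/literallyanything"
    print("flawed guard:", flawed_setup_guard(probe, setup_complete=True))
    print("fixed guard: ", fixed_setup_guard(probe, setup_complete=True))
    for n, path in find_setup_wizard_pathinfo(SAMPLE_LOG):
        print(f"line {n}: {path}")
```

The general lesson is that any access decision taken on a URL string has to use the same normalization the framework uses for routing; if the router strips, lowercases, or splits something the guard does not, the difference is the bypass. The log check is worth running retroactively as well: a 403 on the bare wizard page followed seconds later by a 200 on the same page with trailing PathInfo is exactly the sequence a scanner produces.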

The second vulnerability triggers during extension unpack, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation.
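The unzip bug is the well-worn “zip slip” pattern: an archive entry named `../../something` or with an absolute path gets written wherever the name says, not under the directory the installer meant. Below is an added example, not ScreenConnect’s installer code, of the check an extractor has to make: resolve each entry against the extraction root and refuse anything that lands outside it. The hostile archive is constructed in memory so the check can be exercised offline.

```python
"""Zip slip: refuse archive entries that resolve outside the extraction root.

Added example; not ScreenConnect's extension installer. The archive is built
in memory from constructed entries so the check can be exercised offline.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_zip(entries):
    """Build an in-memory archive from {name: bytes}. Used only to construct
    a hostile sample; a real attacker ships the archive ready-made."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_extract(zip_bytes, dest):
    """Extract zip_bytes into dest, skipping any entry whose resolved path
    would land outside dest. Returns (written, rejected) entry names."""
    root = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # treat backslashes as separators too
            # An absolute entry would make `root / name` discard root entirely;
            # ".." components are caught by comparing the resolved target with root.
            if name.startswith("/") or os.path.isabs(name):
                rejected.append(info.filename)
                continue
            target = (root / name).resolve()
            if target != root and root not in target.parents:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Extract a constructed hostile archive into a throwaway directory.
    Returns (written, rejected, files_found_under_root)."""
    archive = build_zip({
        "extension/manifest.json": b'{"name": "demo-extension"}',
        "extension/bin/../lib/helper.dll": b"a .. that stays inside is fine",
        "../../outside.txt": b"escapes the extension directory",
        "/tmp/absolute.txt": b"absolute path",
        "..\\windows-style.txt": b"backslash traversal",
    })
    with tempfile.TemporaryDirectory() as d:
        written, rejected = safe_extract(archive, d)
        found = sorted(p.relative_to(d).as_posix()
                       for p in Path(d).rglob("*") if p.is_file())
    return written, rejected, found


if __name__ == "__main__":
    written, rejected, found = demo()
    print("written :", written)
    print("rejected:", rejected)
    print("on disk :", found)
```

Two details matter in practice. The check is on the resolved path, not on whether the name contains `..`, so an entry like `extension/bin/../lib/helper.dll` that never leaves the root is still accepted, and a name that is innocent-looking but sits under a symlink inside the root is caught as well. Python’s own `ZipFile.extractall` already strips leading slashes and `..` components, so this is the logic you have to add when the unzip is hand-rolled or done with a library that doesn’t, which is the situation the ScreenConnect bug describes.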

FLOSS Weekly Episode 771: Kalpa — Because Nobody Knows What Hysteresis Is

This week, Jonathan Bennett and Dan Lynch talk with Shawn W Dunn about openSUSE Kalpa, the atomic version of openSUSE Tumbleweed, with a KDE twist. What exactly do we mean by an Atomic desktop? Is ALP going to replace openSUSE Tumbleweed? Are snaps coming to Kalpa?

Shawn gives us the rundown of all the above, and what’s holding back a stable release of Kalpa, what’s up with Project Greybeard, and why Kalpa really doesn’t need a firewall.


Making The Commodore SX-64 Mini

When you find a portable TV from the 1980s, and it reminds you of the portable Commodore 64, there’s only one thing to be done. [Aaron Newcomb] brings us the story of taking an Emerson PC-6 and mating it to the guts of his THEC64 Mini. It’s a bit of a journey, as the process includes modding the TV to include a composite input and trimming some unused PCB off the TV’s mainboard. Then some USB ports and a three-and-a-half inch floppy drive were shoehorned into the chassis, with the rear battery compartment holding the parts from THEC64 Mini.

The build was not entirely without issue. It turns out the degaussing coil connector can plug perfectly into the service port, and Murphy’s law proved itself true again. But no harm was done, and the error was quickly discovered. All that was left was to button the chassis back up and add some paint and 3D-printed trim details. The build looks great! Come back after the break to watch the video from the [Retro Hack Shack] for yourself.
