Kyle Fox's Security News 2023 in Review - F5 SIRT

Intro

 
I thought we would do a little end of the year roundup of a few subjects I feel are notable from 2023.   I will be publishing an article with some things I am looking out for in 2024 and a list of all my YouTube recommendations from 2023 later in January.
 

Software Bill of Materials

 
Back in 2021 the White House put out an executive order aiming to improve cybersecurity in the United States. One of the bullet points of that executive order was to improve the software supply chain security of software sold to the Federal Government. This had been largely spurred by a series of breaches in the Federal Government, most prominently the SolarWinds software supply chain attack. Previously there had been breaches because of vulnerabilities in software used by companies and government organizations; one famous example was the Equifax breach in 2017, which resulted in a 700 million US dollar settlement. That breach was facilitated by the Apache Struts vulnerability CVE-2017-5638: Equifax had neither patched the vulnerability in Apache Struts, nor did it have Web Application Firewall protections in place and configured properly.
 
 
So by the time 2023 was underway, regulators were putting pressure on the software industry to produce SBOMs, and the White House had incorporated this into its ongoing cybersecurity strategy. We expect SBOMs to be a major part of 2024 as well.
 

What it Means for an Attack to go Mainstream

 
Many of us consider an exploit to be mainstream when a Metasploit module is written for it, and that works well enough for the things Metasploit does well, such as attacks over a network. But what about attacks over wireless?
 
Well, we now have the Flipper. I have previously written about Flipper exploits, but at that time I did not really dive into what it is, exactly. The Flipper Zero is a small Tamagotchi-like device that incorporates a number of wireless and wired technologies and scripts to do things with those technologies. Its wireless capabilities consist of a TI CC1101-driven Sub-1 GHz transceiver that can do things like talk to IoT devices and various access control systems. Also, for even more access control system shenanigans, it incorporates both a 125 kHz proximity card reader/writer/emulator and a 13.56 MHz NFC module (ST25R3916). Proximity cards are often used for electronic locks on buildings and provide no security, having been developed using technology that predates microcontrollers small enough to fit on an access badge. 13.56 MHz technology presents a more formidable foe to the Flipper, since most modern access control systems use secure contactless smart cards with technology stacks like MIFARE, but the Flipper is able to conduct brute force and dictionary attacks against some of the simpler cards using this technology.
 
One big feature the Flipper has is Bluetooth, which, as I wrote in the This Week In Security article linked above, allows a Flipper (in that case loaded with special software) to conduct a discovery spam attack that, at the time it came out, would crash many Apple iOS devices. The Bluetooth is implemented using the onboard Bluetooth support in the Flipper's processor, an STM32WB55RG from ST's new wireless microcontroller lineup. Other connectivity available on the Flipper includes infrared transmit and receive, allowing it to emulate remote controls, and iButton / 1-Wire support, allowing it to read iButtons, which are sometimes used for access control or security guard tour verification systems. All of this information and the supported protocols are expanded upon in the Flipper documentation.
 
In the SDR field we had been creeping up on this sort of mainstreaming of RF hacking for a long time, starting with an ambitious SDR project called the DSP-10, which used the then-contemporary Analog Devices ADSP-2181 Digital Signal Processor. Later on Matt Ettus developed the Universal Software Radio Peripheral (USRP), originally sold as kits by Ettus Research, which was later bought out by test equipment manufacturer National Instruments. The USRP is often used alongside an SDR suite called GNU Radio, which provides a processing-block-oriented environment allowing quick construction of SDR dataflows between processing blocks, and from that, fast concept-to-implementation of SDR solutions. The USRP devices continue to be developed to this day, with devices capable of large RF bandwidths and multiple inputs and outputs topping the lineup. This all eventually resulted in a device called the HackRF, developed by Great Scott Gadgets, which was expanded using the PortaPack to allow portable operation; expanded firmware for that combination, called Havoc and Mayhem, created a very capable device.
 
While that was the high end, the low end had its own small revolution when people discovered that you could use a simple DVB-T adapter with the RTL2832 chipset to receive radio signals and feed them into SDR software such as GNU Radio, SDR++, HDSDR, and Gqrx. It's also important to mention that there are a ton of SDR platforms out there these days; in addition to all those above there are also LimeSDR, BladeRF, and KiwiSDR, to name just a few more.
 

Ransom Attacks Continue

 
 
Probably the most widespread issue with ransomware was the MOVEit critical vulnerability CVE-2023-34362 and its exploitation by the CL0P ransomware gang. This was such a massive and widespread issue that it affected multiple agencies of the US Federal Government, the UK Government, multitudes of private companies, DMVs in two states, and the list keeps going.
 
 
I share the sentiment of Megazone, who wrote in May that he is tired of ransomware. We can talk endlessly about solutions, either novel things like zero trust or old standbys like quickly patching vulnerabilities, but as long as IT is considered a cost center and not a priority, the entire industry will teeter on the brink of disaster.
 
Fortunately we are seeing more agencies announce rules requiring breaches to be disclosed, including the HHS for HIPAA covered information, and the SEC for anything "material" to stockholders.
 

AI Gathers Mindshare and Criticism

 
2023 started out with ChatGPT as one of the fastest-growing online applications, with millions of users using it to do things like write letters and research topics, but as people quickly found out, it could hallucinate facts, drawing any facts it provides into question. This quickly became a problem in the legal sphere when a law firm filed a ChatGPT-generated legal brief and was found out. Many lawyers commented on this, some on YouTube as well.
 
Another major conundrum for AI is copyright law: since many of these AI models are trained on copyrighted works, most often without the permission of those works' authors, the resulting work could be said to incorporate all those previous works. The United States Library of Congress Copyright Office is examining this question, and President Biden issued an Executive Order on the matter. Not to be left behind, the New York Times has sued OpenAI over its use of NYT articles in training ChatGPT. Although, it's not like human authors are free of this piecemeal copyright infringement.
 
There's also the elephant in the room, the wild ride that was Sam Altman of OpenAI, making a deal with Microsoft, being fired by the OpenAI board, negotiating a position at Microsoft, then being rehired by OpenAI.   That was quite a weekend.
 
Updated Mar 13, 2024
Version 11.0
  • I learnt the hard way in 2004, during the Sasser worm attack, that it is very important to install security patches as soon as possible.
    Some Windows computers in the LAN were unpatched but had up-to-date antivirus, so they were not infected.
    However, these computers were still force-restarted by virus attacks from already-infected computers.
    They had to be patched to be completely immune.

    Most cybersecurity attacks (WannaCry, Shellshock, etc.) are based on security bugs which black hackers learnt from patch release notes.
    That's why the best defense is installing security patches as soon as possible, because black hackers can create the attack tools in just a few days.
    Moreover, these patches are by default automatically installed by the operating system's scheduler for NO EXTRA COST.
    Red Hat indeed requires a subscription for patch access.
    So, if you don't want to pay for enterprise Linux, you can use RHEL derivatives (Oracle Linux, Rocky, etc.), Amazon AMI, etc.

    How to get the latest security patches without worry of bugs from new features for Microsoft products?
    a. Microsoft Windows: defer Feature Updates for a year. This won't block the latest security updates.
    b. Microsoft Office: set update channel to Semi-Annual Enterprise
    c. Microsoft OneDrive/SharePoint: set update channel to Deferred
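One way to apply the three deferral settings listed in the comment above on a single machine, as an added example that is not the commenter's or F5's code: it writes the machine-level policy registry values for Windows Update, Microsoft 365 Apps, and the OneDrive sync app, then reads them back so you can confirm the posture. The OneDrive ring value mapping is my assumption from the policy documentation and should be verified before deployment.

```powershell
# Added example: enforce feature-update deferral while leaving security (quality)
# updates flowing, per steps a, b and c above. Run elevated on a test machine first.

$Settings = @(
    # a. Windows: defer feature updates for 365 days; quality updates are untouched.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DeferFeatureUpdates';             Value = 1;   Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name = 'DeferFeatureUpdatesPeriodInDays'; Value = 365; Type = 'DWord' },
    # b. Microsoft 365 Apps (Office): Semi-Annual Enterprise Channel.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'
       Name = 'updatebranch';                    Value = 'SemiAnnual'; Type = 'String' },
    # c. OneDrive sync app: Deferred ring. ASSUMPTION: 0 = Deferred, 4 = Insiders,
    #    5 = Production, per my reading of the OneDrive policy docs; verify first.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
       Name = 'GPOSetUpdateRing';                Value = 0;   Type = 'DWord' }
)

function Set-DeferralPolicy {
    # Create each policy key if missing and write the value (idempotent).
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType $s.Type -Force | Out-Null
    }
}

function Get-DeferralPolicy {
    # One row per setting: expected value, current registry value, and whether they match.
    foreach ($s in $Settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                        -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($current -eq $s.Value)
        }
    }
}

Set-DeferralPolicy
Get-DeferralPolicy | Format-Table -AutoSize
```

Running `Get-DeferralPolicy` alone (without `Set-DeferralPolicy`) is a quick audit of whether a machine already has the deferrals in place.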