Python Bug, Fake Zoom, GPT-3 AI, Optus breach and more - This Week in Security - Sept 18-24
This Week in Security
September 18th to September 24th
"Python Bug, Fake Zoom, GPT-3 AI, Optus breach and more"
An old Python path traversal Bug from a similar named method, Prompt Injection on GPT-3 AI, the recent Optus breach, Fake zoom sites are our headliners in this week's edition. Your editor is Arvin for this week. I picked snippets from the reference news that I found interesting. At the end of this article, I also added some articles related to previous exploits on how these phishing attacks and potential vulnerabilities are used to compromise victims. I added videos/links for tools such as BEEF - Browser Exploitation Framework, how an Apple iOS one click exploit would look like and a recent phishing attempt on content creator and what are the steps done by the researcher to observe the malware execution. I borrowed quite a few videos and links, so definitely credits to the original owners/original posts. Stay Safe and Secure!
old Python path traversal Bug
"Security firm Trellix said its threat researchers had encountered a vulnerability in Python's tarfile module, which provides a way to read and write compressed bundles of files known as tar archives. Initially, the bug hunters thought they'd chanced upon a zero-day.
It turned out to be about a 5,500-day issue: the bug has been living its best life for the past decade-and-a-half while awaiting extinction.
Identified as CVE-2007-4559, the vulnerability surfaced on August 24, 2007, in a Python mailing list post from Jan Matejek, who was at the time the Python package maintainer for SUSE. It can be exploited to potentially overwrite and hijack files on a victim's machine, when a vulnerable application opens a malicious tar archive via tarfile.
"The vulnerability goes basically like this: If you tar a file named "../../../../../etc/passwd" and then make the admin untar it, /etc/passwd gets overwritten," explained Matejek at the time.
the fix did not address the TarFile.extract() method – which Gustäbel said "should not be used at all" – and left open the possibility that extracting data from untrusted archives might cause problems."
Similar methods such as in the case of TarFile.extractall() and the unfixed TarFile.extract() may have similar vulnerabilities and if left unchecked/unfixed, may still be unexpectedly used and open up an application to an exploit. Dont use outdated and unrecommended methods if at all possible.
https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/
https://docs.python.org/3/library/tarfile.html
Note: The extract() method does not take care of several extraction issues. In most cases you should consider using the extractall() method.
Warning: Never extract archives from untrusted sources without prior inspection. It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..".
Optus cyberattack and data breach
Australian telecommunications company Optus has fallen victim to a significant cyberattack and data breach.
Optus said the attack exposed information including customers' names, dates of birth, phone numbers, email addresses, and - for some - physical addresses, ID document numbers such as driving license or passport numbers. Payment details and account passwords were not compromised.
Rosmarin reportedly said the company caught on after noticing "unusual activity" and was trying to discern "who has been accessing the data and for what purpose."
Multiple entities such as the Australian Cyber Security Centre, the Australian Federal Police, and the Office of the Australian Information Commissioner have been notified or are working with Optus to lock down its systems, prevent future breaches, and find the culprits. Those culprits are thought to be either a criminal or state-sponsored organization.
https://www.theregister.com/2022/09/23/cyberattack_optus/
https://www.reuters.com/technology/australias-optus-hit-by-cyber-attack-2022-09-22/
Someone on an underground cybercrime forum is claiming they stole the account data of 11.2 million people from Optus, and they're demanding $1 million in cryptocurrency not to sell the information
https://twitter.com/Jeremy_Kirk/status/1573407117566152704?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1573407117566152704%7Ctwgr%5E539c13491678c61faa638410161fd2073cd9840e%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2022%2F09%2F23%2Fcyberattack_optus%2F
Quoting one of the twitter feeds where this issue was being discussed:
"The Optus hacker says they accessed an unauthenticated API endpoint. This means they didn't have to login. The person says: "No authenticate needed. That is bad access control. All open to internet for any one to use.
"The API endpoint was api[dot]www[.]optus[.]com[.]au. Yes, that looks weird, but the hacker says it worked otherwise a DNS error occurred. That API is now offline, so there is no more risk for Optus. It was used in part to let Optus customers access their own data."
https://twitter.com/Jeremy_Kirk/status/1573652986437726208.
Breaches are never a good thing and the end users/customers are the biggest loser. Identity theft, details that can be used for account takeover are really scary things. Follow government guidelines as initial step to securing your information and be vigilant on potential access attempts to your resources.
https://www.oaic.gov.au/privacy/data-breaches/identity-fraud
Fake Zoom sites for malware distribution
"Beware the Zoom site you don't recognize, as a criminal gang is creating multiple fake versions aimed at luring users to download malware that can steal banking data, IP addresses, and other information.
Threat researchers at cybersecurity firm Cyble found six fake Zoom sites offering applications that, if clicked on, will download the Vidar Stealer malware, which also grabs lots of other goodies. The fake Zoom sites are part of a wider info-stealing effort, according to the Cyble Research and Intelligence Lab (CRIL).
"Based on our recent observations, [criminals] actively run multiple campaigns to spread information stealers," they wrote in a report this week.
Companies like Zoom give attackers a broad user group to prey on. The company's user base has skyrocketed over the past three years due to the COVID-19 pandemic, and that makes it a very attractive target.
They then found the six sites still in operation: zoom-download[.]host; zoom-download[.]space, zoom-download[.]fun, zoomus[.]host, zoomus[.]tech, and zoomus[.]website.
"We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer," the researchers wrote, adding that, like Vidar Stealer, "this malware payload hides the C&C IP address in the Telegram description. The rest of the infection techniques appear to be similar." "
Great work by the security researchers. While the technique is not new, using similar name domains to host or redirect potential victims a download site for malware, we should be aware of the links/sites we visit and ensure we are at the legitimate product's site. If the site is suspicious, it usually is. Don't download and install files from unknown/suspicious sites.
https://www.theregister.com/2022/09/22/zoom_malware_infosteal_cyble/
https://blog.cyble.com/2022/09/19/new-malware-campaign-targets-zoom-users/
GPT-3 AI Prompt Injection
"Unlike SQL, however, AI like GPT-3 wasn't designed to use formal syntax like a programming language. Without strict rules to follow, it's much more difficult to determine what's malicious and separate it out.
Days after Willison's blog post, Twitter users attacked a GPT-3 bot designed to help run remote jobs called Remoteli.io, tricking it into doing things like taking responsibility for the Challenge space shuttle disaster, threatening Twitter users or proposing an overthrow of the Biden administration if it doesn't support remote work. The bot's owners took it down to stop the onslaught.
In a post published today, Willison admitted that, while he knows how to beat XSS, SQL injection "and so many other exploits," he has "no idea how to reliably beat prompt injection!"
https://simonwillison.net/2022/Sep/16/prompt-injection-solutions/
Willison said that, for each method to mitigate prompt injection, there no way to know with 100 percent confidence that an unanticipated input won't slip through, because there aren't formal syntactic rules limiting input. To make matters worse, a language model update completely negates any mitigations, Willison said, "because who knows if that new model will have subtle new ways of interpreting prompts that open up brand new holes?""
Interesting prompt injection attack on GPT-3. Because there is no syntax, how exactly you would filter the inputs to "it"? The researcher suggests mitigation as "allowing prompts to be broken up into the "instructional" portion and the "data" portions".
https://twitter.com/simonw/status/1569453308372463616 - suggested mitgation
https://twitter.com/glyph/status/1570795540585271296 - related discussions
Microsoft Edge tech support scam advertisements
"While Google Chrome still dominates as the top browser, Microsoft Edge, which is based on the Chromium source code, is gradually gaining more users. Perhaps more importantly, it is the default browser on the Microsoft Windows platform and as such some segments of its user base are of particular interest to fraudsters.
We have tracked and observed a malvertising campaign on the Microsoft Edge News Feed used to redirect victims to tech support scam pages. The scheme is simple and relies on threat actors inserting their advertisements on the Edge home page and trying to lure users with shocking or bizarre stories."
Interesting and bizarre stories indeed attract attention from curious readers but we need to be aware and careful that these ads/sites pages are potentially harmful and are front for more malicious actors to hook potential victims. So, before clicking. check first the destination site - mouse hover over the link and see where it goes or if you recognize the destination site.
Kernel-mode anticheat software
"Kernel-mode anticheat: It's in the (EA) games
Video game publisher Electronic Arts has announced it's adding kernel-level anti-cheat software to its games, beginning with FIFA 2023 this fall.
Kernel-mode software operates at the hardest level of an operating system to detect and block hidden apps and processes from altering the running code of a video game. Along with offering some of the most thorough cheat prevention, kernel-mode software also widens the attack surface of a video game and makes it a good way to slip a rootkit into a target's computer.
We reported on just such an attack only a few weeks ago when popular online role-playing game Genshin Impact's kernel-mode anti-cheat code was found being used to inject a rootkit able to kill endpoint protection and install further malware."
https://www.ea.com/security/news/eaac-deep-dive
By my read, the Kernel-mode anticheat software is well meaning. However, there are always possibilities of leveraging such a high privilege running software for potential abuse if certain angles are not covered. In the past, EA FIFA game origin client had a DLL hijacking vulnerability that allowed system access to the PC system where its installed/running.
https://www.theregister.com/2020/11/10/ea_games_origin_privesc_vuln_nettitude/
EA FIFA players in twitter are having a day - the game is kind of not working due to the anti cheat software
https://twitter.com/search?q=EA%20fifa%20cheat&src=typed_query&f=top
By the way, its my first time checking out how a potential cheat in FIFA video games and it looks like a glitch. Either way, cheating is bad.
"I don't care about cookies" popup blocker sold to Avast
"I don't care about cookies, a popular browser extension that eliminates GDPR-mandated cookie popup warnings, has taken the potentially unpopular route of selling itself to security software company Avast, which itself is now a subsidiary of NortonLifeLock.
User reaction to Kladnik's move has been unsurprisingly negative, with social media and download page reviewers saying the sale to Avast will kill the extension, as well as expressing regret that another pop-up blocker has been acquired "by a well-known popup creating company."
Recent bad behavior from Avast includes the 2019 removal of its AVG (an Avast subsidiary) Online Security extensions from the Firefox and Chrome stores following news the addons had been snooping on users' web browsing activity."
"IDCAC is a browser extension, meaning that it's a relatively small Javascript applet. It was already open source, and Dutch developer Guus van der Meer has produced a fork. It looks like others may yet follow it."
From the article, its not really confirmed that Avast will stop/remove IDCAC. The counter to it is, at least, is IDCAC has been open sourced and similar extensions possibly created. Use discretion, for this case, when using browser extensions.
https://www.theregister.com/2022/09/21/avast_buys_i_dont_care_about_cookies_addon/
Meta in App browser for Apple iPhone tracking users
"Meta accused of breaking the law by secretly tracking iPhone users
The lawsuit [PDF], filed in a US federal district court in San Francisco, claims that the two applications incorporate use their own browser known as a WKWebView that injects JavaScript code to gather data that would otherwise be unavailable if the apps opened links in the default standalone browser designated by iPhone users.
The claim is based on the findings of security researcher Felix Krause, who last month published an analysis of how WKWebView browsers embedded within native applications can be abused to track people and violate privacy expectations.
"When users click on a link within the Facebook app, Meta automatically directs them to the in-app browser it is monitoring instead of the smartphone’s default browser, without telling users that this is happening or they are being tracked," the complaint says.
"The user information Meta intercepts, monitors and records includes personally identifiable information, private health details, text entries, and other sensitive confidential facts."
Confronted last month with Krause's findings, Meta insisted its code injection was done to respect its users' privacy choices (apart from their choice of default browser).
"We intentionally developed this code to honor people's App Tracking Transparency (ATT) choices on our platforms," a Meta spokesperson told The Register last month. "The code allows us to aggregate data before it is used for targeted advertising or measurement purposes."
Meta communications director Andy Stone offered a similar statement via Twitter."
Privacy is a sensitive topic. As a user, read the fine print so we know what we are sharing when we use applications and visit sites. Then again, being potentially tracked outside the bounds of an agreed policy is not ideal.
https://www.theregister.com/2022/09/23/meta_app_tracking/
and more - BEEF, iPhone One Click exploit sample, phishing attempt walkthrough
Phishing attacks are prevalent and I hope most of us are aware of best practices and trainings to prevent it. However, some are more vulnerable to these attacks and if not prevented, can have real world consequences. Education, secure credentials and access and security awareness are the best mitigation for these phishing attacks - generally, don't fall for it and if in doubt, don't click.
The way I see these phishing attacks happen using current exploitation tools and vulnerabilities:
Entice a victim to click a link that redirects to an attacker site where the backend is BEEFmaybe collect data on the victim and prepare what kind of exploit they'll sendif example, an Apple iPhone device, use some recent zero day vulnerability
or if another system, example a windows system, entice to download an unusual file that bypasses endpoint detection and trigger an installation or execute commands upon opening the file.
BEEF - Browser Exploitation Framework - educational purpose, videos show how potentially an attacker may send a link to a victim to access a fake site, collect data/execute commands on the victim machine and be duped to send credentials using BEEF's modules. All they need is for the victim to access the attacker site - hooked - where the backend is BEEF.
Credit to original owners
https://youtu.be/3ogyS4KOlXc
https://youtu.be/ldwy6Opg-5M
https://beefproject.com/
iPhone One Click exploit sample
Credit to original owner
https://twitter.com/ret2systems/status/1379457891724328964?s=20&t=uA3ePOup-5VLQYeir0OQIwRecent
Apple iOS zero day CVEs - I imagine these are used similar to one/zero click exploits
Kernel - CVE-2022-32894
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
WebKit - CVE-2022-32893
Description: An out-of-bounds write issue was addressed with improved bounds checking.
Phishing attempt on content creators - twitter thread and youtube video walkthrough of the phishing attempt and observing the malware in a sandbox environment
Credit to original owner