ReportWire

Tag: black hat

  • Your Gym Locker May Be Hackable

    Your Gym Locker May Be Hackable

    Thousands of electronic lockers found in gyms, offices, and schools could be vulnerable to attacks by criminals using cheap hacking tools to access administrator keys, according to new research.

    At the Defcon security conference on Sunday, security researchers Dennis Giese and “braelynn” demonstrated a proof-of-concept attack showing how digital management keys could be extracted from lockers, copied, and then used to open other lockers in the same location. The researchers focused on various models of electronic locks from two of the world’s biggest manufacturers, Digilock and Schulte-Schlagbaum.

    Over the past few years, the researchers, who both have backgrounds in lock picking, have been examining various electronic locks that use numerical keypads, allowing people to set and open them with a PIN. The work comes on the back of various examples of hotel door locks being found to be hackable, vulnerabilities in high-security locks, and commercial safes being alleged to have backdoors.

    For the research, Giese and braelynn purchased electronic locks on eBay, snapping up those sold after some gyms closed during the Covid-19 pandemic and from other failed projects. Giese focused on Digilock, while braelynn looked at Schulte-Schlagbaum. Over the course of the research, they looked at legacy models from Digilock dating from 2015 to 2022 and models from Schulte-Schlagbaum from 2015 to 2020. (They also purchased some physical management keys for Digilock systems.)

    Showing how security flaws could be abused by a prepared hacker, the researchers say they can take the electronic lock apart, then extract the device’s firmware and stored data. This data, Giese says, can contain PINs that have been set, management keys, and programming keys. The manager key ID can be copied to a Flipper Zero or cheap Arduino circuit board and used to open other lockers, Giese says.

    “If you access one lock, we can open all of them in whatever the unit is—the whole university, the whole company,” Giese says. “We can clone and emulate keys very easily, and the tools aren’t that complicated.” Whoever owns the lockers manages them, Giese says.

    Ahead of developing this proof-of-concept attack, Giese says, it took some time and effort to understand how the locker systems function. They took the locks apart and used cheap debugging tools to access the devices’ erasable, programmable read-only memory, known as EEPROM. Often, in the locks they tested, this was not secured, allowing data to be pulled from the system.

    “From the EEPROM, we can pull out the programming key ID, all manager key IDs, and the user PIN/ User RFID UID,” Giese says. “Newer locks erase the set user PIN when the locker is unlocked. But the PIN remains if the locker was opened with a manager key/programming key.”

    The researchers say they reported the findings to both impacted companies, adding they had spoken to Digilock about the findings. Digilock tells WIRED it has issued a fix for vulnerabilities found. The researchers say Schulte-Schlagbaum did not respond to their reports; the company did not respond to WIRED’s request for comment.

    Matt Burgess

    Source link

  • Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

    Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

    If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data.

    Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers.

    A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers.

    In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses.

    While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think that there’s a gap for creative solutions.”

    Spilled Secrets; Vulnerable Websites

    It is relatively trivial for a developer to accidentally include their company’s secrets in software or code. Alon Schindel, the vice president of AI and threat research at the cloud security company Wiz, says there’s a huge variety of secrets that developers can inadvertently hard-code, or expose, throughout the software development pipeline. These can include passwords, encryption keys, API access tokens, cloud provider secrets, and TLS certificates.

    “The most acute risk of leaving secrets hard-coded is that if digital authentication credentials and secrets are exposed, they can grant adversaries unauthorized access to a company’s code bases, databases, and other sensitive digital infrastructure,” Schindel says.

    The risks are high: Exposed secrets can result in data breaches, hackers breaking into networks, and supply chain attacks, Schindel adds. Previous research in 2019 found thousands of secrets were being leaked on GitHub every day. And while various secret scanning tools exist, these largely are focused on specific targets and not the wider web, Demirkapi says.

    During his research, Demirkapi, who first found prominence for his teenage school-hacking exploits five years ago, hunted for these secret keys at scale—as opposed to selecting a company and looking specifically for its secrets. To do this, he turned to VirusTotal, the Google-owned website, which allows developers to upload files—such as apps—and have them scanned for potential malware.

    Matt Burgess

    Source link

  • The Hacker Who Hunts Video Game Speedrunning Cheaters

    The Hacker Who Hunts Video Game Speedrunning Cheaters

    The night before Cecil’s Defcon talk, Maselewski wrote in a final email to WIRED that he believes those alleging that he cheated are using faulty tools with an incomplete picture of Diablo‘s complexities. “Dwango is out to tell a story. Did I cheat? No,” Maselewski writes. “But what is true or not does not matter at this point, because the wonder of exploration has already overstayed its welcome for a small group of people, and the script has already been written.”

    When WIRED reached out to the Guinness Book of World Records to ask if it would take down Maselewski’s record, a spokesperson responded noncommittally that “we value any feedback on our record titles and are committed to maintaining the highest standards of accuracy.” An administrator for Speed Demos Archive or SDA, another speedrun record-keeping website where Maselewski holds a similar Diablo record, seemed to be more persuaded by Cecil’s evidence. That administrator, who goes by the handle “ktwo” and asked that WIRED not include their real name, says that SDA hasn’t officially reached a verdict and is still waiting to hear Maselewski’s explanation.

    Things are not looking good for groobo, however. “To be clear, we have made a preliminary decision, based on the available information,” ktwo writes “The staff agrees that the analysis raises questions about the validity of the run that need to be addressed, or else the run will be unpublished from SDA. The admin team is currently discussing these questions with the runner. Once that discussion has concluded, a final decision will be made.”

    Cecil’s involvement in investigating gaming records began in 2017, when the speedrunner Eric “Omnigamer” Koziel, who was writing a book about speedrunning, began re-examining a record set by Todd Rogers for the Atari 2600 racing game Dragster. Rogers’ record time, 5.51 seconds, had persisted for a remarkable 35 years. But when Koziel reverse engineered Dragster’s code to try to understand how Rogers had achieved that time, he found that tricks Rogers said he’d used—such as starting the game in second gear—wouldn’t have provided the advantage Rogers claimed.

    “The goal was never to point to someone and say, ‘Hey, they’re cheating,’” says Koziel. “It was to try to find the truth.”

    Cecil, who knew Koziel from the speedrun community, offered to help develop a tool-assisted speedrun they could replay via TASbot on a real Atari 2600 to show that, even on that original hardware, Rogers’ record was impossible. They found that TASbot’s theoretically perfect performance was 5.57 seconds, slower than Rogers’ alleged time. Despite Rogers’ objections, his three-and-a-half-decade-old record was erased from the annals of the gaming records keeper Twin Galaxies—along with all his other records on the site—and Guinness stripped his world record for “longest-standing video game record.”

    “Although I disagree with their decision, I must applaud them for their strong stance on the matter of cheating,” Rogers wrote in a lengthy public Facebook post responding to the Twin Galaxies decision.

    Andy Greenberg

    Source link

  • Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look

    Apple Prototypes and Corporate Secrets Are for Sale Online—If You Know Where to Look

    It’s probably been a while since anyone thought about Apple’s router and network storage combo called Time Capsule. Released in 2008 and discontinued in 2018, the product has mostly receded into the sands of gadget time. So when independent security researcher Matthew Bryant recently bought a Time Capsule from the United Kingdom on eBay for $38 (plus more than $40 to ship it to the United States), he thought he would just be getting one of the stalwart white monoliths at the end of its earthly journey. Instead he stumbled on something he didn’t expect: a trove of data that appeared to be a copy of the main backup server for all European Apple Stores during the 2010s. The information included service tickets, employee bank account data, internal company documentation, and emails.

    “It had everything you can possibly imagine,” Bryant tells WIRED. “Files had been deleted off the drive, but when I did the forensics on it, it was definitely not empty.”

    Bryant hadn’t stumbled on the Time Capsule completely by accident. At the Defcon security conference in Las Vegas on Saturday, he’s presenting findings from a months-long project in which he scraped secondhand electronics listings from sites like eBay, Facebook Marketplace, and China’s Xianyu, and then ran computer vision analysis on them in an attempt to detect devices that were once part of corporate IT fleets.

    Bryant realized that the sellers hawking office devices, prototypes, and manufacturing equipment often weren’t aware of their products’ significance, so he couldn’t comb tags or descriptions to find enterprise gems. Instead, he devised an optical character recognition processing cluster by chaining together a dozen dilapidated second-generation iPhone SEs and harnessing Apple’s Live Text optical character-recognition feature to find possible inventory tags, barcodes, or other corporate labels in listing photos. The system monitored for new listings, and if it turned up a possible hit, Bryant would get an alert so he could assess the device photos himself.

    In the case of the Time Capsule, the listing photos showed a label on the bottom of the device that said “Property of Apple Computer, Expensed Equipment.” After he evaluated the Time Capsule’s contents, Bryant notified Apple about his findings, and the company’s London security office eventually asked him to ship the Time Capsule back. Apple did not immediately return a request from WIRED for comment about Bryant’s research.

    “The main company in the talk for proofs of concept is Apple, because I view them as the most mature hardware company out there. They have all their hardware specially counted, and they really care about the security of their operations quite a bit,” Bryant says. “But with any Fortune 500 company, it’s basically a guarantee that their stuff will end up on sites like eBay and other secondhand markets eventually. I can’t think of any company where I haven’t seen at least some piece of equipment and got an alert on it from my system.”

    Another alert from his search system led Bryant to purchase a prototype iPhone 14 intended for developer use internally at Apple. Such iPhones are coveted by both bad actors and security researchers because they often run special versions of iOS that are less locked down than the consumer product and include debugging functionality that’s invaluable for gaining insight into the platform. Apple runs a program to give certain researchers access to similar devices, but the company only grants these special iPhones to a limited group, and researchers have told WIRED that they are typically outdated iPhone models. Bryant says he paid $165 for the developer-use iPhone 14.

    Lily Hay Newman

    Source link

  • Google Researchers Found Nearly a Dozen Flaws in Popular Qualcomm Software for Mobile GPUs

    Google Researchers Found Nearly a Dozen Flaws in Popular Qualcomm Software for Mobile GPUs

    Demand for graphics processing units or GPUs has exploded in recent years as video rendering and artificial intelligence systems have expanded the need for processing power. And while most of the most visible shortages (and soaring stock prices) relate to top-tier PC and server chips, mobile graphics processors are the version that everyone with a smartphone is using everyday. So vulnerabilities in these chips or how they’re implemented can have real-world consequences. That’s exactly why Google’s Android vulnerability hunting red team set its sights on open-source software from the chip giant Qualcomm that’s widely used to implement mobile GPUs.

    At the Defcon security conference in Las Vegas on Friday, three Google researchers presented more than nine vulnerabilities—now patched—that they discovered in Qualcomm’s Adreno GPU, a suite of software used to coordinate between GPUs and an operating system like Android on Qualcomm-powered phones. Such “drivers” are crucial to how any computer is designed and have deep privileges in the kernel of an operating system to coordinate between hardware peripherals and software. Attackers could exploit the flaws the researchers found to take full control of a device.

    For years, engineers and attackers alike have been most focused on potential vulnerabilities in a computer’s central processing unit (CPU) and have optimized for efficiency on GPUs, leaning on them for raw processing power. But as GPUs become more central to everything a device does all the time, hackers on both ends of the spectrum are looking at how GPU infrastructure could be exploited.

    “We are a small team compared to the big Android ecosystem—the scope is too big for us to cover everything, so we have to figure out what will have the most impact,” says Xuan Xing, manager of Google’s Android Red Team. “So why did we focus on a GPU driver for this case? It’s because there’s no permission required for untrusted apps to access GPU drivers. This is very important, and I think will attract lots of attackers’ attention.”

    Xing is referring to the fact that applications on Android phones can talk to the Adreno GPU driver directly with “no sandboxing, no additional permission checks,” as he puts it. This doesn’t in itself give applications the ability to go rogue, but it does make GPU drivers a bridge between the regular parts of the operating system (where data and access are carefully controlled), and the system kernel, which has full control over the entire device including its memory. “GPU drivers have all sorts of powerful functions,” Xing says. “That mapping in memory is a powerful primitive attackers want to have.”

    The researchers say the vulnerabilities they uncovered are all flaws that come out of the intricacies and complicated interconnections that GPU drivers must navigate to coordinate everything. To exploit the flaws, attackers would need to first establish access to a target device, perhaps by tricking victims into side-loading malicious apps.

    “There are a lot of moving parts and no access restrictions, so GPU drivers are readily accessible to pretty much every application,” says Eugene Rodionov, technical leader of the Android Red Team. “What really makes things problematic here is complexity of the implementation—that is one item which accounts for a number of vulnerabilities.”

    Qualcomm released patches for the flaws to “original equipment manufacturers” (OEMs) that use Qualcomm chips and software in the Android phones they make. “Regarding the GPU issues disclosed by Android Security Red Team, patches were made available to OEMs in May 2024,” a Qualcomm Spokesperson tells WIRED. “We encourage end users to apply security updates from device makers as they become available.”

    The Android ecosystem is complex, and patches must move from a vendor like Qualcomm to OEMs and then get packaged by each individual device maker and delivered to users’ phones. This trickle-down process sometimes means that devices can be left exposed, but Google has spent years investing to improve these pipelines and streamline communication.

    Still, the findings are yet another reminder that GPUs themselves and the software supporting them have the potential to become a critical battleground in computer security.

    As Rodionov puts it, “combining high complexity of the implementation with wide accessibility makes it a very interesting target for attackers.”

    Lily Hay Newman

    Source link

  • Flaws in Ubiquitous ATM Software Could Have Let Attackers Take Over Cash Machines

    Flaws in Ubiquitous ATM Software Could Have Let Attackers Take Over Cash Machines

    There is a grand tradition at the annual Defcon security conference in Las Vegas of hacking ATMs. Unlocking them with safecracking techniques, rigging them to steal users’ personal data and PINs, crafting and refining ATM malware and, of course, hacking them to spit out all their cash. Many of these projects targeted what are known as retail ATMs, freestanding devices like those you’d find at a gas station or a bar. But on Friday, independent researcher Matt Burch is presenting findings related to the “financial” or “enterprise” ATMs used in banks and other large institutions.

    Burch is demonstrating six vulnerabilities in ATM-maker Diebold Nixdorf’s widely deployed security solution, known as Vynamic Security Suite (VSS). The vulnerabilities, which the company says have all been patched, could be exploited by attackers to bypass an unpatched ATM’s hard drive encryption and take full control of the machine. And while there are fixes available for the bugs, Burch warns that, in practice, the patches may not be widely deployed, potentially leaving some ATMs and cash-out systems exposed.

    “Vynamic Security Suite does a number of things—it has endpoint protection, USB filtering, delegated access, and much more,” Burch tells WIRED. “But the specific attack surface that I’m taking advantage of is the hard drive encryption module. And there are six vulnerabilities, because I would identify a path and files to exploit, and then I would report it to Diebold, they would patch that issue, and then I would find another way to achieve the same outcome. They’re relatively simplistic attacks.”

    The vulnerabilities Burch found are all in VSS’s functionality to turn on disk encryption for ATM hard drives. Burch says that most ATM manufacturers rely on Microsoft’s BitLlocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to run an integrity check. The system is set up in a dual-boot configuration that has both Linux and Windows partitions. Before the operating system boots, the Linux partition runs a signature integrity check to validate that the ATM hasn’t been compromised, and then boots it into Windows for normal operation.

    “The problem is, in order to do all of that, they decrypt the system, which opens up the opportunity,” Burch says. “The core deficiency that I’m exploiting is that the Linux partition was not encrypted.”

    Burch found that he could manipulate the location of critical system validation files to redirect code execution; in other words, grant himself control of the ATM.

    Diebold Nixdorf spokesperson Michael Jacobsen tells WIRED that Burch first disclosed the findings to them in 2022 and that the company has been in touch with Burch about his Defcon talk. The company says that the vulnerabilities Burch is presenting were all addressed with patches in 2022. Burch notes, though, that as he went back to the company with new versions of the vulnerabilities over the past couple of years, his understanding is that the company continued to address some of the findings with patches in 2023. And Burch adds that he believes Diebold Nixdorf addressed the vulnerabilities on a more fundamental level in April with VSS version 4.4 that encrypts the Linux partition.

    Lily Hay Newman

    Source link

  • USPS Text Scammers Duped His Wife, So He Hacked Their Operation

    USPS Text Scammers Duped His Wife, So He Hacked Their Operation

    Smith trawled Reddit and other online sources to find people reporting the scam and find URLs being used, which he subsequently published. Some of the websites running the Smishing Triad’s tools were collecting thousands of people’s personal information per day, Smith says. Among other details, the websites would request people’s names, addresses, payment card numbers and security codes, phone numbers, dates of birth, and bank websites. This level of information can allow a scammer to make purchases online with the credit cards. Smith says his wife quickly canceled her card, but noticed that the scammers still tried to use it, for instance with Uber. The researcher says he would collect data from a website and return to it a few hours later, only to find hundreds of new records.

    The researcher provided the details to a bank that had contacted him after seeing his initial blog posts. Smith declined to name the bank. He also reported the incidents to the FBI and later provided information to the United States Postal Inspection Service (USPIS).

    Michael Martel, a national public information officer at the USPIS, says the information provided by Smith is being used as part of an ongoing USPIS investigation and that the agency cannot comment on specific details. “USPIS is already actively pursuing this type of information to protect the American people, identify victims, and serve justice to the malicious actors behind it all,” Martel says, pointing to advice on spotting and reporting USPS package delivery scams.

    Initially, Smith says, he was wary about going public with his research as this kind of “hacking back” falls into a “gray area”: It may be breaking the Computer Fraud and Abuse Act, a sweeping US computer-crimes law, but he’s doing it against foreign-based criminals. Something he is definitely not the first, or last, to do.

    Multiple Prongs

    The Smishing Triad is prolific. As well as using postal services as lures their scams, the Chinese-speaking group has targeted online banking, e-commerce, and payment systems in the US, Europe, India, Pakistan, and the United Arab Emirates, according to Shawn Loveland, the chief operating officer of Resecurity, which has consistently tracked the group.

    The Smishing Triad sends between 50,000 and 100,000 messages daily, according to Resecurity’s research. Its scam messages are sent using SMS or Apple’s iMessage, the latter is encrypted. Loveland says the Triad is made up of two distinct groups—a small team led by one Chinese hacker that creates, sells, and maintains the smishing kit, and a second group of people who buy the scamming tool. (A backdoor in the kit allows the creator to access details of administrators using the kit, Smith says in a blog post.)

    “It’s very mature,” Loveland says of the operation. The group sells the scamming kit on Telegram for a $200-per month subscription, and this can be customized to show the organization the scammers are trying to impersonate. “The main actor is Chinese communicating in the Chinese language,” Loveland says. “They do not appear to be hacking Chinese language websites or users.” (In communications with the main contact on Telegram, the individual claimed to Smith that they were a computer science student.)

    The relatively low monthly subscription cost for the smishing kit means it’s highly likely, with the number of credit card details scammers are collecting, that those using it are making significant profits. Loveland says that using text messages, which immediately send people a notification, is a more direct and more successful way of phishing, compared to sending emails with malicious links included.

    As a result, smishing has been on the rise in recent years. But there are some tell-tale signs: If you receive a message from a number or email that you don’t recognize; if it contains a link to click on; and wants you to do something urgently, you should be suspicious.

    Matt Burgess

    Source link

  • Inside the Dark World of Doxing for Profit

    Inside the Dark World of Doxing for Profit

    Since the early 1990s, people have used doxing as a toxic way to strike digital revenge—stripping away someone’s anonymity by unmasking their identity online. But in recent years, the poisonous practice has taken on new life, with people being doxed and extorted for cryptocurrency and, in the most extreme cases, potentially facing physical violence.

    For the past year, security researcher Jacob Larsen—who was a victim of doxing around a decade ago when someone tried to extort him for a gaming account—has been monitoring doxing groups, observing the techniques used to unmask people, and interviewing prominent members of the doxing community. Doxing actions have led to incomes of “well over six figures annually,” and methods include making fake law enforcement requests to get people’s data, according to Larsen’s interviews.

    “The primary target of doxing, particularly when it involves a physical extortion component, is for finance,” says Larsen, who leads an offensive security team at cybersecurity company CyberCX but conducted the doxing research in a personal capacity with the support of the company.

    Over several online chat sessions last August and September, Larsen interviewed two members of the doxing community: “Ego” and “Reiko.” While neither of their offline identities is publicly known, Ego is believed to have been a member of the five-person doxing group known as ViLe, and Reiko last year acted as an administrator of the biggest public doxing website, Doxbin, as well as being involved in other groups. (Two other ViLe members pleaded guilty to hacking and identity theft in June.) Larsen says both Ego and Reiko deleted their social media accounts since speaking with him, making it impossible for WIRED to speak with them independently.

    People can be doxed for a full range of reasons—from harassment in online gaming, to inciting political violence. Doxing can “humiliate, harm, and reduce the informational autonomy” of targeted individuals, says Bree Anderson, a digital criminologist at Deakin University in Australia who has researched the subject with colleagues. There are direct “first-order” harms, such as risks to personal safety, and longer-term “second-order harms,” including anxiety around future disclosures of information, Anderson says.

    Larsen’s research mostly focused on those doxing for profit. Doxbin is central to many doxing efforts, with the website hosting more than 176,000 public and private doxes, which can contain names, social media details, Social Security numbers, home addresses, places of work, and similar details belonging to people’s family members. Larsen says he believes most of the doxing on Doxbin is driven by extortion activities, although there can be other motivations and doxing for notoriety. Once information is uploaded, Doxbin will not remove it unless it breaks the website’s terms of service.

    “It is your responsibility to uphold your privacy on the internet,” Reiko said in one of the conversations with Larsen, who has published the transcripts. Ego added: “It’s on the users to keep their online security tight, but let’s be real, no matter how careful you are, someone might still track you down.”

    Impersonating Police, Violence as a Service

    Being entirely anonymous online is almost impossible—and many people don’t try, often using their real names and personal details in online accounts and sharing information on social media. Doxing tactics to gather people’s details, some of which were detailed in charges against ViLe members, can include reusing common passwords to access accounts, accessing public and private databases, and social engineering to launch SIM swapping attacks. There are also more nefarious methods.

    Emergency data requests (EDR) can also be abused, Larsen says. EDRs allow law enforcement officials to ask tech companies for people’s names and contact details without any court orders as they believe there may be danger or risks to people’s lives. These requests are made directly to tech platforms, often through specific online portals, and broadly need to come from official law enforcement or government email addresses.

    Matt Burgess

    Source link

  • A Flaw in Windows Update Opens the Door to Zombie Exploits

    A Flaw in Windows Update Opens the Door to Zombie Exploits

    New research being presented at the Black Hat security conference in Las Vegas today shows that a vulnerability in Windows Update could be exploited to downgrade Windows to older versions, exposing a slew of historical vulnerabilities that then can be exploited to gain full control of a system. Microsoft says that it is working on a complex process to carefully patch the issue, dubbed “Downdate.”

    Alon Leviev, the SafeBreach Labs researcher who discovered the flaw, says he started looking for possible downgrade attack methods after seeing that a startling hacking campaign from last year was using a type of malware (known as the “BlackLotus UEFI bootkit”) that relied on downgrading the Windows boot manager to an old, vulnerable version. After probing the Windows Update flow, Leviev discovered a path to strategically downgrading Windows—either the entire operating system or just specifically chosen components. From there, he developed a proof-of-concept attack that utilized this access to disable the Windows protection known as Virtualization-Based Security (VBS) and ultimately target highly privileged code running in the computer’s core “kernel.”

    “I found a downgrade exploit that is fully undetectable because it is performed by using Windows Update itself,” which the system trusts, Leviev told WIRED ahead of his conference talk. “In terms of invisibility, I didn’t uninstall any update—I basically updated the system even though under the hood it was downgraded. So the system is not aware of the downgrade and still appears up-to-date.”

    Leviev’s downgrade capability comes from a flaw in the components of the Windows Update process. To perform an upgrade, your PC places what is essentially a request to update in a special update folder. It then presents this folder to the Microsoft update server, which checks and confirms its integrity. Next, the server creates an additional update folder for you that only it can control, where it places and finalizes the update and also stores an action list—called “pending.xml”—that includes the steps of the update plan, such as which files will be updated and where the new code will be stored on your computer. When you reboot your PC, it takes the actions from the list and updates the software.

    The idea is that even if your computer, including your update folder, is compromised, a bad actor can’t hijack the update process because the crucial parts of it happen in the server-controlled update folder. Leviev looked closely at the different files in both the user’s update folder and the server’s update folder, though, and he eventually found that while he couldn’t modify the action list in the server’s update folder directly, one of the keys controlling it—called “PoqexecCmdline”—was not locked. This gave Leviev a way to manipulate the action list, and with it the entire update process, without the system realizing that anything was amiss.

    With this control, Leviev then found strategies to downgrade multiple key components of Windows, including drivers, which coordinate with hardware peripherals; dynamic link libraries, which contain system programs and data; and, crucially, the NT kernel, which contains the most core instructions for a computer to run. All of these could be downgraded to older versions that contain known, patched vulnerabilities. And Leviev even cast a wider net from there, to find strategies for downgrading Windows security components including the Windows Secure Kernel; the Windows password and storage component Credential Guard; the hypervisor, which creates and oversees virtual machines on a system; and VBS, the Windows virtualization security mechanism.

    The technique does not include a way to first gain remote access to a victim device, but for an attacker who already has initial access, it could enable a true rampage, because Windows Update is such a trusted mechanism and can reintroduce a vast array of dangerous vulnerabilities that have been fixed by Microsoft over the years. Microsoft says that it has not seen any attempts to exploit the technique.

    “We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption,” a Microsoft spokesperson told WIRED in a statement.

    Part of the company’s fix involves revoking vulnerable VBS system files, which must be done carefully and gradually, because it could cause integration issues or reintroduce other, unrelated problems that were previously addressed by those same system files.

    Leviev emphasizes that downgrade attacks are an important threat for the developer community to consider as hackers endlessly seek paths into target systems that are stealthy and difficult to detect.

    Lily Hay Newman

    Source link

  • A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

    A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

    “It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

    UnDisruptable27 will focus on interacting with communities who aren’t reached by Washington DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

    “There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact,” says Megan Stifel, IST’s chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

    Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

    “Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’ ” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

    UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

    “We must prioritize the security, safety, and resilience of critical infrastructure — including water, health care facilities, and utilities,” Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. “The urgency of this issue requires affecting human behavior through storytelling.”

    Lily Hay Newman

    Source link