The Linkielist

Linking ideas with the world

The Linkielist

Daily Archives: March 9, 2024

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

Posted on by

[…]

Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

A rootkit “holy grail”

“When it comes to Windows security, there is a thin line between admin and kernel,” Jan Vojtěšek, a researcher with security firm Avast, explained last week. “Microsoft’s security servicing criteria have long asserted that ‘[a]dministrator-to-kernel is not a security boundary,’ meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.”

The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced.

[…]

In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access. To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements. In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.

The vulnerability Lazarus exploited, tracked as CVE-2024-21338, offered considerably more stealth than BYOVD because it exploited appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in the Microsoft OS. Avast said such vulnerabilities represent the “holy grail,” as compared to BYOVD.

In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the Lazarus rootkit came not from Microsoft in February but from Avast 15 days later. A day later, Microsoft updated its patch bulletin to note the exploitation.

[…]

Source: Hackers exploited Windows 0-day for 6 months after Microsoft knew of it | Ars Technica

Millions of research papers at risk of disappearing from the Internet

Posted on by

More than one-quarter of scholarly articles are not being properly archived and preserved, a study of more than seven million digital publications suggests. The findings, published in the Journal of Librarianship and Scholarly Communication on 24 January1, indicate that systems to preserve papers online have failed to keep pace with the growth of research output.

“Our entire epistemology of science and research relies on the chain of footnotes,” explains author Martin Eve, a researcher in literature, technology and publishing at Birkbeck, University of London. “If you can’t verify what someone else has said at some other point, you’re just trusting to blind faith for artefacts that you can no longer read yourself.”

[…]

The sample of DOIs included in the study was made up of a random selection of up to 1,000 registered to each member organization. Twenty-eight per cent of these works — more than two million articles — did not appear in a major digital archive, despite having an active DOI. Only 58% of the DOIs referenced works that had been stored in at least one archive. The other 14% were excluded from the study because they were published too recently, were not journal articles or did not have an identifiable source.

Preservation challenge

Eve notes that the study has limitations: namely that it tracked only articles with DOIs, and that it did not search every digital repository for articles (he did not check whether items with a DOI were stored in institutional repositories, for example).

[…]

“Everybody thinks of the immediate gains they might get from having a paper out somewhere, but we really should be thinking about the long-term sustainability of the research ecosystem,” Eve says. “After you’ve been dead for 100 years, are people going to be able to get access to the things you’ve worked on?”

doi: https://doi.org/10.1038/d41586-024-00616-5

Source: Millions of research papers at risk of disappearing from the Internet

Want to Steal a Tesla? set up a guest wifi with a fake site, steal the password and make your own key

Posted on by

Security researchers report they uncovered a design flaw that let them hijack a Tesla using a Flipper Zero, a controversial $169 hacking tool. Partners Tommy Mysk and Talal Haj Bakry of Mysk Inc. said the attack is as simple as swiping a Tesla owner’s login information, opening the Tesla app, and driving away. The victim would have no idea they lost their $40,000 vehicle. Mysk said the exploit takes minutes, and to prove it all works, he stole his own car.

The issue isn’t “hacking” in the sense of breaking into software, it’s a social engineering attack that fools a user into handing over their information. Using a Flipper, the researchers set up a WiFi network called “Tesla Guest,” the name Tesla uses for its guest networks at service centers. Mysk then created a website that looks like Tesla’s login page.

The process is simple. In this scenario, hackers could broadcast the network near a charging station, where a bored driver might be looking for entertainment. The victim connects to the WiFi network and enters their username and password on the fake Tesla website. The hacker then uses the credentials to log in to the real Tesla app, which triggers a two-factor authentication code. The victim enters that code into the fake website, and the thief gains access to their account. Once you’re logged into the Tesla app, you can set up a “phone key” which lets you unlock and control the car over Bluetooth with a smartphone. From there, the car is yours.

You can see Mysk’s demonstration of the attack in the video below.

Cybersecurity: Can a Tesla stop phishing and social engineering attacks?

According to Mysk, Tesla doesn’t notify users when new keys are created, so the victim wouldn’t know they’ve been compromised. Mysk said the bad guys wouldn’t need to steal the car right away, either, because the app shows you the physical location of the vehicle. The Tesla owner could finish charging the car and drive off to go shopping or park outside their house. The thief would just watch the car’s location using the app, and then waltz up at an opportune moment and drive away.

“This means with a leaked email and password, an owner could lose their Tesla vehicle.

[…]

Source: Want to Steal a Tesla? Try Using a Flipper Zero

EU fines Apple nearly $2B over in-app music purchases

Posted on by

Apple’s anti-steering provisions that prevent music streaming apps from directing users outside the App Store for paid services were smacked down in the European Union today and earned the iGiant a fine of more than €1.8 billion ($1.95 billion).

The European Commission said Apple’s policies “amount to unfair trading conditions” and “are neither necessary nor proportionate for the protection of Apple’s commercial interests.”

“Apple will have to open the gates to its ecosystem, to allow end users to easily find the apps they want, pay for them in any way they want, and use them on any device they want,” EU antitrust chief Margrethe Vestager said of the decision.

Apple’s anti-steering rules have prevented developers from directing users outside the App Store – thereby circumventing Apple’s 30 percent commission – for in-app purchases and subscriptions. As part of the EC decision, Apple is being forced to end the use of anti-steering provisions in the bloc, but this restriction applies only to music streaming apps, an EC spokesperson told The Register.

Vestager described Apple’s anti-competitive conduct as having gone on for nearly a decade, resulting in iOS users paying “significantly higher prices for music streaming subscriptions.” The anti-steering provisions also led to a “degraded user experience,” Vestager said, as users were forced to “engage in a cumbersome search” to find cheaper prices outside the App Store because the anti-steering rule also prevented developers from telling users about cheaper prices available elsewhere.

[…]

Source: EU fines Apple nearly $2B over in-app purchases • The Register

Satellites Step Up After Red Sea Internet Cables Get Severed

Posted on by

[…] Earlier this week, four out of 15 communication cables were cut, disrupting network traffic that flows through the Red Sea. The damaged cables affected 25% of traffic between Asia, Europe, and the Middle East, according to Hong Kong telecoms company HGC Global Communications. The cause of the damage is still unknown, and the company is working on a fix, which it referred to as an “exceptionally rare occurrence.” Although HGC did not reveal the cause behind the damaged cables, a U.S. National Security Council spokesperson blamed it on the anchor of a cargo ship that was sunk by the Houthi group in Yemen. The Houthis, however, issued a statement denying its involvement.

Regardless of the cause, satellite companies have stepped up by beaming connectivity from space to reroute some of that impacted traffic. Satellite operators such as Intelsat are providing back up connectivity to fill in the gaps for the severed cables, SpaceNews reported.

Intelsat has a fleet of 52 communication satellites in orbit, providing broadband internet and offering airline passengers inflight connectivity. Other companies, like Eutelsat OneWeb, SES, and, more famously, SpaceX are also in the business of beaming connectivity from Earth orbit.

The recent incident, although rare, does offer a glimpse into what a hybrid connectivity solution would look like, providing internet from both underwater cables, as well as orbital satellites. Subsea customers, or those getting internet from both ends, can restore their connectivity within 15 minutes should there be an issue with a terrestrial provider, Rhys Morgan, regional vice president for Intelsat, told SpaceNews.

[…]

Source: Satellites Step Up After Red Sea Internet Cables Get Severed