Smashing Security podcast #326: Right Royal security threats and MOVEit mayhem
There are shocking revelations about a US Government data suck-up, historic security breaches at Windsor Castle, and the MOVEit hack causes consternation.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Sonos Smart Speaker Vulnerability Let Attackers Execute Remote Code
In early August 2024, Sonos published a security advisory covering two vulnerabilities that lead to remote code execution, tracked as CVE-2023-50809 and CVE-2023-50810.
The flaws affect the Sonos One and Sonos Era 100 smart speakers. A threat actor within wireless range can use them to compromise the kernel over the air and turn the device into a wiretap that covertly records everything the microphone can hear.
The exploitation method was presented at the Black Hat USA 2024 conference.
Sonos Smart Speaker Vulnerability
According to the reports shared with Cyber Security News, CVE-2023-50809 lies in the WPA2 handshake code: the function that parses the KeyData field reads a GTK length of up to 255 from the frame but never enforces an upper bound on it.
That missing check is what makes the overflow possible.
Triggering the bug requires several conditions to hold:
The key data must decrypt successfully, which in WPA2 is only possible after the Anonce and Snonce have been exchanged. In practice the rogue access point must be able to derive the same key-encryption key as the speaker, so it needs the network's PSK or the speaker must be joining a network the attacker controls.
The vulnerable function must be reached through handshake Message 3 (M3).
On the attacker side, wpa_supplicant can be run in AP mode to generate the handshake.
With all conditions met, the malformed M3 crashes the Sonos device with the program counter (PC) under attacker control. Corruption of other stack data further down the frame was avoided by appending extra IEs that make the function return early.
Sonos One – Over-The-Air Vulnerability
Multiple vulnerable design patterns were identified in the code path that handles and parses WPA key material.
The notable one is the WpaParseEapolKeyData function, which runs during the WPA2 four-way handshake.
Two bugs in it can be chained into a stack buffer overflow: improper validation of the information element (IE) length, and no maximum on the GTK IE length.
In the first bug, the KDE length is derived from the IE length field by subtracting the fixed KDE header size, with no check that the field is at least 6. An IE whose length field is smaller than 6 therefore makes the computed length underflow to a huge value.
That value then drives a copy far larger than the 32-byte GTK stack buffer, producing the stack buffer overflow.
In the second bug, the GTK from keyData is copied into the gtk_buf stack buffer without verifying that its length is less than or equal to gtk_buf's capacity of 32 bytes.
Crashdump (Source: NCCGroup)
Chaining these two issues, a malformed information element uses the underflow and the missing bound to trigger a copy that exceeds the GTK buffer's maximum length.
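To make the two bugs concrete, the following C program is an added illustration, not the Sonos firmware or NCC Group's code: it models a GTK KDE parser with the two defects described above (a length field below 6 that underflows, and no bound against the 32-byte destination) next to a hardened version that validates every length before use. The function names, the 32-byte buffer size and the test vectors are assumptions for the demo; the vulnerable variant returns the byte count it would have copied instead of performing the copy, so running it is safe. In a real handshake this key data only reaches the parser after it has been unwrapped with the KEK, which is why the sender must already hold the key material.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GTK KDE inside EAPOL-Key Message 3 key data (IEEE 802.11):
 *   id 0xdd | len | OUI 00-0f-ac | type 0x01 | key id/tx | reserved | GTK ...
 * The group key therefore occupies len - 6 bytes and, on the target, was copied
 * into a 32-byte stack buffer. Names and sizes here are demo assumptions. */
#define GTK_BUF_SIZE 32
#define KDE_HDR_LEN  6           /* OUI(3) + data type(1) + key id(1) + reserved(1) */
#define KD_MAX       (2 + 255)   /* one IE header plus the largest possible body */
static const uint8_t WPA2_OUI[3] = { 0x00, 0x0f, 0xac };

/* Vulnerable pattern: the length byte is trusted twice. Instead of doing the
 * memcpy it returns the byte count the original code would have copied into
 * gtk_buf, so running this cannot actually smash the stack. */
size_t vuln_gtk_copy_len(const uint8_t *kd, size_t kd_len)
{
    size_t pos = 0;
    while (pos + 2 + KDE_HDR_LEN <= kd_len) {          /* header reads stay in bounds */
        uint8_t id = kd[pos], len = kd[pos + 1];
        const uint8_t *body = kd + pos + 2;
        if (id == 0xdd && memcmp(body, WPA2_OUI, 3) == 0 && body[3] == 0x01) {
            /* Bug 1: no check that len >= 6, so (int)len - 6 goes negative and the
             * conversion to size_t wraps to nearly SIZE_MAX.
             * Bug 2: the result is never compared with GTK_BUF_SIZE. */
            size_t gtk_len = (size_t)(len - KDE_HDR_LEN);
            return gtk_len;   /* original: memcpy(gtk_buf, body + 6, gtk_len) */
        }
        pos += 2 + (size_t)len;
    }
    return 0;
}

/* Hardened form: every length is validated before it is used. Returns the GTK
 * length (bytes written to gtk_buf), 0 if no GTK KDE is present, -1 if any IE
 * is malformed. */
int safe_parse_gtk(const uint8_t *kd, size_t kd_len, uint8_t gtk_buf[GTK_BUF_SIZE])
{
    size_t pos = 0;
    while (pos + 2 <= kd_len) {
        uint8_t id = kd[pos], len = kd[pos + 1];
        const uint8_t *body = kd + pos + 2;
        if (len > kd_len - pos - 2)
            return -1;                           /* IE claims more bytes than remain */
        if (id == 0xdd) {
            if (len < 4)
                return -1;                       /* too short to hold OUI + data type */
            if (memcmp(body, WPA2_OUI, 3) == 0 && body[3] == 0x01) {
                if (len < KDE_HDR_LEN)
                    return -1;                   /* reject before subtracting: no underflow */
                size_t gtk_len = len - KDE_HDR_LEN;
                if (gtk_len == 0 || gtk_len > GTK_BUF_SIZE)
                    return -1;                   /* bound against the destination buffer */
                memcpy(gtk_buf, body + KDE_HDR_LEN, gtk_len);
                return (int)gtk_len;
            }
        }
        pos += 2 + (size_t)len;
    }
    return 0;
}

/* Constructed key data (not captured traffic): one GTK KDE with the given length
 * byte; the rest of the buffer is filled with `fill` so no read leaves the array. */
void build_key_data(uint8_t kd[KD_MAX], uint8_t ie_len, uint8_t fill)
{
    memset(kd, fill, KD_MAX);
    kd[0] = 0xdd;  kd[1] = ie_len;
    memcpy(kd + 2, WPA2_OUI, 3);
    kd[5] = 0x01;                                /* data type: GTK */
    kd[6] = 0x01;  kd[7] = 0x00;                 /* key id 1, tx 0; reserved */
}

int main(void)
{
    static const struct { const char *name; uint8_t ie_len; } cases[] = {
        { "valid 16-byte CCMP GTK", 6 + 16 },
        { "len < 6 (underflow)",    4 },
        { "len = 255 (oversize)",   255 },
    };
    uint8_t kd[KD_MAX], gtk[GTK_BUF_SIZE];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        build_key_data(kd, cases[i].ie_len, 0x41);
        size_t v = vuln_gtk_copy_len(kd, KD_MAX);
        int s = safe_parse_gtk(kd, KD_MAX, gtk);
        printf("%-24s vulnerable copy length %zu (%s), hardened result %d\n",
               cases[i].name, v, v > GTK_BUF_SIZE ? "OVERFLOW" : "ok", s);
    }
    return 0;
}
```

The hardened parser rejects a short IE before the subtraction happens, so there is no value to underflow, and it bounds the computed length against the real destination size rather than against the attacker's own length byte; those two checks are the whole fix for this class of bug.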
Background Of This Attack
Attack Methodology (Source: NCCGroup)
The WPA2 four-way handshake consists of four EAPOL-Key packets exchanged between the client and the access point.
The important inputs are the Anonce and Snonce (random values generated by the access point and the client respectively), the SSID, and the pre-shared key (PSK).
The PSK itself is never sent over the air; both sides derive the Pairwise Master Key (PMK) from it and the SSID with PBKDF2, and from the PMK and the two nonces the pairwise transient key that the rest of the handshake uses.
Once the minimum information has been exchanged (Anonce in Message 1, Snonce in Message 2), the remaining messages carry additional information elements, including the GTK, encrypted with the key-encryption key derived from that key material.
Pivoting The Permission
Once remote code execution was achieved, the researchers worked on pivoting from the initial crash to full control of the device.
The steps were to obtain a pointer to the EAPOL frame buffer, adjust the stack pointer so that it points into that buffer, and pivot execution onto the new, attacker-controlled stack.
From there they called the kernel's set_memory_x, which marks a range of virtual addresses executable, passing it the EAPOL pointer so that the heap memory holding the frame could run as shellcode.
The shellcode then used the kernel helper call_usermodehelper (via run_cmd) to launch a userland command, turning kernel code execution into a controllable process.
Post-exploitation used telnet and the device's BusyBox userland to deliver the payload, which could covertly capture audio from the device's surroundings.
A demo of the exploit and Rust implant can be found here.
Exploited Sonos Device with UI to Capture and Download Microphone (Source: NCCGroup)
Sonos Era-100 – Secure Boot Bypass
This vulnerability stems from three issues in the U-Boot build shipped on the Sonos Era 100. Sonos uses a modified U-Boot that is locked down with a password and a restricted command set.
The U-Boot image is also encrypted with keys held in EL3, and at that stage of the research there was no read/write access to the eMMC (embedded MultiMediaCard).
The first issue: U-Boot loads its environment from flash at offset 0x500000 because CONFIG_ENV_IS_NOWHERE is not set, so anyone who can write that region can set bootcmd.
The second: the sonosboot command loads and validates the kernel and then hands it to bootm, and bootm reads the U-Boot environment (for example the kernel command line) and passes it on to the Linux kernel, so the environment influences what is booted.
The third: the custom Sonos image header is always loaded at address 0x100000, and the kernel_offset field, normally 0x40, is not enforced by U-Boot. A crafted image can therefore still pass the signature check, and chaining the three issues yielded a shell in the context of /init (root).
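The first of the three issues is the one most defenders will recognise in their own firmware, so here is an added C example (not Sonos or NCC Group code) of what a U-Boot environment read from flash actually protects. The stored image is a little-endian CRC-32 followed by NUL-separated name=value pairs padded to the configured size; anyone who can write the flash region can replace bootcmd and recompute the CRC. The environment size, the legitimate bootcmd value and the attacker string are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* U-Boot environment image as stored in flash:
 *   uint32_t crc  (little-endian CRC-32 of everything after it)
 *   "name=value\0" ... "\0"  padded to the configured environment size.
 * Nothing in this layout is signed: the CRC only detects corruption. */

/* Standard reflected CRC-32 (the one zlib and U-Boot use). */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Recompute the CRC over the data area: the step any writer, legitimate or not, can do. */
void env_seal(uint8_t *img, size_t env_size)
{
    put_le32(img, crc32_ieee(img + 4, env_size - 4));
}

/* Build an image from "name=value" strings; returns 0, or -1 if they do not fit. */
int env_build(uint8_t *img, size_t env_size, const char *const *vars, size_t nvars)
{
    size_t pos = 4;
    memset(img, 0, env_size);
    for (size_t i = 0; i < nvars; i++) {
        size_t len = strlen(vars[i]) + 1;            /* include the NUL separator */
        if (pos + len + 1 > env_size)                /* keep room for the final NUL */
            return -1;
        memcpy(img + pos, vars[i], len);
        pos += len;
    }
    env_seal(img, env_size);
    return 0;
}

/* 1 if the stored CRC matches the data area, else 0. */
int env_crc_ok(const uint8_t *img, size_t env_size)
{
    return get_le32(img) == crc32_ieee(img + 4, env_size - 4);
}

/* Look up a variable; returns a pointer to its value inside img, or NULL. */
const char *env_get(const uint8_t *img, size_t env_size, const char *name)
{
    size_t nlen = strlen(name), pos = 4;
    while (pos < env_size && img[pos] != '\0') {
        const uint8_t *end = memchr(img + pos, '\0', env_size - pos);
        if (end == NULL)
            return NULL;                             /* unterminated entry: malformed */
        size_t elen = (size_t)(end - (img + pos));
        const char *entry = (const char *)(img + pos);
        if (elen > nlen && memcmp(entry, name, nlen) == 0 && entry[nlen] == '=')
            return entry + nlen + 1;
        pos += elen + 1;
    }
    return NULL;
}

int main(void)
{
    enum { ENV_SIZE = 0x400 };                                 /* assumed CONFIG_ENV_SIZE */
    const char *legit[] = { "bootcmd=sonosboot", "bootdelay=0" };       /* assumed values */
    const char *evil[]  = { "bootcmd=run attacker_cmd", "bootdelay=0" }; /* hypothetical */
    uint8_t img[ENV_SIZE];

    env_build(img, ENV_SIZE, legit, 2);
    printf("original : crc %s, bootcmd=%s\n",
           env_crc_ok(img, ENV_SIZE) ? "ok" : "bad", env_get(img, ENV_SIZE, "bootcmd"));

    img[4] ^= 0x01;                                            /* bit flip: the CRC catches this */
    printf("corrupted: crc %s\n", env_crc_ok(img, ENV_SIZE) ? "ok" : "bad");

    env_build(img, ENV_SIZE, evil, 2);                         /* rewrite and reseal: CRC is silent */
    printf("rewritten: crc %s, bootcmd=%s\n",
           env_crc_ok(img, ENV_SIZE) ? "ok" : "bad", env_get(img, ENV_SIZE, "bootcmd"));
    return 0;
}
```

The CRC tells U-Boot only that the bytes were not corrupted, never who wrote them. The defensive options are to build with CONFIG_ENV_IS_NOWHERE so flash contents are ignored, or to authenticate the environment and the boot path with a signature verified against keys the attacker cannot reach.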
Furthermore, a complete presentation that was presented at Black Hat USA 2024 can be found here. The whitepaper published by the researchers of NCCGroup can be found in this link.
PEACHPIT: Massive Ad Fraud Botnet Powered by Millions of Hacked Android and iOS
An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an
The Future of Email Security With AI : Guide To Combat Sophisticated Email Threats 2023
Email security is the set of precautions and techniques that protect email messages from unauthorized access, interception, or manipulation.
It covers the confidentiality, integrity, and availability of email communications while defending against threats such as spam, phishing, malware, and data breaches.
Encryption, authentication, spam filtering, phishing protection, malware detection, data loss prevention, and user awareness are the disciplines that together make up email security.
Individuals and organizations that apply a comprehensive set of email security measures protect the confidentiality, integrity, and availability of their messages and reduce the risks of exchanging information by email.
Email security is of paramount importance due to the following reasons:
Confidentiality: Without adequate email security measures in place, unauthorized people or organizations can intercept and read the sensitive data carried in email, resulting in privacy violations, identity theft, or business espionage.
Data Protection and Compliance: Adequate email security measures help ensure compliance with legal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry.
Intellectual Property Protection: In order to protect the competitive advantage and innovation of an enterprise, proper email security safeguards the company’s important intellectual property assets such as blueprints, patents, etc. against unauthorized access or theft.
Business Continuity: A breach in email security can disrupt normal operations, leading to financial losses, reputational damage, and loss of customer trust.
Phishing and Malware Defense: Effective email security solutions can recognize and filter phishing emails, shielding staff members and people from con artists and unintentional system compromise.
Spam Management: Implementing spam filtering techniques helps clear up email inbox congestion, enabling users to concentrate on important correspondence and lowering the chance of coming into contact with hazardous information.
Reputation Protection: Robust email security measures, such as sender authentication and encryption, reduce the risk of an organization's domain being used in harmful activity, protecting its reputation and trustworthiness.
Evolving Email Threat Landscape: Challenges and Risks
Organizations and individuals must handle a number of risks and challenges posed by the changing email threat landscape in order to maintain effective email security.
A strong email security solution helps address these issues and lower the risk; the Trustifi email security platform, used as the example throughout this guide, provides a number of options to improve email security.
The main challenges and risks that constitute email threats are listed below:
Sophisticated Phishing Attacks: Cybercriminals employ advanced social engineering techniques, creating highly convincing phishing emails that mimic legitimate organizations or individuals.
By detecting phishing attempts and malicious content, email security solutions like Trustifi help users avoid falling victim to scams.
Business Email Compromise (BEC): BEC, which overlaps with what is often called CEO fraud or whaling, attacks businesses by impersonating senior executives or trusted partners.
BEC attacks rely on social engineering to exploit authority and trust inside the company, and typically request a payment or data rather than carrying a malicious attachment, which is why attachment-based filtering alone does not catch them.
Malware and Ransomware: Email is the most common delivery channel for malware and ransomware aimed at unsuspecting users.
Organizations can rely on solutions like Trustifi to detect and block both phishing and malware-carrying messages.
Insider Threats: Insider threats involve individuals within an organization misusing their authorized access to compromise email security.
This can include intentionally leaking sensitive information, conducting unauthorized activities, or engaging in fraudulent activities using their email accounts.
Mobile Device Vulnerabilities: Mobile devices may lack security measures, making them more susceptible to attacks. Lost or stolen devices can lead to unauthorized access to email accounts and potential data breaches.
Compliance and Regulatory Challenges: To protect sensitive data, businesses must comply with several rules and laws, such as the General Data Protection Regulation (GDPR) and industry-related regulations.
Organizations should adopt efficient incident response plans, regularly monitor email traffic for anomalies, and stay updated on emerging threats to stay ahead of the evolving email threat landscape with AI-powered solutions like Trustifi.
What AI Powers in Email Security
AI-powered technology plays a significant role in improving standard email security by taking advantage of advanced algorithms and machine learning techniques.
AI algorithms can analyze large amounts of data and identify patterns, anomalies, indicators of malicious activity, etc.
This enables AI-powered systems to block such threats before they reach users’ inboxes. Trustifi, for example, uses AI algorithms to provide threat intelligence and proactive detection so that potentially harmful emails are identified and intercepted.
70% of global employees have noticed a surge in the frequency of scam emails and texts in the last few months.
AI-powered technology can also analyze user behavior, email content, and communication patterns to establish a baseline of normal activity.
By continuously monitoring and learning from these patterns, the algorithms can identify anomalies that may indicate suspicious or malicious behavior.
For example, if an email account suddenly starts sending an unusually high volume of emails or exhibits unusual patterns of activity, AI can flag it as a potential compromise.
AI-powered Natural Language Processing algorithms can analyze the content of emails to identify potentially malicious or suspicious elements.
These algorithms can understand and interpret the context and intent of email communications, enabling them to detect hidden phishing URLs, deceptive language, or malicious attachments.
Analyzing large volumes of email data allows the models to refine their detection over time and keep pace with evolving email security challenges.
AI-powered capabilities help mitigate the risks associated with email-based attacks, protect sensitive information, and ensure a safer email communication environment.
The Role of Email Security Providers With AI
Email security providers (ESPs) play a crucial role in ensuring email security for organizations and individuals. ESPs offer a range of solutions and features to protect against email-based threats and create a secure communication environment.
Trustifi, as an example of an ESP, exemplifies the role of ESPs in email security.
With the increasing sophistication of phishing attacks and malware threats, ESPs employ advanced technologies to detect and prevent these risks.
It includes real-time scanning and analysis of email content, attachments, and links to identify and block suspicious emails.
ESPs like Trustifi provide email tracking that enables senders to receive notifications when their emails are opened or read, enhancing transparency and accountability.
They also incorporate effective data loss prevention (DLP) measures. It scans email content for predefined patterns or sensitive data types, such as credit card numbers or social security numbers, and applies appropriate security controls, such as encryption or access restrictions, to prevent data breaches.
ESPs employ advanced algorithms and technologies to analyze email content, sender reputation, and other factors to identify and block spam emails.
By implementing powerful spam filters, ESPs like Trustifi can prevent unwanted and potentially malicious emails from reaching users’ inboxes, reducing the risk of falling victim to scams or malware.
ESPs often provide encryption mechanisms, such as Transport Layer Security (TLS) and Secure/Multipurpose Internet Mail Extensions (S/MIME), to encrypt email messages and attachments. The two are not equivalent: TLS protects a message only on each hop between mail servers, whereas S/MIME encrypts the message body from sender to recipient.
Trustifi, for example, offers end-to-end email encryption, providing an additional layer of security for sensitive communications.
Furthermore, ESPs deploy secure email gateways to intercept and analyze incoming and outgoing email traffic. These gateways act as a barrier between the email server and external networks, scanning email content for threats and vulnerabilities.
By implementing secure email gateways, ESPs like Trustifi can detect and block malicious emails, preventing them from reaching the intended recipients and reducing the risk of email-based attacks.
Key Challenges in Email Security: Addressing Vulnerabilities
Email security faces various key challenges that need to be addressed to ensure the protection of sensitive information and mitigate the risks associated with cyber threats.
Trustifi, as an email security provider leveraging AI-powered technology, offers many solutions to tackle these challenges.
Phishing remains a prevalent challenge, with cybercriminals attempting to trick users into divulging sensitive information.
AI-powered solutions like Trustifi.com use advanced algorithms to analyze email content, URLs, and sender reputation to identify and block phishing attempts.
Emails are commonly used to deliver malware and ransomware, which can compromise systems and data.
AI-powered email security solutions can identify malicious attachments, links, and suspicious behavior indicative of malware or ransomware.
Trustifi utilizes AI algorithms to detect and block such threats, ensuring that users’ systems and data remain protected from malware infections and ransomware attacks.
Preventing unauthorized access to sensitive information and addressing the risk of data leakage is crucial.
AI-powered email security solutions employ techniques like data loss prevention and user behavior analysis to identify and prevent the unauthorized transmission of data.
Trustifi.com’s AI algorithms monitor email activity, detect potential leaks, and provide real-time alerts to mitigate the risk of unauthorized access and leakage.
AI-powered solutions can also monitor user behavior, flag unusual activity, and surface potential insider threats.
Compliance with regulatory requirements and industry standards is essential for organizations.
AI-powered email security solutions can also assist in meeting compliance obligations by providing features such as email archiving, tamper-proof certified email delivery, and secure email storage.
AI algorithms enable the detection of phishing attempts, malware threats, data leakage, insider threats, and support compliance requirements.
With the continuous learning capabilities of AI, ESPs like Trustifi evolve their threat detection mechanisms to stay ahead of emerging email security risks and provide users with a robust defense against cyber threats.
Implementing an AI-powered email security solution such as Trustifi can protect a business from today’s most dangerous email threats: phishing, account takeover, business email compromise, malware and ransomware, as well as unwanted tracking, blocking, or modification of messages.
Future Trends in Email Security
Email security is an ever-evolving field, and as technology advances and new threats emerge, email security measures must also evolve.
To keep pace with attackers, organizations need AI-based threat detection and response technology to defend against known, emerging, and never-before-seen email-borne threats.
AI and machine learning technologies can help to identify patterns and anomalies in email traffic, which can be used to detect and prevent attacks such as phishing, malware, and spam.
As these technologies become more advanced, they will likely become more widely used in email security.
Email security is just one part of an organization’s overall security strategy. In the future, we may see greater integration between email security and other security systems, such as firewalls, intrusion detection systems, and security information and event management (SIEM) platforms, to provide a more comprehensive approach to security.
With the increasing importance of data protection and privacy regulations, such as GDPR and CCPA, organizations will need to focus more on securing sensitive data in their emails.
This may include implementing encryption, access controls, and data loss prevention (DLP) technologies.
Passwords, and even one-time-code two-factor authentication, are increasingly defeated as attackers steal credentials and relay login prompts in real time.
In the future, we may see more advanced authentication methods, such as biometrics, behavioral authentication, and phishing-resistant hardware-bound credentials, to provide better security.
The adoption of zero-trust security models is gaining momentum and will play a significant role in securing email communications.
Zero-trust security is an approach that assumes no trust, even for users and devices within the internal network.
It emphasizes continuous verification and strict access controls to protect sensitive data.
In the context of email security, a zero-trust model requires authentication and authorization for every access request, regardless of the user’s location or network.
This means that users and devices are not automatically trusted based on their network location but must authenticate themselves before gaining access to email systems and data.