Microsoft Launches New External Attack Surface Audit Tool


Microsoft has released a new security solution that enables security teams to identify Internet-exposed resources in their organization's environment that attackers could use to reach their networks. The emphasis is on unmanaged or unknown assets: those introduced through mergers or acquisitions, created by shadow IT, missing from inventory because of insufficient cataloguing, or overlooked during rapid corporate expansion.

This new tool, dubbed Microsoft Defender External Attack Surface Management, gives users an overview of their organisation's attack surface, making it easier to uncover vulnerabilities and close off possible attack routes. By continually scanning Internet-facing connections, it builds a database of the organization's full environment, including unmanaged and agentless devices.

Microsoft Corporate VP for Security Vasu Jakkal said, "The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet – essentially, the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker." 

Microsoft Defender External Attack Surface Management helps security teams see their environment as an attacker does and uncover exploitable flaws before an attacker does, by continually watching connections and hunting for unsecured devices exposed to Internet-based attacks.

Microsoft also introduced Microsoft Defender Threat Information, a second security solution that will provide threat intelligence to security operations (SecOps) teams so they can uncover attacker infrastructure and accelerate attack investigations and remediation. It will also give SecOps team members real-time data drawn from Microsoft's large pool of 43 trillion daily security signals, allowing them to proactively hunt for threats in their environments. The data is offered as a library of raw threat intelligence containing information on adversaries' identities as well as correlations between their tools, strategies, and techniques.

"This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams," Jakkal added. 

"The volume, scale and depth of intelligence is designed to empower Security Operations Centers to understand the specific threats their organization faces and to harden their security posture accordingly." 

According to Microsoft, all of this additional information about threat actors' TTPs and infrastructure will assist customers' security teams in detecting, removing, and blocking hidden adversary tools within their organization's environment.

Hacker Offers 5.4 million Twitter Account Details for $30,000


A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. The hacker is currently selling the stolen information on the prominent hacking forum Breached Forums.

In January, a report submitted through HackerOne described a vulnerability that could be used by an attacker to identify a Twitter account from the linked phone number or email address, even if the user had opted out of this in the privacy settings.

“The vulnerability allows any party without any authentication to obtain a Twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne. 

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.” Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize.

The website Restore Privacy uncovered the advertisement for the massive data trove on Breached Forums, where a hacker has published a database of 5.4 million Twitter users.

Database of 5.4 million Twitter users

According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor also included a data sample in the form of a CSV file.

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above,” reads the post published by RestorePrivacy.

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.” 

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

Vulnerabilities in the ExpressLRS Protocol Enable the Takeover of Drones


Researchers warn that the ExpressLRS protocol for radio-controlled (RC) drones contains flaws that may be exploited to take control of unmanned vehicles.

ExpressLRS is a high-performance open-source radio control link that aims for maximum range while maintaining minimal latency. According to a recently released advisory, an attacker who observes the traffic from a paired transmitter can then take control of any receiver using nothing more than a standard ExpressLRS-compatible transmitter.

Because of weaknesses in the binding process, an attacker may be able to extract part of the identifier shared by the receiver and transmitter. Analysis of that part, combined with a brute-force attack, can reveal the remainder of the identifier. Once the attacker holds the whole identifier, they can use their own transmitter to control the craft carrying the receiver without ever knowing the binding phrase. The attack can be carried out entirely in software using standard ExpressLRS-compatible hardware.

“ExpressLRS uses a ‘binding phrase’, built into the firmware at compile time to bind a transmitter to a receiver. ExpressLRS states that the binding phrase is not for security, it is anti-collision.” reads a bulletin published by NccGroup. 

“Due to weaknesses related to the binding phase, it is possible to extract part of the identifier shared between the receiver and transmitter. A combination of analysis and brute force can be utilised to determine the remaining portion of the identifier. Once the full identifier is discovered, it is then possible to use an attacker’s transmitter to control the craft containing the receiver with no knowledge of the binding phrase. This is possible entirely in software using standard ExpressLRS compatible hardware.” 

ExpressLRS derives the identifier from the binding phrase using the MD5 hash function, which is known to be cryptographically weak. The researchers found that the "sync packets" exchanged at regular intervals between transmitter and receiver for synchronisation leak a significant portion of the binding phrase's unique identifier (UID). The remaining portion can be determined through brute-force attacks, or by observing packets over the air without brute-forcing the sequences at all.

The advisory read, “Three weaknesses were identified, which allow for the discovery of the four bytes of the required UID to take control of the link. Two of these issues relate to the contents of the sync packet.”

“(i) The sync packet contains the final three bytes of the UID. These bytes are used to verify that the transmitter has the same binding phrase as the receiver, to avoid a collision. Observation of a single sync packet, therefore, gives 75% of the bytes required to take over the link. (ii) The CRC initialiser uses the final two bytes of the UID sent with the sync packet, making it extremely easy to create a CRC check.” 

The third weakness lies in the generation of the frequency-hopping spread spectrum (FHSS) sequence.

“Due to weaknesses in the random number generator, the second 128 values of the final byte of the 4-byte seed produce the same FHSS sequence as the first 128,” the advisory concludes. 

The researchers advise against transmitting the UID over the control link and add that the data used to construct the FHSS sequence should not be sent over the air. They also suggest improving the random number generator, either by adopting a more secure algorithm or by modifying the current one to eliminate repeated sequences.
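To show why the third weakness matters to a firmware maintainer, here is an added seed-collision audit. It is not ExpressLRS code: the hop generator is a hypothetical hash-based model, the channel count and sequence length are constructed values, and the only thing it reproduces from the advisory is a generator that ignores bit 7 of the final byte of the 4-byte UID seed, so that the second 128 values of that byte repeat the sequences of the first 128.

```python
"""Seed-collision audit for a frequency-hopping (FHSS) sequence generator.

Hypothetical model, not ExpressLRS code. A 4-byte seed (the UID derived from
the binding phrase) drives the hop sequence. The weak generator only uses
7 bits of the final seed byte, which halves the number of distinct sequences.
"""
import hashlib

NUM_CHANNELS = 80   # constructed channel count for the model
SEQ_LEN = 256       # constructed number of hops per sequence


def _hop_sequence(seed: bytes) -> tuple:
    # Derive each hop from a hash of (seed, hop index). Distinct seeds give
    # distinct sequences, so any collision found below is caused purely by
    # how the caller handled the seed bytes, not by this mixing step.
    hops = []
    for i in range(SEQ_LEN):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        hops.append(int.from_bytes(digest[:4], "big") % NUM_CHANNELS)
    return tuple(hops)


def fhss_weak(seed: bytes) -> tuple:
    # Modelled flaw: bit 7 of the final byte is discarded before use, so
    # seed and seed ^ 0x80 yield the same hop sequence.
    assert len(seed) == 4
    return _hop_sequence(seed[:3] + bytes([seed[3] & 0x7F]))


def fhss_fixed(seed: bytes) -> tuple:
    # Corrected generator: every bit of the 4-byte seed contributes.
    assert len(seed) == 4
    return _hop_sequence(seed)


def duplicate_seeds(generator, prefix: bytes) -> list:
    """Final-byte values whose hop sequence repeats that of a lower value,
    across all 256 seeds sharing the given 3-byte prefix."""
    seen = {}
    dups = []
    for last in range(256):
        seq = generator(prefix + bytes([last]))
        if seq in seen:
            dups.append(last)
        else:
            seen[seq] = last
    return dups


def effective_seed_space(generator, prefix: bytes) -> int:
    """Number of distinct hop sequences reachable by varying the final byte."""
    return 256 - len(duplicate_seeds(generator, prefix))


if __name__ == "__main__":
    # Modelled UID derivation: MD5 of a constructed binding phrase, truncated.
    uid = hashlib.md5(b"constructed-binding-phrase").digest()[:4]
    print("weak  generator:", effective_seed_space(fhss_weak, uid[:3]))
    print("fixed generator:", effective_seed_space(fhss_fixed, uid[:3]))
```

Run as a regression test, the audit reports 128 distinct sequences for the weak generator and 256 for the fixed one, the difference between a 1-in-256 and a 1-in-128 guess once the other three UID bytes are known.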

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars


A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. 

Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in Bluetooth security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. 

The researcher discovered that when a Tesla is unlocked via NFC with the key card, there is a 130-second window during which an attacker within Bluetooth range of the targeted vehicle can add their own key. The attack exploits Tesla's VCSEC protocol, which manages communication between the car, the phone app, and the key fob.

Findings by the researcher: 

During such an attack, the infotainment system makes no attempt to warn the victim that a new key has been added. The researcher tested the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 hacking competition, contestants won $75,000 for an attack targeting Tesla's infotainment system. Herfurt had intended to show his attack at Pwn2Own, but relay attacks were not permitted.

In fact, he said he had identified the authorisation-timer attack vector in September 2021 but had been holding it back for Pwn2Own. The researcher stated that he did not inform Tesla of his recent findings before publishing them, since he believed the company was already aware of the problem. Following his disclosure, he received confirmation from others who had reported a very similar issue to Tesla months earlier that Tesla knew about the vulnerability.

According to the researcher, Tesla recommends using the PIN2Drive feature, which requires drivers to enter a PIN before driving away, but he released a video last week demonstrating how an attacker could bypass PIN2Drive. Tesla has yet to respond to a request for comment.

Herfurt is working on TeslaKee, a new smartphone application intended to protect Tesla vehicles from these kinds of relay attacks. In May, Herfurt demonstrated another way to steal a Tesla: two Raspberry Pi devices relayed the radio signal between the Phone Key and the car over a considerable distance.