Happy week 12!
This week in cybersecurity: record-breaking Pwn2Own exploits, a critical Apple M-series chip vulnerability, and 19 million plaintext passwords exposed by misconfigured Firebase instances.
I also started a debate about cybersecurity certifications on LinkedIn.
Now, let's dive in!
🌐 This Week in Cybersecurity
Pwn2Own Vancouver 2024: Hackers Earn $1.13M for 29 Zero-Days
- Record Payout: Participants earned a total of $1,132,500 for demonstrating 29 unique zero-day exploits across multiple products like browsers, operating systems, and virtualization software.
- Tesla Hacked: On day one, Team Synacktiv successfully compromised a Tesla car, showcasing the event's expansion into the automotive hacking category.
- Master of Pwn: Researcher Manfred Paul (@_manfp) won the top title of Master of Pwn, netting $202,500 and 25 points for his Firefox sandbox escape combining an out-of-bounds write for RCE and a dangerous function exposure bug.
- Browser Exploits: Multiple zero-days were demonstrated in Apple Safari, Google Chrome, and Microsoft Edge. Notably, Seunghyun Lee (@0x10n) used a use-after-free flaw to achieve RCE in both Edge and Chrome renderers.
- Virtualization Escapes: The competition saw the first-ever Docker Desktop escape via two chained vulnerabilities by Team STAR Labs SG. VMware Workstation and Oracle VirtualBox were also compromised.
Apple M-Series Chips Vulnerability Allows Extraction of Secret Cryptographic Keys
- Hardware Flaw: A side-channel vulnerability in Apple's M-series chips allows attackers to extract secret keys when widely used cryptographic operations are performed. The flaw stems from the microarchitectural design of the silicon itself and cannot be directly patched.
- Exploiting Data Memory-Dependent Prefetcher (DMP): The vulnerability resides in the chips' DMP hardware optimization. Unlike typical prefetchers, the DMP in M-series chips sometimes confuses memory content (like key material) with pointer values used to load other data. This leads to the DMP reading the data and attempting to treat it as an address, violating constant-time programming principles and leaking information through a side channel.
- Mitigation and Performance Impact: Mitigating the vulnerability requires building defenses into third-party cryptographic software, which could significantly degrade the performance of M-series chips when executing cryptographic operations. Effective mitigations like ciphertext blinding can be costly, potentially doubling the computing resources needed in some cases. Running cryptographic processes on efficiency cores without DMP is another option but may also increase operation time.
Phishing Campaign Deploys NetSupport RAT Using Novel OLE Template Injection Technique
- New Phishing Campaign: A phishing operation dubbed "PhantomBlu" is targeting U.S. organizations to deploy the NetSupport RAT malware. The campaign uses salary-themed phishing emails sent via the Brevo email marketing platform.
- Novel Malware Delivery: Instead of typical NetSupport RAT delivery mechanisms, PhantomBlu exploits Microsoft Office OLE template manipulation to execute malicious code while evading detection. A malicious Word doc leads to a ZIP file containing a PowerShell dropper that retrieves the RAT payload.
- Abuse of Cloud Platforms: Threat actors are increasingly leveraging public cloud services like Dropbox, GitHub, IBM Cloud, Oracle Cloud Storage, and IPFS platforms to generate fully undetectable (FUD) phishing URLs. Underground vendors offer these FUD links as a subscription service, further enabled by link distribution tools.
19 Million Plaintext Passwords Exposed by Misconfigured Firebase Instances
- Researchers Discover Exposed Data: Three cybersecurity researchers found nearly 19 million plaintext passwords and over 125 million sensitive user records exposed publicly due to misconfigured Firebase instances. Firebase is a Google platform for hosting databases, cloud computing, and app development.
- Improper Security Configuration: The researchers scanned over 5 million domains and identified 916 websites with either no security rules enabled or incorrect configurations on their Firebase instances. This allowed read access to the databases, exposing emails, names, passwords, phone numbers, and billing information with bank details.
- Majority of Passwords in Plaintext: Out of the 20+ million exposed passwords, 98% (19.8 million) were stored in plaintext. This indicates that companies deliberately chose this insecure storage, despite Firebase offering a secure authentication solution that avoids exposing passwords at all.
- Scale of Exposed Records: In total, the researchers discovered 223,172,248 exposed records in misconfigured Firebase databases, with 124,605,664 relating directly to users. They warn that these figures are conservative estimates and the actual exposure could be higher.
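As an added illustration (not taken from the researchers' report), this is what the misconfiguration looks like in Cloud Firestore security rules, assuming a hypothetical users collection: the wide-open "test mode" rule that makes every document readable by anyone who knows the project ID is shown commented out, beside a rule that limits each document to its own authenticated owner.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // INSECURE: the kind of rule the exposed instances ran. Anyone on the
    // internet can read (and here even write) every document in the project.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: a signed-in user may read and write only the document whose
    // ID equals their own Firebase Auth UID. (Collection name is assumed.)
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Any path not matched above is denied by default, so new collections
    // start closed rather than open.
  }
}
```

Rules control access, not storage format: even with the hardened rule, passwords should never be stored in application documents at all, since Firebase Authentication already handles them.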
Windows Server March 2024 Updates Causing Domain Controller Crashes Due to LSASS Memory Leak
- Affected Versions: The KB5035855 update for Windows Server 2016 and KB5035857 update for Windows Server 2022 are causing domain controllers to crash and reboot unexpectedly.
- Root Cause: The updates introduce a memory leak in the Local Security Authority Subsystem Service (LSASS) process, which handles security policies, user logins, and access token creation. The LSASS memory usage constantly increases until it consumes all available memory, causing the server to freeze and restart.
- Temporary Workaround: Microsoft Support recommends uninstalling the problematic updates (KB5035855 or KB5035857) using the elevated command prompt and hiding them using the 'Show or Hide Updates' troubleshooter to prevent them from reappearing in the available updates list. An official fix from Microsoft is expected soon.
🛠️ Security Tools
- Arkime - Powerful tool for indexing and searching network packet captures.
- Osquery - Tool for querying endpoint data for security, compliance, and operational purposes.
- C3 - Custom Command and Control (C3) tool enabling Red Teams to rapidly develop and use unique command and control channels.
🚀 Startup Watch
- CyberSaint, a cyber risk management startup, has raised $21 million in Series A funding to accelerate the development of its CyberStrong platform and expand its market presence. I'm excited to see CyberSaint's continued growth and the potential impact of their automated risk assessment and management solutions.
- Blumira, an Ann Arbor-based cybersecurity company, has raised $10.3 million in a Series A financing round to expand its cloud-based SIEM (Security Information and Event Management) solution, which aims to provide enterprise-level security to medium-sized businesses at a more affordable price point.
- BotGuard, a Tallinn-based cybersecurity company, has raised €12 million in Series A funding to enhance its technology, expand its team, and scale globally in its mission to protect businesses from malicious web threats, bots and crawlers.
📚 Recommended Reads
- The North American Finals of Apex Legends were disrupted by a hacker who compromised the game's integrity by giving pro players aimbots and wallhacks, leading to the event's postponement. While the extent of the breach is unclear, there are concerns that this hack could potentially affect the wider player base, and Respawn and EA need to address this unprecedented situation swiftly to ensure the game's security and restore player confidence.
- How to Emulate a Ransomware Attack provides a detailed walkthrough of how to emulate a ransomware attack using SpecterInsight's ransomware emulation capability. Incredibly valuable resource for cybersecurity professionals looking to gain hands-on experience defending against realistic ransomware threats in a safe, controlled manner.
- Fixing security vulnerabilities with AI - GitHub has introduced a new feature called code scanning autofix that uses AI to automatically suggest fixes for security vulnerabilities detected by CodeQL in JavaScript and TypeScript code. The behind-the-scenes look at their prompt engineering, testing framework, and infrastructure provides valuable insights into the challenges and best practices for "productionizing" large language models in cybersecurity.
⭐️ 3 Ways I Can Help You
- Work with me. I love helping people! Let's discuss your challenges or career, or ask me anything about cybersecurity, in 25 minutes.
- Get access to Cyber Strategy OS. My curated collection of valuable resources for every cybersecurity professional.
- Looking for something different? Reach out.
If this sparked your interest, I'd love to hear from you in the comments. Stay tuned for more and consider following me on LinkedIn and X.
Nikoloz