Security Pills - Issue 1

Cryptocurrency crimes, Lazarus Group and private keys on Docker Hub

Release Date: Jun 27 2022 | Issue: 1

The Security Pills newsletter is a hand curated zine (delivered once per week) that highlights security related-news. 10+ hours of reading and analysis condensed into a 5-minute summary every Monday morning.

Sponsor

Would you like to become a sponsor for our newsletter? Our mission is to highlight security-related news with a focus on appsec, mobile and smart contracts while we help people stay up to date with this corner of the industry. If you are interested, reach out to [email protected] with your ad idea to get started!

Greetings all 👋, and welcome to our very first issue. It has been an intense week, but here we are. Hope you enjoy this week's newsletter as much as I did!

Your weekly prescription 💊

  • News: Cryptocurrency crime and money laundering, Chinese state-sponsored attacks on network providers and devices, TikTok user data accessed from China, a Russian spy targeting the International Criminal Court, an INTERPOL operation against fraudsters.

  • Articles: A survey on Ethereum systems security, TLS private keys on Docker Hub, Good faith hacking, Detecting exploits before funds are lost, Are blockchains decentralized?, Finding cybersecurity jobs, The Android kernel mitigations obstacle race, SeaFlower and web3 wallet backdoors.

  • Vulnerabilities & Bug Bounties: Hertzbleed, Personal access token disclosure in Asana, The inverse finance hack, OpenSea Shared Storefront

  • Miscellaneous: How to be successful, Bypassing paywalls

  • Resources: 60 RCE in 60 minutes, Real property OSINT, Bug Bounty Redacted #4, Darknet Diaries #119 Hot Wallets, Trail of Bits Podcast, The Lazarus Heist - Inside North Korea's Global Cyber War  

News

Cryptocurrency crime and anti-money laundering

The cryptocurrency market cap went from approximately $135 billion in January 2019 to just under $2.1 trillion in March 2022. Illicit cryptocurrency activity continues to decline as a percentage of overall activity. Nonetheless, shifts in the characteristics of illicit activity have been noticeable year-over-year. This report highlights the key trends identified for 2021 and year-to-date 2022:

  • Increase in DeFi hacks and fraud

  • DeFi and NFTs as potential money laundering schemes

  • Next generation mixing services

  • Ransomware double-extortion events

  • Continued global evolution and roll-out of regulations

  • Increase in cryptocurrency-related sanctions

Fig. 1 — Top 10 DeFi hacks (including losses from smart contract errors) of 2021 and 2022 (through Q1) account for USD$2.4 billion.

It appears China had access to US TikTok data, according to an independent auditor hired by the company to evaluate the product's security, as well as multiple internal employees.

“I feel like with these tools, there’s some backdoor to access user data in almost all of them”

TikTok has started migrating all US data to Oracle Cloud, but will continue sending the data to its servers in Virginia and Singapore. Eventually, they will start deleting that data from their own servers and migrate all the information to Oracle's cloud.

NSA has published an advisory describing the ways in which People's Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.

The Dutch intelligence and security service (AIVD) prevented a Russian spy from gaining access to the International Criminal Court (ICC) in The Hague. AIVD outed Sergey Vladimirovich Cherkasov, who used a well-constructed cover. This type of officer is better known as an ‘illegal’: an intelligence officer who has received long and extensive training. As they use a different alias identity, illegals are difficult to uncover and often remain undetected, allowing them to carry out intelligence activities.

Sergey was supposed to start an internship with the ICC, which would have given him access to the ICC's building and systems. If Sergey had succeeded in gaining access to the ICC, he would have been able to make a significant contribution to the intelligence that the GRU is seeking.

INTERPOL has conducted a worldwide crackdown operation on social-engineering fraud that resulted in over 2,000 arrests and the interception of USD$50m of illicit funds after raiding 1,770 locations worldwide. Some people had an awful week.

Articles

A survey on Ethereum systems security: Vulnerabilities, Attacks, and Defenses #blockchain

Blockchain technology is believed by many to be a game changer in many application domains. While the first generation of blockchain technology is almost exclusively used for cryptocurrency, the second generation, as represented by Ethereum, is an open and decentralized platform enabling a new paradigm of computing. The rich applications and semantics of DApps (Decentralized Applications) inevitably introduce many security vulnerabilities. Since Ethereum is a new yet complex system, it is necessary to have a systematic and comprehensive understanding of its security from a holistic perspective. This survey aims to fill this void and systematize three aspects of Ethereum systems security: vulnerabilities, attacks, and defenses.

Fig. 2 — A classification of Ethereum vulnerabilities and their state-of-the-art treatments, where a filled box means the vulnerability has been eliminated already, an empty box means the vulnerability is open, and a half-empty half-filled box means the vulnerability can be avoided by best practice.

Look for TLS private keys on Docker Hub #security, #docker

Alfred Berg writes about how one can hunt for secrets across the whole of Docker Hub. During his research he found 1551 certificates for which he obtained a matching private key, and 671 unique AWS access keys with potential secret keys. He also created two images containing canary AWS keys to see whether other people were actively looking for AWS keys.

Hack with 'goodfaith': A tool to automate and scale good faith hacking #tool, #security

When hacking, one of the toughest parts is staying in scope. Ryan Elkins knows this well and has built a new tool intended to help hackers and security researchers avoid generating traffic against out-of-scope targets.

Detecting Exploits Before Funds Are Lost Using Attack Simulation #blockchain

Forta monitors blockchain transactions to identify attacks in real time. A Forta detection bot can use a simulation-based approach to mimic the exploit transaction locally before the exploitation occurs on-chain.

Are blockchains decentralized? #blockchain

Over the past year, Trail of Bits was engaged by the Defense Advanced Research Projects Agency (DARPA) to examine the fundamental properties of blockchains and the cybersecurity risks associated with them. The resulting report is an overview of what's currently known about blockchain technology.

A hacker's guide to finding cybersecurity jobs #infosec, #jobs

Jason Haddix has shared some advice on finding job opportunities, using traditional methods but also Marcus Carey's Twitter hiring threads, quarterly Reddit hiring threads, and more.

The Android kernel mitigations obstacle race #android, #mobile

In this post I exploit CVE-2022-22057, a use-after-free in the Qualcomm GPU kernel driver, to gain root and disable SELinux from the untrusted app sandbox on a Samsung Z Flip 3. I'll look at the various mitigations implemented on modern Android devices and how they affect the exploit.

How SeaFlower installs backdoors in iOS/Android web3 wallets to steal your seed phrase #mobile, #blockchain

SeaFlower has become the most technically sophisticated threat targeting web3 users, right after the infamous Lazarus Group. Their main current objective is to modify web3 wallets (Coinbase, MetaMask, TokenPocket and imToken) with backdoor code that ultimately exfiltrates the seed phrase. This article explains in detail the techniques used to alter the original applications.

Vulnerabilities and Bug Bounties

Hertzbleed

A new family of side-channel attacks which may allow attackers to extract cryptographic keys from remote servers.

Personal Access Token Disclosure in Asana Desktop Application

Sensitive credentials were found bundled in Asana Desktop for macOS. The token recovered granted the researcher access to internal Asana workspaces used by employees.

Explained: The Inverse Finance hack (June 2022)

In June 2022, Inverse Finance suffered its second hack of the year. This was another example of a price oracle manipulation exploit, which resulted in losses of $5.8 million in tokens.

Miscellaneous

How To Be Successful

This is a really old blog post (2019) from Sam Altman that I recently discovered. It is a list of 13 thoughts on how to be successful, with a really interesting perspective.

Paywalls are annoying and useless, and proof of that is 12ft.io. If you prepend '12ft.io/' to a URL, it is very likely that you will end up bypassing the paywall.

 šŸ™ Support us

Enjoy reading the Security Pills newsletter? Consider sponsoring our next edition or buying me a coffee. You can also share us with your friends and follow us on Twitter.

Resources

🎥 Videos

  1. 60 Remote Code Execution in 60 minutes | Slides — @TheLaluka presents in this talk 60 different ways he achieved unauthenticated RCE. The talk is in French, but the slides are in English and contain detailed steps explaining the attack vectors.

  2. Open House: Real Property OSINT and Researching Public Records — Alethe Denis gives an interesting webinar explaining what is considered public record with regards to real property in the United States and how to conduct research to learn about real property, owners, and encumbrances on real property.

  3. Bug Bounty Redacted #4: Writing to S3 buckets & Insecure JWT implementation — Assetnote has published a series called Bug Bounty Redacted where they go through reports they have submitted to bug bounty programs over the last five years. In this episode, Shubs covers his methodology when testing S3 buckets and goes through a vulnerability where he was able to write files into an S3 bucket and take over two organizations' subdomains by overriding JavaScript files. The second half of the video explains an insecure JWT implementation issue where Shubs was able to create arbitrary JWTs and obtain additional free coupons.

āŒØļø Repositories

  1. Crypto-OpSec-SelfGuard-RoadMap — DeFi, blockchain and crypto-related OpSec research and data terminals.

  2. DeFiHackLabs — Collection of past DeFi exploits reproduced using Foundry.

  3. semgrep-rules — Rules for identifying vulnerabilities in Java and Kubernetes.

  4. semgrep-smart-contracts — Rules that look for patterns of vulnerabilities in smart contracts based on actual DeFi exploits.

šŸŽ™ļø Podcasts

  1. Darknet Diaries: EP 119 Hot Wallets — In this episode we hear from journalist Geoff White, who talks about some of the recent cryptocurrency heists that have been happening. Geoff has been tracking the Lazarus Group for some time and shares what he's found.

  2. Trail of Bits Podcast — Trail of Bits has launched a podcast and the first five-episode season is now available!

    1. Zero Knowledge Proofs and ZKDocs — Developers implemented certain complicated encryption schemes for banks and exchanges to protect billions of dollars. But the procedures the developers followed had a fatal flaw.

    2. Immutable — Are blockchains really decentralized? It turns out that one of the things everybody believes and likes about cryptocurrency is actually wrong.

    3. Internships and Winternships — Meet the interns at Trail of Bits and the new tools they are creating.

    4. It-Depends — Modern software is assembled using open-source code and libraries developed by a community. Those building blocks themselves depend on other pieces of open-source software, which are built atop yet others, and so on. So when you ask whether your software is safe, the answer is, "It Depends".

    5. Future — Companies that make high-assurance software (programs whose failure means catastrophic consequences like the disappearance of a billion dollars or the explosion of a rocket ship on the launch pad) are adopting technologies that are a couple of years ahead of the mainstream.

📖 Books

The Lazarus Heist: From Hollywood to High Finance - Inside North Korea's Global Cyber War — Meet the Lazarus Group, a shadowy cabal of hackers accused of working on behalf of the North Korean state. They are considered one of the most effective criminal enterprises on the planet, having stolen more than USD$1 billion in an international crime spree. Their targets include central banks, cryptocurrency companies, film studios, and even the British National Health Service.

Journalist Geoff White examines how the North Korean regime has harnessed cutting-edge technology to launch a decade-long campaign of brazen and merciless raids on its richer, more powerful adversaries.

📧 Wrapping up

If you enjoyed this newsletter and think others would too, it would mean a lot to us if you forwarded this email to other people who may enjoy it as well. You can also follow me on Twitter and let me know your feedback or comments, or simply reply to this email; I'd love to get in touch with you.

Thanks,
Sebas (@0xroot) | @secpillsnews
