CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 75: November 20, 2023

RSA keys extracted from signing errors

  • Paper published
    • Keegan Ryan, Kaiwen He, Nadia Heninger, and George Arnold Sullivan
    • academic researchers from universities in California and Massachusetts
    • under certain conditions, secret RSA keys can be retrieved
      • from naturally occurring errors that lead to failed SSH (secure shell) connection attempts
    • Definitions
      • SSH is a cryptographic network protocol for secure communication, widely employed in remote system access, file transfers, and system administration tasks.
      • RSA is a public-key cryptosystem used in SSH for user authentication. It uses a private, secret key to decrypt communication that is encrypted with a public, shareable key.
      • Chinese Remainder Theorem (CRT) is used with the RSA algorithm to lower the bit size for the public key and speed up the decryption time.
    • Attack
      • a signer using CRT-RSA
        • suffers a fault during signature computation
        • an observer of the faulty signature may be able to compute the signer’s private key
      • errors like this are rare
      • but unavoidable, because they stem from hardware flaws
      • Does not impact
        • RSA-1024 used with SHA-512
          • because of the number of unknown bits in the hash
      • Similar
        • a known problem that affects older TLS versions
          • addressed in TLS 1.3
          • by encrypting the handshake that establishes the connection
          • preventing passive eavesdroppers from reading the signatures
        • SSH was previously assumed to be safe
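The failure mode and its standard countermeasure, as an added example (not code from the paper or the episode): a toy CRT-RSA signer with a simulated fault in the mod-p half, a verify-before-release guard that refuses to emit the faulty signature, and a check showing why an unguarded faulty signature is dangerous. The key sizes, the absence of padding, and the message value are constructed simplifications.

```python
from math import gcd

# Constructed toy key: ~20-bit primes instead of 1024-bit ones, and no
# padding, so the CRT arithmetic stays readable. Not for real use.
P, Q, E = 1000003, 1000033, 65537

def make_key(p=P, q=Q, e=E):
    """Builds the private key with the CRT components (dp, dq, qinv)
    that an RSA implementation precomputes to speed up signing."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def crt_sign(key, m, fault_in_p=False):
    """Textbook CRT-RSA: s = m^d mod n assembled from one exponentiation
    mod p and one mod q. fault_in_p simulates a hardware error that
    corrupts the mod-p half, the failure mode discussed above."""
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    if fault_in_p:
        sp ^= 1  # one flipped bit in the mod-p result
    h = (key["qinv"] * (sp - sq)) % key["p"]
    return sq + key["q"] * h

def verify(key, m, s):
    """Public-key check: s^e mod n must recover m."""
    return pow(s, key["e"], key["n"]) == m

def safe_sign(key, m, fault_in_p=False):
    """Countermeasure: verify the CRT result under the public key before
    releasing it, and return None instead of emitting a faulty signature."""
    s = crt_sign(key, m, fault_in_p)
    return s if verify(key, m, s) else None

def faulty_signature_exposes_factor(key, m, s):
    """Why the countermeasure matters: a signature that is wrong mod p but
    right mod q makes gcd(s^e - m, n) a nontrivial factor of n, which is
    the structure the paper exploits in failed SSH handshakes."""
    g = gcd(pow(s, key["e"], key["n"]) - m, key["n"])
    return 1 < g < key["n"]

if __name__ == "__main__":
    key, m = make_key(), 123456789
    bad = crt_sign(key, m, fault_in_p=True)
    print("faulty signature verifies:", verify(key, m, bad))
    print("safe_sign withholds faulty signature:", safe_sign(key, m, True) is None)
    print("released faulty signature leaks a factor:",
          faulty_signature_exposes_factor(key, m, bad))
```

The guard is cheap (one public-key exponentiation) and is the reason a fault in the signer only becomes a key-recovery problem when the faulty value actually leaves the host.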

Shadowy Hack-for-Hire Group Behind Sprawling Web of Global Cyberattacks

  • Reuters Journalist
    • Went through non-public records
    • collected detailed information on Appin operations and clients
      • multiple sources
        • logs connected to an Appin site called “MyCommando”.
          • clients used the site to order services
        • menu of options
          • breaking into
            • emails, phones, computers of targeted entities.
          • Appin
            • “No longer Exists”
            • New Delhi-based group
            • starting around 2009
            • Targets
              • businesses and business executives, politicians, high-value individuals, and government and military officials worldwide
            • Clients
              • private investigators, detectives, government organizations, corporate clients, and often entities engaged in major litigation battles from the US, UK, Israel, India, Switzerland, and several other countries.
            • Attacks
              • leakage of private emails
                • derailed a lucrative casino deal for a small Native American tribe in New York
              • network intrusion
                • Zurich-based consultant attempting to bring the 2012 soccer world cup to Australia
              • using a third-party outside contractor to acquire and manage the infrastructure
            • Nowadays
              • It no longer exists as Appin
                • As many groups do
                  • Rebranding
                  • employee transitions
                  • dissemination of skills
                • Several other groups
                  • hack-for-hire enterprises
                • Hack for Hire
                  • India, Russia, and the United Arab Emirates

Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools

  • Huntr bug bounty platform
    • August 2023
    • AI (Artificial Intelligence) and ML (Machine Learning)
  • Vulnerabilities
    • takeover and sensitive information theft.
    • Impact the entire AI/ML supply chain
  • Tools
    • Popular
      • H2O-3, MLflow, and Ray
    • H2O-3
      • low-code machine learning platform
      • creation and deployment of ML models via a web interface.
      • Default configuration
        • exposed to the network
        • no authentication
        • allows attackers to supply malicious Java objects
      • CVE-2023-6016 (CVSS score of 10)
        • Remote Code Execution (RCE)
        • completely take over the server and steal models, credentials, and other data.
      • local file include flaw (CVE-2023-6038)
      • cross-site scripting (XSS) bug (CVE-2023-6013),
      • high-severity S3 bucket takeover vulnerability (CVE-2023-6017).
    • MLflow
      • open-source platform for the management of the end-to-end ML lifecycle
      • (CVE-2023-6018 and CVE-2023-6015, CVSS score of 10)
        • unauthenticated attacker to overwrite arbitrary files on the operating system
        • arbitrary file inclusion (CVE-2023-1177) and authentication bypass (CVE-2023-6014) vulnerabilities.
    • The Ray project
      • open-source framework for the distributed training of ML models
      • lacks default authentication
      • code injection flaw in Ray’s cpu_profile format parameter (CVE-2023-6019, CVSS score of 10)
        • system compromise
      • flaws that let an attacker read any file on the Ray system, tracked as CVE-2023-6020 and CVE-2023-6021

Cyber-Criminals Exploit Gaza Crisis With Fake Charity

  • fake charity attack
    • exploiting the ongoing events in Gaza and Israel
    • targeted 212 individuals
      • across 88 organizations
    • uses sympathy for children in Palestine to solicit fraudulent donations
    • Set up website
      • “help-palestine[.]com”
        • Links to news articles
          • Attempt to “legitimize”
        • Crypto
          • cryptocurrency donations
          • ranging from $100 to $5000
          • wallet addresses
            • Bitcoin
            • Litecoin
            • Ethereum
          • Social Engineering
            • exploits the heightened emotional response
              • emotionally charged language
              • challenges faced by children in Palestine
              • using inclusive terms to establish a shared identity with the recipients.
                • “we”, not “you”
              • Tactics
                • multiple tactics
                • spoofing a legitimate email address
                  • Goodwill Wealth Management
                  • India-based stock brokerage
                  • a non-existent domain