STEALIEN Presents
STEALIENEWS
Week -2
Back-to-Back PlayStation 5
Hacks Hit on the Same Day
BY: STEALIEN INDONESIA
A pair of PlayStation 5 breaches shows the
consoles don’t have protection from attackers
taking over its most basic functions.
Both exploits were posted on Twitter on Nov. 7
without disclosure to Sony or specifics, but they
nonetheless signal potential security problems to
come for the gaming giant.
FailOverFlow, which has already earned a
reputation as a prolific PlayStation jailbreaker
group, posted a Nov. 7 tweet which appeared to
contain the PS5 firmware symmetric root keys:
November 15th 2021
In a subsequent tweet, the group claimed that it
“…got all (symmetric) ps5 root keys.”
FlailOverflow wrote,
“They can all be obtained from
software — including per-console
root key, if you look hard enough!”
The message is practically a dare for other
would-be hackers to try to access decrypted
firmware files for themselves.
PS5 Kernel Exploit
The second hack was also posted on Twitter on
Nov. 7 by Google security engineer Andy
Nguyen, who is also known widely in hacker
circles as TheFlow. He was apparently able to
access the PlayStation 5 “Debug Settings”
menu, indicating he has a PS5 kernel exploit.
Wolo, which first reported on both breaches,
pointed out this menu is typically only
on testkit devices and allows quality assurance
and development teams to install package files
on the Sony PlayStation 5.
“But it can be enabled on retail consoles by
patching some flags, located at specific
addresses in the firmware at Runtime,”
according to Wololo’s the Guardian.
Is Securing the PS5 Even Possible?
Both breaches put threat actors well on their
way to installing pirated games, running
emulators and more, according to public-
interest technologist Bruce Schneier.
Page 1
Issue #0211
Cyberattackers stole PS5 root keys and exploited
the kernel, revealing rampant insecurity in gaming
devices.
“Hackers may have just made
some big strides towards
possibly jailbreaking the
PlayStation 5 over the
weekend,”
Schneier wrote about the breaches.
“Decrypted firmware which is
possible through
FailOverFlow’s keys, would
potentially allow for hackers to
further reverse-engineer the PS5
software and potentially develop
the sorts of hacks that allowed
for things like installing Linux,
emulators or even pirated games
on past Sony consoles.”
Schneier added that he doesn’t think
a hack-proof computer system will ever
be a reality.
“Especially when the system is
physically in the hands of the
hackers,” Schneier said. “The
Sony Playstation 5 is the latest
example.”
 Monday November 15, 2021
Critical Citrix DDoS Bug Shuts
Down Network, Cloud App
Access
The distributed computing vendor patched the flaw,
affecting Citrix ADC and Gateway, along with
another flaw impacting availability for SD-WAN
appliances.
BY: STEALIEN INDONESIA
A critical security bug in the Citrix
Application Delivery Controller (ADC) and
Citrix Gateway could allow cyberattackers
to crash entire corporate networks without
needing to authenticate.
The two affected Citrix products (formerly
the NetScaler ADC and Gateway) are used
for application-aware traffic management
and secure remote access, respectively. The
federated working specialist pushed out a
security patch on Tuesday for the
vulnerability, tracked as CVE-2021-22955,
which allows unauthenticated denial of
service (DoS), due to uncontrolled resource
consumption, according to the advisory.
Citrix also addressed a lower-severity bug
that is likewise due to uncontrolled resource
consumption. It impacts both previous
products, as well as the Citrix SD-WAN
WANOP Edition appliance. The latter
provides optimization for Citrix SD-WAN
deployments, which enable secure
connectivity and seamless access to virtual,
cloud and software-as-a-service (SaaS) apps
across enterprise and branch locations.
IT SECURITY TIPS
Social engineering refers to a broad
spectrum of malicious activities using
psychological manipulation to trick users
into giving away sensitive information.
Perpetrators are particularly patient, waiting
in the weeds, collecting data and
background information on their intended
victims.
Then they gain the victim’s trust and
provide seemingly harmless reasons for
their victims to give up sensitive
information.
Page 2
STEALIENEWS
Tracked as CVE-2021-22956, the second
flaw allows temporary disruption of: a
device’s management GUI; the Nitro API for
configuring and monitoring NetScaler
appliances programmatically; and remote
procedure call (RPC) communication, which
is what essentially enables distributed
computing in Citrix settings.
In terms of the impact of exploitation, all
three products are widely deployed globally,
with Gateway and ADC alone installed in at
least 80,000 companies in 158 countries as of
early 2020, according to an assessment from
Positive Technologies at the time.
Disruption to any of the appliances could
prevent remote and branch access to
corporate resources and general blocking of
cloud and virtual assets and apps.
All of this makes them an attractive target for
cybercriminals, and indeed, the Citrix ADC
and Gateway in particular are no spring
chickens when it comes to the critical
vulnerability scene.
In the summer of 2020, multiple
vulnerabilities were discovered that would
allow code injection, information disclosure
and denial of service, with many exploitable
by an unauthenticated, remote attacker. And,
in December of 2019, a critical RCE bug was
disclosed as a zero-day that took the vendor
weeks to patch.
What makes social engineering so dangerous is
that it preys on human error, much more of a
wild card—and much harder to track—than
taking advantage of vulnerabilities in software
and operating systems.
Social Engineering bad guys try to get at users
through human psychology and preying on
curiosity. It’s important to go into all cyber-
situations with your eyes wide open because
only the users and employees can counter these
attacks.
Here are several tips employees can keep in
mind to protect themselves (and your
business):
Issue #0211
Few Technical Details, Many Affected
Products
While Citrix didn’t release technical details on
the latest bugs, VulnDB noted on
Wednesday that for CVE-2021-22955, “the
exploitability is told to be difficult. The attack
can only be initiated within the local network.
The exploitation doesn’t require any form of
authentication.” It assigned a severity score of
5.1 out of 10 to the bug, despite Citrix’ internal
rating of “critical.”
The site also reported that exploits are
calculated to be worth up to $5,000, and noted
that “manipulation with an unknown input
leads to a denial of service vulnerability…This
is going to have an impact on availability.”
The vendor said the vulnerabilities affect the
following supported versions:
Citrix ADC and Citrix Gateway (CVE-2021-
22955 and CVE-2021-22956):
• Citrix ADC and Citrix Gateway 13.0
before 13.0-83.27
• Citrix ADC and Citrix Gateway 12.1
before 12.1-63.22
• Citrix ADC and NetScaler Gateway
11.1 before 11.1-65.23
• Citrix ADC 12.1-FIPS before 12.1-
55.257
Citrix SD-WAN WANOP Edition (CVE-
2021-22956):
• Models 4000-WO, 4100-WO, 5000-
WO and 5100-WO
• Version 11.4 before 11.4.2
• Version 10.2 before 10.2.9c
• The WANOP feature of SD-WAN
Premium Edition is not impacted.
In the case of the first Citrix ADC and
Gateway bug, appliances must be configured
as a VPN or AAA virtual server in order to be
vulnerable.
In the case of the second bug, appliances must
have access to NSIP or SNIP with
management interface access.
Customers using Citrix-managed cloud
services are unaffected.
• Do not open any emails from untrusted
sources. Sound advice under any
circumstances.
• If an offer seems too good to be true, assume
it is.
• Lock your laptop whenever you are away
from your workstation.
• Make sure your antivirus/malware software
is up to date.
• Be vigilant about cyber security.
 Monday November 15, 2021
Indonesia religious council says
crypto trading forbidden for
Muslims
BY STEALIEN INDONESIA
The Indonesian Ulema Council, a top body of
Islamic scholars, said Thursday
cryptocurrency as a means of payment and a
commodity to trade is unlawful for Muslims in
that country that has the world’s largest
Muslim population, according to multiple
reports, a ruling that could affect Muslims’
financial decisions in that country though the
council does not have legal powers.
According to Fortune, the council advises
Indonesia's government, including its finance
ministry, on finance and banking matters for
Muslims—around 87% of Indonesians follow
Islam.
The council’s head of religious decrees,
Asrorun Niam Sholeh, said crypto has
elements of uncertainty and harm, which
forbids it as a payment option under Sharia
law, Reuters reports.
Asrorun added the use of digital tokens as a
commodity to trade is also forbidden, citing
their lack of a clear value and physical
structure.
Crypto is traded and invested in Indonesia’s
commodities and futures market.
Asrorun left room for change, saying the
council could approve cryptocurrency if
modifications are made to comply with Sharia
law, according to Bloomberg.
Total crypto transactions in Indonesia totaled
370 trillion rupiah, or $25.96 billion, between
January and May this year, according to
Indonesia’s trade ministry.
STEALIENEWS
BIG NUMBER
232.3 million. That’s the approximate number
of Muslims in Indonesia, where nearly nine in
ten of its population is Muslim, according to
the U.S. Department of State. Indonesia has the
world’s fourth-largest population and the 10th
largest economy by purchasing power parity,
according to the World Bank.
CONTRA
Other predominantly Muslim countries
support cryptocurrency. In September, the
United Arab Emirates’ financial regulators
agreed to offer the trading of digital tokens in
Dubai’s free zone. In 2019, Bahrain became
the first Arab country to issue rules on crypto
and has since backed crypto.
KEY BACKGROUND
Though the council’s decree has no legal
authority, it could affect Muslims’ decisions
on spending and investing their money. The
council’s presence in Indonesia’s financial
sector has increased after the passage of a law
on Sharia Banking. Under that law, Indonesian
financial institutions are mandated to have a
division that abides by Islamic law, according
to the East Asia Forum.
While the decision from MUI doesn’t mean all
cryptocurrency trading will be stopped in
Indonesia, the decree could deter Muslims
from investing in the assets and make local
institutions reconsider issuing crypto assets.
Bank Indonesia has been mulling a central
bank digital currency, with no decision
announced as yet.
Page 3
Issue #0211
Visualization of world’s largest capital market of
cryptocurrency, Bitcoin
Crypto transactions amounted to 370 trillion
rupiah ($26 billion) in the first five months of
the year in Indonesia, still a fraction of the
global market at around $3 trillion.
The stance of Indonesia’s religious leaders
may diverge from their counterparts in other
Muslim-majority countries. The United Arab
Emirates have allowed crypto trading in
Dubai’s free zone, while Bahrain have backed
crypto assets since 2019.
The Ulema Council advises the country’s
finance ministry and central bank on Islamic
finance issues. It comprises many Indonesian
Muslim groups including Nahdlatul Ulama
(NU), Muhammadiyah, and smaller groups
such as Syarikat Islam, Perti, Al Washliyah,
Mathla’ul Anwar, GUPPI, PTDI, DMI, and Al
Ittihadiyyah.
The MUI decree is not legally binding and does
not mean cryptocurrency is banned in
Indonesia. However, it could deter Muslims
from investing and local institutions from
issuing or providing services in crypto assets.
In October, a provincial branch of one of the
largest Islamic organizations in Indonesia,
Nahdlatul Ulama, similarly declared
cryptocurrency haram under religious law.
However, the Indonesian government has
indicated that the country will not impose an
outright ban on cryptocurrency as China did.
Crypto assets are allowed to trade alongside
commodity futures in Indonesia but cannot be
used as a currency. Meanwhile, the
government is pushing to set up a crypto
exchange by the end of the year and Bank
Indonesia has been exploring a central bank
digital currency (CBDC).