
CyberNews: Top Vulnerabilities this week

This week’s vulnerabilities:

CVE-2020-16898 — There’s an RCE in the Windows TCP/IP stack related to the handling of ICMPv6 Router Advertisements.

CVE-2020-16898 Highlights

  • Do not disable IPv6 entirely unless you want to break Windows in interesting ways.
  • This can only be exploited from the local subnet.
  • But it can lead to remote code execution or a BSOD.
  • A PoC exploit is easy, but actual RCE is hard.
  • Patch.
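One check a host-side filter or an IDS signature can apply to the Router Advertisements this bug concerns, as an added example that is not code from the digest or from Microsoft: it walks the RA option list and flags what RFC 4861 and RFC 8106 forbid, including an RDNSS option whose length field is even, which the public write-ups of CVE-2020-16898 identify as the malformed condition. The packets in the block are constructed samples, not captured traffic; the ICMPv6 checksum is left zero because option parsing does not depend on it.

```python
"""Conformance check for ICMPv6 Router Advertisement options (RFC 4861 / RFC 8106).

Added example, not code from the original digest. It parses the option TLVs of
an RA and reports the malformed conditions a host-side filter or IDS rule would
reject, including the even-length RDNSS option described for CVE-2020-16898.
"""
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_HEADER_LEN = 16   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
OPT_RDNSS = 25       # Recursive DNS Server option (RFC 8106)


@dataclass(frozen=True)
class Finding:
    offset: int      # byte offset of the offending option within the ICMPv6 message
    reason: str


def check_router_advertisement(icmpv6: bytes) -> list[Finding]:
    """Return the problems found in an RA's option list; an empty list means it parsed cleanly.

    Rules applied:
      * every option must have a non-zero length field (RFC 4861 section 4.6);
      * no option may run past the end of the message;
      * an RDNSS option's length (in 8-octet units) must be odd and at least 3:
        one unit of header plus two units per IPv6 address (RFC 8106 section 5.1).
    """
    if len(icmpv6) < RA_HEADER_LEN or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return [Finding(0, "not a Router Advertisement or header truncated")]
    findings: list[Finding] = []
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            findings.append(Finding(off, "truncated option header"))
            break
        opt_type, opt_units = icmpv6[off], icmpv6[off + 1]
        if opt_units == 0:
            findings.append(Finding(off, "option with length 0; RFC 4861 requires the RA be discarded"))
            break
        opt_len = opt_units * 8
        if off + opt_len > len(icmpv6):
            overrun = off + opt_len - len(icmpv6)
            findings.append(Finding(off, f"option type {opt_type} runs {overrun} bytes past end of message"))
            break
        if opt_type == OPT_RDNSS and (opt_units < 3 or opt_units % 2 == 0):
            findings.append(Finding(off, f"RDNSS option length {opt_units} is not odd and >= 3"))
        off += opt_len
    return findings


def rdnss_servers(icmpv6: bytes) -> list[str]:
    """Extract the resolver addresses from an RA that passed the check; raise ValueError otherwise."""
    problems = check_router_advertisement(icmpv6)
    if problems:
        raise ValueError(problems[0].reason)
    servers: list[str] = []
    off = RA_HEADER_LEN
    while off < len(icmpv6):
        opt_type, opt_units = icmpv6[off], icmpv6[off + 1]
        if opt_type == OPT_RDNSS:
            addrs = icmpv6[off + 8: off + opt_units * 8]   # skip type, length, reserved, lifetime
            servers += [str(ipaddress.IPv6Address(addrs[i:i + 16])) for i in range(0, len(addrs), 16)]
        off += opt_units * 8
    return servers


# --- constructed samples (not captured traffic) --------------------------------

def build_ra(options: bytes) -> bytes:
    # RA header: type 134, code 0, checksum 0 (it covers the IPv6 pseudo-header and is not
    # needed for option parsing), hop limit 64, flags 0, router lifetime 1800 s, 0, 0.
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options


def rdnss_option(addresses: list[str], lifetime: int = 3600) -> bytes:
    body = struct.pack("!HI", 0, lifetime) + b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return bytes([OPT_RDNSS, (2 + len(body)) // 8]) + body   # length units = 1 + 2*N, always odd


# A conformant RA carrying two resolvers, and one whose RDNSS option claims an even length.
GOOD_RA = build_ra(rdnss_option(["2001:db8::53", "2001:db8::54"]))
EVEN_LENGTH_RA = build_ra(bytes([OPT_RDNSS, 4]) + bytes(30))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("even_length_rdnss", EVEN_LENGTH_RA)):
        print(name, check_router_advertisement(pkt) or "ok")
```

The check stops at the first structural error (zero length or overrun) because nothing after it can be trusted, but keeps scanning after an RDNSS length violation so that every bad option in one message is reported.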

800,000 SonicWall VPNs are vulnerable to an RCE

Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability that was disclosed on Wednesday.

Discord Desktop app RCE

A few months ago, I discovered a remote code execution issue in the Discord desktop application and I reported it via their Bug Bounty Program.

The RCE I found was an interesting one because it is achieved by combining multiple bugs. In this article, I’d like to share the details.

Multiple vulnerabilities have been discovered in Magento CMS, the most severe of which could allow for arbitrary code execution.

Weekly updates: Top of The News

Coronavirus: More Companies Backing Out of RSA Conferences

AT&T Cybersecurity and Verizon have decided not to attend the RSA Conference in San Francisco this week, citing concerns about the coronavirus. IBM announced its decision not to attend RSA on February 15. The conference is taking place this week as scheduled. Sony and Facebook’s Oculus have pulled out of the Game Developer Conference scheduled for March 16-20 in San Francisco. Coronavirus worries have already caused the cancellation of the Mobile World Congress that was to have taken place in Barcelona February 24-27. Black Hat Asia 2020 has been postponed to fall 2020, and Cisco has cancelled its Cisco Live! conference that was scheduled to be held in Melbourne, Australia early next month.

Read more in:
– www.scmagazine.com: AT&T, Verizon join RSA exodus over Coronavirus fears

Car Thieves Disabling OnStar, Replacing Vehicle Computers (February 11, 2020)

In “a recent string of stolen Chevrolet Silverado pickups,” thieves disabled the OnStar anti-theft technology almost immediately, reducing the likelihood of the vehicles’ recovery. Surveillance video has shown how fast the thieves operate – pop the lock, open the hood, change the computer, and disable OnStar tracking.

Read more in:
– gmauthority.com: Chevrolet Silverado Thieves Disable OnStar Tracking

Median Dwell Time for Breaches is Falling Worldwide

According to the M-Trends 2020 Report, the global median “dwell time” – the time from initial intrusion to detection – fell from 78 days to 56 days in just one year. The report also found that while intrusions are being detected more quickly, they are more often discovered by third parties rather than internally.

Read more in:
– content.fireeye.com: M-Trends 2020 (PDF)
– www.zdnet.com: Cybersecurity: Hacking victims are uncovering cyberattacks faster – and GDPR is the reason why

U.S. Department of Defense DISA Breach Exposed PII of 200,000 People (February 20 & 24, 2020)

The US Department of Defense’s (DoD’s) Defense Information Systems Agency (DISA) has acknowledged a network breach that compromised the personal information of at least 200,000 individuals. On February 11, 2020, DISA sent letters to the people whose data were compromised, telling them that the breach occurred between May and June 2019. DISA secures and manages White House communications.
Read more in:
– threatpost.com: Data Breach Occurs at Agency in Charge of Secure White House Communications

Wyden Pushing for Release of ShiftState Voatz Audit Results

US Senator Ron Wyden (D-Oregon) is asking a company that conducted an audit on the Voatz mobile voting app to disclose the results. While ShiftState’s audit gave Voatz “high marks,” researchers at MIT recently published a paper enumerating security concerns present in Voatz. Specifically, Wyden wants to know how many “ShiftState personnel that audited Voatz [have] experience in election security, cryptographic protocol design and analysis, side channel analysis, and blockchain security;” whether ShiftState detected the same flaws the MIT researchers found; and whether the company agrees or disagrees with the MIT findings and why.

Read more in:
– www.meritalk.com: Sen. Wyden Questions ShiftState on Voatz Audit

CyberNews: Top of the News

Huawei Backdoors Confirmed in Vodafone Documents (April 30, 2019)

Vodafone Group Plc has acknowledged that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess. This is the first time such serious Huawei security issues have been made public.

Read more in:
– www.bloomberg.com: Vodafone Found Hidden Backdoors in Huawei Equipment

Maersk Head of Security on Lessons Learned from NotPetya (April 29, 2019)

In late June 2017, international shipping container company Moller-Maersk was hit with the NotPetya malware. Speaking in a keynote session at CYBER UK 19, Maersk’s head of cybersecurity compliance said he was stunned by “the sheer ferocity and the speed and scale of the attack and the impact it had.” He said that the attack was a reminder that companies can become unintended victims, and that while it is important to protect systems and networks, companies also need to ensure that they have a solid recovery plan in place.

Read more in:
– www.zdnet.com: Ransomware: The key lesson Maersk learned from battling the NotPetya attack

Greenville, North Carolina, Recovering from Ransomware (April 26, 2019)

The city of Greenville, North Carolina is in the process of recovering from a ransomware attack that infected its systems on April 10. Officials say the city’s website is operational again and that some employees have email. The city said it never planned to pay the ransom. IT staff is reimaging all of the city’s computers.

Read more in:
– www.scmagazine.com: Greenville in recovery phase from Robbinhood ransomware attack
– www.wnct.com: City of Greenville bouncing back from ransomware attack

Cleveland Airport Malware Update (April 29, 2019)

Flight and baggage information monitors are once again operational at Cleveland’s Hopkins International Airport. Last week, city officials said that the problems were not caused by ransomware. At a press conference on Monday, April 29, Cleveland’s Chief Information Officer said that the malware that infected computers at the airport was indeed ransomware. Airport officials did not respond to the ransomware demands. The FBI is investigating.

Read more in:
– www.cleveland.com: Cleveland acknowledges for first time Hopkins airport hack involved ransomware
– www.wkyc.com: Flight screens working again at Cleveland Hopkins Airport after going dark amid malware discovery

CyberSecurity: The Rest of the Week’s Cyber News

Bitcoin Stolen From Electrum Wallets (December 27, 2018)

More than 200 bitcoin have been stolen from Electrum wallets since December 21. The attacker or attackers exploited a vulnerability in the Electrum architecture that allows Electrum servers to trigger custom pop-ups in users’ wallets. The attack involves adding malicious servers to the Electrum network. When a legitimate transaction initiated by a user reached one of the malicious servers, the server responded with a message, shown to the user as a pop-up, urging them to download a malicious wallet update from an unauthorized GitHub repository. GitHub admins have taken down the repository, but the pop-up issue has not been fixed.

Read more in:
– www.zdnet.com: Users report losing Bitcoin in clever hack of Electrum wallets

Shamoon Sample Signed with Expired Baidu Certificate (December 27, 2018)

A new sample of the Shamoon disk-wiping malware was uploaded to VirusTotal. It uses an expired digital certificate issued by Baidu. The Shamoon sample is disguised as a Baidu system optimization tool.

Read more in:
– www.bleepingcomputer.com: New Shamoon Sample from France Signed with Baidu Certificate

FBI Warns of Port 1911 Vulnerability in Buildings’ Control Systems (December 27, 2018)

In a recent industry advisory, the FBI warned that port 1911, which is used to communicate with control systems in buildings, could be used to access unpatched devices on those networks. The report warns that “successful exploitation could lead to data leakage and possible privilege escalation.”

Read more in:
– www.cyberscoop.com: FBI warns industry that hackers could probe vulnerable connections in building systems

Guardzilla Home Security System Has Hard-Coded Credentials (December 27, 2018)

A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.
 
Editor’s Note

[Neely]
The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device-specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES-encoded password. The root password and AWS have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user-supplied credentials, as well as resolving any vulnerabilities in supporting software, will be a significant change for Guardzilla, which is keeping tight-lipped about its response to the issue.

Read more in:
– www.cyberscoop.com: Flaw in Guardzilla home security devices allows outsiders to view stored video, researchers say
– www.forbes.com: 0DayAllDay Hackers Go Godzilla On Guardzilla To Reveal A Real Video Nasty
– blog.rapid7.com: R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)
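The design the editor’s note calls for, an intermediate system that limits each device to its own storage, as an added example that is not Guardzilla’s code and uses no real AWS client: a broker that releases a policy only when a device presents its owner’s token, a per-device IAM-style policy scoped to one prefix, and a small evaluator that contrasts it with what a single shared credential allows. The bucket name, device ids and owner tokens are constructed placeholders; a real broker would pass the scoped policy as the session policy of an sts:AssumeRole call and hand the device the temporary keys it gets back, which this sketch does not do.

```python
"""Per-device storage access issued by a broker, instead of one embedded credential.

Added example, not Guardzilla's code and not a real AWS client. All names are constructed.
"""
from fnmatch import fnmatchcase
from typing import Optional

BUCKET = "example-camera-video"   # constructed bucket name

# What a shared, embedded credential typically carries: every action on every bucket the
# vendor owns, so one leaked key reaches free, premium, development and test storage alike.
SHARED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
]}

# Constructed registry: which end-user token may act for which device.
DEVICE_OWNERS = {"cam-001": "owner-token-A", "cam-002": "owner-token-B"}


def device_policy(bucket: str, device_id: str) -> dict:
    """IAM-style policy that lets one device read and write only under its own prefix."""
    return {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/{device_id}/*"]},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": [f"{device_id}/*"]}}},
    ]}


def issue_device_policy(device_id: str, owner_token: str) -> dict:
    """Broker endpoint: hand out a scoped policy only to a device presenting its owner's token.

    A real broker would send this policy as the session policy of an sts:AssumeRole call and
    return the temporary keys, so the device never holds a long-lived credential.
    """
    if DEVICE_OWNERS.get(device_id) != owner_token:
        raise PermissionError(f"{device_id}: owner token rejected")
    return device_policy(BUCKET, device_id)


def is_allowed(policy: dict, action: str, resource: str, context: Optional[dict] = None) -> bool:
    """Minimal evaluator: default deny; an Allow statement wins when action, resource and every
    condition match. Real IAM also has explicit Deny, policy variables and many condition
    operators; this covers only what the comparison below needs."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not any(fnmatchcase(resource, pat) for pat in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringLike", {})
        if all(any(fnmatchcase(str(context.get(key, "")), pat) for pat in pats)
               for key, pats in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    own_clip = f"arn:aws:s3:::{BUCKET}/cam-001/2018-12-27/clip.mp4"
    other_clip = f"arn:aws:s3:::{BUCKET}/cam-002/2018-12-27/clip.mp4"
    dev_object = "arn:aws:s3:::example-camera-dev/anything"
    scoped = issue_device_policy("cam-001", "owner-token-A")
    for label, pol in (("shared credential", SHARED_POLICY), ("scoped to cam-001", scoped)):
        print(f"{label:18} own clip: {is_allowed(pol, 's3:GetObject', own_clip)}  "
              f"other device: {is_allowed(pol, 's3:GetObject', other_clip)}  "
              f"dev bucket: {is_allowed(pol, 's3:GetObject', dev_object)}")
```

The point of the comparison is the blast radius of a leak: with the shared policy a credential pulled from any one unit reads every bucket, while with the scoped policy a compromised unit can reach only its own prefix, and the broker, not the firmware, decides who gets what.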

San Diego Unified School District Discloses Data Breach (December 25 & 26, 2018)

On Friday, December 21, the San Diego (California) Unified School District posted a notice on its website acknowledging that a hacker stole personally identifiable information of 500,000 students and staff members from its network. The hacker gained access to the school district’s system through a phishing attack. Some staff members reported the suspicious emails to the IT department, which discovered the breach in October. The system was compromised from January 2018 through November 1, 2018. The hacker stole data dating back to the 2008-2009 school year. A suspect has been identified.
 
Editor’s Note

[Neely]
A concern here is that the school district data may be used to pressure parents to respond to false threats against their children. The school district is notifying those impacted and advising them to take measures to prevent fraud and identity-theft.

[Northcutt]
If you read to the bottom of the data safety note, they lost control of fairly sensitive data on minors and aren’t doing anything to help the victims. It gives weak advice in the form of “you can”.

[Murray]
In a world of “advanced persistent threat,” one person taking bait should not be sufficient to compromise so much sensitive data. I do not like the term “zero trusts” security but its principle, “never trust, always verify,” and the measures that it identifies, e.g., least privilege, strong authentication, end-to-end application layer encryption, are now essential practices. New tools, including network defined security services, make this more convenient than it sounds.

Read more in:
– www.zdnet.com: Hacker steals ten years worth of data from San Diego school district
– www.scmagazine.com: San Diego Unified School District data breach exposed 500,000 students, staff, parents
– www.sandiegounified.org: Data Safety

Schneider Fixes EVLink Parking Charging Station Flaws (December 24, 2018)

Schneider Electric has fixed a critical vulnerability affecting its EVLink Parking electric vehicle charging stations. The hard-coded credential flaw could be exploited to gain access to the device. Schneider fixed two other flaws in EVLink Parking: a code injection vulnerability and an SQL injection vulnerability.

Read more in:
– threatpost.com: Critical Bug Patched in Schneider Electric Vehicle Charging Station
– download.schneider-electric.com: Security Notification – EVLink Parking (PDF)

Orange LiveBox ADSL Modems Leak Credentials (December 24 & 26, 2018)

A vulnerability affecting Orange LiveBox ADSL modems can be exploited to obtain the devices’ SSIDs and WiFi passwords with a simple GET request. More than 19,000 modems in France and Spain are affected.
 
Editor’s Note

[Neely]
Many of these routers are using default credentials (admin/admin) and are discoverable in Shodan. Once you have the credentials for the targeted SSID, a service such as WiGLE can be used to obtain the exact geolocation of that network. Possible mitigations for this threat include changing both the default credentials as well as the WiFi passwords or possibly moving to a separate WiFi access point and ADSL modem.

Read more in:
– www.zdnet.com: Over 19,000 Orange modems are leaking WiFi credentials
– threatpost.com: 19K Orange Livebox Modems Open to Attack
– www.bleepingcomputer.com: Orange LiveBox Modems Targeted for SSID and WiFi Info

Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data (December 21, 2018)

The Indian government has issued an order that gives ten agencies the authority “to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer.” Individuals and organizations that refuse to comply with interception, monitoring, and access requests could face fines or prison sentences of up to seven years.

Read more in:
– www.zdnet.com: India authorizes 10 agencies to intercept, monitor, and decrypt citizens’ data
– twitter.com: MHA authorizes following agencies for the purpose of interception, monitoring & decryption of any Information

CyberSecurity: Another Facebook data (photo) breach

Abstract

The Facebook internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 and September 25, 2018.

Affected Facebook Users

Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.

Full story from the Facebook team:

https://developers.facebook.com/blog/post/2018/12/14/notifying-our-developer-ecosystem-about-a-photo-api-bug/