TV Hacking, Nvidia, Nation States, NASA, & VMware – PSW #684
This week in the Security News: Nvidia tries to throttle cryptocurrency mining, digging deeper into the SolarWinds breach, now with executive orders, NASA's secret message on Mars, vulnerabilities in Python and Node.js, hacking TVs and AV gear, nation state hacking galore, patch your VMware vCenter, and is a password manager worth your money!?!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
Hosts
- 1. CVSS as a Framework, Not a Score
- 2. Is a password manager worth your money? Agree or disagree? - "Until passwords go the way of the dodo you need to keep them protected, safe, and accessible. Whether you use a paid, free, or homegrown password manager, use something to keep these most valuable keys protected. Personally, I feel paying a small amount to a company gives me the right to demand better services and improvements, something being a free user does not."
- 3. Senate hearing on SolarWinds hack lays bare US shortcomings, remaining mysteries – CyberScoop - "A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amounts to espionage, or something worse, and suspicions abound that more victims remain unrevealed." - So many questions and theories.
- 4. Nvidia’s Anti-Cryptomining Chip May Not Discourage Attacks - This reeks of "we want to put a limitation on our products". And when you do that, people just want to hack it. Why? Because you put a limitation on your products.
- 5. SamyGO - We have 17 Samsung TVs in the studio now (and several more in other parts of the office and studios). Naturally, I've been curious about hacking them. My intentions are to gain some more control over them, e.g. I don't need any "Smart" features! Also, I don't need audio. Initial research led me here. Mute -> 1-8-2 -> Power is a fairly well-known way to access a "secret" service menu. However, this site details so many more hacks and hidden menus. My goal is to really just turn the TVs into monitors. So much more is possible!
- 6. HDMI 8X8 Matrix 4K@60Hz 4:4:4 Control4 Driver – J-Tech Digital - I was investigating this product. I found that the default password is "Admin/Admin" by guessing, as it was not documented. The IP configuration asked for a default gateway; however, I could find no evidence of firmware updates. In fact, there were no firmware updates posted to the vendor site and no way to apply firmware updates via the web interface or via the serial connection. There is a USB-C port, but the documentation does not mention it. The device runs Telnet on port 23; however, the default credentials do not work on that service.
- 7. Python jsonpickle 2.0.0 Remote Code Execution - Check your jsonpickle.
- 8. Ukraine says Russia hacked its document portal and planted malicious files - "Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process." - Nothing new here, just more Russia hacking Ukraine and everyone else in the world turning a blind eye.
- 9. This chart shows the connections between cybercrime groups - "Attribution is hard" doesn't even begin to cover it. When are we going to dig deeper and start identifying which groups were responsible for each phase of the attacks?
- 10. Cisco Warns of Critical Auth-Bypass Security Flaw
- 11. Cybersecurity Canon - Some of my favorite hacking/security books in here (and some are not my favorites).
- 12. Unauthorized RCE in VMware vCenter - "After sending an unauthorized request to /ui/vropspluginui/rest/services/*, I discovered that it did not in fact require any authentication." - That's your problem right there...
- 13. Heavily used Node.js package has a code injection vulnerability - "This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser)," states the developer behind the component. - We cannot just blindly trust all our components and libraries. A human, sometimes, has to read the documentation and perform a risk assessment, that is until the deadline is approaching and you can save 5 days by implementing an experimental library someone else wrote.
- 14. Chinese spyware code was copied from America’s NSA Researchers - If you leave missiles lying around and they fall into the wrong hands, it's a bigger deal than "cyber" weapons.
- 15. Ukraine sites suffered massive attacks launched from Russian networks - "The Ukrainian authorities did not attribute the attack to a specific threat actor." - This does not mean they don't know; they just don't want to say and show their hand. If they know who, it tips them off, and potentially any/all tactics and methods used to observe the attackers.
- 16. Python programming language hurries out update to tackle remote code vulnerability - "The bug occurs because "sprintf" is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10."
- 17. Clubhouse Chats Are Breached, Raising Concerns Over Security - https://flip.it/F8VAjg
- 18. John Deere Lied For Years About Making Its Tractors Easier To Service - https://flip.it/qAlsMl
- 19. Zombie infection threat as country unlocks 50,000-year-old viruses - https://flip.it/Cm19ID
- 20. New type of supply-chain attack hit Apple, Microsoft and 33 other companies - https://flip.it/SFR7xq
- 21. Microsoft: SolarWinds attack took more than 1,000 engineers to create - "Microsoft, which was also breached by the bad Orion update, assigned 500 engineers to investigate the attack, said Smith, but the (most likely Russia-backed) team behind the attack had more than double the engineering resources. "When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000," said Smith."
- 22. France Ties Russia’s Sandworm to a Multiyear Hacking Spree - "Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris. Though ANSSI says it hasn't been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other's malware—sometimes intentionally to mislead investigators—the French agency also says it's seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents." - Supply chain attack?
- 1. President Biden’s Supply Chain Executive Order - Cybersecurity is included in this mandate to examine the whole infrastructure in the wake of SolarWinds.
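The vCenter item above (#12) quotes the researcher's observation that requests under /ui/vropspluginui/rest/services/ were answered without authentication. From the defender's side, the first question after patching is whether anyone touched that path in the meantime. The following Python script is an added example, not code from the show or the researcher: it parses combined-format access log lines, flags every request under that prefix, and marks the ones the server actually served (2xx) as high priority. The log lines are constructed for the example and the sub-path "PLACEHOLDER" stands in for whatever endpoint names exist under the prefix, since the page only names the prefix itself.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Path prefix quoted in the vCenter write-up. On affected versions, requests
# under it were served without any authentication.
WATCHED_PREFIX = "/ui/vropspluginui/rest/services/"

# Apache/nginx "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic). "PLACEHOLDER" stands in for the
# real sub-path names, which the page does not give. The last line is
# deliberately malformed to show that unparsable records are skipped.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2021:10:01:07 +0000] "GET /ui/vropspluginui/rest/services/PLACEHOLDER HTTP/1.1" 200 210 "-" "python-requests/2.25.1"
10.0.0.9 - - [24/Feb/2021:10:01:09 +0000] "POST /ui/vropspluginui/rest/services/PLACEHOLDER?x=1 HTTP/1.1" 200 35 "-" "python-requests/2.25.1"
10.0.0.7 - - [24/Feb/2021:10:02:30 +0000] "GET /ui/vropspluginui/rest/services/PLACEHOLDER HTTP/1.1" 401 0 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    user_agent: str
    severity: str  # "high" when the request was served (2xx), otherwise "info"


def parse_line(line: str):
    """Return the regex match for one combined-format line, or None."""
    return LOG_RE.match(line.rstrip("\n"))


def scan(log_text: str) -> list:
    """Return one Finding per request under WATCHED_PREFIX, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = parse_line(line)
        if m is None:
            continue  # unparsable record: skip rather than crash the scan
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if not path.startswith(WATCHED_PREFIX):
            continue
        status = int(m.group("status"))
        # A 2xx means the server answered; the write-up's point is that these
        # requests should have required authentication in the first place.
        severity = "high" if 200 <= status < 300 else "info"
        findings.append(Finding(m.group("ip"), m.group("ts"), m.group("method"),
                                path, status, m.group("ua"), severity))
    return findings


def by_source(findings) -> dict:
    """Count findings per client IP so repeat probers stand out."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity:4}] {f.timestamp} {f.ip} {f.method} {f.path} -> {f.status} ({f.user_agent})")
    print("per source:", by_source(hits))
```

Point the script at a real vCenter access log by replacing SAMPLE_LOG with the file contents; the prefix match is deliberately broad so that every sub-path is caught, and the per-source tally is what usually separates a one-off scanner from a sustained session.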
- 2. Nvidia throttles Ethereum mining on the RTX 3060
- 3. President Biden’s Executive Order on Supply Chain
- 1. NASA Sent a Secret Message to Mars. Meet the People Who Decoded It - Drink more Ovaltine!
- 2. Why America would not survive a real first strike cyberattack today
- 3. Heavily used Node.js package has a code injection vulnerability
- 4. Hackers Tied to Russia’s GRU Targeted the US Grid for Years
- 5. Daisy Ridley fires back at Ted Cruz after he defends Gina Carano over ‘Mandalorian’ firing - Not wanting to get political or anything, but it's Star Wars...
- 6. Google Cloud puts its Kubernetes Engine on autopilot - A WOPR of a story?
- 7. Kroger joins victims of Accellion data breach
- 8. Clubhouse suffers data breach
- 9. Wawa Reaches Proposed $12M Settlement in Data Breach Litigation
- 10. Students’ Information Compromised by Data Breach at Harvard Business School
- 11. Massive SolarWinds Hack Prompts Calls for U.S. Law Requiring Cyber Breach Reporting
- 12. Tactics & Measures for Ransomware in Enterprise Workplace 2021 - I was interviewed recently on Airgap's "Ransomware Battleground" podcast. Different venue, but a good discussion about recent ransomware attacks.
- 13. Gula Tech Cyber Fiction Show: Episode #7 – Jeff Man – Cybersecurity Evangelism - Ron Gula asked me to chat with him about a whole variety of topics. We will do this again.
- 14. SCW Ep #62: Interview with John Threat, Part 1 - Must-watch episode for everyone who has an interest in hacker history, hacker culture, hip hop, and more.
- 15. SCW Ep #62: Interview with John Threat, Part 2 - Second part of the John Threat interview, and also the guys from Hacker Valley Studio.
- 1. VMware addresses a critical RCE issue in vCenter Server - VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to potentially take control of affected systems. CVE-2021-21972 is rated as high risk due to its arbitrary command execution potential.
- 2. 10,000 mailboxes hit in phishing attacks on FedEx and DHL Express - Attackers have been spotted leveraging phishing emails that purport to be a FedEx online document share and an email from DHL, both sharing shipping details, in two phishing attacks targeting some 10,000 mailboxes at DHL Express and FedEx in an effort to steal victims' work email credentials.
- 3. California DMV Halts Data Transfers After Vendor Breach - The California Department of Motor Vehicles (DMV) has announced it has ceased all data transfers after Seattle, Wash.-based third-party funds transfer service provider Automatic Funds Transfer Services, Inc. (AFTS) suffered a ransomware attack that compromised data belonging to millions of California drivers.
- 4. Hackers steal credit card data abusing Google’s Apps Script - Hackers abuse the Google Apps Script business application development platform to steal credit cards and bypass CSP.
- 5. First Malware Designed for Apple M1 Chip Discovered in the Wild - Security researcher Patrick Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.
- 6. New malware found on 30,000 Macs has security pros stumped - A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles. Read the Red Canary report: https://redcanary.com/blog/clipping-silver-sparrows-wings/
- 7. Silver Sparrow macOS malware with M1 compatibility - Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence.
- 8. US Retailer Kroger Admits Accellion Breach - US retail giant Kroger has become the latest big-name brand to admit it suffered a data breach via legacy file transfer software. The supermarket chain, America’s largest by revenue, posted the notice late last week. It revealed that some of the firm’s customers and employees may have had their data compromised by a malicious third party who exploited a vulnerability in Accellion’s FTA platform.
- 9. Chinese spies ‘used code copied from America’s NSA’ for hacking operations - It is not clear how the China-linked malware analysed by Check Point was used.
- 10. NurseryCam hacked, company shuts down IoT camera service - Daycare camera product NurseryCam was hacked late last week, with the person behind the digital break-in coming forward to tip us off. A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users' accounts – and had then dumped them online.
- 11. Exploitation of Accellion File Transfer Appliance - Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities:
  - CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
  - CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
  - CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
  - CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)
- 12. Transport for NSW data stolen in Accellion breach - Transport for NSW has joined a growing list of global organisations to fall victim to the Accellion data breach after confirming that data from the file-sharing system was stolen. Accellion has patched all FTA vulnerabilities known to be exploited by threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.
- 13. FireEye Links Accellion Attacks to FIN11 - FireEye says it has linked the recent string of attacks exploiting vulnerabilities in the Accellion legacy file transfer product (tracked as UNC2546) to financial crime group "FIN11." Note that the overlaps between FIN11, UNC2546, and UNC2582 are compelling, but how they are connected has not yet been conclusively determined.
- 14. Python programming language hurries out update to tackle remote code vulnerability - The Python Software Foundation (PSF) has released Python 3.9.2 and 3.8.8 in order to address a remotely exploitable remote code execution (RCE) vulnerability (CVE-2021-3177) and a web cache poisoning vulnerability (CVE-2021-23336) that could be exploited by attackers to take targeted systems offline.
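Items #6 and #7 above note that Silver Sparrow persisted through a LaunchAgent. LaunchAgent plists are plain property lists, so a quick triage of what is installed under the LaunchAgents directories is something any macOS responder can script. The Python below is an added example, not Red Canary's detection logic or anything from the show: it parses each plist with the standard library, pulls out the Label and the program it launches, and scores a few generic indicators (an interpreter instead of an application binary, a program path in a temporary or shared directory, a hidden path component, and RunAtLoad combined with KeepAlive). The two plists are constructed for the example and are not the real Silver Sparrow artifacts; the heuristics are assumptions chosen for illustration, not a published rule set.

```python
import glob
import os
import plistlib
from dataclasses import dataclass, field

# Heuristic inputs: assumptions for this example, not a vendor rule set.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "/usr/bin/python3", "/usr/bin/curl"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")

# Constructed sample plists (not real malware artifacts).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string>
  </array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.constructed.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/sh</string>
    <string>-c</string>
    <string>/tmp/.agent/verx.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


@dataclass
class Report:
    label: str
    program: list
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def program_of(d: dict) -> list:
    """launchd accepts either ProgramArguments (array) or Program (string)."""
    args = d.get("ProgramArguments")
    if args:
        return [str(a) for a in args]
    return [str(d["Program"])] if "Program" in d else []


def triage(plist_bytes: bytes) -> Report:
    """Parse one LaunchAgent plist and collect the indicators it trips."""
    d = plistlib.loads(plist_bytes)
    args = program_of(d)
    rep = Report(label=str(d.get("Label", "<no Label>")), program=args)
    if args and args[0] in INTERPRETERS:
        rep.reasons.append("runs an interpreter rather than an application binary")
    joined = " ".join(args)
    if any(s in joined for s in STAGING_DIRS):
        rep.reasons.append("program lives in a temporary or shared directory")
    if any("/." in a for a in args):
        rep.reasons.append("hidden path component")
    if d.get("RunAtLoad") and d.get("KeepAlive"):
        rep.reasons.append("RunAtLoad with KeepAlive (starts at login, restarted if killed)")
    return rep


def triage_all(items) -> list:
    """items: iterable of (name, plist_bytes). Returns (name, Report), highest score first."""
    reports = [(name, triage(data)) for name, data in items]
    return sorted(reports, key=lambda nr: nr[1].score, reverse=True)


def collect_launch_agents() -> list:
    """Read the per-user and system LaunchAgents directories (empty off macOS)."""
    patterns = [os.path.expanduser("~/Library/LaunchAgents/*.plist"),
                "/Library/LaunchAgents/*.plist"]
    found = []
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path, "rb") as fh:
                found.append((path, fh.read()))
    return found


if __name__ == "__main__":
    samples = [("benign-sample", BENIGN_PLIST), ("suspicious-sample", SUSPICIOUS_PLIST)]
    for name, rep in triage_all(samples + collect_launch_agents()):
        print(f"score={rep.score} {name} label={rep.label} program={rep.program}")
        for r in rep.reasons:
            print("   -", r)
```

Run as a script it triages the two embedded samples plus whatever is actually installed on the machine; a non-zero score is a prompt to look at the plist and the program it points to, not a verdict, since legitimate agents sometimes wrap a shell script too.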