Hacking Honda, Insider Threat Galore, ChaosDB, USB File Weight, & Linux 5.14 – PSW #709

Does the "TVA is just like a SoC" analogy hold up?

Darknet Diaries has a great episode with details on this (though despite amazing effort, was not able to interview NSO, which speaks volumes): "NSO has come under widespread criticism over reports that its flagship spyware product, Pegasus, has been misused by governments to spy on dissidents, journalists, human rights workers and possibly even heads of state. Pegasus is able to stealthily infiltrate a target’s mobile phone, giving users access to data, email, contacts and even their cameras and microphones."

"Many companies have a prevailing practice regarding information security — that they need to do only the bare minimum to get by. They do that while millions of consumer records are breached weekly."

Congrats Ed!

"If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device's serial number." - And with the email and the IMEI, you can use the API to disarm the system. Also, I feel like this is 20-years-ago behavior from a vendor: "Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting. Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Reiling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not provide specifics that it claims are false, or if Fortress has mitigated the vulnerabilities."

Actually...

"The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in technologies accessible from the Internet. "

And they are just either discovering or disclosing this now? SBOM anyone? - "The Aruba AirWave management platform is HPE’s real-time monitoring and security alert system for wired and wireless infrastructures. The Sudo bug (CVE-2021-3156) was reported in January by Qualys researchers and is believed to impact millions of endpoint devices and systems."

" The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed."

Interesting, we seem to be really destroying the basic concepts of permissions and rings: "memfd_secret lets applications create an area of memory that only that application can access. Not even the kernel can access the designated area of memory. Which matters, because Spectre and Meltdown meant cached data could be accessed. memfd_secret is designed to provide a safe place for secrets like cryptographic keys or passwords to reside."

Yikes: "While she was being terminated, and just before she was escorted from the building, CALONGE was observed by two employees of Employee-1 repeatedly hitting the delete key on her desktop computer. Several hours later, CALONGE logged into a system (“System-1”) used by Employer?1 to receive and manage applications for employment with the company, which the company had invested two years and over $100,000 to build. During the next two days, CALONGE rampaged through System-1, deleting over 17,000 job applications and resumes, and leaving messages with profanities inside the system."

"By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook. By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key. Using these credentials, it is possible to view, modify, and delete data in the target Cosmos DB account via multiple channels. Below is a diagram that illustrates the attack."

Juliana Barile, the former employee of a New York credit union, pleaded guilty to accessing the financial institution's computer systems without authorization and destroying over 21 gigabytes of data in revenge 40 minutes after being fired.

More than nine in 10 (91%) industrial organizations are vulnerable to cyber-attacks, according to a new report by Positive Technologies. Their penetration testers gained access to the technological segment of the network of 75% of organizations. This then enabled them to access industrial control systems (ICS) in 56% of cases. Report: https://www.ptsecurity.com/ww-en/analytics/ics-risks-2021/

The names and home addresses of 111,000 British firearm owners have been dumped online as a Google Earth-compatible CSV file that pinpoints domestic homes as likely firearm storage locations – a worst-case scenario for victims of the breach.

Network-attached storage (NAS) maker QNAP is investigating and working on security updates to address remote code execution (RCE) and denial-of-service (DoS). Synology customers also still waiting on updates.

Technical details have emerged on a serious vulnerability in Microsoft Exchange Server dubbed ProxyToken that does not require authentication to access emails. Tracked as CVE-2021-33766, ProxyToken gives unauthenticated attackers access to the configuration options of user mailboxes, where they can define an email forwarding rule. Fixed in July CU and SA updates.

The onetime CEO of ARM China, Allen Wu, has reportedly seized control of ARM’s Chinese business venture, ARM China. Mr. Wu is accused of attempting to launch his own company, Alphatecture, by leveraging his position at ARM China to do so.

F5 has fixed more than a dozen high-severity security vulnerabilities in its networking device, with one of them being elevated to critical severity and CVSS score of 9.9 under specific conditions. All vulnerabilities are part of this month’s delivery of security updates, addressing almost 30 vulnerabilities for multiple F5 devices.

Opponents of the Belarus government said they have pulled off an audacious hack that has compromised dozens of police and interior ministry databases as part of a broad effort to overthrow President Alexander Lukashenko's regime.

Trend Micro has uncovered a cyberespionage campaign by Earth Baku, or APT41, against organizations in the Indo-Pacific region. The campaign has been continuing since July 2020.

Microsoft has been tracking a widespread credential phishing campaign using open redirector links combined with social engineering lures that spoof known productivity tools to trick users. Attackers also use a CAPTCHA verification page to add a sense of legitimacy to the campaign.

Microsoft has warned thousands of Azure customers that a now-fixed critical vulnerability found in Cosmos DB allowed any user to remotely take over other users' databases by giving them full admin access without requiring authorization. Microsoft advises users to regenerate their Cosmos DB primary keys, and leverage a vNET or firewall to further protect their Cosmos DB Accounts.

A Chinese national pleaded guilty today in federal court in Boston in connection with illegally procuring and causing the illegal export of $100,000 worth of U.S. origin goods to Northwestern Polytechnical University (NWPU), a Chinese military university that is heavily involved in military research and works closely with the People’s Liberation Army on the advancement of its military capabilities.