LANtennas, ESXi & Python, Twitch Leaks, Facebook BGP, & iPhone Is Always On – PSW #713
This week in the Security Weekly News: Brushing that data breach under the rug? Get sued by the US Government!, all your text messages belong to someone else, beware of the Python in your ESXi, Twitch leaks, when LANtennas attack, zero-trust fixes everything, recalled insulin pumps, Apache 0-day, you iPhone is always turned on, Apple pay hacked, & more!
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
- 1. Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems - So much for air-gapped: "Dubbed "LANtenna Attack," the novel technique enables malicious code in air-gapped computers to amass sensitive data and then encode it over radio waves emanating from Ethernet cables just as if they are antennas. The transmitted signals can then be intercepted by a nearby software-defined radio (SDR) receiver wirelessly, the data decoded, and sent to an attacker who is in an adjacent room."
- 2. The Rising Costs of Data Breaches - Zero-Trust fixes this? - "Significantly, the report found that data breach costs for companies with mature Zero Trust deployments were $1.7 million lower than costs for companies that had not deployed any Zero Trust solutions ($3.3 million vs. $5 million). These statistics, of course, do not – cannot — account for the greatest advantage of implementing Zero Trust security: the fact that organizations that have are much less likely to fall victim to a data breach in the first place."
- 3. PoC exploit for 2 flaws in Dahua cameras leaked online - Looks like setting certain values in the request simply bypasses authentication (https://packetstormsecurity.com/files/164423/Dahua-Authentication-Bypass.html).
- 4. Medtronic recalls insulin pump controllers over life-threatening flaws - "Using specialized equipment, an unauthorized person could instruct the pump to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis, even death,” the FDA noted." "Furthermore, the attacker should be close to the victim, and the victim should ignore the pump’s alerts indicating that a remote bolus is being delivered. " - Recalled a medical device due to vulnerabilities, I believe this is progress my friends.
- 5. Apache fixes actively exploited zero-day vulnerability, patch now - "The actively exploited zero-day vulnerability is tracked as CVE-2021-41773 and it enables actors to map URLs to files outside the expected document root by launching a path traversal attack. Path traversal attacks involve sending requests to access backend or sensitive server directories that should be out of reach. Normally, these requests are blocked, but in this case, the filters are bypassed by using encoded characters (ASCII) for the URLs." - This could be useful for reading configuration files that contain credentials and/or API keys...
- 6. Who Is Hunting For Your IPTV Set-Top Box? - "The main purpose of these requests is likely not to compromise the device but to steal content or use the device remotely, for example, to find devices with subscriptions that can stream content from other countries? "
- 7. NSO Group’s Pegasus malware used to spy on lawyers - If you've ever developed a cool tool or exploit, then shared it with a friend, then find out they did something awful with it, that's how NSO should feel. "Hey, that exploit you gave me works great, I just hacked the pentagon!". Oh. Shit.
- 8. Researchers discover ransomware that encrypts virtual machines hosted on an ESXi hypervisor – Help Net Security - Python FTW: "“Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks.”"
- 9. Company That Routes Billions of Text Messages Quietly Says It Was Hacked - What a great quote! Anyone know this guy? ""Seems like a state-sponsored wet dream," Adrian Sanabria, a cybersecurity expert and founder of Security Weekly Labs, told Motherboard in an online chat. "Can't imagine [Syniverse] being a target for anyone else at that scale." "
- 10. Always-on Processor magic: How Find My works while iPhone is powered off - "The scariest part might be that the maybe the AOP and definitely NFC and Bluetooth LPM enable a new vector of hardware persistence. Broadcom Bluetooth firmware is not signed. Thus, an attacker with control over an iPhone can craft and install Bluetooth LPM malware. Since LPM is a hardware-based feature, there is no way to disable LPM on a potentially hacked device." - Great article.
- 11. Ransomware gangs are complaining that other crooks are stealing their ransoms - "One forum user claimed to have had suspicions of REvil's tactics, and said their own plans to extort $7 million from a victim was abruptly ended. They believe that one of the REvil authors took over the negotiations using the backdoor and made off with the money." - A great example of "There is no honor among thieves".
- 12. Apple Pay with Visa Hacked to Make Payments via Locked iPhones - "The attackers would need to set up a terminal that emulates a legitimate ticket barrier for transit. This can be done using a cheap, commercially available piece of radio equipment, researchers said. This tricks the iPhone into believing it’s connecting to a legitimate Express Transit option, and so, therefore, it doesn’t need to be unlocked. “If a non-standard sequence of bytes (Magic Bytes) precedes the standard ISO 14443-A WakeUp command, Apple Pay will consider this [to be] a transaction with a transport EMV reader,” the team explained."
- 1. CISA Releases New Tool to Help Organizations Guard Against Insider Threats - CISA has produced/released a free self-assessment tool that can be used to gauge a company/agency’s risk posture by answering a series of questions. CISA especially recommends their tool be used by small to medium-sized businesses to identify cybersecurity shortcomings that could devastate their company should a disgruntled employee go rogue.
- 2. DOJ Poised to Sue Contractors Who Don’t Report Cyber Breaches - The Deputy Director stated that the DOJ is ready to sue government contractors and any U.S. company who receives U.S. government grant money if they fail to notify the U.S. government of their computer network being breached. They will also be sued if they misrepresent their company’s cybersecurity processes. The DOJ will leverage the “False Claims Act” for their lawsuits.
- 3. U.S. to tell critical rail, air companies to report hacks, name cyber chiefs - The Transportation Security Administration will introduce regulations that compel most U.S. railroad and airport industries to do three things: (1) improve their cybersecurity processes; (2) identify a chief cyber official and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident.
- 4. Text Message Giant Reveals Five-Year Breach - Telecommunications provider Syniverse, which routes text messages for hundreds of telecom customers, has disclosed it was the target of a five-year data breach that has been ongoing since May 2016 and resulted in the exposure of personally identifiable information (PII) belonging to more than 200 Electronic Data Transfer (EDT) customers.
- 5. NSA, CISA share guidelines for securing VPNs as hacking groups keep busy – CyberScoop - Cautioning that foreign government-backed hackers are actively exploiting vulnerabilities in virtual private network devices, the National Security Agency and the Department of Homeland Security’s cyber wing on Tuesday published guidelines for securing VPNs. The Guidance: https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF
- 6. Unnamed Ransomware gang uses a Python script to encrypt VMware ESXi servers - An unnamed ransomware gang used a custom Python script to target VMware ESXi and encrypt all the virtual machines hosted on the server. According to Sophos researchers, attackers gained access to the targeted network by first logging into a TeamViewer account running on a device on which a domain admin was already logged in, and then leveraged the Advanced IP Scanner to scan the network and identify other potential targets. After identifying potential targets, attackers then used the "Bitvis" SSH client to log onto an ESXi server.
- 7. Thousands of Coinbase Users Hit by Phishing Attack — Here’s How to Protect Yourself - Coinbase experienced a breach in the spring of 2021. Nearly six months later, now their customers are being targeted with phishing emails that contain fake embedded URLs to inform the customer that their cryptocurrency account had been locked out and required immediate action. To date, nearly 6000 customers have lost money to this phishing scam, which leveraged flaws in the password recovery, when using SMS, which didn't fully authenticate the request.
- 8. Twitch’s source code and streamer payment figures have been leaked following hack - Hackers have accessed Twitch and leaked a vast amount of company data, including proprietary code, creator payouts and the "entirety of Twitch.tv." Twitch confirmed the breach in a tweet Wednesday morning, but did not provide further details. It doesn't appear that information like user passwords, addresses and banking information were revealed, but that can't be ruled out in a future drop. If you have a Twitch account, you should activate two-factor authentication so that bad actors can't log into your account if your password has been stolen.
- 9. More details about the October 4 FaceBook outage - FB Engineering's report on what happened. In layperson's terms. BGB/DNS/Physical Access fails - oh my! During one of these routine maintenance jobs, a command was issued with the intention to assess the availability of global backbone capacity, which unintentionally took down all the connections in our backbone network, effectively disconnecting Facebook data centers globally. Our systems are designed to audit commands like these to prevent mistakes like this, but a bug in that audit tool prevented it from properly stopping the command. Our primary and out-of-band network access was down, so we sent engineers onsite to the data centers to have them debug the issue and restart the systems. But this took time, because these facilities are designed with high levels of physical and system security in mind. They’re hard to get into, and once you’re inside, the hardware and routers are designed to be difficult to modify even when you have physical access to them.