Mailing USBs, DoS in DoorLock, Moxie Resigns, QR Code Mystery, & Jarring Revelations – PSW #723

Seems they are getting hammered on this point: "It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI." - I don't believe this is why Moxie left, I think he created something truly awesome (and private AND secure) and needs to move on to find another challenge...

"Lacework Labs researcher Greg Foss (@35Foss) spent some time analyzing the Automox Windows agent and ultimately discovered a local privilege escalation flaw with a CVSS score of 7.8 (High) due to how the agent handles PowerShell script execution at run-time."

What could go wrong? Buffer overflow for one: "The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems."

"The QR codes found by Austin police department directed unsuspecting users to a fraudulent website which would ask for payment details with the false promise that their parking session would be paid for. The City of Austin checked its parking meters after being notified of a similar QR code scam by officials in San Antonio. They had discovered over 100 parking meters similarly stickered in late December."

"This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. This could lead to data privacy issues, lateral movement and privilege escalation."

"According to reports, the cryptocurrency miner was included in the Norton antivirus in June last year to help Norton 360 users earn some extra bucks from their graphics card. The tool is called Norton Crypto, and it mines Ethereum. Users can keep 85% of the cut while the remaining goes to NortonLifeLock."

Oops: "However, it was also discovered that the hacking group had managed to also infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers."

Sounds like a challenge: "Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC."

A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit

iOS 15.2.1 and iPadOS 15.2.1 released 1/12/22 address HomeKit vulnerability. (CVE-2022-22588)

A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit. That could be triggered by changing a HomeKit device's name to a string longer than 500,000 characters. According to Trevor Spiniolas, who uncovered the flaw, once the string is loaded, iOS and iPadOS will reboot and become unusable.

Attackers are still targeting NAS devices. QNAP publishes steps to secure their NAS devices. Repeat after me: I solemnly swear not to expose NAS to the Internet.

Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.

Storage devices manufactured by various vendors are reportedly affected by two vulnerabilities (CVE-2021-36750 and CVE-2021-36751) that were uncovered in third-party encryption software used by all the manufactures and could be exploited to conduct brute-force attacks and obtain users' passwords. Potential for brute forcing accounts. Requires local access.

Researchers say that after conducting a study of 16 different Uniform Resource Locator (URL) parsing libraries, they found that those libraries contained "inconsistencies and confusions" that could be exploited by attackers to bypass validations and create a variety of attack vectors. Report: https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf

A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. The vulnerability is in one of Uber's servers which isn't properly sanitizing input, rather than their email servers.

Four million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz. Make sure your development and CI processes are using up-to-date libraries. Don't wait to qualify new versions.

Apache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Apache is urging customers to upgrade as soon as possible to prevent exploitation. According to reports, the moderate-severity issue results from a lack of additional controls on JDNI access in Log4j.

Credential stuffing attacks, where credentials are obtained from third-party breachs not relating to Lastpass, result in valid credentials used from unusual locations which are blocked. Use unique passwords and enable MFA...

T-Mobile has been the victim of multiple data breaches over the last four years, users should remain vigilant.

Shutterfly said on Dec. 26 that it was hit by a ransomware attack that struck portions of its network and interrupted elements of its Groovebook app, Lifetouch and BorrowLenses business, manufacturing operations, and some internal systems.

Fisher Price's Bluetooth reboot of pre-school play phone has adult privacy flaw ‘Chatter’ can be bugged thanks to kindergarten-grade security.

U.K. Minister of State Security and Borders Damian Hinds has accused China, Iran, and Russia of conducting disinformation campaigns and of being involved in various ways in terms of spies on the ground, cyber attacks, soldiers on standby, and disinformation operations.