TV Hacking, Nvidia, Nation States, NASA, & WMware – PSW #684

Agree or disagree? - "Until passwords go the way of the dodo you need to keep them protected, safe, and accessible. Whether you use a paid, free, or homegrown password manager, use something to keep these most valuable keys protected. Personally, I feel paying a small amount to a company gives me the right to demand better services and improvements, something being a free user does not."

"A number of big questions remain: SolarWinds still hasn’t determined how the hackers originally got into its systems, nobody has fully settled debates on whether the incident amount to espionage, or something worse, and suspicions abound that more victims remain unrevealed." - So many questions and theories.

This wreaks of "we want to put a limitation on our products". And when you do that, people just want to hack it. Why? Because you put a limitation on your products.

We have 17 Samsung TVs in the studio now (and several more in other parts of the office and studios). Naturally, I've been curious about hacking them. My intentions are to gain some more control over them, e.g. I don't need any "Smart" features! Also, I don't need audio. Initial research led me here. Mute -> 1-8-2 -> Power is a fairly well-known way to access a "secret" service menu. However, this site details so many more hacks and hidden menus. My goal is to really just turn the TVs into monitors. So much more is possible!

I was investigating this product. I found that the default password is "Admin/Admin" by guessing as it was not documented. The IP configuration asked for a default gateway, however, I could find no evidence of firmware updates. In fact, there were no firmware updates posted to the vendor site and no way to apply firmware updates via the web interface or via the serial connection. There is a USB-C port, but the documentation does not mention it. The device runs Telnet on port 23, however, the default credentials do not work on that service.

Check your jsonpickle.

"Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process." - Nothing new here, just more Russia hacking Ukraine and everyone else in the world turning a blind eye.

Attribution is hard doesn't even begin to cover. When are we going to dig deeper and start identifying which groups were responsible for each phase of the attacks?

Some of my favorite hacking/security books in here (and some are not my favorites).

"After sending an unauthorized request to /ui/vropspluginui/rest/services/*, I discovered that it did not in fact require any authentication." - That's your problem right there...

"This library is still work in progress. It is supposed to be used as a backend/server-side library (will definitely not work within a browser)," states the developer behind the component." - We cannot just blindly trust all our components and libraries. A human, sometimes, has to read the documentation and performs a risk assessment, that is until the deadline is approaching and you can save 5 days by implementing an experimental library someone else wrote.

If you leave missiles laying around and they fall into the wrong hands, it's a bigger deal than "cyber" weapons.

"The Ukrainian authorities did not attribute the attack to a specific threat actor." - This does not mean they don't know, they just don't want to say and show their hand. If they know who, it tips them off, and potentially any/all tactics and methods used to observe the attackers.

"The bug occurs because "sprintf" is used unsafely. The impact is broad because Python is pre-installed with multiple Linux distributions and Windows 10."

https://flip.it/F8VAjg

https://flip.it/qAlsMl

https://flip.it/Cm19ID

https://flip.it/SFR7xq

"Microsoft, which was also breached by the bad Orion update, assigned 500 engineers to investigate the attack said Smith, but the (most likely Russia-backed) team behind the attack had more than double the engineering resources. "When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000," said Smith."

"Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020. In those breaches, the hackers appear to have compromised servers running Centreon, sold by the firm of the same name based in Paris. Though ANSSI says it hasn't been able to identify how those servers were hacked, it found on them two different pieces of malware: one publicly available backdoor called PAS, and another known as Exaramel, which Slovakian cybersecurity firm ESET has spotted Sandworm using in previous intrusions. While hacking groups do reuse each other's malware—sometimes intentionally to mislead investigators—the French agency also says it's seen overlap in command and control servers used in the Centreon hacking campaign and previous Sandworm hacking incidents." - Supply chain attack?

Cybersecurity is included in this mandate to examine the whole infrastructure in the wake of Solarwinds.

Drink more Ovaltine!

Not wanting to get political or anything, but it's Star Wars...

A WOPR of a story?

I was interviewed recently on Airgap's "Ransomware Battleground" podcast. Different venue, but a good discussion about recent ransomware attacks.

Ron Gula asked me to chat with him about a whole variety of topics. We will do this again.

Must watch episode for everyone who has an interest in hacker history, hacker culture, hip hop, and more.

Second part of the John Threat interview, and also the guys from Hacker Valley Studio.

VMware has addressed a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform, tracked as CVE-2021-21972, that could be exploited by attackers to potentially take control of affected systems. CVE-2021-21972 rated as high risk due to arbitrary command execution potential.

Attackers have been spotted leveraging phishing emails that purport to be a FedEx online document share and an email from DHL, both sharing shipping details in two phishing attacks targeting some 10,000 mailboxes at DHL Express and FedEx in an effort to steal victims' work email credentials.

The California Department of Motor Vehicles (DMV) has announced it has ceased all data transfers after Seattle, Wash.-based third-party funds transfer service provider Automatic Funds Transfer Services, Inc. (AFTS) suffered a ransomware attack that compromised data belonging to millions of California drivers.

Hackers abuse Google Apps Script business application development platform to steal credit cards, bypass CSP

Security researcher Patrick Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.

A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles. Read Red Canary report https://redcanary.com/blog/clipping-silver-sparrows-wings/

Earlier this month, Red Canary detection engineers Wes Hurd and Jason Killam came across a strain of macOS malware using a LaunchAgent to establish persistence.

US retail giant Kroger has become the latest big-name brand to admit it suffered a data breach via legacy file transfer software. The supermarket chain, America’s largest by revenue, posted the notice late last week. It revealed that some of the firm’s customers and employees may have had their data compromised by a malicious third party who exploited a vulnerability in Accellion’s FTA platform

It is not clear how the China-linked malware analysed by Check Point was used.

Daycare camera product NurseryCam was hacked late last week with the person behind the digital break-in coming forward to tip us off. A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users' accounts – and had then dumped them online.

Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities. CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier) CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier) CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier) CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

Transport for NSW has joined a growing list of global organisations to fall victim to the Accellion data breach after confirming that data from the file-sharing system was stolen. Acellion has patched all FTA vulnerabilities known to be exploited by threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.

FireEye says it has linked the recent string of attacks exploiting vulnerabilities in the Accellion legacy file transfer product (tracked as UNC2546) to financial crime group "FIN11." Note the overlaps between FIN11, UNC2546, and UNC2582 are compelling but not yet conclusively determined how they are connected

The Python Software Foundation (PSF) has released Python 3.9.2 and 3.8.8 in order to address a remotely exploitable remote code execution (RCE) vulnerability (CVE-2021-3177) and a web cache poisoning vulnerability (CVE-2021-23336) that could be exploited by attackers to take targeted systems offline.