Beyond Information Security

New ‘CacheOut’ Attack Leaks Data from Intel CPUs, VMs and SGX Enclave

Another month, another speculative execution vulnerability found in Intel processors. If your computer is running any modern Intel CPU built before October 2018, it’s likely vulnerable to a newly discovered hardware issue that could allow attackers to leak sensitive data from the OS kernel, co-resident virtual machines, and even from Intel’s secured SGX enclave. Dubbed CacheOut a.k.a. L1 Data Eviction Sampling (L1DES) and assigned CVE-2020-0549, the new microarchitectural attack allows an attacker to choose which data to leak from the CPU’s L1 Cache, unlike previously demonstrated MDS attacks where attackers need to wait for the targeted data to be available.

Source: The Hacker News / Threatpost / SecurityWeek / Intel

Link: https://thehackernews.com/2020/01/new-cacheout-attack-leaks-data-from.html

Link: https://threatpost.com/new-cacheout-attack-targets-intel-cpus/152323/

Link: https://www.securityweek.com/cacheoutl1des-new-speculative-execution-attack-affecting-intel-cpus

Link: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html

Link: https://cacheoutattack.com

Vehicle Hacking Part 1: Understanding the Attack Surface

How do we even find the attack surface? Let's start with what we see in most cars: we all know that there are CD ports in cars, some cars have USB ports, some have a whole interface and a screen, all cars have an electronic outlet to charge things, most cars have key fobs, some vehicles are electric, some have distance sensors, some might also have diagnostic ports, some have GPS, Bluetooth or Internet, and finally, most cars have a basic aux or radio interface without a screen. Cars can have a number of these things together, and all of these are ways that data can enter the car.

Source: Secjuice

Link: https://www.secjuice.com/vehicle-hacking-part-1/

Zoom Bug Could Have Let Uninvited People Join Private Meetings

If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session.

Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms.

Source: The Hacker News / Threatpost / Dark Reading / SecurityWeek

Link: https://thehackernews.com/2020/01/zoom-meeting-password.html

Link: https://threatpost.com/video-zoom-web-conference-security-risks/152337/

Link: https://threatpost.com/zoom-fixed-flaw-opening-meetings-to-hackers/152266/

Link: https://www.darkreading.com/cloud/new-zoom-bug-prompts-security-fix-platform-changes/d/d-id/1336892

Link: https://www.securityweek.com/vulnerability-allowed-attackers-join-zoom-meetings

Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender

A new ransomware called Ragnarok has been detected being used in targeted attacks against unpatched Citrix ADC servers vulnerable to CVE-2019-19781. Last week, FireEye released a report about new attacks exploiting the now-patched Citrix ADC vulnerability to install the new Ragnarok ransomware on vulnerable networks. Once attackers compromise a Citrix ADC device, various scripts are downloaded and executed that scan for Windows computers vulnerable to EternalBlue.

Source: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/

New ‘I Got Phished’ Service Alerts Companies of Phished Employees

A new service called ‘I Got Phished’ has launched that will alert domain and security administrators when an employee in their organization falls for a phishing attack. Phishing attacks are a common vector for a variety of other attacks, such as BEC scams, network intrusions, and even ransomware attacks. Therefore, organizations must be notified as early as possible about an employee’s login credentials being exposed in order to prevent even more severe attacks.

Source: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/security/new-i-got-phished-service-alerts-companies-of-phished-employees/

Link: https://igotphished.abuse.ch

AlphaBay Dark Web Market Mod Faces 20 Years After Pleading Guilty

Bryan Connor Herrell, a 25-year-old from Fresno, California, pleaded guilty this week in the US to racketeering charges related to the now-defunct dark web marketplace AlphaBay. Before AlphaBay was shut down by law enforcement in July 2017, Herrell was a marketplace moderator known under the Penissmith and Botah nicknames. “On AlphaBay, vendors and purchasers engaged in hundreds of thousands of illicit transactions for guns, drugs, stolen identity information, credit card numbers, and other illegal items,” the DoJ says.

Source: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/security/alphabay-dark-web-market-mod-faces-20-years-after-pleading-guilty/

Critical Flaws in Magento e-Commerce Platform Allow Code-Execution

Critical vulnerabilities in Adobe’s Magento e-commerce platform – a favorite target of the Magecart cybergang – could lead to arbitrary code execution. Adobe issued patches on Tuesday as part of its overall release of the Magento 2.3.4 upgrade, giving the fixes a “priority 2” rating. In Adobe parlance, priority 2 means that administrators should apply the updates within 30 days. Out of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could “allow malicious native code to execute, potentially without a user being aware.”

Source: Threatpost / Bleeping Computer / SecurityWeek

Link: https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/152343/

Link: https://www.bleepingcomputer.com/news/security/magento-234-fixes-critical-code-execution-vulnerabilities/

Link: https://www.securityweek.com/magento-234-patches-critical-code-execution-vulnerabilities

Wawa Breach May Have Affected More Than 30 Million Customers

A hefty collection of U.S. and international payment cards from the incident revealed in December has been found up for sale on the dark-web marketplace Joker’s Stash. The Joker’s Stash marketplace, one of the largest and most notorious dark web marketplaces for buying stolen payment card data, began uploading card data Monday from a major breach dubbed “BIGBADABOOM-III,” researchers from New York-based fraud intelligence company Gemini Advisory revealed in a report.

Source: Threatpost / Krebs on Security / Dark Reading / SecurityWeek / Infosecurity Magazine

Link: https://threatpost.com/wawa-breach-30-million-customers/152328/

Link: https://krebsonsecurity.com/2020/01/wawa-breach-may-have-compromised-more-than-30-million-payment-cards/

Link: https://www.darkreading.com/attacks-breaches/pilfered-wawa-payment-card-data-now-for-sale-on-dark-web/d/d-id/1336903

Link: https://www.securityweek.com/firm-says-wawa-customers-hacked-credit-card-info-being-sold

Link: https://www.infosecurity-magazine.com/news/hackers-uploading-30-m-cards-wawa/

Apple Security Updates Tackle iOS Device Tracking, RCE Flaws

Apple’s latest security fixes, released Tuesday, tackle a wide range of bugs, including several patches for high-risk flaws that could allow for remote code execution (RCE). Of particular interest to privacy-minded iPhone 11 users is an iOS 13.3.1 update that allows users to turn off U1 Ultra-Wideband device tracking.

Source: Threatpost / Bleeping Computer / SecurityWeek

Link: https://threatpost.com/apple-patches-ios-device-tracking/152364/

Link: https://www.bleepingcomputer.com/news/apple/apple-ios-1331-released-with-fix-for-location-tracking/

Link: https://www.securityweek.com/apple-patches-tens-vulnerabilities-ios-macos-catalina

Ring Android App Sent Sensitive User Data to 3rd Party Trackers

Amazon’s Ring doorbell app for Android is sending to third-party trackers information that can be used to identify customers, research from the Electronic Frontier Foundation (EFF) has found.

Source: Bleeping Computer / Threatpost / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/ring-android-app-sent-sensitive-user-data-to-3rd-party-trackers/

Link: https://threatpost.com/ring-sharing-user-data-facebook-data-miners/152300/

Link: https://www.securityweek.com/ring-doorbell-app-android-sends-out-loads-user-data

ThreatList: Ransomware Costs Double in Q4, Sodinokibi Dominates

Ransomware costs more than doubled in the fourth quarter of 2019, with the average ransom payment skyrocketing to $84,116, a 104 percent surge from $41,198 in the third quarter. Researchers said that the leap in ransomware costs is due in large part to some attackers pushing variants such as Ryuk and Sodinokibi harder into the lucrative enterprise space. There, criminals can attempt to extort companies with deep pockets for seven-figure ransom payouts.

Source: Threatpost / Dark Reading

Link: https://threatpost.com/threatlist-ransomware-costs-double-in-q4-sodinokibi-dominates/152200/

Link: https://www.darkreading.com/risk/average-ransomware-payments-more-than-doubled-in-q4-2019/d/d-id/1336893

Sprint Exposed Customer Support Site to Web

Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web. KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months’ worth of postings about customer complaints and other issues were viewable without authentication by anyone with a Web browser.

Source: Krebs on Security

Link: https://krebsonsecurity.com/2020/01/sprint-exposed-customer-support-site-to-web/

Modern Mass Surveillance: Identify, Correlate, Discriminate

Communities across the United States are starting to ban facial recognition technologies. These efforts are well-intentioned, but facial recognition bans are the wrong way to fight against modern surveillance. Focusing on one particular identification method misconstrues the nature of the surveillance society we’re in the process of building. Ubiquitous mass surveillance is increasingly the norm. In countries like China, a surveillance infrastructure is being built by the government for social control. In countries like the United States, it’s being built by corporations in order to influence our buying behavior, and is incidentally used by the government. 

Source: Bruce Schneier, Schneier on Security

Link: https://www.schneier.com/blog/archives/2020/01/modern_mass_sur.html

NSA Shares Guidance on Mitigating Cloud Vulnerabilities

The U.S. National Security Agency (NSA) has published advice on mitigating cloud vulnerabilities. While the advice is primarily designed for government agencies and departments, it nevertheless contains good advice for any commercial organization considering or embarking on — or already deployed in — a cloud environment.

Source: SecurityWeek

Link: https://www.securityweek.com/nsa-shares-guidance-mitigating-cloud-vulnerabilities

Leaked Report Shows United Nations Suffered Hack

An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says that dozens of servers were “compromised” at offices in Geneva and Vienna. Those include the U.N. human rights office, which has often been a lightning rod of criticism from autocratic governments for its calling-out of rights abuses. One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remains unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced. The level of sophistication was so high that it was possible a state-backed actor might have been behind it, the official said.

Source: SecurityWeek

Link: https://www.securityweek.com/leaked-report-shows-united-nations-suffered-hack

Major Canadian Military Contractor Compromised in Ransomware Attack

A Canadian construction company that won military and government contracts worth millions of dollars has suffered a ransomware attack. General contractor Bird Construction, which is based in Toronto, was allegedly targeted by cyber-threat group MAZE in December 2019. MAZE claims to have stolen 60 GB of data from the company, which landed 48 contracts worth $406m with Canada’s Department of National Defense between 2006 and 2015.

Source: Infosecurity Magazine

Link: https://www.infosecurity-magazine.com/news/bird-construction-compromised-in/

Bugs. Easy To Find, Tough To Report

A common complaint that you often hear in infosec is how hard it can be to report vulnerabilities sometimes. This story tells of my journey using OSINT tools to find the right person to responsibly report a bug to. Of course, I enjoyed the journey more than the destination.

Source: Secjuice

Link: https://www.secjuice.com/reporting-bugs/

Critical Remote Code Execution Bug Fixed in OpenBSD SMTP Server

A critical vulnerability in the free OpenSMTPD email server present in many Unix-based systems can be exploited to run shell commands with root privileges. The security bug, now tracked as CVE-2020-7247, is a local privilege escalation and remote code execution flaw. It is in the ‘smtp_mailaddr()’ function that validates the addresses of the sender and the recipient. It was introduced in the OpenSMTPD code in May 2018 and has been exploitable since. Attackers can leverage it either locally or remotely to run arbitrary commands with root privileges on a vulnerable system.

Source: Bleeping Computer / SecurityWeek / Help Net Security / Openwall

Link: https://www.bleepingcomputer.com/news/security/critical-remote-code-execution-bug-fixed-in-openbsd-smtp-server/

Link: https://www.securityweek.com/serious-vulnerability-discovered-opensmtpd

Link: https://www.helpnetsecurity.com/2020/01/29/cve-2020-7247/

Link: https://www.openwall.com/lists/oss-security/2020/01/28/3

Emotet Uses Coronavirus Scare to Infect Japanese Targets

To scare potential victims into opening malicious attachments, the spam emails, camouflaged as official notifications from a disability welfare service provider and public health centers, promise to provide more details on preventative measures against coronavirus infections within the attachments.

Source: Bleeping Computer

Link: https://www.bleepingcomputer.com/news/security/emotet-uses-coronavirus-scare-to-infect-japanese-targets/

Link: https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b