Mailing USBs, DoS in DoorLock, Moxie Resigns, QR Code Mystery, & Jarring Revelations – PSW #723
This week in the Security News: Attacking RDP (from the inside), NetUSB exposed, the old mailing USB drives trick, a persistent DoS in your doorLock, Signal gets a new CEO, attacking the patching software, where does that QR code go, we heard you liked cryptominers, Pluton will fix that and retiring from a jarring career, & more!
Announcements
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
We had an absolute blast putting together this year's SW Unlocked virtual event! All presentations are now available on-demand for your viewing pleasure. Please visit https://securityweekly.com/unlocked to register and watch now!
Hosts
- 1. Widespread, Easily Exploitable Windows RDP Bug Opens Users to Data Theft
- 2. Moxie Marlinspike quits as CEO of SignalSeems they are getting hammered on this point: "It’s not even that Signal is choosing to tie itself to a specific blockchain currency. It’s that adding a cryptocurrency to an end-to-end encrypted app muddies the morality of the product, and invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI." - I don't believe this is why Moxie left, I think he created something truly awesome (and private AND secure) and needs to move on to find another challenge...
- 3. CVE-2021-43326: Automox Agent Privilege Escalation"Lacework Labs researcher Greg Foss (@35Foss) spent some time analyzing the Automox Windows agent and ultimately discovered a local privilege escalation flaw with a CVSS score of 7.8 (High) due to how the agent handles PowerShell script execution at run-time."
- 4. Is Bluetooth a Cyber Security Liability? – Latest Hacking News
- 5. New macOS vulnerability, “powerdir,” could lead to unauthorized user data access – Microsoft Security Blog
- 6. Wormable Windows HTTP hole – what you need to know
- 7. Bitcoin prices fall to lowest in months after US Fed remarks
- 8. Millions of Routers Exposed to RCE by USB Kernel BugWhat could go wrong? Buffer overflow for one: "The module enables remote devices to connect to routers over IP and access any USB devices (such as printers, speakers, webcams, flash drives and other peripherals) that are plugged into them. This is made possible using the proprietary NetUSB protocol and a Linux kernel driver that launches a server, which makes the USB devices available via the network. For remote users, it’s as if the USB devices are physically plugged into their local systems."
- 9. A Quick CVE-2022-21907 FAQ (work in progress)
- 10. Fake QR Codes on Parking Meters – Schneier on Security"The QR codes found by Austin police department directed unsuspecting users to a fraudulent website which would ask for payment details with the false promise that their parking session would be paid for. The City of Austin checked its parking meters after being notified of a similar QR code scam by officials in San Antonio. They had discovered over 100 parking meters similarly stickered in late December."
- 11. Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more"This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. This could lead to data privacy issues, lateral movement and privilege escalation."
- 12. Who is the Network Access Broker ‘Wazawaka?’ – Krebs on Security
- 13. ‘Wormable’ Flaw Leads January 2022 Patch Tuesday
- 14. Newly Found SysJoker Backdoor Targets Windows, macOS, and Linux OSs
- 15. Norton antivirus installs cryptominer on devices but there is a way out"According to reports, the cryptocurrency miner was included in the Norton antivirus in June last year to help Norton 360 users earn some extra bucks from their graphics card. The tool is called Norton Crypto, and it mines Ethereum. Users can keep 85% of the cut while the remaining goes to NortonLifeLock."
- 16. Hacking group accidentally infects itself with Remote Access Trojan horseOops: "However, it was also discovered that the hacking group had managed to also infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers."
- 17. Microsoft Windows Defender / Detection Bypass
- 18. Coming to a laptop near you: A new type of security chip from MicrosoftSounds like a challenge: "Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC."
- 1. ‘90 Day Fiancé’ star retires from selling farts after heart attack scare
- 2. Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more
- 3. Attackers are mailing USB sticks to drop ransomware on victims’ computers
- 4. KCodes NetUSB bug exposes millions of routers to RCE attacks
- 5. Researchers used electromagnetic signals to classify malware infecting IoT devices
- 6. Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification
- 7. doorLockA persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit
- 8. US Space Force to Launch Project Moonlighter Cybersecurity Satellite – Via Satellite –
- 9. Lights Out: Cyberattacks Shut Down Building Automation Systems
- 1. Apple Releases iOS 15.2.1 and iPadOS 15.2.1iOS 15.2.1 and iPadOS 15.2.1 released 1/12/22 address HomeKit vulnerability. (CVE-2022-22588)
- 2. doorLock- Persistent Denial of Service VulnerabilityAffecting iOS 15.2-14.7A persistent denial of service vulnerability affecting iOS 15.2 - iOS 14.7 (and likely through 14.0), triggered via HomeKit. That could be triggered by changing a HomeKit device's name to a string longer than 500,000 characters. According to Trevor Spiniolas, who uncovered the flaw, once the string is loaded, iOS and iPadOS will reboot and become unusable.
- 3. Take Immediate Actions to Secure QNAP NASAttackers are still targeting NAS devices. QNAP publishes steps to secure their NAS devices. Repeat after me: I solemnly swear not to expose NAS to the Internet.
- 4. QNAP NAS devices hit in surge of ech0raix ransomware attacksUsers of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt.
- 5. Storage Devices of Major Vendors Impacted by Encryption Software FlawsStorage devices manufactured by various vendors are reportedly affected by two vulnerabilities (CVE-2021-36750 and CVE-2021-36751) that were uncovered in third-party encryption software used by all the manufactures and could be exploited to conduct brute-force attacks and obtain users' passwords. Potential for brute forcing accounts. Requires local access.
- 6. Researchers Find Bugs in Over A Dozen Widely Used URL Parser LibrariesResearchers say that after conducting a study of 16 different Uniform Resource Locator (URL) parsing libraries, they found that those libraries contained "inconsistencies and confusions" that could be exploited by attackers to bypass validations and create a variety of attack vectors. Report: https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf
- 7. Uber ignores vulnerability that lets you send any email from Uber.comA vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. The vulnerability is in one of Uber's servers which isn't properly sanitizing input, rather than their email servers.
- 8. Apache Maven Central serves millions of old Log4j versionsFour million outdated Log4j downloads were served from Apache Maven Central alone despite vuln publicity blitz. Make sure your development and CI processes are using up-to-date libraries. Don't wait to qualify new versions.
- 9. Log4j 2.17.1 out now, fixes new remote code execution bugApache has released another Log4j version, 2.17.1 fixing a newly discovered remote code execution (RCE) vulnerability in 2.17.0, tracked as CVE-2021-44832. Apache is urging customers to upgrade as soon as possible to prevent exploitation. According to reports, the moderate-severity issue results from a lack of additional controls on JDNI access in Log4j.
- 10. LastPass users warned their master passwords are compromisedCredential stuffing attacks, where credentials are obtained from third-party breachs not relating to Lastpass, result in valid credentials used from unusual locations which are blocked. Use unique passwords and enable MFA...
- 11. T-Mobile says new data breach caused by SIM swap attacksT-Mobile has been the victim of multiple data breaches over the last four years, users should remain vigilant.
- 12. Photography site Shutterfly is dealing with a ransomware attack – CyberScoopShutterfly said on Dec. 26 that it was hit by a ransomware attack that struck portions of its network and interrupted elements of its Groovebook app, Lifetouch and BorrowLenses business, manufacturing operations, and some internal systems.
- 13. Bluetooth reboot of pre-school play phone has privacy flawFisher Price's Bluetooth reboot of pre-school play phone has adult privacy flaw ‘Chatter’ can be bugged thanks to kindergarten-grade security.
- 14. UK minister includes Russia, China among ‘hostile nations’U.K. Minister of State Security and Borders Damian Hinds has accused China, Iran, and Russia of conducting disinformation campaigns and of being involved in various ways in terms of spies on the ground, cyber attacks, soldiers on standby, and disinformation operations.
- 15. New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking