This posting is here to collect cyber security news in August 2020.
I post links to security vulnerability news with short descriptions to comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
240 Comments
Tomi Engdahl says:
SPINNING MAGNETS Open Fingerprint Padlock!
https://www.youtube.com/watch?v=hQTz1OmmHYo
Tomi Engdahl says:
https://www.facebook.com/groups/majordomo/permalink/10160585419634522/
heads up, anyone who’s dealt with SANS.org a cybersecurity training company was compromised by the very thing they teach about…
Tomi Engdahl says:
Just got assigned CVE-2020-1337. Here its Vulnerability description, Root Cause Analysis and PoC for my PrintDemon’s (CVE-2020-1048) Patch Bypass via Junction Directory (TOCTOU). https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/
Tomi Engdahl says:
https://thehackernews.com/2020/08/chrome-csp-bypass.html?m=1
If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.
Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73.
Tracked as CVE-2020-6519 (rated 6.5 on the CVSS scale), the issue stems from a CSP bypass that results in arbitrary execution of malicious code on target websites.
According to PerimeterX, some of the most popular websites, including Facebook, Wells Fargo, Zoom, Gmail, WhatsApp, Investopedia, ESPN, Roblox, Indeed, TikTok, Instagram, Blogger, and Quora, were susceptible to the CSP bypass.
Interestingly, it appears that the same flaw was also highlighted by Tencent Security Xuanwu Lab more than a year ago, just a month after the release of Chrome 73 in March 2019, but was never addressed until PerimeterX reported the issue earlier this March.
Tomi Engdahl says:
Just not even surprised anymore… https://www.bleepingcomputer.com/news/security/sans-infosec-training-org-suffers-data-breach-after-phishing-attack/
Tomi Engdahl says:
This is node joke. Tor battles to fend off swarm of Bitcoin-stealing evil exit relays making up about 25% of outgoing capacity at its height
https://www.theregister.com/2020/08/12/tor_exit_nodes/
Cash-strapped privacy devs face determined miscreants who keep coming back for more
The Tor Project has confirmed someone, or some group, is in control of a large number of Bitcoin-snaffling exit nodes in its anonymizing network, and it’s battling to boot them off.
One observer reckons more than 23 per cent of the entire Tor network’s exit capacity was under the command of one miscreant, or one group of miscreants, at one point in May, with the end goal being the theft of people’s cryptocurrency.
Crucially, whoever is running an exit node can access the traffic flowing through it. Thus it is wise to ensure your connections to websites and other services are wrapped in additional encryption, such as HTTPS or SSH, so that exit node operators cannot snoop on you and alter any information you send over the internet.
It’s one thing to be mindful of a rogue exit node operator eavesdropping on you, it’s another thing when someone successfully adds a large number of exit nodes to Tor, all under their control, because it means some kind of elaborate campaign is underway to undermine Tor’s security.
In this case, it appears someone or some group is adding malicious exit nodes that perform a form of SSL stripping to eavesdrop on visitors to cryptocurrency websites – specifically, Bitcoin mixer services. If any Bitcoin wallet addresses are spotted in the passing unprotected traffic, the addresses are rewritten on the fly so as to funnel transactions into the miscreants’ coffers, thus stealing victims’ digital money.
The malicious exit nodes intercept some of these insecure HTTP requests to prevent them being upgraded to HTTPS-encrypted connections, and tamper with the unprotected data in transit, namely any Bitcoin wallet addresses.
Yes, there are plugins like HTTPS Everywhere that force browsers to use encryption, but not everyone uses them, or they disable them after a while because the extensions complain too much when they can’t establish a connection to non-HTTPS pages.
Ongoing war
The Tor Project confirmed to us it has been trying for months to get the bad actor off its network, including banning the malicious nodes in May and June only to see the surveillance menace return. We’re told the Tor team is hampered right now due to being short-staffed. Back in April, the project had to drop 13 people, about a third of its staff, due to funding shortfalls amid the coronavirus pandemic and economic downturn. That means there’s not enough people monitoring the anonymizing mesh for wrongdoers.
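The excerpt above explains the attack as stripping the HTTP-to-HTTPS upgrade before it happens, and notes that HTTPS Everywhere is an opt-in fix. The standard built-in defence is HTTP Strict Transport Security (RFC 6797): once a site has been seen over HTTPS with a Strict-Transport-Security header, the browser rewrites later http:// URLs for that host to https:// locally, so an intercepting exit node never sees a plaintext request to downgrade. The Python model below is an added example written for this page; it is not code from The Register, the Tor Project or any browser. The host names and header values are constructed, and the in-memory policy store stands in for a browser's HSTS database.

```python
"""Minimal HSTS policy store modelling how a browser defeats SSL stripping.

Added example for this page; not code from any browser or from the article.
Host names and header values used in demo() are constructed.
"""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires: float            # absolute time after which the policy is forgotten
    include_subdomains: bool  # policy also covers every subdomain of the host


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed (no usable max-age directive).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsStore:
    def __init__(self, now=time.time):
        self.now = now
        self.policies = {}  # host -> HstsPolicy

    def observe_response(self, url, headers):
        """Record an HSTS policy from a response, as a browser would.

        RFC 6797 section 8.1 only honours the header over an error-free HTTPS
        connection: an attacker who can strip TLS could also inject or remove
        the header on plain HTTP, so it is ignored there.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes a stored policy
        else:
            self.policies[host] = HstsPolicy(self.now() + max_age, include_sub)
        return True

    def is_known_https(self, host):
        """True if host (or a parent with includeSubDomains) has a live policy."""
        host = host.lower()
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            pol = self.policies.get(candidate)
            if pol is None:
                continue
            if pol.expires <= now:
                del self.policies[candidate]  # expired policies are dropped
                continue
            if i == 0 or pol.include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// before any request leaves the client."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname):
            netloc = parts.netloc
            if netloc.endswith(":80"):
                netloc = netloc[:-3]
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    clock = [1_000_000.0]
    store = HstsStore(now=lambda: clock[0])
    # First visit over plain HTTP: no policy yet, so this request would leave in
    # the clear. This is exactly the window the stripping exit nodes rely on.
    first = store.upgrade("http://mixer.example/pay")
    # The genuine HTTPS response sets a policy (constructed header value).
    store.observe_response("https://mixer.example/pay",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    later = store.upgrade("http://mixer.example/pay")          # rewritten locally
    sub = store.upgrade("http://api.mixer.example:80/v1")      # covered by includeSubDomains
    # A header arriving over plain HTTP must be ignored.
    ignored = store.observe_response("http://other.example/",
                                     {"Strict-Transport-Security": "max-age=100"})
    clock[0] += 31536001                                       # policy has expired
    expired = store.upgrade("http://mixer.example/pay")
    return first, later, sub, ignored, expired
```

The first line of demo() is the whole point: a store with no policy cannot protect the very first plaintext visit, which is why the article's extension-based advice matters for first contact and why sites that care ship long max-age values (and preload lists) so that repeat visitors never emit the downgradable request.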
Tomi Engdahl says:
Belarus Has Shut Down the Internet Amid a Controversial Election
Human rights organizations have blamed the Belarusian government for widespread outages.
https://www.wired.com/story/belarus-internet-outage-election/
Tomi Engdahl says:
A Vulnerability in GNU C Library Could Allow for Remote Code Execution
https://www.cisecurity.org/advisory/a-vulnerability-in-gnu-c-library-could-allow-for-remote-code-execution_2020-105/
OVERVIEW:
A vulnerability has been discovered in the GNU C Library (glibc), which could allow for remote code execution. This library is required in all modern distributions of Linux as it defines the system calls and other basic facilities used in the Linux kernel. Successful exploitation of this vulnerability could allow an attacker to execute remote code in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
A vulnerability has been discovered in the GNU C Library (glibc), which could allow for remote code execution. Specifically, this is a stack-based-buffer-overflow due to the ieee754_rem_pio2l() function’s failure to validate pseudo-zero values. This vulnerability can be exploited when the system processes maliciously crafted data.
Tomi Engdahl says:
Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard. By now all major telecommunication operators use VoLTE. To secure the phone calls, VoLTE encrypts the voice data between the phone and the network with a stream cipher. The stream cipher shall generate a unique keystream for each call to prevent the problem of keystream reuse.
We introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of a predictable keystream reuse. Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources.
https://revolte-attack.net/
Tomi Engdahl says:
23% of Tor browser relays found to be stealing Bitcoin
https://www.hackread.com/tor-browser-relays-found-to-stealing-bitcoin/
The threat actor was also able to see the user’s transmitted data on the Tor browser in unencrypted format and tamper with it for their own ill-motives.
Tomi Engdahl says:
The quest to liberate $300,000 of bitcoin from an old ZIP file
A few quintillion possible decryption keys stand between a man and his cryptocurrency.
https://arstechnica.com/information-technology/2020/08/the-quest-to-liberate-300000-of-bitcoin-from-an-old-zip-file/?utm_social-type=owned&utm_brand=ars&utm_source=facebook&utm_medium=social
Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in.
In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.
Zip is a popular file format used for “lossless” compression of large files, like the little drawstring sack that can somehow contain your sleeping bag. Many implementations of zip are known to be insecure, to the point that US senator Ron Wyden of Oregon called on the National Institute of Standards and Technology last summer to investigate the issue. “If we find the password successfully, I will thank you,” The Guy wrote with a smiley face. After an initial analysis, Stay estimated that he would need to charge $100,000 to break into the file. The Guy took the deal. After all, he’d still be turning quite the profit.
“It’s the most fun I’ve had in ages. Every morning I was excited to get to work and wrestle with the problem,” says Stay, who today is the chief technology officer of the blockchain software development firm Pyrofex. “The zip cipher was designed decades ago by an amateur cryptographer—the fact that it has held up so well is remarkable.” But while some zip files can be cracked easily with off-the-shelf tools, The Guy wasn’t so lucky.
That’s partly why the work was priced so high. Newer generations of zip programs use the established and robust cryptographic standard AES, but outdated versions—like the one used in The Guy’s case—use Zip 2.0 Legacy encryption that can often be cracked. The degree of difficulty depends on how it’s implemented, though.
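The last paragraph of the excerpt draws the distinction that decides whether an archive like The Guy's is at risk: AES-encrypted entries versus the weak Zip 2.0 Legacy scheme (usually called ZipCrypto). The two are distinguishable from the ZIP local file header alone, so an inventory scan can find archives still protected by the legacy cipher before they matter. The scanner below is an added example written for this page, not code from the article or from any ZIP implementation. It walks local file headers only (it does not read the central directory), and the sample archive it checks is constructed in build_sample_archive() with placeholder payload bytes rather than real encrypted data.

```python
"""Report which encryption scheme each ZIP entry uses, from local file headers.

Added example for this page, not code from the article. The archive scanned in
build_sample_archive() is constructed; its "encrypted" payloads are filler bytes.
Per APPNOTE.TXT: general-purpose flag bit 0 = encrypted, bit 6 = PKWARE strong
encryption, bit 11 = UTF-8 names; WinZip AES uses method 99 plus extra field
0x9901.
"""
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FIXED = "<HHHHHIIIHH"   # version, flags, method, time, date, crc, csize, usize, nlen, xlen
AES_EXTRA_ID = 0x9901
FLAG_ENCRYPTED = 0x0001
FLAG_STRONG = 0x0040
FLAG_UTF8 = 0x0800


def _aes_extra_present(extra: bytes) -> bool:
    """Scan the extra-field list for the WinZip AES record (ID 0x9901)."""
    off = 0
    while off + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, off)
        if header_id == AES_EXTRA_ID:
            return True
        off += 4 + size
    return False


def classify(flags: int, method: int, extra: bytes) -> str:
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if method == 99 or _aes_extra_present(extra):
        return "aes"
    if flags & FLAG_STRONG:
        return "strong-encryption"
    return "zipcrypto-legacy"       # the Zip 2.0 Legacy scheme from the article


def classify_zip_entries(data: bytes):
    """Return [(entry name, scheme), ...] by walking local file headers in order."""
    results = []
    off = data.find(LOCAL_SIG)
    while off >= 0:
        fields = struct.unpack_from(LOCAL_FIXED, data, off + 4)
        flags, method, csize, nlen, xlen = fields[1], fields[2], fields[6], fields[8], fields[9]
        name_start = off + 4 + struct.calcsize(LOCAL_FIXED)
        raw_name = data[name_start:name_start + nlen]
        name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437")
        extra = data[name_start + nlen:name_start + nlen + xlen]
        results.append((name, classify(flags, method, extra)))
        # Skip past name, extra and compressed data; find() tolerates entries
        # whose csize is 0 because they use a trailing data descriptor.
        off = data.find(LOCAL_SIG, name_start + nlen + xlen + csize)
    return results


def weak_entries(data: bytes):
    """Names of entries still protected by the legacy ZipCrypto scheme."""
    return [name for name, scheme in classify_zip_entries(data) if scheme == "zipcrypto-legacy"]


def make_local_header(name: bytes, flags: int, method: int, payload: bytes, extra: bytes = b"") -> bytes:
    """Build one local-header + data record (test fixture, not a full archive writer)."""
    fixed = struct.pack(LOCAL_FIXED, 20, flags, method, 0, 0,
                        zlib.crc32(payload) & 0xFFFFFFFF, len(payload), len(payload),
                        len(name), len(extra))
    return LOCAL_SIG + fixed + name + extra + payload


def build_sample_archive() -> bytes:
    """Constructed archive: one plain entry, one ZipCrypto entry, one AES entry."""
    plain = make_local_header(b"notes.txt", 0, 0, b"not secret")
    # ZipCrypto: encrypted flag set, ordinary method 8; 12-byte encryption header
    # precedes the data. Payload is filler, not real ciphertext.
    legacy = make_local_header(b"keys.txt", FLAG_ENCRYPTED, 8, bytes(range(12 + 20)))
    # WinZip AE-2: method 99 and a 0x9901 extra field (version 2, vendor "AE",
    # strength 3 = AES-256, actual compression method 8).
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    aes = make_local_header(b"keys-aes.txt", FLAG_ENCRYPTED, 99, bytes(range(40)), aes_extra)
    return plain + legacy + aes
```

Run weak_entries() over a directory of backups and you have the list of archives whose protection rests on the cipher the article describes as routinely crackable; the fix is to re-encrypt those with an AES-capable tool rather than to rely on a long password.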
Tomi Engdahl says:
The Secret SIMs Used By Criminals to Spoof Any Number
https://www.vice.com/amp/en_us/article/n7w9pw/russian-sims-encrypted
This SIM card, the caller said, allowed him to spoof any phone number he wanted. Want to look like you’re calling from a bank in order to scam a target? Easy. Want to change it to a random series of digits so that the recipient’s phone won’t record your real number? That just takes a few seconds to set up, according to tutorials of how to use the cards available online. To test the process of obtaining such a SIM, Motherboard purchased a so-called white SIM, known for not having any branding or labelling, through a source close to the criminal world. After sending the supplier around $100 in Bitcoin, a package arrived the next day. Essentially, entering this tells a user’s phone that they want to connect to a particular phone network, one that it may not ordinarily recognize. Karsten Nohl, a security researcher from SRLabs focused on telecommunications security, told Motherboard in an email that operators of the SIM cards likely run their own Mobile Virtual Network Operator (MVNO), which is essentially a telecom company piggybacking off of the infrastructure of a more established network. Many MVNOs exist, including Google’s Fi, which runs on top of T-Mobile’s infrastructure. In order to obtain SIMs and data to sell, smaller companies can go to different carriers around the world and buy the data in bulk, according to a source who currently works in the secure communications industry.
Tomi Engdahl says:
Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE
https://revolte-attack.net/
Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard. By now all major telecommunication operators use VoLTE. To secure the phone calls, VoLTE encrypts the voice data between the phone and the network with a stream cipher. The stream cipher shall generate a unique keystream for each call to prevent the problem of keystream reuse. We introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of a predictable keystream reuse, which was discovered by Raza & Lu. Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources. Read also:
https://revolte-attack.net/media/revolte_camera_ready.pdf. As well as:
https://www.zdnet.com/article/re-vol-te-attack-can-decrypt-4g-lte-calls-to-eavesdrop-on-conversations/
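Both ReVoLTE excerpts on this page (the earlier one and this one) rest on a single rule: a stream cipher's keystream must never be used for two messages. The Python below is an added example for this page, written to show why that rule is absolute; it is not code from the ReVoLTE authors or from any LTE stack. The keystream generator is an HMAC-SHA256 counter-mode stand-in for the real LTE cipher (an assumption for illustration, not EEA1/EEA2), the bearer and COUNT inputs mirror the per-call parameters the excerpt says must be unique, and the key and plaintexts are constructed.

```python
"""Why keystream reuse breaks a stream cipher: the two-time-pad relation.

Added example for this page, not code from the ReVoLTE paper. keystream() is an
HMAC-SHA256 counter-mode stand-in for the LTE cipher (assumption); key and
plaintexts in demo() are constructed.
"""
import hashlib
import hmac


def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, bearer, count).

    Each (key, bearer, count) triple must be used for one message only: the
    keystream is a deterministic function of them, so reusing the triple
    (the ReVoLTE condition) reproduces the same bytes for a second call.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = bearer.to_bytes(1, "big") + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, bearer: int, count: int, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, bearer, count, len(plaintext)))


def recover_with_known_plaintext(c_target: bytes, c_known: bytes, p_known: bytes) -> bytes:
    """Two-time-pad relation.

    If both ciphertexts were produced with the same keystream K then
        c_target XOR c_known = (p_target XOR K) XOR (p_known XOR K) = p_target XOR p_known,
    so XOR-ing in the known plaintext yields the target plaintext with no key
    material at all. If the keystreams differ, the result is noise.
    """
    return xor_bytes(xor_bytes(c_target, c_known), p_known)


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")        # constructed
    target = b"victim call: account 4471 pin 0923"                   # constructed
    known = b"known call: reference tone pattern".ljust(len(target), b"-")

    # Flawed base station: the second call on the same radio bearer reuses the
    # same key and COUNT, so both calls get the identical keystream.
    c_target = encrypt(key, bearer=1, count=0, plaintext=target)
    c_known_reused = encrypt(key, bearer=1, count=0, plaintext=known)
    recovered_reused = recover_with_known_plaintext(c_target, c_known_reused, known)

    # Correct behaviour: a fresh COUNT (or key) for the second call gives a fresh
    # keystream, and the same arithmetic yields nothing useful.
    c_known_fresh = encrypt(key, bearer=1, count=1, plaintext=known)
    recovered_fresh = recover_with_known_plaintext(c_target, c_known_fresh, known)
    return recovered_reused, recovered_fresh, target
```

The recovery step needs no cryptanalysis and no key, which is what the excerpt means by "minimal resources": the only requirements are a recording of the target call and a second call, with content the adversary knows, that the network encrypted under the same keystream. The fix is on the network side, guaranteeing fresh (key, bearer, COUNT) inputs per call, not in the cipher itself.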
Tomi Engdahl says:
Irony, thy name is SANS: 28k records nicked from infosec training org
after staffer’s email account phished
https://www.theregister.com/2020/08/12/sans_institute_data_breach/
Names, email addresses, phone numbers, job titles, company names,
country of residence etc. pinched. Read also:
https://www.sans.org/dataincident2020
Tomi Engdahl says:
Exclusive: August Smart Lock Flaw Opens Your Wi-Fi Network to Hackers
https://uk.pcmag.com/encryption/128120/exclusive-august-smart-lock-flaw-opens-your-wi-fi-network-to-hackers
Implementing this hack would take a lot of patience. The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device doesn’t reconnect until its owner notices that it’s offline and initiates the exchange. Read also:
https://www.bitdefender.com/files/News/CaseStudies/study/363/Bitdefender-PR-Whitepaper-AugustConnect-creat4699-en-EN-GenericUse.pdf
Tomi Engdahl says:
Kr00k, KRACK, and the Seams in Wi-Fi, IoT Encryption
https://www.darkreading.com/iot/kr00k-krack-and-the-seams-in-wi-fi-iot-encryption/d/d-id/1338633
Earlier this year, two ESET researchers disclosed a flaw in processor chips powering over 1 billion Wi-Fi and Internet of Things (IoT) devices that would make it easy for attackers to snoop on encrypted traffic. Last week at Black Hat, the researchers explained that the attack surface area for these kinds of flaws is broader than they initially thought and that the weakness is present in several other popular chipsets that could put even more IoT and Wi-Fi devices at risk. Dubbed “Kr00k” by researchers Robert Lipovsky and Stefan Svorencik, the flaw in question occurs in how Wi-Fi chips handle the four-way handshake process that occurs between a device and an access point to facilitate WPA2 encryption. When devices associate and disassociate with a network, the handshake process governs authentication and how cryptographic keys are exchanged as connection is both established and broken between device and access point. Kr00k is a flaw in how the chips handle the process of WLAN session disassociation, in which they overwrite the encryption keys with all zeros in the expectation that no further data will be transmitted after disassociation. The expectation is when the device reassociates with a new session, a new encryption key will be negotiated and encryption will remain seamless.
Tomi Engdahl says:
NCC Group admits its training data was leaked online after folders
full of Crest pentest certification exam notes posted to Github
https://www.theregister.com/2020/08/11/ncc_group_crest_cheat_sheets/
Exclusive British infosec biz NCC Group has admitted to The Register
that its internal training data was leaked on GitHub after folders
purporting to help people pass the Crest pentest certification exams
appeared online.
Tomi Engdahl says:
Samsung Quietly Fixes Critical Galaxy Flaws Allowing Spying, Data
Wiping
https://threatpost.com/samsung-quietly-fixed-critical-galaxy-flaws-allowing-spying-data-wiping/158241/
Four critical-severity flaws were recently disclosed in the Find My
Mobile feature of Samsung Galaxy smartphones, which if exploited could
allow attackers to force a factory reset on the phones or spy on
users.
Tomi Engdahl says:
A mysterious group has hijacked Tor exit nodes to perform SSL
stripping attacks
https://www.zdnet.com/article/a-mysterious-group-has-hijacked-tor-exit-nodes-to-perform-ssl-stripping-attacks/
At one point, the group ran almost a quarter of all Tor exit nodes.
Group still controls 10% of all Tor exit nodes today.
Tomi Engdahl says:
Homeland Security details new tools for extracting device data at US
borders
https://www.cnet.com/news/homeland-security-details-new-tools-for-extracting-device-data-at-us-borders/
The agency says it can now obtain details including your phone’s
location history, social media information, and photos and videos.
Read also:
https://www.tivi.fi/uutiset/tv/fd853718-ac31-490c-9818-33d26b7a97db
Tomi Engdahl says:
Belarus Has Shut Down the Internet Amid a Controversial Election
https://www.wired.com/story/belarus-internet-outage-election/
Human rights organizations have blamed the Belarusian government for
widespread outages. INTERNET CONNECTIVITY AND cellular service in
Belarus have been down since Sunday evening, after sporadic outages
early that morning and throughout the day. The connectivity blackout,
which also includes landline phones, appears to be a
government-imposed outage that comes amid widespread protests and
increasing social unrest over Belarus’ presidential election Sunday.
Tomi Engdahl says:
Garmin outage caused by confirmed WastedLocker ransomware attack
https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
Wearable device maker Garmin shut down some of its connected services and call centers on Thursday following what the company called a worldwide outage, now confirmed to be caused by a WastedLocker ransomware attack. In addition
https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
and
https://www.forbes.com/sites/leemathews/2020/07/23/garmins-alleged-ransomware-wastedlocker-evil-corp/
and https://thehackernews.com/2020/07/garmin-ransomware-attack.html and
https://threatpost.com/garmin-suffers-ransomware-attack/157698/
Tomi Engdahl says:
New ‘Meow’ attack has deleted almost 4,000 unsecured databases
https://www.bleepingcomputer.com/news/security/new-meow-attack-has-deleted-almost-4-000-unsecured-databases/
Hundreds of unsecured databases exposed on the public web are the
target of an automated ‘meow’ attack that destroys data without any
explanation. The activity started recently by hitting Elasticsearch
and MongoDB instances without leaving any explanation, or even a
ransom note. Attacks then expanded to other database types and to file
systems open on the web.
Tomi Engdahl says:
Industrial VPN vulnerabilities put critical infrastructure at risk
https://www.bleepingcomputer.com/news/security/industrial-vpn-vulnerabilities-put-critical-infrastructure-at-risk/
Security researchers analyzing popular remote access solutions used for industrial control systems (ICS) found multiple vulnerabilities that could let unauthenticated attackers execute arbitrary code and breach the environment. The flaws are in virtual private network (VPN) implementations and adversaries could exploit them to cause physical damage by connecting to field devices and programmable logic controllers (PLCs). In addition
https://www.claroty.com/2020/07/28/vpn-security-flaws/
Tomi Engdahl says:
Today’s ‘mega’ data breaches now cost companies $392 million to recover from
https://www.zdnet.com/article/todays-mega-data-breaches-now-cost-companies-392-million-in-damages-lawsuits
The average cost of a “mega” data breach has risen astronomically over
the past year and enterprise players impacted by such a security
incident can expect to pay up to $392 million.
Tomi Engdahl says:
WastedLocker: technical analysis
https://securelist.com/wastedlocker-technical-analysis/97944/
The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often. On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing of this post (7/29) the operation of the affected online services had not been fully restored.
Tomi Engdahl says:
New Attack Leverages HTTP/2 for Effective Remote Timing Side-Channel
Leaks
https://thehackernews.com/2020/07/http2-timing-side-channel-attacks.html
Security researchers have outlined a new technique that renders a
remote timing-based side-channel attack more effective regardless of
the network congestion between the adversary and the target server.
Remote timing attacks that work over a network connection are
predominantly affected by variations in network transmission time (or
jitter), which, in turn, depends on the load of the network connection
at any given point in time.
Tomi Engdahl says:
Linux warning: TrickBot malware is now infecting your systems
https://www.bleepingcomputer.com/news/security/linux-warning-trickbot-malware-is-now-infecting-your-systems/
TrickBot’s Anchor malware platform has been ported to infect Linux
devices and compromise further high-impact and high-value targets
using covert channels. TrickBot is a multi-purpose Windows malware
platform that uses different modules to perform various malicious
activities, including information stealing, password stealing, Windows
domain infiltration, and malware delivery.
Tomi Engdahl says:
Mirai Botnet Exploit Weaponized to Attack IoT Devices via
CVE-2020-5902
https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/?
Following the initial disclosure of two F5 BIG-IP vulnerabilities on
the first week of July, we continued monitoring and analyzing the
vulnerabilities and other related activities to further understand
their severities. Based on the workaround published for CVE-2020-5902,
we found an internet of things (IoT) Mirai botnet downloader (detected
by Trend Micro as Trojan.SH.MIRAI.BOI) that can be added to new
malware variants to scan for exposed Big-IP boxes for intrusion and
deliver the malicious payload.
Tomi Engdahl says:
Confirmed: Garmin received decryptor for WastedLocker ransomware
https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/
BleepingComputer can confirm that Garmin has received the decryption
key to recover their files encrypted in the WastedLocker Ransomware
attack. On July 23rd, 2020, Garmin suffered a worldwide outage where
customers could not access their connected services, including the
Garmin Connect, flyGarmin, Strava, inReach solutions.
Tomi Engdahl says:
Researchers discovered significant vulnerability in Amazon’s Alexa
https://www.google.com/amp/s/thehill.com/policy/technology/511746-researchers-discovered-significant-vulnerability-in-amazons-alexa%3Famp
Researchers at cybersecurity provider Check Point uncovered a flaw in Amazon’s Alexa virtual assistant that left owner’s personal information vulnerable before it was patched in June.
The researchers detailed the vulnerability in a report released Thursday, saying potential hackers could have hijacked the voice assistant devices using malicious Amazon links.
Tomi Engdahl says:
EU imposes the first ever sanctions against cyber-attacks
https://www.consilium.europa.eu/en/press/press-releases/2020/07/30/eu-imposes-the-first-ever-sanctions-against-cyber-attacks/
The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’. Read also:
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020D1127&from=EN
Tomi Engdahl says:
Microsoft Joins Open Source Security Foundation
https://msrc-blog.microsoft.com/2020/08/03/microsoft-joins-open-source-security-foundation/
Microsoft has invested in the security of open source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open source security efforts to improve the security of open source software by building a broader community, targeted initiatives, and best practices.
Tomi Engdahl says:
Windows 10: HOSTS file blocking telemetry is now flagged as a risk
https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/
Starting at the end of July, Microsoft has begun detecting HOSTS files
that block Windows 10 telemetry servers as a ‘Severe’ security risk.
The HOSTS file is a text file located at
C:\Windows\system32\driver\etc\HOSTS and can only be edited by a
program with Administrator privileges. This file is used to resolve
hostnames to IP addresses without using the Domain Name System (DNS).
Tomi Engdahl says:
Hackers Could Use IoT Botnets to Manipulate Energy Markets
https://www.wired.com/story/hackers-iot-botnets-manipulate-energy-markets/
On a Friday morning in the fall of 2016, the Mirai botnet wreaked havoc on internet infrastructure, causing major website outages across the United States. It was a wakeup call, revealing the true damage that zombie armies of malware-infected gadgets could cause. Now, researchers at the Georgia Institute of Technology are thinking even farther afield about the unlikely targets that botnets could someday disrupt, such as energy markets.
Tomi Engdahl says:
Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts
https://thehackernews.com/2020/08/apple-touchid-sign-in.html
Apple earlier this year fixed a security vulnerability in iOS and
macOS that could have potentially allowed an attacker to gain
unauthorized access to a user’s iCloud account. Uncovered in February
by Thijs Alkemade, a security specialist at IT security firm
Computest, the flaw resided in Apple’s implementation of TouchID (or
FaceID) biometric feature that authenticated users to log in to
websites on Safari, specifically those that use Apple ID logins.
Tomi Engdahl says:
High-Severity Android RCE Flaw Fixed in August Security Update
https://threatpost.com/high-severity-android-rce-flaw-fixed-in-august-security-update/158049/
Google has released patches addressing a high-severity issue in its Framework component, which if exploited could enable remote code execution (RCE) on Android mobile devices. Overall, 54 high-severity flaws were patched as part of Google’s August security updates for the Android operating system, released on Monday. As part of this, Qualcomm, whose chips are used in Android devices, patched a mix of high and critical-severity vulnerabilities tied to 31 CVEs.
Tomi Engdahl says:
Researcher Demonstrates 4 New Variants of HTTP Request Smuggling
Attack
https://thehackernews.com/2020/08/http-request-smuggling.html
New research has identified four new variants of HTTP request smuggling attacks that work against various commercial off-the-shelf web servers and HTTP proxy servers. Amit Klein, VP of Security Research at SafeBreach who presented the findings today at the Black Hat security conference, said that the attacks highlight how web servers and HTTP proxy servers are still susceptible to HTTP request smuggling even after 15 years since they were first documented.
Tomi Engdahl says:
The Official Facebook Chat Plugin Created Vector for Social
Engineering Attacks
https://www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-created-vector-for-social-engineering-attacks/
On June 26, 2020, our Threat Intelligence team discovered a
vulnerability in The Official Facebook Chat Plugin, a WordPress plugin
installed on over 80,000 sites. This flaw made it possible for
low-level authenticated attackers to connect their own Facebook
Messenger account to any site running the vulnerable plugin and engage
in chats with site visitors on affected sites. We initially reached
out to Facebook on June 26, 2020 and included the full disclosure
details at the time of reaching out. They initially responded on June
30, 2020, and after much back and forth, Facebook released a patch on
July 28, 2020
Tomi Engdahl says:
Achilles: Small chip, big peril.
https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/
Over 400 vulnerabilities on Qualcomm’s Snapdragon chip threaten mobile phones’ usability worldwide. With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives. As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide the required hardware and software for phones. One of the most common third-party solutions is the Digital Signal Processor unit, commonly known as DSP chips.
Tomi Engdahl says:
Porn blast disrupts bail hearing of alleged Twitter hacker
https://nakedsecurity.sophos.com/2020/08/06/porn-blast-disrupts-bail-hearing-of-alleged-twitter-hacker/
One of the alleged Twitter hackers faced a bail hearing in a Florida court yesterday. ICYMI, the Twitter hack we’re referring to involved the takeover of 45 prominent Twitter accounts, including those of Joe Biden, Elon Musk, Apple Computer, Barack Obama, Kim Kardashian and a laundry list of others with huge numbers of followers.
Tomi Engdahl says:
Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away
https://securityintelligence.com/articles/shellshock-vulnerability-in-depth/
Shellshock is a bug in the Bash command-line interface shell that has existed for 30 years and was discovered as a significant threat in 2014. Today, Shellshock still remains a threat to enterprise. The threat is certainly less risky than in the year of discovery. However, in a year in which security priorities have recalibrated to keep up with the chaotic landscape, it’s a good time to look back at this threat and the underlying factors that keep these attacks alive today.
Tomi Engdahl says:
Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
https://thehackernews.com/2020/08/foreshadow-processor-vulnerability.html
The new research explains microarchitectural attacks were actually
caused by speculative dereferencing of user-space registers in the
kernel, which not just impacts the most recent Intel CPUs with the
latest hardware mitigations, but also several modern processors from
ARM, IBM, and AMD previously believed to be unaffected.
Tomi Engdahl says:
Have I Been Pwned to go open source – 10bn credentials, not so much, says creator Hunt
https://www.theregister.com/2020/08/07/hibp_open_source/
Credential breach website Have I Been Pwned (HIBP) will be going open
source, site creator and maintainer Troy Hunt has told the world.
Tomi Engdahl says:
Dutch Hackers Found a Simple Way to Mess With Traffic Lights
https://www.wired.com/story/hacking-traffic-lights-netherlands/
By reverse engineering apps intended for cyclists, security
researchers found they could cause delays in at least 10 cities from
anywhere in the world.
Tomi Engdahl says:
Beyond KrØØk: Even more WiFi chips vulnerable to eavesdropping
https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
At Black Hat USA 2020, ESET researchers delved into details about the
KrØØk vulnerability in Wi-Fi chips and revealed that similar bugs
affect more chip brands than previously thought. KrØØk (formally
CVE-2019-15126) is a vulnerability in Broadcom and Cypress Wi-Fi chips
that allows unauthorized decryption of some WPA2-encrypted traffic.
Specifically, the bug has led to wireless network data being encrypted
with a WPA2 pairwise session key that is all zeros instead of the
proper session key that had previously been established in the 4-way
handshake. This undesirable state occurs on vulnerable Broadcom and
Cypress chips following a Wi-Fi disassociation.
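Both Kr00k excerpts on this page (the Dark Reading one earlier and this one) describe the same mechanism: on disassociation the chip overwrites the temporal key with zeros, and frames still sitting in the transmit buffer are then encrypted under that all-zero key, which anyone listening can undo. The Python model below is an added example for this page, not code from ESET, Broadcom or Cypress. It is a deliberately abstract model of the firmware state machine: the frame cipher is a SHA-256-based XOR stand-in for AES-CCMP (an assumption for illustration), the session key and frame contents are constructed, and the "fixed" mode shows the firmware-side mitigation of refusing to transmit while the key slot is cleared.

```python
"""State-machine model of Kr00k and of the firmware fix.

Added example for this page, not vendor or ESET code. frame_cipher() is a
SHA-256 XOR stand-in for AES-CCMP (assumption); keys and payloads are constructed.
"""
import hashlib

ZERO_TK = bytes(16)   # the all-zero temporal key left behind by disassociation


def frame_cipher(tk: bytes, pn: int, payload: bytes) -> bytes:
    """XOR payload with a keystream derived from (TK, packet number).

    Stand-in for CCMP. Encryption and decryption are the same operation, so a
    listener who knows TK and the (cleartext) packet number recovers the payload.
    """
    ks = bytearray()
    block = 0
    while len(ks) < len(payload):
        ks += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return bytes(p ^ k for p, k in zip(payload, ks))


class WifiChipModel:
    """Minimal model of the chip's key slot and transmit buffer."""

    def __init__(self, fixed: bool):
        self.fixed = fixed        # True = patched firmware behaviour
        self.tk = None            # temporal key slot
        self.pn = 0               # packet number carried in clear in each frame
        self.tx_buffer = []       # frames queued but not yet sent

    def associate(self, tk: bytes):
        """4-way handshake completed: a real pairwise key is installed."""
        self.tk = tk

    def transmit(self, payload: bytes):
        """Normal path: encrypt immediately with the installed key."""
        self.pn += 1
        return (self.pn, frame_cipher(self.tk, self.pn, payload))

    def queue(self, payload: bytes):
        """Frame handed to the chip while the radio is busy; it waits in the buffer."""
        self.tx_buffer.append(payload)

    def disassociate(self):
        """Kr00k: the key slot is cleared to zeros, then buffered frames are flushed.

        Unpatched chips encrypt the flush with the zeroed key. The fix is to
        drop everything still buffered once the key has been cleared.
        """
        self.tk = ZERO_TK
        sent = []
        for payload in self.tx_buffer:
            if self.fixed and self.tk == ZERO_TK:
                continue                      # mitigation: never transmit under a cleared key
            self.pn += 1
            sent.append((self.pn, frame_cipher(self.tk, self.pn, payload)))
        self.tx_buffer.clear()
        return sent


def passive_decrypt_with_zero_key(frames):
    """What an eavesdropper does: try TK = all zeros against each captured frame."""
    return [frame_cipher(ZERO_TK, pn, ciphertext) for pn, ciphertext in frames]


def demo():
    session_key = bytes.fromhex("a5" * 16)                 # constructed pairwise key
    request = b"GET /account HTTP/1.1"                     # constructed payload

    vulnerable = WifiChipModel(fixed=False)
    vulnerable.associate(session_key)
    keyed_frame = vulnerable.transmit(b"frame sent before disassociation")
    vulnerable.queue(request)                              # still buffered when...
    leaked_frames = vulnerable.disassociate()              # ...the AP disassociates

    patched = WifiChipModel(fixed=True)
    patched.associate(session_key)
    patched.queue(request)
    patched_frames = patched.disassociate()

    return {
        # the properly keyed frame does not yield to the zero-key guess
        "keyed_frame_zero_key_attempt": passive_decrypt_with_zero_key([keyed_frame])[0],
        "vulnerable_leaked": passive_decrypt_with_zero_key(leaked_frames),
        "fixed_leaked": passive_decrypt_with_zero_key(patched_frames),
    }
```

Two things the model makes concrete: only frames that were buffered across the disassociation boundary are exposed (the keyed frame stays opaque), and the defence is entirely in the chip's handling of the cleared key slot, which is why the excerpts talk about firmware updates from chip vendors rather than a change to WPA2 itself.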
Tomi Engdahl says:
Researchers found another way to hack Android cellphones via Bluetooth
https://www.cyberscoop.com/bluetooth-vulnerability-android-dbappsecurity-black-hat-2020/
Attackers looking to steal sensitive information like contacts, call
history, and SMS verification codes from Android devices only need to
target Bluetooth protocols, according to new DBAPPSecurity research
presented at the 2020 Black Hat conference Wednesday. These exploits,
one of which takes advantage of a zero-day vulnerability, could also
allow hackers to send fake text messages if manipulated properly,
researchers found. The other attack allows researchers to take
advantage of an authentication bypass vulnerability, dubbed
“BlueRepli.” Would-be attackers can bypass authentication by imitating
a device that has previously been connected with a target. Victims do
not need to give permission to a device for the exploit to work. Read
also:
https://media.defense.gov/2020/Aug/04/2002469874/-1/-1/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF
Tomi Engdahl says:
Hacking the PLC via Its Engineering Software
https://www.darkreading.com/vulnerabilities—threats/hacking-the-plc-via-its-engineering-software/d/d-id/1338612
Researcher will demonstrate at DEF CON an emerging threat to
industrial control networks. Attackers don’t need to directly hack
into a programmable logic controller (PLC) to wreak havoc on an
industrial process: they can target its configuration files and pivot
from there.
Tomi Engdahl says:
Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs
https://csirt.cy/nearly-50-of-all-smartphones-affected-by-qualcomm-snapdragon-bugs/
Several security vulnerabilities found in Qualcomm’s Snapdragon chip
Digital Signal Processor (DSP) chip could allow attackers to take
control of almost 40% of all smartphones, spy on their users, and
create un-removable malware capable of evading detection. Read also:
https://www.kauppalehti.fi/uutiset/tietoturvatutkijat-lahes-kaikki-android-puhelimet-ovat-alttiita-hyokkayksille/3c34aa45-c575-4b84-aa82-b34b2b638c81.
As well as:
https://www.darkreading.com/vulnerabilities—threats/400+-qualcomm-chip-vulnerabilities-threaten-millions-of-android-phones/d/d-id/1338613.
And:
https://threatpost.com/qualcomm-bugs-opens-40-percent-of-android-devices-to-attack/158194/
Tomi Engdahl says:
Evasive Credit Card Skimmers Using Homograph Domains and Infected
Favicon
https://thehackernews.com/2020/08/magecart-homograph-phishing.html
Cybersecurity researchers today highlighted an evasive phishing
technique that attackers are exploiting in the wild to target visitors
of several sites with a quirk in domain names, and leverage modified
favicons to inject e-skimmers and steal payment card information
covertly. Read also:
https://www.zdnet.com/article/magecart-group-uses-homoglyph-attacks-to-fool-you-into-visiting-malicious-websites/