Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too

A computer screen filled with ones and zeros also contains a Google logo and the word hacked.

Enlarge (credit: Getty Images)

A secretive seller of cyberattack software recently exploited a previously unknown Chrome vulnerability and two other zero-days in campaigns that covertly infected journalists and other targets with sophisticated spyware, security researchers said.

CVE-2022-2294, as the vulnerability is tracked, stems from memory corruption flaws in Web Real-Time Communications, an open source project that provides JavaScript programming interfaces to enable real-time voice, text, and video communications capabilities between web browsers and devices. Google patched the flaw on July 4 after researchers from security firm Avast privately notified the company it was being exploited in watering hole attacks, which infect targeted websites with malware in hopes of then infecting frequent users. Microsoft and Apple have since patched the same WebRTC flaw in their Edge and Safari browsers, respectively.

Avast said on Thursday that it uncovered multiple attack campaigns, each delivering the exploit in its own way to Chrome users in Lebanon, Turkey, Yemen, and Palestine. The watering hole sites were highly selective in choosing which visitors to infect. Once the watering hole sites successfully exploited the vulnerability, they used their access to install DevilsTongue, the name Microsoft gave last year to advanced malware sold by an Israel-based company named Candiru.

Read 8 remaining paragraphs | Comments

#biz-it, #chrome, #edge, #safari, #vulnerability, #webrtc, #zeroday

Dark Souls servers taken down following discovery of critical vulnerability

Dark Souls servers taken down following discovery of critical vulnerability

Enlarge (credit: The_Grim_Sleeper)

Bandai Namco, publisher of the Dark Souls role-playing game series, has taken down its player-versus-player servers while it investigates reports of a serious vulnerability that allows players to execute malicious code on the PCs of fellow players.

Word of the critical remote-code-execution flaw emerged over the weekend in Reddit threads here and here. An exploit that hit a user named The_Grim_Sleeper was captured in a video stream posted over the weekend. Starting around 1:20:22, the user’s game crashed, and a robotic voice mocked his gameplay and maturity level.

“What the fuck,” The_Grim_Sleeper said in response. “My game just crashed, and immediately Powershell opened up and started narrating a fucking” screed. “I didn’t even know that shit was possible.”

Read 6 remaining paragraphs | Comments

#biz-it, #dark-souls, #exploit, #games, #hack, #vulnerability

Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet

Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet

Enlarge (credit: Getty Images)

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that’s used in countless apps, including those used by large enterprise organizations and also in Java versions of Minecraft, several website reported on last Thursday.

Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on Minecraft servers or clients by manipulating log messages, including from things typed in chat messages. The picture became more dire still as the Log4j was identified as the source of the vulnerability and exploit code was discovered posted online.

A big deal

“The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”

Read 11 remaining paragraphs | Comments

#biz-it, #log4j, #minecraft, #open-source, #vulnerability

Microsoft reports SIP-bypassing “Shrootless” vulnerability in macOS

The worm says, "I've got root!"

Enlarge / The worm says, “I’ve got root!” (credit: Andreus / Getty Images)

The Microsoft 365 Defender Research Team released a blog post yesterday describing a newly found macOS vulnerability that can abuse entitlement inheritance in macOS’s System Integrity Protection (SIP) to allow execution of arbitrary code with root-level privilege. The vulnerability is listed as CVE-2021-30892 and has been given the nickname “Shrootless.”

To explain how Shrootless works, we need to review how SIP functions. Introduced back in 2015 with OS X 10.11 El Capitan (and explained in detail on pages eight and nine of our review), SIP attempts to do away with an entire class of vulnerabilities (or at least neuter their effectiveness) by adding kernel-level protections against changing certain files on disk and certain processes in memory, even with root privilege. These protections are (more or less) inviolable unless one disables SIP, which cannot be done without rebooting into recovery mode and executing a terminal command.

The Shrootless exploit takes advantage of the fact that, while root privilege is no longer sufficient to change important system files, the kernel itself still can—and does—alter protected locations as needed. The most obvious example is when installing an application. Apple-signed application install packages have the ability to do things normally prohibited by SIP, and that’s where Shrootless slides in.

Read 5 remaining paragraphs | Comments

#apple, #macos, #microsoft, #tech, #vulnerability

Apple forgot to sanitize the Phone Number field for lost AirTags

A plastic tag hangs from a young person's backpack.

Enlarge / Apple’s AirTags—as seen clipped to a backpack, above—allow users to attempt to find their own device via location rebroadcast from other Apple users. If all else fails, the user can enable a “Lost mode” intended to display their phone number when a finder scans the missing AirTag. (credit: James D. Morgan / Getty Images)

The hits keep coming to Apple’s bug-bounty program, which security researchers say is slow and inconsistent to respond to its vulnerability reports.

This time, the vuln du jour is due to failure to sanitize a user-input field—specifically, the phone number field AirTag owners use to identify their lost devices.

The Good Samaritan attack

Security consultant and penetration tester Bobby Rauch discovered that Apple’s AirTags—tiny devices which can be affixed to frequently lost items like laptops, phones, or car keys—don’t sanitize user input. This oversight opens the door for AirTags to be used in a drop attack. Instead of seeding a target’s parking lot with USB drives loaded with malware, an attacker can drop a maliciously prepared AirTag.

Read 10 remaining paragraphs | Comments

#apple, #biz-it, #bug-bounty, #drop-attack, #infosec, #tech, #vulnerability, #watering-hole-attack

PoC exploit released for Azure AD brute-force bug—here’s what to do

PoC exploit released for Azure AD brute-force bug—here’s what to do

Enlarge (credit: Michael Dziedzic)

A public proof-of-concept (PoC) exploit has been released for the Microsoft Azure Active Directory credentials brute-forcing flaw discovered by Secureworks and first reported by Ars. The exploit enables anyone to perform both username enumeration and password brute-forcing on vulnerable Azure servers. Although Microsoft had initially called the Autologon mechanism a “design” choice, it appears, the company is now working on a solution.

PoC script released on GitHub

Yesterday, a “password spraying” PoC exploit was published for the Azure Active Directory brute-forcing flaw on GitHub. The PowerShell script, just a little over 100 lines of code, is heavily based on previous work by Dr. Nestori Syynimaa, senior principal security researcher at Secureworks.

According to Secureworks’ Counter Threat Unit (CTU), exploiting the flaw, as in confirming users’ passwords via brute-forcing, is quite easy, as demonstrated by the PoC. But, organizations that use Conditional Access policies and multi-factor authentication (MFA) may benefit from blocking access to services via username/password authentication. “So, even when the threat actor is able to get [a] user’s password, they may not be [able to] use it to access the organisation’s data,” Syynimaa told Ars in an email interview.

Read 10 remaining paragraphs | Comments

#active-directory, #azure, #biz-it, #brute-force, #exploit, #microsoft, #poc, #tech, #vulnerability

New Azure Active Directory password brute-forcing flaw has no fix

New Azure Active Directory password brute-forcing flaw has no fix

Enlarge (credit: Michael Dziedzic)

Imagine having unlimited attempts to guess someone’s username and password without getting caught. That would make an ideal scenario for a stealthy threat actor—leaving server admins with little to no visibility into the attacker’s actions, let alone the possibility of blocking them.

A newly discovered bug in Microsoft Azure’s Active Directory (AD) implementation allows just that: single-factor brute-forcing of a user’s AD credentials. And, these attempts aren’t logged on to the server.

Invalid password, try again, and again…

In June this year, researchers at Secureworks Counter Threat Unit (CTU) discovered a flaw in the protocol used by Azure Active Directory Seamless Single Sign-On service.

Read 20 remaining paragraphs | Comments

#active-directory, #azure, #biz-it, #brute-force, #microsoft, #tech, #vulnerability, #zero-days

Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

Lines of code against a black background..

Enlarge / If you own the right domain, you can intercept hundreds of thousands of innocent third parties’ email credentials, just by operating a standard webserver. (credit: Guardicore)

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft’s autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named “autodiscover”—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

Guardicore purchased several such domains and operated them as proof-of-concept credential traps from April 16 to August 25 of this year:

  • Autodiscover.com.br
  • Autodiscover.com.cn
  • Autodiscover.com.co
  • Autodiscover.es
  • Autodiscover.fr
  • Autodiscover.in
  • Autodiscover.it
  • Autodiscover.sg
  • Autodiscover.uk
  • Autodiscover.xyz
  • Autodiscover.online

A web server connected to these domains received hundreds of thousands of email credentials—many of which also double as Windows Active Directory domain credentials—in clear text. The credentials are sent from clients which request the URL /Autodiscover/autodiscover.xml, with an HTTP Basic authentication header which already includes the hapless user’s Base64-encoded credentials.

Read 14 remaining paragraphs | Comments

#autodiscover, #biz-it, #exchange, #outlook, #uncategorized, #vulnerability

Apple users warned: Clicking this attachment will take over your macOS

Apple users warned: Clicking this attachment will take over your macOS

Enlarge (credit: Dmitry Chernyshov)

A code execution bug in Apple’s macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn’t fully patched it yet, as tested by Ars.

Those shortcut files can take over your Mac

Independent security researcher Park Minchan has discovered a vulnerability in the macOS that lets threat actors execute commands on your computer. Shortcut files that have the inetloc extension are capable of embedding commands inside. The flaw impacts macOS Big Sur and prior versions.

“A vulnerability in the way macOS processes inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or a telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; can be created by typing a URL in a text editor and dragging the text to the Desktop.”

Read 10 remaining paragraphs | Comments

#apple, #biz-it, #bug, #code-execution, #macos, #rce, #remote-code-execution, #tech, #vulnerability

Travis CI flaw exposed secrets of thousands of open source projects

Travis CI flaw exposed secrets of thousands of open source projects

Enlarge (credit: Getty Images)

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

Worse, the dev community is upset about the poor handling of the vulnerability disclosure process and the brief “security bulletin” it had to force out of Travis.

Environment variables injected into pull request builds

Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain:

Read 15 remaining paragraphs | Comments

#bitbucket, #biz-it, #data-leak, #github, #open-source, #secrets, #tech, #travis-ci, #vulnerability

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware

Enlarge (credit: Aurich Lawson | Getty Images)

Apple has released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.

Tracked as CVE-2021-30860, the vulnerability needs little to no interaction by an iPhone user to be exploited—hence the name “FORCEDENTRY.”

Discovered on a Saudi activist’s iPhone

In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.

Read 11 remaining paragraphs | Comments

#apple, #biz-it, #imessage, #ios, #iphone, #nso-group, #pegasus, #security, #spyware, #tech, #vulnerability, #zero-day

Security researchers at Wiz discover another major Azure vulnerability

Storm clouds have been photoshopped to bring lightning down on computer components.

Enlarge / This isn’t how the OMIGOD vulnerability works, of course—but lightning is much more photogenic than maliciously crafted XML. (credit: Aurich Lawson | Getty Images)

Cloud security vendor Wiz—which recently made news by discovering a massive vulnerability in Microsoft Azure’s CosmosDB-managed database service—has found another hole in Azure.

The new vulnerability impacts Linux virtual machines on Azure. They end up with a little-known service called OMI installed as a byproduct of enabling any of several logging reporting and/or management options in Azure’s UI.

At its worst, the vulnerability in OMI could be leveraged into remote root code execution—although thankfully, Azure’s on-by-default, outside-the-VM firewall will limit it to most customers’ internal networks only.

Read 26 remaining paragraphs | Comments

#azure, #biz-it, #cve, #exploit, #infosec, #omigod, #vulnerability

Titanfall 2 video game allegedly hacked via “simple exploit”

Knifin' around. Cutcutcutcutcutcutcutcut.

Enlarge / Knifin’ around. Cutcutcutcutcutcutcutcut.

Popular first-person shooter video game Titanfall 2 has been rumored to have a severe security vulnerability that has been exploited.

The reports of the game having been hacked started circulating on Twitter after Titanfall 2 community members, including Leon Benkovic, were seen urging players to uninstall the game:

Gamers allege that the vulnerability lets attackers gain local code execution abilities from Respawn’s servers, affecting Titanfall 2 players on all platforms—Windows, PlayStation, and Xbox.

Read 11 remaining paragraphs | Comments

#computer-security, #electronic-arts, #exploit, #gaming-culture, #hacked, #respawn-entertainment, #tech, #titanfall-2, #video-game, #vulnerability

A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give to companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not provide specifics that it claims are false, or if Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said by knowing a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.

Vishwakarma said homeowners could add a plus-tagged email address with a long, unique string of letters and numbers in place of a password as a stand-in for a password. But there was little for homeowners to do for the radio signal bug until Fortress addresses it.

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.

Read more:

#api, #computer-security, #cryptography, #cyberwarfare, #hacking, #law, #massachusetts, #password, #rapid7, #security, #software-testing, #vulnerability

“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft's Azure cloud infrastructure.

Enlarge / Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft’s Azure cloud infrastructure. (credit: Microsoft)

Cloud security vendor Wiz announced yesterday that it found a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, that granted read/write access for every database on the service to any attacker who found and exploited the bug.

Although Wiz only found the vulnerability—which it named “Chaos DB”—two weeks ago, the company says that the vulnerability has been lurking in the system for “at least several months, possibly years.”

A slingshot around Jupyter

In 2019, Microsoft added the open-source Jupyter Notebook functionality to Cosmos DB. Jupyter Notebooks are a particularly user-friendly way to implement machine learning algorithms; Microsoft promoted Notebooks specifically as a useful tool for advanced visualization of data stored in Cosmos DB.

Read 10 remaining paragraphs | Comments

#azure, #biz-it, #chaos-db, #cloud-vulnerability, #cosmos-db, #exploit, #infosec, #managed-database, #vulnerability

Need to get root on a Windows box? Plug in a Razer gaming mouse

This is definitely not a Razer mouse—but you get the idea.

Enlarge / This is definitely not a Razer mouse—but you get the idea. (credit: calvio via Getty Images)

This weekend, security researcher jonhat disclosed a long-standing security bug in the Synapse software associated with Razer gaming mice. During software installation, the wizard produces a clickable link to the location where the software will be installed. Clicking that link opens a File Explorer window to the proposed location—but that File Explorer spawns with SYSTEM process ID, not with the user’s.

Have mouse, will root

By itself, this vulnerability in Razer Synapse sounds like a minor issue—after all, in order to launch a software installer with SYSTEM privileges, a user would normally need to have Administrator privileges themselves. Unfortunately, Synapse is a part of the Windows Catalog—which means that an unprivileged user can just plug in a Razer mouse, and Windows Update will cheerfully download and run the exploitable installer automatically.

Jonhat isn’t the only—or even the first—researcher to discover and publicly disclose this bug. Lee Christensen publicly disclosed the same bug in July, and according to security researcher _MG_, who demonstrated it using an OMG cable to mimic the PCI Device ID of a Razer mouse and exploit the same vulnerability, researchers have been reporting it fruitlessly for more than a year.

Read 2 remaining paragraphs | Comments

#biz-it, #cve, #exploit, #gaming-culture, #infosec, #privilege-escalation, #razer, #tech, #vulnerability

A bug in a medical startup’s website put thousands of COVID-19 test results at risk

A California-based medical startup that provides COVID-19 testing across Los Angeles has pulled down a website it used to allow customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.

Total Testing Solutions has ten COVID-19 testing sites across Los Angeles, and processes “thousands” of COVID-19 tests at workplaces, sports venues, and schools each week. When test results are ready, customers get an email with a link to a website to get their results.

But one customer said they found a website vulnerability that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit. That allowed the customer to see other customers’ names and the date of their test. The website also only requires a person’s date of birth to access their COVID-19 test results, which the customer who discovered the vulnerability said “wouldn’t take long” to brute-force, or simply guess. (That’s just 11,000 birthday guesses for anyone under age 30.)

Read more on TechCrunch

Although the test results website is protected by a login page that prompts the customer for their email address and password, the vulnerable part of the website that allowed the customer to change the web address and access other customers’ information could be accessed directly from the web, bypassing the sign-in prompt altogether.

The customer passed on details of the vulnerability to TechCrunch to get the vulnerability fixed before someone else finds it or exploits it, if not already.

TechCrunch verified the customer’s findings, but while we did not enumerate each result code, through limited testing found that the vulnerability likely put around 60,000 tests at risk. TechCrunch reported the vulnerability to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of discovered tests, but said the vulnerability was limited to an on-premise server used to provide legacy test results that has since been shut down and replaced by a new cloud-based system.

“We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes,” said Trenkle in a statement. “The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures.”

Trenkle declined to say when the cloud server became active, and why the allegedly legacy server had test results as recently as last month.

“Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward,” said Trenkle.

Trenkle said the company will comply with its legal obligations under state law, but stopped short of explicitly saying if the company plans to notify customers of the vulnerability. Although companies aren’t obliged to report vulnerabilities to their state’s attorney general or to their customers, many do out of an abundance of caution since it’s not always possible to determine if there was improper access.

TTS chief executive Lauren Trenkle, who was copied on an email chain, did not comment.

#attorney-general, #california, #computer-security, #covid-19, #cyberwarfare, #hacking, #health, #jamaica, #los-angeles, #privacy, #security, #software-testing, #tts, #vulnerability

True ‘shift left and extend right’ security requires empowered developers

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.

The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.

Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner

In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.

Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.

The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.

Consider a developer that is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process — it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.

#agile-software-development, #api, #column, #computer-security, #computing, #cybersecurity, #developer, #devops, #ec-column, #ec-cybersecurity, #security, #security-testing, #software-development, #software-testing, #sql, #startups, #u-s-securities-and-exchange-commission, #vulnerability

Microsoft confirms it’s buying cybersecurity startup RiskIQ

Microsoft has confirmed it’s buying RiskIQ, a San Francisco-based cybersecurity company that provides threat intelligence and cloud-based software as a service for organizations.

Terms of the deal, which will see RiskIQ’s threat intelligence services integrated into Microsoft’s flagship security offerings, were not disclosed, although Bloomberg previously reported that Microsoft will pay more than $500 million in cash for the company. Microsoft declined to confirm the reported figure.

The announcement comes amid a heightened security landscape as organizations shift to remote and hybrid working strategies.

RiskIQ scours the web, mapping out details about websites and networks, domain name records, certificates and other information, like WHOIS registration data, providing customers visibility into what assets, devices and services can be accessed outside of a company’s firewall. That helps companies lock down their assets and limit their attack surface from malicious actors. It’s that data in large part that helped the company discover and understand Magecart, a collection of groups that inject credit card stealing malware into vulnerable websites.

Microsoft says that by embedding RiskIQ’s technologies into its core products, its customers will be able to build a more comprehensive view of the global threats to their businesses as workforces continue to work outside of the traditional office environment.

The deal will also help organizations to keep an eye on supply-chain risks, Microsoft says. This is likely a growing priority for many: an attack on software provider SolarWinds last year saw affected at least 18,000 of its customers, and just this month IT vendor Kaseya fell victim to a ransomware attack that spread to more than 1,000 downstream businesses.

Eric Doerr, vice president of cloud security at Microsoft, said: “RiskIQ helps customers discover and assess the security of their entire enterprise attack surface — in the Microsoft cloud, AWS, other clouds, on-premises, and from their supply chain. With more than a decade of experience scanning and analyzing the internet, RiskIQ can help enterprises identify and remediate vulnerable assets before an attacker can capitalize on them.”

RiskIQ was founded in 2009 and has raised a total of $83 million over four rounds of funding. Elias Manousos, who co-founded RiskIQ and serves as its chief executive, said he was “thrilled” at the acquisition.

“The vision and mission of RiskIQ is to provide unmatched internet visibility and insights to better protect and inform our customers and partners’ security programs,” said Manousos. “Our combined capabilities will enable best-in-class protection, investigations, and response against today’s threats.”

The acquisition is one of many Microsoft has made recently in the cybersecurity space in recent months. The software giant last year bought Israeli security startup CyberX in a bid to boost its Azure IoT business, and just last month it acquired Internet of Things security firm ReFirm Labs.

#aws, #azure-iot, #cloud-based-software, #cloud-computing, #computer-security, #computing, #cyberx, #kaseya, #microsoft, #ransomware, #riskiq, #san-francisco, #security, #software, #solarwinds, #supply-chain, #technology, #vulnerability

Security flaws found in Samsung’s stock mobile apps

A mobile security startup has found seven security flaws in Samsung’s pre-installed mobile apps, which it says if abused could have allowed attackers broad access to a victim’s personal data.

Oversecured said the vulnerabilities were found in several apps and components bundled with Samsung phones and tablets. Oversecured founder Sergey Toshin told TechCrunch that the vulnerabilities were verified on a Samsung Galaxy S10+ but that all Samsung devices could be potentially affected because the baked-in apps are responsible for system functionality.

Toshin said the vulnerabilities could have allowed a malicious app on the same device to steal a victim’s photos, videos, contacts, call records and messages, and change settings “without any user consent or notice” by hijacking the permissions from Samsung’s stock apps.

One of the flaws could have allowed the theft of data by exploiting a vulnerability in Samsung’s Secure Folder app, which has a “large set” of rights across the device. In a proof-of-concept, Toshin showed the bug could be used to steal contacts data. Another bug in Samsung’s Knox security software could have been abused to install other malicious apps, while a bug in Samsung Dex could have been used to scrape data from user notifications from apps, email inboxes, and messages.

Oversecured published technical details of the vulnerabilities in a blog post, and said it reported the bugs to Samsung, which fixed the flaws.

Samsung confirmed the flaws affected “selected” Galaxy devices but would not provide a list of specific devices. “There have been no known reported issues globally and users should be assured that their sensitive information was not at risk,” but provided no evidence for this claim. “We addressed the potential vulnerability by developing and issuing security patches via software update in April and May, 2021 as soon as we identified this issue.”

The startup, which launched earlier this year after self-funding $1 million in bug bounty payouts, uses automation to search for vulnerabilities in Android code. Toshin has found similar security flaws in TikTok, and Android’s Google Play app.

#android, #apps, #computing, #google-play, #knox, #mobile-phones, #mobile-security, #oversecured, #russia, #samsung, #security, #security-software, #smartphones, #technology, #vulnerability

Echelon exposed riders’ account data, thanks to a leaky API

Image Credits: Echelon (stock image)

Peloton wasn’t the only at-home workout giant exposing private account data. Rival exercise giant Echelon also had a leaky API that let virtually anyone access riders’ account information.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware — bikes, rowers, and a treadmill — as a cheaper alternative for members to exercise at home. Its app also lets members join virtual classes without the need for workout equipment.

But Jan Masters, a security researcher at Pen Test Partners, found that Echelon’s API allowed him to access the account data — including name, city, age, sex, phone number, weight, birthday, and workout statistics and history — of any other member in a live or pre-recorded class. The API also disclosed some information about members’ workout equipment, such as its serial number.

Masters, if you recall, found a similar bug with Peloton’s API, which let him make unauthenticated requests and pull private user account data directly from Peloton’s servers without the server ever checking to make sure he (or anyone else) was allowed to request it.

Echelon’s API allows its members’ devices and apps to talk with Echelon’s servers over the internet. The API was supposed to check if the member’s device was authorized to pull user data by checking for an authorization token. But Masters said the token wasn’t needed to request data.

Masters also found another bug that allowed members to pull data on any other member because of weak access controls on the API. Masters said this bug made it easy to enumerate user account IDs and scrape account data from Echelon’s servers. Facebook, LinkedIn, Peloton and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms.

Ken Munro, founder of Pen Test Partners, disclosed the vulnerabilities to Echelon on January 20 in a Twitter direct message, since the company doesn’t have a public-facing vulnerability disclosure process (which it says is now “under review”). But the researchers did not hear back during the 90 days after the report was submitted, the standard amount of time security researchers give companies to fix flaws before their details are made public.

TechCrunch asked Echelon for comment, and was told that the security flaws identified by Masters — which he wrote up in a blog post — were fixed in January.

“We hired an outside service to perform a penetration test of systems and identify vulnerabilities. We have taken appropriate actions to correct these, most of which were implemented by January 21, 2021. However, Echelon’s position is that the User ID is not PII [personally identifiable information,” said Chris Martin, Echelon’s chief information security officer, in an email.

Echelon did not name the outside security company but said while the company said it keeps detailed logs, it did not say if it had found any evidence of malicious exploitation.

But Munro disputed the company’s claim of when it fixed the vulnerabilities, and provided TechCrunch with evidence that one of the vulnerabilities was not fixed until at least mid-April, and another vulnerability could still be exploited as recently as this week.

When asked for clarity, Echelon did not address the discrepancies. “[The security flaws] have been remediated,” Martin reiterated.

Echelon also confirmed it fixed a bug that allowed users under the age of 13 to sign up. Many companies block access to children under the age of 13 to avoid complying with the Children’s Online Privacy Protection Act, or COPPA, a U.S. law that puts strict rules on what data companies can collect on children. TechCrunch was able to create an Echelon account this week with an age less than 13, despite the page saying: “Minimum age of use is 13 years old.”

#api, #chief-information-security-officer, #computer-security, #computing, #cyberwarfare, #echelon, #facebook, #founder, #health, #peloton, #pen-test-partners, #security, #software, #software-testing, #technology, #united-states, #vulnerability

Peloton’s leaky API let anyone grab rider’s private account data

Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.

My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.

Peloton, the at-home fitness brand synonymous with its indoor stationary bike, has more than three million subscribers. Even President Biden is even said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.

As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)

But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics, and if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.

Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.

But that deadline came and went, the bug wasn’t fixed, and Masters hadn’t heard back from the company, aside from an initial email acknowledging receipt of the bug report. Instead, Peloton only restricted access to its API to its members. But that just meant anyone could sign up with a monthly membership and get access to the API again.

TechCrunch contacted Peloton after the deadline lapsed to ask why the vulnerability report had been ignored, and Peloton confirmed yesterday that it had fixed the vulnerability. (TechCrunch held this story until the bug was fixed in order to prevent misuse.)

Peloton spokesperson Amelise Lane provided the following statement:

It’s a priority for Peloton to keep our platform secure and we’re always looking to improve our approach and process for working with the external security community. Through our Coordinated Vulnerability Disclosure program, a security researcher informed us that he was able to access our API and see information that’s available on a Peloton profile. We took action, and addressed the issues based on his initial submissions, but we were slow to update the researcher about our remediation efforts. Going forward, we will do better to work collaboratively with the security research community and respond more promptly when vulnerabilities are reported. We want to thank Ken Munro for submitting his reports through our CVD program and for being open to working with us to resolve these issues.

Masters has since put up a blog post explaining the vulnerabilities in more detail.

Munro, who founded Pen Test Partners, told TechCrunch: “Peloton had a bit of a fail in responding to the vulnerability report, but after a nudge in the right direction, took appropriate action. A vulnerability disclosure program isn’t just a page on a website; it requires coordinated action across the organisation.”

But questions remain for Peloton. When asked repeatedly, the company declined to say why it had not responded to Masters’ vulnerability report. It’s also not known if anyone maliciously exploited the vulnerabilities, such as mass-scraping account data.

Facebook, LinkedIn, and Clubhouse have all fallen victim to scraping attacks that abuse access to APIs to pull in data about users on their platforms. But Peloton declined to confirm if it had logs to rule out any malicious exploitation of its leaky API.

#api, #gadgets, #hacking, #peloton, #pen-test-partners, #privacy, #security, #vulnerability

Vulcan Cyber raises $21M Series B for its vulnerability remediation platform

Tel Aviv-based Vulcan Cyber, a cybersecurity startup that helps businesses prioritize and fix security vulnerabilities, today announced that it has raised a $21 million Series B funding round led by Dawn Capital. Wipro Ventures and existing investors YL Ventures and Ten Eleven Ventures also participated in this round. The company says it will use the new funding to roll out new remediation solutions and launch a free risk-based vulnerability management platform under the Vulcan Free monicker.

With this new round, Vulcan Cyber’s total funding to date is now $35 million. The company says it saw 500% growth in annual recurring revenue and new customer account metrics in 2020, with each user typically having between 10 and 100 users on the platform.

Image Credits: Vulcan Cyber

The company’s emphasis has always been on not just warning its customers about potential vulnerabilities but also helping them prioritize them based on the severity of the risk and the threat to a company’s business assets. Security teams, after all, are often overwhelmed by alerts and not every vulnerability a scanner represents is a high-priority risk for a business. The promise of Vulcan Cyber’s platform is that it helps these teams figure out where to best focus their resources.

While the funding is the headline news today, Vulcan’s new free offering is also worth a closer look.

Cybersecurity pros have used open-source vulnerability scanners like Nessus for almost two decades. More recently, vulnerability management programs have used risk-based vulnerability management tools to prioritize scan results to determine specific risk to the business and focus the remediation effort. The scan and prioritize functions are fundamental, necessary elements of any mature remediation program,” Yaniv Bar-Dayan, Vulcan Cyber’s CEO and co-founder said about the new free offering. “But now the industry has a free vulnerability prioritization engine to complement the scanners. This round of funding allows us to provide the Vulcan Free service to the cybersecurity industry to help businesses achieve cyber hygiene. This move shifts the economics of our market and will push CISOs and CIOs to dedicate more budget and resources not just on simple scan and prioritize paper pushing, but on driving actual remediation outcomes. We hope this will help the industry get fix done more effectively.”

With this new free offering, Vulcan’s freemium portfolio now includes Vulcan Free, which provides some of the company’s core prioritization and vulnerability management features, and its existing free vulnerability intelligence database.

#computer-security, #cybersecurity, #cyberwarfare, #data-security, #dawn-capital, #hacking, #recent-funding, #security, #software-testing, #startups, #tc, #tel-aviv, #ten-eleven-ventures, #vulcan-cyber, #vulnerability, #wipro-ventures, #yl-ventures

America’s small businesses face the brunt of China’s Exchange server hacks

As the U.S. reportedly readies for retaliation against Russia for hacking into some of the government’s most sensitive federal networks, the U.S. is facing another old adversary in cyberspace: China.

Microsoft last week revealed a new hacking group it calls Hafnium, which operates in, and is backed by, China. Hafnium used four previously unreported vulnerabilities — or zero-days — to break into at least tens of thousands of organizations running vulnerable Microsoft Exchange email servers and steal email mailboxes and address books.

It’s not clear what Hafnium’s motives are. Some liken the activity to espionage — a nation-state gathering intelligence or industrial secrets from larger corporations and governments.

But what makes this particular hacking campaign so damaging is not only the ease with which the flaws can be exploited, but also how many — and how widespread — the victims are.

Security experts say the hackers automated their attacks by scanning the internet for vulnerable servers, hitting a broad range of targets and industries — law firms and policy think tanks, but also defense contractors and infectious disease researchers. Schools, religious institutions, and local governments are among the victims running vulnerable Exchange email servers and caught up by the Hafnium attacks.

While Microsoft has published patches, the U.S. federal cybersecurity advisory agency CISA said the patches only fix the vulnerabilities — and won’t close any backdoors left behind by the hackers.

There is little doubt that larger, well-resourced organizations have a better shot at investigating if their systems were compromised, allowing those victims to prevent further infections, like destructive malware or ransomware.

But that leaves the smaller, rural victims largely on their own to investigate if their networks were breached.

“The types of victims we have seen are quite diverse, many of whom outsource technical support to local IT providers whose expertise is in deploying and managing IT systems, not responding to cyber threats,” said Matthew Meltzer, a security analyst at Volexity, a cybersecurity firm that helped to identify Hafnium.

Without the budget for cybersecurity, victims can always assume they are compromised – but that doesn’t equate to knowing what to do next. Patching the flaws is just one part of the recovery effort. Cleaning up after the hackers will be the most challenging part for smaller businesses that may lack the cybersecurity expertise.

It’s also a race against the clock to prevent other malicious hackers from discovering or using the same vulnerabilities to spread ransomware or launch destructive attacks. Both Red Canary and Huntress said they believe hacking groups beyond Hafnium are exploiting the same vulnerabilities. ESET said at least ten groups were also exploiting the same server flaws.

Katie Nickels, director of intelligence at threat detection firm Red Canary, said there is “clearly widespread activity” exploiting these Exchange server vulnerabilities, but that the number of servers exploited further has been fewer.

“Cleaning up the initial web shells will be much easier for the average IT administrator than it would be to investigate follow-on activity,” said Nickels.

Microsoft has published guidance on what administrators can do, and CISA has both advice and a tool that helps to search server logs for evidence of a compromise. And in a rare statement, the White House’s National Security Council warned that patching alone “is not remediation,” and urged businesses to “take immediate measures.”

How that advice trickles down to smaller businesses will be watched carefully.

Cybersecurity expert Runa Sandvik said many victims, including the mom-and-pop shops, may not even know they are affected, and even if they realize they are, they’ll need step-by-step guidance on what to do next.

“Defending against a threat like this is one thing, but investigating a potential breach and evicting the actor is a larger challenge,” said Sandvik. “Companies have people who can install patches — that’s the first step — but figuring out if you’ve been breached requires time, tools, and logs.”

Security experts say Hafnium primarily targets U.S. businesses, but that the attacks are global. Europe’s banking authority is one of the largest organizations to confirm its Exchange email servers were compromised by the attack.

Norway’s national security authority said that it has “already seen exploitation of these vulnerabilities” in the country and that it would scan for vulnerable servers across Norway’s internet space to notify their owners. Slovenia’s cybersecurity response unit, known as SI-CERT, said in a tweet that it too had notified potential victims in its internet space.

Sandvik said the U.S. government and private sector could do more to better coordinate the response, given the broad reach into U.S. businesses. CISA proposed new powers in 2019 to allow the agency to subpoena internet providers to identify the owners of vulnerable and unpatched systems. The agency just received those new powers in the government’s annual defense bill in December.

“Someone needs to own it,” said Sandvik.


Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.

#banking, #china, #cisa, #computer-security, #computing, #cryptography, #cyberattack, #cybercrime, #cyberwarfare, #europe, #fireeye, #government, #law-firms, #microsoft, #norway, #russia, #security, #tor, #united-states, #vulnerability, #zero-day

Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, granting the attackers to steal data from a victim’s organization — such as email accounts and address books — and the ability to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable servers running on-premise Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.

Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”

#china, #computer-security, #computing, #cryptography, #cyberattack, #cybercrime, #cyberwarfare, #defense-contractors, #federal-bureau-of-investigation, #internet-security, #law-firms, #microsoft, #national-security-agency, #security, #software, #solarwinds, #technology, #threat, #trump-administration, #u-s-government, #united-states, #vulnerability

Apple says iOS 14.4 fixes three security bugs ‘actively exploited’ by hackers

Apple has released iOS 14.4 with security fixes for three vulnerabilities, said to be under active attack by hackers.

The technology giant said in its security update pages for iOS and iPadOS 14.4 that the three bugs affecting iPhones and iPads “may have been actively exploited.” Details of the vulnerabilities are scarce, and an Apple spokesperson declined to comment beyond what’s in the advisory.

It’s not known who is actively exploiting the vulnerabilities, or who might have fallen victim. Apple did not say if the attack was targeted against a small subset of users or if it was a wider attack. Apple granted anonymity to the individual who submitted the bug, the advisory said.

Two of the bugs were found in WebKit, the browser engine that powers the Safari browser, and the Kernel, the core of the operating system. Some successful exploits use sets of vulnerabilities chained together, rather than a single flaw. It’s not uncommon for attackers to first target vulnerabilities in a device’s browsers as a way to get access to the underlying operating system.

Apple said additional details would be available soon, but did not say when.

It’s a rare admission by Apple, which prides itself on its security image, that its customers might be under active attack by hackers.

In 2019, Google security researchers found a number of malicious websites laced with code that quietly hacked into victims’ iPhones. TechCrunch revealed that the attack was part of an operation, likely by the Chinese government, to spy on Uyghur Muslims. In response, Apple disputed some of Google’s findings in an equally rare public statement, for which Apple faced more criticism for underplaying the severity of the attack.

Last month, internet watchdog Citizen Lab found dozens of journalists had their iPhones hacked with a previously unknown vulnerability to install spyware developed by Israel-based NSO Group.

In the absence of details, iPhone and iPad users should update to iOS 14.4 as soon as possible.

#apple, #apple-inc, #computing, #google, #ipad, #ipads, #iphone, #operating-system, #operating-systems, #safari, #security, #smartphones, #spokesperson, #tablet-computers, #vulnerability

Cybersecurity startup SpiderSilk raises $2.25M to help prevent data breaches

Dubai-based cybersecurity startup SpiderSilk has raised $2.25 million in a pre-Series A round, led by venture firms Global Ventures and STV.

In the past two years, SpiderSilk has discovered some of the biggest data breaches: Blind, the allegedly anonymous social network that exposed private complaints by Silicon Valley employees; a lab leaked highly sensitive Samsung source code; an inadvertently public code repository revealed apps, code, and apartment building camera footage belonging to controversial facial recognition startup Clearview AI; and a massive spill of unencrypted customer card numbers at now-defunct MoviePass may have been the final nail in the already-beleaguered subscription service’s casket.

Much of those discoveries were found from the company’s proprietary internet scanner, SpiderSilk co-founder and chief security officer Mossab Hussein told TechCrunch.

Any company would want their data locked down, but mistakes happen and misconfigurations can leave sensitive internal corporate data accessible from the internet. SpiderSilk helps its customers understand their attack surface by looking for things that are exposed but shouldn’t be.

The cybersecurity startup uses its scanner to map out a company’s assets and attack surfaces to detect vulnerabilities and data exposures, and it also simulates cyberattacks to help customers understand where vulnerabilities are in their defenses.

“The attack surface management and threat detection platform we built scans the open internet on a continuous basis in order to attribute all publicly accessible assets back to organizations that could be affected by them, either directly or indirectly,” SpiderSilk’s co-founder and chief executive Rami El Malak told TechCrunch. “As a result, the platform regularly uncovers exploits and highlights how no organization is immune from infrastructure visibility blind-spots.”

El Malak said the funding will help to build out its security, engineering and data science teams, as well as its marketing and sales. He said the company is expanding its presence to North America with sales and engineering teams.

It’s the company’s second round of funding, after a seed round of $500,000 in November 2019, also led by Global Ventures and several angel investors.

“The SpiderSilk team are outstanding partners, solving a critical problem in the ever-complex world of cybersecurity, and protecting companies online from the increasing threats of malicious activity,” said Basil Moftah, general partner at Global Ventures.

#clearview-ai, #computer-security, #computing, #cybersecurity-startup, #data-security, #dubai, #facial-recognition, #general-partner, #north-america, #open-internet, #samsung, #security, #social-network, #spidersilk, #vulnerability

Google, Cisco, and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case

A coalition of companies have filed an amicus brief in support of a legal case brought by WhatsApp against Israeli intelligence firm NSO Group, accusing the company of using an undisclosed vulnerability in the messaging app to hack into at least 1,400 devices, some of which were owned by journalists and human rights activists.

NSO develops and sells governments access to its Pegasus spyware, allowing its nation state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages and listen to their calls, steal their photos and files, and siphon off private information from their device. The spyware is often installed by tricking a target into opening a malicious link, or sometimes by exploiting never-before-seen vulnerabilities in apps or phones to silently infect the victims with the spyware. The company has drawn ire for selling to authoritarian regimes, like Saudi Arabia, Ethiopia, and the United Arab Emirates.

Last year, WhatsApp found and patched a vulnerability that it said was being abused to deliver the government-grade spyware, in some cases without the victim knowing. Months later, WhatsApp sued NSO to understand more about the incident, including which of its government customers was behind the attack.

NSO has repeatedly disputed the allegations, but was unable to convince a U.S. court to drop the case earlier this year. NSO’s main legal defense is that it is afforded legal immunities because it acts on behalf of governments.

But a coalition of tech companies has sided with WhatsApp, and are now asking the court to not allow NSO to claim or be subject to immunity.

Microsoft (including its subsidiaries LinkedIn and GitHub), Google, Cisco, VMware, and the Internet Association, which represents dozens of tech giants including Amazon, Facebook, and Twitter, warned that the development of spyware and espionage tools — including hoarding the vulnerabilities used to deliver them — make ordinary people less safe and secure, and also runs the risk of these tools falling into the wrong hands.

In a blog post, Microsoft’s customer security and trust chief Tom Burt said NSO should be accountable for the tools it builds and the vulnerabilities it exploits.

“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” said Burt. “We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.”

A spokesperson for NSO did not immediately comment.

#computer-security, #computing, #espionage, #ethiopia, #government, #internet-association, #nso-group, #privacy, #saudi-arabia, #security, #social-media, #software, #spokesperson, #spyware, #united-arab-emirates, #vulnerability, #whatsapp

Spotify resets passwords after a security bug exposed users’ private account information

Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners.

In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”

Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12. But like most data breach notices, Spotify did not say what the vulnerability was or how user account data became exposed.

“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” the letter read.

Spotify spokesperson Adam Grossberg confirmed that a “small subset” of Spotify users are affected, but did not provide a specific figure. Spotify has more than 320 million users, and 144 million subscribers.

It’s the second time in as many months that the company has reset user passwords.

Last month security researchers found an unsecured database, likely operated by hackers, allegedly containing around 300,000 stolen user passwords. The database was probably used to launch credential stuffing attacks, in which lists of stolen passwords are matched against different websites that use the same password.

Although in that case the exposed data did not come from Spotify, the company reset the passwords on affected user accounts.

#california, #computer-security, #computing, #credential-stuffing, #cryptography, #data-breach, #microsoft-windows, #security, #spokesperson, #spotify, #vulnerability

Researchers say hardcoded passwords in GE medical imaging devices could put patient data at risk

Dozens of medical imaging devices built by General Electric are secured with hardcoded default passwords that can’t be easily changed, but could be exploited to access sensitive patient scans, according to new findings by security firm CyberMDX.

The researchers said that an attacker would only need to be on the same network to exploit a vulnerable device, such as by tricking an employee into opening an email with malware. From there, the attacker could use those unchanged hardcoded passwords to obtain whatever patient data was left on the device or disrupt the device from operating properly.

CyberMDX said X-ray machines, CT and MRI scanners, and ultrasound and mammography devices are among the affected devices.

GE uses hardcoded passwords to remotely maintain the devices. But Elad Luz, head of research at CyberMDX, said some customers were not aware that their devices had vulnerable devices. Luz described the passwords as “hardcoded,” because although they can be changed, customers have to rely on a GE engineer to change the passwords on-site.

The vulnerability has also prompted an alert by Homeland Security’s cybersecurity advisory unit, CISA. Customers of affected devices should contact GE to change the passwords.

Hannah Huntly, a spokesperson for GE Healthcare, said in a statement: “We are not aware of any incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.”

It’s the latest find by the New York-based healthcare cybersecurity startup. Last year the startup also reported vulnerabilities in other GE equipment, which the company later admitted could have led to patient injury after initially clearing the device for use.

CyberMDX, which works primarily to secure medical devices and improve hospital network security through its cyber intelligence platform while conducting security research on the side, raised $20 million earlier this year, just a month into the COVID-19 pandemic.

#articles, #computer-security, #cryptography, #cybercrime, #cyberwarfare, #engineer, #ge-healthcare, #health, #malware, #medical-device, #medical-imaging, #new-york, #security, #spokesperson, #ultrasound, #vulnerability, #x-ray

Google fixes two more Chrome zerodays that were under active exploit

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

Enlarge (credit: Getty Images)

Google has patched two zeroday vulnerabilities in its Chrome browser, the third time in two weeks that the company has fixed a Chrome security flaw that’s under active exploit.

According to a Monday tweet from Ben Hawkes, the head of Google’s Project Zero vulnerability and exploit research arm, CVE-2020-16009, as the first vulnerability is tracked, is a remote code-execution bug in V8, Chrome’s open source JavaScript engine. A second security flaw, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allows attackers to escape the Android sandbox, suggesting that hackers may have been using it in combination with a separate vulnerability.

Hawkes didn’t provide additional details, such as what desktop versions of Chrome were actively targeted, who the victims were, or how long the attacks had been going on. It also wasn’t clear if the same attack group was responsible for all three exploits. CVE-2020-16009 was in part discovered by a member of Google’s Threat Analysis Group, which focuses on government-backed hacking, suggesting that exploits of that vulnerability may be the work of a nation-state. Project Zero was involved in the discovery of all three of the zerodays.

Read 2 remaining paragraphs | Comments

#biz-it, #browser, #chrome, #exploit, #vulnerability, #zeroday

Google reveals a new Windows zero-day bug it says is under active attack

Google has dropped details of a previously undisclosed vulnerability in Windows, which it says hackers are actively exploiting. As a result, Google gave Microsoft just a week to fix the vulnerability. That deadline came and went, and Google published details of the vulnerability this afternoon.

The vulnerability has no name but is labeled CVE-2020-17087, and affects at least Windows 7 and Windows 10.

Google’s Project Zero, the elite group of security bug hunters which made the discovery, said the bug allows an attacker to escalate their level of user access in Windows. Attackers are using the Windows vulnerability in conjunction with a separate bug in Chrome, which Google disclosed and fixed last week. This new bug allows an attacker to escape Chrome’s sandbox, normally isolated from other apps, and run malware on the operating system.

Microsoft did not immediately comment when contacted by TechCrunch, but Project Zero’s technical lead Ben Hawkes said in a tweet that Microsoft plans to issue a patch on November 10.

But it’s unclear who the attackers are or their motives. Google’s director of threat intelligence Shane Huntley said that the attacks were “targeted” and not related to the U.S. election.

It’s the latest in a list of major flaws affecting Windows this year. Microsoft said in January that the National Security Agency helped find a cryptographic bug in Windows 10, though there was no evidence of exploitation. But in June and September, Homeland Security issued alerts over two “critical” Windows bugs — one which had the ability to spread across the internet, and the other could have gained complete access to an entire Windows network.

#chrome-os, #computer-security, #elite, #google, #google-chrome, #malware, #microsoft, #microsoft-windows, #operating-system, #operating-systems, #security, #software, #vulnerability, #windows-7, #windows-xp

Homeland Security issues rare emergency alert over ‘critical’ Windows bug

Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

It’s the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.

Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers use the code to launch attacks. CISA said that Friday that it “assumes active exploitation of this vulnerability is occurring in the wild.”

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.

#computing, #cybercrime, #exploit, #internet-security, #microsoft, #microsoft-windows, #national-security-agency, #ransomware, #security, #security-breaches, #vulnerability

Sternum raises $6.5M Series A on its IoT security bet

If we have learned anything from the mass production of cheap internet-connected devices is that security was an afterthought. Default passwords are the norm and security flaws aren’t patched, leaving entire fleets of smart devices vulnerable to attack.

But one Israeli security startup is taking a different approach to protect vulnerable Internet of Things devices.

Sternum, headquartered in Tel Aviv, provides an embedded integrity verification technology, known as EIV, which verifies that the app hasn’t been maliciously altered in some way. Its technology detects code vulnerabilities to prevent attacks before they are exploited. Its advanced detection system, or ADS, brings real-time threat detection, allowing companies to respond to attacks in real-time.

It’s a novel idea for when there is no other way to secure a vulnerable device.

Earlier this year, Sternum was first with a fix for a new wave of vulnerabilities that hit millions of Internet of Things devices. Dubbed Ripple20, the vulnerabilities allow hackers to hijack potentially hundreds of millions of affected devices.

“Patching vulnerabilities is an endless game,” Sternum’s founder and chief executive Natali Tshuva told TechCrunch.

“Unlike many other solutions, we are not focused on patching every vulnerability on a device. We are solely focused on the exploitation stage, or the point at which the hacker takes advantage of a vulnerability to execute an attack,” she said.

Tshuva’s roots are as a security researcher, where she found several previously undiscovered vulnerabilities in Linux, Android and other embedded systems.

“I realized that there are real technological and market challenges to securing these devices properly,” she told TechCrunch. “I wanted to apply my know-how in cybersecurity, research, product and managing talented R&D teams to create innovative solutions that will truly solve the problem, end-to-end.”

It’s a bet that’s paying off.

The company revealed its $6.5 million Series A round, the company announced Tuesday. The round was led by Square Peg with participation from Merle Hinrich and European venture firm BTOV.

Philippe Schwartz, a partner at Square Peg, which led the round, said he was “impressed with Sternum’s innovative products and diverse team, whose technologies will power our connected future with uncompromising security protection and rich, data-driven insights.”

#computing, #hacking, #internet-of-things, #security, #smart-devices, #vulnerability

How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether it was their fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

#data-breach, #driver, #hacking, #internet-security, #security, #startups, #tc, #vulnerability

WhatsApp reveals six previously undisclosed vulnerabilities on new security site

Facebook-owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).

WhatsApp said five of the six vulnerabilities were fixed in the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.

Around one-third of the new vulnerabilities were reported through the company’s Bug Bounty Program, while the others were discovered in routine code reviews and by using automated systems, as would be expected.

WhatsApp is one of the world’s most popular apps with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform.

The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities targeting the messaging app, and in response to user feedback. The company says the WhatsApp community has been asking for a centralized location for tracking security vulnerabilities, as WhatsApp isn’t always able to detail its security advisories in an app’s release notes due to app store policies.

The new dashboard will update monthly, or sooner if it has to warn users of an active attack. It will also offer an archive of past CVEs dating back to 2018. While the website’s main focus will be on CVEs in WhatsApp’s code, if the company files a CVE with the public database MITRE for a vulnerability it found in third-party code, it will denote that on the WhatsApp Security Advisory page, as well.

Last year, WhatsApp went public after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group. WhatsApp sued the spyware maker, alleging the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices — including more than 100 human rights defenders and journalists.

NSO denied the allegations.

John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigating NSO Group, welcomed the news.

“This is good, and we know that bad actors make use of extensive resources to acquire and weaponize vulnerabilities,” he told TechCrunch. “WhatsApp sending the signal that it’s going to move regularly to identify and patch in this way seems like yet another way to raise the cost for bad actors.”

In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

Facebook also said Thursday that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.

#apps, #computer-security, #nso-group, #security, #social-media, #vulnerability, #whatsapp

Security bugs let these car hackers remotely control a Mercedes-Benz

Few could ever forget back in 2015 when security researchers Charlie Miller and Chris Valasek remotely killed a Jeep’s engine on a highway with a Wired reporter at the wheel.

Since then, the car hacking world has bustled with security researchers looking to find new bugs — and ways to exploit them — in a new wave of internet-connected cars that have only existed the past decade.

This year’s Black Hat security conference — albeit virtual, thanks to the coronavirus pandemic — is no different.

Security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.

Most modern cars are equipped with an internet connection, giving passengers access to in-car entertainment, navigation and directions, and more radio stations than you can choose from. But hooking up a car to the internet puts it at greater risk of remote attacks — precisely how Miller and Valasek hijacked that Jeep, which ended up in a ditch.

Although vehicle security has gotten better over the past half-decade, Sky-Go’s researchers showed that not even one of the most recent Mercedes-Benz models are impervious to attacks.

In a talk this week, Minrui Yan, head of Sky-Go’s security research team, said the 19 security vulnerabilities were now fixed, but could have affected as many as two million Mercedes-Benz connected cars in China.

Katharina Becker, a spokesperson for Mercedes’ parent company Daimler, pointed to a company statement published late last year after it patched the security issues. The spokesperson said Daimler could not corroborate the estimated number of affected vehicles.

“We addressed all findings and fixed all vulnerabilities that could be exploited before any vehicle in the market was affected,” said the spokesperson.

After more than a year of research, the end result was a series of vulnerabilities that formed an attack chain that could remotely control the vehicle.

To start, the researchers built a testbench to reverse-engineer the car’s components to look for vulnerabilities, dumping the car’s software and analyzing the car’s internals for vulnerabilities.

The researchers then obtained a Series-E car to verify their findings.

At the heart of the research is the E-Series’ telematics control unit, or TCU, which Yan said is the “most crucial” component of the car, as it allows the vehicle to communicate with the internet.

By tampering with the TCU’s file system, the researchers got access to a root shell — a way to run commands with the highest level of access to the vehicle’s internals. With root shell access, the researchers could remotely open the car’s doors.

The TCU file system also stores the car’s secrets, like passwords and certificates, which protect the vehicle from being accessed or modified without proper authorization. But the researchers were able to extract the passwords of several certificates for several different regions, including Europe and China. By obtaining the vehicle’s certificates and their passwords, the researchers could gain deep access to the vehicle’s internal network. The car’s certificate for the China region had a weak password, Yan said, making it easier to hijack a vulnerable car in the country.

Yan said the goal was to get access to the car’s back end, the core of the vehicle’s internal network. As long as the car’s back-end services can be accessed externally, the car is at risk of attacks, the researchers said.

The way the researchers did this was by tearing down the vehicle’s embedded SIM card, which allows the car to talk to the cell networks. A security feature meant the researchers couldn’t plug the SIM into a router without freezing access to the cell network. The researchers modified their router to spoof the vehicle, effectively making the cell network think it was the car.

With the vehicle’s firmware dumped, the networking protocols understood and its certificates obtained and cracked, the researchers say they could remotely control an affected vehicle.

The researchers said the car’s security design was tough and able to withstand a number of attacks, but it was not impervious.

“Making every back-end component secure all the time is hard,” the researchers said. “No company can make this perfect.”

But at least in the case of Mercedes-Benz, its cars are a lot more secure than they were a year ago.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com

#automotive, #black-hat-2020, #cars, #china, #computer-security, #def-con-2020, #hacking, #in-car-entertainment, #mercedes-benz, #qihoo-360, #security, #sedans, #vulnerability

Hackers say ‘jackpotting’ flaws tricked popular ATMs into spitting out cash

In 2010, the late Barnaby Jack, a world-renowned security researcher, hacked an ATM live on stage at the Black Hat conference by tricking the cash dispenser into spitting out a stream of dollar bills. The technique was appropriately named “jackpotting.”

A decade on from Jack’s blockbuster demo, security researchers are presenting two new vulnerabilities in Nautilus ATMs, albeit virtually, thanks to the coronavirus pandemic.

Security researchers Brenda So and Trey Keown at New York-based security firm Red Balloon say their pair of vulnerabilities allowed them to trick a popular standalone retail ATM, commonly found in stores rather than at banks, into dispensing cash at their command.

A hacker would need to be on the same network as the ATM, making it more difficult to launch a successful jackpotting attack. But their findings highlight that ATMs often have vulnerabilities that lie dormant for years — in some cases since they were first built.

Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Now, 10 years later, two security researchers have found two new ATM cash-spitting attacks. Credit: YouTube

So and Keown said their new vulnerabilities target the Nautilus ATM’s underlying software, a decade-old version of Windows that is no longer supported by Microsoft. To begin with, the pair bought an ATM to examine. But with little documentation, the duo had to reverse-engineer the software inside to understand how it worked.

The first vulnerability was found in a software layer known as XFS — or Extensions for Financial Services — which the ATM uses to talk to its various hardware components, such as the card reader and the cash dispensing unit. The bug wasn’t in XFS itself, rather in how the ATM manufacturer implemented the software layer into its ATMs. The researchers found that sending a specially crafted malicious request over the network could effectively trigger the ATM’s cash dispenser and dump the cash inside, Keown told TechCrunch.

The second vulnerability was found in the ATM’s remote management software, an in-built tool that lets owners manage their fleet of ATMs by updating the software and checking how much cash is left. Triggering the bug would grant a hacker access to a vulnerable ATM’s settings.

So told TechCrunch it was possible to switch the ATM’s payment processor with a malicious, hacker-controlled server to siphon off banking data. “By pointing an ATM to a malicious server, we can extract credit card numbers,” she said.

Bloomberg first reported the vulnerabilities last year when the researchers privately reported their findings to Nautilus. About 80,000 Nautilus ATMs in the U.S. were vulnerable prior to the fix, Bloomberg reported. We contacted Nautilus with questions but did not hear back.

Successful jackpotting attacks are rare but not unheard of. In recent years, hackers have used a number of techniques. In 2017, an active jackpotting group was discovered operating across Europe, netting millions of euros in cash.

More recently, hackers have stolen proprietary software from ATM manufacturers to build their own jackpotting tools.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com

#banking, #black-hat-2020, #computing, #def-con-2020, #europe, #hacker, #hacking, #microsoft-windows, #nautilus, #new-york, #payment-processor, #science-and-technology, #security, #technology, #united-states, #vulnerability