A flaw in MySQL could allow rogue servers to steal files, a state agency exposes 3TB of data including FBI info, how cybercriminals clean their dirty money, a critical RCE flaw in Linux APT allows remote attackers to hack systems, and how to protect against a new breed of cyber attack! Jason Wood from Paladin Security joins us for expert commentary on how Attackers used a LinkedIn job ad and Skype call to breach a bank’s defense!
- A flaw in MySQL could allow rogue servers to steal files from clients – The flaw resides in the file transfer process between a client host and a MySQL server, it could be exploited by an attacker running a rogue MySQL server to access any data that could be read by the client…A client receives file-transfer requests from the MySQL server based on the information it provides in the LOAD DATA statement. A rogue server could send a LOAD DATA LOCAL statement to the client to get access to any file for which the client has read permission.
- 0patch releases micropatch for Windows Contacts RCE zero-day – Help Net Security – It is difficult to trust 3rd party patches, yet here we are: 0patch is a solution that aims to fix 0days, unpatched vulnerabilities, end-of-life and unsupported products, provide patches for legacy operating systems, as well as vulnerable third party components and customized software. Users who want to implement the micropatch have to install and register the 0patch agent.
- State agency exposes 3TB of data, including FBI info and remote logins – Oklahoma’s Department of Securities (ODS) exposed three terabytes of files in plain text on the public internet this month, which contained sensitive data including social security numbers, details of FBI investigations, credentials for remote access to computers, and the names of AIDS patients. Researchers at security company UpGuard found the files using the Shodan search engine, which indexes internet-connected devices. In this case, they ran across an unsecured rsync server registered to ODS.
- Microsoft partner portal ‘exposes ‘every’ support request filed worldwide’ today – Here is a fancy way to describe a situation that Microsoft is fixing and had very little impact: Another Microsoft small biz specialist contacted us to say “Logged on to my Microsoft Partner portal to check status of a ticket I have open with them only to see lots of tickets which are not ours”. With no customer details being visible, it is unlikely this embarrassing SNAFU will get MS in trouble with data protection laws or watchdogs. However, the cockup will leave the American multinational with more than a few red faces.
- Get in the bin: Let’s Encrypt gives admins until February 13 to switch off TLS-SNI – The attack looks like this: In January 2018, Let’s Encrypt discovered that validation based on TLS-SNI-01 and its planned successor TLS-SNI-02 could be abused. As we explained at the time: “A company might have investors.techcorp.com set up and pointed at a cloud-based web host to serve content, but not investor.techcorp.com. An attacker could potentially create an account on said cloud provider, and add a HTTPS server for investor.techcorp.com to that account, allowing the miscreant to masquerade as that business – and with a Let’s Encrypt HTTPS cert, too, via TLS-SNI-01, to make it look totally legit.”
- How Cybercriminals Clean Their Dirty Money – Criminals are a crafty bunch sometimes: According to news accounts, criminals were booking fake Airbnb stays to launder dirty money. They used credit cards and money transfers from mule accounts to book and pay for rooms through this peer-to-peer platform. All of this is conducted online and is a very effective way to turn illicit proceeds into legitimate earnings. Plus, it has the added advantage of moving many of these payments across borders.
- Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems – Get updating, er, but wait, what if your update software is vulnerable? Just today, a security researcher revealed details of a critical remote code execution flaw in Linux APT, exploitation of which could have been mitigated if the software download manager was strictly using HTTPS to communicate securely. Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions.
- Beware the man in the cloud: How to protect against a new breed of cyberattack – Help Net Security – So simple: To gain access to cloud accounts, MitC attacks take advantage of the OAuth synchronisation token system used by cloud applications. The majority of popular cloud services – Dropbox, Microsoft OneDrive, Google Drive, and more – each save one of these tokens on a user’s device after initial authentication is completed. This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token…Once executed on the victim’s device, this malware installs a new token (belonging to a new account that the attacker created) and moves the victim’s real token into a cloud sync folder. Then, when the victim’s device next syncs, it syncs the victim’s data to the attacker’s account instead of the victim’s.
- Clever Smartphone Malware Concealment Technique – Schneier on Security – This is a cat and mouse game: Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection — they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks. I’m sure you can emulate that, but can you detect the emulation of movement in an emulated environment?
- Attackers used a LinkedIn job ad and Skype call to breach banks defences – The attackers set up a Skype call to conduct an interview during which the individual was tricked into downloading a file called ApplicationPDF.exe, sent via a weblink, which subsequently infected the employee’s computer. There’s a technical side to what happened next which Flashpoint analyses in some detail based on what it knows about the malware used. The malware is said to have executed successfully enough that the attackers were able to explore the network for new security gaps. At some point, this was noticed and further probes were blocked. – Yes, you could block Skype, but playing wack-a-mole is a losing game. Training, awareness, secure file transfer solution, advanced endpoint security and more could have helped much better.
- Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution – Help Net Security – “A device manufacturer supplies appropriate firmware images and operating system device drivers, so during startup, a driver can upload firmware enabling its main functionality to the Wi-Fi SoC,” he explained. He discovered several vulnerabilities in the ThreadX proprietary firmware, but according to him the most interesting one is a block pool overflow that can be triggered without user interaction as the device scans for available networks. This vulnerability can be exploited when a Wifi device is looking for available networks, requiring no user interaction. The vulnerable chipsets are used in devices such as the Sony PlayStation 4, Microsoft Surface computers, Xbox One, Samsung Chromebooks and more.
Jason Wood – Founder; Primary Consultant, Paladin Security.
- RSA Conference 2019 is the place to be for the latest in cybersecurity data, innovation and thought leadership. From March 4-8, San Francisco will come alive with cybersecurity’s brightest minds as they gather together to discuss the industry’s new
- If you are interested in quality over quantity and having meaningful conversations instead of just a badge scan, join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals