November 5, 2019 – HNN #240

 

 

This week, aggressive IoT malware that’s forcing Wi-Fi routers to join its botnet army, Google discloses Chrome Zero-Day exploited in the wild on Halloween, the first Bluekeep exploit found in the wild, and oC Exploits Published for Unpatched RCE Bugs in rConfig! In the expert commentary, we welcome Sean O’Brien, Founder and CEO of PrivacySafe, to talk about Siri, Alexa, and Google Assistant hacked via Laser Beam!

To learn more about PrivacySafe, visit: https://securityweekly.com/privacysafe

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor’s Page

November 5, 2019

  1. Solar, Wind Power Utility Disrupted in Rare Cyberattack – sPower, a Utah-based wind and solar provider, began experiencing a series of lost connections between its main control center and remote power-generation sites. The brief, intermittent periods of downtime were determined to be the result of a denial-of-service (DoS) attack, according to documents obtained via the Freedom of Information Act (FOIA) by E&E News, a utility-industry trade publication. That operational disruption makes the attack the first of its kind in the country. “This disrupted the organization’s ability to monitor the current status of its power-generation systems. The utility industry refers to this type of incident as ‘loss of view,’” explained Phil Neray, vice president of industrial cybersecurity at CyberX, in an interview with Threatpost.
  2. Thousands of Xiaomi FURRYTAIL pet feeders exposed to hack – There are two vulnerabilities here, one seems to be an API that does not have authentication, allowing remote attackers to change the feeding schedule, and an exploitable WiFi driver: The researcher explained that the devices were exposed online without authentication, she was able to change feeding schedules. The expert also discovered that the devices were also using the Wi-Fi ESP8266 chipset that is affected by a flaw that could be exploited by an attacker to download and install new firmware, and reboot Xiaomi FurryTail pet feeders.
  3. QSnatch malware already infected thousands of QNAP NAS devices – Attackers are infecting firmware using techniques I discussed several years ago: “The original infection method remains unknown, but during that phase malicious code is injected to the firmware of the target system, and the code is then run as part of normal operations within the device. After this the device has been compromised. The malware uses domain generation algorithms to retrieve more malicious code from C2 servers.” At the time the infection vector is still unclear, once the malware access to a vulnerable device the malicious code is injected into the firmware to gain reboot persistence.
  4. This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army | ZDNet – And the armies are fighting: In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them. The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware. “The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device’s resources when launching attacks,” Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division, told ZDNet. “As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device’s full resources dedicated to its attack”.
  5. On Halloween night, Google discloses Chrome zero-day exploited in the wild | ZDNet – late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day. “Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild,” Google engineers said in a blog post announcing the new v78.0.3904.87 release. The actively-exploited zero-day was described as a use-after-free bug in Chrome’s audio component. Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to use memory space that is no longer assigned to it, after being freed and assigned to another app. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios.
  6. First Bluekeep Exploit Found in the Wild – Bluekeep is, of course, the “RDP vulnerability” is being exploited in the wild: Kevin Beaumont (@GossiTheDog), who discovered Bluekeep, found the exploit when his Bluekeep honeypots began crashing this past weekend. He shared his data with researcher Marcus Hutchins, who verified the results. In analyzing the code crashing the honeypots, Hutchins found the obfuscated payload ultimately installed a cryptocurrency miner on the victim system. “It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized,” Hutchins wrote in a blog post sharing the exploit’s analysis.
  7. PoC Exploits Published for Unpatched RCE Bugs in rConfig | SecurityWeek.Com – An open source network device configuration management utility, rConfig provides network engineers with the ability to take snapshots of routing tables, MACs, and running configurations, among others, and can also help improve overall network security. rConfig is impacted by two remote code execution (RCE) vulnerabilities, one unauthenticated (CVE-2019-16662) and another authenticated (CVE-2019-16663), penetration tester Mohammad Askar explains. I’ve reviewed the published exploit code and it appears these are failry simple remote command injection vulnerabilities, of course the unauthenticated one is pretty bad. No patches have been issues and rConfig developers were notified in September.
  8. Alexa, Siri, Google Smart Speakers Hacked Via Laser Beam – The attack, dubbed “light commands,” leverages the design of smart assistants’ microphones. These are called microelectro-mechanical systems (MEMS) microphones, which work by converting sound (voice commands) into electrical signals – but in addition to sound, researchers found that MEMS microphones also react to light being aimed directly at them. Researchers said that they were able to launch inaudible commands by shining lasers – from as far as 110 meters, or 360 feet – at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant.

Expert Commentary: Sean O’Brien, PrivacySafe

Sean is a lecturer in cybersecurity at Yale Law School and leads Yale Privacy Lab as a respected voice in global debates about privacy, security, and digital rights. Sean founded PrivacySafe as a hardware 860replacement for untrustworthy cloud storage services.

Segment Topic:
Researchers hack Siri, Alexa, and Google Home by shining lasers at them

Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN. Even when the systems require authentication for certain actions, it may be feasible to brute force the PIN, since many devices don’t limit the number of guesses a user can make. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window.

The attack exploits a vulnerability in microphones that use micro-electrical-mechanical-systems or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound. While the researchers tested only Siri, Alexa, Google Assistant, Facebook Portal, and a small number of tablets and phones, the researchers believe all devices that use MEMS microphones are susceptible to Light Commands attacks.

Hosts

Paul Asadoorian
Paul Asadoorian – Founder & CTO

Guests

Sean O'Brien
Sean O’Brien – Founder and CEO

Announcements

  • We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand