For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities.

The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Citizen Lab and Reuters, that they betrayed those using them to spy for the CIA.

Citing a year-long investigation into the CIA’s handling of its informants, Reuters on Thursday reported that Iranian engineer Gholamreza Hosseini had been identified as a spy by Iranian intelligence, thanks to CIA negligence.

“A faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture him,” the Reuters report stated.

Word of a catastrophic failure in CIA operational security initially surfaced in 2018, when Yahoo! News reporters Zach Dorfman and Jenna McLaughlin revealed “a compromise of the agency’s internet-based covert communications system used to interact with its informants.”

The duo’s report indicated that the system involved a website and claimed “more than two dozen sources died in China in 2011 and 2012” as a result of the compromise. Also, 30 operatives in Iran were said to have been identified by Iranian intelligence, fewer of whom were killed as a consequence of discovery than in China.

Blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites

Reuters found one of the CIA websites, iraniangoals[.]com, in the Internet Archive and told Citizen Lab about the site earlier this year. Bill Marczak, from Citizen Lab, and Zach Edwards, from analytics consultancy Victory Medium, subsequently examined the website and deduced that it had been part of a CIA-run network of nearly 900 websites, localized in at least 29 languages, and intended for viewing in at least 36 countries.

These websites, said to have operated between 2004 and 2013, presented themselves as harmless sources of news, weather, sports, healthcare, or other information. But they are alleged to have facilitated covert communications, and to have done serious harm to the US intelligence community and to those risking their lives to help the United States.

“The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps,” Citizen Lab explains in its report. “In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.”

The websites were designed to look like common commercial publications but included secret triggering mechanisms to open a covert communication channel. For example, the supposed search box on iraniangoals[.]com is actually a password input field to access such its hidden comms functionality – which you’d never guess unless you inspected the website code to see the input field identified as type="password" or unless the conversion of text input into hidden • characters gave it away.

Entering the appropriate password opened a messaging interface that spies could use to communicate.

The encrypted messaging widgets from CIA can be found on websites in numerous languages, & technical fingerprints made it possible to find more websites within the network, even nearly a decade after they had been taken down, thanks to the @waybackmachine. Did the CCP know too? https://t.co/5CFa11mFbT

— Zach Edwards (@thezedwards) September 29, 2022

Citizen Lab says it has limited the details contained in its report because some of the websites point to former and possibly still active intelligence agents. It says it intends to disclose some details to US government oversight bodies. The security group blames the CIA’s “reckless infrastructure” for the alleged agent deaths. Zach Edwards put it more bluntly on Twitter.

“Sloppy ass website widget architecture plus ridiculous hosting/DNS decisions by CIA/CIA contractors likely resulted in dozens of CIA spies being killed,” he said.

What makes the infrastructure ridiculous or reckless is that many of the websites had similarities with others in the network and that their hosting infrastructure appears to have been purchased in bulk from the same internet providers and to have often shared the same server space.

“The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street,” Reuters explained.

Such basic errors continue to trip up spy agencies. Investigative research group Bellingcat, for example, has used the sequential numbering of passports to help identify the fake personas of Russian GRU agents. It described this blunder as “terrible spycraft.”

[…]

Source: CIA betrayed informants with shoddy covert comms websites • The Register

Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.

[…]

shows employee credentials(password) being sent to Google while logging into the company’s Alibaba Cloud Account.

otto-js co-founder &  CTO Josh Summitt discovered the spellcheck leak while testing the company’s script behaviors detection.

“If ‘show password’ is enabled, the feature even sends your password to their 3rd-party servers.  While researching for data leaks in different browsers, we found a combination of features that, once enabled, will unnecessarily expose sensitive data to 3rd Parties like Google and Microsoft.  What’s concerning is how easy these features are to enable and that most users will enable these features without really realizing what is happening in the background.” Josh Summitt

[…]

oth security teams from AWS and LastPass have responded to the outreach and both have already mitigated the issue.

• Office 365
• Alibaba – Cloud Service
• Google Cloud – Secret Manager
• AWS – Secrets Manager (UPDATE: has already fully mitigated the issue)
• LastPass (UPDATE: has already fully mitigated the issue) 

[…]

Source: Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords | otto

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. described what it called Morgan Stanley’s “extensive failures,” over a five-year period beginning in 2015, to safeguard customer information, in part by not properly disposing of hard drives and servers that ended up for sale on an internet auction site.

On several occasions, the commission said, Morgan Stanley hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers containing the personal information of millions of its customers. The moving company then sold thousands of the devices to a third party, and the devices were then resold on an unnamed internet auction site, the commission said. An information technology consultant in Oklahoma who bought some of the hard drives on the internet chastised Morgan Stanley after he found that he could still access the firm’s data on those devices.

Morgan Stanley is “a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware,” the consultant wrote in an email to Morgan Stanley in October 2017, according to the S.E.C. The firm should, at a minimum, get “some kind of verification of data destruction from the vendors you sell equipment to,” the consultant wrote, according to the S.E.C. Morgan Stanley eventually bought the hard drives back from the consultant. Morgan Stanley also recovered some of the other devices that it had improperly discarded, but has not recovered the “vast majority” of them, the commission said. The settlement also notes that Morgan Stanley “had not properly disposed of consumer report information when it decommissioned servers from local offices and branches as part of a ‘hardware refresh program’ in 2019,” reports the Times. “Morgan Stanley later learned that the devices had been equipped with encryption capability, but that it had failed to activate the encryption software for years, the commission said.”

Source: Morgan Stanley Hard Drives With Client Data Turn Up On Auction Site – Slashdot

Electronics Arts (EA) is launching a new kernel-level anti-cheat system for its PC games. The EA AntiCheat (EAAC) will debut first in FIFA 23 later this fall and is a custom anti-cheat system developed in-house by EA developers. It’s designed to protect EA games from tampering and cheaters, and EA says it won’t add anti-cheat to every game and treat its implementation on a case-by-case basis.

“PC cheat developers have increasingly moved into the kernel, so we need to have kernel-mode protections to ensure fair play and tackle PC cheat developers on an even playing field,” explains Elise Murphy, senior director of game security and anti-cheat at EA. “As tech-inclined video gamers ourselves, it is important to us to make sure that any kernel anti-cheat included in our games acts with a strong focus on the privacy and security of our gamers that use a PC.”

Kernel-level anti-cheat systems have drawn criticism from privacy and security advocates, as the drivers these systems use are complex and run at such a high level that if there are security issues, then developers have to be very quick to address them.

[…]

EA’s anti-cheat system will run at the kernel level and only runs when a game with EAAC protection is running. EA says its anti-cheat processes shut down once a game does and that the anti-cheat will be limited to what data it collects on a system. “EAAC does not gather any information about your browsing history, applications that are not connected to EA games, or anything that is not directly related to anti-cheat protection,” says Murphy.

[…]

Source: EA announces kernel-level anti-cheat system for PC games – The Verge

The problem is that you can’t actually see what they are doing because it’s kernel level. It’s your OS running on your PC, they have no right to inflitrate your PC at this level – aside from it being dangerous from a security standpoint. This is a bit like putting a guy into each room of your house and saying it’s no problem, hopefully they won’t steal anything and most likely they won’t tell anyone what you are doing and what you are talking about. And they probably leave some when you are not using your house.

[…]

The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them.

An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account.

[…]

Microsoft Teams is an Electron app, meaning that it runs in a browser window, complete with all the elements required by a regular web page (cookies, session strings, logs, etc.).

Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.

Vectra analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client apps, and found an ldb file with access tokens in clear text.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

Additionally, the analysts discovered that the “Cookies” folder also contained valid authentication tokens, along with account information, session data, and marketing tags.

Finally, Vectra developed an exploit by abusing an API call that allows sending messages to oneself. Using SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their chat window.

[…]

Using this type of malware, threat actors will be able to steal Microsoft Teams authentication tokens and remotely login as the user, bypassing MFA and gaining full access to the account.

[…]

With a patch unlikely to be released, Vectra’s recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks.

[…]

Source: Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers.

Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the networking vendor is recommending customers upgrade to devices that aren’t vulnerable. To give you an idea of the potential age of this kit, Cisco stopped selling the RV110W and RV130 in 2017, and ended support for them this year.

“Cisco has not released and will not release software updates to address the vulnerability described in this advisory,” the supplier wrote in an advisory. “Customers are encouraged to migrate to Cisco Small Business RV132W, RV160, or RV160W Routers.”

It also said that there are no workarounds to mitigate the flaw.

That vulnerability, tracked as CVE-2022-20923 with a severity rating of “medium,” if exploited could enable an unauthenticated remote attacker to bypass authentication checks and freely access the device’s IPSec VPN.

“The attacker may obtain privileges that are the same level as an administrative user, depending on the crafted credentials that are used,” Cisco added. The flaw is the result of the improper implementation of a password validation algorithm, we’re told.

[…]

Source: Dump these routers, says Cisco, because we won’t patch them • The Register

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.

Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps’ backend Amazon-hosted servers and steal users’ data. The vast majority (98 percent) were iOS apps.

In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

Additionally, almost half (47 percent) contained valid AWS tokens providing full access to sometimes millions of private files via Amazon S3 buckets. These hard-coded AWS access tokens would be easy to extract and exploit, and reflect a serious supply-chain issue, Dick O’Brien, principal editor on Symantec’s Threat Hunter Team, told The Register.

[…]

In one case, a provider of B2B services gave out a mobile SDK to its customers to integrate into their applications. It turned out the SDK contained the provider’s cloud infrastructure keys, which potentially exposed all of its data — including financials, employee information, files on more than 15,000 medium and large-sized companies, and other information — that was stored on the platform.

The SDK had a hard-coded AWS token to access an Amazon-powered translation service. However, that token granted full access to the provider’s backend systems, rather than just the translation tool.

[…]

 

Source: Mobile banking apps put 300,000 digital fingerprints at risk • The Register

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that runs in the Windows kernel context, and on initial release that module kept running even after the game was closed.

That anti-cheat driver is back in the news, with Trend Micro discovering a ransomware campaign that includes mhyprot2.sys, the anti-cheat driver, as a component of the infection. The module is known to have vulnerabilities, and is still a signed kernel driver, so the malware campaign loads the driver and uses its functions to disable anti-malware protections.

The rest of the campaign is straightforward. Starting with access to a single domain-connected machine, an attacker uses that foothold to gain access to the domain controller. The malicious script is hosted on shared storage, and PsExec is used to run it on all the domain member machines. The real novelty here is the use of the vulnerable anti-cheat kernel driver as the anti-malware bypass. As far as we can tell, this driver is *still* signed and considered trustworthy by Windows. We join the call to Microsoft, to revoke this vulnerable driver, as it’s now actively being used in ongoing malware campaigns. For more on security, check out our weekly column on the topic,

Source: Genshin Security Impact | Hackaday

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks).

The presentation was significant because Deere – along with Apple – are the vanguard of the war on repair, a company that has made wild and outlandish claims about the reason that farmers must pay the company hundreds of dollars every time they fix their own tractors, and then wait for days for an authorized technician to come to their farm and type an unlock code.

Deere’s claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors don’t actually own those tractors, because the software that animates them is only licensed, not sold:

https://memex.craphound.com/2017/04/22/john-deere-just-told-the-copyright-office-that-only-corporations-can-own-property-humans-can-only-license-it/

They’ve also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply. While it’s true that the John Deere tractor monopoly means that defects in the company’s products could affect farms all around the world, it’s also true that John Deere is very, very bad at information security:

https://pluralistic.net/2021/04/23/reputation-laundry/#deere-john

The company’s insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking. Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts – for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

https://pluralistic.net/2022/05/31/dealers-choice/#be-a-shame-if-something-were-to-happen-to-it

And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs. Remember when they trumpeted the fact that they’d remotely bricked some Ukrainian Deere products that had been looted by Russian soldiers?

https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8

What they didn’t say – and what almost no one pointed out – was that this meant that anyone who could hack John Deere’s system could brick any tractor – including, say, the Russian military’s hacking squads. They also didn’t say that Ukrainian farmers had long chafed under Deere’s corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

https://www.vice.com/en/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware

And that means that the Russian looters who supposedly were foiled by Deere’s corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company’s monopolistic practices.

Which brings me back to Sickcodes and his awesome presentation at Defcon 30 this weekend. I watched from the front row, sitting next to the repair champion Kyle Wiens, founder of Ifixit, who turned his notes into an excellent Twitter thread:

https://twitter.com/kwiens/status/1558688970799648769

As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can’t be trusted to repair or modify their own tractors. This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Writing for Wired, Lily Hay Newman provides some great technical details on the hack, including how Sickcodes acquired (and accidentally broke!) several 2630 and 4240 touchscreen control units, eventually demounting the main controller and soldering it into a new board that he used to probe the system:

https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/

He discovered that the system was designed to send an extraordinary amount of data to John Deere – his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere’s information security practices. As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in 2018, and which was so bad that people forced to use it typically called it “Wince.”

Sickcodes discovered all kinds of security worst-practices in John Deere’s security – even in the parts of its security that were intended to secure the company’s profits from its own customers’ best interests. For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like “IAmADealer.txt” (I didn’t write down the exact filename, alas, but that’s not far off!).

Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I’m told that organizations that do legal enforcement of free/open licenses are now aware of this).

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere’s copyrights (the company even claims that locking down tractors is necessary to preventing music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What’s more, the company – which claims to be staunch defenders of copyright – use their copyright locks to hide the fact that they are committing serious breaches of software copyright.

In serious information security circles, it’s widely understood that “there is no security in obscurity” – that is, hiding how a system works doesn’t make it secure. Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

https://doctorow.medium.com/como-is-infosec-307f87004563

But there’s another problem with security through obscurity: when you don’t have to show your work to others, you can be sloppy. Whereas, if your work is open to inspection, your own aversion to being seen as slapdash will impose a rigor on your process, which will make the whole thing better:

https://doctorow.medium.com/the-memex-method-238c71f2fb46

With Deere’s security through obscurity, we see both pathologies on display. The company uses its opacity to commit sloppy security bugs, and also to cover up its violations of copyright law – and then, of course, it accuses its critics of being guilty of those two exact sins. Takes one to know one:

https://doctorow.medium.com/takes-one-to-know-one-104d7d749408

Sickcodes closed out by saying that while his hack required a lot of fiddling with the hardware, he was already scheming to build a little tool that could access and jailbreak a tractor without ripping chips off a board or doing a lot of soldering.

And then he played a custom, farm-themed version of Doom on his jailbroken tractor controller.

Source: Pluralistic: 15 Aug 2022 – Pluralistic: Daily links from Cory Doctorow

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security conference in Las Vegas on Saturday, the hacker known as Sick Codes is presenting a new jailbreak for John Deere & Co. tractors that allows him to take control of multiple models through their touchscreens.

The finding underscores the security implications of the right-to-repair movement. The tractor exploitation that Sick Codes uncovered isn’t a remote attack, but the vulnerabilities involved represent fundamental insecurities in the devices that could be exploited by malicious actors or potentially chained with other vulnerabilities.

[…]

Sick Codes, an Australian who lives in Asia, presented at DefCon in 2021 about tractor application programming interfaces and operating system bugs. After he made his research public, tractor companies, including John Deere, started fixing some of the flaws. “The right-to-repair side was a little bit opposed to what I was trying to do,” he tells WIRED. “I heard from some farmers; one guy emailed me and was like ‘You’re fucking up all of our stuff!’ So I figured I would put my money where my mouth is and actually prove to farmers that they can root the devices.”

This year, Sick Codes says that while he is primarily concerned about world food security and the exposure that comes from vulnerable farming equipment, he also sees important value in letting farmers fully control their own equipment. “Liberate the tractors!” he says.

[…]

Facing mounting pressure, John Deere announced in March that it would make more of its repair software available to equipment owners. The company also said at the time that it will release an “enhanced customer solution” next year so customers and mechanics can download and apply official software updates for Deere equipment themselves, rather than having John Deere unilaterally apply the patches remotely or force farmers to bring products to authorized dealerships.

“Farmers prefer the older equipment simply because they want reliability. They don’t want stuff to go wrong at the most important part of the year when they have to pull stuff out of the ground,” Sick Codes says. “So that’s what we should all want too. We want farmers to be able to repair their stuff for when things go wrong, and now that means being able to repair or make decisions about the software in their tractors.”

[…]

He found that when the system thought it was in such an environment, it would offer more than 1.5 GB worth of logs that were meant to help authorized service providers diagnose problems. The logs also revealed the path to another potential timing attack that might grant deeper access. Sick Codes soldered controllers directly onto the circuit board and eventually got his attack to bypass the system’s protections.

“I launched the attack, and two minutes later a terminal pops up,” Sick Codes says of the program used to access a computer’s command-line interface. “I had root access, which is rare in Deere land.”

[…]

 

Source: A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave | WIRED

Source: Github / ocsf

Still a lot of work to be done in the schema but it’s a start

[…]

The issue occurred when a user created or revoked a shared invitation link for their workspace. The good news is that the password wasn’t plaintext, and it wasn’t visible in any Slack clients. The bad news is that it could be picked up by monitoring encrypted traffic from Slack’s servers, and it appears that all users who created or revoked those links between April 17, 2017, and July 17, 2022, are affected.

Slack said only 0.5 percent of users were affected, which doesn’t sound too terrible until you consider how many Slack users are out there. While getting a definitive user figure for any chat platform is tricky and varies depending on what measure the vendor is using, it is safe to assume Slack has 10 million or more daily active users, meaning that at least 50,000 could have been affected. We asked the company to confirm this, and will update if there is a response.

Slack lays claim to over 169,000 paid customers and says “millions of people around the world use Slack to connect their teams.”

The company was informed of the issue by an independent security researcher on July 17, and swiftly fixed the issue before assessing the scale of the impact. “We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue,” it insisted, but has still reset the passwords of affected users regardless.

It also recommends the inevitable move to two-factor authentication and the use of unique passwords for every service in use.

[…]

Source: Slack exposed hashed passwords for years • The Register

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here’s the bottom line of the ‘31656 bug, according to VMware: “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.” Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can’t be applied.

While the virtualization giant isn’t aware of any in-the-wild exploits (so far at least) of the newer vulnerability, “it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware warned in an advisory. “If your organization uses ITIL methodologies for change management, this would be considered an ’emergency’ change.”

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he’ll soon release a proof-of-concept exploit for the bug. So to be perfectly clear: stop what you are doing and immediately assess and if necessary patch this flaw before miscreants find and exploit it, which they are wont to do with VMware vulns.

Tenable’s Claire Tills, a senior research engineer with the firm’s security response team, noted that CVE-2022-31656 is especially worrisome in that a miscreant could use it to exploit other bugs that VMware disclosed in this week’s security push.

“It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release,” she wrote.

She’s referring to two remote code execution (RCE) flaws, CVE-2022-31658 and CVE-2022-31659, also discovered by Petrus Viet that would allow an attacker with admin-level network access to remotely deploy malicious code on a victim’s machine. Thus someone could use the ‘31656 to login with administrative powers, and then exploit the other bugs to pwn a device.

Both of these, ‘31658 and ‘31659, are dubbed “important” by VMware and ranked with a CVSS score of 8.0. And similar to the critical vuln that can be used in tandem with these two RCE, both affect VMware Workspace ONE Access, Identity Manager and vRealize Automation products.

In other patching news, the rsync project released updates to fix a vulnerability, tracked as CVE-2022-29154, that could allow miscreants to write arbitrary files inside directories of connecting peers.

Rsync is a tool for transferring and syncing files between remote and local machines, and exploiting this vulnerability could allow “a malicious rysnc server (or Man-in-The-Middle attacker) [to] overwrite arbitrary files in the rsync client target directory and subdirectories,” according to researchers Ege Balci and Taha Hamad, who discovered the bug.

That means a malicious server or MITM could overwrite, say, a victim’s ssh/authorized_keys file.

While these three VMware vulns deserve top patching priority, there are some other nasty bugs in the bunch. This includes three local privilege-escalation vulnerabilities (CVE-2022-31660, CVE-2022-31661 and CVE-2022-31664) in VMware Workspace ONE Access, Identity Manager, and vRealize Automation.

All three received CVSS scores of 7.8 and successful exploits would allow criminals with local access to escalate privileges to root — and from there, pretty much do whatever they want, such as steal information, install a backdoor, inject a trojan, or shut down the system entirely.

[…]

Source: VMware patches critical admin authentication bypass bug • The Register

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security.

The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.”

One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a specially crafted HTTP request to bypass custom Servlet Filters used by third-party apps to enforce authentication.

The scary part is that the flaw allows a remote, unauthenticated attacker to bypass authentication used by third-party apps. The really scary part is that Atlassian doesn’t have a definitive list of apps that could be impacted.

“Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability,” it added.

The same CVE can also be exploited in a cross-site scripting attack: a specially crafted HTTP request can bypass the Servlet Filter used to validate legitimate Atlassian Gadgets. “An attacker that can trick a user into requesting a malicious URL can execute arbitrary JavaScript in the user’s browser,” Atlassian explains.

The second flaw – CVE-2022-26137 – is a cross-origin resource sharing (CORS) bypass.

Atlassian explains it as follows: “Sending a specially crafted HTTP request can invoke the Servlet Filter used to respond to CORS requests, resulting in a CORS bypass. An attacker that can trick a user into requesting a malicious URL can access the vulnerable application with the victim’s permissions.”

Confluence users have another flaw to worry about: CVE-2022-26138 reveals that one of its Confluence apps has a hard-coded password in place to help migrations to the cloud. It explained:

Source: Atlassian reveals critical flaws across its product line • The Register

[…]

“The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.”

“It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip to efiXplorer.

Lenovo has published an advisory on the matter this week: the CVE identifiers are CVE-2022-1890, CVE-2022-1891, CVE-2022-1892. All are related to buffer overflows and carry the risk that an attacker with local privileges will be able to execute arbitrary code. Their severity was rated as medium.

As for mitigation, updating the firmware is pretty much all customers can do, although not all products are affected by all three vulnerabilities. All of the products, however, do seem to be hit by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver.

The disclosure follows another three vulnerabilities patched in April, also concerned with UEFI on Lenovo kit. UEFI, or Unified Extensible Firmware Interface, is the glue connecting a device’s firmware with the operating system on top. A vulnerability there could potentially be exploited before a device gets a chance to boot its operating system and fire up malware protections, allowing the computer to become deeply infected and compromised.

ESET research noted that the flaws were a result of “insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable.”

These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6 pic.twitter.com/HC5ow6KTN0

— ESET research (@ESETresearch) July 13, 2022

ThinkPad hardware is not affected, probably to the relief of harassed enterprise administrators around the world. Other Lenovo device users should check the list and perform a firmware update if needed.

[…]

Source: Lenovo fixes trio of UEFI vulnerabilities • The Register

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root.

Fixes for these XKB vulnerabilities have been patched in X.Org Server Git and xorg-server 21.1.4 point release is expected soon with these fixes. Both vulnerabilities were discovered by Trend Micro’s Zero Day Initiative.

More details in today’s X.Org Security Advisory.

Update: X.Org Server 21.1.4 is now available. In addition to these security fixes there is also a large number of XQuartz fixes from Apple, a GCC 12 build fix in the render code, a possible crash fix in the PRESENT code, and various other small fixes.

Source: X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities – Phoronix

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property.

Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and FBI director Chris Wray argued that Beijing’s Made in China 2025 program and other self-sufficiency tech goals can’t be achieved without a boost from illicit activities.

“This means standing on your shoulders to get ahead of you. It means that if you are involved in cutting-edge tech, AI, advanced research or product development, the chances are your know-how is of material interest to the Chinese Communist Party,” said McCallum.

“And if you have, or are trying for, a presence in the Chinese market, you’ll be subject to more attention than you might think,” he added.

The Chinese Government sees cyber as the pathway to cheat and steal on a massive scale

McCallum described China’s efforts to acquire Western expertise, technology, research as a planned and professional “coordinated campaign on a grand scale” that has been strategically executed across decades.

China’s efforts have stepped up significantly, McCallum said, with MI5 running seven times as many investigations against Chinese activity today than in 2018.

“The most game-changing challenge we face comes from the Chinese Communist Party. It’s covertly applying pressure across the globe,” said McCallum. Threats MI5 is working to counter include covert theft of trade secrets, patient cultivation of contacts, and establishing a “debt of obligation.” Advanced persistent threats are deployed when needed, too.

The MI5 director also warned that China was working to change attitudes to suit the Chinese Communist Party’s interests and support it dominating the international order – and playing the long game to normalize mass theft as “the cost of doing business these days.”

Wray added that in the US, China’s efforts spare none and are visible in both big cities and small towns, Fortune 500s and startups, and across everything from aviation, to AI, to pharma.

The FBI director then referred to China’s hacking program as “lavishly resourced” and “bigger than that of every other major country combined.”

“The Chinese Government sees cyber as the pathway to cheat and steal on a massive scale,” said Wray.

Wray said the efforts were not just big, they were effective, offering the following insight on cyber attacks:

Over the last few years, we’ve seen Chinese state-sponsored hackers relentlessly looking for ways to compromise unpatched network devices and infrastructure.

And Chinese hackers are consistently evolving and adapting their tactics to bypass defenses. They even monitor network defender accounts and then modify their campaign as needed to remain undetected.

They merge their customized hacking toolset with publicly available tools native to the network environment—to obscure their activity by blending into the ‘noise’ and normal activity of a network.

However, he warned, it’s not just through hacking that the Chinese state-backed threats act, but “by making investments and creating partnerships that position their proxies to steal valuable technology.”

Wray described all Chinese companies as beholden to the Chinese Communist Party (CCP) in some form, with the government disguising its intent to obtain influence.

Efforts include creating elaborate shell games to outsmart government investment-screening programs, passing statutes like the 2015 critical infrastructure law that requires companies to store data domestically and convenient for government access. He cited a 2020 law that required malware-laden Chinese software be used by foreign companies filing taxes – forcing the companies into installing their own backdoors – as another example of the CCP at work.

On the same day as the two spook bosses issued their warnings, the US National Counterintelligence and Security Center issued a bulletin [PDF] offering more detail of China’s efforts by detailing tactics used by Beijing to infiltrate US business and government for the purpose of exerting influence.

Know your foe

The FBI, NCSC, and MI5 all warned against confusing the Chinese diaspora with the CCP and Beijing.

“If my remarks today elicit accusations of Sinophobia, from an authoritarian CCP, I trust you’ll see the irony,” said Wray.

Liu Pengyu, spokesperson for China’s embassy in Washington, responded on Wednesday denying interference, accusing the US of cyberattacks itself and characterizing criticism as “US politicians who have been tarnishing China’s image and painting China as a threat with false accusations.”

China’s foreign minister Wang Yi and US secretary of state Antony Blinken are scheduled to meet at the G20 Foreign Ministers’ meeting this week. The agenda, according to Chinese state-sponsored media is “to exchange views on current China-US relations and major international and regional issues.”

Source: FBI and MI5 bosses: China cheats and steals at massive scale • The Register

[…]

Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights.

But as documented by hacker Eaton Zveare, this functionality could also be abused by threat actors to access the personal information of hot tub owners worldwide, including their names and email addresses. It’s unclear how many users are potentially impacted, but the SmartTub app has been downloaded more than 10,000 times on Google Play.

[…]

Eaton first noticed a problem when he tried to log in using the SmartTub web interface, which uses third-party identity provider Auth0, and found that the login page returned an “unauthorized” error. But for the briefest moment Zveare saw the full admin panel populated with user data flash on his screen.

“Blink and you’d miss it. I had to use a screen recorder to capture it,” Zveare said. “I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the U.S.” These brands include others under different Jacuzzi brands, including Sundance Spa, D1 Spas and ThermoSpas.

Eaton then tried to bypass the restrictions and obtain full access. He used a tool called Fiddler to intercept and modify some code that told the website that he was an admin rather than an ordinary user. The bypass was successful, enabling Zveare to access the admin panel in full.

“Once into the admin panel, the amount of data I was allowed to [access] was staggering. I could view the details of every spa, see its owner and even remove their ownership,” he said. “It would be trivial to create a script to download all user information. It’s possible it’s already been done.”

Things got worse when Zveare discovered a second admin panel while reviewing the source code of the Android app allowing him to view and modify the serial numbers of products, see a list of licensed hot tub dealers and view manufacturing logs.

[…]

 

Source: Security flaws in internet-connected hot tubs exposed owners’ personal data | TechCrunch

The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the “applicant” for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, “database, and software-related job functions”. Some of the targeted jobs required access to customers’ personal information, financial data, large databases and/or proprietary information.

“In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually,” said the FBI in a public service announcement.

To lend an air of authenticity to their applications, the dodgy job seekers used stolen personal identification information. The victims whose data was stolen reported their identities being used for pre-employment background checks and more.

[…]

Source: FBI warns crooks are using deepfake videos in job interviews • The Register

[…]Cisco has just released fixes for seven flaws, two of which are not great.

First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your kit or somehow mitigate the risk.

[…]

The first security flaw, tracked as CVE-2022-20798, is an authentication bypass vulnerability in the virtual and hardware versions of Cisco Secure Email and Web Manager, and the Cisco Email Security Appliance. It occurs when the device uses Lightweight Directory Access Protocol (LDAP) for external authentication, and the good news is that Cisco disables external authentication by default.

A remote user could exploit the flaw “by entering a specific input on the login page of the affected device,” the networking titan warned in a security advisory this week. Once the intruder has gained unauthorized access, they could perform any number of illicit actions from the web-based interface including crashing the device.

Another high-severity flaw, CVE-2022-20664, in these same virtual and hardware appliances could allow a remote, authenticated user to steal credentials from a LDAP external authentication server connected to a device. However, exploiting this bug would require valid operator-level, or higher, credentials. It received a CVSS score of 7.7, and Cisco issued a software update to fix this bug, too.

More e-waste

The second critical vulnerability exists in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, which the vendor stopped selling [PDF] in 2019. Cisco isn’t issuing a fix for this one, and said there’s no workaround. Instead, customers should upgrade to newer hardware.

The flaw, tracked as CVE-2022-20825, also received a 9.8 CVSS score, and it’s due to insufficient user input validation of incoming HTTP packets.

“An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface,” according to Cisco’s security alert. “A successful exploit could allow the attacker to execute arbitrary commands on an affected device using root-level privileges,” and also stop and restart the device, resulting in a denial of service.

In addition to the two critical and one high-severity vulnerabilities, Cisco disclosed an additional four medium-severity flaws on Wednesday.

[…]

Source: Time to throw out those older, vulnerable Cisco SMB routers • The Register

GitHub has revealed it stored a “number of plaintext user credentials for the npm registry” in internal logs following the integration of the JavaScript package registry into GitHub’s logging systems.

The information came to light when the company today published the results of its investigation into April’s unrelated OAuth token theft attack, where it described how an attacker grabbed data including the details of approximately 100,000 npm users.

The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question “prior to the attack on npm.”

GitHub already sent out notifications for “known victims of third-party OAuth token theft” in April but today said it planned to “directly notify affected users of the plaintext passwords and GitHub Personal Access Tokens based on our available logs.”

Credentials in plaintext, eh? How very last century.

The number of users affected and how long the plaintext storage took place was not mentioned, but we’ve asked Github for more information. GitHub completed its acquisition of NPM Inc on 15 April 2020. Techies have already taken to the Hacker News messaging board to detail emails they received from npm.

[…]

Source: GitHub saved plaintext passwords of npm users in log files • The Register