News
Hi folks!
I'm back from a lovely snowboarding trip, and enjoying a few days off to catch up on some sleep :-)
Nothing Earth-shattering this week in security world, which is a good thing. But plenty of interesting articles to read and learn from. Enjoy!
P.S.: I'm looking around for a new sponsor. If your company wants to be featured next to the awesome 1Password, give me a shout.
Hacked WordPress sites use visitors' browsers to hack other sites
Good explanation of an interesting attack. Hacked sites will load a script in your browser which will retrieve a brute-forcing task from a C&C server. As long as the window is open, your browser will continue to brute force targets. Over 1,700 sites are infected with these scripts so far.
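The defensive point in that attack is that each infected visitor's browser makes only a few guesses, so a per-IP failure limit never fires; what stands out is one account being hit from many distinct clients at once. The detector below is an added example (not from the newsletter or the linked article) that scans constructed login-audit lines, in a format assumed for this example rather than any real plugin's, and reports accounts whose failures came from many IPs inside one window alongside what a classic per-IP limit would have caught.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (format assumed for this example, not any
# real plugin's): timestamp, outcome, targeted account, client IP.
SAMPLE_LOG = """\
2024-03-10T10:00:01Z FAIL user=admin ip=203.0.113.5
2024-03-10T10:00:09Z FAIL user=admin ip=198.51.100.7
2024-03-10T10:00:14Z FAIL user=admin ip=192.0.2.33
2024-03-10T10:00:20Z OK user=editor ip=192.0.2.80
2024-03-10T10:00:31Z FAIL user=admin ip=203.0.113.61
2024-03-10T10:00:45Z FAIL user=admin ip=198.51.100.120
2024-03-10T10:01:02Z FAIL user=admin ip=192.0.2.200
2024-03-10T10:05:00Z FAIL user=editor ip=192.0.2.80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_events(text):
    """Return (timestamp, result, user, ip) tuples for well-formed lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect(text, window=timedelta(minutes=10), min_ips=5, per_ip_limit=5):
    """Return (distributed, noisy_ips): accounts whose failed logins within one
    window came from >= min_ips distinct clients (many infected visitors, a few
    guesses each), and the IPs a classic per-IP failure limit would catch."""
    fails = [e for e in parse_events(text) if e[1] == "FAIL"]
    by_user, per_ip = defaultdict(list), defaultdict(int)
    for ts, _, user, ip in fails:
        by_user[user].append((ts, ip))
        per_ip[ip] += 1
    distributed = {}
    for user, attempts in by_user.items():  # attempts are already time-ordered
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                distributed[user] = ips
                break
    noisy_ips = {ip: n for ip, n in per_ip.items() if n >= per_ip_limit}
    return distributed, noisy_ips
```

On the sample, the per-IP rule returns nothing while the per-account rule flags `admin` with six source IPs, which is exactly the gap the distributed attack exploits.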
Google engineer caught stealing AI tech secrets for Chinese firms
Nice example of a corporate espionage case. The U.S. Department of Justice released information on a case involving Linwei (Leon) Ding, a former software engineer at Google, suspected of stealing Google AI trade secrets for Chinese companies. He secretly worked for two Chinese companies while also working at Google.
Over the course of a year he uploaded over 500 files to his personal Google account to exfiltrate them. He even asked a colleague to scan his entrance badge to make it appear like he was working in the US office, while he was actually travelling to China. He now faces a prison sentence of up to 10 years and a fine of $1 million.
MiTM phishing attack can let attackers unlock and steal a Tesla
I was ready to more or less dismiss this, because it starts out as just a phishing attack to get someone's Tesla account credentials. But it goes on to make some good points.
As it stands, having someone's Tesla credentials, combined with being close to the car, is enough to be able to drive away with that car. That's not good, especially as the researchers demonstrate their phishing attack by setting up a malicious Wi-Fi access point at a Tesla charging station, where being close to the car is a given.
The researchers point out that there should be a requirement for the physical RFID card to be present in the car before you can add a phone key, or at least a notification when a new key is added to your car. Neither exists at the moment.
White House advisory group says market forces ‘insufficient’ to drive cybersecurity in critical infrastructure
From the article: "An industry-led group is calling for the federal government to develop economic incentives for small and medium-sized businesses, simplify cyber regulations and provide clear liability protections around information sharing." Can't add much to that. Hear, hear. Now make it happen.
How CISA fights cyber threats during election primary season
Good overview of current threats to election processes and what is being done to defend against them.
1Password for developers: secrets, SSH keys, and more
I don't think most developers realise how valuable 1Password can be. It doesn't just hold passwords: it also holds your SSH keys, signs your Git commits, injects tokens and other secrets into CLI scripts when you want, and much more. Worth trying out. (Sponsored)
Quick links
- GitHub enables push protection by default to stop secrets leak: link.
- Germany takes down cybercrime market with over 180,000 users: link.
- NSA shares zero-trust guidance to limit adversaries on the network: link.
- CISA, NSA share best practices for securing cloud services: link.
- Americans lost a record $12.5 billion to online fraud last year: link.
- Cloudflare announces Firewall for AI: link.
- A beginner's guide to tracking malware infrastructure: link.
Breaches and leaks
- North Korea hacks two South Korean chip firms to steal engineering data: link.
- Ukraine claims it hacked Russian Ministry of Defense servers: link.
- PetSmart warns of credential stuffing attacks trying to hack accounts (see, 23AndMe, you -can- actually detect and defend against credential stuffing attacks. Kudos PetSmart): link.
- Stormous ransomware gang takes credit for attack on Belgian brewer Duvel: link.
- Play ransomware leaked 65,000 Swiss government documents, investigation finds: link.
- Iowa electric, water utility says info of nearly 37,000 leaked in January ransomware attack: link.
- 20 million Cutout.Pro user records leaked on data breach forum: link.
- Golden Corral restaurant chain data breach impacts 183,000 people: link.
- Canada's anti-money laundering agency offline after cyberattack: link.
- Switzerland: Play ransomware leaked 65,000 government documents: link.
- Amex cardholder data exposed in merchant processor hack: link.
- Capita says cyberattack contributed to annual loss of more than £106 million: link.
- Fulton County services coming back on ‘rolling basis’ after LockBit attack: link.
- Law firm reports data breach affecting more than 325,000 people: link.
Issues and fixes
- Critical TeamCity flaw now widely exploited to create admin accounts: link.
- VMware sandbox escape bugs are so critical, patches are released for end-of-life products: link.
- CISA cautions against using hacked Ivanti VPN gateways even after factory resets: link.
- CISA warns of Microsoft Streaming bug exploited in malware attacks: link.
- Apple fixes two new iOS zero-days exploited in attacks on iPhones: link.
- AnyCubic fixes exploited 3D printer zero day flaw with new firmware: link.