- Vulnerable U
- Posts
- đď¸ Vulnerable U | #078
đď¸ Vulnerable U | #078
Hardware Backdoors found in Chinese RFID cards, New PWA app bank hacking technique, Halliburton cybersecurity incident, NPD published their own passwords, TP-Link under scrutiny over China ties, SolarWinds back in the security news, and more!
Read Time: 8 minutes
Howdy friends!
Got absolutely whacked the past week and have been really down for the count. Take your mental health seriously yâall, or itâll force you to. I luckily had some solid incident response and am back on the rails. My lesson learned: be more proactive, less reactive.
Just in time for the hottest days of 2024 here in Texas, weâre getting absolutely cooked. Heat index 115, itâs like Vegas but with humidity for all who just got home from there. Iâm still catching up on talks and research that came out that week, so much good stuff. Hope you all are recovering and can remember what you do for a living.
Anyone else get back from a week off, sit at your computer, and just forget what the hell to do with your hands? Yeah me either.
ICYMI
đď¸ Something I wrote: Was talking about the loneliness epidemic on a podcast the other day, resurfacing some thoughts I wrote about it.
đ§ď¸ Something I heard: Heard how Samy Kamkar used a laser to listen to keystrokes
đ¤ Something I said: Gave a summary of a Defcon talk where a researcher hacked some scammers back and is exposing them.
đŁ Something youâll find cool: I love Tines. I made a video showing how they enable a layered defense to phishing. Also check out this webinar with me where theyâll go over some automations with Cribl and Elastic.
đ Something I read: Some thoughts from my homie Keith Hoodlet on staying technical while getting into leadership.
đŁ Sponsor
Webinar: future-proofing your security infrastructure with automation
Gartner predicts that by 2025, lack of talent or human failure will cause more than 50% of significant cyber incidents.
The solution? Managing, analyzing, and safeguarding your data with the power of workflow automation.
On Tuesday, August 27, experts from Tines, Cribl, and Elastic share their best practices for building a secure data ecosystem â without compromising on efficiency or security.
Get expert insight on how to:
- enhance resilience
- streamline security operations
- effortlessly manage, analyze, and protect your data
- ensure robust protection of your digital assets
Vulnerable News
Iâm not sure why this one hasnât been a bigger story. Turns out millions of RFID cards have a backdoor in them.
Quarkslab researcher Philippe Teuwen found that cards made by Shanghai Fudan Microelectronics (a big Chinese chip maker) can be cloned instantly if you know the trick.
This isn't just a China problem - these cards are used all over the US, Europe, and India. âMany are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India.â (read more)
Hereâs a nasty new technique. Progressive Web Apps (PWA) are a kind of middle ground between App Store and mobile browser site. Youâve probably interacted with a few of these without knowing. They get some native app permissions and capability without all the App Store scrutiny and work cross platform between iOS and Android.
Wait. Permissions? Without scrutiny? Iâm shocked scammers have latched onto this. So theyâre making banking apps that look a whole lot like the real thing and the hard part is just getting people to install their PWA. Theyâve been doing this by social engineering or malvertising offering a fake monetary reward as a promotion for users to download the new version of their banking app. They then of course steal the creds and also can monitor a lot of other information on device. Article has way more screenshots of the attack chain that are super interesting, but hope your Polish good. (read more)
I heard mumblings of this one but Iâm glad some news went public before I sent this weekâs letter. If little olâ me heard mumblings, Iâm assuming this one is going to be rather large. Smells like ransomware, but that is speculation. Reuters is reporting some localized office issues as well as some global connectivity. Weâll see but keep an eye on this one! If it is ransom, I expect the demand will be rather large. (read more)
Remember the 14 Trillion SSNs that got breached last week? (Donât quote me on that number, but its directionally correct) - Well it seems that an NPD record broker just left all their passwords out in the open. âFollowing last weekâs story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property â the background search service recordscheck.net â was hosting an archive that included the usernames and password for the siteâs administrator.â
âThe exposed archive, which was named âmembers.zip,â indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not.â
I get that companies this small donât have big security teams or budgets, but itâs hard not to pass a bit of judgment when youâre handling that much data that is THAT sensitive. (read more)
Looks like TP-Link is the latest Chinese tech company in the crosshairs of US lawmakers. Representatives from both sides of the aisle call on the Commerce Department to investigate potential security risks in TP-Link routers. Their main concern is that these devices could be an easy target for Chinese state-sponsored hackers to infiltrate US systems.
The lawmakers are citing the recent Volt Typhoon attacks as an example, even though those primarily targeted Cisco and Netgear routers, not TP-Link. They also point to a Check Point report about a Chinese APT creating malicious firmware for TP-Link routers. Interestingly, TP-Link recently split into two entities, with TP-Link Corporation now based in Singapore and the US. But given the US's history of banning Chinese tech over security concerns (looking at you, Huawei), this could be the start of a lot of troubles for TP-Link in the American market. (read more)
SolarWinds is back in the news, and not in a good way. They left hardcoded credentials in their Web Help Desk product, potentially allowing unauthenticated remote attackers to log in, access internal functionality, and modify sensitive data. This critical flaw (CVE-2024-28987) affects all versions up to 12.8.3 HF1 and scored a 9.1 on the CVSS scale.
Given SolarWinds' customer base in government and enterprise sectors, this is a big deal. They've released a hotfix (12.8.3 HF2), but it requires manual installation. If you're using WHD, you might want to prioritize this patch before we have another... well, SolarWinds situation. Oh, and while you're at it, there's another critical WHD flaw (CVE-2024-28986) that CISA added to its Known Exploited Vulnerabilities list last week. (read more)
I saw some articles calling this guy a hacker so I was interested. It seems he just stole some doctorâs creds, so not exactly going to be wearing a Guy Fawkes mask but still a crazy story.
âAccording to federal prosecutors, the man, Jesse Kipf, 39, of Somerset, Ky., hacked into the Hawaii Death Registry System in January 2023 with the username and password of a doctor living in another state to create and certify his own death certificate.â
They also found searches for âCalifornia child support arrears father diedâ and âRemove California child support for deceasedâ on his laptop. Turns out you should just pay your child support. (read more)
We covered this hack extensively when it happened here on the newsletter. If you missed all that, it is one of the largest ransomware attacks of all time and it took down the payments backbone of an enormous percentage of the healthcare industry.
This is a great post with a lot more information now that weâre on the other side of most of it and it breaks it down into a full timeline of events. (read more)
Looks like Velvet Ant, one of our friendly neighborhood Chinese hacker groups, found a shiny new toy to play with. They've been exploiting a zero-day in Cisco switches (CVE-2024-20399) to gain system control and drop some custom malware. Cisco patched it up last month, but after some active exploitation in the wild.
These guys are getting craftier - they're moving from Windows systems to legacy servers and network devices to stay off the radar. Their latest trick? Breaking into Cisco switches, doing some recon, and then deploying their VELVETSHELL backdoor. It's a mashup of open-source tools that lets them run commands, transfer files, and proxy traffic. (read more)
Oh did you think Recall was going away forever? If you donât remember, this is the feature Microsoft announced on new Copilot machines that will record everything you do on your screen at all times and make it recallable by an AI chat interface. âHey what did Jill ask me to do in that Slack DM last week?â kind of functionality.
Well it also would grab all sorts of sensitive information and store it in a local database that upon breach could be easily snagged instead of having to bring your own keylogger or anything like that. So privacy and security folks got up in arms about it. This forced them to push back release from June until October, but Iâm excited to see first look at it. I think Microsoft will have thrown a lot of effort after the massive PR nightmare and mightâve come up with some interesting solutions to this one. But I may be too optimistic. (read more)
Oh boy was there a lot of ambulance chasing on CrowdStrike after their incident. I saw a lot of their competitors on LinkedIn basically saying it would never happen with them. I personally hate that kind of thing and I saw some other people in the industry having conversations about the incident without kicking CS while they were down. Also respect the CS leaders for still heading to Vegas and getting on stage in front of the community, I think it really helped their perception. Not sure many wouldâve been brave enough to do the same while feeling al that heat. (read more)
Itâs not often hacks actually cause a company to close up shop. In this case, a franchise owner of 23 Subways was hacked, their bank account drained, which forced them to shut their stores. Over 200 people showed up for work one day and the businesses were just no longer operating. The owner said she couldnât order food from the supplier. This just sucks. Seems hacks arenât FDIC insured and this was a complete draining so there was just no backup account to keep things going. (read more)
When they say âactively exploited in the wildâ I listen. And I think you should too. All we got on details is: "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page" - Thats enough for me! Run them updates folks. (read more)
Miscellaneous mattjay
Been trying to catch up on all the research coming out of Vegas this month.
Saw this TechCrunch article by @zackwhittaker that I think is a good list:
â Matt Johansen (@mattjay)
8:35 PM ⢠Aug 19, 2024
How'd I do this edition?It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week. |
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay