🎓️ Vulnerable U | #083

Millions of vehicles hacked just by knowing license plate, CUPS or no CUPS that is the question, NIST new password guidance, Major crypto scams and arrests, and more!

Author

Matt Johansen
September 27, 2024

Read Time: 8 minutes

Howdy friends!

What a week! In case you haven’t noticed yet, I hired a newsroom! We have a handful of writers now besides myself, and we’ll be publishing original news on vulnu.com besides just the email newsletter.

This is an incredibly exciting milestone for me as this week is the first time in over 83 weeks that someone besides myself has written content for Vulnerable U. Appreciate all of your support!

Let’s get vulnerable:

ICYMI

🖊️ Something I wrote: Wild bug found to hack all Kia vehicles via their support portal website while only knowing their license plate number

🎧️ Something I heard: Meta Connect was super interesting. Who upgraded Zuck’s rizz module? He’s unrecognizable and much more human looking. I’m also …impressed? with how much they’re pushing. Not counting them out on this AR/VR thing and they’re continuing to be a major player in AI with Llama.

🎤 Something I said: Broke down Ford’s patent filings to listen into your conversations you have in the car to better advertise to you

🔖 Something I read: I finished The Stormlight Archive book 3 - Oathbringer. Trying to get through book 4 before the 5th comes out in December.

📣 Sponsor

Join Cycode’s ASPM Nation for Insights
on Developing Secure Applications

Security trailblazers! You’re invited to Cycode’s ASPM Nation on Oct 9th. At this global livestream, you’ll hear from expert security leaders who deal with the world’s most complex codebases. Here’s what awaits you:

  • Playbooks from world-class speakers; CISOs at Cisco, Roche, Intermex, and more

  • A packed agenda, which includes a blueprint for your ASPM program, unmissable leadership lessons from industry giants, and bridging the security-developer divide

  • An exciting keynote session with Roland Cloutier, fmr Global CSO of TikTok & ByteDance, ADP, and EMC

Let’s reset application security together.

Vulnerable News

This is just straight-up AppSec business logic brilliance. This crew, headed up by Sam Curry, has been on a tear as I JUST covered them finding the SQLi bug to bypass TSA security checkpoints. They have now found a way via the Kia web app to take a license plate number and control any car they want. Well, not steer it, but unlock it, honk, turn the ignition on, view the camera if it has one, and track the location.

This also doubles as a potential data leak because you can pull the car owner’s name, email, phone number, and navigation history off the site. The bug was reported in June and is fixed as of a few weeks ago. Sams's writeup is great to see how they found and tested the bug, including building a custom PoC app to exploit it.

Andy Greenberg at WIRED always does a good job breaking these kinds of big stories. (read more)

U.S. Cracks Down on Crypto Exchanges Linked to Ransomware Activity

The .gov is cracking down on some shady crypto exchanges that have been playing fast and loose with ransomware money. They've got their sights set on two Russian exchanges, PM2BTC and Cryptex, that have been basically acting like the car wash in Breaking Bad for cybercriminals.

Image: occrp.org

But the feds aren't just seizing domains and slapping sanctions around. They've also put a $10 million bounty on the head of Sergey Sergeevich Ivanov, the Russian dude allegedly behind these sketchy operations. It's all part of a bigger push to squeeze ransomware groups where it hurts. (read more)

I’ve always hated password policies that made you change every 6 months. I always joked, just write a script that adds 1 to the number at the end of your users passwords because that’s just as useful.

Whelp. NIST finally stopped recommending that. Along with a bunch of other archaic password guidance that made no sense in today’s day and age.

The SHALL NOTs are the interesting bits

IMO - MFA or bust. (read more)

Ok this headline has changed a few times since I started gathering links for this week. This bug has been rumored and under embargo for a bit which led to a lot of speculating. It was also billed as a 9.9 CVSS Score RCE in “nearly every” Linux distro so obviously a lot of eyes on this.

Turns out it’s a bug in CUPS, and is only exploitable via an exposed UDP port, 631, and the ability to start a print job. So … don’t expose random ports on the Internet.

Some people are upset this was overblown, but I’ll take that over having to chase ever Linux box on my network this weekend. (read more)

Email security is still a hot mess in 2024. Despite all the fancy tech and billions invested, phishing and business email compromise are still absolutely dominating. The big players like Google and Microsoft are trying, but it's not enough. We're talking $2.9 billion lost to BEC in 2023 alone.

This is pretty obvious but is important to point out. Email's not just about sending messages anymore. It's become this weird combo of identity provider and data goldmine, making it one of the most valuable bad guy targets. What happens when you forget your password? They send your email address on file a reset link. It’s literally the gate for most of us.

Friend of the show, Mike Privette, over at Return on Security, is saying it seems like we really need a total rethink - something that treats email security more like cloud security, constantly checking and rechecking for issues. Maybe then we can finally get ahead of the phishers and scammers instead of always playing catch-up. (read more)

Another case of digital espionage targeting the Kurdish community. Some threat actors have been compromising Kurdish websites for over a year, turning them into watering holes to serve up spyware.

There are 25 different sites impacted, including news outlets and political organizations. The attackers then steal visitors' information and even push malicious Android apps on some victim’s devices.

An interesting bit is that this doesn't seem to be the work of any known hacker group. While the tech isn't super sophisticated, the scale and duration of the campaign are pretty impressive. Some folks are pointing fingers at the Kurdistan Regional Government of Iraq, but that's still up in the air. (read more)

The UK’s Network Rail had their free Wi-Fi get hacked. Someone managed to hijack the landing pages at 20 major UK train stations, displaying some seriously messed up Islamophobic messages to anyone trying to connect. Network Rail and the British Transport Police are investigating, but Wi-Fi's still down while they figure out what happened.

The folks at Telent, who run the Wi-Fi service, are scrambling to fix things. They're saying it was an unauthorized change made through a legit admin account at Global Reach, the company handling the landing pages. No personal data is believed to be stolen as of writing this. (read more)

Looks like NVIDIA's been caught with their GPUs down. Their Container Toolkit, which is basically everywhere AI is running these days, has a nasty bug that could let attackers do whatever they want. All it takes is a malicious container image, and boom - they're in.

NVIDIA's not messing around with this one, calling it a potential free-for-all for code execution, privilege escalation, and data snooping. They've rushed out patches faster than you can say "cryptocurrency mining rig," so if you're running this toolkit, you might want to update pronto. No known exploits in the wild yet, but with AI systems being such juicy targets these days, that probably won't last long. Time to patch! (read more)

Wow, this is a wild one. Some hackers managed to sneak a crypto-draining app onto Google Play by disguising it as a legit WalletConnect tool. They made it seem more legit with fake reviews and some obfuscation. The app stayed under the radar for five months and racked up over 10,000 downloads before getting caught.

The kicker is how they tricked users into connecting their wallets and signing malicious transactions. By exploiting confusion around WalletConnect, they got folks to hand over the keys to their crypto. Over 150 victims lost around $70k total.

Report is a great run-through of the whole operation. (read more)

So much drama in the WordPress world this week that luckily I’ve mostly been able to ignore. But it looks like Automattic and WP Engine are having a full-on fist fight, and poor WordPress users are caught in the crossfire.

Automattic has cut off access for WP Engine to get WordPress updates.

The whole thing stems from some trash talk and legal threats flying back and forth. Now thousands of websites hosted on WP Engine are left without security updates, which is like running Windows XP on the Internet these days.

Overall I’m expecting this gets worse before it gets better. (read more)

Our North Korean hacker friends are at it again with some shiny new toys. They've cooked up two fresh malware strains called KLogEXE and FPSpy, courtesy of the Kimsuky crew (aka a bunch of other names threat intel people like to use). These guys are apparently the "kings of spear phishing.”

The new malware is pretty much what you'd expect - keyloggers, info stealers, the usual spy kit. KLogEXE is like the C++ glow-up of an older PowerShell tool, while FPSpy is the cool new cousin of some previously known backdoors. They're mainly targeting users in South Korea and Japan, which tracks with Kimsuky's usual MO. (read more)

I saw this one because of a Troy Hunt tweet saying CloudFlare is wrapping auth that goes through their systems with a check to haveibeenpwned to stop users reusing passwords that have been part of data leaks.

This is brilliant and a tactic I’ve used and built at multiple places. You should all be running your databases against haveibeenpwned and forcibly resetting any hits.

But this blog post is actually filled with other free security goodies and I’m just impressed with Cloudflare’s direction lately. They were not my favorite company for a long time, but they seem to have really got their head on straight these days and are building some cool stuff. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.

Login or Subscribe to participate in polls.

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay