Cyber Security Headlines: Car API flaws, Experian bypass, ChatGPT malware

API vulnerabilities found across car brands

Yuga Labs security researcher Sam Curry published details of vulnerabilities in car manufacturer APIs, which opened the door to fully unlocking and starting vehicles, accessing mission-critical internal apps, leaking telematic data, and full account takeovers. The flaws varied by manufacturer, but Curry found flaws in APIs from Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. The most serious flaw found came from Spireon’s telematics solution. Exploiting it could allow for gaining full admin access, letting a threat actor issue arbitrary commands to over 15 million vehicles and remotely update device firmware. All disclosed flaws were fixed following bug reports from Curry’s team. 

(The Hacker News)

Bypassing Experian Security

Security researcher Brian Krebs passed on a report from researcher Jenya Kushnir, who found that threat actors were able to bypass Experian credit history checks in order to obtain a victim’s full credit history. This still required the person’s name, address, birthday, and Social Security number. When requesting a credit history report, Experian requires this information, as well as several multiple choice questions on financial history. Until the end of 2022, simply changing the URL of the question prompt screen could get past the questions, delivering the full credit report. Krebs alerted Experian to the issue on December 23rd, and seemed to be patched by the 27th. 

(Krebs on Security)

Trying to write malware with ChatGPT

We already know that OpenAI’s ChatGPT text engine can theoretically write malware. Last month a security researcher successfully got it to describe a basic buffer overflow vulnerability, admittedly with critical syntax errors. Now security researchers at Check Point report dark web hacking forums are experimenting using ChatGPT to help facilitate and support malicious attacks. The researchers say this could open the door for actors with very low levels of technical knowledge to launch attacks, or make sophisticated cyber operations much more efficient and easier. OpenAI’s terms of service ban malware generation and it attempts to block requests to create spam. One poster on the forum said they were able to use ChatGPT to create a Python-based information stealer malware, while another showed how they created Java-based malware to exploit PowerShell. 

(ZDNet)

SCOTUS clears the way for Meta to sue NSO Group

The Supreme Court of the United States turned away NSO Group’s appeal of a lower court decision that ruled Meta could proceed with a lawsuit, accusing NSO of exploiting a bug in WhatsApp that installed spyware. NSO argued it could not be sued as it acted as an agent for unidentified foreign governments when it installed the spyware. The White House urged SCOTUS to reject the appeal, saying that the State Department previously never recognized immunity for a private entity acting as a foreign state agent. 

(Reuters)

And now a word from our sponsor, AppOmni 

Can you name all the third party apps connected to your major SaaS platforms like Salseforce and Microsoft? What about the data these apps can access? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. 
With AppOmni, you get visibility to all third party apps and SaaS-to-SaaS connections — including which end users have enabled them, and the level of data access they’ve been granted. Visit AppOmni.com to request a free risk assessment.

Serbian government hit with DDoS

Over the weekend, the Serbian government said it got hit by several “massive” distributed denial-of-service attacks, impacting its website as well as the Ministry of Internal Affairs. A spokesperson said the ministry successfully repelled at least five attacks. It cautioned that its enhanced security protocols may lead to slower work and occasional service outages, but that ministry data remained secured. No group or nation claimed credit for the attack, and Serbian officials did not attribute them. 

(The Record)

Russian operations did not impact 2016 election

According to a new paper from researchers at New York University’s Center for Social Media and Politics in the journal Nature Communications, they found “no evidence of a meaningful relationship” between exposure to Russian influence campaigns and changes in voting behavior in the US election. The researchers used a longitudinal survey, asking the same questions to the same group of people at different points in time to observe any changes. The paper found that exposure to posts identified as foreign influence operations paled in volume compared to traditional US media sources. The respondents most exposed to influence materials wer “those arguable least likely to need influencing.” 

(The Record)

Russian-linked APT targeted nuclear labs

Reuter’s sources say the Russian-backed APT known as Cold River targeted the Brookhaven, Argonne, and Lawrence Livermore National Laboratories between August and September 2022. The attackers created fake login pages for the facilities, sending spear-phishing messages to scientists in attempts to get login information. It’s unclear if any of the attacks successfully gained access. This appears to be the latest poltically motivated attack by the group. It previously operated phishing campaigns against NATO,leaked emails related to the UK’s Brexit supporters, and ran cyberespionage campaigns against NGOs investigating war crimes.  

(Security Affairs)

Should private companies follow TikTok bans

Over at CSO Online, Christopher Burgess asked the question that if an increasing number of local, state, and federal government agencies are banning the popular social network app on government devices, why aren’t private companies following suit. While a purely government ban might be construed as political optics, He also points out a number of universities that serve as R&D hubs have also banned the apps on devices and networks. Burgess says CISOs should ask themselves what TikTok could potential harvest from user devices that could put their organization at risk. He cautions that this should be followed by due dilliegence into actual risks, but that a discussion on allowing the app on devices touching a corporate network is well overdue. 

(CSO Online)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.