China fires back at US after Exchange hack accusations

Following up on a story Cyber Security Headlines covered yesterday, where the US and its allies pinned a Microsoft Exchange attack on hackers affiliated with China’s Ministry of State Security, Chinese foreign-ministry spokesman Zhao Lijian rejected the accusations and proceeded to accuse the US of being the largest purveyor of cyberattacks targeting Chinese aerospace, science and research institutions, the oil industry, government agencies, and internet companies over the last 11 years. He accused the US of carrying out targeted attacks on Chinese devices, wiretapping its competitors and allies, and pushing NATO for a cybersecurity alliance that Zhao claims will “undermine international peace and security.”

(The Record)

Unpatched iPhone bug allows remote device takeover

An Apple iOS bug previously believed to cause only low-risk denial-of-service issues turns out to be much nastier. The original DoS issue was addressed in iOS 14.6; however, researchers from ZecOps successfully exploited a Remote Code Execution (RCE) bug they have dubbed “WiFiDemon,” which allows an attacker who sets up a rogue Wi-Fi hotspot to take over the phone, install malware and steal data, even on an updated iOS. The researchers explained that the vuln is caused by the “wifid” daemon, which runs as root and misinterprets certain strings containing % and @ symbols. The vulnerability is expected to be patched within the next week; until then, users are urged to disable the Wi-Fi Auto-Join feature via their iPhone Settings and avoid connecting to unknown Wi-Fi hotspots, especially any whose name contains the @ symbol.


16-year-old bug in printer software gives hackers admin rights

According to a SentinelOne report published on Tuesday, a high-severity vulnerability found in an HP, Xerox, and Samsung printer driver is estimated to affect hundreds of millions of devices and millions of users worldwide. The buggy driver, first introduced in 2005, is automatically loaded by Windows after each system reboot, meaning the bug can be abused even when the printer is not connected to the target device. Successful exploitation requires threat actors to first get a foothold on a device, after which they could elevate their privileges and run code in kernel mode, potentially evading detection and delivering malicious payloads. So far there are no indicators of exploitation in the wild; however, due to the vuln’s widespread impact, researchers urge customers to apply patches as soon as possible.


New scams emerge as child tax credit payments are released

According to a new report from DomainTools, cybercriminals are taking advantage of the latest round of IRS payments being sent out to US families by launching dozens of credential-harvesting sites masquerading as American Rescue Plan Act signup sites. While the IRS payments are sent automatically without requiring registration, cybercriminals have created a maze of websites pretending to be associated with child tax credit payments in order to trick people into entering their personal information. DomainTools was able to tie the scam to GoldenWaves Innovations, a web development firm based in Nigeria which has a functioning website and a CEO with a full LinkedIn profile. ZDNet called and emailed GoldenWaves for comment but has not received a response.


Thanks to our episode sponsor,

The first time we got hit with ransomware it took us weeks to recover. The second time we got hit, it took us two hours. Why? Because we had Varonis. Varonis reduces the ransomware blast radius and monitors our most important data, automatically. Hear more at

Windows 10 and 11 vuln allows anyone to get admin privileges

Security researchers have discovered a vulnerability in Windows 10 and Windows 11 which allows users in the low-privileged “Users” group to read the Registry database files. The Windows Registry should be restricted from non-privileged users, as it stores sensitive information such as hashed passwords, app configuration options, and system decryption keys. A threat actor with local access could therefore extract and crack the hashed passwords to gain elevated privileges. For unknown reasons, Microsoft introduced the permission changes in Windows 10 version 1809, but CERT/CC vulnerability analyst Will Dormann noted that the vulnerability was not present upon installing a fresh copy of Windows 10 version 20H2. BleepingComputer is awaiting further fix information from Microsoft.
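Because the story turns on file permissions rather than on the Registry API itself, the quickest way to know whether a given machine is affected is to inspect the ACLs on the hive files directly. The following PowerShell script is an added example for this digest, not code from the researchers, CERT/CC or Microsoft. It assumes the hive files live under %SystemRoot%\System32\config (the standard Windows location) and uses the well-known SID S-1-5-32-545 to resolve the local BUILTIN\Users group regardless of language. It only reads security descriptors; it changes nothing.

```powershell
# Added example (not from the original article): report whether members of the
# built-in Users group hold a read right on the registry hive files under
# %SystemRoot%\System32\config. Run from an elevated PowerShell session on the
# host being checked. SAM, SECURITY and SYSTEM are the hives that hold the
# hashed credentials and keys the article refers to; SOFTWARE and DEFAULT are
# included for completeness.

$hives     = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'
$configDir = Join-Path $env:SystemRoot 'System32\config'

# Well-known SID for BUILTIN\Users, so the check works on non-English systems too.
$usersSid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersAccount = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

$results = foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (-not (Test-Path -LiteralPath $path)) { continue }

    # Get-Acl reads the security descriptor even though the hive itself is
    # locked by the kernel; no file content is opened.
    $acl = Get-Acl -LiteralPath $path

    # Any Allow ACE for BUILTIN\Users that carries the ReadData bit is a finding.
    # Read, ReadAndExecute and FullControl all include ReadData.
    $readAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $usersAccount -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }

    [pscustomobject]@{
        Hive         = $hive
        Path         = $path
        UsersCanRead = [bool]$readAces
        Rights       = ($readAces | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        Inherited    = ($readAces | ForEach-Object { $_.IsInherited }) -join '; '
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object UsersCanRead) {
    Write-Warning "One or more registry hives are readable by $usersAccount on this host."
} else {
    Write-Host "No registry hive under $configDir is readable by $usersAccount."
}
```

The Inherited column matters for remediation: an inherited read ACE means the permissive entry comes from the parent config directory, so fixing the hive files alone without re-checking the directory's inheritance will not stick. Note also that the hive files are copied into any Volume Shadow Copy snapshot taken while the loose ACL was in place, so a host that now reports clean can still expose older hive copies through existing snapshots (list them with vssadmin list shadows) until those are rotated out.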


Linux kernel bug surrenders root on most modern distros

Researchers at Qualys have discovered that unprivileged attackers can gain root privileges by exploiting a vulnerability in default configurations of the Linux kernel’s filesystem layer. The security flaw, tracked as CVE-2021-33909 (dubbed Sequoia), impacts all Linux kernel versions released since 2014. Once successfully exploited on a vulnerable system, the attackers get full root privileges on default installations of many modern distributions. Since the attack surface exposed by the Sequoia vulnerability is so widespread, Linux users are urged to immediately apply the patches released on Tuesday.


Ransomware incident at major cloud provider disrupts real estate and title industry

The Florida-based cloud service company Cloudstar announced that it suffered a ransomware attack on Friday that forced it to take down the vast majority of its services, except for its encrypted email service. Cloudstar operates several data centers across the US and provides its managed cloud services to the mortgage, title insurance, real estate, legal, finance, and local government sectors. The company did not name the ransomware gang behind the attack but said on Sunday that it has already started negotiations with the hackers in order to restore its services.

(The Record)

Gamer spills classified military docs in effort to win online argument

Last week, a user of the War Thunder combat simulator, developed by Hungary-based Gaijin Entertainment, shared what appeared to be classified documents in the company’s game forums, in an attempt to win an online argument over the game’s representation of the British Challenger 2 main battle tank. The user, named _Fear_Naught_, posted a number of pages from the tank’s Army Equipment Support Publication (AESP), which is a user manual used by military personnel. _Fear_Naught_’s avatar on Gaijin’s forums has been linked to a 40-year-old male from Tidworth, Wiltshire, UK, the same location that hosts a UK base for various elements of the Royal Armoured Corps, some of which use the Challenger 2 tank. Gaijin has removed the content and contacted Britain’s Ministry of Defence (MoD).

(The Register)