QNAP announces OpenSSL bugs fallout
On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices. The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption– and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents. If successfully exploited, the flaws could allow remote attackers to execute arbitrary code with the permissions of the user running the application.
Cyberattackers are now quietly selling off their victim’s internet bandwidth
Cyberattackers are now targeting their victim’s internet connection to quietly generate illicit revenue following a malware infection. Researchers from Cisco Talos said yesterday that “proxyware” is becoming twisted for illegal purposes. Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to ‘host’ a hotspot internet connection, providing them with cash every time a user connects to it. The criminals are piggybacking off legitimate services including Honeygain, PacketStream, and Nanowire, to redirect passive income to their own coffers.
Indonesian government’s Covid-19 app accidentally exposes over 1 million people
eHAC is a mandatory ‘test and trace’ app for people entering Indonesia to ensure they’re not carrying the virus into the country. It was established in 2021 by the Indonesian Ministry of Health. However, the app developers failed to implement adequate data privacy protocols and left the data of over 1 million people exposed on an open server. The discovery of the 2 Gig fie was made by researchers at VPNMentor, who then alerted the Indonesian Ministry of Health. After receiving no reply from the ministry, they contacted Indonesia’s CERT* agency and, eventually, Google – eHAC’s hosting provider. The data leaked included a wide range of PII, medical and Covid-specific information on 1.3 million travelers to and citizens of Indonesia.
Cybercriminal sells tool to hide malware in AMD, NVIDIA GPUs
Cybercriminals are making strides towards attacks with malware that can execute code from the graphics processing unit (GPU) of a compromised system. Earlier this month, the proof-of-concept (PoC) was sold on a hacker forum, or a technique they say keeps malicious code safe from security solutions scanning the system RAM. The seller provided only an overview of their method, saying that it uses the GPU memory buffer to store malicious code and to execute it from there. According to the advertiser, the project works only on Windows systems that support versions 2.0 and above of the OpenCL framework for executing code on various processors, GPUs included.
Thanks to our episode sponsor, Semperis
Coinbase seeds panic among users with erroneous 2FA change alerts
The world’s second-largest cryptocurrency exchange with approximately 68 million users from over 100 countries, accidentally alerted around 125,000 customers last weekend that their 2FA settings had been changed. Coinbase later explained that the notifications were sent in error and that customers are not required to take any action to restore their 2FA settings. While they did not share why the erroneous alerts were sent, it did say that it was not a malicious actor or an intern and pointed at “an issue with our notification services that unfortunately caused some real concern for our customers.”
Threat actors can remotely disable Fortress home security system
Vulnerabilities discovered in Fortress S03 Wi-Fi Home Security System could be abused by a malicious party to alter system behavior, including disarming the devices without the victim’s knowledge. The Fortress S03 Wi-Fi Home Security System allows users to build their own alarm system to secure their homes and small businesses. Researchers at cybersecurity firm Rapid7 discovered two vulnerabilities, which they called “trivially easy to exploit” – one of which is an insecure cloud API deployment that can be exploited just by knowing the user’s email address, while the other can allow anyone within Radio Frequency (RF) signal range to capture and replay RF signals to alter systems behavior. Rapid7 said it notified Fortress Security of the bugs on May 13, 2021, and the company to close the report 11 days later on May 24, the issues continue to persist.
CISA adds single-factor authentication to the list of bad practices
Single-factor authentication, the use of username and password to log in to a system, was added to CISA’s short list of “exceptionally risky” cybersecurity practices that could expose critical infrastructure, government and private sector entities to cyberattack. The rest of the list currently includes: Use of unsupported (or end-of-life) software, use of known/fixed/default passwords and credentials, and, use of single-factor authentication for remote or administrative access to systems. This list will soon get longer with CISA considering adding weak cryptographic functions, flat network topologies, mingling of IT and OT networks, lack of least privilege, use of previously compromised systems without sanitization, transmission of unauthenticated traffic over uncontrolled networks, and poor physical controls
Zoom-call gaffes led to someone getting axed, 1 in 4 bosses say
Nearly 1 in 4 executives have fired a staffer for slipping up during a video or audio conference, and most have levied some sort of disciplinary action for gaffes made in virtual meetings, a survey of 200 managers at large companies found. The survey, commissioned by Vyopta Inc., which helps companies manage their workplace collaboration and communication systems, identified the top four career ending mistakes as joining a call late, having a bad Internet connection, accidentally sharing sensitive information, and of course, not knowing when to mute yourself.