SAP bug beatdowns, Apple gets nasty with Mac repairs, Struts woe, and more from infosec

Including: US Marines are looking for a few good bugs


Roundup: This week we all worried about bugged servers, North Korean APTs, and GRU hacking groups.

But those were far from the only security stories to hit the wires. Here are a handful of other pieces that may have slipped under the radar.

Marketing firm parts with massive trove of customer data

The last time an Apollo effort went this badly, Tom Hanks made a movie about it.

Marketing intelligence (read: data broker) startup Apollo fessed up to being the victim of a massive theft that saw it reveal something in the neighborhood of nine billion points of data and contact information of 212 million people. As per usual, the massive trove was discovered online in a misconfigured database that had mistakenly been set to be accessible by anyone.

Those "data points" include things like addresses and contact information, as well as contacts and connections on services like LinkedIn. Not particularly sensitive information, but a fairly valuable cache of data for marketers or, in the worst case, potential attackers looking to build spear-phishing emails.

FireEye beefs up Helix, reaches out to community

Security intelligence company FireEye has unveiled a new version of its Helix security information and event management (SIEM) platform.

This version of the cloud-based service focuses on streamlining the process of detecting malware infections and network intrusions and getting responses in place, whether automated or ordered by an admin.

FireEye says the aim here is to allow companies to be able to actively respond to attacks, not just analyze them after the fact.

"We’re on the frontlines of the cyberwar and to keep pace with the adversaries, we have to automate as much as possible and give analysts the intel to make smarter decisions at key points in the response," said FireEye VP of product management and strategy Paul Nguyen.

"These insights and capabilities are built into Helix to close the gap from detection to resolution and mitigate the impact of an attack."

FireEye is also looking for partners in an effort to create an ecosystem for Helix. The FireEye Market lets customers browse and install plug-ins, add-ons, and services for their Helix installations. Think Salesforce AppExchange, but for incident response.

The idea with the store is to let its partners and developer community come in and do all of the small, specialized tasks that customers want for their specific needs while also letting FireEye focus on developing Helix as a whole rather than creating smaller, specialized versions. In the process, partners get a new market for their services and customers get better tuned software.

Don't be a SAP, patch these bugs from Positive Technologies

Researchers with Positive Technologies have laid claim to six recently-patched vulnerabilities in SAP products.

The flaws range from arbitrary JavaScript code injection to the theft of session IDs and users' passwords, along with elevation of privilege flaws. Fortunately, all of the bugs have been reported directly to SAP and have been patched with recent updates.

This would be a good time for admins to go through their SAP apps and services to make sure everything is up to date.

1-2-3-4, I just hacked the Marine Corps!

From the Halls of Montezuma, to a brand new CVE. The United States Marine Corps has just paid out more than $150k in bug bounties to hackers who participated in a 20-day research project that resulted in the discovery of more than 150 vulnerabilities in public-facing sites that made up the Marine Corps Enterprise Network.

The project, known as Hack the Marine Corps, launched at this year's Def Con and is an offshoot of the DoD's "Hack the Pentagon" campaign, where white hats are offered bounties to come in and pwn the hell out of government sites in hopes of hardening defenses before a hostile nation can get to them.

The Corps estimates that around 100 hackers participated in this year's event, including the Def Con kick-off where 75 of the bugs and $80,000 of the bounties were awarded.

Apple tells DIY to DIE

A few years back, iFixit CEO Kyle Wiens told El Reg that Apple had done "everything it can" to kill off third-party repair businesses. Turns out Wiens was wrong; Apple could do even more.

iFixit has now found that the new Mac Pro laptops contain dormant lockouts that, if activated by Apple, would render machines repaired by third-party shops inoperable. Specifically, if the lockout mechanism is enabled, repairs to most major hardware components in the notebooks would need to be validated by a special secret software kit only available to Apple and a handful of authorized repair shops, or the machine won't work.

Fortunately, iFixit said that though these strict controls are in place, they're not yet being enforced. Its lab techs were able to get a new MacBook Pro and swap out a number of the hardware components in question without much of an issue. This has led them to believe that, so far, the lockout defense is a passive system.

"Our guess is that this software tracks serial numbers and other parts data so Apple can verify Apple Authorized Service Providers (AASPs) are correctly completing repairs. It may also perform calibration, or it could simply be a way of keeping their authorized network in line," iFixit said. "Basically it means Apple owns your device, not you, and could conceivably disable it remotely if they detect unauthorized repairs going on."

On the one hand, this lockout system will stop dodgy repair shops from swapping out parts for backdoored versions – such as keyboards that phone home your typed-in passwords to crooks. On the other hand, it's a neat way to shut out legit third-party repair shops that do a better or cheaper job of fixing up busted MacBook Pros than Apple's "geniuses" can.

Meet the new bots, same as the old bots

Thought the Russian bot deluge that erupted prior to the 2016 election had come and gone?

You would be very wrong.

A report from the Knight Foundation tracked the millions of troll accounts since 2016 and concluded that most of them aren't going anywhere.

"The problem persisted in the aftermath of the election with four million tweets to fake and conspiracy news publishers found from mid-March to mid-April 2017," the report reads.

"A large majority of these accounts are still active today."

This is particularly depressing as, with a crucial round of mid-term elections just a few weeks away, we probably shouldn't expect the climate to differ much from what we saw two years ago as far as trolls and disinformation are concerned.

Swat swats swatters with swatting swat

The Seattle police are trying out a new program that would let people create profiles that would flag their residences and places of business as possible targets for "swatting" crimes.

The page would then appear to the emergency dispatcher when a call is made and, if the resident has warned police they might be a swatting victim, a notification would be sent. The idea isn't to cancel any potential emergency responses, but to at least warn the police and, hopefully, avoid any further loss of life.

"Nothing about this solution is designed to minimize or slow emergency services," Seattle PD says.

"At the same time, if information is available, it is more useful for responding officers to have it than to not."

Struts, you're stuffed

A newly discovered class of vulnerabilities, dubbed double evaluation, can be potentially exploited to hack websites that rely on Apache Struts. Essentially, it appears to be all too easy for a developer to accidentally execute data supplied by a user as code – if that submitted data is malicious, it can attempt to compromise the system running the web app.

Apache Struts' programmers don’t consider the vulnerability critical enough to merit patching, though, because it's on coders to sanitize user-submitted data.

Man Yue Mo, a researcher at Semmle with a back-catalogue of Apache Struts bug finds, disagrees that the vuln can be so easily dismissed, mainly because it's too easy for web app coders to introduce double evaluation vulnerabilities into their software.

"As the behaviour of double evaluation is fairly counter-intuitive, developers can easily get caught out and expose their Struts applications to RCE [remote code execution]," Man argued.

In a blog post, Man explains the class of flaws in depth alongside suggested remediations. If you're using Apache Struts, audit your code to make sure you're not falling foul of these double evaluation holes. ®
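A toy illustration of the double evaluation pattern described above, added here as an example and not taken from Struts, Semmle, or the article's sources. The `%{name}` syntax, the function names and the sample values are constructed assumptions, and this toy language only substitutes variables, where a real expression language can run code.

```python
import re

# Toy expression language (constructed for illustration, not Struts/OGNL):
# "%{name}" is replaced by the value bound to `name` in the context.
EXPR = re.compile(r"%\{(\w+)\}")


def evaluate(template, context):
    """One evaluation pass: substitute each %{name} exactly once."""
    return EXPR.sub(lambda m: str(context.get(m.group(1), "")), template)


def render_double(template, context):
    """Flawed: the output of the first pass is evaluated a second time,
    so expression syntax hidden inside user data gets interpreted."""
    return evaluate(evaluate(template, context), context)


def render_single(template, context):
    """Hardened: evaluate once; substituted user data stays plain data."""
    return evaluate(template, context)


def contains_expression(value):
    """Audit/input check: does user data carry expression syntax?"""
    return EXPR.search(value) is not None


def demo():
    # Constructed sample data: the developer only meant to show a username.
    user_input = "%{api_key}"
    context = {"username": user_input, "api_key": "constructed-secret"}
    template = "Hello %{username}"
    return {
        "double": render_double(template, context),
        "single": render_single(template, context),
        "flagged": contains_expression(user_input),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The developer wrote a template that references only `username`, yet the double pass resolves a second expression the user supplied, which is why the behaviour is easy to miss in code review.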
