Palo Alto gateway security alert, FSB hack, scourge of data-stealing web plugins, and more

Roundup Let's catch up with all the recent infosec news beyond what we've already covered.

Palo Alto Networks gateway apps vulnerable to hijacking

If you're using Palo Alto Network's GlobalProtect Portal or Gateway, ensure you're using the latest version of the software. The biz quietly issued a maintenance update to close a security hole – a trivial string formatting vulnerability no less – that can be potentially exploited by miscreants to hijack installations of the code over the network or internet.

This is a pre-authentication remote-code execution flaw, and it's present in software that's typically used on public-facing Palo-Alto-powered firewalls and VPN-based gateways into corporate networks. Thus, the whole situation is un-good: it could be leveraged to infiltrate organisations.

According to Palo Alto Networks this week, here's the list of affected products: PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected. The "critical" security hole is labelled PAN-SA-2019-0020 aka CVE-2019-1579.

"Successful exploitation of this issue allows an unauthenticated attacker to execute arbitrary code," Palo Alto noted.

"If you have not already upgraded ... we recommend that you update to content release 8173, or a later version, and confirm threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface. You are not affected if you do not have GlobalProtect enabled."

See this write-up, and this Twitter thread for more information and details of a proof-of-concept exploit. The vulnerability was even used to break into Uber by two researchers who found the flaw.

FSB contractor hacked, secret files swiped

A contractor for Russian intelligence agency the FSB was hacked on July 13, with about 7.5TB of data stolen, it was reported this week.

It's understood a hacker gang calling itself 0v1ru$ compromised systems operated by FSB IT provider SyTech, and an archive of data siphoned from the biz was passed to journalists to pore over.

Among the swiped files, we're told, were blueprints for a Tor deanonymizing effort dubbed Nautilus-S, as well as a project to map out Russia's internet links to the outside world. There were also documents on the surveillance of selected Russian corporate email accounts, attempts to spy on peer-to-peer file-sharing networks (including BitTorrent), and a project to harvest social network profiles in 2009 to 2010 (think Facebook, LinkedIn, MySpace, and their ilk).

Blighty's plod web hack shock

A website belonging to London's Met Police was hijacked on Friday night by miscreants who proceeded to publish nonsensical announcements to the world until officers regained control. The site, news.met.police.uk, normally carries press releases, but was compromised to spam out garbage. The publishing system also automatically emitted the fake news as tweets to the Met's 1,220,000 Twitter followers, and in emails to journalists.

Naughty extensions turn browsers in data siphons

Shady web browser plugins have been collecting and uploading personal details on millions of people, it has been learned.

Reg alumnus Dan Goodin, along with security researcher Sam Jadali, uncovered how an operation nicknamed DataSpii has collected personal details on more than four million users by distributing spyware-laced browser plugins for Chrome and Firefox.

The collected information is said to include everything from credit card numbers and GPS coordinates to income tax returns and travel plans. In short: only install highly trusted extensions.

"This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals," noted Jadali. "The collected data was then made available to members of an unnamed service, which we refer to in our report as Company X. Both paid and trial members of this service had access to the leaked data."

Oh, ship! US Coast Guard warns of hackers at sea

The US Coast Guard is warning private cargo ships to beef up their on-board security after one such vessel was hit with a malware infection earlier this year.

The military said in its alert this month [PDF] that back in February a Coast Guard crew responded to a report of a New York-bound shipping vessel that was having problems with its on-board systems. A post-incident analysis eventually concluded that a malware infection had struck the ship and taken out some of its systems.

"The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted," the Coast Guard said. "Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities."

While the report does not pinpoint the exact source of the infection, the Coast Guard notes two key findings from the investigation: crew members could use the ship's network for personal use (i.e. checking emails or managing bank accounts) and USB devices were routinely used to transfer cargo data to and from the ship's systems.

Accounting cloud firm Insynq hit by ransomware

Cloud biz Insynq, which provides Quickbooks accounting software to businesses, has been offline since July 16, after a ransomware attack crippled its servers. Security breach connoisseur Brian Krebs reports that the hosting house has turned off some of its servers and called in outside help in response to the outbreak.

Colleges attacked through ERP flaw

A vulnerability in the Ellucian Banner ERP software is being blamed for network intrusions at more than 60 US universities.

The attackers exploited a known flaw in the application that was patched back in May. Any university admins (or anyone else, for that matter) running Ellucian Banner ERP should update their software ASAP.

Contractor charged for threatening Congresswoman over vaccine bill

A government IT contractor is facing serious charges after threatening to kill a member of Congress who supported a bill to mandate vaccinations.

Darryl Varnum, a cybersecurity contractor (formerly) with the Department of Defense was charged with leaving a threatening voicemail at the office of Frederica Wilson, a Florida Democrat who sponsored the bill. He faces one felony count of threatening an official.

Bluetooth haircare is hot, hot, hot

You might want to think twice before springing for a connected hair appliance.

This after researchers with PenTest Partners found that several brands of Bluetooth hair straighteners posed fire hazards. The team was able to manipulate the mobile applications on paired smartphones to cause the appliances to heat up to dangerous levels.

Maybe just stick with the old fashioned dumb-irons for now.

Nvidia Tegra bugs revealed

A new patch has been issued by Nvidia to address a potentially serious flaw in the Tegra chipset, used by loads of gadgets including drones. Researcher Triszka Balázs says the vulnerability, designated CVE-2019-5680, could potentially allow an attacker to bypass secure boot checks, and achieve arbitrary code execution.

LLVM Arm stack protections rendered potentially useless by security hole

The LLVM compiler's stack protection mechanism for Arm software can be potentially evaded, making it easier for miscreants to pull off buffer-overflow exploits and the like.

Apple researchers Jeffrey Crowell and Will Estes found that the stack protections in LLVM Arm can be manipulated in such a way that the stack protection fails to properly detect and thwart overflows.

"When the stack protection feature is rendered ineffective, it leaves the function vulnerable to stack-based buffer overflows," the duo write.

"It is possible that the return address could be overwritten due to a local buffer overflow and is not caught when the cookie is checked at the end. It is also possible that the cookie itself could be overwritten since it resides on the stack, causing an unintended value to pass the check."

Yet another medical company blames AMCA for loss of customer records

US medical bill collectors AMCA are once again being blamed for a massive loss of personal medical data.

A filing from Clinical Pathology Laboratories says that the pwned AMCA server that leaked LabCorp and Quest Diagnostics data also allowed 2.2 million of its patient records to be exposed. 34,500 of those records included payment card information.

WikiLeaks source cries foul over early disclosure

One of the hackers credited for providing WikiLeaks with confidential intel says the secret-sharing site jumped the gun on a document dump and jeopardized an ongoing operation.

Phineas Fisher, source of the 2016 Erdogan emails leak, claims that the massive Turkish government data heist would have been even larger, had WikiLeaks not published the information early, tipping Erdogan's camp off to the hack and allowing them to lock down their systems before more damning evidence could be collected.

DropBox gaffe drops unwanted update on machines

Some DropBox users got an unexpected update last week when the cloud storage house accidentally sent one of its test applications out to regular users.

The cloud storage biz says it accidentally posted the new version of its desktop file manager app, currently in early access phase, to regular users who were alarmed at the new application suddenly appearing on their machines. Dropbox says it has since resolved the matter.

Tesla owner finds flaw in naming system

A security researcher and Tesla owner discovered the leccy automaker's naming system for customers' cars was insecure. Bug-hunter Sam Curry snuck some JavaScript code into the name field on his auto, in its configuration settings, and forgot about it, only to have the code trigger when a Tesla support agent viewed the name of the car in an internal system several weeks later when servicing a cracked windshield.

Curry would eventually get credit for discovering the bug, and earned a $10,000 bounty. ®