Chrome bug squashed, QNAP NAS nasty hits, BlueKeep malware spreads, and more

Including Spanish camgirl sites spill info, domain registrars hacked

Roundup Let's check out some of the more recent security happenings beyond what we've already covered.

Chrome bugs cleaned up

Anyone running Chrome will want to update and restart their browser in order to make sure they have the latest build, as usual. Google has patched a bunch of flaws including a use-after-free() vulnerability (CVE-2019-13720) that was being actively exploited in the wild against victims. Make sure you're running version 78.0.3904.87 or higher for Windows, Mac, and Linux to be safe.

More technical details are here: essentially, a malicious JavaScript file on a webpage can exploit the vulnerability to potentially gain arbitrary code execution and install spyware and other horrible stuff on the computer. Kaspersky reckons the flaw was abused in an attempt to infect Chrome-using visitors of a Korean-language news website, in a campaign dubbed Operation WizardOpium.

Crypto-miner spreads via BlueKeep hole

We hope you've all patched your Windows systems for the BlueKeep RDP flaw, which can be exploited to achieve remote-code execution on vulnerable machines. It appears Monero-mining malware is spreading among unpatched boxes via the security flaw. Microsoft patched the bug way back in May.

Marcus Hutchins, with help from Kevin Beaumont, has detailed the spread of the BlueKeep-exploiting nasty here for Kryptos Logic.

All the more reason to ensure you're patched.

ClamAV zero-day lands but don't panic

Someone has popped onto Pastebin a zero-day code-execution exploit that can hijack systems running the open-source antivirus engine ClamAV. While this software is used quite widely, and thus such a bug could prove disastrous, the danger isn't very great: exploitation is limited to a very narrow configuration, as discussed here on Twitter.

Azure Sphere gets a release date

Microsoft's planned hardware-to-cloud Azure Sphere platform now has a general availability date. Microsoft says that the first devices embedded with the tech will be arriving in February of 2020.

For those unfamiliar, Azure Sphere is Microsoft's bid for a secure IoT platform. Redmond is combining on-chip secure enclave tech with a custom-made Linux kernel and its Azure cloud service. The idea is to offer embedded device makers an all-in-one security package that goes from the silicon level to the cloud management tools.

NAS-ty malware surfaces

Last week, authorities in Finland warned of a newly discovered piece of malware targeting QNAP network storage boxes.

Known as QSnatch, the software nasty connects infected boxes to a command-and-control server and harvests usernames and passwords. The infection also has the potential to load up other modules should the attackers decide to do more with their botnet. According to Germany's CERT, the malware is already spreading rapidly and has got into at least 7,000 machines in that country alone.

Ensure you're running the latest version of the QNAP firmware to avoid being compromised. The exploited bug was addressed in February this year, though it looks like malware is finally spreading via the hole on unpatched boxes.

Pwn2Own gets new targets

The popular Pwn2Own competition is set to add a new category, as Trend Micro says it will be adding industrial control systems to the roster of target devices. Those who can hack the hardware will get a cash reward and, if tradition holds, will also be able to take home the hacked kit.

PHP stands for "patch hella pronto"

Anyone running PHP, particularly PHP with the Nginx webserver and FastCGI, will want to take the time out to update their boxes following the discovery and patching of a vulnerability in the software stack. Discovered during a capture-the-flag competition, the bug can potentially be exploited remotely to achieve code execution, depending on your configuration.

The core problem (CVE-2019-11043) lies in PHP, it seems, so make sure you've updated to the latest versions listed here.
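As an added illustration, not part of the original article: whether an unpatched PHP-FPM instance is reachable through this bug depends on how nginx hands requests to it. The widely reported risky pattern is a `location` block that derives `PATH_INFO` with `fastcgi_split_path_info` and forwards the request without first checking that the requested script actually exists; adding `try_files $uri =404;` makes nginx refuse to proxy requests for scripts that are not on disk. The document root and socket path are made-up placeholders, and the config change is a mitigation alongside, not instead of, updating PHP.

```nginx
# Placeholder values: /var/www/example and the unix socket path are constructed.
server {
    listen 80;
    root /var/www/example;

    # --- Risky pattern (as widely reported for CVE-2019-11043) ---
    # PATH_INFO is split from the URI and passed straight to PHP-FPM.
    # Nothing verifies that the .php script named in the URI exists, so
    # crafted URIs reach PHP-FPM's path handling unchecked.
    #
    # location ~ [^/]\.php(/|$) {
    #     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    #     fastcgi_param PATH_INFO $fastcgi_path_info;
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php-fpm/example.sock;
    # }

    # --- Hardened pattern ---
    # Only requests for PHP scripts that really exist under $root are
    # forwarded; everything else gets a 404 from nginx before PHP-FPM
    # ever sees it.
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;

        # Reject the request unless the script file is present on disk.
        try_files $fastcgi_script_name =404;

        fastcgi_param PATH_INFO $fastcgi_path_info;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/example.sock;
    }
}
```

Run `nginx -t` after editing, then reload; and treat this as belt-and-braces only, since the actual fix is the updated PHP release.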

LabKey software found to contain RCE hole

Admins in the medical field will want to pay attention to these bugs in LabKey, a software platform used with biomed research gear. If chained together, the flaws would potentially allow for remote code execution.

Fortunately, given how niche the software is, the chances of active exploits targeting the bugs are not particularly high. Still, it would be a good idea to get a patch installed as soon as possible.

India nuclear plants report malware infection

A nuclear power plant in India discovered a malware infection believed to be linked to North Korea. Fortunately, the software nasty, we're told, was not found near any of the reactor controls.

Credit cards for sale on the internet, gasp

Infosec outfit Group-IB says it has uncovered an estimated 1.3 million cards offered for sale on the internet at a total estimated value of more than $130m. The card data largely belonged to bank customers in India.

Meanwhile, a website called BriansClub that was selling more than 26 million credit and debit card records to fraudsters was hacked, and its contents leaked, allowing banks to cancel the compromised cards.

Domain registrars warn of data thief

Customers of NetworkSolutions and two other registrars were warned at the turn of this month that some of their data was exposed to hackers who managed to gain access to the trio's internal databases.

There were no payment cards nor passwords in the data store, though the miscreants would have been able to see basic contact information, such as physical addresses, phone numbers, and email addresses. Those exposed would be wise to keep an eye out for spear-phishing attacks that might use that information to appear more authentic.

Camgirl websites' security lapse

A network of websites through which netizens – mainly those in Spain and Europe – can watch people, typically women, strip off live over the web left a back-end database open to the internet, exposing some 13 million records including users and camgirls' email addresses, IP addresses, chat logs, and more. The system has since been secured and hidden from view. One group of security researchers, who contacted El Reg on Friday, planned to go public with the details this week, though they were seemingly beaten to it by cyber-biz Condition:Black over the weekend. It is understood no payment data was exposed.

FireEye details SMS-stealing Chinese malware

FireEye says that the China-based APT41 crew is using a piece of malware known as Messagetap to spy on text messages. The malware is said to be installed on the SMS servers at telco providers and gives the attackers the ability to pull select messages from surveillance subjects. ®
