Pemex hit by ransomware, US Postal Service gets a copycat and new WhatsApp bugs

Plus, 1Password gets a boatload of cash

It's time for another Register security roundup of the week's smaller stories you may have missed.

FedEx says exposed driver database was a 'test system'

US parcel delivery company FedEx has acknowledged that it left an exposed database containing detailed driver and delivery information, but says the information was part of a test system.

Security researcher Devin Stokes found and responsibly disclosed the open database to FedEx. Once it was removed (after more than a week of trying to get the company's attention), Stokes exclusively shared with El Reg the details on what was within: detailed information on driver trips and reports on accidents, including the cause.

Stokes said the database also included stats on day-to-day operations, with things like geofencing data and even alerts for when drivers were going over the speed limit in their delivery vehicles.

"[FedEx] can confirm this site was used for testing and contained no sensitive information," a spokesperson told El Reg. "It has since been decommissioned."

We imagine the drivers whose speeding patterns were being tracked might not agree with that assessment. Either way, congrats to Devin on the find.

Pemex popped

One of the largest oil companies in the world had to deal with a ransomware infection recently, as Mexico's Pemex said it fell victim to a malware infection in one of its corporate networks.

The oil giant said that its operations were not impacted by the attack, and none of its industrial systems or any safety gear was touched by the ransomware.

Symantec patches vulnerability in AV offering

Once again, a bug in a popular security suite is, ironically, putting users at risk of malware infections.

This time, it's Symantec's Endpoint Protection software that is vulnerable, according to researchers with SafeBreach.

The flaw is nearly identical to the one found earlier in McAfee antivirus and is related to insecure loading of DLL files. An attacker who exploited the flaw could run arbitrary code and commands on the target machine and, more importantly, maintain persistent access even after a restart.

There is one major mitigating factor here: the attacker already has to have access to the machine with admin clearance. If that is the case, there's not much need for this sort of exploit, so while you should update your software with the patch, it shouldn't be a massive security concern.

Check Point breaks down Qualcomm's TPM code isolation

Those interested in the intricacies of on-chip security protections should give a look to this report from Check Point detailing how its team was able to uncover flaws in the TPM protections of Qualcomm processors.

The in-depth report shows how the researchers were able to uncover the vulnerabilities that would let unprivileged code elevate itself to privileged status, potentially allowing for sensitive information within the secure enclave on the chip to be read.

WhatsApp warns of remote code via video bug

Facebook's WhatsApp has posted notice of a vulnerability in the mobile versions of the messaging app that could potentially allow for remote code execution. The flaw is due to a buffer overflow that is exposed when viewing a specially-crafted MP4 file.

Users can protect themselves against exploits by making sure to update to the latest version of the Android, iOS, or Windows Phone app.

$200m to 1

Security tool 1Password has been around for more than a decade now, but that doesn't mean it can't still kick up some VC bucks. The developer this week revealed that it had just finished up a $200m Series A funding round, giving it more than enough cash for expansion.

US Postal Service the latest malware lure

The team at Proofpoint says that among a series of new scam emails being used to spread malware is a message claiming to come from the US Postal Service.

The fake notices include a Word file that has been poisoned with the exploit code itself. Opening up the file will result in the attempted installation of a banking trojan.

With the holiday shopping season set to kick off, users should be wary of any message claiming to be from the USPS or other delivery service.

Cisco Talos warns of custom dropper malware

Researchers with Talos are warning that a long-running malware campaign has been reinvigorated with the use of customized dropper tools. The hackers are believed to have taken existing malware and slightly modified it, allowing the droppers to potentially skirt detection by security software. ®
