OpenBSD bugs, Microsoft's bad update, a new Nork hacking crew, and more

Meanwhile, the DOJ sets its sights on money mules


Welcome to yet another El Reg security roundup. Off we go.

OpenBSD a little too true to its name

The freely available OpenBSD operating system is the host of some annoying security holes.

Researchers at Qualys found and reported authentication bypass flaws that can be exploited locally, and potentially remotely, to log into services without valid credentials.

"We discovered an authentication-bypass vulnerability in OpenBSD's authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis," notes Qualys. "For example, sshd is not exploitable thanks to its defense-in-depth mechanisms."

Admins will want to update their systems as soon as possible.

Microsoft update borks databases

Admins running Microsoft Access might want to hold off on installing the latest security patches from Redmond, depending on the version they are running.

This after Microsoft warned that an update for the database tool, released on November 12, was causing SQL queries to fail.

While some versions have been updated with a fix to clean up the issue, two others, Access 2013 C2R and Access 2019 Volume License, will not get their fix until December 10.

For those wondering, things like this are part of the reason why some companies are behind on their patching: security fixes can sometimes bring with them other bugs that can cripple important systems.

IBM breaks down Hive0080

No, that's not the name of the cheesy EDM act your sister's new boyfriend plays in. It's the newest North Korean hacking operation.

The team at IBM's X-Force says that Hive0080 is in many ways like the other APTs operating out of the reclusive dictatorship. The outfit mainly exists to help the sanction-hit nation line its coffers with purloined currency.

"Our analysis of this group’s activity indicates they have been active since at least early 2018 and that their malware and TTPs are linked closely to those employed by North Korean-backed cyber operations groups," X-Force reports.

"These links suggest that this group is financially motivated and, based on their efforts to stage enterprise data for extraction, may also be attempting to steal intellectual property."

Beware orphaned Windows Hello TPM keys

Admins will want to read this Microsoft advisory and make sure they are not vulnerable to a security hole caused by mishandling of orphaned TPM keys in Azure Active Directory.

"After a user sets up Windows Hello for Business (WHfB), the WHfB public key is written to the on-premises Active Directory. The WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned," Microsoft says of the keys.

"However, these orphaned keys are not deleted even when the device it was created on is no longer present."
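One way to hunt for such orphans, as an added example that is not from Microsoft's advisory or from this article: WHfB public keys live in the user's msDS-KeyCredentialLink attribute in on-premises AD, and each value carries the DeviceId of the device the key was created on, so keys whose DeviceId no longer matches a registered device can be listed. The parser below follows the KEYCREDENTIALLINK_BLOB layout documented in MS-ADTS; it assumes the raw binary blob has already been extracted from the attribute's DN-Binary wrapper, and the blobs and device IDs it runs on are constructed samples.

```python
import struct
import uuid

# Entry identifiers from the KEYCREDENTIALLINK_BLOB layout (MS-ADTS 2.2.20);
# only the entries this check needs are named here.
KEY_ID = 0x01      # SHA-256 of the key material
KEY_USAGE = 0x04   # 1 byte; 0x01 = NGC, i.e. a Windows Hello for Business key
DEVICE_ID = 0x06   # 16-byte GUID of the device the key was created on
KEY_USAGE_NGC = 0x01

def parse_key_credential_link(blob: bytes) -> dict:
    """Parse one raw msDS-KeyCredentialLink blob into key ID, usage and device ID."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError(f"unsupported KeyCredentialLink version {version:#x}")
    entries, pos = {}, 4
    while pos + 3 <= len(blob):  # each entry: 2-byte length, 1-byte id, value
        length, ident = struct.unpack_from("<HB", blob, pos)
        value = blob[pos + 3:pos + 3 + length]
        if len(value) != length:
            raise ValueError("truncated entry in KeyCredentialLink blob")
        entries[ident] = value
        pos += 3 + length
    key = {"key_id": entries.get(KEY_ID, b"").hex()}
    if KEY_USAGE in entries:
        key["usage"] = entries[KEY_USAGE][0]
    if DEVICE_ID in entries:
        key["device_id"] = str(uuid.UUID(bytes_le=entries[DEVICE_ID]))
    return key

def find_orphaned_whfb_keys(blobs, known_device_ids):
    """Return key IDs of WHfB keys whose device is no longer among known_device_ids."""
    known = {d.lower() for d in known_device_ids}
    return [k["key_id"] for k in map(parse_key_credential_link, blobs)
            if k.get("usage") == KEY_USAGE_NGC and k.get("device_id") not in known]

def sample_blob(key_id: bytes, device_id: str) -> bytes:
    """Constructed sample blob: version + KeyID + KeyUsage(NGC) + DeviceId."""
    def entry(ident, value):
        return struct.pack("<HB", len(value), ident) + value
    return (struct.pack("<I", 0x200) + entry(KEY_ID, key_id)
            + entry(KEY_USAGE, bytes([KEY_USAGE_NGC]))
            + entry(DEVICE_ID, uuid.UUID(device_id).bytes_le))

# Constructed sample data: one device still registered in Azure AD, one removed.
LIVE_DEVICE = "11111111-2222-3333-4444-555555555555"
GONE_DEVICE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_BLOBS = [sample_blob(b"\x01" * 32, LIVE_DEVICE), sample_blob(b"\x02" * 32, GONE_DEVICE)]
```

In practice the set of known device IDs would come from the tenant's registered device list, and any key ID the function returns is a candidate for cleanup.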

Bayrob hackers go down for decades

Bogdan Nicolescu and Radu Miclaus, the Romanian duo behind the Bayrob fraud operation, have been sentenced to 20 and 18 years in prison, respectively.

The pair were found to have infected more than 400,000 people's computers with malware and made off with an estimated $4m using a combination of identity theft, phishing and cryptocurrency mining.

Over in the US, a Sprint contractor left more than 261,300 documents containing phone bills and personal info of AT&T, Verizon and T-Mobile subscribers on a public-facing Amazon-hosted cloud storage system. The silo has since been taken down.

DOJ takes aim at money mules

The US Department of Justice has launched a campaign to take down money mule networks across the US.

The "mules", sometimes unwitting accomplices, are used as the go-between for cybercriminals to get money out of the accounts of victims and wired overseas to accounts controlled by the bad guys. The DOJ hopes it will be able to identify and stop hundreds of these individuals.

"The Money Mule initiative highlights the importance of partnership to stop fraud schemes, and it sends a message to all who are engaged in money mule activity that they will be caught and prosecuted," FBI director Christopher Wray said of the effort.

Aviatrix VPNs vulnerable

Researchers with Immersive Labs have uncovered a vulnerability in the popular Aviatrix enterprise VPN platform.

The elevation of privilege flaw requires the attacker to already have access to the VPN, so it is not a major risk, but admins will still want to update the software as soon as possible, since these bugs can often be chained with other exploits to create a more serious issue.

"Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it," said Alex Seymour, the Immersive Labs researcher who uncovered the bug.

"People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry." ®

Biting the hand that feeds IT © 1998–2021