How to make a stranger's insecure 3D printer halt-and-catch-fire – plus more alerts from infosec world

Roundup We're one week further along, and we hope everyone is well out there. Time for another security roundup amid the coronavirus lockdown.

3D printing turns red hot

In what was surely a very serious piece of research and not just an excuse to set stuff ablaze, the team at the aptly-named CoalFire have demonstrated how a 3D printer could be tricked into bursting into flames remotely.

By hijacking the firmware update process of a 3D printer called the Flashforge Finder, a miscreant could potentially flash the machine's software to remove its temperature constraints. The next time the printer was used, it could heat up to the point of catching fire.

Scary stuff, but keep in mind you need to be on the same Wi-Fi network as the device, and spoof the online repository it fetches its firmware from in order to send it malicious code to install, which isn't trivial. If you're on the same Wi-Fi network, you could control it via a network port, instead, for mischief. If that port is facing the internet, any stranger who stumbles across it could commandeer the thing using this command interface.

"The Flashforge Finder comes with port 8899 open with no authentication, which appears to be relatively common among IoT 3D printers," says CoalFire's Dan McInerney. "This port takes G-Code commands for performing actions such as increasing the temperature, extruding plastic, and moving the heated extruder tip around."

Bad: TrickBot malware. Worse: Fin6 hacking crew. 2020: TrickBot and Fin6 join up to make the year even worse

A notorious cybercrime operation that targets retailers is now even more dangerous, thanks to an alliance with a second criminal hacking outfit.

Researchers at IBM say the group known as Fin6, or ITG08, has begun using a malware framework borrowed from TrickBot, a crew specializing in the development of banking malware.

This partnership is significant not only because it gives Fin6/ITG08 an entirely new angle of attack that security vendors had not associated with the group, but also because it shows the evolution of the group, which has also been branching out into MageCart-style attacks, into a more organized, capable entity.

"ITG08’s partnership with the TrickBot gang not only provides the group with new malware and potential access to enterprises infected with the TrickBot Trojan; it also reveals additional evidence of the group’s strategy to partner with other threat actors and malware developers," said IBM threat analyst Ole Villadsen.

"These varied relationships with elite cybercriminal actors and those who sell them tools, access and software allow ITG08 to continue to rely on its strengths in post-exploitation tactics, such as lateral movement, privilege escalation and data exfiltration, and outsource other attack vectors as needed."

BitDefender bemoans bigger, badder botnet

The security team at BitDefender says it has uncovered a massive new botnet that will "put to shame" most of the malware's rivals.

Dubbed Dark Nexus, the massive network of compromised gear is capable of screening the processes on infected devices and killing off anything that might pose a threat, such as another piece of malware.

It also appears to be highly customized, not just another Mirai knock-off.

"While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust," noted researcher Liviu Arsene. "For example, payloads are compiled for 12 different CPU architectures and dynamically delivered based on the victim’s configuration."

NFL coach fears lockdown hackers could take secret data

John Harbaugh, head coach of the NFL's Baltimore Ravens, worries that the league's new remote working rules could pose a data security threat.

With all 32 NFL teams set to conduct this year's player draft remotely (instead of in-person at a large theater or arena), the fear from Harbaugh is that rival teams could get critical scouting and strategy data from his staff.

"Hopefully we'll be OK. I really wouldn't want the opposing coaches to have our playbook or our draft meetings," the coach told ESPN. "That would be preferable, if we can stay away from that."

Least we write Coach Harbs off here, there is some precedent for this sort of thing between pro sports clubs.

Time for yet another 3D printing fingerprints report

This time, it's Cisco Talos who dug into the process of 3D printing fingerprints to fool sensors in laptops and phones, and found that the process is easier than ever, so long as you have a high-enough resolution image of the print to work with.

The team was able to get around an 80 per cent success rate with their synthetic fingerprints, with one glaring exception: Windows 10 machines running the Hello framework.

Marketers leave 95 million emails out

Researchers at CyberNews report that a marketing company known as Maropost exposed around 95 million email records related to its business.

"While the leaked database does not appear to contain truly sensitive information like social security numbers or credit card details, even an email address can be enough for an attacker to cause real damage," argues CyberNews.

The data, left sitting on a Google Cloud instance hosted in the US, has since been taken down.

28 bad Android apps pulled

Also from CyberNews, this report of more than 101 malicious apps from a network of 27 developers in the Play Store, each said to be requesting excessive permissions with the aim of pumping out ads to unsuspecting users.

Want to do some Zoom trolling? The FBI strongly suggests you reconsider

Following word of pranksters running riot on unsecured Zoom meeting channels, the FBI and the US Attorney's Office have issued a warning to would-be Zoom bombers. This word of caution came from the Western Pennsylvania office, but is pretty applicable to federal prosecutors around the country.

"Western Pennsylvania’s chief federal, state, and local law enforcement officials are joining together to warn that anyone who hacks into a teleconference can be charged with state or federal crimes," video-crashers are warned.

"Charges may include: disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications."

Opportunistic malware writers seize on remote workers

As if we didn't have enough to put up with, now comes word that malware writers are impersonating popular video conferencing apps in hopes of snaring careless downloaders.

Kaspersky reports finding around 1,300 different apps being mislabeled as popular video-conferencing software. Most were junk, but around 200 of those were found to be stuffed with malware.

Not surprisingly, Zoom was the most popular lure, followed by WebEx, GotoMeeting, Flock, and Slack.

It's always a good idea to make sure you're downloading software from the vendor's actual site, and run a malware scan on all downloads if possible.

Mandiant serves up guidelines for safe meetings

FireEye's parent company Mandiant has offered up a set of best practices for keeping your remote meetings secure.

They include common-sense practices like being aware of all attendees, disabling content sharing unless vital, preventing attendees from recording (only the organizer should be allowed) and making sure links are kept secure and meetings are password protected if possible.

RigUp cough up customer data

A report from the leak-hunting crew at VPNmentor details how RigUp, a service provider for the energy market, left out records from 75,000 customers.

The exposed data, stored in a misconfigured AWS S3 bucket, included things like human resource files with employee names and identification details. It also included project proposals and designs for industrial equipment.

Windows Net Use flaw disclosed

Researcher John 'Hyp3rlinx' Page passed along this exploit for a vulnerability in the Net Use component of Windows.

While not a serious risk (it requires local admin access, for starters) the issue could be useful for an attacker who is trying to move laterally on a network. It's worth reviewing the code and taking any needed steps.

Travelex coughed up $2m+ for ransomware

The Wall Street Journal reports that Travelex, the exchange service hit hard by a massive ransomware infection, caved in and paid the extortionists' demands of $2.3m several weeks ago, but still encountered problems getting its data back.

Is your Apple gear infected with Fleeceware?

The security team at Sophos reckons that more than three million iOS devices contain what they call 'fleeceware'.

These are shady freemium apps that either offer users free trials of marginally useful features, then rack up exorbitant fees in the neighborhood of $30 or more per month. While not malware, the apps are definitely not something you want on your iPhone or iPad, let alone your monthly bill.

More than half of US phone calls are spam

This according to researchers with Roboshield, who point to a study of 1,000 people in the US in reporting that 54 per cent of the calls they received were unwanted things like robocalls or spam.

Not surprisingly, young people who spend less time on their phones reported lower volumes of calls than older users. Calls with spoofed local numbers were most commonly reported.

"Although many of our respondents admitted to answering the phone if the number looked familiar (55%) or shared their area code (33%), the Federal Trade Commission (FTC) recommends disconnecting the call if you’ve answered and adding the number to your blocked list," noted RoboShield's Alex Lloyd.

"These types of unwanted callers willingly disregard do not call lists and are continuously seeking new ways to prey on vulnerable people."

Darknet vendor charged

Prosecutors have charged a darknet drugs vendor with money laundering and unlawful distribution of medications in the Eastern Virginia US District Court (affectionately known as the 'rocket docket' for its high case turnover)

It is alleged that 32-year-old William Anderson Burgamy, of Maryland, ran a darknet operation called NeverPressedRX. Using hidden markets, it is believed that Burgamy trafficked in thousands of prescription opioid pills.

If convicted, he faces a maximum of 40 years in prison.

Critical VMware bug arises

Admins will want to be sure they get the patch for CVE-2020-3952, a flaw in vCenter Server that could potentially allow an attacker with local access to extract data from the host machine.

San Francisco airport hit by hackers

San Francisco Airport has admitted two of its employee and contractor websites, SFOConnect.com and SFOConstruction.com, were hacked in March so that they harvested login credentials, particularly Windows login creds, from visitors.

If you visited one of these sites with Internet Explorer on a Windows machine, you should change your password: it sounds as though it was stolen via a UNC-style attack. This could have worked by including a malicious link or image URL, say, that connected to a remote SMB server, causing Windows to send on usernames and hashed passwords in an attempt to authenticate with the server.

The airport has reset all of its staff passwords.

Dutch cops catch DDoS merchant

Cops from the Netherlands claim to have taken down a hacker who took down the MijnOverheid.nl and Overheid.nl domains in a denial of service attack on March 19.

The 19-year-old man from the Dutch city of Breda was arrested on Friday on charges he took down the government websites, used to funnel social security and health information.

“By taking a website like this offline, you are denying citizens access to their personal data and important government information,” said Jeroen Niessen of the cybercrime team of the Central Netherlands Police.

"We take this very high, especially now that the corona crisis is causing additional uncertainty and a great need for information by many people. We want to protect people and companies and make it increasingly difficult for cyber criminals to carry out a DDoS attack." ®