Sophos XG firewalls hacked, hotfix ready. Texts wreck Apple iThings. Yup, business as usual in infosec world
Plus Office 2016, 2019 patches – and a barn-load of other security bits and bytes
Roundup It's time to dig in to another Register security roundup.
Sophos XG Firewall hacked in the wild – hotfix available
Sophos has rushed out a hotfix for its XG Firewall products to close an SQL injection vulnerability – after hackers were spotted exploiting the hole in the wild. The flaw can be abused to steal the firewall's configuration, such as usernames and hashed passwords.
The hotfix will, as well as patching the bug, tell admins if their boxes were compromised by miscreants before the fix could be applied. Ensure automatic hotfix deployment is enabled to receive the update. All physical and virtual XG firewalls are vulnerable, we're told, and all supported versions (SFOS 17.1, 17.5, 18.0) will get a hotfix.
"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," said Team Sophos.
"It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.
"At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall."
Multi-language texts crash Apple iThings
A seemingly random string of text in an SMS can reportedly crash iOS devices that receive it, meaning you can drive an Apple fan bonkers by remotely knackering their handheld by sending them the text. 9to5mac reported the string is a mixture of the Italian flag icon and text in the Sidhi language, and triggers a bug in Messages for iPhone, iPad, Mac and Apple Watch. The flaw's effect is said to vary by device: the crash can cause anything from the chat app unexpectedly quitting to the touchscreen freezing up.
The craziest iOS crash text bug 💀 pic.twitter.com/29LJPb67WP— EverythingApplePro (@EveryApplePro) April 23, 2020
Apple has yet to publicly comment on the issue. What with this and its unpatched Mail flaw, it has not been a good week for Cupertino's security record.
Ransomware masterminds appear to honor vow not to infect hospitals
At the outset of the COVID-19 coronavirus pandemic, a handful of ransomware crooks promised not to target healthcare providers. Yeah, right, we all thought. Well, it seems the malware gangs may be true to their word, kinda, as ransomware attacks in general are way down and infections of file-scrambling nasties at healthcare facilities are almost non-existent, we're told.
Security software maker Emsisoft claimed it clocked just 25 reported attacks on healthcare facilities over the past quarter, a nosedive from the 191 hits it sees on an average per quarter. Sounds nice, but...
"This reduction is entirely due to the fact that, in 2019, many managed service providers (MSPs) were exploited enabling multiple healthcare organizations to be simultaneously compromised in a single incident," Emsisoft pointed out. "So far in 2020, there have been no such attacks affecting healthcare providers."
So, maybe there was something to that pledge after all, sort of.
Prosecutors crack down on COVID-19 scams
The US Justice Department is taking the fight to sketchy peddlers looking to turn a quick buck by scamming the public with bogus coronavirus information and treatments.
Prosecutors have taken down hundreds of scam operations, we're told. These range from bogus donation webpages – with one claiming to be the Red Cross – to phishing pages that impersonated government relief programs.
"The department will continue to collaborate with our law enforcement and private sector partners to combat online COVID-19 related crime," said Brian Benczkowski, assistant attorney general. "We commend the responsible internet companies that are taking swift action to prevent their resources from being used to exploit this pandemic."
Crown Sterling settles case over car-crash Black Hat presentation
One of the more bizarre stories to come out of last year's Black Hat infosec conference in Las Vegas was the one about the paid-for "Time AI" presentation by an outfit called Crown Sterling. The sponsored session went down like a lead balloon: hecklers pulled apart the company's outlandish boasts about encryption and artificial intelligence.
Times being what they are, this led to a lawsuit from Crown Sterling against Black Hat, alleging the conference organizers violated the sponsorship deal by allowing the presentation to be derailed by cheesed-off audience members. That lawsuit was settled recently, though we won't know the terms as everything was kept confidential.
Sadly, there will probably be no presentations this year, at least not in person, as Black Hat is highly likely to be cancelled due to the virus outbreak. BSides Las Vegas called off its event this summer due to the pandemic.
Team Fortress 2, Counter Strike: Global Offensive code leaked
Someone, apparently after a spat between members of the game modding community, leaked online the source code to a previously leaked portion of the engine inside smash-hit video games Team Fortress 2 and Counter Strike: Global Offensive. Shortly after, another claimed to have found a remote code execution bug in the software. As scary as that sounds, there's actually not much to be worried about here.
Bankers fall victim to email scam
Checkpoint has yet another report on scumbags hijacking an email account within an organization to impersonate a staffer to have account numbers changed on invoices and payments to redirect funds to the crooks' pockets. In this latest case, $650,000 was stolen via irretrievable transfers from UK and Israeli-based finance firms by criminals.
PAAY spills card payment logs
Payments biz PAAY inadvertently publicly exposed an estimated 2.5 million card transactions, thanks to a misconfigured internet-facing database. There is some debate as to whether any actual payment card numbers were exposed, and thus far there is no indication any fraudsters accessed it before the data silo was taken offline.
Cyberstalking charge for California man
Carl Bennington, 33, of Covina, has been accused of using multiple social media accounts to stalk the young women over a four-year period up to and including death threats. If convicted, he faces up to five years in prison.
Exercise app Kinomap reveals user info
Elsewhere in badly-secured-databases news, exercise app Kinomap forgot to set a password on one of its internet-facing storage buckets and, as a consequence, some basic user profile information such as names, usernames, email address, and workout timestamps were exposed.
Microsoft posts Office update
Microsoft has issued an out-of-band update for Office 2016 and 2019 thanks to a remote code execution bug found in a bundled AutoDesk library. This can be exploited by opening a file containing a booby-trapped 3D model that triggers malicious code execution.
Autodesk patched the flaw earlier this month, so make sure you're up to date.
Nintendo warns of account thefts
Nintendo has had to reset the credentials of around 160,000 user accounts after it was found miscreants were using a leaked set of logins from an old service called Nintendo Network ID to get into profiles, and, in some cases, rack up fraudulent purchases.
Winnti group blamed for new attack in Germany
The notorious DPRK Winnti hacking crew is said to be at it again. This time, the North Korean hackers are said to have broken into a German company using a technique called DNS tunneling.
"The sophistication of the techniques we uncovered confirms that the Winnti Group is a highly sophisticated, and highly committed Advanced Persistent Group targeting a plethora of different industry sectors in Europe and South Asia," said eggheads at Quo Intelligence, which analyzed the reported break-in.
Researchers show how GPUs can leak system data
Not the most practical attack, but it's worth the time to read this interesting report from Duo security on how malware could program a PC's graphics processor to transmit data wirelessly using its high-frequency shader clock. This leaked information could be received by a miscreant nearby, bypassing any air gapping.
Boffins Mikhail Davidov and Baron Oldenburg produced a setup that could "exfiltrate data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away."
VictoryGate botnet menaces South America
ESET has uncovered a cryptocurrency-mining botnet that appears to be largely focused on South America. Known as VictoryGate, the malware infects a mixture of home and business Windows PCs and Internet-of-Things devices.
"Active since at least May 2019, it is composed mainly of devices in Peru, where over 90 per cent of the infected devices are located," said ESET. "The main activity of the botnet is mining Monero cryptocurrency."
Group-IB spots card cache for sale on darknet market
Group-IB has sounded the alarm following the discovery of a cache of bank card data for sale on the dark web. The cards, which are said to come exclusively from banks in South Korea and the US, are said to number somewhere around 400,000, and are being offered at $5 apiece. And, according to the seller, anywhere from 30 to 40 per cent are still valid.
"It should be noted," said Group-IB, "that it is the biggest sale of South Korean records on the dark web in 2020, which contributes to the growing popularity of APAC-issued card dumps in the underground." ®