Roundup Let's catch you up on infosec news beyond the bits and bytes we've already reported.
Leasing outfit's leaky database exposes big names
A leasing company left a poorly secured database facing the open internet for anyone to find and freely access – and it contained records on assets used by big names, such as Samsung, Rolls-Royce, Tesco, Computacenter, Link Group, Capita, Freightliner, and MC Group, we're told.
The team at TurgenSec informed El Reg over the weekend it found the publicly accessible data cache, operated by an outfit called LeaseSolution, and privately tipped off the firm. The database has since vanished from view.
The records included basic contact information for the biz's customers, so things like job titles, postal and email addresses, phone numbers, and so on. More interestingly, they included a list of assets the clients had leased – think offices, corporate jets, and even industrial machinery.
The data doesn't at first glance seem terribly damaging in the wrong hands. There was no personal information – beyond work contact details – nor any financial data, so you wouldn't expect to see it fetch much of a price on dark-web markets.
To someone wanting to perform a targeted swindle, such as impersonating a supplier or client to redirect payment to another bank account, however, it would be quite useful. A crook wanting to re-route an invoice, or get a malware foothold on the corporate network, would know exactly who to target and what to tell them in a social engineering scenario.
"If one of our clients was targeted in a breach like this," said one TurgenSec researcher, "it would sound all my bells and I would be really worried."
Officials collared after Pegasus buy goes awry
Three ex-g-men in Ghana have been handed prison terms for wasting taxpayer money in a case related to the sale of the NSO Group's Pegasus smartphone surveillance tools.
The three men, all former officials involved in national communications and security in the West African nation, were sent down for five to six years each, after a court found that, in their roles, they spent $4m of government money on purchasing Pegasus hardware and software. The software didn't show up, though, and documentation about the purchase was absent, so in effect, the trio were locked up for blundering a multi-million-dollar deal.
It should be noted that this case was not about any wrongdoing by the Israeli NSO Group. Another defendant – the local sales rep who brokered the deal – was acquitted, while a fifth suspect was released without further prison time.
Hidden Cobra gets a new malware trick
US-CERT said a new piece of Windows malware dubbed Pebbledash is the work of Hidden Cobra, the North Korean hacking crew responsible for stealing millions of dollars in cyber-heists.
"This report looks at a full-featured beacon implant. This sample uses FakeTLS for session authentication and for network encoding utilizing RC4," US-CERT said. "It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration."
The recommendations for users and admins are standard best practices: keep software up to date, disable file and printer sharing, and don't open any suspicious emails or attachments.
Hackers drop gigs on Gaga
Last week we had the story of miscreants stealing a massive trove of data from the computers of an American law firm representing a galaxy of showbiz stars. The hackers have promised to release the 750GB haul of swiped contracts, agreements, and personal info.
El Reg understands that 2GB of the cache has been dropped onto the dark web, and contain documents and correspondence involving pop siren Lady Gaga. We won't link to the Tor-hidden dumping ground, though it can be found easily enough.
The hacking crew also claims to have pilfered information related to President Trump, although so far there hasn't been much posted to back that up.
Microsoft emits Stormspotter for customers to suss out their Azure holes
Red teams rejoice! Microsoft has released an offensive security tool called Stormspotter that identifies potential weaknesses in an organization's Azure deployments – which a miscreant could exploit to gain access to data or drill further into a network.
The idea here, as with all offensive security tools, is to speed up the process of penetration-testing Azure deployments, and allow IT admins to shore up weak points before they can be targeted by criminals. Redmond has made the tools available through its open-source program, and welcomes contributors.
PrintSpooler bugs take center stage
Now that everyone has had a chance to test out and install this month's Patch Tuesday bundle, researchers are providing a closer look at some of the flaws. Among those is CVE-2020-1048, a privilege escalation bug in Windows Print Spooler.
Experts Yarden Shafir and Alex Ionescu showed how a rogue user or malware on a computer could use a specially crafted printer driver to take advantage of weak security controls in Print Spooler and elevate their privileges to take over the system – all using a basic user account with no need for administrative access, thanks to some holes in how printer drivers are handled.
The duo notes the attack can be pulled off with just a few lines of C code. All of this is to say: install your Windows updates.
Adobe macOS flaws allow miscreants, malware to get root on Apple boxes
While we're on the subject of this month's security fixes, Yuebin Sun has taken a detailed look at three Adobe Reader flaws in macOS that, when chained together, can achieve arbitrary code execution as root – providing total control over a Mac.
The bugs (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) involve an insecure client check, a root bypass with temporary directories, and a race condition, and are exploited locally.
"The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed," said Sun. "A normal user on macOS (with SIP enabled) can locally exploit this vulnerabilities chain to elevate privilege to root without a user being aware."
Scumbags turn their focus to APIs
The team at Cequence said its customers have experienced an unusually high level of attacks on API endpoints from botnets lately.
"API endpoints seem to be taking more of the brunt of the attacks than normal; in one case, 24 million events occurred in total against web and API, representing 4.5 million events in legitimate traffic with 19.5 million events being attack traffic," said Cequence hacker in residence Jason Kent. "The lion’s share of the attack traffic, 15 million events, was aimed at one login API endpoint for the Android application. This attack has been ongoing since lockdown orders began going into place and has changed very little."
The biz believes attacks are in part caused by boredom. Miscreants are in coronavirus lockdown just like everyone else, and with more time on their hands, bot herders are getting more creative and probing a wider set of services.
WordPress plugin open to XSS attacks
Sucuri said it has found an easy-to-exploit cross-site scripting bug in a WordPress extension that is present in some 40,000 sites.
The flaw is located in a plugin for the CMS called WP Product Review. The plugin lets website owners earn a commission by posting links to gear in their reviews, and collecting money when readers buy something through those links. Unfortunately, the plugin fails to do security checks on user input.
"All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute," we're told. "A successful attack results in malicious scripts being injected in all the site’s products."
Site owners are advised to update the plugin to version 3.7.6 or later to clear up the flaw.
US Congress mulls bill to pay out for security research
The US Senate is kicking around a bill that would see money earmarked to reward security research.
NextGov reports that the 2020 Cyber Leap Act would allow the Commerce Secretary to authorize funds that would pay out for hacking competitions and crowdsource projects, including those conducted by state, local, and tribal governments.
While the bill is in its early phases, it does have bipartisan support of senators from Mississippi, Nevada, and Colorado, so there is some hope it may be passed.
COMpfun creeps targeting visa applicants
The COMpfun hacking crew, a long-running malware operation, has a nasty new trick: targeting immigration visa applicants.
Kaspersky said the trojan is being spread via bogus forms aimed at people in Europe. Aside from the normal tracking functions, the trojan is notable for its ability to get into external drives.
"It's functions include the ability to acquire the target’s geolocation, gathering host- and network-related data, keylogging and screenshots," said Kaspersky.
"In other words, it’s a normal full-fledged Trojan that is also capable of propagating itself to removable devices."
Don't panic but the US government says 'high-risk' chemical facilities have lousy security in place
The US Government Accountability Office (GAO) has issued its report [PDF] on network security at the nation's dangerous chemical manufacturing facilities and, unfortunately, it is a little grim.
The report said that, among other failings in their network and data protections, facilities aren't getting updated standards from the government on what they should be doing to protect against hackers.
"GAO found that the [Chemical Facilty Anti-Terrorism Standards] program has guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards, but the guidance has not been updated in more than 10 years, in contrast with internal control standards which recommend periodic review." ®