It is time once again for El Reg's weekly security roundup. Here's a look at a few of the more interesting stories making the rounds over the past seven days.
Wishbone hit with class-action suit
A few weeks back, hackers dumped limited information on some 40 million people who used Wishbone, a sort of polling app where users choose between two different items.
Now, the lawyers have stepped in and filed a class action suit against Mammoth Media, the company that made the leaky app.
Of particular interest is the fact that many of the victims were teenagers. The US Children's Online Privacy Protection Act (COPPA) is particularly strict in this area, and fines can be very large indeed.
BlackBerry talks up Tycoon ransomware
A particularly nasty strain of ransomware is spreading throughout the networks of schools and software developers.
According to BlackBerry, the Tycoon attack can be difficult to detect, thanks to it being written in Java and deployed within its own Runtime Environment. The infection works with both Windows and Linux systems, but thanks to some sloppy coding, victims may have options other than paying the ransom demand or losing their data.
"The threat actors behind Tycoon were observed using highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in education and software industries, where they would proceed to encrypt file servers and demand a ransom," the BlackBerry team explains.
"However, due to the reuse of a common RSA private key it may be possible to recover data without the need for payment in earlier variants."
Apple patches up jailbreak bug
Those using iOS will want to make sure they have their firmware updated, unless they're planning to jailbreak their handsets.
The Cupertino giant has released iOS 13.5.1 to address a single flaw: CVE-2020-9859. The flaw is an arbitrary code execution bug (aka pwnage) but is not particularly serious as it requires an app to be manually installed and running on the target device.
It is, however, particularly useful for jailbreaking via the unc0ver tool. If you want to use that tool, you may want to hold off on installing the 13.5.1 update.
Cisco posts fix for NX OS bug
Admins of Cisco Nexus and UCS gear should make sure their firmware is updated with the latest NX-OS fix from Switchzilla. The patch addresses a single vulnerability, designated CVE-2020-10136, that would allow for either security bypass or denial of service on vulnerable devices.
"The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address," Cisco says of the bug. "An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device."
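The bug turns on a device accepting IP-in-IP (IANA protocol number 4) packets addressed to one of its own interfaces. A defender watching a span port can count how often such packets actually arrive, which is a useful baseline before and after patching. The following is an added example written for this roundup, not Cisco's code and not part of any advisory: it parses raw IPv4 frames, recognises protocol 4 with a well-formed inner IPv4 header, and flags those whose outer destination is in a set of local addresses. The packets and the address set are constructed for the demo (no checksums are computed, which a real capture would have).

```python
import struct
import ipaddress

IPPROTO_IPIP = 4  # IANA protocol number for "IP in IP" encapsulation


def parse_ipv4_header(buf):
    """Return (ihl_bytes, proto, src, dst) for an IPv4 header, or None if malformed."""
    if len(buf) < 20:
        return None
    version = buf[0] >> 4
    ihl = (buf[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    proto = buf[9]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return ihl, proto, src, dst


def classify_ipip(buf, local_addrs):
    """Classify one raw IPv4 packet; the interesting case is IP-in-IP aimed at a local interface."""
    outer = parse_ipv4_header(buf)
    if outer is None:
        return "malformed"
    ihl, proto, _src, dst = outer
    if proto != IPPROTO_IPIP:
        return "not-ipip"
    if parse_ipv4_header(buf[ihl:]) is None:
        return "ipip-truncated-inner"     # encapsulation claimed, but no valid inner header
    if dst in local_addrs:
        return "ipip-to-local"            # the pattern the advisory describes
    return "ipip-transit"


def scan(packets, local_addrs):
    """Tally classifications over a batch of packets (e.g. one capture interval)."""
    counts = {}
    for pkt in packets:
        label = classify_ipip(pkt, local_addrs)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet for the demo (constructed, checksum left at zero)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


# Constructed sample data: 192.0.2.1 stands in for a locally configured device address.
LOCAL_ADDRS = {"192.0.2.1"}
INNER = build_ipv4(17, "10.0.0.5", "10.0.0.9", b"")                 # UDP inner header, empty payload
SAMPLE_IPIP_TO_LOCAL = build_ipv4(IPPROTO_IPIP, "198.51.100.7", "192.0.2.1", INNER)
SAMPLE_TCP = build_ipv4(6, "198.51.100.7", "192.0.2.1", b"\x00" * 20)
SAMPLE_IPIP_TRANSIT = build_ipv4(IPPROTO_IPIP, "198.51.100.7", "203.0.113.5", INNER)

if __name__ == "__main__":
    print(scan([SAMPLE_IPIP_TO_LOCAL, SAMPLE_TCP, SAMPLE_IPIP_TRANSIT], LOCAL_ADDRS))
```

On a real network the same classification belongs in a capture filter (protocol 4 with destination in the device's address list), so that only the matching packets are retained for review; the fix itself is the NX-OS update, and this check only tells you whether anyone is sending that traffic.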
SMBGhost gets new PoC sample
Back in March, researchers dropped details on CVE-2020-0796, a remote code execution flaw in SMBv3 also known as 'SMBGhost'. The flaw was addressed by Microsoft in an out-of-band patch.
This week, researchers posted a new proof of concept sample that will allow admins, researchers, and security pros to better see how the flaw works and how it could be abused.
Fortunately, an update for the vulnerability has been out for months now, so as long as you've kept up somewhat with patching, your systems should be protected from any exploits, PoC or otherwise.
Still, this is an interesting read and something that might be fun for the security-minded to dig into.
LG's Android phones prone to 'cold boot' attack
If you haven't updated the firmware on your LG handset lately, now would be the time. The vendor has patched a bootloader vulnerability that would potentially allow an attacker to manipulate the firmware and do all sorts of malicious things.
Sounds bad, but keep in mind that an attacker would need to be able to flash the firmware on the device, meaning they would need physical access to the phone in order to exploit this flaw. Just update your firmware and you should be fine.
Presidential campaigns report phishing attacks
The 2020 Presidential election is in five months, so it would make sense that attacks against the campaigns have also begun.
Google's security team says that both the Biden and Trump campaigns have been targeted by state-sponsored attacks in recent weeks. In the case of Biden, the aggressors were from China, while the Trump camp was targeted by a crew based out of Iran.
Neither attempt was believed to be successful, but given the massive role hackers played in the 2016 election, it is a safe bet that both campaigns will be under constant attack all the way up to November's vote.
StackBlitz tool under attack
The team at Zscaler has posted a report on how StackBlitz, a browser-based scripting language IDE, was being abused by miscreants to host phishing pages.
Remember to always avoid following any links in unsolicited emails and, whenever possible, use a bookmark or manually type in the URL of the site you're trying to access rather than rely on links.
QNAP NAS boxes beset by ransomware attack
If you haven't updated the firmware for your QNAP NAS box in a while, now would be a very, very good time to do so.
That's because it has been reported that a ransomware crew known as ech0raix has been targeting and exploiting known vulnerabilities to lock up QNAP devices.
The attacks, which are said to have begun on June 1, brute-force passwords and then exploit a trio of vulnerabilities from 2018 that, when used together, allow for remote code execution. Fortunately, getting the latest version of the firmware will prevent the exploits from working, though it also wouldn't hurt to have a strong password in place and prevent the brute-forcing altogether. ®
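The ech0raix campaign described above opens with password brute-forcing, so a NAS owner's first signal is a burst of failed logins from one address, followed by a success from that same address. The following is an added example, not code from QNAP, The Register, or any vendor: it runs a sliding-window count of failures per source IP over login records and reports both the addresses that crossed the threshold and any later successful login from them. The log lines and their format (`<ISO timestamp> <OK|FAIL> user=<name> from=<ip>`) are constructed for the demo; real NAS logs need their own parser, but the logic is the same.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real QNAP output); format is assumed for the demo.
SAMPLE_LOG = """\
2020-06-01T02:00:01 OK user=backup from=198.51.100.4
2020-06-01T02:00:10 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:12 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:14 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:16 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:18 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:20 FAIL user=admin from=203.0.113.9
2020-06-01T02:00:25 FAIL user=backup from=198.51.100.4
2020-06-01T02:00:40 OK user=admin from=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) from=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3), m.group(4)


def analyse(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detection per source IP.

    Returns a dict with:
      "bruteforce": {ip: time the threshold was first reached}
      "success_after_bruteforce": [(ip, user, time)] for OK logins from a flagged ip
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    suspicious_success = []
    for rec in (parse_line(l) for l in lines):
        if rec is None:
            continue                # unparseable line: skip rather than crash the scan
        ts, result, user, ip = rec
        if result == "OK":
            if ip in flagged:       # a success from an address that was hammering the login
                suspicious_success.append((ip, user, ts))
            continue
        dq = failures[ip]
        dq.append(ts)
        while dq and ts - dq[0] > window:   # drop failures that fell out of the window
            dq.popleft()
        if len(dq) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return {"bruteforce": flagged, "success_after_bruteforce": suspicious_success}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for ip, ts in report["bruteforce"].items():
        print(f"brute-force from {ip}, threshold reached at {ts.isoformat()}")
    for ip, user, ts in report["success_after_bruteforce"]:
        print(f"login succeeded for {user} from {ip} at {ts.isoformat()} after brute-force")
```

The "success after brute-force" list is the one to act on first: it marks the account whose password the guessing found, and that account's credential should be changed before the firmware update is even finished. The threshold and window are tunable; five failures in five minutes is a conservative starting point for a single-user NAS.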