In Brief Cisco this week emitted fixes for potentially serious vulnerabilities, one of which is already being exploited in the wild.
The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild.
The second patch is for CVE-2020-11896, CVE-2020-11897, and CVE-2020-11898. The trio are collectively known as Ripple20. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device. Cisco ASR 5000 and 5500 routers are vulnerable, as is the Virtual Packet Core and StarOS.
Admins are advised to test and deploy the patches as soon as possible.
If you're operating in China, and using mandated tax-filing software from Baiwang and Aisino, which both have links to the Chinese military, be aware it may contain malware dubbed GoldenHelper that opens a hidden backdoor to your network, warns Trustwave. This is a followup to the GoldenSpy malware hidden in tax software in 2018 and 2019.
Suspected Adafruit hacker extradited to US
A 21-year-old alleged hacker has become the first Cypriot to be extradited to America.
Joshua Polloso Epifaniou faces various charges in a federal district court in northern Georgia: they are wire fraud, extortion, and conspiracy to commit computer fraud and identity theft. His first court appearance is set for July 20. He is also facing 24 separate charges in Arizona.
It is alleged that as a teenager between 2014 and 2016 Epifaniou was part of a crew that specialized in breaking into company websites, stealing employee or customer account details, and then threatening to release the info unless the victims paid a ransom demand.
His target are said to include games publisher Armor Games, computing hobbyist site Adafruit, employment website Snagajob, and sports news site Bleacher Report. It is estimated that these attacks netted him about $56,850 in Bitcoin payouts.
Uncle Sam warns of industrial system attacks
US Homeland Security and the Cybersecurity and Infrastructure Security Agency teamed up to warn companies of heightened attacks against operational technology (OT) networks – the systems that monitor and control industrial equipment. The two organizations issued an advisory [PDF] this month.
The government agencies say miscreants are using weak points in IT networks to then move onto networks containing controllers and machinery using poorly secured sensors and monitoring chips. While these two types of network are ideally isolated from one another, on occasion there are link-ups that allow hackers through.
Admins are urged to draw up a threat model, as well as make a detailed map of their OT networks so that, should an attacker manage to slip through via IT, they will know where and what to lock down. And these blueprints should be used to identify and shore up weak points in the network and implement a "continuous and vigilant" monitoring system.
North Korean hackers' framework exposed
The team at Kaspersky Lab uncovered a framework being used by North Korea's Lazarus hacking crew to infect, manage, and loot PCs.
Dubbed MATA, the framework covers everything from malicious code used to first infect victims all the way through to orchestration tools that link up with command-and-control servers, plus various plugins the hackers use to perform the dirty work of pulling data from the infected machines.
Impressively, it appears MATA is a multi-platform tool. In addition to a version for Windows, there are also frameworks used for managing macOS and Linux hosts.
Privacy commissioners team up in videoconferencing push
The respective privacy commissioners of the UK, Canada, Switzerland, Australia, Hong Kong, and Gibraltar have all signed an open letter asking the makers of teleconferencing software and services to do more to protect user privacy amid the global coronavirus pandemic.
In addition to basic steps such as improved security and privacy-by-design, they are asking companies to take a more nuanced approach in how they safeguard customer data. For example, they ask the vendors to consider that, under the pandemic, children and less technical users may be relying on their software to stay in touch as they shelter at home, and adjust management and privacy policies accordingly.
"We recognise that VTC companies offer a valuable service allowing us all to stay connected regardless of where we are in the world; something that is especially important in the midst of the current Covid-19 pandemic," they write.
"But ease of staying in touch must not come at the expense of people’s data protection and privacy rights."
Chinese drone software sets off alarm bells
Chinese drone maker DJI is scrambling to defend itself after its Android app sparked privacy concerns.
Two separate sets of infosec research concluded that DJI's software was harvesting, among other things, phone SIM and SD card info. Additionally, it was found that the application could download other apps and automatically turn itself on.
DJI has denied it is doing anything untoward, and said the code was present to prevent tampering with the software and drone hardware. The US government disagrees. ®