Toyota admits to yet another cloud leak
Also, hackers publish RaidForums user data, Google's $180k Chrome bug bounty, and this week's vulnerabilities
infosec in brief Japanese automaker Toyota is again apologizing for spilling customer records online due to a misconfigured cloud environment – the same explanation it gave when the same thing happened a couple of weeks ago. It's like a pattern.
This latest incident – like the last one, in which two million customer records were exposed – "was caused by insufficient dissemination and enforcement of data handling rules," Toyota explained in a statement Wednesday. Toyota said it had no evidence the data had been misused, and that it discovered the misconfigured cloud system while performing a wider investigation of Toyota Connected Corporation's (TC) cloud systems.
As was the case with the previous two cloud exposures, this latest misconfiguration was only discovered years after the fact. Toyota admitted in this instance that records for around 260,000 domestic Japanese service incidents had been exposed to the web since 2015. The data lately exposed was innocuous if you believe Toyota – just vehicle device IDs and some map data update files were included.
Some customer data from other Asian and Oceanic countries was exposed too, but Toyota didn't provide a total number for that part of the breach. It did say that exposed data from non-Japanese customers included addresses, names, phone numbers and other more sensitive information – oh, what a feeling.
Toyota said it implemented a system to monitor its cloud environments after finding the breach last month, and that it would continue to monitor said system to discover any more breaches that may be waiting to be found.
"We will also work to prevent a recurrence by thoroughly educating our employees once again. We sincerely apologize to our customers and all relevant parties for any concern and inconvenience this may have caused," Toyota said.
Affected customers are being notified, and Toyota has also set up a call center to field questions about yet another failure to be a good data steward.
Critical vulnerabilities: Consider these exposed devices pwned
We kick off this week's list of critical vulnerabilities and active exploits with the ongoing exploitation of CVE-2023-28771 – a flaw in Zyxel firewall, VPN and ATP firmware that could let an unauthenticated attacker remotely execute OS commands.
First identified in April, the flaw has been exploited on tens of thousands of affected devices, according to security firm Rapid7. According to Shadowserver, "at this stage if you have a vulnerable device exposed, assume compromise." That's a safe bet, since a patch has been out since April – install it now.
There was one more active exploit singled out this week:
- CVSS 9.8 – CVE-2023-2868: Barracuda Email Security Gateway appliances contain a remote command injection vulnerability caused by improper sanitization of .tar files.
CISA also identified two new ICS vulnerabilities OT teams should be aware of:
- CVSS 9.8 – CVE-2022-3214: Delta Electronics DIAEnergie versions prior to 1.9.03.009 contain hard-coded credentials that, if known, could allow an attacker to perform RCE.
- CVSS 9.1 – Multiple CVEs: Several versions of Mitsubishi Electric FA engineering software contain a collection of bugs that could allow an attacker to execute programs and view project files without permission.
Hacking forum publishes user database from other hacking forum
No, it's not a dark web site vs dark web site war: One of the hacker haunts that emerged in the wake of the shutdown of RaidForums has published what it claims is the member database for that defunct dark web watering hole.
An administrator on the new ExposedForums site posted an SQL file they claimed contained registration information for 478,870 RaidForums members – usernames, email addresses, hashed passwords, and other data collected on members of the deceased domain.
BleepingComputer, which reported news of the posting, said several members of ExposedForums verified that their data is in the file, indicating that it's at least partially genuine.
RaidForums was taken offline in 2022 after its founder and administrator was arrested in the UK. BreachForums, which arose in the wake of RaidForums' takedown, was busted earlier this year. How long it will take for law enforcement to use that RaidForums data for its own purposes remains to be seen, but former users would be wise to reinvent their online identities before the authorities come knocking.
Google triples Chrome full chain exploit bug bounty
Attention bug bounty hunters: If you've had a full chain Chrome exploit that results in sandbox escape up your sleeve, now's your chance to net a cool $180,000 (£145k) from Google.
Of course, we can't expect Google to be that generous with a triple-value max bounty indefinitely, so you'll have to move fast. This is a one-time offer and applies to only the first such report submitted between now and December 1, 2023.
Still, the bonuses aren't ending there. Google said that once someone submits the grand prize bug, any other full chain exploits submitted between now and December will still be eligible for double the full reward amount.
"We're always interested in explorations of new and novel approaches to fully exploit Chrome browser and we want to provide opportunities to better incentivize this type of research," said Google's Amy Ressler, a member of the Chrome security team. ®