Nissan infosec in the spotlight again after breach affecting more than 50K US employees
PLUS: Connected automakers put on notice; Cisco Talos develops macOS fuzzing technique; Last week's critical vulns
Infosec in brief Nissan has admitted to another data loss – this time involving the theft of personal information belonging to more than 50,000 Nissan employees.
According to the carmaker's disclosure [PDF], filed with the US state of Maine, Nissan was breached back in November 2023 through "a targeted cyber attack" – as the incident is described in a sample letter to be sent to victims, which was included with the breach notification.
According to the disclosure, 53,038 stateside Nissan employees – presumably past and present, since it has a current staff count of around 21,000 – had their social security numbers stolen after "a criminal threat actor" compromised Nissan's external VPN, shut down "certain" Nissan systems and demanded a payment.
According to Nissan, the auto manufacturer initially believed only business information had been stolen. By late February it realized otherwise, and let some employees know that it looked like their SSNs were part of the data accessed by baddies.
Nissan claimed it has no indication that the employee data was among the criminal's targets, nor that it has been misused (yet).
"Since the attack, NNA has taken several steps to strengthen its security environment, including an enterprise-wide password reset, implementation of Carbon Black monitoring on all compatible systems, vulnerability scans, and other actions to address unauthorized access," the biz told the state of Maine.
Nissan also disclosed in March that systems at its Oceania division had been hit by the Akira ransomware gang, which made off with personal information belonging to more than 100,000 customers.
The Akira attack on Nissan Oceania reportedly occurred in December 2023. It's not clear if there's any connection between the Oceania and North American breaches. We've asked Nissan for more details.
Critical vulnerabilities of the week: Even more active Chrome exploitation
Patch Tuesday normally means the critical vulnerabilities section of this roundup is quite small, but it's still been a busy week despite all the other fanfare.
Like the announcement from Google on Wednesday – just a day after it patched one Chrome zero day under active exploit – that there was another one it planned to fix in a hurry. This time the bug is a type confusion issue in the V8 JavaScript engine (CVE-2024-4947) that could allow an attacker to execute arbitrary code. Get patched … again.
Elsewhere:
- CVSS 10.0 – Multiple CVEs: Siemens SIMATIC CN 4100 devices are using hard-coded credentials and, oddly, an unrestricted USB port.
- CVSS 10.0 – Multiple CVEs: Siemens SIMATIC RTLS locating manager tool contains a series of vulnerabilities that can be used to gain root access.
- CVSS 10.0 – Multiple CVEs: Siemens Cerberus PRO UL and Desigo Fire Safety UL contain vulnerabilities that allow remote code execution and denial of service attacks.
- CVSS 9.8 – Multiple CVEs: Siemens Ruggedcom Crossbow software can allow an attacker to execute arbitrary database queries and upload files.
- CVSS 9.8 – Multiple CVEs: Mitsubishi Electric MELSEC-Q/L series devices incorrectly scale pointers and allow integer overflow, opening them to remote code execution or information disclosure.
- CVSS 9.6 – CVE-2024-34359: The llama_cpp_python package (Python bindings for llama.cpp, used to run Llama and other local models from Python) contains a vulnerability that could be used to execute arbitrary code on systems running it.
- CVSS 8.8 – CVE-2024-4609: Rockwell Automation's FactoryTalk View SE improperly validates input, allowing SQL injection.
- CVSS 8.6 – CVE-2024-28042: Subnet Solutions PowerSYSTEM Center software update 19 and prior bundles vulnerable third-party components that could be used to escalate privileges, deny service and execute arbitrary code.
- CVSS 8.6 – Multiple CVEs: A series of issues in Siemens CPC80, CPCI85, OPUPI0 and SICORE Base systems can lead to remote code execution.
- CVSS 8.4 – Multiple CVEs: Several types of GE Healthcare ultrasound products fail to correctly manage users or to prevent escape to the desktop, opening them to compromise by an attacker with physical access.
- CVSS 8.2 – CVE-2023-46280: Multiple Siemens Simatic, Sinumerik and TIA products are vulnerable to an out-of-bounds write that can lead to DoS.
Don't make these privacy mistakes with connected car tech in the US
The United States Federal Trade Commission (FTC) wants automakers to know that it's keeping its eyes peeled for signs of privacy violations around the use of connected car technology. Such tech, the FTC noted, could be used to stalk people, affect insurance rates and otherwise harm consumers or endanger national security.
"Connected cars have been on the FTC's radar for years," the FTC revealed in a notice it published last week. "Car manufacturers – and all businesses – should take note that the FTC will take action to protect consumers against the illegal collection, use, and disclosure of their personal data."
The FTC pointed to recent decisions against X-Mode, Rite Aid, and Cerebral, as signs that it's not messing around.
"Firms do not have the free license to monetize people's information beyond purposes needed to provide their requested product or service, and firms shouldn't let business model incentives outweigh the need for meaningful privacy safeguards," the FTC warned.
The Commission urged automakers to build products that include safeguards to protect consumer data. Just a friendly reminder, lest an investigation should come your way.
Cisco Talos manages to fuzz its way into the depths of macOS
Apple can be a tricky customer on the security front, as Cisco has been finding out the fun way.
"Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open source, targeting anything on macOS presents a few difficulties," Cisco Talos's Aleksandar Nikolic wrote in a blog post.
Fuzzing can also provide valuable insight into system vulnerabilities, and for security researchers and penetration testers like the folks at Talos, not being able to do that on macOS is a serious hurdle. Like any good team of hackers, they found a way around it: Snapshots.
"Using a snapshot-based approach enables us to target closed source code without custom harnesses precisely," Nikolic wrote.
Talos built a snapshot fuzzing environment that pauses macOS at a chosen point while it is executing a target program, captures the state of the system at that moment, and then runs the code from that snapshot to a predetermined end point.
Restore the snapshot, insert a fuzzing test case, run, repeat.
The new kit "enables us to perform precisely targeted fuzz testing of otherwise hard-to-pinpoint chunks of macOS kernel," Nikolic wrote. Even better: all the fuzzing can be performed on a commodity CPU, so feel free to toss those snapshots into a server to run at scale.
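To make the snapshot-restore loop concrete, here is an added toy example in C. It is not Talos's tool or any Apple code: a small struct stands in for the guest memory and registers a real hypervisor snapshot would capture, the "target" is a constructed function with a planted length-check bug, and the fault it reports stands in for the page fault the hypervisor would trap. What it shows is the shape of the campaign: snapshot once after setup, then for every test case restore, inject, run to the end point, classify.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the guest state a snapshot fuzzer captures. A real snapshot
 * holds every page of guest memory plus the CPU registers; this struct is a
 * constructed miniature of that, not Talos's or Apple's code. */
#define INPUT_LEN   8
#define SCRATCH_LEN 16

struct guest_state {
    uint8_t  input[INPUT_LEN];     /* test case injected at the snapshot point */
    uint8_t  scratch[SCRATCH_LEN]; /* working buffer the target writes into   */
    uint32_t calls;                /* side effect each run leaves behind      */
};

enum run_result { RUN_OK = 0, RUN_FAULT = 1 };

/* Code under test, from the snapshot point to the end of the loop. It reads
 * input[0] as a length field; a length larger than the scratch buffer is the
 * planted bug (constructed for this example). Instead of actually overflowing
 * the buffer, the function reports RUN_FAULT, standing in for the fault the
 * hypervisor would trap in a real snapshot fuzzer. */
static enum run_result target_run(struct guest_state *g)
{
    uint8_t len = g->input[0];
    size_t avail = INPUT_LEN - 1;

    g->calls++;                    /* state drifts; this is why we restore */
    if (len > SCRATCH_LEN)
        return RUN_FAULT;
    memcpy(g->scratch, g->input + 1, len < avail ? len : avail);
    return RUN_OK;
}

/* Deterministic xorshift32 so a campaign is reproducible from its seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

struct campaign_stats {
    uint32_t iterations;
    uint32_t faults;         /* runs that ended in a trapped fault */
    int      state_restored; /* 1 if every run started from the snapshot */
};

/* The snapshot fuzzing loop: snapshot once, then restore -> inject -> run. */
struct campaign_stats fuzz_campaign(uint32_t seed, uint32_t iterations)
{
    struct guest_state live, snap;
    struct campaign_stats st = { 0, 0, 1 };
    uint8_t testcase[INPUT_LEN] = { 0 };
    uint32_t rng = seed ? seed : 0x9E3779B9u;   /* xorshift must not start at 0 */

    /* 1. Run the guest up to the point of interest and snapshot it. Here the
     *    "expensive setup" is just a preset counter; in the real tool it is
     *    macOS booted and paused at the chosen instruction. */
    memset(&live, 0, sizeof live);
    live.calls = 100;
    memcpy(&snap, &live, sizeof snap);

    for (uint32_t i = 0; i < iterations; i++) {
        /* 2. Restore: every iteration starts from identical memory. */
        memcpy(&live, &snap, sizeof live);

        /* 3. Mutate one byte of the test case and inject it into the guest. */
        uint32_t pos = xorshift32(&rng) % INPUT_LEN;
        testcase[pos] = (uint8_t)xorshift32(&rng);
        memcpy(live.input, testcase, INPUT_LEN);

        /* 4. Run to the predetermined end point and classify the outcome. */
        if (target_run(&live) == RUN_FAULT)
            st.faults++;

        /* The run must have started from the snapshot: exactly one call on
         * top of the snapshotted counter, never more. */
        if (live.calls != snap.calls + 1)
            st.state_restored = 0;
        st.iterations++;
    }
    return st;
}

int main(void)
{
    struct campaign_stats st = fuzz_campaign(1, 2000);
    printf("iterations=%u faults=%u state_restored=%d\n",
           st.iterations, st.faults, st.state_restored);
    return 0;
}
```

The restore step is the whole point: without it, `calls` would keep climbing and later runs would execute against state no single test case produced, so a crash could not be reproduced from its input alone. In a real deployment the memcpy becomes a page-level restore of dirty guest memory, and the mutation step is driven by coverage feedback rather than a single random byte, but the loop structure is the same.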
The full project is available for other security researchers to test out now. ®
Some last-minute news as the weekend wrapped up
- Google DeepMind published what it calls its Frontier Safety Framework – "a set of protocols for proactively identifying future AI capabilities that could cause severe harm and putting in place mechanisms to detect and mitigate them."
- The US arrested two foreign nationals and charged them with laundering more than $73 million through shell companies tied to cryptocurrency-based scams.
- WebTPA, which processes health care plan claims in the US, revealed that "an unauthorized actor may have obtained personal information" belonging to almost 2.5 million people. This info includes full names, contact details, dates of birth and (where applicable) death, SSNs, and health insurance records.