Roundup Let’s check out some of the more recent security happenings beyond what we’ve already covered.
Chrome bugs cleaned up
Anyone running Chrome will want to update and restart their browser in order to make sure they have the latest build, as usual. Google has patched a bunch of flaws including a use-after-free vulnerability (CVE-2019-13720) that was being actively exploited in the wild against victims. Make sure you’re running version 78.0.3904.87 or higher for Windows, Mac, and Linux to be safe.
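One practical way to act on that advice across a fleet is to compare each machine’s reported Chrome build against the minimum patched version component by component. The script below is an added example, not part of the original roundup; the inventory lines it reads are constructed for illustration, and the `host=… chrome=…` line format is an assumption.

```python
# Added example (not from the original article): gate reported Chrome versions
# against the minimum patched build named in the roundup, 78.0.3904.87.
from typing import Dict, List, Tuple

MIN_PATCHED = "78.0.3904.87"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for numeric comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, minimum: str = MIN_PATCHED) -> bool:
    """True when version >= minimum.

    Comparing tuples of ints avoids the classic lexical trap where the string
    "100.0.0.0" sorts *below* "78.0.3904.87" because '1' < '7'.
    """
    return parse_version(version) >= parse_version(minimum)


# Constructed sample inventory (hostnames and versions are made up); the
# "key=value" line format is an assumption, not something the article describes.
SAMPLE_INVENTORY: List[str] = [
    "host=ws01 chrome=78.0.3904.87",   # exactly the patched build: ok
    "host=ws02 chrome=78.0.3904.70",   # same branch, older patch level: needs update
    "host=ws03 chrome=77.0.3865.120",  # older major version: needs update
    "host=ws04 chrome=79.0.3945.16",   # newer than the minimum: ok
    "host=ws05 chrome=unknown",        # agent could not report a version
]


def triage(lines: List[str], minimum: str = MIN_PATCHED) -> Dict[str, str]:
    """Map each host to 'ok', 'NEEDS UPDATE', or a manual-check marker when the
    version field is missing or malformed (never silently treat that as patched)."""
    status: Dict[str, str] = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        host = fields.get("host", "?")
        try:
            status[host] = "ok" if is_patched(fields["chrome"], minimum) else "NEEDS UPDATE"
        except (KeyError, ValueError):
            status[host] = "unknown version; verify manually"
    return status


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Unknown or unparsable versions are deliberately reported for manual follow-up rather than assumed safe, since a missing field on an inventory agent is exactly where an unpatched box tends to hide.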
Crypto-miner spreads via BlueKeep hole
We hope you’ve all patched your Windows systems for the BlueKeep RDP flaw, which can be exploited to achieve remote-code execution on vulnerable machines. It appears Monero-mining malware is spreading among unpatched boxes via the security flaw. Microsoft patched the bug way back in May.
Marcus Hutchins, with help from Kevin Beaumont, has detailed the spread of the BlueKeep-exploiting nasty here for Kryptos Logic.
All the more reason to ensure you’re patched.
ClamAV zero-day lands but don’t panic
Someone has popped onto Pastebin a zero-day code-execution exploit that can hijack systems running the open-source antivirus engine ClamAV. While this software is used quite widely, and thus such a bug could prove disastrous, the danger isn’t very great: exploitation is limited to a very narrow configuration, as discussed here on Twitter.
Azure Sphere gets a release date
Microsoft’s planned hardware-to-cloud Azure Sphere platform now has a general availability date. Microsoft says that the first devices embedded with the tech will be arriving in February of 2020.
For those unfamiliar, Azure Sphere is Microsoft’s bid for a secure IoT platform. Redmond is combining on-chip secure enclave tech with a custom-made Linux kernel and its Azure cloud service. The idea is to offer embedded device makers an all-in-one security package that goes from the silicon level to the cloud management tools.
NAS-ty malware surfaces
Last week, authorities in Finland warned of a newly discovered piece of malware targeting QNAP network storage boxes.
Known as QSnatch, the software nasty connects infected boxes to a command-and-control server and harvests usernames and passwords. The infection also has the potential to load up other modules should the attackers decide to do more with their botnet. According to Germany’s CERT, the malware is already spreading rapidly and has got into at least 7,000 machines in that country alone.
Ensure you’re running the latest version of the QNAP firmware to avoid being compromised. The exploited bug was addressed in February this year, though it looks like malware is finally spreading via the hole on unpatched boxes.
Pwn2Own gets new targets
The popular Pwn2Own competition is set to add a new category, as Trend Micro says it will be adding industrial control systems to the roster of target devices. Those who can hack the hardware will get a cash reward and, if tradition holds, will also be able to take home the hacked kit.
PHP stands for “patch hella pronto”
Anyone running PHP, particularly PHP with the Nginx webserver and FastCGI, will want to take the time out to update their boxes following the discovery and patching of a vulnerability in the software stack. Discovered during a capture the flag competition, the bug can be potentially exploited remotely to achieve code execution, depending on your configuration.
The core problem (CVE-2019-11043) lies in PHP, it seems, so make sure you’ve updated to the latest versions listed here.
LabKey software found to contain RCE hole
Admins in the medical field will want to pay attention to these bugs in LabKey, a software platform used with biomed research gear. If chained together, the flaws would potentially allow for remote code execution.
Fortunately, given how niche the software is, the chances of active exploits targeting the bugs are not particularly high. Still, it would be a good idea to get a patch installed as soon as possible.
India nuclear plants report malware infection
A nuclear power plant in India discovered a malware infection believed to be linked to North Korea. Fortunately, the software nasty, we’re told, was not found near any of the reactor controls.
Credit cards for sale on the internet, gasp
Infosec outfit Group-IB says it has uncovered an estimated 1.3 million cards offered for sale on the internet at a total estimated value of more than $130m. The card data largely belonged to bank customers in India.
Meanwhile, a website called BriansClub that was selling more than 26 million credit and debit card records to fraudsters was hacked, and its contents leaked, allowing banks to cancel the compromised cards.
Domain registrars warn of data thief
Customers of Network Solutions, Web.com, and Register.com were warned at the turn of this month that some of their data was exposed to hackers who managed to gain access to the trio’s internal databases.
There were no payment cards nor passwords in the data store, though the miscreants would have been able to see basic contact information, such as physical addresses, phone numbers, and email addresses. Those exposed would be wise to keep an eye out for spear-phishing attacks that might use that information to appear more authentic.
Camgirl websites’ security lapse
A network of websites through which netizens – mainly those in Spain and Europe – can watch people, typically women, strip off live over the web left a back-end database open to the internet, exposing some 13 million records including users and camgirls’ email addresses, IP addresses, chat logs, and more. The system has since been secured and hidden from view. One group of security researchers, who contacted El Reg on Friday, planned to go public with the details this week, though they were seemingly beaten to it by cyber-biz Condition:Black over the weekend. It is understood no payment data was exposed.
FireEye details SMS-stealing Chinese malware
FireEye says that the China-based APT41 crew is using a piece of malware known as Messagetap to spy on text messages. The malware is said to be installed on the SMS servers at telco providers and gives the attackers the ability to pull select messages from surveillance subjects. ®