cRyPtHoN™ INFOSEC (EN)

Channel address: @crypthon_infosec_en
Categories: Cryptocurrencies
Language: English
Subscribers: 3.56K
Description from channel

Latest news of INFOSEC (EN)
1. Latest Vulnerability.
2. Latest Patch.
3. Privacy Breach.
4. Security Breach.
5. InfoSec News.
German Version 🇩🇪
@cRyPtHoN_INFOSEC_DE
France Version 🇫🇷
@cRyPtHoN_INFOSEC_FR
Italian Version 🇮🇹
@cRyPtHoN_INFOSEC_IT

The latest Messages 2

2022-05-25 14:16:54
What’s wrong with automotive mobile apps?

The recent story about the 19-year-old hacker who took control of several dozen Tesla cars has become something of a sensation. We already know that there was an issue with a third-party app that enabled access to data from Teslas. This made it possible for the security researcher to lock and unlock the cars, turn the lights on and off, and even enable keyless driving. All the functions in the native Tesla application became available due to a misconfiguration in third-party data logging software. So, let’s try to get a better understanding of what these apps are, why they appear on the market, and the risks they pose.

https://securelist.com/third-party-automotive-app-security/106538/

@cRyPtHoN_INFOSEC_IT
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
2022-05-25 14:15:12
Google Assistant is ready to keep your accounts safe with Password Checkup on Android.

It's included in the most recent Play Services update

Password management might sound like a chore, but it's vital to make sure you're keeping your online accounts as safe and secure as possible. To speed things up, Google has built password tracking into Chrome, automatically alerting users when one of their passwords has been caught up in a breach. A few weeks ago, the company brought this feature to Android through Assistant, and as of today, it's been confirmed as a new addition to your smartphone.

Password Checkup for Android is now listed among Google's updates to System Services for the month of May. According to today's patch notes, you'll need to be running Play Services v22.18, first released on May 23, to access this tool.

https://www.androidpolice.com/google-assistant-password-checkup-android/

2022-05-25 14:12:29
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.

The ubiquity of user accounts in websites and online services makes account hijacking a serious security concern. Although previous research has studied various techniques through which an attacker can gain access to a victim's account, relatively little attention has been directed towards the process of account creation. The current trend towards federated authentication (e.g., Single Sign-On) adds an additional layer of complexity because many services now support both the classic approach in which the user directly sets a password, and the federated approach in which the user authenticates via an identity provider.

https://arxiv.org/abs/2205.10174

2022-05-25 14:08:29
Zoom patches XMPP vulnerability chain that could lead to remote code execution.

Google Project Zero researcher finds holes in the different ways XML was parsed on the Zoom client and server.

Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric.

"User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol," Fratric said in a bug tracker description of the chain.

If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server that served up an old version of the Zoom client from mid-2019.

https://www.zdnet.com/article/zoom-patches-xmpp-vulnerability-chain-that-could-lead-to-remote-code-execution/

2022-05-24 17:17:01
Critical Argo CD vulnerability could allow attackers admin privileges.

Luckily for users, application is secure in its default settings

The maintainers of Argo CD, the continuous delivery tool for Kubernetes, have patched a critical vulnerability that enabled attackers to forge JSON Web Tokens (JWTs) and become administrators.

The privilege escalation flaw arises because the open source GitOps platform erroneously trusts invalid JSON Web Tokens (JWTs) if anonymous access is enabled.

Fortunately for users, although the bug has been given the highest possible severity rating – a CVSS score of 10 – anonymous access is deactivated by default.

https://portswigger.net/daily-swig/critical-argo-cd-vulnerability-could-allow-attackers-admin-privileges

2022-05-24 17:15:16
Nation-state malware could become a commodity on dark web soon, Interpol warns.

Interpol Secretary warns that nation-state malware will become available on the cybercrime underground in a couple of years.

Interpol Secretary General Jurgen Stock declared that nation-state malware will become available on the darknet in a couple of years.

In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state actors and non-state actors represents a serious risk for critical infrastructure and organizations worldwide.

Threat actors could perform reverse engineering of military-made malicious code and use their own versions in attacks in the wild.

https://securityaffairs.co/wordpress/131618/cyber-crime/nation-state-malware-dark-web.html

2022-05-24 17:13:35
Pre-hijacking Attacks of user accounts are on the rise.

Most computer users are aware that criminals may gain access to their online accounts, for instance, by stealing or guessing the password, through phishing or other forms of attack.

Many may not be aware of a new attack type that is creating accounts with a user's email address before the user does so. Malicious actors use account pre-hijacking attacks to prepare user accounts for full takeovers. The attacker creates accounts on sites and services using a victim's email address. Various techniques are then used to "put the account into a pre-hijacked state". Once a victim has recovered access to the account, after finding out during sign-up that an account with the victim's email address exists already, attacks are carried out to take over the account fully.

https://www.ghacks.net/2022/05/24/pre-hijacking-attacks-of-user-accounts-are-on-the-rise/

2022-05-24 17:10:16
Over 194K patients added to ongoing Eye Care Leaders breach tally.

A breach notice from West Virginia-based Regional Eye Associates informs 194,035 patients that their data was accessed and deleted from their third-party vendor’s system in December 2021, ahead of a ransomware attack.

Although Eye Care Leaders is not named directly, the notice mirrors several other provider notices tied to a ransomware attack on the cloud-based electronic medical record vendor. ECL has been embroiled in a provider-based lawsuit after a year of alleged outages tied to multiple ransomware attacks and claims of an insider-incident, in addition to the December incident.

https://www.scmagazine.com/analysis/ransomware/over-194k-patients-added-to-ongoing-eye-care-leaders-breach-tally

2022-05-24 17:08:31
Hackers breach Zola wedding registry accounts and make fraudulent purchases.

The company says that cash transfers were blocked but that it is aware of unauthorized gift card orders

The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.

Over the weekend, some Zola users posted on social media that linked bank accounts had been used to purchase gift cards. One tweet flagged by a Reddit user claimed to show cracked Zola accounts being resold on the black market and used to buy gift vouchers.

https://www.theverge.com/2022/5/23/23137944/zola-wedding-hack-gift-card-fraudulent-transfer

2022-05-24 17:06:48
Covert-Control : Google Drive, OneDrive And Youtube As Covert-Channels – Control Systems Remotely By Uploading Files To Google Drive, OneDrive, Youtube Or Telegram.

Control systems remotely by uploading files to Google Drive, OneDrive, YouTube or Telegram, using Python to create the files and the listeners. It allows creating text files, images, audio or videos, with the commands in cleartext or encrypted using AES.

covert-googledrive.py – Control systems uploading files to a public folder in Google Drive.

covert-onedrive.py – Control systems uploading files to a public folder in OneDrive.

covert-youtube.py – Control systems uploading videos to Youtube (updated from covert-tube).

covert-telegram.py – Control systems with a Telegram bot.

https://github.com/ricardojoserf/covert-control
