Secjuice Squeeze 75

Welcome to the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writer @Bhumish Gajjar.

Polkit Vulnerability Provides Root Privileges on Linux Systems

Qualys security researchers warn of an easily exploitable privilege escalation vulnerability in polkit’s pkexec, a SUID-root program found in all Linux distributions. Qualys has verified that default installations of CentOS, Debian, Fedora, and Ubuntu are vulnerable and warns that other Linux distributions might be vulnerable as well.

Read more at securityweek.com

Hackers Planted Secret Backdoor in Dozens of WordPress Plugins and Themes

Dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes.

Read more at thehackernews.com

Cracking a 2 million Crypto Wallet

This is the story of how hardware hacker Joe Grand helped someone crack their crypto wallet, which held Theta tokens worth 2 million. The owner of a Trezor One hardware wallet had lost their 5-digit PIN, and Grand did deep research into extracting the PIN from the wallet's RAM.

Read more at theverge.com

Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub

The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool. The malware comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.

Read more at darkreading.com

‘Dark Herring’ Billing Malware Swims onto 105M Android Devices

Nearly 500 malicious apps lurking on the Google Play Store have successfully installed Dark Herring malware — a cash-stealer intended to add sneaky charges onto mobile carrier bills — on more than 100 million Android devices across the globe. The group behind Dark Herring managed to stand up 470 high-quality applications that passed official app store muster, which demonstrates that this is a sophisticated operation.

Read more at threatpost.com

Crypto.com confirms 483 accounts hacked, $34 million withdrawn

Crypto.com has confirmed that a multi-million dollar cyber attack led to the compromise of around 400 of its customer accounts. The total amount of unauthorized withdrawals across different cryptocurrencies was approximately US$34 million. Following the detection of the suspicious activity, the withdrawal infrastructure was shut down for approximately 14 hours as a precaution.

Read more at bleepingcomputer.com

Linux Servers at Risk of RCE Due to Critical CWP Bugs

Two flaws in Control Web Panel – a popular web hosting management software used by 200K+ servers – allow code execution as root on Linux servers. The problems are found in parts of the CWP panel that are reachable without authentication.

Read more at threatpost.com

Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users

Microsoft says its Azure DDoS protection platform mitigated a massive 3.47 Tbps distributed denial of service (DDoS) attack targeting an Azure customer. This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.

Read more at bleepingcomputer.com

McAfee Bug Can Be Exploited to Gain Windows SYSTEM Privileges

McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM. McAfee Agent “contains a privileged service that uses this OpenSSL component. A user who can place a specially crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.”

Read more at threatpost.com

OpenSubtitles Hacked - Data Breach Affected 7 Million Subscribers

OpenSubtitles revealed that they didn’t implement robust security measures because cybersecurity wasn’t such a critical issue back in 2006 when the website was launched, and in the years that followed they didn’t improve the site’s security. That’s why attackers could compromise the website by cracking a SuperAdmin’s weak password and then accessing user data via SQL injection.

Read more at hackread.com

Beijing 2022 Winter Olympics app bursting with privacy risks

The official app for the Beijing 2022 Winter Olympics, 'My 2022,' was found to be insecure when it comes to protecting the sensitive data of its users. The app's encryption system carries a significant flaw that enables a man-in-the-middle to access documents, audio, and files in cleartext.

Read more at bleepingcomputer.com

Box's SMS based MFA can be bypassed

Cybersecurity researchers have disclosed details of a now-patched bug in Box's MFA mechanism that could be abused to completely sidestep SMS-based login verification. The bypass occurs when an attacker signs in with the victim's credentials and abandons the SMS-based authentication in favor of a different process that uses, say, the authenticator app to successfully complete the login simply by furnishing the TOTP associated with their own Box account.

Read more at thehackernews.com

Researchers Discover Dangerous Firmware-Level Rootkit

The malicious implant, dubbed "MoonBounce," was found planted in UEFI firmware within the SPI flash storage on the infected computer's motherboard, rather than on the hard disk like some other UEFI bootkits. This meant the implant could persist on the system even if the hard disk had been formatted or replaced.

Read more at darkreading.com

Europol Shuts Down VPNLab, Cybercriminals' Favourite VPN Service

VPNLab.net, a VPN provider that was used by malicious actors to deploy ransomware and facilitate other cybercrimes, was taken offline following a coordinated law enforcement operation. VPNLab.net is said to have caught the attention of law enforcement officials when its infrastructure began to be widely used to disseminate malware, with the investigators uncovering evidence of the illicit service being advertised on the dark web.

Read more at thehackernews.com

‘Anomalous’ spyware stealing credentials in industrial firms

Researchers have uncovered several spyware campaigns that target industrial enterprises, aiming to steal email account credentials and conduct financial fraud or resell them to other actors. Kaspersky calls these spyware attacks ‘anomalous’ because of their very short-lived nature compared to what is considered typical in the field.

Read more at bleepingcomputer.com

FireEye & McAfee Enterprise Renamed as Trellix

The company created from the merger of security firms McAfee Enterprise and FireEye will be called Trellix, with an aim to become a force in the field of extended detection and response (XDR). Trellix's approach focuses on what it calls "living security," or the ability to create technology that learns and adapts to protect against advanced threats. The name is a reference to a garden trellis due to the way it supports plants as they grow.

Read more at darkreading.com

Zoom vulnerabilities impact clients, MMR servers

Google's Project Zero researcher Natalie Silvanovich published an analysis of the security flaws, the result of an investigation inspired by a zero-click attack against the videoconferencing tool demonstrated at Pwn2Own. Silvanovich found two bugs: a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), and an information leak specific to MMR servers.

Read more at zdnet.com

Hackers Have Been Sending Malware-Filled USB Sticks to U.S. Companies Disguised as Presents

The FBI warned that a hacker group has been using the US mail to send malware-laden USB drives to companies in the defense, transportation and insurance industries. The criminals’ hope is that employees will be gullible enough to stick them into their computers, thus creating the opportunity for ransomware attacks or the deployment of other malicious software.

Read more at gizmodo.com

The spectacular image used in this article was created by Brazilian artist Pedro Correa.