Cable Haunt Vulnerability

Researchers have discovered a vulnerability, codenamed ‘Cable Haunt’, that affects ‘spectrum analyser’ components in Broadcom chips that are used in many modems. This vulnerability puts millions of modems worldwide at risk.

‘Spectrum analyser’ is a hardware and software component that protects the modem from signal surges and disturbances coming via the coax cable. It is often used by internet service providers (ISPs) in debugging connection quality. Access to this component is usually limited for connections from the internal network.

However, the researchers say this component lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.

Whilst a hacker would need to be on your local network to exploit it, if this occurs, the hacker could take control, send you to malicious websites, perform a man-in-the-middle attack, or even change the modem’s firmware. Users could be tricked into accessing a malicious page via their browser, which could be used to relay an exploit to the vulnerable component and thereby execute commands on the device.

Find out further information and mitigation strategies here: https://cablehaunt.com/

Mozilla patches Firefox

In January Mozilla launched Firefox 72. The updated browser expanded picture-in-picture video mode to macOS. It also blocked “fingerprinting,” an advanced tracking method practiced by some sites and advertisers.

However, within one day of the launch, Mozilla was forced to issue an update with a patch to fix the vulnerability identified as CVE-2019-17026.

Mozilla characterised the zero-day vulnerability as ‘critical’. Unfixed, it could lead to a ‘type confusion’ or logical bug in the ‘IonMonkey’ JavaScript JIT (Just-in-Time) compiler of ‘SpiderMonkey’, the browser’s JavaScript engine.

Visit Mozilla for updates to fix this vulnerability: https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/

WordPress Vulnerability

Make sure you update the following two WordPress plugins to ensure you’re not exposed to serious security vulnerabilities:

1. InfiniteWP versions below 1.9.4.5 allow a POST request payload with JSON and Base64 encoding to bypass password requirements and log in by knowing only the username of an administrator.
2. WP Time Capsule versions below 1.21.16 contains a functions line that can be exploited by adding a crafted string in a raw POST request to call a function that grabs all available administrator accounts and log in as the first admin on the list.

These two plugins are used by an estimated 320,000 websites.

‘authentipocalypse’ – Microsoft patches both Windows 10 and Windows Server

Microsoft has released details on a potentially serious vulnerability in both Windows 10 and Server that could be exploited to spoof certificates to sign executable files, making malicious code appear as if it comes from a trusted provider.

In its advisory for CVE-2020-0601, Microsoft explained the flaw in the Windows cryptographic application programming interface as provided by the crypt32.dll dynamic link library is due to incomplete validation of elliptic curve cryptography (ECC) certificates.

The vulnerability was discovered by the United States National Security Agency (NSA) intelligence service and reported to Microsoft late last year.

Threat scenarios beyond bogus signing of malicious code include exploiting the flaw in man-in-the-middle attacks to decrypt victim communications, Microsoft said.

Microsoft has issued a security update for the flaw as part of its regular Patch Wednesday set of fixes. While Microsoft rates the severity of the flaw as “important” rather than critical and has not yet found exploitation or prior disclosure of the vulnerability, it notes that it is more likely to be abused by hackers. The NSA, however, “assesses the vulnerability to be severe”.

Zero-Day attack targeting Internet Explorer users

A targeted attack is targeting a previously unknown vulnerability in Internet Explorer to corrupt memory and exploit victims’ Windows systems, Microsoft warned in an advisory published on January 17.

The flaw, described as a scripting engine memory corruption vulnerability and designated CVE-2020-0674, allows an attacker to take control of a Windows system by forcing it to use an older version of Microsoft’s JavaScript that is only present for backward compatibility.

By default, Internet Explorer does not use the vulnerable dynamic library, Microsoft stated. “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft stated in Advisory 200001. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

The end of the road for Windows 7

Microsoft has ended support for Windows 7, more than a decade after the ageing operating system first arrived on PCs.

From the 14th of January, devices running the OS will no longer receive important patches for any new security vulnerabilities, as well other software updates and technical support. Users and organisations still using Windows 7 have been urged to move to a newer operating system like Windows 10 to avoid future viruses or malware.

Almost a quarter of Windows users worldwide are still thought to be running Windows 7. The Australian Cyber Security Centre (ACSC) warned in October that adversaries could use “unpatched security vulnerabilities” in Windows 7 to target users. It has recommended that organisations yet to upgrade should “review their risk assessments and begin planning for the implementation of mitigation strategies to reduce their risk exposure”.

The UK’s cyber security agency has similarly advised that devices still running the OS should not be used for internet banking or emails from January 14, 2020.

Don’t Hide Hacks

The government is urging businesses not to cover up cyber-attacks. In the interests of securing critical national infrastructure, such as banks and energy grids, the private sector is being urged to cooperate with cyber-security officials in the event of a breach.

This comes as the government develops new laws enabling it to intervene in private enterprises in order to protect assets that are crucial to the economy and wider community.

Whilst businesses are usually co-operative in such circumstances, sometimes companies push back against assistance due to concerns about government meddling in their systems or the exposure of sensitive commercial information and customer data.

Reputational damage is another concern that may lead to companies keeping quiet.

Under the current law, the government’s cyber agencies can usually only intervene on cyber security incidents with the permission of private network owners.

Australian Privacy Foundation ask Google to remove Android bloatware

53 organisations, including the Australian Privacy Foundation, are asking Google to stop Android smartphone vendors who sell devices with unremovable pre-installed applications, also known as bloatware.

Bloatware has a detrimental effect on user privacy, leaving users exposed to having their data collected by unscrupulous phone vendors and application makers without their knowledge or consent.

Most bloatware applications don’t go through Google’s screening process and have privileged custom permissions, letting them operate outside the Android security model. This means permissions can be defined by the application – including access to the microphone, camera and location – without triggering the standard Android security prompts.

Bushfire Donations Targeted

A website gathering donations for the victims of the bushfires in Australia has been hit by a credential-skimming attack, placing the payment information of donors at risk.

The attack, identified as the work of Magecart, injected the ATMZOW skimmer into the charity’s website code, grabbed payment information, and forwarded it to a third-party destination with an obfuscated web address.

According to the research team at MalwareBytes, which discovered the compromise, the destination server has now been taken offline, though the skimmer code is still present on the site. A researcher from Bad Packets Report noted that the same skimmer code is currently in place on 39 additional websites.

Bank Breach Exposes Personally Identifiable Information

P&N Bank in Western Australia (WA) is informing its customers that hackers may have accessed personal information stored on its systems following a cyberattack.

The data, some of it sensitive in nature, was stored on the bank’s customer relationship management (CRM) platform that is completely separated from the core banking system.

The financial organisation says in the breach notification sent to customers that the compromised system contained the following information: names, addresses, emails, age, customer and account numbers, as well as the account balance.

All this counts as personally identifiable information that is protected under the Privacy Act in Australia.

Funds, social security numbers, and data in identification documents (driver’s license, passport) were stored on a different system and are safe.

As many as 100,000 individuals may be impacted by the incident, which was labelled as “sophisticated” where the attack did not target P&N Bank directly. It occurred during a server upgrade around December 12, 2019, at a third-party that was offering hosting services to the organization.