Today a collection of security incidents that have come to my attention these days. Data leaks and updates included. Also included: A Windows vulnerability in JScript.
Advertising
Honda India: Customer data leaked on open AWS
Honda India has been leaking customer data on an Amazon AWS-Server (S3 Bucket), because they forget to secure this S3 Bucket. Therefore, 50,000 customer data were open available to the public via internet. This includes the name, password and more from users who had downloaded a Honda app. Kromtech Security reported here, Bleeping Computer has a summary. The case shows again, how quickly data can be disclosed in the cloud.
Google Groups are Leaking Data
Many organizations are using Google Groud mailing lists, that are accessing publicly and are indexed by Google. KrebsonSecurity undertook with several researchers Google Groups a review. Their finding: thousands of companies that are using thousands of companies that are using public Google Groups lists to manage customer support and in some cases sensitive internal communications.
Many Google Groups leak emails for example, that should probably not be public but are nevertheless searchable on Google. This includes personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails. More details may be read at KrebsonSecurity. Google has published this post to remind users to configure Google Groups in the right way.
Windows: Remote Code Execution vulnerability in JScript
This remote code execution vulnerability in JScript affects Windows systems. The vulnerability exists in the JScript component of the Windows operating system and allows an attacker to execute malicious code on a user's computer.
Dmitri Kaslov of Telspace Systems has discovered this error and informed Trend Micro's Zero-Day Initiative (ZDI). This project mediates the process of vulnerability disclosure between independent researchers and larger companies.
Advertising
ZDI reported the problem to Microsoft in January 2018. However, Microsoft has not yet released a patch for this vulnerability. Here ZDI published a summary of the 0-Day Use-After-Free Remote Code Execution vulnerability in the Microsoft Windows JScript Error Object. Attackers can use pointer manipulations to control memory. Then visiting a web page would be enough for remote code execution. The technical details about the error are deliberately vague, as no patch is available yet. A summary can be found at Bleeping Computer. It can be seen there that remote code execution is limited to the sandbox of the browser that executes JScript. Real attacks are not known at the moment. It is still unclear when the whole thing will be patched.
Next generation Intel CPUs without Spectre mitigation
Vulnerabilities such as Meltdown and Spectre have been occupying us for quite some time. In January 2018 I postulated that the processor manufacturers need years to change their designs so that Spectre or Meltdown can no longer be used. In the short term, it looked as if my statement (which was based on expert opinions) was nonsense. Intel announced that new generations of processors would already be protected against Spectre in 2018.
A few days ago, I read at neowin.net, that CPUs released by Intel in 2018 will probably not have consistent spectre protection. This applies to the last disclosed Spectre V4 gaps (see Google and Microsoft unveil Spectre V4 CPU vulnerability).
Hackers use cameras with vulnerabilities
IoT devices with vulnerabilities such as cameras connected to the Internet can be misused by cybercriminals for their own purposes (DDoS attacks, crypto-mining and more). Trend Micro now warns that hackers can buy group memberships in underground forums. With these memberships you get access to compromised cameras.
Underground actors can use vulnerable cameras for malicious acts such as #DDoS attacks, #cryptocurrency mining, and even financial crimes. https://t.co/Ro0cL8DuBw #infosec pic.twitter.com/DEsJ4yrwaq
— Trend Micro (@TrendMicro) 27. Mai 2018
Details may be read in the Trend Micro blog article Exposed Video Streams: How Hackers Abuse Surveillance Cameras.
Security holes in BMW cars
Chinese security firm Tencent Keen Lab found several security flaws in BMW cars during a year-long experiment carried out between January 2017 and February 2018. BMW is working now on firmware updates for some of its cars after researchers from the Tencent Keen Security Lab informed the company about the discovery of 14 flaws affecting high-profile car models such as BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series. Details may be read at The Hackers News.
FBI warns of new malware from North Korea
US-CERT has issued a joint technical warning from the Deputy of Homeland Security (DHS) and the FBI warning of two newly identified malware samples.
HS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:
- a remote access tool (RAT), commonly known as Joanap; and
- a Server Message Block (SMB) worm, commonly known as Brambul.
The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit.
