OnePlus Suffers New Data Breach Impacting Its Online Store Customers

Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely as a result of a vulnerability in its online store website.

The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page to disclose information about the security incident.

According to OnePlus, the company discovered the breach just last week after an unauthorized party accessed order information of its customers, including their names, contact numbers, emails, and shipping addresses.

“Last week while monitoring our systems, our security team discovered that some of our users’ order information was accessed by an unauthorized party,” the company said.

OnePlus also assured that not all customers were affected and that the attackers were not able to access any payment information, passwords, and associated accounts.

“Impacted users may receive spam and phishing emails as a result of this incident.”

images from Hacker News

New ZombieLoad v2 Attack Affects Intel’s Latest Cascade Lake CPUs

Zombieload is back.

This time a new variant (v2) of the data-leaking side-channel vulnerability also affects the most recent Intel CPUs, including the latest Cascade Lake, which are otherwise resistant to attacks like Meltdown, Foreshadow and other MDS variants (RIDL and Fallout).

Initially discovered in May this year, ZombieLoad is one of the three novel types of microarchitectural data sampling (MDS) speculative execution vulnerabilities that affect Intel processor generations released from 2011 onwards.

The first variant of ZombieLoad is a Meltdown-type attack that targets the fill-buffer logic, allowing attackers to steal sensitive data not only from other applications and the operating system but also from virtual machines running in the cloud on shared hardware.

ZombieLoad v2 Affects Latest Intel CPUs

Now, the same group of researchers has disclosed details of a second variant of the vulnerability, dubbed ZombieLoad v2 and tracked as CVE-2019-11135, that resides in Intel’s Transactional Synchronization Extensions (TSX).

Intel TSX provides transactional memory support in hardware, aiming to improve CPU performance by speeding up the execution of multi-threaded software and aborting a transaction when a conflicting memory access is detected.

images from Hacker News

First Cyber Attack ‘Mass Exploiting’ BlueKeep RDP Flaw Spotted in the Wild

Cybersecurity researchers have spotted a new cyberattack that is believed to be the first, albeit amateur, attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass-compromise vulnerable systems for cryptocurrency mining.

In May this year, Microsoft released a patch for a highly-critical remote code execution flaw, dubbed BlueKeep, in its Windows Remote Desktop Services that could be exploited remotely to take full control over vulnerable systems just by sending specially crafted requests over RDP.

BlueKeep, tracked as CVE-2019-0708, is a wormable vulnerability because it can be weaponized by potential malware to propagate itself from one vulnerable computer to another automatically without requiring victims’ interaction.

BlueKeep has been considered such a serious threat that, since its discovery, Microsoft and even government agencies [NSA and GCHQ] have continuously urged Windows users and admins to apply the security patches before attackers gain a foothold on their systems.

Even the many security firms and individual cybersecurity researchers who successfully developed a fully working exploit for BlueKeep pledged not to release it to the public for the greater good, especially because nearly 1 million systems were still found vulnerable a month after the patches were released.

This is why amateur hackers took almost six months to come up with a BlueKeep exploit that is still unreliable and doesn’t even have a wormable component.

BlueKeep Exploit Spreads Cryptocurrency Malware

BlueKeep exploitation in the wild was first suspected by Kevin Beaumont on Saturday, when several of his EternalPot RDP honeypot systems suddenly crashed and rebooted.

images from Hacker News

Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig

If you’re using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.

A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers and the network devices connected to them.

Written in native PHP, rConfig is a free, open source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.

According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load balancers and WAN optimizers.

What’s more worrisome? Both vulnerabilities affect all versions of rConfig, including the latest rConfig version 3.9.2, with no security patch available at the time of writing.

Discovered by Mohammad Askar, each flaw resides in a separate file of rConfig: one, tracked as CVE-2019-16662, can be exploited remotely without any authentication, while the other, tracked as CVE-2019-16663, requires authentication before it can be exploited.

  • Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
  • Authenticated RCE (CVE-2019-16663) in search.crud.php

In both cases, to exploit the flaw, all an attacker needs to do is access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.
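The bug class described above, a request parameter spliced into an OS command, is easiest to see next to its fix. The following is an added example written for this page in Python, not rConfig's own PHP code; the scenario (a reachability check of a network device named by a GET parameter) and all function names are assumptions. The unsafe function only builds the shell string and never runs it; the hardened function validates the parameter against a strict allowlist and hands the command to the OS as an argument list so no shell parses it.

```python
"""Command-injection pattern vs. its hardened form (constructed example)."""
import re
import subprocess
from typing import List

# Allowlist: RFC 1123 hostname labels or IPv4 dotted quads. Assumed for this
# example; adjust to whatever identifiers your own endpoint legitimately accepts.
_HOST_RE = re.compile(
    r"(?=.{1,253}\Z)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_unsafe(host: str) -> str:
    """The vulnerable pattern: the request parameter becomes part of a shell
    command string. Anything the shell treats specially (';', '|', '&&',
    '$(...)', backticks) would be interpreted if this string were run with a
    shell. It is returned, not executed, so the defect is visible on its own."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> bool:
    """Allowlist check: only a syntactically valid hostname or IPv4 literal passes.
    Shell metacharacters, whitespace and leading '-' (option injection) all fail."""
    return _HOST_RE.fullmatch(host) is not None


def build_command_safe(host: str) -> List[str]:
    """Hardened pattern: reject anything outside the allowlist, then return an
    argv list. Passed to subprocess without shell=True, each element is exactly
    one argument and is never re-parsed by a shell."""
    if not validate_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def check_reachability(host: str, timeout: float = 5.0) -> bool:
    """Run the validated argv list with no shell; True only on exit status 0."""
    argv = build_command_safe(host)
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


if __name__ == "__main__":
    # Constructed input of the kind a malformed GET parameter would carry.
    payload = "127.0.0.1; id"
    print("unsafe shell string  :", build_command_unsafe(payload))
    try:
        build_command_safe(payload)
    except ValueError as exc:
        print("hardened path        :", exc)
    print("argv for a clean host:", build_command_safe("switch01.example.net"))
```

The allowlist is the important half: escaping alone is fragile, while rejecting everything that is not a well-formed device identifier and avoiding the shell entirely removes the interpreter that made the parameter dangerous.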

images from Hacker News

Targeted Ransomware Attacks Hit Several Spanish Companies

Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely.

Ransomware is malware that encrypts files on an infected system and holds them until a ransom is paid.

According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying:

“We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated.”


“Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems.”

According to cybersecurity consultant Arnau Estebanell Castellví, the malware encrypted files on Everis’s computers with an extension name resembling the company’s name, i.e., “.3v3r1s,” which suggests the attack was highly targeted.

At this moment, it is unknown which specific ransomware family was used to target the company, but the attackers reportedly demanded €750,000 (~USD 835,000) in ransom for the decryptor, a company insider told the bitcoin.es site.

However, considering the highly targeted nature of the attack, the founder of VirusTotal in a tweet suggests the type of ransomware could be BitPaymer/IEncrypt, the same malware that was recently found exploiting a zero-day vulnerability in Apple’s iTunes and iCloud software.

Here’s the ransomware message that was displayed on the screens of the infected computers across the company:

Hi Everis, your network was hacked and encrypted.
No free decryption software is available on the web.
Email us at sydney.wiley@protonmail.com or evangelina.mathews@tutanota.com to get the ransom amount.
Keep our contacts safe.
Disclosure can lead to the impossibility of decryption.
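The two host-level indicators in this report, an unfamiliar extension (".3v3r1s") appearing across many files and a short text file that reads like the note quoted above, are cheap to look for. The scanner below is an added example written for this page, not anything from Everis or the incident response; the thresholds, the note phrases and the sample directory it builds are all constructed assumptions. It is read-only and simply reports what it finds.

```python
"""Constructed example: scan a directory tree for ransomware indicators."""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Extension reported in the article; extend with whatever your own telemetry shows.
SUSPECT_EXTENSIONS = {".3v3r1s"}
# Phrases a ransom note typically contains (assumed list for this example).
NOTE_PHRASES = ("your network was hacked", "decryption", "ransom")
NOTE_MAX_BYTES = 64 * 1024          # notes are small; skip large files
MASS_RENAME_THRESHOLD = 5           # assumed: this many renamed files is an alert


@dataclass
class ScanResult:
    renamed_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    extension_counts: Dict[str, int] = field(default_factory=dict)

    @property
    def likely_ransomware(self) -> bool:
        # Either a burst of encrypted-looking files or any note is enough to escalate.
        return len(self.renamed_files) >= MASS_RENAME_THRESHOLD or bool(self.ransom_notes)


def looks_like_ransom_note(path: str) -> bool:
    """Cheap textual test: a small file containing at least two note phrases."""
    try:
        if os.path.getsize(path) > NOTE_MAX_BYTES:
            return False
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read().lower()
    except OSError:
        return False
    return sum(phrase in text for phrase in NOTE_PHRASES) >= 2


def scan_tree(root: str) -> ScanResult:
    """Walk 'root' and collect indicators. Never modifies or moves anything."""
    result = ScanResult()
    counts: Counter = Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            counts[ext] += 1
            if ext in SUSPECT_EXTENSIONS:
                result.renamed_files.append(path)
            elif ext in (".txt", ".html", "") and looks_like_ransom_note(path):
                result.ransom_notes.append(path)
    result.extension_counts = dict(counts)
    return result


def build_sample_tree() -> str:
    """Constructed fixture: benign documents, encrypted-looking files and a note
    modelled on the text quoted in the article, in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="rw-scan-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for i in range(3):
        with open(os.path.join(docs, f"report{i}.docx"), "wb") as fh:
            fh.write(b"plain content")
    for i in range(6):
        with open(os.path.join(docs, f"invoice{i}.xlsx.3v3r1s"), "wb") as fh:
            fh.write(os.urandom(32))
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Hi, your network was hacked and encrypted.\n"
                 "No free decryption software is available.\n"
                 "Email us to get the ransom amount.\n")
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    print(f"encrypted-looking files: {len(res.renamed_files)}")
    print(f"ransom notes           : {res.ransom_notes}")
    print(f"extensions seen        : {res.extension_counts}")
    print("escalate:", res.likely_ransomware)
```

On a real estate the same logic belongs in endpoint telemetry rather than a periodic walk: the signal that matters is many renames to one new extension in a short window, which is why the threshold counts files rather than matching a single name.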

What’s more? It seems Everis is not the only company that suffered a ransomware attack this morning.

images from Hacker News

Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light

A team of cybersecurity researchers has discovered a clever technique to remotely inject inaudible and invisible commands into voice-controlled devices — all just by shining a laser at the targeted device instead of using spoken words.

Dubbed ‘Light Commands,’ the hack relies on a vulnerability in the MEMS microphones embedded in widely used voice-controllable systems, which unintentionally respond to light as if it were sound.

According to experiments by a team of researchers from universities in Japan and Michigan, a remote attacker standing several meters away from a device can covertly trigger the attack simply by modulating the amplitude of laser light to produce an acoustic pressure wave.

“By modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio,” the researchers said in their paper [PDF].

Doesn’t this sound creepy? Now read this part carefully…

Smart voice assistants in your phones, tablets, and other smart devices, such as Google Home and Nest Cam IQ, Amazon Alexa and Echo, Facebook Portal, Apple Siri devices, are all vulnerable to this new light-based signal injection attack.

“As such, any system that uses MEMS microphones and acts on this data without additional user confirmation might be vulnerable,” the researchers said.

Since the technique ultimately allows attackers to inject commands as a legitimate user, the impact of such an attack can be evaluated based on the level of access your voice assistants have over other connected devices or services.

Therefore, with the light commands attack, the attackers can also hijack any digital smart systems attached to the targeted voice-controlled assistants, for example:

  • Control smart home switches,
  • Open smart garage doors,
  • Make online purchases,
  • Remotely unlock and start certain vehicles,
  • Open smart locks by stealthily brute-forcing the user’s PIN.

As shown in the researchers’ video demonstration: in one of their experiments, the researchers injected the command “OK Google, open the garage door” into a Google Home by aiming a laser beam at it, and the garage door connected to that Google Home opened.

images from Hacker News