Infosec in brief Trend Micro’s Zero Day Initiative (ZDI) held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities.
Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company’s crew gain root access to a Tesla Modem. Another effort found a sandbox escape in the Musk-mobiles’ infotainment system.
Other popular targets at the three-day event included after-market infotainment systems and, more troublingly, a whole host of successful hacks on EV chargers.
Five $60,000 bounties – the second-highest monetary awards behind Synacktiv’s $100k Tesla hacks – were awarded for attacks on EV chargers manufactured by Emporia, ChargePoint, Ubiquiti, Phoenix and JuiceBox.
Three attacks against Automotive Grade Linux were also attempted, with only one succeeding (Synacktiv again). This vehicular cut of Linux is used as the backbone of infotainment systems by several automotive OEMs, including Subaru, Toyota and Lexus.
Given most of the bugs exploited at the event were newly reported zero days, little information about the nature of the flaws was revealed.
ZDI’s next event will be its annual Pwn2Own fete in Vancouver from March 20–24, at which hackers will be able to demonstrate their prowess at exploiting vulnerabilities in a new category: Cloud native and container software.
Critical vulnerabilities: CiscUh-oh
Cisco reported a CVSS 9.9 vulnerability in several of its Unified Communications and Contact Center products (CVE-2024-20253) last week that could allow an attacker to execute arbitrary commands on the OS beneath the software. Before you freak out, no – this isn’t as bad as it might seem at first glance.
While admittedly serious, Cisco UCM software isn’t designed to be exposed to the internet, so these systems should be hard targets for miscreants. Regardless, get those patches installed ASAP.
Elsewhere:
- CVSS 10.0 – Multiple CVEs: MachineSense FeverWarn temperature checking kiosks contain hard coded credentials, missing authentication and improper access control, which could be exploited to give an attacker control over devices.
- CVSS 9.8 – CVE-2023-7227: SystemK network video recorders in the 504, 508 and 516 series contain a command injection vulnerability that could be used to execute commands with root privileges.
- CVSS 9.8 – Multiple CVEs: Voltronic Power ViewPower Pro UPS management software version 2.0-22165 contains a series of vulnerabilities that could allow an attacker to trigger DoS, steal admin credentials and execute remote code.
- CVSS 8.8 – CVE-2022-44037: APsystems ECU-C power control software contains an improper access control bug that could give an attacker full admin access without authenticating.
- CVSS 8.4 – CVE-2023-6926: Crestron AM-300 wireless presentation systems are vulnerable to OS command injection that can give attackers root access.
- CVSS 8.0 – Multiple CVEs: Westermo Lynx 206-F2G layer three industrial ethernet switches running firmware 4.24 contain a series of vulnerabilities that an attacker could use to inject code, execute commands and the like.
Also worth noting, Apple has identified a zero day vulnerability in WebKit (CVE-2024-23222) under active exploit that could trigger arbitrary code execution when viewing malicious web content. The latest updates to Apple’s various OSes, and Safari, fix the issue – so patch ASAP.
For shame: SEC admits a SIM swapper hijacked its Twitter account
We had our suspicions when Twitter/X blamed the US Securities and Exchange Commission for the account takeover that led to the premature release of news the regulator would allow Bitcoin exchange-traded funds – and those suspicions have been confirmed.
“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent ‘SIM swap’ attack,” the Commission admitted last week.
For those unfamiliar with this form of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card (a shift for which there are a variety of legitimate reasons), giving an attacker control over communications going to and from that number – like a second authentication factor.
That didn’t matter, of course, because the SEC also admitted it disabled multi-factor authentication with Twitter support in July last year “due to issues accessing the account,” but no one bothered to turn it back on.
Time for some remedial security training.
FYI …
Someone has compiled what looks like a large collection of previously stolen, brute-forced, leaked, and traded login credentials for a whole bunch of sites and apps – including Tencent and Weibo – and dumped them online in an unprotected database. According to researchers, there’s something like 26 billion records in there.
Careful with those (macOS) cracks, Eugene
Downloaders of cracked macOS apps, beware: A newly discovered macOS malware family is making the rounds in cracked apps, and it’s a doozy.
Spotted by threat researchers at Kaspersky’s Securelist, the malware is hidden in previously cracked apps as an “activator” that forces itself to run when apps are installed. Once run, it retrieves a payload that includes a backdoor allowing controllers to execute arbitrary commands on infected machines, and then delivers a list of system information to the C2 server.
The goal of the malware appears to be stealing crypto wallet seed phrases, as the payload script also checks for installations of the Exodus cryptocurrency wallet. If detected, the malware swaps the installed version for a malicious replacement that transmits seed phrases to the C2 server as soon as the infected Exodus install is opened.
“There were no other new features” added to the infected install, Securelist noted.
Non-cryptobros should still be aware of this threat – the backdoor gives an attacker plenty of opportunity to wreak other havoc, and Securelist believes the malware is still a work in progress, so other nastiness could be added later. ®