Infosec in brief: Trend Micro's Zero Day Initiative (ZDI) held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero-day vulnerabilities.
Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company's team gain root access to a Tesla modem. Another effort found a sandbox escape in the Musk-mobiles' infotainment system.
Other popular targets at the three-day event included after-market infotainment systems and, more troublingly, a whole host of successful hacks on EV chargers.
Five $60,000 bounties – the second-highest monetary awards behind Synacktiv's $100k Tesla hacks – were awarded for attacks on EV chargers manufactured by Emporia, ChargePoint, Ubiquiti, Phoenix and JuiceBox.
Three attacks against Automotive Grade Linux were also attempted, with just one succeeding (Synacktiv again). This vehicular cut of Linux is used as the backbone of infotainment systems by several automotive OEMs, including Subaru, Toyota and Lexus.
Given most of the bugs exploited at the event were newly reported zero days, little information about the nature of the flaws was revealed; ZDI's practice is to hand the details to the vendors and withhold them until patches are available.
ZDI's next event will be its annual Pwn2Own fest in Vancouver from March 20–24, at which hackers will be able to demonstrate their prowess at exploiting vulnerabilities in a new category: cloud native and container software.
Critical vulnerabilities: CiscUh-oh
Cisco reported a CVSS 9.9 vulnerability in several of its Unified Communications and Contact Center products (CVE-2024-20253) last week that could allow an unauthenticated, remote attacker to execute arbitrary commands on the OS beneath the software. Before you freak out, no – this isn't as bad as it might seem at first glance.
While admittedly serious, Cisco UCM software isn't designed to be exposed to the internet, so these systems should be hard targets for miscreants, provided they really are confined to the internal voice network. Regardless, get those patches installed ASAP, and in the meantime restrict access to the affected services with access control lists on the devices that sit between the cluster and the rest of the network, as Cisco's advisory recommends.
- CVSS 10.0 – Multiple CVEs: MachineSense FeverWarn temperature-checking kiosks contain hard-coded credentials, missing authentication and improper access control, which could be exploited to give an attacker control over the devices.
- CVSS 9.8 – CVE-2023-7227: SystemK network video recorders in the 504, 508 and 516 series contain a command injection vulnerability that could be used to execute commands with root privileges.
- CVSS 9.8 – Multiple CVEs: Voltronic Power ViewPower Pro UPS management software version 2.0-22165 contains a series of vulnerabilities that could allow an attacker to trigger a DoS, steal admin credentials and execute remote code.
- CVSS 8.8 – CVE-2022-44037: APsystems ECU-C power control software contains an improper access control bug that could give an attacker full admin access without authenticating.
- CVSS 8.4 – CVE-2023-6926: Crestron AM-300 wireless presentation systems are vulnerable to OS command injection that can give attackers root access.
- CVSS 8.0 – Multiple CVEs: Westermo Lynx 206-F2G layer three industrial ethernet switches running firmware 4.24 contain a series of vulnerabilities that an attacker could use to inject code, execute commands and the like.
Also worth noting, Apple has identified a zero-day vulnerability in WebKit (CVE-2024-23222), a type confusion bug under active exploitation that could trigger arbitrary code execution when viewing malicious web content. The latest updates to Apple's various OSes, and to Safari, fix the issue – so patch ASAP.
For shame: SEC admits a SIM swapper hijacked its Twitter account
We had our suspicions when Twitter/X blamed the US Securities and Exchange Commission for the account takeover that led to the premature release of news that the regulator would permit Bitcoin exchange-traded funds – and those suspicions have been confirmed.
"The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," the Commission admitted last week.
For those unfamiliar with this kind of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card (a transfer for which there are several legitimate reasons), giving the attacker control over communications going to and from that number, including the SMS one-time codes and password-reset links that many services treat as a second authentication factor.
That second factor didn't even come into play, of course, because the SEC also admitted it had asked Twitter support to disable multi-factor authentication in July last year "due to issues accessing the account," and nobody bothered to turn it back on. With MFA off, control of the phone number was enough to reset the password and take over the account.
Time for some remedial security training.
Someone has compiled what looks like a large collection of previously stolen, brute-forced, leaked and traded login credentials for a whole bunch of websites and apps – including Tencent and Weibo – and dumped them online in an unprotected database. According to researchers, there are something like 26 billion records in there.
Careful with those (macOS) cracks, Eugene
Downloaders of cracked macOS apps, beware: a newly discovered macOS malware family is making the rounds in cracked apps, and it's a doozy.
Spotted by threat researchers at Kaspersky's Securelist, the malware is hidden in previously cracked apps as an "activator" that forces itself to run when the apps are installed. Once run, it retrieves a payload that includes a backdoor allowing its controllers to execute arbitrary commands on infected machines, and then sends a list of system information to the C2 server.
The goal of the malware appears to be stealing crypto wallet seed phrases, as the payload script also checks for installations of the Exodus cryptocurrency wallet. If one is detected, the malware swaps the installed version for a malicious replacement that transmits seed phrases to the C2 server as soon as the infected Exodus installation is opened.
"There were no other new features" added to the infected installation, Securelist noted.
Non-cryptobros should still be aware of this threat – the backdoor gives an attacker plenty of opportunity to wreak other havoc, and Securelist believes the malware is still a work in progress, so other nastiness could be added later. ®
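Because the malware replaces an installed wallet app with a trojanised copy, one check a macOS user can run is whether the installed bundle still carries a valid code signature from the expected developer. The script below is an added example for this column and is not part of Securelist's report; the bundle path and the Team ID argument are assumptions (obtain the real Team ID from `codesign -dv --verbose=4` on a copy downloaded from the vendor). A cracked app will fail the signature check by construction, which is the point: if it fails, you cannot tell a crack from a trojan.

```shell
#!/bin/sh
# Added example: check that an installed macOS app bundle still has a valid
# code signature and that the signature belongs to the expected developer
# Team ID. A bundle swapped for a trojanised copy fails one of these checks.
#
# Usage: verify_bundle /Applications/Exodus.app TEAMID
#   The path and TEAMID are assumptions; get the real Team ID by running
#   `codesign -dv --verbose=4` on a copy downloaded from the vendor.
#
# Exit codes: 0 = signature valid and Team ID matches
#             1 = bundle not found
#             2 = codesign unavailable (not macOS)
#             3 = signature invalid or missing
#             4 = Team ID mismatch
verify_bundle() {
  bundle="$1"
  expected_team="$2"

  if [ ! -d "$bundle" ]; then
    echo "verify_bundle: no bundle at $bundle" >&2
    return 1
  fi

  if ! command -v codesign >/dev/null 2>&1; then
    echo "verify_bundle: codesign not found; run this on macOS" >&2
    return 2
  fi

  # --deep walks nested code (helpers, frameworks); --strict rejects
  # signatures older checks tolerated. Any tampering with the bundle,
  # including a cracked binary with its signature stripped, fails here.
  if ! codesign --verify --deep --strict "$bundle" 2>/dev/null; then
    echo "verify_bundle: signature invalid or missing on $bundle" >&2
    return 3
  fi

  # A valid signature only proves the bundle is unmodified since signing.
  # An attacker can sign a replacement with their own certificate, so also
  # pin the Team ID (printed on stderr by codesign -dv --verbose=4).
  if [ -n "$expected_team" ]; then
    team=$(codesign -dv --verbose=4 "$bundle" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    if [ "$team" != "$expected_team" ]; then
      echo "verify_bundle: Team ID '$team' does not match '$expected_team'" >&2
      return 4
    fi
  fi
  return 0
}
```

Run it after any suspicious install, not just at first launch: the activator described above swaps the wallet after the fact, so a bundle that verified last month can fail today.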