Posted in Hackaday Columns, News, Security Hacks, Slider Tagged Solarwinds, telegram, This Week in Security Post navigation We were somewhat skeptical when Solarwinds first called this a “sophisticated and novel” hack, but the evidence seems to affirm that opinion. A developer would be hard pressed to discover the modification, because it only exists during compilation, while the developer is out getting coffee anyway. If it is, it modifies one source code file, waits for compilation to complete, and then undoes the malicious change. It checks once a second for MsBuild.exe, and whether it was building Orion. Sunspot was written to very carefully hide from detection, and to only take action when it detects code compiling. This brings to mind the old Trusting Trust attack. This malware, dubbed Sunspot, isn’t the Orion backdoor itself, it is a custom-written piece of malware that modifies source code surreptitiously at compile time. This week, we got Crowdstrike’s write-up of the malware running on Solarwinds machines. The more information is revealed, the more interesting the story becomes. More details on the Solarwinds backdoor is slowly coming to light. So far, Telegram has responded that this is not a bug, and it doesn’t plan to make any changes. Other services have prevented this problem by giving less precise location data. Within a few minutes, it’s possible to precisely locate anyone in the world who has Telegram’s location service turned on. What might not be immediately obvious is that it’s rather trivial to spoof a device’s location to anywhere in the world. That distance updates in real time, which is great for meetups. Telegram gives a very precise and accurate distance to anyone else who is within seven miles. If you’ve opted in, you might consider going and turning that feature off. Just over a year ago, Telegram introduced “People Near Me”, a feature for finding nearby users who have opted in to the service. Telegram is one of the go-to solutions for sending secure messages. It’s possible to mitigate the flaw through disabling IMAP hibernation, but the recommendation is to simply update to the latest release. ![]() This request can allow for limited filesystem access, most notably the downloading of messages from other accounts. The vulnerability allows a client to put its connection in this state, and then send a malicious request to the server. IMAP supports an IDLE command, putting the connection to the server in a holding pattern, ready to push real-time mail notifications to the client. Dovecot Hibernationĭovecot has released version 2.3.13, and there is a fix for a notable vulnerability, CVE-2020-24386. In some cases, this quick response can give administrators around the world time to patch the vulnerability being targeted before they are compromised. When new patterns emerge, volunteers watching the data can quickly identify new attacks as they emerge. The ISC primarily serves as a clearinghouse for data from Intrusion Detection Systems and firewalls around the internet. It’s worth taking a minute to call out the ISC and similar efforts for their invaluable work. The Internet Storm Center (ISC) is reporting that it is already seeing SSH login attempts using those hard-coded credentials. ![]() Remember the Zyxel problem we talked about last week? Well this didn’t take long. The 18.4 GB data dump is still available on the darker corners of the internet, via torrent files. The repository contained code from Nissan mobile apps, marketing information, and code for internal-only services. The researcher who first discovered the issue has remained anonymous, and the primary source for the linked article was caught up in the recent outbreak of Twitter censorship, with an account suspension. That install was still using default credentials for the admin account, and someone finally noticed. ![]() Nissan was hosting a large git repository using Atlassian’s Bitbucket. This event underscores a complaint voiced by Ubiquiti users: Ubiquiti has been making it difficult to administrate hardware without a cloud-enabled account. In any case, updating your password would invalidate the potentially compromised hash. Ubiquiti has mentioned that the database that may have been accessed contains a user’s name, email address, hashed password, and optionally the mailing address and phone number.ĭepending on how the Ubiquiti authentication system is designed, that hashed password may be enough to log in to someone’s account. The email stated that there was an unauthorized access of Ubiquiti systems, and while there wasn’t evidence of user data being accessed, there was also not enough evidence to say emphatically that user data was not accessed. You may have been one of the many of us who received an email from Ubiquiti this week, recommending a password change.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |