Thunderstruck with the Jetsons and the IT Privacy and Security Weekly Update for November 16th., 2021


We start this week tunefully with a story we missed out of the Pwn2Own challenge that will have you headbanging in the aisles before fulfilling a request for more oil for r2D2.

In between, we learn why bragging could end up getting you poorly fed, why popular programming languages could be bad for IoT devices, why you can’t really complain if you see giant cutouts of boats in the desert and we wonder if you can help us find Intel another boxing coach.

We end with mice, scorpions, and robots in a trilogy that could have the animal rights league chasing our tails.

All that aside, this really is the most superb IT Privacy and Security Weekly Update yet, so let’s get “Thunderstruck” with George, Jane, daughter Judy, and their boy Elroy!

Global: Pwn2Own: Printer plays AC/DC

The third day of Pwn2Own saw the F-Secure Labs team turning an HP LaserJet printer into a jukebox using a stack-based buffer overflow to play AC/DC’s Thunderstruck.

So what’s the upshot for you? We admit we missed “hearing” this little escapade last week, so with great humility bring you what must be one of the funniest hacks yet. Remember this printer has no speaker as you sing along to AC/DC.

RU: Self-described ‘king of fraud’ is sentenced to 10 years

"Self-described ‘king of fraud’ is sentenced to 10 years.

A Russian man who once described himself as the “king of fraud” for his role in orchestrating a multimillion-dollar crime spree was sentenced Wednesday to 10 years in prison. Aleksandr Zhukov, 41, was convicted in May of defrauding U.S. advertising companies out of $7 million in part by using botnets to artificially inflate web traffic.

Working with a small network of cybercriminals, Zhukov directed bot traffic to inauthentic websites, charging marketing companies to run advertisements on websites that attracted little if any, real visitors. Two of Zhukov’s associates have pleaded guilty to involvement in the 3ve scheme, also known as Methbot, while six others have faced charges for the alleged roles in the effort.

So what’s the upshot for you? Have fun! We hear the food is great.

Global: Millions of Routers, IoT Devices at Risk from BotenaGo Malware

Executive summary: AT&T has found new malware written in the open-source programming language Golang. Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices.

Key Takeaways: BotenaGo has more than 30 different exploit functions to attack a target.
The malware creates a backdoor and waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine.

It is yet unclear which threat actor is behind the malware and the number of infected devices.

Background: Golang (also known as Go) is an open-source programming language designed by Google and first published in 2007 that makes it easier for developers to build software.

According to a recent Intezer post, the Go programming language has dramatically increased in its popularity among malware authors in the last few years. The site suggests there has been a 2,000% increase in malware code written in Go being found in the wild.

So what’s the upshot for you? Some of the reasons for its rising popularity relate to the ease of compiling the same code for different systems, making it easier for attackers to spread malware on multiple operating systems.

CN: China builds mockups of U.S. Navy ships in an Area used for Missile Target Practice

If you want to send a message: build mockups in the shape of the U.S. Navy aircraft carriers and other U.S. warships, use them as training targets for ballistic missile testing in the desert of Xinjiang (China) that US satellites will pick that up in their ever-present fly-over surveillance.

So what’s the upshot for you? Neighbouring countries, concerned about the missiles hitting other ships around the target when the testing is done in the open seas, can’t complain about similar testing on dry land.

Global: Knocked for Six? The once-mighty Intel can’t seem to get up off the floor.

Intel has acknowledged two high severity flaws in a range of processors used in laptops, cars, and Internet of Things (IoT) devices that could enable hackers with physical access to gain escalated privileges to those systems.

In a security alert, Intel said both bugs concern BIOS firmware issues. CVD-2021-0157 involves insufficient control flow management” and CVE-2021-0158 encompasses improper input validation.

Both flaws carry a Common Vulnerability Scoring System (CVSS) base score of 8.2.

So what’s the upshot for you? The issues affect the Pentium, Celeron, and Atom processors of the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms used in mobile devices, embedded systems, and Internet of Things (IoT) devices, such as smart home appliances and medical equipment. The flaw also affects cars that use the Intel Atom E3900 chip, including the Tesla Model 3. Now if we were betting folk, which we aren’t, we might imagine that most of those buggy bits will never be updated by their manufacturers…

US: Security vendor stirs controversy using undisclosed flaw for months

The reveal of a critical vulnerability, rated as 9.8 out of 10, affecting Palo Alto Networks firewall appliances with the GlobalProtect Portal VPN enabled, is creating controversy in the security industry as it appears one vendor used it for close to a year for “Red Team” penetration testing before disclosing it to the vendor.

Security vendor Randori developed a working exploit for the CVE-2021-3064 flaw that affects multiple versions of PAN-OS that runs the firewalls in question, leaving over 10,000 of the internet-facing devices exposed to exploitation by attackers.

In December 2020, Randori says it began “authorized use of the vulnerability chain” as part of its automated Red Team attack platform.

It wasn’t until September and October this year, however, that Randori disclosed the buffer overflow and HTTP smuggling bugs to Palo Alto Networks, which assigned a Common Vulnerabilities and Exposures identifier to the flaws.

Palo Alto Networks issued patches the following month, but Randori has yet to explain why it took some nine months to report the vulnerabilities to the vendor.

So what’s the upshot for you? This rant explains how most feel about Randori now: "I can’t stop thinking about this, @RandoriAttack can you help me understand the logic behind finding a vulnerability sitting on it AND exploiting your red team customers with it for almost a year before disclosing it to the vendor? I assume I’m missing a perspective here and I’m curious.” — jayjacobs (@jayjacobs) November 10, 2021

CN: China’s next generation of hackers won’t be criminals and that could be a problem.

in 2017, the Central Cyberspace Administration of China announced an award for World-Class Cybersecurity Schools; a program that currently certifies eleven schools in the same way some U.S. government agencies certify universities as Centers of Academic Excellence in cyber defense or operations. But having a new pool of talent untainted by criminal activity is not reason enough to change China’s operational approach.

Efforts to professionalize state hacking teams are also directly linked to President Xi’s political goal of reducing corruption. Xi’s recent purge of China’s state security services demonstrates the risk officials run by enriching themselves using government resources.

The implications of these measures suggest that the Chinese hackers that the world’s companies and intelligence services are accustomed to defending against will be far more professional by the end of the decade.

So what’s the upshot for you? This shift in Chinese cyber capabilities will be felt abroad as the list of targeted countries and entities grow. Espionage priorities that long languished near the bottom of the list are likely to receive renewed attention as the roster of state hackers swells. These campaigns will not be more “sophisticated” than past operations, since China’s hacking teams are already on par with the best. But they will become more frequent.

Remember, spying is not against the rules, so probably other countries need to up their game too???!.
As an example, last Summer NATO identified 500,000 unfilled cybersecurity jobs.

US: Robinhood Announces Data Security Incident -Update

From Robinhood November 16, 2021, at 9:55 AM PT: We’re providing the following update to keep our customers and other members of the Robinhood community informed on the data security incident.

We previously disclosed that, based on our investigation, the unauthorized party obtained a list of email addresses for approximately five million people, as well as full names for a different group of approximately two million people.

We’ve determined that several thousand entries in the list contain phone numbers, and the list also contains other text entries that we’re continuing to analyze.

We continue to believe that the list did not contain Social Security numbers, bank account numbers, or debit card numbers and that there has been no financial loss to any customers as a result of the incident. We’ll continue making appropriate disclosures to affected people.

So what’s the upshot for you? Hmmn…

US: FBI Hacker Offers to Sell Data Allegedly Stolen in Robinhood Breach

The hacker who last week sent out thousands of fake emails from FBI systems is offering to sell data allegedly stolen in the recent breach at mobile stock trading platform Robinhood.

Robinhood noted at the time that the hacker had “demanded an extortion payment, suggesting that the attack was conducted by a profit-driven cybercriminal. Sure enough, a few days after Robinhood disclosed the incident, someone offered to sell the data allegedly stolen from the company on a well-known, publicly accessible hacker forum.

The seller said they were looking to get at least “five figures” for the data, noting that “this is highly profitable if in the right hands.”

The individual who is offering to sell the Robinhood data is known online as pompompurin, the hacker who took credit for sending out thousands of emails last week from an email address belonging to the FBI.

More than 100,000 fake emails were sent out, informing recipients about a threat actor in their systems. The hoax emails claimed the threat actor was a security researcher, who suggested after the incident came to light that the operation was the work of a cybercriminal he had previously exposed.

It’s unclear if pompompurin was indeed involved in the Robinhood hack. The hacker told Bleeping Computer that they had used a RAT in the attack on the trading platform, but the company said no malware was involved.

So what’s the upshot for you? We do demand total honesty of our miscreants.
Was he or was he not involved in both hacks? Only time will tell.

Global: Boom Boom in the Zoom.

“The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine.”

“If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution.”

So what’s the upshot for you? Remember that typically Zoom software does not have an automatic update mechanism. Users are urged to manually check for software updates within the Zoom client.

KR: Seoul will be the first city government to join the metaverse

On Nov. 3, the South Korean capital announced a plan to make a variety of public services and cultural events available in the metaverse, an immersive internet that relies on virtual reality. If the plan is successful, Seoul residents can visit a virtual city hall to do everything from touring a historic site to filing a civil complaint by donning virtual reality goggles.

The South Korean city is planning to use artificial intelligence to monitor its sewers and water waste centers. An AI chatbot serves as a public concierge, fielding public questions and complaints related to everything from parking violations to covid-19 protocols. Earlier this year, Seoul rolled out plans for a public internet of things network—a series of sensors and base stations throughout the city that collect data on things like traffic, public safety, and environmental metrics and feed them into a central operations platform managed by city workers.

So what’s the upshot for you? Sounds like the perfect place to wear our new Nikes.

HK: Likely state-based hackers infected Hong Kong websites to spy on Apple users, Google says

Suspected foreign government-backed hackers infected websites belonging to a Hong Kong-based media outlet and a pro-democracy group in a bid to install malware on visitors’ Apple devices, Google researchers say. Google’s Threat Analysis Group discovered the watering hole attack in August, which relied on a previously unreported backdoor, or zero-day flaw.

“Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code."

While Google didn’t attribute the attackers to a specific nation, China has long been suspected of conducting cyber-espionage and sowing disinformation aimed at democracy advocates in Hong Kong.

So what’s the upshot for you? The vulnerability has been patched by Apple.

Global: GitHub fixes authorization vulnerability in the NPM JavaScript package registry

GitHub said it has fixed a longstanding issue with the NPM (Node Package Manager) JavaScript registry that would allow an attacker to update any package without proper authorization.

Chief security officer Mike Hanley posted yesterday about the issue, which was reported by security researchers on 2 November and patched within six hours. That impressive speed contrasts with the length of time the vulnerability existed, said to be longer than “the timeframe for which we have available telemetry, which goes back to September 2020.”

The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user’s permissions should enable. In this case, the NPM service correctly validated that a user was authorized to update a package, but "the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.

“This discrepancy provided an avenue by which requests to publish new versions of a package would be authorized for one package but would actually be performed for a different, and potentially unauthorized, package.”

So what’s the upshot for you? To their credit they fixed it fast, but, “Holy Toledo Batman!!” this vulnerability was in place for a long time!

US: Spend your Crypto going to the movies this holiday Season

AMC Theaters, which is perhaps the king of the meme stocks, promised in August that you’d be able to pay for tickets and concessions with Bitcoin by the end of the year, and now, you can do just that.

Bitcoin isn’t the only cryptocurrency you’ll be able to use; AMC is also accepting Ethereum, Bitcoin Cash, and Litecoin for online purchases.

At checkout on AMC’s website, PayPal is listed as a payment method with the note that it “supports cryptocurrencies.” Presumably, that means you’ll have to log in with your PayPal account and select any cryptocurrency that’s accessible there to pay for tickets or concessions.

So what’s the upshot for you? Alas, if you have any coin jangling around in your pockets, apparently this only works online, but according to the CEO crypto “already accounts for 14 percent of our total online transactions." Oh … and no Dogecoin yet!

US: New Class Of Drug Reverses Paralysis In Mice

US scientists have developed a new form of drug that promotes the regeneration of cells and reversed paralysis in mice with spinal injuries, allowing them to walk again within four weeks of treatment.

The research was published in the journal Science, and the team of Northwestern University scientists behind it hopes to approach the Food and Drug Administration as early as next year to propose human trials.

The N.U. research team used nanofibers to mimic the architecture of the “extracellular matrix” – a naturally occurring network of molecules surrounding tissue that is responsible for supporting cells.

Each fiber is about 10,000 times narrower than a human hair, and they are made up of hundreds of thousands of bioactive molecules called peptides that transmit signals to promote nerve regeneration.

The therapy was injected as a gel into tissue surrounding the spinal cords of lab mice 24 hours after an incision was made in their spines.

The team decided to wait a day because humans who receive devastating spinal injuries from car accidents, gunshots and so on also experience delays in getting treatment.

Four weeks later, mice who received the treatment regained their ability to walk almost as well as before the injury. Those left untreated did not.

So what’s the upshot for you? The upside is that the nervous system is highly similar across mammal species, so testing will move on to human trials quickly. The downside is that this area of research is littered with false starts… and really doesn’t have anything to do with IT Privacy and Security.

EG :egypt: Hundreds stung by scorpions after deadly floods

Egypt is home to fat-tailed scorpions that are among the most deadly in the world. Venom from a black fat-tail can kill humans in under an hour.

Symptoms related to widespread venom effects can include difficulty breathing, muscle twitching, and unusual head movements.

Anti-venom is used as a preventative measure before symptoms arise, but can also work once symptoms start to worsen.

Update 16 November 2021: Egypt’s health ministry said no one was killed by scorpion stings, as had originally been reported."

So what’s the upshot for you? People were urged to stay at home and avoid places with many trees…i.e. Keep working in front of that computer!

US: America is hiring a record number of robots

"Factories and other industrial users ordered 29,000 robots, 37% more than during the same period last year, valued at $1.48 billion, according to data compiled by the industry group the Association for Advancing Automation.

The rush to add robots is part of a larger upswing in investment as companies seek to keep up with strong demand, which in some cases has contributed to shortages of key goods. At the same time, many firms have struggled to lure back workers displaced by the pandemic and view robots as an alternative to adding human muscle to their assembly lines.

In 2020, combined Robot sales to other types of businesses surpassed the auto sector for the first time - and that trend continued this year. In the first nine months of the year, auto-related orders for robots grew 20% to 12,544 units, while orders by non-automotive companies expanded 53% to 16,355.

“It’s not that automotive is slowing down - auto is up…” But other sectors - from metals to food manufacturers - are growing even faster.

Athena Manufacturing, which does metal fabrication for other manufacturers in Austin, Texas, now has seven robots, including four installed this year. It bought its first machine in 2016. Robots have helped Athena respond to a surge in demand, including a 50% jump in orders for parts used by semiconductor equipment manufacturers.
The machines also allowed Athena to move to an around-the-clock operation for the first time last year, he said. The company employs 250 but would have struggled to find workers to fill unpopular overnight shifts."

So what’s the upshot for you? Cue the Jetson’s soundtrack. listen_tiny

Well, that’s it for George and his boy Elroy, but us? We’ll be back with more tantalizing stories of IT Privacy, Security, and maybe even more scorpion stings!

Until then, be kind, stay safe, stay secure and see you in se7en!