Welcome to the news roundup for 28 June 2019. As the world prepares for another mass worm invasion in the form of BlueKeep, we see more zero days, breaches of privacy and epic fails.
A New Phishing Scam States ‘Encrypted Message Received’ To Trick The Victim:
Phishing scams are among the most varied and dynamic cyber attacks, and they show how creative scammers can be. Since most phishing scams are seemingly easy to detect, the perpetrators utilise ever-changing tactics to trick users. Once again, a new phishing scam has surfaced online that lures users by generating an ‘encrypted message received’ alert.
EA Games Login Flaw Exposed Accounts of 300 Million Gamers:
Researchers have discovered a chain of flaws in EA Games' login process that could allow an attacker to take over one or many EA Games accounts, of which there are 300 million around the globe. Stolen gaming credentials are valuable and frequently sold on the internet but, more importantly, around 1 in 10 gamer IDs are the same as a user's work network password.
Firefox Zero Day:
Several zero-day vulnerabilities were found in Mozilla's Firefox this month, and were publicly disclosed with CVEs this week. Updating to the current version of the browser will keep your machine from being exploited, but the chances of being hit are minimal unless you work at a cryptocurrency organization, as those were the main targets.
Amazon filed a patent for drones that offer surveillance as a service. Their patent was granted this month. This should have anyone who is concerned with privacy pretty concerned, even though Amazon claim the technology will only be used for folks that opt-in.
Linux vulnerabilities are rarely exploited but are still important to patch. If you run any of the affected distros or servers, make sure to patch.
WiFi Extenders Vulnerable:
Attacking WiFi extenders is one of my favorite ways of breaking into networks during penetration tests. They are almost never patched. Quick hit! TP-Link has been proven to have vulnerable WiFi range extenders, which can be taken over by an attacker. Update the firmware to stay protected.
Patch Those Dells:
Dell are one of the most common hardware providers I come across in Europe on engagements. And with SupportAssist being prepackaged on many Dell PCs and OEM devices, owning an enterprise has gotten even easier. SupportAssist has a DLL hijacking vulnerability which can, under certain circumstances, allow an attacker, or a pentester, to take control of the system.
Samsung just told people to manually scan for viruses on their smart TVs? Yes, it is true. Samsung uses a built-in virus scanner called McAfee Security for TV.
MongoDB Medical Prescription database left open:
Data on over 390,000 Vascepa prescriptions and 78,000 patients was left publicly accessible over the internet. It seems like everyone leaves databases open without any kind of protection, whether they're MongoDB or Amazon AWS. The leaked data included full names and addresses, phone numbers, email addresses, and prescription information.
Leaks of Military Vet Medical Data:
X Social Media is an ad agency out of Florida that does legal advertising on Instagram and Facebook for medical malpractice lawsuits, lawyers, and class-action injury-related lawsuits. This was yet another story of an exposed database, this one containing responses from target customers of ads, such as people in medical malpractice cases or even US military veterans with combat injuries.
Cellebrite can unlock any iPhone:
According to Cellebrite, any iPhone from iOS 7 up to iOS 12.3 can be unlocked with their software. Yikes!
Tor browser issues:
Quick Hit! Tor Browser updated to 8.5.2 to fix a critical security flaw that could allow full system takeovers. This is related to the Firefox vulnerability talked about in the show this week.
IoT devices flawed:
I talked about 2 million IoT devices being vulnerable to botnets or other attacks way back in April. Manufacturers still haven't patched their firmware for the devices (including baby monitors, security cameras and more), so the researcher who disclosed the flaw is sounding the alarm.
BlueKeep is dangerous:
Yes, BlueKeep is dangerous. Yes, you should patch because the DHS says so.