Security news weekly round-up - 2nd July 2021

6 weeks? Yeah! Let the streak continue!

Introduction

Hello, and welcome to this week's security review. I am your host Habdul Hazeez.

In this week's review, we'll look at some really scary news, like seriously scary, from printers going AWOL to Artificial Intelligence systems being fooled into identifying someone else as Elon Musk and an ATM being hacked by... wait for it... waving a phone 🤤.

I told you it was scary 😨.

Let's begin.

NFC is short for Near Field Communications, and like all tech developed by man, it can be manipulated and abused.

In this scenario, security researchers used it to hack an Automated Teller Machine, popularly known as an ATM.

Excerpt:

One researcher has found a collection of bugs that allow him to hack ATMs—along with a wide variety of point-of-sale terminals—in a new way: with a wave of his phone over a contactless credit card reader.

The researcher built an Android app that made the following possible:

With a wave of his phone, he can exploit a variety of bugs to crash point-of-sale devices, hack them to collect and transmit credit card data, invisibly change the value of transactions, and even lock the devices while displaying a ransomware message. 

Not so innocent 😓.

The excerpt says it all:

Now a well-intentioned mechanism to easily update the firmware of Dell computers is itself vulnerable as the result of four rudimentary bugs. And these vulnerabilities could be exploited to gain full access to target devices.

"These vulnerabilities are on easy mode to exploit. It's essentially like traveling back in time—it's almost like the '90s again," says Jesse Michael, principal analyst at Eclypsium. "The industry has achieved all this maturity of security features in the application and operating system-level code, but they're not following best practices in new firmware security features."

Bugs, bugs, Oh No! Bugs!

Excerpt from the article:

Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that's triggered when automatically translating web pages using the browser's built-in feature via Microsoft Translator.

You just read that correctly.

Excerpt from the article:

Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.

The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps.

The VPN in question is DoubleVPN.

Excerpt from the article:

Servers were seized across the world where DoubleVPN had hosted content, and the web domains were replaced with a law enforcement splash page. This coordinated takedown was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Printers? 👀

Excerpt from the article:

A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.

An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.

Here we have it: I saved the scariest story for last.

Quick summary: It's an attack developed by Adversa.ai that fooled PimEyes, a database of over 900 million images, into believing that Alex Polyakov (CEO and co-founder of Adversa.ai) is Elon Musk.

The reality is, it could have been anyone else.

Now, think about this scenario: a global hunt for an alleged criminal who uses this attack method to divert the authorities to another person in another country.

Yeah, let that sink in for a while.

Where is the excerpt? An excerpt won't do justice to what is contained in the article. I implore you to read the whole article, but if you don't have the time, the quick summary above is enough to send shivers down your spine.

Credits

Cover photo by Debby Hudson on Unsplash.

That's it for this week. I'll see you next Friday.