At a glance.
- Vulnerable airliner Wi-Fi.
- Ransomware gang threatens to leak medical records.
- Update on the LAUSD incident.
- Topical phishbait for credential harvesting.
- More on the U-Haul breach.
Vulnerable airliner Wi-Fi.
SecurityWeek reports that two potentially serious vulnerabilities have been identified in wireless LAN devices commonly used to provide Wi-Fi on airplanes. Necrum Security Labs researchers Thomas Knudsen and Samy Younsi found that the vulnerabilities affect the Flexlan FX3000 and FX2000 series made by Contec. “One of the security holes, CVE-2022-36158, is related to a hidden webpage that can be used to execute Linux commands on the device with root privileges. The device’s web-based management interface does not provide a link to this hidden page,” SecurityWeek says. “The second vulnerability, CVE-2022-36159, is related to a backdoor account and the use of a weak hardcoded password. The researchers found a root user account with a default hardcoded password that is likely designed for maintenance purposes. The password is stored as a hash, but it was quickly cracked by the experts. An attacker can use this account to gain control of the device.”
Paul Bischoff, privacy advocate with Comparitech, explains the risk of a man-in-the-middle attack under these circumstances:
“This vulnerability allows a hacker to set up a man in the middle attack that can snoop on and modify users' internet connections. Anyone using a plane's compromised wi-fi could have their online activity spied on and potentially manipulated. The attacker could, for example, see what websites you visit and redirect you to malicious pages. Given that plane wi-fi is often used by government officials and businesspeople to get sensitive work done on the go, these Contec devices are attractive targets. A good VPN can protect users from the most serious threats posed by these vulnerabilities by encrypting data before it leaves your device and using private DNS servers.”
Chris Hauk, consumer privacy champion at Pixel Privacy, points out some device-specific issues. “Manufacturers of devices like the Flexlan FX3000 and FX2000 series wireless LAN devices made by Contec need to work to provide reliable security for their device from the time they are first designed. This is especially true of devices such as the FX3000 and FX2000, where the end user has no control over the device, making them unable to replace the device's default password with a more secure password or to run updates to fix security holes like this.”
Ransomware gang threatens to leak medical records.
Healthcare systems have been the target of recent ransomware attacks, The Register reports. The Daixin Team ransomware gang has claimed responsibility for a September 1st attack against OakBend Medical Center in Texas that shut down the center's communications and IT systems and also allowed the gang to exfiltrate data. The criminals claim to have stolen more than a million records that include “names, dates of birth, Social Security numbers, and patient treatment information.” It is unclear whether “one million” refers to the number of patients or the number of records. Daixin Team, which claims to have already leaked employees’ personal information, has threatened a full release of the data. The center reports that its phone systems are up and running again (without voicemail) and that its email systems are functional.
Update on the LAUSD incident.
Fox 11 reports that Tuesday the Los Angeles Unified School District Board of Education approved an emergency declaration following a recent cyberattack. The declaration will allow the superintendent, Alberto Carvalho, to sign contracts to “‘ensure the continuation of public education, and the safety and security of its data, networks and servers’ without advertising or inviting bids for any dollar amount necessary, for a period of one year.”
Topical phishbait for credential harvesting.
As is usually the case with any high-profile event that touches many people, the funeral of Queen Elizabeth II has been exploited by criminals who are using it as phishbait. In a Twitter thread, Proofpoint describes a credential phishing campaign in which messages that misrepresent themselves as coming from Microsoft invite recipients to visit an "artificial technology hub" established in Her Majesty's honor. The URL redirects to a credential-harvesting site. The threat actors are using the EvilProxy phishing kit, a reverse-proxy (adversary-in-the-middle) kit that relays the victim's login to the real service in real time and can capture the resulting session cookie, which means that MFA which is not phishing-resistant does not stop it.
Sherrod DeGrippo, VP of threat research and detection at Proofpoint, commented: “Just as we first saw threat actors leverage COVID-19 themes in early 2020, they are now turning to the biggest current event to create enticing social engineering lures. The Queen’s passing and accompanying events are front page news around the world, making them perfect social engineering topics for threat actors. Social engineering requires the manipulation of an end target’s emotional state. In this case, the attacker is attempting to elicit a sense of grief, concern, or sadness by providing a place to share memories and comments in honor of the Queen. We expect to see threat actors continue to use themes related to the Queen and the monarchy for some time as the events and mourning period continue.”
More on the U-Haul breach.
We received some additional comment on the U-Haul breach. Ev Kontsevoy, CEO & Co-Founder, Teleport, sees the breach as further evidence of the inherent problems with using passwords to establish a user's bona fides:
“Following U-Haul’s data breach, we are once again reminded passwords are everywhere, compiling the basic infrastructure of IP security. But issues arise when even the strongest, most unique passwords are leaked, intercepted or stolen – and U-Haul isn’t the first time we’re seeing this; take last year’s GoDaddy breach for example.
"As complexity increases, so does the probability of human error, meaning there is no other way to say it: passwords in our infrastructure have to go. But beware — not everything that replaces a password is a better choice. Only relatively simple, purpose-built security devices that use public/private key crypto, and that verify presence and identity through biometrics, are a good-enough replacement for passwords today.
"From headline-catching compromises to everyday annoyances, passwords are long past the end of their usefulness. They are simply too difficult to keep track of and keep secure. As an industry, we need to build responsible systems that protect user data and prevent the critical infrastructure we maintain from being used to expose or compromise such data. Removing passwords from our infrastructure is one step towards this.”