Posts

Showing posts from September, 2024

Hacking Kia: Remotely Hijacking a Car Using Only Its License Plate

Image source: Maya Posch

In a world where our cars are increasingly connected, the convenience of modern technology can come with unexpected risks. Recently, security researchers disclosed a critical vulnerability in Kia's connected-car backend that allowed an attacker to remotely take control of a vehicle's connected features using only its license plate number. The discovery has raised significant concerns about automotive cybersecurity and the safety of connected vehicles.

The Vulnerability Explained. The flaw was in Kia's dealer portal, the system dealerships use to manage and activate connected-car features. By abusing that portal, attackers could gain unauthorized access to a vehicle's remote controls. The attack was alarmingly simple: all the attacker needed was the car's license plate number. Once they had the license plate number, the attackers could manipulate the dealer portal to switch the email ass...

Critical TeamViewer Vulnerability: What You Need to Know

Introduction. In the ever-evolving landscape of cybersecurity, staying informed about potential threats is crucial. Recently, two significant vulnerabilities were disclosed in TeamViewer's Remote client software for Windows, posing a serious risk to users. This post covers the details of the flaw, its implications, and how you can protect yourself.

Understanding the Vulnerability. The vulnerabilities, tracked as CVE-2024-7479 and CVE-2024-7481, affect the TeamViewer_service.exe component. The flaw stems from improper verification of cryptographic signatures, allowing an attacker with local, unprivileged access to escalate their privileges on the affected system. Both carry a CVSS 3.1 base score of 8.8, which places them in the High severity band (just below Critical), and because the exploit needs only a local low-privileged account they should be patched promptly.

Affected Versions. The vulnerability impacts several versions of TeamViewer, including: TeamViewer Remote Full Client (Windows) versions earlier than 15.58.4; Older major versi...

Critical FreeBSD Hypervisor Vulnerability (CVE-2024-41721)

A high-severity vulnerability in bhyve, the FreeBSD hypervisor, allows malicious software running inside a guest virtual machine (VM) to potentially execute arbitrary code on the host. The vulnerability, tracked as CVE-2024-41721, affects all supported versions of FreeBSD and has been patched by the FreeBSD Project.

bhyve is the hypervisor that runs guest operating systems inside virtual machines. The bug is insufficient boundary validation in the USB device emulation code, which can lead to a heap out-of-bounds read and, from there, potentially an arbitrary write and code execution. Despite the "remote code execution" wording, the attacker is not a network peer: they must already run privileged code inside the guest, and the impact is a guest-to-host escape. Malicious, privileged software in a guest VM can exploit this to crash the hypervisor process or potentially achieve code execution on the host in the bhyve userspace process, which typically runs as root. However, bhyve runs in a Capsicum sandbox, which const...

Understanding CVE-2024-40711: A Critical RCE Vulnerability in Veeam Backup & Replication

In the ever-evolving landscape of cybersecurity, staying informed about the latest vulnerabilities is crucial. One critical vulnerability that has recently come to light is CVE-2024-40711. This post covers the details of the flaw, its impact, and the steps you can take to protect your systems.

What is CVE-2024-40711? CVE-2024-40711 is a critical Remote Code Execution (RCE) vulnerability in Veeam Backup & Replication (VBR). The flaw, caused by deserialization of untrusted data, allows an attacker to execute arbitrary code on a vulnerable system without authenticating. It affects VBR version 12.1.2.172 and earlier and carries a CVSS 3.1 base score of 9.8 (Critical). Backup servers are a high-value target because they hold credentials for, and copies of, much of the environment, which is why a pre-auth RCE here matters more than the score alone suggests.

The Impact of CVE-2024-40711. The potential impact of this vulnerability is significant. Exploiting CVE-2024-40711 can allow attackers to: Execute Arbi...

CVE-2024-8190: An OS Command Injection Vulnerability in Ivanti CSA: What You Need to Know

Overview: CVE-2024-8190 is an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) version 4.6 before Patch 519, and earlier versions. The flaw allows a remote, authenticated attacker with admin-level privileges to execute arbitrary code on the affected appliance.

Attack Scenario: The attacker must first log in to the CSA admin console. That prerequisite may look like a hurdle, but in practice it is often not insurmountable. Dual-homed CSA deployments with eth0 as the internal network interface, which is the configuration Ivanti recommends, are at significantly reduced risk because the admin console is not reachable from the internet. Not everyone follows that guidance, however. Operators who misconfigure the interfaces or use weak passwords are at risk: if an admin swaps the two interfaces or configures only one, the CSA console can end up exposed to the internet. The default credentials (username: admin, password: admin) are supposed to be changed at first login. However, weak passwords and the lack of rate limiting for login at...

Beware of the Windows MSHTML Spoofing Vulnerability: A Stealthy Threat

Introduction. In the ever-evolving landscape of cybersecurity, threat actors are constantly finding new ways to exploit vulnerabilities. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about a Windows flaw that let attackers hide malicious files behind innocent-looking names. Let's dive into the details.

The Windows MSHTML Spoofing Vulnerability (CVE-2024-43461). What Is It? The vulnerability, tracked as CVE-2024-43461, was dubbed the "Windows MSHTML spoofing vulnerability." It allowed threat actors to disguise a file's real extension, so that an executable file appeared to be a harmless document.

How Was It Exploited? The hacking group Void Banshee leveraged this flaw to deploy an infostealer called Atlantida. Here is their approach: They created a malicious HTML Application (.HTA) file. Unlike a regular web page, an .HTA file is executed by mshta.exe outside the browser's security sandbox, with the full privileges of the logged-in user, much like a desktop application. They added encoded braille whitespace characters to the file's...
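How the braille-padding trick can be detected, as an added example that is not part of the original post or of the Void Banshee tooling: the script below compares the extension a user would see in a truncated prompt with the extension Windows actually dispatches on. The sample filenames are constructed for this example, and the sets of invisible padding characters and "executable" extensions are assumptions for the example rather than values taken from the advisory.

```python
import os

# Characters that render as blank but are not ordinary spaces. Display code
# that only trims ASCII whitespace keeps them, so a long run pushes the real
# extension out of the visible part of a file-open dialog or security prompt.
INVISIBLE_PADDING = frozenset({
    "\u2800",  # BRAILLE PATTERN BLANK, the character abused in the Void Banshee lures
    "\u200b",  # ZERO WIDTH SPACE
    "\u00a0",  # NO-BREAK SPACE
    "\u3000",  # IDEOGRAPHIC SPACE
})

# Extensions the Windows shell executes rather than opens as a document
# (assumed list for this example; extend it to match your own policy).
EXECUTABLE_EXTENSIONS = frozenset({
    ".hta", ".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".lnk", ".msi",
})


def analyze_filename(name: str) -> dict:
    """Compare the extension a user sees with the one Windows will act on."""
    # The visible part is everything before the first invisible padding character.
    cut = next((i for i, ch in enumerate(name) if ch in INVISIBLE_PADDING), len(name))
    visible = name[:cut]
    padding_count = sum(1 for ch in name if ch in INVISIBLE_PADDING)

    # Windows dispatches on the final extension of the full name, padding and all.
    apparent_ext = os.path.splitext(visible)[1].lower()
    real_ext = os.path.splitext(name)[1].lower()

    suspicious = (
        padding_count > 0
        and real_ext in EXECUTABLE_EXTENSIONS
        and apparent_ext != real_ext
    )
    return {
        "visible_name": visible,
        "apparent_ext": apparent_ext,
        "real_ext": real_ext,
        "padding_count": padding_count,
        "suspicious": suspicious,
    }


def find_spoofed(names) -> list:
    """Return the subset of names whose shown extension hides an executable one."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed sample names, modelled on the lure pattern described above:
    # "<document>.pdf" + a run of U+2800 + ".hta".
    samples = [
        "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
        "quarterly_report.pdf",
        "setup.exe",
    ]
    for n in samples:
        r = analyze_filename(n)
        print(f"{r['visible_name']!r}: shows {r['apparent_ext'] or '(none)'}, "
              f"really {r['real_ext']}, padding={r['padding_count']}, "
              f"suspicious={r['suspicious']}")
```

The check keys on the final extension because that is what the shell uses to pick a handler; a name padded the other way round (".hta" visible, ".pdf" real) opens as a PDF and is harmless. Plain double-extension lures such as report.pdf.hta contain no padding and are not caught by this check, so a mail or download gateway should pair it with a separate rule on multiple extensions.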

StealC: The Annoying Malware That Wants Your Google Passwords

Introduction. In the ever-evolving world of cybersecurity, there is a new player on the scene: StealC. This malware has a straightforward yet effective method for obtaining Google account credentials. Buckle up: we are about to explore how StealC operates and how you can protect yourself.

Image credit: NurPhoto via Getty Images

The StealC Approach. Browser Lockdown Attack: Imagine your Chrome browser suddenly acting like an overbearing parent, insisting that you hand over your Google account credentials. That is StealC's game. It locks the user into a Google sign-in screen and bombards them with pop-ups, notifications, and prompts until they are practically begging to enter their password just to make it stop. Annoying? Absolutely. Effective? Unfortunately, yes.

Credential Flushing Campaign: Researchers at OALABS (Open Analysis Lab) have been tracking StealC since at least August 22, 2024. During this time, the malware has been running what they call a "credential flushing campaign." In plain English, it flushes out those precious login cre...

Hadooken: New Linux Malware Exploiting Oracle WebLogic Servers

Introduction. In the ever-evolving landscape of cybersecurity threats, a new player has emerged: Hadooken. This Linux malware specifically targets Oracle WebLogic servers, which are widely used to run critical enterprise applications. Let's dive into the details.

What Is Hadooken? Attack Vector: Hadooken gains unauthorized access to WebLogic servers by exploiting weak passwords on exposed administration interfaces. Once inside, it remotely executes malicious code.

Attack flow (Source: Aqua Security)

Payload Components: a shell script named "c" and a Python script called "y".

Cryptominer and DDoS Botnet. Hadooken does not stop at infiltration. It includes a cryptominer that hijacks server resources for cryptocurrency mining, and the Tsunami malware, a DDoS botnet and backdoor that gives the attackers full control.

Persistence and Lateral Movement. Hadooken ensures persistence by creating cron jobs. It can also steal user credentials, allowing lateral movement within networks. But t...