Homeland Security issues rare emergency alert over ‘critical’ Windows bug

Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

It’s the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.

Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers use the code to launch attacks. CISA said that Friday that it “assumes active exploitation of this vulnerability is occurring in the wild.”

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.

How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether it was their fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.

WhatsApp reveals six previously undisclosed vulnerabilities on new security site

Facebook-owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).

WhatsApp said five of the six vulnerabilities were fixed in the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.

Around one-third of the new vulnerabilities were reported through the company’s Bug Bounty Program, while the others were discovered in routine code reviews and by using automated systems, as would be expected.

WhatsApp is one of the world’s most popular apps, with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform.

The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities targeting the messaging app, and in response to user feedback. The company says the WhatsApp community has been asking for a centralized location for tracking security vulnerabilities, as WhatsApp isn’t always able to detail its security advisories in an app’s release notes due to app store policies.

The new dashboard will update monthly, or sooner if it has to warn users of an active attack. It will also offer an archive of past CVEs dating back to 2018. While the website’s main focus will be on CVEs in WhatsApp’s code, if the company files a CVE with the public database MITRE for a vulnerability it found in third-party code, it will denote that on the WhatsApp Security Advisory page, as well.

Last year, WhatsApp went public after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group. WhatsApp sued the spyware maker, alleging the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices — including more than 100 human rights defenders and journalists.

NSO denied the allegations.

John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigating NSO Group, welcomed the news.

“This is good, and we know that bad actors make use of extensive resources to acquire and weaponize vulnerabilities,” he told TechCrunch. “WhatsApp sending the signal that it’s going to move regularly to identify and patch in this way seems like yet another way to raise the cost for bad actors.”

In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

Facebook also said Thursday that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.

Security bugs let these car hackers remotely control a Mercedes-Benz

Few could ever forget back in 2015 when security researchers Charlie Miller and Chris Valasek remotely killed a Jeep’s engine on a highway with a Wired reporter at the wheel.

Since then, the car hacking world has bustled with security researchers looking to find new bugs — and ways to exploit them — in a new wave of internet-connected cars that have only existed the past decade.

This year’s Black Hat security conference — albeit virtual, thanks to the coronavirus pandemic — is no different.

Security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.

Most modern cars are equipped with an internet connection, giving passengers access to in-car entertainment, navigation and directions, and more radio stations than you can choose from. But hooking up a car to the internet puts it at greater risk of remote attacks — precisely how Miller and Valasek hijacked that Jeep, which ended up in a ditch.

Although vehicle security has gotten better over the past half-decade, Sky-Go’s researchers showed that not even one of the most recent Mercedes-Benz models are impervious to attacks.

In a talk this week, Minrui Yan, head of Sky-Go’s security research team, said the 19 security vulnerabilities were now fixed, but could have affected as many as two million Mercedes-Benz connected cars in China.

Katharina Becker, a spokesperson for Mercedes’ parent company Daimler, pointed to a company statement published late last year after it patched the security issues. The spokesperson said Daimler could not corroborate the estimated number of affected vehicles.

“We addressed all findings and fixed all vulnerabilities that could be exploited before any vehicle in the market was affected,” said the spokesperson.

After more than a year of research, the end result was a series of vulnerabilities that formed an attack chain that could remotely control the vehicle.

To start, the researchers built a testbench to reverse-engineer the car’s components to look for vulnerabilities, dumping the car’s software and analyzing the car’s internals for vulnerabilities.

The researchers then obtained a Series-E car to verify their findings.

At the heart of the research is the E-Series’ telematics control unit, or TCU, which Yan said is the “most crucial” component of the car, as it allows the vehicle to communicate with the internet.

By tampering with the TCU’s file system, the researchers got access to a root shell — a way to run commands with the highest level of access to the vehicle’s internals. With root shell access, the researchers could remotely open the car’s doors.

The TCU file system also stores the car’s secrets, like passwords and certificates, which protect the vehicle from being accessed or modified without proper authorization. But the researchers were able to extract the passwords of several certificates for several different regions, including Europe and China. By obtaining the vehicle’s certificates and their passwords, the researchers could gain deep access to the vehicle’s internal network. The car’s certificate for the China region had a weak password, Yan said, making it easier to hijack a vulnerable car in the country.

Yan said the goal was to get access to the car’s back end, the core of the vehicle’s internal network. As long as the car’s back-end services can be accessed externally, the car is at risk of attacks, the researchers said.

The way the researchers did this was by tearing down the vehicle’s embedded SIM card, which allows the car to talk to the cell networks. A security feature meant the researchers couldn’t plug the SIM into a router without freezing access to the cell network. The researchers modified their router to spoof the vehicle, effectively making the cell network think it was the car.

With the vehicle’s firmware dumped, the networking protocols understood and its certificates obtained and cracked, the researchers say they could remotely control an affected vehicle.

The researchers said the car’s security design was tough and able to withstand a number of attacks, but it was not impervious.

“Making every back-end component secure all the time is hard,” the researchers said. “No company can make this perfect.”

But at least in the case of Mercedes-Benz, its cars are a lot more secure than they were a year ago.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: [email protected]

Hackers say ‘jackpotting’ flaws tricked popular ATMs into spitting out cash

In 2010, the late Barnaby Jack, a world-renowned security researcher, hacked an ATM live onstage at the Black Hat conference by tricking the cash dispenser into spitting out a stream of dollar bills. The technique was appropriately named “jackpotting.”

A decade on from Jack’s blockbuster demo, security researchers are presenting two new vulnerabilities in Nautilus ATMs, albeit virtually, thanks to the coronavirus pandemic.

Security researchers Brenda So and Trey Keown at New York-based security firm Red Balloon say their pair of vulnerabilities allowed them to trick a popular standalone retail ATM, commonly found in stores rather than at banks, into dispensing cash at their command.

A hacker would need to be on the same network as the ATM, making it more difficult to launch a successful jackpotting attack. But their findings highlight that ATMs often have vulnerabilities that lie dormant for years — in some cases since they were first built.

Barnaby Jack, the late security researcher credited with the first ATM “jackpotting” attacks. Now, 10 years later, two security researchers have found two new ATM cash-spitting attacks. Credit: YouTube

So and Keown said their new vulnerabilities target the Nautilus ATM’s underlying software, a decade-old version of Windows that is no longer supported by Microsoft. To begin with, the pair bought an ATM to examine. But with little documentation, the duo had to reverse-engineer the software inside to understand how it worked.

The first vulnerability was found in a software layer known as XFS — or Extensions for Financial Services — which the ATM uses to talk to its various hardware components, such as the card reader and the cash dispensing unit. The bug wasn’t in XFS itself, rather in how the ATM manufacturer implemented the software layer into its ATMs. The researchers found that sending a specially crafted malicious request over the network could effectively trigger the ATM’s cash dispenser and dump the cash inside, Keown told TechCrunch.

The second vulnerability was found in the ATM’s remote management software, an in-built tool that lets owners manage their fleet of ATMs by updating the software and checking how much cash is left. Triggering the bug would grant a hacker access to a vulnerable ATM’s settings.

So told TechCrunch it was possible to switch the ATM’s payment processor with a malicious, hacker-controlled server to siphon off banking data. “By pointing an ATM to a malicious server, we can extract credit card numbers,” she said.

Bloomberg first reported the vulnerabilities last year when the researchers privately reported their findings to Nautilus. About 80,000 Nautilus ATMs in the U.S. were vulnerable prior to the fix, Bloomberg reported. We contacted Nautilus with questions but did not hear back.

Successful jackpotting attacks are rare but not unheard of. In recent years, hackers have used a number of techniques. In 2017, an active jackpotting group was discovered operating across Europe, netting millions of euros in cash.

More recently, hackers have stolen proprietary software from ATM manufacturers to build their own jackpotting tools.


Send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: [email protected]

Homeland Security warns over ‘wormable’ Windows 10 bug

Homeland Security’s cybersecurity advisory unit is warning Windows 10 users to make sure that their systems are fully patched, after exploit code for a “wormable” bug was published online last week.

The code takes advantage of a security vulnerability patched by Microsoft back in March. The bug caused confusion and concern after details of the “critical”-rated bug were initially published but quickly pulled offline.

The exploit code, known as SMBGhost, exploits a bug in the server message block — or SMB — component that lets Windows talk with other devices, like printers and file servers. Once exploited, the bug gives the attacker unfettered access to a Windows computer to run malicious code, like malware or ransomware, remotely from the internet.

Worse, because the code is “wormable” it can spread across networks, similar to how the NotPetya and WannaCry ransomware attacks spread across the world, causing billions of dollars in damage.

Even though Microsoft published a patch months ago, tens of thousands of internet-facing computers are still vulnerable, prompting the advisory.

In the advisory, Homeland Security’s Cybersecurity and Infrastructure Security Agency said hackers are “targeting unpatched systems” using the new code and advise users to install updates immediately.

The researcher who published the code, a GitHub user who goes by the handle Chompie1337, said by their own admittance that their proof-of-concept code was “written quickly and needs some work to be more reliable,” but warned that the code, if used maliciously, could cause considerable damage.

“Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die,” said the researcher.

If you haven’t updated Windows recently, now would be a good time.

Ex-NSA hacker drops new zero-day doom for Zoom

Zoom’s troubled year just got worse.

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principle security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

Wardle’s first bug piggybacks off a previous finding. Zoom uses a “shady” technique — one that’s also used by Mac malware — to install the Mac app without user interaction. Wardle found that a local attacker with low-level user privileges can inject the Zoom installer with malicious code to obtain the highest level of user privileges, known as “root.”

Those root-level user privileges mean the attacker can access the underlying macOS operating system, which are typically off-limits to most users, making it easier to run malware or spyware without the user noticing.

The second bug exploits a flaw in how Zoom handles the webcam and microphone on Macs. Zoom, like any app that needs the webcam and microphone, first requires consent from the user. But Wardle said an attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once Wardle tricked Zoom into loading his malicious code, the code will “automatically inherit” any or all of Zoom’s access rights, he said — and that includes Zoom’s access to the webcam and microphone.

“No additional prompts will be displayed, and the injected code was able to arbitrarily record audio and video,” wrote Wardle.

Because Wardle dropped detail of the vulnerabilities on his blog, Zoom has not yet provided a fix. Zoom also did not respond to TechCrunch’s request for comment.

In the meanwhile, Wardle said, “if you care about your security and privacy, perhaps stop using Zoom.”

Microsoft and NSA say a security bug affects millions of Windows 10 computers

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

CERT-CC, the the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.

Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”

Independent security journalist Brian Krebs first reported details of the bug.

The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.

Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.

“It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”

Neuberger confirmed Microsoft’s findings that NSA had not seen attackers actively exploiting the bug.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was “encouraging” that the flaw was turned over “rather than weaponized.”

“This one is a bug that would likely be easier for governments to use than the common hacker,” he said. “This would have been an ideal exploit to couple with man in the middle network access.”

Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.

The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government’s cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.

CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.

Williams said this now-patched flaw is like “a skeleton key for bypassing any number of endpoint security controls,” he told TechCrunch.

Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. By pushing the tool to the company’s own servers, “hundreds of thousands” of Asus customers were compromised as a result.

When certificates are lost or stolen, they can be used to impersonate the app maker, allowing them to sign malicious software and make it look like it came from the original developer.

Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a “critical issue.”

“Everyone should patch. Do not wait,” he said.

Mozilla says a new Firefox security bug is under active attack

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in “targeted attacks” against users.

The vulnerability, found by Chinese security company Qihoo 360, was found in Firefox’s just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer.

In practical terms, that means an attacker can quietly break into a victim’s computer by tricking the victim into accessing a website running malicious JavaScript code.

But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.

Browser vulnerabilities are a hot commodity in security circles as they can be used to infect vulnerable computers — often silently and without the user noticing — and be used to deliver malware or ransomware. Browsers are also a target for nation states and governments and their use of surveillance tools, known as network investigative techniques — or NITs. These vulnerability-exploiting tools have been used by federal agents to spy on and catch criminals. But these tools have drawn ire from the security community because the feds’ failure to disclose the bugs to the software makers could result in bad actors exploiting the same vulnerabilities for malicious purposes.

Mozilla issued the security advisory for Firefox 72, which had only been out for two days before the vulnerability was found.

Homeland Security’s cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, also issued a security warning, advising users to update to Firefox 72.0.1, which fixes the vulnerability. Little information was given about the bug, only that it could be used to “take control of an affected system.”

Firefox users can update their browser from the settings.

A ton of Ruckus Wireless routers are vulnerable to hackers

A security researcher has found several vulnerabilities in a number of Ruckus Wireless routers, which the networking giant has since patched.

Gal Zror told TechCrunch that the vulnerabilities he found lie inside in the web user interface software that runs on the company’s Unleashed line of routers.

The flaws can be exploited without needing a router’s password, and can be used to take complete control of affected routers from over the internet.

Routers act as a gateway between a home or office network and the wider internet. Routers are also a major line of defense against unauthorized access to that network. But routers can be a single point of failure. If attackers find and take advantage of vulnerabilities in the router’s software, they can control the device and gain access to the wider internal network, exposing computers and other devices to hacks and data theft.

Zror said his three vulnerabilities can be used to to gain “root” privileges on the router — the highest level of access — allowing the attacker unfettered access to the device and the network.

Although the three vulnerabilities vary by difficulty to exploit, the easiest of the vulnerabilities uses just a single line of code, Zror said.

With complete control of a router, an attacker can see all of the network’s unencrypted internet traffic. An attacker can also silently re-route traffic from users on the network to malicious pages that are designed to steal usernames and passwords.

Zror said that because many of the router are accessible from the internet, they make “very good candidates for botnets” That’s when an attacker forcibly enlists a vulnerable router — or any other internet-connected device — into its own distributed network, controlled by a malicious actor, which can be collectively told to pummel websites and other networks with massive amounts of junk traffic, knocking them offline.

There are “thousands” of vulnerable Ruckus routers on the internet, said Zror. He revealed his findings at the annual Chaos Communication Congress conference in Germany.

Ruckus told TechCrunch it fixed the vulnerabilities in the 200.7.10.202.92 software update, but said that customers have to update their vulnerable devices themselves.

“By design our devices do not fetch and install software automatically to ensure our customers can manage their networks appropriately,” said Ruckus spokesperson Aharon Etengoff. “We are strongly advising our customers and partners to deploy the latest firmware releases as soon as possible to mitigate these vulnerabilities,” he said.

Ruckus confirmed its SmartZone-enabled devices and Ruckus Cloud access points are not vulnerable.

“It’s very important for the customers to know that if they’re running an old version [of the software], they might be super vulnerable to this very simple attack,” said Zror.