
New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking


Schneider Electric has patched several new vulnerabilities that expose its EVlink electric vehicle charging stations to remote hacker attacks.

Schneider announced the availability of patches on December 14, when it urged customers to immediately apply patches or mitigations. The flaws have been found to impact EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2 and EVP2PE) and Smart Wallbox (EVB1A) devices, as well as some products that have reached end of life.

The vendor has credited researcher Tony Nasr for finding a total of seven vulnerabilities in these charging stations, including one critical and five high-severity issues.

The security holes include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs that can be exploited to carry out actions on behalf of a legitimate user, and a weakness that can be leveraged to gain access to a charging station’s web interface via brute-force attacks. The most serious issue — based on its CVSS score of 9.3 — is a server-side request forgery (SSRF) vulnerability.

Schneider warned that failure to take action could lead to “tampering and compromise of the charging station’s settings and accounts.”

“Such tampering could lead to things like denial of service attacks, which could result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system and the modification and disclosure of the charging station’s configuration,” the industrial giant wrote in its advisory.

The company noted that exploitation of the vulnerabilities requires physical access to the system’s internal communication port, but admitted that attacks can also be launched from the local network and even the internet if the charging station is accessible from the web.

“The exploitation of Internet-connected charging stations does not require having access to the LAN, therefore making the attack vector very powerful and effective,” Nasr told SecurityWeek. “In this case, the adversary would perform Internet-wide scans to search for viable EVCS [electric vehicle charging stations] before attempting to exploit their vulnerabilities. However, it should be noted…

Source…

Ukrainian police expose international phone-hacking gang



Adam Bannister

26 November 2021 at 15:36 UTC

Updated: 26 November 2021 at 16:17 UTC

‘Phoenix’ group laid low following seizure of computing equipment and stolen devices


Ukrainian police say they have put an end to the activities of an international phone-hacking collective after seizing incriminating evidence in a series of raids.

Dubbed ‘Phoenix’, the cybercrime group stands accused of leveraging phishing schemes to hack into targets’ mobile devices, which then enabled them to harvest banking credentials and withdraw funds from victims’ financial accounts.

Ukrainian law enforcement seized computing equipment, hacking tools, and stolen mobile phones that were being prepared for resale after swooping on five addresses, including offices as well as ‘phone shops’ and suspects’ homes in Kyiv and Kharkiv.

Several press reports have stated that Phoenix’s five Ukrainian members, who all have a higher technical education, were arrested. However, a Ukrainian-language press release published by the Security Service of Ukraine (SSU) on Wednesday (November 24) did not explicitly mention arrests. We have approached the SSU in the hope of clarifying this point.

Ukrainian authorities confiscated computer equipment during a series of raids

Nefarious activities

Victims were fooled into divulging phone account login credentials to websites ostensibly operated by mobile device manufacturers such as Apple and Samsung.

The attackers were then able to remotely access their marks’ mobile devices and sell the personal data subsequently harvested to third parties.


They also sold unauthorized access to victims’ mobile phone accounts for an average fee of $200, said the SSU.

The cybercrooks targeted several hundred victims over a period spanning more than two years, the authorities added.

Previous cybercrime scalps

The seizures represent the latest in a string of recent cybercrime successes for Ukrainian police, sometimes with the support of overseas and international law enforcement…

Source…

‘OMIGOD’ Microsoft Azure vulnerabilities expose users to hacking


A range of recently revealed vulnerabilities in Microsoft Corp.’s Azure remain open to exploitation, as customers may be required to apply the patch manually.

Dramatically dubbed OMIGOD by researchers at Wiz Inc. in a notice Tuesday, the vulnerabilities relate to the Open Management Infrastructure (OMI) agent that’s deployed when Azure users set up a Linux virtual machine in the cloud and enable certain Azure services. Attackers can use the four vulnerabilities to obtain root privileges and execute malicious code, including ransomware with file encryption.

According to Sophos, one of the vulnerabilities is a bug that boils down to “a laughably easy trick” because it requires no password. Rather than guessing a valid authentication token to insert into a fraudulent OMI web request, simply omitting all mention of the authentication token delivers access.

The vulnerabilities affect users of Azure services, including Automation, Automatic Update, Operations Management Suite, Log Analytics, Configuration Management, Diagnostics and Container Insights.

In a typical case of vulnerabilities being revealed, particularly with cloud-based services, patches would be applied, but this is not a typical case. Microsoft offered a patch in August, but Azure services remain exposed.

The problem is that users may have to apply the patches themselves, even though the issue resides in Azure Linux installs. Complicating the matter further, many users may not be aware that they have OMI installed, since it’s installed when users add one of those Azure services.

The Wiz researchers conservatively estimate that thousands of Azure customers and millions of endpoints are affected. Further, they noted, it might not just be those using Azure who are affected, since OMI is also independently installed on other Linux machines and is often used on-premises.

“Management agents like OMI are part of the overall attack surface for a deployed system and as such need to be accounted for within the threat models associated with the application,” Tim Mackey, principal security strategist at electronic design automation firm Synopsys Inc.’s Cybersecurity Research Center, told SiliconANGLE.

“Put…

Source…

Mobile app developers potentially expose personal data of 100 million Android users


After examining 23 Android applications, Check Point Research (CPR) noticed that mobile app developers potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third-party cloud services.

The personal data included emails, chat messages, location, passwords and photos, which, in the hands of malicious actors, could lead to fraud, identity theft and service swipes.

CPR discovered publicly available sensitive data from real-time databases in 13 Android applications, with the number of downloads that each app has ranging from 10,000 to 10 million.

It also found push notification and cloud storage keys embedded in a number of the Android applications themselves.

Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, CPR says developers often overlook the security aspect of these services, their configuration, and their content.

CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications. The misconfigurations put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk, it says.

Misconfiguring Real-Time Databases

Real-time databases allow application developers to store data in the cloud, making sure it is synchronised in real time to every connected client. This service solves one of the most commonly encountered problems in application development, while making sure that the database is supported on all client platforms.

However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?

“This misconfiguration of real-time databases is not new, and continues to be widely common, affecting millions of users,” CPR says. 
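The misconfiguration the passage describes is a rules document that grants read and write access without any sign-in. As an added example, not taken from the article or from the Check Point report, the following script shows what such an open rules document looks like next to a locked-down one and runs a small static check over both. The article does not name the product; this assumes the Firebase Realtime Database rules format, in which `.read` and `.write` are either booleans or expression strings evaluated per request. Both rules documents are constructed samples, and the `findAnonymousGrants` check is a heuristic written for this illustration, not a vendor tool.

```javascript
// Added example (not from the article or Check Point): a static check that
// flags Realtime-Database-style security rules which grant anonymous access.
// Assumption: Firebase Realtime Database rules format, where ".read"/".write"
// are either booleans or expression strings evaluated per request.

// Constructed sample: the misconfiguration the article describes, i.e. a
// database that anyone who knows its URL can read and write without signing in.
const openRules = {
  rules: {
    ".read": true,
    ".write": true,
  },
};

// Constructed sample: every read/write requires a signed-in user, and each
// user may only touch the subtree keyed by their own uid.
const lockedRules = {
  rules: {
    users: {
      $uid: {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
      },
    },
  },
};

// Walk a rules tree and return the paths whose ".read" or ".write" is
// unconditionally true, or is an expression that never consults `auth`.
// Rules cascade downward in this format: a permissive rule at "/" opens
// every child path, so a single hit at the root is already a full exposure.
// This is a heuristic: a literal "false" is treated as restrictive, and any
// expression mentioning `auth` is assumed to require a signed-in user.
function findAnonymousGrants(rulesDoc) {
  const findings = [];
  function walk(node, path) {
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const anonymous =
          value === true ||
          (typeof value === "string" &&
            value.trim() !== "false" &&
            !value.includes("auth"));
        if (anonymous) {
          findings.push({ path: path || "/", op: key.slice(1), rule: value });
        }
      } else if (value && typeof value === "object") {
        walk(value, `${path}/${key}`);
      }
    }
  }
  walk(rulesDoc.rules, "");
  return findings;
}

// One-line verdict: does any path in the document allow anonymous access?
function isPubliclyExposed(rulesDoc) {
  return findAnonymousGrants(rulesDoc).length > 0;
}

console.log(findAnonymousGrants(openRules));
// [ { path: '/', op: 'read', rule: true }, { path: '/', op: 'write', rule: true } ]
console.log(findAnonymousGrants(lockedRules)); // []
```

Running the check against a rules export as part of a build or review step catches the root-level `true` grants before the database is published; the locked-down document passes because every grant is conditioned on `auth`, and the `$uid` wildcard ties each user to their own records rather than to the whole tree.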

“All CPR researchers had to do was attempt to access…

Source…