Tag Archive for: Thousands

The 160+ Best Black Friday Deals of the Thousands We've … – The New York Times




Source…

Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices


Oct 21, 2023 | Newsroom | Zero-Day / Vulnerability


Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices.

Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 (CVSS score: 10.0) as part of an exploit chain.

“The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination,” Cisco said in an updated advisory published Friday. “This allowed the user to log in with normal user access.”


“The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system,” a shortcoming that has been assigned the identifier CVE-2023-20273.

A Cisco spokesperson told The Hacker News that a fix that covers both vulnerabilities has been identified and will be made available to customers starting October 22, 2023. In the interim, it’s recommended to disable the HTTP server feature.

While Cisco had previously mentioned that a now-patched security flaw in the same software (CVE-2021-1435) had been exploited to install the backdoor, the company assessed the vulnerability to be no longer associated with the activity in light of the discovery of the new zero-day.

“An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.”


Successful exploitation of the bugs could allow attackers to gain unfettered remote access to routers and switches, monitor network traffic, inject and redirect network traffic, and use it as a persistent beachhead to the network due to the lack of protection solutions for these devices.

The development comes as more than 41,000 Cisco devices running the vulnerable IOS XE software are estimated to have been compromised by threat…

Source…

Casino giant Caesars sends breach notifications to thousands • The Register


As more details emerge from September’s Las Vegas casino cyberattacks, Caesars Entertainment – the owner of Caesars Palace – has disclosed more than 41,000 Maine residents alone had their info stolen by a ransomware gang.

In a Friday filing with the US state’s Attorney General’s office, Caesars disclosed extortionists siphoned 41,397 Mainers’ data, and listed the total number of victims “TBD.”

The hotel, restaurant, and casino chain described the theft as follows:

The hotel chain’s loyalty program was pillaged and Caesars noted that the stolen personal data included names and driver’s license numbers and/or identification card numbers. According to the filing, the crooks didn’t access customers’ financial information nor payment details.

In an attached security breach notification letter [PDF], Caesars told customers that the entertainment conglomerate has “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

These steps, we’d assume, include paying the ransom demand – which was reportedly negotiated at $15 million after an initial demand for $30 million.

“To ease any concern you may have, we are offering you complimentary identity theft protection services for two years through IDX, a data breach and recovery services expert,” the notification letter continued. 

“This identity protection service includes two years of credit and dark web monitoring to help detect any misuse of your information, as well as a $1,000,000 insurance reimbursement policy and fully managed identity restoration in the event that you fall victim to identity theft.”

The casino giant first confirmed the data theft in an SEC filing in September, but has yet to comment on the reported ransom paid to the ransomware crew. 

Caesars has not responded to multiple inquiries from The…

Source…

Hackers have discovered a loophole to ‘jailbreak’ Tesla’s paywall-blocked driving features, saving them thousands


Tesla has been at the forefront of the electric vehicle movement. But it has also pioneered another aspect of the car industry — software-defined vehicles, or SDVs — that has not been quite as universally popular.

SDVs basically mean that some Tesla features, which are already built into the cars, are locked behind a paywall, requiring customers to pay extra if they want to use them. Some features in this category include a heated steering wheel, footwell lights, an “acceleration boost,” or the brand’s $15,000 Full Self-Driving feature.

Now, a group of hackers has discovered a way to “jailbreak” those paywalled features, and it looks like Tesla can’t do anything about it.

The team of hackers from Germany — a security researcher and three Ph.D. students — figured out a way to trick Tesla’s Media Control Unit (MCU) into thinking that certain purchases had already been made.

The reason that Tesla is powerless to stop it is that the MCU operates using a computer processor made by another company, called AMD. The hack targets AMD’s technology instead of Tesla’s proprietary tech.

In order for Tesla to stop this hack from spreading, it would have to physically swap out the MCUs in its cars with a new type of processor. That said, it’s possible the practice could invalidate warranties or other software updates if ever detected by Tesla, as is often the case with mobile phone and video game hardware.

The German team of hackers will soon present their findings at the BlackHat 2023 cyber security event, where they may give more details about how they accomplished the feat, potentially allowing other tech-savvy Tesla drivers to jailbreak features on their own.

For customers who have had issues with Tesla’s SDVs in the past — the company has been forced to settle multiple lawsuits around its automatic software updates, which customers have alleged have violated their consumer rights — this news could be taken as a bit of schadenfreude.

For Tesla, though, the news is surely worrying, as getting customers to make what are essentially in-app purchases after they have already bought a car is a big part of the EV maker’s business model.

But the company also has other things…

Source…