Tag Archive for: warn

🚪 These video doorbells have terrible security, consumer experts warn


On a recent Thursday afternoon, a Consumer Reports journalist received an email containing a grainy image of herself waving at a doorbell camera she’d set up at her back door.

If the message had come from a complete stranger, it would have been alarming. Instead, it was sent by Steve Blair, a CR privacy and security test engineer who had hacked into the doorbell from 2,923 miles away.

Blair had pulled similar images from connected doorbells at other CR employees’ homes and from a device in our Yonkers, N.Y., testing lab. While we expected him to gain access to these devices, it was still a bit shocking to see photos of the journalist’s deck and backyard. After all, video doorbells are supposed to help you keep an eye on strangers at the door, not let other people watch you.

Blair was able to capture those images because he and fellow test engineer David Della Rocca had found serious security flaws in this doorbell, along with others sold under different brands but apparently made by the same manufacturer. The doorbells also lack a visible ID issued by the Federal Communications Commission (FCC) that’s required by the agency’s regulations, making them illegal to distribute in the U.S.

Thousands of these video doorbells are sold each month on Amazon and other online marketplaces, including Walmart, Sears, and the globally popular marketplaces Shein and Temu. Experts say they’re just a drop in the flood of cheap, insecure electronics from Chinese manufacturers being sold in the U.S.

Previously, regulators have asserted that thousands of unsafe products, including potentially dangerous children’s sleepwear, carbon monoxide detectors and dietary supplements, have been widely available on Amazon.

“Big e-commerce platforms like Amazon need to take more responsibility for the harms generated by the products they sell,” said Justin Brookman, director of technology policy for CR. “There is more they could be doing to vet sellers and respond to complaints. Instead, it seems like they’re coasting on their reputation and saddling unknowing consumers with broken products.”


Source…

US cyber and law enforcement agencies warn of Phobos ransomware attacks


Pierluigi Paganini
March 02, 2024

US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024

US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

The attacks, observed as recently as February 2024, targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.

The Phobos operation, active since May 2019, uses a ransomware-as-a-service (RaaS) model.

Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks through phishing campaigns that dropped hidden payloads, through internet protocol (IP) scanning tools such as Angry IP Scanner used to search for exposed Remote Desktop Protocol (RDP) ports, or by leveraging RDP directly on Microsoft Windows environments.

“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network,” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in…

Source…

Someone is hacking 3D printers to warn owners of a security flaw


Do you have an Anycubic Kobra 2 Pro/Plus/Max 3D printer? Did you know it has a security vulnerability?

If you answered “yes” to both those questions, then chances are that I can guess just how you found out your 3D printer was vulnerable to hackers.

My bet is that you might have learnt about the problem after seeing a strange message displayed on your device, claiming that it had been hacked.

As multiple posts on Reddit confirm, owners of the 3D printers have had an unusual message pop up on their devices.

The message contains ASCII art of a worm and claims to be “harmless” – but warns of a “critical vulnerability” in the printer, posing a “significant threat”. It advises affected users to disconnect their printer from the internet to avoid being hacked.

In the message, someone calling themselves “printer god” bemoans Anycubic’s lax security and warns that a malicious attack could have caused damage.

The warning message in the file hacked_machine_readme.gcode can be safely deleted from the printer’s screen or USB drive. The author claims to have sent it to over 2.9 million vulnerable printers.

The hack seems to be connected to a post in an online forum earlier this week by a user called “Dump”. “Dump” claimed to have tried to communicate with Anycubic for two months about “two critical security vulnerabilities” – with one described as “catastrophic if found to be malicious.”

Anycubic has now confirmed the existence of a “security issue”, which it claims was “caused by a third party using a security vulnerability of the MQTT server to access users’ printers.”

Anycubic says that it is enhancing its cloud server security and will release new firmware to users on March 5, 2024.

This isn’t the first time that printers have been hijacked through security vulnerabilities to spread messages. For instance, in 2018, thousands of printers were seized to print out a message promoting PewDiePie’s YouTube channel.

Source…

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat


Feb 28, 2024 | Newsroom | Firmware Security / Vulnerability


In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), is known to be active since at least 2007.

APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said [PDF].

The adversary’s use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot attacks entail targeting routers with default or weak credentials to deploy OpenSSH trojans; APT28 then acquires this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and run other tooling.

This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that could enable the theft of NT LAN Manager (NTLM) hashes and a subsequent relay attack without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With…

Source…