Infosec In Brief Put away that screwdriver and USB charging cable – the latest way to steal a Kia just requires a cellphone and the victim’s license plate number.
Sam Curry, who previously demonstrated remote takeover vulnerabilities in a range of brands – from Toyota to Rolls Royce – found this vulnerability in vehicles as old as model year 2014. The mess means the cars can be geolocated, turned on or off, locked or unlocked, have their horns honked and lights activated, and even have their cameras accessed – all remotely.
The vulnerability also exposed victims’ personal details – name, phone number, email, and physical address – and let attackers add themselves as invisible secondary users to the vehicle.
The issue originated in one a Kia web portals used by dealerships. Long story short and a hefty bit of API abuse later, Curry and his band of far-more-capable Kia Boyz managed to register a fake dealer account to get a valid access token, which they were then able to use to call any backend dealer API command they wanted.
“From the victim’s side, there was no notification that their vehicle had been accessed nor their access permissions modified,” Curry noted in his writeup. “An attacker could resolve someone’s license plate, enter their VIN through the API, then track them passively and send active commands like unlock, start, or honk.”
Curry’s team developed a smartphone tool that automated the process, but didn’t release it. Not that it would matter much, really: Curry noted that Kia has fixed the issue, and he’s verified the exploit no longer works.
“Cars will continue to have vulnerabilities,” Curry noted. “In the same way that Meta could introduce a code change which would allow someone to take over your Facebook account, car manufacturers could do the same for your vehicle.”
Critical vulnerabilities of the week: Another Ivanti exploit in the wild
It’s been a busy few weeks in Ivanti exploit land. After putting a CVSS 9.4 path traversal vulnerability in the Known Exploited Vulnerability catalog on September 20, CISA added another one just seven days later.
CVE-2024-7593 is rated 9.8 and means versions Ivanti Traffic Manager other than 22.2R1 or 22.7R2 have a problem that means a remote attacker could bypass the authentication requirements of the product’s administrator panel.
Not great for such a critical piece of software – we’d recommend ensuring you’re on one of those safe versions ASAP.
UK citizen charged with hacking companies to steal financial secrets
The US Securities and Exchange Commission filed charges against a UK citizen for hacking public companies prior to their earnings announcements to steal information used to make money in the stock market.
Robert Westbrook was accused of hacking five unnamed US businesses prior to their earnings announcements on at least 14 occasions between January 2019 and August 2020, earning around $3.75 million with the info he accessed.
The SEC said Westbrook obtained access by resetting the passwords on accounts belonging to senior executives. Details weren’t provided outside of the SEC indictment indicating “four of the five hacked companies used the same password reset portal software.”
Westbrook allegedly took considerable steps to conceal his identity, including using anonymous emails, VPN services, and cryptocurrency – but none of that appears to have mattered.
“The Commission’s advanced data analytics, crypto asset tracing, and technology can uncover fraud even in cases involving sophisticated international hacking,” explained SEC crypto assets and cyber unit acting chief Jorge Tenreiro.
Westbrook was apprehended by UK authorities and is awaiting extradition to the United States, where he’s also facing charges from the Department of Justice. If convicted on the DoJ charges he could face up to 65 years in prison.
Namebay ransomwared
Monaco-based Namebay, one of the oldest domain registrars around, has admitted to falling prey to a ransomware attack.
According to Namebay, it was hit on September 21, knocking its mail and web hosting and API services offline. Other services remained online, though the site’s DNS system did go down for several hours during incident recovery.
As of Friday, September 27, Namebay’s mail hosting is still not working properly, though the registrar said it stood up alternative messaging infrastructure on Wednesday. Namebay customers won’t be automatically able to access the service; however, they will need to message Namebay directly to have specific mailboxes activated. The company said the process is ongoing, and that employees would be on hand over the weekend to ensure activations continued.
Namebay hasn’t specified whether any data was exfiltrated during the attack, or when normal service will be restored.
How not to succeed at ransoming critical infrastructure
Critical infrastructure systems like water treatment plants have become popular targets for nation-state backed threat actors – and the occasional idiot, too.
City officials in the small town of Arkansas City, Kansas, last week took to local news to reassure citizens that a cyber attack on the city’s water treatment plant may have knocked systems offline, but there wasn’t anything to worry about.
“Residents can rest assured that their drinking water is safe, and the City is operating under full control during this period,” city manager Randy Frazer declared, per local news outlet the Courier Traveler.
The reason locals don’t need to worry is that, while the attack took the plant’s control systems offline, it also prevented attackers from further tampering with the infrastructure. Frazer told the Courier Traveler that no city or customer information was compromised.
The identity of the attackers remains a mystery, local news reported, and Arkansas City authorities did not plan to pay the requested ransom.
TikTok ejects Russian media
TikTok has ejected multiple media outlets linked to the Russian government amid growing concern over misinformation from Moscow in the run-up to the US election.
The accounts associated with Rossiya Segodnya and TV-Novosti were removed last week “for engaging in covert influence operations on TikTok which violates our Community Guidelines.” This comes weeks after the Department of Justice seized multiple websites and charged two RT (Russia Today) employees for spreading Russian propaganda on social media.
TikTok closed three accounts “representing a media company, its founder, and a faked news outlet” in the days after the DoJ’s moves, though it didn’t identify who the accounts were affiliated with.
Like TikTok, Meta took similar action to ban RT accounts after the DoJ’s report, citing the actions violated its rules on foreign interference activity.
Separately this week, the US Director of National Intelligence claimed Russia continues to be the most prolific in its use of AI to meddle in US politics. ®