Security teams around the world got another shock on Thursday when news of disclosure of a PoC for an unauthenticated RCE zero-day vulnerability in Spring Core, a massively popular framework for building modern Java-based enterprise applications, began circulating online. Thanks to many security researchers, the situation is a bit clearer today and there’s no need to panic just yet: Unlike Log4Shell, this new flaw – with no official CVE and currently nicknamed Spring4Shell – seems to only be exploitable in certain configurations.
Researchers from the University of Oxford published details of a vulnerability in the Combined Charging System that has the potential to abort charging. The Combined Charging System (CCS) is one of the plethora of standards in the EV charging world, and allows DC fast charging. Different plug types are used for the US and EU regions (dubbed Combo 1 and 2 respectively) but both use the same underlying technology. As well as taking in all that lovely charge, the EV and the Electric Vehicle Supply Equipment (EVSE) swap messages concerning how charged things are, the maximum possible current and so on. The link used for the communication is provided by the HomePlug Green PHY (HPGP) power-line communication (PLC) technology. The researchers created a lab testbed that consisted of the same HPGP modems used in most EVs and charging stations at the victim end, and a software defined radio replete with a 1W RF amplifier on an antenna the team made themselves (with which to carry out the attack).
Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up.
The United States Federal Bureau of Investigation (FBI) is currently investigating more than 100 different variants of ransomware, many of which have been used in multiple ransomware campaigns. Information on the Bureau’s efforts to tackle the malware threat was among the remarks delivered to the United States House Committee on the Judiciary in Washington on Tuesday by Bryan Vorndran, assistant director of the FBI’s Cyber Division. “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks,” said Vorndran, “The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.”
If you own any of the Wyze Cam devices — the V1, V2, or V3 — someone could have easily watched you in secret and even downloaded the feed from the SD card of your camera. What’s worse? For three years, Wyze knew about the problem and chose not to acknowledge it, fix it, or even inform affected customers. The software flaw in Wyze’s cameras was discovered by folks over at Bitdefender. The security research firm claims it informed Wyze about the problem in March 2019. However, the Seattle-based company failed to respond until November 2020. Two years later, in February 2022, Wyze discontinued the Wyze Cam V1, citing the camera’s inability to support a security update. “Your continued use of the Wyze Cam v1 after February 1, 2022, carries increased risk, is discouraged by Wyze, and is entirely at your own risk,” the company said in an email to customers. However, it still didn’t disclose the fact that the cameras were essentially secret peepholes for hackers and that it knew about the issue. As Bleeping Computer notes, Wyze Cam owners might still be running a vulnerable firmware version.
MULTIFACTOR AUTHENTICATION (MFA) is a core defense that is among the most effective at preventing account takeovers. In addition to requiring that users provide a username and password, MFA ensures they must also use an additional factor—be it a fingerprint, physical security key, or one-time password—before they can access an account. Nothing in this article should be construed as saying MFA isn’t anything other than essential. That said, some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.
The Lapsus$ hacking group appears to have struck again, with the latest victim is Globant – a software development company from Luxembourg. The group has said it is “back from vacation”, and posted a 70GB torrent file on its Telegram channel, claiming the dump contains Globant’s customer source code, among other items. The company’s customers include Google, LinkedIn, EA, and Coca-Cola, among others. EA has had its endpoints breached last year, by one member of Lapsus$, but at the moment, it’s impossible to know if the two breaches have anything in common. Lapsus$ has also published a screenshot of a folder, showcasing a number of alleged Globant customers – Facebook, Citibank, C-Span.