Friday Five: 11/17 Edition
Catch up on all the week's InfoSec news with this roundup!
Oracle, for the second time in the past three weeks, was forced to release an out-of-band set of security fixes to address vulnerabilities in its products. Oracle PeopleSoft Campus Solutions, Human Capital Management, Financial Management, and Supply Chain Management, as well as any other product using the Tuxedo 2 application server, are vulnerable, according to Ars Technica's Sean Gallagher. One of the bugs, JoltandBleed (à la Heartbleed), rates a 10 out of 10 in severity and affects Oracle's Jolt protocol. The bug could allow attackers to extract data from memory on the app server, including session information, user names, and passwords in plaintext.
More details on threats from North Korea, namely malware dropped by the group Hidden Cobra, came to light this week, thanks to two joint alerts from the FBI and the U.S. Cybersecurity Emergency Readiness Team. Both agencies initially warned of the group back in June, but this week they highlighted a list of IP addresses believed to be associated with Volgmer, a Trojan used by the group to target the government, media, and financial sectors. According to FCW's Mark Rockwell, the group has also been using a remote administration tool named FALLCHILL to keep tabs on malware that has already made it onto U.S. servers. Hidden Cobra, known in some circles as the Lazarus Group, is purportedly the group behind the well-publicized attacks on Sony and the SWIFT attacks against banks in Bangladesh and Mexico.
OnePlus, a China-based smartphone manufacturer, said this week that it plans to fix a flaw in most of its phones that's tantamount to a backdoor. A researcher who declined to give his name, instead going by the pseudonym of Mr. Robot's Elliot Alderson, said he discovered last month that a preinstalled application named EngineerMode could essentially be used to root the device and turn it into a backdoor. According to Bleeping Computer's Catalin Cimpanu, the app can perform hardware diagnostic tests, check for root status, diagnose the GPS function, and more. The company stressed in a forum post on Tuesday that the APK doesn't allow third-party apps to access root privileges, but it nonetheless plans on removing the function, something called the ADB Root Function, in a future OTA update.
Another week, another breach. Forever 21, a fast-fashion retailer, announced on Tuesday that it's looking into a breach of its payment card systems in stores from March to October 2017. The source of the hack is unclear; the company only said that point-of-sale devices at some stores were affected "when the encryption on those devices was not operating." The company joins a laundry list of companies hit by data breaches so far this year, as Buzzfeed's Leticia Miranda points out: Arby's, Saks Fifth Avenue, Chipotle, Verizon, Equifax, and Whole Foods Market.
Amazon was quick to issue a fix for its Key product, the service designed to monitor the company's couriers while they drop off packages, after a flaw was found in it earlier this week. Researchers with Rhino Security Labs, a security firm based in Seattle, found that an attacker in Wi-Fi range could disable the camera by freezing it, essentially carrying out a denial-of-service attack. Amazon told CNET/ZDNet on Wednesday that it would be pushing an update later this week that will let users know whether Cloud Cam, the device behind Amazon Key, is offline, and that will not unlock the door if Wi-Fi is disabled and the camera is offline. The service, announced last month, already had privacy-conscious users on edge, as it provides Amazon delivery drivers unfettered access to users' homes.