Cyber Pulse: Edition 133 | 14 October 2020

Here is our cyber security news round-up of the week:

Amazon Prime Day 2020: Beware of scams and lures

Undoubtedly there will be a raft of phishing activity associated with this year’s Amazon Prime Day, set to take the unassuming consumer for a pretty penny. It’s always a lucrative market for the scammers looking to leverage a great marketing campaign, and Amazon Prime Day 2020 is an ideal opportunity to lure the consumer into downloading malware or sharing sensitive information and account details. . Security researchers identified a specific kit designed to target Amazon customers in sophisticated phishing scams.

Remember: if it looks too good to be true, it’s highly likely to be a scam. Don’t be tempted by the super deal advert, report the phishing attempt to Action Fraud and check directly on the Amazon platform for the latest offers.

Serious vulnerabilities in HP Device Manager

A security researcher has chained a trio of serious vulnerabilities in HP Device Manager to achieve unauthenticated remote code execution (RCE) with admin privileges. Organisations that use HP Device Manager, an application used by IT administrators to manage HP Thin Client devices, have been urged to update their systems after Nick Bloor achieved privilege escalation on a backdoor superuser account. Bloor, founder of Cognitous Cyber Security, decided to mount deserialisation attacks against HP Device Manager after discovering an open port was being used for the Java Remote Method Invocation (RMI) service registry during a network security assessment. Bloor's blog post sets out the multi-stage process exhaustively, complete with the final, step-by-step exploit to gain remote control of the server.

An HP security advisory released on 25 September confirmed that all three vulnerabilities are present in HP Device Manager versions 5.0.3 and below, and 4.7 up to and including service pack 12. Unlike the privilege escalation flaw (CVE-2020-6927), a weak cipher flaw (CVE-2020-6925) and remote method invocation bug (CVE-2020-6926) are also present in all other versions. The issues were patched in HP Device Manager 5.0.4, which was rolled out on 25 September.

Apple bug bounty programme – results revealed

A team of security researchers who spent three months hacking Apple, discovered a slew of vulnerabilities in the company's digital infrastructure, and received bounty payments totalling more than $50,000. The tech giant maintains a bug bounty program that pays security researchers for found vulnerabilities. As researcher Sam Curry notes, he previously thought that Apple only paid bounties for issues affecting physical products like the iPhone. But, in July, researchers noticed that bounties were seemingly available for web infrastructure, too. According to Apple's bug bounty program page, the company pays out for vulnerabilities with a "significant impact to users". After three months of scanning Apple's systems and testing various exploits, the team found a total of 55 vulnerabilities of varying severity. At least 11 were ranked as critical and 29 were of high severity.

Security researcher, Sam Curry explained:

"During our engagement, we found a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources.”

The team wasn't able to deeply disclose all of the flaws they found, but Curry did provide write-ups for some of the more interesting vulnerabilities.

Watchdog reports on plane-hacking risks

US Federal regulators have not taken adequate steps to protect computer systems on airliners from hackers, a government watchdog agency reported. The agency said the Federal Aviation Administration has not developed a training program for cybersecurity or testing airplane computer systems that could be vulnerable to attack. The GAO recommends that FAA conduct a risk assessment of security of avionics systems and train inspectors to judge security of avionics systems. It said FAA should also enact guidance that includes independent testing of cybersecurity on new airplane designs.

The GAO report focused on the vulnerability of systems on planes that automatically transmit data to air traffic controllers, airline maintenance crews and others on the ground. Advanced networks carry data used to track planes, tell pilots about the weather ahead, and handle secure communication between pilots and people on the ground. Manufacturer representatives told GAO they realise cybersecurity threats are growing, and they are trying to involve security experts in testing their planes. Airbus officials told GAO they have allowed security agencies in France, Germany and the United Kingdom to conduct cyber-penetration tests.

London Borough of Hackney investigates cyber breach

Hackney Council in north London says it has been the target of a serious cyberattack, which is affecting many of its services and IT systems. The council said it is working closely with the National Cyber Security Centre (NCSC), external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the incident. It's unclear exactly what form the cyberattack has taken or when it took place.

In a statement on the council's public-facing website, which is still up and running, Mayor Philip Glanville said:

"Our focus is on continuing to deliver essential frontline services, especially to our most vulnerable residents, and protecting data, while restoring affected services as soon as possible. In the meantime, some council services may be unavailable or slower than normal, and our call centre is extremely busy. We ask that residents and businesses only contact us if absolutely necessary, and to bear with us while we seek to resolve these issues."

Thousands of vulnerabilities discovered in virtual appliances

Orca Security used its SideScanning technology to check virtual appliances for vulnerabilities and outdated operating systems. The company scanned a total of more than 2,200 virtual appliances from 540 vendors in April and May, and identified over 400,000 vulnerabilities, detailed in their report. The virtual appliances were obtained from marketplaces associated with cloud platforms such as AWS, VMware, Google Cloud Platform, and Microsoft Azure, but Orca says these virtual appliances are in many cases the same as the ones provided directly by vendors. Orca contacted each of the impacted vendors before making its findings public.

The company says vendors have addressed roughly 36,000 of the 400,000 identified vulnerabilities, either by deploying patches or by removing the virtual appliance altogether. The company has also shared some recommendations for organisations to reduce the risk posed by the use of virtual appliances. This includes asset management for keeping track of virtual appliances, vulnerability management tools that can discover weaknesses, and a vulnerability management process that prioritises the most serious issues.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.