Infosec in brief Trend Micro's Zero Day Initiative held its first-ever automotive-focused Pwn2Own event in Tokyo last week, and awarded over $1.3 million to the discoverers of 49 vehicle-related zero day vulnerabilities.
Researchers from French security outfit Synacktiv took home $450,000 after demonstrating six successful exploits, one of which saw the company's crew gain root access to a Tesla modem.
Five $60,000 bounties - the second-highest monetary awards behind Synacktiv's $100k Tesla hacks - were awarded for attacks on EV chargers manufactured by Emporia, ChargePoint, Ubiquiti, Phoenix and JuiceBox.
Three attacks against Automotive Grade Linux were also attempted, with only one succeeding.
This vehicular cut of Linux is used as the backbone of infotainment systems by several automotive OEMs, including Subaru, Toyota and Lexus.
Given most of the bugs exploited at the event were newly reported zero days, little information about the nature of the flaws was revealed.
ZDI's next event will be its annual Pwn2Own fete in Vancouver from March 20-24, at which hackers will be able to demonstrate their prowess at exploiting vulnerabilities in a new category: cloud-native and container software.
Cisco reported a CVSS 9.9 vulnerability in several of its Unified Communications and Contact Center products last week that could allow an attacker to execute arbitrary commands on the OS beneath the software.
While the flaw is admittedly serious, Cisco UCM software isn't designed to be exposed to the internet, so these systems should be hard targets for miscreants.
CVSS 10.0 - Multiple CVEs: MachineSense FeverWarn temperature checking kiosks contain hard-coded credentials, missing authentication and improper access control, which could be exploited to give an attacker control over the devices.
CVSS 9.8 - CVE-2023-7227: SystemK network video recorders in the 504, 508 and 516 series contain a command injection vulnerability that could be used to execute commands with root privileges.
CVSS 9.8 - Multiple CVEs: Voltronic Power ViewPower Pro UPS management software version 2.0-22165 contains a series of vulnerabilities that could allow an attacker to trigger DoS, steal admin credentials and execute remote code.
CVSS 8.8 - CVE-2022-44037: APsystems ECU-C power control software contains an improper access control bug that could give an attacker full admin access without authenticating.
CVSS 8.4 - CVE-2023-6926: Crestron AM-300 wireless presentation systems are vulnerable to OS command injection that can give attackers root access.
CVSS 8.0 - Multiple CVEs: Westermo Lynx 206-F2G layer three industrial ethernet switches running firmware 4.24 contain a series of vulnerabilities that an attacker could use to inject code, execute commands and the like.
Apple has identified a zero-day vulnerability in WebKit under active exploitation that could trigger arbitrary code execution when viewing malicious web content.
For those unfamiliar with this form of attack, SIM swaps involve convincing a telecom carrier to transfer a phone number to a new SIM card, giving an attacker control over communications going to and from that number - like a second authentication factor.
Downloaders of cracked macOS apps, beware: A newly discovered macOS malware family is making the rounds in cracked apps, and it's a doozy.
If it finds an Exodus wallet installed, the malware swaps the installed version for a malicious replacement that transmits seed phrases to the C2 server as soon as the infected Exodus install is opened.
Non-cryptobros should still be aware of this threat - the backdoor gives an attacker plenty of opportunity to wreak other havoc, and Securelist believes the malware is still a work in progress, so other nastiness could be added later.
This Cyber News was published on go.theregister.com. Publication date: Mon, 29 Jan 2024 01:43:10 +0000