Millions of IoT devices, baby monitors open to audio, video snooping

The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.

The cybersecurity researchers at FireEye have shared details of a critical IoT supply chain vulnerability that might be exposing millions of ThroughTek internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.

It is worth noting that, at the time of publishing this article, ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on its platform.

Flaw Identified in ThroughTek’s P2P SDK

The flaw was discovered in a core software component of ThroughTek’s Kalay cloud platform, which OEMs use to build IP cameras, baby/pet monitoring cameras, battery-powered devices, and robotic devices.

The vulnerability (CVE-2021-28372) is present in the company’s P2P SDK, the component that allows a client on a desktop or mobile app to access the camera’s audio or video streams over the internet.

It is reported that the protocol used to transmit these data streams does not perform a secure key exchange. Instead, it relies on a fixed-key obfuscation scheme. Hence, attackers can access the transmitted data and reconstruct the audio/video stream to spy on users remotely.

Moreover, it can allow attackers to spoof devices, eavesdrop on camera audio/video, and hijack device certificates.

CISA Releases Security Alert

Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:

“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”

CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with the nossl tag, and device firmware lacking AuthKey for the IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.

The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.

CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device, FireEye researchers warned in a blog post.

ThroughTek’s Response

The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and asked customers to update their devices’ SDK version, and that those who didn’t upgrade the software are vulnerable to this threat.

Original article: https://cybersecdn.com/index.php/2021/08/17/millions-of-iot-devices-baby-monitors-open-to-audio-video-snooping/

Experian API Exposed Credit Scores of Most Americans (again)

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Security Researcher Bill Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Source: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

In early February, the WordFence Threat Intelligence team discovered and responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary plugins and inject PHP Objects. The third flaw made it possible for authenticated attackers to delete arbitrary posts on a site running the plugin, causing a loss of availability.

These are considered severe vulnerabilities. Therefore, we highly recommend updating to the latest patched version available immediately.

Full details at https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin

Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

Store Locator Plus is a plugin designed to add a store locator to a WordPress site and makes it very simple to do so. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.

WordFence strongly recommends deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

In addition to the privilege escalation vulnerability, WordFence found several endpoints in the plugin that could allow unauthenticated attackers to inject malicious JavaScript into pages. These could be used by an attacker to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, you should also be using WordFence’s Web Application Firewall, which has rules in place to mitigate attacks.

Source: https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin

Sucuri: Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable it?

Sucuri recently described an attack in which hackers gain access to the site and then immediately disable any installed plugins from a list of well-known security plugins. If your security plugins are turned off, they’re not going to scan your site for malware and they’re not going to email you a warning.

“If a user tries to reactivate one of the disabled security plugins, it will momentarily appear to activate only for the malware to immediately disable it again. This behavior will prevail until the malware is fully removed from the compromised environment, making it more difficult to detect malicious behavior on the website.”

Ideally your sites are locked down well enough that the hackers can’t gain access in the first place. But keep an eye on your site and if you see any behavior similar to what’s described, contact us and we’ll clean it up.

Source: https://blog.sucuri.net/2020/09/wordpress-malware-disables-security-to-avoid-detection.html

Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73.

Full article: https://thehackernews.com/2020/08/chrome-csp-bypass.html

Stay Alert to New Scams and Tricks

Phishing attackers can play with web addresses in a number of ways to trick you into following the link:

Hiding the link with a link shortener (bit.ly, goo.gl, etc.)

Hiding the link under a “Click here” or similar button

Substituting numbers for letters (the number 0 for the letter o, as in “dr0pb0x.com”)

Spelling an existing address incorrectly (Facbook.com instead of Facebook.com)
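The four tricks above can each be caught by a simple heuristic, and the following added example (not part of the original newsletter) shows what such checks look like in code. The brand watchlist, the shortener list, the digit-to-letter map and the sample links are all constructed for illustration; a real deployment would use its own lists.

```python
"""Heuristic link checks for the phishing tricks listed above.
Added example; brand list, shortener list and sample links are constructed."""
from urllib.parse import urlparse

# Constructed watchlist of brands a defender wants to protect (ordered for
# deterministic matching).
KNOWN_BRANDS = ("dropbox.com", "facebook.com", "google.com", "paypal.com")
# Constructed, partial list of public link shorteners.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
# Digits commonly swapped in for visually similar letters (0 for o, etc.).
DIGIT_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Link text that tells the reader nothing about where the link really goes.
GENERIC_TEXT = {"click here", "login", "verify"}


def registered_domain(url: str) -> str:
    """Host part of a URL, lower-cased, with any leading 'www.' removed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between a host and a brand
    signals a misspelling such as facbook.com versus facebook.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, link_text: str = "") -> list[str]:
    """Return the names of every heuristic the link trips.
    An empty list means none of the four tricks was detected."""
    findings = []
    host = registered_domain(href)

    # Trick 1: a shortener hides the real destination behind a redirect.
    if host in SHORTENERS:
        findings.append("shortener")

    # Trick 2: the visible text hides the destination, either because it is
    # generic ("Click here") or because it shows a URL for a different host.
    text_host = registered_domain(link_text.strip()) if "." in link_text else ""
    if text_host and text_host != host:
        findings.append("text/href mismatch")
    elif not text_host and link_text.strip().lower() in GENERIC_TEXT:
        findings.append("generic link text")

    # A host that is exactly a known brand needs no lookalike analysis.
    if host in KNOWN_BRANDS:
        return findings

    # Trick 3: undoing digit-for-letter substitution yields a known brand.
    if host.translate(DIGIT_SUBSTITUTIONS) in KNOWN_BRANDS:
        findings.append("digit substitution")
        return findings

    # Trick 4: a misspelling is within two edits of a brand but is not the brand.
    for brand in KNOWN_BRANDS:
        if 0 < edit_distance(host, brand) <= 2:
            findings.append(f"lookalike of {brand}")
            break
    return findings


if __name__ == "__main__":
    # Constructed sample links, one per trick from the text.
    samples = [
        ("https://bit.ly/3abc", ""),
        ("http://dr0pb0x.com/login", "Click here"),
        ("https://facbook.com/verify", "https://facebook.com/verify"),
        ("https://www.facebook.com/", "Facebook"),
    ]
    for href, text in samples:
        print(href, "->", check_link(href, text) or "clean")
```

The checker is deliberately conservative: a host that exactly matches a watched brand is never flagged as a lookalike, and the edit-distance threshold of two keeps unrelated domains from matching. In a mail gateway or browser extension, the `link_text` argument would come from the anchor's visible text and the `href` from its actual target.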