Actively exploited bug bypasses authentication on millions of routers
A critical authentication bypass vulnerability affecting home routers running Arcadyan firmware is being actively exploited to deploy Mirai botnet payloads. Tracked as CVE-2021-20090 and rated 9.9/10, it threatens millions of routers from, or connected to, Asus, British Telecom, Deutsche Telekom, Orange, O2 (Telefonica), Verizon, Vodafone, Telstra, and Telus. The flaw was discovered by Tenable, which published a security advisory on April 26 and added proof-of-concept exploit code on Tuesday, August 3. Most disturbing, Tenable says, is that the vulnerability has existed in the supply chain for at least 10 years.
A zero-day RCE in Cisco ASDM has yet to be fixed
Cisco has provided an update on a remote code execution vulnerability (CVE-2021-1585) in its Adaptive Security Device Manager (ASDM) Launcher, stating that the flaw has yet to be addressed and that there are currently no workarounds. ASDM provides a local, web-based interface that lets customers manage Cisco Adaptive Security Appliance (ASA) firewalls and the Cisco AnyConnect Secure Mobility Client. The vulnerability affects ASDM software releases 9.16.1 and earlier. Cisco’s Product Security Incident Response Team is not aware of any publicly available proof-of-concept exploits for this flaw or of attacks exploiting it in the wild.
Password of three random words better than complex variation, experts say
The National Cyber Security Centre (NCSC), part of the UK’s Government Communications Headquarters, said a three-word system creates passwords that are easy to remember yet produce unusual combinations of letters, enough to keep online accounts secure from cybercriminals. “Traditional password advice telling us to remember multiple complex passwords is simply daft,” the NCSC’s technical director, Dr Ian Levy, said on the centre’s website, while conceding that using three random words was not 100% safe, since people might pick predictable word combinations. He suggested a major advantage of the system was its usability, “because security that’s not usable doesn’t work.”
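To put numbers on the advice above, here is an added example (my code, not NCSC material) that generates a three-word passphrase with a cryptographic random source and computes the entropy of the scheme against a randomly chosen eight-character "complex" password. The word list is a constructed stand-in; a real diceware-style list of 7,776 entries is assumed for the strength figures. The arithmetic only holds when the words are picked uniformly at random, which is why the function picks them for the user: the "predictable combinations" caveat in the story is exactly what happens when a person chooses the words.

```python
import math
import secrets

# Constructed sample list standing in for a real word list (assumption: a real
# diceware-style list has 7,776 entries; the list size drives the strength figure).
SAMPLE_WORDLIST = ["anchor", "basil", "comet", "drift", "ember", "falcon", "gravel", "harbor"]


def three_random_words(wordlist, count=3, separator="-"):
    """Pick `count` words with a CSPRNG and join them.

    The machine chooses the words, not the person; human-chosen words cluster
    around predictable combinations and shrink the effective pool.
    """
    if len(wordlist) < count:
        raise ValueError("word list too small for the requested passphrase length")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def compare_schemes(wordlist_size=7776, printable_ascii=95, complex_length=8):
    """Compare three uniformly random words against a uniformly random
    'complex' password of printable ASCII characters (assumed 95 symbols)."""
    return {
        "three_words": round(entropy_bits(wordlist_size, 3), 1),
        "complex_8_chars": round(entropy_bits(printable_ascii, complex_length), 1),
    }


if __name__ == "__main__":
    print(three_random_words(SAMPLE_WORDLIST))
    print(compare_schemes())
```

The comparison shows that a truly random eight-character password carries more bits than three words from a 7,776-word list; the NCSC's point is that people do not produce truly random complex passwords, whereas a machine-picked three-word phrase stays both random and memorable.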
Luxembourg tops the 2021 list for highest salaries for cybersecurity experts
A new report from Techshielder analyzed several metrics to determine the best cities for cybersecurity jobs, including average salary, job availability and cost of living as well as the most in-demand skills for 2021. The report names Washington D.C. as the best city for cybersecurity jobs thanks to its many opportunities and overall high average salary. Singapore was found to have the highest job availability for cybersecurity professionals, but has a very high cost of living, while Luxembourg pays cybersecurity experts the highest salaries overall. Also appearing in the top ten list are Berlin, Ottawa, London, Riyadh, Brussels, Vienna and Tokyo.
Thanks to our episode sponsor, Sotero

New Amazon DNS attack method allows for nation-state level spying
The attack method was identified by researchers at Wiz while analysing Amazon Route 53, the cloud DNS web service offered to AWS users. The findings were presented this week at the Black Hat cybersecurity conference in Las Vegas. In short, the Wiz researchers discovered that registering a domain with a name such as ns-852.awsdns-42.net. and adding it in Route 53 on the DNS server with that same name gave them visibility into DNS traffic from more than 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 government agencies from other countries. The intercepted data included internal and external IP addresses, computer names, user names, and office locations. The researchers equate this to nation-state level spying capability. The issue stems from the algorithm Windows devices use to locate the master DNS server and send it updates when their IP addresses change.
(Wiz.io)
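The story attributes the leak to how Windows clients find the zone's master server and push dynamic updates to it. As an added example (my code, not Wiz's research tooling or anything from AWS), the following defender-side check walks a host's FQDN up to the enclosing zone the way a dynamic-update client does, reads the zone's primary master (the SOA MNAME), and flags any master the organisation does not control, including names that match the Route 53 name-server pattern from the story. The SOA table, the trusted-master list and the zone names are constructed, and the check assumes the client sends its update to the SOA MNAME (the RFC 2136 convention) rather than querying live DNS.

```python
import re

# Constructed SOA answers keyed by zone, standing in for live DNS lookups
# (constructed sample data; a real tool would query the resolver for SOA records).
SAMPLE_SOA_RECORDS = {
    "corp.example.com.": "ns1.corp.example.com.",
    "branch.example.net.": "ns-852.awsdns-42.net.",  # same shape as the name in the story
}

# Name servers the organisation actually operates (assumption: maintained by the defender).
TRUSTED_MASTERS = {"ns1.corp.example.com."}

# Route 53 name-server naming pattern, generalised from the example in the story.
AWSDNS_PATTERN = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.$")


def find_zone_master(fqdn, soa_lookup):
    """Strip leading labels until a zone with an SOA is found and return
    (zone, primary master). Returns (None, None) when no enclosing SOA exists."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:]) + "."
        if zone in soa_lookup:
            return zone, soa_lookup[zone]
    return None, None


def assess_update_target(fqdn, soa_lookup=SAMPLE_SOA_RECORDS, trusted=TRUSTED_MASTERS):
    """Classify where a dynamic update for `fqdn` would be sent.

    verdicts: 'ok' (trusted master), 'external-awsdns-master' (master matches the
    Route 53 name-server pattern), 'external-master' (any other untrusted master),
    'no-soa' (no enclosing zone found).
    """
    zone, master = find_zone_master(fqdn, soa_lookup)
    if master is None:
        return {"fqdn": fqdn, "zone": None, "master": None, "verdict": "no-soa"}
    if master in trusted:
        verdict = "ok"
    elif AWSDNS_PATTERN.match(master):
        verdict = "external-awsdns-master"
    else:
        verdict = "external-master"
    return {"fqdn": fqdn, "zone": zone, "master": master, "verdict": verdict}


if __name__ == "__main__":
    for host in ("pc1.corp.example.com.", "laptop7.branch.example.net.", "host.nowhere.invalid."):
        print(assess_update_target(host))
```

Running this over the hostnames a fleet is configured to register tells a defender which zones would send dynamic updates to a master outside their control before any traffic leaves the network.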
RansomEXX ransomware leaks files stolen from Italian luxury brand Zegna
Ermenegildo Zegna Group is the largest menswear brand in the world by revenue. The RansomEXX group claims to have stolen 20.74GB of data from the company and has leaked 43 archives (42 archives of 500MB each and 1 archive containing 239.54MB of documents). Recently the RansomEXX gang infected systems at Italy’s Lazio region, causing problems for the ongoing COVID-19 vaccination campaign. This week the RansomEXX ransomware gang also hit the Taiwanese computer hardware manufacturer and distributor GIGABYTE and claims to have stolen 112GB of data.
(Cybersecurity World Conference)
Amazon Kindle bug was aimed at hijacking ebook readers
Amazon has revealed that in April of this year it addressed a critical vulnerability in its Kindle e-book reader platform that could have been exploited to take full control of a user’s device, resulting in the theft of sensitive information including Amazon account credentials and billing information, simply by delivering a malicious e-book. This type of attack would have allowed an attacker to target a very specific audience, Amazon said. The fix was distributed as part of Kindle firmware version 5.13.5 in April 2021.
Paul Allen’s boat now available for rent
Octopus, the vast “explorer class” superyacht built for Microsoft co-founder Paul Allen, has been sold for almost £200m and is now available to rent for £1m a week. On the market since Allen’s death in 2018, it was purchased by a Scandinavian buyer. The eight-deck Octopus has 13 guest suites, including a private owner’s deck. There is also a cinema, a gym, a spa, a basketball court, a pool (which converts into a dancefloor) and a pizza oven. It features not one but two helicopters, two submarines and space for seven tenders and a large SUV. The yacht has quarters for up to 63 crew. Director James Cameron used it as a base when he dove to the bottom of the Mariana Trench, the deepest point in the world, and Mick Jagger, Bono, Usher and Joss Stone have recorded in its world-class studio. But hey! A pizza oven!