Blog entry by Les Bell

by Les Bell - Monday, 19 September 2022, 8:34 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Starbucks Singapore Breached

The personal details of some 200,000 customers of Starbucks Singapore have been offered for sale on an online forum. For SGD 3,500, the buyer gets a highly exploitable collection of names, user IDs, birthdates, email addresses, phone numbers and more.

The company says that credit card details were not exposed, but has advised customers to reset their passwords and warned them to be alert for social engineering attacks built on the stolen data.

Cluley, Graham, Starbucks Singapore warns customers after hacker steals data, offers it for sale on underground forum, Bitdefender HotForSecurity blog, 17 September 2022. Available online at https://www.bitdefender.com/blog/hotforsecurity/starbucks-singapore-warns-customers-after-hacker-steals-data-offers-it-for-sale-on-underground-forum/.

More Info on Uber Hack

More information continues to emerge on last week's major breach of rideshare company Uber. Initial access was apparently gained by bombarding an Uber employee with MFA push authentication requests for over an hour, then contacting him on WhatsApp, claiming to be from Uber IT and telling him the only way to stop the requests was to accept one - which he did. This technique is referred to as 'push fatigue' (also 'MFA fatigue' or 'prompt bombing'); number-matching pushes, limits on repeated push attempts, and alerting when a user denies or ignores several pushes in a row all blunt it.
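The alerting half of that defence is simple enough to show. The following is an added example for this briefing, not code from Uber or from the cited articles: it parses a constructed push-event log (real IdPs such as Okta, Duo or Azure AD use their own field names, so parse_event() would need adapting) and raises a 'burst' alert when a user receives a threshold number of unapproved pushes inside a window, plus a higher-severity alert when such a burst ends in an approval, which is the Uber pattern.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs.

Added example for this briefing, not code from Uber or from the cited
articles. The log format is constructed for illustration; adapt
parse_event() to the push-event fields of your own identity provider.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: alice is bombarded for six minutes and finally approves;
# bob shows ordinary behaviour. Lines are deliberately not in time order.
SAMPLE_LOG = """\
2022-09-15T22:00:10Z user=alice event=push_sent result=timeout
2022-09-15T22:01:15Z user=alice event=push_sent result=denied
2022-09-15T22:02:20Z user=alice event=push_sent result=timeout
2022-09-15T22:03:25Z user=alice event=push_sent result=timeout
2022-09-15T22:04:30Z user=alice event=push_sent result=denied
2022-09-15T22:05:35Z user=alice event=push_sent result=timeout
2022-09-15T22:09:00Z user=alice event=push_sent result=approved
2022-09-15T22:00:00Z user=bob event=push_sent result=approved
2022-09-15T22:30:00Z user=bob event=push_sent result=timeout
this line is not a push event and is skipped
"""


@dataclass
class Alert:
    user: str
    kind: str          # "burst" or "approved_after_burst"
    unapproved: int    # unapproved pushes inside the window at alert time
    ts: datetime


def parse_event(line):
    """Parse one log line; return None for lines that are not push events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "result": m["result"]}


def find_push_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return Alerts for users who received `threshold` or more unapproved
    pushes inside `window`, and a second, higher-severity alert when such a
    burst ends in an approval (the victim gives in)."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event"] == "push_sent":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])   # logs rarely arrive in order
        pending = []                           # unapproved pushes still inside the window
        for ev in events:
            pending = [p for p in pending if ev["ts"] - p["ts"] <= window]
            if ev["result"] == "approved":
                if len(pending) >= threshold:
                    alerts.append(Alert(user, "approved_after_burst", len(pending), ev["ts"]))
                pending = []                   # a genuine approval resets the sequence
            else:
                pending.append(ev)
                if len(pending) == threshold:  # fire once as the burst crosses the line
                    alerts.append(Alert(user, "burst", len(pending), ev["ts"]))
    return alerts


if __name__ == "__main__":
    for a in find_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.user}: {a.kind} ({a.unapproved} unapproved pushes)")
```

On the sample, alice produces a 'burst' alert at the fifth unapproved push and an 'approved_after_burst' alert when she finally accepts; bob produces nothing. The threshold and window are the knobs to tune against your own false-positive rate: a user who legitimately fumbles two or three prompts should not page anyone.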

This got the attacker VPN credentials and access to Uber's intranet, but what happened next should send shivers down the spine of any infosec pro: the attacker found a network share containing PowerShell scripts that held the hardcoded username and password of a system administrator. With those keys to the castle, the attacker harvested further credentials and reached many of Uber's systems, including its Amazon Web Services and Google Workspace environments. Secrets belong in a vault or credential store that a script queries at run time, not in the script itself, and shares full of admin scripts are worth scanning for exactly this.
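Such a scan need not be sophisticated to catch the case described above. The following is an added example for this briefing, not code from Uber or the cited articles: a small scanner that flags quoted literals sitting next to secret-bearing PowerShell parameters, variable names or ConvertTo-SecureString -AsPlainText, and redacts the literal before reporting so the finding itself does not leak the secret. The sample script, the cmdlet Connect-ExampleService and the vault name CorpVault are constructed for illustration; Get-Secret is the real cmdlet from Microsoft.PowerShell.SecretManagement.

```python
"""Scan PowerShell scripts for hardcoded credentials.

Added example for this briefing, not code from Uber or the cited articles.
The rules are deliberately narrow (quoted literals next to secret-looking
parameters or variable names) so they are cheap to run in CI or across a
network share. The sample script, Connect-ExampleService and CorpVault are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# A quoted PowerShell string literal; the opening quote is capture group 1.
LITERAL = r"(['\"])[^'\"]+\1"

# (rule name, pattern). PowerShell is case-insensitive, so the rules are too.
RULES = [
    # ConvertTo-SecureString "literal" -AsPlainText: the classic way to build a
    # PSCredential from a password that lives in the script itself.
    ("plaintext-secure-string",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?" + LITERAL + r".*-AsPlainText", re.I)),
    # A literal passed straight to a secret-bearing parameter.
    ("secret-parameter-literal",
     re.compile(r"-(?:Password|Pass|Pwd|Secret|ApiKey|Token)\s+" + LITERAL, re.I)),
    # A literal assigned to a variable whose name says it holds a secret.
    ("secret-variable-literal",
     re.compile(r"\$\w*(?:passw(?:or)?d|pwd|secret|apikey|token)\w*\s*=\s*" + LITERAL, re.I)),
]


@dataclass
class Finding:
    line: int
    rule: str
    snippet: str   # the offending line with every quoted literal redacted


def redact(line):
    """Replace every quoted literal so that findings can be logged safely."""
    return re.sub(LITERAL, r"\1<redacted>\1", line)


def scan_powershell(text):
    """Return one Finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(n, name, redact(line.strip())))
                break
    return findings


# Constructed sample: a maintenance script of the kind described in the story,
# followed by the hardened form of the same task.
SAMPLE_SCRIPT = r"""# Constructed sample maintenance script (not Uber's).
$AdminUser = "CORP\svc_backup"
$AdminPassword = "Summer2022!"
$Secure = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ($AdminUser, $Secure)
Invoke-Command -ComputerName fileserver01 -Credential $Cred -ScriptBlock { Get-Service }
Connect-ExampleService -Token 'example-token-value'

# Hardened: no literal in the file; the credential is fetched at run time from a
# vault registered with Microsoft.PowerShell.SecretManagement.
$Cred = Get-Secret -Name BackupAdmin -Vault CorpVault
Invoke-Command -ComputerName fileserver01 -Credential $Cred -ScriptBlock { Get-Service }
"""


if __name__ == "__main__":
    for f in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
```

Run over the sample, the scanner reports lines 3, 4 and 7 (the password variable, the plaintext SecureString and the token parameter) and stays silent on the hardened lines, where the only thing in the file is the name of the secret, not its value. The rules will miss secrets built by string concatenation or read from a sibling config file, which is why the scanner is a cheap first pass rather than a substitute for moving credentials into a vault.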

Leyden, John, Uber hack linked to hardcoded secrets spotted in powershell script, The Daily Swig, 16 September 2022. Available online at https://portswigger.net/daily-swig/uber-hack-linked-to-hardcoded-secrets-spotted-in-powershell-script.

Vijayan, Jai, Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber, Dark Reading, 17 September 2022. Available online at https://www.darkreading.com/attacks-breaches/attacker-apparently-didnt-breach-single-system-pwn-uber.

Multiple Vulns in Web Application Firewall

We rely on external controls such as firewalls to reduce our risk, but that is not a one-way bargain: security software (and appliances) bring vulnerabilities of their own. The latest example is the WAPPLES web application firewall from Korean vendor Penta Security Systems. In a blog post, security researcher Konstantin Burov lists multiple very basic errors in this product, which is sold either as a VM image for cloud deployment or as an appliance.

The vulnerabilities are absolute classics, ranging from the same private keys being shipped on every machine, both for the self-signed TLS certificate of the web UI and for the SSH host key, through a system account with a predefined password and various privilege escalation vulns, to remote command execution via a default CouchDB configuration. Almost all of these are basic configuration errors; in many cases an admin can fix the settings by hand, although updating to the current version of the product will also provide fixes. Shared host keys deserve particular attention because they silently defeat host authentication: a client that has trusted one appliance will trust anything that presents the same key.
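Checking a fleet for that last problem is a few lines of work. The following is an added example for this briefing, not code from Penta Security or from the cited blog post: it reads ssh-keyscan style output ("host keytype base64blob"), computes each key's SHA256 fingerprint in the form OpenSSH prints, and reports every key that turns up on more than one host. The key blobs are constructed (correctly framed ssh-ed25519 blobs with made-up key bytes), as are the host names; the same grouping works for TLS certificate fingerprints gathered by a scanner.

```python
"""Find SSH host keys shared across a fleet.

Added example for this briefing, not code from Penta Security or from the
cited blog post. Input is ssh-keyscan style output; the key blobs and host
names below are constructed for illustration.
"""
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_lines):
    """Group hosts by (key type, fingerprint); return only the groups with more
    than one host. Comment lines (ssh-keyscan emits them with -v) and lines
    whose blob does not decode are ignored."""
    hosts_by_key = defaultdict(list)
    for line in keyscan_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            fp = openssh_fingerprint(blob)
        except ValueError:          # binascii.Error is a ValueError
            continue
        hosts_by_key[(keytype, fp)].append(host)
    return {key: hosts for key, hosts in hosts_by_key.items() if len(hosts) > 1}


def _fake_ed25519_blob(seed):
    """Constructed test data: an ssh-ed25519 public key blob (SSH string
    'ssh-ed25519' followed by a 32-byte SSH string) whose key bytes are
    sha256(seed). It is framed like a real key but is not one."""
    def ssh_string(b):
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()


# Constructed ssh-keyscan output: three appliances deployed from one image share
# a host key; two were re-keyed after deployment; one line is garbage.
SHARED = _fake_ed25519_blob(b"factory-image-2021")
SAMPLE_KEYSCAN = [
    "# waf-01:22 SSH-2.0-OpenSSH_8.2",
    f"waf-01 ssh-ed25519 {SHARED}",
    f"waf-02 ssh-ed25519 {SHARED}",
    f"waf-03 ssh-ed25519 {SHARED}",
    f"waf-04 ssh-ed25519 {_fake_ed25519_blob(b'waf-04')}",
    f"waf-05 ssh-ed25519 {_fake_ed25519_blob(b'waf-05')}",
    "waf-06 ssh-ed25519 not*valid*base64!",
]


if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{keytype} {fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the input comes from running ssh-keyscan against the address list of every appliance and VM image instance you operate; any group the check returns means those hosts need fresh keys (ssh-keygen -A on each, then updating clients' known_hosts), not just a patch.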

Burov, Konstantin, WAPPLES Web Application Firewall Multiple Vulnerabilities, blog post, 12 September 2022. Available online at https://medium.com/@_sadshade/wapples-web-application-firewall-multiple-vulnerabilities-35bdee52c8fb.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

[ Modified: Wednesday, 30 November 2022, 2:44 PM ]