Tag archives: Hackers

Motivations behind XZ Utils backdoor may extend beyond rogue maintainer

Security researchers are raising questions about whether the actor behind an attempted supply chain attack was engaged in a random, solo endeavor.

Source: https://www.cybersecuritydive.com/news/motivations-xz-utils-backdoor/712080/

The attempted supply chain attack against XZ Utils is raising troubling questions about the motivations of the suspected threat actor behind the incident as well as the overall security of the larger open source ecosystem. 

A Microsoft engineer accidentally found obfuscated malicious code installed in the xz library, which could lead to a major supply chain compromise. 

Security researchers and other industry experts suspect that a longtime contributor is behind what is now considered a multiyear effort to establish themselves as an insider, leading up to the attempted supply chain attack. 

XZ Utils, a data compression software utility found in most Linux distributions, has long been considered a widely trusted project, according to researchers. 

“The most unique and unsettling aspect of this attack is the significant effort and investment made by the attacker in gradually establishing themselves over several years as a credible open-source contributor and carefully advancing their position until they gained trust and the opportunity to maintain and add malicious code into a widely used package,” Jonathan Sar Shalom, director of threat research at JFrog, said via email. 

Researchers point to a GitHub account, @JiaT75, which has since been suspended, as the suspected original source of the backdoor. 

GitHub confirmed that it “suspended user accounts and removed the content” in keeping with its acceptable use policies; however, after an investigation the account belonging to @Larhzu was reinstated. 

The @Larhzu account is linked to Lasse Collin, the original and legitimate maintainer of the project. 

What followed was a multiyear effort to gain trust within the community, while at the same time allegedly testing the waters by making subtle changes that failed to raise any immediate alarm bells. 

“Now when we look back at the tale of the tape, what we see is Jia kind of surreptitiously inserted all these little changes over time,” Omkhar Arasaratnam, general manager at the Open Source Security Foundation, said in an interview. “None of them catastrophic, none of them very flashy. But you know, just to see if people were watching.”

Maintainers in focus

The open source community has seen previous cases of maintainers throwing tantrums or using the community as a platform to protest larger issues. But the patience and sophistication of this attack is raising questions for an increasing pool of experts about whether nation-state support is a factor.

“Our analysis suggests that the sophistication and operational security observed in this incident, including the strategic use of email addresses and IP addresses, point to a highly trained and sophisticated adversary,” said Brian Fox, co-founder and CTO of Sonatype, a supply chain management platform. “The lack of tangible evidence of the threat actor’s existence beyond their precise and limited engagements further distinguishes this from the actions of a rogue open source contributor.”

Red Hat on Friday warned that malicious code was present in the latest versions of xz tools and libraries. The vulnerability was assigned CVE-2024-3094 with a CVSS score of 10. 

Users were urged to immediately stop using Fedora Rawhide instances for work or personal use and the Cybersecurity and Infrastructure Security Agency warned developers and users to downgrade to an uncompromised version. 

Andres Freund, a principal software engineer at Microsoft, stumbled upon some anomalous activity last week and publicly disclosed the incident. Freund observed sshd processes using an unusual amount of CPU, and also noted that the wrong usernames had been applied. 

“Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier after package updates,” Freund said in a post on Mastodon.

Microsoft confirmed his role in discovering the attack and released guidance on how to respond, with a list of impacted Linux distributions. 

Jake Williams, a faculty member at IANS Research, said the incident highlights the need for defense in depth, including the need to have properly staffed vulnerability intelligence teams and proper investments in tooling.

“Organizations with strict firewall rules preventing access to their SSH servers limited exploitation opportunities, even for vulnerable deployments,” Williams said via email. “Some [cloud security posture management systems] had scans for vulnerable instances released the same day this was detected.”

How hackers are stealing keyless cars

Wirelessly unlocking your car is convenient, but it comes at a price. The increasing number of keyless cars on the road has led to a new kind of crime — key fob hacks!  With the aid of new cheap electronic accessories and techniques, a key fob’s signal is now relatively easy for criminals to intercept or block. Imagine a thief opening your car and driving away with it without setting off any alarms!

According to the FBI, car theft numbers have been on a downward spiral since their peak in 1991. However, numbers have been steadily inching their way up again since 2015. In fact, there was a 3.8 percent increase in car theft cases in 2015, a 7.4 percent increase in 2016 and another 4.1 percent increase in the first half of 2017.

In order to fight this upward trend and prevent your car from becoming a car theft statistic itself, awareness is definitely the key.

So arm yourself against this new wave of car crimes. Here are the top keyless car hacks everyone needs to know about.

1. Relay hack

Always-on key fobs present a serious weakness in your car’s security. As long as your keys are in range, anyone can open the car and the system will think it’s you. That’s why newer car models won’t unlock until the key fob is within a foot.

However, criminals can get relatively cheap relay boxes that capture key fob signals up to 300 feet away, and then transmit them to your car.

Here’s how this works. One thief stands near your car with a relay box while an accomplice scans your house with another one. When your key fob signal is picked up, it is transmitted to the box that’s closer to your car, prompting it to open.

In other words, your keys could be in your house, and criminals could walk up to your car and open it. This isn’t just a theory either; it’s actually happening.
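The following Python simulation is an added illustration and not part of the original article. It shows why the relay described above works even though the fob's cryptography is never broken (the relay only forwards a genuine challenge and a genuine answer), and how the standard countermeasure, a round-trip-time bound (distance bounding), catches it: a relay can amplify a signal to fool a signal-strength "within a foot" check, but it can only ever add delay, never remove it. The shared key, the relay and fob latencies, and the timing slack are all constructed values for the simulation; the one-foot unlock radius is taken from the text.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# All constants below are constructed for the simulation, not measured from any real vehicle.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"   # hypothetical car/fob shared secret
FT_PER_NS = 0.98             # radio travels roughly one foot per nanosecond
UNLOCK_RADIUS_FT = 1.0       # "won't unlock until the key fob is within a foot" (from the article)
FOB_PROCESSING_NS = 5.0      # fixed, calibrated delay inside the fob (assumed)
TIMING_SLACK_NS = 1.0        # tolerance for clock jitter (assumed)


class Fob:
    """The legitimate key fob: answers any challenge it hears with an HMAC under the shared key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


@dataclass
class Path:
    """Radio path between car and fob.

    A direct path is just the air between them. A relayed path spans the distance the
    two relay boxes bridge and adds each box's electronic latency in both directions.
    """

    distance_ft: float
    relayed: bool = False
    relay_latency_ns: float = 20.0   # per box, per direction (assumed)

    def round_trip_ns(self) -> float:
        airtime = 2 * self.distance_ft / FT_PER_NS
        relay = 4 * self.relay_latency_ns if self.relayed else 0.0
        return airtime + relay + FOB_PROCESSING_NS


def car_challenge(fob: Fob, path: Path, distance_bounding: bool) -> dict:
    """One unlock attempt as seen by the car. Returns what each check concluded."""
    challenge = os.urandom(16)
    expected = hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()

    # A relay forwards the challenge to the real fob and the answer back unchanged;
    # it never needs the key, so the cryptographic check passes either way.
    response = fob.answer(challenge)
    crypto_ok = hmac.compare_digest(response, expected)

    # Distance bounding: the answer must arrive within the time light needs to cover
    # the unlock radius twice, plus the fob's known processing time and some slack.
    rtt = path.round_trip_ns()
    budget = 2 * UNLOCK_RADIUS_FT / FT_PER_NS + FOB_PROCESSING_NS + TIMING_SLACK_NS
    timing_ok = rtt <= budget

    unlock = crypto_ok and (timing_ok if distance_bounding else True)
    return {
        "crypto_ok": crypto_ok,
        "rtt_ns": rtt,
        "budget_ns": budget,
        "timing_ok": timing_ok,
        "unlock": unlock,
    }


if __name__ == "__main__":
    fob = Fob(SHARED_KEY)
    owner_at_door = Path(distance_ft=0.5)
    fob_in_house = Path(distance_ft=300.0, relayed=True)   # the 300-foot relay from the article
    for label, path in (("owner at the door", owner_at_door), ("relayed from the house", fob_in_house)):
        for bounding in (False, True):
            r = car_challenge(fob, path, distance_bounding=bounding)
            print(f"{label:24s} distance_bounding={bounding!s:5s} "
                  f"crypto_ok={r['crypto_ok']} rtt={r['rtt_ns']:.1f}ns "
                  f"budget={r['budget_ns']:.1f}ns unlock={r['unlock']}")
```

Run stand-alone, the script prints four attempts: the owner at the door unlocks with or without the timing check, the relayed attempt unlocks only when the car relies on cryptography alone, and the relayed round trip (hundreds of nanoseconds) overshoots the roughly 8 ns budget by two orders of magnitude. Real implementations need ultra-wideband radios to measure at nanosecond resolution; the simulation only models the timing, not the radio.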

According to the German Automotive Club, here are the top cars that are vulnerable to key fob relay attacks:

  • Audi: A3, A4, A6
  • BMW: 730d
  • Citroen: DS4 CrossBack
  • Ford: Galaxy, Eco-Sport
  • Honda: HR-V
  • Hyundai: Santa Fe CRDi
  • Kia: Optima
  • Lexus: RX 450h
  • Mazda: CX-5
  • Mini: Clubman
  • Mitsubishi: Outlander
  • Nissan: Qashqai, Leaf
  • Vauxhall: Ampera
  • Range Rover: Evoque
  • Renault: Trafic
  • Ssangyong: Tivoli XDi
  • Subaru: Levorg
  • Toyota: Rav4
  • Volkswagen: Golf GTD, Touran 5T

2. Keyless jamming

In this scenario, the crooks will block your signal so when you issue a lock command from your key fob, it won’t actually reach your car and your doors will remain unlocked. The crooks can then have free access to your vehicle.

Safety tip: To prevent this from happening to you, always manually check your car doors before stepping away. You can also install a steering wheel lock to prevent car thieves from stealing your car even if they do get inside.

3. Tire pressure sensor hijack

Here’s a novel technique, but it is happening — crooks are hijacking your tire sensors to send false tire pressure readings. Why? So they can lure you into stopping your car, creating an opportunity for them to attack you. Sounds crazy, but this scheme is out there.

Safety tip: If you have to check your tires, always pull over at a well-lit, busy public area, preferably at a gas station or a service garage so you can ask for assistance.

4. Telematics exploits

One of the current buzzwords for connected cars is something called telematics. What is telematics? Simply put, it’s a connected system that can monitor your vehicle’s behavior remotely. This data may include your car’s location, speed, mileage, tire pressure, fuel use, braking, engine/battery status, driver behavior and more.

But as usual, anything that’s connected to the internet is vulnerable to exploits and telematics is no exception. If hackers manage to intercept your connection, they can track your vehicle and even control it remotely. Quite scary!

Safety tip: Before you get a car with built-in telematics, consult with your car dealer about the cybersecurity measures they’re employing on connected cars. If you do have a connected car, make sure its software is always up-to-date.

5. Networking attacks

Aside from taking over your car via telematics, hackers can also employ old-school denial-of-service attacks to overwhelm your car and potentially shut down critical functions like airbags, anti-lock brakes, and door locks. Since some connected cars even have built-in Wi-Fi hotspot capabilities, this attack is completely feasible. As with regular home Wi-Fi networks, they can even steal your personal data if they manage to infiltrate your car’s local network.

Also, it’s a matter of physical safety. Remember, modern cars are basically run by multiple computers and Engine Control Modules (ECMs) and if hackers can shut these systems down, they can put you in grave danger.

Safety tip: Changing your car’s onboard Wi-Fi network’s password regularly is a must.

6. Onboard diagnostics (OBD) hacks

Did you know that virtually every car has an onboard diagnostics (OBD) port? This is an interface that allows mechanics to access your car’s data to read error codes, statistics and even program new keys.

It turns out, anyone can buy exploit kits that can utilize this port to replicate keys and program new ones to use them for stealing vehicles. Now, that’s something that you don’t want to be a victim of.

Safety tip: Always go to a reputable mechanic. Plus, a physical steering wheel lock can also help.

7. In-car phishing

Another old-school internet hack is also making its way to connected cars, specifically models with internet connectivity and built-in web browsers.

Yep, it’s the old phishing scheme and crooks can send you emails and messages with malicious links and attachments that can install malware on your car’s system. As usual, once malware is installed, anything’s possible. Worse yet, car systems don’t have built-in malware protections (yet), so this can be hard to spot.

Safety tip: Practice good computer safety practices even when connected to your car. Never open emails and messages nor follow links from unknown sources.

How about car insurance?

Unfortunately, this rise in car theft numbers will not only put your keyless car at increased risk, but it can also hike up your insurance rates as well.

If you have a keyless car, please check your car insurance and see if it’s covered against car hacks. Since these types of crimes are relatively new, there might be some confusion on who’s going to be liable for what — will it be the driver, the car maker or the car computer developer?

According to financial advice site MoneySupermarket, most car insurance policies currently have these in place when dealing with emerging car technologies:

  • Drivers have one insurance policy that covers both manual and autonomous (self-driving) car modes.
  • If the driver of a self-driving car inflicts injury or damage to a third party, that party can claim against that driver’s car insurer regardless of what driving mode the car was in when the accident occurred.
  • Now here’s the part that covers car theft due to key fob and wireless attacks. Apparently, drivers won’t be liable for faults and weaknesses in their car’s systems and they will be able to file a claim if they are injured or have suffered loss because of those faults.

With key fob relay car theft and hacks, MoneySupermarket said that insurance companies will pay out as long as the car owner has taken reasonable steps to protect their vehicle.

However, if your particular car model is a common target for keyless theft, car insurance companies may charge you with higher premiums.

Steps to stop relay attacks

But still, it’s important to have the best possible protection against these emerging car crimes.

There are a few easy ways to block key fob attacks. You can buy a signal-blocking pouch that can hold your keys, like a shielded RFID-blocking pouch.

Stick it in the fridge…

If you don’t want to spend any money, you can stick your key fob into the refrigerator or freezer. The multiple layers of metal will block your key fob’s signal. Just check with the fob’s manufacturer to make sure freezing your key fob won’t damage it.

…or even inside the microwave

If you’re not keen to freeze your key fob, you can do the same thing with your microwave oven. (Hint: Don’t turn it on.) Stick your key fob in there, and criminals won’t be able to pick up its signal. Like any seasoned criminal, they’ll just move on to an easier target.

Wrap your key fob in foil

Since your key fob’s signal is blocked by metal, you can also wrap it up in aluminum foil. While that’s the easiest solution, it can also leak the signal if you don’t do it right. Plus, you might need to stock up on foil. You could also make a foil-lined box to put your keys in, if you’re in a crafting mood.


Source: https://www.komando.com/happening-now/495924/7-clever-ways-hackers-are-stealing-keyless-cars