Hey guys and welcome to Exploit Brokers where we break down articles, recap recent hacking events, and give insight on the technical aspects of the hacking events. I will explain things and give my opinion on tech and hacking events so let’s get started.
Hackable License Plates or Hack way or the Highway
What if your car’s license plate could track you? What if hackers were able to access that information and could monitor the position of your car whenever they wanted? This isn’t science fiction; this is what security researchers were able to do when they gained admin access to Reviver’s backend system. In an article by Vice titled “Researchers Could Track the GPS Location of All of California’s New Digital License Plates” they dive into the issue found by security researchers. Reviver is the company that sells and maintains the REVIVER license plate, a digital license plate that the company describes as the modern license plate. The digital license plate also allows a personalized message at the bottom of the plate. Once the security researchers gained admin access, they could change this message to whatever they wanted. In addition to modifying the personalized message, an attacker could track, update, and delete any plate they wanted. California currently allows digital license plates, and Reviver is the sole provider of these plates.
Let’s break down the technical information available to try to understand what happened. At first glance it appears there are two main account types handed out, a “CONSUMER” type and a “CORPORATE” type. At least that’s what appears to normally be issued. There was a third type of account identified as a “REVIVER” account. This acted as an admin account, or root in Linux terms. This means whoever had an account with a “REVIVER” type on it would be able to wield virtually unchecked powers. In my opinion this sounds like something developers and testers would implement so they can get in and out of the system for testing, maintaining, and enhancing pieces of code and products. This is purely what I suspect happened, but only REVIVER currently knows what the intention of the account type was.
The good news? Reviver has patched the issues that were reported by the security researchers. Good on them. It’s nice to see companies being receptive to bugs being reported and doing something about it. Far too many times you hear about companies ignoring bug reports or outside people finding flaws in their systems. REVIVER, I think you did well in fixing the issues promptly.
Canada’s standard means tether gets more restrictions.
It appears the crypto markets can’t catch a break. Decrypt.co is reporting on some more bad news for the crypto markets. It appears that Crypto.com will delist the Tether stablecoin in Canada due to pressure from Canadian regulators. Users will only have until January 31st to trade or withdraw their Tether coins. There was some confusion since the notice by Crypto.com did not specifically state that only Canadian users would be affected. Any remaining Tether after the January 31st deadline will be automatically converted to another stablecoin, USD Coin, issued by the financial tech company Circle.
The controversial decision was essentially forced by the Ontario Securities Commission when the Canadian Standards Association, or CSA, stated its view on stablecoins. The CSA essentially views stablecoins and stablecoin-related agreements as securities and/or derivatives. This change of view means that stablecoins are now treated as regulated instruments like stocks, derivatives, futures, and things of that nature. For my American viewers, the Ontario Securities Commission is essentially the Canadian equivalent of the Securities and Exchange Commission, or the SEC.
Let’s stop for a second and give some background on the topic. A stablecoin is the intermediary between crypto and fiat currency. It is generally tied to another currency or commodity and makes it easier for transactions between coins to happen without the added steps of exchanging to fiat currency such as US dollars. Stablecoins are backed by real-world assets such as the US dollar. To give further background on stablecoins: Tether is the third-largest digital asset by market capitalization and the largest crypto stablecoin available at the time of this recording. As well, USD Coin is the second-largest stablecoin and is issued by a FinTech company known as Circle. The move to convert any remaining Tether to USDC makes sense. USDC is owned by a registered Money Service Business in the US and is therefore already regulated and scrutinized by the US. Tether has had issues in the past, including lawsuits over its statements that USDT is backed by cash and cash equivalents. I’ll be sure to do a video on this in the future.
Let’s JWT this down
The one thing most developers and system admins don’t want to hear is that there is a severe vulnerability in the systems they are developing or maintaining. A new high-severity flaw has been found in JsonWebToken, or JWT. The flaw has the potential to allow an attacker to achieve Remote Code Execution, or RCE. Known as CVE-2022-23529, it has been patched in version 9.0.0 of the JWT package. If your app is running 8.5.1 or below, then it’s time to update it to 9.0.0 to avoid it being exploited out in the wild.
To give some context, JWT is how some web applications authenticate users. The JWT library is developed and maintained by Auth0, which is owned by Okta, Inc. The severity is a concern because the JWT library we’re discussing has over 10 million weekly downloads on NPM, the popular Node package manager, and is used by over 22,000 projects. That means thousands of potential applications are running vulnerable code that could lead to an attacker executing malicious code on a victim server.
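The practical first step from the episode is finding out whether your app still pulls in a jsonwebtoken older than 9.0.0, including copies nested under other dependencies. The following is an added example, not code from the episode or from the jsonwebtoken project; it walks an npm lockfile v2/v3 `packages` map (a constructed sample is embedded, with a hypothetical `legacy-auth` package) and flags every vulnerable copy.

```javascript
// Added example: scan an npm lockfile (v2/v3 "packages" map) for any copy of
// jsonwebtoken older than 9.0.0, the fixed release for CVE-2022-23529.
const FIXED_VERSION = '9.0.0';

// Compare two "major.minor.patch" strings; returns -1, 0 or 1.
// Prerelease tags (e.g. "9.0.0-beta") are stripped before comparing.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk every entry in lock.packages. Nested copies live under paths such as
// "node_modules/some-lib/node_modules/jsonwebtoken", so match on the suffix.
function findVulnerableJwt(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/jsonwebtoken$/.test(path)) continue;
    if (!meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy and one vulnerable
// copy pulled in transitively by a hypothetical "legacy-auth" package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/jsonwebtoken': { version: '9.0.0' },
    'node_modules/legacy-auth': { version: '1.2.3' },
    'node_modules/legacy-auth/node_modules/jsonwebtoken': { version: '8.5.1' },
  },
};

// Running this against the sample reports only the nested 8.5.1 copy.
const vulnerable = findVulnerableJwt(SAMPLE_LOCK);
console.log(vulnerable.length ? vulnerable : 'no vulnerable jsonwebtoken found');
```

To check a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a `npm ls jsonwebtoken` run gives the same picture from the CLI.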
We’re seeing more and more software supply chain related attacks lately. Essentially, why attack an application directly when you can find exploitable bugs in packages that have widespread usage? This allows an attacker to target tons of applications all at once. The moment a serious vulnerability is found, the attacker only needs to play the numbers game to get a successful attack underway.
Developers should be mindful of security as often as possible. I know it’s alluring to think that software has to be shipped fast, but it’s important to have processes in place to catch as many of these vulnerabilities as early as possible. It’s impossible to avoid eventually introducing bugs into applications, but the more that are caught, the harder it is for an attacker to find an easy vector of attack.
The Zero Day in Sugar
So, there is a major vulnerability in SugarCRM that allows attackers to take full control of the victim’s server. A recent zero day, or previously unknown vulnerability, has been discovered to have been exploited in the wild against SugarCRM instances. The zero day has reportedly affected 12 percent, or roughly 354, of the over 3,000 SugarCRM servers online. SugarCRM made a hot fix available in early January and has applied it to its cloud-based offerings. It encourages any admin running SugarCRM on their own servers to patch as soon as possible.
The vulnerability was posted in late December and included Google Dorks, or search queries used to find certain things using Google’s powerful web crawling. A hacker can use a Google dork to find websites that are potentially vulnerable by searching for information not generally visible on the surface of the website.
To give more info on the zero day found, it was identified as an authentication bypass bug. An authentication bypass bug allows an attacker to access the server without needing to be authenticated or logged in. The attacker in this instance was able to manipulate a file on the server. The file manipulation allowed the attacker to obtain a cookie, which could then be chained to upload a malicious image. The malicious image contained code that allowed the attacker to open a remote session on the server. Once they have a remote session on the server, they can do virtually anything they want to. This essentially means the hacker has completely taken over the server and could place other backdoors and launch their own apps at the expense of the server owner.
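The weak link in the chain above is an upload path that accepts a file as an “image” when it is really carrying code. The following is an added example, not code from the episode or from SugarCRM; it is a Node upload check that trusts the file’s bytes rather than its name, and refuses image/script polyglots. The sample buffers are constructed and the `validateImageUpload` helper is hypothetical.

```javascript
// Added example: validate an uploaded "image" by content, not filename, and
// reject files that carry script code behind (or instead of) an image header.
const MAGIC = [
  { type: 'png',  ext: ['png'],         bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'jpeg', ext: ['jpg', 'jpeg'], bytes: [0xff, 0xd8, 0xff] },
  { type: 'gif',  ext: ['gif'],         bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Markers that have no business inside an image; a server that hands uploads
// to an interpreter based on extension or content could otherwise run them.
const CODE_MARKERS = ['<?php', '<?=', '<script', '<%'];

// Return the MAGIC entry whose signature starts the buffer, or null.
function detectType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) return m;
  }
  return null;
}

// Three checks: recognised header, extension agrees with header, no code markers.
function validateImageUpload(filename, buf) {
  const ext = (filename.split('.').pop() || '').toLowerCase();
  const m = detectType(buf);
  if (!m) return { ok: false, reason: 'unrecognised image header' };
  if (!m.ext.includes(ext)) return { ok: false, reason: `extension .${ext} does not match ${m.type} content` };
  const text = buf.toString('latin1').toLowerCase();
  const hit = CODE_MARKERS.find((mark) => text.includes(mark));
  if (hit) return { ok: false, reason: `embedded code marker ${hit}` };
  return { ok: true, type: m.type };
}

// Constructed samples: a minimal GIF header, the same header with a harmless
// PHP tag appended (an image/script polyglot), and a PHP file renamed to .png.
const CLEAN_GIF = Buffer.from('GIF89a\x01\x00\x01\x00', 'latin1');
const POLYGLOT_GIF = Buffer.concat([CLEAN_GIF, Buffer.from('<?php echo "x"; ?>', 'latin1')]);
const FAKE_PNG = Buffer.from('<?php echo "x"; ?>', 'latin1');

console.log(validateImageUpload('logo.gif', CLEAN_GIF));    // ok
console.log(validateImageUpload('logo.gif', POLYGLOT_GIF)); // rejected: code marker
console.log(validateImageUpload('logo.png', FAKE_PNG));     // rejected: bad header
```

The marker scan is a cheap screen, not a parser; the stronger control is to re-encode accepted images with an image library and store them outside any directory the web server will execute.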
Thank you for tuning in this has been Exploit Brokers, I’ll see you in the next one!