A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. […] Read More
Visa warns of new JSOutProx malware variant targeting financial orgs
Visa is warning about a spike in detections for a new version of the JsOutProx malware targeting financial institutions and their customers. […] Read More
BleepingComputer
30+ Tesla Cars Hacked Using Third-Party Software
A security researcher identified a vulnerability in TeslaLogger, a third-party open-source data logger for Tesla vehicles, stemming from insecure default settings that could be exploited to gain unauthorized access to exposed TeslaLogger instances.
The issue was reported to the TeslaLogger maintainer, who took steps to mitigate the risk. It is important to note that the vulnerability does not reside in Tesla vehicles or in Tesla's infrastructure.
The researcher came across TeslaLogger while searching for interesting automotive projects.
After installing it on a laptop with Docker, he ran nmap against the instance and found three exposed services: the MariaDB database (port 3306), the Grafana visualization tool (port 3000), and an admin panel (port 8888).
Intrigued by MariaDB and Grafana, he used DBeaver to connect to the database with the default credentials published in the project repository and, hoping to extract the Tesla API tokens, ran a SQL query that returned every row of the 'cars' table.
The underlying risk affects any Tesla integration that uses the Tesla API: compromised Tesla tokens, both access tokens and refresh tokens, grant an attacker full remote control over the car.
Although Tesla's API supports role-based access control (RBAC), Tesla logger applications often request far more permissions than logging needs, so a stolen token can be used to manipulate the car's state (for example adding drivers, unlocking doors, or controlling the climate system).
This exposure persists even when the database itself is not reachable from the internet, because other routes to the stored API tokens exist. Some Tesla logger deployments on Raspberry Pi devices make matters worse by carelessly exposing the API key.
Harish SG found Grafana dashboards still using the default credentials, which gave access to the stored Tesla API tokens. TeslaLogger was vulnerable because it stored the credentials in plain text and shipped with insecure default configurations.
Using these weaknesses together with Censys scans of the public internet, he identified over 30 TeslaLogger instances exposed to remote attack, each potentially granting control of the associated Tesla vehicle, and responsibly reported the findings to the TeslaLogger developer after locating their contact information.
In summary, the researcher disclosed a vulnerability in TeslaLogger that could have allowed attackers to steal Tesla API credentials if they compromised the TeslaLogger database.
He worked with the TeslaLogger maintainer on the fix, which encrypts the API credentials in the database and adds authentication to the admin panel. He did not report the issue to Tesla directly because of an unhelpful response received from Tesla in the past about a similar issue in another third-party tool.
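The two mitigations described above, as an added example in Go that is not TeslaLogger's own code: API tokens are sealed with AES-256-GCM before they are written to the 'cars' table, so a dump obtained through default database credentials no longer yields usable tokens, and the admin panel is placed behind HTTP Basic authentication. The environment variable names, the 'enc:' row marker and the listener address are assumptions made for the example; the sample token is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Assumed marker that distinguishes sealed rows from legacy plaintext rows in the cars table.
const encPrefix = "enc:"

// LoadTokenKey derives the 32-byte data-encryption key from a secret held outside the
// database (env var name is an assumption; a KMS or OS keyring is the production choice).
// Keeping the key out of MariaDB is what makes a dump taken with default credentials useless.
func LoadTokenKey() ([]byte, error) {
	secret := os.Getenv("TESLALOGGER_TOKEN_KEY")
	if len(secret) < 32 {
		return nil, errors.New("TESLALOGGER_TOKEN_KEY unset or shorter than 32 characters")
	}
	k := sha256.Sum256([]byte(secret))
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealToken encrypts an access or refresh token for storage as
// encPrefix + base64(nonce || ciphertext || GCM tag). A fresh random nonce per call means
// two identical tokens never produce the same stored value.
func SealToken(key, token []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, token, nil) // ciphertext+tag appended after the nonce
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenToken reverses SealToken. A plaintext legacy row is rejected so callers cannot keep
// silently using it, and a tampered blob or a wrong key fails GCM tag verification.
func OpenToken(key []byte, stored string) ([]byte, error) {
	if IsPlaintextRow(stored) {
		return nil, errors.New("token stored in plaintext; migrate this row with SealToken")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return nil, errors.New("sealed token too short")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], nil)
}

// IsPlaintextRow is the audit check: true for rows a migration still has to seal.
func IsPlaintextRow(stored string) bool { return !strings.HasPrefix(stored, encPrefix) }

// BasicAuth wraps the admin panel handler. Both comparisons always run, so response timing
// does not reveal whether the username alone matched.
func BasicAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := subtle.ConstantTimeCompare([]byte(u), []byte(user)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(p), []byte(pass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="TeslaLogger admin"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	key, err := LoadTokenKey()
	adminPass := os.Getenv("TESLALOGGER_ADMIN_PASS") // assumed name
	if err != nil || adminPass == "" {
		fmt.Println("refusing to start without token key and admin password:", err) // fail closed
		return
	}
	stored, _ := SealToken(key, []byte("sample-refresh-token")) // constructed sample token
	tok, _ := OpenToken(key, stored)
	fmt.Printf("cars table holds %q..., logger process recovers %q\n", stored[:12], tok)

	admin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "admin panel") })
	http.Handle("/admin/", BasicAuth("admin", adminPass, admin))
	fmt.Println("admin panel on 127.0.0.1:8888 (loopback only; terminate TLS in front)")
	_ = http.ListenAndServe("127.0.0.1:8888", nil)
}
```

IsPlaintextRow doubles as the migration audit: a one-off job that walks the cars table and reports rows without the marker tells you whether the encrypt-at-rest fix has actually reached every stored token. Scope minimisation (requesting only the Tesla API permissions the logger needs when the token is issued) is the other half of the problem and is not something this code can enforce.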
The post 30+ Tesla Cars Hacked Using Third-Party Software appeared first on Cyber Security News.
End of VBScript! Microsoft Replacing it With Advanced Alternatives
Microsoft has officially announced the gradual deprecation of VBScript, with plans to replace it with more advanced alternatives such as JavaScript and PowerShell.
The move comes as part of Microsoft’s commitment to providing users with the best and most efficient experiences.
VBScript, a lightweight scripting language introduced by Microsoft in 1996, has been widely used for automating tasks and controlling applications on Windows-based systems. However, with the advancement of technology, more modern and efficient options are now available.
The deprecation will occur in three phases. In the first, beginning with the new Windows release slated for later this year, VBScript will be available as a Feature on Demand (FOD).
In the later phases the feature will be retired completely from future Windows releases as Microsoft transitions users to PowerShell.
As a result, projects that rely on VBScript will stop functioning once the language is fully retired; Microsoft expects users to migrate to the suggested alternatives before then.
Those alternatives, JavaScript and PowerShell, offer enhanced capabilities and better performance. PowerShell in particular is highlighted as the replacement for task automation and system management.
Deprecating VBScript is part of Microsoft's effort to modernize its scripting options for web development and task automation by replacing a legacy language with current, more efficient alternatives.
Malicious actors have used VBScript to distribute malware strains like Lokibot, Emotet, Qbot, and DarkGate. Deprecating VBScript is likely part of Microsoft’s broader strategy to mitigate the increasing prevalence of these malware campaigns.
For more information on VBScript deprecation and best practices for transitioning to alternative technologies, Microsoft encourages users to visit the Windows Tech Community and follow their updates.
The primary reasons for deprecating VBScript appear to be enhancing security by preventing its use in malware distribution, encouraging the transition to modern scripting alternatives, and allowing Microsoft to remove a legacy component that may contain vulnerabilities. However, Microsoft has not provided an official, detailed explanation behind this decision.
The post End of VBScript! Microsoft Replacing it With Advanced Alternatives appeared first on Cyber Security News.