VMware emits security alerts, Planet Hollywood chain hacked, SWAT death caller gets 20 years in clink, and more
A quick summary of infosec news to start your week
Now, here are some extra bits and bytes to start this week and month.
VMware rings the klaxon over service provider vulnerability
If you're running a server hosting VMware's Service Provider portal, you will want to make sure all your software is up to date immediately. That's because the virtualization giant recently put out an advisory for a remote hijacking bug.
"VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability in the Tenant and Provider Portals," VMware says. "Successful exploitation of this issue may allow a malicious actor to access the Tenant or Provider Portals by impersonating a currently logged in session."
Discovery of the flaw was credited to Tyler Flaagan, Eric Holm, Andrew Kramer, and Logan Stratton from Dakota State University.
Meanwhile, VMware ESXi, Workstation and Fusion need to be patched to close a guest-to-host hypervisor escape.
"VMware ESXi, Workstation and Fusion contain an out-of-bounds read/write vulnerability and a Time-of-check Time-of-use (TOCTOU) vulnerability in the virtual USB 1.1 UHCI (Universal Host Controller Interface)," said VMware. "Exploitation of these issues requires an attacker to have access to a virtual machine with a virtual USB controller present. These issues may allow a guest to execute code on the host."
The Fluoroacetate team of Amat Cama and Richard Zhu were thanked for finding the flaw, reported via this year's Pwn2Own competition.
Mobiispy, which makes cellphone spyware for people to keep track of spouses, kids, employees, and so on, reportedly accidentally left thousands of collected images and audio recordings facing the public internet... Creating a duff .lnk file on a Windows PC can stop the LockerGoga ransomware from scrambling files... South Korean boffins claim to have found scores of security issues in 4G network implementations through fuzzing, and have warned carriers of the vulnerabilities...
Also, beware an Android banking trojan dubbed Gustuff, which ransacks your online banking apps after you install it from an .apk package archive, typically sent through SMS.
Celeb hacker pleads guilty
A 27-year-old man from the US state of Georgia has agreed to two felony counts over a hacking spree that targeted professional athletes and rappers.
Kwamaine Ford pleaded guilty to aggravated identity theft and computer fraud in connection with a massive hacking campaign that saw him lift the credit card numbers of "dozens" of NBA basketball players, NFL football players, and rappers (none were named).
Prosecutors said Ford had posed as Apple support and sent emails to the targets asking them to reset their accounts. When the marks went to the phishing page and entered the information, Ford was then able to access their accounts and get their credit card numbers.
Old Cisco flaw resurfaces in exploits
If you haven't updated your Cisco WebEx software in a while, here's a good reason to consider patching ASAP.
Switchzilla warned this week that an in-the-wild exploit has been targeting CVE-2017-3823, a vulnerability that allows remote hijacking via the WebEx browser plugin.
"An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability."
Given that the flaw is more than two years old, there's a good chance you already have the fix for this one, but it's a good idea to check your plugin and get the most recent version just in case.
Planet Hollywood owner barfs up customer payment card info
It appears we have yet another major chain falling victim to point-of-sale malware.
This time, it's restaurant chain Earl Enterprises, who own and operate chains like Planet Hollywood, Buca di Beppo, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria.
The eatery conglomerate was relieved of card information including numbers, expiration dates, and the names of some cardholders.
"Although the dates of potentially affected transactions vary by location, guests that used their payment cards at potentially affected locations between May 23, 2018 and March 18, 2019 may have been affected by this incident," Earl says.
Forget cashless shops, we think the next generation of secure eateries should avoid this whole mess and go cash only.
Man overturns child abuse image charge thanks to his own lousy opsec
Professor Orin Kerr shared a court ruling in the US that overturned someone's conviction for possessing child sex abuse images because the evidence against him was collected from a laptop that wasn't password protected and sat in a part of his home shared with housemates.
The New Hampshire circuit court of appeals ruled that the conviction of a man accused of downloading child pornography from a P2P network had to be vacated over lack of evidence, after it was found that prosecutors could not prove exactly who fetched the vile imagery.
In this case, the defendant shared his home with a number of roommates and left his computer in a common area with no password. Because anyone in the house could have in theory sat down at the PC and gone online to get the images, the court found it could not be proven beyond a reasonable doubt that the defendant was the one that had downloaded the illegal content.
In case you needed yet another reason to lock down your machine, do it lest your roommates be allegedly secretly committing crimes.
Asus MAC addresses surface
Earlier last month, the news broke that up to a million or so Asus machines had been bugged with spyware thanks to a compromised update server. At the same time, we learned from Kaspersky Lab that of those one million infected, about 600 were specifically targeted, selected by their network adapter's MAC address from a list hardcoded in the malware.
Now, someone's compiled those addresses into a public list for sysadmins to check against their Asus laptop inventory for possible infections.
A post on GitHub gives a list that looks to be all of the machines whose addresses were infected via the malicious software update. It goes without saying that if you find your Asus computer (or a machine you administer) on the list you will want to get in touch with law enforcement as well as scrub the machine of the software nasty, check network logs for data exfiltration, and reset login credentials.
If these hackers went through the effort of infecting so many machines to get at a few hundred, they must have had very strong motivation to obtain and siphon off your data.
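One way to run the inventory check described above, as an added example that is not from the GitHub post or from Kaspersky Lab. The list text, hostnames and addresses are constructed, and the inventory is assumed to store adapter addresses in mixed notations:

```python
import re

# Constructed sample data. MACs use the RFC 7042 documentation range
# 00-00-5E-00-53-xx; none of them come from the published list.
PUBLISHED_LIST = """\
# one address per line, comments allowed
00:00:5e:00:53:0a
00005E00530B
"""
INVENTORY = [
    ("lap-001", ["00-00-5E-00-53-0A", "0000.5e00.53ff"]),  # wired + wifi
    ("lap-002", ["00:00:5E:00:53:10"]),
    ("lap-003", ["n/a"]),                                   # bad inventory entry
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_targets(text):
    """Parse the list, ignoring blank lines and '#' comments."""
    macs = (normalize_mac(line.split("#", 1)[0]) for line in text.splitlines())
    return {m for m in macs if m}

def check_inventory(inventory, targets):
    """Return (hits, unparsable): hosts on the list, and entries that
    could not be checked and so must not be read as clean."""
    hits, unparsable = [], []
    for host, adapters in inventory:
        for raw in adapters:
            mac = normalize_mac(raw)
            if mac is None:
                unparsable.append((host, raw))
            elif mac in targets:
                hits.append((host, raw))
    return hits, unparsable

if __name__ == "__main__":
    hits, unparsable = check_inventory(INVENTORY, load_targets(PUBLISHED_LIST))
    for host, raw in hits:
        print(f"ON LIST   {host} {raw}")
    for host, raw in unparsable:
        print(f"UNCHECKED {host} {raw!r}")
```

Every adapter on a machine needs checking, since a laptop's wired and wireless interfaces carry different addresses.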
Zscaler warns of malware spreading through common HTTPS directory
Researchers with Zscaler say that a recent malware outbreak has been hiding in plain sight on a number of WordPress sites.
Mohd Sadique explained how vulnerable versions of the content management system were compromised and loaded with phishing pages that hid themselves within a specific directory used to handle SSL certificates. These directories are used to check and validate certs, and for the most part administrators don't even know they exist.
"The attackers use these locations to hide malware and phishing pages from the administrators," Sadique explained.
"The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site."
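A defender's audit for the hiding place described above, as an added example that is not Zscaler's code. The article does not name the directory; this sketch assumes it is `.well-known/` with its `acme-challenge` and `pki-validation` subdirectories, and the size ceiling and sample files are constructed:

```python
import os
import re
import tempfile

# ACME HTTP-01 tokens are base64url strings with at least 128 bits of entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")
MAX_BYTES = 2048  # assumed ceiling; validation files are a line or two of text

EXPECTED_NAME = {
    "acme-challenge": lambda n: TOKEN_RE.fullmatch(n) is not None,
    "pki-validation": lambda n: n.lower().endswith(".txt"),
}

def audit_cert_dirs(webroot):
    """Return sorted (relative_path, reason) for files that do not look
    like certificate validation material."""
    findings = []
    for sub, name_ok in EXPECTED_NAME.items():
        base = os.path.join(webroot, ".well-known", sub)
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                if dirpath != base:
                    findings.append((rel, "nested directory"))
                elif not name_ok(name):
                    findings.append((rel, "unexpected file name"))
                elif os.path.getsize(full) > MAX_BYTES:
                    findings.append((rel, "too large"))
    return sorted(findings)

def demo():
    """Audit a constructed web root holding one valid token and two strays."""
    with tempfile.TemporaryDirectory() as root:
        acme = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(os.path.join(acme, "mail"))
        samples = {
            "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA": "token.thumbprint",
            "login.php": "constructed placeholder",
            "mail/index.html": "constructed placeholder",
        }
        for rel, body in samples.items():
            with open(os.path.join(acme, *rel.split("/")), "w") as fh:
                fh.write(body)
        return audit_cert_dirs(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `audit_cert_dirs` at a real document root to list anything in those directories that a certificate client would not have written.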
Junked Teslas betray driver info
If you total your brand new Tesla and it needs to be hauled off to the junkyard, you may want to check first that the console is wiped clean of personal data.
That's because researchers have found that junked cars may still contain unencrypted information about you, including all of the contact information from your paired phone.
This isn't so much a privacy issue specific to Tesla, as other researchers have pointed out that the same sort of information often gets left in rental cars and other shared vehicles. In other words, think of your modern car as a tablet on wheels, and make sure it's wiped clean before letting go of it.
Fatal swatter gets 20 years in clink
We've previously covered the story of how an alleged feud between three gamers in the US got an innocent man from Kansas killed by police shortly after Christmas 2017.
There were new developments in the case last month when a Wichita judge sentenced Tyler Barriss, the man who made the "swatting" call that led to police shooting dead 28-year-old Andrew Finch, to 20 years behind bars.
Barriss had previously pleaded guilty to 51 federal charges relating to that and other fake calls he had made to police over the years. The men whose online feud led to Barriss making the swatting call, Casey Viner of Ohio and Shae Gaskill of Kansas, are awaiting trial for their roles after denying any wrongdoing. ®