OpenBSD bugs, Microsoft’s bad update, a new Nork hacking crew, and more

Welcome to yet another El Reg security roundup. Off we go.

OpenBSD a little too true to its name

The widely-used OpenBSD operating system is the host of a rather serious security vulnerability.

Researchers with Qualys found and reported an authentication bypass flaw that would allow an attacker to log in without valid credentials.

“We discovered an authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis,” notes Qualys. “For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.”

Admins will want to update their systems as soon as possible.

Microsoft update borks databases

Admins running Microsoft Access might want to hold off on installing the latest patch from Redmond.

This after Microsoft warned that the original patch for the database tool, released on November 12, was causing queries to fail.

While some versions have been updated with a fix to clean up the issue, two others, Access 2013 C2R and Access 2019 Volume License, will not get their fix until December 10.

For those wondering, things like this are part of the reason why some companies are behind on their patching: security fixes can sometimes bring with them other bugs that can cripple important systems.

IBM breaks down Hive0080

No, that’s not the name of the cheesy EDM act your sister’s new boyfriend plays in. It’s the newest North Korean hacking operation.

The team at IBM’s X-Force says that Hive0080 is in many ways like the other APTs operating out of the reclusive dictatorship. The outfit mainly exists to help the sanction-hit nation line its coffers with purloined currency.

“Our analysis of this group’s activity indicates they have been active since at least early 2018 and that their malware and TTPs are linked closely to those employed by North Korean-backed cyber operations groups,” X-Force reports.

“These links suggest that this group is financially motivated and, based on their efforts to stage enterprise data for extraction, may also be attempting to steal intellectual property.”

Beware orphaned Windows Hello TPM keys

Admins will want to read this Microsoft advisory and make sure they are not vulnerable to a security hole caused by mishandling of orphaned TPM keys in Azure Active Directory.

“After a user sets up Windows Hello for Business (WHfB), the WHfB public key is written to the on-premises Active Directory. The WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned,” Microsoft says of the keys.

“However, these orphaned keys are not deleted even when the device it was created on is no longer present.”

Bayrob hackers go down for decades

Bogdan Nicolescu and Radu Miclaus, the Romanian duo behind the Bayrob fraud operation, have been sentenced to 20 and 18 years in prison, respectively.

The pair were found to have infected more than 400,000 people’s computers with malware and made off with an estimated $4m using a combination of identity theft, phishing and cryptocurrency mining.

DOJ takes aim at money mules

The US Department of Justice has launched a campaign to take down money mule networks across the US.

The “mules”, sometimes unwitting accomplices, are used as the go-between for cybercriminals to get money out of victims’ accounts and wire it overseas to accounts controlled by the bad guys. The DOJ hopes it will be able to identify and stop hundreds of these individuals.

“The Money Mule initiative highlights the importance of partnership to stop fraud schemes, and it sends a message to all who are engaged in money mule activity that they will be caught and prosecuted,” FBI director Christopher Wray said of the effort.

Aviatrix VPNs vulnerable

Researchers with Immersive Labs have uncovered a vulnerability in the popular Aviatrix enterprise VPN platform.

The elevation of privilege flaw requires the attacker to already have access to the VPN, so it is not a major risk, but admins will still want to update the software as soon as possible, since these bugs can often be chained with other exploits to create a more serious issue.

“Coming hot on the heels of the UK and US Government warnings about VPN vulnerabilities, this underlines that often the technology protecting enterprises needs to be managed as tightly as the people using it,” said Alex Seymour, the Immersive Labs researcher who uncovered the bug.

“People tend to think of their VPN as one of the more secure elements of their security posture, so it should be a bit of a wakeup call for the industry.” ®