In this latest roundup of cyber security news, we look at serious Bluetooth chip-level bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes, and a massive customer data breach at Cathay Pacific.
Enterprise Wi-Fi access points vulnerable to Bluetooth bug
A pair of critical Bluetooth bugs could make popular wireless access points used in many enterprises vulnerable to breaches.
The critical vulnerabilities reside in Bluetooth Low Energy (BLE) chips from Texas Instruments which are present in Wi-Fi access points from Cisco, Cisco Meraki and Aruba.
Dubbed Bleedingbit, the bugs were discovered by researchers from Armis and disclosed last week.
If exploited, the vulnerabilities could allow unauthenticated attackers to stealthily break into enterprise networks, take over access points, spread malware, and move laterally across network segments.
The first vulnerability affects TI BLE chips cc2640 and cc2650, used in Cisco and Cisco Meraki Wi-Fi access points. The second bug impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip cc2540 and its use of TI’s over-the-air firmware download (OAD) feature.
“These vulnerabilities are a sharp reminder that we need to ensure the security of the infrastructure we employ to support IoT devices is not undermined by those IoT devices or the protocols that support them,” Brian Honan, CEO at BH Consulting, told Help Net Security.
To exploit either vulnerability, an attacker would have to physically be within Bluetooth range of the targeted access point. TI, Cisco, Cisco Meraki and Aruba have all responded with patches, mitigations and information.
However, the vulnerabilities may affect devices beyond the scope of Wi-Fi access points. Armis said it’s working with US-CERT and other vendors to identify other potentially affected products used in industries such as healthcare, automotive and retail.
It plans to release a white paper describing the vulnerabilities and their exploitation at the Black Hat Europe conference in December.
Hackers exploit Cisco zero-day
A zero-day vulnerability affecting security software from Cisco is being exploited in the wild.
The vulnerability is present in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
It could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition, Cisco said in an advisory.
Attackers can exploit the vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device, Cisco said.
Attackers Use Zero-Day That Can Restart Cisco Security Appliances (Bleeping Computer)
Apple users: Listen up!
Apple has released updates for a variety of operating systems, web services and applications that collectively fix tens of vulnerabilities. The updateed products include iOS, MacOS, Safari, iCloud and iTunes.
“If you own any kind of Apple device or software, you may want to check to see if you have an update waiting for you,” Maria Varmazis, writing on Sophos’ Naked Security blog, recommended.
For example, among the 71 CVEs fixed on MacOS, 19 potentially allowed for arbitrary code executions at the system or kernel levels, and another six for denial of service attacks, Varmazis reported.
Meanwhile, SANS Institute noted that the iOS update — 12.1 — “includes fixes for more than 30 vulnerabilities, including nine remote code execution flaws in the WebKit browser engine and several flaws in FaceTime.”
Apple Releases Multiple Security Updates (US CERT)
Apple Patches Multiple Major Security Flaws (Dark Reading)
Apple Fixes Creepy FaceTime Vulnerability, Crash Bug in macOS, and More (Bleeping Computer)
Water, energy systems at risk of cyber intrusions
Trend Micro is sounding the alarm on IT vulnerabilities that could put water and energy systems at risk of hacks that could endanger people’s safety.
The problems lie within the so-called human machine interface (HMI) systems that employees use to interact with supervisory control and data acquisition (SCADA) environments.
“Many of these HMIs are legacy systems that were not initially designed to be connected to a network in this way. Today, connectivity is being added to many legacy operational technology systems, which have long lifespans and are very difficult to patch, exacerbating the risk of attack,” Trend Micro said in a statement.
The 70-page report can be accessed here.
Many water and energy systems vulnerable to significant cyber risk (Help Net Security)
Hackers access personal data of millions of Cathay Pacific passengers
Cathay Pacific suffered a data breach in which personal data from 9.4 million customers was accessed, an incident Bloomberg calls the worst data hack ever suffered by an airline.
Data includes names, nationalities, birthdates, phone numbers, email and physical addresses, and passport numbers.
Hackers also got identity card numbers, frequent flyer numbers, and historical travel information, the company said. The combination of data accessed for each affected passenger varies.
The airline is facing criticism over its handling of the situation, primarily because it discovered the breach in March but reported it in late October.
“There are reasonable grounds to believe there may be a contravention of a requirement under the law,” Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong, said in a statement.
If EU residents are affected by the breach, which is a very likely scenario, the EU’s severe General Data Protection Regulation (GDPR) could come into play as well.
Cathay Pacific should have alerted shareholders earlier about massive data leak (South China Morning Post)
In other news …
- Internet-connected solar power systems in the U.S. raise the risk of cyber attacks on the electrical grid, Bloomberg reported, citing a study from Ridge Global LLC.
- A new data privacy law in Canada tightens requirements and potential fines on businesses.
- FIFA suffered a phishing attack earlier this year, and warned that the perpetrators could release confidential information stolen during the breach.
- A Washington state ISP left an AWS S3 storage bucket unprotected for months. It contained sensitive confidential information about its operations.
- Abandoned yet insecure web apps represent a major risk for large enterprises, according to a study from High-Tech Bridge.