
* Subaru Flaw Could Have Let Hackers Track and Control Vehicles
* Hundreds of Fake Reddit Sites Push Lumma Stealer Malware
* Cybersecurity Needs to Start Saying 'No' Again
* GitHub Desktop and Other Git Clients Vulnerable to Credential Leaks
* Sophisticated Voice Phishing Scam Attempt Exploiting Google Workspace Domain Verification Flaw
Subaru Flaw Could Have Let Hackers Track and Control Vehicles
https://samcurry.net/hacking-subaru
A critical security vulnerability in Subaru's Starlink service could have allowed attackers to remotely control and track vehicles in the United States, Canada, and Japan.
The flaw, discovered by security researchers Sam Curry and Shubham Shah, enabled attackers to gain unrestricted access to customer accounts using limited information such as the victim's last name, ZIP code, email address, phone number, or license plate.
This access would have allowed attackers to:
* Remotely start, stop, lock, and unlock vehicles.
* Track vehicle locations in real time and access historical location data.
* Access sensitive customer information, including personal details, billing information, and emergency contacts.
The researchers exploited a vulnerability in the Starlink admin portal that let them bypass its authentication measures and gain unauthorized access to customer accounts. The portal's two-factor authentication (2FA) was also easily bypassed, simply by removing the client-side overlay from the portal's user interface.
Subaru addressed the issue within 24 hours of being notified. While this specific flaw was not exploited, it highlights the critical importance of robust security measures for connected vehicles.
This incident follows a similar vulnerability discovered in Kia's dealer portal, emphasizing the need for automakers to prioritize vehicle security and protect customer data.
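The 2FA bypass above is a reminder that a second factor rendered only in the browser is not a control at all: the server has to record that the factor was verified and re-check that record on every sensitive action. The example below is added here to show both patterns side by side; it is not Subaru's code or the researchers' code. The portal classes, the `unlock_vehicle` endpoint and the demo account are hypothetical, and the TOTP seed is the RFC 4226/6238 test-vector seed so the codes can be checked against the RFCs.

```python
"""Server-side MFA enforcement versus UI-only gating (added example)."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step, digits)


# Constructed demo account: placeholder password plus the RFC 4226/6238 test-vector seed.
USERS = {"owner@example.com": ("correct horse battery staple", b"12345678901234567890")}


class WeakPortal:
    """Anti-pattern (hypothetical): the second factor exists only as a UI overlay and
    the server trusts an `mfa_done` flag that arrives with the request. Removing the
    overlay, or sending the request directly, skips the factor entirely."""

    def __init__(self, users: dict):
        self.users = users

    def login(self, user: str, password: str):
        record = self.users.get(user)
        return {"user": user} if record and record[0] == password else None

    def unlock_vehicle(self, request: dict) -> int:
        # BUG: the authorization decision rests on client-controlled data.
        if request.get("session") and request.get("mfa_done") is True:
            return 200
        return 403


class HardenedPortal:
    """MFA completion lives in server-side session state, is set only after the
    server itself verifies a code, and is re-checked by every sensitive endpoint.
    Nothing the client sends can assert that the step happened."""

    def __init__(self, users: dict):
        self.users = users
        self.sessions: dict = {}  # session_id -> {"user": str, "mfa_ok": bool}

    def login(self, user: str, password: str) -> Optional[str]:
        record = self.users.get(user)
        if not record or not hmac.compare_digest(record[0], password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "mfa_ok": False}
        return sid

    def verify_mfa(self, sid: str, code: str, now: Optional[int] = None) -> bool:
        sess = self.sessions.get(sid)
        if not sess:
            return False
        secret = self.users[sess["user"]][1]
        now = int(time.time()) if now is None else now
        # Accept the current 30-second step and one either side to absorb clock drift.
        ok = any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))
        if ok:
            sess["mfa_ok"] = True
        return ok

    def unlock_vehicle(self, sid: str, request: dict) -> int:
        sess = self.sessions.get(sid)
        # `request` may carry whatever flags the client likes; they are ignored here.
        if sess and sess["mfa_ok"]:
            return 200
        return 403
```

The design point is where the `mfa_ok` bit is stored: in `HardenedPortal` it is written only by `verify_mfa`, after the server has computed the expected code itself, and read only from the server's own session table. Stripping the overlay from the page changes nothing the server looks at.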
Hundreds of Fake Reddit Sites Push Lumma Stealer Malware
https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
Cybercriminals are leveraging hundreds of fake Reddit and WeTransfer websites to distribute the Lumma Stealer malware.
These deceptive websites mimic the appearance of legitimate platforms, tricking users into downloading malicious payloads. For instance, the fake Reddit sites display fabricated discussion threads where users appear to be assisting each other with downloading files.
The thread creator asks for help downloading a specific tool, another user offers to help by uploading it to WeTransfer and sharing the link, and a third thanks them, so that the whole exchange appears legitimate.
These threads often link to fake WeTransfer pages, which then redirect users to download the Lumma Stealer malware.
Lumma Stealer is a sophisticated info-stealer known for its advanced evasion techniques and data theft capabilities. It can steal sensitive information such as passwords, cookies, and other credentials, potentially allowing attackers to hijack accounts and gain access to valuable data.
This campaign highlights the ongoing threat of social engineering and the importance of critical thinking when interacting with online content. Users are advised to be wary of unsolicited downloads and to verify the authenticity of websites and messages before clicking on any links.
Cybersecurity Needs to Start Saying 'No' Again
https://www.darkreading.com/cyber-risk/security-needs-start-saying-no-again
For years, cybersecurity teams were often perceived as the "Department of No," constantly blocking initiatives due to security concerns. However, in an effort to demonstrate value and foster collaboration, many teams have shifted towards a more accommodating approach.
While this shift has its benefits, some experts argue that it may have gone too far, leading to security teams overlooking critical risks and compromising their ability to effectively protect the organization.
Avoiding necessary "nos" can have detrimental consequences, including:
* Misalignment: Lack of clear boundaries can lead to confusion and misalignment between security teams and other departments.
* Overwhelmed Teams: Constant pressure to accommodate requests can overwhelm security teams and lead to burnout.
* Unmanaged Risks: Compromising on security measures can increase the organization's vulnerability to cyber threats.
However, saying "no" effectively is crucial. It requires careful consideration, clear communication, and a focus on aligning security decisions with broader business goals.
By emphasizing the importance of well-considered "nos" and fostering open communication and collaboration, security teams can better protect their organizations while maintaining positive relationships with other departments.
GitHub Desktop and Other Git Clients Vulnerable to Credential Leaks
https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to-us/
Multiple vulnerabilities have been discovered in popular Git clients, including GitHub Desktop, that could allow attackers to steal user credentials.
These vulnerabilities, stemming from improper handling of messages within the Git Credential Protocol, could be exploited by attackers to trick users into sending their credentials to malicious servers.
One such vulnerability, CVE-2025-23040, affects GitHub Desktop and allows attackers to inject malicious URLs that can mislead the client into sending credentials to the wrong server.
Other vulnerabilities impact the Git Credential Manager and Git LFS, also allowing attackers to exploit weaknesses in how these tools handle URLs and potentially leak credentials.
GitHub CLI is also vulnerable, particularly when used within GitHub Codespaces, where it can inadvertently leak access tokens to unauthorized hosts.
These vulnerabilities highlight the importance of keeping software updated and exercising caution when interacting with untrusted repositories.
Users are advised to update their Git clients to the latest versions, avoid cloning repositories from untrusted sources, and minimize the use of credential helpers where possible.
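The common thread in these bugs is a credential helper acting on a request it has not fully accounted for: attributes that arrive malformed, or a host that is only approximately the one the credential was saved for. The example below is added here and is not code from GitHub Desktop, Git Credential Manager, Git LFS, the GitHub CLI or the Flatt research; it is a strict helper-side validator, written for this page, for the `key=value` request block described in git-credential(1). The function names, the `STORED` record and the sample requests are constructed.

```python
"""Strict validation of Git credential-helper requests (added example)."""
from urllib.parse import unquote, urlsplit

# Attributes a client may legitimately send, per git-credential(1).
ALLOWED_KEYS = {"protocol", "host", "path", "username", "password", "url"}
# Characters permitted in a host[:port] value (IPv6 brackets included).
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-:[]")

# Constructed stored credential, bound to the protocol and host it was saved for.
STORED = {"protocol": "https", "host": "github.com",
          "username": "alice", "password": "placeholder-token"}


class CredentialRequestError(ValueError):
    """Raised for any request the helper cannot account for byte by byte."""


def _has_control(s: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def parse_request(raw: bytes) -> dict:
    """Parse a `key=value` block terminated by a blank line.

    Rejects NUL and CR anywhere, non-UTF-8 text, unknown or duplicate keys,
    control characters (literal or percent-encoded) in any value, and a `url=`
    attribute lacking a scheme or host. A `url=` attribute is expanded into
    protocol/host/path so that later checks always see the same shape."""
    if b"\0" in raw or b"\r" in raw:
        raise CredentialRequestError("NUL or CR in request")
    attrs: dict = {}
    for line in raw.decode("utf-8").split("\n"):
        if line == "":
            break  # blank line terminates the attribute block
        key, sep, value = line.partition("=")
        if not sep or key not in ALLOWED_KEYS or key in attrs:
            raise CredentialRequestError(f"bad attribute line {line!r}")
        if _has_control(value) or _has_control(unquote(value)):
            raise CredentialRequestError(f"control character in {key}")
        attrs[key] = value
    if "url" in attrs:
        u = urlsplit(attrs.pop("url"))
        if not u.scheme or not u.hostname:
            raise CredentialRequestError("url without scheme or host")
        attrs["protocol"] = u.scheme
        attrs["host"] = u.netloc.rsplit("@", 1)[-1]  # drop userinfo, keep any port
        if len(u.path) > 1:
            attrs["path"] = u.path.lstrip("/")
        if u.username and "username" not in attrs:
            attrs["username"] = u.username
    host = attrs.get("host", "").lower()
    if not host or not set(host) <= HOST_CHARS:
        raise CredentialRequestError(f"malformed host {host!r}")
    attrs["host"] = host
    return attrs


def authorize(request: dict, stored: dict):
    """Release the stored credential only for an exact protocol and host match.

    A sub-domain or look-alike host yields nothing. The path is deliberately
    ignored, as git itself does unless credential.useHttpPath is set."""
    if request.get("protocol") != stored["protocol"]:
        return None
    if request.get("host") != stored["host"].lower():
        return None
    if "username" in request and request["username"] != stored["username"]:
        return None
    return {"username": stored["username"], "password": stored["password"]}


def evaluate(raw: bytes, stored: dict = STORED) -> str:
    """Outcome for one request: released, refused (valid but no match) or rejected (malformed)."""
    try:
        req = parse_request(raw)
    except CredentialRequestError:
        return "rejected"  # answer nothing and log the request for review
    return "released" if authorize(req, stored) else "refused"
```

Two outcomes are kept distinct on purpose: `refused` is the normal case of a request for a host the helper has no credential for, while `rejected` means the request itself was malformed and is worth logging, since a well-behaved Git client never produces one.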
Sophisticated Voice Phishing Scam Attempt Exploiting Google Workspace Domain Verification Flaw
https://gist.github.com/zachlatta/f86317493654b550c689dc6509973aa4
Google is fortifying its security measures following a recent, elaborate voice phishing attack documented by programmer Zach Latta.
Latta, founder of Hack Club, detailed a close call he had with scammers who attempted to hijack his Google account through a series of tactics that bypassed traditional security measures.
The scammers, posing as Google Workspace support staff, contacted Latta claiming to have detected a suspicious login attempt. They used a phone number associated with Google Assistant calls and a seemingly legitimate "Google" caller ID. Additionally, a password reset email was sent from a genuine Google Workspace address, making the scam highly convincing.
However, Latta remained cautious and ultimately identified inconsistencies in the scammers' story. Notably, one scammer contradicted another on details, and a request to call them back was met with an unfazed response, raising a red flag.
This incident exposes a critical weakness: attackers were able to create Google Workspace accounts using unverified g.co subdomains, which allowed them to send password reset emails that appear to originate from Google itself.
Google has acknowledged the issue and is taking steps to bolster its defenses against such scams. They have suspended the account used in this attempt and are working to prevent attackers from exploiting g.co subdomains during registration.
The Latta case serves as a stark reminder to be wary of unsolicited calls, even if they appear to come from legitimate sources. Users should never provide sensitive information over the phone and should be extra cautious about emails originating from unverified senders.
This incident also highlights the evolving nature of phishing tactics and the need for continuous vigilance and security improvements.