BleedingTooth: the new critical kernel Bluetooth vulnerabilities

Researchers discovered several critical flaws – collectively called “BleedingTooth” – in the BlueZ kernel Bluetooth stack. There is already a YouTube video demonstrating remote code execution using these vulnerabilities. More details can be found below.

BleedingTooth vulnerabilities: Linux Bluetooth allows Zero-Click Attacks

Bluetooth vulnerabilities that have been identified in the Linux kernel could be exploited to run arbitrary code or access sensitive information.

Referred to as BleedingTooth, the issues were identified by Andy Nguyen, a security engineer from Google, and are tracked as CVE-2020-12351 (CVSS score of 8.3), CVE-2020-12352 (CVSS score of 5.3), and CVE-2020-24490 (CVSS score of 5.3).

CVE-2020-12351: the most severe of the discovered flaws affects Linux kernel 4.8 and higher. The bug can be exploited by a remote attacker who is within Bluetooth range of the victim and knows the BD address (Bluetooth device address) of the target device. To trigger the flaw, the attacker would have to send a malicious L2CAP packet, which can lead to denial of service or even execution of arbitrary code with kernel privileges. The vulnerability can also be triggered by a malicious Bluetooth chip.

This is a zero-click vulnerability: exploiting it does not require any user interaction on the victim’s side.

The second issue is considered medium severity. CVE-2020-12352 is a stack-based information leak that impacts Linux kernel 3.6 and higher. A remote attacker within a short distance who knows the victim’s BD address can retrieve kernel stack information containing various pointers that can be used to predict the memory layout and to defeat KASLR. The leak may contain other valuable information, such as encryption keys.

The last bug, tracked as CVE-2020-24490 and also considered medium risk, is a heap-based buffer overflow that affects Linux kernel 4.19 and higher. A remote attacker within a short range of a vulnerable device can trigger the flaw by broadcasting extended advertising data. This could lead to denial of service or even arbitrary code execution with kernel privileges.

The vulnerabilities affect all Linux kernel versions before 5.9. BlueZ, the official Linux Bluetooth protocol stack, has announced Linux kernel fixes that patch all three of these security issues.


VPN vulnerabilities, a never-ending story… 800k SonicWall VPNs vulnerable to attack

SonicWall NSAs are used as firewalls and SSL VPN portals to filter, control, and allow employees to access internal and private networks. Almost 800,000 internet-accessible VPN appliances will need to be updated and patched for a major new vulnerability.

CVE-2020-5135 is a bug in a component that handles custom protocols. It impacts SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.

A trivial bug but still dangerous

The vulnerable component is exposed on the WAN (public internet) interface, meaning any attacker can exploit it, as long as they’re aware of the device’s IP address. The bug, in its simplest form, can cause a denial of service and crash devices.

CVE-2020-5135 is considered a critical bug, with a rating of 9.4 out of 10, and is expected to come under active exploitation once proof-of-concept code is made publicly available. Exploiting the vulnerability doesn’t require the attacker to have valid credentials as the bug manifests before any authentication operations.

Tripwire, whose security team discovered the vulnerability, reported the bug to SonicWall. Patches were released last Monday, Oct. 12th.


Lemon Duck – cryptocurrency miners are back into the spotlight

Researchers from Cisco Talos are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims’ computer resources to mine the Monero virtual currency. Although this threat has been active since at least the end of December 2018, they have noticed an increase in its activity at the end of August 2020. It is one of the more complex mining botnets with several interesting tricks up its sleeve.

How did it work? The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and EternalBlue. The code exploiting the BlueKeep vulnerability is also present, but it is disabled in the version they analysed.

The botnet has executable modules that get downloaded and driven by the main module, which communicates with the command and control (C2) server over HTTP.

The email-spreading module uses COVID-19-related subject lines and text, with an infected attachment sent using Outlook automation to every contact in the affected user’s address book.

A closer look at those tricks: Lemon Duck has at least 12 independent infection vectors, more than most malware. These capabilities range from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing to sending emails with exploit attachments and targeting the RDP BlueKeep flaw (CVE-2019-0708) on Windows machines. The attackers could also successfully compromise a Linux host via Redis, YARN or SSH.

Source: Cisco Talos

The modules include a main loader, which checks the level of user privileges and components relevant for mining, such as the type of the available graphic card (including GTX, Nvidia, GeForce, AMD and Radeon). If these GPUs are not detected, the loader downloads and runs the commodity XMRig CPU-based mining script.

Lemon Duck was previously spotted in 2020 in a campaign targeting printers, smart TVs and automated guided vehicles that depend on Windows 7. Researchers in February warned that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.

Defenders need to be constantly vigilant and monitor the behavior of systems within their network to spot new resource-stealing threats such as cryptominers. Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.

Sources: 1, 2

Pull the red card on FIFA 21 scams

In-game features of the just-released FIFA 21 title give scammers easy access to its vast audience.

The hotly anticipated release of blockbuster video game FIFA 21 on Oct. 6, along with the return of professional play, are giving soccer fans reason to celebrate. And, unsurprisingly, cybercriminals are already figuring out how to capitalize.

A report from researcher Christopher Boyd at Malwarebytes Labs outlined the various ways scammers are tapping into the oversized audience of FIFA 21 to turn a quick buck, including leveraging in-game goods and rewards. 

He explained that fraudsters are finding an easy hunting ground through a game mode called FIFA Ultimate Team (FUT). Within this mode, players can earn “coins” which are used within the game to buy “cards,” which Boyd described as “the lifeblood of the game.”

He pointed out there’s something called “FIFA points” which can be bought with real-life money within the game and from legit third parties. This is exactly the type of scenario that tends to grab the attention of fraudsters, he pointed out.

Crooks stand up fake coin “gift generators” and scam “rewards” delivered through banner ads, social-media posts, customer-service interventions and direct messages (DMs) — all designed to get players to unwittingly enter in their personal data in order to claim their prizes. Information harvested can include name, address, login credentials and more. Regardless of how players are contacted with the fraudulent offers, all roads lead to phishing pages or some other malicious gambit.

Of course, this isn’t new; criminals have been launching attacks using FIFA for cover for years. In 2018, the FIFA World Cup inspired massive spikes in both phishing attempts and spam, often using lures like Ronaldo and his counterpart at FC Barcelona, Lionel Messi. The mega, worldwide event and its enthusiastic fans even kicked off phishing attempts on travel organizations like and Alaska Airlines, which saw a jump in traffic in the runup to the tournament.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Microsoft and others orchestrate takedown of TrickBot botnet (ZDNet)
2. After blows from Cyber Command and Microsoft, TrickBot lives on (CyberScoop)
3. QBot uses Windows Defender Antivirus phishing bait to infect PCs (Bleeping Computer)
4. Microsoft is forcibly installing Office PWAs in Windows 10 (Bleeping Computer)
5. Windows “Ping of Death” bug revealed – patch now! (Naked Security)
6. Barnes & Noble hit by cyberattack that exposed customer data (Bleeping Computer)
7. Cybercriminals are using legitimate Office 365 services to launch attacks (Help Net Security)
8. BazarLoader used to deploy Ryuk ransomware on high-value targets (Bleeping Computer)
9. For Foxit’s sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns (The Register)
10. Zoom Rolls Out End-to-End Encryption After Setbacks (Threat Post)