ISC StormCast for Tuesday, May 9th, 2023

Released Tuesday, 9th May 2023

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Hello, and welcome to the Tuesday,

0:02

May 9, 2023 edition of the SANS Internet Storm Center's Stormcast. My

0:09

name is Johannes Ullrich, and I

0:11

am recording from Jacksonville, Florida.

0:16

We've got more news about QR codes. Overall,

0:19

I'm not really considering QR

0:21

codes the huge threats that some people

0:24

consider them, but there are

0:26

certainly some issues where the

0:29

ease of use of QR codes also

0:32

helps attackers. With that,

0:34

there are two distinct cases where recently

0:36

QR codes have been used maliciously.

0:40

One apparently in Singapore.

0:42

Now in this case, the victim

0:45

scanned a QR

0:46

code in a restaurant, believing

0:48

that it led to a survey, which of course

0:51

offered some kind of prize. The

0:53

first thing that should probably

0:55

have triggered sort of a little bit an

0:57

alarm here is that in order to participate

1:00

in a survey, you first have to download

1:02

a mobile app on your Android phone.

1:05

Okay, and these days, everything sort of is

1:07

its own app, maybe not really all

1:09

that suspicious to require the

1:11

download of an app in order to participate

1:14

in this simple restaurant

1:16

survey. But then

1:18

once the app was installed, it did

1:20

require quite excessive

1:23

privileges to accessibility features,

1:26

microphone, camera, essentially

1:28

gaining full access to the

1:31

device. The app then used

1:33

this access in order to

1:35

take over financial applications

1:38

and drain victims' bank

1:40

accounts. The other case

1:42

was here in the United States and a little bit of more

1:44

traditional sort of QR code

1:46

abuse. Apparently in San Francisco,

1:49

someone is handing out fake parking

1:51

tickets which conveniently come

1:53

with a QR code that allows the

1:56

victim to pay. These

1:58

are then good old

1:59

phishing websites that basically just steal

2:02

payment data from the victim.

2:05

The tickets were not only dated in the future

2:07

but they were also issued apparently

2:10

by the city of San Francisco

2:12

where usually San Francisco tickets

2:15

are issued by the San Francisco

2:17

Municipal Transport Agency. Of

2:19

course, something that maybe someone who is

2:22

not receiving a lot of parking tickets may

2:24

not notice. Of course, these

2:27

are all tricks that may have

2:29

worked

2:29

with a URL shortener or just by

2:32

tricking the user into typing

2:34

a particular URL but

2:36

by making it a QR code, you

2:39

give the victim just a couple

2:42

of seconds to think about and

2:44

maybe discover that this is a scam.

2:49

And it's still a week until Patch

2:51

Tuesday for May but

2:54

we did already get an update for

2:57

Microsoft Edge. Microsoft

2:59

Edge of course based on the Chromium

3:02

browser does update

3:04

whenever Chromium updates and we

3:06

are now at version 113. There

3:10

are a number of security improvements

3:13

that come with this version like

3:15

for example sort of a better definition of

3:18

the different security modes

3:20

that you have between balanced

3:23

and strict. Also some

3:25

vulnerabilities that are specific to

3:28

Edge that don't necessarily affect

3:30

Chromium were also patched. One

3:33

affects the content security policy

3:36

implementation, only a CVSS score

3:38

of 4.7 or medium and privilege escalation

3:44

vulnerability with a CVSS

3:46

score of 7.5.

3:49

And the latest Facebook security

3:52

report hits a familiar theme

3:54

with a flood of fake

3:57

ChatGPT

3:59

here, and this is something I think I mentioned

4:02

a couple times this is not just affecting

4:04

Facebook this is sort of across

4:06

multiple platforms like all the

4:08

different app stores and such are affected

4:11

by this that hackers are releasing

4:14

fake software that claims to be ChatGPT.

4:16

It may

4:18

offer sort of an interface for

4:21

ChatGPT but often

4:23

does also a number of malicious

4:26

things. So just like QR codes are

4:28

being used to trick users

4:29

into installing various

4:32

malicious software while the

4:34

label ChatGPT on some software

4:37

may do the same thing and that's of course

4:39

not unexpected given

4:42

that whenever we have big news

4:44

items like this there are scammers

4:46

like this jumping on the bandwagon

4:49

and using it to trick users to

4:51

install malicious software.

4:54

Then we got a couple of miscellaneous vulnerabilities.

4:57

One is in Apache's bRPC, where

4:59

B stands for better so

5:02

better RPC. Vulnerability

5:04

CVE-2023-31039 does

5:08

allow for arbitrary remote

5:11

code execution. There is

5:13

an update available so make

5:15

sure you patch and

5:17

talking about RPC, Pen Test

5:20

Partners disclosed a vulnerability

5:23

in CyberGhost that is

5:25

exploited by sending a crafted

5:28

JSON payload to the RPC

5:30

service and again it can lead to

5:32

command line injection in

5:35

the OpenVPN process.

5:37

CyberGhost VPN is based out of one

5:39

of those wrappers around

5:41

OpenVPN, and again

5:44

patches are available

5:47

and if you don't have enough of me I'll

5:49

actually participate on Tuesday

5:52

morning at 10 a.m. Eastern

5:55

in a SANS podcast. It's sort

5:57

of a new thing that SANS is starting. It's

5:59

a

5:59

weekly podcast, but also YouTube

6:02

live stream, 10 a.m. Eastern. I'll

6:06

add a link to the show notes and

6:09

well, let me know if you like that

6:11

as well. And maybe I'll participate

6:13

in that more frequently. Thanks

6:16

and talk to you again tomorrow.

6:18

Bye.
