At a glance.
- Bugs discovered in Honda sales platform.
- Update on Minecraft mod malware.
- Switzerland says government data were exposed in third-party attack.
Bugs discovered in Honda sales platform.
US-based cybersecurity researcher Eaton Zveare has published a blog post detailing his discovery of serious vulnerabilities in an eCommerce platform used by automaker Honda. Zveare says that by exploiting a password reset API he was able to reset the password of any account, and that an attacker could use such an exploit to access sensitive customer and dealer data. In addition, Zveare was able to access a dealer admin dashboard that allowed him to elevate his privileges to administrator of the entire platform, giving him powers intended only for Honda employees. From there, he could access private details of 21,000 customer orders ranging from 2016 to 2023, and had the power to modify fifteen hundred dealer sites. In his blog post, Zveare stated, “With access to more than 21k customer orders, highly targeted phishing campaigns could be created to trick customers into providing even more valuable data, or to try and install malware on their devices.” He also noted that a hacker could use the access to active sites to covertly add malicious code such as cryptominers and credit card skimmers. As SecurityWeek explains, Zveare reported his findings to Honda in March, and the car giant promptly resolved the issues. The platform in question supports sales of Honda power equipment like generators and lawnmowers, not cars, and powers Honda Dealer Sites, a service that allows dealers to create websites where they sell Honda products.
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, offered some bullet points on the growing significance of APIs to the criminal underworld. “APIs have become a gateway for cybercriminals to hijack the digital transformation of companies,” he wrote. “Honda is not the first or last major corporation to be attacked in this fashion. We should expect to see APIs increase as an attack vector for a number of reasons:
- The total number of public and private APIs in use is approaching 200 million.
- There is a shift in new development approaches to microservices architecture.
- Shadow APIs abound.
- Hybrid apps spanning on-premises, cloud and serverless environments increase the attack surface.”
Jason Kent, Hacker in Residence at Cequence Security, sees the incident as an object lesson in the importance of formal information-sharing arrangements:
"Illustrating why ISACs (information sharing and analysis centers) are so important, this attacker figured out what to do on Toyota and moved to Honda. The actual tech stack rarely matters; the business logic for any automotive manufacturer's platforms is going to be similar. The way they are implemented, similar. The flaws, similar.
"Just as with the Toyota hack, finding an API that allowed for privileged access was a great way to get in. It’s interesting they found that while trying a standard password reset attack but realized it would be way less noisy to attack the token directly. Though the tech stacks were different, the methodology is what proved to be the best given the implementation of the desired components. Using techniques like enumerating IDs in query strings is as basic as modern API security gets; GUIDs are always better, but obfuscation alone will only get one so far.
"API security is immature at this stage of history, but application security, the basis for it, has been around for the better part of three decades now. The lessons we thought we had learned in AppSec don’t seem to be resonating with the same communities that are looking after APIs. 'If the technique works at my neighbor, it will probably work on me' needs to be a priority. Taking the lessons learned from the industry, and applying them, is the only way we are going to make things better."
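The Honda report describes a password reset API that let anyone reset any account, and Kent's comment points at the token as the real weak point. The following is an added illustration, not code from Zveare's write-up or from Honda's platform, of that class of flaw beside a hardened reset handler: the account store, token lifetime and function names are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the platform's database.
PASSWORDS = {"dealer-1001": "old-pass", "customer-42": "old-pass"}
RESET_TOKENS = {}  # account -> (sha256(token), expiry as epoch seconds)


def reset_password_vulnerable(account, new_password):
    """Assumed vulnerable pattern: the account identifier comes straight from
    the request and nothing proves the caller owns it, so any known or
    enumerable account can have its password replaced by anyone."""
    if account not in PASSWORDS:
        return False
    PASSWORDS[account] = new_password
    return True


def issue_reset_token(account, ttl=900, now=None):
    """Mint a random, short-lived token bound to one account. Only its hash is
    stored, so a leaked table does not yield usable reset links. The raw token
    is delivered out of band (e.g. e-mail) to the account owner only."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[account] = (digest, now + ttl)
    return token


def reset_password_hardened(account, token, new_password, now=None):
    """Hardened reset: the presented token must match the one minted for
    *this* account, must be unexpired, and is consumed on successful use."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(account)
    if entry is None:
        return False  # no outstanding reset for this account
    stored_hash, expiry = entry
    if now > expiry:
        RESET_TOKENS.pop(account, None)  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented):  # constant-time compare
        return False
    RESET_TOKENS.pop(account, None)  # single use
    PASSWORDS[account] = new_password
    return True
```

Rate limiting of reset requests and of token submissions is a separate control and is not shown here.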
Update on Minecraft mod malware.
As we noted yesterday, malware called Fractureiser discovered in Minecraft mods was used to launch a pseudo-supply-chain attack. An investigation revealed that the mods and plugins were hosted on the CurseForge and Bukkit modding communities and could be used to publish malware-tainted updates without the original author’s knowledge. In an update added today, Bitdefender says it tracked an old sample of the malware that was likely used for testing, and indicates that the malware was created in April 2023. Several identified executables show that the attackers initially planned to distribute EXE files rather than JAR files, but it's unclear whether the EXE files were ever distributed in the wild.
Switzerland says government data were exposed in third-party attack.
The Swiss government has disclosed that a cyberattack on a tech firm that provides software for several departments might have compromised government operational data, Barron's reports. In a statement issued yesterday, the government stated, "Xplain, a Swiss provider of government software, has been the victim of a ransomware attack. After the stolen data had been encrypted and the company blackmailed, the attackers posted some of the stolen data on the darknet. Contrary to the initial findings and following recent in-depth clarifications... it appears that operational data of the federal administration could also be affected.” Xplain supplies software to authorities specializing in homeland security, and the Swiss army and customs department are among its clients. The Play ransomware group is allegedly responsible for the attack, but Xplain’s director Andreas Loewinger says the company has not made any contact with the attackers and does not plan to pay a ransom.