Smart home cybersecurity news roundup [August 2020]

This August edition of the smart home cybersecurity news roundup includes a Chrome browser vulnerability that could allow hackers to execute arbitrary code, an Amazon Alexa exploit that lets hackers gather user data, and a crypto-mining worm that steals high-level credentials from AWS users.

High-severity vulnerability affects the world’s most popular browser

A high-severity vulnerability (CVE-2020-6492) has been reported to affect a part of the Google Chrome browser which could allow hackers to execute arbitrary code and triggers a crash when the WebGL component fails to render properly.

The Web Graphics Library or WebGL is a JavaScript API that renders interactive 2D and 3D graphics without the use of plugins in compatible browsers. It’s a component of the Chrome browser that could lead to arbitrary code execution in the context of the browser's process following successful exploitation. The vulnerability specifically deals with ANGLE, a compatibility layer between OpenGL and Direct3D used on PCs running Windows.

The vulnerability was discovered by Marcin Towalski, senior research engineer for Cisco Talos and ranked 8.3 / 10.0 CVSSv3 score.

The Chrome beta and stable releases (85.0.4149.0) already include a patch for the vulnerability. The vulnerability still affects Chrome versions 81.0.4044.138 (stable), 84.0.4136.5 (dev) and 84.0.4143.7 (Canary).

Amazon Alexa vulnerability allowed hackers access to user data

On Aug. 13 Amazon publicly disclosed a flaw in Amazon Alexa and Echo devices that could have allowed hackers to gain access to personal user data and install skills, or apps, on them. Researchers believe bad actors would have had access to user voice history stored on the Alexa devices including banking data and banking history, usernames, phone numbers and home addresses.

“Amazon does not record your banking login credentials, but your interactions are recorded...we can access the victim’s interaction with the bank skill and get their data history,” they said. The researchers also noted that usernames and phone numbers could also be accessed, depending on the skills installed on the Alexa device.

You can watch how bad actors can take control of the Alexa device through the vulnerability in a video created by Check Point Research:

“We fixed this issue soon after it was brought to our attention, and we continue to further strengthen our systems,” said an Amazon spokesperson to Threatpost in an interview.

“We are not aware of any cases of this vulnerability being used against our customers or of any customer information being exposed.”

Researchers disclosed their findings to Amazon in June 2020, and the fix has been implemented since then.

Cryptojacking worm that steals high-level AWS creds

A cryptocurrency miner and DDoS-attacking worm targeting Docker systems for months has now mutated to steal high-level Amazon Web Services credentials. The hackers who authored the worm, TeamTNT, have also begun targeting Kubernetes clusters and Jenkins servers.

According to an article published by Help Net Security, the original worm had the capabilities to:

• Scan for open Docker daemon ports (i.e., misconfigured Docker containers)
• Create an Alpine Linux container to host the coinminer and DDoS bot
• Search for and delete other coin miners and malware
• Configure the firewall to allow ports that will be used by the other components, sinkhole other domain names, exfiltrate sensitive information from the host machine
• Download additional utilities, a log cleaner, and a tool that attackers may use to pivot to other devices in the network (via SSH)
• Download and install the coinminer
• Collect system information and send it to the C&C server

Now, the worm has mutated to search for exploitable Kubernetes systems and files that could contain credentials and config details for AWS infrastructure.

“Whilst these attacks aren’t particularly sophisticated, the numerous groups out there deploying crypto-jacking worms are successful at infecting large amounts of business systems,” writes Cado Security, the research team reporting on the incident, in their blog.

Researchers expect that other worms will copy this code in the future, and warn businesses to:

• Identify and delete any systems that may be storing AWS credential files unless needed
• Utilize firewall rules to limit access to Docker APIs
• Review network traffic for connections to mining pools or using the Stratum mining protocol
• Review any connections sending the AWS Credentials file over HTTP