Saturday 28th September 2024

Happy Saturday everyone! Today's installment looks at hackers exploiting critical flaws in Kia’s dealer portals to remotely unlock cars using just a license plate, and at the latest variant of the RomCom malware, which steals data from unsuspecting networks. Enjoy!

Critical NVIDIA Container Toolkit Flaw Exposes Hosts

A critical security flaw in the NVIDIA Container Toolkit (CVE-2024-0132) could allow attackers to escape container confines and gain full access to the host system. With a CVSS score of 9.0, the vulnerability affects NVIDIA Container Toolkit versions up to 1.16.1 and NVIDIA GPU Operator up to 24.6.1, but it’s patched in versions 1.16.2 and 24.6.2.

The flaw, discovered by cloud security firm Wiz, involves a Time-of-check Time-of-use (TOCTOU) vulnerability that can be exploited by rogue container images to access the host file system. This access enables attackers to execute arbitrary commands with root privileges, posing severe risks to multi-tenant environments where data and secrets could be exposed across shared resources.

Users should update immediately to protect against this potential breach vector. While futuristic AI threats capture headlines, vulnerabilities in foundational infrastructure remain a top priority for cybersecurity defenses.
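To act on the update advice above, the following added example (not from the original newsletter or from NVIDIA) triages an inventory of installed versions against the fixed releases the article names. The inventory format, host names and function names are assumptions made for illustration.

```python
import re

# Fixed releases for CVE-2024-0132 as stated in the article above.
FIXED = {"nvidia-container-toolkit": (1, 16, 2), "gpu-operator": (24, 6, 2)}

# Constructed sample inventory: "<host> <component> <version>" per line.
SAMPLE_INVENTORY = """\
gpu-node-01 nvidia-container-toolkit 1.16.1-1
gpu-node-02 nvidia-container-toolkit 1.16.2-1
gpu-node-03 nvidia-container-toolkit 1.14.6
k8s-cluster-a gpu-operator v24.6.1
k8s-cluster-b gpu-operator v24.6.2
gpu-node-04 nvidia-container-toolkit unknown
"""

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", raw.strip())
    if not m:
        return None
    core = tuple(int(g) for g in m.group(1, 2, 3))
    # "-rc.1" / "~rc.1" style suffixes mark a pre-release; a plain package
    # revision such as "-1" does not.
    pre = bool(re.match(r"^[-~.]?(rc|alpha|beta)", m.group(4), re.IGNORECASE))
    return core, pre

def status(component, raw_version):
    """Classify one component version as vulnerable, patched or unknown."""
    fixed = FIXED.get(component)
    parsed = parse_version(raw_version)
    if fixed is None or parsed is None:
        return "unknown"
    core, pre = parsed
    # Assumption: a pre-release of the fixed version is not counted as patched.
    if core < fixed or (core == fixed and pre):
        return "vulnerable"
    return "patched"

def needs_update(inventory_text):
    """Return hosts whose entry is not confirmed patched (vulnerable or unknown)."""
    hosts = []
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and status(fields[1], fields[2]) != "patched":
            hosts.append(fields[0])
    return hosts

if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print("update required or version unverified:", host)
```

Entries with an unparseable version are reported alongside vulnerable ones so that an unverified host is never silently treated as patched.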

Kia Cars Vulnerable to Remote Hacks Using License Plates

Researchers uncovered critical flaws in Kia’s dealer portal that allowed hackers to control Kia cars made after 2013 using just a license plate. Discovered by cybersecurity experts Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll in June 2024, the vulnerabilities let attackers remotely control key functions of any hardware-equipped Kia vehicle, steal personal information, and even add themselves as hidden users on a victim's vehicle.

By mimicking dealer registration, the team gained access to Kia’s backend APIs, allowing them to execute commands on vehicles like unlocking doors and tracking the car—all in under 30 seconds. Notably, the flaws affected Kia vehicles regardless of Kia Connect subscription status and could be used without notifying the car owner.

The same team previously found similar vulnerabilities in over a dozen other car brands, including BMW, Mercedes-Benz, and Ferrari, as well as services like Reviver and SiriusXM. The flaws granted access to sensitive information, allowing attackers to manipulate critical systems and even perform remote code execution.

Kia has patched the vulnerabilities, and no evidence suggests they were exploited maliciously. But the findings highlight the need for robust security in vehicle connectivity systems.

New RomCom Variant "SnipBot" Targets Networks for Espionage

A new variant of the RomCom malware, dubbed SnipBot, has emerged with enhanced capabilities, targeting various sectors including IT services, legal, and agriculture. Discovered by Palo Alto Networks' Unit 42, SnipBot builds on RomCom’s previous versions to steal data from compromised systems and pivot across networks.

SnipBot, considered RomCom 5.0, extends its control with 27 commands, allowing attackers to specify data exfiltration targets, compress stolen data, and deploy archive payloads for evasion. Notable upgrades include advanced anti-sandboxing techniques, window message-based control flow obfuscation, and modules that execute directly from memory, enhancing stealth.

Attackers typically initiate infections through phishing emails and fake websites, such as a malicious Adobe font site, which deliver downloader payloads signed with legitimate certificates to avoid detection. SnipBot then hijacks COM objects to achieve persistence, injects itself into "explorer.exe," and exfiltrates data using tools like PuTTY Secure Copy and WinRAR.

While SnipBot’s exact goals remain murky, experts suspect a shift from financial theft to espionage, given the diverse targets and sophisticated tactics. The evolution of RomCom into SnipBot underscores the ongoing threat of advanced malware adapting to breach increasingly complex security defences.

Supreet Singh Matta

Senior BA | Cyber Security Cert IV | PSM I | ITIL

2 months

Interesting one on Kia cars. I'm pretty sure there's more there, with so many new connectivity options for cars.

Lok Yi Lo

PhD Candidate (Cyber security), CISSP, CISA, CISM, ACCA

2 months

Glad that my car is not a Kia

Majid Aziz

Strategic Marketing Architect

2 months

Very informative
