CyberSec Roundup
A Synopsis of the Latest Cybersecurity News
Mercedes-Benz Leaks Customer Data
Mercedes-Benz informed its customers of a data breach at one of its vendors in which approximately 1.6 million records were accessed. Fewer than 1000 customers would have been affected, but the data accessed included personal information such as driver's license numbers, social security numbers, and credit card numbers. According to the security firm that investigated the incident, the data was exposed because the vendor used an insecure cloud storage platform to capture information that customers submitted to dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017. Affected customers are being offered a complimentary 24-month subscription to a credit monitoring service.
SonicWall VPN Patch Botched
Last October, SonicWall released a patch for a buffer overflow vulnerability in its VPN appliances (tracked as CVE-2020-5135). The vulnerability could allow attackers to execute arbitrary code by sending a malicious request to the firewall. That same month, cybersecurity firm Tripwire discovered a memory leak vulnerability (tracked as CVE-2021-20019) caused by the incomplete fix for the original buffer overflow (CVE-2020-5135). This new flaw could lead to disclosure of sensitive internal data. It remained unaddressed since then and has only recently been patched. Thankfully, SonicWall says there is no sign that the vulnerability is being exploited in the wild.
Zyxel Firewalls under Attack
Zyxel firewalls have not been so fortunate: the company has notified its customers that a sophisticated threat actor is targeting its security appliances that have remote management or SSL VPN enabled. The company believes that devices configured with a proper security policy for remote access can effectively defend against these attacks, and it has therefore released a standard operating procedure document to guide customers in setting up their remote access policy.
By: David Pinder
IT & Security Consultant
Certified Ethical Hacker (Master)