Blog Layout

Don’t trust links with known domains: BMW affected by redirect vulnerability

Jan 08, 2024

Sometimes, you can’t even trust links with your own domain. As the Cybernews research team has discovered, some BMW subdomains were vulnerable to redirect vulnerability, enabling attackers to forge links leading to malicious sites through them.

Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution.

SAP redirect vulnerability is a security issue that affects web application servers for SAP products (SAP NetWeaver Application Server Java). This means that anyone could forge a redirect link using these subdomains by adding a string such as this:

“sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite.com”

The final URL would look like this:

“https://<…>.bmw.com/sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite.com”

“It allows an attacker to redirect a user to a malicious website or inject arbitrary content into a legitimate website. This can be done by manipulating the URL parameters of the affected SAP system,” Cybernews researchers explained.

While not critical, such a vulnerability opens many creative opportunities for phishers, targeting employees or customers.

“Imagine you get an email from your CEO or manager asking you to do something. The firewall won’t block the malicious link in an email as the domain is legitimate. If you open the link and enter your credentials, attackers suddenly gain access to deploy ransomware or for other deeds. This exploit could also be used for mass phishing campaigns, targeting customers,” our researchers said.

Attackers exploit this vulnerability in the wild to steal sensitive information, such as login credentials, or to spread malware to unsuspecting users. When the victim clicks on a link that appears to be legitimate, they’re redirected to the attacker’s website, where malicious JavaScript is executed in the client’s browser or where they are prompted to enter sensitive information.

BMW fixes the vulnerability

Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed.

A BMW spokesperson assured us that information security is a top priority for the BMW Group, which applies to the company’s employees, customers, and business partners.

“After we identified the vulnerability, we acted to assess it and put the necessary actions in place to minimize a possible impact. As far as we know, the addressed vulnerability didn’t compromise BMW Group-related systems, nor was any data leaked or misused,” the spokesperson said.

They also explained that the BMW Group uses multi-level security controls when accessing internal systems, according to the principle: the more sensitive the data, the higher the security measures.

BMW is a German manufacturer of luxury vehicles headquartered in Munich.

How the redirect attacks work and how to avoid them

An SAP Redirect vulnerability and similar vulnerabilities usually cause web applications to redirect users to specified URLs. Those typically occur when web apps or components fail to properly validate or sanitize URLs before redirecting users.

This type of vulnerability, which affected BMW websites and other SAP systems, was first identified in 2012 but still poses risks to organizations even after applying security updates.

All attackers need to do is modify the URL value to redirect to a malicious site.

 

“Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance,” MITRE’s definition of the common weakness reads. “Whether this issue poses a vulnerability will be subject to the intended behavior of the application. For example, a search engine might intentionally provide redirects to arbitrary URLs.”

To address an SAP redirect vulnerability, Cybernews researchers recommend the following:

  • SAP has released patches for the affected products that address the SAP redirect vulnerability. Applying these patches is the most effective way to mitigate the vulnerability.
  • To prevent injection attacks and other vulnerabilities, developers should follow secure coding practices and guidelines, such as the Open Web Application Security Project (OWASP) Top 10.
  • Regular security assessments can help identify vulnerabilities in systems and applications and allow for proactive remediation before attackers can exploit them.

“Security is an ongoing process, and companies should regularly review and update their security measures to ensure they remain effective,” researchers noted.

“Redirect vulnerabilities are significant security risks and can have a devastating impact on organizations.”

Users should also beware of clicking any links – even when the domain appears legitimate. Attackers still have other ways to deliver a malicious payload.

Security Lapse by Microsoft Employees Exposes Internal Passwords

26 Apr, 2024
In continuation of Microsoft’s series of data security incidents, employees accidentally exposed internal data to the public. The leak exposed an unprotected Azure storage server containing code, scripts, and configuration files. Microsoft has announced that it has fixed a security breach that exposed internal company credentials and files to the open internet. The breach was first discovered by security researchers from cybersecurity firm SOC Radar. According to their report, an internal error resulted in an Azure storage server without password protection being given public access. The exposed data was primarily related to Microsoft’s Bing search engine, including configuration files, code, and scripts that employees used to access a range of internal systems and databases. Consequently, bad actors could identify and access locations for Microsoft's internal data. So far, it has not been made clear how long the data has been exposed. Anuj Mudaliar Assistant Editor - Tech, SWZD opens a new window opens a new window Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.

AT&T experienced data breach that impacted 51 million customers (No one is immune)

26 Apr, 2024
AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained. These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021. When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached. Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached. After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them. While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers. "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier." BleepingComputer contacted AT&T as to why there is such a large difference in impacted customers and was told that some of the people had multiple accounts in the dataset. "We are sending a communication to each person whose sensitive personal information was included. Some people had more than one account in the dataset, and others did not have sensitive personal information," AT&T told BleepingComputer. The company has still not disclosed how the data was stolen and why it took them almost five years to confirm that it belonged to them and to alert customers. Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted AT&T about it on March 17th and the information was for sale first in 2021. While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves. Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution. For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S. Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers. However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers. Update 4/10/24: Added statement from AT&T about discrepancy in numbers. BILL TOULAS Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Home Depot Data Compromised Through Third-Party SaaS Misconfiguration

26 Apr, 2024
Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party SaaS vendor inadvertently exposing a subset of employee data. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. A Home Depot software vendor suffered a data breach leading to the compromise of an undisclosed number of employees. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party software vendor inadvertently exposing a subset of employee data. Reportedly, the breach was caused by a misconfigured software-as-a-service (SaaS) application.
More Posts
Share by: