Zoom calls exposed to eavesdropping

Aug 14 2023

Welcome to Gone Phishing, your daily cybersecurity newsletter that reckons cybercriminals should be forced to do National Service. 74% of pensioners think ALL young people should

Today’s hottest cyber security stories:

  • Zoom flaws expose users to eavesdropping hackers

  • Flaws in CyberPower and Dataprobe products leave data centres in the lurch

  • Cumbria Police accidentally published the salaries of 2,000+ employees

Loose links sink ships

BREAKING NEWS: Security Alert!

Multiple vulnerabilities have been revealed in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP). The findings, presented by SySS security researcher Moritz Abrell at the Black Hat USA conference, highlight serious risks.

The vulnerabilities lie in Zoom's ZTP, an IT admin tool used to manage VoIP devices centrally. Because there is no client-side authentication during config file retrieval, attackers could potentially get devices to download malicious firmware from a rogue server.
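What the missing client-side check looks like when it is present, as an added illustration rather than Zoom's or the researcher's code: a toy provisioning client that only accepts config files and firmware images over HTTPS from an allowlisted host, and verifies the image's SHA-256 digest against a vendor-published value before applying it. All hostnames, image names, config contents and digests are constructed; the `fetch` callback stands in for an HTTP download.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed values (not any vendor's real data): the phone's allowlist of
# provisioning hosts and the vendor-published SHA-256 digests of firmware
# images. Both are assumed to be baked into the device out of band, so a
# rogue server cannot supply or alter them.
TRUSTED_HOSTS = {"ztp.vendor.invalid"}
GOOD_FIRMWARE = b"constructed firmware image v2.1.0"
KNOWN_FIRMWARE = {"phone-fw-2.1.0.bin": hashlib.sha256(GOOD_FIRMWARE).hexdigest()}

# Constructed config files, shaped like what a ZTP server would hand a phone.
GOOD_CONFIG = json.dumps({"firmware": {
    "name": "phone-fw-2.1.0.bin",
    "url": "https://ztp.vendor.invalid/fw/phone-fw-2.1.0.bin"}}).encode()
ROGUE_CONFIG = json.dumps({"firmware": {
    "name": "phone-fw-2.1.0.bin",
    "url": "https://ztp.attacker.invalid/fw/phone-fw-2.1.0.bin"}}).encode()


class ProvisioningRejected(Exception):
    """Raised when any step of the provisioning chain fails a check."""


def require_trusted_https(url: str, what: str) -> None:
    """Accept only HTTPS URLs on allowlisted hosts. A real device would also
    validate (or pin) the server's TLS certificate; this models the allowlist."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
        raise ProvisioningRejected(f"{what} from untrusted source: {url}")


def verify_firmware(name: str, blob: bytes) -> str:
    """Return blob's SHA-256 hex digest if it matches the known digest for name."""
    expected = KNOWN_FIRMWARE.get(name)
    if expected is None:
        raise ProvisioningRejected(f"unknown firmware image: {name}")
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ProvisioningRejected(f"digest mismatch for {name}")
    return actual


def provision(config_url: str, config_bytes: bytes, fetch) -> dict:
    """Hardened ZTP flow: check where the config came from, check where it
    points, download the image via fetch(url) -> bytes, verify before use."""
    try:
        require_trusted_https(config_url, "config file")
        fw = json.loads(config_bytes)["firmware"]
        require_trusted_https(fw["url"], "firmware image")
        digest = verify_firmware(fw["name"], fetch(fw["url"]))
    except (ProvisioningRejected, KeyError, TypeError, ValueError) as exc:
        return {"applied": False, "reason": str(exc)}
    return {"applied": True, "firmware": fw["name"], "sha256": digest}


def demo() -> dict:
    """Three constructed scenarios; the lambdas stand in for HTTP downloads."""
    legit = "https://ztp.vendor.invalid/cfg/phone.json"
    rogue = "https://ztp.attacker.invalid/cfg/phone.json"
    return {
        "legitimate": provision(legit, GOOD_CONFIG, lambda url: GOOD_FIRMWARE),
        "rogue_server": provision(rogue, ROGUE_CONFIG, lambda url: b"rogue image"),
        "tampered_image": provision(legit, GOOD_CONFIG, lambda url: b"tampered"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The two checks cover the two halves of the problem the story describes: the host allowlist (with TLS validation on a real device) stops a phone from taking a config file from a rogue server at all, and the digest check stops a tampered image even if the config file itself looked legitimate.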

Meanwhile, AudioCodes VoIP phones with improper authentication issues can expose sensitive info like passwords and config files.

This combo of flaws creates a powerful attack chain that could be exploited for full remote control over devices. The impact? Eavesdropping on rooms and calls, pivoting through devices, attacking corporate networks, and even building a botnet of infected devices.

As Moritz Abrell warns, this highly scalable attack poses a significant security risk. It echoes the German cybersecurity company's earlier findings on Microsoft Teams, where external attackers could make unauthorised calls through victims' phone lines.


More like CyberPower-outage and Dataprobed

Uh-oh! Critical Vulnerabilities Discovered!

CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU) are at risk. Wow, catchy names!

Nine vulnerabilities (CVE-2023-3259 to CVE-2023-3267) with severity scores from 6.7 to 9.8 have been identified, creating a potential nightmare for data centres.

Threat actors could exploit these weaknesses to gain unauthenticated access, leading to catastrophic damage. The dangers include shutting down entire data centres, data theft, or launching massive attacks on an unprecedented scale.

Trellix security researchers warn that an attacker could chain these vulnerabilities to gain full access to the systems. Both products are susceptible to remote code injection, creating backdoors or entry points to the broader network.

The findings were presented at the DEF CON security conference, and while no evidence of abuse exists, it's essential to act. The vulnerabilities have been addressed in PowerPanel Enterprise software version 2.6.9 and Dataprobe iBoot PDU firmware version 1.44.08042023.

Key Vulnerabilities:

  • Dataprobe iBoot PDU: Untrusted data deserialization, OS command injection, buffer overflow, hard-coded credentials, authentication bypass by alternate name.

  • CyberPower PowerPanel Enterprise: Hard-coded credentials, improper neutralisation of escape sequences, improperly implemented security checks, OS command injection.
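OS command injection appears in both lists above. As an added generic illustration (not the CyberPower or Dataprobe code, whose details the write-up does not give), here is the weak pattern beside a hardened one, using the kind of "ping this host" diagnostic that management web interfaces commonly offer. The function names are my own.

```python
import ipaddress
import subprocess


def vulnerable_ping_command(host: str) -> str:
    """The weak pattern: a request parameter is spliced into a shell command
    string. If this string is handed to subprocess.run(..., shell=True), the
    shell treats ';', '|', '&&' and '$(...)' inside host as further commands,
    so whoever controls the parameter controls what the appliance runs."""
    return f"ping -c 1 {host}"


def hardened_ping_argv(host: str) -> list:
    """Validate host as an IPv4/IPv6 address, then build an argv list. The list
    form never passes through a shell, so metacharacters cannot alter the
    command; the validation also rejects anything that is not an address."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected host parameter: {host!r}") from None
    return ["ping", "-c", "1", str(addr)]


def run_ping(host: str) -> int:
    """Run the hardened form; returns ping's exit code (assumes ping is on PATH)."""
    return subprocess.run(hardened_ping_argv(host), check=False,
                          capture_output=True).returncode


def is_accepted(host: str) -> bool:
    """True if host would pass the hardened validator, False if it is rejected."""
    try:
        hardened_ping_argv(host)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: one normal address and one carrying a shell separator.
    for candidate in ("10.0.0.1", "127.0.0.1; echo injected"):
        print(f"{candidate!r}: vulnerable string = {vulnerable_ping_command(candidate)!r},"
              f" accepted by hardened validator = {is_accepted(candidate)}")
```

If the feature must accept hostnames as well as addresses, extend the validator with a strict allowlist (letters, digits, hyphens and dots only) rather than trying to strip "dangerous" characters; the argv form stays the same.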

The risks are enormous! Successful exploitation could lead to data centre shutdowns with a "flip of a switch," ransomware, DDoS attacks, or even cyber espionage.

Protect your critical infrastructure and take immediate action!

Extra, Extra! Read all about it

Each fortnight, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • Daily Dough: Bite-sized investing ideas, wisdom, news, and trends you need to grow your dough!

  • ProductivityGlide: A bite-sized email for your most productive day yet!

  • AI Marketing School: The latest AI Marketing tools, techniques, and news delivered biweekly.

Let us know what you think!

‘Ello, ‘ello, ‘ello. What’s all this then?

I smell bacon; I smell pork. Run little piggy, I’ve got a fork!

Cumbria Police, another British police force in the doghouse, reveals a massive data breach. Names and salaries of over 2,000 employees, including covert and sensitive roles, were accidentally published online. Apologies issued. Nice one, chaps!

While not as severe as the recent PSNI scandal, it's still embarrassing. The PSNI breach was extremely serious because officers there face heightened dangers, some not even telling their friends and families that they work for the police because of the threat of terrorist attack.

The leaked info affected 1,304 officers, 756 staff, and 52 police community support officers. Human error is to blame, says the force, and they've taken steps to prevent future breaches.

The ICO was notified, reviewed the situation, and advised no further action was needed. So, same as what happens when you call them about your stolen bike or literally anything else then: no action.

But retweet something vaguely offensive and you’ll be in cuffs before you know it. But that’s neither here nor there…

The privacy watchdog was satisfied with the measures taken to manage the breach, anyway.

That’s all for today, folks. Stay informed, stay safe!

So long and thanks for reading all the phish!
