The Daily Decrypt
LG's Smart TV Root Access, Google's Multi-Admin Check, Stealthy SharePoint Downloads - Cyber Security News

Dive into the cyber-landscape where LG smart TVs, Google Workspace, and SharePoint vulnerabilities lay bare the challenges and defenses in our interconnected world. Discover how Bitdefender unearths vulnerabilities in LG’s webOS, prompting an urgent patch rollout for millions. Explore Google’s stride towards double-layered security with multi-party approvals in Workspace, a bold move against unauthorized changes. Unpack Varonis’ latest discovery of SharePoint flaws allowing stealthy data theft, spotlighting the silent battles in cybersecurity. Engage with us on strategies and stories from the front lines of digital defense.

Sources:

Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/

Logo Design by https://www.zackgraber.com/

Tags:

LG Smart TV, Google Workspace, SharePoint, cybersecurity, vulnerabilities, webOS, multi-party approvals, data exfiltration, root access, security patches, digital defense, cloud security, Bitdefender, Varonis, Microsoft SharePoint, tech news, information security, cyber threats, administrative controls

Search Phrases:

  • Bitdefender LG smart TV vulnerabilities
  • Google Workspace multi-party approval feature
  • Varonis exposes SharePoint flaws
  • How to secure LG smart TVs against hackers
  • Implementing Google Workspace multi-party approvals
  • Protecting SharePoint data from undetected theft
  • Latest cybersecurity threats and defenses
  • Root access vulnerabilities in LG TVs
  • Enhancing cloud security with administrative approvals
  • Stealthy data exfiltration techniques in SharePoint
  • Cybersecurity updates for LG smart TV owners
  • Advanced security features in Google Workspace
  • Mitigating risks in Microsoft SharePoint
  • Cyber threat insights from Bitdefender and Varonis
  • Protecting digital assets against unauthorized access

Transcript:

Apr 10

Welcome back to the Daily Decrypt.

Bitdefender reveals a series of high criticality vulnerabilities in LG Smart TVs which could potentially allow attackers to bypass security measures and gain unauthorized root access, which could affect tens of thousands of smart TVs globally.

Do you have an LG smart TV? If so, keep listening to find out how you can protect yourself from these vulnerabilities.

Someone recently told Google that it’s important to check with a friend before making any important decisions. Google is introducing multi party approvals for security features in Google Workspace, which will require multiple admins to approve any sensitive changes.

Why is this important? And what types of things can this protect against?

And finally, Varonis Threat Labs has just exposed two new vulnerabilities in Microsoft SharePoint that allow hackers to download sensitive files undetected, which will put thousands of businesses at risk.

In a recent cybersecurity revelation, researchers at the Romanian firm Bitdefender have brought to light a series of severe vulnerabilities in LG’s webOS, the operating system powering its smart TVs. These weaknesses span across versions 4.9.7 to 7.3.1 of webOS and present a critical threat potentially allowing unauthorized users to gain root access and take control of the devices.

So it sounds like Bitdefender did the honorable thing and let LG know about this months ago before disclosing it to the public.

And finally LG on March 22nd issued some patches to address these vulnerabilities.

Now that’s all well and good, but smart TVs go un-updated, potentially forever.

The most alarming vulnerability that has been patched, which is CVE-2023-6317, allows attackers to circumvent PIN verification processes to add a privileged user to the TV, requiring no interaction from the device owner.

Another vulnerability lets attackers elevate their access level to root, or the highest level of access.

Bitdefender’s research uncovered that over 91,000 devices worldwide had this vulnerable service exposed to the internet. Which essentially means that Bitdefender can open up their laptop and scan the internet for your device and find it. And if Bitdefender can do it, any attacker can do it.

So make sure that your TVs are up to date, go into the settings, double check which version it is, and make sure it’s the most up to date. There should be some sort of indicator saying your system is up to date.

If it’s not, and your TV is internet facing, attackers can infiltrate your TV, create a backdoor, so that even after the update, they can still access.

Then, if your TV has a microphone or a camera, they’ll be able to access those things and see what’s going on inside your house. They could use those things to steal data. If you’ve entered in your credit card number into the TV, they’ll have access to that. It could be used as a pivot point to try to get to your more sensitive devices like your laptop or your phone, and then inject malware there.

If your office space uses an LG Smart TV, it could be used to pivot and conduct a ransomware attack.

The uses of this vulnerability are limited only by the attacker’s creativity, so make sure to go in and ensure your device is updated. And a lot of these devices just go to sleep. They don’t do a full power cycle or a restart. So go in, maybe unplug the TV for a couple minutes, maybe overnight, however long you can.

And then replug it in when you need to use it again. That should wipe the temporary memory and increase the chances that you’ve gotten rid of the attacker from your TV.

In an effort to bolster security measures for its Google Workspace customers, Google has introduced a new feature designed to mitigate the risk of unauthorized or accidental changes within its system. The tech giant announced the rollout of multi party approvals for its cloud based productivity and collaboration platform.

This optional security measure requires that certain sensitive admin actions receive approval from another admin before they can be executed. The multi party approvals feature aims to combat potential threats from both inside and outside an organization by ensuring that changes to critical settings, such as two step verification and account recovery policies, undergo an additional layer of scrutiny.

Admins will have the ability to review details of each request, making informed decisions on whether to allow or deny the proposed changes. This process not only secures the platform against unauthorized access, but also streamlines administrative tasks by executing actions automatically once they receive approval.

Google Workspace’s multi party approvals will be accessible to a broad range of customers, including those subscribed to the Enterprise Standard, Enterprise Plus, Education Standard, Education Plus, and Cloud Identity Premium plans. But the feature is turned off by default and can be enabled through the admin console under the multi party approval settings.

This is a pretty nice feature for Google to introduce. Probably pretty easy to do on their end, just require more permissions before being able to accomplish certain tasks.

Granted, this only requires twice as many permissions as were required before, so if an attacker can get in and make these changes, what’s to say they can’t get in, create a new account, new admin account, and get the required approvals that way. Anyway, the blog post by Google doesn’t address this use case specifically, but it would be great if Google required multiple admins in order to create a new admin, which would essentially solve this problem.

And then what’s also cool about this new feature is that, yeah, it’s introducing new automation features as well. Once you have the approvals, Google will automatically go in and place the changes that were already requested.

This doesn’t save any time from the legacy workflow, which is where admins would go in and do these actions. They would happen immediately. Because the admins will still have to go in and perform these actions, they will just require approvals afterwards. So the action time is the same, but luckily they don’t have to wait for approval and then go perform the action again or something like that.

It’ll happen automatically.

And this is so important because one of the first things that an attacker will try to do once they infiltrate your environment is to make sure they can get back in. And one of the ways they can do that is to create accounts or alter security settings, maybe change logging preferences so that their tracks might be more covered up, allowing them to move more freely throughout your network and perform more malicious actions unrestricted. If it requires multiple admins to edit logging preferences from debug to verbose or turn off two factor authentication so that attackers can sign in from wherever or any of these things, attackers are less likely to succeed down the line. So if you do run a Google Workspace, however small, and you have multiple admins, I highly encourage you to go enable this feature once it’s available.

It’s coming out and it’s going to be cool.

Our final segment discusses new Microsoft SharePoint vulnerabilities that Varonis Threat Labs discovered, which could allow hackers to stealthily download files from SharePoint, evading traditional audit logs or detection methods.

The first method exploits the “open in app” feature of SharePoint, which when used does not log a file downloaded event, but rather an access event, which might not raise immediate alarms for administrators. This loophole could facilitate what’s being termed as silent data exfiltration, allowing for the downloading of documents in a manner that doesn’t attract the usual scrutiny.

So there’s so many events that go on in the Microsoft ecosystem, especially in SharePoint, whether it’s opening or downloading or transferring. So many events, they all kind of get funneled into different categories of event. As mentioned, there’s a download event and there’s an access event. So you might be able to see the severity difference in these two events.

If someone’s downloading something that’s a little more severe than just opening something. And so security teams will create alerts for different types of event. So they might have a more serious alert for the download event than they do the access event. And so this first attack is essentially leveraging a bet that security teams aren’t alerting as scrutinously on access events, and they’re able to download files while only triggering an access event, not a download event.

The second vulnerability involves spoofing the user agent string of file access requests to appear as if the actions are part of a routine data syncing operation within Microsoft’s SkyDrive sync, thus making the download seem less suspect and more like benign sync events. Both methods open the door to stealthy exfiltration of sensitive documents, bypassing the eyes of cloud access security tools and security information and event management platforms, or SIEMs.

Some recommendations include monitoring for unusual access patterns or high volumes of data activity, which could indicate unauthorized data movements. Until Microsoft addresses these vulnerabilities, we’re not sure. Which have currently been acknowledged, but rated as moderate and hence are not slated for immediate patching.

Organizations are urged to adopt proactive measures to mitigate potential risks.

And I would agree with that assessment. It’s a moderate vulnerability and it will be slated for patching, but maybe not immediately, since they are still generating events, just maybe not at the correct severity.

If this is an important thing to you, make sure to write to Microsoft. Send them an email, get your whole team to send them an email. Try to get them to bump up the priority on this to get it patched. Otherwise, there’s going to be a lot of false positive alerts if you’re trying to monitor for things that are generally less severe.

Hoping for the needle in the haystack. That’s going to exhaust your security teams and reduce the quality of their output.

My best advice, if you are planning to take the alerting route, is to create some sort of event sequence based alerting. Like, if someone does this, and someone does this, and someone does this, then generate an alert. Now, not everyone has the ability to do that, but simply raising the severity of access based alerts isn’t going to be the best method and potentially the download alerts will fall through the cracks while analysts are focusing on these less severe alerts looking for that, like I said, needle in a haystack.

That’s all I got for you today. Thanks so much for listening. Hope you got a chance to enjoy the solar eclipse on Monday. I was lucky enough to have the day off from work and this podcast. Huge thanks to dogespan for covering down for me. And it was a really cool experience.

And send us a message, send us a DM, send us an email with anything. We’d love to hear from you. Any feedback, anything you’d like to see, we’d greatly appreciate it. And we will talk to you some more later.
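
Added example, not part of the episode or its transcript: a minimal sketch of the sequence and volume based alerting suggested in the SharePoint segment, which counts access and sync-labelled events together per user instead of raising the severity of every single access event. The operation labels, record fields, threshold and sample events are assumptions constructed for illustration; map them to the names your own audit source uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operation labels are assumptions modelled on the "access", "download" and
# sync events the transcript describes; adjust to your audit log's names.
ACCESS_OPS = {"FileAccessed"}
SYNC_OPS = {"FileSyncDownloadedFull"}
WINDOW = timedelta(minutes=5)
THRESHOLD = 4  # distinct files per user per window; tune to your baseline


def find_bulk_access(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose access/sync events touch at least
    `threshold` distinct files inside a sliding time window."""
    recent = defaultdict(deque)  # user -> deque of (time, file)
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["operation"] not in ACCESS_OPS | SYNC_OPS:
            continue  # explicit download events already have their own alerts
        q = recent[ev["user"]]
        q.append((ev["time"], ev["file"]))
        while ev["time"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        files = {f for _, f in q}
        if len(files) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "at": ev["time"],
                           "files": sorted(files)})
    return alerts


def ts(text):
    return datetime.fromisoformat(text)


# Constructed sample events (not real audit data).
SAMPLE = [
    {"time": ts("2024-04-10T09:00:00"), "user": "alice", "operation": "FileAccessed", "file": "/hr/a.docx"},
    {"time": ts("2024-04-10T09:40:00"), "user": "alice", "operation": "FileDownloaded", "file": "/hr/a.docx"},
    {"time": ts("2024-04-10T10:00:00"), "user": "mallory", "operation": "FileAccessed", "file": "/fin/q1.xlsx"},
    {"time": ts("2024-04-10T10:01:00"), "user": "mallory", "operation": "FileAccessed", "file": "/fin/q2.xlsx"},
    {"time": ts("2024-04-10T10:02:00"), "user": "mallory", "operation": "FileSyncDownloadedFull", "file": "/fin/q3.xlsx"},
    {"time": ts("2024-04-10T10:03:00"), "user": "mallory", "operation": "FileAccessed", "file": "/fin/q4.xlsx"},
    {"time": ts("2024-04-10T10:30:00"), "user": "alice", "operation": "FileAccessed", "file": "/hr/b.docx"},
]

if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE):
        print(alert["user"], alert["at"].isoformat(), len(alert["files"]), "files")
```

Legitimate sync clients also produce bursts, so the threshold and window need a per-user or per-device baseline before this is used for alerting.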
