Infosec in brief Using a custom-built tool, a 15-year-old hacker exploited Cloudflare's content delivery network to approximate the locations of users of apps like Signal, Discord, and others.
The attack, developed by self-described "15-year-old high school junior" Daniel, is surprisingly straightforward. By exploiting Cloudflare's CDN caching behavior, an attacker can infer a user's general location by determining which datacenter cached a resource requested by the user's device.
"In the US East region, for example, the nearest datacenter to me is less than 100 miles," Daniel said. "If you live in a developed country, there's a good chance the nearest datacenter to you is less than 200 miles from you."
In other words, the technique can't pinpoint someone's exact position, but it can place a Signal user who is seeking anonymity to within about 200 miles.
Because Cloudflare doesn't allow direct requests to individual datacenters, Daniel exploited a bug in Cloudflare Workers' serverless scripting service to route traffic through specific datacenters. Using this method, he developed a tool called Cloudflare Teleport, which proxies requests to target datacenters and identifies where cached resources are stored. By sending a specific item – such as an image – to a target and observing which datacenter caches it, an attacker can infer the target's approximate location.
Daniel also discovered that the attack can work without user interaction when apps automatically download cached resources, such as avatars triggered by push notifications.
Cloudflare has since patched the bug that enabled Cloudflare Teleport to route traffic to specific datacenters. However, Daniel noted the underlying issue persists. He was able to achieve similar results by using VPN servers that align with Cloudflare datacenters.
In short, if you're worried about anonymity, CDNs - it seems - are not your friends.
"Any app using a CDN for content delivery and caching can still be vulnerable," Daniel claimed.
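One way a defender can check whether their own service hands out this signal, as an added example that is not drawn from the article or from Daniel's Cloudflare Teleport tool: a short Python audit of response headers for a resource that is delivered to one specific recipient. The attack only works when a per-user resource, such as an avatar pushed to a single phone, is cacheable at a shared CDN edge; the fix on the origin side is to mark such responses `private, no-store`. The header names `Cache-Control` and `CF-Cache-Status` are real Cloudflare/HTTP headers; the function names, the `per_user` flag and the sample responses are constructed for this example.

```python
"""Audit HTTP response headers for the CDN-cache location side channel.

Added example, not the article's or the researcher's code. A per-user
resource that a shared CDN edge is allowed to cache reveals, through the
edge that later serves a HIT, which datacenter the recipient's device used.
Header names are real; every header value below is a constructed sample.
"""
from typing import Dict

# Constructed sample: an avatar image served to one recipient, cached by the edge.
LEAKY_AVATAR_RESPONSE = {
    "Content-Type": "image/png",
    "Cache-Control": "public, max-age=14400",
    "CF-Cache-Status": "HIT",
}

# Constructed sample: a site logo shared by everyone; caching it reveals nothing
# about any individual, so the same headers are fine here.
SHARED_LOGO_RESPONSE = dict(LEAKY_AVATAR_RESPONSE)


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'public, max-age=14400' into {'public': '', 'max-age': '14400'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives


def assess_cache_exposure(headers: Dict[str, str], per_user: bool) -> Dict[str, object]:
    """Return findings for one response.

    per_user: True when the resource is tied to a specific recipient (avatar,
    attachment, notification image); False for assets everyone fetches.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    # 'private' keeps the response out of shared caches; 'no-store' keeps it
    # out of every cache. Either one stops the CDN edge from holding a copy.
    edge_cacheable = "no-store" not in cc and "private" not in cc
    status = lower.get("cf-cache-status", "").upper()
    served_from_edge = status == "HIT"
    return {
        "edge_cacheable": edge_cacheable,
        "served_from_edge": served_from_edge,
        # The side channel exists only when a recipient-specific object is
        # allowed to live in a shared edge cache.
        "location_side_channel": per_user and edge_cacheable,
        "advice": ("set Cache-Control: private, no-store on per-user resources"
                   if per_user and edge_cacheable else "no change needed"),
    }


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return origin-side headers that keep a per-user resource off shared caches.

    CF-Cache-Status is set by the CDN on the way out, not by the origin, so it
    is dropped here rather than rewritten.
    """
    fixed = {k: v for k, v in headers.items()
             if k.lower() not in ("cache-control", "cf-cache-status")}
    fixed["Cache-Control"] = "private, no-store"
    return fixed


def demo() -> Dict[str, Dict[str, object]]:
    """Run the audit over the constructed samples before and after hardening."""
    return {
        "avatar_before": assess_cache_exposure(LEAKY_AVATAR_RESPONSE, per_user=True),
        "avatar_after": assess_cache_exposure(harden_headers(LEAKY_AVATAR_RESPONSE), per_user=True),
        "shared_logo": assess_cache_exposure(SHARED_LOGO_RESPONSE, per_user=False),
    }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

The `per_user` flag is the judgement call the script cannot make for you: the same `public, max-age` headers are harmless on a shared logo and a location leak on an avatar that only one device will ever fetch. The VPN variant Daniel describes is outside what an origin can fix with headers; the check above only removes the cached-copy signal that the CDN itself would otherwise provide.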
It's crypto laundry day: Tornado Cash sanctions scrapped by court
Crypto mixer Tornado Cash, sanctioned by the US Treasury in 2022 for laundering cryptocurrency stolen by North Korean hacking operations, has been granted a reprieve after a Texas court decided the US government overstepped its authority in sanctioning the operation.
The US District Court for the Western District of Texas has remanded the matter back to circuit court, but in doing so, decided a previous decision upholding the Treasury sanctions was to be reversed, opening the possibility of a Tornado Cash return.
Crypto mixers are used to obscure blockchain records by pooling digital currency from multiple users and redistributing it, allowing individuals to withdraw coins that are not directly traceable to their original transactions, effectively breaking the chain of custody typically established by blockchain records. They're frequently used by cybercriminals to mask the path of ill-gotten gains.
Roman Storm, co-founder of the platform, was arrested and charged with conspiracy to commit money laundering and sanctions violations, and operating an unlicensed money transmitting business in 2023. It's not immediately clear how the court decision could affect his upcoming trial.
Subaru web app vulnerability allowed accurate vehicle tracking
It seems like lots of automakers have been caught with security failures in connected vehicle applications. This time, it's Subaru's turn.
Security researcher Sam Curry reported that he managed to fuzz and brute force his way into a Subaru STARLINK (not to be confused with Elon Musk's Starlink) admin portal that allowed him to remotely start, stop, or unlock vehicles; retrieve customer PII; access service history for a vehicle; and even see location history from the past year, accurate to within five meters.
The bug allowed Curry to retrieve this information on Subaru vehicles in the US, Canada, and Japan, and a victim's data could be accessed by knowing nothing but their last name and any one of their ZIP code, email address, phone number, or plate number.
Luckily, Subaru took the matter seriously and patched the flaw within 24 hours of it being reported, and it is not believed to have been exploited maliciously at all.
US military contractor hit with ransomware
US defense contractor Stark Aerospace, not to be confused with the fictional Stark Industries, has allegedly been breached by the INC ransomware gang, according to security analyst Dominic Alvieri.
While INC might not have made off with plans for the Iron Man suit, it did claim to have stolen 4 TB of data including source code, supply chain information, building plans, employee passports, and more.
Stark Aerospace produces missile systems, electronics, and loitering munitions for the US military – not exactly the sort of info you want in the hands of ransomware operators.
"We also found a lot of interesting information on the programs for the production and launch of reconnaissance satellites," INC claimed. "Copies of your websites, significant laboratories (in the form of virtual machines), configuration of information security tools and other things – all this is in our possession and will be sold … in case of refusal to cooperate."
Insurance database stolen in MOVEit breach found online
A massive list of personal data belonging to customers of American National Insurance Company (ANICO) was found online recently in what appears to be yet another example of the MOVEit breach continuing to pay dividends for cybercriminals.
ANICO's stolen data was found on a clear web forum by investigators from SafetyDetectives, and reportedly contains 279,332 lines of sensitive information. The author of the post claimed it contains customer data including names, email addresses, birth dates, physical addresses, and more. Some employee data was reportedly included in the database as well.
The insurer acknowledged that it fell victim to the 2023 MOVEit breach around the same time as many other affected organizations. However, recent reports suggest that data stolen during the incident may now be available online for purchase, though this has not been independently verified.
ANICO customers from before May 2023 should take steps to protect themselves, be wary of phishing attempts, and ensure 2FA is enabled on all accounts, SafetyDetectives suggested. ®