This posting is here to collect cyber security news in August 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
333 Comments
Tomi Engdahl says:
All versions of Ivanti product affected by vulnerability used in Norway gov’t attack https://therecord.media/all-ivanti-versions-affected-by-vulnerability-tied-to-norway-attacks
IT giant Ivanti said on Monday that several recently-discovered vulnerabilities affect all versions of their Endpoint Manager Mobile (EPMM) tool.
Two weeks ago, the government of Norway revealed that 12 government agencies in the country had been hacked through several zero-days affecting EPMM.
Ivanti initially said the bug only affected MobileIron Core 11.2 and earlier.
But in an updated advisory on Monday, the company said the vulnerability affects all versions.
Tomi Engdahl says:
Patch Tuesday: Microsoft (Finally) Patches Exploited Office Zero-Days
https://www.securityweek.com/patch-tuesday-microsoft-finally-patches-exploited-office-zero-days/
Patch Tuesday: A month after confirming active exploitation of Office code execution flaws, Microsoft has shipped patches for multiple affected products.
Tomi Engdahl says:
A scam that knows its recipient by name is spreading in Finland – this is how you avoid falling into the trap https://www.is.fi/digitoday/tietoturva/art-2000009768570.html
“Hi Nico,” begins the text message scam received by IS Digitoday on Monday afternoon. According to the message, an ordered package has been delivered to a “delivery point”. The delivery date mentioned in the message was the same as the day the message was sent, and the scammer was able to address the recipient by their real first name. The scammer promises to show the pickup location behind a web link included in the message.
Package scams arriving as text messages have been seen many times over recent years, and the authorities have occasionally warned about them. Themes of the scam messages have included, for example, a missing customs fee, confirming the delivery address, or a failed delivery.
Tomi Engdahl says:
UK Electoral Commission data breach exposes 8 years of voter data https://www.bleepingcomputer.com/news/security/uk-electoral-commission-data-breach-exposes-8-years-of-voter-data/
The UK Electoral Commission disclosed a massive data breach exposing the personal information of anyone who registered to vote in the United Kingdom between 2014 and 2022.
The disclosure comes ten months after the Commission first detected the breach and two years after the initial breach occurred, raising questions about why it took so long to report the incident to the public. In the “public notification of cyber-attack,” the Commission says they first detected the attack in October 2022 but since learned that threat actors breached their systems much earlier, in August 2021.
Tomi Engdahl says:
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries https://thehackernews.com/2023/08/new-yashma-ransomware-variant-targets.html
An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023.
Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin.
“The threat actor uses an uncommon technique to deliver the ransom note,”
security researcher Chetan Raghuprasad said. “Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.”
Tomi Engdahl says:
LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes https://thehackernews.com/2023/08/lolbas-in-wild-11-living-off-land.html
Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities.
“LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes,” Pentera security researcher Nir Chako said. “This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities.”
Tomi Engdahl says:
Norway fines Facebook owner Meta over privacy breaches https://www.reuters.com/technology/norway-data-regulator-fine-meta-over-privacy-breaches-2023-08-07/
Facebook owner Meta Platforms will be fined 1 million crowns ($98,500) per day over privacy breaches from Aug. 14, Norway’s data protection authority told Reuters on Monday, a decision that could have wider European implications.
The regulator, Datatilsynet, had said on July 17 that the company would be fined if it did not address privacy breaches the regulator had identified.
Tomi Engdahl says:
Interpol takes down 16shop phishing-as-a-service platform https://www.bleepingcomputer.com/news/security/interpol-takes-down-16shop-phishing-as-a-service-platform/
A joint operation between Interpol and cybersecurity firms has led to an arrest and shutdown of the notorious 16shop phishing-as-a-service (PhaaS) platform.
Phishing-as-a-service platforms offer cybercriminals a one-stop-shop to conduct phishing attacks. These platforms typically include everything you need, including email distribution, ready-made phishing kits for well-known brands, hosting, data proxying, victim overview dashboards, and other tools that help increase the success of their operations.
Tomi Engdahl says:
Patch Tuesday: Adobe Patches 30 Acrobat, Reader Vulns
https://www.securityweek.com/patch-tuesday-adobe-patches-30-acrobat-reader-vulns/
Adobe rolls out a big batch of security updates to fix at least 30 Acrobat and Reader vulnerabilities affecting Windows and macOS users.
Adobe on Tuesday rolled out a big batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and macOS installations.
The software maker documented the 30 security defects in a critical-level advisory and warned that successful exploitation could lead to arbitrary code execution, memory leaks, security feature bypass and application denial-of-service attacks.
Adobe said affected software include Acrobat DC, Acrobat Reader DC, Acrobat 2020 and Acrobat Reader 2020. The company described most of the bugs as memory safety issues and said it was not aware of any exploits in the wild.
Tomi Engdahl says:
Government
White House Holds First-Ever Summit on the Ransomware Crisis Plaguing the Nation’s Public Schools
https://www.securityweek.com/white-house-holds-first-ever-summit-on-the-ransomware-crisis-plaguing-the-nations-public-schools/
CISA will step up training for the K-12 sector and technology providers, including Amazon Web Services and Cloudflare, will offer grants and free software.
Tomi Engdahl says:
Cybersecurity Funding
Horizon3 AI Raises $40 Million to Expand Automated Pentesting Platform
Horizon3.ai, a provider of autonomous security testing solutions, raised $40 million through a Series C funding round.
https://www.securityweek.com/horizon3-ai-raises-40-million-to-expand-automated-pentesting-platform/
Tomi Engdahl says:
ICS/OT
ICS Patch Tuesday: Siemens Fixes 7 Vulnerabilities in Ruggedcom Products
https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-7-vulnerabilities-in-ruggedcom-products/
ICS Patch Tuesday: Siemens releases a dozen advisories covering over 30 vulnerabilities, but Schneider Electric has only published one advisory.
Siemens released a dozen advisories covering more than 30 vulnerabilities this Patch Tuesday, but Schneider Electric has only published one advisory to inform customers about one flaw.
Siemens has published three advisories describing serious vulnerabilities patched in its Ruggedcom products.
One advisory covers five vulnerabilities, including four rated ‘critical’ and ‘high severity’, in the Ruggedcom Crossbow server application. The weaknesses can be exploited to cause a DoS condition, escalate privileges, execute arbitrary SQL queries on the database, and write arbitrary files to the targeted system. The issues were discovered by the UK’s National Cyber Security Centre (NCSC).
Siemens also informed customers about a critical mirror port isolation vulnerability in Ruggedcom ROS devices.
“The affected products insufficiently block data from being forwarded over the mirror port into the mirrored network,” the vendor explained. “An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.”
ROS devices are also impacted by a high-severity DoS vulnerability, which has been covered by Siemens in a separate advisory.
The industrial giant informed customers about several high-severity vulnerabilities that can be exploited using specially crafted files. Impacted products include Sicam Toolbox II, Parasolid, Teamcenter Visualization, JT2Go, JT Open, JT Utilities, Solid Edge, and Siemens Software Center (SSC).
Two of Siemens’ advisories describe the impact of two medium and high-severity OpenSSL vulnerabilities on its Simatic products.
Tomi Engdahl says:
Police: These are the crimes being committed online right now https://www.is.fi/digitoday/tietoturva/art-2000009773264.html
The National Bureau of Investigation says in its cybercrime review that several different scams are currently spreading online. Current ones include, among others, safe-account frauds, “Hi Mom” scams on WhatsApp, lottery frauds on Facebook, romance scams, and email scams sent in the name of the suomi.fi service.
Scammers may impersonate, among others, the tax authority, the postal service, a mobile operator, or a payment intermediary.
Tomi Engdahl says:
Microsoft Office update breaks actively exploited RCE attack chain https://www.bleepingcomputer.com/news/security/microsoft-office-update-breaks-actively-exploited-rce-attack-chain/
Microsoft today released a defense-in-depth update for Microsoft Office that prevents exploitation of a remote code execution (RCE) vulnerability tracked as CVE-2023-36884 that threat actors have already leveraged in attacks.
In today’s Microsoft August Patch Tuesday, the update helps fix CVE-2023-36884, a security issue disclosed in July, which Microsoft did not patch at the time but provided mitigation advice.
Tomi Engdahl says:
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations https://www.proofpoint.com/us/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level
Over the last six months, Proofpoint researchers have observed a dramatic surge of over 100% in successful cloud account takeover incidents impacting high-level executives at leading companies.
Over 100 organizations were targeted globally, collectively representing 1.5 million employees.
Threat actors utilized EvilProxy – a phishing tool based on a reverse proxy architecture, which allows attackers to steal MFA-protected credentials and session cookies.
This rising threat combines sophisticated Adversary-in-the-Middle phishing with advanced account takeover methods, in response to the growing adoption of multifactor authentication by organizations.
Tomi Engdahl says:
The Rhysida Ransomware: Activity Analysis And Ties To Vice Society https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States.
While responding to a recent Rhysida ransomware case against an educational institution, the Check Point Incident Response Team (CPIRT), in collaboration with Check Point Research (CPR), observed a set of unique Techniques, Tactics and Tools (TTPs). During our analysis, we identified significant similarities to the TTPs of another ransomware group – Vice Society. Vice Society was one of the most active and aggressive ransomware groups since 2021, mostly targeting the education and healthcare sectors.
Tomi Engdahl says:
IRS confirms takedown of bulletproof hosting provider Lolek https://therecord.media/lolek-bulletproof-hosting-seizure-fbi-irs
A popular bulletproof hosting platform was taken down by authorities in the U.S. and Poland this week, marking the latest effort to limit the anonymous access cybercriminals have to critical tools.
As early as Tuesday, the Lolek Hosted website showed a banner from the FBI and IRS.
“This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service – Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted,” the banner said.
Tomi Engdahl says:
Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/
We analyzed Tencent’s Sogou Input Method, which, with over 450 million monthly active users, is the most popular Chinese input method in China.
Analyzing the Windows, Android, and iOS versions of the software, we discovered troubling vulnerabilities in Sogou Input Method’s custom-designed “EncryptWall” encryption system and in how it encrypts sensitive data.
We found that network transmissions containing sensitive data such as those containing users’ keystrokes are decipherable by a network eavesdropper, revealing what users are typing as they type.
Tomi Engdahl says:
Prospect Medical hospitals still recovering from ransomware attack https://therecord.media/prospect-hospitals-still-recovering
The 16 hospitals run by Prospect Medical Holdings are still recovering from a ransomware attack announced last Thursday that caused severe outages at facilities in four states.
Several of the hospitals were forced to divert ambulances to other healthcare facilities, cancel appointments and close smaller clinics while the parent company dealt with the attack.
Waterbury Hospital in Connecticut wrote on Facebook Tuesday that its computer systems “continue to be down throughout the network due to a data security incident.” The hospital has been forced to use paper records while treating patients and they have had to cancel outpatient services like diagnostic imaging and blood draws.
Tomi Engdahl says:
Downfall: New Intel CPU Attack Exposing Sensitive Information
https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/
Google researcher discloses the details of an Intel CPU attack method named Downfall that may be remotely exploitable.
The details of a new side-channel attack targeting Intel processors were disclosed on Tuesday.
The attack, discovered by a researcher at Google and named Downfall, leverages a vulnerability tracked as CVE-2022-40982.
Similar to other CPU attack methods, Downfall can be exploited by a local attacker or a piece of malware to obtain sensitive information, such as passwords and encryption keys, belonging to the targeted device’s users.
This transient execution attack also works against cloud environments, allowing an attacker to steal data from other users on the same cloud computer.
“The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible,” explained
Moghimi, who reported his findings to Intel one year ago, said the GDS method is “highly practical” — he has created a proof-of-concept (PoC) exploit that can steal encryption keys from OpenSSL.
Remote attacks conducted via a web browser are theoretically also possible, but additional research is needed to demonstrate such an attack.
Intel published a security advisory on Tuesday to inform customers about CVE-2022-40982, which it has rated ‘medium severity’.
“Intel is releasing firmware updates and an optional software sequence to mitigate this potential vulnerability,” the chipmaker said.
Intel Xeon and Core processors released over the past decade are affected, and the Intel SGX hardware security feature is also impacted, according to the researcher.
The same day Downfall was disclosed, researchers at ETH Zurich disclosed the details of Inception, an attack that leaks potentially sensitive data from anywhere in the memory of a device powered by an AMD Zen processor.
Tomi Engdahl says:
Endpoint Security
New ‘Inception’ Side-Channel Attack Targets AMD Processors
https://www.securityweek.com/new-inception-side-channel-attack-targets-amd-processors/
Researchers have disclosed the details of a new side-channel attack targeting AMD CPUs named Inception.
Researchers on Tuesday disclosed the details of a new CPU side-channel attack named Inception that impacts AMD processors.
The Inception attack method was discovered by a team of researchers from the ETH Zurich university in Switzerland. It allows a local attacker to leak potentially sensitive data, such as passwords or encryption keys, from anywhere in the memory of a computer powered by an AMD Zen processor.
Inception is a transient execution attack that leverages a method named Training in Transient Execution (TTE) and an attack dubbed Phantom Speculation (CVE-2022-23825).
“As in the movie of the same name, Inception plants an ‘idea’ in the CPU while it is in a sense ‘dreaming’, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs,” the researchers explained.
They have published separate papers detailing the Inception and Phantom attacks. For Inception, they have also made available proof-of-concept (PoC) source code and a video showing the exploit in action.
Inception: how a simple XOR can cause a Microarchitectural Stack Overflow
https://comsec.ethz.ch/research/microarch/inception/
Over the past one and a half years, we have studied two phenomena that enable an unprivileged attacker to leak arbitrary information on all modern AMD CPUs:
Phantom speculation: We can trigger misprediction without any branch at the source of the misprediction.
Training in Transient Execution: We can manipulate future mispredictions through a previous misprediction that we trigger.
Putting the two together gives rise to a new type of attack called Inception: we can inject future mispredictions through a previous misprediction that we trigger — in the absence of branches. You can see a demo of Inception and find more information about the issues below:
Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations. As in the movie of the same name, Inception plants an “idea” in the CPU while it is in a sense “dreaming”, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs.
https://www.cve.org/CVERecord?id=CVE-2023-20569
https://comsec.ethz.ch/research/microarch/inception/
https://github.com/comsec-group/inception
INCEPTION: Exposing New Attack Surfaces with Training in Transient Execution
https://comsec.ethz.ch/wp-content/files/inception_sec23.pdf
Phantom: Exploiting Decoder-detectable Mispredictions
https://comsec.ethz.ch/wp-content/files/phantom_micro23.pdf
AMD has published an advisory confirming that an Inception attack can lead to information disclosure.
Return Address Security Bulletin
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
Bulletin ID: AMD-SB-7005
Potential Impact: Data Confidentiality
Severity: Medium
AMD has received an external report titled ‘INCEPTION’, describing a new speculative side channel attack. The attack can result in speculative execution at an attacker-controlled address, potentially leading to information disclosure. This attack is similar to previous branch prediction-based attacks like Spectrev2 and Branch Type Confusion (BTC)/RetBleed. As with similar attacks, speculation is constrained within the current address space and to exploit, an attacker must have knowledge of the address space and control of sufficient registers at the time of RET (return from procedure) speculation. Hence, AMD believes this vulnerability is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools.
AMD is not aware of any exploit of ‘Inception’ outside the research environment at this time.
CVE Details
CVE-2023-20569
A side channel vulnerability in some of the AMD CPUs may allow an attacker to influence the return address prediction. This may result in speculative execution at an attacker-controlled instruction pointer register, potentially leading to information disclosure.
Mitigation
AMD recommends customers apply either the standalone µcode patch or a BIOS update that incorporates the µcode patch, as applicable, for products based on “Zen 3” and “Zen 4” CPU architectures. AMD plans to release updated AGESA™ versions to Original Equipment Manufacturers (OEM), Original Design Manufacturers (ODM) and motherboard manufacturers (MB) on the target dates listed below. Please refer to your OEM, ODM, or MB for a BIOS update specific to your product, which will follow after the dates listed below, as applicable. No µcode patch or BIOS update, which includes the µcode patch, is necessary for products based on “Zen” or “Zen 2” CPU architectures because these architectures are already designed to flush branch type predictions from the branch predictor.
Operating system (OS) configuration options may also be available to help mitigate certain aspects of this vulnerability. AMD recommends users evaluate their risk environment (including the risk of running untrusted local code) when deciding on OS mitigation options and refer to OS-specific documentation for guidance. “Zen 3” and “Zen 4” based systems will require the µcode patch, which is incorporated in the BIOS update, prior to enabling OS configuration options.
Tomi Engdahl says:
40 Vulnerabilities Patched in Android With August 2023 Security Updates
https://www.securityweek.com/40-vulnerabilities-patched-in-android-with-august-2023-security-updates/
40 vulnerabilities have been patched by Google in the Android operating system with the release of the August 2023 security updates.
Just over 40 vulnerabilities have been patched by Google in the Android operating system with the release of the August 2023 security updates.
According to the tech giant, the most serious of the vulnerabilities is CVE-2023-21273, a critical remote code execution issue affecting the System component. No user interaction or elevated privileges are required for exploitation. CVE-2023-21273 impacts Android 11, 12, 12L and 13.
Several other vulnerabilities have also been rated ‘critical’, including CVE-2023-21282 (remote code execution flaw in Media Framework component), CVE-2023-21264 (kernel privilege escalation flaw), and CVE-2022-40510 (memory corruption in Qualcomm closed-source components).
Three dozen of the security holes patched with the latest updates have been assigned a ‘high severity’ rating. A majority can lead to privilege escalation and information disclosure, and some can be exploited for denial-of-service (DoS) attacks.
Tomi Engdahl says:
Intel Addresses 80 Firmware, Software Vulnerabilities
https://www.securityweek.com/intel-addresses-80-firmware-software-vulnerabilities/
Intel has addressed 80 vulnerabilities affecting its products, including 18 high-severity privilege escalation and DoS flaws.
Intel on Tuesday released a total of 46 new security advisories to inform customers about 80 vulnerabilities affecting the company’s firmware and software.
The most serious of the flaws, based on their CVSS score, are 18 high-severity issues allowing privilege escalation or, in a few cases, denial-of-service (DoS) attacks.
The vulnerabilities impact processor BIOS, chipset firmware, NUC BIOS, Unison, Manageability Commander, NUC Kit and Mini PC BIOS, Driver and Support Assistant (DSA), AI Hackathon, PROSet/Wireless Wi-Fi and Killer WiFi, NUC Pro Software Suite, Easy Streaming Wizard, Virtual RAID on CPU (VROC), SGX and TDX for some Xeon Processors, and Unite products.
Medium-severity vulnerabilities have been addressed in processors, RealSense SDKs and ID software, ITS, Unite Android app, NUC BIOS firmware, PSR SDK, SDP tool, Server Board BMC video drivers, Unison, oneAPI, Hyperscan Library, DTT, Support Android app, Agilex (Quartus Prime Pro Edition for Linux), ISPC, and Advanced Link Analyzer Standard Edition.
Bugs with a ‘medium severity’ rating have also been resolved in VCUST Tool, Distribution of OpenVINO Toolkit, Optimization for TensorFlow, Ethernet controllers and adapters, System Firmware Update Utility for Server Boards and Server System, NUC ITE Tech, Arc graphics cards, SSD Tools, PCSD, Ethernet Controller RDMA driver for Linux, and RST products.
https://www.intel.com/content/www/us/en/security-center/default.html
Tomi Engdahl says:
Vulnerabilities
Western Digital, Synology NAS Vulnerabilities Exposed Millions of Users’ Files
https://www.securityweek.com/western-digital-synology-nas-vulnerabilities-exposed-millions-of-users-files/
Critical vulnerabilities discovered in WD and Synology NAS devices could have exposed the files of millions of users.
Tomi Engdahl says:
Rapid7 Announces Layoffs, Office Closings Under Restructuring Plan
https://www.securityweek.com/rapid7-announces-layoffs-office-closings-under-restructuring-plan/
Restructuring plan will result in an 18% reduction in employee headcount and closing of some Rapid7 office locations.
Rapid7 (NASDAQ: RPD) is the latest cybersecurity vendor to announce layoffs, with the Boston-based firm announcing a restructuring plan late Tuesday that will result in an 18% reduction in employee headcount.
In total, approximately 500 employees could be impacted based on the roughly 2,700-person headcount at the end of 2022, with more than 700 people in its Boston headquarters.
The company also said in an SEC filing that it would close certain office locations, but did not disclose how many offices would be closed or what locations would be shuttered.
News of the layoffs came as the company reported strong Q2 2023 results, sending shares of the company higher by nearly 15% in after-hours trading on Tuesday.
The company ended the quarter with annualized recurring revenue (ARR) of $751 million, an increase of 14% year-over-year, and total revenue of $190 million, up 14% year-over-year. Products revenue came in at $182 million, also up 14% year-over-year.
“Revenue and Non-GAAP operating income exceeded our guidance ranges and we saw better than expected traction with our consolidation offerings as customers gravitate towards our integrated security operations platform”, Corey Thomas, Chairman and CEO of Rapid7, said in a statement.
Tomi Engdahl says:
Apple Lists APIs That Developers Can Only Use for Good Reason
To boost user privacy, Apple is requiring app developers to declare a reason to use specific APIs.
https://www.securityweek.com/apple-lists-apis-that-developers-can-only-use-for-good-reason/
Tomi Engdahl says:
Is this app on your Mac? Remove it immediately https://www.tivi.fi/uutiset/tv/8393efaf-32df-4a18-a4b8-b91fb87b9bba
The macOS operating system has long had a setting that lets the computer automatically switch from day mode to night mode, that is, from a bright, white-based screen to a darker-toned display mode.
LifeHacker reports that macOS’s own feature is not a particularly good setup, which is why many users have turned to the handy NightOwl app. NightOwl lets the user define several ways and conditions for when to switch from day mode to night mode and back. NightOwl can also keep certain apps in night mode at all times.
Now NightOwl has revealed its true nature. It has suddenly turned into thoroughly nasty malware: NightOwl adds the user’s computer to a botnet.
Tomi Engdahl says:
An exceptionally persistent scammer tries at least four times – this is what happens if you tap the link https://www.is.fi/digitoday/art-2000009772495.html
In recent weeks Finns have been sent a text message scam that includes the recipient’s first name and a claim about an arrived shipment. Using the correct name is not, however, the scam’s only peculiarity.
Unlike many other similar cons, the scam does not necessarily end with the first message even if it is ignored entirely. In an example seen by IS Digitoday, the scammer followed up with a reminder the day after the original message.
Tomi Engdahl says:
Nearly every AMD CPU since 2017 vulnerable to Inception data-leak attacks https://www.theregister.com/2023/08/09/amd_inception/
AMD processor users, you have another data-leaking vulnerability to deal with:
like Zenbleed, this latest hole can be used to steal sensitive data from a running vulnerable machine.
The flaw (CVE-2023-20569), dubbed Inception in reference to the Christopher Nolan flick about manipulating a person’s dreams to achieve a desired outcome in the real world, was disclosed by ETH Zurich academics this week.
Tomi Engdahl says:
How an unpatched Microsoft Exchange 0-day likely caused one of the UK’s biggest hacks ever https://arstechnica.com/security/2023/08/how-an-unpatched-microsoft-exchange-0-day-likely-caused-one-of-the-uks-biggest-hacks-ever/
It’s looking more and more likely that a critical zero-day vulnerability that went unfixed for more than a month in Microsoft Exchange was the cause of one of the UK’s biggest hacks ever—the breach of the country’s Electoral Commission, which exposed data for as many as 40 million residents.
Electoral Commission officials disclosed the breach on Tuesday. They said that they discovered the intrusion last October when they found “suspicious activity” on their networks and that “hostile actors had first accessed the systems in August 2021.” That means the attackers were in the network for 14 months before finally being driven out. The Commission waited nine months after that to notify the public.
Tomi Engdahl says:
Missouri says some Medicaid health information was compromised in MOVEit breach https://therecord.media/missouri-medicaid-health-info-moveit-breach
Missouri’s Department of Social Services (DSS) this week became the latest state agency to confirm it had data stolen through a vulnerability affecting the MOVEit file transfer tool.
A DSS spokesperson would not say how many people were affected but said they will be sending notices to “all Missouri Medicaid participants and providers that were enrolled in May of 2023.”
In a statement released Tuesday, officials said they were notified by IBM on June 13 that Medicaid participants’ protected health information was accessed by hackers.
Tomi Engdahl says:
Dell Compellent hardcoded key exposes VMware vCenter admin creds https://www.bleepingcomputer.com/news/security/dell-compellent-hardcoded-key-exposes-vmware-vcenter-admin-creds/
An unfixed hardcoded encryption key flaw in Dell’s Compellent Integration Tools for VMware (CITV) allows attackers to decrypt stored vCenter admin credentials and retrieve the cleartext password.
Dell Compellent is a line of enterprise storage systems offering features such as data progression, live volume, thin provisioning, data snapshots and cloning, and integrated management.
The flaw is caused by a static AES encryption key, shared across all installs, that is used to encrypt the vCenter credentials stored in the program’s configuration file.
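The design defect in that last sentence is worth seeing in code: a constant key compiled into the product is, for anyone who has the product, equivalent to no encryption at all. The Go program below is an added illustration written for this thread, not code from Dell or from the article; the key bytes, file names and the "install A / install B" setup are constructed for the example. It seals a credential with AES-256-GCM under a shared constant and shows that any other "install" opens it, then repeats the exercise with a key generated per install and stored owner-readable only, which is the minimum fix for this class of bug.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Weak pattern: one key compiled into the product and identical on every
// install, so whoever recovers it once can open every install's stored
// credential. The value is a constructed placeholder, not a product key.
var hardcodedKey = []byte("CONSTRUCTED-PLACEHOLDER-KEY-32B!")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredential encrypts with AES-256-GCM, prefixing a fresh random nonce.
func sealCredential(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openCredential reverses sealCredential; a wrong key fails the GCM tag check.
func openCredential(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed credential too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// loadOrCreateInstallKey is the fix: a 256-bit key drawn from the OS CSPRNG on
// first run and stored owner-readable only. The file layout is hypothetical;
// a platform keystore (DPAPI, Keychain, a TPM-sealed blob) is stronger still.
func loadOrCreateInstallKey(path string) ([]byte, error) {
	if key, err := os.ReadFile(path); err == nil && len(key) == 32 {
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	if err := os.WriteFile(path, key, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

// CrossInstallOpens seals secret on install A (keyA) and reports whether
// install B (keyB) can read it. True is the defect described in the article.
func CrossInstallOpens(keyA, keyB []byte, secret string) (bool, error) {
	sealed, err := sealCredential(keyA, []byte(secret))
	if err != nil {
		return false, err
	}
	got, err := openCredential(keyB, sealed)
	return err == nil && string(got) == secret, nil
}

// Compare returns (hardcodedOpens, perInstallOpens) for the same secret:
// the shared constant opens everywhere, separate install keys do not.
func Compare(secret string) (bool, bool, error) {
	base, err := os.MkdirTemp("", "keystore")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	keyA, errA := loadOrCreateInstallKey(filepath.Join(base, "installA.key"))
	keyB, errB := loadOrCreateInstallKey(filepath.Join(base, "installB.key"))
	if errA != nil || errB != nil {
		return false, false, fmt.Errorf("key setup failed: %v %v", errA, errB)
	}
	shared, errS := CrossInstallOpens(hardcodedKey, hardcodedKey, secret)
	isolated, errI := CrossInstallOpens(keyA, keyB, secret)
	if errS != nil || errI != nil {
		return false, false, fmt.Errorf("compare failed: %v %v", errS, errI)
	}
	return shared, isolated, nil
}

func main() {
	shared, isolated, err := Compare("vcenter-admin-example")
	fmt.Println("hardcoded key opens elsewhere:", shared, "| per-install key opens elsewhere:", isolated, err)
}
```

The per-install key file still relies on filesystem permissions and on the host not being compromised, which is why a platform keystore or a hardware-backed secret is the better home for a key that protects an admin credential; the point of the comparison is only that the key must differ per install and must not live in the shipped binary.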
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/dell-compellent-hardcoded-key-exposes-vmware-vcenter-admin-creds/
Tomi Engdahl says:
There’s a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack
Especially on Apple gear, uni team says
https://www.theregister.com/2023/08/10/tunnelcrack_vpn/
A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims’ network traffic to go outside their encrypted VPNs, it was demonstrated this week.
A team of academics – Nian Xue of New York University, Yashaswi Malla, Zihang Xia, and Christina Popper of New York University Abu Dhabi, and Mathy Vanhoef of imec-DistriNet and KU Leuven – on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned “every VPN product is vulnerable on at least one device.”
Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that “all VPN apps” on iOS are vulnerable. Android appears to be the most secure of the bunch.
Essentially, we’re told, these flaws can be exploited to route a victim’s network traffic outside of their secure VPN tunnel, allowing that traffic to be observed to some degree by snoopers on the local network at least. Exploitation requires a mix of skill and coercion, plus victims using vulnerable clients or configurations.
And bear in mind, if you’re securely encrypting connections before they’re sent through your VPN tunnel – such as using HTTPS to visit a website or SSH to manage a remote host – those connections should remain secure and encrypted even if redirected by these techniques; anything plain-text will be fair game. We’re assuming here your secure connections can resist man-in-the-middle decryption attacks.
https://tunnelcrack.mathyvanhoef.com/
Tomi Engdahl says:
Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116
https://thehackernews.com/2023/08/enhancing-tls-security-google-adds.html
Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116.
“Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115,” Devon O’Brien said in a post published Thursday.
Kyber was chosen by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192.
Tomi Engdahl says:
Intel Releases a Patch for ‘Downfall’ Vulnerability Affecting Billions of CPUs
There are no free lunches, though, so the fix for this bug comes with a performance penalty.
https://www.extremetech.com/internet/intel-releases-a-patch-for-downfall-vulnerability-affecting-billions-of
Intel has released a patch to plug a gaping hole in the security of older CPUs—specifically, those made from 2015 to 2019, aka Skylake to Tiger Lake. The vulnerability allowed a person sharing a computer with another person to steal “high-value credentials” such as passwords and encryption keys. Though most of us don’t usually share a computer with another person, it’s a standard scenario in cloud computing, with many clients accessing the same hardware simultaneously. Unfortunately, Intel’s fix comes with a performance penalty.
The vulnerability affecting billions of Intel CPUs was discovered by Daniel Moghimi, who is a Senior Research Scientist at Google. According to the site Mr. Moghimi made for the bug, the vulnerability essentially allows sensitive data to move between two users sharing the same physical CPU cores, a common scenario in a cloud computing environment. It’s due to a memory optimization feature in older Intel CPUs whereby internal hardware registers are inadvertently exposed to software, allowing a malicious actor to steal sensitive information from whoever is sharing the computer’s resources. Intel states in its security bulletin that it’s not aware of this attack being used outside of a “controlled lab environment.”
Tomi Engdahl says:
https://www.androidauthority.com/android-unknown-tracker-alerts-rollout-3350756/
Tomi Engdahl says:
CLI-beautifying ANSI escape sequences can also make your log files a security threat
When you can’t even cat your telemetry safely, who can you trust?
https://www.theregister.com/2023/08/09/ansi_escape_sequence_risks/
Spend much time working in a command-line terminal and you’re likely to have at least a passing familiarity with ANSI escape sequences. Those are the codes that can add color and other highlights to text, among other tasks, making your screen a little more easily readable.
Unbeknownst to some, these sequences, if ingested into logs, can corrupt those files as well as exploit buggy software accessing or processing that information, potentially. Here’s why you should clean those codes out of input data before logging it.
As security researcher and TRUESEC creative director Fredrik “Stök” Alexandersson is due to demonstrate at Black Hat today, ANSI escape sequences are also a security risk, and one that’s been long neglected.
“Somebody is going to break stuff with this,” Stök told The Register, and log files would be one thing to stuff up.
Some of us older vultures can recall being warned back in the day about cat’ing log files and other sources with potentially user-submitted data, in case whatever was processing and displaying the information – such as a filter and terminal emulator – had a bug that could be exploited by that input. But hey, that was years ago, and now is as good a time as any to remind people about cleaning user input before handling it.
“Log files are a very, very important thing when it comes to creating a timeline of a breach,” Stök said. When it comes to examining an incident or strange system behavior, Stök said, lots of people tend to start by running their logs through cat, grep, awk, and/or one of several apps that can display the contents of a log file.
As Stök told us, some tool along that chain may accept and follow any ANSI escape sequences included in that input stream, so if an attacker can manage to get some carefully crafted codes embedded in a log file – such as in a profile name or some submitted feedback – you could end up with a mangled or manipulated view of your IT situation.
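The practical counterpart to the advice above is a sanitizer that runs on every untrusted field before it is written to a log, and a detector that treats the mere presence of ESC in a profile name or feedback text as a signal worth alerting on. The Go code below is an added example for this thread, not from the article or Stök’s talk; the three log lines are constructed, the second carrying a cursor-up plus erase-line sequence and the third an OSC hyperlink, which are the kinds of payload the article warns about. It shows two sanitizing strategies: stripping recognised sequences for display, and escaping every control byte to a visible `\xNN` form for storage so the evidence survives while terminals and pagers cannot act on it.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample log lines for this example. Line 2 carries an injected
// CSI sequence (cursor up, erase line) that would overwrite the line above it
// on a terminal; line 3 carries an OSC 8 hyperlink wrapped around a field.
var sampleLines = []string{
	"2023-08-09T10:15:02Z INFO login ok user=alice src=10.0.0.5",
	"2023-08-09T10:15:07Z WARN login failed user=\x1b[1A\x1b[2K2023-08-09T10:15:07Z INFO login ok user=admin",
	"2023-08-09T10:15:09Z INFO profile updated name=\x1b]8;;http://example.invalid\x07support\x1b]8;;\x07",
}

// ansiEscape matches the three sequence families that matter for log data:
// CSI  ESC [ params intermediates final-byte
// OSC  ESC ] ... terminated by BEL or ESC \
// and any other two-byte ESC sequence (ESC followed by one byte in @..._).
var ansiEscape = regexp.MustCompile(`\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)|\x1b[@-Z\\-_]`)

// ContainsEscape reports whether a line carries an ANSI escape sequence.
// On its own this is a useful detection: a username or feedback field has no
// legitimate reason to contain ESC.
func ContainsEscape(line string) bool {
	return ansiEscape.MatchString(line)
}

// StripANSI removes recognised sequences outright; suitable for display paths
// where the original bytes are still available elsewhere.
func StripANSI(line string) string {
	return ansiEscape.ReplaceAllString(line, "")
}

// EscapeControl renders every C0 control byte and DEL as a visible \xNN
// literal. ESC becomes the four characters "\x1b", so nothing downstream
// (cat, less, a log viewer) can interpret it, yet the original payload is
// recoverable for the incident timeline. Newlines are escaped too, which also
// closes the classic "inject a fake log line" trick.
func EscapeControl(line string) string {
	var b strings.Builder
	for i := 0; i < len(line); i++ {
		c := line[i]
		if c < 0x20 || c == 0x7f {
			fmt.Fprintf(&b, `\x%02x`, c)
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

func main() {
	for _, l := range sampleLines {
		fmt.Printf("escape=%-5v stored=%s\n", ContainsEscape(l), EscapeControl(l))
	}
}
```

Escaping at write time is the safer default for forensic data; stripping is acceptable only in a viewer, because a stripped log has lost the evidence that someone tried to tamper with it in the first place.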
Tomi Engdahl says:
https://techcrunch.com/2023/08/09/researchers-watched-100-hours-of-hackers-hacking-honeypot-computers/
Tomi Engdahl says:
https://techcrunch.com/2023/08/09/rapid7-layoffs-second-quarter-earnings-loss/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-visual-studio-code-flaw-lets-extensions-steal-passwords/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-office-update-breaks-actively-exploited-rce-attack-chain/
Tomi Engdahl says:
Critical vulnerabilities found in the Finnish Defence Forces’ Virve network – but this is why there is no need to worry in Finland
Tivi, 1.8.2023 10:15 | updated 1.8.2023 10:15. Tags: vulnerabilities, mobile networks, networks
A backdoor was uncovered in the Tetra technology. Finland is in the process of moving away from Tetra, but the process is slow.
https://www.tivi.fi/uutiset/puolustusvoimien-virve-verkosta-loytyi-kriittisia-haavoittuvuuksia-taman-takia-suomessa-ei-kuitenkaan-kannata-huolestua/ed6a49e7-83c4-4c88-a3d8-509f15253739
Tomi Engdahl says:
New acoustic attack steals data from keystrokes with 95% accuracy
https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-flaw-after-being-called-irresponsible-by-tenable-ceo/
Tomi Engdahl says:
https://hackaday.com/2023/08/06/noisy-keyboards-sink-ships/
Tomi Engdahl says:
Cyberattack causes multiple hospitals to shut emergency rooms and divert ambulances
https://www.cbsnews.com/news/prospect-medical-cyberattack-california-pennsylvania-hospital/
Cybercriminals attacked the computer systems of a California-based health care provider causing emergency rooms in multiple states to close and ambulance services to be redirected.
The ransomware attack happened at Prospect Medical Holdings of Los Angeles, which has hospitals and clinics in Connecticut, Pennsylvania, Rhode Island and Texas. Prospect Medical is investigating how the breach happened and is working on resolving the issue, the company said in a statement Friday.
Tomi Engdahl says:
Thieves use tech devices to scan cars before breaking into them
https://www.nbcbayarea.com/news/local/car-break-ins-tech-devices/3285126/
Tomi Engdahl says:
https://www.kktv.com/2023/08/04/massive-data-breach-could-impact-many-how-attended-or-worked-public-school-colorado/
Tomi Engdahl says:
Researchers reveal Tesla jailbreak that could unlock Full Self-Driving for free
The group found a hardware exploit they say would be hard for Tesla to mitigate.
https://www.engadget.com/researchers-reveal-tesla-jailbreak-that-could-unlock-full-self-driving-for-free-190431645.html