This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in September 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
314 Comments
Tomi Engdahl says:
https://hackaday.com/2023/09/15/this-week-in-security-blastpass-mgm-heist-and-killer-themes/
Cisco has a CVSS 10.0 vulnerability in the Single Sign-On built in to BroadWorks. This can potentially affect quite a few Cisco applications that are part of the BroadWorks cloud calling platform. Cisco has issued updates to fix the problems.
Cisco BroadWorks Application Delivery Platform and Xtended Services Platform Authentication Bypass Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-auth-bypass-kCggMWhX
Tomi Engdahl says:
Notepad++ v8.5.7 Release (Vulnerability fixes)
https://community.notepad-plus-plus.org/topic/24895/notepad-v8-5-7-release-vulnerability-fixes/4
Notepad++ v8.5.7 Change log:
Fix 4 security issues CVE-2023-40031, CVE-2023-40036, CVE-2023-40164 & CVE-2023-40166. (Fix #14073)
Fix eventual memory leak while reading Utf8-16 files.
Tomi Engdahl says:
Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed
https://techryptic.github.io/2023/09/01/Annoying-Apple-Fans/
Tomi Engdahl says:
https://hackaday.com/2023/09/22/this-week-in-security-webp-cavium-gitlab-and-asahi-lina/
Last week we covered the latest 0-day from NSO group, BLASTPASS. There’s more details about exactly how that works, and a bit of a worrying revelation for Android users. One of the vulnerabilities used was CVE-2023-41064, a buffer overflow in the ImageIO library. The details have not been confirmed, but the timing suggests that this is the same bug as CVE-2023-4863, a Webp 0-day flaw in Chrome that is known to be exploited in the wild.
The problem seems to be an Out Of Bounds write in the BuildHuffmanTable() function of libwebp.
What’s particularly fun about this compression technique is that the image includes not just Huffman compressed data, but also a table of statistical data needed for decompression. The table is rather large, so it gets Huffman compressed too. It turns out, there can be multiple layers of this compression format, which makes the vulnerability particularly challenging to reverse-engineer.
An interesting note is that as one of Google’s C libraries, this is an extensively fuzzed codebase. While fuzzing and code coverage are both great, neither is guaranteed to find vulnerabilities, particularly well hidden ones like this one.
Tomi Engdahl says:
GPUs from all major suppliers are vulnerable to new pixel-stealing attack
https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/
A previously unknown compression side channel in GPUs can expose images thought to be private.
GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.
The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.
GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.
For GPU.zip to work, a malicious page must be loaded into the Chrome or Edge browsers. Under-the-hood differences in the way Firefox and Safari work prevent the attack from succeeding when those browsers process an attack page. Another requirement is that the page linked to in the iframe must not be configured to deny being embedded by cross-origin websites.
The security threats that can result when HTML is embedded in iframes on malicious websites have been well-known for more than a decade. Most websites restrict the cross-origin embedding of pages displaying user names, passwords, or other sensitive content through X-Frame-Options or Content-Security-Policy headers. Not all, however, do. One example is Wikipedia, which shows the usernames of people who log in to their accounts.
Tomi Engdahl says:
Vulnerabilities
In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
https://www.securityweek.com/in-the-wild-exploitation-expected-for-critical-teamcity-flaw-allowing-server-takeover/
A critical vulnerability in the TeamCity CI/CD server could allow unauthenticated attackers to execute code and take over vulnerable servers.
A critical vulnerability in the TeamCity CI/CD server could be exploited remotely, without authentication, to execute arbitrary code and gain administrative control over a vulnerable server.
Developed by JetBrains, TeamCity is a general-purpose build management and continuous integration platform available both for on-premises installation and as a cloud service.
The recently identified critical flaw, tracked as CVE-2023-42793 (CVSS score of 9.8), is described as an authentication bypass impacting the on-premises version of TeamCity.
The issue can be exploited by attackers over an HTTP(S) connection and does not require user interaction for successful exploitation, code security firm Sonar Source, which identified the bug, explains.
“This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” Sonar notes.
Tomi Engdahl says:
Xenomorph Android Banking Trojan Targeting Users in US, Canada
https://www.securityweek.com/xenomorph-android-banking-trojan-targeting-users-in-us-canada/
The Xenomorph Android banking trojan can now mimic financial institutions in the US and Canada and is also targeting crypto wallets.
Tomi Engdahl says:
Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
https://www.securityweek.com/predator-spyware-delivered-to-ios-android-devices-via-zero-days-mitm-attacks/
Predator spyware delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and MitM attacks.
Tomi Engdahl says:
Microsoft Adding New Security Features to Windows 11
https://www.securityweek.com/microsoft-adding-new-security-features-to-windows-11/
Microsoft announced that the latest Windows 11 update (23H2) will bring more support for passkeys and several new security features.
Microsoft on Tuesday announced the new security features that will be available in the latest version of Windows 11.
Windows 11 feature updates are released in the second half of each calendar year. The latest update, 23H2, is being gradually rolled out to users, with Microsoft expecting the new features to reach all devices by the release of the November 2023 security updates.
However, customers with eligible devices running Windows 11 version 22H2 can get the updates sooner by going to the Windows Update section in Settings and enabling the ‘Get the latest updates as soon as they’re available’ option.
Microsoft said its goal is to simplify and modernize security for IT teams by reducing the attack surface.
The latest Windows 11 update expands support for passkeys, which are replacing passwords to offer enhanced security. Users will be able to use and secure passkeys via their phone or Windows Hello (including Hello for Business), enabling them to sign in to a website or application using a device PIN, their face or their fingerprint.
Tomi Engdahl says:
UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
UAE-linked APT group Stealth Falcon has used the new Deadglyph backdoor in an attack targeting a governmental entity in the Middle East.
https://www.securityweek.com/uae-linked-apt-targets-middle-east-government-with-new-deadglyph-backdoor/
Tomi Engdahl says:
Sony Investigating After Hackers Offer to Sell Stolen Data
https://www.securityweek.com/sony-investigating-after-hackers-offer-to-sell-stolen-data/
Sony has launched an investigation after a ransomware group claimed to have compromised all systems and offered to sell stolen data.
Tomi Engdahl says:
US and Japan warn of Chinese hackers backdooring Cisco routers https://www.bleepingcomputer.com/news/security/us-and-japan-warn-of-chinese-hackers-backdooring-cisco-routers/
US and Japanese law enforcement and cybersecurity agencies warn of the Chinese ‘BlackTech’ hackers breaching network devices to install custom backdoors for access to corporate networks.
The joint report comes from the FBI, NSA, CISA, and the Japanese NISC
(cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.
BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-sponsored Chinese APT group (advanced persistent threat) known for conducting cyber espionage attacks on Japanese, Taiwanese, and Hong Kong-based entities since at least 2010.
The sectors BlackTech targets include government, industrial, technology, media, electronics, telecommunication, and the defense industry.
Tomi Engdahl says:
US and Japan warn of Chinese hackers backdooring Cisco routers https://www.bleepingcomputer.com/news/security/us-and-japan-warn-of-chinese-hackers-backdooring-cisco-routers/
US and Japanese law enforcement and cybersecurity agencies warn of the Chinese ‘BlackTech’ hackers breaching network devices to install custom backdoors for access to corporate networks.
The joint report comes from the FBI, NSA, CISA, and the Japanese NISC
(cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.
BlackTech (aka Palmerworm, Circuit Panda, and Radio Panda) is a state-sponsored Chinese APT group (advanced persistent threat) known for conducting cyber espionage attacks on Japanese, Taiwanese, and Hong Kong-based entities since at least 2010.
The sectors BlackTech targets include government, industrial, technology, media, electronics, telecommunication, and the defense industry.
Alkup. https://www.ic3.gov/Media/News/2023/230927.pdf
Tomi Engdahl says:
GitHub repos bombarded by info-stealing commits masked as Dependabot https://www.bleepingcomputer.com/news/security/github-repos-bombarded-by-info-stealing-commits-masked-as-dependabot/
Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers.
The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.
Dependabot is an automated tool provided by GitHub that scans projects for vulnerable dependencies and then automatically issues pull requests to install the updated versions.
Tomi Engdahl says:
Sony investigates cyberattack as hackers fight over who’s responsible https://www.bleepingcomputer.com/news/security/sony-investigates-cyberattack-as-hackers-fight-over-whos-responsible/
Sony says that it is investigating allegations of a cyberattack this week as different hackers have stepped up to claim responsibility for the purported hack.
While claims of attacking Sony’s systems were initially made by an extortion group called RansomedVC, a different threat actor has touted themselves to be the attackers and refuted RansomedVC’s claims.
Thus far, over 3.14 GB of uncompressed data, allegedly belonging to Sony, has been dumped on hacker forums.
Tomi Engdahl says:
https://thehackernews.com/2023/09/new-zenrat-malware-targeting-windows.html
https://thehackernews.com/2023/09/new-zenrat-malware-targeting-windows.html
A new malware strain called ZenRAT has emerged in the wild that’s distributed via bogus installation packages of the Bitwarden password manager.
“The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page,” enterprise security firm Proofpoint said in a technical report. “The malware is a modular remote access trojan
(RAT) with information stealing capabilities.”
ZenRAT is hosted on fake websites pretending to be associated with Bitwarden, although it’s uncertain as to how traffic is being directed to the domains.
Such malware has been propagated via phishing, malvertising, or SEO poisoning attacks in the past.
The payload (Bitwarden-Installer-version-2023-7-1.exe), downloaded from crazygameis[.]com, is a trojanized version of the standard Bitwarden installation package that contains a malicious .NET executable (ApplicationRuntimeMonitor.exe).
—
Tomi Engdahl says:
Vulnerability in popular ‘libwebp’ code more widespread than expected https://therecord.media/libwebp-vulnerability-more-widespread-than-expected
Cybersecurity experts are warning that the scope of a previously disclosed vulnerability affecting a variety of web applications is wider than what was originally announced.
The vulnerability — first tracked as CVE-2023-4863 — was disclosed by Google last week as a vulnerability affecting its Chrome browser. Other browsers began to release notices about the issue before researchers dug deeper into it and sourced the vulnerability back to the open-source libwebp library.
The library — which provides code for rendering images in the WebP format — is used by multiple browsers and image editors, including Chrome, Mozilla’s Firefox and Microsoft Edge.
This week, Google gave the issue a new number — CVE-2023-5129 — and marked the vulnerability with the highest CVSS severity rating, 10 out of 10. Google did not respond to requests for comment about the issue.
Software supply-chain security researchers at Rezilion last week had said the vulnerability’s scope is “much wider than initially assumed, affecting millions of different applications worldwide.”
“Vulnerability scanners will not necessarily provide a reliable indication of the presence of this vulnerability, due to being wrongly scoped as a Chrome issue,” researchers from the company said.
The vulnerable library was “found in several popular container images’ latest versions, collectively downloaded and deployed billions of times, such as Nginx, Python, Joomla, WordPress, Node.js, and more.”
Tomi Engdahl says:
Russian hackers target Ukrainian government systems involved in war crimes investigations https://therecord.media/russian-hackers-target-ukraine-gov-systems-war-crime-espionage
Russia is stepping up its cyberattacks on Ukraine’s law enforcement agencies in an effort to uncover what they know about war crimes committed by Russian soldiers, according to Ukrainian cybersecurity officials.
The Kremlin’s recent espionage campaigns targeted Ukraine’s prosecutor general’s office, courts, and other entities involved in investigating war crimes, said Victor Zhora, the deputy chairman of Ukraine’s cybersecurity service (SSSCIP), during a press conference on Tuesday.
Tomi Engdahl says:
Russian zero-day seller offers $20M for hacking Android and iPhones
https://techcrunch.com/2023/09/27/russian-zero-day-seller-offers-20m-for-hacking-android-and-iphones/?guccounter=1&guce_referrer=aHR0cHM6Ly9pdC5zbGFzaGRvdC5vcmcv&guce_referrer_sig=AQAAACD3OC_G3n0htbEoIsbSys9tw87S8vczespQBgcg8ZfQO3QYw6dAoLgGffOFyF9FMW9s_C4
A company that acquires and sells zero-day exploits — flaws in software that are unknown to the affected developer — is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices.
On Wednesday, Operation Zero announced on its Telegram accounts and on its official account on X, formerly Twitter, that it was increasing payments for zero-days in those platforms from $200,000 to $20 million.
Operation Zero, which is based in Russia and launched in 2021, also added that “as always, the end user is a non-NATO country.” On its official website, the company says that “our clients are Russian private and government organizations only.”
When asked why they only sell to non-NATO countries, Operation Zero CEO Sergey Zelenyuk declined to say. “No reasons other than obvious ones,” he said.
Tomi Engdahl says:
Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html
The Stable channel has been updated to 117.0.5938.132 for Windows, Mac and Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the log.
Google is aware that an exploit for CVE-2023-5217 exists in the wild.
Tomi Engdahl says:
Google korjasi kiireellä pahan haavoittuvuuden Chromesta – silti liian myöhään https://www.is.fi/digitoday/tietoturva/art-2000009885732.html
GOOGLE julkaisi keskiviikkona kiireellisen paikkauksen erittäin suositun Chrome-verkkoselaimen haavoittuvuuteen. Windowsille, Macille ja Linuxille ilmestynyt päivitys korjaa aukon videon pakkauksessa käytetystä koodista.
Google sanoo tietävänsä, että aukolle on jo olemassa menetelmä sen käyttämiseksi hyväksi. Ongelmasta ilmoitti Googlen Threat Analysis Groupissa työskentelevä tutkija Clément Lecigne maanantaina. Googlelta kesti siis vain kaksi päivää korjata se ja julkaista päivitys.
Samassa Threat Analysis Groupissa niin ikään työskentelevä Maddie Stone sanoi X:ssä eli entisessä Twitterissä, että haavoittuvuutta käyttää hyväkseen kaupallinen vakoiluyritys. Kyseessä lienee siis taho, joka myy keinoja hyökätä Chromen käyttäjiä vastaan esimerkiksi valtioille tai muille halukkaille.
Tomi Engdahl says:
Työn alla oleva laki antaisi poliisille pääsyn kaikkeen yksityiseen viestintään – näin sitä perustellaan puolesta ja vastaan https://www.is.fi/digitoday/art-2000009884437.html
PIKAVIESTIMIEN vahvan salauksen purkamisen mahdollistavan lakiesityksen käsittely on edennyt Suomessa valiokuntavaiheeseen. Kyseessä on EU-komission lakiehdotus, jonka takana on lapsiin kohdistuvan seksuaalisen väkivallan vastainen taistelu.
Alkuperäisessä ehdotuksessa Euroopan parlamentin ja neuvoston asetukseksi ja valtioneuvoston kirjelmässä ehdotetaan velvoitteita internet-yhtiöille, joihin kuuluvat muun muassa pikaviestimet, verkkotallennustilan tarjoajat ja teleoperaattorit. Velvoitteiden mukaan yhtiöiden tulisi tunnistaa niiden palveluissa liikkuva seksuaaliväkivaltaa todistava kuvamateriaali ja grooming.
Lisäksi tulisi perustaa erillinen lapsiin kohdistuvan seksuaaliväkivallan EU-torjuntakeskus.
Kokonaisuudessaan ehdotuksen nimi on Euroopan komission ehdotus Euroopan parlamentin ja neuvoston asetukseksi lapsiin kohdistuvan seksuaaliväkivallan ehkäisystä ja torjuntaa koskevista säännöistä. Puhekielessä siitä käytetään nimeä CSAM-laki tai chat control.
Tomi Engdahl says:
Ransomware group demands $51 million from Johnson Controls after cyber attack https://www.bitdefender.com/blog/hotforsecurity/ransomware-group-demands-51-million-from-johnson-controls-after-cyber-attack/
Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack.
The company, which employs over 100,000 people around the world, suffered a ransomware attack over the weekend which left data encrypted and caused it to shut down sections of its IT infrastructure.
The Dark Angels ransomware group has claimed responsibility for the attack, and claims to have exfiltrated over 25 TB of data from the organisation. The threat? If a whopping $51 million ransom is not paid, Dark Angels say that the stolen data will be published on the “Dunghill Leaks” site.
Tomi Engdahl says:
Pegasus spyware and how it exploited a WebP vulnerability https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability
Recent events have demonstrated very clearly just how persistent and wide-spread the Pegasus spyware is. For those that have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the timeline of events, but have made some adjustments to keep the flow of the story alive.
Tomi Engdahl says:
Suspected China-based hackers target Middle Eastern telecom, Asian government https://therecord.media/suspected-chinese-hackers-target-telecom-asia-government
Hackers targeted a Middle Eastern telecom organization and an Asian government in a recent spying operation, according to a report published Thursday.
The hacking group Budworm, also known as Emissary Panda and APT27, is believed to be based in China. Last year, it attacked a U.S. state legislature using a Log4j vulnerability.
In its most recent campaign in August, Budworm used a previously unseen version of its custom backdoor called SysUpdate to spy on the unnamed telecom company Asian government body, as reported by Symantec researchers.
Tomi Engdahl says:
Cisco Warns of IOS Software Zero-Day Exploitation Attempts https://www.securityweek.com/cisco-warns-of-ios-software-zero-day-exploitation-attempts/
Cisco this week announced patches for multiple vulnerabilities impacting its products, including a medium-severity flaw in IOS and IOS XE software that appears to have been exploited in attacks.
Tracked as CVE-2023-20109, the bug impacts the Group Encrypted Transport VPN (GET VPN) feature of IOS and IOS XE and can lead to remote code execution.
Successful exploitation of the flaw requires that the attacker has valid credentials and administrative control over a group member or a key server.
The tech giant also notes that it has observed exploitation attempts targeting this vulnerability.
“Cisco discovered attempted exploitation of the GET VPN feature and conducted a technical code review of the feature. This vulnerability was discovered during our internal investigation,” the company notes.
Cisco says that, aside from CVE-2023-20109, it is not aware of any of these vulnerabilities [announced this week] being exploited in attacks. Additional information can be found on Cisco’s security advisories page.
Tomi Engdahl says:
Volkswagen stuck in neutral after ‘IT disruption’
https://www.theregister.com/2023/09/28/volkswagen_crippled_it_disruption/
Some of Volkswagen’s operations have screeched to a halt after some sort of cyber incident, according to German media reports.
The event has halted large parts of the car manufacturer’s IT and production systems at locations around the globe, according to daily business newspaper Handelsblatt.
A VW spokesperson confirmed the disruption to the German publication, describing it as an “IT disruption of network components at the Wolfsburg location.” It reportedly began at 1230 local time on Wednesday, and the full extent of the shutdown remains unknown.
***
Tomi Engdahl says:
Vulnerabilities
Firefox 118 Patches High-Severity Vulnerabilities
https://www.securityweek.com/firefox-118-patches-high-severity-vulnerabilities/
Firefox 118 patches six high-severity vulnerabilities, including a memory leak potentially leading to sandbox escape.
Mozilla on Tuesday announced security updates for both Firefox and Thunderbird, addressing a total of nine vulnerabilities in its products, including high-severity flaws.
Firefox 118 was released to the stable channel with patches for all nine vulnerabilities – all are memory issues, most of which could lead to exploitable crashes.
Tracked as CVE-2023-5168 and CVE-2023-5169, the first two high-severity flaws are described as out-of-bounds write issues in the browser’s FilterNodeD2D1 and PathOps components. According to Mozilla, both could lead to “a potentially exploitable crash in a privileged process”.
The third bug, CVE-2023-5170, is a memory leak issue that “could be used to effect a sandbox escape if the correct data was leaked”, Mozilla explains in its advisory.
Another high-severity vulnerability was patched in the Ion compiler. Tracked as CVE-2023-5171 and described as a use-after-free condition, the bug allowed an attacker to write two NUL bytes, causing a potentially exploitable crash.
Firefox 118 also patches CVE-2023-5172, a memory corruption in Ion Hints that could lead to a use-after-free condition and a potentially exploitable crash.
The browser update also resolves multiple high-severity memory safety bugs that are collectively tracked as CVE-2023-5176. According to Mozilla, “with enough effort”, an attacker could exploit some of these flaws to execute arbitrary code.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-41/
Tomi Engdahl says:
US State Department Says 60,000 Emails Taken in Alleged Chinese Hack
https://www.securityweek.com/us-state-department-says-60000-emails-taken-in-alleged-chinese-hack/
The US State Department said that hackers took around 60,000 emails in an attack which Microsoft has blamed on China.
The US State Department said Thursday that hackers took around 60,000 emails, although none of them classified, in an attack which Microsoft has blamed on China.
Microsoft revealed in July that a Chinese hacking group had breached its email platform and accessed messages from around 25 organizations including US government agencies.
“It was approximately 60,000 unclassified emails that were exfiltrated as a part of that breach,” State Department spokesman Matthew Miller told reporters.
“Classified systems were not hacked. These only related to the unclassified system,” he said.
Tomi Engdahl says:
https://www.securityweek.com/lumu-raises-30-million-for-threat-detection-and-response-platform/
Tomi Engdahl says:
Endpoint Security
New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-websites-to-steal-data/
GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip.
Nearly all modern graphics processing units (GPUs) are vulnerable to a new type of side-channel attack that could be leveraged to obtain sensitive information, according to a team of researchers from various universities in the United States.
The new attack method, named GPU.zip, was discovered and detailed by representatives of the University of Texas at Austin, Carnegie Mellon University, University of Washington, and University of Illinois Urbana-Champaign.
The GPU.zip attack leverages hardware-based graphical data compression, an optimization in modern GPUs that is designed for improving performance.
“GPU.zip exploits software-transparent uses of compression. This is in contrast to prior compression side channels, which leak because of software-visible uses of compression and can be mitigated by disabling compression in software,” the researchers explained.
https://www.hertzbleed.com/gpu.zip/
https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf
Questions and Answers
Am I affected by GPU.zip?
Likely, yes. We tested integrated GPUs from AMD, Apple, Arm, Intel, and Qualcomm and one discrete GPU from Nvidia. We have at least preliminary results to show that all tested GPUs are affected.
I am a website developer. How do I protect my users?
If your website displays sensitive information about users, you should configure your website to deny being embedded by cross-origin websites. For more information on how to do this, we refer to this web.dev article.
https://web.dev/security-headers/
I am a user. Should I be worried?
Under most circumstances, probably not. Most sensitive websites already deny being embedded by cross-origin websites. As a result, they are not vulnerable to the pixel stealing attack we mounted using GPU.zip. However, some websites remain vulnerable.
Do GPU vendors plan to patch?
As of September 2023, no GPU vendor has committed to patching.
Does Chrome plan to patch?
As of September 2023, Google is still deciding whether and how to patch.
What about other browsers?
Chrome is vulnerable to the pixel stealing attack demonstrated in the paper because it satisfies the following three criteria:
1. It allows cross-origin iframes to be loaded with cookies.
2. It allows rendering SVG filters on iframes.
3. It delegates rendering tasks to the GPU.
Other browsers, like Firefox and Safari, do not meet all these criteria and are therefore not vulnerable.
Tomi Engdahl says:
Cybercrime
Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product
https://www.securityweek.com/progress-software-patches-critical-pre-auth-flaws-in-ws_ftp-server-product/
Progress Software ships patches for critical-severity flaws in its WS_FTP file transfer software and warns that a pre-authenticated attacker could wreak havoc on the underlying operating system.
Enterprise technology vendor Progress Software on Thursday shipped patches for critical-level security flaws in its WS_FTP file transfer software, warning that a pre-authenticated attacker could wreak havoc on the underlying operating system.
An urgent bulletin from the Burlington, Mass. company documented at least eight security defects that could be exploited remotely and urged business customers to immediately upgrade to WS_FTP Server 2020.0.4 (8.7.4) and WS_FTP Server 2022.0.2 (8.8.2).
Progress Software said two of the vulnerabilities — CVE-2023-40044 and CVE-2023-40045 — are rated critical because of the risk of pre-auth remote command execution attacks.
Tomi Engdahl says:
Government
Government Shutdown Could Bench 80% of CISA Staff
https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/
Roughly 80% of CISA staff will be sent home at the end of the week in case of a government shutdown.
Roughly 80% of the staff at US cybersecurity agency CISA may be sent home at the end of the week as a government shutdown looms.
The US government will partially shut down on Sunday unless lawmakers reach a deal on a funding bill. A shutdown will result in the furlough of hundreds of thousands of non-essential federal employees and the suspension of many services.
The Department of Homeland Security has announced the number of employees that would stay on during a shutdown for each of its agencies. In the case of CISA, which had 3,117 employees as of June 17, only 571 would remain during a lapse in appropriations. This means that more than 80% of its workers would be furloughed.
A government shutdown can have a significant impact on cybersecurity, including increasing criminal activity, failure to renew digital certificates, failure to deploy security patches, and denting the government’s ability to recruit talent.
In CISA’s case, the agency plays an important role in protecting the government and the private sector against cyber threats.
This includes issuing warnings over actively exploited vulnerabilities, helping investigate high-impact cyberattacks, creating guidance, aiding critical infrastructure organizations beef up their security, conducting cyber exercises, and assisting with incident response.
“The silver lining for cybersecurity in any government shutdown is that most government personnel involved with cybersecurity operations are likely to be classified as essential and will be exempt from furlough. These would include roles like security monitoring and incident response, but generally not roles like security governance,” commented Jake Williams, veteran cybersecurity expert and faculty at IANS Research.
“The dark cloud is that in many government agencies, large percentages of the tactical security operations work is performed by contractors, who have historically not had the same exemptions to remain in place. In any shutdown scenario, there will be fewer staff available for security monitoring and response,” Williams added.
Tomi Engdahl says:
Katala huijaus piinaa tuhansia pankkiasiakkaita – ”Huijari on nähnyt vaivaa”
Traficomin tiedotteen mukaan pankkitunnuksia kalasteleva huijari on nähnyt asian eteen vaivaa.
https://www.iltalehti.fi/kotimaa/a/24a14a98-889e-4e18-97b1-3e96905c7175
Suomalaisia on yritetty kuluvalla viikolla huijata tuhansilla pankkitunnuksia kalastelevilla viesteillä, kertoo Traficom tiedotteessaan.
Tomi Engdahl says:
People using apps, software frameworks, or websites that involve VP8, especially for video encoding, should exercise caution.
A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day
If your software package involves VP8 video encoding, it’s likely vulnerable to attack.
https://arstechnica.com/security/2023/09/new-0-day-in-chrome-and-firefox-is-likely-to-plague-other-software/?utm_source=facebook&utm_brand=ars&utm_social-type=owned&utm_medium=social&fbclid=IwAR20jyw0ARP1mnuZJRVglNYrJwFDd8nieYTpUgQHHvmfWotiAiCwFJrVVtU
On Wednesday, Google reported that a critical zero-day vulnerability in its Chrome browser is opening the Internet to a new chapter of Groundhog Day.
Like a critical zero-day Google disclosed on September 11, the new exploited vulnerability doesn’t affect just Chrome. Already, Mozilla has said that its Firefox browser is vulnerable to the same bug, which is tracked as CVE-2023-5217. And just like CVE-2023-4863 from 17 days ago, the new one resides in a widely used code library for processing media files, specifically those in the VP8 format.
Pages here and here list hundreds of packages for Ubuntu and Debian alone that rely on the library known as libvpx. Most browsers use it, and the list of software or vendors supporting it reads like a who’s who of the Internet, including Skype, Adobe, VLC, and Android.
It’s unclear how many software packages that depend on libvpx will be vulnerable to CVE-2023-5217. Google’s disclosure says the zero-day applies to video encoding. By contrast, the zero-day exploited in libwebp, the code library vulnerable to the attacks earlier this month, worked for encoding and decoding. In other words, based on the wording in the disclosure, CVE-2023-5217 requires a targeted device to create media in the VP8 format. CVE-2023-4863 could be exploited when a targeted device simply displayed a booby-trapped image.
“The fact that a package depends on libvpx does NOT necessarily mean that it’d be vulnerable,” Will Dorman, senior principal analyst at Analygence, wrote in an online interview. “The vuln is in VP8 encoding, so if something uses libvpx only for decoding, they have nothing to worry about.”
Even with that important distinction, there are likely to be many more packages besides Chrome and Firefox that will require patching. “Firefox, Chrome (and Chromium-based) browsers, plus other things that expose VP8 encoding capabilities from libvpx to JavaScript (i.e. web browsers), seem to be at risk,” he said.
Few details are currently available about the in-the-wild attacks that exploited the latest zero-day. The Google post said only that code exploiting the flaw “exists in the wild.” A social media post from Maddie Stone, a security researcher in Google’s Threat Analysis Group, said the zero-day was “in use by a commercial surveillance vendor.”
Tomi Engdahl says:
Hackers Claim Coca-Cola Bottler Paid $1.5 Million to Keep Lid on ‘Certain’ Files Stolen in Ransomware Attack
https://www.bitdefender.com/blog/hotforsecurity/hackers-claim-coca-cola-bottler-paid-1-5-million-to-keep-lid-on-certain-files-stolen-in-ransomware-attack/?cid=soc%7Cc%7Cfb%7CH4S%2F&fbclid=IwAR0RRugu_87tS2f3NHt4my3MWStYOF_0Ee7BQ9eeYP6oqDPCYh7NZjrIXoI%2F
Coca-Cola FEMSA, the world’s largest franchise Coca-Cola bottler, allegedly suffered a cyberattack, prompting management to pay the hackers ransom to prevent the leak of “certain” files.
A threat actor known as “TheSnake” allegedly acquired a “full database Coca-Cola FEMSA containing company information, confidential photos and files, and much more,” reports DataBreaches.net, which covers daily data breach events and leaks.
In a typical ransomware attack, the threat actor and his crew allegedly penetrated the company’s IT infrastructure twice in just over a year, resulting in a data dump exceeding 8 GB (5.8 GB compressed).
https://www.databreaches.net/coca-cola-femsa-victim-of-ransomware-attack-and-data-leak/
Tomi Engdahl says:
North Korean hackers posed as Meta recruiter on LinkedIn
Targets of the operation were given phony coding challenges that delivered a range of malware including a previously-unseen backdoor.
https://cyberscoop.com/north-korea-meta-linkedin/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/github-repos-bombarded-by-info-stealing-commits-masked-as-dependabot/
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers report critical vulnerabilities in the Exim open-source mail transfer agent that allow for remote code execution; Exim is used by up to 253K servers — Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched. — Thousands of servers running …
Critical vulnerabilities in Exim threaten over 250k email servers worldwide
Remote code execution requiring no authentication fixed. 2 other RCEs remain unpatched.
https://arstechnica.com/security/2023/09/critical-vulnerabilities-in-exim-threaten-over-250k-email-servers-worldwide/
Thousands of servers running the Exim mail transfer agent are vulnerable to potential attacks that exploit critical vulnerabilities, allowing remote execution of malicious code with little or no user interaction.
The vulnerabilities were reported on Wednesday by Zero Day Initiative, but they largely escaped notice until Friday when they surfaced in a security mail list. Four of the six bugs allow for remote code execution and carry severity ratings of 7.5 to 9.8 out of a possible 10. Exim said it has made patches for three of the vulnerabilities available in a private repository. The status of patches for the remaining three vulnerabilities—two of which allow for RCE—are unknown. Exim is an open source mail transfer agent that is used by as many as 253,000 servers on the Internet.
“Sloppy handling” on both sides
ZDI provided no indication that Exim has published patches for any of the vulnerabilities, and at the time this post went live on Ars, the Exim website made no mention of any of the vulnerabilities or patches. On the OSS-Sec mail list on Friday, an Exim project team member said that fixes for two of the most severe vulnerabilities and a third, less severe one are available in a “protected repository and are ready to be applied by the distribution maintainers.”
There were no more details about the fixes, precisely how admins obtain them, or if there are mitigations available for those who can’t patch right away. Exim project team members didn’t respond to an email asking for additional information.
The most severe of the vulnerabilities, tracked as CVE-2023-42115, is among those that the Exim team member said have been patched. ZDI described it as an out-of-bounds flaw in an Exim component that handles authentication.
Another patched vulnerability, tracked as CVE-2023-42116, is a stack-based overflow in the Exim challenge component. Its severity rating is 8.1 and also allows for RCE.
The third fixed vulnerability is tracked as CVE-2023-42114, which allows for disclosure of sensitive information. It carries a rating of 3.7.
Some critics have called out the Exim project for not transparently disclosing the vulnerabilities. Adding more fuel to the critiques, the ZDI disclosures provided a timeline that indicated company representatives notified Exim project members of the vulnerabilities in June 2022. A handful of back-and-forth interactions occurred over the intervening months until ZDI disclosed them Wednesday.
In a post on Friday to the OSS-Sec mail list, Exim project team member Heiko Schlittermann said that after receiving the private ZDI report in June 2022, team members asked for additional details “but didn’t get answers we were able to work with.” The next contact didn’t occur until May 2023. “Right after this contact we created project bug tracker for 3 of the 6 issues,” Schlittermann said. “The remaining issues are debatable or miss information we need to fix them.”
Some people participating in the discussion criticized both sides.
“This looks like sloppy handling of these issues so far by both ZDI and Exim—neither team pinging the other for 10 months, then Exim taking 4 months to fix even the 2 high-scored issues it did have sufficient info on,” the distinguished security researcher known as Solar Designer wrote. “What are you doing to improve the handling from this point on?”
With only a limited number of details becoming available so late on a Friday, patching and potential mitigations may not be as straightforward as some admins might hope. Despite any potential hardships, the vulnerabilities sound serious.
Tomi Engdahl says:
Olivia Solon / Bloomberg:
Research: ahead of Slovakia’s parliamentary elections, videos with deepfake voices of politicians are spreading on apps like Facebook, Instagram, and Telegram
Trolls in Slovakian Election Tap AI Deepfakes to Spread Disinfo
https://www.bloomberg.com/news/articles/2023-09-29/trolls-in-slovakian-election-tap-ai-deepfakes-to-spread-disinfo#xj4y7vzkg
Videos featuring AI-generated deepfake voices of politicians are spreading on social media ahead of the Slovak parliamentary elections this weekend, showcasing how the emergent technology is being harnessed for political disinformation.
The clips are being shared on sites including Meta Platforms Inc.’s Facebook and Instagram and messaging apps like Telegram that include audio impersonating political opponents, Reset, a research group that looks at technology’s impact on democracy, said in a report on Friday.
Tomi Engdahl says:
Millions of Exim mail servers exposed to zero-day RCE attacks https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
A critical zero-day vulnerability in all versions of Exim mail transfer agent
(MTA) software can let unauthenticated attackers gain remote code execution
(RCE) on Internet-exposed servers. Found by an anonymous security researcher and disclosed through Trend Micro’s Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service.
While this type of issue can lead to software crashes or corruption of data following successful exploitation, it can also be abused by attackers for code or command execution on vulnerable servers.
“The specific flaw exists within the smtp service, which listens on TCP port
25 by default,” a ZDI security advisory published on Wednesday explains.
“The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.”
Tomi Engdahl says:
Progress warns of maximum severity WS_FTP Server vulnerability https://www.bleepingcomputer.com/news/security/progress-warns-of-maximum-severity-ws-ftp-server-vulnerability/
Progress Software, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software.
The company says thousands of IT teams worldwide use its enterprise-grade WS_FTP Server secure file transfer software. In an advisory published on Wednesday, Progress disclosed multiple vulnerabilities impacting the software’s manager interface and Ad hoc Transfer Module.
Tomi Engdahl says:
Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts https://thehackernews.com/2023/09/cisco-warns-of-vulnerability-in-ios-and.html
Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or
G-IKEv2 protocol enabled.
The company said the shortcoming “could allow an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash.”
Tomi Engdahl says:
APT34 Deploys Phishing Attack With New Malware https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html
We analyzed a new malware, which we attribute to the APT34 advanced persistent threat (APT) group, that was involved in a phishing attack. In August, our threat hunting activities identified a malicious document we investigated to have been used during a targeted phishing attack by the group. The malicious document is responsible for dropping a new malware we have called Menorah (taken from the malicious document’s dropped executable, detected by Trend Micro as Trojan.W97M.SIDETWIST.AB), and for creating a scheduled task for persistence. The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware.
Tomi Engdahl says:
Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
ESET researchers have uncovered a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, most notably a publicly undocumented backdoor we named LightlessCan. Lazarus operators obtained initial access to the company’s network last year after a successful spearphishing campaign, masquerading as a recruiter for Meta – the company behind Facebook, Instagram, and WhatsApp.
The fake recruiter contacted the victim via LinkedIn Messaging, a feature within the LinkedIn professional social networking platform, and sent two coding challenges required as part of a hiring process, which the victim downloaded and executed on a company device. The first challenge is a very basic project that displays the text “Hello, World!”, the second one prints a Fibonacci sequence – a series of numbers in which each number is the sum of the two preceding ones.
Tomi Engdahl says:
Exploit released for Microsoft SharePoint Server auth bypass flaw https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-sharepoint-server-auth-bypass-flaw/
Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don’t require user interaction.
“An attacker who has gained access to spoofed JWT authentication tokens can use them to execute a network attack which bypasses authentication and allows them to gain access to the privileges of an authenticated user,” Microsoft explained in June when it patched the vulnerability.
“An attacker who successfully exploited this vulnerability could gain administrator privileges. The attacker needs no privileges nor does the user need to perform any action.”
Tomi Engdahl says:
A cryptor, a stealer and a banking trojan https://securelist.com/crimeware-report-asmcrypt-loader-lumma-stealer-zanubis-banker/110512/
As long as cybercriminals want to make money, they’ll keep making malware, and as long as they keep making malware, we’ll keep analyzing it, publishing reports and providing protection. Last month we covered a wide range of cybercrime topics. For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader). But there’s more going on in the cybercrime landscape, so we also published reports on new versions of the Lumma stealer and Zanubis Android banking trojan. This blog post contains excerpts from those reports.
Tomi Engdahl says:
FBI: Dual ransomware attack victims now get hit within 48 hours https://bleepingcomputer.com/news/security/fbi-dual-ransomware-attack-victims-now-get-hit-within-48-hours/
The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days. FBI’s warning comes in the form of a Private Industry Notification prompted by trends observed starting July 2023. The federal law enforcement agency explains that ransomware affiliates and operators have been observed using two distinct variants when targeting victim organizations. Variants used in these dual ransomware attacks include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.
“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the FBI said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”
Tomi Engdahl says:
Large Michigan healthcare provider confirms ransomware attack https://therecord.media/mclaren-healthcare-ransomware-attack-michigan
One of the largest healthcare systems in Michigan confirmed that it is dealing with a ransomware attack after a notorious hacker gang boasted about the incident. A spokesperson for McLaren HealthCare said the organization recently detected suspicious activity on its computer network and immediately began an investigation.
“Based on our investigation, we have determined that we experienced a ransomware event. We are investigating reports that some of our data may be available on the dark web and will notify individuals whose information was impacted, if any, as soon as possible,” a spokesperson said. McLaren operates
13 hospitals across Michigan, as well as other medical services such as infusion centers, cancer centers, primary and specialty care offices and a clinical laboratory network. The company has more than 28,000 employees and also has a wholly owned medical malpractice insurance company.
Tomi Engdahl says:
Tuhansia huijausviestejä OP:n nimissä – rahat menevät jos tällä sivulla luovuttaa tunnuksensa https://www.is.fi/digitoday/tietoturva/art-2000009888996.html
OP-Pankin nimissä toimivat huijarit ovat olleet erittäin aktiivisia kuluneella viikolla. Tietoturvaviranomainen Kyberturvallisuuskeskus kertoo huijaussähköposteja lähetetyn suomalaisille tuhansittain. Keskus on saanut viesteistä kymmeniä ilmoituksia.
Huijausviestien tarkoituksena on saada asiakkaita syöttämään pankkitunnuksensa huijarien tekemille valesivuille. Juoni muistuttaa joitakin muita viime aikoina nähtyjä pankkihuijauksia siinä, että viestissä väitetään vastaanottajan pankkitilin joutuneen mahdollisesti hyökkäyksen kohteeksi.