Cyber security news November 2023

This posting is here to collect cyber security news in November 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

94 Comments

  1. Tomi Engdahl says:

A DNA customer's phone may stop working https://www.is.fi/digitoday/mobiili/art-2000009961625.html

DNA customers have a batch of faulty SIM cards in use.

  2. Tomi Engdahl says:

Editorial: Restrictions on TikTok use should also be considered – the app shapes your brain even if you don't notice it https://www.is.fi/paakirjoitus/art-2000009961941.html

  3. Tomi Engdahl says:

The EU dealt Meta a stinging blow: You may soon see a new notice on Facebook and Instagram https://www.is.fi/digitoday/art-2000009964166.html

  4. Tomi Engdahl says:

    Apple’s latest iOS release does fix a raft of iPhone issues. Sadly, the Flipper Zero lockup bug remains a threat to any iOS device in its immediate vicinity.

    iOS 17.1 update still no defense against Flipper Zero iPhone crashes
    https://www.zdnet.com/article/ios-17-1-update-still-no-defense-against-flipper-zero-iphone-crashes/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A%20Trending%20Content&utm_medium=trueAnthem&utm_source=facebook&fbclid=IwAR0sYUNV5bntV4xWpdLtrM9IKzg4EcSokDQPJj10L1L6Ey8jAQXI16ZrUbU

  5. Tomi Engdahl says:

    Bleeping Computer: Ace Hardware says 1,202 devices were hit during cyberattack > https://www.bleepingcomputer.com/news/security/ace-hardware-says-1-202-devices-were-hit-during-cyberattack/, 2023-11-02 16:52:13 -0400

  6. Tomi Engdahl says:

    Bleeping Computer: Atlassian warns of exploit for Confluence data wiping bug, get patching > https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/, 2023-11-02 17:46:30 -0400

  7. Telkom University says:

    Have there been any notable advancements in cybersecurity technology or practices during November 2023?

  8. Tomi Engdahl says:

    This tiny device is sending updated iPhones into a never-ending DoS loop, rendering them “almost unusable” in the words of one security researcher—and while there’s an easy workaround, the portability and availability of the equipment powering this attack signals an alarming trend: https://trib.al/tLS0MMW

  9. Tomi Engdahl says:

    If a transgression by a single employee breaches your network, you’re doing it wrong.

    No, Okta, senior management, not an errant employee, caused you to get hacked
    https://arstechnica.com/information-technology/2023/11/no-okta-senior-management-not-an-errant-employee-caused-you-to-get-hacked/?utm_social-type=owned&utm_source=facebook&utm_brand=ars&utm_medium=social&fbclid=IwAR0l3Ol4fJQ6FTf0yFQmz9s5OtBDl8PGf3wgo8CLp4KbYrFVqUVLrXoHJes

    Identity and authentication management-provider Okta on Friday published an autopsy report on a recent breach that gave hackers administrative access to the Okta accounts of some of its customers. While the postmortem emphasizes the transgressions of an employee logging in to a personal Google account on a work device, the biggest contributing factor was something the company understated: a badly configured service account.

    In a post, Okta Chief Security Officer David Bradbury said that the most likely way the threat actor behind the attack gained access to parts of his company’s customer support system was by first compromising an employee’s personal device or personal Google account and, from there, obtaining the username and password for a special form of account, known as a service account, used for connecting to the support segment of the Okta network. Once the threat actor had access, they could obtain administrative credentials for entering the Okta accounts belonging to 1Password, BeyondTrust, Cloudflare, and other Okta customers.

    Passing the buck
    “During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury wrote. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

    This means that when the employee logged in to the account on Chrome while it was authenticated to the personal Google account, the credentials got saved to that account, most likely through Chrome’s built-in password manager. Then, after compromising the personal account or device, the threat actor obtained the credentials needed to access the Okta account.

    Accessing personal accounts at a company like Okta has long been known to be a huge no-no. And if that prohibition wasn’t clear to some before, it should be now. The employee almost surely violated company policy, and it wouldn’t be surprising if the offense led to the employee’s firing.

    However, it would be wrong for anyone to conclude that employee misconduct was the cause of the breach. It wasn’t. The fault, instead, lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured.

    Memo to Okta security team
    First, Okta should have put access controls in place besides a simple password to limit who or what could log in to the service account. One way of doing this is to put a limit or conditions on the IP addresses that can connect. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.

    The security approach known as “zero trust” gets overused sometimes, but the principle is sound. Assume your network is already breached and design it in a way that prevents bad things from happening anyway. That means using a layered, defense-in-depth way to prevent single points of failure, such as the compromise of a simple password or authentication token.

    Okta’s lack of visibility into its network is another failing that, while not a cause of the breach, allowed it to be much worse than it would have been had the access been spotted sooner.

  10. Tomi Engdahl says:

Early-morning sight at a petrol pump surprised a customer filling up – a bare crotch was playing on the display
An adult video was playing on the pump display at the Seo petrol station in Monninkylä, Askola, on the night between Saturday and Sunday
    https://www.iltalehti.fi/iltvuutiset/a/12dee73f-ae3c-4375-b66d-285f8dab8740?utm_medium=Social&utm_source=Facebook&fbclid=IwAR2XiuEZ0JpZWvW7UfVjxtQ-7Ws8yLyFwbd0W-a_gftyA177ZrSR9oz4lvw#Echobox=1699449498

  11. Tomi Engdahl says:

Phone connections keep dropping on the eastern border – village shopkeeper laments: "Customers have been calling to ask whether we are open" https://www.is.fi/taloussanomat/art-2000009985380.html

  12. Tomi Engdahl says:

Okta Hack Blamed on Employee Using Personal Google Account on Company Laptop
    Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.
    https://www.securityweek.com/okta-hack-blamed-on-employee-using-personal-google-account-on-company-laptop/

  13. Tomi Engdahl says:

    Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments
    https://thehackernews.com/2023/11/kinsing-actors-exploit-linux-flaw-to.html

    The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a “new experimental campaign” designed to breach cloud environments.

    “Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP),” cloud security firm Aqua said in a report shared with The Hacker News.

    The development marks the first publicly documented instance of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.

  14. Tomi Engdahl says:

    Ace Hardware Still Reeling From Weeklong Cyberattack
    Cyberattackers downed a quarter of the hardware giant’s entire IT apparatus. Now, before the company can recover, they’re going after individual branches.
    https://www.darkreading.com/attacks-breaches/ace-hardware-still-reeling-from-weeklong-cyberattack

  15. Tomi Engdahl says:

    Highly invasive backdoor snuck into open source packages targets developers
    Packages downloaded thousands of times targeted people working on sensitive projects.
    https://arstechnica.com/security/2023/11/developers-targeted-with-malware-that-monitors-their-every-move/

  16. Tomi Engdahl says:

Microsoft wants the "seat belts" on – gives 90 days
Jori Virtanen, 9.11.2023 13:44 | Information security, Authentication
Microsoft considers multi-factor authentication vital for information security.
    https://www.tivi.fi/uutiset/microsoft-haluaa-turvavyot-paalle-antaa-90-paivaa-aikaa/3ab68634-16a8-4b5d-a297-5f613743fdaa

  17. Tomi Engdahl says:

Quite something. The newest version of Outlook copies the passwords of email accounts, as well as the contents of emails and calendars, to Microsoft, even if the account is hosted somewhere else entirely.

    Warning: New Outlook sends passwords, mails and other data to Microsoft
    https://mailbox.org/en/post/warning-new-outlook-sends-passwords-mails-and-other-data-to-microsoft?fbclid=IwAR1RZXC8zWzUe-W7CyQoMsgfD-0eEnAc4cHoE0aZeBnB1ADGcRyoH95D7UU

  18. Tomi Engdahl says:

Ports closed for several days: cyberattack shook national security
Suvi Korhonen, 13.11.2023 14:38 | updated 13.11.2023 14:38 | Information security, Digital economy, Logistics
The investigation into who is responsible continues now that the ports have been reopened after the outage.
    https://www.tivi.fi/uutiset/satamat-kiinni-useita-paivia-kyberisku-ravisteli-kansallista-turvallisuutta/a59843e2-6bad-4f52-b6b8-284ccb7cc858

In Australia, the cyber security authority has classified the attack on the port as a nationally significant cyber security incident.

The target of the attack was the logistics company DP World, whose systems went down on Friday at four locations: the ports of Melbourne, Sydney, Brisbane and Perth. The company handles 40 percent of the freight container traffic arriving in Australia, The Register reported.

    Australia declares ‘nationally significant cyber incident’ after port attack
    PLUS: Citrix quits China; Cambodia deports Japanese scammers; Chinese tech CEO disappears; and more
    https://www.theregister.com/2023/11/13/asia_tech_news_roundup/

    Australia’s National Cyber Security Coordinator has described an attack on logistics company DP World as a “nationally significant cyber incident.”

    The attack saw DP World’s tech go offline at four Australian ports late last Friday. The facilities remain closed at the time of writing.

    The major logistics provider handles 40 percent of the containers coming into Australia’s ports – so while the incident has not stopped all goods moving in and out of the country, the impact is significant. Authorities have assured residents that critical supplies can be landed.

  19. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    In a first, researchers show a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise

    In a first, cryptographic keys protecting SSH connections stolen in new attack
    An error as small as a single flipped memory bit is all it takes to expose a private key.
    https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/

    For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

    Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

    The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.

    While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasons—most notably because most SSH software in use has deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS—or Transport Layer Security—protocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackers—meaning adversaries simply observing traffic as it goes by—couldn’t see some of the necessary information when the errors happened.

  20. SiPSAP says:

    Unlock the full potential of your business with SAP Services Activation, a comprehensive solution tailored to optimize your SAP systems. Our expert consultants bring unparalleled expertise in activating and configuring SAP services to align with your unique business requirements. From seamless implementation to ongoing support, our services ensure that your organization harnesses the full power of SAP technologies.

    • Tomi Engdahl says:

No thank you. My feeling is that quite often when companies start to use SAP in their company, their business starts to go downhill in a year or two. There seems to be some correlation between starting expensive SAP projects and business problems; I am not sure if there is causality or not.

  21. Tomi Engdahl says:

    Meet the Unique New “Hacking” Group: AlphaLock
    https://www.bleepingcomputer.com/news/security/meet-the-unique-new-hacking-group-alphalock/

    It’s not every day that you discover a new Russian hacking group complete with a song and dance routine (performed live), a sleek user interface (with dark mode!) and a clearly thought-out business model. But that is exactly what our security research team discovered with “AlphaLock,” a “pentesting training organization” that trains hackers and then monetizes their services through a dedicated affiliate program.

  22. Tomi Engdahl says:

    In a first, cryptographic keys protecting SSH connections stolen in new attack
    An error as small as a single flipped memory bit is all it takes to expose a private key.
    https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/

    For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

    Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

  23. Tomi Engdahl says:

    Intel fixes high-severity CPU bug that causes “very strange behavior”
    Among other things, bug allows code running inside a VM to crash hypervisors.
    https://arstechnica.com/security/2023/11/intel-fixes-high-severity-cpu-bug-that-causes-very-strange-behavior/

    Intel on Tuesday pushed microcode updates to fix a high-severity CPU bug that has the potential to be maliciously exploited against cloud-based hosts.

    The flaw, affecting virtually all modern Intel CPUs, causes them to “enter a glitch state where the normal rules don’t apply,” Tavis Ormandy, one of several security researchers inside Google who discovered the bug, reported. Once triggered, the glitch state results in unexpected and potentially serious behavior, most notably system crashes that occur even when untrusted code is executed within a guest account of a virtual machine, which, under most cloud security models, is assumed to be safe from such faults. Escalation of privileges is also a possibility.

    Very strange behavior
    The bug, tracked under the common name Reptar and the designation CVE-2023-23583, is related to how affected CPUs manage prefixes, which change the behavior of instructions sent by running software. Intel x64 decoding generally allows redundant prefixes—meaning those that don’t make sense in a given context—to be ignored without consequence. During testing in August, Ormandy noticed that the REX prefix was generating “unexpected results” when running on Intel CPUs that support a newer feature known as fast short repeat move, which was introduced in the Ice Lake architecture to fix microcoding bottlenecks.

    Intel’s official bulletin lists two classes of affected products: those that were already fixed and those that are fixed using microcode updates released Tuesday. Specifically, these products have the new microcode update

    https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

  24. Tomi Engdahl says:

    Jonathan Greig / The Record:
    MeridianLink confirms a cyberattack after a ransomware gang claimed to have reported the financial software company to the US SEC for not disclosing the breach — Financial software company MeridianLink confirmed that it is dealing with a cyberattack after the hackers behind …

    MeridianLink confirms cyberattack after ransomware gang claims to report company to SEC
    https://therecord.media/meridianlink-confirms-cyberattack-after-sec-threat

    Financial software company MeridianLink confirmed that it is dealing with a cyberattack after the hackers behind the incident took extraordinary measures to pressure the company into paying a ransom.

    MeridianLink, which reported more than $76 million in revenue last quarter, provides tools to banks, credit unions, mortgage lenders and consumer reporting agencies in the United States.

    This week, the company was added to the leak site of AlphV/Black Cat, a ransomware gang believed to be based in Russia that has been involved in several brazen attacks, including the takedown of MGM Resorts.

    A spokesperson for MeridianLink confirmed to Recorded Future News that they recently identified a cybersecurity incident.

    “Upon discovery, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident,” the spokesperson said.

  25. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    The FBI and CISA release an advisory detailing tactics used by Scattered Spider, a hacking group that now collaborates with the BlackCat ransomware group — The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released an advisory …

    FBI shares tactics of notorious Scattered Spider hacker collective
    https://www.bleepingcomputer.com/news/security/fbi-shares-tactics-of-notorious-scattered-spider-hacker-collective/#google_vignette

  26. Tomi Engdahl says:

    Katie Malone / Engadget:
    Google finds and helps patch a Zimbra Collaboration email server zero-day used to steal data from governments in Greece, Moldova, Tunisia, Vietnam, and Pakistan — Google’s threat analysis team discovered the security flaw in June. — Google’s Threat Analysis Group revealed on Thursday …

    An email vulnerability let hackers steal data from governments around the world
    Google’s threat analysis team discovered the security flaw in June.
    https://www.engadget.com/an-email-vulnerability-let-hackers-steal-data-from-governments-around-the-world-160005510.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAAaw4LlNUjO5sPXpNO8BsJK_ZuCmXYQN820S0xQZXVRy63OrTYLaGCOrRVWsUDTGIV–shRbppioRsHcGdihvxGDCFfIbG1hbUpFf8RGSeSaBy0eIW5olPvS6rctVzv99LPt2H4Sna5my55HUvidF2041ozusa2B2Y1K3Y1Qj-FG

  27. Tomi Engdahl says:

    Bill Toulas / BleepingComputer:
    Toyota Financial Services, which provides auto financing to Toyota customers, confirms a breach after the Medusa ransomware gang threatened to leak company data — Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa …

    Toyota confirms breach after Medusa ransomware threatens to leak data
    https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/

  28. Tomi Engdahl says:

    Karen Freifeld / Reuters:
    Sources: chip equipment maker Applied Materials is under a US DOJ criminal investigation for possibly evading export restrictions on SMIC, China’s top chipmaker — Semiconductor equipment maker Applied Materials (AMAT.O) is under U.S. criminal investigation for potentially evading export restrictions …

    Exclusive: Applied Materials under US criminal probe for shipments to China’s SMIC
    https://www.reuters.com/technology/applied-materials-under-us-criminal-probe-shipments-chinas-smic-sources-2023-11-16/

  29. Tomi Engdahl says:

Outage in Nordea's services – several accounts show a zero balance https://www.is.fi/taloussanomat/art-2000010000679.html

  30. Tomi Engdahl says:

    In a first, cryptographic keys protecting SSH connections stolen in new attack
    An error as small as a single flipped memory bit is all it takes to expose a private key.
    https://arstechnica.com/security/2023/11/hackers-can-steal-ssh-cryptographic-keys-in-new-cutting-edge-attack/

    The reason: By comparing the malformed signature with a valid signature, the adversary could perform a GCD—or greatest common denominator—mathematical operation that, in turn, derived one of the prime numbers underpinning the security of the key. This led to a series of attacks that relied on actively triggering glitches during session negotiation, capturing the resulting faulty signature and eventually compromising the key. Triggering the errors relied on techniques such as tampering with a computer’s power supply or shining a laser on a smart card.

    Then, in 2015, a researcher showed for the first time that attacks on keys used during TLS sessions were possible even when an adversary didn’t have physical access to the computing device. Instead, the attacker could simply connect to the device and opportunistically wait for a signature error to occur on its own. Last year, researchers found that even with countermeasures added to most TLS implementations as long as two decades earlier, they were still able to passively observe faulty signatures that allowed them to compromise the RSA keys of a small population of VPNs, network devices, and websites, most notably Baidu.com, a top-10 Alexa property.

    As noted earlier, researchers had no evidence that passive attacks exploiting signature errors were feasible when traffic was transmitted through non-TLS protocols such as SSH or IPsec. The reason is that the cryptographic hash of the signature from the latter protocols includes a shared secret generated by the Diffie-Hellman key exchange. The security provided by the exchange meant that passively observing the faulty signature didn’t expose enough key material to recover the private key using a GCD attack.

    The researchers traced the keys they compromised to devices that used custom, closed-source SSH implementations that didn’t implement the countermeasures found in OpenSSH and other widely used open source code libraries. The devices came from four manufacturers: Cisco, Zyxel, Hillstone Networks, and Mocana. Both Cisco and Zyxel responded to the researchers’ notification of the test results before the completion of the study. Hillstone responded afterward. The paper reports:

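Added example (not from the Ars Technica article or the paper it covers): a toy RSA-CRT signer built on constructed primes shows why a single computational error in one CRT half leaks a factor of N to anyone who merely sees the faulty signature, and how the verify-before-send countermeasure described above refuses to emit it. The primes, the message and the simulated bit flip are all constructed for illustration.

```python
from math import gcd

# Constructed toy RSA-CRT key (far too small for real use): two known primes.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)  # CRT exponents
QINV = pow(Q, -1, P)               # Garner recombination constant


def sign_crt(m, fault_bit=None):
    """RSA-CRT signature of an integer m < N.

    If fault_bit is given, one bit of the mod-p half is flipped before
    recombination, simulating the kind of naturally occurring computational
    error (e.g. a flipped memory bit) the article describes.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit  # the fault corrupts only the mod-p half
    h = (QINV * (sp - sq)) % P
    return (sq + Q * h) % N  # Garner: s = sp (mod P), s = sq (mod Q)


def verify(m, s):
    """Standard RSA verification with the public key (N, E)."""
    return pow(s, E, N) == m


def recover_factor(m, faulty_sig):
    """What a passive observer can compute from one faulty signature.

    The faulty signature is still correct modulo Q, so faulty_sig^E - m is
    divisible by Q but (with overwhelming probability) not by P; the gcd
    with N therefore exposes a prime factor. Returns None for a valid
    signature, where the gcd is N itself and nothing is learned.
    """
    g = gcd((pow(faulty_sig, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_checked(m, fault_bit=None):
    """Countermeasure used by OpenSSH and most TLS stacks: verify the fresh
    signature with the public key before it leaves the host, and refuse to
    send anything that fails the check."""
    s = sign_crt(m, fault_bit)
    if not verify(m, s):
        return None  # faulty signature is never exposed on the wire
    return s


if __name__ == "__main__":
    msg = 123456789012345  # constructed message representative, < N
    good = sign_crt(msg)
    bad = sign_crt(msg, fault_bit=5)
    print("valid signature verifies:", verify(msg, good))
    print("factor leaked by faulty signature:", recover_factor(msg, bad))
    print("factor leaked by valid signature:", recover_factor(msg, good))
    print("checked signer emits faulty signature:", sign_checked(msg, 5) is not None)
```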
