Cyber security news February 2024

This posting is here to collect cyber security news in February 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

80 Comments

  1. Tomi says:

    CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products
    In an unprecedented move, CISA is demanding that federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
    https://www.securityweek.com/cisa-sets-48-hour-deadline-for-removal-of-insecure-ivanti-products/

    Reply
  2. Tomi Engdahl says:

    Google’s automatic update system broke people’s devices, but the fix is completely manual, requiring users to download the developer tools, install drivers, change settings, plug in their phones, and delete certain files via a command-line interface.

    https://arstechnica.com/gadgets/2024/02/googles-pixel-storage-issue-fix-requires-developer-tools-and-a-terminal/?utm_social-type=owned&utm_medium=social&utm_brand=ars&utm_source=facebook&fbclid=IwAR2B8ThvEdQ2sXozx5FInD-vme_QVBB2gdtihaGnBhdyAheiTHPN42kWjHE

    Reply
  3. Tomi Engdahl says:

    Helsingin absurdi ongelma onkin laajempi – Sähköpostit eivät mene perille
    Helsingin kaupungilla on vaikeuksia saada lähettämiään sähköposteja perille vastaanottajille.
    https://www.hs.fi/kaupunki/art-2000010200081.html?fbclid=IwAR2F0u0B4G3986dhOnrpzhfzCgH88rrVXYAn7ITyPnkgGf5kDXL1xl2QGkYhttps://www.hs.fi/kaupunki/art-2000010200081.html?fbclid=IwAR2F0u0B4G3986dhOnrpzhfzCgH88rrVXYAn7ITyPnkgGf5kDXL1xl2QGkY

    Reply
  4. Tomi Engdahl says:

    Taping over your webcam might not be enough to stop hackers from spying on you — they can now use a device’s ambient light sensor
    News
    By Mark Tyson published 1 day ago
    Time to install another privacy shutter (or piece of tape).
    https://www.tomshardware.com/peripherals/webcams/taping-over-your-webcam-might-not-be-enough-to-stop-hackers-from-spying-on-you

    Reply
  5. Tomi Engdahl says:

    That tape over your webcam may not be enough. Researchers at the Massachusetts Institute of Technology (MIT) have highlighted imaging privacy threats enabled by ambient light sensors, in a paper recently published in Science Advances. Device users concerned with security and privacy may be comforted by hardware solutions (shutters) and software permissions restricting webcam use. However, researchers have shown visual information can be gathered via one of the common ambient light sensors installed in many devices. These small sensors usually aren’t shuttered or disabled by users and are typically permission-free on a device level.

    Ambient light sensors are categorized as low-risk by device makers and can often be accessed directly by software (or malware) without any permissions or privileges. Nevertheless, previous studies have shown such a rudimentary sensor can provide enough information to infer keystrokes on a virtual keyboard and steal a device PIN, about 80% of the time. The new research shows what an ambient light sensor can do when combined with an active light source component – namely the device’ screen.

    https://www.tomshardware.com/peripherals/webcams/taping-over-your-webcam-might-not-be-enough-to-stop-hackers-from-spying-on-you

    Reply
  6. Tomi Engdahl says:

    The man who owes Nintendo $14m: Gary Bowser and gaming’s most infamous piracy case
    The hacker whose involvement with anti-piracy software ended in a jail sentence has emerged from prison struggling to make rent as he starts paying his fine. ‘It could be worse,’ he says
    https://www.theguardian.com/games/2024/feb/01/the-man-who-owes-nintendo-14m-gary-bowser-and-gamings-most-infamous-piracy-case

    Reply
  7. Tomi Engdahl says:

    Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs
    https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html

    Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

    The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”

    Reply
  8. Tomi Engdahl says:

    https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_5/2024

    Merkittävä haavoittuvuus GNU glibc-kirjastossa
    HAAVOITTUVUUS5/2024CVE-2023-6246 (ULKOINEN LINKKI)
    Julkaistu 01.02.2024 10:59
    GNU glibc-kirjastossa on havaittu puskurin ylivuotohaavoittuvuus, joka vaikuttaa useisiin Linux-jakeluihin. Haavoittuvuus mahdollistaa paikallisille käyttäjille oikeuksien korottamisen pääkäyttäjän (root) tasolle. Linux-jakeluista haavoittuvaiseksi on todettu ainakin Debian (versiot 12 ja 13), Ubuntu (23.04 ja 23.10) ja Fedora (37 – 39). Mainittuihin jakeluihin on tarjolla korjaavat päivitykset.

    Reply
  9. Tomi Engdahl says:

    Lawrence Abrams / BleepingComputer:
    Remote desktop software maker AnyDesk says it has suffered a cyberattack recently; source: hackers stole source code and private code signing keys

    AnyDesk says hackers breached its production servers, reset passwords
    https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/#google_vignette

    Reply
  10. Tomi Engdahl says:

    Ransomware Hit on Tietoevry Causes IT Outages Across Sweden
    Finnish IT Services Previews Days or Weeks of Disruption, Ties Attack to Akira
    https://www.bankinfosecurity.com/ransomware-hit-on-tietoevry-causes-outages-across-sweden-a-24154

    Reply
  11. Tomi Engdahl says:

    In major gaffe, hacked Microsoft test account was assigned admin privileges
    How does a legacy test account grant access to read every Office 365 account?
    https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/

    Reply
  12. Tomi Engdahl says:

    3 million smart toothbrushes were just used in a DDoS attack. Really

    https://www.zdnet.com/home-and-office/smart-home/3-million-smart-toothbrushes-were-just-used-in-a-ddos-attack-really/?fbclid=IwAR1x4pvsDgXC927dvMEuw9uReM4pBDlXMeE-g0KdRdNcyl_npNNugeu0kAs

    What’s next, malware-infected dental floss? But seriously: It’s a reminder that even the smallest smart home devices can be a threat. Here’s how to protect yourself.

    Reply
  13. Tomi says:

    https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html

    Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.

    Major Linux distributions that use shim such as Debian, Red Hat, SUSE, and Ubuntu have all released advisories for the security flaw.

    https://nvd.nist.gov/vuln/detail/CVE-2023-40547

    CVE-2023-40547 Detail
    Description
    A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

    https://wiki.debian.org/SecureBoot

    Shim
    shim is a simple software package that is designed to work as a first-stage bootloader on UEFI systems.

    It was developed by a group of Linux developers from various distros, working together to make SB work using Free Software. It is a common piece of code that is safe, well-understood and audited so that it can be trusted and signed using platform keys. This means that Microsoft (or other potential firmware CA providers) only have to worry about signing shim, and not all of the other programs that distro vendors might want to support.

    Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used for as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust – the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.

    Reply
  14. Tomi Engdahl says:

    Helsingin absurdi ongelma onkin laajempi – Googlen sähkö­postia käyttävät kaupunkilaiset eivät välttämättä saa tärkeitäkään viestejä
    Helsingin kaupungilla on vaikeuksia saada lähettämiään sähköposteja perille vastaanottajille.
    https://www.hs.fi/kaupunki/art-2000010200081.html?fbclid=IwAR0uboWyutsTqsoOWccfAOzByhzHkZ3i4l_U3-rpFwlR0wSrtC2d0h1Opyg

    Reply
  15. Tomi says:

    https://www.darkreading.com/vulnerabilities-threats/rce-vulnerability-in-shim-bootloader-impacts-all-linux-distros

    Exaggerated Severity?
    Some security experts, though, perceived the vulnerability as requiring a high degree of complexity and happenstance to exploit. Lionel Litty, chief security architect at Menlo Security, says the exploitation bar is high because the attacker would need to already have gained administrator privileges on a vulnerable device. Or they’d need to be targeting a device that uses network boot and also be able to perform a man-in-the-middle attack on the local network traffic of the targeted device.

    “According to the researcher who found the vulnerability, a local attacker can modify the EFI partition to modify the boot sequence to then be able to leverage the vulnerability,” Litty says. “[But] modifying the EFI partition will require being a fully privileged admin on the victim machine,” he says.

    If the device is using network boot and the attacker can do MITM on the traffic, then that’s when they can target the buffer overflow. “They would return a malformed HTTP response that would trigger the bug and give them control over the boot sequence at this point,” Litty says. He adds that organizations with machines using HTTP boot or pre-boot execution environment (PXE) boot should be concerned, especially if communication with the boot sever is in an environment where an adversary could insert themselves into the middle of traffic.

    Shachar Menashe, senior director of security research at JFrog, says Red Hat’s assessment of the vulnerability’s severity is more accurate than NVDs “over-exaggerated” score.

    There are two possible explanations for the discrepancy, he says. “NVD provided the score based on keywords from the description, and not a thorough analysis of the vulnerability,” he says. For example, assuming that “malicious HTTP request” automatically translates to a network attack vector.

    NVD may also be alluding to an extremely unlikely worst-case scenario where the victim machine is already configured to boot via HTTP from a server outside the local network and the attacker already has control over this HTTP server. “This is an extremely unlikely scenario which would cause tons of trouble even unrelated to this CVE,” Shachar says.

    THE REAL SHIM SHADY – HOW CVE-2023-40547 IMPACTS MOST LINUX SYSTEMS
    https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/

    Reply
  16. Tomi Engdahl says:

    Varoitus Nato-liittolaisille Alanko­maista – myös supo hereillä
    Alankomaiden viranomaisten mukaan kiinalaiset hakkerit onnistuivat sijoittamaan maan asevoimien tietoverkkoon vakoiluhaitta­ohjelman.
    https://www.is.fi/ulkomaat/art-2000010222145.html

    ALANKOMAALAISTEN tiedusteluviranomaisten mukaan Kiinan vakoilu Hollannissa ja sen liittolaismaissa on selkeässä kasvussa. Myös Suomi Alankomaiden Nato-liittolaisena kuuluu näiden maiden ryhmään.

    Alankomaiden sotilastiedustelupalvelut kertoivat viime viikolla, että Kiinan valtion tukemat kybervakoilijat pääsivät viime vuonna tunkeutumaan Hollannin sotilastietoverkkoon.

    Tiedustelupalvelujen mukaan operaatio oli osa Kiinan poliittista vakoilua Hollantia ja sen liittolaisia vastaan.

    Reply
  17. Tomi Engdahl says:

    Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries — smart security systems vulnerable as tech becomes cheaper and easier to acquire
    News
    By Mark Tyson published 1 day ago
    Police believe a string of nine robberies in Edina have used this tech.
    https://www.tomshardware.com/networking/wi-fi-jamming-to-knock-out-cameras-suspected-in-nine-minnesota-burglaries-smart-security-systems-vulnerable-as-tech-becomes-cheaper-and-easier-to-acquire

    Reply
  18. Tomi Engdahl says:

    The Canadian government wants to ban Flipper Zero-type hacker tools to combat car theft (Updated)
    News
    By Les Pounder published about 7 hours ago
    Grand Theft Dolphin?
    https://www.tomshardware.com/software/security-software/the-canadian-government-wants-to-ban-flipper-zero-type-hacker-tools-to-combat-car-theft

    Reply
  19. Tomi Engdahl says:

    New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks
    https://www.securityweek.com/new-wi-fi-authentication-bypass-flaws-expose-home-enterprise-networks/

    A couple of Wi-Fi authentication bypass vulnerabilities found in open source software can expose enterprise and home networks to attacks.

    A couple of new Wi-Fi authentication bypass vulnerabilities found in open source software could expose many enterprise and home networks to attacks.

    The vulnerabilities were discovered by Mathy Vanhoef, a professor at the KU Leuven research university in Belgium, and Heloise Gollier, a student at KU Leuven, in collaboration with VPN testing company Top10VPN. Vanhoef is well known for his research in the field of Wi-Fi security, including for the attacks named KRACK, Dragonblood, and FragAttacks.

    The newly disclosed Wi-Fi authentication bypass vulnerabilities have been found in Wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) software.

    Wpa_supplicant, which provides support for WPA, WPA2 and WPA3, is present in all Android devices, a majority of Linux devices, and the Chromebook operating system ChromeOS.

    The vulnerability identified in Wpa_supplicant, tracked as CVE-2023-52160, can be exploited against users connecting to an enterprise Wi-Fi network. The flaw can allow an attacker to trick a targeted user into connecting to a malicious Wi-Fi network set up to mimic a legitimate enterprise network. The attacker can then intercept the victim’s traffic.

    “The vulnerability can be exploited against Wi-Fi clients that are not properly configured to verify the certificate of the authentication server, which unfortunately still often occurs in practice, in particular with ChromeOS, Linux, and Android devices,” the researchers wrote in a paper describing the flaws.

    Bypassing Wi-Fi Authentication in Modern WPA2/3 Networks
    https://www.top10vpn.com/assets/2024/01/Top10VPN-Vanhoef-WiFi-Vulnerabilities.pdf

    How vulnerabilities in Wi-Fi software put
    users at risk, despite the recent release
    of new security standards like WPA3

    Reply
  20. Tomi Engdahl says:

    DDoS Hacktivism is Back With a Geopolitical Vengeance
    https://www.securityweek.com/ddos-hacktivism-is-back-with-a-geopolitical-vengeance/

    DDoS attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance.

    Distributed denial of service (DDoS) attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance. All these drivers currently coexist, but aggressive geopolitical revenge now dominates.

    This is the primary conclusion to be drawn from StormWall’s Q4 2023 review of global DDoS attacks. StormWall, based in Bratislava, Slovakia, offers a DDoS protection service delivered through a global network of scrubbing centers.

    The effect of geopolitics is clearly seen in the timing and volume of current attacks against Israel. In Q3, 2023, less than 1% of global attacks targeted Israel. But following the Hamas raid on October 7, 2023, and the retaliatory invasion of Gaza by the Israeli military, this number leapt to 10.6% — with size and durations ranging from 1.2 Gbps to 135 Gbps, and from a few minutes to 24 hours. In Q4, 2023, tiny Israel became the fourth most DDoS attacked nation in the world, behind China (12.6%), USA (12.2%) and India (11.7%).

    Reply
  21. Tomi Engdahl says:

    Application Security
    No Security Scrutiny for Half of Major Code Changes: AppSec Survey
    https://www.securityweek.com/no-security-scrutiny-for-half-of-major-code-changes-appsec-survey/

    Only 54% of major code changes go through a full security review, a new CrowdStrike State of Application Security report reveals.

    Reply
  22. Tomi Engdahl says:

    Jamie Tarabay / Bloomberg:
    The US and its allies disrupt access by Russia-backed hacking group APT28, or Fancy Bear, to 1,000+ home and small business routers used for criminal purposes — The US and its allies have disrupted access by a Russian-state sponsored hacking organization to “well over a thousand home …

    https://www.bloomberg.com/news/articles/2024-02-15/us-and-allies-kick-russian-hackers-off-home-routers-fbi-says

    Reply
  23. Tomi Engdahl says:

    Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC
    ‘You don’t have to do more than that to disconnect an entire network’ El Reg told as patches emerge
    https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

    Reply
  24. Tomi Engdahl says:

    Security firm now says toothbrush DDOS attack didn’t happen, but source publication says company presented it as real
    News
    By Mark Tyson published February 09, 2024
    Dental IoT devices caused millions of Euros in damages for Swiss company, says report.
    https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

    Reply
  25. Tomi Engdahl says:

    Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros
    https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*