This posting is here to collect cyber security news in April 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
155 Comments
Tomi Engdahl says:
https://hackaday.com/2024/05/07/imperva-report-claims-that-50-of-the-world-wide-web-is-now-bots/
Tomi Engdahl says:
Encrypted VPN connections have had a hole for over 20 years
https://etn.fi/index.php/13-news/16179-salatuissa-vpn-yhteyksissae-on-ollut-aukko-jo-yli-20-vuotta
Security firm Leviathan Security reports that, by exploiting features built into the DHCP protocol, an attacker can force data traffic out of a protected VPN tunnel. According to the company, the hole has existed since 2002.
A VPN, or virtual private network, works by creating an encrypted and secured connection between the user's device and the VPN server. This is done using VPN protocols such as IPSec, SSL/TLS or OpenVPN. When a user connects to a VPN server, all of the user's traffic travels encrypted inside the VPN tunnel, which protects it from outside eyes.
According to Leviathan Security, the network technique they recently identified bypasses VPN encapsulation. An attacker can use this technique to force a target user's traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). As a result, the user sends packets that the VPN never encrypts, and the attacker can snoop on this traffic.
The company estimates that the technique may have been possible as early as 2002, and that it may already have been discovered and possibly used in attacks. On Linux-based operating systems, attempts have been made to fix the problem. The researchers point out that the problem cannot be fixed simply by removing support for the DHCP feature, because this can also break Internet connectivity in legitimate cases.
Leviathan gives more details in its blog about the vulnerability, which has been named TunnelVision (the CVE identifier is 2024-3661).
TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
https://www.leviathansecurity.com/blog/tunnelvision
Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). The result of this is the user transmits packets that are never encrypted by a VPN, and an attacker can snoop their traffic. We are using the term decloaking to refer to this effect. Importantly, the VPN control channel is maintained so features such as kill switches are never tripped, and users continue to show as connected to a VPN in all the cases we’ve observed.
We’ve spent extensive time exploring this capability and attempting to notify as many affected parties as possible. We also know it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat. We also believe this technique may have been possible as far back as 2002 and could have already been discovered* and potentially used in the wild. For that reason, we believe it is critical for us to disclose publicly because notifying every VPN provider, operating system maintainer, self-hosted VPN admin, and VPN user is far beyond the capacity of our small research team.
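The "built-in DHCP feature" TunnelVision relies on is the classless static route option (option 121, RFC 3442), which lets a DHCP server push routes that beat a VPN client's routes on longest-prefix match. The following is an added example, not code from Leviathan or any VPN project: it decodes option 121 from a DHCP lease and flags pushed routes that would pull traffic out of the tunnel, so an endpoint or network monitor can alert on such a lease. The sample options blob and the assumed VPN routes (OpenVPN-style "redirect-gateway def1" halves) are constructed for the example.

```python
import ipaddress

# Added example (not from the Leviathan post): decode DHCP classless static routes
# (option 121, RFC 3442) and flag those that win longest-prefix match against the
# routes a VPN client installed, which is the routing effect TunnelVision relies on.
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that precedes the options field
OPT_CLASSLESS_ROUTE, OPT_END, OPT_PAD = 121, 255, 0

def parse_dhcp_options(options: bytes) -> dict:
    """Split the TLV-encoded options field into {code: value}; repeated codes concatenate (RFC 3396)."""
    if options.startswith(MAGIC_COOKIE):
        options = options[len(MAGIC_COOKIE):]
    parsed, i = {}, 0
    while i < len(options) and options[i] != OPT_END:
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        parsed[code] = parsed.get(code, b"") + value
        i += 2 + length
    return parsed

def decode_classless_routes(value: bytes) -> list:
    """Option 121 entries: prefix length, ceil(len/8) destination octets, 4-byte router."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        n = (plen + 7) // 8
        dest, router = value[i + 1:i + 1 + n], value[i + 1 + n:i + 5 + n]
        if plen > 32 or len(router) != 4:
            raise ValueError("malformed classless route at offset %d" % i)
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), plen), strict=False)
        routes.append((net, str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes

def routes_overriding_vpn(options: bytes, vpn_routes) -> list:
    """Return (pushed_net, gateway, vpn_net) for every DHCP route that is at least as
    specific as, and contained in, a VPN route: those destinations leave the tunnel."""
    pushed = decode_classless_routes(parse_dhcp_options(options).get(OPT_CLASSLESS_ROUTE, b""))
    vpn = [ipaddress.IPv4Network(v) for v in vpn_routes]
    return [(str(n), gw, str(v)) for n, gw in pushed for v in vpn
            if n.prefixlen >= v.prefixlen and n.subnet_of(v)]

# Constructed DHCPACK options: type=ACK, subnet mask, router 192.168.1.1, then option 121
# pushing 0.0.0.0/0 via .1 plus 0.0.0.0/1, 128.0.0.0/1 and 10.20.0.0/16 via 192.168.1.254.
SAMPLE_OPTIONS = (MAGIC_COOKIE + b"\x35\x01\x05" + b"\x01\x04\xff\xff\xff\x00" + b"\x03\x04\xc0\xa8\x01\x01"
    + b"\x79\x18" + b"\x00\xc0\xa8\x01\x01" + b"\x01\x00\xc0\xa8\x01\xfe"
    + b"\x01\x80\xc0\xa8\x01\xfe" + b"\x10\x0a\x14\xc0\xa8\x01\xfe" + b"\xff")
VPN_ROUTES = ["0.0.0.0/1", "128.0.0.0/1"]  # assumed: what "redirect-gateway def1" installs

if __name__ == "__main__":
    for net, gw, vpn in routes_overriding_vpn(SAMPLE_OPTIONS, VPN_ROUTES):
        print("DHCP route %s via %s overrides VPN route %s" % (net, gw, vpn))
```

The plain default route is not flagged because the VPN's /1 halves are more specific; the two /1 routes tie with the VPN's and the /16 beats them, which is exactly the traffic a kill switch never sees leave.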
Tomi Engdahl says:
Data Breaches
University System of Georgia Says 800,000 Impacted by MOVEit Hack
https://www.securityweek.com/university-system-of-georgia-says-800000-impacted-by-moveit-hack/
University System of Georgia says Social Security numbers and bank account numbers were compromised in the May 2023 MOVEit hack.
University System of Georgia is notifying 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack.
The data breach occurred after the Russia-linked Cl0p ransomware group exploited a vulnerability in Progress Software’s MOVEit Transfer managed file transfer (MFT) software and stole data from organizations using it.
To date, more than 2,000 organizations have disclosed impact from the MOVEit hack, including roughly 900 schools in the United States. Over 60 million individuals are believed to have been affected.
University System of Georgia (USG), which was using MOVEit to “transfer and store sensitive data”, is the latest education entity to disclose impact from the attack.
Although the data breach report has been listed on the Maine AGO’s website only this week, USG started sending the notification letters in mid-April, when it also posted an incident notice on its website.
Tomi Engdahl says:
Financial Times:
The UK is investigating “potential failings” at IT contractor SSCL, which was breached by suspected Chinese hackers to expose payroll records for 272K people
https://www.ft.com/content/b21c9eba-54c4-46c6-bd99-e9554c4660d9
Tomi Engdahl says:
The Guardian:
An investigation finds a vast web of fake shops run from China touting designer brands that duped 800K+ people in Europe and the US into sharing personal data
Chinese network behind one of world’s ‘largest online scams’
https://www.theguardian.com/money/article/2024/may/08/chinese-network-behind-one-of-worlds-largest-online-scams
Exclusive: Vast web of fake shops touting designer brands took money and personal details from 800,000 people in Europe and US, data suggests
Carmen Aguilar García, Sarah Marsh and Philip McMahon
Wed 8 May 2024 06.00 CEST
Last modified on Wed 8 May 2024 08.09 CEST
More than 800,000 people in Europe and the US appear to have been duped into sharing card details and other sensitive personal data with a vast network of fake online designer shops apparently operated from China.
An international investigation by the Guardian, Die Zeit and Le Monde gives a rare inside look at the mechanics of what the UK’s Chartered Trading Standards Institute has described as one of the largest scams of its kind, with 76,000 fake websites created.
A trove of data examined by reporters and IT experts indicates the operation is highly organised, technically savvy – and ongoing.