Cyber security news June 2024

This posting is here to collect cyber security news in June 2024.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

187 Comments

  1. Tomi Engdahl says:

    Supply Chain Security
    Polyfill Supply Chain Attack Hits Over 100k Websites

    More than 100,000 websites are affected by a supply chain attack injecting malware via a Polyfill domain.

    https://www.securityweek.com/polyfill-supply-chain-attack-hits-over-100k-websites/

    Security researchers are warning of a web supply chain attack impacting over 100,000 websites that are using the ‘cdn.polyfill.io’ domain.

    The polyfill.io website was used to host a service for adding JavaScript polyfills to sites, small bits of code that provide modern functionality in older browsers and ensure compatibility with a broader range of browsers.

    In February 2024, however, the domain and associated GitHub account were taken over by the Chinese content delivery network (CDN) company Funnull, which sparked concerns of supply chain attacks being carried out via polyfill.io.

    These concerns proved substantiated recently, when website owners using polyfill.io started noticing the abnormal behavior and complained about it.

    On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it.

    “The polyfill code is dynamically generated based on the HTTP headers, so multiple attack vectors are likely,” Sansec warned, noting that one payload was redirecting to a sports betting website that was using a fake Google analytics domain.

    “The malicious code dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution. The code is also obfuscated,” C/side said.

    Users are being redirected to sports betting websites or adult domains, likely based on their location, the threat intelligence firm said.

    “But this being JavaScript, could at any moment introduce new attacks like formjacking, clickjacking, and broader data theft,” C/side warned.

    While the Polyfill service appears to remain functional and clean, the cdn.polyfill.io domain should immediately be removed from any website, the threat intelligence firm said.

    “This incident is a typical example of a supply chain attack,” Sansec underlined. Overall, more than 110,000 websites appear to be using cdn.polyfill.io.

    Also on Tuesday, Google started warning advertisers about issues with loading JavaScript code from polyfill.io and several other domains, noting that site visitors may be redirected to malicious domains without their permission and that it would block Google Ads for the infected websites.

  2. Tomi Engdahl says:

    Cyberwarfare
    The EU Targets Russia’s LNG Ghost Fleet With Sanctions as Concern Mounts About Hybrid Attacks

    Some expressed concern about a rise in hybrid attacks by Russia – including allegations of election interference, cyberattacks and sabotage.

    https://www.securityweek.com/the-eu-targets-russias-lng-ghost-fleet-with-sanctions-as-concern-mounts-about-hybrid-attacks/

    The European Union on Monday slapped new sanctions on Russia over its war on Ukraine, targeting Moscow’s shadow fleet of tankers moving liquefied natural gas through Europe as well as several companies.

    At a meeting in Luxembourg, where the sanctions were endorsed, EU foreign ministers also agreed on new financial support to help Ukraine defend itself. Some expressed concern about a rise in hybrid attacks by Russia – including allegations of election interference, cyber-attacks and sabotage.

    In an effort to push Russia into using more costly routes for energy purposes, the ministers said in a statement, the EU will “forbid reloading services of Russian LNG in EU territory for the purpose of transshipment operations to third countries.”

    The EU estimates that about 4-to-6 billion cubic meters (141 billion-212 billion cubic feet) of Russian LNG was shipped to third countries via EU ports last year. Russia is suspected of running a “ghost fleet” of up to 400 ships to evade sanctions and keep up the flow of energy earnings so that it can finance the war.

  3. Tomi Engdahl says:

    https://www.securityweek.com/p2pinfect-worm-now-dropping-ransomware-on-redis-servers/

    Malware & Threats
    P2Pinfect Worm Now Dropping Ransomware on Redis Servers

    The P2Pinfect worm targeting Redis servers has been updated with ransomware and cryptocurrency mining payloads.

    P2Pinfect, a peer-to-peer (P2P) worm targeting Redis servers, was recently updated to deploy ransomware and cryptocurrency miners, Cado Security reports.

    Written in the Rust programming language, the worm was first spotted in July 2023, spreading to Redis servers impacted by an older Lua sandbox escape bug tracked as CVE-2022-0543 (CVSS score of 10).

    On the infected systems, the worm was deploying scripts and scanning tools that allowed it to identify additional vulnerable servers and propagate itself to them.

    While P2Pinfect did not appear to have an objective other than spreading to vulnerable Redis servers, a recent update modified its behavior and attacks observed since June 23 revealed the use of ransomware and cryptomining payloads.

  4. Tomi Engdahl says:

    WikiLeaks Founder Julian Assange Returns to Australia a Free Man After US Legal Battle Ends

    WikiLeaks founder Julian Assange returned to Australia, hours after pleading guilty to obtaining and publishing U.S. military secrets.

    https://www.securityweek.com/wikileaks-founder-julian-assange-returns-to-australia-a-free-man-after-us-legal-battle-ends/

  5. Tomi Engdahl says:

    Jessica Lyons / The Register:
    Researchers: polyfill.io, which offers JavaScript polyfills, is being used to infect 100K+ websites with malware, after a Chinese CDN bought the domain in 2024

    If you’re using Polyfill.io code on your site – like 100,000+ are – remove it immediately
    Scripts turn malicious, infect webpages after mysterious CDN swallows domain
    https://www.theregister.com/2024/06/25/polyfillio_china_crisis/

    The polyfill.io domain is being used to infect more than 100,000 websites with malware after what’s said to be a Chinese organization bought the domain earlier this year.

    Multiple security firms sounded the alarm on Tuesday, warning organizations whose websites use any JavaScript code from the polyfill.io domain to immediately remove it.

    The site offered polyfills – useful bits of JavaScript code that add functionality to older browsers that is built into newer versions. These in-fills make life easier for developers in that by using polyfillers, they know their web code will work across a greater range of browsers.

    Now we’re told polyfill.io is serving malicious code hidden in those scripts, meaning anyone visiting a website using the domain will end up running that malware in their browser.

    “The cdn.polyfill.io domain is currently being used in a web supply chain attack,” security monitoring biz c/side’s Carlo D’Agnolo said in an advisory. “It used to host a service for adding JavaScript polyfills to websites, but is now inserting malicious code in scripts served to end-users.”

    https://developer.mozilla.org/en-US/docs/Glossary/Polyfill

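The practical follow-up to comments 1 and 5 is an inventory check: which of your pages pull scripts or stylesheets from polyfill.io, and which other third-party resources load without Subresource Integrity? The following is an added example (not code from SecurityWeek, The Register or any of the firms quoted); it uses only the Python standard library, and the sample HTML and the `example-cdn.test` host are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts whose resources should not be loaded at all; polyfill.io (and cdn.polyfill.io)
# is the one named in the reports. Subdomains are matched as well.
BLOCKED_HOSTS = ("polyfill.io",)


def host_is_blocked(url, blocked=BLOCKED_HOSTS):
    """True if the URL's host is one of the blocked domains or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocked)


class ScriptAuditor(HTMLParser):
    """Collects (finding, tag, url) tuples for external scripts and stylesheets."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # HTMLParser lower-cases attribute names
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        if not url or urlsplit(url).hostname is None:
            return                           # inline or same-origin: out of scope here
        if host_is_blocked(url):
            self.findings.append(("blocked-host", tag, url))
        elif not a.get("integrity"):
            self.findings.append(("no-sri", tag, url))


def audit_html(html):
    """Return every finding for one HTML document, in document order."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one polyfill.io include, one pinned third-party script,
# one unpinned protocol-relative third-party script, and two same-origin resources.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="https://cdn.example-cdn.test/lib.min.js"
        integrity="sha384-CONSTRUCTEDHASHVALUE" crossorigin="anonymous"></script>
<script src="//cdn.example-cdn.test/analytics.js"></script>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding, tag, url in audit_html(SAMPLE_HTML):
        print(f"{finding:13} <{tag}> {url}")
```

Running it over crawled pages (or templates in the repository) gives a removal list for the `blocked-host` hits and a pinning list for the `no-sri` hits. Note that pinning alone would not have helped here: the post quotes Sansec saying the served script is generated per request from the HTTP headers, so no single hash fits it, which is why the advice is removal or self-hosting. A `Content-Security-Policy` `script-src` allowlist that omits the domain is the matching runtime control.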
  6. Tomi Engdahl says:

    Arm security defense shattered by speculative execution 95% of the time
    ‘TikTag’ security folks find anti-exploit mechanism rather fragile
    https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/?td=keepreading

    In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.

    Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.

    Memory safety bugs are said to be responsible for the majority of security vulnerabilities in large codebases. And for the past few years, there’s been a concerted effort in the public and private sector to reduce such flaws by promoting memory safe programming languages, software-based code hardening techniques, and hardware-specific options like SPARC ADI and Arm MTE.

    MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.

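The last paragraph above describes the tag check in one sentence; the toy model below makes it concrete. It is an added example, not code from Arm, The Register or the TikTag researchers, and it models MTE in software: 16-byte granules each carry a 4-bit tag, a pointer carries its tag in the top byte, and every access compares the two. The allocator policy (no free tag, no reuse of the left neighbour's tag) is an assumption in the spirit of real tagged allocators, not a description of any particular one.

```python
import random

GRANULE = 16                     # MTE tags memory in 16-byte granules
TAG_BITS = 4                     # 4-bit tags: 16 possible values
TAG_SHIFT = 56                   # the tag rides in the unused top byte of a 64-bit pointer
TAG_MASK = (1 << TAG_BITS) - 1
ADDR_MASK = (1 << TAG_SHIFT) - 1
FREE_TAG = 0                     # tag this model gives to memory that is not allocated


class TagMismatch(Exception):
    """Raised when a pointer's tag differs from the tag of a granule it touches."""


class TaggedMemory:
    """Toy tagged heap: a flat byte array plus one tag per granule (a model, not real MTE)."""

    def __init__(self, size=4096, seed=1):
        self.data = bytearray(size)
        self.tags = [FREE_TAG] * (size // GRANULE)
        self.allocs = {}                     # base address -> number of granules
        self.next_free = 0
        self.rng = random.Random(seed)

    @staticmethod
    def tag_of(ptr):
        return (ptr >> TAG_SHIFT) & TAG_MASK

    @staticmethod
    def addr_of(ptr):
        return ptr & ADDR_MASK

    def malloc(self, n):
        n_gran = -(-n // GRANULE)            # round up to whole granules
        base, first = self.next_free, self.next_free // GRANULE
        if base + n_gran * GRANULE > len(self.data):
            raise MemoryError("toy heap exhausted")
        # Never hand out the free tag, and never repeat the left neighbour's tag, so that a
        # one-byte overrun into the adjacent allocation is always caught (assumed policy).
        excluded = {FREE_TAG}
        if first > 0:
            excluded.add(self.tags[first - 1])
        tag = self.rng.choice([t for t in range(1, 1 << TAG_BITS) if t not in excluded])
        for g in range(first, first + n_gran):
            self.tags[g] = tag
        self.allocs[base] = n_gran
        self.next_free = base + n_gran * GRANULE
        return (tag << TAG_SHIFT) | base     # tagged pointer: key in the top byte

    def free(self, ptr):
        self.check(ptr, 1)                   # freeing through a mistagged pointer faults too
        base = self.addr_of(ptr)
        first = base // GRANULE
        for g in range(first, first + self.allocs.pop(base)):
            self.tags[g] = FREE_TAG          # retag so stale pointers no longer match

    def check(self, ptr, n):
        """The hardware check: every granule an access touches must carry the pointer's tag."""
        ptag, base = self.tag_of(ptr), self.addr_of(ptr)
        for g in range(base // GRANULE, (base + n - 1) // GRANULE + 1):
            if self.tags[g] != ptag:
                raise TagMismatch(f"pointer tag {ptag:#x} != memory tag {self.tags[g]:#x} at granule {g}")

    def store(self, ptr, payload):
        self.check(ptr, len(payload))
        base = self.addr_of(ptr)
        self.data[base:base + len(payload)] = payload

    def load(self, ptr, n):
        self.check(ptr, n)
        base = self.addr_of(ptr)
        return bytes(self.data[base:base + n])


def in_bounds_access_ok():
    mem = TaggedMemory()
    p = mem.malloc(32)
    mem.store(p, b"hello, tagged world")
    return mem.load(p, 5) == b"hello"


def overflow_is_caught():
    mem = TaggedMemory()
    buf = mem.malloc(32)
    mem.malloc(16)                           # adjacent allocation, guaranteed different tag
    try:
        mem.store(buf, b"A" * 33)            # byte 33 lands in the neighbour's granule
    except TagMismatch:
        return True
    return False


def use_after_free_is_caught():
    mem = TaggedMemory()
    p = mem.malloc(16)
    mem.store(p, b"stale")
    mem.free(p)
    try:
        mem.load(p, 5)                       # stale pointer still carries the old tag
    except TagMismatch:
        return True
    return False


def intra_granule_overflow_is_missed():
    """Limitation of the scheme: an overrun that stays inside the last granule is invisible."""
    mem = TaggedMemory()
    p = mem.malloc(20)                       # 20 bytes requested, 32 bytes (2 granules) tagged
    mem.store(p, b"B" * 30)                  # 10 bytes past the request, same tag: no fault
    return True


if __name__ == "__main__":
    print("in-bounds ok:", in_bounds_access_ok())
    print("overflow caught:", overflow_is_caught())
    print("use-after-free caught:", use_after_free_is_caught())
    print("intra-granule overflow missed:", intra_granule_overflow_is_missed())
```

Two properties of the real feature follow directly from the model: the check is on the key, not on bounds, so an overrun that stays inside the 16-byte granule is never seen; and with only 16 tag values, a mismatch is detected deterministically only where the allocator arranges distinct tags for neighbours, otherwise roughly one collision in sixteen goes unnoticed. The article's point is a third limitation that this model does not capture: the comparison is performed speculatively, and the timing difference between match and mismatch is what the TikTag work measures.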
  7. Tomi Engdahl says:

    ICS/OT
    Gas Chromatograph Hacking Could Have Serious Impact: Security Firm

    Critical vulnerabilities have been found in an Emerson gas chromatograph and Claroty warns that attacks could have a serious impact.

    https://www.securityweek.com/gas-chromatograph-hacking-could-have-serious-impact-security-firm/

    Claroty, a company that specializes in security solutions for cyber-physical systems, has disclosed the details of several vulnerabilities discovered in a gas chromatograph made by Emerson, and warned that attacks could have a serious impact.

    A gas chromatograph is a chemical analysis instrument that measures the content of various components in a sample. Such devices are used by hospitals in blood testing and by environmental facilities to measure air pollution.

    Claroty’s analysis showed that Emerson gas chromatography devices are connected to internal networks and they are controlled remotely by technicians over a communication channel that leverages a proprietary protocol.

    Claroty’s research focused on the Emerson Rosemount 370XA gas chromatograph. Since the product costs $100,000, the cybersecurity firm managed to emulate the device instead of using a real one for its testing.

    The analysis found — and Emerson confirmed — that Rosemount GC370XA, GC700XA, and GC1500XA products are affected by four vulnerabilities.

    https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01

  8. Tomi Engdahl says:

    CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities

    CISA on Wednesday warned that three older flaws in GeoServer, Linux kernel, and Roundcube webmail are exploited in the wild.

    https://www.securityweek.com/cisa-warns-of-exploited-geoserver-linux-kernel-and-roundcube-vulnerabilities/

    The US cybersecurity agency CISA on Wednesday raised the alarm on threat actors exploiting known vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail.

    The GeoServer flaw, tracked as CVE-2022-24816 (CVSS score of 9.8), is described as a code injection flaw in the Jai-Ext open source project that could be exploited to achieve remote code execution.

    The issue is related to the use of the scripting language Jiffle: Jiffle scripts are compiled into Java code via Janino, and then executed.

    GeoServer version 1.2.22 was released in April 2022 with a patch that disabled the ability to inject malicious code into the resulting script.

    Technical information on CVE-2022-24816 and proof-of-concept (PoC) exploit code have been available since August 2022.

    Tracked as CVE-2022-2586 (CVSS score of 7.8), the Linux kernel flaw is a use-after-free issue in nft tables that could lead to privilege escalation.

    “A nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted,” a NIST advisory reads.

  9. Tomi Engdahl says:

    Application Security
    ‘Phantom’ Source Code Secrets Haunt Major Organizations

    Aqua Security shows that code in repositories remains accessible even after being deleted or overwritten, continuing to leak secrets.

    https://www.securityweek.com/phantom-source-code-secrets-haunt-major-organizations/

    Underlying processes within Git-based Source Code Management systems (SCMs) cause code to remain accessible even after being deleted or overwritten, continuing to expose previously leaked secrets, new Aqua Security research shows.

    Security best practices dictate that developers should never hard-code secrets, and Aqua’s new research shows that a secret – be it a password, token, or passkey – that was hardcoded once may be permanently exposed even after removal, as most secrets scanners are likely to miss it. Aqua is calling them ‘phantom’ secrets.

    Conventional scanning methods, most of which only scan repositories accessible via the Git clone command, are likely to miss roughly 18% of the potentially exposed secrets, Aqua discovered after looking at more than 50,000 repositories belonging to the top 100 organizations on GitHub.

    “During our research, we uncovered some significant secrets, including gaining access to the complete cloud environments of some of the biggest organizations in the world, infiltrating the internal fuzzing infrastructure of sensitive projects, accessing telemetry platforms, and even obtaining access to network devices, SNMP secrets, and camera footage of Fortune 500 companies,” the cybersecurity firm says.

    “The problem of exposed secrets in source code remains a common and significant challenge in the software development life cycle (SDLC). Not all secrets scanning tools are alike, the diverse scanning tools vary in the volume of results, and the level of their accuracy,” Aqua notes.

    “The findings once again reinforce the best practice that secrets should never be put into code, not even for testing purposes, and security teams must be able to monitor this. The software supply chain is optimized for speed and convenience, but this cannot come at the expense of secure engineering practices,” Aqua Security CTO and co-founder Amir Jerbi said.

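The gap Aqua describes is between what a clone transfers (objects reachable from some ref) and what the object store still holds. An added example follows, not code from Aqua Security; it lists every object in a repository with `git cat-file --batch-all-objects --batch-check`, subtracts the reachable set from `git rev-list --objects --all`, and runs a few secret patterns over the leftover blobs. The sample listings, the SHAs and the secret values in them are constructed for the demonstration; the pattern set is an assumption and deliberately small.

```python
import re
import shutil
import subprocess

# Assumed, deliberately small pattern set; a production scanner carries many more.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def find_secrets(text):
    """Return (pattern-name, match) pairs for every secret-looking string in text."""
    return [(name, m.group(0)) for name, rx in SECRET_PATTERNS.items() for m in rx.finditer(text)]


def parse_batch_check(output):
    """Blob SHAs from `git cat-file --batch-all-objects --batch-check` ('<sha> <type> <size>')."""
    blobs = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "blob":
            blobs.add(parts[0])
    return blobs


def parse_rev_list_objects(output):
    """Object SHAs from `git rev-list --objects --all` ('<sha> [path]')."""
    return {line.split()[0] for line in output.splitlines() if line.strip()}


def phantom_blobs(all_objects_output, reachable_output):
    """Blobs in the object store that no ref reaches: what a clone-based scan never sees."""
    return parse_batch_check(all_objects_output) - parse_rev_list_objects(reachable_output)


def scan_repo(path):
    """Run both listings against a real repository and scan every phantom blob."""
    if shutil.which("git") is None:
        raise RuntimeError("git not found on PATH")

    def git(*args):
        return subprocess.run(["git", "-C", path, *args], check=True, capture_output=True,
                              text=True, errors="replace").stdout

    hits = {}
    for sha in sorted(phantom_blobs(git("cat-file", "--batch-all-objects", "--batch-check"),
                                    git("rev-list", "--objects", "--all"))):
        found = find_secrets(git("cat-file", "-p", sha))
        if found:
            hits[sha] = found
    return hits


# Constructed listings: four objects exist, but the blob 3d3d... is reachable from no ref
# (for example, it was committed, then removed with an amend or a force-push).
SAMPLE_ALL_OBJECTS = """\
0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a commit 231
1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b tree 69
2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c blob 42
3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d blob 88
"""
SAMPLE_REACHABLE = """\
0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b
2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c config.py
"""
# Constructed content of the phantom blob (the values are not real credentials).
SAMPLE_PHANTOM_BLOB = 'AWS_KEY = "AKIAEXAMPLEKEY000001"\npassword = "hunter2-constructed"\n'

if __name__ == "__main__":
    for sha in sorted(phantom_blobs(SAMPLE_ALL_OBJECTS, SAMPLE_REACHABLE)):
        print(sha, find_secrets(SAMPLE_PHANTOM_BLOB))
```

`scan_repo` is meant for the server-side or bare copy of a repository, where dangling objects persist until garbage collection; a fresh clone would not contain them in the first place, which is exactly the blind spot the research describes. Rotating a credential remains the only real fix once it has been committed, because the object can have been fetched by SHA before any history rewrite.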
  10. Tomi Engdahl says:

    CISA: Most critical open source projects not using memory safe code
    https://www.bleepingcomputer.com/news/security/cisa-most-critical-open-source-projects-not-using-memory-safe-code/?fbclid=IwZXh0bgNhZW0CMTEAAR1wJW3FBQN-htGX58SWaF5Bq9wVEI3b58jqTLGDQr4x6m_pt8aIEb4eHDI_aem_J63TZXsepZCXX0O_0RFXtQ

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published research looking into 172 key open-source projects and whether they are susceptible to memory flaws.

    The report, cosigned by CISA, the Federal Bureau of Investigation (FBI), as well as Australian (ASD, ACSC) and Canadian organizations (CCCS), is a follow-up to the ‘Case for Memory Safe Roadmaps’ released in December 2023, aimed at raising awareness about the importance of memory-safe code.

    Memory safety
    Memory-safe languages are programming languages designed to prevent common memory-related errors such as buffer overflows, use-after-free, and other types of memory corruption.

    A modern example of a safe language system is Rust’s borrow checker, which eliminates data races. Other languages like Golang, Java, C#, and Python manage memory through garbage collection, automatically reclaiming freed memory to prevent exploitation.

    Memory-unsafe languages are those that do not provide built-in memory management mechanisms, burdening the developer with this responsibility and increasing the likelihood of errors. Examples of such cases are C, C++, Objective-C, Assembly, Cython, and D.

    Key findings presented in the report are summarized as follows:

    52% of critical open-source projects analyzed contain code written in memory-unsafe languages.
    55% of the total lines of code (LoC) across these projects are written in memory-unsafe languages.
    The largest projects are disproportionately written in memory-unsafe languages.
    Of the ten largest projects by total LoC, each has a proportion of memory-unsafe LoC above 26%.
    The median proportion of memory-unsafe LoC in these large projects is 62.5%, with four projects exceeding 94%.
    Even projects written in memory-safe languages often depend on components written in memory-unsafe languages.

    Some notable examples from the examined set are Linux (unsafe code ratio 95%), Tor (unsafe code ratio 93%), Chromium (unsafe ratio 51%), MySQL Server (unsafe ratio 84%), glibc (ratio 85%), Redis (ratio 85%), SystemD (65%), and Electron (47%).

    CISA explains that software developers face multiple challenges that often oblige them to use memory-unsafe languages, such as resource constraints and performance requirements.

    That is especially true when implementing low-level functionalities like networking, cryptography, and operating system functions.

    “We observed that many critical open source projects are partially written in memory-unsafe languages and limited dependency analysis indicates that projects inherit code written in memory-unsafe languages through dependencies,” explains CISA in the report.

  11. Tomi Engdahl says:

    Cloudflare, a lead provider of content delivery network (CDN) services, cloud security, and DDoS protection has warned that it has not authorized the use of its name or logo on the Polyfill.io website, which has recently been caught injecting malware on more than 100,000 websites in a significant supply chain attack.
    https://www.bleepingcomputer.com/news/security/cloudflare-we-never-authorized-polyfillio-to-use-our-name/

  12. Tomi Engdahl says:

    IS report: Two critical water supply sites broken into in Tampere
    https://www.is.fi/kotimaa/art-2000010527873.html

  13. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/16373-sama-troijalainen-uhkaa-useimpia-android-puhelimia

    There are over 3.9 billion active Android users in the world, so it is no wonder that the devices are constantly under attack. Check Point warns of a remote administration tool that threatens most Android devices and gives the attacker broad rights to the device's resources.

  14. Tomi Engdahl says:

    Brothers figured out how locks can be broken – tried to extort 37 million from Abloy
    Three brothers have been sentenced in district court to more than two years in prison and to pay large damages.
    https://www.iltalehti.fi/kotimaa/a/c1ff836c-6d92-4de0-8b32-0a8297ddfa0e

    The three brothers figured out how certain locks manufactured and sold by Abloy could be opened with the locks' own key by bypassing the electronic side. They filmed videos in which they opened the locks without leaving traces of forced entry. With these videos they tried to sell their invention to Abloy, which could then address the security flaws. The brothers have a background in the lock industry.

    The activity could in itself have been entirely legal, but the dealings began to turn suspicious.

    For the email correspondence the brothers set up a cover name and an email account for it, [email protected]. The emailing was done from behind a VPN connection that hides the sender's origin. The messages were sent in English, although the brothers are Finnish speakers.

    At first Abloy stated that it could possibly pay a one-time compensation for the invention, in the range of 30,000 to 100,000 euros. A condition, however, was that the identity of the sender would have to be revealed.

    The brothers did not agree, but demanded a considerably larger sum, ultimately 37 million euros. Abloy did not agree, whereupon the brothers indicated that they intended to publish the videos they had filmed and set a deadline for the next reply. Among themselves the men messaged about the "shitstorm" that would follow publication.

    Abloy did not give in to the extortion but contacted the National Bureau of Investigation, which managed to establish the men's identities.

    The case ended up in the North Karelia District Court, which found the men's actions to constitute attempted aggravated extortion. It had sought an extremely valuable unlawful financial gain and caused Abloy substantial costs and reputational harm. In addition, the safety of those using the locks was threatened.

    The district court sentenced Anssi, Henri and Pauli Pukari to two years and eleven months in prison. Notably, the maximum sentence for attempted aggravated extortion is three years of imprisonment.

    In addition, the men must pay substantial damages and legal costs. Each owes more than 200,000 euros.

    The brothers denied the charges. According to them, it was a matter of normal business negotiations.

    Pauli Pukari is a former police officer and has worked, among other places, at the National Bureau of Investigation as a senior constable. He also belonged to the management team of the lock company iLOQ.

    The district court's judgment is not yet legally final.

    According to MTV Uutiset, the break-in trick was not aimed at consumer products but at professional locking solutions.

    Abloy to homes about the extortion attempt: Don't worry – the brothers who talked of a "shitstorm" demanded millions, or the locks open
    https://www.mtvuutiset.fi/artikkeli/abloy-kodeille-kiristysyrityksesta-alkaa-olko-huolissanne-paskamyrskylla-pelotelleet-veljekset-vaativat-miljoonia-tai-lukot-aukeavat/8951882#gs.bh5ebn

    According to key giant Abloy, the extortion attempt directed at it did not concern consumer products. The security flaws discovered by the brothers charged with attempted aggravated extortion concerned a locking solution used by professional end users.

    MTV Uutiset reported yesterday that three brothers who had worked in the locking industry demanded 37 million euros from Abloy in exchange for not revealing security flaws in Abloy's locks and a way to open the locks without a key.

    After the story was published, Abloy got in touch to say that the extortion attempt does not concern consumer products, i.e. the locks used in ordinary people's doors.

    – I would like to stress further that the extortion attempt does not concern consumer products but a locking solution used by professional end users. This means that they typically have their own security unit and the sites have several security levels, Abloy Oy's director of communications and HR Petri Lempiäinen wrote by email.

    According to Abloy, its locking solutions are secure.

    – According to internal and external expert assessments, the locking solutions in question are secure and their use has been able to continue normally.

    Videos sealed

    The prosecutor and Abloy demanded that the court order the trial to be held in secret; in that trial the prosecutor is currently seeking a prison sentence for the three brothers in the North Karelia District Court.

    According to MTV's information, the court ordered the trial to be public, because it did not consider the demonstration of a security flaw in some product to be sufficient grounds for secrecy. The court did seal the videos presented as written evidence.

    According to MTV's information, in the videos the brothers show how Abloy's locks can be manipulated open.

    According to Abloy, its locks are secure

    The brothers' extortion attempt targeted certain Abloy locks that have been used at "several" sites worldwide. The documents made public so far do not reveal which lock models the security flaws concern or how many of the locks are in use around the world.

    Based on the application for a summons, however, the locks are also used at critical infrastructure sites.

    According to Lempiäinen, Abloy's products are secure, and the extortion attempt does not affect the company's products in any way.

    – As part of our product development we continuously evaluate and develop our products, thereby improving their security and features.

    According to the prosecutor, a 50-year-old Finnish man devised a technical way to open certain Abloy locks manufactured in Finland and Germany without a key and without traces of forced entry. After this the man's 45- and 41-year-old brothers offered the key giant the eldest brother's invention and information about the discovered security flaws for a price of 37 million euros.

    The brothers called the correspondence with Abloy and its subsidiaries, conducted under a pseudonym and over protected connections, "negotiations". When the "negotiations" did not progress over a couple of months in the direction the brothers hoped, the tone of their messages hardened.

    The brothers uploaded videos of the locks being manipulated to YouTube as private videos and sent the companies viewing links. At the same time they threatened to publish the videos for everyone to see if the companies did not agree to pay the fee they demanded. So the prosecutor alleges.

    The brothers' messages threatened consequences and reputational harm. In addition, in messages among themselves the brothers spoke of a "shitstorm" and of "shit hitting the fan".

    Abloy did not pay any money but filed a request for investigation with the National Bureau of Investigation.

    The brothers deny the charge; according to them it was only a matter of negotiations. According to the brothers, the request for a fee was not connected to their saying they would publish the videos.

    – They only wanted to bring the safety hazard to public awareness

    All three brothers have previous work history at iLOQ, a manufacturer of locking solutions that is a competitor of Abloy.

  15. Tomi Engdahl says:

    Your Phone’s 5G Connection is Vulnerable to Bypass, DoS Attacks
    Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.
    https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks

    Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

    At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

    It’s a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

  16. Tomi Engdahl says:

    Your phone’s secret network activity: 10 times worse than DNS logs reveal
    https://cybernews.com/editorial/phone-secret-network-activity/

  17. Tomi Engdahl says:

    ISP accused of installing malware on 600,000 customer PCs to interfere with torrent traffic
    When throttling just isn’t enough
    https://www.techspot.com/news/103548-korean-isp-accused-installing-malware-600000-customers-pcs.html

  18. Tomi Engdahl says:

    Two new offensive techniques using Windows Fibers: PoisonFiber (the first remote enumeration & Fiber injection capability POC tool); PhantomThread (an evolved callstack-masking implementation)

    https://github.com/JanielDary/ImmoralFiber

  19. Tomi Engdahl says:

    https://www.neowin.net/news/windows-10-will-get-five-years-of-additional-support-thanks-to-0patch/

    0patch, a service that provides micro security patches without disruptions, announced today that it plans to offer security patches for Windows 10 for at least five years after its official end of life, giving customers a chance to stick to their current devices without significant security compromises. In fact, analysts predict that the end of Windows 10 will trigger a wave of PC upgrades.

  20. Tomi Engdahl says:

    Cyberwarfare
    Microsoft Alerts More Customers to Email Theft in Expanding Midnight Blizzard Hack

    Shockwaves from the Russian government’s hack of Microsoft’s corporate infrastructure continue to spread as the victim pool widens.
    https://www.securityweek.com/microsoft-alerts-more-customers-to-email-theft-in-expanding-midnight-blizzard-hack/

  21. Tomi Engdahl says:

    Malware & Threats
    In Other News: Malware Delivered by ISP, Temu Spying, Critical Dataverse Vulnerability

    Noteworthy stories that might have slipped under the radar: Korean ISP delivers malware to customers, Temu sued for allegedly spying on users, Microsoft patches a critical Dataverse vulnerability.

    https://www.securityweek.com/in-other-news-malware-delivered-by-isp-temu-spying-critical-dataverse-vulnerability/

    South Korean ISP delivered malware to 600,000 users

    South Korean ISP KT has been accused of delivering malware to 600,000 customers in an attempt to interfere with BitTorrent traffic. The company was likely trying to ease the burden placed by torrent traffic on its network and save costs.

    Chinese shopping app Temu allegedly used for spying

    The company behind the Chinese shopping app Temu has been sued by the Arkansas Attorney General. The lawsuit, which describes the application as ‘dangerous malware’, claims Temu can collect a lot of data from the devices it’s installed on, and points to the risks of providing information to a Chinese company. In response, Temu denied the accusations and said the lawsuit is based on inaccurate information. The company will defend itself against the claims.

    South Korean ISP ‘Infected’ Torrenting Subscribers with Malware
    https://torrentfreak.com/south-korean-isp-infected-torrenting-subscribers-with-malware-240625/

    News reports from South Korea, reveal that Internet provider KT actively installed malware on the computers of over half a million subscribers. The malware was intended to interfere with BitTorrent traffic, presumably as a network management solution. A police investigation suggests that cost savings likely played a role too, which is not surprising given local file-sharing habits.

  22. Tomi Engdahl says:

    Sustaining Digital Certificate Security – Entrust Certificate Distrust
    https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html?m=1

    The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion.

    Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.

    When will this action happen?

    Blocking action will begin on approximately November 1, 2024, affecting certificates issued at that point or later.

    Blocking action will occur in Versions of Chrome 127 and greater on Windows, macOS, ChromeOS, Android, and Linux. Apple policies prevent the Chrome Certificate Verifier and corresponding Chrome Root Store from being used on Chrome for iOS.

    What is the user impact of this action?

    By default, Chrome users in the above populations who navigate to a website serving a certificate issued by Entrust or AffirmTrust after October 31, 2024 will see a full page interstitial similar to this one.

    Certificates issued by other CAs are not impacted by this action.

    How can a website operator tell if their website is affected?

    Website operators can determine if they are affected by this issue by using the Chrome Certificate Viewer.

    I use Entrust certificates for my internal enterprise network, do I need to do anything?

    Beginning in Chrome 127, enterprises can override Chrome Root Store constraints like those described for Entrust in this blog post by installing the corresponding root CA certificate as a locally-trusted root on the platform Chrome is running (e.g., installed in the Microsoft Certificate Store as a Trusted Root CA).

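The post names two conditions for a blocked page: the leaf certificate's issuer is Entrust or AffirmTrust, and it was issued on or after roughly November 1, 2024. The following added example (not code from Google or the Chrome team) turns that into a triage check over the dictionary shape `ssl.SSLSocket.getpeercert()` returns, so an operator can run it against a list of hostnames. Using `notBefore` as the issuance date is an assumption that matches the post's wording; the certificate dictionaries at the bottom are constructed, not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# From the post: blocking starts around November 1, 2024 in Chrome 127 and later.
DISTRUST_START = datetime(2024, 11, 1, tzinfo=timezone.utc)
DISTRUSTED_ORGS = ("entrust", "affirmtrust")


def issuer_org(cert):
    """organizationName of the issuer, in the dict shape getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def not_before(cert):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' string getpeercert() uses for notBefore."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)


def chrome_will_block(cert):
    """True if the issuer is Entrust/AffirmTrust and issuance is on or after the cutoff."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in DISTRUSTED_ORGS):
        return False
    return not_before(cert) >= DISTRUST_START


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate (network access required; not used by the test)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _constructed_cert(org, not_before_str):
    """Build a getpeercert()-shaped dict for the demonstration (constructed, not a real cert)."""
    return {
        "issuer": ((("countryName", "US"),), (("organizationName", org),),
                   (("commonName", "constructed intermediate"),)),
        "subject": ((("commonName", "www.example.test"),),),
        "notBefore": not_before_str,
        "notAfter": "Dec 31 23:59:59 2025 GMT",
    }


ENTRUST_AFTER_CUTOFF = _constructed_cert("Entrust, Inc.", "Nov  1 00:00:00 2024 GMT")
ENTRUST_BEFORE_CUTOFF = _constructed_cert("Entrust, Inc.", "Oct 31 23:59:59 2024 GMT")
AFFIRMTRUST_2025 = _constructed_cert("AffirmTrust", "Jun 15 12:00:00 2025 GMT")
OTHER_CA_2025 = _constructed_cert("Example CA Ltd", "Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    for label, cert in [("entrust after cutoff", ENTRUST_AFTER_CUTOFF),
                        ("entrust before cutoff", ENTRUST_BEFORE_CUTOFF),
                        ("affirmtrust 2025", AFFIRMTRUST_2025),
                        ("other CA 2025", OTHER_CA_2025)]:
        print(f"{label:22} blocked={chrome_will_block(cert)}")
```

Treat a `True` as a reason to look, not as the final word: the post says the Chrome Certificate Viewer is the authoritative check, and an enterprise that has installed the Entrust root as a locally trusted root (the Chrome 127 override described above) will not see the interstitial even when this returns `True`.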
