This posting is here to collect cyber security news in June 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in June 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
187 Comments
Tomi Engdahl says:
Apple Patches Vision Pro Vulnerability Used in Possibly ‘First Ever Spatial Computing Hack’
Apple has released a visionOS update that patches CVE-2024-27812, which may be the first flaw specific to the VR headset.
https://www.securityweek.com/apple-patches-vision-pro-vulnerability-used-in-first-ever-spatial-computing-hack/
Apple on Monday updated visionOS, the operating system powering its Vision Pro virtual reality headset, to version 1.2, which addresses several vulnerabilities, including what may be the first security flaw that is specific to this product.
visionOS 1.2 patches nearly two dozen vulnerabilities. However, a vast majority of them are in components that visionOS shares with other Apple products, such as iOS, macOS and tvOS.
Apple on Monday released the new visionOS security advisory and also updated iOS, macOS, and other advisories initially published in May to add the CVEs from the visionOS advisory.
The vulnerabilities can lead to arbitrary code execution, information disclosure, privilege escalation, and denial of service (DoS).
The vulnerability that stands out is CVE-2024-27812. This appears to be the only CVE that is specific to the Vision Pro headset, as it’s not listed in the advisories for any Apple product other than visionOS.
According to Apple, CVE-2024-27812 is related to the processing of specially crafted web content and exploitation can lead to a DoS condition.
Tomi Engdahl says:
Nyt huijataan ASCII-merkeillä tehdyillä QR-koodeilla
https://etn.fi/index.php/13-news/16321-nyt-huijataan-ascii-merkeillae-tehdyillae-qr-koodeilla
Quishing eli QR-koodeilla tapahtuva tietojenkalastelu yleistyy hyvin nopeasti. Check Point kertoo, että rikolliset ovat keksineet nerokkaan tavan kiertää QR-koodien optisen OCR-tarkastusjärjestelmän.
Tietoturvayrityksen Harmony Email -tutkijat ovat paljastaneet uuden kampanjan, jossa QR-koodi ei ole kuvana, vaan se on luotu HTML- ja ASCII-merkkien avulla. Tutkijat olivat toukokuun lopulla nähneet jo yli 600 tällaista sähköpostiviestiä.
Ylläolevassa kuvassa näkyy vasemmalla ASCII-merkeillä luotu QR-koodi ja oikealla ”normaali” kuva. Viestin osaksi ASCII-merkit liitetään normaalilla HTML-koodilla. Hyökkääjien ajatuksena on ohittaa OCR-moottorit.
Tomi Engdahl says:
Microsoft Patches Zero-Click Outlook Vulnerability That Could Soon Be Exploited
Microsoft’s June 2024 Patch Tuesday updates resolve a zero-click Outlook vulnerability leading to remote code execution.
https://www.securityweek.com/microsoft-patches-zero-click-outlook-vulnerability-that-could-soon-be-exploited/
Tomi Engdahl says:
https://www.securityweek.com/google-warns-of-pixel-firmware-zero-day-under-limited-targeted-exploitation/
Tomi Engdahl says:
Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day
The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched.
https://www.securityweek.com/ransomware-group-may-have-exploited-windows-vulnerability-as-zero-day/
Tomi Engdahl says:
Arm Warns of Exploited Kernel Driver Vulnerability
Arm warns that CVE-2024-4610, a Mali GPU kernel driver vulnerability addressed two years ago, is exploited in attacks.
https://www.securityweek.com/arm-warns-of-exploited-kernel-driver-vulnerability/
Tomi Engdahl says:
Chrome 126, Firefox 127 Patch High-Severity Vulnerabilities
Google and Mozilla have released patches for 21 and 15 vulnerabilities in Chrome and Firefox, respectively.
https://www.securityweek.com/chrome-126-firefox-127-patch-high-severity-vulnerabilities/
Tomi Engdahl says:
Ransomware Group Exploits PHP Vulnerability Days After Disclosure
The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.
https://www.securityweek.com/ransomware-group-exploits-php-vulnerability-days-after-disclosure/
Tomi Engdahl says:
ICS Patch Tuesday: Advisories Published by Siemens, Schneider Electric, Aveva, CISA
Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their industrial and OT products.
https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siemens-schneider-electric-aveva-cisa/
Tomi Engdahl says:
Joseph Cox / 404 Media:
A hacker says they breached Tile internal tools, including one for processing data for cops, and stole customer data like phone numbers, addresses, and Tile IDs — A hacker broke into systems used by Tile, the tracking company, then stole a wealth of customer data and had access to internal company tools.
https://www.404media.co/email/b2f3b3e8-64a2-4f91-b0b7-8c6220721ecb/
Tomi Engdahl says:
ProPublica:
Former Microsoft employee Andrew Harris says the company dismissed his warnings about a critical flaw that led to the 2021 SolarWinds hack; Harris left in 2020 — Microsoft hired Andrew Harris for his extraordinary skill in keeping hackers out of the nation’s most sensitive computer networks.
Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says
https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
Tomi Engdahl says:
Microsoft in damage-control mode, says it will prioritize security over AI
Microsoft CEO Satya Nadella is now personally responsible for security flaws.
https://arstechnica.com/tech-policy/2024/06/microsoft-in-damage-control-mode-says-it-will-prioritize-security-over-ai/
Microsoft is pivoting its company culture to make security a top priority, President Brad Smith testified to Congress on Thursday, promising that security will be “more important even than the company’s work on artificial intelligence.”
Satya Nadella, Microsoft’s CEO, “has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security,” Smith told Congress.
Tomi Engdahl says:
https://www.tomshardware.com/tech-industry/disgruntled-ex-employee-costs-company-over-dollar600000-after-he-deletes-all-180-of-its-test-servers-found-server-deletion-scripts-on-google
Tomi Engdahl says:
https://cybersecuritynews.com/fortios-vulnerability-unauthorized-commands/
Tomi Engdahl says:
Microsoft deprecates Windows DirectAccess, recommends Always On VPN
https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-windows-directaccess-recommends-always-on-vpn/
Tomi Engdahl says:
New Linux malware is controlled through emojis sent from Discord
https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-remote-authentication-bypass-on-7-routers/
Tomi Engdahl says:
Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating
TellYouThePass group opportunistically infects servers that have yet to update.
https://arstechnica.com/security/2024/06/thousands-of-servers-infected-with-ransomware-via-critical-php-vulnerability/
Ransomware criminals have quickly weaponized an easy-to-exploit vulnerability in the PHP programming language that executes malicious code on web servers, security researchers said.
As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key.
When opportunity knocks
The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale—used to personalize the OS to the local language of the user—must be set to either Chinese or Japanese.
The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.
Tomi Engdahl says:
Windows-aukko sallii haittaohjelmien asentamisen WiFi-verkon kautta – korjaus saatavilla
https://muropaketti.com/tietotekniikka/tietotekniikkauutiset/windows-aukko-sallii-haittaohjelmien-asentamisen-wifi-verkon-kautta-korjaus-saatavilla/
Tomi Engdahl says:
https://books.google.com/books/about/Tallinn_Manual_2_0_on_the_International.html?hl=fi&id=n9wcDgAAQBAJ
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/
Tomi Engdahl says:
https://dawn.fi/uutiset/2024/06/11/mastercard-token-maksutapa-eurooppa
Tomi Engdahl says:
The Google Pay app is dead
Google Wallet takes over app duties, but it looks like Google is quitting P2P payments.
https://arstechnica.com/gadgets/2024/06/google-shuts-down-the-google-pay-app/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/
Tomi Engdahl says:
https://www.securityweek.com/200000-impacted-by-data-breach-at-los-angeles-county-public-health-agency/
Tomi Engdahl says:
https://www.securityweek.com/uk-man-suspected-of-being-scattered-spider-leader-arrested/
Tomi Engdahl says:
https://www.securityweek.com/pakistani-threat-actors-caught-targeting-indian-gov-entities/
Tomi Engdahl says:
ICS/OT
Know Your Adversary: Why Tuning Intelligence-Gathering to Your Sector Pays Dividends
Without tuning your approach to fit your sector, amongst other variables, you’ll be faced with an unmanageable amount of noise.
https://www.securityweek.com/know-your-adversary-why-tuning-intelligence-gathering-to-your-sector-pays-dividends/
Critical national infrastructure (CNI) sites and providers are targeted by some of the most advanced and persistent threat actors in the world. The nature of CNI – which encompasses everything from communications and transportation industries to energy networks and water utilities – makes it the ideal high-profile target for ideologically motivated threat actors. Successful attacks demonstrate adversary infiltration and digital superiority. To compound the challenge, CNI has become increasingly vulnerable due to ongoing digital transformation efforts. While these are essential to provide the level of service expected by today’s citizens, growing digital dependence unavoidably introduces a plethora of new risks and interdependencies between disparate systems and services that can be cumbersome to identify and manage.
I was reminded of this with two recent stories that appeared in the press, one in The Wall Street Journal: U.S. Fears Undersea Cables Are Vulnerable to Espionage From Chinese Repair Ships. Google, Meta Platforms and other digital service providers have shared ownership of many cables that carry cross-global internet traffic, but they rely on third-party maintenance specialists, including some with foreign ownership. U.S. officials are concerned that these cables could be vulnerable to tampering by Chinese-owned repair ships. Another story concerns attacks on rural US water system facilities, of which there have been several over recent years attributed to bad actors backed by Russia and Iran.
Tomi Engdahl says:
https://newatlas.com/technology/gpt4-autonomously-hack-zero-day-security-flaws/
Tomi Engdahl says:
PoC Exploit Released for Linux Kernel Privilege Escalation Vulnerability
https://cybersecuritynews.com/linux-kernel-privilege-escalation-flaw/#google_vignette
Tomi Engdahl says:
New Meterpreter Backdoor Hides Malicious Codes Within the Image
https://cybersecuritynews.com/meterpreter-backdoor-hides-malicious-codes/#google_vignette
Tomi Engdahl says:
Microsoft Will Switch Off Recall by Default After Security Backlash
After weeks of withering criticism and exposed security flaws, Microsoft has vastly scaled back its ambitions for Recall, its AI-enabled silent recording feature, and added new privacy features.
https://www.wired.com/story/microsoft-recall-off-default-security-concerns/
Tomi Engdahl says:
New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems
https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impacts-google-chrome-linux-systems/
A new speculative execution attack named “TIKTAG” targets ARM’s Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature.
The paper, co-signed by a team of Korean researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, demonstrates the attack against Google Chrome and the Linux kernel.
MTE is a feature added in the ARM v8.5-A architecture (and later), designed to detect and prevent memory corruption.
Tomi Engdahl says:
https://www.darkreading.com/cyberattacks-data-breaches/warmcookie-cyberattackers-backdoor-initial-access
Tomi Engdahl says:
https://wccftech.com/intel-13th-14th-gen-instability-issues-buggy-microcode-etvb-fix-bios-fix-0×125/
Tomi Engdahl says:
https://www.securityweek.com/cisa-conducts-first-ai-cyber-incident-response-exercise/
Tomi Engdahl says:
https://www.securityweek.com/keytronic-says-personal-information-stolen-in-ransomware-attack/
Tomi Engdahl says:
https://www.securityweek.com/insurance-company-globe-life-investigating-data-breach/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/unc3886-hackers-use-linux-rootkits-to-hide-on-vmware-esxi-vms/
Tomi Engdahl says:
https://www.pcgamesn.com/intel/cpu-game-crashes-update
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cdk-global-hacked-again-while-recovering-from-first-cyberattack/
Tomi Engdahl says:
https://thehackernews.com/2024/06/researchers-uncover-uefi-vulnerability.html
Tomi Engdahl says:
Researchers crack Arm’s memory safety mechanism, achieve 95% bypass rate
Shockingly effective
https://www.techspot.com/news/103440-researchers-crack-arm-memory-safety-mechanism-achieve-95.html
Tomi Engdahl says:
https://thehackernews.com/2024/06/chinese-cyber-espionage-group-exploits.html
Tomi Engdahl says:
https://www.neowin.net/news/microsoft-windows-11-cant-open-photos-due-to-non-admin-group-policy-csp-policy-conflict/
Tomi Engdahl says:
https://www.phoronix.com/news/systemd-tmpfiles-purge-drama
Tomi Engdahl says:
That PowerShell ‘fix’ for your root cert ‘problem’ is a malware loader in disguise
Control-C, Control-V, Enter … Hell
https://www.theregister.com/2024/06/19/powershell_fix_malware/
Crafty criminals are targeting thousands of orgs around the world in social-engineering attacks that use phony error messages to trick users into running malicious PowerShell scripts.
This latest Windows malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages that look kinda like real warnings. After visiting a legit but compromised website, victims see some kind of pop-up text box in their browser telling them something went wrong – it’s an old but highly effective trick. One worth knowing, we reckon, so that you can help stop colleagues and others falling for it.
Tomi Engdahl says:
https://www.forbes.com/sites/daveywinder/2024/06/19/smart-guessing-algorithm-cracks-87-million-passwords-in-under-60-seconds/
Tomi Engdahl says:
City of Helsinki: Vulnerable remote server led to massive data breach
“According to current information, the data obtained by the criminal party has not been misused,” the City said.
https://yle.fi/a/74-20094950
Tomi Engdahl says:
https://techcrunch.com/2024/06/18/security-bug-allows-anyone-to-spoof-microsoft-employee-emails/