Cyber security news July 2024

This posting is here to collect cyber security news in July 2024.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links to comments.

322 Comments

  1. John Kek says:

    thank you for this topic

    Reply
  2. Tomi Engdahl says:

    OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.

    https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html?fbclid=IwZXh0bgNhZW0CMTEAAR1nvC-WOLmVaBhS1k3-B7_vsGKUHwRNywArbvlwlVbMalwThngYXy0TRg4_aem_N1DYdhNMrEBFP7UMFBXA6Q&m=1

    Reply
  3. Tomi Engdahl says:

    OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems.

    The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the [OpenSSH server component](https://ubuntu.com/server/docs/openssh-server), also known as sshd, which is designed to listen for connections from any of the client applications.

    “The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems,” Bharat Jogi, senior director of the threat research unit at Qualys, [said](https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server) in a disclosure published today. “This race condition affects sshd in its default configuration.”

    The cybersecurity firm said it identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet, adding it’s a regression of an already patched 18-year-old flaw tracked as [CVE-2006-5051](https://nvd.nist.gov/vuln/detail/CVE-2006-5051), with the problem reinstated in October 2020 as part of OpenSSH version 8.5p1.

    “Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with [[address space layout randomization](https://en.wikipedia.org/wiki/Address_space_layout_randomization)],” OpenSSH [said](https://www.openssh.com/releasenotes.html) in an advisory. “Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept.”

    The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and [CVE-2008-4109](https://nvd.nist.gov/vuln/detail/CVE-2008-4109). It’s worth noting that OpenBSD systems are unaffected as they include a security mechanism that blocks the flaw.

    Specifically, Qualys found that if a client does not authenticate within 120 seconds (a setting defined by LoginGraceTime), then sshd’s SIGALRM handler is called asynchronously in a manner that’s not [async-signal-safe](https://man7.org/linux/man-pages/man7/signal-safety.7.html).

    The net effect of exploiting CVE-2024-6387 is full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, data theft, and even maintain persistent access.

    “A flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue,” Jogi said. “This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment.”

    While the vulnerability has significant roadblocks due to its remote race condition nature, users are recommended to apply the latest patches to secure against potential threats. It’s also advised to limit SSH access through network-based controls and enforce network segmentation to restrict unauthorized access and lateral movement.

    #2600net #irc #secnews #openssh #ssh

    Source:
    https://www.facebook.com/share/p/FgkPvrqRCe6msbPn/

    Reply
  4. Tomi Engdahl says:

    Bleeping Computer: Fake IT support sites push malicious PowerShell scripts as Windows fixes > https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-malicious-powershell-scripts-as-windows-fixes/, 2024-06-30 10:21:42 -0400

    Reply
  5. Tomi Engdahl says:

    Vulnerabilities
    Millions of OpenSSH Servers Potentially Vulnerable to Remote regreSSHion Attack

    Millions of OpenSSH servers could be vulnerable to unauthenticated remote code execution due to a vulnerability tracked as regreSSHion and CVE-2024-6387.

    https://www.securityweek.com/millions-of-openssh-servers-potentially-vulnerable-to-remote-regresshion-attack/

    Reply
  6. Tomi Engdahl says:

Report: Shortcomings in the information security of water utilities
    https://www.is.fi/digitoday/art-2000010537539.html

    According to a report carried out last autumn, some of Finland's water utilities did not, for example, collect log data from their information systems.

    Police are investigating break-ins at water utilities, but in recent years the authorities have paid attention to another security concern affecting the sector.

    A report by the authority that supervises water services nationally shows that the cyber security of water utilities in Finland is partly deficient. The report was prepared by the national water services unit operating under the South Savo ELY Centre. According to the report it published last October, some of the water utilities it examined did not, for example, collect log data from their information systems.

    – Many of the measures required to improve cyber security, including ones that sound technical, require improving the systematic nature of the entire water utility's operations, the report states.

    Interviews conducted for the report revealed that one respondent understood the risk of a power outage but not that a cyber incident could cause a situation equivalent to a power outage.

    – Management in particular would need more training on the impact of various cyber incidents and attacks on business continuity, the report says.

    The National Emergency Supply Agency (Huoltovarmuuskeskus) also assessed in a review it published two years ago that the water utility sector has room for improvement in IT security.

    Survey of sector cyber maturity 2022 – National summary report
    https://www.huoltovarmuuskeskus.fi/files/bbdecbcd7921768bd3ac5496af7992a0460a9f2b/hvk-toimialojen-kyberkypsyyden-selvitys-2022.pdf

    Reply
  7. Tomi Engdahl says:

    Police allege ‘evil twin’ of in-flight Wi-Fi used to steal passenger’s credentials
    Fasten your seat belts, secure your tray table, and try not to give away your passwords
    https://www.theregister.com/2024/07/01/australia_evil_twin_wifi_airline_attack/

Australia’s Federal Police (AFP) has charged a man with running a fake Wi-Fi network on at least one commercial flight and using it to harvest fliers’ credentials for email and social media services.

    The man was investigated after an airline “reported concerns about a suspicious Wi-Fi network identified by its employees during a domestic flight.”

    Reply
  8. Tomi Engdahl says:

    Microsoft tells yet more customers their emails have been stolen
    Plus: US auto dealers still offline; Conti coders sanction; Rabbit R1 hardcoded API keys; and more
    https://www.theregister.com/2024/07/01/infosec_in_brief/

    Reply
  9. Tomi Engdahl says:

    More info about this issue https://www.openssh.com/txt/release-9.8

One of the best defenses is not to expose the SSH port to a public IP; use a VPN to manage the servers.

    Versions earlier than 4.4p1 are vulnerable unless patched for CVE-2006-5051 and CVE-2008-4109.
    Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable.
    Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable.

    Reply
  10. Tomi Engdahl says:

    Ubuntu’s website also mentions a mitigation for those who can’t upgrade.
    https://ubuntu.com/security/CVE-2024-6387

    Reply
  11. Tomi Engdahl says:

    Mitigation
    Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd
    vulnerable to a denial of service (the exhaustion of all MaxStartups
    connections), but it makes it safe from this vulnerability.

    Reply
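An added defender-side check that applies the version ranges from the OpenSSH 9.8 release notes quoted in the earlier comment and tests an sshd_config for the LoginGraceTime 0 mitigation above. This is example code written for this page, not a tool from OpenSSH, Qualys or the linked scanner; the banners and config text are constructed samples, and treating a banner without a "pN" suffix as OpenBSD's native (unaffected) build is an assumption.

```python
import re
from typing import Optional, Tuple

# Ranges from the OpenSSH 9.8 release notes quoted in the earlier comment:
#   < 4.4p1             vulnerable unless patched for CVE-2006-5051 / CVE-2008-4109
#   4.4p1 <= v < 8.5p1  not vulnerable
#   8.5p1 <= v < 9.8p1  vulnerable
#   >= 9.8p1            fixed
# Versions are compared as (major, minor, micro, portable-patch) tuples.
Version = Tuple[int, int, int, int]
V_4_4P1 = (4, 4, 0, 1)
V_8_5P1 = (8, 5, 0, 1)
V_9_8P1 = (9, 8, 0, 1)

# Software-version field of an SSH identification string, e.g.
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13" or the older "OpenSSH_6.6.1p1".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Version]:
    """Return (major, minor, micro, p) from a banner, or None if not OpenSSH."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro or 0), int(patch or 0))


def classify_banner(banner: str) -> str:
    """Map a banner to the advisory's version ranges (banner check only)."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v[3] == 0:
        # Assumption: no "pN" suffix means the non-portable OpenBSD build,
        # which the advisory says is not affected.
        return "non-portable-build-unaffected"
    if v < V_4_4P1:
        return "vulnerable-unless-patched-for-cve-2006-5051"
    if v < V_8_5P1:
        return "not-vulnerable"
    if v < V_9_8P1:
        return "vulnerable"
    return "patched"


# sshd_config accepts "Keyword value" or "Keyword=value"; '#' starts a comment.
CONFIG_LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")
TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_sshd_time(value: str) -> int:
    """Convert an sshd time value ("120", "2m", "1h30m") to seconds."""
    return sum(int(n) * TIME_UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))


def effective_login_grace_time(sshd_config: str) -> int:
    """Effective LoginGraceTime in seconds (sshd default is 120).
    sshd uses the FIRST occurrence of a keyword, so duplicates are ignored."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CONFIG_LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            # LoginGraceTime is not valid inside Match blocks, and everything
            # after the first Match belongs to one, so stop scanning here.
            break
        if key == "logingracetime":
            return parse_sshd_time(value)
    return 120


def login_grace_time_mitigated(sshd_config: str) -> bool:
    """True when the advisory's mitigation (LoginGraceTime 0) is in effect."""
    return effective_login_grace_time(sshd_config) == 0


# Constructed sample inputs (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
LoginGraceTime 0
LoginGraceTime 2m   # ignored: sshd keeps the first value
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} {classify_banner(b)}")
    print("LoginGraceTime mitigation:", login_grace_time_mitigated(SAMPLE_SSHD_CONFIG))
```

A banner check is only a first pass: distributions that backport the fix keep the upstream version string, so confirm against the vendor advisory (such as the Ubuntu page linked in the comment above) before treating a host as vulnerable.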
  12. Tomi Engdahl says:

    Google Patches 25 Android Flaws, Including Critical Privilege Escalation Bug

    Google ships an Android security update with fixes for 15 vulnerabilities, including a critical-severity flaw in Framework.

    https://www.securityweek.com/google-patches-25-android-flaws-including-critical-privilege-escalation-bug/

    Reply
  13. Tomi Engdahl says:

    Data Breaches
    Evolve Bank Shares Data Breach Details as Fintech Firms Report Being Hit

    Fintech companies Wise and Affirm are impacted by the data breach at Evolve Bank, which has shared additional details on the recent ransomware attack.

    https://www.securityweek.com/evolve-bank-shares-data-breach-details-as-fintech-firms-report-being-hit/

    Reply
  14. Tomi Engdahl says:

    Splunk Patches High-Severity Vulnerabilities in Enterprise Product

    Splunk has patched multiple vulnerabilities in Splunk Enterprise, including high-severity remote code execution bugs.

    https://www.securityweek.com/splunk-patches-high-severity-vulnerabilities-in-enterprise-product/

    Reply
  15. Tomi Engdahl says:

    Cyberinsurance Premiums are Going Down: Here’s Why and What to Expect

    The change in premium rates is more likely to be the insurers’ correction than the insureds’ improvement in security.

    https://www.securityweek.com/cyberinsurance-premiums-are-going-down-heres-why-and-what-to-expect/

    Cyberinsurance Premiums

    Cyberinsurance is getting cheaper, with premiums falling around 15% since they peaked in 2022. Commenting on a report from broker Howden, Reuters suggests business has become more adept in curbing losses from cybercrime.

    “Added security such as multifactor authentication has helped to protect companies’ data, reducing insurance claims,” writes Reuters on July 1, 2024. It would be good if this were true, but most things are usually more complex than they first appear.

    Cyberinsurance premiums increased rapidly in 2021 and 2022. The insurers got their sums wrong through an insufficient understanding of the cybercrime market. They were forced to redefine a cyberwar exclusion clause, increase denials and exclusions, and hike premiums. Now premiums are declining again.

    “Fewer companies are willing to invest a considerable amount of money in cyberinsurance after a bad experience when insurance coverage was denied for various reasons and contractual clauses subtly incorporated into the insurance agreement,” comments Ilia Kolochenko, partner & cybersecurity practice lead at Platt Law LLP, and CEO at ImmuniWeb.

    Reply
  16. Tomi Engdahl says:

    Critical Flaw in PTC License Server Can Allow Lateral Movement in Industrial Organizations

    PTC has patched a critical vulnerability in the Creo Elements/Direct License Server that can be exploited for unauthenticated command execution.

    https://www.securityweek.com/critical-flaw-in-ptc-license-server-can-allow-lateral-movement-in-industrial-organizations/

    Reply
  17. Tomi Engdahl says:

    PortSwigger Scores Hefty $112 Million Investment

    The British company behind the popular Burp Suite pen-test utilities has banked a massive $112 million investment from Brighton Park Capital.

    https://www.securityweek.com/portswigger-scores-hefty-112-million-investment/

    Reply
  18. Tomi Engdahl says:

    Cisco Patches NX-OS Zero-Day Exploited by Chinese Cyberspies

    Cisco has patched an NX-OS command injection zero-day exploited by China-linked cyberespionage group Velvet Ant.

    https://www.securityweek.com/cisco-patches-nx-os-zero-day-exploited-by-chinese-cyberspies/

    Reply
  19. Tomi Engdahl says:

    Cynthia Brumfield / CSO:
    SCOTUS’ Chevron ruling could weaken federal cybersecurity regulations, as FCC data breach reporting requirements and other rules are likely to be challenged

    US Supreme Court ruling will likely cause cyber regulation chaos
    https://www.csoonline.com/article/2512955/us-supreme-court-ruling-will-likely-cause-cyber-regulation-chaos.html

    The ruling could weaken almost all US federal cybersecurity regulations, including SEC incident reporting, FCC data breach reporting, and CISA cyber incident reporting rules.

    The US Supreme Court has issued a decision that could upend all federal cybersecurity regulations, moving ultimate regulatory approval to the courts and away from regulatory agencies. A host of likely lawsuits could gut the Biden administration’s spate of cyber incident reporting requirements and other recent cyber regulatory actions.

    In a stunning reversal of nearly 40 years of regulatory law, in Loper Bright Enterprises v. Raimondo, the Court voted six to three last week to gut a legal precedent known as the Chevron deference. Decided in a 1984 Supreme Court case, Chevron instructed lower courts to defer to expert regulatory agencies in cases requiring interpretation of congressional intent.

    In Loper, the Supreme Court ruled that courts — not regulatory agencies — are the ultimate arbiters of what governing congressional law says, casting into doubt thousands of federal regulations affecting virtually all aspects of society, from environmental safety to financial fraud.

    Reply
  20. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    For ~10 years, millions of macOS and iOS apps using CocoaPods were vulnerable to a serious flaw in the dependency manager, which was patched in October 2023 — Apps that used code libraries hosted on CocoaPods were vulnerable for about 10 years. — Vulnerabilities that went undetected …

    3 million iOS and macOS apps were exposed to potent supply-chain attacks
    Apps that used code libraries hosted on CocoaPods were vulnerable for about 10 years.
    https://arstechnica.com/security/2024/07/3-million-ios-and-macos-apps-were-exposed-to-potent-supply-chain-attacks/

    Reply
  21. Tomi Engdahl says:

    regreSSHion OpenSSH Flaw: Potential Exploitation Attempts Seen, but Mass Attacks Unlikely

    The critical OpenSSH vulnerability tracked as regreSSHion and CVE-2024-6387 may already be targeted by attackers, but mass exploitation is unlikely.

    https://www.securityweek.com/regresshion-openssh-flaw-potential-exploitation-attempts-seen-but-mass-attacks-unlikely/

    More information has become available on the possible exploitation of the recently disclosed OpenSSH vulnerability tracked as CVE-2024-6387 and named regreSSHion.

    Qualys revealed on July 1 that its researchers discovered a critical OpenSSH vulnerability — a race condition — that can be exploited by an unauthenticated attacker for remote code execution.

    The vulnerability has been compared to Log4Shell, and Qualys warned that its exploitation can lead to a complete system takeover, enabling the deployment of malware and backdoors.

    The security hole has been named regreSSHion because it’s a regression of an OpenSSH flaw first patched in 2006 — the issue was reintroduced in 2020 and it was accidentally patched recently with the release of version 9.8p1.

    Searches conducted by Qualys using the Shodan and Censys services showed more than 14 million potentially vulnerable OpenSSH instances on the internet, and the security firm’s own customer data showed roughly 700,000 systems that appeared to be vulnerable.

    Qualys has made available technical details, but it has not released proof-of-concept (PoC) code. However, others have started making public what appear to be PoC exploits.

    On the other hand, Palo Alto Networks has tested some of the PoC code and was not able to achieve remote code execution. The cybersecurity giant said there’s no reason for panic, noting that while the vulnerability is critical it’s unlikely to lead to mass exploitation.

    Exploitation of CVE-2024-6387 is not a straightforward task. Qualys explained that in its experiments it took roughly 10,000 tries to win the race condition required for exploitation, taking between several hours and one week to obtain a remote root shell.

    Tomer Schwartz, co-founder and CTO of Dazz, highlighted that exploitation is mostly possible in a lab setting.

    “It is a statistical exploit by nature: it takes a significant number of attempts to win the race condition and successfully execute arbitrary code, and there are quite a few obstacles that attackers need to overcome,” Schwartz told SecurityWeek. “The best-known exploit takes over 4 hours to run, even in the best-case scenario.”

    In release notes for OpenSSH 9.8, developers pointed out that exploitation has only been demonstrated on 32-bit glibc-based Linux systems and noted that OpenBSD is not impacted.

    “Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It’s likely that these attacks will be improved upon,”

    OpenSSH developers said. “Exploitation on non-glibc systems is conceivable but has not been examined. Systems that lack ASLR or users of downstream Linux distributions that have modified OpenSSH to disable per-connection ASLR re-randomisation […] may potentially have an easier path to exploitation.”

    Reply
  22. Tomi Engdahl says:

    Members of the cybersecurity community have started releasing open source tools that can be used to identify vulnerable OpenSSH servers.

    https://x.com/xaitax/status/1807877193734688995

    For those interested, made a lightweight and efficient scanner designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered regreSSHion vulnerability (CVE-2024-6387).

    https://github.com/xaitax/CVE-2024-6387_Check

    CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH, specifically targeting the recently discovered regreSSHion vulnerability (CVE-2024-6387). This script facilitates rapid scanning of multiple IP addresses, domain names, and CIDR network ranges to detect potential vulnerabilities and ensure your infrastructure is secure.

    Reply
  23. Tomi Engdahl says:

    Intel Says No New Mitigations Required for Indirector CPU Attack

    Researchers disclosed a new high-precision Branch Target Injection attack method named Indirector, but Intel says no new mitigations are needed.

    https://www.securityweek.com/intel-says-no-new-mitigations-required-for-indirector-cpu-attack/

    A team of researchers from the University of California San Diego has published a paper detailing a novel attack method targeting Intel CPUs, but the chip giant says no new mitigations are required to address it.

    The new attack, named Indirector, is similar to the well-known Spectre v2 or Spectre Branch Target Injection (BTI) attack.

    These methods typically allow an attacker who has access to the targeted system to obtain information, including sensitive data such as passwords or encryption keys, from memory.

    The researchers described Indirector as a high-precision BTI attack that exploits the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs such as Raptor Lake and Alder Lake.

    According to the researchers, previous BTI attacks overlooked IBP, which they describe as a “critical component of the branch prediction unit that predicts the target address of indirect branches”.

    https://indirector.cpusec.org/

    This paper introduces novel high-precision Branch Target Injection (BTI) attacks, leveraging the intricate structures of the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) in high-end Intel CPUs (Raptor Lake and Alder Lake).

    Reply
  24. Tomi Engdahl says:

    Malware & Threats
    Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys

    Censys has discovered more than 380,000 hosts, including major platforms, still referencing the malicious polyfill.io domain.

    https://www.securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys/

    Reply
  25. Tomi Engdahl says:

    Nation-State
    TeamViewer Hack Officially Attributed to Russian Cyberspies
    https://www.securityweek.com/europol-announces-crackdown-on-cobalt-strike-servers-used-by-cybercriminals/

    TeamViewer has confirmed that the Russian cyberespionage group APT29 appears to be behind the recent hack.

    TeamViewer has confirmed that a notorious Russian cyberespionage group appears to be behind the recent hacker attack targeting the company’s systems.

    The remote connectivity software provider revealed last week that it had detected an intrusion on June 26.

    According to follow-up statements issued by the company on Friday and over the weekend, the breach only impacted its internal corporate IT environment, and did not affect its product environment, the TeamViewer connectivity platform, or any customer data.

    “Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place,” TeamViewer explained. “This means we keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments.”

    The company revealed that the attackers hacked into its systems after obtaining the credentials for a standard employee account that had access to the corporate IT environment.

    Reply
  26. Tomi Engdahl says:

    Malware & Threats
    Europol Announces Crackdown on Cobalt Strike Servers Used by Cybercriminals

    European law enforcement agency announces the takedown of nearly 600 Cobalt Strike servers linked to criminal activity.

    https://www.securityweek.com/europol-announces-crackdown-on-cobalt-strike-servers-used-by-cybercriminals/

    European law enforcement agency Europol on Wednesday announced a global crackdown against the use of legitimate security tools by cybercriminals, including the takedown of nearly 600 Cobalt Strike servers linked to criminal activity.

    The agency said it teamed up with multiple private sector companies to flag known Cobalt Strike servers used by criminal groups and passed that information to online service providers to disable unlicensed versions of the tool.

    “A total of 690 IP addresses were flagged to online service providers in 27 countries. By the end of the week, 593 of these addresses had been taken down,” Europol said.

    The cross-border investigation, codenamed Operation Morpheus, was led by the UK National Crime Agency and involved law enforcement authorities from Australia, Canada, Germany, the Netherlands, Poland and the United States.

Europol said it coordinated the international activity, and liaised with the private partners in a complex investigation initiated in 2021.

    Reply
  27. Tomi Engdahl says:

    Charles Gorrivan / Bloomberg:
    CDK Global, a software provider to ~15K North American car dealerships, says “substantially all” of its dealers are back online, after two cyberattacks in June

    CDK Says ‘Substantially All’ Car Dealerships Restored After Hack
    https://www.bloomberg.com/news/articles/2024-07-02/cdk-says-substantially-all-car-dealership-systems-back-online-after-hack

    Software provider serves about 15,000 dealers in North America
    CDK suffered two cyberattacks that forced systems offline

    Reply
  28. Tomi Engdahl says:

    Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims
    Temu “surprised” by the lawsuit, plans to “vigorously defend” itself.
    https://arstechnica.com/tech-policy/2024/06/shopping-app-temu-is-dangerous-malware-spying-on-your-texts-lawsuit-claims/

    Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

    Griffin cited research and media reports exposing Temu’s allegedly nefarious design, which “purposely” allows Temu to “gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications.”

    “Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

    Griffin fears that Temu is capable of accessing virtually all data on a person’s phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin’s suit claimed, which Temu then allegedly monetizes by selling it to third parties, “profiting at the direct expense” of users’ privacy rights.

    “Compounding” risks is the possibility that Temu’s Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese “laws that mandate secret cooperation with China’s intelligence apparatus regardless of any data protection guarantees existing in the United States.”

    Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu’s alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app.

    Temu “surprised” by lawsuit
    The company that owns Temu, PDD Holdings, was founded in 2015 by a former Google employee, Colin Huang. It was originally based in China, but after security concerns were raised, the company relocated its “principal executive offices” to Ireland, Griffin’s complaint said. This, Griffin suggested, was intended to distance the company from debate over national security risks posed by China, but because the majority of its business operations remain in China, risks allegedly remain.

    Reply
  29. Tomi Engdahl says:

Cyber attack from Russia under way – this is what it is about
    The cyber attack is said to be a response to the opening of military bases to the Americans.
    https://www.is.fi/digitoday/tietoturva/art-2000010544467.html

    The pro-Russian hacktivist group NoName057(16) is currently attacking Finnish financial institutions.

    On its Telegram channel the group names the Finland Chamber of Commerce (Keskuskauppakamari) and the OP Group as targets of its denial-of-service attacks. In addition, the group says it is attacking the French Ministry of Finance.

    At the time of writing, the websites of both Finnish financial institutions were working. This may be because the attack has moved on to another target or because of countermeasures.

    Reply
  30. Tomi Engdahl says:

A new kind of threat has appeared in text messages – here is how to protect yourself
    https://www.is.fi/digitoday/tietoturva/art-2000010541954.html

    Read the summary
    RCS messages, an improved version of traditional text messages, are becoming more common on smartphones.

    RCS messages bring features familiar from instant messengers to the phone's default messaging app.

    With RCS messages a scammer can confirm that a potential victim exists and craft even more convincing scam messages.

    The security of RCS messages has not yet been proven and their implementation may contain vulnerabilities.

    Reply
  31. Tomi Engdahl says:

    Passkey Redaction Attacks Subvert GitHub, Microsoft Authentication
    Adversary-in-the-middle attacks can strip out the passkey option from login pages that users see, leaving targets with only authentication choices that force them to give up credentials.
    https://www.darkreading.com/cloud-security/passkey-redaction-attacks-subvert-github-microsoft-authentication

    Reply
  32. Tomi Engdahl says:

    Hacker Stole Secrets From OpenAI
    https://www.securityweek.com/hackers-stole-secrets-from-openai/

    ChatGPT maker OpenAI was breached in 2023, but the company says source code and customer data were not accessed.

    Reply
  33. Tomi Engdahl says:

    OVHcloud Sees Record 840 Mpps DDoS Attack
    https://www.securityweek.com/ovhcloud-sees-record-840-mpps-ddos-attack/

    OVHcloud says it mitigated the largest ever DDoS attack leveraging packet rate, which peaked at 840 Mpps.

    Cloud provider OVHcloud this week revealed that it had mitigated the largest ever distributed denial-of-service (DDoS) attack in terms of packet rate, amid an overall increase in DDoS attack intensity.

    Packet rate DDoS attacks seek to overload the processing engines of the networking devices close to the target, essentially taking down the infrastructure in front of the victim, such as the anti-DDoS systems.

Packet rate DDoS attacks, the cloud provider explains, are highly effective as their mitigation requires dealing with many small packets, which is typically more difficult than dealing with fewer, albeit larger, packets.

    “We can summarize this problem into a single sentence: if your job is to deal mostly with payloads, bandwidth may be the hard limit; but if your job is to deal mostly with packet headers, packet rate is the hard limit,” OVHcloud notes.

    Peaking at around 840 Mpps (million packets per second), the largest packet rate attack was registered in April this year, breaking the record that was set at 809 Mpps in 2021.

    Even more worrying, however, is that OVHcloud has been observing a sharp increase in packet rate DDoS attacks above the 100 Mpps threshold over the past six months.

    Typically, threat actors rely on DDoS attacks that focus on exhausting the target’s bandwidth (network-layer or Layer 3 attacks) or resources (application-layer or Layer 7 attacks), but the adoption of packet rate assaults is surging.

    “We went from mitigating a few of them each week, to tens or even hundreds per week. Our infrastructures had to mitigate several 500+ Mpps attacks at the beginning of 2024, including one peaking at 620 Mpps. In April 2024, we even mitigated a record-breaking DDoS attack reaching ~840 Mpps,” OVHcloud says.

    Most of the traffic used in the record attack, the cloud provider says, consisted of TCP ACK packets originating from roughly 5,000 IPs.

    The company’s investigation revealed the use of MikroTik routers as part of the attack, specifically cloud core routers – namely the CCR1036-8G-2S+ and CCR1072-1G-8S+ device models. There are close to 100,000 CCR devices exposed to the internet, with the two models accounting for roughly 40,000 of them.

    Should a threat actor be able to ensnare all these devices into a botnet, OVHcloud says, that botnet could theoretically generate 2.28 billion packets per second (or Gpps).

    Following a steady increase in frequency over the past year and a half, large network-layer attacks are also a normal occurrence now, the cloud provider reports.

The Mirai botnet was the first to break the 1 Tbps (terabit per second) threshold in 2016. With 3.47 Tbps and 2.5 Tbps records set in 2022, DDoS attacks over 1 Tbps are run-of-the-mill now.

    “In the past 18 months, we went from 1+ Tbps attacks being quite rare, then weekly, to almost daily (averaged out over one week). The highest bit rate we observed during that period was ~2.5 Tbps,” OVHcloud notes.

    In October last year, the industry observed some of the largest Layer 7 DDoS attacks in history. Exploiting the ‘HTTP/2 Rapid Reset’ zero-day vulnerability, multiple record-breaking assaults were seen over the course of several days, with the largest peaking at 398 million requests per second (rps).

    Reply
  34. Tomi Engdahl says:

    California Advances Unique Safety Regulations for AI Companies Despite Tech Firm Opposition

    Lawmakers voted to advance legislation that would require AI companies to test their systems and add safety measures to prevent them from being potentially manipulated for malicious purposes.

    https://www.securityweek.com/california-advances-unique-safety-regulations-for-ai-companies-despite-tech-firm-opposition/

    Reply
  35. Tomi Engdahl says:

    How Intelligence Sharing Can Help Keep Major Worldwide Sporting Events on Track

    The Olympic Games is only 29 days long, so set up and take down is a very intense period, where the threat actors can take advantage.

    https://www.securityweek.com/how-intelligence-sharing-can-help-keep-major-worldwide-sporting-events-on-track/

    Major worldwide sporting events like the Olympics or the FIFA World Cup attract global interest as people follow their national teams and hope for success. To put this into context, the Olympic Games are one of the most widely covered sporting events in the world, with an audience of more than 4 billion viewers. Probably owing to the sheer scale of such events, not to mention their high profile, they also attract bad actors looking to disrupt them for ideological reasons or illegal profit.

    Reply
  36. Tomi Engdahl says:

    In Other News: Microsoft Details ICS Flaws, Smart Grill Hacking, Predator Spyware Activity

    Noteworthy stories that might have slipped under the radar: Microsoft details Rockwell HMI vulnerabilities, smart grills hacked, Predator spyware activity drops.

    https://www.securityweek.com/in-other-news-microsoft-details-ics-flaws-smart-grill-hacking-predator-spyware-activity/

    Microsoft details serious vulnerabilities found in Rockwell HMIs

    Microsoft has shared details on a couple of critical- and high-severity vulnerabilities discovered in Rockwell Automation PanelView Plus HMIs. The flaws can be remotely exploited by unauthenticated attackers for remote code execution and denial-of-service (DoS) attacks. The security holes were patched by Rockwell in September and October 2023.

    Reply
  37. Tomi Engdahl says:

    Over 380k Hosts Still Referencing Malicious Polyfill Domain: Censys

    Censys has discovered more than 380,000 hosts, including major platforms, still referencing the malicious polyfill.io domain.

    https://www.securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys/

    JavaScript scripts referencing the recently suspended polyfill.io domain are present on over 380,000 internet-exposed hosts, attack surface management firm Censys reports.

    Used to host polyfills, small JavaScript bits providing modern functionality in older browsers, polyfill.io was suspended last week, after it was caught redirecting the visitors of websites embedding polyfill.io code to betting and adult sites.

    The security community linked the malicious behavior to the site’s owner, the Chinese content delivery network (CDN) company Funnull, which bought polyfill.io and the associated GitHub repository in February 2024.

    The supply chain attack was estimated to have impacted just over 100,000 websites and triggered a prompt response from the industry, including warnings from Google, uBlock Origin blocking polyfill.io, and Namecheap suspending it.

    Now, Censys says that the potential impact from the incident was much larger: as of July 2, there are still 384,773 hosts embedding a polyfill script referencing the malicious domain.

    Most of these are in Germany, within the Hetzner network (AS24940), but domains tied to major platforms, including Hulu, Mercedes-Benz, Pearson, and Warner Bros, also have a large number of hosts linking to the malicious polyfill endpoint.

    According to Censys, an analysis of the identified domains shows broad usage of polyfill.io across various sectors, including government websites. A total of 182 affected hosts were displaying a .gov domain.

    The good news is that significantly more websites are now using alternative secure polyfill endpoints, such as those provided by Fastly and Cloudflare: the number went from 80,312 on June 28 to 216,504 on July 2.

    The bad news is that the polyfill incident might be part of a broader malicious campaign that started in June 2023 and which appears to involve four other domains that are likely controlled by the same threat actor, namely bootcdn[.]net, bootcss[.]com, staticfile[.]net, and staticfile[.]org.

    “One of these domains, bootcss[.]com, has been observed engaging in malicious activities that are very similar to the polyfill[.]io attack, with evidence dating back to June 2023,” Censys says.

    Reply
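The Censys report above counts hosts whose pages still load scripts from polyfill.io and the four related domains. The following is an added example, not Censys' tooling or anything from the articles: a small stand-alone scanner that pulls `src`/`href` attributes out of HTML with Python's standard-library parser and flags any that resolve to those domains or their subdomains. The sample HTML is constructed for the example; the Cloudflare (cdnjs.cloudflare.com/polyfill) and Fastly (polyfill-fastly.net) entries stand in for the "alternative secure polyfill endpoints" the article mentions and are deliberately not flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the Censys report (defanging brackets removed).
SUSPECT_DOMAINS = (
    "polyfill.io",
    "bootcdn.net",
    "bootcss.com",
    "staticfile.net",
    "staticfile.org",
)


def host_is_suspect(host: str) -> bool:
    """True if host equals a suspect domain or is a subdomain of one.

    Matching on the label boundary (".polyfill.io") avoids false positives
    such as "notpolyfill.io" while still catching "cdn.polyfill.io".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)


class ResourceCollector(HTMLParser):
    """Collect external resource URLs from <script src> and <link href>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("script", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value.strip())


def find_suspect_references(html: str) -> list:
    """Return the resource URLs in html that point at a suspect domain."""
    collector = ResourceCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        # Protocol-relative URLs ("//polyfill.io/...") need a scheme for urlparse
        # to recognise the host component.
        parsable = "https:" + url if url.startswith("//") else url
        host = urlparse(parsable).hostname or ""  # relative paths yield no host
        if host_is_suspect(host):
            hits.append(url)
    return hits


# Constructed sample page: two polyfill.io loads, one bootcss stylesheet,
# two safe replacement endpoints, one local script and one inline script
# that merely mentions the domain in a string.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js"></script>
<script src="https://polyfill-fastly.net/v3/polyfill.min.js"></script>
<script src="/static/app.js"></script>
</head><body>
<script>console.log("notpolyfill.io is not a resource load");</script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_suspect_references(SAMPLE_HTML):
        print("suspect resource:", hit)
```

Run against a crawl of your own pages (or the HTML your servers emit), this flags the specific tags to replace; swapping the `src` to one of the replacement endpoints, or self-hosting the polyfill bundle, removes the dependency on a domain you no longer control.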
  38. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / TechCrunch:
    Twilio says “threat actors” identified its 2FA app Authy users’ phone numbers; last week, ShinyHunters claimed to have stolen 33M phone numbers from Twilio

    https://techcrunch.com/2024/07/03/twilio-says-hackers-identified-cell-phone-numbers-of-two-factor-app-authy-users/

    Reply
  39. Tomi Engdahl says:

    Bloomberg:
    South Korea unveils a monitoring system to find crypto exchange accounts linked to “suspected” trading activity, as a new law is set to take effect on July 19

    South Korea Hunts for Fraudulent Crypto Trading as Rules Tighten
    https://www.bloomberg.com/news/articles/2024-07-04/south-korea-hunts-for-fraudulent-crypto-trading-as-rules-tighten

    Regulator asks exchanges to help detect questionable trades
    Measure comes alongside mandatory protections for investors

    Reply
  40. Tomi Engdahl says:

    Reuters:
    Interfax: Apple removed the mobile apps of 25 VPN services from its App Store in Russia, following a request by state communications watchdog Roskomnadzor — U.S. tech giant Apple (AAPL.O) removed the mobile apps of 25 VPN services from its App Store, following a request …
    https://www.reuters.com/technology/russia-says-apple-blocks-25-vpn-apps-russia-ifx-reports-2024-07-04/

    Reply
