This posting is here to collect cyber security news in July 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
322 Comments
Tomi Engdahl says:
How to set up virtual PCs with VMware Workstation, a now-free pro tool
The professional software VMware Workstation Pro, which used to cost more than $200, is now free. Here’s how to set up virtual PCs with Windows and Linux.
https://www.pcworld.com/article/2377991/vmware-workstation-17-now-free-of-charge-how-to-set-up-virtual-pcs-with-the-professional-tool.html
Tomi Engdahl says:
10 billion passwords leaked – the largest password leak of all time
https://etn.fi/index.php/13-news/16390-10-miljardia-salasanaa-jaossa-kaikkien-aikojen-suurin-salasanavuoto
What is reportedly the largest password collection to date, a collection of nearly ten billion passwords, has been posted on a popular hacking forum. Cybernews' research team believes the leak poses serious dangers to users who tend to reuse old passwords.
In total, the file named rockyou2024.txt contained 9,948,575,739 passwords in plain text. The file was published last Thursday, i.e. 4 July. The same user has previously shared, for example, the employee database of the law firm Simmons & Simmons, the management of the AskGamblers online casino, and student applications to Rowan College at Burlington County.
According to Cybernews, the RockYou2024 leak is a collection of real-world passwords used by people all over the world. The exposure of so many passwords at once within reach of cybercriminals significantly increases the risk that the data will be misused.
Three years ago Cybernews published a story about the RockYou2021 password collection, which was the largest at the time, containing 8.4 billion passwords in readable text form. According to the RockYou2024 analysis, the attackers built the data set by scouring the Internet for data leaks, so 1.5 billion new passwords were added to the package over the past three years.
Tomi Engdahl says:
A big warning has been issued – Russia has begun serious actions
https://www.iltalehti.fi/muutlajit/a/e32c1e17-49db-4d8f-a973-4f5fd84fa3a7
Russia has already begun its cyber campaign against France and the Paris Olympics.
– I am almost certain that we will see Russian influence campaigns against the Summer Olympics, Marrén said in the company's press release, according to Kauppalehti.
The number of cyberattacks has grown from one Olympic Games to the next. According to Yahoo, 212 million cyberattacks were carried out during the London Summer Olympics, while in Tokyo there were already 450 million.
Tomi Engdahl says:
Financial Times:
Australia, backed by the US, the UK, Japan, and other allies, accuses a Chinese state-backed hacking group of targeting government and private sector networks — US, UK, Germany and J
Australia accuses China-backed hackers of breaching government networks
US, UK, Germany and Japan back report alleging APT40 conducted ‘malicious’ cyber espionage activities
https://www.ft.com/content/7b02f495-2673-4e61-b395-26fa14dba6a2
Tomi Engdahl says:
Craig Silverman / ProPublica:
Investigation: the US Cyber Safety Review Board didn’t investigate, for unclear reasons, the weaknesses in Microsoft tools that the SolarWinds hack exploited
The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did.
https://www.propublica.org/article/cyber-safety-board-never-investigated-solarwinds-breach-microsoft
Tomi Engdahl says:
Microsoft Orders China Staff to Use iPhones for Work and Drop Android
https://www.bloomberg.com/news/articles/2024-07-08/microsoft-orders-china-staff-to-switch-from-android-phones-to-iphones-for-work
Company will block corporate access from Android in China
Microsoft has been tightening cybersecurity following attacks
Tomi Engdahl says:
CNN:
An investigation finds Airbnb fails to protect its guests from hidden cameras and moves swiftly to contain user complaints and resolve them out of court
No room for privacy: How Airbnb fails to protect guests from hidden cameras
https://edition.cnn.com/2024/07/09/business/airbnb-hidden-camera-invs/
It was another lawsuit brought by another victim whose fun-filled vacation turned into a voyeuristic nightmare: A woman was secretly recorded undressing at a rental property, her images stored on the computer of an alleged sexual predator accused of spying on unsuspecting renters for years.
Airbnb, one of the world’s largest short-term rental companies, had seen this sort of scenario before. Typically, the company seeks to settle hidden camera cases quickly and confidentially.
But this one played out differently.
An Airbnb representative testifying at a court-ordered deposition early last year offered a rare glimpse of the company’s hidden camera problem: Airbnb has generated tens of thousands of customer support tickets related to surveillance devices in the last decade.
During the hours-long deposition, the Airbnb employee also revealed that when a guest complains of a hidden camera, the company doesn’t – as a matter of practice – notify law enforcement, not even when a child is involved. The company may, however, reach out to hosts about complaints as part of internal inquiries – a move law enforcement experts say could hinder criminal investigations because it gives suspects time to destroy evidence.
A CNN investigation found that Airbnb consistently fails to protect its guests despite knowing hidden cameras are a persistent concern within its industry. Airbnb’s corporate strategies, moreover, have been aimed at preventing regulation of the short-term rental market to allow the company to distance itself from responsibility for guest safety and privacy.
Thousands of images have been recovered from short-term rental hosts by law enforcement. Hidden cameras placed in bedrooms and bathrooms show guests during their most private moments – changing clothes, being with their children, even having sex, according to CNN’s review of court and police records, as well as interviews with nearly two dozen guests who found surveillance devices at short-term rental properties or were told by police they had been secretly recorded.
Victims say they live under a shadow of fear that those private moments will become internet fodder.
“This is not my Social Security number or my email address. This is my naked body,”
‘The Wild West’
Brian Chesky was unemployed when he and his roommate came up with the idea for Airbnb in 2007 while struggling to make rent in San Francisco. For $80 a night, they opened their home to three travelers, offering them air mattresses, breakfast and Wi-Fi. They called their start-up Air Bed and Breakfast. Thirteen years later, the company went public in the largest IPO of 2020, with a valuation of $47 billion.
Today, Airbnb – which is valued higher than Hyatt Hotels Corporation and Marriott International combined – continues to chase the benefits of being an international hotel chain while shouldering few of the costs or responsibilities.
Unlike hotels, Airbnb doesn’t control the properties it advertises or employ on-site staff such as security guards, receptionists or cleaning professionals. Instead, it leaves the costs of maintaining and protecting short-term rentals to hosts.
And, while hotels can be held legally responsible for guests harmed on their property, Airbnb frequently is not. In fact, Airbnb has fought against such liability in court, arguing it has little control over what happens at its listings – despite collecting roughly 17% of each booking.
The multi-billion-dollar short-term rental industry paints a rosy picture with advertisements highlighting how home sharing improves human connection and offers intimate, private spaces for busy travelers.
Still, violent crime and prostitution, as well as traveler deaths, have repeatedly forced Airbnb and its competitors into the international spotlight.
One security concern, which has gone largely unchecked by Airbnb and the rest of the short-term rental market, is hidden cameras. Airbnb has known about the problem for at least a decade and has repeatedly notified its shareholders of the issue in annual reports since the company went public.
In January, CNN began reaching out to former Airbnb employees to ask about hidden camera concerns within the industry. In early March, Saturday Night Live mocked how ubiquitous the issue is in a skit. Just over a week later, the company announced it would ban all indoor cameras as of April 30. The company said nothing about how it would force hosts to comply with the rules.
“You can have all these great rules, but if no one’s checking that the rules are being followed … it’s still kind of the Wild West,”
Airbnb told CNN its use of arbitration and non-disclosure agreements are standard practices within the industry.
The Airbnb representative came to the table with a number. Her testimony revealed the company generated 35,000 customer support tickets about surveillance devices in the preceding decade.
In the deposition, the Airbnb representative sought to downplay the significance of the number of tickets, testifying they could reflect instances such as a malfunctioning doorbell camera or a tablet with recording capabilities left out on a coffee table. The representative did not provide any statistics detailing the number of claims she suggested were innocuous among the 35,000 tickets.
The Airbnb spokesperson told CNN that a single report could create multiple tickets. The company declined to specify how many unique complaints there have been.
host who had earned Airbnb’s coveted “superhost” status, they booked it.
But after the pair arrived at the cottage in Comfort, Texas, and changed for the night, Wyzynajtys noticed something that terrified him: a hidden camera plugged into the wall and pointed directly at the bed.
“The scariest moment of my life,” Wyzynajtys recalled.
Wyzynajtys said Airbnb was “totally just negligent or didn’t care about it at all.”
The next day, Wyzynajtys contacted law enforcement.
Police obtained a search warrant and raided Allee’s property, confiscating cell phones, computers, and the camera, which Allee had been using to record guests for much of a year. Among the more than 2,000 recovered images, law enforcement identified more than 30 victims, including several children.
Allee was later charged with 15 counts of invasive visual recording and pleaded guilty to six of them.
Thirteen people who stayed at Allee’s cottage – including two minors – sued Airbnb in California state court in July 2022. Airbnb settled with the plaintiffs six months later.
Regulations are ‘bad for business’
Earlier this year, lawmakers in the European Union agreed to groundbreaking regulations governing the short-term rental industry. The new rules will require host registration, data sharing by the company and quality control of listings. Airbnb hailed the regulations as a “watershed moment” for the industry and praised the EU-wide approach.
Its public praise belies the fact that Airbnb has fought European cities for attempting to regulate the industry, said Kim van Sparrentak, a member of the European Parliament, who steered the legislation through the governing body.
“Airbnb is similar to other sharing economy companies – on a municipal level that means filing lawsuits as soon as any regulation is proposed,”
“It’s bad for business for them to follow regulations,” said Murray Cox, who runs the nonprofit watchdog organization Inside Airbnb.
“It’s about corporate greed.”
Airbnb’s legal weapon of choice in its fight against regulations – and in at least one case against a guest who claimed she was injured while staying at an Airbnb rental – stems from a decades-old law known as Section 230 of the Communications Decency Act. The law, often propped up as a defense by tech giants such as Facebook and X, states the platforms cannot be held responsible for user-posted content.
But for Airbnb, the argument has not always been successful.
In March, Airbnb disclosed only about 20% of its property listings worldwide had been verified. However, the company has boasted that every host, co-host and booking guest is identity-verified. That accomplishment comes with a big disclaimer: Its identity verification badge “does not guarantee that someone is who they claim to be,” the company’s website states.
Background checks appear to go beyond identity verification and involve searching public databases for users’ information. The checks, which Airbnb says are conducted by a third party, could notify the company of users’ criminal histories. However, the company makes no guarantees to perform them on every user worldwide.
In 2022, Airbnb superhost Peter Madden pleaded guilty to seven counts of violation of privacy in connection with recording five guests at his property in Maine.
“I’m an artist,” he said. “I look at everything, I study everything.”
Madden served 14 days behind bars.
Victims, on the other hand, suffer lengthier consequences.
All of Allee’s victims who spoke with CNN, seven in total, said they suffered long-term trauma due to Allee’s actions. They also detailed the crippling fear that their images – or those of their kids – will one day end up online, if they haven’t already.
“What is made into digital content is forever,” said the woman who was secretly recorded having sex with her husband at Allee’s cottage.
“It’s violating,” she told CNN. “Who knows where that footage went and who saw that?”
Tomi Engdahl says:
Microsoft Warns of Windows Hyper-V Zero-Day Being Exploited
Patch Tuesday: Microsoft patches more than 140 security vulnerabilities in the Windows ecosystem, including a pair of exploited zero-days.
https://www.securityweek.com/microsoft-warns-of-windows-hyper-v-zero-day-being-exploited/
Tomi Engdahl says:
Adobe Issues Critical Patches for Multiple Products, Warns of Code Execution Risks
Adobe documents at least seven code execution bugs affecting Adobe Premiere Pro, Adobe InDesign and Adobe Bridge on Windows and macOS.
https://www.securityweek.com/adobe-issues-critical-patches-for-multiple-products-warns-of-code-execution-risks/
Tomi Engdahl says:
BlastRADIUS Attack Exposes Critical Flaw in 30-Year-Old RADIUS Protocol
https://www.securityweek.com/blastradius-attack-exposes-critical-flaw-in-30-year-old-radius-protocol/
Security vendor InkBridge Networks calls urgent attention to the discovery of a decades-old design flaw (CVE-2024-3596) in the popular RADIUS protocol.
Security vendor InkBridge Networks on Tuesday called urgent attention to the discovery of a thirty-year-old design flaw in the RADIUS protocol and warned that advanced attackers can launch exploits to authenticate anyone to a local network, bypassing any multi-factor-authentication (MFA) protections.
The company published a technical description of what is being called the BlastRADIUS attack and warned that corporate networks such as internal enterprise networks, Internet Service Providers (ISPs), and Telecommunications companies (telcos) are exposed to major risk.
The flaw was discovered by researchers at Boston University, Cloudflare, BastionZero, Microsoft Research, Centrum Wiskunde & Informatica and the University of California, San Diego.
The vulnerability is being tracked as CVE-2024-3596 and VU#456537.
“The root cause of the attack is that in the RADIUS protocol, some Access-Request packets are not authenticated and lack integrity checks. An attacker can modify these packets in a way which allows them to control who gets onto the network,” the research team explained.
The RADIUS protocol, first standardized in the late 1990s, is used to control network access via authentication, authorization, and accounting and is still used widely today in switches, routers, access points and VPN products.
“All of those devices are likely vulnerable to this attack,” the researchers warned.
“The key to the attack is that in many cases, Access-Request packets have no authentication or integrity checks. An attacker can then perform a chosen prefix attack, which allows modifying the Access-Request in order to replace a valid response with one chosen by the attacker. Even though the response is authenticated and integrity checked, the chosen prefix vulnerability allows the attacker to modify the response packet, almost at will,” according to the InkBridge Networks documentation.
The company described the issue as “a fundamental design flaw of the RADIUS protocol” and noted that all standards compliant RADIUS clients and servers are likely vulnerable to this attack, even if they correctly implement all aspects of the RADIUS protocol.
“Since all security of the RADIUS protocol for UDP and TCP transports is based on the shared secret, this attack is perhaps the most serious attack possible on the RADIUS protocol,” the company declared.
At the absolute minimum, InkBridge Networks recommends that every single RADIUS server world-wide must be upgraded to address this vulnerability. “It is not sufficient to upgrade only RADIUS clients, as doing so will allow the network to remain vulnerable.”
The company said a private proof-of-concept exploit has been created by its researchers but there is no indication that this vulnerability is being actively exploited in the wild.
Even if someone managed to recreate the exploit, the researchers note that a successful attack will be costly. “It can take a significant amount of cloud computing power to succeed in performing the attack. This cost is also per packet being exploited, and cannot be automatically applied to many packets. If an attacker wants to perform 100 attacks, he has to use 100 times of computing power.”
Blast-RADIUS Attack in More Detail
https://www.blastradius.fail/attack-details
The RADIUS (Remote Authentication Dial-In User Service) protocol is at the core of today’s network infrastructure. Although the protocol was first designed in 1991 — during the era of dial-up internet — it remains the de facto standard lightweight authentication protocol used for remote access for users and administrators to networked devices. RADIUS is supported by “essentially every switch, router, access point, and VPN concentrator product sold in the last twenty years” (source).
In RADIUS, a NAS (Network Access Server) acts as a client that verifies an end user’s credentials via RADIUS requests to a central server. The RADIUS client and server share a fixed secret. The server responds with an accept or reject message (called Access-Accept and Access-Reject, respectively). Requests and responses may contain labeled fields called “attributes” that specify various parameters such as username and password in a request, or network access in a response. Request packets include a value called a Request Authenticator that is essentially a random nonce. Response packets include a value called a Response Authenticator value that is intended to integrity-protect server responses.
In our paper, we give an attack against this ad hoc RADIUS Response Authenticator “MAC” construction. Our attack allows a man in the middle between the RADIUS client and server to forge a valid Access-Accept response to a failed authentication request. The attacker does this by injecting a malicious Proxy-State attribute into a valid client request. This Proxy-State attribute is guaranteed to be echoed back by the server in its response. The attacker constructs the Proxy-State so that the Response Authenticator values between the valid response and the response the attacker wishes to forge will be identical. This forgery will cause the NAS to grant the adversary access to network devices and services without the adversary guessing or brute forcing passwords or shared secrets.
The MD5 collision attack that we exploit is a version of the chosen-prefix collision from Stevens et al.
This description is simplified. In particular, we had to do cryptographic work to split the MD5 collision gibberish across multiple properly formatted Proxy-State attributes.
Tomi Engdahl says:
SAP Patches High-Severity Vulnerabilities in PDCE, Commerce
Patch Tuesday: Enterprise software vendor SAP releases patches for high-severity vulnerabilities in multiple products and tools.
https://www.securityweek.com/sap-patches-high-severity-vulnerabilities-in-pdce-commerce/
Tomi Engdahl says:
Evolve Bank Data Breach Impacts 7.6 Million People
Evolve Bank says personal information of more than 7.6 million individuals was compromised in a ransomware attack.
https://www.securityweek.com/evolve-bank-data-breach-impacts-7-6-million-people/
Tomi Engdahl says:
Mandiant Highlights Russian and Chinese Cyber Threats to NATO on Eve of 75th Anniversary Summit
https://www.securityweek.com/mandiant-highlights-russian-and-chinese-cyber-threats-to-nato-on-eve-of-75th-anniversary-summit/
On the eve of NATO’s 75th anniversary summit in Washington DC, Mandiant outlines the current state of cyberthreats facing NATO and aligned countries.
Cyber threats directed against NATO and its member states have increased with the war in Ukraine, but the aggressors are not limited to Russia. NATO technologies and defense secrets are a prize target for any state not directly aligned with NATO or NATO-sympathetic nations.
John Hultquist, chief analyst at Mandiant Intelligence has collated the primary cyber threats facing NATO ahead of its Washington DC summit from July 9, 2024, to July 11, 2024 (coinciding with NATO’s 75th anniversary).
The primary adversaries are Russian and Chinese nation state actors, escalating financially motivated criminal activity, and ideologically driven hacktivists. The primary political motivations are cyber espionage, and hybrid warfare (spreading disinformation and attacking civil society to weaken public resolve and support).
Hultquist highlights three Russian state actors: APT29 (focusing on intelligence collection), COLDRIVER (focused on disinformation), and APT44 (formerly known as Sandworm, and focused on disruptive cyberattacks).
APT29
APT29 is believed to be associated with the Russian Foreign Intelligence Services (SVR). During the past year it has been targeting technology companies and IT service providers to initiate supply chain access to government and policy organizations.
COLDRIVER
COLDRIVER is an actor linked to Russia’s domestic intelligence agency, the Federal Security Service (FSB). This actor uses credential phishing against high profile politically relevant targets. “Information stolen by COLDRIVER was leaked in 2022 in an effort to exacerbate Brexit-related political divisions in UK politics,” writes Hultquist. The actor primarily targets NATO countries and Ukraine with the purpose of sowing discord among the citizens.
APT44
APT44 is tied to Russian military intelligence, and is generally considered to be the disruptive arm of Russian state cyber. It was involved in the NotPetya and Pyeongchang Olympic games attacks, and blackouts in Ukraine. More recently, in October 2022, it is believed to be behind Prestige ransomware attacks against Poland and Ukraine.
Chinese espionage
Chinese activity has transitioned from loud, easily attributable attacks to a greater focus on stealth. “Technical investments have amplified the challenge to defenders and bolstered successful campaigns against government, military, and economic targets in NATO member states,” says Hultquist.
There is now a focus on using zero-day vulnerabilities to compromise edge devices. In 2023, 12 zero-days were used, many targeting security products at the network edge.
Disinformation
Disinformation campaigns continue, especially in a major year of western elections.
Prigozhin’s information operations have survived his death, although less effectively. “The narratives propagated by these operations call for NATO’s dismantlement and imply that the Alliance is a source of global instability,” comments Hultquist.
Ghostwriter, at least partially linked to Belarus, has been targeting Belarus’ neighboring NATO states.
Hacktivism and ransomware
Hacktivism never went away but has certainly grown with the war in Ukraine. By its nature, it is difficult to tie hacktivism to specific nation states, but it can often be tied to political ideologies. KillNet, for example, is pro-Russia; the IT Army of Ukraine is anti-Russia.
Ransomware is a favored financially motivated tool of cybercriminals. While it is primarily used by criminals, it is also used by North Korea and has been used by Russian state actors. However, whatever the motivation, the effect is similar: disruption to companies and services, and concern to customers – which is particularly concerning to patients.
Geopolitical cyber activity has undoubtedly increased with the Ukraine war, and is now largely focused against NATO and western alliance countries. “NATO must rely on collaboration with the private sector in the same way it draws on the strength of its constituent members,” says Hultquist. “Furthermore, it must harness its greatest advantage against cyber threats–the technological capability of the private sector–to seize the initiative in cyberspace from NATO’s adversaries.”
Tomi Engdahl says:
OVHcloud Sees Record 840 Mpps DDoS Attack
OVHcloud says it mitigated the largest ever DDoS attack leveraging packet rate, which peaked at 840 Mpps.
https://www.securityweek.com/ovhcloud-sees-record-840-mpps-ddos-attack/
Tomi Engdahl says:
Michael Kan / PCMag:
The US DOJ and its partners seized two domain names and 968 accounts on X used by Russian actors to create an AI-enhanced bot farm that spread disinformation — Russian media outlet RT ran the bot farm to pump out disinformation via 968 Twitter accounts, the US Justice Department says.
US Disrupts Russian Bots Spreading Propaganda on Twitter
https://uk.pcmag.com/security/153183/us-disrupts-russian-bots-spreading-propaganda-on-twitter
Russian media outlet RT ran the bot farm to pump out disinformation via 968 Twitter accounts, the US Justice Department says.
US investigators have discovered a Russian state-owned media outlet using a “bot farm” to spread propaganda on Twitter/X.
On Tuesday, the Justice Department accused Russian media outlet RT of running the bot farm to pump out disinformation via 968 Twitter accounts.
Federal investigators allege that an unnamed deputy editor-in-chief at RT led development of the bot farm’s software, dubbed Meliorator. “As planned, the social media bot farm would create fictitious online personas for social media accounts, through which RT, or any operator of the bot farm, could distribute information on a wide-scale basis,” the DOJ says.
US investigators also claim that an officer from the Kremlin’s Federal Security Service oversaw the bot farm, which is designed to help the Russian government covertly circulate disinformation. It produced hundreds of fake accounts on Twitter, which also use AI-generated images of people for profile photos.
The fake accounts pretended to be US citizens while posting content in support of the Russian government, including justifying the country’s actions in Ukraine and Europe by sharing videos of Russian President Vladimir Putin.
RT allegedly created the fake user accounts by using US-based domain name registrar Namecheap to buy two domain names, MLRTR.com and OTANMAIL.com. “They then used those domains to create the email servers that ultimately allowed them to create fictitious social media accounts using the bot farm software,” the DOJ says.
According to court documents, the FBI learned of the bot farm through another unnamed US agency, which spotted RT developing the bot farm’s software.
In response, federal agents seized the 968 Twitter accounts and took over the two domain names.
RT isn’t necessarily denying the bot farming allegations. The Russian media outlet tells PCMag: “Farming is a beloved pastime for millions of Russians.”
Tomi Engdahl says:
Damien Wilde / 9to5Google:
Google will make its dark web monitoring feature available to all users for free in late July 2024, no longer requiring a Google One membership to access it — After the Google One VPN shutdown in late June, the “Dark Web reports” function is now coming to all Google Account holders from late July 2024.
Google One ‘Dark web reports’ coming to all Google Account holders from late July
https://9to5google.com/2024/07/09/google-one-dark-web-reports-all-google-accounts/
Tomi Engdahl says:
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/
One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.
Short for Remote Authentication Dial-In User Service, RADIUS harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades. Despite its early origins, RADIUS remains an essential staple for managing client-server interactions for:
VPN access
DSL and Fiber to the Home connections offered by ISPs,
Wi-Fi and 802.1X authentication
2G and 3G cellular roaming
5G Data Network Name authentication
Mobile data offloading
Authentication over private APNs for connecting mobile devices to enterprise networks
Authentication to critical infrastructure management devices
Eduroam and OpenRoaming Wi-Fi
RADIUS provides seamless interaction between clients—typically routers, switches, or other appliances providing network access—and a central RADIUS server, which acts as the gatekeeper for user authentication and access policies. The purpose of RADIUS is to provide centralized authentication, authorization, and accounting management for remote logins.
The protocol was developed in 1991 by a company known as Livingston Enterprises. In 1997 the Internet Engineering Task Force made it an official standard, which was updated three years later. Although there is a draft proposal for sending RADIUS traffic inside of a TLS-encrypted session that’s supported by some vendors, many devices using the protocol only send packets in clear text through UDP (User Datagram Protocol).
Roll-your-own authentication with MD5? For real?
Since 1994, RADIUS has relied on an improvised, home-grown use of the MD5 hash function. First created in 1991 and adopted by the IETF in 1992, MD5 was at the time a popular hash function for creating what are known as “message digests” that map an arbitrary input like a number, text, or binary file to a fixed-length 16-byte output.
For a cryptographic hash function, it should be computationally impossible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 proved to be based on a weak design: Within a few years, there were signs that the function might be more susceptible than originally thought to attacker-induced collisions, a fatal flaw that allows the attacker to generate two distinct inputs that produce identical outputs. These suspicions were formally verified in a paper published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and further refined in a research paper published three years later.
The latter paper—published in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger—described what’s known as a chosen-prefix collision
Despite the undisputed demise of MD5, the function remained in widespread use for years. Deprecation of MD5 didn’t start in earnest until 2012 after malware known as Flame, reportedly created jointly by the governments of Israel and the US, was found to have used a chosen prefix attack to spoof MD5-based code signing by Microsoft’s Windows update mechanism. Flame used the collision-enabled spoofing to hijack the update mechanism so the malware could spread from device to device inside an infected network.
“Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5,” the research team behind Blast RADIUS wrote in a paper published Tuesday and titled RADIUS/UDP Considered Harmful. “In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks.”
The paper’s publication is being coordinated with security bulletins from at least 90 vendors whose wares are vulnerable. Many of the bulletins are accompanied by patches implementing short-term fixes, while a working group of engineers across the industry drafts longer-term solutions. Anyone who uses hardware or software that incorporates RADIUS should read the technical details provided later in this post and check with the manufacturer for security guidance.
From hours to minutes
Key to making Blast-RADIUS practical is a series of optimizations made to hashclash that radically reduce the time required to complete a chosen prefix attack.
The 2008 attack used to create the rogue certificate authority, for instance, required about 2,800 core-days, a measurement of computational time equivalent to running one CPU for 2,800 days. The optimization devised for Blast-RADIUS whittles that time down to just 39 core hours. Distributing the load to a cluster of roughly 2,000 CPU cores ranging from 7 to 10 years old, plus four newer low-end GPUs—the modest resources available to the academic researchers—the wall time required for Blast-RADIUS to complete is about five minutes.
This version of Blast-RADIUS isn’t practical for attacking RADIUS because logins typically time out after 30 to 60 seconds. The researchers say the five minutes they required is the result of them using commodity old hardware. They say they’re convinced their attack is sufficient when carried out on hardware better suited for hash collisions.
The improvements also allow the attacker to split the gibberish block as multiple properly formatted small protocol attribute fields that get appended to the chosen prefix. This allows the Blast-RADIUS attacker to carry out the attack efficiently, within the RADIUS timeout limits of 30 to 60 seconds, and to squeeze the required data into the RADIUS protocol format. Blast-RADIUS affects all authentication modes of RADIUS/UDP apart from those that use EAP (Extensible Authentication Protocol).
Threat model
Blast-RADIUS requires the adversary to have the network access needed to act as an active adversary-in-the-middle attacker, meaning the adversary has the ability to read, intercept, block, and modify all data passing between the victim device’s RADIUS client and RADIUS server. When there are proxies between the two endpoints, the attack can occur between any hop.
This access to RADIUS traffic can happen when RADIUS/UDP packets travel over the open Internet, a practice that’s discouraged but still known to happen. When traffic is restricted to an internal network, the attacker might first compromise a part of that network, another common occurrence. In the event RADIUS traffic is restricted to a protected part of an internal network, it may still be exposed as a result of configuration or routing errors. An attacker with partial network access might also be able to access RADIUS traffic by exploiting mechanisms such as DHCP to induce victim devices to send traffic outside of a dedicated VPN.
With that, the attacker has successfully logged in to the device with administrative system rights. The attacker does not need to wait for a real user to attempt to log in to a RADIUS client. Instead, the attacker triggers an authentication request on its own by using any password. From there, Blast-RADIUS changes the authentication outcome from unsuccessful to successful.
Mitigations
Over the long run, the researchers said, the only way to fix RADIUS is to transport it over TLS or DTLS, a move that provides modern security guarantees including confidentiality to the user data in the requests and ensures the integrity of the Access-Accept and Access-Reject responses. A working group within the IETF is drafting a specification update that aims to do just that. These sorts of major renovations take months or even years to complete. Some implementations of RADIUS, namely the one from Microsoft, have yet to support TLS.
In the meantime, for those environments that must continue to transport RADIUS over UDP, the researchers recommend that both RADIUS clients and servers always send and require Message-Authenticator attributes for all requests and responses using what’s known as HMAC-MD5 for packet authentication. For Access-Accept and Access-Reject responses, the Message-Authenticator should be included as the first attribute. All five of the major RADIUS implementations—available from FreeRADIUS, Radiator, Cisco, Microsoft, and Nokia—have updates available that follow this short-term recommendation.
“This measure breaks compatibility with old implementations that may not include Message-Authenticators in requests or responses,” the researchers cautioned. “However, unlike other options, it is not a fundamental change to the protocol and can be adopted as a fairly simple patch to clients and servers.”
“Given the enormous amount of effort put into securing these protocols it is surprising that a protocol as ubiquitous as RADIUS has received so little cryptanalytic attention over the years,” they wrote. “TLS may be the charismatic megafauna of cryptographic protocol research, but in order to actually secure our infrastructure we need to analyze and secure the entire universe of enterprise security that academic cryptographers have little to no visibility into or insight in.”
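The short-term mitigation described above (require a Message-Authenticator on every packet, sent as the first attribute of responses) and the detection hint given later in the blastradius.fail FAQ (an end client should never see Proxy-State in an Access-Accept) are easier to reason about with the packet arithmetic in front of you. The following is an added, self-contained Python example written for this page; it is not code from the paper, FreeRADIUS or any vendor. It builds RFC 2865 responses, computes the MD5 Response Authenticator and the RFC 2869 HMAC-MD5 Message-Authenticator, and contrasts a legacy client check with the hardened one. The shared secret, identifiers and the forged packet are constructed: the forgery's Response Authenticator is computed with the secret purely to stand in for what a real attacker obtains through the chosen-prefix collision, which this example does not compute.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865 / RFC 2869).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(atype, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(blob):
    """Return [(type, value), ...] for an attribute region, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    Only the trailing Secret is unknown to an on-path attacker; everything before
    it is attacker-influenced prefix, which is what the chosen-prefix collision targets."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, secret, attrs, with_message_auth=True):
    """Server side: optionally add Message-Authenticator (first), then sign with MD5."""
    attrs = list(attrs)
    if with_message_auth:
        # RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator value
        # zeroed and the Authenticator field holding the Request Authenticator.
        attrs.insert(0, encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        mac = hmac.new(secret, build_packet(code, ident, request_auth, attrs), hashlib.md5).digest()
        attrs[0] = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = b"".join(attrs)
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, body, secret), attrs)


def verify_legacy(pkt, request_auth, secret):
    """Pre-patch client check: recompute the MD5 Response Authenticator and nothing else."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False
    expected = response_authenticator(code, ident, request_auth, pkt[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, pkt[4:HEADER_LEN])


def verify_hardened(pkt, request_auth, secret):
    """Short-term mitigation: additionally require and verify a Message-Authenticator."""
    if not verify_legacy(pkt, request_auth, secret):
        return False
    off = HEADER_LEN
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[off + 2:off + 18]
            zeroed = pkt[:4] + request_auth + pkt[HEADER_LEN:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)
        off += alen
    return False  # no Message-Authenticator: reject even though the MD5 check passed


def suspicious_accept(pkt):
    """Detection hint: an end client should never receive Access-Accept with Proxy-State."""
    return pkt[0] == ACCESS_ACCEPT and any(t == ATTR_PROXY_STATE for t, _ in parse_attrs(pkt[HEADER_LEN:]))


def demo(secret=b"example-shared-secret"):
    """Constructed exchange: a genuine Access-Reject next to a modelled Blast-RADIUS forgery."""
    ident, request_auth = 0x2A, os.urandom(16)
    reject = build_response(ACCESS_REJECT, ident, request_auth, secret, [])
    # Model of the attacker's output: an Access-Accept carrying collision bytes in a
    # Proxy-State attribute whose Response Authenticator the legacy check accepts. A real
    # attacker reaches this via an MD5 chosen-prefix collision without the secret; here
    # it is computed WITH the secret purely to stand in for that result.
    forged = build_response(ACCESS_ACCEPT, ident, request_auth, secret,
                            [encode_attr(ATTR_PROXY_STATE, os.urandom(64))], with_message_auth=False)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]  # naive code flip without any collision
    return {
        "reject_legacy": verify_legacy(reject, request_auth, secret),
        "reject_hardened": verify_hardened(reject, request_auth, secret),
        "tampered_legacy": verify_legacy(tampered, request_auth, secret),
        "forged_legacy": verify_legacy(forged, request_auth, secret),
        "forged_hardened": verify_hardened(forged, request_auth, secret),
        "forged_flagged": suspicious_accept(forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {ok}")
```

The naive code flip fails even the legacy check, which is why the attack needs a collision rather than simple tampering; the modelled forgery passes the legacy check, is rejected by the hardened check because the attacker cannot produce the HMAC-MD5 without the secret, and is flagged by the Proxy-State heuristic. Note that the hardened check is only a client-side gate: the server must also send the attribute, and old peers that cannot will stop interoperating, as the researchers warn.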
Tomi Engdahl says:
CVE-2024-3596 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-3596
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.
RADIUS protocol susceptible to forgery attacks.
Vulnerability Note VU#456537
https://kb.cert.org/vuls/id/456537
Description
RADIUS is a popular lightweight authentication protocol used for networking devices specified in IETF RFC 2058 as early as 1997 (obsoleted by RFC 2138 and then RFC 2865). There have been several other IETF standards (RADIUS/TCP, RADIUS/TLS and RADIUS/DTLS) that cover and enhance various parts of the specification for the use of RADIUS in authentication. RADIUS is widely used to authenticate both users and devices and widely supported by networking devices, from basic network switches to more complex VPN solutions. Recently, RADIUS has also been adopted in much of the cloud services that provide tiered, role-based access-control to resources. As a client-server protocol, RADIUS uses a Request-Response model to verify authentication requests and further provide any role-based access using Groups. RADIUS can also be proxied to support multi-tenant roaming access services.
A vulnerability in the verification of RADIUS Response from a RADIUS server has been disclosed by a team of researchers from UC San Diego and their partners. An attacker, with access to the network where the RADIUS protocol is being transmitted, can spoof a UDP-based RADIUS Response packet to modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response, with almost any content, completely under the attackers control. This allows the attacker to transform a Reject into an Accept without knowledge of the shared secret between the RADIUS client and server. The attack is possible due to a basic flaw in the RADIUS protocol specification that uses a MD5 hash to verify the response, along with the fact that part of the hashed text is predictable allowing for a chosen-prefix collision. The attack, demonstrated by UCSD team, takes advantage of the chosen-prefix collision of the MD5 message in a novel way. The widespread use of RADIUS and its adoption into the cloud allows for such attacks to pose a reasonable threat to the authentication verification process that relies on RADIUS.
RADIUS servers that only perform Extensible Authentication Protocol (EAP), as specified in RFC 3579, are unaffected by this attack. The EAP authentication messages require the Message-Authenticator attribute, which will prevent these attacks from succeeding. The use of TLS (or DTLS) encryption can also prevent such attacks from succeeding. However, RADIUS over TCP itself can still be susceptible to this attack, with more advanced man-in-the-middle scenarios, to successfully attack the TCP connection.
Solution
Device Manufacturers
RADIUS-compliant software and hardware manufacturers should adopt the recommendations from the Article document to mitigate the risk of the RADIUS protocol limitations identified in this attack. Manufacturers who bundle the open-source RADIUS implementations, such as FreeRADIUS, should update to the latest available software for both clients and servers and, at a minimum, require the use of the Message-Authenticator for RADIUS authentication.
Operators
Network operators who rely on the RADIUS-based protocol for device and/or user authentication should update their software and configuration to a secure form of the protocol for both clients and servers. This can be done by enforcing TLS or DTLS encryption to secure the communications between the RADIUS client and server. Where possible, network isolation and secure VPN tunnel communications should be enforced for the RADIUS protocol to restrict access to these network resources from untrusted sources.
Tomi Engdahl says:
Blast RADIUS Resource Hub
https://www.inkbridgenetworks.com/blastradius
We are the experts on Blast RADIUS
Our expertise has been sought after since the discovery of BlastRADIUS. Read the FAQ.
All RADIUS vendors have used our vendor guide to upgrade their products. These changes will be added to the RADIUS standards, and mandated as new behavior for all RADIUS implementations.
Blast RADIUS FAQs
Get answers to our most frequently asked questions.
https://www.inkbridgenetworks.com/blastradius/faq
Tomi Engdahl says:
“Gay Furry Hackers” Claim Credit for Hacking Heritage Foundation Over Project 2025
https://theintercept.com/2024/07/09/gay-furry-hackers-claim-credit-for-hacking-heritage-foundation-over-project-2025/
The hacker collective SiegedSec says it infiltrated the conservative think tank to oppose its campaign against trans rights.
SiegedSec, a collective of self-proclaimed “gay furry hackers,” has claimed credit for breaching online databases of the Heritage Foundation, the conservative think tank that spearheaded the right-wing Project 2025 playbook. On Wednesday, as part of a string of hacks aimed at organizations that oppose transgender rights, SiegedSec released a cache of Heritage Foundation material.
In a post to Telegram announcing the hack, SiegedSec called Project 2025 “an authoritarian Christian nationalist plan to reform the United States government.” The attack was part of the group’s #OpTransRights campaign, which recently targeted right-wing media outlet Real America’s Voice, the Hillsong megachurch, and a Minnesota pastor.
In his foreword to the Project 2025 manifesto, the Heritage Foundation’s president, Kevin Roberts, rails against “the toxic normalization of transgenderism” and “the omnipresent propagation of transgender ideology.” The playbook’s other contributors call on “the next conservative administration” to roll back certain policies, including allowing trans people to serve in the military.
This is at least the second hack against the Heritage Foundation this year. In April, Heritage shut down its network following a cyberattack
A spokesperson for the Heritage Foundation declined to comment on the breach.
SiegedSec’s other recent operations have targeted NATO and Israeli companies to oppose the war in Gaza.
https://static.project2025.org/2025_MandateForLeadership_FULL.pdf
Tomi Engdahl says:
Project 2025 Suffers Online Hack
https://www.newsweek.com/gay-furry-hackers-hack-project-2025-1923119
A group of “gay furry hackers” has targeted right-wing think tank The Heritage Foundation—which is behind Project 2025—by releasing the passwords, usernames, and user logs of its users.
The activists, known as SiegedSec, posted approximately two gigabytes of data online that it says was retrieved from the foundation’s servers.
The Saturday hacking of the influential policy group came after it made headlines with its controversial Project 2025 document, which seeks to guide a future conservative administration to radically transform the federal government with a far reaching right-wing agenda.
In a Telegram post on Tuesday by SiegedSec, the group of self-described “gay furry hackers” wrote: “Project 2025 threatens the rights of abortion health care and LGBTQ+ communities in particular. so of course, we won’t stand for that! ^-^”
The Real Targets of Project 2025’s War on Porn
It’s not people watching porn online. It’s drag queens, trans people, LGBTQ library books, and more.
https://newrepublic.com/article/183636/project-2025-war-porn-trans-drag
Tomi Engdahl says:
Hacktivists release two gigabytes of Heritage Foundation data
A politically-oriented cybercrime group carried out the attack in response to Heritage’s Project 2025.
https://cyberscoop.com/hackvists-release-two-gigabytes-of-heritage-foundation-data/
An established cybercrime group with a track record of attacking political targets posted on Tuesday roughly two gigabytes of data from the Heritage Foundation, a prominent conservative think tank based in Washington, D.C.
Self-described “gay furry hackers,” SiegedSec said it released the data in response to Heritage Foundation’s Project 2025, a set of proposals that aim to give Donald Trump a set of ready-made policies to implement if he wins this fall’s election. Its authors describe it as an initiative “to lay the groundwork for a White House more friendly to the right.”
The data, reviewed by CyberScoop, includes Heritage Foundation blogs and material related to The Daily Signal, a right-wing media site affiliated with Heritage. The data was created between 2007 and November 2022.
The group says it gained access to the data on July 2 and released it to provide “transparency to the public regarding who exactly is supporting heritage (sic),” a spokesperson for the group who goes by the online handle “vio” told CyberScoop in an online chat Tuesday.
The data includes the “full names, email addresses, passwords, and usernames” of people associating with Heritage, vio said, including users with U.S. government email addresses. “This itself can have an impact to heritage’s (sic) reputation,” they added, “and it’ll especially push away users in positions of power.”
SiegedSec also claimed to be in possession of more than 200 gigabytes of additional “mostly useless” data, which the group said won’t be released.
Richard Lawler
Hacktivists release Heritage Foundation data allegedly stolen in response to “Project 2025.”
A group that has previously claimed responsibility for breaching NATO, as well as satellite systems used by Halliburton and Shell, tells CyberScoop they’ve released 2GB of data from the conservative think tank behind “Project 2025” policy proposals for a second Trump administration.
https://www.theverge.com/2024/7/9/24195341/hacktivists-release-heritage-foundation-data-allegedly-stolen-in-response-to-project-2025
Tomi Engdahl says:
Disruption in the Tays patient information system fixed
Tays announced on Wednesday afternoon that the disruption had been resolved.
https://www.iltalehti.fi/digiuutiset/a/609cf09d-ec36-4737-a88d-5ebe504bf1a2
A fault occurred in the Tays Uranus patient information system on Wednesday, the Pirkanmaa wellbeing services county reports. The fault, which appeared in the morning, has since been fixed.
The disruption is said to have been caused by an internal error condition, with no external factors behind it. Investigation of the root cause and remediation work continue.
Tomi Engdahl says:
Spain sentenced 15 schoolchildren for producing nude images of their peers with AI
https://yle.fi/a/74-20099082
Of the charges, 20 concern the creation of child abuse images and 20 offences against the victims’ moral integrity.
A court in south-west Spain has sentenced 15 schoolchildren for creating and distributing AI-generated images. The images were made of the schoolchildren’s female peers, The Guardian reports.
The case has sparked debate about the misuse of deepfake technology.
Spanish police began investigating the case last year after parents of children in the town of Almendralejo reported that fake nude images of girls were spreading in WhatsApp groups.
– Many of the girls were completely terrified and had huge anxiety attacks because they were suffering this in silence, the mother of one victim told the Reuters news agency last summer.
Spain sentences 15 schoolchildren over AI-generated naked images
https://www.theguardian.com/world/article/2024/jul/09/spain-sentences-15-school-children-over-ai-generated-naked-images
Teenagers each given a year’s probation after creating and spreading faked images of female classmates in south-west Spain
A court in south-west Spain has sentenced 15 schoolchildren to a year’s probation for creating and spreading AI-generated images of their female peers in a case that prompted a debate on the harmful and abusive uses of deepfake technology.
Police began investigating the matter last year after parents in the Extremaduran town of Almendralejo reported that faked naked pictures of their daughters were being circulated on WhatsApp groups.
The mother of one of the victims said the dissemination of the pictures on WhatsApp had been going on since July.
“Many girls were completely terrified and had tremendous anxiety attacks because they were suffering this in silence,” she told Reuters at the time. “They felt bad and were afraid to tell and be blamed for it.”
On Tuesday, a youth court in the city of Badajoz said it had convicted the minors of 20 counts of creating child abuse images and 20 counts of offences against their victims’ moral integrity.
Each of the defendants was handed a year’s probation and ordered to attend classes on gender and equality awareness, and on the “responsible use of technology”.
“The sentence notes that it has been proved that the minors used artificial intelligence applications to obtain manipulated images of [other minors] by taking girls’ original faces from their social media profiles and superimposing those images on the bodies of naked female bodies,” the court said in a statement. “The manipulated photos were then shared on two WhatsApp groups.”
Police identified several teenagers aged between 13 and 15 as being responsible for generating and sharing the images.
Under Spanish law minors under 14 cannot be charged but their cases are sent to child protection services, which can force them to take part in rehabilitation courses.
In an interview with the Guardian five months ago, the mother of one of the victims recalled her shock and disbelief when her daughter showed her one of the images.
“It’s a shock when you see it,” said the woman from Almendralejo. “The image is completely realistic … If I didn’t know my daughter’s body, I would have thought that image was real.”
Spanish prosecutor to probe AI-generated images of naked minors
https://www.theguardian.com/world/article/2024/jul/09/spain-sentences-15-school-children-over-ai-generated-naked-images
MADRID, Sept 25 (Reuters) – A Spanish prosecutor’s office said on Monday it would probe whether AI-generated images of naked teenaged girls, allegedly created and shared by their peers in southwestern Spain, constituted a crime.
The rise in use by children of such technologies has sparked widespread concern among parents worldwide. The U.S. Federal Bureau of Investigation warned in June that criminals were increasingly using artificial intelligence to create sexually explicit images to intimidate and extort victims.
Tomi Engdahl says:
https://www.securityweek.com/microsoft-warns-of-windows-hyper-v-zero-day-being-exploited/
Tomi Engdahl says:
It’s Time to Reassess Your Cybersecurity Priorities
https://www.securityweek.com/its-time-to-reassess-your-cybersecurity-priorities/
A cyber resilience strategy is vital for business continuity and can provide a range of benefits before, during, and after a cyberattack.
Tomi Engdahl says:
ICS Patch Tuesday: Siemens, Schneider Electric, CISA Issue Advisories
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-cisa-issue-advisories/
Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in industrial and OT products.
Tomi Engdahl says:
Citrix Patches Critical NetScaler Console Vulnerability
Citrix rolls out patches for multiple security vulnerabilities, including critical and high-severity issues in the NetScaler product line.
https://www.securityweek.com/citrix-patches-critical-netscaler-console-vulnerability/
Tomi Engdahl says:
VMware Patches Critical SQL-Injection Flaw in Aria Automation
https://www.securityweek.com/vmware-patches-critical-sql-injection-flaw-in-aria-automation/
VMware warns that authenticated malicious users could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.
Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases.
The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory with a “high-severity” rating.
The bug carries a CVSS severity score of 8.5/10.
Affected products include VMware Aria Automation version 8.x, and VMware Cloud Foundation versions 5.x and 4.x.
From the VMware advisory:
“VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.”
VMware said the bug was privately reported by researchers at Quebec’s Centre Gouvernemental de Cyberdéfense (CGCD).
Tomi Engdahl says:
Palo Alto Networks Addresses BlastRADIUS Vulnerability, Fixes Critical Bug in Expedition Tool
https://www.securityweek.com/palo-alto-networks-addresses-blastradius-vulnerability-fixes-critical-bug-in-expedition-tool/
Palo Alto Networks patched a critical vulnerability in its Expedition tool and addressed the impact of the recently disclosed BlastRADIUS vulnerability.
Palo Alto Networks on Wednesday released patches for multiple vulnerabilities, including a critical-severity bug in its Expedition migration tool.
Tracked as CVE-2024-5910 (CVSS score of 9.3), the security defect is described as a missing authentication for a critical function, which could allow attackers to take over administrative accounts. Palo Alto Networks addressed the flaw in Expedition version 1.2.92.
On Wednesday, the cybersecurity giant also resolved a high-severity arbitrary file upload issue in Panorama software that could lead to a denial-of-service (DoS) condition.
Tracked as CVE-2024-5911, the vulnerability requires that an attacker is authenticated to the web interface as a read-write administrator.
“Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online,” Palo Alto Networks explained.
Palo Alto Networks also published an advisory on Wednesday detailing the impact of the recently disclosed BlastRADIUS vulnerability on its PAN-OS firewalls configured to use the CHAP or PAP protocols for authentication with a RADIUS server.
“This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile,” the company explained.
CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation
https://security.paloaltonetworks.com/CVE-2024-3596
This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.
CHAP and PAP are protocols with no Transport Layer Security (TLS), and hence vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless they are encapsulated by an encrypted tunnel. If they are in use, but are encapsulated within a TLS tunnel, they are not vulnerable to this attack.
To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.
Severity: MEDIUM
CVSSv4.0 Base Score: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)
Tomi Engdahl says:
https://www.blastradius.fail/
https://www.securityweek.com/blastradius-attack-exposes-critical-flaw-in-30-year-old-radius-protocol/
Tomi Engdahl says:
https://www.blastradius.fail/
Hasn’t MD5 been broken for 20 years? How is this attack new?
Our attack is more complex than simply applying an old MD5 collision attack.
While an MD5 hash collision was first demonstrated in 2004, it was not thought to be possible to exploit this in the context of the RADIUS protocol. Our attack identifies a protocol vulnerability in the way RADIUS uses MD5 that allows the attacker to inject a malicious protocol attribute that produces a hash collision between the server-generated Response Authenticator and the attacker’s desired forged response packet.
In addition, because our attack is online, the attacker needs to be able to compute a so-called chosen-prefix MD5 collision attack in minutes or seconds. The previous best reported chosen-prefix collision attack times took hours, and produced collisions that were not compatible with the RADIUS protocol.
We introduce several improvements in speed, space, and scaling for the existing MD5 attacks to demonstrate that these collisions can be computed in at most minutes and can fit within RADIUS protocol attributes.
Is your attack practical?
Yes and no. In the proof-of-concept attacks described in our paper, it took us 3 to 6 minutes to compute the MD5 chosen-prefix hash collision required for the attack. This is longer than the 30- to 60-second timeouts that are commonly used in practice for RADIUS.
However, every step of the collision algorithm parallelizes well and is amenable to hardware optimization, so we expect a well-resourced attacker could obtain running times that are tens or hundreds of times faster by implementing the attack on GPUs, FPGAs, or hardware.
Our reported running times are from optimizing some 15 year old code and running it on a bunch of 7 to 10 year old CPUs, because this is what we have access to. We did not think that spending further engineering effort to make MD5 collisions faster was a good use of time when MD5 should have been abolished 20 years ago.
What is the threat model for this attack? Who can run it?
Our attack requires the adversary to have network access to act as a man-in-the-middle attacker on the connection between the victim device’s RADIUS client and RADIUS server. When there are proxies, the attack can occur between any hop. Our attacker will need to be able to act as a full network man-in-the-middle who can read, intercept, block, and modify inbound and outbound network packets.
Such access to RADIUS traffic may happen through different mechanisms. Although sending RADIUS/UDP over the open internet is discouraged, this is still known to happen in practice. For internal network traffic, the attacker might initially compromise part of an enterprise network; such compromises appear frequently in news reports and security advisories. Even if RADIUS traffic is confined to a protected part of an internal network, configuration or routing mistakes might unintentionally expose this traffic. An attacker with partial network access may be able to exploit DHCP or other mechanisms to cause victim devices to send traffic outside of a dedicated VPN.
Our adversary does not know the shared secret between the RADIUS client and server.
Our RADIUS traffic is in a separate VLAN; are we secure against this attack?
A current best practice for RADIUS/UDP traffic is to expose it only to a restricted-access management VLAN within an organization. While this reduces the attack surface and is certainly preferable to exposing UDP traffic to a broader network or the open internet, there may still be vulnerabilities in case of a network misconfiguration or attacker compromise of this portion of the network.
This approach is also at odds with the US Executive Branch Office of Management and Budget’s 2022 memo, which envisions moving to systems that do not rely on network separation for security: “A key tenet of a zero trust architecture is that no network is implicitly considered trusted”
Who is affected by these vulnerabilities?
Nearly all RADIUS/UDP implementations are vulnerable to our protocol attack when using non-EAP authentication methods. RADIUS is used by many organizations to control access to a wide variety of network devices and services. Our attack requires man-in-the-middle network access; organizations should evaluate their own network security threat model.
RADIUS implementers, vendors, and system administrators should follow best practices and the guidance in this document. Our attack does not compromise end user credentials, and there is nothing that end users can do to protect against this attack.
EAP authentication methods are protected against our attack because RFC 2869 mandates that a Message-Authenticator attribute must be present, and this attribute is an HMAC-MD5 over the entire packet that we cannot forge. A theoretical protocol vulnerability appears to exist, but may not be practically exploitable. RADIUS Accounting also appears to be affected by a theoretical protocol vulnerability that seems to be difficult to exploit in practice.
What is the impact of your attacks?
An adversary exploiting our attack can escalate privileges from partial network access to being able to log into any device that uses RADIUS for authentication, or to assign itself arbitrary network privileges.
RADIUS is used for remote access for diverse use cases including network routers and switches, industrial control systems, VPNs, ISPs using DSL or FTTH, Linux Pluggable Authentication Modules, 2G and 3G cellular roaming and 5G DNN authentication, and mobile Wi-Fi offload with SIM card-based authentication.
Can I detect whether this attack was run on my network?
Yes, but you need log files of Access-Rejects on the RADIUS server and Access-Accepts on the RADIUS client.
If you have detailed log files on the RADIUS client that log the values of all attributes, you could look for suspicious Proxy-State attributes. If there are Access-Accept packets with Proxy-State attributes consisting of random bytes, then this might be a sign of an attack. End clients should not receive packets with Proxy-State attributes.
To confirm an attack, you would need to find the corresponding Access-Reject (or any other type) response packet in the RADIUS server logs, and verify that the server’s response differs from the response received by the client, and that both contain valid Response Authenticator values for the request ID and Request Authenticator.
If both of these packets produce the same MD5 hash in the Response Authenticator, this issue was exploited in your system.
How can we mitigate this attack in our system?
We recommend reading the detailed guide for implementors published by Alan DeKok, the maintainer of FreeRADIUS.
Patches including the short-term mitigation described in the mitigation section will be available from major RADIUS implementations in coordinated release with this work; downstream vendors and network operators should check for and apply these patches. Where an option exists to require a Message-Authenticator attribute on all packets, this option should be enabled.
Implementers, vendors, and admins should follow the guidance in this IETF draft to deprecate insecure practices in RADIUS to mitigate numerous other attacks; we expect future versions to mandate Message-Authenticator attributes in more settings.
The long-term mitigation for our attack is to use RADIUS inside of a modern cryptographically protected transport like TLS 1.3. The IETF RADEXT working group has existing drafts in progress outlining RADIUS/(D)TLS.
Are your recommended mitigations backward compatible?
It depends.
Including a Message-Authenticator attribute in every packet is backward compatible. Unfortunately, requiring the presence of a Message-Authenticator attribute in requests and responses may not be backward compatible with old client or server implementations that do not have the option to include them.
Our long-term mitigation of moving to RADIUS/TLS requires clients and servers that support TLS, as well as new configuration (like PKI) on the part of network operators. TLS may not be supported at all on older hardware.
I have a different idea for a mitigation that I think works better.
A number of tempting, commonly suggested countermeasures do not sufficiently mitigate the vulnerability.
Decreasing Timeouts
It is tempting to hope that simply setting a shorter client timeout would mitigate our attack. We believe this should not be done: it decreases usability and does not protect against our attack.
Using TACACS+ or Diameter
RADIUS is not the only protocol to suffer from the types of security issues that we outline. TACACS+ is a popular (TCP-based) administrator login protocol for switches that also does not meet modern cryptographic security standards. RFC 8907 was published in September 2020, and explicitly mandates that TACACS+ be used with a secure transport. However, much like RADIUS, TACACS+ is still most commonly used over insecure transports.
Diameter (RFC 6733) was initially designed as a successor to RADIUS, although it never replaced RADIUS for many common use cases. It is used in 3G+ networks, and is generally only supported in large NAS equipment used by bigger ISPs and telecommunications providers; consumer or enterprise-grade equipment typically only supports RADIUS.
Although Diameter was intended to replace RADIUS, the protocol itself offers no security when used over TCP. As a result, RFC 6733 suggests that Diameter messages should be secured using TLS or DTLS; 5G has replaced Diameter with signaling over HTTP/2. The US government has described exploits against Diameter targeting mobile users.
Random shared secrets
Organizations can protect against dictionary attacks on the shared secret by picking random shared secrets of sufficient length, as the runtime of such an attack grows exponentially with the entropy of the secret. For example, this work-in-progress IETF draft recommends shared secrets with at least 96 bits of entropy.
Using Multi-Factor Authentication (MFA)
Using MFA or 2FA is not a mitigation either. Our attack largely bypasses the user authentication mechanism, and forges the accept response from the server’s reject. MFA may be supported through multiple mechanisms within the RADIUS protocol, including authentication protocols like PAP that are vulnerable by default to our attack.
Rejecting Proxy-States
Our forged Access-Accept packets contain Proxy-State attributes that the client is not expecting. However, having the client discard packets with unexpected Proxy-States does not mitigate the vulnerability. First, such a mitigation would only apply to a NAS; the Proxy-State attribute is actually used by RADIUS server proxies and thus difficult to remove without breaking functionality.
Even if NAS clients rejected unexpected Proxy-State attributes, it would be possible to craft colliding packets where the Access-Accept has the collision gibberish in a different attribute.
Replacing MD5
It is tempting to think that simply replacing MD5 in the Response Authenticator with a secure hash function like SHA-2 or SHA-3 might be a short-term mitigation against our attacks. However, since the RADIUS protocol does not provide for any cryptographic agility, such a change would be incompatible with all existing implementations, and thus be equivalent to requiring a new protocol. Given the other security and privacy concerns with the rest of RADIUS, it would be better at that point to redesign the entire protocol or transport.
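As an added, worked illustration of two points in the FAQ above, the Message-Authenticator mitigation and the Proxy-State detection heuristic (this is example code written for this note, not code from the Blast-RADIUS authors or from FreeRADIUS): a minimal RADIUS response builder and a NAS-side checker. Attribute type numbers and the two digest constructions follow RFC 2865 and RFC 2869; the shared secret, Request Authenticator, identifier and packets are constructed test values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_REPLY_MESSAGE = 18
ATTR_PROXY_STATE = 33
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Serialize [(type, value)] as RADIUS TLVs; the length octet covers the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(body):
    """Return [(type, value, offset_of_value_in_body)]; raises on a malformed TLV."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("bad attribute length")
        out.append((t, body[i + 2:i + l], i + 2))
        i += l
    return out


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Server side: build an Access-Accept/Reject replying to a request with Request Authenticator `request_auth`.

    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)          (RFC 2865 s3)
    Message-Authenticator  = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes), computed
                             with the 16-byte Message-Authenticator value zeroed          (RFC 2869 s5.14)
    """
    attrs = list(attrs)
    if with_msg_auth:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder, kept as the last attribute
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, hdr + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # the placeholder occupies the final 16 bytes of the body
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def check_response(packet, request_auth, secret, require_msg_auth=True):
    """Client (NAS) side: return a list of findings for a response; [] means it passed."""
    findings = []
    if len(packet) < HEADER_LEN:
        return ["truncated-packet"]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return ["length-mismatch"]
    hdr, resp_auth, body = packet[:4], packet[4:20], packet[20:]

    expected = hashlib.md5(hdr + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        findings.append("response-authenticator-mismatch")

    try:
        attrs = parse_attrs(body)
    except ValueError:
        return findings + ["malformed-attributes"]

    macs = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_msg_auth:
            findings.append("message-authenticator-missing")
    else:
        v, off = macs[0]
        zeroed = body[:off] + bytes(16) + body[off + 16:]
        mac = hmac.new(secret, hdr + request_auth + zeroed, hashlib.md5).digest()
        if len(v) != 16 or not hmac.compare_digest(mac, v):
            findings.append("message-authenticator-invalid")

    # Heuristic from the write-up: a NAS talking directly to its server should never
    # see Proxy-State in an Access-Accept.
    if code == ACCESS_ACCEPT and any(t == ATTR_PROXY_STATE for t, _, _ in attrs):
        findings.append("proxy-state-in-accept")
    return findings


# Constructed demo values, not from any real deployment.
SECRET = b"example-shared-secret-please-replace"
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")
IDENT = 0x2A


def demo():
    ok_reject = build_response(ACCESS_REJECT, IDENT, REQUEST_AUTH,
                               [(ATTR_REPLY_MESSAGE, b"Access denied")], SECRET)
    legacy_accept = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH, [], SECRET, with_msg_auth=False)
    # Shape of the packet the write-up says a NAS receives in an attack: an Access-Accept carrying
    # junk Proxy-State and no Message-Authenticator. Here it is simply signed with the secret so it
    # parses; in the attack the matching digest comes from an MD5 collision, and the detection rule
    # fires on the packet shape regardless of how the digest was obtained.
    suspicious = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH,
                                [(ATTR_PROXY_STATE, os.urandom(40))], SECRET, with_msg_auth=False)
    return {
        "ok_reject": check_response(ok_reject, REQUEST_AUTH, SECRET),
        "legacy_accept_strict": check_response(legacy_accept, REQUEST_AUTH, SECRET),
        "legacy_accept_lenient": check_response(legacy_accept, REQUEST_AUTH, SECRET, require_msg_auth=False),
        "suspicious": check_response(suspicious, REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'clean'}")
```

With require_msg_auth=True the checker rejects any response lacking a valid HMAC-MD5 Message-Authenticator, which is the short-term mitigation the FAQ describes; the Proxy-State finding is only a heuristic for a NAS that talks to its server directly, since, as the FAQ notes, the attribute is legitimately used by proxies and a colliding packet could carry its padding in a different attribute.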
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers detail the Blast-RADIUS MD5-based vulnerability affecting RADIUS, a widely used network access authentication protocol first developed in 1991
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere
Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/
One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.
Short for Remote Authentication Dial-In User Service, RADIUS harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades. Despite its early origins, RADIUS remains an essential staple for managing client-server interactions for:
VPN access
DSL and Fiber to the Home connections offered by ISPs,
Wi-Fi and 802.1X authentication
2G and 3G cellular roaming
5G Data Network Name authentication
Mobile data offloading
Authentication over private APNs for connecting mobile devices to enterprise networks
Authentication to critical infrastructure management devices
Eduroam and OpenRoaming Wi-Fi
Tomi Engdahl says:
Wes Davis / The Verge:
Google now lets its users set up Advanced Protection Program with a single passkey, using Android or iOS biometric authentication, instead of two physical keys
You can now protect your high-risk Google account with just your phone
Google’s Advanced Protection Program required two physical security keys before; now all you need is a passkey.
https://www.theverge.com/2024/7/10/24195306/google-accounts-advanced-protection-passkey-enrollment-support-security-key
Tomi Engdahl says:
Samuel Stolton / Bloomberg:
Apple settles with the EU over Apple Pay and avoids the threat of fines by agreeing to open NFC access on iOS to third-party wallets for free for a decade. EU accepts Apple pledge to open up payment tech to rivals. Firm still faces mounting EU antitrust scrutiny in other areas.
Apple Avoids EU Antitrust Threat With Tap-and-Pay Probe Settlement
https://www.bloomberg.com/news/articles/2024-07-11/apple-avoids-eu-antitrust-threat-with-tap-and-pay-probe-settlement
Tomi Engdahl says:
Ticketmaster SafeTix Reverse-Engineered
https://hackaday.com/2024/07/11/ticketmaster-safetix-reverse-engineered/
Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where more than half a billion accounts had personal and financial data leaked without any indication of whether or not the data was fully encrypted. But we’re going to focus on the former, as it’s more technically interesting.
Ticketmaster’s stated goals for the new SafeTix system — which requires the use of a smartphone app — was to reduce fraud and ticket scalping. Essentially, you purchase a ticket using their app, and some data is downloaded to your phone which generates a rotating barcode every 15 seconds. When [Conduition] arrived at the venue, cell and WiFi service was totally swamped by everyone trying to load their barcode tickets. After many worried minutes (and presumably a few choice words) [Conduition] managed to get a cell signal long enough to update the barcode, and was able to enter, albeit with a large contingent of similarly annoyed fans trying to enter with their legally purchased tickets.
The real kicker here is that since the barcode rotates every 15 seconds, printing it out simply isn’t an option. This alienates anyone who doesn’t have a smartphone, which includes individuals who may not be able to physically operate one. So the problem isn’t simply that users were being forced to install yet another application on their device, but that the system reduces accessibility to entertainment. [Conduition] was dismayed and frustrated with this, and so the reverse-engineering effort began.
Decoding the barcode was actually quite simple. It is a standard PDF417 barcode, which contains a long Base64 string, two six-digit numbers, and a Unix timestamp all concatenated together with colons. The only parts of the string that seemed to change over time were the two six-digit numbers. Hmm, can we think of a common technology which generates six-digit numbers that update seemingly randomly on a fixed cycle? Of course — it’s just a Time-based one-time password (TOTP), the technology behind 2FA authenticator apps!
So where were the secret keys coming from? TOTP only requires two things: a static secret string, and the current time. [Conduition] checked the communication with the Ticketmaster servers and found a particularly interesting request that returned JSON-formatted data, inside which were of course the two secret keys. One seems to be unique per customer, and the other per ticket.
The Ticketmaster API documentation only briefly mentions this feature, but they do state that customers must refresh their ticket barcodes within 20 hours before an event starts.
Reverse Engineering TicketMaster’s Rotating Barcodes (SafeTix)
https://conduition.io/coding/ticketmaster/
The Marketing
TicketMaster markets their SafeTix technology as a cure-all for scammers and scalpers.
SafeTix™ are powered by a new and unique barcode that automatically refreshes every few seconds so it cannot be stolen or copied, keeping your tickets safe and secure.
Ticketmaster SafeTix are powered by a new and unique barcode that automatically refreshes every 15 seconds. This greatly reduces the risk of ticket fraud from stolen or illegal counterfeit tickets.
Source
Our secure ticket technology reduces the risk of ticket fraud, eliminating the possibilities of theft or counterfeiting. Once you’ve purchased your mobile tickets on Ticketmaster, you can always rest assured you’re getting the seats you paid for.
Source
There’s also this gem:
If you take a closer look at your ticket, you may notice that it has a gliding movement, making it in a sense, alive. That movement is our ticket technology actively working to safeguard you every second.
Bullshit, TicketMaster. It’s a CSS animation. Get over yourself.
The part that got me worried:
The barcode on your mobile ticket includes technology to protect it, which means screenshots or printouts of your ticket will not be scannable.
This triggered flashbacks to the concert last year, and I pictured myself once more haphazardly waving my phone around, praying for service like Saul Goodman in the desert.
But TicketMaster was prepared for this anxiety:
Concerned about cell phone service at venues? This ticket has you covered. Once you view it in our App, your ticket is automatically saved so it’s always ready.
Great, so as long as I trust their app not to have a seizure on the day of the concert, I should be fine. Too bad I really don’t trust that, besides the fact that I don’t want to install their spyware on my phone.
Motivations
It’s pretty clear why TicketMaster is pushing this technology:
SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative.
It pushes users to install TicketMaster’s proprietary closed-source app, which gives TicketMaster more insight into their users’ devices and behavior.
People can’t save and transfer tickets outside of Ticketmaster. This forces ticketholders to surrender their friends’ contact information to TicketMaster, who can use this data to build social graphs, or conduct other privacy-invasive practices.
TicketMaster will never admit to these motivations, but it cannot be doubted that these effects have manifested regardless of TicketMaster’s intent, and they’re all good news for TicketMaster’s shareholders, if not for their customers.
The Contradiction
If you have any experience with computers and software, then having read all of TicketMaster’s marketing, you might come to the same question I did.
How can tickets be saved offline if they can’t also be transferred outside of TicketMaster?
This ticket is digital. Saving data offline is the same as copying it to your hard drive. If data can be copied, it can be transmitted. If it can be transmitted, it can be shared. If it can be shared, it can be sold.
This is a contradiction in TicketMaster’s marketing. They can’t have robust DRM on their tickets if those tickets can still be viewed offline.
So what is TicketMaster really doing to create these rotating barcodes?
Reverse Engineering
My first order of business was inspecting the barcodes themselves to see what I could learn. Their format is quite simple. They are PDF417 barcodes which encode UTF-8 text. As I mentioned earlier, that blue bar which sweeps across the barcode is just a gimmicky CSS animation: It doesn’t actually prevent screenshots of the barcode from scanning, because PDF417 has error correction properties built-in.
My instinct was that the first two numbers are indeed TOTPs, generated from different secrets, using the unix timestamp appended at the end of the barcode data. This makes sense: TicketMaster wouldn’t want to reinvent the wheel with this system, so they used a tried and tested cryptographic tool as a building block.
When the ticket is scanned at the venue, TicketMaster (or perhaps the venue) looks up the ticket metadata using that bearer token, and then validates the two OTPs against two secrets stored in its database. If both steps pass, then your ticket is valid and the staff can let you in.
TOTPs are very customizable, but generally the software industry has settled on a set of common defaults for TOTP standardization. You really only need to have two things to generate a TOTP:
The shared secret, which is just a byte array.
A working clock.
If you have both of those, you can generate as many TOTPs as you’d like, entirely offline.
There are two TOTPs in the barcode data, so there are probably two shared secrets I need to find. If I have both of those, plus the bearer token, I can create as many valid barcodes as I want.
So now my goal is much clearer: I need to find out where these tokens & secrets come from.
It appears the two TOTPs are generated with a 15-second time step interval, but are otherwise constructed in the same way as the ubiquitous industry-standard SHA-1 TOTPs we see in any mobile 2FA app. The first one is generated with the eventKey, and the second with the customerKey. Finally, the unix timestamp used for both TOTPs is appended to help with verification on the server-side.
Pirating Tickets
I now know everything I would need to duplicate TicketMaster’s barcodes in a custom app, or even resell a ticket outside of TicketMaster’s closed marketplace. All I would need to do is extract the base64 token property from the /api/render-ticket/secure-barcode API endpoint, or engineer a way to fetch that token dynamically using TicketMaster session credentials.
That base64 token string IS the ticket, as far as the venue staff at the gates are concerned. If you have a valid rawToken, eventKey, and customerKey, you can generate valid PDF417 barcodes, indistinguishable from the official TicketMaster app. Short of checking photo IDs at the entry gate, the venue staff can’t tell whether the person at the gate is the same person who the ticket is registered to on TicketMaster.
Quite hilariously, TicketMaster actually makes token-extraction easy on us: The token is logged to the browser console automatically when the barcode renderer component is mounted on the web page.
This means we don’t even need to mess around injecting custom user-scripts into the page to get the token out. You can just open your SafeTix barcode on the TicketMaster web-app, connect your phone’s Chrome instance to your laptop’s Chrome DevTools, and open the console. You’ll see the token printed right there. You can copy and use it wherever you’d like.
Lifetimes
The only unknown factor here is the rawToken lifetime. It’s difficult to know for sure how TicketMaster’s backend server uses rawToken to look up the ticket. It’s likely that a new rawToken is generated every time the client contacts the /api/render-ticket/secure-barcode endpoint.
I have no idea how long each rawToken remains valid.
Based on this, it might be reasonable to assume the rawToken is only valid for a 20 hour period, which would mean you’d need to fetch the rawToken at most 20 hours before the event to be able to resell or transfer it without TicketMaster’s permission. However, if all you want to do is save a ticket offline, this is more than adequate. I even built a little Expo app I call TicketGimp which renders SafeTix barcodes if you give it a token.
Conclusion
I think we can all agree: Fuck TicketMaster. I hope their sleazy product managers and business majors read this and throw a tantrum. I hope their devs read this and feel embarrassed. It’s rare that I feel genuine malice towards other developers, but to those who designed this system, I say: Shame.
Shame on you for abusing your talent to exclude the technologically-disadvantaged.
Shame on you for letting the marketing team dress this dark-pattern as a safety measure.
Shame on you for supporting a company with such cruel business practices.
Software developers are the wizards and shamans of the modern age. We ought to use our powers with the austerity and integrity such power implies. You’re using them to exclude people from entertainment events.
Have fun refactoring your ticket verification system.
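As an added example, not code from [Conduition]’s post, from the TicketGimp app, or from TicketMaster: the verification side that the post infers the venue performs, in Python. It uses the barcode layout and the 15-second, six-digit, SHA-1 TOTP parameters the post describes; the 60-second freshness window, the one-admission-per-ticket rule, the treatment of the secrets as raw bytes, and every key and token below are my own assumptions or constructed values. The post only states that the server looks the ticket up by the token and validates the two OTPs against stored secrets.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15       # time step observed in the post for SafeTix TOTPs
DIGITS = 6
MAX_AGE_SECONDS = 60    # freshness window for the embedded timestamp (assumption, not from the post)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP (RFC 4226) with counter = floor(unix_time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                         # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def render_payload(token: str, event_key: bytes, customer_key: bytes, unix_time: int) -> str:
    """Barcode text in the layout the post describes: token:otp(eventKey):otp(customerKey):timestamp."""
    return ":".join([token, totp(event_key, unix_time), totp(customer_key, unix_time), str(unix_time)])


def parse_payload(payload: str):
    parts = payload.split(":")
    if len(parts) != 4:
        raise ValueError("expected 4 colon-separated fields")
    token, otp1, otp2, ts = parts
    if not (otp1.isdigit() and otp2.isdigit() and ts.isdigit()):
        raise ValueError("OTPs and timestamp must be decimal")
    return token, otp1, otp2, int(ts)


class GateVerifier:
    """Hypothetical venue-side verifier: tickets keyed by bearer token -> (event_key, customer_key)."""

    def __init__(self, tickets):
        self.tickets = tickets
        self.admitted = set()   # tokens already let in; a second scan of the same ticket is refused

    def verify(self, payload: str, now: int):
        try:
            token, otp1, otp2, ts = parse_payload(payload)
        except ValueError as e:
            return False, f"malformed: {e}"
        keys = self.tickets.get(token)
        if keys is None:
            return False, "unknown-token"
        if abs(now - ts) > MAX_AGE_SECONDS:
            return False, "stale-timestamp"
        event_key, customer_key = keys
        # Recompute both OTPs for the step the client embedded; compare in constant time.
        if not (hmac.compare_digest(otp1, totp(event_key, ts)) and
                hmac.compare_digest(otp2, totp(customer_key, ts))):
            return False, "bad-otp"
        if token in self.admitted:
            return False, "replayed"
        self.admitted.add(token)
        return True, "ok"


def demo():
    # Constructed keys and token; per the post, the real ones are served by TicketMaster's API.
    event_key = b"constructed-event-key-0001"
    customer_key = b"constructed-customer-key-0001"
    token = "Y29uc3RydWN0ZWQtdG9rZW4"
    gate = GateVerifier({token: (event_key, customer_key)})
    t = 1_720_000_000
    payload = render_payload(token, event_key, customer_key, t)
    fresh = gate.verify(payload, now=t + 5)                                       # first scan
    again = gate.verify(payload, now=t + 7)                                       # same ticket again
    stale = gate.verify(render_payload(token, event_key, customer_key, t - 600), now=t)
    wrong = gate.verify(render_payload(token, event_key, b"other-key", t), now=t)
    return fresh, again, stale, wrong


if __name__ == "__main__":
    print(demo())
```

The freshness and one-admission checks stop a stale screenshot from scanning, but they cannot distinguish the app from anyone else holding the same token and secrets, which is exactly the contradiction the post points out: whatever can render the barcode offline can also be copied.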
Tomi Engdahl says:
CISA, FBI Urge Immediate Action on OS Command Injection Vulnerabilities in Network Devices
https://www.securityweek.com/cisa-fbi-urge-immediate-action-on-os-command-injection-vulnerabilities-in-network-devices/
In response to recent intrusions, CISA and the FBI are urging businesses and device manufacturers to eliminate OS command injection vulnerabilities at the source.
CISA and the FBI on Wednesday issued a joint alert on exploitation of OS command injection vulnerabilities in network edge devices.
Published in response to recent intrusions exploiting CVE-2024-20399 (Cisco NX-OS), CVE-2024-3400 (Palo Alto Networks PAN-OS), and CVE-2024-21887 (Ivanti Connect Secure), CISA and the FBI are urging business leaders and device manufacturers to eliminate OS command injection vulnerabilities at the source.
“OS command injection vulnerabilities arise when manufacturers fail to properly validate and sanitize user input when constructing commands to execute on the underlying OS. Designing and developing software that trusts user input without proper validation or sanitization can allow threat actors to execute malicious commands, putting customers at risk,” the joint alert reads.
To prevent these types of vulnerabilities, organizations are advised to adopt a secure-by-design approach throughout all products’ lifecycle, reducing the burden on customers and risk to the public, CISA and the FBI say.
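As an added illustration of the input handling the alert calls for (example code written for this note, not from CISA, the FBI or any of the vendors named): the shell-string pattern beside a hardened argv form, for a hypothetical "ping a host" feature in a device management interface. The hostname grammar is my own conservative allowlist.

```python
import re
import subprocess

# Conservative allowlist for a hostname operand: labels of letters, digits and hyphens,
# no leading hyphen (so the operand can never be parsed as an option), no whitespace
# or shell metacharacters at all.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")


def unsafe_ping_command(host: str) -> str:
    """The pattern the alert warns about: untrusted input spliced into a shell command string.
    Returned rather than executed so the effect is visible; run with shell=True, any shell
    metacharacter in `host` becomes part of the command line."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def safe_ping_argv(host: str) -> list:
    """Hardened form: a fixed argv list with the validated operand as its own argument."""
    return ["ping", "-c", "1", validate_hostname(host)]


def is_accepted(host: str) -> bool:
    try:
        safe_ping_argv(host)
        return True
    except ValueError:
        return False


def run_ping(host: str) -> int:
    # An argv list with shell=False never invokes /bin/sh, so metacharacters are inert
    # even before validation; validation additionally blocks option injection.
    return subprocess.run(safe_ping_argv(host), shell=False, check=False).returncode


if __name__ == "__main__":
    for candidate in ["example.com", "example.com; id", "$(id)", "-c"]:
        print(f"{candidate!r}: unsafe string={unsafe_ping_command(candidate)!r}, accepted={is_accepted(candidate)}")
```

Passing an argv list is the structural fix: the OS receives the operand as one argument and no shell ever interprets it. The allowlist is the second layer, and its leading-hyphen rule matters because argument injection (an operand read as an option) survives even when command injection is impossible.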
Tomi Engdahl says:
Can AI be Meaningfully Regulated, or is Regulation a Deceitful Fudge?
https://www.securityweek.com/can-ai-be-meaningfully-regulated-or-is-regulation-a-deceitful-fudge/
Few people understand AI, how to use or control it, or where it is going. Yet politicians wish to regulate it.
Tomi Engdahl says:
https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html
Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE).
The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 and 8.8p1 shipped with Red Hat Enterprise Linux 9.
Tomi Engdahl says:
https://cybersecuritynews.com/outlook-zero-click-rce-vulnerability/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-bug-that-lets-attackers-run-pipelines-as-an-arbitrary-user/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/fujitsu-confirms-customer-data-exposed-in-march-cyberattack/
Tomi Engdahl says:
https://cybersecuritynews.com/vmware-vcenter-server-poc-exploit/
Tomi Engdahl says:
https://www.theregister.com/2024/07/10/july_2024_patch_tuesday/
Tomi Engdahl says:
Car thieves have a new tool: doors open and the car starts in just seconds
With an expensive code-reading device, a car can be broken into in just seconds.
https://www.iltalehti.fi/autouutiset/a/afcb9fc5-e2c1-4244-9bd4-ebc316e3f5ac
Criminals have taken a step forward, and modern cars can now be broken into with a device resembling a Nintendo Game Boy handheld console. It is an emulator that reads the radio signal of the car’s locking system and computes the car’s lock code, in the worst case in just seconds.
According to InsideEVs, which reported the matter, the device starts computing the keyless entry code. With keyless entry, the car keys only need to be in a pocket.
The device is not, however, available to every car thief. According to InsideEVs, it costs roughly 14,700 to 27,600 euros depending on the model.
The device can be used to break into several Infiniti, Lexus, Mercedes-Benz, Mitsubishi, Nissan, Subaru and Toyota models, at least those on the US market. Whether vehicles on the European market are vulnerable is not known.
Polish broadcaster Polsat News got hold of the device and tested it together with law enforcement. The video shows a reporter using the device to get into a car and start it.
https://www.youtube.com/watch?v=_Go6byfIgaU
Hyundai Ioniq 5, Kia EV6 Are Newest Victims Of ‘Game Boy’ Hack
Using a small “Game Boy”-like device, thieves are able to steal Hyundai and Kia EVs in just seconds.
https://insideevs.com/news/724328/hyundai-kia-ioniq-5-gameboy/
Tomi Engdahl says:
‘CrystalRay’ Expands Arsenal, Hits 1,500 Targets With SSH-Snake and Open Source Tools
https://www.securityweek.com/crystalray-expands-arsenal-hits-1500-targets-with-ssh-snake-and-open-source-tools/
A threat actor tracked as CrystalRay has hit 1,500 victims since February, stealing credentials and deploying backdoors.
The ‘CrystalRay’ threat actor behind a February wave of attacks using the SSH-Snake penetration testing tool has significantly increased their operation, hitting thousands of victims with an expanded arsenal.
Developed by Australian security researcher Joshua Rogers to harvest SSH keys and use them for automatic network traversal, SSH-Snake made it to the headlines in February when more than 100 organizations had their credentials stolen using the tool.
A self-replicating and self-propagating fileless tool, SSH-Snake was intended for hacking purposes, acting like a worm. However, Rogers told SecurityWeek in February, the tool capitalizes on security mis-architecture and only automates what humans can already do.
Five months after the first report of SSH-Snake’s malicious use, Sysdig says that the threat actor behind the initial attack, now tracked as CrystalRay, has expanded its toolset with mass scanning, exploitation of multiple vulnerabilities, and backdoors deployed using open source software (OSS) security tools.
The actor has attempted to discover services such as Activemq, Confluence, Metabase, Weblogic, Solr, Openfire, Rocketmq, and Laravel, and to exploit vulnerabilities such as CVE-2022-44877, CVE-2021-3129, and CVE-2019-18394.
Tomi Engdahl says:
GitLab Ships Update for Critical Pipeline Execution Vulnerability
GitLab issues an advisory for a critical-severity vulnerability that allows an attacker to trigger a pipeline as another user.
https://www.securityweek.com/gitlab-ships-update-for-critical-pipeline-execution-vulnerability/
Tomi Engdahl says:
Tracebit Raises $5 Million for Threat Deception Solution
London startup Tracebit has raised $5 million in seed funding for its cloud-native threat detection and deception solution.
https://www.securityweek.com/tracebit-raises-5-million-for-threat-deception-solution/
Tomi Engdahl says:
Palo Alto Networks Addresses BlastRADIUS Vulnerability, Fixes Critical Bug in Expedition Tool
https://www.securityweek.com/palo-alto-networks-addresses-blastradius-vulnerability-fixes-critical-bug-in-expedition-tool/
Palo Alto Networks patched a critical vulnerability in its Expedition tool and addressed the impact of the recently disclosed BlastRADIUS vulnerability.