This posting is here to collect cyber security news in August 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
188 Comments
Tomi Engdahl says:
Microsoft/Tech/Security
Delta CEO: ‘When was the last time you heard of a big outage at Apple?’ / After the recent outage cost the airline $500 million, Delta’s leader says his company is rethinking its relationships with Microsoft and CrowdStrike.
https://www.theverge.com/2024/8/1/24210680/crowdstrike-microsoft-outage-delta-lawsuit-class-action-damages?fbclid=IwY2xjawEZyTZleHRuA2FlbQIxMQABHcaKHkUa5H_fzq1k0-fqEEDmDMEYpBygMg8Fs_5a1eM4by_AMBvdjcghyg_aem_qaTVpHKjxUS881zedtO0jw
In an interview with CNBC, Delta Air Lines CEO Ed Bastian said the July 19th outage caused by a CrowdStrike update cost his company half a billion dollars in five days. Delta canceled more than 5,000 flights that weekend and had blue error screens still visible at airports days after the initial crash. Among the costs Bastian said Delta incurred were more than 40,000 servers that “we had to physically touch and reset” as well as compensation payments to travelers left in the lurch.
Asked about a continuing relationship with Microsoft after the crash, Bastian said he regards it as “probably the most fragile platform” and asked the question, “When was the last time you heard of a big outage at Apple?” He placed some blame on the valuations of big tech companies, which lately have been lifted by generative AI hype, saying, “…they’re building the future, and they have to make sure they fortify the current.”
Apparently, the only thing offered to Delta so far from the two companies was free consulting advice, so it seems their IT department wasn’t on the list for one of CrowdStrike’s $10 UberEats cards. CNBC previously reported Delta has hired attorney David Boies to seek damages.
Delta isn’t alone — CrowdStrike shareholders filed a proposed class action lawsuit this week, reports Reuters. The suit cites CrowdStrike CEO George Kurtz’s comments on a March 5th call that its software was “validated, tested, and certified.” The shareholders now regard those claims as false and misleading since CrowdStrike wasn’t performing the same level of testing on Rapid Response Content updates as it does on other updates, and its Content Validator checks didn’t catch the bug that caused the global IT crash.
As described in Tom Warren’s recap of the events on the 19th, unlike Microsoft, Apple has in recent years restricted the access third-party developers have to the kernel of macOS. A Microsoft spokesperson said to The Wall Street Journal that it “cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint.”
“If you’re going to have priority access to the Delta ecosystem… you’ve gotta test this stuff. You can’t come into a mission-critical, 24-7 operation and tell us, ‘We have a bug.’ It doesn’t work.”
Tomi Engdahl says:
Tom Warren
Delta wants compensation from CrowdStrike and Microsoft. Delta was hit particularly badly by the CrowdStrike outage that impacted millions of Windows-based machines earlier this month. Now, CNBC reports that Delta has hired an attorney to seek damages from both CrowdStrike and Microsoft after it had to cancel nearly 7,000 flights due to the IT outage. The outage may have cost Delta up to $500 million.
https://www.theverge.com/2024/7/30/24209418/delta-wants-compensation-from-crowdstrike-and-microsoft
Tomi Engdahl says:
https://cybersecuritynews.com/multiple-smtp-servers-vulnerable/
Tomi Engdahl says:
GitHub Models gives developers new power to experiment with Gen AI
https://venturebeat.com/ai/github-models-gives-developers-new-power-to-experiment-with-gen-ai/
GitHub is no stranger to the world of AI for development, but to date it hasn’t been as easy as it could be for developers to try out new gen AI models. That’s starting to change today.
GitHub is launching a new effort called GitHub Models in a bid to provide an easier onramp for enterprise developers to try out and build applications with gen AI. GitHub is an early pioneer in the use of gen AI, particularly with its GitHub Copilot service. With GitHub Copilot developers get code completion and suggestion capabilities to build applications. GitHub Copilot is currently powered by a single model that GitHub has carefully curated and evaluated. GitHub Models, on the other hand, is a new initiative that provides developers with direct access to a wider range of AI models including Meta’s Llama 3.1, OpenAI’s GPT-4o, Mistral Large 2, AI21’s Jamba-Instruct, Microsoft Phi-3 as well as models from Cohere.
Tomi Engdahl says:
SLUBStick Linux Vulnerability Let Attackers Gain Full System Control
https://cybersecuritynews.com/slubstick-linux-vulnerability/#google_vignette
Security researchers have discovered a severe vulnerability in the Linux kernel that could allow attackers to gain full control over affected systems. Dubbed “SLUBStick,” the exploit technique uses memory allocation flaws to achieve arbitrary read and write access to kernel memory.
The vulnerability, detailed in a paper by Graz University of Technology researchers, affects recent Linux kernel versions, including 5.19 and 6.2. It allows unprivileged users to elevate privileges and potentially escape container environments.
Tomi Engdahl says:
Crowdstrike: Delta Air Lines refused free help to resolve IT outage
https://www.bleepingcomputer.com/news/security/crowdstrike-delta-air-lines-refused-free-help-to-resolve-it-outage/?fbclid=IwZXh0bgNhZW0CMTEAAR199z0p271pr99Bpg7cnL1yiiZKjqk-o46p94tQD0tTZa8Ygcky83trsV4_aem_cxyge74cmsAJ4uOXlrcN6w
The legal spars between Delta Air Lines and CrowdStrike are heating up, with the cybersecurity firm claiming that Delta’s extended IT outage was caused by poor disaster recovery plans and the airline refusing to accept free onsite help in restoring Windows devices.
After CrowdStrike pushed out a faulty update for its Falcon cybersecurity software, over 8.5 million Windows devices suddenly crashed and would no longer boot into the operating system.
To fix the issues, IT staff were required to manually remove the bad update from Windows devices, leading to extended IT outages for companies with thousands of devices.
Tomi Engdahl says:
Delta CEO says Microsoft is “probably the most fragile platform” after it lost “half a billion dollars in five days” during the CrowdStrike outage
https://www.windowscentral.com/microsoft/delta-ceo-says-microsoft-is-probably-the-most-fragile-platform?fbclid=IwZXh0bgNhZW0CMTEAAR2EHL4bfouoTw6Qx1aJHGRIr8iNmkZJsYZc931GVzScFuww9AXz-SURkLI_aem_kuoxDrsTcNkcz0R5LxWC7w
Ed Bastian has “tremendous respect for Microsoft and (CEO) Satya,” but the lack of fortification might force Delta Air Lines to look elsewhere.
What you need to know
Delta Air Lines CEO Ed Bastian says the CrowdStrike outage that toppled Microsoft’s services cost the airline $500 million.
The executive says the incident has forced him to rethink the airline’s partnership with Microsoft and CrowdStrike while touting Apple’s apparent ‘immunity’ to repeated outages.
The airline is seeking damages amounting to $500 million from Microsoft and CrowdStrike. However, the former has only offered free IT consultation advice, while the latter touted $10 Uber Eats gift cards for those affected.
The global digital pandemic caused by a buggy CrowdStrike kernel driver update that left over 8.5 million Windows devices with BSoD errors for hours might have been resolved; it consistently places CrowdStrike and Microsoft between a rock and a hard place.
Earlier this week, Delta Air Lines, one of the many companies whose operations were crippled by the global IT outage, hired bigshot attorney David Boies to seek damages amounting to over $350 million from Microsoft and CrowdStrike. While Microsoft wasn’t directly responsible for the massive outage, it’s seemingly bottled up in the whole fiasco alongside CrowdStrike.
More recently, Delta CEO Ed Bastian touched base with CNBC to discuss the digital pandemic that left thousands of passengers stranded across airports. The company reportedly lost between $350 million and $500 million after approximately 7,000 people canceled their flights, coupled with 176,000 refund and reimbursement requests. Delta’s CEO claims the company incurred the cost of more than 40,000 servers that they were forced to tamper with to reset the system.
Tomi Engdahl says:
Microsoft Azure outage takes down services across North America
https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-outage-takes-down-services-across-north-america/?fbclid=IwZXh0bgNhZW0CMTEAAR35_z4Hqc8benXbJNyG9MCOr9QltLMGzP1lAbm3mCjd79zYaIACDRHN4f8_aem_HaP8coFCRQjh4cb1ler9Uw
Microsoft has mitigated an Azure outage that lasted more than two hours and took down multiple services for customers across North and Latin America.
The company says the incident started around 18:22 UTC and impacted services that leverage Azure Front Door (AFD), its modern cloud Content Delivery Network (CDN).
“This issue is impacting multiple geographies, mostly in North America and Latin America,” Redmond explained when it first acknowledged the outage on the Azure status page, saying it was caused by what it described as a “configuration change.”
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-lianspy-malware-hides-by-blocking-android-security-feature/
Tomi Engdahl says:
https://cybernews.com/security/thousands-ubiquiti-cameras-and-routers-vulnerable/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-breach-isp-to-poison-software-updates-with-malware/
Tomi Engdahl says:
Mac and Windows users infected by software updates delivered over hacked ISP
DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.
https://arstechnica.com/security/2024/08/hacked-isp-infects-users-receiving-unsecure-software-updates/?fbclid=IwY2xjawEee1hleHRuA2FlbQIxMQABHaiNhY0yxd-Rk0B77PwsMhfjF_kKqPO-3Ivy9Mu7r33OtlJPcY_lf3mV7w_aem_CNUeepAhEt6j18XLq0bzZQ
Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said.
The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.
These aren’t the update servers you’re looking for
Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than the authoritative DNS server provided by the ISP.
“That is the fun/scary part—this was not the hack of the ISPs DNS servers,” Volexity CEO Steven Adair wrote in an online interview. “This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google’s DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker’s servers.”
In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven’t been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections.
As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
Tomi Engdahl says:
Is your surveillance camera spying on you?
https://etn.fi/index.php/13-news/16436-vakoileeko-valvontakamerasi-sinua
The research division of security firm Check Point warns of vulnerabilities in the Ubiquiti G4 Instant camera, which is popular in Finland too. In total, more than 20,000 Ubiquiti cameras and routers on the market are exposed to network attacks and privacy risks.
The Ubiquiti G4 Instant camera is a compact, wide-angle WiFi camera with two-way audio. The camera works together with the Cloud Key+ device that supports the use of its app. These devices expose IP addresses, device platform names and software versions – all information that can be used for technical and social engineering attacks.
Tomi Engdahl says:
Security may require a separate device on smartphones too
https://etn.fi/index.php/13-news/16435-tietoturva-voi-vaatia-erillistae-laitetta-myoes-aelypuhelimissa
Security, verifying the user’s identity and protecting data are absolutely critical questions for many. They should be for everyone. Swedish company Yubico believes that a small portable device is the key to security on mobile devices as well.
Recently, many of the world’s leading technology companies have started adopting passkey technology, i.e. “passwordless” authentication. These solutions are based on the FIDO login standard created by the Fast IDentity Online Alliance.
One of the leading names in FIDO authentication is Yubico, which has recently cooperated extensively with Apple, Microsoft and other large companies.
- One of YubiKey’s most important strengths is that it uses protocols such as FIDO U2F (Universal 2nd Factor) and FIDO2/WebAuthn, which resist phishing attacks. These protocols ensure that the authentication process is cryptographically bound to the original site, which effectively prevents attackers from redirecting users to fraudulent websites. This high level of security makes YubiKey a trustworthy option for protecting sensitive information, Ward clarifies.
Thanks to broad compatibility, YubiKeys can be used on different platforms such as Windows, macOS, Linux, iOS and Android, as well as in the most common browser versions. YubiKeys are well supported in enterprise environments and are integrated into identity and access management systems such as Microsoft Entra AD, Google Workspace, Okta and many others.
Physically, a YubiKey fits many kinds of connectors, with USB-A, USB-C, Lightning and NFC-compatible models available.
So how secure is a YubiKey? According to Ward, no successful interceptions or compromises of the YubiKey OTP (One-Time Password) stream have been observed. In his view this is largely due to the robust security features built into the YubiKey OTP design, which make interception and misuse extremely challenging.
- First, YubiKey OTPs are generated with AES-128 encryption. This means that the YubiKey and the authentication server share a secret key that is used to encrypt the OTP. Without access to this secret key, decrypting the OTP, even if it were intercepted, is practically impossible.
In addition, every OTP generated by a YubiKey is unique and can be used only once. So even if an OTP were intercepted, it would become useless after its first use. This one-time property ensures that OTPs cannot be reused in an attack.
According to Ludwig Ward, the passwordless authentication market is developing rapidly because the limitations and vulnerabilities of traditional password-based systems are increasingly recognised.
- Biometrics and hardware tokens represent two prominent approaches in the passwordless authentication landscape, each with its own advantages and challenges. Biometrics such as fingerprint scans, facial recognition and iris scans offer users great convenience. They remove the need to remember complex passwords and provide a seamless authentication experience. One example of this is the YubiKey Bio Series, which uses biometrics on the YubiKey itself instead of a PIN code, just like the biometrics on your smartphone that everyone now takes for granted.
However, biometrics also involve significant privacy and security concerns. In addition, deploying some biometric systems requires sophisticated and often expensive infrastructure. On the other hand, security keys such as YubiKeys offer robust protection by using cryptographic methods to authenticate users. These tokens resist phishing attacks and provide tangible protection that users can control.
Tomi Engdahl says:
Every Microsoft employee is now being judged on their security work / Microsoft is making security its top priority, and employees will now have to start delivering
https://www.theverge.com/2024/8/5/24213774/microsoft-security-performance-reviews-employees-top-priority
Microsoft made it clear earlier this year that it was planning to make security its top priority, following years of security issues and mounting criticisms. Starting today, the software giant is now tying its security efforts to employee performance reviews.
Kathleen Hogan, Microsoft’s chief people officer, has outlined what the company expects of employees in an internal memo obtained by The Verge. “Everyone at Microsoft will have security as a Core Priority,” says Hogan. “When faced with a tradeoff, the answer is clear and simple: security above all else.”
A lack of security focus for Microsoft employees could impact promotions, merit-based salary increases, and bonuses. “Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards,” Microsoft is telling employees in an internal Microsoft FAQ on its new policy.
Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations — internally called a “Connect” — for every employee, alongside priorities that are agreed upon between employees and their managers.
Microsoft employees will have to demonstrate how they’ve made impactful security changes. For technical employees, that means incorporating security into product design processes at the start of a project, following established security practices, and making sure products are secure by default for Microsoft’s customers.
Tomi Engdahl says:
Every Microsoft Employee Is Now Being Judged on Their Security Work
https://m.slashdot.org/story/431560
Tomi Engdahl says:
Bad apps bypass Windows security alerts for six years using newly unveiled trick
Windows SmartScreen and Smart App Control both have weaknesses of which to be wary
https://www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/?fbclid=IwY2xjawEfM1dleHRuA2FlbQIxMQABHeE5DvDTiN5zRCgxThdQqx9IYarafAXrYnH7SzOrsNII3HRg-4KQAHVCww_aem_s9Apabl_fYpuZIzp_9qjpA
Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows’ security warnings, including one in use for six years.
The research focused on ways to bypass Windows SmartScreen and Smart App Control (SAC), the go-to built-in protections against running potentially nasty software downloaded from the web in Windows 8 and 11 respectively.
Tomi Engdahl says:
Hacker wipes 13,000 devices after breaching classroom management platform
https://www.bleepingcomputer.com/news/security/hacker-wipes-13-000-devices-after-breaching-classroom-management-platform/?fbclid=IwY2xjawEfNr9leHRuA2FlbQIxMQABHQG29IGA-CJSc6MJOUWI4YIoEU7LfJz3AvRTrZvZUefH4C6BHjEQqMcH2g_aem_BmIIhp6qiEPKXwnsHFv-DQ
A hacker has breached Mobile Guardian, a digital classroom management platform used worldwide, and remotely wiped data from at least 13,000 students’ iPads and Chromebooks.
Mobile Guardian, a ‘Google for Education’ partner, is a cross-platform (Android, Windows, iOS, ChromeOS, macOS) one-on-one solution for K-12 schools that offers a complete suite of device management, parental monitoring and control, secure web filtering, classroom management, and communications.
The platform announced it suffered a security breach on August 4, 2024, where a hacker gained unauthorized access to its platform, impacting its North American, European, and Singaporean instances.
As a result of the breach, Mobile Guardian says a small percentage of iOS and ChromeOS devices were wiped remotely, but there’s no evidence of data access or exfiltration.
The service has been suspended for now, so users cannot log in to the Mobile Guardian platform, and students are limited to restricted access on their devices.
Tomi Engdahl says:
French police probe ransomware attack on Olympic venue
By REUTERS Published: AUGUST 6, 2024 12:32
French cyber crime police are investigating a ransomware attack against the Grand Palais exhibition hall in Paris where Olympic events including fencing and Taekwondo are being held, Paris prosecutors said on Tuesday.
They said cyber criminals had targeted the institution’s central computer system, but the incident had not caused any disruption to Olympic events taking place in the iconic glass-roofed exhibition hall in the center of the French capital.
https://m.jpost.com/breaking-news/article-813504?fbclid=IwY2xjawEfSERleHRuA2FlbQIxMQABHTdXV0Aw7RJAjBhiwyNXvHa9-DuvAH6Lp3va2QiKmVUmf01RanANd61BpA_aem_boierHuKxoOFfOCH1Fmicg
Tomi Engdahl says:
Microsoft 365 anti-phishing feature can be bypassed with CSS
https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/?fbclid=IwZXh0bgNhZW0CMTEAAR0Gk2JaK6XjmpLxEyNnmiFkNYNdZoefsmJSzMWkomJcVSCCozCAySVc53o_aem_LqhVC–lQ4uT68MFQnv19w
Researchers have demonstrated a method to bypass an anti-phishing measure in Microsoft 365 (formerly Office 365), elevating the risk of users opening malicious emails.
Specifically, the anti-phishing measure that can be hidden is the ‘First Contact Safety Tip,’ which warns email recipients on Outlook when they receive a message from an unfamiliar address.
The key aspect of this mechanism is that the alert is appended to the main body of the HTML email, opening up the potential for manipulation using CSS embedded in an email message.
When this CSS is used in a phishing email sent from a new contact to a target, no alert shows up to warn the recipient.
Taking the deception one step further, Certitude found that it’s also possible to add more HTML code that spoofs the icons Microsoft Outlook adds to encrypted/signed emails to make them appear even more secure.
Tomi Engdahl says:
https://www.securityweek.com/microsoft-hits-back-at-delta-after-the-airline-said-last-months-tech-outage-cost-it-500-million/
Tomi Engdahl says:
https://www.securityweek.com/crowdstrike-releases-root-cause-analysis-of-falcon-sensor-bsod-crash/
Tomi Engdahl says:
https://www.securityweek.com/french-museum-network-hit-by-ransomware-attack-but-no-disruptions-are-reported-at-olympic-events/
Tomi Engdahl says:
https://www.securityweek.com/samsung-bug-bounty-program-payouts-reach-5m-top-reward-increased-to-1m/
Tomi Engdahl says:
Fighting Back Against Multi-Staged Ransomware Attacks Crippling Businesses
Modern ransomware attacks are multi-staged and highly targeted. First, attackers research the target organization and its employees.
https://www.securityweek.com/fighting-back-against-multi-staged-ransomware-attacks-crippling-businesses/
Traditional ransomware attacks were fairly straightforward. Attackers lured indiscriminate victims using social engineering and phishing tactics. Once victims were tricked into visiting a malicious website or opening a malicious link or attachment, they would execute malware that would spread rapidly and encrypt valuable files and folders. Hackers would then demand a ransom in return for decryption keys.
Enter the Modern Ransomware Attacker Workflow
Modern ransomware attacks are quite different today because they are multi-staged and highly targeted. First, attackers research the target organization and its employees. Next, using custom phishing attacks, stolen credentials or unpatched vulnerabilities, attackers install a trojan or a stager in the victim’s machine. This trojan then modifies the victim’s machine, downloads updates and instructions from command and control [C&C or C2] servers and notifies hackers about the intrusion. While the program awaits instructions, it collects information about the victim’s environment, including passwords stored in a computer’s cache or a user’s browser.
Tomi Engdahl says:
https://www.securityweek.com/thousands-of-devices-wiped-remotely-following-mobile-guardian-hack/
Tomi Engdahl says:
APT groups have carried out data breaches in Finland too – this is how they operate online
Petteri Järvinen | 4.8.2024 12:11 | Cyber, Espionage, Information security
The most dangerous criminals online are patient, persistent professionals who do their work during office hours. They are called APT actors.
https://www.tivi.fi/uutiset/apt-ryhmat-tehneet-tietomurtoja-suomessakin-nain-ne-toimivat-verkossa/ea73bcf7-7b30-498c-a726-77405c858712
Tomi Engdahl says:
FFS
Such a simple mistake with no error checking
CrowdStrike releases root cause analysis of the global Microsoft breakdown
https://www.abc.net.au/news/2024-08-07/drt-crowdstrike-root-cause-analysis/104193866?fbclid=IwY2xjawEgmXxleHRuA2FlbQIxMQABHegFG8de7iqNaI0TrgRdPu1U7SG_tISl1TebYGjcHEvo8DP6510rPSIyLQ_aem_PXHuTKDAD_yC6W9XiAr2_A
In short: CrowdStrike has released its root cause analysis of the faulty software update that led to a global outage in July.
It found one undetected sensor written into an update for its Falcon software caused the system crash.
What’s next? CrowdStrike announced steps it will take to prevent the situation from repeating, but experts say the “embarrassing” mistake should never have happened.
On July 19, the fateful Blue Screen of Death (BSOD) Friday, about 8.5 million Windows systems around the world went into meltdown when an update for CrowdStrike’s Falcon sensor product went very wrong.
The US cybersecurity company released a preliminary report days after the incident.
Now a more in-depth, 12-page analysis has confirmed the root of the cause — one single undetected sensor.
The widespread outage has been linked to its Falcon sensor software, which is installed to look for threats and help lock them down.
Sigi Goode, a professor of information systems at the Australian National University, said Falcon had very privileged access.
It sits at what is called the kernel level of Windows.
“It’s sitting as close to the engine that powers the operating system as possible,” Professor Goode said.
“Kernel mode is constantly watching what you’re doing and listening to requests from the applications you’re using, and servicing them in a way that appears seamless to you.”
On July 19, the company sent out a Rapid Response Content update to certain Windows hosts.
In the RCA, CrowdStrike called it the “Channel 291 Incident”, in which a new capability was introduced into Falcon’s sensors.
Tomi Engdahl says:
Data of thousands of Finns hacked and now published online
The data of thousands of people is being shared on a hacker forum, so scams may be in store.
https://www.is.fi/digitoday/tietoturva/art-2000010614533.html
DATA of Finnish dog hobbyists was stolen and published on the Breachforums hacker forum on Monday 5 August.
The Finnish Kennel Club (Kennelliitto) denies having been the target of a data breach. The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom confirms the club’s view but does not name the party that was the victim.
According to the club, the data was stolen from another party, and the leaked material happens to contain the same individuals who are members of the Kennel Club. The member register has therefore not been compromised.
Tomi Engdahl says:
2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed
By Anthony Spadafora
Stolen data was then put up for sale on the dark web
https://www.tomsguide.com/computing/online-security/29-billion-hit-in-one-of-largest-data-breaches-ever-full-names-addresses-and-ssns-exposed?fbclid=IwY2xjawEgpspleHRuA2FlbQIxMQABHfPcGRSOBoZt2kAN5sz7vg9t1rifGrnaIQez_WdsmreXytF1lABFI77KMw_aem_GtIF1lDexHAIbQB4Ib2ZeQ
Regardless of how careful you are online, your personal data can still end up in the hands of hackers—and a new data breach that exposed the data of 2.9 billion people is the perfect example of this.
As reported by Bloomberg, news of this massive new data breach was revealed as part of a class action lawsuit that was filed at the beginning of this month. A complaint submitted to the US District Court for the Southern District of Florida claims the exposed personal data belongs to a public records data provider named National Public Data, which specializes in background checks and fraud prevention.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/windows-update-downgrade-attack-unpatches-fully-updated-systems/?fbclid=IwZXh0bgNhZW0CMTEAAR0–prA9_hGyZKtXNmUWAMEYo65PsWQ0jmYmjUkUG0M4V6qpfJi1In4Iks_aem_ewth0l1HM91wA7Mtpuc53g
Tomi Engdahl says:
18-year-old security flaw in Firefox and Chrome exploited in attacks
https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/
A vulnerability disclosed 18 years ago, dubbed “0.0.0.0 Day”, allows malicious websites to bypass security in Google Chrome, Mozilla Firefox, and Apple Safari and interact with services on a local network.
However, it should be noted that this only affects Linux and macOS devices, and does not work on Windows.
For impacted devices, threat actors can exploit this flaw to remotely change settings, gain unauthorized access to protected information, and, in some cases, achieve remote code execution.
Despite being reported in 2008, 18 years ago, this problem remains unresolved on Chrome, Firefox, and Safari, though all three have acknowledged the problem and are working towards a fix.
Researchers at Oligo Security report that the risk not only makes attacks theoretically possible, but has observed multiple threat actors exploiting the vulnerability as part of their attack chains.
Malicious websites can send HTTP requests to 0.0.0.0 targeting a service running on the user’s local machine, and due to a lack of consistent security, these requests are often routed to the service and processed.
Existing protection mechanisms like Cross-Origin Resource Sharing (CORS) and Private Network Access (PNA) fail to stop this risky activity, explains Oligo.
By default, web browsers prevent a website from making requests to a third-party website and utilizing the returned information. This was done to prevent malicious websites from connecting to other URLs in a visitor’s web browser that they may be authenticated on, such as an online banking portal, email servers, or another sensitive site.
Web browsers introduced Cross-Origin Resource Sharing (CORS) to allow websites to access data from another site if they are explicitly allowed to.
Unfortunately, the risk isn’t just theoretical. Oligo Security has identified several cases where the “0.0.0.0 Day” vulnerability is actively exploited in the wild.
The first case is the ShadowRay campaign, which the same researchers documented last March. This campaign targets AI workloads running locally on developers’ machines (Ray clusters).
The attack begins with the victim clicking on a link sent via email or found on a malicious site that triggers JavaScript to send an HTTP request to ‘http://0[.]0[.]0[.]0:8265’, typically used by Ray.
Tomi Engdahl says:
https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
Cybersecurity researchers have discovered a new “0.0.0.0 Day” impacting all major web browsers that malicious websites could take advantage of to breach local networks.
0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, and enables external websites to communicate with software that runs locally on macOS and Linux. It does not affect Windows devices as Microsoft blocks the IP address at the operating system level.
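The two posts above describe the browser side of the problem; the service side is what a developer running a local tool can actually control. The following is an added example, not code from either article or from Oligo Security: a small loopback-bound HTTP service that refuses requests a browser would only send on behalf of a web page, by checking the Host, Sec-Fetch-Site and Origin headers. The function and class names, the use of port 8265 (the Ray port quoted above) and all sample headers are assumptions for this illustration.

```python
"""Reject browser-relayed requests at a local HTTP service.

Added example, not code from the articles above or from Oligo Security.
The 0.0.0.0 routing is a browser bug the service owner cannot patch, but a
service can still refuse requests that only a web page would make a
browser send. Function and class names, the port 8265 and all header
samples below are assumptions for this illustration.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping
from urllib.parse import urlsplit

# Hostnames a developer would type into the address bar for a local tool.
# 0.0.0.0 is deliberately absent: on Linux and macOS a browser request for
# http://0.0.0.0:PORT still reaches a loopback-bound listener, so binding to
# 127.0.0.1 alone does not stop it; the Host header is where it is caught.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _strip_port(host: str) -> str:
    """'127.0.0.1:8265' -> '127.0.0.1', '[::1]:8265' -> '[::1]'."""
    host = host.strip()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def is_trusted_request(headers: Mapping[str, str]) -> bool:
    """True only for requests that look like direct local use.

    Three independent checks, each sufficient to reject:
      Host            must name the loopback interface, never 0.0.0.0 or a
                      rebound DNS name;
      Sec-Fetch-Site  when present, must not say the request is cross-site;
      Origin          when present (sent on POST and on CORS fetches), must
                      be a loopback origin.
    """
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    if _strip_port(h.get("host", "")) not in ALLOWED_HOSTS:
        return False
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    origin = h.get("origin")
    if origin is not None and _strip_port(urlsplit(origin).netloc) not in ALLOWED_HOSTS:
        return False
    return True


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a local tool's HTTP API."""

    def _respond(self) -> None:
        # self.headers is an http.client.HTTPMessage; it supports .items()
        if not is_trusted_request(self.headers):
            self.send_error(403, "request relayed by a web page rejected")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _respond
    do_POST = _respond


def serve(port: int = 8265) -> None:
    """Listen on loopback only; the header checks above do the real work."""
    HTTPServer(("127.0.0.1", port), LocalOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

In a real service this check belongs in the framework's middleware rather than in a hand-written handler. The Host check is the same control that defeats DNS rebinding, so a service that already validates Host only needs to make sure 0.0.0.0 is not on its allow list; the Sec-Fetch-Site and Origin checks catch the case where a browser does not present a hostname the service recognises.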
Tomi Engdahl says:
Russian hacker group attacks car buyers
Ilkka Ahtokivi
Published 08.08.2024 | 13:20
Updated 08.08.2024 | 13:43
Information security, Russia
Fighting Ursa has used advertisements for Audi cars to lure people into clicking a malicious link.
https://www.verkkouutiset.fi/a/venalainen-hakkeriryhma-hyokkaa-auton-ostajien-kimppuun/#78f1161d
New research by the security company Palo Alto Networks shows that the Russian hacker group Fighting Ursa is using sales advertisements for an Audi Q7 Quattro SUV to lure diplomats in particular into installing malware.
The hacker group Fighting Ursa is also known as APT28, Fancy Bear and Sofacy. The group is considered to be linked to Russia's intelligence service. It uses creative methods to target and infect critical sources with malicious software, either to harm the recipient or to monitor their activities.
Tomi Engdahl says:
Critical AWS Vulnerabilities Allow S3 Attack Bonanza
https://www.darkreading.com/remote-workforce/critical-aws-vulnerabilities-allow-s3-attack-bonanza
Researchers at Aqua Security discovered the “Shadow Resource” attack vector and the “Bucket Monopoly” problem, where threat actors can guess the name of S3 buckets based on their public account IDs.
BLACK HAT USA – Las Vegas – Thursday, Aug. 8 – Six critical vulnerabilities in Amazon Web Services (AWS) could have allowed threat actors to target organizations with remote code execution (RCE), exfiltration, denial-of-service attacks, or even account takeovers.
“Most of the vulnerabilities were considered critical because they gave access to other accounts with minimal effort from the attacker perspective,” Aqua’s lead security researcher Yakir Kadkoda tells Dark Reading.
Open Source Projects in S3 Buckets Could Still Be Vulnerable
While AWS has mitigated the vulnerabilities impacting its services, Kadkoda warns that the attack vectors could still impact open source projects deployed in their AWS environments. Many open source projects automatically create S3 buckets or direct users to deploy them, he notes.
“We found a lot of open source projects vulnerable to this vector because they’re using them behind the scenes with predictable bucket names,” Kadkoda says.
Tomi Engdahl says:
Access to Gmail, the world’s largest free email provider, was disrupted for more than four hours worldwide on Thursday, August 8. Thousands of users reported being unable to send email or save attachments—here’s what happened: https://trib.al/oSw9Gar
Tomi Engdahl says:
CSC ServiceWorks discloses data breach after 2023 cyberattack
https://www.bleepingcomputer.com/news/security/csc-serviceworks-discloses-data-breach-after-2023-cyberattack/
Tomi Engdahl says:
New AMD SinkClose flaw helps install nearly undetectable malware
https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
Tomi Engdahl says:
2.9 billion hit in one of the largest data breaches ever — full names, addresses and SSNs exposed
By Anthony Spadafora
Stolen data was then put up for sale on the dark web
https://www.tomsguide.com/computing/online-security/29-billion-hit-in-one-of-largest-data-breaches-ever-full-names-addresses-and-ssns-exposed
Tomi Engdahl says:
Ransomware gang targets IT workers with new SharpRhino malware
https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-zero-days-in-end-of-life-ip-phones/
Tomi Engdahl says:
DN: Sweden's entire vehicle register is about to fall into Russian hands, including a large number of imported cars now in Finland
The matter is now being investigated in Sweden up to government level. The security police Säpo is also involved.
https://www.is.fi/autot/art-2000010619572.html
Russia's intelligence service is about to gain access to the vehicle register covering all of Sweden, Dagens Nyheter reveals.
According to the paper, Transportstyrelsen, Sweden's counterpart to Finland's Traficom, is currently in court against the Tönnjes group, which won the contract to manufacture all of Sweden's license plates, and is seeking to annul the company's soon-to-begin contract period before it takes effect.
Tönnjes won the competition to manufacture Swedish plates in the spring with a price almost half that of the other bidders.
The plate manufacturing on offer included access to the nationwide vehicle register, right down to the vehicles of Sweden's top state leadership, administration, police and rescue services.
According to DN's investigation, however, Tönnjes, which made the cheapest bid, has direct links to the Russian state leadership and is also the majority owner of the Russian company Znak, which specializes in license plate manufacturing.
Znak's founder and still its owner is Valeri Andrejevits Ponomarjev, a member of the Federation Council, Russia's upper house, who is also on the EU's sanctions list.
Tomi Engdahl says:
Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/?fbclid=IwY2xjawEjS9dleHRuA2FlbQIxMQABHRtwJwLCvT5gAMgwHcw4Y_pG-AVbu0i9MczXSqzxH0v0LCUZMd-qleZdBw_aem_zBjjPu79jxV9Q3Rp8CHzjg
Tomi Engdahl says:
Confusion Attacks in Apache HTTP Server Let Attackers Gain Root Access Remotely
https://cybersecuritynews.com/confusion-attacks-in-apache-http-server/
A recent research presentation at Black Hat USA 2024 revealed architectural vulnerabilities within the Apache HTTP Server, a widely used web server software.
The research highlights several technical debts within Httpd, including three types of Confusion Attacks, nine new vulnerabilities, 20 exploitation techniques, and over 30 case studies.
According to Orange Tsai’s research, the modules’ lack of deep understanding and the absence of stringent development guidelines create gaps and inconsistencies, making the system vulnerable to potential exploitation.
9 Discovered Vulnerabilities
The research discovered nine new vulnerabilities in the Apache HTTP Server.
Tomi Engdahl says:
Multiple class action lawsuits filed against Acadian Ambulance over data breach
https://www.kplctv.com/2024/08/07/multiple-class-action-lawsuits-filed-against-acadian-ambulance-over-data-breach/?fbclid=IwZXh0bgNhZW0CMTEAAR17k0ZJGq5xdIlKwwXEQWVXc009f3PSFhy2IlsrdBb4nUAm325gkclX33E_aem_wgxfVVUQMbcnB-2Kq-esKA
LAFAYETTE, La. (KPLC) – Numerous class action lawsuits have been filed in federal court against Acadian Ambulance in relation to patient health information being accessed by a hacker earlier this year, according to reporting by KLFY.
The federal suits, filed by patients and former employees, allege that the cybercriminal organization Daixin Team was able to access patient information such as full names, social security numbers, dates of birth, and medical and treatment information.
KLFY reports that the lawsuits say the hackers demanded Acadian Ambulance pay a $7 million ransom for the return of the stolen information. The ambulance company refused and instead offered to pay $173,000, which the hackers rejected.
Daixin has threatened to release the full data if its demands are not met.
It is unknown at this time what Acadian Ambulance has done to ensure similar incidents will not happen in the future.
Tomi Engdahl says:
https://www.tomshardware.com/pc-components/cpus/ghostwrite-vulnerability-exploits-architectural-bug-in-risc-v-cpu-to-gain-root-access
Tomi Engdahl says:
“one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer’s memory that, in many cases, it may be easier to discard a machine than to disinfect it.”
‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections
https://www.wired.com/story/amd-chip-sinkclose-flaw/?fbclid=IwY2xjawEkOctleHRuA2FlbQIxMQABHdIlY1y0My3fufWKObEz7b5obGK41TybTmieJCRpmLvTb7Lk_W9hL76tkw_aem_PjjeM-sXaj7af-phDHbRdw
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades
Tomi Engdahl says:
“When you give AI access to data, that data is now an attack surface for prompt injection.”
The Copilot AI Microsoft Built Into Windows Makes It Incredibly Hackable, Research Shows
https://futurism.com/the-byte/ai-microsoft-windows-incredibly-hackable
A security researcher has demonstrated that Microsoft’s Copilot AI can easily be manipulated into revealing an organization’s sensitive data, including emails and bank transactions. On top of that, Wired reports, it can also be weaponized into a powerful phishing machine that requires little of the effort usually needed to carry out these kinds of attacks.
“I can do this with everyone you have ever spoken to, and I can send hundreds of emails on your behalf,” Michael Bargury, the cofounder and CTO of security company Zenity, told Wired. “A hacker would spend days crafting the right email to get you to click on it, but they can generate hundreds of these emails in a few minutes.”
Bargury presented these findings at the Black Hat security conference in Las Vegas, joining other accounts of the liabilities posed by AI chatbots, including ChatGPT, that are tapped into datasets containing sensitive information that can be leaked.