Cyber security news August 2024

This posting is here to collect cyber security news in August 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

188 Comments

  1. Tomi Engdahl says:

    Cyber insurers are winners from the biggest ever IT outage
    In one of the market’s raciest corners, participants cannot be confident they will come off so lightly in the future
    https://www.ft.com/content/3faa79a5-f1a6-4d44-ba92-9b138bae0561

  2. Tomi Engdahl says:

    GitHub Attack Vector Cracks Open Google, Microsoft, AWS Projects
    Cloud services and thus millions of end users who access them could have been affected by the poisoning of artifacts in the development workflow of open source projects.
    https://www.darkreading.com/cloud-security/github-attack-vector-google-microsoft-aws-projects

  3. Tomi Engdahl says:

    A former security architect demonstrates 15 different ways to break Copilot: “Microsoft is trying, but if we are honest here, we don’t know how to build secure AI applications”
    By Kevin Okemwa published 2 days ago
    Microsoft Copilot could be a resourceful tool for hackers if security loopholes aren’t addressed soon.
    https://www.windowscentral.com/software-apps/former-security-architect-demonstrates-15-ways-to-break-copilot

  4. Tomi Engdahl says:

    CLFS Bug Crashes Even Updated Windows 10, 11 Systems
    A quick and easy exploit for crashing Windows computers has no fix yet nor really any way to mitigate its effects.
    https://www.darkreading.com/vulnerabilities-threats/clfs-bug-crashes-even-updated-windows-10-11-systems

  5. Tomi Engdahl says:

    https://www.facebook.com/share/p/EzUSyG3zMaZUJZNE/

    How the CrowdStrike Tech Outage Reignited a Battle Over the Heart of Microsoft Systems
    Access to the Windows ‘kernel’ helps in detecting cyber threats, but mistakes can crash computers

    Aug. 16, 2024 at 6:00 am ET
    https://www.wsj.com/articles/how-the-crowdstrike-tech-outage-reignited-a-battle-over-the-heart-of-microsoft-systems-72b62c90
    The July tech outage that knocked out businesses worldwide renews scrutiny over why some companies have access to the very heart of a computer and, therefore, the ability to suddenly crash it.

    Access to the “kernel,” considered the core of a computer’s operating system, is critical to protecting against viruses. But last month’s tech outage showed the risk of such openness on Microsoft’s Windows computers. Developers and software makers say there are safer ways to tap in to the kernel without full access, but Microsoft hasn’t made the leap.

    An errant software update from the cybersecurity firm CrowdStrike in July took out 8.5 million Microsoft Windows computers, disrupting operations for banks, emergency services, schools and hospitals while forcing airlines to ground flights.

    Allowing software makers to run “kernel drivers,” which are programs built to access a computer’s core and its hardware, isn’t the only option for their products to work. Apple, for instance, cuts off access to its MacOS operating system kernel to all third parties, forcing cyber vendors to operate in the more restricted “user mode.”

    In user mode, where most applications run today, buggy software can’t crash a computer. In kernel mode, where CrowdStrike and most other antivirus makers run on Windows, a faulty update can bring on the “blue screen of death.” But there are also benefits to running in kernel mode, such as giving antivirus makers access to the low-level system data critical for detecting cyberattacks and threats, and letting their tools activate before malware can.

    Another open-source alternative is already available on the Linux operating system, but it’s up to Microsoft to make it available for Windows, said Alexei Starovoitov, a Meta Platforms engineer and a creator of the technology.

    Called the Extended Berkeley Packet Filter, or eBPF, the decade-old technology pioneered by Starovoitov and others could have helped prevent CrowdStrike’s global outage, its proponents and cyber vendors say. EBPF puts programs in a walled-off environment in the kernel, preventing a bad or malicious update from reaching it and crashing a computer.

    CrowdStrike agrees. It’s a “super revolutionary technology,” the company’s president, Michael Sentonas, said. “If something happens where you have a crash, you don’t take out the entire kernel.”

    While headlines rolled out on the impact of the outage, Brendan Gregg, an eBPF pioneer and fellow at Intel, said he and other leaders of the open-source technology were talking: “We’re like, ‘We have worked on the solution to this for so many years.’”

    Kernel mode for everything

    Using the kernel isn’t new. “There’s a lot of software that we don’t even realize has access in kernel mode,” said Allie Mellen, a cybersecurity analyst at Forrester Research. Many functions on a computer simply work better with kernel access, Microsoft said.

    Gaming and photo-editing software and programs for printing and enabling Bluetooth all tap in to the kernel to interact with a computer’s hardware and improve its performance. Any of these can knock out a computer—and have.

    “Kernel modules crashing an operating system is nothing new,” said Craig Connors, chief technology officer of Cisco’s security business group. “It’s only new that it happened eight million times, from the same thing.”

    For Microsoft, the decision to give developers kernel-level access dates back about 15 years. A company spokesman said it can’t legally wall off its operating system because of an understanding it reached with the European Commission at the time.

    The case—brought by the commission over concerns that Microsoft may have abused its dominant market position by tying its web browser and other software to Windows—was resolved in December 2009 when Microsoft agreed to give users more browser choices. The company also committed to giving third-party vendors the same level of operating system access that Microsoft gets.

    In other words, Microsoft’s Defender security product can’t hold a competitive advantage over competing products by preventing them from accessing the kernel or running a kernel driver.

    With access to the Windows kernel, CrowdStrike and other antivirus makers must determine when it’s best to tap user mode instead of kernel mode in their products, and customers, in turn, have had to figure out the trade-offs in kernel programming decisions—no easy task for even experienced software developers.

    Microsoft Windows changes

    One of eBPF’s primary benefits is that it enables software like CrowdStrike’s to access the kernel, but lets only safe, verified programs actually run. That means the bad CrowdStrike update would have been walled off.
    Plus, a member of eBPF’s open-source community could have spotted bugs much sooner, Starovoitov said, “before it’s deployed to millions of servers around the world.”

    Microsoft has been working with the eBPF Foundation, which is part of the Linux Foundation, for several years to make it available on Windows, said Gregg of eBPF. CrowdStrike said it uses eBPF for Linux, and is willing to use it on Windows when Microsoft makes it available.

    But, Microsoft said eBPF isn’t ready for Windows yet, citing new security risks it could introduce. Its task is to secure and manage Windows holistically, not just the slice that cyber vendors use, it said.

    Gregg said that while it will take time for the technology to improve on Windows, its additional security measures still make it safer than using the kernel.

    Without providing a specific timeline, Microsoft said the most likely near-term solution is to give developers other options for direct and indirect kernel access. In the longer term, it will move toward an Apple-like approach where developers get pushed deeper into user mode and out of the kernel. That takes custom engineering work, it said, much of which is already done.

    Microsoft said it already has worked with some vendors, including CrowdStrike, to put more functionality in user mode. Regardless of how any developer accesses the kernel, they can still crash a computer without proper safeguards, testing and software rollout, Microsoft said.

    Long road ahead

    Still, some cyber vendors aren’t convinced Microsoft will enable eBPF, considered the Linux method, or wall off kernel access, following the Apple method.

    Alex Stamos, chief information security officer of CrowdStrike competitor SentinelOne, said regardless of the option Microsoft pursues, Microsoft’s own security product must use the same method of access as outside competitors. If not, Microsoft gives itself an unfair advantage as both operating system maker and security vendor, he said.

    Meanwhile, the pressure to find an alternative grows. In July, Germany’s powerful cybersecurity agency asked Microsoft to develop “more resilient architectures” for endpoint protection software with minimal kernel-level access.

    Cisco also is working with Microsoft to build eBPF for Windows, Connors said, aiming to use the technology for its Windows antivirus software.

    Any kernel overhaul requires a major product change and mind shift, said Gartner cybersecurity analyst Neil MacDonald. That’s time-consuming and costly for both Microsoft and its software partners. It might take the form of a larger Windows revamp, Stamos said, just as Apple made its change as part of a MacOS update and move to its own silicon.

    “It’s somewhat painful, but it’s a necessary evolution,” MacDonald said.

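The "only safe, verified programs actually run" step that the article attributes to eBPF, modelled as an added example. This is not code from the article, from eBPF or from any vendor: the toy bytecode, the three verifier rules (bounded size with a terminating exit, memory reads inside the buffer the host granted, forward-only jumps so execution cannot loop) and the sample programs are all assumptions constructed here, and the real eBPF verifier checks far more. What it shows is the mechanism the article describes: a "bad update" that reads past its buffer or never terminates is rejected before it runs, instead of faulting inside the host the way a kernel driver would.

```python
"""Toy model of load-time verification: the host runs third-party code only
after it has statically checked that the code cannot crash or hang the host.
Added example; the instruction set and rules below are invented for it."""

MEM_SIZE = 16   # bytes of host memory a program may read (assumption)
NUM_REGS = 4    # registers r0..r3 (assumption)
MAX_INSNS = 64  # program size cap (assumption)


class VerifyError(Exception):
    """Raised when a program is rejected before it ever runs."""


def _check_reg(pc, r):
    if not 0 <= r < NUM_REGS:
        raise VerifyError(f"insn {pc}: invalid register r{r}")


def verify(prog):
    """Static checks performed once, at load time, on the whole program.
    Instructions: ("const", r, v) ("load", r, off) ("add", r, r2)
                  ("jgt", r, v, target) ("exit",)"""
    if not prog or len(prog) > MAX_INSNS:
        raise VerifyError("empty or oversized program")
    if prog[-1][0] != "exit":
        raise VerifyError("program does not end with exit")
    for pc, insn in enumerate(prog):
        op = insn[0]
        if op == "const":
            _check_reg(pc, insn[1])
        elif op == "load":
            _check_reg(pc, insn[1])
            if not 0 <= insn[2] < MEM_SIZE:
                raise VerifyError(f"insn {pc}: read at offset {insn[2]} "
                                  f"outside {MEM_SIZE}-byte buffer")
        elif op == "add":
            _check_reg(pc, insn[1])
            _check_reg(pc, insn[2])
        elif op == "jgt":
            _check_reg(pc, insn[1])
            # Forward-only jumps: no loops, so every accepted program terminates.
            if not pc < insn[3] < len(prog):
                raise VerifyError(f"insn {pc}: jump to {insn[3]} is backward or out of range")
        elif op != "exit":
            raise VerifyError(f"insn {pc}: unknown opcode {op!r}")
    return True


def run(prog, mem):
    """Interpreter with no runtime bounds checks on purpose: this is the part
    that, in a kernel driver, faults and takes the host down. Returns r0."""
    regs = [0] * NUM_REGS
    pc = 0
    while True:
        insn = prog[pc]
        op = insn[0]
        if op == "const":
            regs[insn[1]] = insn[2]
        elif op == "load":
            regs[insn[1]] = mem[insn[2]]          # IndexError here == host crash
        elif op == "add":
            regs[insn[1]] = (regs[insn[1]] + regs[insn[2]]) & 0xFFFFFFFF
        elif op == "jgt":
            if regs[insn[1]] > insn[2]:
                pc = insn[3]
                continue
        elif op == "exit":
            return regs[0]
        pc += 1


def load_and_run(prog, mem):
    """What the host does with a vendor's program: verify, then run only if
    accepted. Returns ("ok", r0) or ("rejected", reason)."""
    try:
        verify(prog)
    except VerifyError as err:
        return ("rejected", str(err))
    return ("ok", run(prog, mem))


# Constructed sample input: a 16-byte packet-like buffer.
SAMPLE_MEM = bytes(range(16))

# Well-formed program: r0 = mem[0] + mem[15]; skip the extra add when r0 > 10.
GOOD_PROG = [("load", 0, 0), ("load", 1, 15), ("add", 0, 1),
             ("jgt", 0, 10, 5), ("add", 0, 1), ("exit",)]
# "Bad update": reads one byte past the buffer.
BAD_PROG = [("load", 0, 16), ("exit",)]
# Never terminates: backward jump.
LOOP_PROG = [("const", 0, 1), ("jgt", 0, 0, 0), ("exit",)]

if __name__ == "__main__":
    for name, prog in (("good", GOOD_PROG), ("oob", BAD_PROG), ("loop", LOOP_PROG)):
        print(name, load_and_run(prog, SAMPLE_MEM))
```

Calling `run(BAD_PROG, SAMPLE_MEM)` directly, without `verify`, raises IndexError: that is the kernel-driver path the article contrasts with, where the fault happens inside the host. With `load_and_run` the same program is refused up front and the host keeps running.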
  6. Tomi Engdahl says:

    After nearly 3B personal records leak online, Florida data broker confirms it was ransacked by cyber-thieves
    Names, addresses, Social Security
    https://www.theregister.com/2024/08/16/national_public_data_theft/

    That information, totaling billions of records, includes the names, Social Security numbers, physical and email addresses, and phone numbers of folks in the United States, UK, and Canada. It’s the sort of records data brokers regularly buy and sell.

    And it is now available via the dark web for anyone to download and use for fraud.

  7. Tomi Engdahl says:

    US suspects a Wi-Fi router is leaking data to China
    https://etn.fi/index.php/13-news/16485-usa-epaeilee-ettae-wi-fi-reititin-vuotaa-dataa-kiinaan

    Trade relations between China and the United States have soured, and now American politicians want the country’s Department of Commerce to investigate TP-Link’s popular Wi-Fi routers. The politicians want an investigation into whether the devices constitute a national security risk.

    In a letter sent last week, Representatives John Moolenaar and Raja Krishnamoorthi asked Commerce Secretary Gina Raimondo to open an investigation into TP-Link Technologies and its subsidiaries. According to them, the information they have obtained suggests that the company may be a serious threat to IT security.

  8. Tomi Engdahl says:

    This is how your money gets stolen now: two devious scams have become even more devious
    Online scams keep evolving. That is costing Finns dearly, police warn.
    https://www.is.fi/digitoday/tietoturva/art-2000010640021.html

  9. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/16488-uusi-haittaohjelma-varastaa-selaintiedot

    Check Point Research (CPR) has uncovered a new piece of malware that can steal browser data, Telegram and Discord instant-messaging conversations, and cryptocurrency. The malware, called Styx Stealer, is derived from the notorious Phemedrone Stealer.

    Styx Stealer targets companies across a range of industries worldwide and has caused significant data leaks by stealing sensitive information. The research revealed that the developer of Styx Stealer, who used the handle Sty1x, was in contact with the Agent Tesla threat actor Fucosreal. This link was discovered when CPR observed a spam campaign in March 2024 in which Agent Tesla malware was used in attacks against Chinese and other international companies.

  10. Tomi Engdahl says:

    If Windows suddenly locks up, do this
    If the BitLocker bug strikes, the machine boots itself into recovery mode, and there you are, stuck.
    https://www.iltalehti.fi/digiuutiset/a/5593fe66-1117-4cbb-92bd-f8ac01b1c64c

    In July Microsoft released a security update for Windows. It patched many security holes and problems, but also caused some. One of the most serious was a bug that could cause the machine to reboot into the BitLocker encryption screen.

    If you did not know the BitLocker key, as is probably the case for most employees using a work laptop, the machine was effectively held captive by Windows’ own protective wall. In practice, the data on the device was locked away, and that is where it would stay.

    ZDNet reports that, in its usual fashion, Microsoft has only commented drily that this is not a common occurrence. The company also does not say what could push a machine into recovery mode.

    On Reddit, meanwhile, the IT departments of various companies are lamenting that the bug has hit some machines in their organizations. All the machines have been HP or Lenovo laptops whose updates are handled through the company network.

    The Windows BitLocker recovery bug is fixed, according to Microsoft
    https://www.zdnet.com/article/the-windows-bitlocker-recovery-bug-is-fixed-according-to-microsoft/
    Last month’s BitLocker Recovery bug should be a wake-up call for everyone who owns a Windows PC. Make sure you have a copy of your recovery key so you can avoid being locked out of your data files. Here’s how.

  11. Tomi Engdahl says:

    Unlocking the Power of AI in Cybersecurity
    https://www.securityweek.com/unlocking-the-power-of-ai-in-cybersecurity/

    As adversaries increasingly exploit AI, security practitioners must not fall behind. What does it take to unlock the full potential of AI in cybersecurity?

  12. Tomi Engdahl says:

    Microsoft Copilot Studio Vulnerability Led to Information Disclosure

    A vulnerability in Microsoft Copilot Studio exposed information on internal services shared among tenants, potentially impacting multiple customers.

    https://www.securityweek.com/microsoft-copilot-studio-vulnerability-led-to-information-disclosure/

  13. Tomi Engdahl says:

    Cyberattack Disrupts Microchip Technology Manufacturing Facilities

    Microchip Technology has disclosed a cyberattack impacting operations at some of its manufacturing facilities.

    https://www.securityweek.com/cyberattack-disrupts-microchip-technology-manufacturing-facilities/

  14. Tomi Engdahl says:

    Major Backdoor in Millions of RFID Cards Allows Instant Cloning

    A significant backdoor in contactless cards made by China-based Shanghai Fudan Microelectronics allows instantaneous cloning of RFID cards used to open office doors and hotel rooms around the world.

    https://www.securityweek.com/major-backdoor-in-millions-of-rfid-cards-allows-instant-cloning/

    French security services firm Quarkslab has made an eye-popping discovery: a significant backdoor in millions of contactless cards made by Shanghai Fudan Microelectronics Group, a leading chip manufacturer in China.

    The backdoor, documented in a research paper by Quarkslab researcher Philippe Teuwen, allows the instantaneous cloning of RFID smart cards used to open office doors and hotel rooms around the world.

    Although the backdoor requires just a few minutes of physical proximity to an affected card to conduct an attack, an attacker in a position to carry out a supply chain attack could execute such attacks instantaneously at scale, Teuwen explained in the paper (PDF).

    Teuwen said he discovered the backdoor while conducting security experiments on the MIFARE Classic card family that is widely deployed in public transportation and the hospitality industry.

    The MIFARE Classic card family, originally launched in 1994 by Philips (now NXP Semiconductors), are widely used and have been subjected to numerous attacks over the years.

    Security vulnerabilities that allow “card-only” attacks (attacks that require access to a card but not the corresponding card reader) are of particular concern as they may enable attackers to clone cards, or to read and write their content, just by having physical proximity for a few minutes. Over the years, new versions of the MIFARE Classic family fixed the different types of attacks documented by security researchers.

    In 2020, the FM11RF08S variant of the MIFARE Classic was released by Shanghai Fudan Microelectronics, the leading Chinese manufacturer of unlicensed “MIFARE compatible” chips. Teuwen noted that this variant features specific countermeasures designed to thwart all known card-only attacks and has gradually gained market share worldwide.

    While looking at Shanghai Fudan’s FM11RF08S cards, which use a countermeasure dubbed by the community as “static encrypted nonce,” Teuwen devised an attack for that variant capable of cracking FM11RF08S keys in a few minutes if they are being reused across at least three sectors or three cards.

    Additional research revealed a hardware backdoor that allows authentication with an unknown key. Teuwen then used the new attack to obtain (“crack”) that secret key and found it to be common to all existing FM11RF08S cards.

    “The FM11RF08S backdoor enables any entity with knowledge of it to compromise all user-defined keys on these cards, even when fully diversified, simply by accessing the card for a few minutes,” Quarkslab said in a note, urging consumers to swiftly check their infrastructure and assess the risks.

    “Many are probably unaware that the MIFARE Classic cards they obtained from their supplier are actually Fudan FM11RF08 or FM11RF08S, as these two chip references are not limited to the Chinese market. For example, we found these cards in numerous hotels across the US, Europe, and India,” the company said.

    MIFARE Classic: exposing the static encrypted nonce variant… and a few hardware backdoors
    https://blog.quarkslab.com/mifare-classic-static-encrypted-nonce-and-backdoors.html

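Two claims in the Quarkslab write-up above are worth checking against your own key inventory: keys reused across at least three sectors or three cards can be recovered in minutes on FM11RF08S, and the backdoor recovers all user-defined keys on a card "even when fully diversified". The following is an added example, not code from Quarkslab, NXP or Fudan, that models both. It assumes a deployment that provisions 16 sectors per card from one master key; the diversification scheme (HMAC-SHA256 of UID and sector number, truncated to 48 bits) is an assumption chosen for the example and is not the vendors' derivation, and the backdoor itself is not modelled, only its outcome: the attacker walks away with every key on the card he held.

```python
"""Added example: key-reuse audit and blast-radius comparison for MIFARE
Classic style deployments. Derivation scheme and sample data are constructed
for this example and are not any vendor's scheme."""
import hashlib
import hmac
from collections import defaultdict

KEY_BYTES = 6   # MIFARE Classic keys are 48 bits
SECTORS = 16    # 1K card layout


def diversify_key(master_key: bytes, uid: bytes, sector: int) -> bytes:
    """Per-card, per-sector key. Assumption: HMAC-SHA256(master, uid || sector)
    truncated to 48 bits; not the NXP or Fudan derivation."""
    return hmac.new(master_key, uid + bytes([sector]), hashlib.sha256).digest()[:KEY_BYTES]


def provision_card(master_key: bytes, uid: bytes, diversified: bool) -> dict:
    """Keys (key A per sector) the deployment writes to one card."""
    if diversified:
        return {s: diversify_key(master_key, uid, s) for s in range(SECTORS)}
    # Flat provisioning: the same key on every sector of every card.
    return {s: master_key[:KEY_BYTES] for s in range(SECTORS)}


def key_reuse_exposure(fleet: dict, threshold: int = 3) -> dict:
    """Audit an inventory {uid: {sector: key}}. Returns every key used in at
    least `threshold` (card, sector) slots, i.e. the reuse condition the
    FM11RF08S key-recovery attack needs."""
    uses = defaultdict(list)
    for uid, keys in fleet.items():
        for sector, key in keys.items():
            uses[key].append((uid, sector))
    return {key: slots for key, slots in uses.items() if len(slots) >= threshold}


def backdoor_extract(card_keys: dict) -> set:
    """Outcome the write-up describes: all user-defined keys of one card,
    obtained by holding that card for a few minutes."""
    return set(card_keys.values())


def cards_opened_by(extracted_keys: set, fleet: dict) -> set:
    """Cards whose every sector key is in the attacker's set: cards he can clone."""
    return {uid for uid, keys in fleet.items() if set(keys.values()) <= extracted_keys}


# Constructed sample deployment: one master key, three cards.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
UIDS = [bytes.fromhex("04a1b2c3"), bytes.fromhex("04d4e5f6"), bytes.fromhex("04178293")]


def build_fleet(diversified: bool) -> dict:
    return {uid: provision_card(MASTER_KEY, uid, diversified) for uid in UIDS}


def attack_outcome(diversified: bool) -> int:
    """Cards the attacker can clone after extracting the keys of the first card."""
    fleet = build_fleet(diversified)
    stolen = backdoor_extract(fleet[UIDS[0]])
    return len(cards_opened_by(stolen, fleet))


if __name__ == "__main__":
    for div in (False, True):
        fleet = build_fleet(div)
        print("diversified" if div else "flat keys",
              "| keys used in >=3 slots:", len(key_reuse_exposure(fleet)),
              "| cards cloneable after extracting one card:", attack_outcome(div))
```

Diversification keeps the damage to the one card the attacker held, which is the right design regardless; it does not stop that card from being cloned, which is the point Quarkslab makes. If your own dump shows keys flagged by `key_reuse_exposure`, that is the condition under which the published attack recovers them in minutes even without the backdoor.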
  15. Tomi Engdahl says:

    Hacker Tried to Dodge Child Support by Breaking Into Registry to Fake His Death, Prosecutors Say

    Kentucky man attempted to fake his death to avoid paying child support obligations by hacking into state registries and falsifying official records.

    https://www.securityweek.com/hacker-tried-to-dodge-child-support-by-breaking-into-registry-to-fake-his-death-prosecutors-say/

  16. Tomi Engdahl says:

    Degraded Performance Issue Sparks Concern Among CrowdStrike Customers

    CrowdStrike has addressed a cloud service issue causing degraded performance and boot times for some of its customers.
    https://www.securityweek.com/degraded-performance-issue-sparks-concern-among-crowdstrike-customers/

  17. Tomi Engdahl says:

    SolarWinds left critical hardcoded credentials in its Web Help Desk product
    Why go to the effort of backdooring code when devs will basically do it for you accidentally anyway
    https://www.theregister.com/2024/08/22/hardcoded_credentials_bug_solarwinds_whd/

  18. Tomi Engdahl says:

    Chinese Hackers Exploiting Zero-Day Flaw in Cisco Switches to Deploy Malware
    https://cybersecuritynews.com/chinese-hackers-exploiting-zero-day/

  19. Tomi Engdahl says:

    Chrome Zero-day Vulnerability (CVE-2024-7971) Actively Exploited in The Wild
    https://cybersecuritynews.com/chrome-zero-day-vulnerability/
