Cyber security news September 2024

This posting is here to collect cyber security news in September 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

149 Comments

  1. Tomi Engdahl says:

It's worth checking the underside of this device. Yle: Supo confirmed the spying
According to the Finnish Security Intelligence Service (Supo), non-democratic states have used unprotected network devices in Finnish households for espionage, Yle reports.
https://www.iltalehti.fi/digiuutiset/a/8191802c-fb1b-49f3-a7ce-c29b4f48b8d6

    Reply
  2. Tomi Engdahl says:

    Revival Hijack supply-chain attack threatens 22,000 PyPI packages
    https://www.bleepingcomputer.com/news/security/revival-hijack-supply-chain-attack-threatens-22-000-pypi-packages/

    Threat actors are utilizing an attack called “Revival Hijack,” where they register new PyPi projects using the names of previously deleted packages to conduct supply chain attacks.

    The technique “could be used to hijack 22K existing PyPI packages and subsequently lead to hundreds of thousands of malicious package downloads,” the researchers say.

    Reply
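The defence that makes a revived package name harmless is hash pinning: a lockfile that records the SHA-256 of every artifact, as `pip install --require-hashes` does. The following added example (written for this page, not tooling from the researchers, pip or PyPI) parses such a lockfile and checks fetched artifacts against it. The package name, version and artifact bytes are constructed for the demo; the "revived" artifact keeps the same name and version string but carries different content, which is exactly what the hash check catches.

```python
"""Added example: verifying a hash-pinned lockfile so that a re-registered
(revived) PyPI name cannot silently substitute new code.

Illustrative code written for this page, not pip's implementation and not
the researchers' tooling. Names, versions and artifact bytes are constructed."""
import hashlib
import re

# One lock line in the pip --require-hashes style: name==version --hash=sha256:<hex> ...
LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s]+)\s+"
    r"(?P<hashes>(?:--hash=sha256:[0-9a-f]{64}\s*)+)$"
)


def parse_lock(text):
    """Return {normalized-name: (version, {sha256 hex digests})}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable lock line: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        name = m.group("name").lower().replace("_", "-")  # PEP 503 style normalization
        pins[name] = (m.group("version"), hashes)
    return pins


def verify_artifacts(pins, artifacts):
    """artifacts: {name: (version, bytes)} as fetched from the index.

    Returns [(name, verdict)]. Only 'ok' means the bytes match a pinned digest;
    a revived project that re-uses the version string still fails the hash."""
    results = []
    for name, (pinned_version, pinned_hashes) in pins.items():
        if name not in artifacts:
            results.append((name, "missing"))
            continue
        version, data = artifacts[name]
        if version != pinned_version:
            results.append((name, "version-mismatch"))
            continue
        digest = hashlib.sha256(data).hexdigest()
        results.append((name, "ok" if digest in pinned_hashes else "hash-mismatch"))
    return results


def demo():
    """Constructed scenario: the original wheel versus a re-registered one."""
    good = b"PK\x03\x04 constructed bytes of the original example-pkg 1.2.0 wheel"
    lock = (
        "# constructed lockfile\n"
        f"example-pkg==1.2.0 --hash=sha256:{hashlib.sha256(good).hexdigest()}\n"
    )
    pins = parse_lock(lock)
    # Same name, same version string, different content uploaded by whoever
    # re-registered the deleted project name.
    revived = b"PK\x03\x04 constructed bytes of a re-registered example-pkg 1.2.0"
    return {
        "original": verify_artifacts(pins, {"example-pkg": ("1.2.0", good)}),
        "revived": verify_artifacts(pins, {"example-pkg": ("1.2.0", revived)}),
    }


if __name__ == "__main__":
    for scenario, verdicts in demo().items():
        print(scenario, verdicts)
```

The check is deliberately keyed on the lockfile's digest rather than on the project name or version: both of those are exactly what a revival hijack preserves. A name that has no pinned hash at all is the case to treat as untrusted, not as a pass.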
  3. Tomi Engdahl says:

Hybrid warfare expert Jakub Kalenský: four ways to counter disinformation
https://www.kouvolanturvallisuus.fi/ajankohtaiset/hybridisodankaynnin-asiantuntija-jakub-kalensky-nelja-tapaa-torjua-disinformaatiota/

Disinformation can erode the resolve and capacity to act of governments and citizens surprisingly effectively. But what can be done about it?

Jakub Kalenský of the European Centre of Excellence for Countering Hybrid Threats has been studying these themes for years.

"My primary area of expertise is Russian disinformation, which I have studied since 2015," says Kalenský, who serves as deputy director of the Centre's hybrid influence team. According to him, the good news in all this is that a great deal can be done to tame the ever-growing wave of disinformation.

    Reply
  4. Tomi Engdahl says:

    YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
    Sophisticated attack breaks security assurances of the most popular FIDO key.
    https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

    Reply
  5. Tomi Engdahl says:

    In Leak, Facebook Partner Brags About Listening to Your Phone’s Microphone to Serve Ads for Stuff You Mention
    https://futurism.com/the-byte/facebook-partner-phones-listening-microphone

    Reply
  6. Tomi Engdahl says:

    Vulnerabilities In Two WordPress Contact Form Plugins Affect +1.1 Million
    Vulnerabilities discovered in two of the most popular WordPress contact form plugins could affect over 1.1 million installations
    https://www.searchenginejournal.com/wordpress-contact-form-vulnerabilities/526057/

The affected contact form plugins are Ninja Forms (with over 800,000 installations) and Contact Form Plugin by Fluent Forms (+300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.

    Ninja Forms is affected by a failure to escape a URL which can lead to a reflected cross-site scripting attack (reflected XSS) and the Fluent Forms vulnerability is due to an insufficient capability check.

    Reply
  7. Tomi Engdahl says:

    When Cyber Security Breaches Are Inevitable, It’s Time To Call For A New Approach
    https://www.forbes.com/sites/keithferrazzi/2024/09/03/when-cyber-security-breaches-are-inevitable-its-time-to-call-for-a-new-approach/

    At the TED Conference in Vancouver this year, our Radical Innovators foundation hosted a forum with more than 60 of the world’s top CHROs, CIOs, and founders. On the agenda: how new technologies like AI and quantum computing can elevate our human experience, transforming how we work and live together.

    Despite the hopeful purpose of this impressive community, we also felt compelled to host a session on a more troubling topic: how these same emerging technologies will supercharge cybersecurity threats. We asked thought leader and CISO of T-Mobile, Jeff Simon to facilitate this future of security discussion with an impressive list of very engaged tech execs.

    Reply
  8. Tomi Engdahl says:

    Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery
    https://www.yubico.com/support/security-advisories/ysa-2024-03/

    A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue in Yubico devices is moderate.

    An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key. See Affected Use Cases and Mitigations for more details.

    The moderate vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default. YubiKey PIV and OpenPGP applications and YubiHSM 2 usage may also be impacted depending on configuration and algorithm choices by the end user.

    Reply
  9. Tomi Engdahl says:

    Hackers poison Google search results by spreading malware as spoofed VPN solution
    https://cybernews.com/news/hackers-poison-google-search-results-spreading-malware/

    Reply
  10. Tomi Engdahl says:

    Approximately $11,000 worth of scopes and probes according to Ars Technica. The equipment used is listed in the whitepaper itself. Essentially, only a nation state actor or very sophisticated outfit is going to have this type of gear lying around and the expertise to use it.
    https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

    https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

    Reply
  11. Tomi Engdahl says:

Master of snooping: this is how often you should turn off your phone
The US National Security Agency (NSA) recommends turning your smartphone off once a week.
https://www.iltalehti.fi/digiuutiset/a/80420c2c-6941-47b2-bb61-93f57c878b68

Taking care of your phone's privacy usually requires common sense and following a few clear rules of thumb.

For example, it is wise to be wary of open networks, apps downloaded from outside the app store, links in emails and text messages, and suspicious callers.

The NSA's guidance contains an interesting detail: the agency recommends shutting the phone down and restarting it weekly.

According to the NSA, this simple trick may help against so-called zero-click exploit attacks, in which the malicious payload activates without any action by the device's user, as well as against targeted phishing.

The document does note, however, that shutting the device down is not a sure way to avoid these attacks. Even though it is no silver bullet, turning the phone off once a week at least does no harm.

    Reply
  12. Tomi Engdahl says:

    Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and Espionage

    A secretive Russian military unit, previously linked to assassinations and destabilization in Europe, is blamed for destructive wiper malware attacks in Ukraine.

    https://www.securityweek.com/russian-gru-unit-tied-to-assassinations-linked-to-global-cyber-sabotage-and-espionage/

    A secretive Russian military intelligence unit, previously tied to foreign assassinations and destabilizing actions in Europe, has now been linked to cyberespionage and sabotage operations for the first time, according to a joint advisory from the US government and its allies.

    The military unit — identified as Russian GRU’s 161st Specialist Training Center (Unit 29155) — is being blamed for a series of aggressive cyber operations around the world, including the destructive WhisperGate malware that wiped the Master Boot Record (MBR) of computers in Ukraine.

    Reply
  13. Tomi Engdahl says:

    How Exceptional CISOs Are Igniting the Security Fire in Their Development Team

    For years, many CISOs have struggled to influence their development cohort on the importance of putting security first.

    https://www.securityweek.com/how-exceptional-cisos-are-igniting-the-security-fire-in-their-development-team/

    Reply
  14. Tomi Engdahl says:

    CISA Breaks Silence on Controversial ‘Airport Security Bypass’ Vulnerability

    Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems.

    https://www.securityweek.com/cisa-responds-after-disclosure-of-controversial-airport-security-bypass-vulnerability/

    The cybersecurity agency CISA has issued a response following the disclosure of a controversial vulnerability in an application related to airport security systems.

    In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems.

    The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs.

    Reply
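The bug class named above, SQL injection in a login or lookup path, is easiest to see side by side with its fix. The added example below is written for this page and is not FlyCASS code; it reconstructs nothing about that application. It uses an in-memory SQLite table with constructed rows (plaintext passwords only to keep the demo focused) and shows a query built by string concatenation being bypassed both with a tautology and with a comment sequence, while the parameterized query treats the same inputs as plain data.

```python
"""Added example, not FlyCASS code: string-built SQL versus parameterized SQL.
Table, rows and inputs are constructed for the demo."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE crew (username TEXT, password TEXT, airline TEXT)")
    # Plaintext passwords only so the demo stays about the query, not hashing.
    conn.executemany(
        "INSERT INTO crew VALUES (?, ?, ?)",
        [("alice", "correct-horse", "ExampleAir"),
         ("bob", "battery-staple", "ExampleAir")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text."""
    sql = (
        "SELECT username FROM crew "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened: placeholders keep the input out of the SQL grammar."""
    sql = ("SELECT username FROM crew WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"      # turns the WHERE clause into always-true
    comment = "alice' --"          # ends the string and comments out the password check
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong-password"),
        "safe_tautology": login_parameterized(conn, tautology, tautology),
        "safe_comment": login_parameterized(conn, comment, "wrong-password"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:16} -> {rows}")
```

With the tautology the string-built query matches every row; with the comment payload it returns a chosen account without the password ever being compared. The parameterized version returns nothing for both, because the driver never lets the input become part of the statement. Input filtering is not a substitute: the fix is the placeholder, applied to every query path, not a blocklist of quote characters.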
  15. Tomi Engdahl says:

    Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild

    SonicWall is warning customers that the recently patched critical vulnerability CVE-2024-40766 may be exploited in the wild.

    https://www.securityweek.com/recent-sonicwall-firewall-vulnerability-potentially-exploited-in-the-wild/

    Reply
  16. Tomi Engdahl says:

    LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

    A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies.

    https://www.securityweek.com/litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites-to-attacks/

    Reply
  17. Tomi Engdahl says:

    Incident Response
    UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike

    UnitedHealth Group’s CEO Andrew Witty shares details on the damaging cyberattack in testimony before a US Congress committee set for May 1, 2024.

    https://www.securityweek.com/unitedhealth-ceo-says-hackers-lurked-in-network-for-nine-days-before-ransomware-strike/

    Reply
  18. Tomi Engdahl says:

    Vulnerabilities
    LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks

    A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies.

    https://www.securityweek.com/litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites-to-attacks/

    Reply
  19. Tomi Engdahl says:

    New RAMBO Attack Allows Air-Gapped Data Theft via RAM Radio Signals

    An academic researcher has devised a new method of exfiltrating data from air-gapped systems using radio signals from memory buses.

    https://www.securityweek.com/new-rambo-attack-allows-air-gapped-data-theft-via-ram-radio-signals/

    An academic researcher has devised a new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems.

    According to Mordechai Guri from Ben-Gurion University of the Negev in Israel, malware can be used to encode sensitive data that can be captured from a distance using software-defined radio (SDR) hardware and an off-the-shelf antenna.

    The attack, named RAMBO (PDF), allows attackers to exfiltrate encoded files, encryption keys, images, keystrokes, and biometric information at a rate of 1,000 bits per second. Tests were conducted over distances of up to 7 meters (23 feet).

    Reply
  20. Tomi Engdahl says:

    Intel Warns of 20+ Vulnerabilities, Advises Firmware Updates
    Intel on Tuesday published advisories covering more than 20 vulnerabilities affecting processors and other products.
    https://www.securityweek.com/intel-informs-customers-about-over-a-dozen-processor-vulnerabilities/

    Reply
  21. Tomi Engdahl says:

    Ransomware
    Google Introduces ‘Air-Gapped’ Backup Vault to Thwart Ransomware

    “It’s critical to not only back up your critical workloads, but also to secure those backups against subsequent modification and deletion.”
By Ryan Naraine
https://www.securityweek.com/google-introduces-air-gapped-backup-vault-to-thwart-ransomware/

    Reply
  22. Tomi Engdahl says:

    Malware & Threats
    PIXHELL Attack Allows Air-Gap Jumping via Noise From Screens

    Noise generated by the pixels on a screen can be leveraged to exfiltrate data from air-gapped computers in what is called a PIXHELL attack.

    https://www.securityweek.com/pixhell-attack-allows-air-gap-jumping-via-noise-from-screens/

    A researcher has presented the details of a new attack method for exfiltrating data from air-gapped computers using the noise generated by the ‘pixels’ on the screen.

    The data exfiltration method, named PIXHELL, was discovered by Mordechai Guri of the Ben-Gurion University of the Negev in Israel.

    Over the past years, Guri and other researchers have demonstrated several methods for jumping air gaps, including through ultrasonic tones, RAM-generated Wi-Fi signals, fan vibrations, heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, noise from hard drives and fans, and electromagnetic radiation.

    Most recently, Guri published a paper on an air-gap-jumping attack called RAMBO, which relies on radio signals from memory buses.

    In the case of the PIXHELL attack, as with all of these types of attacks, the attacker needs to find a way to plant malware on the air-gapped computer from which they want to exfiltrate data. This can be achieved using malicious insiders, social engineering or supply chain attacks.

    The malware can collect sensitive information from the targeted device, such as passwords and encryption keys, and convert them into ‘0’ and ‘1’ bits that can be transmitted through the noise. For instance, a certain frequency can represent a ‘1’ and a different frequency a ‘0’.

    These bits can be captured by a nearby smartphone, microphone or laptop at a rate of 5-20 bits per second (bps) over distances ranging between 0 and 2.5 meters (8 feet), according to the experiments conducted by the researcher.

    A paper published on September 7 provides technical details, as well as countermeasures for this type of attack. A video that shows the PIXHELL attack in action is also available.

    Reply
  23. Tomi Engdahl says:

    Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing in the Security Industry

    Five reasons why “Ambulance Chasing” and mocking harm the security profession and are never a good idea.

    https://www.securityweek.com/beyond-immature-rhetoric-the-case-against-mockery-and-ambulance-chasing-in-the-security-industry/

    Reply
  24. Tomi Engdahl says:

    Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
    https://thehackernews.com/2024/09/chinese-hackers-exploit-visual-studio.html

    The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.

    “This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.

    The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.

    Reply
  25. Tomi Engdahl says:

    https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/

    Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system.

    The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10.

    Microsoft did not provide any information on public exploitation or release IOCs (indicators of compromise) or other data to help defenders hunt for signs of infections. The company said the issue was reported anonymously.

    Redmond’s documentation of the bug suggests a downgrade-type attack similar to the ‘Windows Downdate’ issue discussed at this year’s Black Hat conference.

    From the Microsoft bulletin:

    “Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015).

    Reply
  26. Tomi Engdahl says:

    Cybercrime
    Evasion Tactics Used By Cybercriminals To Fly Under The Radar

    Relentless in their methods, attackers will continue employing evasion tactics to circumvent traditional security measures.

    https://www.securityweek.com/evasion-tactics-used-by-cybercriminals-to-fly-under-the-radar/

    Reply
  27. Tomi Engdahl says:

    Tom Warren / The Verge:
    Microsoft plans to make changes to Windows that will help CrowdStrike, Broadcom, and other security vendors operate outside of the Windows kernel — Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel.

    Microsoft is building new Windows security features to prevent another CrowdStrike incident
    / There’s no talk of locking down the Windows kernel just yet, but Microsoft clearly wants to move endpoint security systems out of there.
    https://www.theverge.com/2024/9/12/24242947/microsoft-windows-security-kernel-access-features-crowdstrike

    Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel. The announcement stems from a Microsoft-hosted security summit earlier this week at the company’s Redmond, Washington, headquarters, where it discussed changes to Windows in the wake of the disastrous CrowdStrike incident in July.

    Windows kernel access has been a hot topic ever since the CrowdStrike catastrophe took down 8.5 million Windows PCs and servers. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system that has unrestricted access to system memory and hardware. That’s what allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.

    In the months since, Microsoft has called for changes to Windows to improve resiliency and dropped hints about moving security vendors out of the Windows kernel to prevent this from happening again. But there’s been pressure on Microsoft, from both partners and regulators, to not move unilaterally in making that change.

    Microsoft says it has now “discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors” with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

    “Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with safe deployment practices, can be used to create highly available security solutions,” says David Weston, vice president of enterprise and OS security at Microsoft.

    Reply
  28. Tomi Engdahl says:

    Kyle Wiggers / TechCrunch:
    The White House says Adobe, Cohere, Microsoft, Anthropic, OpenAI, and Common Crawl made voluntary commitments to fight AI-generated image-based sexual abuse — The White House has announced that several major AI vendors, including OpenAI and Microsoft, have committed to taking steps …

    AI
    White House extracts voluntary commitments from AI vendors to combat deepfake nudes
    https://techcrunch.com/2024/09/12/white-house-extracts-voluntary-commitments-from-ai-vendors-to-combat-deepfake-nudes/

    Reply
  29. Tomi Engdahl says:

Watch out: this message hijacks your user account, and then email goes out from you to as many as thousands of people
The scam is especially treacherous because users receive an email from a genuine sender rather than a forgery.
https://www.is.fi/digitoday/tietoturva/art-2000010694886.html

Finland's information security authority, the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, warns of emails from Dropbox that are being used to phish for user credentials. The authority is aware of about 60 account compromises since July.

The emails are sent to companies, and they phish for users' Microsoft 365 credentials.

The attack takes place via a PDF file shared in Dropbox. A notification of the share arrives in the target's email. The PDF file in turn contains a link to a phishing site that steals the M365 credentials.

    Reply
  30. Tomi Engdahl says:

    Endpoint Security
    Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel

    Microsoft is revamping how anti-malware tools interact with the Windows kernel to avoid another CrowdStrike faulty update catastrophe.

    https://www.securityweek.com/post-crowdstrike-fallout-microsoft-redesigning-edr-vendor-access-to-windows-kernel/

    Microsoft plans to redesign the way anti-malware products interact with the Windows kernel in direct response to the global IT outage in July that was caused by a faulty CrowdStrike update.

    Technical details on the changes are not yet available, but the world’s largest software vendor said “new platform capabilities” will be fitted into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability.

    Following a one-day summit in Redmond with EDR vendors, Microsoft vice president David Weston described the OS tweaks as part of long-term steps to serve resilience and security goals.

    https://www.securityweek.com/microsoft-convenes-endpoint-security-firms-following-crowdstrike-incident/

    Reply
  31. Tomi Engdahl says:

    Apple Patches Vision Pro Vulnerability to Prevent GAZEploit Attacks

    Apple has released a patch for Vision Pro after researchers showed how an attacker can obtain passwords typed by looking at keys.

    https://www.securityweek.com/apple-patches-vision-pro-vulnerability-to-prevent-gazeploit-attacks/

    Reply
