This posting is here to collect cyber security news in September 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
149 Comments
Tomi Engdahl says:
It is worth taking a look at the bottom of this device – Yle: Supo confirmed espionage
According to the Finnish Security and Intelligence Service (Supo), non-democratic states have used unprotected network devices in Finnish households for espionage. Yle reports on the matter.
https://www.iltalehti.fi/digiuutiset/a/8191802c-fb1b-49f3-a7ce-c29b4f48b8d6
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16545-tietomurto-maksaa-jo-laehes-viisi-miljoonaa-dollaria
Tomi Engdahl says:
Revival Hijack supply-chain attack threatens 22,000 PyPI packages
https://www.bleepingcomputer.com/news/security/revival-hijack-supply-chain-attack-threatens-22-000-pypi-packages/
Threat actors are utilizing an attack called “Revival Hijack,” where they register new PyPI projects using the names of previously deleted packages to conduct supply chain attacks.
The technique “could be used to hijack 22K existing PyPI packages and subsequently lead to hundreds of thousands of malicious package downloads,” the researchers say.
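A defensive check prompted by the Revival Hijack report, added here as an example and not code from the post or the researchers: it flags a pinned dependency when the index's oldest upload for that name is newer than the date the dependency was first adopted, or when the name no longer resolves at all. The metadata layout follows the PyPI JSON API's "releases" structure; all package names and dates below are constructed sample data.

```python
"""Defensive check for re-registered ("revived") PyPI package names.

Heuristic: if we first pinned a dependency on date D, but the oldest
upload the index now reports for that name is *newer* than D, the
original project was removed and the name has since been re-registered
by someone else. Deleted names that no longer resolve are flagged too.
The metadata shape mirrors the PyPI JSON API ("releases" keyed by
version, each file carrying "upload_time_iso_8601"), but every record
below is constructed sample data, not a real project.
"""
from datetime import datetime
from typing import Dict, List, Optional


def parse_pypi_time(ts: str) -> datetime:
    """PyPI timestamps look like 2021-03-04T12:00:00.000000Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def earliest_upload(project_json: dict) -> Optional[datetime]:
    """Oldest upload time across every file of every release, or None if empty."""
    times = [
        parse_pypi_time(f["upload_time_iso_8601"])
        for files in project_json.get("releases", {}).values()
        for f in files
    ]
    return min(times) if times else None


def find_revived(pins: Dict[str, str], metadata: Dict[str, dict]) -> List[str]:
    """Return the pinned names whose index history does not predate our pin.

    pins:     package name -> ISO-8601 date we first adopted the dependency
    metadata: package name -> PyPI JSON document (absent if the name is gone)
    """
    flagged = []
    for name, pinned_on in pins.items():
        pinned_at = parse_pypi_time(pinned_on)
        doc = metadata.get(name)
        if doc is None:
            flagged.append(name)          # name vanished: deleted, not (yet) revived
            continue
        first = earliest_upload(doc)
        if first is None or first > pinned_at:
            flagged.append(name)          # history starts after we adopted it
    return flagged


# Constructed sample data: dates we first pinned each dependency ...
PINS = {
    "goodlib": "2020-01-01T00:00:00Z",
    "oldtool": "2020-01-01T00:00:00Z",
    "gonelib": "2019-06-01T00:00:00Z",
}
# ... and what the index reports today (constructed, not real projects).
METADATA = {
    "goodlib": {"releases": {
        "1.0": [{"upload_time_iso_8601": "2019-05-05T10:00:00.000000Z"}],
        "1.1": [{"upload_time_iso_8601": "2023-02-01T09:15:00.000000Z"}],
    }},
    # original project deleted; the same name re-registered in September 2024
    "oldtool": {"releases": {
        "0.9": [{"upload_time_iso_8601": "2024-09-02T08:30:00.000000Z"}],
    }},
    # "gonelib" is absent: the name no longer resolves on the index
}

if __name__ == "__main__":
    for name in find_revived(PINS, METADATA):
        print(f"review before installing: {name}")
```

In real use the per-name documents would be fetched from the index's JSON endpoint and the pin dates taken from your lockfile's history; a flagged name is a prompt for manual review, not proof of compromise.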
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-backports-fix-for-pixel-eop-flaw-to-other-android-devices/
Tomi Engdahl says:
Hybrid warfare expert Jakub Kalenský: four ways to counter disinformation
https://www.kouvolanturvallisuus.fi/ajankohtaiset/hybridisodankaynnin-asiantuntija-jakub-kalensky-nelja-tapaa-torjua-disinformaatiota/
Disinformation can erode the resolve and capacity to act of governments and citizens surprisingly effectively. But what can be done about it?
Jakub Kalenský of the European Centre of Excellence for Countering Hybrid Threats has been studying these themes for years.
“My number one area of expertise is Russian disinformation, which I have studied since 2015,” says Kalenský, who serves as deputy director of the centre's hybrid influence team. According to him, the good news in all this is that a great deal can be done to tame the ever-growing wave of disinformation.
Tomi Engdahl says:
YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel
Sophisticated attack breaks security assurances of the most popular FIDO key.
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Tomi Engdahl says:
In Leak, Facebook Partner Brags About Listening to Your Phone’s Microphone to Serve Ads for Stuff You Mention
https://futurism.com/the-byte/facebook-partner-phones-listening-microphone
Tomi Engdahl says:
Vulnerabilities In Two WordPress Contact Form Plugins Affect +1.1 Million
Vulnerabilities discovered in two of the most popular WordPress contact form plugins could affect over 1.1 million installations
https://www.searchenginejournal.com/wordpress-contact-form-vulnerabilities/526057/
The affected contact form plugins are Ninja Forms (with over 800,000 installations) and Contact Form Plugin by Fluent Forms (+300,000 installations). The vulnerabilities are not related to each other and arise from separate security flaws.
Ninja Forms is affected by a failure to escape a URL which can lead to a reflected cross-site scripting attack (reflected XSS) and the Fluent Forms vulnerability is due to an insufficient capability check.
Tomi Engdahl says:
When Cyber Security Breaches Are Inevitable, It’s Time To Call For A New Approach
https://www.forbes.com/sites/keithferrazzi/2024/09/03/when-cyber-security-breaches-are-inevitable-its-time-to-call-for-a-new-approach/
At the TED Conference in Vancouver this year, our Radical Innovators foundation hosted a forum with more than 60 of the world’s top CHROs, CIOs, and founders. On the agenda: how new technologies like AI and quantum computing can elevate our human experience, transforming how we work and live together.
Despite the hopeful purpose of this impressive community, we also felt compelled to host a session on a more troubling topic: how these same emerging technologies will supercharge cybersecurity threats. We asked thought leader and CISO of T-Mobile, Jeff Simon to facilitate this future of security discussion with an impressive list of very engaged tech execs.
Tomi Engdahl says:
https://www.dailymail.co.uk/sciencetech/article-13805393/Facebook-partner-brags-listening-phones-microphone-serve-ads.html
Tomi Engdahl says:
https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
Tomi Engdahl says:
Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery
https://www.yubico.com/support/security-advisories/ysa-2024-03/
A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in YubiKey 5 Series, and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. The severity of the issue in Yubico devices is moderate.
An attacker could exploit this issue as part of a sophisticated and targeted attack to recover affected private keys. The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the attacker may also require additional knowledge including username, PIN, account password, or authentication key. See Affected Use Cases and Mitigations for more details.
The moderate vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default. YubiKey PIV and OpenPGP applications and YubiHSM 2 usage may also be impacted depending on configuration and algorithm choices by the end user.
Tomi Engdahl says:
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing-four-rce-flaws-in-dir-846w-routers/
Tomi Engdahl says:
Hackers poison Google search results by spreading malware as spoofed VPN solution
https://cybernews.com/news/hackers-poison-google-search-results-spreading-malware/
Tomi Engdahl says:
https://www.exove.com/fi/blogit/eun-tietoturvadirektiivi-nis2-mika-se-on-ja-koskeeko-se-minua/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/legal/admins-of-mfa-bypass-service-plead-guilty-to-fraud/
Tomi Engdahl says:
https://www.techradar.com/pro/security/microsoft-copilot-could-have-been-hacked-by-some-very-low-tech-methods
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cisco-warns-of-backdoor-admin-account-in-smart-licensing-utility/
Tomi Engdahl says:
https://www.techspot.com/news/104436-previously-unknown-hardware-backdoors-could-turn-rfid-cards.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-eucleak-attack-lets-threat-actors-clone-yubikey-fido-keys/
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16562-fortinet-haavoittuvuuksia-hyoedynnetaeaen-yhae-nopeammin
Tomi Engdahl says:
Approximately $11,000 worth of scopes and probes according to Ars Technica. The equipment used is listed in the whitepaper itself. Essentially, only a nation state actor or very sophisticated outfit is going to have this type of gear lying around and the expertise to use it.
https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Tomi Engdahl says:
Master of snooping: This is how often you should turn off your phone
The US National Security Agency (NSA) recommends shutting down your smartphone once a week.
https://www.iltalehti.fi/digiuutiset/a/80420c2c-6941-47b2-bb61-93f57c878b68
Taking care of your own phone's privacy often requires common sense and following a few clear rules of thumb.
For example, it is good to be wary of open networks, apps downloaded from outside the app store, links in emails and text messages, and dubious callers.
The NSA's guidance contains an interesting detail: the agency recommends shutting down and restarting the phone weekly.
According to the NSA, this simple trick may help against so-called zero-click exploit attacks, in which the malware activates without any action by the device's user, as well as against targeted phishing.
The document does note, however, that shutting down the device is not a sure way to avoid these attacks. Although it is no silver bullet, turning off the phone once a week does no harm at least.
Tomi Engdahl says:
Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and Espionage
A secretive Russian military unit, previously linked to assassinations and destabilization in Europe, is blamed for destructive wiper malware attacks in Ukraine.
https://www.securityweek.com/russian-gru-unit-tied-to-assassinations-linked-to-global-cyber-sabotage-and-espionage/
A secretive Russian military intelligence unit, previously tied to foreign assassinations and destabilizing actions in Europe, has now been linked to cyberespionage and sabotage operations for the first time, according to a joint advisory from the US government and its allies.
The military unit — identified as Russian GRU’s 161st Specialist Training Center (Unit 29155) — is being blamed for a series of aggressive cyber operations around the world, including the destructive WhisperGate malware that wiped the Master Boot Record (MBR) of computers in Ukraine.
Tomi Engdahl says:
How Exceptional CISOs Are Igniting the Security Fire in Their Development Team
For years, many CISOs have struggled to influence their development cohort on the importance of putting security first.
https://www.securityweek.com/how-exceptional-cisos-are-igniting-the-security-fire-in-their-development-team/
Tomi Engdahl says:
CISA Breaks Silence on Controversial ‘Airport Security Bypass’ Vulnerability
Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems.
https://www.securityweek.com/cisa-responds-after-disclosure-of-controversial-airport-security-bypass-vulnerability/
The cybersecurity agency CISA has issued a response following the disclosure of a controversial vulnerability in an application related to airport security systems.
In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems.
The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs.
Tomi Engdahl says:
Recent SonicWall Firewall Vulnerability Potentially Exploited in the Wild
SonicWall is warning customers that the recently patched critical vulnerability CVE-2024-40766 may be exploited in the wild.
https://www.securityweek.com/recent-sonicwall-firewall-vulnerability-potentially-exploited-in-the-wild/
Tomi Engdahl says:
LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks
A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies.
https://www.securityweek.com/litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites-to-attacks/
Tomi Engdahl says:
https://www.securityweek.com/russian-gru-unit-tied-to-assassinations-linked-to-global-cyber-sabotage-and-espionage/
Tomi Engdahl says:
Incident Response
UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike
UnitedHealth Group’s CEO Andrew Witty shares details on the damaging cyberattack in testimony before a US Congress committee set for May 1, 2024.
https://www.securityweek.com/unitedhealth-ceo-says-hackers-lurked-in-network-for-nine-days-before-ransomware-strike/
Tomi Engdahl says:
Vulnerabilities
LiteSpeed Cache Plugin Vulnerability Exposes Millions of WordPress Sites to Attacks
A vulnerability in the LiteSpeed Cache WordPress plugin leads to the exposure of sensitive information, including user cookies.
https://www.securityweek.com/litespeed-cache-plugin-vulnerability-exposes-millions-of-wordpress-sites-to-attacks/
Tomi Engdahl says:
https://www.securityweek.com/polands-cybersecurity-experts-foil-russian-and-belarussian-attacks/
Tomi Engdahl says:
https://www.securityweek.com/google-pushes-rust-in-legacy-firmware-to-tackle-memory-safety-flaws/
Tomi Engdahl says:
New RAMBO Attack Allows Air-Gapped Data Theft via RAM Radio Signals
An academic researcher has devised a new method of exfiltrating data from air-gapped systems using radio signals from memory buses.
https://www.securityweek.com/new-rambo-attack-allows-air-gapped-data-theft-via-ram-radio-signals/
An academic researcher has devised a new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems.
According to Mordechai Guri from Ben-Gurion University of the Negev in Israel, malware can be used to encode sensitive data that can be captured from a distance using software-defined radio (SDR) hardware and an off-the-shelf antenna.
The attack, named RAMBO (PDF), allows attackers to exfiltrate encoded files, encryption keys, images, keystrokes, and biometric information at a rate of 1,000 bits per second. Tests were conducted over distances of up to 7 meters (23 feet).
Tomi Engdahl says:
Intel Warns of 20+ Vulnerabilities, Advises Firmware Updates
Intel on Tuesday published advisories covering more than 20 vulnerabilities affecting processors and other products.
https://www.securityweek.com/intel-informs-customers-about-over-a-dozen-processor-vulnerabilities/
Tomi Engdahl says:
Ransomware
Google Introduces ‘Air-Gapped’ Backup Vault to Thwart Ransomware
“It’s critical to not only back up your critical workloads, but also to secure those backups against subsequent modification and deletion.”
By Ryan Naraine
https://www.securityweek.com/google-introduces-air-gapped-backup-vault-to-thwart-ransomware/
Tomi Engdahl says:
Malware & Threats
PIXHELL Attack Allows Air-Gap Jumping via Noise From Screens
Noise generated by the pixels on a screen can be leveraged to exfiltrate data from air-gapped computers in what is called a PIXHELL attack.
https://www.securityweek.com/pixhell-attack-allows-air-gap-jumping-via-noise-from-screens/
A researcher has presented the details of a new attack method for exfiltrating data from air-gapped computers using the noise generated by the ‘pixels’ on the screen.
The data exfiltration method, named PIXHELL, was discovered by Mordechai Guri of the Ben-Gurion University of the Negev in Israel.
Over the past years, Guri and other researchers have demonstrated several methods for jumping air gaps, including through ultrasonic tones, RAM-generated Wi-Fi signals, fan vibrations, heat emissions, HDD LEDs, infrared cameras, magnetic fields, power lines, router LEDs, scanners, screen brightness, USB devices, noise from hard drives and fans, and electromagnetic radiation.
Most recently, Guri published a paper on an air-gap-jumping attack called RAMBO, which relies on radio signals from memory buses.
In the case of the PIXHELL attack, as with all of these types of attacks, the attacker needs to find a way to plant malware on the air-gapped computer from which they want to exfiltrate data. This can be achieved using malicious insiders, social engineering or supply chain attacks.
The malware can collect sensitive information from the targeted device, such as passwords and encryption keys, and convert them into ‘0’ and ‘1’ bits that can be transmitted through the noise. For instance, a certain frequency can represent a ‘1’ and a different frequency a ‘0’.
These bits can be captured by a nearby smartphone, microphone or laptop at a rate of 5-20 bits per second (bps) over distances ranging between 0 and 2.5 meters (8 feet), according to the experiments conducted by the researcher.
A paper published on September 7 provides technical details, as well as countermeasures for this type of attack. A video that shows the PIXHELL attack in action is also available.
Tomi Engdahl says:
Beyond Immature Rhetoric: The Case Against Mockery and Ambulance Chasing in the Security Industry
Five reasons why “Ambulance Chasing” and mocking harm the security profession and are never a good idea.
https://www.securityweek.com/beyond-immature-rhetoric-the-case-against-mockery-and-ambulance-chasing-in-the-security-industry/
Tomi Engdahl says:
Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks
https://thehackernews.com/2024/09/chinese-hackers-exploit-visual-studio.html
The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
“This threat actor used Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks,” Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a “relatively new technique” that was first demonstrated in September 2023 by Truvis Thornton.
The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.
Tomi Engdahl says:
https://etn.fi/index.php/13-news/16592-tutkimus-paljastaa-android-sovellukset-vaativat-huolestuttavan-maeaeraen-vaarallisia-lupia
Tomi Engdahl says:
https://www.securityweek.com/new-chrome-features-protect-users-against-threats-provide-more-control-over-personal-data/
Tomi Engdahl says:
https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/
Microsoft on Tuesday raised an alarm for in-the-wild exploitation of a critical flaw in Windows Update, warning that attackers are rolling back security fixes on certain versions of its flagship operating system.
The Windows flaw, tagged as CVE-2024-43491 and marked as actively exploited, is rated critical and carries a CVSS severity score of 9.8/10.
Microsoft did not provide any information on public exploitation or release IOCs (indicators of compromise) or other data to help defenders hunt for signs of infections. The company said the issue was reported anonymously.
Redmond’s documentation of the bug suggests a downgrade-type attack similar to the ‘Windows Downdate’ issue discussed at this year’s Black Hat conference.
From the Microsoft bulletin:
“Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015).
Tomi Engdahl says:
Cybercrime
Evasion Tactics Used By Cybercriminals To Fly Under The Radar
Relentless in their methods, attackers will continue employing evasion tactics to circumvent traditional security measures.
https://www.securityweek.com/evasion-tactics-used-by-cybercriminals-to-fly-under-the-radar/
Tomi Engdahl says:
Tom Warren / The Verge:
Microsoft plans to make changes to Windows that will help CrowdStrike, Broadcom, and other security vendors operate outside of the Windows kernel — Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel.
Microsoft is building new Windows security features to prevent another CrowdStrike incident
There’s no talk of locking down the Windows kernel just yet, but Microsoft clearly wants to move endpoint security systems out of there.
https://www.theverge.com/2024/9/12/24242947/microsoft-windows-security-kernel-access-features-crowdstrike
Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel. The announcement stems from a Microsoft-hosted security summit earlier this week at the company’s Redmond, Washington, headquarters, where it discussed changes to Windows in the wake of the disastrous CrowdStrike incident in July.
Windows kernel access has been a hot topic ever since the CrowdStrike catastrophe took down 8.5 million Windows PCs and servers. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system that has unrestricted access to system memory and hardware. That’s what allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.
In the months since, Microsoft has called for changes to Windows to improve resiliency and dropped hints about moving security vendors out of the Windows kernel to prevent this from happening again. But there’s been pressure on Microsoft, from both partners and regulators, to not move unilaterally in making that change.
Microsoft says it has now “discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors” with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.
“Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with safe deployment practices, can be used to create highly available security solutions,” says David Weston, vice president of enterprise and OS security at Microsoft.
Tomi Engdahl says:
Kyle Wiggers / TechCrunch:
The White House says Adobe, Cohere, Microsoft, Anthropic, OpenAI, and Common Crawl made voluntary commitments to fight AI-generated image-based sexual abuse — The White House has announced that several major AI vendors, including OpenAI and Microsoft, have committed to taking steps …
AI
White House extracts voluntary commitments from AI vendors to combat deepfake nudes
https://techcrunch.com/2024/09/12/white-house-extracts-voluntary-commitments-from-ai-vendors-to-combat-deepfake-nudes/
Tomi Engdahl says:
Be alert now: This message hijacks your user account – and then email goes out from you to as many as thousands of people
The scam is especially deceptive because users receive an email from a genuine sender rather than a forgery.
https://www.is.fi/digitoday/tietoturva/art-2000010694886.html
Finland's information security authority, the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, warns of emails coming from Dropbox that are being used to phish user credentials. The authority is aware of about 60 account breaches since July.
The emails are sent to companies, and they are used to phish users' Microsoft 365 credentials.
The attack is carried out with a PDF file shared via Dropbox. The share generates a notification in the target's email. The PDF file in turn contains a link to a phishing page that steals M365 credentials.
Tomi Engdahl says:
https://www.securityweek.com/apple-suddenly-drops-nso-group-spyware-lawsuit/
Tomi Engdahl says:
Endpoint Security
Post-CrowdStrike Fallout: Microsoft Redesigning EDR Vendor Access to Windows Kernel
Microsoft is revamping how anti-malware tools interact with the Windows kernel to avoid another CrowdStrike faulty update catastrophe.
https://www.securityweek.com/post-crowdstrike-fallout-microsoft-redesigning-edr-vendor-access-to-windows-kernel/
Microsoft plans to redesign the way anti-malware products interact with the Windows kernel in direct response to the global IT outage in July that was caused by a faulty CrowdStrike update.
Technical details on the changes are not yet available, but the world’s largest software vendor said “new platform capabilities” will be fitted into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability.
Following a one-day summit in Redmond with EDR vendors, Microsoft vice president David Weston described the OS tweaks as part of long-term steps to serve resilience and security goals.
https://www.securityweek.com/microsoft-convenes-endpoint-security-firms-following-crowdstrike-incident/
Tomi Engdahl says:
Apple Patches Vision Pro Vulnerability to Prevent GAZEploit Attacks
Apple has released a patch for Vision Pro after researchers showed how an attacker can obtain passwords typed by looking at keys.
https://www.securityweek.com/apple-patches-vision-pro-vulnerability-to-prevent-gazeploit-attacks/