This posting is here to collect cyber security news in December 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
221 Comments
Tomi Engdahl says:
Artificial Intelligence
Tuskira Scores $28.5M for AI-Powered Security Mesh
Tuskira is working on an AI-powered security mesh promising to integrate fragmented security tools and mitigate risk exposure in real time
https://www.securityweek.com/tuskira-scores-28-5m-for-ai-powered-security-mesh/
Tomi Engdahl says:
https://www.securityweek.com/virtual-event-today-cyber-ai-automation-summit-2/
Tomi Engdahl says:
White House Says at Least 8 US Telecom Firms, Dozens of Nations Impacted by China Hacking Campaign
A top White House official said at least eight U.S. telecom firms and dozens of nations have been impacted by a Chinese hacking campaign.
https://www.securityweek.com/white-house-says-at-least-8-us-telecom-firms-dozens-of-nations-impacted-by-china-hacking-campaign/
A top White House official on Wednesday said at least eight U.S. telecom firms and dozens of nations have been impacted by a Chinese hacking campaign.
Deputy national security adviser Anne Neuberger offered new details about the breadth of the sprawling Chinese hacking campaign that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans.
Neuberger divulged the scope of the hack a day after the FBI and the Cybersecurity and Infrastructure Security Agency issued guidance intended to help root out the hackers and prevent similar cyberespionage in the future. White House officials cautioned that the number of telecommunication firms and countries impacted could still grow.
https://www.securityweek.com/fbi-tells-telecom-firms-to-boost-security-following-wide-ranging-chinese-hacking-campaign/
Tomi Engdahl says:
BT Investigating Hack After Ransomware Group Claims Theft of Sensitive Data
UK telecoms company BT has launched an investigation after the Black Basta ransomware group claimed the theft of 500 Gb of data.
https://www.securityweek.com/bt-investigating-hack-after-ransomware-group-claims-theft-of-sensitive-data/
Tomi Engdahl says:
FBI: Stop using text messages
There is a weakness in the encryption of message traffic that many are not aware of.
https://www.is.fi/digitoday/art-2000010881789.html
Hackers linked to the Chinese state have struck traditional text-message traffic, authorities in the United States, Canada, Australia and New Zealand warn.
According to Politico, the campaign penetrated up to 80 telecom and internet operators around the world. The goal was to spy on US political decision-makers and on information concerning national security.
The attack, reportedly still ongoing, has targeted ordinary text messages, not instant messages such as those sent in WhatsApp.
In WhatsApp and Signal, for example, message traffic is end-to-end encrypted. That means that, with some exceptions, even the service provider cannot access the content of the messages.
Tomi Engdahl says:
Chinese hack of global telecom providers is ‘ongoing,’ officials warn
Officials from the FBI and the Cybersecurity and Infrastructure Security Agency say the major Chinese hack began in late spring, and they are strongly urging Americans to use encrypted communications.
https://www.politico.com/news/2024/12/03/chinese-hack-global-telecom-ongoing-00192410
Tomi Engdahl says:
White House official: 8 US telecom providers hacked by Chinese
https://edition.cnn.com/2024/12/04/politics/us-telecom-providers-chinese-hack/index.html
Tomi Engdahl says:
https://dawn.fi/uutiset/2024/12/06/unkari-yrittaa-saada-viestiliikenteen-yksityisyyden-murtavan-lain-lapi-takaoven-kautta-ensimmainen-yritys-kaatui?fbclid=IwY2xjawHASBtleHRuA2FlbQIxMQABHUhWJ12I6xShNdRz4V-FYZfjhfbg17qP8uAHvWAKoU9hRgtjzL-gM9zMuA_aem_aLouvRyA51nMmbLeAcn2yw
Tomi Engdahl says:
“Just by opening a shared folder or USB disk containing the malicious file, or even simply viewing the downloads folder where the file was automatically downloaded from an attacker’s web page, is all it takes to exploit the threat.”
New Windows 7 To 11 Warning As Zero-Day With No Official Fix Confirmed
https://www.forbes.com/sites/daveywinder/2024/12/06/new-windows-7-to-11-warning-as-zero-day-with-no-official-fix-strikes/?fbclid=IwY2xjawHA2iNleHRuA2FlbQIxMQABHdzOuitOHimrPeCtfVxs0mZTgOJADYHZkI6D8Z_Q6TXXQ3EAutd9HtVf2A_aem_Zg6ipwT4QWJ3tMV6nr0kkQ
Researchers at Acros Security have confirmed the existence of another Windows zero-day threat, a credential-stealer that affects all versions of Windows from 7 through 11 and Windows Server 2008 R2 onwards. Here’s what you need to know and how to protect yourself while Microsoft is readying a patch to protect against the exploit.
The Windows Zero-Day Exploit With No Official Fix—What We Know So Far
The zero-day vulnerability, which has been reported to Microsoft but currently has no Common Vulnerabilities and Exposures allocation or, indeed, any official patch, is about as bad as it gets. Impacting the Windows NT LAN Manager, a suite of Microsoft security protocols providing authentication, integrity and confidentiality to users, full technical details are being withheld until such a time that an official Microsoft fix starts rolling out to minimize any further risk of exploitation.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer,” Mitja Kolsek, founder of Acros security which operates the 0patch vulnerability patch management platform, said. Just by opening a shared folder or USB disk containing the malicious file, or even simply viewing the downloads folder where the file was automatically downloaded from an attacker’s web page, is all it takes to exploit the threat.
How To Protect Your Version Of Windows
Until an official fix is made available by Microsoft itself, Windows users can protect themselves using the free “micropatch” that has been made available by the 0patch platform. These patches are even available for those versions of Windows that are outside of official support. This is a developing story and I have reached out to Microsoft for a statement.
https://0patch.com/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch/
Tomi Engdahl says:
Chinese industry bodies to companies: Don’t use chips from Nvidia, AMD and Intel; they are ‘no longer safe’
https://timesofindia.indiatimes.com/technology/tech-news/chinese-industry-bodies-to-companies-dont-use-chips-from-nvidia-amd-and-intel-they-are-no-longer-safe/articleshow/115983706.cms
Tomi Engdahl says:
https://www.forbes.com/sites/zakdoffman/2024/12/06/fbi-warns-iphone-and-android-users-stop-sending-texts/
Tomi Engdahl says:
T-Mobile Engineers Spotted Hackers Running Commands on Routers
https://www.insurancejournal.com/news/national/2024/12/02/803154.htm
Suspicious behavior on T-Mobile US Inc.’s network devices tipped off the company to a breach that was potentially part of a sprawling cyber-espionage campaign that has raised urgent questions about the exposure of a critical sector of the economy.
Jeff Simon, T-Mobile’s chief security officer, said in an interview with Bloomberg News that while the behavior wasn’t “inherently malicious,” it was unusual enough to draw the attention of the company’s network engineers. In recent weeks, the engineers had spotted unauthorized users running commands on the company’s network devices, seeming to probe the structure of the network, Simon said.
Upon discovery, the engineers booted the bad actors from the network before they got deeper into the network or accessed customer data.
Tomi Engdahl says:
65% Of Employees Bypass Cybersecurity Measures, New Study Finds
https://www.forbes.com/sites/larsdaniel/2024/12/05/new-study-finds-65-of-employees-bypass-cybersecurity-measures/
As businesses become increasingly reliant on digital tools and cloud-based workflows, a pressing issue is emerging. Employees are bypassing security measures to meet productivity goals, inadvertently creating significant cybersecurity risks. A recent survey by CyberArk sheds light on the scale of this challenge, revealing that 65% of office workers admit to circumventing company security policies in the name of efficiency. This tension between security and productivity underscores a key challenge for organizations in today’s fast-paced business environment: How do you enforce compliance without stifling workflow?
The Weakest Link In Cybersecurity
Modern businesses deploy solutions to protect sensitive data, from multi-factor authentication to real-time threat detection. But when employees reuse passwords, share credentials or access work applications from unsecured personal devices, they create vulnerabilities that even the most advanced systems can’t close.
Consider these findings from the CyberArk study:
Password Reuse: 49% of respondents use the same login credentials for multiple work applications, and 36% use the same credentials for personal and professional accounts.
Password Sharing: 30% of employees share their workplace passwords with colleagues, effectively nullifying the protections offered by unique credentials or MFA.
Device Security Gaps: 36% delay installing security patches on personal devices used for work, exposing critical applications to exploitation.
AI Risks: As artificial intelligence tools become common in workflows, 72% of employees report using AI tools, but 38% either ignore company policies about sensitive data input or say no such policies exist, leaving valuable data exposed.
Personal Devices: 80% of respondents access workplace applications from personal devices that lack security controls.
Sharing Confidential Data: 52% of respondents said they shared confidential workplace information with external parties, which increases the risk of data breaches.
Why Do Employees Bypass Cybersecurity?
It is not difficult to understand why people ignore or circumvent security measures. With many workers struggling to keep up with the demands of their jobs, the needs of the moment can overshadow concerns about security. The tyranny of the urgent can make concerns about potential cyber events a distant thought, fading into the background in the face of a concrete deadline. When it comes to cybersecurity, the root causes of employee disengagement are:
Convenience vs. Security: Employees often view security protocols as cumbersome. Long, complex passwords, frequent logins and multi-step authentication can feel like barriers to productivity.
Pressure to Deliver: In fast-paced environments, meeting deadlines often takes precedence over following security guidelines. Employees may perceive cutting corners as a necessary tradeoff.
Lack of Awareness: Many employees don’t fully understand the risks posed by their actions. Without proper training, they may not see the connection between bypassing a protocol and the potential for a breach.
The phrase “a chain is only as strong as its weakest link” is particularly apt in cybersecurity. Even the most advanced technologies can be undone by a single weak password, an unpatched device or a careless click on a phishing email.
Organizations must recognize that their employees are both their greatest assets and their most significant vulnerabilities. In today’s rapidly evolving threat landscape, good cybersecurity isn’t just about buying the best solutions. It’s about making sure everyone in the organization understands their role in protecting the digital ecosystem. The greatest challenges and problems in cybersecurity have been, and remain, human.
Tomi Engdahl says:
Russia’s ‘BlueAlpha’ APT Hides in Cloudflare Tunnels
Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.
https://www.darkreading.com/cloud-security/russias-bluealpha-apt-cloudflare-tunnels
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/cloudflares-developer-domains-increasingly-abused-by-threat-actors/
Tomi Engdahl says:
https://thehackernews.com/2024/12/nachovpn-tool-exploits-flaws-in-popular.html
Tomi Engdahl says:
https://arstechnica.com/security/2024/11/code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor/
Tomi Engdahl says:
https://thehackernews.com/2024/12/researchers-uncover-backdoor-in-solanas.html
Tomi Engdahl says:
SafeLine: Open-source web application firewall (WAF)
SafeLine is an open-source and self-hosted Web Application Firewall (WAF) that protects websites from cyber attacks.
https://www.helpnetsecurity.com/2024/12/04/safeline-open-source-web-application-firewall-waf/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/russian-turla-hackers-hijack-pakistani-apt-servers-for-cyber-espionage-attacks/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/
Tomi Engdahl says:
“Rockstar 2FA” Phishing-as-a-Service Steals Microsoft 365 Credentials Via AiTM Attacks
https://cybersecuritynews.com/rockstar-2fa/#google_vignette
Tomi Engdahl says:
https://thehackernews.com/2024/11/matrix-botnet-exploits-iot-devices-in.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/
Tomi Engdahl says:
Vodka maker Stoli’s US companies file for bankruptcy after cyberattack
https://www.reuters.com/legal/litigation/vodka-maker-stolis-us-companies-file-bankruptcy-after-cyberattack-2024-12-02/?fbclid=IwY2xjawHBkm9leHRuA2FlbQIxMQABHXBZiS0pxSIWSzMIKmHvikzSOVYnlRcMtKUt_fRnSo2F_5-SI9EYvklbyQ_aem_05CagGP5uTyLDUkdlq171A
Dec 2 (Reuters) – Two U.S.-based subsidiaries of vodka maker Stoli Group have filed for bankruptcy protection in Dallas, Texas, after a damaging cyberattack, the Russian government’s seizure of its remaining distilleries in that country, and a dispute with the company’s lenders.
Stoli Group USA, which imports and distributes Stoli-owned liquor brands in the U.S., and Kentucky Owl, a bourbon brand, filed for Chapter 11 protection last week.
Both companies are U.S.-based subsidiaries of the Luxembourg-based Stoli Group, which is not bankrupt.
The two companies entered bankruptcy with $84 million in debt, and the bankruptcy will give them more time to recover from the cyberattack and negotiate a debt restructuring that will preserve jobs, according to bankruptcy court documents filed Friday.
Stoli has been embroiled in a decades-long legal battle over the Russian government’s attempt to reclaim ownership of vodka brands that were privatized in the 1990s.
Tomi Engdahl says:
Government
In Other News: Cloudflare Abuse, UK and EU Cybersecurity Reports, FBI Gen-AI Alert
Noteworthy stories that might have slipped under the radar: ENISA and NCSC release cybersecurity reports, abuse of Cloudflare services, FBI warns of gen-AI enabling fraud.
https://www.securityweek.com/in-other-news-cloudflare-abuse-uk-and-eu-cybersecurity-reports-fbi-gen-ai-alert/
Tomi Engdahl says:
Wall Street Journal:
A profile of Brian Krebs, who over the past 20 years has investigated and outed some of the worst cybercriminals, including the alleged Snowflake client hackers
He Investigates the Internet’s Most Vicious Hackers—From a Secret Location
In the increasingly dangerous world of cybercrime, Brian Krebs faces threats, manipulation and the odd chess challenge
https://www.wsj.com/tech/cybersecurity/hacking-brian-krebs-snowflake-waifu-49b87fce?st=oGU8Xy&reflink=desktopwebshare_permalink
One morning in September, a hacker known as Waifu sent a message to Brian Krebs, a cybersecurity researcher investigating him. Waifu wanted to play a game.
“Here is the deal,” Waifu wrote. “Beat me 2 out of 3 in chess, and if your demand is reasonable, I would answer questions without trolling u.”
Krebs didn’t reply, but the messages kept coming in. “I would rate you FBI range in terms of HUMINT skill and capability,” Waifu wrote, using a military term for gathering intelligence from human sources. “But I really want to play you in chess.”
The two had been communicating on messaging apps for months. Investigators had linked Waifu to a hacking rampage that started in April and exposed private information on hundreds of millions of Americans, including phone records. Some investigators, including Krebs, had tied Waifu to a real-world identity over the summer, although they hadn’t gone public with that information—yet.
While many researchers sell cybersecurity services to companies, Krebs, a former Washington Post reporter, makes most of his money from banner ads on the website where he shares his findings. His site, Krebs on Security, routinely pulls in more than 1 million visits a month. He hears from law enforcement and other officials who read his posts—and from hackers, too.
Tomi Engdahl says:
Alexander Cornwell / Reuters:
A White House official says that the US believes China-linked Salt Typhoon hackers targeted and recorded the phone calls of “very senior” US political figures
US alleges China hacked calls of ‘very senior’ political figures, official says
https://www.reuters.com/world/us-alleges-china-hacked-calls-very-senior-political-figures-official-says-2024-12-07/
MANAMA, Bahrain, Dec 7 (Reuters) – The U.S. believes that an alleged sweeping Chinese cyber espionage campaign known as Salt Typhoon targeted and recorded telephone calls of “very senior” American political figures, a White House official said on Saturday.
The comments by Anne Neuberger, the U.S. deputy national security advisor for cyber and emerging technology, to reporters at the Manama Dialogue regional security conference in Bahrain’s capital revealed new details of the campaign.
Tomi Engdahl says:
A sharp rebuke: banks are being called to account
The Finnish Consumers' Union (Kuluttajaliitto) demands that banks take more responsibility in scam cases. Its demands include clarifying the definition of gross negligence in legislation.
https://www.iltalehti.fi/digiuutiset/a/90d65d0d-7458-445d-bf4c-e3da19c4d867
The Consumers' Union wants to increase banks' responsibility in scam cases, the association announces.
The Consumers' Union's statement relates to the EU's new Payment Services Regulation. Belgium and Hungary, among others, have proposed amendments to the regulation. These proposals also include ones that would improve the consumer's position.
In its press release the association says that consumers often have to handle scam situations "completely alone."
– Last year banks assumed responsibility for only four percent of the losses from fraudulent transfers. 92 percent was left for the consumer to pay, the Consumers' Union says in its release.
The Consumers' Union has presented four demands for the new Payment Services Regulation. These include clarifying the definition of gross negligence in legislation and emphasising the responsibility of banks.
According to the association, a consumer should not have to be liable for payments they approved if a criminal posed as a bank employee.
Tomi Engdahl says:
FBI warns: Stop sending text messages
The warning stems from the Salt Typhoon hacking campaign.
https://www.iltalehti.fi/digiuutiset/a/fee3bb18-0eac-4ca6-93f1-b363e2194f91
Tomi Engdahl says:
If there is anything smart in your home, you need to know these things
Here is how to make sure your TV is not eavesdropping on you and your appliances are not taking part in denial-of-service attacks.
https://www.iltalehti.fi/digiuutiset/a/2da13d1c-4c32-4605-a293-51f4eae4864b
As smart home technology becomes more common, the security challenges related to these devices make headlines more often than before. According to the IT consultancy Rakettitiede, the risks should not be exaggerated, but it is worth being aware of them.
Earlier reports have covered, among other things, the possible role of hijacked home appliances in the denial-of-service attacks against Nordea, as well as robot vacuums that spewed insults and spied on residents.
Rakettitiede's security specialist Richard Topchii says in the company's press release that consumers may not think of all the ways in which smart devices can collect information.
– For example, a robot vacuum has a camera that helps it move around the apartment, and a smart TV may constantly send data about the user's viewing habits as well as listen to and record what is said around it. New speakers may have a microphone that, once hijacked, can be used to eavesdrop on their surroundings, Topchii lists.
– Confidential and sensitive data can be at risk if the smart home device manufacturer's server is breached and the data stolen, Topchii continues.
According to Rakettitiede, protecting smart home technology is not rocket science. Listed below are the most important measures for keeping a smart home secure.
Change the router's default password to a strong one of your own and keep the router updated.
Keep the software of smart devices up to date.
Do not leave on features you do not need. These may include remote access over the network, voice control and location tracking.
Enable two-factor authentication whenever possible.
Create a separate network for the home's smart devices so that a possible break-in does not endanger the main network.
Disconnect from the network any smart devices whose security worries you. A robot vacuum, for example, can be used without its smart features.
Consider installing security software.
Use common sense, and do not share user names, passwords or other sensitive information.
Tomi Engdahl says:
Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation
The CVE-2024-54143 vulnerability affects the OpenWrt sysupgrade server and exposes users to risks of installing malicious firmware images.
https://www.securityweek.com/critical-openwrt-flaw-exposes-firmware-update-server-to-exploitation/
The OpenWrt Project, an open-source initiative providing a Linux-based operating system for embedded devices, has pushed a critical patch to cover flaws that expose its firmware update server to malicious exploitation.
The vulnerability, tracked as CVE-2024-54143, affects the OpenWrt sysupgrade server and exposes users to potential risks of installing compromised firmware images.
An OpenWrt bulletin explains the problem:
“Due to the combination of command injection in the image builder and the truncated SHA-256 hash included in the build request hash, an attacker can pollute the legitimate image by providing a package list that causes a hash collision.”
The maintainers documented two main issues:
Command Injection in Imagebuilder — User-supplied package names are incorporated into `make` commands without proper sanitization, allowing malicious users to inject arbitrary commands into the build process. This results in the production of malicious firmware images signed with the legitimate build key.
Truncated SHA-256 Hash Collisions — The request hashing mechanism truncates SHA-256 hashes to 12 characters, significantly reducing entropy and enabling attackers to generate collisions. Exploiting this allows a previously built malicious image to replace legitimate ones, compromising the artifact cache.
“Combined, these vulnerabilities enable attackers to serve compromised firmware images via the Attended SysUpgrade service, affecting the integrity of delivered builds,”
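The truncated-hash issue in the OpenWrt bulletin quoted above comes down to the birthday bound: a hash cut to 12 hex characters keeps only 48 bits, so a collision is expected after roughly 2^24 random inputs rather than the 2^128 a full SHA-256 digest requires. The following is an added example written for this page, not code from the OpenWrt project or the article. It computes that work factor for any truncation length and demonstrates an actual collision on a down-scaled 6-character (24-bit) truncation; the "package list" strings it hashes are constructed sample inputs and stand for whatever a cache key is derived from.

```python
import hashlib
import math

FULL_HEX_LEN = 64  # a full SHA-256 hex digest is 64 hex characters (256 bits)


def truncated_sha256(data: bytes, hex_chars: int) -> str:
    """Hex SHA-256 of data, cut to its first hex_chars characters (4 bits each)."""
    return hashlib.sha256(data).hexdigest()[:hex_chars]


def birthday_bound(hex_chars: int) -> float:
    """Approximate number of random inputs after which a collision among hashes
    truncated to hex_chars hex digits is more likely than not:
    sqrt(2 * N * ln 2) for a space of N = 16**hex_chars values."""
    space = 16 ** hex_chars
    return math.sqrt(2 * space * math.log(2))


def find_collision(hex_chars: int, max_attempts: int):
    """Hash constructed, mutually distinct 'package list' strings until two of
    them share the same truncated hash. Returns (first, second, truncated_hash)
    or None if no collision appears within max_attempts inputs."""
    seen = {}
    for i in range(max_attempts):
        # Constructed sample request; only the trailing counter varies.
        request = f"packages=base-files luci pkg-{i}".encode()
        digest = truncated_sha256(request, hex_chars)
        if digest in seen:
            return seen[digest], request, digest
        seen[digest] = request
    return None


if __name__ == "__main__":
    # Work factor for the 12-character truncation in the bulletin vs. the full digest.
    print(f"12 chars: ~2^{math.log2(birthday_bound(12)):.1f} inputs for a 50% collision")
    print(f"64 chars: ~2^{math.log2(birthday_bound(FULL_HEX_LEN)):.1f} inputs")
    # Down-scaled demonstration: 6 hex chars (24 bits) collide within seconds.
    first, second, digest = find_collision(6, 1_000_000)
    print(f"collision on {digest}: {first!r} vs {second!r}")
```

The practical check for a defender is the second function: any cache or artifact keyed on a truncated digest should be sized so that `birthday_bound` is far beyond what a client could ever request, or, better, keyed on the full digest.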
Tomi Engdahl says:
Romania’s election systems targeted in over 85,000 cyberattacks
https://www.bleepingcomputer.com/news/security/romanias-election-systems-targeted-in-over-85-000-cyberattacks/?fbclid=IwY2xjawHE78ZleHRuA2FlbQIxMQABHWFPNl_acAfZAbiAwow1o3FbM30cc9vOTrTxeMUnuuvfLMDTNZvjSGaGHw_aem_CKEFYDT8PdD5agjO1iPPow
A declassified report from Romania’s Intelligence Service says that the country’s election infrastructure was targeted by more than 85,000 cyberattacks.
Threat actors also obtained access credentials for election-related websites and leaked them on a Russian hacker forum less than a week before the first presidential election round.
Tomi Engdahl says:
https://hackaday.com/2024/12/06/this-week-in-security-national-backdoors-web3-backdoors-and-nearest-neighbor-wifi/
AI Fuzzing
There’s yet another researcher thinking about LLM guided fuzzing. This time, it’s looking for HTTP/S endpoints on a public site. The idea here is that you can crawl a domain and collect every link to build a URL map of the site — but that list is likely incomplete. There may be an administrative page, undocumented API endpoints, or even unintended .git files. Finding those endpoints is a useful step to finding vulnerabilities. Brainstorm is a new open source tool that uses AI to find non-obvious URLs.
There are a couple of interesting metrics to measure how well endpoint discovery is done. The most straightforward is how many endpoints are found for a given site. The other is the ratio of requests to discovered endpoints. And while this is just a sample size of one on a test site, brainstorm found 10 hidden endpoints with only 328 requests. Impressive!
Brainstorm tool release: Optimizing web fuzzing with local LLMs
https://www.invicti.com/blog/security-labs/brainstorm-tool-release-optimizing-web-fuzzing-with-local-llms/
Tomi Engdahl says:
https://metro.co.uk/2024/12/10/microsoft-goes-hundreds-reporting-problems-teams-outlook-22159756/?fbclid=IwY2xjawHFV6hleHRuA2FlbQIxMQABHejgMTHQLLKvjKpL8Ny0RhO4aNU31_ZWhaHt5Ss8J-aCfg6wqxpcvwV-AA_aem_soS07dwhiAIxiggrgzuzSA
Tomi Engdahl says:
Microsoft Ships Urgent Patch for Exploited Windows CLFS Zero-Day
Patch Tuesday: Redmond patches 71 security flaws and calls immediate attention to an exploited Windows zero-day reported by CrowdStrike.
https://www.securityweek.com/microsoft-ships-urgent-patch-for-exploited-windows-clfs-zero-day/
Software giant Microsoft on Tuesday rolled out patches for more than 70 documented security defects and called urgent attention to an already-exploited zero-day in the Windows Common Log File System (CLFS).
The CLFS vulnerability, tagged as CVE-2024-49138 and marked as actively exploited in the wild, was reported by anti-malware vendor CrowdStrike. It carries a CVSS severity score of 7.8/10.
According to an important bulletin from Redmond, the CLFS driver flaw allows attackers to gain SYSTEM privileges through a heap-based buffer overflow. A successful exploit requires no user interaction and low privileges to execute, Microsoft warned.
As is customary, the company did not release indicators of compromise (IOCs) or any other telemetry to help defenders hunt for signs of compromise.
Over the last five years, there have been at least 25 documented vulnerabilities in CLFS, the Windows subsystem used for data and event logging. Earlier this year, Microsoft said it was experimenting with a major new security mitigation to thwart a surge in cyberattacks hitting flaws in the Windows CLFS.
The company plans to add Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files and cover one of the most attractive attack surfaces for APTs and ransomware attacks.
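The integrity check Microsoft is said to be adding to CLFS is a general technique: a keyed MAC over each log record lets a verifier detect any edit made without the key. The example below is added for this page and is not Microsoft's design or code; the record format, the key handling and the sample log lines are constructed for illustration. It binds each record's sequence number into the tag so that reordering or deleting records in the middle is caught as well as in-place edits.

```python
import hashlib
import hmac

# Constructed demo key. In a real design the key must be unreachable from any
# component that is allowed to write the log; otherwise whoever can edit the
# log can also re-seal it.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample log records (not from any real system).
SAMPLE_RECORDS = [
    b"ts=2024-12-10T09:00:00Z event=logon user=alice result=ok",
    b"ts=2024-12-10T09:01:12Z event=privilege user=alice action=grant level=admin",
    b"ts=2024-12-10T09:02:45Z event=logoff user=alice",
]


def _tag(key: bytes, seq: int, payload: bytes) -> bytes:
    # The sequence number is part of the MACed data, so a record moved to a
    # different position fails verification even though its bytes are intact.
    data = seq.to_bytes(8, "big") + payload
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def seal_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the log record at position seq."""
    return payload + b"|" + _tag(key, seq, payload)


def verify_record(key: bytes, seq: int, record: bytes) -> bool:
    """True if the record at position seq carries a valid tag."""
    payload, sep, tag = record.rpartition(b"|")
    if not sep:
        return False
    # Constant-time comparison so tag bytes do not leak through timing.
    return hmac.compare_digest(_tag(key, seq, payload), tag)


def verify_log(key: bytes, records) -> list:
    """Return the positions of records that fail verification (empty if intact)."""
    return [i for i, rec in enumerate(records) if not verify_record(key, i, rec)]


def sealed_sample_log(key: bytes = DEMO_KEY) -> list:
    """Seal the constructed sample records in order."""
    return [seal_record(key, i, p) for i, p in enumerate(SAMPLE_RECORDS)]


if __name__ == "__main__":
    log = sealed_sample_log()
    print("intact log, failures:", verify_log(DEMO_KEY, log))
    tampered = list(log)
    tampered[1] = tampered[1].replace(b"user=alice", b"user=mallory")
    print("edited record, failures:", verify_log(DEMO_KEY, tampered))
    print("reordered records, failures:", verify_log(DEMO_KEY, [log[1], log[0], log[2]]))
```

One limit worth knowing: a per-record tag does not detect removal of records from the end of the log, since the remaining prefix still verifies. Covering truncation needs either a chained MAC (each tag also covers the previous tag) or a separately sealed record count.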
Tomi Engdahl says:
Adobe Patches Over 160 Vulnerabilities Across 16 Products
Adobe has patched over 160 vulnerabilities across over a dozen products, including Reader, Illustrator, Photoshop and Connect.
https://www.securityweek.com/adobe-patches-over-160-vulnerabilities-across-16-products/
Tomi Engdahl says:
https://www.securityweek.com/cleo-file-transfer-tool-vulnerability-exploited-in-wild-against-enterprises/
Tomi Engdahl says:
A danger lurks in Finnish routers that many are unaware of
A security specialist sees two threats aimed at ordinary people.
https://www.is.fi/digitoday/tietoturva/art-2000010877568.html
Summary:
The router base in Finnish homes is uniform, which makes it easier to tailor cyber weapons.
The Mirai malware, which infected more than 10,000 modems in Finland in 2016, is still common here.
Ransomware may in future target ordinary people, not just companies.
AI is being used to automate phishing attacks, which increases cyber threats.
Finns face a cyber danger that very few may think of.
The router base in Finnish homes is extremely uniform. This is because the range of routers that telecom operators offer to Finns is very limited, says Jarno Ahlström, lead security specialist at Check Point.
This in turn makes it easy to tailor a cyber weapon aimed at Finland.
The phenomenon is visible, as the years-old Mirai malware that runs on routers is still found in Finland. According to the Autoreporter system of the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom, it was the 7th most common malware in Finland in the second quarter of this year.
First seen in 2016, the Mirai malware demonstrated the dangers of internet-connected smart devices. Among other things, it has been used to harness home routers into a criminal botnet capable of carrying out large denial-of-service attacks.
In 2016 Mirai infected more than 10,000 modems in Finland. Its authors published the source code, so the malware has been developed continuously and incorporated into other malware.
Tomi Engdahl says:
Sergiu Gatlan / BleepingComputer:
The US sanctions Chinese cybersecurity government contractor Sichuan Silence and one of its staff over Ragnarok ransomware ties and creating and using zero-days — The U.S. Treasury Department has sanctioned Sichuan Silence, a Chinese cybersecurity company, and one of its employees …
US sanctions Chinese firm for hacking firewalls in ransomware attacks
https://www.bleepingcomputer.com/news/security/us-sanctions-chinese-firm-for-hacking-firewalls-in-ragnarok-ransomware-attacks/
The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020.
According to the Department’s Office of Foreign Assets Control (OFAC), Sichuan Silence is a Chengdu-based cybersecurity government contractor (recently profiled by the Natto Thoughts team) that provides products and services to core clients like China’s intelligence services.
The company’s services include computer network exploitation, brute-force password cracking, email monitoring, and public sentiment suppression.
Tomi Engdahl says:
Venkat / Windows Report:
Mozilla is removing the “Do Not Track” feature from Firefox in version 135, the first major browser to do so, saying few websites honor the preference
Mozilla Firefox removes “Do Not Track” Feature support: Here’s what it means for your Privacy
Will Chrome, Edge, and Other Privacy-Focused Browsers follow this move?
https://windowsreport.com/mozilla-firefox-removes-do-not-track-feature-support-heres-what-it-means-for-your-privacy/
Tomi Engdahl says:
Anyone can Access Deleted and Private Repository Data on GitHub
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
You can access data from deleted forks, deleted repositories and even private repositories on GitHub. And it is available forever. This is known by GitHub, and intentionally designed that way.
This is such an enormous attack vector for all organizations that use GitHub that we're introducing a new term: Cross Fork Object Reference (CFOR). A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks). Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.
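The mechanism behind CFOR is that git (and so GitHub) addresses every object by the SHA-1 of its serialized content, so a commit hash is a durable key into the object store and a later commit that "removes" a secret only adds new objects. The following is an added example, not code from the Truffle Security post or from GitHub: it reproduces git's object-id derivation in plain Python and builds a constructed two-commit history (a fake key in `.env`, then a "fix" commit) to show that the old blob and commit ids are untouched by the fix. Author name, file contents and timestamps are made up.

```python
"""Added example: git object ids are content hashes, so the object that held
a secret keeps its id (and stays fetchable by that id wherever the object is
retained) no matter what later commits do."""
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Id git assigns to `payload` of kind blob/tree/commit: SHA-1 over the
    header "<type> <size>\\0" plus the raw content (same as `git hash-object -t`)."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries: list[tuple[str, str, str]]) -> str:
    """entries: (mode, name, hex object id). Git stores entries sorted by name,
    each as "<mode> <name>\\0" followed by the 20 raw id bytes."""
    body = b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=lambda e: e[1])
    )
    return git_object_id("tree", body)


def commit_id(tree: str, parents: list[str], ident: str, when: int, message: str) -> str:
    """ident is "Name <email>"; git writes 'author Name <email> <epoch> <tz>'."""
    lines = [f"tree {tree}", *[f"parent {p}" for p in parents],
             f"author {ident} {when} +0000", f"committer {ident} {when} +0000",
             "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


def demo() -> dict:
    """Constructed history: commit 1 adds .env with a fake key, commit 2 drops it.
    The ids from commit 1 are unchanged by commit 2, which only adds objects."""
    secret = b"AWS_SECRET_ACCESS_KEY=EXAMPLEKEYNOTREAL0000000000\n"  # constructed, not a real key
    readme = b"# demo\n"
    ident = "Dev <dev@example.invalid>"  # hypothetical author

    t1 = tree_id([("100644", "README.md", blob_id(readme)),
                  ("100644", ".env", blob_id(secret))])
    c1 = commit_id(t1, [], ident, 1733900000, "Initial import")

    t2 = tree_id([("100644", "README.md", blob_id(readme))])  # .env no longer in the tree
    c2 = commit_id(t2, [c1], ident, 1733900600, "Remove leaked .env")

    return {
        "secret_blob": blob_id(secret),      # still the key to the secret's bytes
        "commit_with_secret": c1,            # still a valid commit id
        "fix_commit": c2,
        "fix_tree_still_contains_secret_blob": False,  # the fix only stops *referencing* it
    }
```

Locally you can confirm the same thing with `git hash-object -t blob` and `git cat-file -p <id>`: after `git branch -D` the object is still retrievable by id until `git gc` prunes it. GitHub's shared fork network retains it, which is the CFOR point; the only remediation for a leaked secret is to rotate it, not to delete the commit.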
Tomi Engdahl says:
Androxgh0st strikes IoT devices and critical infrastructure
https://www.uusiteknologia.fi/2024/12/11/androxgh0st-iskee-iot-laitteisiin-ja-kriittiseen-infrastruktuuriin/
Articles/reports, 11.12.2024
Security company Check Point Software's malware review highlights the rise of Androxgh0st as well as the continuing threats and increasingly sophisticated methods of Joker and Anubis. The malware continues its attacks on targets such as critical infrastructure. Androxgh0st was also the most common malware both in Finland and worldwide.
Check Point's researchers particularly emphasise the rapid rise of Androxgh0st. It exploits vulnerabilities on various platforms, such as IoT devices and web servers, which are key components of critical infrastructure. "The rise of Androxgh0st and its merger with Mozi show how cybercriminals are constantly evolving their methods," says Maya Horowitz, VP of Research at Check Point Software.
Mirroring Mozi's methods, Androxgh0st uses remote code execution and credential theft to maintain persistent access to systems. This enables, among other things, denial-of-service (DDoS) attacks and data theft. The botnet infiltrates critical infrastructure through unpatched vulnerabilities, and the addition of Mozi's capabilities has significantly expanded Androxgh0st's operational reach.
According to Check Point, Androxgh0st can infect more IoT devices and control a larger set of targets through botnets. These attacks have wide-ranging effects across industries, underlining their seriousness for governments, companies and individuals alike who depend on critical infrastructure.
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
“This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures,” CloudSEK said in a new report.
AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of stealing sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.
Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.
Nov 08, 2024, Ravie Lakshmanan, IoT Security / Vulnerability
Earlier this January, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for “victim identification and exploitation in target networks.”
The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -
CVE-2014-2120 (CVSS score: 4.3) – Cisco ASA WebVPN login page XSS vulnerability
CVE-2018-10561 (CVSS score: 9.8) – Dasan GPON authentication bypass vulnerability
CVE-2018-10562 (CVSS score: 9.8) – Dasan GPON command injection vulnerability
CVE-2021-26086 (CVSS score: 5.3) – Atlassian Jira path traversal vulnerability
CVE-2021-41277 (CVSS score: 7.5) – Metabase GeoJSON map local file inclusion vulnerability
CVE-2022-1040 (CVSS score: 9.8) – Sophos Firewall authentication bypass vulnerability
CVE-2022-21587 (CVSS score: 9.8) – Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX21 firmware command injection vulnerability
CVE-2024-4577 (CVSS score: 9.8) – PHP CGI argument injection vulnerability
CVE-2024-36401 (CVSS score: 9.8) – GeoServer remote code execution vulnerability
“The botnet cycles through common administrative usernames and uses a consistent password pattern,” the company said. “The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings.”
The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241[.]140" and "117.215.206[.]216").
Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.
While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn’t observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It’s suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.
AndroxGh0st's integration of Mozi has raised the possibility of an operational alliance, thereby allowing it to propagate to more devices than ever before.
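The WordPress behaviour described above (cycling admin usernames, then redirecting to /wp-admin/ on success) leaves a recognisable trace in web-server logs. The following is an added example, not code from The Hacker News, CloudSEK or Check Point: detection logic run over constructed Apache/nginx combined-format log lines. It flags a source IP with repeated `POST /wp-login.php` requests, where a failed WordPress login re-renders the form (HTTP 200) and a success redirects (302), and it flags probes for `/.env` (the Laravel credential file this tool is known for harvesting) and the PHPUnit `eval-stdin.php` path behind CVE-2017-9841. Those two paths come from public reporting on AndroxGh0st, not from this article; the log lines, addresses and threshold are constructed.

```python
"""Added example: spot AndroxGh0st-style WordPress brute force and
initial-access probes in web-server access logs."""
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Paths from public AndroxGh0st reporting (assumption: not taken from this article).
PROBE_PATHS = {
    "/.env": "Laravel .env credential harvesting",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php": "PHPUnit RCE probe (CVE-2017-9841)",
}


def parse_line(line: str):
    """Return a dict of fields, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def analyze(lines, fail_threshold: int = 5) -> list[dict]:
    """Emit findings: known probe paths, and per-IP wp-login brute force where
    at least `fail_threshold` attempts returned 200 (form re-rendered = bad
    password). `succeeded` is True if the same IP later got the 302 redirect."""
    login_status = defaultdict(list)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] in PROBE_PATHS:
            findings.append({"ip": rec["ip"], "kind": "probe", "detail": PROBE_PATHS[rec["path"]]})
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            login_status[rec["ip"]].append(rec["status"])
    for ip, statuses in login_status.items():
        failures = statuses.count(200)
        if failures >= fail_threshold:
            findings.append({"ip": ip, "kind": "bruteforce",
                             "failures": failures, "succeeded": 302 in statuses})
    return findings


# Constructed sample log (documentation-range addresses, no real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Dec/2024:09:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2024:09:00:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/Dec/2024:09:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/Dec/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/Dec/2024:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/Dec/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '203.0.113.9 - - [11/Dec/2024:09:01:05 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [11/Dec/2024:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def demo() -> list[dict]:
    return analyze(SAMPLE_LOG)
```

Behind a CDN or load balancer the client address is in `X-Forwarded-For`, not the first field, so adapt the regex to your log format before relying on the per-IP grouping; and a handful of 200s is normal user error, which is why the threshold exists.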
Tomi Engdahl says:
Have you received an email like this? Behind it is a major international operation
In an international operation, several websites used for denial-of-service attacks have been taken offline.
https://www.iltalehti.fi/digiuutiset/a/edecc43f-5157-46e3-a4b9-8ee8bdf24622
In an international operation, dozens of sites used for denial-of-service attacks have been shut down.
Hundreds of Finns were found among the services' users.
The National Bureau of Investigation (KRP) is sending emails to Finnish users informing them that the service was illegal.
KRP sent emails
From Finland, the KRP took part in the operation and has contacted Finnish users registered with the services by email.
In its message, the police state that the recipient registered on a site offering illegal services which has since been seized. The user is warned that the site was illegal and urged to stop using it and to delete any data and software associated with the service from their devices.
The police do not currently suspect the Finns who received the email of a crime, and the email requires no action from recipients. Those who received the message can, if they wish, contact the National Bureau of Investigation by email at poweroff.krp@poliisi.
Considered harmless
Carrying out a denial-of-service attack is a punishable offence under the Criminal Code. The applicable offence may be, for example, interference with an information system or with telecommunications.
According to Detective Superintendent Mikko Rauhamaa of the National Bureau of Investigation, denial-of-service attacks are often regarded as fairly harmless, a kind of digital traffic jam. At worst, however, they can cause serious harm to people, companies and even critical functions of society as a whole, such as the emergency response centre.
For consumers, denial-of-service attacks can show up as outages of everyday services, such as online banking or payment terminals in shops.
Defending against the attacks often requires extensive and expensive protective measures. Getting a downed online service back to normal operation can take a great deal of time and money.
A first step into cybercrime
According to Rauhamaa, the use of booter services is unfortunately common especially among young people, and DDoSing on gaming platforms, for example, is often a young person's first contact with cybercrime.
The police remind that an attack carried out with an automated tool is also a crime.
Tomi Engdahl says:
A Potential Exploit With The Ext Filesystem
https://hackaday.com/2024/12/10/a-potential-exploit-with-the-ext-filesystem/
The extended filesystem, otherwise known as ext, has been a fundamental part of Linux since before the 1.0 release in 1994. Currently the filesystem is on its fourth major revision, in use since its release in 2008 thanks to its stability, reliability, and backwards compatibility with the other ext filesystem versions. But with that much history there are bound to be a few issues cropping up here and there. [Will] recently found an exploit with this filesystem that can cause a Linux kernel to immediately panic when a manipulated USB drive is inserted into a computer.
https://infosec.exchange/@chort/113625798207808552
Back when I was poking around with filesystem fuzzing stuff years back, I noticed something odd:
An EXT filesystem can tell the Linux OS how it should behave “if” the filesystem is corrupt, including triggering a kernel panic. In a world where USB thumb drives exist, this seems… not ideal.
Let’s see what happens if we plug such a mass storage device into a fully patched Chromebook in 2024…
The man page for tune2fs is pretty clear about this capability.
The person who writes the data to the USB mass storage device can specify that both:
1) The OS that reads the device should panic if the filesystem has an error.
2) The filesystem has an error.
It’s funny (and rather cringe-inducing) to us infosec folks, but to 99% of developers they will always say “why would anyone do that?”
The vast majority just truly have no concept that anyone might want to act maliciously. If the engineer themself wouldn’t perform a malicious action, they cannot conceive that anyone else would.
Small thumb drives that are almost flush with the port exist. Stick one of these behind any important machine that you've gained physical access to and walk away while you hear it boot loop in perpetuity until the drive is identified or the entire machine replaced.
Copy shops. Though those are probably not running on Linux.
Or those photo copiers that are also scanners and allow the user to save the scan on a USB-Stick.
We'd need to think about ways how a forced reboot can become something more interesting.
if you have the ability to supply external boot media, but cannot access the power button (kiosk perhaps?)
Another example: Many years ago I found a security “appliance” that allowed passwordless database login by root, with a limited set of privileges. Interestingly, the privileges allowed creating new privileges, but did not allow applying the privileges. However, the new privileges would be applied when the DB restarted. So I combine that with an existing Linux kernel unauthenticated remote DoS that would reboot the machine.
I’m sure people way smarter than me could figure out ways to leverage this.
Yes, I was thinking about something like a kiosk, a machine that provides a service and people need to plug in their USB sticks, but the machine is physically locked away otherwise (e.g. at the other side of a wall).
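The policy the thread is talking about is a field in the ext superblock: `tune2fs -e {continue|remount-ro|panic}` writes `s_errors`, and the kernel applies it when the filesystem trips an error check. The following is an added example, not code from the Hackaday post or the Mastodon thread: it reads that field from a raw image so untrusted media can be inspected before anything mounts it. Offsets come from the ext2/3/4 on-disk format (primary superblock at byte 1024; within it `s_magic` 0xEF53 at offset 56, `s_state` at 58 and `s_errors` at 60, little-endian u16; `s_errors` 1/2/3 = continue/remount-ro/panic). The sample images are constructed headers, not mountable filesystems.

```python
"""Added example: report an ext image's on-disk error policy, the setting
that lets a USB stick ask the host to panic on a filesystem error."""
import struct

SB_OFFSET = 1024                 # primary superblock location
EXT_MAGIC = 0xEF53
STATE_ERROR_FS = 0x0002          # s_state bit: the fs has recorded an error
ERRORS_BEHAVIOUR = {1: "continue", 2: "remount-ro", 3: "panic"}


def is_ext_image(image: bytes) -> bool:
    """True if the image is large enough and carries the ext magic."""
    if len(image) < SB_OFFSET + 64:
        return False
    (magic,) = struct.unpack_from("<H", image, SB_OFFSET + 56)
    return magic == EXT_MAGIC


def inspect_superblock(image: bytes) -> dict:
    """Decode s_state and s_errors; raise if this is not an ext filesystem."""
    if not is_ext_image(image):
        raise ValueError("not an ext2/3/4 image (missing magic or too small)")
    _magic, state, errors = struct.unpack_from("<HHH", image, SB_OFFSET + 56)
    behaviour = ERRORS_BEHAVIOUR.get(errors, f"unspecified({errors})")
    return {
        "errors_behaviour": behaviour,
        "error_flag_set": bool(state & STATE_ERROR_FS),  # fsck-needed flag already on the medium
        # The actionable finding: removable media should never be allowed to
        # dictate a host panic, whatever else is wrong with it.
        "refuse_mount": behaviour == "panic",
    }


def make_test_image(errors: int, state: int = 0x0001) -> bytes:
    """Constructed 4 KiB image: zeros plus a minimal superblock header."""
    buf = bytearray(4096)
    struct.pack_into("<HHH", buf, SB_OFFSET + 56, EXT_MAGIC, state, errors)
    return bytes(buf)


def check_file(path: str) -> dict:
    """Inspect a real image or block device (only the first 2 KiB are read)."""
    with open(path, "rb") as fh:
        return inspect_superblock(fh.read(SB_OFFSET + 1024))
```

On a live system the same information is `dumpe2fs -h /dev/sdX | grep -i 'errors behavior'`, and the policy can be neutralised either on the medium (`tune2fs -e remount-ro /dev/sdX`) or at mount time, since an explicit `mount -o errors=remount-ro` overrides the superblock default; automounters that mount with defaults are the ones that inherit whatever the stick says.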
Tomi Engdahl says:
All of Meta’s platforms – Facebook, Instagram, WhatsApp, Messenger and Threads – appear to have broken in a huge outage.
https://www.independent.co.uk/tech/facebook-down-instagram-meta-outage-b2662836.html#Echobox=1733941975
Tomi Engdahl says:
WAF Vulnerability in Akamai, Cloudflare, and Imperva Affected 40% of Fortune 100 Companies
https://cybersecuritynews.com/waf-vulnerability-in-akamai-cloudflare-and-imperva/#google_vignette
A recently discovered security vulnerability dubbed “BreakingWAF” in the configuration of web application firewall (WAF) services has left numerous Fortune 1000 companies vulnerable to cyberattacks, according to Zafran, a leading cybersecurity research team.
The flaw affects some of the most popular WAF providers, including Akamai, Cloudflare, Fastly, and Imperva. The flaw makes denial-of-service (DoS) attacks, ransomware, and even full application compromise very likely.
This misconfiguration, uncovered by Zafran’s researchers, impacts over 140,000 domains belonging to Fortune 1000 companies. Among these, 36,000 backend servers had 8,000 domains linked to them, leaving them open to potential attackers and susceptible to DDoS attacks.
Nearly 40% of Fortune 100 and 20% of Fortune 1000 companies are affected, highlighting widespread misconfiguration.
Zafran’s team demonstrated the severity of this vulnerability by executing a 20-second denial-of-service attack on a web domain owned by Berkshire Hathaway subsidiary BHHC, highlighting the potential for real-world consequences.
According to the Zafran technical analysis, the flaw lies in the dual functionality of modern WAF providers, which also operate as content delivery networks (CDNs) to enhance network reliability and caching.
When backend servers don’t properly check traffic, this architectural design opens up a major hole that lets attackers get around WAF protections and go straight for backend infrastructure.
Attackers can exploit this flaw by mapping external domains to backend IP addresses, mappings the companies intend to keep secret but which attackers can reverse-engineer using advanced fingerprinting techniques.
Attackers can launch distributed denial-of-service (DDoS) attacks, install ransomware, or exploit application vulnerabilities that the WAF would typically block once they gain access to the backend servers.
The discovery highlights a systemic weakness in the design and implementation of WAF/CDN solutions.
Cyber incidents stemming from WAF bypasses have already resulted in catastrophic consequences, as seen in the Capital One data breach, one of the largest in history.
Recent trends show attackers increasingly targeting web applications with poor configurations. For instance, we have observed the Advanced Persistent Threat (APT) group APT41 exploiting similar vulnerabilities to exfiltrate sensitive data. Additionally, cloud ransomware attacks on exposed web applications are becoming more common.
The financial impact of such attacks is staggering. For example, a DDoS attack lasting an hour could cost a financial organization approximately $1.8 million, while a similar duration of downtime for a major pizza chain could result in losses of up to $1.9 million.
To safeguard against the risks associated with this WAF misconfiguration, Zafran outlined several mitigation strategies
IP Whitelisting (Origin IP Access Control Lists): Restrict access to backend servers to only the IP addresses of CDN providers. Although simple, this method is not foolproof.
Pre-Shared Secrets in Custom Headers: Use custom HTTP headers with pre-shared secrets to authenticate traffic. While effective in the short term, this requires periodic secret rotation.
Mutual TLS (mTLS): Employ client certification to validate both the server and CDN. This is the most secure approach, but it requires specialized tooling that may not be supported by all popular load balancers.
WAF providers like Akamai and Cloudflare offer detailed guides for implementing these mitigation measures.
Zafran initiated a 90-day coordinated disclosure process to notify impacted companies, beginning on August 23, 2024. The team reported the vulnerability to Visa, Intel, JPMorgan Chase, Berkshire Hathaway’s BHHC, and UnitedHealth. Notably, JPMorgan Chase and UnitedHealth have already resolved the issue, preventing potential exploitation.
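The three mitigations listed above are layers of one origin-side check: the request must arrive from the CDN's egress addresses and must prove it was proxied by the CDN, via a pre-shared header or a client certificate. The following is an added example, not code from Zafran or any WAF vendor, of that check as a function a reverse proxy or application middleware would run on every request reaching the origin. The network ranges, header name and secret are hypothetical placeholders; in practice use your CDN's published egress ranges and a random secret that the CDN is configured to inject. The allowlist alone is weak because another customer of the same CDN can point their zone at your origin and arrive from an allowlisted address, which is why the second layer must also hold.

```python
"""Added example: layered origin admission (CDN IP allowlist AND pre-shared
header OR mTLS), the hardening behind the BreakingWAF mitigations."""
import hmac
import ipaddress

# Hypothetical values: replace with the CDN's published ranges and your own secret.
CDN_EGRESS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]
ORIGIN_HEADER = "X-Origin-Auth"                 # header the CDN adds to proxied requests
ORIGIN_SECRET = "replace-me-with-32-random-bytes"  # rotate periodically


def from_cdn(client_ip: str) -> bool:
    """Layer 1: is the TCP peer one of the CDN's egress addresses?"""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_EGRESS)


def secret_header_ok(headers: dict) -> bool:
    """Layer 2a: pre-shared secret header, compared in constant time so a
    direct-to-origin attacker cannot recover it byte by byte from timing."""
    presented = next((v for k, v in headers.items() if k.lower() == ORIGIN_HEADER.lower()), "")
    return hmac.compare_digest(presented.encode(), ORIGIN_SECRET.encode())


def admit(client_ip: str, headers: dict, mtls_client_verified: bool = False) -> tuple[bool, str]:
    """Decide whether the origin should serve this request.

    mtls_client_verified is layer 2b: the TLS terminator's result of
    verifying the CDN's client certificate against the pinned CA.
    Returns (allowed, reason) so the reason can be logged."""
    if not from_cdn(client_ip):
        return False, "peer not in CDN egress ranges (direct-to-origin attempt)"
    if mtls_client_verified:
        return True, "CDN egress + verified mTLS client certificate"
    if secret_header_ok(headers):
        return True, "CDN egress + valid pre-shared origin header"
    return False, "CDN egress but no origin proof (possible abuse via another CDN tenant)"
```

Whichever proof you use, the rejection branch should also be what the origin returns to scanners that found its address by fingerprinting: a closed door, not the application behind the WAF.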
Tomi Engdahl says:
FBI Warns iPhone, Android Users—Change WhatsApp, Facebook Messenger, Signal Apps
https://www.forbes.com/sites/zakdoffman/2024/12/10/fbi-warns-iphone-android-users-change-whatsapp-facebook-messenger-signal-apps/
Last week, the FBI warned iPhone and Android users to stop texting and to use an encrypted messaging platform instead. The news made global headlines, with cyber experts urging smartphone users to switch to fully secured platforms—WhatsApp, Signal, Facebook Messenger. But the FBI also has a serious security warning for U.S. citizens using encrypted platforms—those apps, it says, need to change.
While China has denied any involvement in the ongoing cyberattacks on U.S. telco networks, describing this as "a pretext to smear China," government agencies are clear that Salt Typhoon hackers linked to China's Ministry of State Security have infiltrated multiple networks, putting both metadata and actual content at risk.
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/chinese-hackers-use-visual-studio-code-tunnels-for-remote-access/