This posting is here to collect cyber security news in February 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
https://www.hackster.io/news/qualys-warns-of-a-gnu-c-library-flaw-leading-to-a-privilege-escalation-vulnerability-in-linux-bee9f4a2d059?fbclid=IwAR3M5c1HA2_EWIP3htYi6K_R3-TUAHQcguqht4a4XoLm062Xxb6puplcSkM
Tomi Engdahl says:
https://www.404media.co/binance-internal-code-and-passwords-exposed-on-github-for-months/?fbclid=IwAR1UgtY8SV-J19h5oWlPYgFJB5RJColzc6Fe7AYvHV6W7LmOLEm5cKhH9Yk
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/?fbclid=IwAR1IAx4a5XVJJDfTom5e250CjN4nunbhcC8qXB63ADsFXJD7jyqb1a3mlJM
Tomi says:
https://www.securityweek.com/leaked-github-token-exposed-mercedes-source-code/
Tomi says:
https://www.securityweek.com/gnu-c-library-vulnerability-leads-to-full-root-access/
Tomi says:
CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products
In an unprecedented move, CISA is demanding that federal agencies disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.
https://www.securityweek.com/cisa-sets-48-hour-deadline-for-removal-of-insecure-ivanti-products/
Tomi Engdahl says:
Google’s automatic update system broke people’s devices, but the fix is completely manual, requiring users to download the developer tools, install drivers, change settings, plug in their phones, and delete certain files via a command-line interface.
https://arstechnica.com/gadgets/2024/02/googles-pixel-storage-issue-fix-requires-developer-tools-and-a-terminal/?utm_social-type=owned&utm_medium=social&utm_brand=ars&utm_source=facebook&fbclid=IwAR2B8ThvEdQ2sXozx5FInD-vme_QVBB2gdtihaGnBhdyAheiTHPN42kWjHE
Tomi Engdahl says:
Helsinki's absurd problem turns out to be wider: emails are not getting through
The City of Helsinki is having trouble getting the emails it sends delivered to their recipients.
https://www.hs.fi/kaupunki/art-2000010200081.html?fbclid=IwAR2F0u0B4G3986dhOnrpzhfzCgH88rrVXYAn7ITyPnkgGf5kDXL1xl2QGkY
Tomi Engdahl says:
Taping over your webcam might not be enough to stop hackers from spying on you — they can now use a device’s ambient light sensor
By Mark Tyson published 1 day ago
Time to install another privacy shutter (or piece of tape).
https://www.tomshardware.com/peripherals/webcams/taping-over-your-webcam-might-not-be-enough-to-stop-hackers-from-spying-on-you
Tomi Engdahl says:
That tape over your webcam may not be enough. Researchers at the Massachusetts Institute of Technology (MIT) have highlighted imaging privacy threats enabled by ambient light sensors, in a paper recently published in Science Advances. Device users concerned with security and privacy may be comforted by hardware solutions (shutters) and software permissions restricting webcam use. However, researchers have shown visual information can be gathered via one of the common ambient light sensors installed in many devices. These small sensors usually aren’t shuttered or disabled by users and are typically permission-free on a device level.
Ambient light sensors are categorized as low-risk by device makers and can often be accessed directly by software (or malware) without any permissions or privileges. Nevertheless, previous studies have shown such a rudimentary sensor can provide enough information to infer keystrokes on a virtual keyboard and steal a device PIN, about 80% of the time. The new research shows what an ambient light sensor can do when combined with an active light source component – namely the device's screen.
https://www.tomshardware.com/peripherals/webcams/taping-over-your-webcam-might-not-be-enough-to-stop-hackers-from-spying-on-you
Tomi Engdahl says:
The man who owes Nintendo $14m: Gary Bowser and gaming’s most infamous piracy case
The hacker whose involvement with anti-piracy software ended in a jail sentence has emerged from prison struggling to make rent as he starts paying his fine. ‘It could be worse,’ he says
https://www.theguardian.com/games/2024/feb/01/the-man-who-owes-nintendo-14m-gary-bowser-and-gamings-most-infamous-piracy-case
Tomi Engdahl says:
Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs
https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html
Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.
The intrusion, which took place between November 14 and 24, 2023, and was detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/
Tomi Engdahl says:
https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_5/2024
Significant vulnerability in the GNU glibc library
Vulnerability 5/2024, CVE-2023-6246 (external link)
Published 01.02.2024 10:59
A buffer overflow vulnerability has been found in the GNU glibc library that affects several Linux distributions. The vulnerability allows local users to escalate their privileges to root. Among Linux distributions, at least Debian (versions 12 and 13), Ubuntu (23.04 and 23.10) and Fedora (37 to 39) have been confirmed vulnerable. Corrective updates are available for the distributions mentioned.
Tomi Engdahl says:
https://venturebeat.com/ai/ai-poisoning-tool-nightshade-received-250000-downloads-in-5-days-beyond-anything-we-imagined/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/a-mishandled-github-token-exposed-mercedes-benz-source-code/
Tomi Engdahl says:
https://arstechnica.com/gadgets/2024/01/microsoft-edge-is-apparently-seamlessly-usurping-chrome-on-peoples-pcs/
Tomi Engdahl says:
https://www.reuters.com/technology/x-lifts-ban-taylor-swift-searches-after-explicit-fake-images-spread-wsj-2024-01-30/
Tomi Engdahl says:
https://arstechnica.com/security/2024/01/ars-reader-reports-chatgpt-is-sending-him-conversations-from-unrelated-ai-users/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-outlook-apps-cant-connect-to-outlookcom/
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Remote desktop software maker AnyDesk says it has suffered a cyberattack recently; source: hackers stole source code and private code signing keys
AnyDesk says hackers breached its production servers, reset passwords
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/#google_vignette
Tomi Engdahl says:
https://arstechnica.com/security/2024/01/the-life-and-times-of-cozy-bear-the-russian-hackers-who-just-hit-microsoft-and-hpe/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/hackers-target-wordpress-database-plugin-active-on-1-million-sites/
Tomi Engdahl says:
Ransomware Hit on Tietoevry Causes IT Outages Across Sweden
Finnish IT Services Previews Days or Weeks of Disruption, Ties Attack to Akira
https://www.bankinfosecurity.com/ransomware-hit-on-tietoevry-causes-outages-across-sweden-a-24154
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/over-5-300-gitlab-servers-exposed-to-zero-click-account-takeover-attacks/
Tomi Engdahl says:
https://www.techradar.com/pro/sec-reveals-how-its-twitter-account-was-hacked-and-its-rather-embarrassing
Tomi Engdahl says:
Mother of all breaches reveals 26 billion records: what we know so far
https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/
Tomi Engdahl says:
In major gaffe, hacked Microsoft test account was assigned admin privileges
How does a legacy test account grant access to read every Office 365 account?
https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/
Tomi Engdahl says:
https://crypto.stackexchange.com/questions/104251/is-there-a-hash-function-thats-more-expensive-for-an-attacker-than-for-the-serv
Tomi Engdahl says:
3 million smart toothbrushes were just used in a DDoS attack. Really
https://www.zdnet.com/home-and-office/smart-home/3-million-smart-toothbrushes-were-just-used-in-a-ddos-attack-really/?fbclid=IwAR1x4pvsDgXC927dvMEuw9uReM4pBDlXMeE-g0KdRdNcyl_npNNugeu0kAs
What’s next, malware-infected dental floss? But seriously: It’s a reminder that even the smallest smart home devices can be a threat. Here’s how to protect yourself.
Tomi Engdahl says:
https://thehackernews.com/2024/02/hackers-exploit-job-boards-in-apac.html
Tomi says:
https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been credited with discovering and reporting the bug.
Major Linux distributions that use shim such as Debian, Red Hat, SUSE, and Ubuntu have all released advisories for the security flaw.
https://nvd.nist.gov/vuln/detail/CVE-2023-40547
CVE-2023-40547 Detail
Description
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.
https://wiki.debian.org/SecureBoot
Shim
shim is a simple software package that is designed to work as a first-stage bootloader on UEFI systems.
It was developed by a group of Linux developers from various distros, working together to make SB work using Free Software. It is a common piece of code that is safe, well-understood and audited so that it can be trusted and signed using platform keys. This means that Microsoft (or other potential firmware CA providers) only have to worry about signing shim, and not all of the other programs that distro vendors might want to support.
Shim then becomes the root of trust for all the other distro-provided UEFI programs. It embeds a further distro-specific CA key that is itself used as a trust root for signing further programs (e.g. Linux, GRUB, fwupdate). This allows for a clean delegation of trust – the distros are then responsible for signing the rest of their packages. Shim itself should ideally not need to be updated very often, reducing the workload on the central auditing and CA teams.
Tomi Engdahl says:
Helsinki's absurd problem turns out to be wider: city residents using Google's email service may not receive even important messages
The City of Helsinki is having trouble getting the emails it sends delivered to their recipients.
https://www.hs.fi/kaupunki/art-2000010200081.html?fbclid=IwAR0uboWyutsTqsoOWccfAOzByhzHkZ3i4l_U3-rpFwlR0wSrtC2d0h1Opyg
Tomi says:
https://www.darkreading.com/vulnerabilities-threats/rce-vulnerability-in-shim-bootloader-impacts-all-linux-distros
Exaggerated Severity?
Some security experts, though, perceived the vulnerability as requiring a high degree of complexity and happenstance to exploit. Lionel Litty, chief security architect at Menlo Security, says the exploitation bar is high because the attacker would need to already have gained administrator privileges on a vulnerable device. Or they’d need to be targeting a device that uses network boot and also be able to perform a man-in-the-middle attack on the local network traffic of the targeted device.
“According to the researcher who found the vulnerability, a local attacker can modify the EFI partition to modify the boot sequence to then be able to leverage the vulnerability,” Litty says. “[But] modifying the EFI partition will require being a fully privileged admin on the victim machine,” he says.
If the device is using network boot and the attacker can do MITM on the traffic, then that’s when they can target the buffer overflow. “They would return a malformed HTTP response that would trigger the bug and give them control over the boot sequence at this point,” Litty says. He adds that organizations with machines using HTTP boot or pre-boot execution environment (PXE) boot should be concerned, especially if communication with the boot server is in an environment where an adversary could insert themselves into the middle of traffic.
Shachar Menashe, senior director of security research at JFrog, says Red Hat’s assessment of the vulnerability’s severity is more accurate than NVD’s “over-exaggerated” score.
There are two possible explanations for the discrepancy, he says. “NVD provided the score based on keywords from the description, and not a thorough analysis of the vulnerability,” he says. For example, assuming that “malicious HTTP request” automatically translates to a network attack vector.
NVD may also be alluding to an extremely unlikely worst-case scenario where the victim machine is already configured to boot via HTTP from a server outside the local network and the attacker already has control over this HTTP server. “This is an extremely unlikely scenario which would cause tons of trouble even unrelated to this CVE,” Shachar says.
THE REAL SHIM SHADY – HOW CVE-2023-40547 IMPACTS MOST LINUX SYSTEMS
https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/
Tomi says:
https://lists.debian.org/debian-lts-announce/2023/02/msg00006.html
https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
https://arstechnica.com/security/2024/02/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits/
Tomi Engdahl says:
Warning to NATO allies from the Netherlands: Supo is awake too
According to Dutch authorities, Chinese hackers succeeded in planting espionage malware in the network of the country's armed forces.
https://www.is.fi/ulkomaat/art-2000010222145.html
According to Dutch intelligence authorities, Chinese espionage in the Netherlands and its allied countries is clearly on the rise. Finland, as a NATO ally of the Netherlands, also belongs to this group of countries.
The Dutch military intelligence services reported last week that Chinese state-backed cyber spies managed to penetrate a Dutch military network last year.
According to the intelligence services, the operation was part of China's political espionage against the Netherlands and its allies.
Tomi says:
https://etn.fi/index.php/13-news/15853-yli-70-000-sivustoa-mukana-haittaohjelmien-levitysverkossa
https://www.uusiteknologia.fi/2024/02/13/vextrio-on-pahin-kyberuhkien-levittaja/
Tomi Engdahl says:
Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries — smart security systems vulnerable as tech becomes cheaper and easier to acquire
By Mark Tyson published 1 day ago
Police believe a string of nine robberies in Edina have used this tech.
https://www.tomshardware.com/networking/wi-fi-jamming-to-knock-out-cameras-suspected-in-nine-minnesota-burglaries-smart-security-systems-vulnerable-as-tech-becomes-cheaper-and-easier-to-acquire
Tomi Engdahl says:
The Canadian government wants to ban Flipper Zero-type hacker tools to combat car theft (Updated)
By Les Pounder published about 7 hours ago
Grand Theft Dolphin?
https://www.tomshardware.com/software/security-software/the-canadian-government-wants-to-ban-flipper-zero-type-hacker-tools-to-combat-car-theft
Tomi Engdahl says:
New Wi-Fi Authentication Bypass Flaws Expose Home, Enterprise Networks
https://www.securityweek.com/new-wi-fi-authentication-bypass-flaws-expose-home-enterprise-networks/
A couple of Wi-Fi authentication bypass vulnerabilities found in open source software can expose enterprise and home networks to attacks.
A couple of new Wi-Fi authentication bypass vulnerabilities found in open source software could expose many enterprise and home networks to attacks.
The vulnerabilities were discovered by Mathy Vanhoef, a professor at the KU Leuven research university in Belgium, and Heloise Gollier, a student at KU Leuven, in collaboration with VPN testing company Top10VPN. Vanhoef is well known for his research in the field of Wi-Fi security, including for the attacks named KRACK, Dragonblood, and FragAttacks.
The newly disclosed Wi-Fi authentication bypass vulnerabilities have been found in Wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) software.
Wpa_supplicant, which provides support for WPA, WPA2 and WPA3, is present in all Android devices, a majority of Linux devices, and the Chromebook operating system ChromeOS.
The vulnerability identified in Wpa_supplicant, tracked as CVE-2023-52160, can be exploited against users connecting to an enterprise Wi-Fi network. The flaw can allow an attacker to trick a targeted user into connecting to a malicious Wi-Fi network set up to mimic a legitimate enterprise network. The attacker can then intercept the victim’s traffic.
“The vulnerability can be exploited against Wi-Fi clients that are not properly configured to verify the certificate of the authentication server, which unfortunately still often occurs in practice, in particular with ChromeOS, Linux, and Android devices,” the researchers wrote in a paper describing the flaws.
Bypassing Wi-Fi Authentication in Modern WPA2/3 Networks
https://www.top10vpn.com/assets/2024/01/Top10VPN-Vanhoef-WiFi-Vulnerabilities.pdf
How vulnerabilities in Wi-Fi software put users at risk, despite the recent release of new security standards like WPA3
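One check a defender can run for the misconfiguration the researchers describe, as an added example that is not code from the article or from the researchers' paper: it parses wpa_supplicant.conf network blocks and flags WPA-EAP profiles that set no ca_cert or no domain_suffix_match/domain_match, so the client would accept any authentication server. The configuration keys are the real wpa_supplicant ones; the sample configuration is constructed.

```python
"""Flag wpa_supplicant WPA-EAP profiles that do not verify the RADIUS server.

Added example, not code from the article or the researchers' paper. Uses the
standard wpa_supplicant.conf keys; the sample configuration is constructed."""
import re

# Keys that anchor trust in a CA, and keys that pin which server name is expected.
ANCHOR_KEYS = {"ca_cert", "ca_cert2", "ca_path"}
IDENTITY_KEYS = {"domain_suffix_match", "domain_match", "altsubject_match", "subject_match"}
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', re.M)

def parse_networks(conf_text):
    """Return one dict of key/value pairs per network={...} block."""
    return [dict(KV_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(conf_text)]

def audit_network(net):
    """Return findings for an enterprise profile; an empty list means it pins its server."""
    key_mgmt = net.get("key_mgmt", "")
    if "WPA-EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return []  # PSK/SAE/open networks have no authentication server certificate
    findings = []
    if not ANCHOR_KEYS.intersection(net):
        findings.append("no ca_cert: any server certificate is accepted")
    if not IDENTITY_KEYS.intersection(net):
        findings.append("no domain/subject match: any certificate from the CA is accepted")
    return findings

def audit_conf(conf_text):
    """Map (index, ssid) of every flagged profile to its findings."""
    report = {}
    for i, net in enumerate(parse_networks(conf_text)):
        findings = audit_network(net)
        if findings:
            report[(i, net.get("ssid", "?"))] = findings
    return report

# Constructed sample: the first block is the weak profile, the second the corrected one.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="HomeWiFi"
    key_mgmt=WPA-PSK
    psk="correct horse battery staple"
}
"""

if __name__ == "__main__":
    for (idx, ssid), findings in audit_conf(SAMPLE_CONF).items():
        print(f"network #{idx} ({ssid}): " + "; ".join(findings))
```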
Tomi Engdahl says:
DDoS Hacktivism is Back With a Geopolitical Vengeance
https://www.securityweek.com/ddos-hacktivism-is-back-with-a-geopolitical-vengeance/
DDoS attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance.
Distributed denial of service (DDoS) attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance. All these drivers currently coexist, but aggressive geopolitical revenge now dominates.
This is the primary conclusion to be drawn from StormWall’s Q4 2023 review of global DDoS attacks. StormWall, based in Bratislava, Slovakia, offers a DDoS protection service delivered through a global network of scrubbing centers.
The effect of geopolitics is clearly seen in the timing and volume of current attacks against Israel. In Q3, 2023, less than 1% of global attacks targeted Israel. But following the Hamas raid on October 7, 2023, and the retaliatory invasion of Gaza by the Israeli military, this number leapt to 10.6% — with size and durations ranging from 1.2 Gbps to 135 Gbps, and from a few minutes to 24 hours. In Q4, 2023, tiny Israel became the fourth most DDoS attacked nation in the world, behind China (12.6%), USA (12.2%) and India (11.7%).
Tomi Engdahl says:
Application Security
No Security Scrutiny for Half of Major Code Changes: AppSec Survey
https://www.securityweek.com/no-security-scrutiny-for-half-of-major-code-changes-appsec-survey/
Only 54% of major code changes go through a full security review, a new CrowdStrike State of Application Security report reveals.
Tomi Engdahl says:
Jamie Tarabay / Bloomberg:
The US and its allies disrupt access by Russia-backed hacking group APT28, or Fancy Bear, to 1,000+ home and small business routers used for criminal purposes — The US and its allies have disrupted access by a Russian-state sponsored hacking organization to “well over a thousand home …
https://www.bloomberg.com/news/articles/2024-02-15/us-and-allies-kick-russian-hackers-off-home-routers-fbi-says
Tomi Engdahl says:
Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC
‘You don’t have to do more than that to disconnect an entire network’ El Reg told as patches emerge
https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
Tomi Engdahl says:
https://www.tomshardware.com/pc-components/cpus/intel-discloses-34-security-holes-in-firmware-and-software-thunderbolt-xtu-chipset-drivers-and-more
Tomi Engdahl says:
https://www.zdnet.com/home-and-office/smart-home/3-million-smart-toothbrushes-were-not-used-in-a-ddos-attack-but-they-could-have-been/
https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/#google_vignette
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/google-tests-blocking-side-loaded-android-apps-with-risky-permissions/
Tomi Engdahl says:
Security firm now says toothbrush DDOS attack didn’t happen, but source publication says company presented it as real
By Mark Tyson published February 09, 2024
Dental IoT devices caused millions of Euros in damages for Swiss company, says report.
https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages
Tomi Engdahl says:
Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros
https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/