Cyber security news April 2024

This posting is here to collect cyber security news in April 2024.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

50 Comments

  1. Tomi Engdahl says:

    Chromen uusi toiminto suojaa tietojen kalastelulta
    Google on päivittänyt Chromea uudella tietoturvaominaisuudella, joka vaikeuttaa hakkerien pääsyä tiedostoihisi. Lue nyt, miten se otetaan käyttöön.
    https://kotimikro.fi/internet/selain/chromen-uusi-toiminto-suojaa-tietojen-kalastelulta

    Suojaksi Google Safe Browsing
    Google on lisännyt Chromeen uuden tietoturvaominaisuuden, joka pitää tietosi turvassa ja verkkorikolliset loitolla.

    Toiminto on nimeltään Google Safe Browsing, ja se suojaa käyttäjiä hyökkäyksiltä reaaliaikaisesti. Aiemmin se sisälsi luettelon vaarallisista tiedostoista, ja sen avulla tarkistettiin, ovatko selaamasi verkkosivustot vaarallisia.

    Luettelo päivitettiin 30–60 minuutin välein, mutta Googlen tutkimusten mukaan vaaralliset sivustot ovat yleensä olemassa vain alle kymmenen minuuttia. Siksi ominaisuus suojaa nyt hakujasi reaaliaikaisesti, mikä Googlen mukaan estää 25 prosenttia enemmän phishing-hyökkäyksiä eli tiedonkalastelua.´

    Suojaa tietokoneen, iPhonen ja Android-laitteet
    Uusi ominaisuus on jo saatavilla tietokoneisiin ja iPhonelle, ja myöhemmin tässä kuussa se saadaan myös Android-laitteisiin.

    Sinun ei tarvitse tehdä mitään saadaksesi uuden ominaisuuden käyttöön, sillä se on oletusarvoisesti käytössä, jos olet ottanut oletussuojauksen käyttöön Chromessa.

    Kannattaa myös huomata, että Google Chromessa voit ottaa käyttöön Parannettu suojaus -toiminnon, joka tarjoaa vielä kehittyneempiä tietoturvapalveluja.

    Ottamalla tämän ominaisuuden käyttöön saat muun muassa varoituksen salasanavuodoista ja suojaa haitallisilta selaimen laajennuksilta.

    Reply
  2. Tomi Engdahl says:

    Cloud Email Filtering Bypass Attack Works 80% of the Time
    A majority of enterprises that employ cloud-based email spam filtering services are potentially at risk, thanks to a rampant tendency to misconfigure them.
    https://www.darkreading.com/cloud-security/cloud-email-filtering-bypass-attack

    Reply
  3. Tomi Engdahl says:

    Backdoor found in widely used Linux utility targets encrypted SSH connections
    Malicious code planted in xz Utils has been circulating for more than a month.
    https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

    Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

    The compression utility, known as xz Utils, introduced the malicious code in versions ​​5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems.

    Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it’s not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

    Reply
  4. Tomi Engdahl says:

    PyPI halted new users and projects while it fended off supply-chain attack
    Automation is making attacks on open source code repositories harder to fight.
    https://arstechnica.com/security/2024/03/pypi-halted-new-users-and-projects-while-it-fended-off-supply-chain-attack/

    PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

    Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language.

    Reply
  5. Tomi Engdahl says:

    https://www.bleepingcomputer.com/news/security/700-cybercrime-software-turns-raspberry-pi-into-an-evasive-fraud-tool/

    Cybercriminals are selling custom Raspberry Pi software called ‘GEOBOX’ on Telegram, which allows inexperienced hackers to convert the mini-computers into anonymous cyberattack tools.

    GEOBOX is sold on Telegram channels for a subscription of $80 per month or $700 for a lifetime license, payable in cryptocurrency.

    Analysts at Resecurity discovered the tool during an investigation into a high-profile banking theft impacting a Fortune 100 company.

    Reply
  6. Tomi Engdahl says:

    Feds finally decide to do something about years-old SS7 spy holes in phone networks

    Feds finally decide to do something about years-old SS7 spy holes in phone networks
    And Diameter, too, for good measure
    https://www.theregister.com/2024/04/02/fcc_ss7_security/?fbclid=IwAR05GjQ4NtIH0lMI6zaj-qOk1fk9a50CY73vwTkJ9T-Lc8i562sYxK6Be1c

    The FCC appears to finally be stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices.

    At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today’s telecommunications together.

    According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7′s problems have been known about for years and years, as far back as at least 2008, and we wrote about them in 2010 and 2014, for instance. Little has been done to address these exploitable shortcomings.

    These threats, according to Wyden, are caused by flaws in SS7 and Diameter, and have been abused by “authoritarian governments to conduct surveillance” and obtain people’s information.

    This isn’t the first time Senator Wyden has demanded the government address vulnerabilities in SS7 — or the first time he’s called the protocol flaws a national security issue.

    Reply
  7. Tomi Engdahl says:

    Poliisi varoittaa verkko­pankkien käyttäjiä: ”Älä syötä”
    Verkkopankkiin menemiseen on turvallisempia ja vähemmän turvallisia tapoja.
    https://www.is.fi/digitoday/tietoturva/art-2000010336459.html

    Älä syötä verkkopankkitunnuksiasi qr-koodin välityksellä avautuvalle sivustolle, poliisi varoitti torstaina. Tiedotteen mukaan rikolliset ovat tunnistaneet tämän yksinkertaiseksi tavaksi ohjata ihmisiä haluamilleen huijaussivustoille.

    Qr-koodi on puhelimen kameralla luettava neliömäinen symboli, joka toimii nopeana reittinä paitsi verkkosivuille menemiseen, myös sovellusten asentamiseen ja maksamiseenkin. Monet internetsivustot sekä palveluiden tarjoajat ovat alkaneet käyttää näitä koodeja sivustojen suorien verkko-osoitteiden sijasta.

    Suomessa qr-koodeja on käytetty tähän asti maksamiseen melko vähän. Suosittu MobilePay kuitenkin edistää aktiivisesti maksutapaa tuomalla kauppojen kassoille puhelimien kameralla luettavia koodeja.

    Koodeja on kuitenkin helppo käyttää väärin. Sähköpostiohjelmistot eivät välttämättä estä haitallisia qr-koodeja sisältäviä viestejä, ja esimerkiksi katulampun kyljestä löytyvän mainoksen koodi on saattanut vanhentua ja on nyt valjastettu rikolliseen käyttöön. Vaarallisia qr-tarroja voidaan myös liimata alkuperäisten koodien päälle.

    Koodien väärinkäytöstä käytetään nimitystä quishing erotuksena tavallisesta kalastelusta (phishing)

    Sisä-Suomen poliisilaitos on lähiaikoina vastaanottanut useita ilmoituksia, joissa ulkomaalaisen verkkokauppapaikan käyttäjiä on ohjattu qr-koodien avulla verkkopankkisivustoja muistuttaville huijaussivustoille.

    Käyttäjät ovat saaneet ilmoituksen, että heidän myymänsä tuote on palvelun välityksellä ostettu ja ostotapahtuman vahvistamiseksi heidän tulisi kirjautua henkilökohtaisilla verkkopankkitunnuksilla huijaussivustolle tai syöttää maksukorttinsa tiedot, jotta voisivat vastaanottaa maksun.

    Verkkopankkitunnuksilla kirjautumisen tai maksukorttitietojen syöttämisen jälkeen käyttäjien pankkitileiltä tai maksukorteilla on tehty oikeudettomia veloituksia, jotka ovat päätyneet ulkomaille.

    Reply
  8. Tomi Engdahl says:

    new linux exploit is absolutely insane
    https://www.youtube.com/watch?v=ixn5OygxBY4

    The new privilege escalation against the Linux is absolutely wild. In this video we talk about what a privesc is, how they typically work, and why the techniques used in this one are so wild

    Reply
  9. Tomi Engdahl says:

    What Everyone Missed About The Linux Hack
    https://www.youtube.com/watch?v=0pT-dWpmwhA

    The xz exploit pushed the limits of social engineering, code obfuscation, package distribution and more. I’m concerned the important parts aren’t being covered, so I decided to do a vid

    Comments:

    This attack hit the entire software exploit playbook. Built trust? Check. Socially engineered a situation? Check. Built an elaborate, difficult to detect exploit? Check. Managed to infiltrate a wide scope of possible downstream systems? CHECK!
    I hope there is recourse against this (these?!) bad actor(s).

    Reply
  10. Tomi Engdahl says:

    Linux Supply Chain Attack Discovered in SSH CVE-2024-3094
    https://www.youtube.com/watch?v=VsCTp9yH6iQ

    CHAPTERS:
    0:00 – Intro
    0:48 – How the backdoor was discovered
    2:11 – Security Vulnerability Details
    4:56 – Open Source Security

    Reply
  11. Tomi Engdahl says:

    The XZ Backdoor Almost Compromised Every Linux System
    https://www.youtube.com/watch?v=044GiRqGebc

    In this video I discuss how advanced persistent threat actors managed to backdoor xz-utils and almost gained system RCE on every Debian Linux system.

    The XZ Linux Backdoor Is Incredibly BAD!!
    https://www.youtube.com/watch?v=OHAyf0qwdCs

    Reply
  12. Tomi Engdahl says:

    Jason Koebler / 404 Media:
    Developers say open-source software culture, where users demand constant updates from volunteer coders, is a security issue, as shown by the XZ Utils backdoor

    Bullying in Open Source Software Is a Massive Security Vulnerability
    https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/

    The Xz backdoor and a near miss on the F-Droid app store show how the entitled attitude of some people in the open source community can be used to push malicious or insecure code.

    A previously unknown contributor to the popular open-source Android app store F-Droid repeatedly pressured its developers to push a code update that would have introduced a new vulnerability to the software, in what one of the developers described on Mastodon as a “similar kind of attempt as the Xz backdoor.”

    As the fallout of the Xz backdoor continues to rock the open source software community, people woking on open source software are realizing (and reiterating) that a culture in which people often feel entitled to constant updates and additional features from volunteer coders presents a pretty large attack surface.

    In the case of the Xz backdoor, a malicious actor was able to pressure the owner of a widely-used Linux compression utility called Xz Utils into making them a trusted maintainer of the project. They did this in part by arguing that the owner was letting the community of users down because they weren’t pushing new features and updates often enough, in the eyes of this malicious coder.

    Tuesday, Hans-Christoph Steiner, a longtime developer of F-Droid, explained that a very similar situation nearly led F-Droid to push an update that would have introduced a security vulnerability into the product three years ago: “Three years ago, F-Droid had a similar kind of attempt as the Xz backdoor,” he posted on Mastodon. “A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a SQL injection vulnerability. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it’s relevant now.”

    Other open source developers and security experts have pointed to the dynamic of bullying and the general reliance on a small number of volunteer developers. They explained that it’s a problem across much of the open source software ecosystem, and is definitely a problem for the large tech companies and infrastructure who rely on these often volunteer-led projects to build their for-profit software on top of.

    Glyph, the founder of the Twisted python networking engine open source project, said the Xz Utils pressure campaign should “cause an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message.”

    The Xz Backdoor Highlights the Vulnerability of Open Source Software—and Its Strengths
    https://www.404media.co/the-xz-backdoor-highlights-the-vulnerability-of-open-source-software-and-its-strengths/

    The backdoor highlights the politics, governance, and community management of an ecosystem exploited by massive tech companies and largely run by volunteers.

    Friday afternoon, Andres Freund, a software developer at Microsoft, sent an email to a listserv of open source software developers with the subject line “backdoor in upstream xz/liblzma leading to ssh server compromise.” What Freund had stumbled upon was a malicious backdoor in xz Utils, a compression utility used in many major distributions of Linux, that increasingly seems like it was purposefully put there by a trusted maintainer of the open source project. The “xz backdoor” has quickly become one of the most important and most-discussed vulnerabilities in recent memory.

    Ars Technica has a detailed writeup of the technical aspects of the backdoor, which intentionally interfered with SSH encryption, which is a security protocol that allows for secure connections over unsecured networks. The specific technical details are still being debated

    Reply
  13. Tomi Engdahl says:

    Backdoor found in widely used Linux utility targets encrypted SSH connections
    Malicious code planted in xz Utils has been circulating for more than a month.
    https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/?ref=404media.co

    Reply
  14. Tomi Engdahl says:

    Ukrainian cybersecurity official reveals structure of Russian hacker groups
    https://www.ukrinform.net/rubric-ato/3848343-ukrainian-cybersecurity-official-reveals-structure-of-russian-hacker-groups.html?fbclid=IwAR2Q9AgkOr5VmXNGx79sEyIsf0dla2k6ccV-XsOv9ktAFeui8_6VQ12WKkc

    EXCLUSIVE04.04.2024 11:36
    Russian hacker groups are military units with code names that are part of the Main Intelligence Directorate of the General Staff and the Federal Security Service of the Russian Federation.
    Illia Vitiuk, head of the Cybersecurity Department of the Security Service of Ukraine (SBU), said this in an interview with Ukrinform

    Reply
  15. Tomi Engdahl says:

    Ukrainan hakkerit tuhosivat Venäjän suuren datakeskuksen
    ILKKA AHTOKIVI
    JULKAISTU 08.04.2024 | 14:51
    PÄIVITETTY 08.04.2024 | 14:51
    UKRAINAN SOTA
    Lähteiden mukaan yli 10000 Venäjän sotateollisuuteen osallistuvaa tahoa tallensi tietojaan pilvipalveluun.
    https://www.verkkouutiset.fi/a/ukrainan-hakkerit-tuhosivat-venajan-suuren-datakeskuksen/#78f1161d

    Reply
  16. Tomi Engdahl says:

    Google Adds V8 Sandbox to Chrome

    Google fights Chrome V8 engine memory safety bugs with a new sandbox and adds it to the bug bounty program.

    https://www.securityweek.com/google-adds-v8-sandbox-to-chrome/

    Reply
  17. Tomi Engdahl says:

    Microsoft’s Security Chickens Have Come Home to Roost

    News analysis: SecurityWeek editor-at-large Ryan Naraine reads the CSRB report on China’s audacious Microsoft’s Exchange Online hack and isn’t at all surprised by the findings.

    https://www.securityweek.com/microsofts-security-chickens-have-come-home-to-roost/

    Reply
  18. Tomi Engdahl says:

    Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

    Researchers at the Shadowserver Foundation identify thousands of internet-exposed Ivanti VPN appliances likely impacted by a recently disclosed vulnerability leading to remote code execution.

    https://www.securityweek.com/thousands-of-ivanti-vpn-appliances-impacted-by-recent-vulnerability/

    Reply
  19. Tomi Engdahl says:

    Microsoft Plugs Gaping Hole in Azure Kubernetes Service Confidential Containers

    Patch Tuesday: Microsoft warns that unauthenticated hackers can take complete control of Azure Kubernetes clusters.

    https://www.securityweek.com/microsoft-plugs-gaping-hole-in-azure-kubernetes-service-confidential-containers/

    Software giant Microsoft on Tuesday released a massive batch of security patches with cover for at least 150 vulnerabilities and called urgent attention to a gaping hole that lets inauthentic hackers take full control of Azure Kubernetes clusters.

    The vulnerability, tracked as CVE-2024-29990, allows an unauthenticated hacker to steal credentials and affects resources beyond the security scope managed by Azure Kubernetes Service Confidential Containers (AKSCC), Redmond said in an advisory.

    Redmond’s security response team said the Azure Kubernetes Service bug carries a CVSS severity score of 9/10 and could be exploited to take over confidential guests and containers beyond the network stack it might be bound to.

    “An unauthenticated attacker can move the same workload onto a machine they control, where the attacker is root,” Microsoft warned.

    The Azure Kubernetes Service bug headlines a massive patch bundle that includes fixes for a trio of remote code execution bugs in Microsoft Defender for IOT and a critical-severity Windows Secure Boot bypass that’s marked as already exploited.

    Reply
  20. Tomi Engdahl says:

    Karmea moka – Suomalaisten suosiman lentoyhtiön asiakastiedot päätyivät hakkereiden käsiin
    https://www.kauppalehti.fi/uutiset/karmea-moka-suomalaisten-suosiman-lentoyhtion-asiakastiedot-paatyivat-hakkereiden-kasiin/c2608924-a267-4bd5-82b9-597d676f634b?fbclid=IwAR0CPrHOkH-PLspGGSybfGi4lMcoOQ2jtMX1YXwkD4LZdbAH59sfIOhrj3E

    Tietovarkauden kohteeksi joutunut alihankkija piti varkauden omana tietonaan kolmen viikon ajan. Eikä kyseessä edes ollut murto, vaan alihankkijan oma virhe.

    Reply
  21. Tomi Engdahl says:

    Lentoyhtiö Norwegian on joutunut tietovarkauden kohteeksi. Hakkerit saivat saaliikseen noin 16 000 asiakkaan henkilötietoja, mukaan lukien koko nimen, sukupuolen, puhelinnumeron sekä joissakin tapauksissa myös lentotietoja.
    https://www.kauppalehti.fi/uutiset/karmea-moka-suomalaisten-suosiman-lentoyhtion-asiakastiedot-paatyivat-hakkereiden-kasiin/c2608924-a267-4bd5-82b9-597d676f634b?fbclid=IwAR0CPrHOkH-PLspGGSybfGi4lMcoOQ2jtMX1YXwkD4LZdbAH59sfIOhrj3E

    Reply
  22. Tomi Engdahl says:

    https://www.theatlantic.com/technology/archive/2024/04/roku-tv-ads-patent/678041/?fbclid=IwAR14e-UYmZwoqlq4KLTenG7rfFKrZoEoBJN9D5S3Og9XeHWx3tjZ3EoyrVM

    Welcome to the Golden Age of User Hostility
    They don’t make ’em like they used to!

    What happens when a smart TV becomes too smart for its own good? The answer, it seems, is more intrusive advertisements.

    Last week, Janko Roettgers, a technology and entertainment reporter, uncovered a dystopian patent filed last August by Roku, the television- and streaming-device manufacturer whose platform is used by tens of millions of people worldwide. The filing details plans for an “HDMI customized ad insertion,” which would allow TVs made by Roku to monitor video signals through the HDMI port—where users might connect a game console, a Blu-ray player, a cable box, or even another streaming device—and then inject targeted advertisements when content is paused. This would be a drastic extension of Roku’s surveillance potential: The company currently has no ability to see what users might be doing when they switch away from its proprietary streaming platform. This is apparently a problem, in that Roku is missing monetization opportunities!

    Reply
  23. Tomi Engdahl says:

    Although the patent may never come to fruition (a spokesperson for Roku told me that the company had no plans to put HDMI ad insertion into any products at this time), it speaks to a dispiriting recent trend in consumer hardware. Internet-connected products can transform after the point of purchase in ways that can feel intrusive or even hostile to users.

    Reply
  24. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    CISA is investigating a breach at business intelligence company Sisense; sources: the attackers copied several terabytes of customer data, including credentials — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence …

    Why CISA is Warning CISOs About a Breach at Sisense
    https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/

    Reply
  25. Tomi Engdahl says:

    Varo, huijareilla on uusi täky: Pyydettiinkö sinua vahvistamaan sähkö­posti­osoitteesi?

    Verkkorikolliset hyödyntävät kaikille tuttua vahvistusmekanismia.

    https://www.is.fi/digitoday/tietoturva/art-2000010350760.html

    Suomalaisia huijataan parhaillaan uuden koukun sisältävällä huijausviestillä. Digi- ja väestötietovirasto (DVV) varoittaa sen ylläpitämän Suomi.fi-palvelun nimissä lähetettävistä huijauksista.

    Liikkeellä on parhaillaan useita Suomi.fin nimissä olevia viestejä. Uusimmissa huijauksissa pyydetään vahvistamaan sähköpostiosoite. Tämä jäljittelee aitoa vahvistusviestiä, jonka saa Suomi.fi-viestien tilauksen yhteydessä. Huijauksessa vedotaan kiireellisyyteen, jota ei aidossa viestissä ole.

    Kaikkia viestejä yhdistää se, että niillä yritetään saada uhri klikkaamaan viestissä olevaa linkkiä ja luovuttamaan pankkitunnuksensa rikollisille.

    Huijausviestejä voi tulla sekä tekstiviestinä että sähköpostina.

    Suomi.fi-huijauksilta on helppo suojautua. Ensimmäinen keino on käyttää Suomi.fi-mobiilisovellusta verkkosivujen sijaan. Voit päivittää tietosi ja lukea viestisi turvallisesti sovelluksella.

    Toinen tehokas suojautumistapa on käyttää tunnistautumiseen mobiilivarmennetta pankkitunnusten sijaan viranomaisten sivuilla. Kun et käytä tunnistautumiseen pankkitunnuksia, verkkorikolliset eivät pääse käsiksi verkkopankkitunnuksiisi.

    Reply
  26. Tomi Engdahl says:

    Mikko Hyppöseltä kylmäävät terveiset: ”Tätä emme ole vielä nähneet, mutta pian näemme”
    https://www.is.fi/digitoday/tietoturva/art-2000010344740.html

    Mikko Hyppönen listasi merkittävimmät tekoälyn lähitulevaisuudessa tuomat uhat. Samalla hän kertoo muuttaneensa mielensä tärkeässä avoimuuskysymyksessä.

    Tietoturvaguru ja tietoturvayhtiö WithSecuren tutkimusjohtaja Mikko Hyppönen on kertonut, millaisia uhkia tekoälyn nopea yleistyminen tuo tullessaan. Englantilaisessa University College London -yliopistossa luennoidessaan Hyppönen pohti käsillä olevaan tekniseen vallankumoukseen liittyviä vaaroja.

    Hyppönen mainitsi suurimmiksi tekoälyn aiheuttamiksi tietoturvauhiksi deepfaket eli syväväärennökset, sarjahuijaukset eli deepscamit, itse itseään kehittävät haittaohjelmat sekä tietoturva-aukkoja etsivän tekoälyn.

    Hyppönen kansantajuisti aluksi tekoälyn hyvin kouriintuntuvalla tavalla: kyse on tekniikasta, joka ”tietää” asioita siten, että se osaa laittaa sanoja peräkkäin perustuen siihen, miten ne yleensä kielessä asettuvat.

    AI-enabled Crime
    https://www.youtube.com/watch?v=Wc1yCYgwjfg

    Reply
  27. Tomi Engdahl says:

    Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib
    BatBadBut hits Erlang, Go, Python, Ruby as well
    https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/

    Programmers are being urged to update their Rust versions after the security experts working on the language addressed a critical vulnerability that could lead to malicious command injections on Windows machines.

    The vulnerability, which carries a perfect 10-out-of-10 CVSS severity score, is tracked as CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library’s Command API – specifically, std::process::Command.

    “An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping,” said Pietro Albini of the Rust Security Response Working Group, who wrote the advisory.

    https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html

    Reply
  28. Tomi Engdahl says:

    Roku says 576,000 accounts breached in cyberattack
    https://edition.cnn.com/2024/04/12/business/roku-security-breach-user-accounts/index.html?fbclid=IwAR2stJVaa0Iqdxi1Ja53aJnpf8_vSEjIGPrKZBVPoMYNXrrdbALDnlNdd_4

    About 576,000 Roku accounts were compromised in a cyberattack, the company said on Friday, the second security breach for the streaming service this year.

    Hackers gained access to user accounts through stolen login credentials, Roku said in a blog post. The security breach was discovered while Roku monitored account activity after a cyberattack affected 15,000 accounts earlier this year.

    https://www.roku.com/blog/protecting-your-roku-account

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*