This posting is here to collect cyber security news in April 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in April 2024.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
135 Comments
Tomi Engdahl says:
Microsoft Quick Assist Tool Abused for Ransomware Delivery
The Black Basta group abuses remote connection tool Quick Assist in vishing attacks leading to ransomware deployment.
https://www.securityweek.com/microsoft-quick-assist-tool-abused-for-ransomware-delivery/
Tomi Engdahl says:
The Fall of the National Vulnerability Database
Since its inception, three key factors have affected the NVD’s ability to classify security concerns — and what we’re experiencing now is the result.
https://www.darkreading.com/vulnerabilities-threats/fall-of-national-vulnerability-database
Tomi Engdahl says:
New WiFi Vulnerability: The SSID Confusion Attack
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to a untrusted network.
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
Tomi Engdahl says:
Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.
Joseph Cox
JOSEPH COX
·
MAY 16, 2024 AT 9:01 AM
A CISA official breaks with the government narrative and tells the FCC that SS7 and similar networks and protocols have been used to track people in the U.S. in recent years.
https://www.404media.co/email/79f7367c-bd3c-4bff-ac9f-85c738d08bec/
Tomi Engdahl says:
Here’s how to protect against ‘GoldPickaxe’, the first iPhone trojan [U]
https://9to5mac.com/2024/05/14/protect-against-iphone-trojan-goldpickaxe/
Tomi Engdahl says:
HUPS – Tiedot vuotivat nettiin
Viime aikoina olemme saaneet lukea Helsingin kaupungin tietomurrosta. Helsingin Sanomissa WithSecuren tutkimusjohtaja Mikko Hyppönen arveli, että Helsingin kaupunki olisi valikoitunut sattumalta uhriksi. Harvoin olen eri mieltä Hyppösen kanssa, mutta nyt epäilen, että sattumalla oli pienempi merkitys kuin voisi olettaa. Oma oletukseni on, että Helsingin kaupunki valikoitui uhriksi automaattisen haavoittuvuusskannauksen avulla eli tekijä on tietoisesti etsinyt tiettyä haavoittuvuutta verkosta ja löytänyt sen Helsingin kaupungin palvelimelta.
https://spear.fi/hups-tiedot-vuotivat-nettiin
Tomi Engdahl says:
White hat hackers put their skills to the test at Hack the Networks event in Otaniemi
Published: 13.5.2024
Aalto University is providing a unique 5G test network for the event and is co-hosting one of the challenges
https://www.aalto.fi/en/news/white-hat-hackers-put-their-skills-to-the-test-at-hack-the-networks-event-in-otaniemi
Tomi Engdahl says:
Norway recommends replacing SSL VPN to prevent breaches
https://www.bleepingcomputer.com/news/security/norway-recommends-replacing-ssl-vpn-to-prevent-breaches/
The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with alternatives due to the repeated exploitation of related vulnerabilities in edge network devices to breach corporate networks.
The organization recommends that the transition be completed by 2025, while organizations subject to the ‘Safety Act’ or those in critical infrastructure should adopt safer alternatives by the end of 2024.
NCSC’s official recommendation for users of Secure Socket Layer Virtual Private Network (SSL VPN/WebVPN) products is to switch to Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).
SSL VPN and WebVPN provide secure remote access to a network over the internet using SSL/TLS protocols, securing the connection between the user’s device and the VPN server using an “encryption tunnel.”
IPsec with IKEv2 secures communications by encrypting and authenticating each packet using a set of periodically refreshed ke
“The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing solutions for secure remote access that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2),” reads the NCSC announcement.
Tomi Engdahl says:
WI-FI “DOWNGRADE ATTACK” — Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and eavesdrop on their network traffic.
The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on WEP, WPA3, 802.11X/EAP, and AMPE protocols.
The method “involves downgrading victims to a less secure network by spoofing a trusted network name (SSID) so they can intercept their traffic or carry out further attacks,”
Tomi Engdahl says:
That’ll ruin your day… But it really shouldn’t… There will always be a rce in something critical, be ready for it…
#2600net #irc #secnews #rce #cybersecurity #vulnerabilitymanagement
Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002)
New versions of Git are out, with fixes for five vulnerabilities, the most critical (CVE-2024-32002) of which can be used by attackers to remotely execute code during a “clone” operation.
https://www.helpnetsecurity.com/2024/05/16/git-cve-2024-32002/?fbclid=IwZXh0bgNhZW0CMTEAAR1rgZMcA5LBKM_zC2nhjtjsKYO-e6MHtaNbrF8ENuS-2UNHQNhLBjiUmAc_aem_AU-lz9XLaIQ3q6wDyXi_v750vjTpOQqp5LXNL8v3tVDUDiCHsU2vclo1YMJS71w4YN7HD4BU9oy86wbPpWc__GdC
Tomi Engdahl says:
Organizations need to detect and remove intruders quickly to prevent data loss and minimize the impact of lateral movement attacks.
Learn more from Specops Software on blocking lateral movement in networks.
#cybersecurity #breach #cyberattack
https://www.bleepingcomputer.com/news/security/protect-against-lateral-movement-attacks-by-securing-credentials/
Tomi Engdahl says:
https://www.helpnetsecurity.com/2024/05/16/git-cve-2024-32002/
Tomi Engdahl says:
Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
A number of serious Windows bugs still haven’t made their way into criminal circles, but that won’t remain the case forever — and time is running short before ZDI releases exploit details.
https://www.darkreading.com/vulnerabilities-threats/microsoft-has-yet-to-patch-7-pwn2own-zero-days
Tomi Engdahl says:
“Unprecedented” Google Cloud event wipes out customer account and its backups
UniSuper, a $135 billion pension account, details its cloud compute nightmare.
https://arstechnica.com/gadgets/2024/05/google-cloud-accidentally-nukes-customer-account-causes-two-weeks-of-downtime/
Buried under the news from Google I/O this week is one of Google Cloud’s biggest blunders ever: Google’s Amazon Web Services competitor accidentally deleted a giant customer account for no reason. UniSuper, an Australian pension fund that manages $135 billion worth of funds and has 647,000 members, had its entire account wiped out at Google Cloud, including all its backups that were stored on the service. UniSuper thankfully had some backups with a different provider and was able to recover its data, but according to UniSuper’s incident log, downtime started May 2, and a full restoration of services didn’t happen until May 15.
UniSuper’s website is now full of must-read admin nightmare fuel about how this all happened. First is a wild page posted on May 8 titled “A joint statement from UniSuper CEO Peter Chun, and Google Cloud CEO, Thomas Kurian.” This statement reads, “Google Cloud CEO, Thomas Kurian has confirmed that the disruption arose from an unprecedented sequence of events whereby an inadvertent misconfiguration during provisioning of UniSuper’s Private Cloud services ultimately resulted in the deletion of UniSuper’s Private Cloud subscription. This is an isolated, ‘one-of-a-kind occurrence’ that has never before occurred with any of Google Cloud’s clients globally. This should not have happened. Google Cloud has identified the events that led to this disruption and taken measures to ensure this does not happen again.”
Tomi Engdahl says:
https://www.unisuper.com.au/about-us/media-centre/2024/a-joint-statement-from-unisuper-and-google-cloud
Tomi Engdahl says:
PingRAT secretly passes C2 traffic through firewalls using ICMP payloads https://github.com/umutcamliyurt/PingRAT
Tomi Engdahl says:
https://www.xda-developers.com/connected-windows-xp-internet-didnt-survive-long/
Tomi Engdahl says:
https://www.techradar.com/vpn/vpns-arent-broken-tunnelvision-is-being-blown-out-of-the-water
Tomi Engdahl says:
Quantum internet inches closer: Qubits sent 22 miles via fiber optic cable
Three research labs in three different countries have found different ways to make the quantum internet possible.
https://interestingengineering.com/science/quantum-internet-closer-reality
Tomi Engdahl says:
Researchers find LLMs are easy to manipulate into giving harmful information
https://techxplore.com/news/2024-05-llms-easy.html#google_vignette
Tomi Engdahl says:
Hakkerit iskivät lottoon – saalis kattaa yli 500 000 pelaajaa
17.5.202419:05
Iskusta vastuun ottaneet väittivät aiemmin vieneensä vieläkin suuremman tietosaaliin.
https://www.mikrobitti.fi/uutiset/hakkerit-iskivat-lottoon-saalis-kattaa-yli-500-000-pelaajaa/ce1e7ab3-b331-4dd1-b3d7-dc3856fea0d4
Tomi Engdahl says:
https://www.macrumors.com/2024/05/17/ios-17-5-bug-wiped-devices-photos-resurfacing/?fbclid=IwZXh0bgNhZW0CMTEAAR3br0EApEZeJ7WwP7tN2OymVLqZWJMtYgo3vcIa4ZbuM0aDn2L78hWNkrQ_aem_AXwo5jfCcOTCzG6ZiY3sjZ3Jm-4peN3aHrsBUDJrlk7irFrKr9gTpT2B2yLzH1MqyjfQEWLnAhmPC9Ik9FZEqX_D
Tomi Engdahl says:
In most cases the security risk is not an ssl vpn(ike phases, ciphers, anti-bruteforce (multidecade running slow brutes on tcp:500 are a thing at least since 2010, and they just started to pay out in this decade, in case u havent noticed) or user lockout policies, how they are balanced and hosted in the infra, if they are properly observed through logging, etc), the security risk is the illiterate administrator who completely misconfigures it.
Saying “they are insecure” and just calling it a day and give them more simple “clementoni toys”, is more of a foolish attempt to legitimize the actions of untrained people, than a real critical and minded approach to anything.
That being said, openvpn is good for a certain scenario, wireguard is the best thing we had in the tunneling word since the invention of the double phases with different cyphers, and they both work fantastically each in their own scenario… which is not – often – even the same where you use a two phases ssl-vpn… (or a whatever/ipsec tunnel, for that matter..)
Also, vpn cascading (with different tunnels and different types of tunnels) is another $var to consider nowadays.
Tomi Engdahl says:
Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.
https://www.404media.co/email/79f7367c-bd3c-4bff-ac9f-85c738d08bec/?ref=daily-stories-newsletter&attribution_id=6644e12b7b000200015d638e&attribution_type=post
Tomi Engdahl says:
Yhdysvalloissa Ohion osavaltiossa lottoa pelanneille saattaa olla tiedossa kovat ajat tietomurron vuoksi. Ohio Lottery julkisti tällä viikolla tiedot, joiden mukaan tietomurrossa on vuotanut yhteensä 538 959 henkilön nimi ja sosiaaliturvatunnus.
Tietomurto tapahtui The Registerin mukaan jo 24. joulukuuta, mutta sen selvittäminen kesti huhtikuun alkuun saakka.
https://www.mikrobitti.fi/uutiset/hakkerit-iskivat-lottoon-saalis-kattaa-yli-500-000-pelaajaa/ce1e7ab3-b331-4dd1-b3d7-dc3856fea0d4
Tomi Engdahl says:
https://www.securityweek.com/user-outcry-as-slack-scrapes-customer-data-for-ai-model-training/
Tomi Engdahl says:
Artificial Intelligence
A Former OpenAI Leader Says Safety Has ‘Taken a Backseat to Shiny Products’ at the AI Company
Jan Leike, who ran OpenAI’s “Super Alignment” team, believes there should be more focus on preparing for the next generation of AI models, including on things like safety.
https://www.securityweek.com/a-former-openai-leader-says-safety-has-taken-a-backseat-to-shiny-products-at-the-ai-company/
Tomi Engdahl says:
In Other News: MediSecure Hack, Scattered Spider Targeted by FBI, New Wi-Fi Attack
Noteworthy stories that might have slipped under the radar: FBI is targeting Scattered Spider, Australia’s MediSecure hacked, new Wi-Fi attack.
https://www.securityweek.com/in-other-news-medisecure-hack-scattered-spider-targeted-by-fbi-new-wi-fi-attack/
New Wi-Fi vulnerability allows SSID confusion attack
Researchers have found that all Wi-Fi clients and all operating systems are affected by a new vulnerability, tracked as CVE-2023-52424, that can be exploited to launch SSID confusion attacks against enterprise, mesh and home networks. An attacker can use the method to trick users into connecting to a network with a spoofed network name (SSID), leaving them vulnerable to traffic interception and manipulation.
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
This vulnerability exploits a design flaw in the WiFi standard, allowing attackers to trick WiFi clients on any operating system into connecting to a untrusted network.
Tomi Engdahl says:
CISA Warns of Exploited Vulnerabilities in EOL D-Link Products
CISA has added two vulnerabilities in discontinued D-Link products to its KEV catalog, including a decade-old flaw.
https://www.securityweek.com/cisa-warns-of-exploited-vulnerabilities-in-eol-d-link-products/
Tomi Engdahl says:
Application Security
Critical Flaw in AI Python Package Can Lead to System and Data Compromise
A critical vulnerability tracked as CVE-2024-34359 and dubbed Llama Drama can allow hackers to target AI product developers
https://www.securityweek.com/critical-flaw-in-ai-python-package-can-lead-to-system-and-data-compromise/
A critical vulnerability discovered recently in a Python package used by AI application developers can allow arbitrary code execution, putting systems and data at risk.
The issue, discovered by researcher Patrick Peng (aka retr0reg), is tracked as CVE-2024-34359 and it has been dubbed Llama Drama. Cybersecurity firm Checkmarx on Thursday published a blog post describing the vulnerability and its impact.
CVE-2024-34359 is related to the Jinja2 template rendering Python tool, which is mainly used for generating HTML, and the llama_cpp_python package, which is used for integrating AI models with Python.
Llama_cpp_python uses Jinja2 for processing model metadata, but failed to use certain safeguards, enabling template injection attacks.
“The core issue arises from processing template data without proper security measures such as sandboxing, which Jinja2 supports but was not implemented in this instance,” Checkmarx explained.
According to the security firm, the vulnerability can be exploited for arbitrary code execution on systems that use the affected Python package. The company found that more than 6,000 AI models on the Hugging Face AI community that use llama_cpp_python and Jinja2 are impacted.
Tomi Engdahl says:
Hack the Networks 2024: Valkokaulushakkerit 5G-verkkojen kimpussa
https://www.uusiteknologia.fi/2024/05/18/hack-the-networks-2024-valkokaulushakkerit-5g-verkkojen-kimpussa/
Liikenne- ja viestintävirasto Traficom järjestää tänä viikonloppuna Espoon Otaniemessä yhdessä Huoltovarmuuskeskuksen kanssa kaksipäiväisen 5G:n kyberturvallisuuteen pureutuvan hakkeritapahtuman. Mukana ovat myös Aalto-yliopisto, Nokia, Ericsson sekä Digita, Fortum ja PwC.
Kolmannen kerran järjestetty tilaisuus kerää Espoon Dipoliin kahdeksi päiväksi lähes 70 eettistä valkokaulushakkeria ja tietoturvaosaajaa. Edellinen 5G:n kybertuvallisuuteen keskittyvä hakkeritapahtuma järjestettiin koronan takia virtuaalisesti vuonna 2021 ja ensimmäinen 2019 Oulussa.
Eilen Espoossa alkaneessa hackathonissa valkokaulushakkerit työskentelevät yrityskumppanien tarjoamien haasteiden parissa kellon ympäri Dipolin tiloissa. Varsin tiiviillä yhteistyöllä yritysten ja yhteisöjen asiantuntijoiden avulla halutaan löytää käytössä olevista 5G-verkon ratkaisuista haavoittuvuuksia niin teknologiasta, laitteista ja järjestelmistä.
”Tämän kaltaiset tapahtumat ovat ainutlaatuisia tilaisuuksia tunnistaa teknologian ja laitteiden haavoittuvuuksia, syventää yhteistyötä eri toimijoiden kanssa ja edistää Suomen kyberturvallisuusosaamista todellisissa ympäristöissä turvallisesti”, sanoo Traficomin pääjohtaja Jarkko Saarimäki.
Tomi Engdahl says:
[Scott Manley] Explains GPS Jamming
https://hackaday.com/2024/05/19/scott-manley-explains-gps-jamming/
We always think of [Scott Manley] as someone who knows a lot about rockets. So, if you think about it, it isn’t surprising he’s talking about GPS — after all, the system uses satellites. GPS is used in everything these days, and other forms of navigation are starting to fall by the wayside. However, the problem is that the system is vulnerable to jamming and spoofing. This is especially important if you fear GPS allowing missiles or drones to strike precise targets. But there are also plenty of opportunities for malicious acts. For example, drone light shows may be subject to GPS attacks from rival companies, and you can easily imagine worse. [Scott] talks about the issues around GPS spoofing in the video,
Since GPS satellites are distant, blocking the signal is almost too easy, sometimes happening inadvertently. GPS has technology to operate in the face of noise and interference, but there’s no way to prevent it entirely. Spoofing — where you produce false GPS coordinates — is much more difficult.
GPS Jamming & Spoofing – How Does It Work, And Who’s Doing It?
https://www.youtube.com/watch?v=sAjWJbZOq6I
Tomi Engdahl says:
This Week In Security: The Time Kernel.org Was Backdoored And Other Stories
https://hackaday.com/2024/05/17/this-week-in-security-the-time-kernel-org-was-backdoored-and-other-stories/
Tomi Engdahl says:
Karu GPS-häirintätilasto julki
Ilma-aluksiin liittyvistä GPS-häiriöistä tehtyjen ilmoitusten määrä on kasvanut alkuvuonna huomattavasti.
https://www.iltalehti.fi/kotimaa/a/2fbf9a94-1763-4c7b-b7d9-29845b3d04f2
GPS-häiriöistä viranomaisille ilmoittavat lennonjohdot ja suomalaiset lentoyhtiöt. Niitä aiheuttavaa häirintää on pidetty jo uhkana lentoliikenteelle, vaikka lentokoneet pystyvät suunnistamaan myös ilman GPS-järjestelmää.
GPS-häiriöistä on tehty Suomessa alkuvuodesta noin 1 200 ilmoitusta. Viime vuonna ilmoituksia oli koko vuoden aikana noin 240 kappaletta.
Traficomin mukaan GPS-häirinnän lähteet ovat kuitenkin Suomen rajojen ulkopuolella, eikä sitä tehdä Suomesta käsin.
Viranomaisille on ilmoitettu myös muutamasta maan pinnalla havaitusta GPS-häiriöstä. Pääasiassa GPS-häirintää havaitaan ilmaliikenteessä. Traficom ja poliisi havaitsevat kuitenkin ajoittain myös autoissa käytettäviä laittomia radiolähettimiä.
Ilma-aluksista on tehty alkuvuonna Traficomille jo noin 1200 ilmoitusta GPS-häiriöistä Suomessa. Määrä on muuttunut huomattavasti, sillä koko viime vuonna ilmoituksia häiriöistä tehtiin 239 kappaletta ja toissa vuonna vain 65 kappaletta.
Liikenne- ja viestintävirasto Traficom julkisti viime viikon lopulla uudet GPS-häiriöitä koskevat luvut. Niiden perusteella myös Suomen ulkopuolelta tulleet suomalaisten toimijoiden ilmoitukset kasvoivat viime vuonna merkittävästi ja sama suuntaus on jatkunut. Huhtikuun loppuun mennessä Traficomille oli ilmoitettu noin 2 100 kertaa GPS-häiriöistä ulkomailla. Viime vuonna ilmoituksia tuli kaikkiaan 7 370.
Traficomin mukaan häiriöistä ulkomailla on tullut runsaasti ilmoituksia Suomenlahden, Kaliningradin ja Mustanmeren alueilta. Ilmoituksia tekevät suomalaiset lentoyhtiöt ja kotimaan lennonjohdot.
Iltalehti tiedusteli Traficomilta tehdäänkö GPS-häiriöitä aiheuttavaa häirintää myös Suomesta käsin, vai onko rajan takaa tulleen häirinnän voimakkuus kasvanut nyt merkittävästi.
Traficomin mukaan ilmaliikenteessä havaitut häiriöt eivät kuitenkaan ole lähtöisin Suomesta, vaan niiden alkuperä on valtakunnanrajojen ulkopuolella.
– Tilastoissa kuvatut ilmailun häiriöhavainnot on tehty Suomen alueella. Ilmassa häiriö voi ilmetä kaukanakin häiriölähteestä, Traficomin digitaalisten yhteyksien päällikkö Suvi Juurakko-Lehikoinen kertoo sähköpostivastauksessaan.
Finnairilta kova päätös: ”Olemme pahoillamme”
Finnair peruu lentojaan Viron Tarttoon GPS-häirinnän vuoksi.
https://www.iltalehti.fi/kotimaa/a/f1421103-6af5-406a-ac47-baad39aa8d4e
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/arrl-cyberattack-takes-logbook-of-the-world-offline/