
HM Surf Bug in macOS Raises Data Privacy Concerns



Several vulnerabilities in the Safari web browser for macOS may have left users open to being spied on, having their data stolen, and being infected with other malware. Specifically, the weakness arises from the special permissions Apple grants to its own proprietary apps, in this case the browser, combined with the ease with which an attacker can obtain an app's important configuration files.

Ultimately, it allows an attacker to circumvent the Transparency, Consent, and Control (TCC) security layer on MacBooks that is designed to safeguard sensitive data. CVE-2024-44133 has been rated a "medium" severity vulnerability under the Common Vulnerability Scoring System (CVSS), with a score of 5.5. According to the CVE-2024-44133 vulnerability report, attackers can defeat the user data protections implemented by the operating system by bypassing TCC.

The vulnerability, CVE-2024-44133, was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later). Note that this vulnerability only affects devices managed by Mobile Device Management (MDM), not other devices. MDM-managed devices are typically subject to policies and procedures set by an organization's IT department, which centrally manages and maintains them.


Microsoft has named the flaw "HM Surf." By exploiting this vulnerability, an attacker could bypass macOS' Transparency, Consent, and Control (TCC) protections and gain unauthorized access to a user's protected data. Users may have seen Safari's TCC in action when a website they are browsing requests access to the camera or microphone. Apple noted in mid-September that the bug had been fixed in macOS Sequoia 15 by removing the vulnerable code. However, the bug does not seem to affect MDM-managed devices. As stated in the blog post, the Sequoia 15 fix only protects Apple's own Safari web browser.

It was also pointed out that browsers like Google Chrome and Mozilla Firefox do not have the same private entitlements as Apple's applications, so they cannot bypass TCC checks the way Apple's apps can. Once TCC checks have been approved, it is up to the app to maintain its access to the privacy database for as long as the user's approval stands. The vulnerability can be exploited by removing the TCC protection from the Safari browser directory and editing a configuration file in that directory. Microsoft's write-up states that this gives access to the user's data, such as browsed pages, the camera, microphone, and the device's location, without the user's knowledge.

macOS users are strongly encouraged to apply these security updates as soon as possible so that their systems are protected. Using its behavior monitoring capabilities, Microsoft Defender for Endpoint has detected activity associated with Adload, one of the most prevalent macOS threat families, which may be exploiting this vulnerability in some way. In addition to detecting and blocking exploitation of CVE-2024-44133, Microsoft Defender for Endpoint also detects and blocks anomalous modifications of the Preferences file, whether through HM Surf or other mechanisms that potentially exploit the vulnerability.

According to Microsoft, its researchers first learned how to bypass TCC when they discovered the powerdir vulnerability. TCC, as its name implies, is the technology that prevents installed apps from accessing users' personal information, including location services, the camera and microphone, download directories, and more, without the user's knowledge or consent.

In the world of mobile applications, the only legitimate way for an app to gain access to these services is for the user to approve a popup in its user interface, or to grant per-app access via the operating system's settings. This vulnerability, known as HM-Surf, may allow attackers to bypass key security features on macOS systems, giving them a chance to access sensitive data through malicious code. Unauthorized users exploiting the flaw could also subvert macOS' own security functions, such as the sandboxing mechanisms and restrictions on file access.

The HM-Surf exploit allows attackers to gain elevated privileges, giving them access to sensitive data and files that would otherwise require a login and password. Initial warnings about this vulnerability were raised because it played a role in adware campaigns, where malicious actors used the loophole to install unwanted software on users' devices for profit. Adware, however, is only the beginning of the danger. If the same vulnerability were weaponized, it could be used for more serious attacks, such as data exfiltration, surveillance, or as a gateway to further malware infiltration. HM-Surf's ability to bypass Apple's robust security architecture is one of the flaw's most troubling aspects.

macOS is widely regarded as a secure platform, but the recent discovery of the HM-Surf vulnerability shows that even advanced systems are not immune to evolving cyber threats. This finding serves as a crucial reminder for users and organizations to prioritize cybersecurity and adopt proactive measures to protect their digital environments. Microsoft's cybersecurity team uncovered HM-Surf, an exploit posing a serious risk to macOS. Their investigation revealed a program altering Google Chrome settings to grant unauthorized microphone and camera access while collecting user and device data.

These actions suggested preparations for a second-stage payload that could further compromise the device. The culprit was identified as the well-known macOS adware "AdLoad." This malware hijacks browser traffic, inundates users with ads, harvests data, and transforms infected devices into botnet nodes for further malicious activity. Although Microsoft's findings aligned with HM-Surf techniques, the researchers could not conclusively link AdLoad to actively exploiting the vulnerability. 

Nevertheless, they warned that "attackers using a similar method to deploy a prevalent threat" underscored the need for enhanced protection. The HM-Surf vulnerability illustrates the risks associated with macOS, highlighting that no operating system is invulnerable to sophisticated attacks. Exploiting such weaknesses could lead to severe consequences, including financial losses, reputational damage, and the exposure of sensitive data. The evolving nature of these threats suggests that attackers are continuously refining their methods to bypass security measures.

To address these challenges, organizations must adopt a multi-layered approach to cybersecurity. This includes regular system updates, comprehensive monitoring, and user education on safe practices. Deploying advanced threat detection and real-time monitoring can help detect and mitigate attacks before they cause significant harm. Regular security assessments can also identify and address potential vulnerabilities. In summary, the emergence of the HM-Surf vulnerability is a stark reminder of the dynamic landscape of cybersecurity threats. For macOS users and businesses, this discovery emphasizes the need to act swiftly in strengthening defenses and protecting digital assets against evolving risks.

Cyberattacks on Critical Infrastructure: A Growing Threat to Global Security


During World War II, the U.S. Army Air Forces launched two attacks on ball bearing factories in Schweinfurt, aiming to disrupt Germany’s ability to produce machinery for war. The belief was that halting production would significantly affect Germany’s capacity to manufacture various war machines.

This approach has a modern parallel in the cybersecurity world. A cyberattack on a single industry can ripple across multiple sectors. For instance, the Colonial Pipeline attack affected American Airlines operations at Charlotte Douglas Airport. Similarly, the Russian NotPetya attack against Ukraine spilled onto the internet, impacting supply chains globally.

At the 2023 S4 Conference, Josh Corman discussed the potential for cascading failures due to cyberattacks. The creation of the Cybersecurity and Infrastructure Security Agency’s National Critical Functions was driven by the need to coordinate cybersecurity efforts across various critical sectors. Corman highlighted how the healthcare sector depends on several infrastructure sectors, such as water, energy, and transportation, to provide patient care.

The question arises: what if a cyber incident affected multiple segments of the economy at once? The consequences could be devastating.

What makes this more concerning is that it's not a new issue. The SQL Slammer virus, which appeared over two decades ago, compromised an estimated one in every 1,000 computers globally. Unlike the recent CrowdStrike bug, Slammer was an intentional exploit that remained unpatched for over six months. Despite differences between the events, both show that software vulnerabilities can be exploited, regardless of intent.

Digital technology now underpins everything from cars to medical devices. However, as technology becomes more integrated into daily life, it brings new risks. Research from Claroty’s Team82 reveals that insecure code and misconfigurations exist in software that controls physical systems, posing potential threats to national security, public safety, and economic stability.

Although the CrowdStrike incident was disruptive, businesses and governments must reflect on the event to prevent larger, more severe cyber incidents in the future.

Cyber-Physical Systems: A Shifting Threat Landscape

Nearly every facility, from water treatment plants to hospitals, relies on digital systems known as cyber-physical systems (CPS) to function. These systems manage critical tasks, but they also introduce vulnerabilities. Today, billions of tiny computers are embedded in systems across all industries, offering great benefits but also exposing the soft underbelly of society to cyber threats.

The Stuxnet malware attack in 2014, which disrupted Iran's nuclear program, was the first major cyber assault on CPS. Since then, there have been several incidents, including the 2016 Russian Industroyer malware attack that disrupted part of Ukraine’s power grid, and the 2020 Iranian attempt to attack Israeli water utilities. Most recently, Chinese hackers have targeted U.S. critical infrastructure.

These incidents highlight how cybercriminals and nation states exploit vulnerabilities in critical infrastructure to understand weaknesses and the potential impact on security. China, for example, has expanded its objectives from espionage to compromising U.S. infrastructure to weaken its defense capabilities in case of a conflict.

The CrowdStrike Bug and Broader Implications

The CrowdStrike bug wasn’t a malicious attack but rather a mistake tied to a gap in quality assurance. Still, the incident serves as a reminder that our dependence on digital systems has grown significantly. Failures in cyber-physical systems—whether in oil pipelines, manufacturing plants, or hospitals—can have dangerous physical consequences.

Although attacks on CPS are relatively rare, many of these systems still rely on outdated technology, including Windows operating systems, which account for over 25% of vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog. Coupled with long periods of technological obsolescence, these vulnerabilities pose significant risks.

What would happen if a nation-state deliberately targeted CPS in critical infrastructure? The potential consequences could be far worse than the CrowdStrike bug.

Addressing the vulnerabilities in CPS will take time, but there are several steps that can be taken immediately:

  • Operationalize compensating controls: Organizations must inventory assets and implement network segmentation and secure access to protect vulnerable systems.
  • Expand secure-by-design principles: CISA has emphasized the need to focus on secure-by-design in CPS, particularly for medical devices and automation systems.
  • Adopt secure-by-demand programs: Organizations should ask the right questions of software vendors during procurement to ensure higher security standards.

Although CPS drive innovation, they also introduce new risks. A failure in one link of the global supply chain could cascade across industries, disrupting critical services. The CrowdStrike bug wasn’t a malicious attack, but it underscores the fragility of modern infrastructure and the need for vigilance to prevent future incidents.

CISA Identifies Industrial Cybersecurity Bugs in Baxter and Mitsubishi Products



A report published recently by the Cybersecurity and Infrastructure Security Agency (CISA) warned about two new ICS vulnerabilities found in products widely used in healthcare, critical manufacturing, and other sectors susceptible to cybercrime activity. Among the affected products are Baxter's Connex Health Portal, as well as Mitsubishi Electric's MELSEC line of programmable controllers for the home and office. 

In response to the vulnerabilities found in their respective products, both vendors have released updates to plug them and recommended mitigations for customers who wish to reduce risk further. According to CISA's advisory, two vulnerabilities were identified in Baxter's Connex Health Portal (formerly Hillrom and Welch Allyn) that are remotely exploitable and have low attack complexity, which makes them well suited to remote attacks.

CVE-2024-6795 is a SQL injection vulnerability of the highest severity (CVSS score of 10.0) that an unauthenticated attacker could exploit to run arbitrary SQL queries on affected systems. CISA described it as allowing attackers to view, manipulate, and delete sensitive data, in addition to taking other administrator-level actions, including shutting down the database in some cases.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released various advisories regarding industrial control systems (ICS), including one specifically for medical devices as well as two updates. These advisories serve to provide ICS owners with timely information about security threats, vulnerabilities, and exploits. The agency had previously announced that it was issuing advisories across critical infrastructure sectors to warn users and technical administrators about ICS vulnerabilities and offer mitigation strategies.

Hughes Network Systems has identified vulnerabilities in its WL3000 Fusion software equipment. The report also contains updated information on vulnerabilities in Mitsubishi Electric's MELSEC iQ-R, Q, and L Series, the MELSEC iQ-R and iQ-L Series, and the MELIPC Series. The vulnerabilities in the Baxter Connex Health Portal were also identified during CISA's review.

CISA warned in an advisory that Hughes' WL3000 Fusion software, deployed across critical infrastructure sectors, appears to have several vulnerabilities, including insufficiently protected credentials and unencrypted sensitive data. The report states that if these vulnerabilities are exploited successfully, an attacker could gain read-only access to network and terminal configuration information and otherwise gain access to confidential data.

It is important to note that credentials for accessing device configuration information are stored unencrypted in flash memory. With these credentials, it is possible to gain read-only access to information about the network and terminal configuration. This issue has been assigned CVE-2024-39278. Its CVSS v3.1 base score was determined to be 4.2 out of a possible five points, and its CVSS v4 base score was calculated to be 5.1.

CISA's report also revealed that credentials for accessing device configurations are transmitted over an unencrypted, insecure protocol. These credentials allow access only to the data associated with the network and terminal configuration. This vulnerability has been identified as CVE-2024-42495 and has been assigned a severity of critical. Its CVSS v3.1 base score has been determined to be 6.5, and its CVSS v4 base score has been calculated to be 7.1.

When this advisory was published, Hughes Network Systems pointed out that the vulnerabilities had already been corrected and required no user action. In the Baxter Connex Health Portal, there is a risk of unauthenticated remote attackers running arbitrary SQL queries at any time, including accessing, changing, and deleting sensitive data, as well as performing administrative operations on the database such as halting it.

This issue is tracked as CVE-2024-6795, for which a CVSS v3.1 base score of 10.0 has been calculated. CISA's report also indicated that the application does not adequately protect against an improper access control vulnerability. As a result, an unauthorized user could access clinical and sensitive patient information, as well as change or delete information about the clinic.

That vulnerability is identified as CVE-2024-6796 and has been assigned a CVSS v3.1 base score of 8.2, which makes it a high-severity vulnerability. According to the advisory, Baxter is unaware of any exploitation of these vulnerabilities or any compromise of personally identifiable information or health information related to them. The Cybersecurity and Infrastructure Security Agency (CISA) has identified and flagged vulnerabilities in industrial control systems (ICS) used in products from Baxter and Mitsubishi.

These vulnerabilities, which posed potential cybersecurity risks, were promptly addressed by both companies. Following their discovery, Baxter implemented the necessary patches to rectify the issues. As a result, no further action is required from users at this time. In addition to these remedial actions, CISA has issued general recommendations to mitigate future risks. One of the key suggestions is to minimize network exposure for all control system devices and systems, ensuring that they are not directly accessible from the internet. 

CISA further advises that control system networks and remote devices should be placed behind firewalls and segregated from business networks to enhance security. For instances where remote access is necessary, organizations are encouraged to adopt more secure solutions such as Virtual Private Networks (VPNs). However, CISA stresses the importance of maintaining up-to-date versions of VPN software, as vulnerabilities may exist in older versions. 

It is also emphasized that the overall security of the VPN is dependent on the security of the devices it connects to, underscoring the need for comprehensive security measures across all connected devices. By following these defensive measures, organizations can reduce the likelihood of exploitation and enhance the security of their industrial control systems against potential cyber threats.

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks



According to cybersecurity researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that attackers can exploit without authentication to gain administrative privileges on the site. LiteSpeed Cache for WordPress is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make websites more efficient. It supports WordPress Multisite and a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO.

It is also compatible with ClassicPress. The critical vulnerability in LiteSpeed Cache, which comes bundled with WordPress, could allow attackers to take full control of millions of sites once a rogue admin account is created. The plugin is open source and almost universally popular, with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download.

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). This vulnerability earned the highest bounty ever awarded for a WordPress bug: the researcher received USD 14,400 through the Patchstack Zero Day program. Anyone else interested in joining the community can also benefit from the program.

All Patchstack users with protection enabled were automatically protected against this vulnerability, so they are no longer at risk. Patchstack offers a free Community account for scanning for vulnerabilities, and protection can be applied for $5 per site per month by creating a Patchstack account. The plugin's user simulation feature is vulnerable because it uses a weak security hash as part of its security process.

The hash value is generated using an insecure random number generator, and it is stored without being salted or tied to a particular request made by the user. Patchstack's security researchers warn that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the right one and simulate an administrator user.

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress up to and including version 6.3.0.1, and it makes the plugin susceptible to privilege escalation attacks. The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin stems from improper restriction of the role simulation functionality. This flaw allows a user with access to a valid hash, discoverable through debug logs or susceptible to brute-force attacks, to alter their current user ID to that of an administrator.

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 
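To make the weakness class concrete, the following added example (not LiteSpeed Cache's code; the `weak_hash`, `RoleSimulator` and related names are hypothetical, and the secret and user IDs are constructed) contrasts a small-keyspace token drawn from a seeded non-cryptographic PRNG with a token that is unguessable, HMAC-bound to the user it was issued for, and compared in constant time, so a valid token cannot be redirected at an administrator ID.

```python
"""Weak versus hardened role-simulation tokens.

Added example, not the plugin's code: names are hypothetical, the secret
and user IDs are constructed for the demonstration.
"""
import hashlib
import hmac
import math
import random
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def weak_hash(seed: int, length: int = 6) -> str:
    """Token from a non-cryptographic PRNG seeded with a guessable value
    (a timestamp, for instance). The same seed always yields the same
    token, and only 36**length distinct values exist."""
    rng = random.Random(seed)  # deterministic Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a token of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def enumerable(alphabet_size: int, length: int, budget: int = 2**32) -> bool:
    """True when every possible token could be tried within `budget`
    attempts, i.e. the hash must be treated as guessable."""
    return alphabet_size ** length <= budget


class RoleSimulator:
    """Hardened role-simulation tokens.

    - the token comes from the OS CSPRNG (secrets) with 256 bits of entropy;
    - the server records which user each token was issued for and never
      trusts a caller-supplied user ID, so a valid token cannot be pointed
      at an administrator account;
    - storage holds an HMAC of (user_id, token) under a server secret, so the
      raw token never sits in the database or logs, and the comparison runs
      in constant time.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._issued: Dict[str, int] = {}  # HMAC tag -> user_id

    def _tag(self, token: str, user_id: int) -> str:
        msg = f"{user_id}:{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: int) -> str:
        """Issue a simulation token bound to `user_id`."""
        token = secrets.token_urlsafe(32)
        self._issued[self._tag(token, user_id)] = user_id
        return token

    def resolve(self, token: str, claimed_user_id: int) -> Optional[int]:
        """Return the user ID the token was issued for, or None when the
        token is unknown or was issued for a different user than claimed."""
        presented = self._tag(token, claimed_user_id)
        for stored, user_id in self._issued.items():
            if hmac.compare_digest(stored, presented):
                return user_id
        return None


if __name__ == "__main__":
    print(f"weak token space: {keyspace_bits(36, 6):.1f} bits,",
          "enumerable" if enumerable(36, 6) else "not enumerable")
    sim = RoleSimulator(secret=b"constructed-demo-secret")
    tok = sim.issue(user_id=42)
    print("own user:", sim.resolve(tok, 42))      # 42
    print("claimed admin:", sim.resolve(tok, 1))  # None
```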

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.

Email Security Vulnerabilities: Shocking Gaps in Malware Detection


In an era where digital communication dominates, email remains a fundamental tool for personal and professional correspondence. However, recent research by web browser security startup SquareX has exposed alarming vulnerabilities in email security. 

The study, titled “Security Bite: iCloud Mail, Gmail, Others Shockingly Bad at detecting malware, Study Finds,” highlights the shortcomings of popular email service providers in safeguarding users from malicious attachments.

The State of Email Security

1. The Persistent Threat of Malicious Attachments

  • Despite advancements in cybersecurity, email attachments continue to be a prime vector for malware distribution.
  • Malicious attachments can carry viruses, trojans, ransomware, and other harmful payloads.
  • Users often unknowingly open attachments, leading to compromised devices and data breaches.

2. The SquareX Study

Researchers collected 100 malicious document samples, categorized into four groups:

  • Original Malicious Documents from Malware Bazaar
  • Slightly Altered Malicious Documents from Malware Bazaar (with changes in metadata and file formats)
  • Malicious Documents modified using attack tools
  • Basic Macro-enabled Documents that execute programs on user devices

These samples were sent via Proton Mail to addresses on iCloud Mail, Gmail, Outlook, Yahoo! Mail, and AOL.

3. Shockingly Bad Detection Rates

The study’s findings were alarming:

  • iCloud Mail and Gmail failed to deliver any of the malicious samples. Their malware detection mechanisms worked effectively.
  • Outlook, Yahoo! Mail, and AOL delivered the samples, leaving users potentially exposed to threats.

Implications and Recommendations

1. User Awareness and Caution

  • Users must exercise caution when opening email attachments, even from seemingly legitimate sources.
  • Educate users about the risks associated with opening attachments, especially those from unknown senders.

2. Email Providers Must Step Up

  • Email service providers need to prioritize malware detection.
  • Regularly update and enhance their security protocols to prevent malicious attachments from reaching users’ inboxes.
  • Collaborate with cybersecurity experts to stay ahead of evolving threats.

3. Multi-Layered Defense

Implement multi-layered security measures:

  • Attachment Scanning: Providers should scan attachments for malware before delivery.
  • Behavioral Analysis: Monitor user behavior to detect suspicious patterns.
  • User Training: Educate users about phishing and safe email practices.

4. Transparency and Reporting

  • Email providers should transparently report their detection rates and improvements.
  • Users deserve to know how well their chosen service protects them.

What next?

Always think before you click. The SquareX study serves as a wake-up call for email service providers. As the digital landscape evolves, robust email security is non-negotiable. Let’s bridge the gaps, protect users, and ensure that our inboxes remain safe havens rather than gateways for malware.

Hackers Exploit Flaw in Ray Framework to Breach Servers


The Ray framework, a tool for scaling AI and Python workloads in open source, has been found vulnerable to multiple flaws that enable hackers to take control of devices and pilfer sensitive data. Cybersecurity researchers from Oligo disclosed their discoveries about a new hacking campaign named “ShadowRay”.

Operating since early September 2023, ShadowRay targeted various sectors including education, cryptocurrency, and biopharma by exploiting five distinct vulnerabilities in Ray. Four of these vulnerabilities, identified as CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, and CVE-2023-48023, were patched by Anyscale, the developer of Ray. However, the fifth vulnerability, labelled as a critical remote code execution (RCE) flaw and tracked as CVE-2023-48022, remained unaddressed.

Anyscale defended the unpatched vulnerability, stating that it was a deliberate decision rather than a bug, as Ray lacks built-in authentication. They indicated their intention to introduce authentication in a future release as part of a defense-in-depth strategy. Anyscale argued that exploitation of this RCE flaw would only be feasible in deployments deviating from their recommended network environment controls.

In contrast, Oligo criticized Anyscale's stance, highlighting that disputing the CVE left many developers unaware of potential security risks. They termed the unresolved CVE as a "shadow vulnerability", explaining that it could lead to breaches despite not being detected in static scans. 

Oligo observed numerous instances of the CVE-2023-48022 actively exploited in the wild, resulting in compromised Ray servers and the theft of sensitive data, including AI models and production database credentials, along with instances of cryptominer installations.


Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems


A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.

Ivanti US Faces Security Crisis, Threatening Worldwide Systems


In a recent development, a critical server-side request forgery (SSRF) vulnerability has been discovered in Ivanti Connect Secure and Ivanti Policy Secure servers, marked as CVE-2024-21893. Security experts have confirmed that this vulnerability is being actively exploited by multiple attackers, raising concerns over the security of affected systems worldwide. 

Let's Understand SSRF and Its Impact 

SSRF vulnerabilities allow attackers to send crafted requests from the vulnerable server, potentially leading to unauthorized access to internal resources, sensitive data exposure, or even full system compromise. Imagine you have a key to open doors in a building. Now, imagine someone tricks you into using that key to open doors you are not supposed to. That is what happens in an SSRF attack. 

Normally, a website can only talk to the outside world through your web browser. But in an SSRF attack, the bad guys make the website talk to other places it is not supposed to, like secret internal parts of a company's network or even random outside websites. This can lead to big problems. 

For example, if the website connects to a secret part of a company's network, the bad guys might steal important information. Or if it connects to a random website, it might give away sensitive data, like your passwords or credit card numbers. 
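The door-key analogy above maps onto a very concrete coding mistake: the server fetches whatever URL it is handed. The example below is an added illustration, not Ivanti's code and not from the article; the function names (naive_fetch_target, check_outbound_url), the FAKE_DNS table and the sample hostnames are constructed assumptions so the check runs offline. It contrasts the vulnerable pattern with a defensive check that resolves the hostname and refuses any address in loopback, private, link-local (the range used by cloud metadata services) or other internal ranges.

```python
"""Outbound-URL validation as an SSRF mitigation (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline. A real deployment would
# call socket.getaddrinfo and still check *every* returned address, because the
# attacker controls the name being resolved.
FAKE_DNS = {
    "partner.example.com": ["93.184.216.34"],          # ordinary public host
    "metadata.attacker.example": ["169.254.169.254"],  # resolves to a link-local metadata address
    "localhost": ["127.0.0.1"],
}


def _resolve(host, dns=FAKE_DNS):
    """Return the IP addresses a host name (or IP literal) maps to."""
    try:
        return [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]


def _is_internal(addr):
    """True for any address the server must never be tricked into reaching."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def naive_fetch_target(url):
    """The vulnerable pattern: trust the URL wholesale.
    Returns the (host, port) the server would connect to, unchecked."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def check_outbound_url(url, dns=FAKE_DNS):
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials,
    unresolvable hosts and any host resolving to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = _resolve(host, dns)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://partner.example.com/report",
              "http://metadata.attacker.example/latest/",
              "http://127.0.0.1:8080/admin",
              "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u))
```

The check must be applied to the resolved address, not just the textual host, and it must be repeated on every redirect hop; a server that follows redirects blindly re-opens the hole after the first check passes.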

Ivanti and the Vulnerabilities 

Ivanti raised the alarm about a critical flaw in the gateway's SAML components on January 31, 2024. This vulnerability, identified as CVE-2024-21893, was immediately classified as a zero-day exploit, indicating that hackers were already taking advantage of it. Initially, the impact seemed limited, affecting only a small number of customers. 

However, the exploitation of CVE-2024-21893 opened the door for attackers to sidestep authentication measures and gain unauthorized access to restricted resources on vulnerable devices, specifically those operating on versions 9.x and 22.x. 

Now, according to the threat monitoring service Shadowserver, the situation has escalated. They have detected numerous attackers capitalizing on the SSRF bug, with a staggering 170 unique IP addresses attempting to exploit the vulnerability. This widespread exploitation poses a significant threat to the security of affected systems and the data they hold. 

The disclosure of CVE-2024-21893 revealed a series of critical vulnerabilities affecting Ivanti Connect Secure and Policy Secure VPN appliances. Alongside CVE-2024-21893, two other zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, were also identified on January 10, 2024, prompting Ivanti to release temporary mitigations. 

These vulnerabilities were exploited by the Chinese espionage threat group UTA0178/UNC5221, resulting in the installation of webshells and backdoors on compromised devices. Despite initial mitigations, attackers managed to bypass defenses, compromising even device configuration files. 

What Measures Is the Company Taking? 

Ivanti postponed firmware patches scheduled for January 22 due to the sophisticated nature of the threat. Given the active exploitation of multiple critical zero-days, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has mandated federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPN appliances. 

Only devices that have been factory reset and updated to the latest firmware should be reconnected. However, older versions without a patch remain vulnerable. While this directive is not compulsory for private organizations, they are strongly advised to assess the security status of their Ivanti deployments and overall environment, considering the potential risks posed by these vulnerabilities. 

About the Company 

Ivanti is a company based in Utah, USA, that makes different kinds of computer software for things like keeping your computer safe, managing IT services, tracking IT assets, managing all your devices from one place, controlling who has access to what, and managing the supply chain. It was created in 2017 when two companies, LANDESK and HEAT Software, joined together. Later, they also bought another company called Cherwell Software. Ivanti became more famous because of some big problems with the security of the VPN hardware they sell.

Unveiling the Unseen Cybersecurity Threats Posed by Smart Devices

 

The number of smart devices worldwide has surpassed the global population, with a continuous upward trend, particularly amidst remote and hybrid work settings. Ranjit Atwal, Gartner's senior research director, attributes this surge to the increase in remote work. As work mobility grows, the demand for connected devices like 4G/5G laptops rises, crucial for employees to work from anywhere.

Smart devices encompass gadgets connecting to the internet, like smart bulbs, speakers (e.g., Amazon's Alexa), and wearables such as the Apple Watch. They collect data, enhancing user experience but also pose security risks exploited by cybercriminals. Surprisingly, consumers often overlook security when purchasing smart devices, as shown by Blackberry's research.

In response, the European Union proposed the "Cyber Resilience Act" to enforce cybersecurity standards for all connected devices. Failure to comply may result in hefty fines. Margrethe Vestager from the European Commission emphasizes the need for market products to meet robust cybersecurity measures, likening it to trusting CE-marked toys or fridges.

Security vulnerabilities in smart devices pose threats, as seen in TP-Link's smart lightbulb. Exploiting these vulnerabilities could grant hackers access to networks, risking data and enabling potential malware deployment. Even smart homes face numerous entry points for hackers, as illustrated by investigations conducted by Which?, showcasing thousands of hacking attempts in a week.

The Mirai botnet targets smart devices, using brute-force attacks to gain access via weak passwords. In a concerning case, a Google Home speaker was turned into a wiretap due to vulnerabilities, highlighting the potential risks associated with unsecured devices.

Securing home networks becomes paramount. Strategies include:

1. Purposeful Device Selection: Opt for devices that suit your needs, avoiding unnecessary interconnected gadgets.
2. Router Security: Update router settings, change default passwords, and enable automatic firmware updates.
3. Password Management: Use password managers to create strong and unique passwords for each account.
4. Multi-Factor Authentication (MFA): Employ MFA to add layers of verification during logins.
5. Wi-Fi Network Segmentation: Create separate networks for different devices to isolate potential threats.
6. Virtual Private Networks (VPNs): Invest in VPNs to encrypt online activities and protect against cyber threats on unsecured networks.

Implementing these measures strengthens overall cybersecurity, safeguarding personal data and devices from potential breaches and threats.

Imperva Reports Previously Undocumented 8220 Gang Activities


The Imperva Threat Research team has recently discovered previously unreported activity from the 8220 gang, which is well-known for mass-deploying a range of constantly evolving TTPs to distribute malware in large quantities. The threat actor has a history of using cryptojacking malware to target Linux and Windows web servers.

The researchers reported the issue in a blog, discussing the group’s attack tactics, recent activities, and indicators of compromise (IoCs) from the threat actor’s most recent campaign. Customers of Imperva are shielded from the known actions of this group. All firms are required to keep their security and patching up-to-date. 

History of the Threat Actor

The 8220 gang, which is believed to be a China-based group, was initially discovered in 2017 by Cisco Talos. The targets include Apache Struts2, Hadoop YARN, and Drupal systems, where the threat actors transmitted cryptojacking malware. Since then, a number of additional researchers have offered updates on the group's growing tactics, methods, and procedures (TTPs), which include making use of vulnerabilities in Log4j and Confluence. The group's use of the Oracle WebLogic vulnerability CVE-2017-3506 to infect specific systems was most recently shown by Trend Micro.

Evolving TTPs

Imperva Threat Research disclosed the group's exploitation of the vulnerabilities CVE-2021-44228 and CVE-2017-3506. The researchers also revealed that the threat group exploited CVE-2020-14883, a Remote Code Execution vulnerability in Oracle WebLogic Server, to spread malware.

This vulnerability, frequently chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle WebLogic Server) or used with compromised, stolen, or leaked credentials, permits remote authenticated attackers to execute code via a gadget chain. Exploitation of these vulnerabilities is extensively documented, which makes the techniques easy to adapt for malware distribution. 

The 8220 gang employs two distinct gadget chains: one allows an XML file to be loaded, and this file contains a call to another gadget chain that allows commands to be executed on the operating system.

The report further notes that Imperva Cloud WAF and on-prem WAF have addressed the issues already by mitigating flaws that were used by the 8220 gang for conducting their malicious activities. Some of these vulnerabilities have been listed below:

  • CVE-2017-3506 – Oracle WebLogic Server RCE 
  • CVE-2019-2725 – Oracle WebLogic Server Authenticated Deserialization 
  • CVE-2020-14883 – Oracle WebLogic Server Authenticated RCE 
  • CVE-2021-26084 – Atlassian Confluence Server OGNL Injection RCE 
  • CVE-2021-44228 – Apache Log4j JNDI RCE 
  • CVE-2022-26134 – Atlassian Confluence Server RCE  

Massive Data Breach at Gokumarket: Over a Million Users' Information Exposed

 


Several days before the leak, the GokuMarket team found an unprotected MongoDB instance, which was storing information about its users, namely those who bought and sold crypto on the exchange. In GokuMarket's case, it is the details of more than a million customers and admin users of the company that are stored in MongoDB in the form of large chunks of document-oriented information. 

Several users of GokuMarket, the centralized crypto exchange owned by ByteX and operated by its staff, have had their records revealed thanks to an open instance, according to a Cybernews investigation. 

With offices in Canada, the European Economic Area, and India, ByteX is a licensed and regulated CeDeFi platform that offers its services in those countries. It is ByteX's goal to bridge the best of both worlds by providing a KYC-verified platform with a compliant DeFi architecture, thus enabling a smooth transition from traditional to crypto credit infrastructure by reinventing it with transparency. 

The Gokumarket cryptocurrency exchange, one of the world's leading crypto exchanges, recently suffered a massive data breach, resulting in the disclosure of sensitive information belonging to over a million users. This is quite a significant and alarming development. 

In light of this breach, significant concerns have been raised regarding the platform's security infrastructure and the potential implications for the affected users. In mid-2022, a disastrous year for the crypto markets, GokuMarket, which had around a million users, denied users the option to withdraw their funds, and the company almost went bankrupt. 

GokuMarket faced the harsh reality of insolvency and financial bankruptcy as a result of the crypto market crash that occurred in early 2018. To help users safeguard and protect their interests, ByteX provided alternative solutions compared with what it had originally offered. 

There has been considerable turbulence in the market in the aftermath of the recent collapse of several giants, which has also affected the stability of GokuMarket. In acquiring the platform's custodial users, we are making a conscious decision to safeguard and protect both its assets and its users from further challenges. 

It has been discovered that GokuMarket's database had been exposed on the web for a considerable period; it was only detected in October 2023 and was secured the next day after researchers sent a responsible disclosure note. Until then, the database could have been accessed by anyone for a considerable amount of time. 

A substantial repository of sensitive data belonging to an estimated one million users, previously kept in a secure environment, was exposed. In addition to IP addresses and geographical locations, the data includes users' dates of birth, first and last names, and mobile phone numbers. 

Encrypted passwords and cryptocurrency wallet addresses were also part of the exposed data. Concern over the security and privacy of the affected individuals is significant in light of this breach. 

A persistent attacker could easily use this information to develop a spear-phishing campaign, which would likely involve draining the user's crypto funds, as the researchers believe that there is more than enough information to do so. There was also a revelation that the database, which had full-admin access, held 35 accounts that contained all sorts of sensitive information, including private Telegram channel IDs, secret exchange tokens, passwords and other highly sensitive information. 

A far more dangerous can of worms opens when attackers use the exposed admin access details to scam users of other platforms, stealing en masse and transferring funds to accounts they control. This is possible through credential stuffing attacks, which take advantage of individual user data to target exposed users. 

Using official Telegram channels for malicious purposes, attackers can manipulate the market if a leak of this nature arises. Although the official GokuMarket Telegram channel has not been active since September 2022, scammers are still attempting to impersonate brands within the crypto community to gain their attention.

Data Breach Threat: OwnCloud Users Urged to Patch Vulnerabilities Now

 


The maintainers of ownCloud, a popular open-source file-sharing software, have recently issued an alert regarding three critical security flaws that could have severe consequences. The flaws have become known through a recent announcement by ownCloud's maintainers. 

The vulnerabilities pose a significant risk to the security and privacy of ownCloud users, as they could allow sensitive information to be exposed and files to be modified without authorization. 

The first vulnerability, which affects containerized deployments, has been assigned a CVSS score of 10.0; exploiting it discloses sensitive credentials and configuration. The flaw lies in the graphapi app, versions 0.2.0 to 0.3.0. 

If an attacker is able to access a particular URL, crucial details about a PHP environment, including variables used to control a web server, could be revealed. The environment variables of containerized deployments may contain sensitive data such as the administrator password for the OwnCloud system, the credentials for the email server, and the license key for the software. 

Among the three critical security vulnerabilities that have been discovered in the open source file sharing software ownCloud is a vulnerability that could expose passwords for administrators and credentials for the mail server. 

The open-source ownCloud platform lets users sync and share files individually or as a team on a self-hosted system, accessing and managing files from anywhere. It is used by businesses and enterprises, educational institutions, government agencies, and privacy-conscious individuals who prefer to keep control over their data.

The ownCloud site reports 200 million users and 600 enterprise customers. This past week, the development team behind ownCloud issued three security bulletins stating that the project could be severely compromised through three different vulnerabilities in its components. 

CVE-2023-49103 is the first flaw identified, which has a CVSS v3 score of 10. This flaw allows for the theft of credentials and configuration information in containerized deployments, and it impacts all of the server's environment variables as well. 

OwnCloud recommends that immediate action be taken in order to mitigate this issue, such as deleting a particular file and disabling the PHPinfo function. It is also advised that users should change the password for the ownCloud admin account, their mail server and database credentials, as well as their access codes for Object-Store and Amazon S3. 

In order to resolve this issue, it is recommended that the ownCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file be deleted, that Docker containers be prevented from executing the phpinfo function, and that secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys be changed. 

A second vulnerability, with a CVSS score of 9.8, can be used by malicious actors to bypass WebDAV API authentication using pre-signed URLs. It allows attackers to access, modify, or delete files of any user whose username is known and who has no signing key configured; it affects core versions 10.6.0 to 10.13.0. 

Lastly, ownCloud has issued a warning about a security vulnerability in oauth2 before version 0.6.1 that bypasses subdomain validation. By bypassing the validation code, this vulnerability, which has a CVSS score of 9.0, enables an attacker to redirect callbacks to a top-level domain (TLD) under their control. 

ownCloud suggests, as a temporary solution to this issue, disabling the "Allow Subdomains" option and hardening the validation code in the oauth2 application. If a user's username is known and the signing key has not been configured (the default setting), attackers can access, edit, or delete any file without authentication. 

It has been published that the pre-signed URLs cannot be used unless a signing key has been set up for the file owner. This can be fixed by denying the use of pre-signed URLs. There is also a third flaw (CVSS v3 score: 9) that affects all versions of the oauth2 library below version 0.6.1, which is a subdomain validation bypass vulnerability. 
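The "signing key not configured" condition described above is a general failure mode of pre-signed URL schemes: if the verifier treats a missing key as an empty one, anyone can sign on behalf of a user who never set a key up. The example below is added here and is not ownCloud's code; the HMAC format, the function names (make_presigned_url, verify_naive, verify_hardened, url_signed_with_empty_key) and the USER_SIGNING_KEYS table are constructed assumptions for illustration. It shows the weak verifier accepting a URL signed with the empty key, and the hardened verifier refusing pre-signed URLs outright for any account without a key.

```python
"""Pre-signed URL verification and the missing-key failure mode (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-user signing keys. None models a user who never configured one.
USER_SIGNING_KEYS = {
    "alice": b"constructed-key-for-alice",
    "bob": None,
}


def _canonical(user, path, expires):
    # Bind the signature to the user, the exact path and the expiry time.
    return f"{user}\n{path}\n{expires}".encode()


def _signature(key, user, path, expires):
    return hmac.new(key, _canonical(user, path, expires), hashlib.sha256).hexdigest()


def make_presigned_url(user, path, ttl_seconds, now, keys=USER_SIGNING_KEYS):
    """Issue a pre-signed URL; refuses for users who have no signing key."""
    key = keys.get(user)
    if not key:
        raise ValueError(f"no signing key configured for {user}")
    expires = now + ttl_seconds
    query = urlencode({"user": user, "expires": expires,
                       "signature": _signature(key, user, path, expires)})
    return f"{path}?{query}"


def _parse(url):
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    return parts.path, q["user"][0], int(q["expires"][0]), q["signature"][0]


def verify_naive(url, now, keys=USER_SIGNING_KEYS):
    """Flawed verifier: a missing key silently degrades to the empty key, so
    valid signatures can be produced for every user who never set one up."""
    path, user, expires, sig = _parse(url)
    key = keys.get(user) or b""
    if now >= expires:
        return False
    return hmac.compare_digest(_signature(key, user, path, expires), sig)


def verify_hardened(url, now, keys=USER_SIGNING_KEYS):
    """Correct verifier: no configured key means pre-signed URLs are simply
    not usable for that account; the expiry is checked as well."""
    path, user, expires, sig = _parse(url)
    key = keys.get(user)
    if not key or now >= expires:
        return False
    return hmac.compare_digest(_signature(key, user, path, expires), sig)


def url_signed_with_empty_key(user, path, now):
    """Builds the URL the weak verifier wrongly accepts (signed with b'').
    Present only to demonstrate the check failing in a test."""
    expires = now + 60
    query = urlencode({"user": user, "expires": expires,
                       "signature": _signature(b"", user, path, expires)})
    return f"{path}?{query}"


if __name__ == "__main__":
    now = 1_700_000_000
    legit = make_presigned_url("alice", "/files/alice/report.pdf", 300, now)
    bogus = url_signed_with_empty_key("bob", "/files/bob/secret.txt", now)
    print("legit  naive/hardened:", verify_naive(legit, now), verify_hardened(legit, now))
    print("bogus  naive/hardened:", verify_naive(bogus, now), verify_hardened(bogus, now))
```

The important design choice is that absence of a key is an explicit deny, never a default value; the same rule applies to any secret looked up per account (API tokens, webhook secrets, session keys).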

The attacker can inject a specially crafted redirect URL into the oauth2 app that bypasses the validation code, allowing callbacks to be redirected to a domain the attacker controls. The bulletin provides a temporary workaround for the oauth2 application and recommends that its validation code be hardened. 
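Redirect-URI validation bugs of the kind described above usually come from comparing host names loosely. The example below is added here and is not ownCloud's oauth2 app code; the functions (naive_redirect_allowed, hardened_redirect_allowed), the allow_subdomains flag and the sample URLs are constructed assumptions, and the weak check shown is a generic substring test chosen to contrast with an exact-host comparison, not a claim about ownCloud's actual validation logic. The hardened version mirrors the page's advice: subdomains are only honoured when explicitly enabled, and even then only a genuine "." + host suffix qualifies.

```python
"""OAuth2 redirect-URI validation: loose vs. strict host matching (added example)."""
from urllib.parse import urlsplit


def naive_redirect_allowed(redirect_uri, registered_uri):
    """Flawed: asks only whether the registered host appears somewhere inside
    the supplied host, so 'app.example.com' is 'found' in
    app.example.com.attacker.test (a TLD the attacker controls)."""
    registered_host = urlsplit(registered_uri).hostname or ""
    supplied_host = urlsplit(redirect_uri).hostname or ""
    return registered_host in supplied_host


def hardened_redirect_allowed(redirect_uri, registered_uri, allow_subdomains=False):
    """Require identical scheme, port and path, no embedded credentials, and an
    exact host match. With allow_subdomains=True, a host that ends in
    '.' + registered host is also accepted; nothing else is."""
    r = urlsplit(redirect_uri)
    reg = urlsplit(registered_uri)
    if not r.hostname or not reg.hostname:
        return False
    if r.username or r.password:
        return False  # "https://app.example.com@attacker.test/" tricks
    if r.scheme != reg.scheme:
        return False  # no scheme downgrade
    if r.port != reg.port:
        return False
    if r.path != reg.path:
        return False
    if r.hostname == reg.hostname:
        return True
    if allow_subdomains and r.hostname.endswith("." + reg.hostname):
        return True
    return False


if __name__ == "__main__":
    registered = "https://app.example.com/oauth/callback"
    for candidate in ("https://app.example.com/oauth/callback",
                      "https://app.example.com.attacker.test/oauth/callback",
                      "https://login.app.example.com/oauth/callback"):
        print(candidate,
              "naive:", naive_redirect_allowed(candidate, registered),
              "strict:", hardened_redirect_allowed(candidate, registered, allow_subdomains=True))
```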

Three security flaws described in the bulletins significantly damage the security and integrity of ownCloud, potentially exposing sensitive information to phishing attacks, stealthy data theft, and other possible malicious activities. Various ransomware groups have been using vulnerabilities in file-sharing platforms to steal data from thousands of companies around the world, and are using them as part of their attacks on companies that use file-sharing platforms. 

Alongside this disclosure, a proof-of-concept (PoC) exploit for a critical remote code execution vulnerability (CVE-2023-43177) has been released for the CrushFTP solution. If exploited by an unauthenticated attacker, it could give access to files, allow arbitrary programs to run on the host, and expose plain-text passwords through the application. Converge security researcher Ryan Emmons discovered and reported the issue, which was resolved in CrushFTP 10.5.2, released on August 10, 2023.

AutoZone Faces Data Breach Headache as MOVEit System Compromised

 


Almost 185,000 individuals have been informed that their personal information was compromised in the recent data breach at the American car parts company AutoZone. Cybercriminals exploited the MOVEit Transfer managed file transfer application to steal sensitive information, including users' social security numbers and other private data. 

There have been no reports so far that the exposed information has been used for fraudulent activity as a result of this alarming breach, yet AutoZone has assured its customers that there has been no evidence that such information has been misused. A credit monitoring service and identity protection services are complimentary as a preventative measure for customers who are affected by this issue. 

It has been reported that AutoZone suffered a data breach in the Clop attack on the MOVEit file transfer service, losing data on tens of thousands of its customers. With over 7,140 locations in the U.S., Brazil, Mexico, and Puerto Rico, AutoZone is the country's number one retailer and distributor of automotive spare parts and accessories. 

There are approximately 17.5 billion dollars in revenue generated each year by the company, 119,000 jobs are created by the company, and 35 million monthly users visit the company's online shop, as reported by similarweb.com statistics. It has come to AutoZone's attention that an unauthorized third party exploited a vulnerability associated with MOVEit and exfiltrated certain information from an AutoZone system supported by the MOVEit application, the company said in a notice published last week. 

AutoZone discovered on or about August 15, 2023, that certain data had been exfiltrated as a result of the exploitation of a vulnerability in the MOVEit application. Although the notice does not specify what type of data was stolen, the filing with the Maine Attorney General lists "full names" and "social security numbers." This information is sufficient for identity theft or even wire fraud to occur.  

An archive of 1.1 gigabytes contains employee names, emails, details about parts supplies, tax information, payroll documents, Oracle databases, and much more. The archive seems to have spared customers from this issue. AutoZone operates over 7,000 locations and employs close to 120,000 people across the US, making it a major retailer of spare car parts. 

Since late May, a staggering number of organizations have been affected by the MOVEit software vulnerability, tracked as CVE-2023-34362. According to data collected by Huntress with industry collaborators, there have been no notable exploits of the vulnerability since its discovery in late May 2023, as the MOVEit vendor had a patch for the vulnerability available by 31 May 2023.

It is conceivable that a malicious actor equipped with an effective exploit for a service characterized by high availability, making it resistant to swift patching, and commonly accessible from external sources, would persist in capitalizing on this opportunity. However, contrary to this expectation, the broader security community has noted an initial surge in activity, followed by a marked decrease or absence of actions as the calendar transitioned into June. 

In an update issued by cybersecurity firm Emsisoft on November 21, it was reported that over 2,620 organizations, either directly or indirectly, had been impacted by this breach, with an overall count of over 77 million individuals having been affected as a result. 

Many US schools and the state of Maine are among the victims in this extensive list, along with Siemens Energy, Schneider Electric, and Shell, among other big-name energy companies. In the wake of the MOVEit hack, organizations have suffered significant disruptions and financial losses in a variety of industries and sectors as a result.

The AutoZone breach is a stark reminder that vigilance in the face of ever-evolving threats, together with robust cybersecurity measures, is essential for the protection of all data. 

For businesses that are more reliant on digital tools and technologies, it becomes even more crucial for them to prioritize secure data management, regularly update software, and implement multilayered security protocols to avoid potential breaches of data security. 

As AutoZone has taken immediate action to address this breach, businesses of all sizes should take the opportunity to learn from this incident and strengthen their cybersecurity defences to protect their customers' personal information and prevent future breaches from occurring. To do so, one needs to invest in advanced threat detection systems, conduct regular security audits, and train employees in cybersecurity best practices to prevent future breaches. 

To maintain the trust and confidence of their stakeholders, organizations have to remain vigilant in protecting sensitive data and prioritizing the security of their digital infrastructure to ensure that cyber threats do not increase their level of sophistication.

Apple's iOS 17.0.3 Update: Solving Overheating and Enhancing Security

 


In response to reports that iPhone 15s were running hot over the weekend, Apple pointed to an array of possible causes for the problem, including app-specific problems like Instagram and Uber, problems with background processing/post-transfer, and the presence of unspecified bugs in iOS 17. 

With the new software update created recently by Apple, the company was able to address a bug that could cause the iPhone to run hotter than normal. According to the patch notes for iOS 17.0.3, this bug may cause the iPhone to run hotter than usual.

Two vulnerabilities have been fixed for both iOS and iPadOS, according to the security notes accompanying this patch. The first is a kernel vulnerability that could be exploited by an attacker with local access to the device. 

Apple said it believes this flaw was exploited against versions of iOS before iOS 16.6. The update also addressed a bug in libvpx that had previously been flagged as a concern by CISA (the Cybersecurity and Infrastructure Security Agency). 

A device with this bug may be vulnerable to remote attacks that could allow attackers to gain control of the device remotely. Additionally, other applications such as Chrome and Firefox have recently implemented similar patches to fix the same libvpx bug that was identified in the Chrome bug report. 

As a result, it is recommended that you check for the latest version of the iOS on your device in the Settings application. The download will take approximately 400MB, and there is no charge for this update. This update addresses an issue in iOS, the iPhone operating system, that was discovered on Wednesday.

The developers of these apps are also updating their apps with fixes for bugs that have been found in them. In addition, Apple said that the heat issue with the new phones was not partly due to the titanium and aluminium frames on the new models at the top end, and it was not partly due to the USB-C port since USB-C is the standard for charging phones now. 

It should be noted that Apple informs its customers that all iPhones are likely to feel warm when they are being restored from a backup, while they are being wirelessly charged, when using graphics-rich apps and games or when streaming high-quality video. 

As long as iPhones display an explicit warning about the temperature, they are safe to use, according to Apple. There has been a security problem identified in iOS 17.0.3 and iPadOS 17.0.3 that was addressed by Apple with improved checks, but Apple has not yet revealed who is responsible for finding and reporting the issue. 

In a nutshell, a lot of devices have been impacted, including: iPhone XS and later; iPad Pro 12.9-inch and iPad Pro 10.5-inch 2nd generation models; iPad Pro 11-inch and iPad Pro 12.9-inch 1st generation models; iPad Air and iPad Mini 5th generation models; and iPad 6th generation models. 

The open-source libvpx video codec library contains a heap buffer overflow vulnerability, CVE-2023-5217, which can be exploited to execute arbitrary code. 

Apple has also addressed this vulnerability. Apple has not labelled the libvpx bug as exploited in the wild, but it had already been patched as a zero-day by Google and by Microsoft in the Edge browser, Teams, and the Skype service. 

As part of Google's Threat Analysis Group (TAG), a group of security experts who are known for frequently discovering zero-day vulnerabilities in government-sponsored targeted spyware attacks that target high-risk individuals, Clément Lecigne discovered CVE-2023-5217 as part of a research project. 

In the past few months, Apple has fixed 17 zero-day vulnerabilities exploited in attacks, the latest being CVE-2023-42824. Aside from the recently patched CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993, Apple also recently patched three other zero-day vulnerabilities reported by Citizen Lab and Google TAG researchers that were exploited to install Cytrox's Predator spyware. 

Citizen Lab also disclosed that two further zero-day bugs (CVE-2023-41061 and CVE-2023-41064) were exploited as part of BLASTPASS, a zero-click exploit chain used to infect fully patched iPhones with NSO Group's Pegasus spyware. 

In the same way that new phones and new operating systems come out at around the same time each year, it's not uncommon for new iPhones to receive specific iOS patches in rapid succession. In addition, older devices receive a more thorough vetting as they enter the months-long developer and public beta programs, which Apple is making even easier to use in recent releases. 

There is currently a beta version of the first major update to iOS 17 called 17.1, which is currently being tested. According to MacRumors, the update appears to mainly refine a few of iOS 17's new features, such as the StandBy smart display mode. 

A comprehensive list of the changes can be found in MacRumors. It is expected that Apple will release the 17.1 update within a couple of weeks if it follows its usual schedule. Although rumours were circulating about potential hardware issues, possibly linked to the iPhone 15's advanced processor or the incorporation of titanium components, Apple's official statements primarily attribute the problem to software-related issues. 

Moreover, they also acknowledge the possibility of overheating when utilizing USB-C chargers. It is worth noting that Apple had previously released a post-iPhone 15 launch patch to address data transfer problems that were experienced by certain new users. 

Additionally, it is important to mention that the company is currently in the beta testing phase for a more substantial update, namely iOS 17.1. This update is expected to bring significant improvements and enhancements to the overall user experience.

CISA Removes Meeting Owl Vulnerabilities from Exploited List


CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) recently removed five vulnerabilities affecting Owl Labs’ Meeting Owl smart video conferencing product from its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities, discovered by researchers at Modzero, include encryption flaws, hardcoded credentials, and authentication issues. However, CISA cited insufficient evidence of exploitation for their removal from the catalog. The vulnerabilities would require an attacker to be in Bluetooth range of the device, making it unlikely to be exploited.

What is the KEV Catalog?

The KEV Catalog is a list of known vulnerabilities that have been exploited by threat actors in the past. It is maintained by CISA and is used by federal agencies to prioritize their patching efforts. The catalog includes vulnerabilities that have been exploited in the wild and those that have not yet been exploited but are considered high-risk.

The Meeting Owl Vulnerabilities

The Meeting Owl is a smart video conferencing device that uses artificial intelligence to automatically focus on the person speaking in a meeting room. Researchers at Modzero discovered five vulnerabilities in the device that could allow an attacker to control it. These include encryption flaws, hardcoded credentials, and authentication issues. However, the vulnerabilities would require an attacker to be in the Bluetooth range of the device, making it unlikely to be exploited.

CISA’s Decision

CISA’s decision to remove the Meeting Owl vulnerabilities from its KEV Catalog has raised some eyebrows. While it is true that the vulnerabilities would require an attacker to be in the Bluetooth range of the device, this does not mean that they are not exploitable. In fact, researchers at Modzero were able to exploit the vulnerabilities in their lab environment. Furthermore, removing the vulnerabilities from the catalog could lead federal agencies to deprioritize patching efforts for the Meeting Owl.

While it is true that the Meeting Owl vulnerabilities would require an attacker to be in the Bluetooth range of the device, they are still exploitable. CISA’s decision to remove them from its KEV Catalog could lead federal agencies to deprioritize patching efforts for the device. It is important for organizations to remain vigilant and patch all known vulnerabilities in their systems.
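One practical follow-up for a defender, as an added example that is not part of the original post: diff two snapshots of the KEV feed so that an entry's removal is noticed rather than silently lowering its patch priority. The snapshots below are constructed in the JSON shape CISA publishes for the catalog; every CVE ID, vendor and product in them is a placeholder, and the `patch_priority` policy is an assumption about how a team might choose to react.

```python
import json
from typing import Dict, List, Tuple

# Two constructed KEV snapshots in the JSON shape CISA publishes for the
# catalog. Every CVE ID, vendor and product here is a placeholder, not a
# real catalog entry.
KEV_BEFORE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.06.01",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleCorp",
         "product": "Example Conference Camera",
         "vulnerabilityName": "Example Conference Camera hard-coded credentials",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCorp",
         "product": "Example Conference Camera",
         "vulnerabilityName": "Example Conference Camera missing authentication",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "Other Gateway",
         "vulnerabilityName": "Other Gateway command injection",
         "dateAdded": "2023-05-10", "dueDate": "2023-05-31",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Next day's snapshot: the two camera entries are gone, one new entry appears.
KEV_AFTER = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.06.02",
    "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor",
         "product": "Other Gateway",
         "vulnerabilityName": "Other Gateway command injection",
         "dateAdded": "2023-05-10", "dueDate": "2023-05-31",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-00004", "vendorProject": "ThirdVendor",
         "product": "Third Firewall",
         "vulnerabilityName": "Third Firewall authentication bypass",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def load_kev(text: str) -> Dict[str, dict]:
    """Parse a KEV JSON document into {cveID: entry}."""
    doc = json.loads(text)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def diff_kev(before: Dict[str, dict], after: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) CVE IDs between two snapshots, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    return added, removed


def patch_priority(cve: str, before: Dict[str, dict], after: Dict[str, dict]) -> str:
    """Assumed local policy: a removal from KEV lowers nothing until a human reviews it."""
    if cve in after:
        return "kev-listed: patch by " + after[cve]["dueDate"]
    if cve in before:
        return "kev-removed: keep original due date " + before[cve]["dueDate"] + ", review manually"
    return "not-in-kev: prioritize by CVSS and exposure"


if __name__ == "__main__":
    old, new = load_kev(KEV_BEFORE), load_kev(KEV_AFTER)
    added, removed = diff_kev(old, new)
    print("added:", added, "removed:", removed)
    for cve in removed:
        print(cve, "->", patch_priority(cve, old, new))
```

The point of keeping the original due date on a removal is exactly the concern raised above: a CVE that drops out of the catalog is still the same bug in the same product, and the decision to deprioritize it should be an explicit one.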

Exposed Secrets: Backdoor Vulnerabilities in Worldwide Radio Systems

 


For more than 25 years, a technology used for critical data and voice radio communication around the globe has been kept secret, so no one could closely examine its security properties for vulnerabilities. A small group of researchers in the Netherlands have now compiled a research study on it, and their findings are being aired publicly: they found that its internals harbored serious flaws, including a deliberate backdoor. 

The backdoor sits in the encryption algorithm baked into these radios, and it has been known for years by the vendors who sell the technology, though not necessarily by their customers. A pipeline, a railway, an electric grid, a mass transit system, or a freight train could send encrypted data and commands over this technology. Anyone with access to these communications could snoop on them to learn how the systems work, and could then relay commands to the radios to trigger a blackout, halt gas pipeline flows, or reroute trains. 

An additional vulnerability was found in a different part of the same radio technology, one used in more specialized systems sold exclusively to police forces, prisons, military personnel, intelligence agencies, and emergency services. 

The Dutch police, fire brigades, ambulance services, and the Ministry of Defense use the C2000 communication system for mission-critical voice and data communication. Someone could exploit the flaw to decrypt voice and data communications and to send fraudulent messages, whether to spread misinformation during a national crisis or to redirect personnel and forces during that period. 

Midnight Blue, a Dutch security firm, has discovered five vulnerabilities in the Terrestrial Trunked Radio (TETRA) standard, which is used by governments, law enforcement agencies, emergency services organizations, and others in many countries in Europe, the United Kingdom, and other parts of the world. 

Because TETRA is an open standard with competition between vendors, its development has brought about several innovations. TETRA solutions from Airbus can achieve outstanding coverage because they use the same frequency band and output power as today's cellular systems. 

All TETRA radio networks appear to be affected by the flaws, collectively named TETRA:BURST. An attacker could use these vulnerabilities to decrypt communications in real time or after the fact, inject messages, deanonymize users, or set the session key to zero for uplink interception. 

Two of the flaws have been classified as critical, meaning they require immediate attention. The first (CVE-2022-24401) can be used to decrypt text, voice, or data communications and reveal their contents: the Air Interface Encryption (AIE) keystream generator, which protects sensitive data in transit, relies on network time that is broadcast publicly and unencrypted. 

The second vulnerability (CVE-2022-24402) the researchers detected is not a technical mistake: the TEA1 [PDF] encryption algorithm, they claim, "has a backdoor that can be exploited to reduce the original 80-bit key size to a size that can be easily brute-forced on consumer hardware in minutes." The Midnight Blue team agree that the backdoor, as they call it, stems from deliberate design.

Encryption technology often has to be weakened under export rules and regulations: under certain regimes, the security must be reduced before a shipment is permitted. 

A demonstration video of CVE-2022-24401 shows an attacker, targeting a radio that transmits a message, intercepting and reading that message over the air. In none of the circumstances under which this vulnerability is exploited does the attacker gain access to a key, says Midnight Blue founder Wouter Bokslag: “The only thing you will receive is the keystream, which is the keystream you need to decrypt arbitrary frames or arbitrary messages that pass through the network.” 
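To make Bokslag's point concrete from a defender's perspective, here is an added example written for this page; it is not Midnight Blue's code and it is not TETRA's AIE or TEA algorithm. It models a stream cipher whose keystream depends only on a secret key and a network time that is broadcast in the clear (a constructed HMAC-based toy): whoever can get one message of known content encrypted under a given time recovers the keystream for that time, never the key, and can read any other frame sent under that same time. The block also shows the property a fix needs, a fresh per-session value that the time source cannot steer, so that no two frames ever share keystream. The key, message texts and time value are all constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed secret shared by the radios in this toy; not a real key.
KEY = bytes.fromhex("5a" * 16)


def keystream(key: bytes, network_time: int, nonce: bytes, length: int) -> bytes:
    """Expand (key, network time, nonce) into `length` keystream bytes.
    Constructed HMAC-SHA256 counter mode; stands in for an AIE-style generator."""
    out = b""
    counter = 0
    while len(out) < length:
        msg = network_time.to_bytes(8, "big") + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, network_time: int, plaintext: bytes, nonce: bytes = b"") -> bytes:
    """With nonce == b"" the only IV is the unauthenticated network time,
    which is the weak design the page describes."""
    return xor_bytes(plaintext, keystream(key, network_time, nonce, len(plaintext)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Keystream = plaintext XOR ciphertext. No key is involved, as Bokslag notes."""
    return xor_bytes(known_plaintext, ciphertext)


def demo_time_reuse() -> Tuple[bytes, bool]:
    """Return (plaintext read from the captured frame in the weak design,
               whether the same trick still works once a session nonce is mixed in)."""
    T = 1_690_000_000  # network time of the captured frame, visible on the air

    # 1. A real frame is observed, encrypted under time T.
    real_ct = encrypt(KEY, T, b"OPEN VALVE 7")

    # 2. Because T is public and unauthenticated, a frame whose content is
    #    already known can end up encrypted under the SAME T.
    crib = b"ACK ACK ACK ACK ACK"   # known content, at least as long as the target
    crib_ct = encrypt(KEY, T, crib)

    # 3. The keystream for T falls out, and with it every frame sent under T.
    ks = recover_keystream(crib, crib_ct)
    recovered = xor_bytes(real_ct, ks[: len(real_ct)])

    # 4. Fix modelled here: each session mixes in a random value the time
    #    source cannot influence, so keystream is never shared between frames.
    real_ct_fixed = encrypt(KEY, T, b"OPEN VALVE 7", nonce=os.urandom(16))
    crib_ct_fixed = encrypt(KEY, T, crib, nonce=os.urandom(16))
    ks_fixed = recover_keystream(crib, crib_ct_fixed)
    attempt = xor_bytes(real_ct_fixed, ks_fixed[: len(real_ct_fixed)])
    still_works = attempt == b"OPEN VALVE 7"
    return recovered, still_works


if __name__ == "__main__":
    plain, broken_after_fix = demo_time_reuse()
    print("weak design leaks:", plain)
    print("same trick after nonce fix:", broken_after_fix)
```

The lesson for anyone specifying or reviewing a link-layer cipher is the one the researchers drew: a stream cipher's IV must be unique per frame and must not be something an outside party can set, and if time is part of the IV, the time broadcast has to be authenticated.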

A second demo video demonstrates CVE-2022-24402, the backdoor in the TEA1 algorithm, which affects both the confidentiality and the integrity of networks that rely on TEA1. Although TEA1 nominally uses an 80-bit key, the backdoor lets an attacker brute-force it and then either listen in undetected on communications or intercept them. 

Bokslag admits he may seem overly sensitive about his use of the word backdoor, but he thinks the term is justified here. The TEA1 decryption process involves inserting an 80-bit key into it. That 80-bit key is then reduced by a reduction step, leaving it with only 32 bits of key material left, which it can use in the decryption process. 
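An added example for the key-reduction step just described; it is not Midnight Blue's code, and the toy cipher here is not TEA1. It models an 80-bit key that is reduced to a short internal key before use, enumerates the whole reduced key space on a 16-bit toy so it finishes in a few seconds of Python, and puts numbers on the 80-bit versus 32-bit difference at an assumed rate of 10^9 keys per second. The reduction function, the cipher and the sample key are constructed stand-ins; only the key sizes come from the page.

```python
import hashlib
import hmac
from typing import Dict, Optional

KEY_BITS = 80          # nominal TEA1 key size, as reported on the page
REDUCED_BITS = 32      # effective key material left after the reduction step
TOY_REDUCED_BITS = 16  # what this example actually searches, to keep it fast


def reduce_key(key: bytes, bits: int) -> bytes:
    """Constructed stand-in for a reduction step: only `bits` bits survive."""
    if len(key) * 8 != KEY_BITS:
        raise ValueError("expected an 80-bit key")
    digest = hashlib.sha256(b"reduce:" + key).digest()
    return digest[: bits // 8]   # bits is a multiple of 8 in this example


def toy_encrypt(reduced_key: bytes, plaintext: bytes) -> bytes:
    """Constructed one-block stream cipher keyed only by the reduced key."""
    ks = hmac.new(reduced_key, b"frame-0", hashlib.sha256).digest()
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def exhaustive_search(bits: int, known_plaintext: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Try every reduced key; the original 80-bit key is never needed."""
    nbytes = bits // 8
    for candidate in range(1 << bits):
        rk = candidate.to_bytes(nbytes, "big")
        if toy_encrypt(rk, known_plaintext) == ciphertext:
            return rk
    return None


def search_seconds(bits: int, keys_per_second: float = 1e9) -> float:
    """Worst-case time to enumerate a `bits`-bit key space at a given rate."""
    return float(2 ** bits) / keys_per_second


def demo() -> Dict[str, object]:
    """Recover the toy's reduced key and compare nominal vs effective strength."""
    key80 = bytes.fromhex("00112233445566778899")   # constructed 80-bit key
    rk = reduce_key(key80, TOY_REDUCED_BITS)
    ct = toy_encrypt(rk, b"STATUS OK")
    found = exhaustive_search(TOY_REDUCED_BITS, b"STATUS OK", ct)
    return {
        "toy_key_recovered": found == rk,
        "years_for_80_bits": search_seconds(KEY_BITS) / (365 * 24 * 3600),
        "seconds_for_32_bits": search_seconds(REDUCED_BITS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is that the key length printed on a datasheet says nothing about the key material that actually reaches the cipher; an assessment of a proprietary algorithm has to measure the effective key space, and for a 32-bit space the whole search fits in seconds even at modest rates.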

What is the Suitability of TETRA for Telemetry? 


With TETRA, you are assured of the highest levels of reliability which can be an invaluable advantage for critical applications. The majority of telemetry transactions are composed of a few bytes taken from varying sources, so they can be relatively small. 

TETRA offers several powerful Short Data Services (SDS). SDS messages can be delivered on several channels: on the control channel, during a speech call, or on dedicated data transmission channels. TETRA systems from Airbus can also address a single message to multiple devices at the same time, which saves significant capacity and time. 

Where the volume of data to be transferred is high, the IP Packet Data service is recommended. Since spectrum is limited, it can make sense to combine State Messaging (16 bytes), SDS messages (140 bytes without concatenation), and IP Packet Data. 

As a result of the weakening of the cipher, Bokslag says, an attacker could exhaustively search all 32 bits of key and decrypt all traffic with very cheap hardware. In many cases, the attacker would have permanent access to the communications, since all they need is a $10 USB dongle to receive the signals, and that access lasts until the key changes. In many deployments, however, the key never changes, so the attacker can read communications whenever they want.