This week
Remote code execution vulnerability in OpenSSH server
- Researchers at Qualys have discovered an unauthenticated remote code execution (RCE) vulnerability in OpenSSH (sshd). CVE-2024-6387 (8.1/10) is the result of some proper old-school hacking in a well-reviewed code base. As a remote access system, SSH servers are typically Internet-accessible, and so having an RCE vulnerability that does not require the threat actor to be authenticated is a serious issue.
- Patches for major Linux distributions and SSHd are now available following a coordinated disclosure.
- Exploiting the vulnerability requires some clever techniques to work around address space layout randomisation (ASLR) protections. This makes it quite a slow attack, according to researchers at NetSPI. Successful attacks may take between six hours and one week of persistent effort, reducing the chances of mass exploitation. (You are logging unsuccessful login attempts, right?). Get patching!
- LINK, QUALYS BLOG, TECHNICAL WRITEUP, ADVISORIES
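The aside about logging unsuccessful login attempts can be turned into a concrete check. The script below is an added example, not part of the original newsletter or of the Qualys writeup: it parses constructed sshd syslog lines (the `Timeout before authentication` message sshd writes when LoginGraceTime expires, and the standard `Failed password` message) and flags any source address that produces a burst of pre-authentication failures within a sliding time window. The threshold, window length, sample addresses and log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog output (not a real capture). One source,
# 203.0.113.7, keeps hitting LoginGraceTime; another makes two bad passwords.
SAMPLE_LOG = """\
Jul  1 10:00:01 host sshd[1201]: Timeout before authentication for 203.0.113.7 port 51022
Jul  1 10:00:03 host sshd[1203]: Accepted publickey for alice from 198.51.100.5 port 40110 ssh2: ED25519 SHA256:examplekey
Jul  1 10:02:11 host sshd[1205]: Timeout before authentication for 203.0.113.7 port 51023
Jul  1 10:02:40 host sshd[1207]: Failed password for invalid user admin from 192.0.2.44 port 60001 ssh2
Jul  1 10:04:21 host sshd[1209]: Timeout before authentication for 203.0.113.7 port 51024
Jul  1 10:05:02 host sshd[1211]: Failed password for root from 192.0.2.44 port 60002 ssh2
Jul  1 10:06:31 host sshd[1213]: Timeout before authentication for 203.0.113.7 port 51025
Jul  1 10:08:41 host sshd[1215]: Timeout before authentication for 203.0.113.7 port 51026
Jul  1 10:09:50 host sshd[1217]: Timeout before authentication for 203.0.113.7 port 51027
Jul  1 10:30:00 host sshd[1219]: Timeout before authentication for 203.0.113.7 port 51028
"""

# Syslog prefix: "Mon dd HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)

# Pre-authentication failure messages worth counting per source address.
EVENT_RES = [
    re.compile(r"Timeout before authentication for (?P<ip>[\d.]+)"),
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
]


def parse_events(log_text, year=2024):
    """Return {source_ip: [timestamps]} for pre-auth failures in the log."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog omits the year; the caller supplies it (assumed 2024 here).
        ts_text = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        for ev_re in EVENT_RES:
            em = ev_re.search(m["msg"])
            if em:
                events[em["ip"]].append(ts)
                break
    return events


def flag_sources(events, threshold=5, window_seconds=600):
    """Return {ip: peak_count} for sources exceeding `threshold` failures
    inside any `window_seconds` span (sliding window, two pointers)."""
    flagged = {}
    for ip, times in events.items():
        times = sorted(times)
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in flag_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {count} pre-auth failures within 10 minutes")
```

Point it at a real `/var/log/auth.log` (or `journalctl -u ssh`) and tune the threshold to your normal background of scanner noise; a host that only sees occasional stray connections should rarely exceed it, so a sustained burst from one address is what you want surfaced.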
ShinyHunters steal phone numbers of 33 million Authy users from unsecured API
- Twilio has confirmed a data breach affecting millions of its Authy multi-factor authentication service users. An unsecured API endpoint allowed attackers to verify the phone numbers of Authy users. The ShinyHunters group has released a CSV file containing 33,420,546 rows.
- Twilio says it has taken action to secure the endpoint and no longer accepts unauthenticated requests. It sounds like anyone could have cycled through trying different username and phone number combinations. (You’d hope that the large volume of requests would be noticed!) A spokesperson added that Twilio has “seen no evidence” that its systems were compromised or that other sensitive data was accessed.
- Authy users should be alert to potential targeted phishing and smishing attacks impersonating Twilio and Authy. LINK
Interesting stats
48% increase in Google’s greenhouse gas emissions in five years, as artificial intelligence use soars. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Delving into these potentially significant words, researchers have analysed the abstracts of 14 million papers and found a pronounced increase in some words in a post-LLM era. They don’t think it’s typical language evolution which changes more slowly (except terms associated with big medical outbreaks; think “ebola”, “zika”, and “lockdown”). Identifying text from generative AI is a hot topic and, in a security context, may give insight into legitimate messages vs those created by scammers (and marketers, sorry!). LINK
- Recorded Future thinks that law enforcement can use the logs from infostealer malware to help identify individuals sharing child sexual abuse material. Cybercriminals typically use info stealer malware to obtain online banking and other credentials they can use for financial gain. However, other logins may also be collected, including dark websites, which may then be correlated with logins for legitimate sites and services. That is a neat idea, though I’m unsure of the permissibility of the evidence. LINK
⚠️ Incidents:
- The update server of a South Korean ERP vendor has been compromised and used to distribute malware, according to AhnLab. The primary suspect is North Korea. LINK
- Russia is interfering with European satellites, affecting GPS signals and television broadcasts. The United Nations’ International Telecommunication Union is urging Russia to cease the operations. Russia has not responded. LINK
- Affirm, a buy now pay later loan provider, says that it has been affected by the breach at Evolve Bank & Trust. Evolve has provided services to many fintechs and startups, including Wise and Bilt. LINK
- Online tabletop gaming site Roll20 has disclosed a data breach. According to the site, the “bad actor” had access to a company admin site for around one hour, during which time they “may” have viewed data including users’ names, email addresses, IP addresses and the last four digits of payment cards. It sounds like it was detected and resolved quickly. LINK
- HealthEquity, a ‘health savings account’ provider, has suffered a data breach during which an attacker gained access to protected health information. The firm acknowledged the breach in an SEC 8-K filing, in which it attributed the compromise to a “personal use device belonging to a business partner”. LINK
- ShinyHunters claims to have ticket barcodes for upcoming Taylor Swift concerts to pressure TicketMaster, whose data was stolen from a compromised Snowflake instance. However, the company downplayed the issue, saying that the stolen information cannot be used to access gigs. LINK
🏴☠️ Ransomware:
- Brain Cipher, the cybercriminal group responsible for a ransomware attack against a data centre running Indonesian government services, has apologised and handed over the decryption keys. The ‘generous’ act only comes after talks over an $8 million ransom payment became deadlocked, with government officials refusing to pay. LINK
- Patelco Credit Union, a California-based financial services provider with 400,000 customers and over $9 billion of assets, has proactively shut down customer-facing services following a ransomware attack. LINK
🪲 Vulnerabilities:
- Juniper Networks have released an emergency patch for their routers to address a critical vulnerability. CVE-2024-2973 (10/10!) is an authentication bypass bug, allowing an attacker to take full control of Juniper Networks Session Smart Router or Conductor appliances. LINK, ADVISORY
- Cisco has patched a vulnerability in its Nexus switches that allowed attackers with admin privileges to execute commands as root. CVE-2024-20399 (6.7/10) is allegedly being used by Velvet Ant (a Chinese-aligned group) to install custom malware on network devices within compromised environments. LINK, ADVISORY
🛠️ Security engineering:
- Vulnerabilities in CocoaPods, a dependency manager popular with Mac and iOS developers, went undetected for ten years, leaving up to 3 million apps susceptible to supply-chain attacks. It’s a big headline. There’s no evidence of compromise, though log artefacts dating back ten years aren’t available to confirm. My gut feeling is that, were this being exploited, word would have gotten out about it, or attackers would have got greedy. But you never know. CocoaPods addressed the issues in October last year. LINK
🧿 Privacy:
- OpenAI’s Mac app was storing chat logs in plaintext in a non-protected location accessible to any user on the system. The issue has now been fixed. It’s a similar issue to Microsoft’s ill-fated Recall feature. User data should be stored in areas belonging to that user as a minimum and preferably encrypted in some way (though human-readable logs can also be useful in some circumstances). LINK
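The minimum the item describes, keeping a user's data in a location only that user can read, is easy to get right at file-creation time and easy to audit afterwards. The following Python is an added example, not code from OpenAI or from the newsletter: it creates a file with owner-only permissions (mode 0600) in a single step so there is no window in which the file exists world-readable, and it includes an audit routine that lists files in a directory readable by group or other users. The temporary directory and file names are assumptions for the demonstration; a real application would use a path under the user's own home directory.

```python
import os
import stat
import tempfile


def write_private_file(path, data):
    """Create or replace `path` with `data`, readable only by its owner."""
    # os.open applies the mode at creation, so the file never exists with
    # wider permissions. (open() followed by chmod leaves a brief window.)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    # The creation mode is masked by umask and O_TRUNC keeps an existing
    # file's old mode, so force 0600 explicitly as well.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def is_private(path):
    """True if `path` is a regular file owned by us with no group/other bits."""
    st = os.stat(path)
    return (
        stat.S_ISREG(st.st_mode)
        and (st.st_mode & 0o077) == 0
        and st.st_uid == os.getuid()
    )


def audit_directory(directory):
    """Return names of regular files in `directory` readable by group or other."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        p = os.path.join(directory, name)
        st = os.stat(p)
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o077:
            exposed.append(name)
    return exposed


def demo():
    """Build a constructed directory with one private and one exposed log."""
    d = tempfile.mkdtemp(prefix="chatlogs-")
    write_private_file(os.path.join(d, "private.log"), b"user: hello\n")
    # Deliberately world-readable, mirroring the reported misconfiguration.
    leaky = os.path.join(d, "leaky.log")
    with open(leaky, "wb") as f:
        f.write(b"user: hello\n")
    os.chmod(leaky, 0o644)
    return audit_directory(d)


if __name__ == "__main__":
    print("exposed files:", demo())
```

Run the audit against an application's data directory (for macOS apps, typically under `~/Library/Application Support`) to spot the pattern the item describes; encrypting the contents is a separate, additional step that this example does not cover.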
📜 Policy & Regulation:
- The US Supreme Court’s decision to overturn the ‘Chevron doctrine’ may leave many of the country’s cyber regulations more difficult to implement and enforce. The Chevron doctrine defers interpretation of the law from courts to federal agencies where these laws are not passed by Congress. That’s been used to reinterpret statutes passed a long time ago to include provisions for cyber security, for example, the 50-year-old Safe Drinking Water Act to include considerations for cyber security in audits of water utility companies. LINK
👮 Law Enforcement:
- The National Crime Agency has announced the disruption of 690 IP addresses running Cobalt Strike servers. Cobalt Strike is a legitimate cyber security ‘Swiss army knife’ for penetration testers, but cybercriminals commonly use pirated versions to conduct attacks. Former colleagues at BAE Systems and other private parties supported the NCA, FBI, and five other law enforcement partners. Well done, folks! LINK
💰 Investments, mergers and acquisitions:
- Huntress closed a $150 million Series D funding round in June, valuing the company, which provides managed endpoint and identity detection and response, at $1.5 billion. LINK
And finally
- Japan has won the war on floppy disks! Until last month, over 1,000 regulations required people to submit documents using the venerable floppy disk (aka ‘save icon’ 💾). Digital Minister Taro Kono “declared war” on floppies in 2021 as part of his agency’s efforts to digitise and modernise government services. LINK