Robin’s Newsletter #328

29 September 2024. Volume 7, Issue 39
Linux CUPS vuln hype. UK railway wifi portal defaced. Kaspersky pulls switcheroo on US customers.

This week

I thought I’d try a new feature this week, the Need to Know Matrix, to help you discern the signal from the noise at a glance. Without further ado:

Need to Know, 29th Sep 2024

What do you think about this matrix?

Linux CUPS vulnerability hype overfloweth 

  • Lots of speculation (hysteria) this week over a ‘doomsday’ Linux vulnerability that turned out not to be one. If you’re running the Unix printing system ‘CUPS’ and have cups-browsed installed, enabled, and accessible from the Internet, you need to be concerned. Otherwise, keep calm and carry on.
  • CVE-2024-47176, 47076, 47175, 47177 (up to 9.9/10), aren’t fixed yet; researcher Simone Margaritelli got frustrated with the handling of his vulnerability reports. BLOG POST
  • Exploitation also requires the victim to actually print something before it takes effect. If you run Linux and use CUPS, then you probably don’t want it Internet accessible. Block UDP port 631 on your firewall. LINK

UK railway public wifi portals defaced

  • UK rail infrastructure operator Network Rail’s public wifi portals were compromised this week to display an Islamophobic message. Network Rail operates twenty of the UK’s main train stations and contracts the wifi service to Telent, which uses Global Reach for parts of the service. 
  • A Global Reach employee has been arrested on suspicion of Computer Misuse offences. They may have opportunistically abused administrative privileges to deface the page displayed to users when they joined the wifi network. LINK
  • While there’s often not a lot that the police can do when it comes to cross-border crime, they do seem to be pretty efficient and effective at nabbing domestic perpetrators. ARREST

Kaspersky withdraws from the US, leaves UltraAV as a parting gift

  • Kaspersky has automatically uninstalled itself from computers in the US and automatically replaced itself with antivirus software called UltraAV. Kaspersky set out plans to close down its US business after being added to a list of foreign entities deemed a national security concern earlier this year. What wasn’t on that plan was the surprise installation of alternative software, which caught many users off-guard.
  • I think it’s a GoodThing™ to not leave users without AV protection, and no doubt it’s also mitigated some of the commercial damage to Kaspersky, but it seems this could have been handled better—in a way that maintains users’ trust. 
  • It also perfectly highlights the concerns that the US had with the Russian-headquartered firm. As former NSA cyber director Rob Joyce points out: “They had total control of your machine”. (FWIW, I suspect similar could be achieved by other software vendors, too.)
  • UltraAV is a new offering from US company Pango Group, which white-labels cyber security tools for financial services and telco companies to bundle for their customers. It doesn’t have a track record, nor has it been publicly tested, leading to suspicions from many users.
  • Kaspersky defended the decision and said it had started communicating the “transition” at the beginning of the month, but some had not provided the company with email addresses. LINK, MORE

Interesting stats

2.56x increased likelihood of a cyber incident if compromised accounts turn up on the dark web, 1.75x increase where the organisation is mentioned on Telegram, and 1.63x increased likelihood where you can see incoming traffic originating from the dark web to organisational resources, according to Searchlight Cyber and Marsh McLennan. LINK

20% of automotive safety ‘recalls’ are now software updates, according to DeMayo Law. LINK, meanwhile 4/5 second-hand cars sold in Germany, the UK and Italy are sold with the previous drivers’ personal data intact. LINK

100% of 34 of you have not been targeted by an AI voice cloning scam in the last year. Perhaps we’re security-biased. Or maybe the Starling Bank data is misleading. vol. 7, iss. 37

Other newsy bits / in brief

🤓 Interesting reads:

  • A long read from Iain Nash and Pier Giorgio Chiara on the forthcoming EU Cyber Resilience Act. LINK
  • GCHQ on why lawyers underpin, rather than undermine, the SIGINT agency’s cyber operations. LINK
  • OpenAI’s long-term conversation memory could be used to exfiltrate data from ChatGPT in a manner that persists across user sessions. Technology is great at doing what it’s told, hyper efficiently; it’s less good, despite appearances, at reasoning and common sense. LINK
  • CrowdStrike appeared on Capitol Hill in Washington DC this week to answer questions from the House Subcommittee on Cybersecurity and Infrastructure Protection. Matt Kapko reports the committee were largely sympathetic and has a round-up of five takeaways from the testimony. CEO George Kurtz pushed the concept of a ‘resilient by design’ framework at the company’s Fal.Con last week. LINK, KURTZ

⚠️ Incidents:

  • A water treatment facility in Arkansas City, Kansas, had to switch to manual operation following the detection of a cyber attack this week. The move by the operator appears to be precautionary. The water supply remains safe, with no disruption to supply. LINK
  • Kia’s dealer portal could be exploited to steal personal data and to target vehicles. With just a licence plate, it was possible to track, unlock, start, and honk any Kia fitted with remote hardware in under 30 seconds. LINK
  • The UK ICO is investigating a data breach at MoneyGram, whose services have been disrupted this week after it detected a “cybersecurity issue” and took systems, including the company’s website, offline to contain the incident. MoneyGram is the world’s second-largest money transfer provider. LINK

🏴‍☠️ Ransomware:

  • Kuwait’s Ministry of Health is restoring systems after a suspected ransomware attack at the Kuwait Cancer Control centre and environments operating the national health insurance system. LINK

🕵️ Threat Intel:

  • Pen testers and cyber criminals have long favoured Cobalt Strike as their post-compromise toolkit of choice; now Palo Alto says a new kid on the block, Splinter, is gaining popularity with cybercriminals. LINK
  • Ukraine’s computer emergency response team says that Russian state forces have shifted their offensive cyber campaigns from opportunistic, disruptive attacks to a greater focus on Ukrainian entities directly involved in the ongoing conflict. Attacks rose 20% in 24H1 compared to 23H2, to 1,739. LINK
  • Kaspersky says Google Play apps with 11 million installs featured a malicious SDK that infected devices with ‘Necro’ malware. Wuta Camera and Max Browser are the offending apps, with other popular apps on third-party marketplaces also being backdoored. LINK
  • Proofpoint says it’s been tracking a group since May 2024 that’s been targeting North American transportation companies with info-stealing malware, like Lumma Stealer, StealC, and DanaBot. Attackers have also impersonated legitimate fleet management software to gain a foothold in organisations. LINK

🪲 Vulnerabilities:

  • HPE Aruba Networks has patched three critical vulnerabilities in its Aruba Access Points. Attackers can exploit CVE-2024-42505, 42506, and 42507 (9.8/10) to gain remote code execution on the affected devices via the command line interface. LINK, ADVISORY
  • Nvidia’s Container Toolkit contains a vulnerability that could allow attackers to escape the environment and take control of the underlying host. Container Toolkit is used to manage AI workloads in cloud environments, with Wiz saying it believes around 1/3 of cloud environments have a vulnerable version installed. CVE-2024-0132 (9.0/10) is fixed in Container Toolkit v1.16.2 and Nvidia GPU Operator v24.6.2. LINK, ADVISORY

🧰 Guidance and tools:

  • NIST is proposing changes to its standards that mandate ineffective and outdated approaches to passwords. Amongst the changes are the removal of requirements mandating a mix of different character types and periodic changes. Other improvements include recommending support for passwords of at least 64 characters and accepting all ASCII characters, including spaces. LINK
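As an added example (mine, not NIST’s text or any vendor’s code), here is the legacy rule set beside a NIST-style one so the difference is concrete: the legacy policy enforces character-class composition, a short maximum and no spaces; the updated policy checks length only, accepts every printable ASCII character including space, allows at least 64 characters, and screens against a blocklist of known-breached values. The minimum length of 8 and the small blocklist are my assumptions for the example (NIST’s own floor for user-chosen passwords is 8; a real deployment would use a large breach corpus), and nothing here implements periodic expiry, which is the other requirement being dropped.

```python
import string

# Constructed blocklist of weak or previously breached values (not from a real breach corpus).
BREACHED = {"password", "p@ssw0rd1", "letmein", "qwerty123"}

# Every printable ASCII character, space included, as the NIST-style policy accepts.
ALLOWED_ASCII = set(string.ascii_letters + string.digits + string.punctuation + " ")

def legacy_policy(pw):
    """The kind of rule set being retired: composition rules, a short maximum, no spaces.
    Returns a list of problems; an empty list means the password is accepted."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16 characters")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if " " in pw:
        problems.append("spaces are not allowed")
    return problems

def nist_policy(pw, min_len=8, max_len=64):
    """Length-based policy in the spirit of the proposed update: a minimum, a generous maximum,
    any printable ASCII (spaces included), and rejection of known-breached passwords.
    No composition rules and no expiry. Returns a list of problems; empty means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if any(c not in ALLOWED_ASCII for c in pw):
        problems.append("contains characters outside printable ASCII")
    if pw.lower() in BREACHED:
        problems.append("matches a known-breached password")
    return problems

def compare(pw):
    """Show how the two policies treat the same password."""
    return {"legacy": legacy_policy(pw), "nist": nist_policy(pw)}

if __name__ == "__main__":
    # A long passphrase is rejected by the legacy rules but accepted by the length-based ones;
    # a short, composition-compliant but breached value is the reverse.
    for candidate in ("correct horse battery staple", "P@ssw0rd1"):
        print(repr(candidate), compare(candidate))
```

The passphrase fails five legacy rules (too long, no uppercase, no digit, no symbol, contains spaces) yet passes the NIST-style check, while `P@ssw0rd1` satisfies every composition rule and is only stopped by the blocklist, which is the point the proposed changes make.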

🛠️ Security engineering:

  • Cloudflare has launched ‘one-click’ blocking of AI content scraping bots and said it will introduce a marketplace to facilitate negotiating paid access to content. LINK
  • AI bots beat 100% of Google’s ReCAPTCHA v2 tests — like clicking on traffic lights, identifying bicycles, stairs, etc. Millions of websites still use ReCAPTCHA v2 (a newer version has been available for years). Given their propensity for prompt injection, perhaps we can ask if they’re a bot rather than if we’re human. LINK

🏭 Operational technology:

  • Ten critical vulnerabilities in automatic tank gauge systems from five vendors could allow attackers full administrative access to networks, say CISA and BitSight. ProGauge’s MagLink scores a 10/10 severity rating. Products from Omntec, Alisonic, OPW, and Franklin Fueling Systems are also affected. LINK
  • CISA also warned this week that critical infrastructure providers are being targeted by adversaries using “unsophisticated methods” like brute forcing and default passwords to gain entry. LINK

📜 Policy & Regulation:

  • China is well on the way to domestic tech self-sufficiency, spurred on by Western embargoes on high-tech goods. LINK
  • The AI Incident Reporting and Security Enhancement Act — which would see NIST add AI vulnerabilities to the National Vulnerability Database (NVD) — has passed the House Science, Space and Technology Committee stage. LINK

👮 Law Enforcement:

  • Telegram will share phone numbers and IP addresses of “bad actors” that violate the app’s terms with law enforcement “in response to valid legal requests”. LINK
  • The US DOJ has unsealed charges against three Iranian nationals, alleging they breached the Donald Trump presidential campaign. LINK
  • The DOJ is also charging a UK national, Robert Westbrook, 39, with wire, securities and computer fraud. Westbrook allegedly broke into the email accounts of senior executives and used the information to buy and sell stock ahead of public earnings reports. LINK

💰 Investments, mergers and acquisitions:

  • Security automation outfit Torq has closed a $70 million Series C funding round led by Evolution Equity Partners. The company reported over $24 million in annual recurring revenue from nearly 900 enterprises, of which 150 are direct customers. LINK 
  • Hot on the heels of MasterCard’s acquisition of Recorded Future, Visa has announced that it intends to acquire British firm Featurespace, whose solution detects fraud patterns in transaction data. Terms were not disclosed, but it’s believed to be valued at just under $1 billion. LINK
  • Maritime assurance firm DNV has acquired CyberOwl to bolster its cyber security capabilities. DNV, which acquired Applied Risk in 2021 and Nixu in 2023, claims the acquisition makes it one of the world’s largest maritime cyber service providers. LINK

🗞️ Industry news:

  • Microsoft has appointed 13 deputy CISOs, each responsible for different product categories. LINK
  • Drata is laying off 9% of its workforce (~40 people), despite reporting 100% YoY revenue growth and “650 new customers each quarter”. LINK

And finally

  • New York City mayor Eric Adams, facing an investigation over alleged bribery, changed his PIN to “prevent members of his staff from inadvertently or intentionally deleting the contents of his phone” and “preserve the contents of his phone”… and then forgot the PIN. Other actions taken by Adams’ staffers also look pretty suspicious. LINK

  • Fancy a new job? Senior cyber salaries are out of hand! (H/t Dave) LINK

Job listing for a deputy data protection officer, paying up to £6.8 billion/year (Source: LinkedIn / Ministry of Defence)

Robin
