
Unveiling Vulnerabilities in Microsoft PlayReady DRM: Impact on Streaming Platforms


In a meticulous research endeavor, Security Explorations, a division of AG Security Research, embarked on an exhaustive analysis of Microsoft's Warbird and Protected Media Path (PMP) technologies. The culmination of this investigation has unearthed critical deficiencies within the security architecture of Microsoft's PlayReady Digital Rights Management (DRM) system, posing profound implications for content security across a spectrum of streaming platforms. 

At the core of Microsoft's content protection ecosystem lies Protected Media Path (PMP), an amalgamation of cryptographic protocols, code integrity checks, and authentication mechanisms designed to fortify content security within Windows OS environments. In tandem, Microsoft Warbird endeavors to erect formidable barriers against reverse engineering attempts, encrypting and obfuscating binaries to thwart unauthorized access. 

However, despite the multifaceted security measures embedded within these technologies, Security Explorations' research has illuminated vulnerabilities within PMP components. These vulnerabilities lay bare the underbelly of Microsoft's DRM infrastructure, allowing for the extraction of plaintext content keys essential for the decryption of high-definition content. The ramifications of such exploits extend far and wide, implicating prominent streaming platforms including Canal+ Online, Netflix, HBO Max, Amazon Prime Video, and Sky Showtime. 

Of particular concern is the vulnerability's prevalence on Windows 10 systems lacking Hardware DRM capability, a demographic constituting a significant portion of the user base due to compatibility constraints with Windows 11. The exploitation of Software DRM implementations prevalent in these environments underscores the urgent need for remedial action. While Microsoft's PlayReady team has been apprised of these findings, Security Explorations has refrained from disclosing detailed technical information through the MSRC channel, citing proprietary concerns and the imperative to safeguard intellectual property. 

Beyond the immediate ramifications for individual platforms, the research underscores broader implications for the content security landscape. With the burgeoning digital streaming industry valued at $544 billion, the imperative of ensuring robust DRM solutions cannot be overstated. The compromise of plaintext content keys not only imperils individual platforms but also undermines consumer trust and revenue streams, posing a systemic risk to the digital content ecosystem. 

Mitigating these vulnerabilities demands a concerted effort from industry stakeholders. Streaming platforms may consider transitioning to alternative DRM technologies or implementing interim safeguards to mitigate the risk of exploitation. However, the challenge lies in striking a delicate balance between security measures and user accessibility, ensuring seamless functionality without compromising content security. The research findings underscore the imperative for collaborative efforts between security researchers and industry stakeholders to fortify DRM ecosystems against evolving threats. Moreover, they highlight the pressing need for enhanced regulatory scrutiny and industry standards to bolster content security in the digital age.

In light of these revelations, streaming platforms must reassess their security posture and implement robust measures to safeguard against unauthorized access and content piracy. Failure to address these vulnerabilities not only jeopardizes consumer confidence but also undermines the viability of streaming platforms in an increasingly interconnected world. As the digital landscape continues to evolve, proactive measures are indispensable to safeguarding content integrity and preserving the sanctity of digital content distribution channels. Only through collective vigilance and concerted action can the industry fortify itself against the ever-looming specter of security threats.

Navigating Vulnerability Disclosure: Lessons from Delinea’s Secret Server Flaw

Lessons from Delinea’s Secret Server Flaw

Recently, an incident involving Delinea’s Secret Server SOAP API highlighted the challenges faced by both parties in the disclosure process.

Vulnerability Details

A major flaw in Delinea's Secret Server SOAP API was discovered this week, prompting security professionals to rush to implement a fix. However, a researcher claims he contacted the privileged access management provider weeks ago to notify them of the flaw, only to be informed he was not authorized to file a case.

Vendor Response

Delinea first revealed the SOAP endpoint issue on April 12. The next day, Delinea teams released an automatic remedy for cloud deployments and a download for on-premises Secret Servers. But Delinea was not the first to sound the alarm.

The vulnerability, which has yet to be issued a CVE, was first publicly exposed by researcher Johnny Yu, who presented a full study of the Delinea Secret Server issue and stated that he had been attempting to contact the vendor since February 12 to responsibly disclose the bug. After working with Carnegie Mellon University's CERT Coordination Center and seeing no reaction from Delinea for weeks, Yu decided to publish his findings on February 10.

Silence and Questions

The lack of information regarding the reaction indicates "issues" with Delinea's patching protocols, according to Callie Guenther, senior manager of threat research at Critical Start. However, she emphasizes that the crushing weight of vulnerability management is harming everyone.

The National Institute of Standards and Technology (NIST) recently stated that it is unable to keep up with the number of vulnerabilities submitted to the National Vulnerability Database and has requested assistance from both the government and the commercial sector.

Lessons Learned: How to Resolve this Situation?

1. Inclusivity Matters

Vendors must revisit their bug submission policies. Excluding independent researchers like Yu can hinder the discovery of critical flaws. A more inclusive approach—one that welcomes input from all corners—can only strengthen our collective security posture.

2. Communication Is Key

Prompt communication is essential. When researchers encounter vulnerabilities, they need a clear channel to report them. Vendors should actively engage with the security community, acknowledge submissions promptly, and provide transparent timelines for fixes.

3. Transparency Builds Trust

Delinea’s delayed response eroded trust. Transparency about the vulnerability’s impact, the timeline for resolution, and the steps taken to mitigate risk fosters goodwill. Vendors should be open about their processes and demonstrate commitment to security.

4. Collaboration Over Competition

Researchers and vendors share a common goal: securing systems. Rather than racing against each other, they should collaborate. A cooperative approach benefits everyone—vendors get timely fixes, and researchers contribute to a safer digital ecosystem.

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation


Suspected state-sponsored hackers have exploited a zero-day vulnerability in Palo Alto Networks firewalls, identified as CVE-2024-3400, since March 26. These hackers have utilized the compromised devices to breach internal networks, pilfer data, and hijack credentials.

Palo Alto Networks issued a warning on the active exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. Patch updates are slated for release on April 14. Given the ongoing exploitation, Palo Alto Networks opted to disclose the vulnerability and provide interim mitigations for customers until patches are fully deployed.

Further insights into the zero-day exploitation emerged from a subsequent report by Volexity, the entity that discovered the flaw. According to Volexity, hackers have been exploiting the vulnerability since March, employing a custom backdoor dubbed 'Upstyle' to infiltrate target networks and execute data theft. The activity, tracked under the designation UTA0218, is strongly suspected to be orchestrated by state-sponsored threat actors.

Volexity's investigation traced the zero-day exploitation to April 10, primarily targeting the GlobalProtect feature of Palo Alto Networks PAN-OS. The subsequent deployment of identical exploitation methods at another customer site underscored the severity of the situation. Despite the exploitation period starting as early as March 26, payloads were not deployed until April 10.

The 'Upstyle' backdoor, facilitated by a Python script, enables remote command execution on compromised devices. The backdoor leverages a path configuration file to execute commands, allowing threat actors to operate stealthily within compromised environments.

In addition to the 'Upstyle' backdoor, Volexity observed the deployment of additional payloads, including reverse shells, PAN-OS configuration data exfiltration tools, and the Golang tunneling tool 'GOST.' In some instances, threat actors pivoted to internal networks to steal sensitive files, such as Active Directory databases and browser data from specific targets.

Volexity recommends two methods for detecting compromised Palo Alto Networks firewalls: generating Tech Support Files to analyze forensic artifacts and monitoring network activity for specific indicators of compromise.

This incident underscores the increasing targeting of network devices by threat actors, as demonstrated by previous campaigns exploiting vulnerabilities in Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics


In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.

The Silent Flaw: How a 6-Year-Old BMC Vulnerability Went Unnoticed


A six-year-old vulnerability has recently come to light, affecting Intel and Lenovo servers. Let’s delve into the details of this silent flaw and its implications. 

About vulnerability

The vulnerability resides within the Lighttpd web server, a lightweight and efficient open-source server commonly used for high-traffic websites. Researchers at the firmware security firm Binarly stumbled upon this flaw, which had remained unnoticed for years. The flaw lies in the handling of “folded” HTTP request headers, leading to a heap out-of-bounds (OOB) read vulnerability.
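As an added example (not Lighttpd's code), a Python parser for an HTTP header block that handles obsolete line folding, where a folded line with no preceding header is rejected instead of being appended to a field that does not exist; the size limit and helper names are assumptions.

```python
from typing import Dict, List, Tuple

# Upper bound on the header block; a hypothetical limit chosen for this example.
MAX_HEADER_BYTES = 8192


class HeaderError(ValueError):
    """Malformed or oversized header block (a server would answer 400)."""


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block that follows the request line.

    `raw` holds everything from the first header line up to and including the
    blank line that ends the headers. Values are returned by lower-cased name.
    """
    if len(raw) > MAX_HEADER_BYTES:
        raise HeaderError("header block too large")
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("missing end of headers")
    if head == b"":
        return {}
    fields: List[Tuple[str, str]] = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            # obs-fold (RFC 7230 section 3.2.4): this line continues the value
            # of the previous field. Checking that a previous field exists is
            # the bounds check a folded-header handler must not skip.
            if not fields:
                raise HeaderError("folded line with no preceding header")
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise HeaderError("malformed header line: %r" % line)
        fields.append((name.decode("latin-1").lower(),
                       value.strip().decode("latin-1")))
    merged: Dict[str, str] = {}
    for name, value in fields:
        # Repeated field names are combined with a comma, as RFC 7230 allows.
        merged[name] = value if name not in merged else merged[name] + ", " + value
    return merged
```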

The Culprit: Lighttpd Web Server

The Lighttpd developers quietly patched the issue in version 1.4.51, released in August 2018, without issuing a tracking ID (CVE).

Because of this, the AMI MegaRAC BMC developers overlooked the change and neglected to incorporate it into the final version. As a result, system vendors and their clients were affected further down the supply chain by the vulnerability.

The Impact

BMCs are microcontrollers that are integrated into server-grade motherboards, such as those found in cloud and data center systems, and allow for firmware updates, remote management, restarting, and monitoring of the device.

Binarly discovered that AMI neglected to implement the Lighttpd patch from 2019 until 2023, which resulted in the deployment of numerous devices that were susceptible to the remotely exploitable flaw throughout this time.

The vulnerability allows attackers to exfiltrate process memory addresses, a critical piece of information. Armed with this data, malicious actors can bypass security mechanisms like Address Space Layout Randomization (ASLR). In essence, the flaw undermines the very protection mechanisms designed to prevent unauthorized access.

Supply Chain Fallout

The story takes an unexpected twist as we trace the flaw’s journey through the supply chain. The maintainers of Lighttpd patched the vulnerability silently in August 2018 (version 1.4.51), without assigning a tracking ID (CVE). Unfortunately, this stealthy fix allowed the flaw to persist in the wild.

The Vendors and Their Devices

Several vendors unwittingly shipped devices with this vulnerability, including Intel, Lenovo, and Supermicro. Let’s explore the impact of each:

Intel

The vulnerability affects the M70KLP series firmware (latest version).

Internal identifier: BRLY-2024-002.

Approximately 2000+ Intel server models remain vulnerable.

Lenovo

Lenovo’s BMC firmware (latest version) harbors the same flaw.

Impacted server models: HX3710, HX3710-F, and HX2710-E.

Internal identifier: BRLY-2024-003.

Supermicro

While not explicitly mentioned, Supermicro devices are likely affected due to their reliance on Lighttpd. The flaw underscores the need for thorough security assessments across the board.

The Hackable Hardware

The oversight in communication between vendors, maintainers, and end-users has resulted in the shipment of hackable hardware. These devices unwittingly expose sensitive information, jeopardizing the security of data centers, cloud services, and critical infrastructure.

The Urgent Call to Action

As the flaw’s existence becomes public knowledge, vendors must act swiftly:

Patch and Update: Vendors should release patches addressing the vulnerability promptly.

Security Audits: Rigorous security audits are essential to identify and rectify hidden flaws.

Transparency: Clear communication channels between maintainers, vendors, and end-users are crucial.

Secrets of SharePoint Security: New Techniques to Evade Detection


According to a recent discovery by Varonis Threat Labs, two new techniques have emerged that pose a significant threat to data security within SharePoint, a widely used platform for file management. These techniques enable users to evade detection and retrieve files without triggering alarm bells in audit logs.

Technique 1: Open in App Method

The first technique leverages SharePoint's "open in app" feature, allowing users to access and download files while leaving behind only access events in the file's audit log. This method, which can be executed manually or through automated scripts, enables rapid exfiltration of multiple files without raising suspicion.

Technique 2: SkyDriveSync User-Agent

The second technique exploits the User-Agent for Microsoft SkyDriveSync, disguising file downloads as sync events rather than standard downloads. By mislabeling events, threat actors can bypass detection tools and policies, making their activity harder to track.

Implications for Security

These techniques pose a significant challenge to traditional security tools such as cloud access security brokers and data loss prevention systems. By hiding downloads as less suspicious access and sync events, threat actors can circumvent detection measures and potentially exfiltrate sensitive data unnoticed.

Microsoft's Response

Despite Varonis disclosing these methods to Microsoft, the tech giant has designated them as a "moderate" security concern and has not taken immediate action to address them. As a result, these vulnerabilities remain in SharePoint deployments, leaving organisations vulnerable to exploitation.

Recommendations for Organisations

To alleviate the risk posed by these techniques, organisations are advised to closely monitor access events in their SharePoint and OneDrive audit logs. Varonis recommends leveraging User and Entity Behavior Analytics (UEBA) and AI features to detect and stop suspicious activities, such as mass file access.

What Are the Risks?

While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.

Detection and Prevention Strategies

To detect and prevent unauthorised data exfiltration, organisations should implement detection rules that consider behavioural patterns, including frequency and volume of sync activity, unusual device usage, and synchronisation of sensitive folders. By analysing these parameters, organisations can identify and mitigate potential threats before they escalate.
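The detection logic suggested above, as an added example that is neither Varonis' nor Microsoft's code: it runs over constructed Office 365 audit records and flags mass FileAccessed activity (technique 1) and SkyDriveSync-style downloads that come from an unseen client, in bulk, or touch sensitive paths (technique 2). Field names follow the unified audit log schema; thresholds, paths and the known-client map are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Thresholds and lists below are assumptions for the example; tune per tenant.
MASS_ACCESS_THRESHOLD = 50        # FileAccessed events per user inside WINDOW
SYNC_VOLUME_THRESHOLD = 100       # sync downloads per user+client inside WINDOW
WINDOW = timedelta(minutes=10)
SENSITIVE_PREFIXES = ("/sites/finance/", "/sites/legal/")


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def _max_in_window(times: List[datetime]) -> int:
    """Largest number of (sorted) events falling inside any WINDOW-long interval."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(records: Iterable[dict], known_clients: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert dict per (rule, user, client) that trips a rule."""
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for rec in sorted(records, key=_ts):
        op = rec.get("Operation", "")
        ua = rec.get("UserAgent", "")
        if op == "FileAccessed":
            # Technique 1 leaves only FileAccessed behind, so volume is the signal.
            groups[("mass_access", rec["UserId"], "")].append(rec)
        elif op == "FileSyncDownloadedFull" or "SkyDriveSync" in ua:
            # Technique 2 makes downloads look like sync; judge them per client.
            groups[("sync_download", rec["UserId"], rec.get("ClientIP", "?"))].append(rec)

    alerts = []
    for (rule, user, client), evs in groups.items():
        peak = _max_in_window([_ts(e) for e in evs])
        reasons = []
        if rule == "mass_access" and peak >= MASS_ACCESS_THRESHOLD:
            reasons.append("mass file access: %d events in %s" % (peak, WINDOW))
        if rule == "sync_download":
            if peak >= SYNC_VOLUME_THRESHOLD:
                reasons.append("sync volume %d in %s" % (peak, WINDOW))
            if client not in known_clients.get(user, set()):
                reasons.append("sync from unseen client %s" % client)
            hits = [e["ObjectId"] for e in evs
                    if e.get("ObjectId", "").startswith(SENSITIVE_PREFIXES)]
            if hits:
                reasons.append("sync touched %d sensitive paths" % len(hits))
        if reasons:
            alerts.append({"rule": rule, "user": user, "client": client, "reasons": reasons})
    return alerts


def build_sample() -> List[dict]:
    """Constructed audit records (not real tenant data)."""
    t0 = datetime(2024, 4, 15, 9, 0, 0)
    recs = []
    # 60 "open in app" reads by one user inside five minutes: technique 1.
    for i in range(60):
        recs.append({"CreationTime": (t0 + timedelta(seconds=5 * i)).isoformat(),
                     "Operation": "FileAccessed", "UserId": "mallory@example.test",
                     "ClientIP": "203.0.113.10", "UserAgent": "Mozilla/5.0",
                     "ObjectId": "/sites/hr/doc%d.docx" % i})
    # Routine sync from a client already associated with bob: benign.
    for i in range(20):
        recs.append({"CreationTime": (t0 + timedelta(minutes=i)).isoformat(),
                     "Operation": "FileSyncDownloadedFull", "UserId": "bob@example.test",
                     "ClientIP": "198.51.100.7", "UserAgent": "Microsoft SkyDriveSync",
                     "ObjectId": "/sites/eng/spec%d.md" % i})
    # Sync of finance files from a client never seen for carol: technique 2.
    for i in range(3):
        recs.append({"CreationTime": (t0 + timedelta(minutes=i)).isoformat(),
                     "Operation": "FileSyncDownloadedFull", "UserId": "carol@example.test",
                     "ClientIP": "192.0.2.44", "UserAgent": "Microsoft SkyDriveSync",
                     "ObjectId": "/sites/finance/q1-forecast%d.xlsx" % i})
    return recs


# Clients previously seen per user; an assumption standing in for a baseline.
KNOWN_CLIENTS = {"bob@example.test": {"198.51.100.7"},
                 "carol@example.test": {"198.51.100.9"}}

if __name__ == "__main__":
    for alert in detect(build_sample(), KNOWN_CLIENTS):
        print(alert)
```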


91,000 Smart LG TV Devices Susceptible to Unauthorised Remote Access


New vulnerabilities have been discovered in LG TVs that could allow unauthorised access to the devices' root systems, possibly exposing thousands of units worldwide. 

The finding, made as part of Bitdefender's continuing inspection of the popular Internet of Things (IoT) technology, focuses on vulnerabilities in WebOS versions 4-7, which are used in LG sets. The detected flaws allow unauthorised access to the TV's root system by circumventing the permission process. 

Although the service is intended for LAN access only, Shodan, an internet-connected device search engine, has identified over 91,000 devices that expose it to the internet. 

Among the uncovered flaws, CVE-2023-6317 stands out because it allows attackers to bypass authorization methods, allowing unauthorised access to the TV's root system. Additionally, CVE-2023-6318 enables attackers to extend their access to root privileges, heightening the security risk. 

Furthermore, CVE-2023-6319 allows for the injection of operating system commands, whilst CVE-2023-6320 enables authenticated command injection. The concerned models are LG43UM7000PLA, OLED55CXPUA, OLED48C1PUB, and OLED55A23LA. Devices running WebOS versions 4.9.7 through 7.3.1 have been confirmed to be impacted. 

“Attackers could use the compromised Smart TV as a starting point to launch additional attacks against remote systems or hosts,” noted Thomas Richards, principal security consultant at the Synopsys Software Integrity Group.

According to the cybersecurity expert, if attackers get administrator access to the TV, the user's personal information, including login passwords, can be compromised. 

“Smart TV owners should not have their TVs directly connected to the internet. Keeping the TV behind a router will reduce the likelihood of a compromise since remote attackers will not be able to reach it,” Richards added. “Enabling the automatic update option on the TV will keep the TV up to date with vendor patches to remediate security risks.” 

Bitdefender's disclosure timetable highlighted the approach followed, with vendor notice taking place on November 1, 2023, some months before a fix delivery on March 22, 2024. In the face of emerging threats, prompt patching and upgrades are critical to minimising possible risks, safeguarding user privacy, and enhancing device security.

Security Advisory: Protecting Mobile Devices for UAE Residents


In a security update released by Microsoft on Thursday, 61 high-risk vulnerabilities, including critical ones, were addressed. A cyber threat actor may be able to exploit some of these vulnerabilities to gain control of an affected computer. To prevent a breach or leak of information or personal data, the UAE Cyber Security Council on Wednesday advised users to apply the Microsoft updates. 

The UAE authorities have emphasized the importance of heightened awareness of the vulnerability of devices and the need for proactive measures to address it. As the digital world expands, it has become increasingly important to secure users' mobile devices so that they are protected against potential risks.

By taking proactive steps, residents can mitigate these threats and protect their data. The Cyber Security Council has provided a real-life example to educate residents regarding the dangers posed by online disrupters. A report issued by the UAE Cyber Security Council and CPX Holding jointly published in 2024 on UAE's cybersecurity highlights a worrying reality. 

There are currently 155,000 vulnerable cyber assets in the UAE, with over 40 per cent of them more than five years old. In light of escalating cyber threats, including sophisticated attacks such as ransomware, the need for advanced cybersecurity measures is urgent, particularly now that the nation has faced an increase in cyberattacks. 

Software updates are often thought of as relevant only to smartphones. However, they play an important role in securing all types of devices and applications - computers, tablets, smart appliances and even wearables - and in protecting the user's data. It is imperative to keep devices up to date, particularly when they are intertwined with so many aspects of users' lives.

Users who prefer to update their devices and apps via Wi-Fi might want to set a reminder for when they need to update their apps so they don't have to consume their data plan while doing so. Tips for making updating software a more secure decision: 

Periodically update your device's operating system and applications so that your data stays protected.

Obtain software updates only from the appropriate source to avoid cyber attacks.

Back up important files so that nothing is lost if an update fails.

Enable automatic updates on the device so that manual intervention is minimized.

Consider updates for all devices, including smartphones, laptops, wearables, and tablets, when updating software and apps.

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities


Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

"UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said.

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors utilizing a combination of zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to target networks for extended periods.

LayerSlider Plugin Imperils 1 Million WordPress Sites, Urgent Fixes Mandated!


The LayerSlider WordPress slider plugin has been installed by more than one million people and offers a full package of features for editing web content, creating digital visual effects, and designing graphic content in a single application. 

Because WordPress is the most popular website builder in the world, used by roughly half of all websites, it is an ideal target for cybercriminals. Since the core platform is widely considered relatively secure, however, hackers have turned their attention to third-party themes and plugins, which are seldom as secure as the platform itself. 

In addition, Defiant's Wordfence team stated that unauthenticated attackers can append SQL queries to existing queries to extract information such as password hashes, owing to insufficient escaping of the user-supplied parameter and insufficient preparation of the existing SQL query. 

A vulnerability in a premium plugin called LayerSlider puts more than 1 million WordPress sites at risk, and administrators should prioritize applying the plugin's security update. Besides being a visual web content editor, LayerSlider offers graphic design tools and digital visual effects that let users create animations and rich content for their websites. Its website notes that millions of people use it globally. 

During the week of March 25, 2024, a researcher named AmrAwad reported a critical vulnerability (CVSS score: 9.8) in the plugin to WordPress security firm Wordfence through its bug bounty program, and received $5,500 for his responsible reporting. 

The flaw, present in plugin versions 7.9.11 through 7.10.0, lets an attacker read sensitive data from the site's database, such as password hashes, which could lead to a complete site takeover or a data breach. The SQL injection lies in the function that queries slider pop-up markup, “ls_get_popup_markup”. 

If the “id” parameter of this function is not a number, it is not sanitized before being passed to “find”. Moreover, although the plugin escapes the $args values with the “esc_sql” function, the “where” key is not covered, so attacker-controlled input in “where” reaches the database query unescaped. 

By manipulating “id” and “where”, an attacker can craft a request that extracts sensitive data from the database, such as password hashes. Because the structure of the possible queries limits the attack to a time-based blind SQL injection, the attacker must observe the database's response times to infer the data. Vulnerable plugins are one of several routes by which threat actors get into WordPress sites to steal data or compromise a website. 

In January, more than 6,700 WordPress sites were infected by the Balada Injector malware through a cross-site scripting flaw in the Popup Builder plugin, logged as CVE-2023-6000. In October, Balada Injector was installed on over 9,000 sites through the TagDiv Composer plugin flaw tracked as CVE-2023-3169, on top of the thousands of sites exposed to that flaw. Over the past six years, over a million WordPress sites have been compromised by the Balada Injector campaign. 

Sucuri attributes more than a million compromised WordPress sites to the Balada Injector campaign. It is important to note that, despite the time-based blind limitation, CVE-2024-2879 still allows malicious actors to access sensitive user information and password hashes from a compromised website's database, without having any authentication on the website. 

A further complication is that the queries are not prepared using WordPress' '$wpdb->prepare()' function, which sanitizes user-supplied values such as usernames and passwords before the query is sent to the database; preparing the query in this way prevents SQL injection because the input can no longer alter the query's structure. Kreatura Team, the plugin's creators, quickly acknowledged the flaw and addressed it immediately. 
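As an added illustration of the pattern described above (this is not the plugin's own PHP), the following Python model escapes ordinary values but concatenates a raw “where” fragment, beside a hardened builder that type-checks “id” and binds every value the way $wpdb->prepare() does. The table, rows and function names are constructed for the example.

```python
"""Added example, not LayerSlider's code: a constructed model of the
ls_get_popup_markup query bug described above, using an in-memory SQLite
table instead of WordPress. The function names are hypothetical."""
import sqlite3

# Constructed rows standing in for slider pop-up records.
SAMPLE_ROWS = [
    (1, "homepage-popup", "<div>public</div>", 1),
    (2, "members-popup", "<div>members only</div>", 0),
    (3, "draft-popup", "<div>draft</div>", 0),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed slider rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sliders (id INTEGER PRIMARY KEY, slug TEXT,"
        " markup TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO sliders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def esc_sql(value) -> str:
    """Stand-in for WordPress esc_sql(): escape quotes in a quoted value.
    It protects values inside quotes; it cannot make a bare SQL fragment safe."""
    return str(value).replace("'", "''")


def find_vulnerable(conn: sqlite3.Connection, args: dict) -> list:
    """Mirrors the flawed pattern: each value in args is escaped, but the
    'where' key is concatenated verbatim as an SQL fragment, and 'id' is
    never checked to be numeric before it reaches the query."""
    conditions = []
    for key, value in args.items():
        if key == "where":
            conditions.append(str(value))  # raw fragment: the injection point
        else:
            conditions.append(f"{key} = '{esc_sql(value)}'")
    sql = "SELECT id, slug FROM sliders WHERE " + " AND ".join(conditions)
    return conn.execute(sql).fetchall()


ALLOWED_COLUMNS = {"id", "slug", "published"}


def find_hardened(conn: sqlite3.Connection, args: dict) -> list:
    """Hardened form: 'id' must be an int, 'where' is a column->value mapping
    restricted to known columns, and every value is bound as a parameter
    (the role $wpdb->prepare() plays in WordPress), so input can never
    change the query's structure."""
    clauses, params = [], []
    if "id" in args:
        if isinstance(args["id"], bool) or not isinstance(args["id"], int):
            raise ValueError("id must be an integer")
        clauses.append("id = ?")
        params.append(args["id"])
    where = args.get("where", {})
    if not isinstance(where, dict):
        raise ValueError("where must be a column->value mapping")
    for column, value in where.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown column {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT id, slug FROM sliders"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


def is_rejected(conn: sqlite3.Connection, args: dict) -> bool:
    """True when the hardened builder refuses the given arguments."""
    try:
        find_hardened(conn, args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Only the published row is meant to be visible to an anonymous request.
    print(find_vulnerable(db, {"published": "1"}))
    # A raw 'where' fragment widens the query and exposes every row.
    print(find_vulnerable(db, {"published": "1", "where": "1=0 OR 1=1"}))
    # The hardened builder binds values and rejects non-numeric ids.
    print(find_hardened(db, {"where": {"published": 1}}))
    print(is_rejected(db, {"id": "1 OR 1=1"}))
```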

It has been less than 48 hours since the developers contacted me about the release of a security update. The critical vulnerability in LayerSlider is addressed in version 7.10.1, and all users are strongly recommended to upgrade to it. In general, a WordPress site admin should make sure that all plugins are up to date, remove any plugins that are not required, use strong passwords for their accounts, and deactivate any dormant accounts that could be compromised. 

In the world of WordPress there are thousands of themes and plugins available, each building on the WordPress experience for the user. Some of these are free, but the commercial ones tend to have a dedicated team that keeps improving them and maintaining their security. Partly for this reason, hackers tend to target free-to-use themes and plugins.

Many of these are used by millions of people today, yet their developers have abandoned them, leaving vulnerabilities that are rarely, if ever, addressed. A safe installation practice is for administrators to install only the themes and plugins they intend to use and to keep them updated to the most recent version.

Unveiling the XZ Utils Backdoor: A Wake-Up Call for Linux Security

 

The recent discovery of a backdoor in the XZ Utils, a vital tool for lossless data compression on Linux, has sent shockwaves through the tech community. This revelation poses a significant risk to nearly all Linux systems, prompting urgent concerns about cybersecurity and system integrity. 

The Common Vulnerabilities and Exposures (CVE) system, a reference for publicly known information-security vulnerabilities, assigned a severity score of 10/10 to the Linux XZ Utils backdoor. This rating underscores the gravity of the situation and the urgent need for action. 

The initial detection of the backdoor was made by Andres Freund, a PostgreSQL developer at Microsoft. Freund noticed unusual SSH login delays and CPU usage spikes on a Debian Linux system, leading to an investigation that uncovered the presence of the backdoor in the XZ Utils. This discovery exposed countless Linux servers and workstations to potential attacks, highlighting the widespread impact of the vulnerability. 

The backdoor was cleverly concealed within binary files in the XZ Utils’ test folder, encrypted using the XZ library itself, making it difficult to detect. While systems running Debian or Red Hat Linux distributions were particularly vulnerable, Arch Linux and Gentoo Linux appeared to be spared due to their unique system architectures. The malware exploited an audit hook in the dynamic linker, a fundamental component of the Linux operating system, enabling attackers to execute code remotely at the system level. 

This capability granted them full control over compromised systems, posing severe risks such as data theft, system disruption, and the deployment of additional malware or ransomware. Further investigations revealed that the breach of the XZ repository was a sophisticated and well-coordinated effort, likely involving multiple individuals. This complexity raises concerns about the extent of the damage and the potential for other undiscovered vulnerabilities. 

The attack's sophistication suggests a deep understanding of the Linux ecosystem and the XZ Utils, highlighting the need for enhanced security measures in open-source software development. Immediate steps, such as updating to patched versions of XZ Utils or reverting to safe earlier versions, are crucial for system security. This incident serves as a wake-up call for the Linux community to reassess its security practices and strengthen defenses against future attacks. 

Rigorous code reviews, increased use of security auditing tools, and fostering transparency and collaboration among developers and security researchers are essential steps to mitigate similar threats in the future. As the tech community grapples with the implications of this backdoor, ongoing research is underway to determine the full extent of the threat. This incident underscores the critical importance of system security and the need for continuous vigilance against evolving cyber threats. Together, we must learn from this experience and work towards building a more secure and resilient Linux ecosystem.

Unpatchable Security Flaw in Apple Silicon Macs: A Cryptocurrency Nightmare

Unpatchable Security Flaw in Apple Silicon Macs

In today's cybersecurity world, vulnerabilities are discovered and patched regularly. However, what happens when a flaw is deemed unpatchable? That’s precisely the situation with a critical security issue affecting Apple Silicon Macs, including the M1, M2, and M3 chips. Let’s delve into the details of this alarming discovery.

The Flaw: Data Memory-dependent Prefetchers (DMP)

At the heart of this vulnerability lies a seemingly innocuous process called Data Memory-dependent Prefetchers (DMP). These prefetchers play a crucial role in predicting memory addresses that running code is likely to access shortly. By doing so, they reduce latency between the CPU and main memory, enhancing overall system performance. Unfortunately, within the DMP mechanism, there exists a bug—a tiny but devastating flaw.

How It Works: A Cryptographic Heist

Imagine a scenario where data stored in the chip is mistaken for a memory address and cached. This seemingly harmless error becomes the Achilles’ heel of Apple Silicon Macs. Here’s how the attack unfolds:

Malicious App Exploitation: A malicious app leverages the DMP bug repeatedly. Each time it does so, it gains a tiny piece of information—like a cryptographer deciphering a code.

Data Leakage via Cache Side Channels: The DMP treats certain data values as pointers, even when they aren’t. As a result, it leaks information via cache-side channels. These channels allow an attacker to infer what’s happening inside the chip, akin to eavesdropping on a conversation.

Decrypting Cryptographic Keys: Over time, the attacker accumulates enough leaked data to decrypt cryptographic keys. These keys protect sensitive information, including cryptocurrencies stored on the Mac.

The Unpatchable Conundrum

The gravity of this flaw lies in its unpatchable nature. Unlike software vulnerabilities that can be fixed with a timely update, this issue is deeply ingrained in the architecture of the chips themselves. Seven researchers from different universities collaborated to uncover this vulnerability and aptly named their proof-of-concept app GoFetch.

Impact: A Race Against Time

The implications are far-reaching:

Cryptocurrency Holders Beware: If you’re a cryptocurrency enthusiast who stores digital assets on your Mac, this flaw should send shivers down your spine. Attackers could potentially gain access to your private keys, rendering your holdings vulnerable.

Corporate Espionage: Beyond cryptocurrencies, corporate secrets, intellectual property, and sensitive documents could be at risk. Imagine a corporate espionage scenario where a competitor gains unauthorized access to critical information.

National Security: Even national security agencies rely on secure communication channels. If their Macs are compromised, it could have severe consequences.

Apple’s Dilemma

Apple faces a Catch-22 situation. While they can’t retroactively fix existing devices, they must address this flaw in future chip designs. Balancing security and performance is a tightrope walk, and this vulnerability underscores the need for rigorous scrutiny during chip development.

Mitigation Strategies

Until a hardware-level solution emerges, users can take the following steps:

Limit Sensitive Activities: Avoid performing sensitive tasks (such as cryptocurrency transactions) on affected Macs.

Air-Gapped Systems: Consider using air-gapped systems for critical operations. These systems are physically isolated from the internet, reducing exposure.

Third-Party Solutions: Explore third-party security tools that monitor and detect anomalous behavior.

Critical Flaw Identified in Apple's Silicon M-Series Chips – And it Can't be Patched

 

Researchers have identified a novel, unpatched security vulnerability that can allow an attacker to decrypt data on the most advanced MacBooks. 

This newly discovered vulnerability affects all Macs utilising Apple silicon, including the M1, M2, and M3 CPUs. To make matters worse, the issue is built into the architecture of these chips, so Apple can't fix it properly. Instead, any upgrades must be done before the iPhone maker launches its M4 chips later this year. 

The vulnerability, like last year's iLeakage attack, is a side channel that, under specific circumstances, allows an attacker to extract the end-to-end encryption keys. Fortunately, exploiting this flaw is challenging for an attacker, as it can take a long time. 

The new flaw was identified by a group of seven academic researchers from universities across the United States, who outlined their findings in a research paper (PDF) on microarchitectural side-channel attacks. 

To demonstrate how this issue could be exploited by hackers, they created GoFetch, an app that does not require root access. Instead, it merely requires the same user privileges as most third-party Mac apps. For those unfamiliar with Apple's M-series chips, they are all organised into clusters that house their respective cores. 

If the GoFetch app and the cryptography app being targeted by an attacker share the same performance cluster, GoFetch will be able to mine enough secrets to reveal a secret key. 

Patching will hinder performance

Patching this flaw will be impossible as it exists in Apple's processors, not in its software. To fully resolve the issue, the iPhone manufacturer would have to create entirely new chips. 

The researchers who found the vulnerability advise Apple to use workarounds in the company's M1, M2, and M3 chips to solve it, as there is no way to fix it. 

To implement these workarounds, cryptographic software developers would need to incorporate remedies such as ciphertext blinding, which applies masks to sensitive variables, such as those found in encryption keys, before they are stored to memory and removes them after they are loaded back, so that the values sitting in memory never resemble valid pointers. 

Why there's no need for concern

To leverage this unfixable vulnerability in an attack, a hacker would first have to dupe a gullible Mac user into downloading and installing a malicious app on their computer. In macOS with Gatekeeper, Apple limits unsigned apps by default, which would make it much harder to install the malicious app required to carry out an attack. 

The attack also takes quite some time to complete: in their tests, the researchers found that it took anywhere between an hour and ten hours, during which the malicious app would have to be running continually. 

While we haven't heard anything from Apple about this unpatched issue yet, we'll update this post if we do. Until then, the researchers advised that users maintain all of the software on their Apple silicon-powered Macs up to date and apply Apple updates as soon as they become available.

Critical Bug in aiohttp: Ransomware Attackers On A Roll


In the rapidly changing world of cybersecurity, cyber threats are a constant nuisance and ransomware a constant menace. In a recent incident, the cybersecurity firm Cyble found threat actors exploiting a serious vulnerability to gain unauthenticated remote access to sensitive files on servers. Let's take a look at the issue.

The Aiohttp Library Vulnerability

At the core of this story lies the aiohttp Python library, a popular asynchronous web framework used to build web apps and APIs. Sadly, a bug in the library has allowed hackers to break in. 

How does the vulnerability work?

The vulnerability, tracked as CVE-2024-23334, is a directory traversal vulnerability: it lets unauthorized remote actors obtain files from a server that they are not permitted to access. 

This is how the vulnerability works:

1. Insufficient Validation: When serving static file routes, aiohttp fails to validate the requested path properly. In particular, the problem arises when the follow_symlinks option is set to True. 

2. Accessing Files Outside the Root Directory: Attackers exploit this flaw to traverse directories and read files beyond the configured root directory, including sensitive data such as databases, configuration files, and other important files. 

The flaw rates 7.5 on the CVSS scale. 

The Damage

The impact of the flaw is concerning:

1. Ransomware Attacks: Ransomware-as-a-service (RaaS) operators are monetizing this flaw. Threat actors gain access to critical files, encrypt them, and demand heavy ransoms for the decryption keys. 

2. Global Exposure: Cyble has found around 43,000 internet-exposed aiohttp instances across the world. Many of these servers are located in the USA, Spain, Germany, and various Asian regions. 

3. Data Exposure: Companies using aiohttp may unknowingly expose sensitive files on the internet. Threat actors can abuse this loophole to steal important data, compromising user privacy and business operations. 

How to control it?

Follow these steps to protect your systems:

1. Security Audits: Perform routine security audits of your web apps. Inventory your aiohttp instances and confirm that they are running patched versions.

2. Access Controls: Enforce strict access controls. Restrict the directories aiohttp is allowed to serve to avoid unauthorized traversal. 

3. Update aiohttp: The aiohttp development team addressed the problem promptly by releasing version 3.9.2. Update your aiohttp installations as soon as possible. 

The ShadowSyndicate Links

Notably, one of the IP addresses linked to the scanning was earlier associated with the infamous ShadowSyndicate group, which has a notorious history in ransomware attacks. This makes the exploitation of the aiohttp flaw even more concerning. 

What can we learn?

The digital landscape is evolving, and so are cyber threats. The aiohttp flaw is a reminder that caution and routine updates are a must. We should stay informed, patch our systems promptly, and strengthen defenses against ransomware attacks. 

Prevention is better than cure; a vigilant approach today will protect us from tomorrow's data hostility. 

Threat Actors Exploit the Aiohttp Bug to Locate Susceptible Networks

 

The ransomware actor "ShadowSyndicate" was observed searching for servers that could be exposed to the aiohttp Python library's directory traversal vulnerability, CVE-2024-23334. 

Aiohttp is an open-source toolkit designed to handle massively concurrent HTTP requests without conventional thread-based networking. It is built on top of Python's asyncio asynchronous I/O framework. 

Tech companies, web developers, data scientists, and backend engineers use it to create high-performance web applications and services that combine data gathered from numerous external APIs. 

On January 28, 2024, aiohttp published version 3.9.2, which addressed CVE-2024-23334, a high-severity path traversal issue affecting all versions of aiohttp up to and including 3.9.1 that enables unauthenticated remote attackers to access files on vulnerable servers. 

When 'follow_symlinks' is set to 'True' for static routes, there is insufficient validation, which leads to unauthorised access to files located outside the server's static root directory. On February 27, 2024, a researcher published a proof-of-concept (PoC) exploit for CVE-2024-23334 on GitHub, and a thorough video demonstrating step-by-step exploitation instructions was published on YouTube in early March.
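As an added example serving both aiohttp items above (this is not aiohttp's own code), the following Python model reproduces the follow_symlinks check against a constructed temporary directory tree: the flawed resolver, which skips the containment check whenever symlinks are followed, beside a hardened one that confines the path lexically before any symlink is followed. The function names are hypothetical, and the modelling of the pre-3.9.2 logic is my reading of the advisory.

```python
"""Added example modelling the CVE-2024-23334 check; this is not aiohttp's
own code. It builds a constructed directory tree and compares a static-route
resolver in the flawed mode (with follow_symlinks=True the resolved path is
never checked against the static root, so '..' segments escape it) with a
hardened resolver that confines the path lexically before any symlink is
followed. The function names are hypothetical."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def build_tree() -> Path:
    """Create a constructed tree: <tmp>/static is the served root and
    <tmp>/secret.txt lies outside it. Returns the static root."""
    base = Path(tempfile.mkdtemp(prefix="aiohttp-demo-"))
    static = base / "static"
    static.mkdir()
    (static / "index.html").write_text("<h1>public</h1>")
    (base / "secret.txt").write_text("constructed secret")
    try:
        # A symlink inside the root that points outside it.
        os.symlink(base / "secret.txt", static / "escape.txt")
    except OSError:
        pass  # symlinks not permitted on this host; the '..' cases still run
    return static


def _inside(path: Path, root: Path) -> bool:
    """True when path is root or lies beneath it (purely lexical test)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def resolve_flawed(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Models the pre-3.9.2 logic as described in the advisory: the URL path
    is joined to the root and resolved, but the containment check only runs
    when symlinks are not followed, so '..' walks out of the root."""
    candidate = root.joinpath(*url_path.strip("/").split("/"))
    resolved = candidate.resolve()
    if not follow_symlinks and not _inside(resolved, root.resolve()):
        return None
    return resolved if resolved.exists() else None


def resolve_hardened(root: Path, url_path: str, follow_symlinks: bool) -> Optional[Path]:
    """Hardened resolver: os.path.normpath collapses '..' without touching
    symlinks, so a lexical containment check rejects traversal in both modes.
    follow_symlinks=True still permits a symlink that points out of the root
    (that option's documented purpose); False confines the final target too."""
    root = root.resolve()
    candidate = root.joinpath(*url_path.strip("/").split("/"))
    normalized = Path(os.path.normpath(candidate))
    if not _inside(normalized, root):
        return None
    final = normalized.resolve()
    if not follow_symlinks and not _inside(final, root):
        return None
    return final if final.exists() else None


if __name__ == "__main__":
    static_root = build_tree()
    # The flawed resolver hands back a file outside the served root.
    print(resolve_flawed(static_root, "../secret.txt", True))
    # The hardened resolver refuses the same request in either mode.
    print(resolve_hardened(static_root, "../secret.txt", True))
    print(resolve_hardened(static_root, "index.html", True))
```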

Cyble's threat analysts indicate that their scanners detected exploitation attempts targeting CVE-2024-23334 beginning on February 29 and continuing at an increasing pace throughout March.

The scanning efforts originate from five IP addresses, one of which was identified in a Group-IB report from September 2023 as belonging to the ShadowSyndicate ransomware actor. 

ShadowSyndicate is an opportunistic, financially motivated threat actor that has been active since July 2022 and has been associated with an array of ransomware variants, including Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play. Group-IB suspects the threat actor is an affiliate involved in numerous ransomware operations. 

Cyble's findings, while not conclusive, suggest that threat actors may be scanning for servers running a vulnerable version of the aiohttp library. Whether or not these scans have resulted in breaches is unknown at this moment. 

In terms of the attack surface, Cyble's internet scanner ODIN shows that there are around 44,170 internet-exposed aiohttp instances worldwide. The majority (15.8%) are in the United States, followed by Germany (8%), Spain (5.7%), the United Kingdom, Italy, France, Russia, and China.

eSIM Vulnerabilities: SIM Swappers Exploit Flaws, Hijack Phone Numbers

 


According to a new report, SIM-swapping crimes are rising worldwide, increasingly targeting users of eSIMs (Embedded Subscriber Identity Modules). eSIMs are SIM cards stored digitally in software embedded in the device. Hackers are now exploiting weaknesses in this software, brute-forcing their way into victims' phone accounts to port the victims' mobile numbers to their own devices. 

The report also indicated that bad actors are primarily interested in victims' online banking accounts and other financial services. eSIMs function similarly to physical SIM cards but are stored digitally on a chip in the mobile device. 

These devices can be remotely reprogrammed by scanning QR codes provided by service providers, and can be activated and deactivated along with various functionalities. According to the report, F.A.C.C.T., a Russian cybersecurity company, has noted a surge in SIM swappers exploiting eSIM systems. 

Criminals can manipulate eSIM functionality to take control of phone numbers, allowing them to bypass security measures and gain unauthorized access to sensitive accounts. Rather than relying on social engineering and insider assistance, attackers have switched tactics to exploiting mobile accounts with stolen credentials. 

Having compromised an account, they gain control of the victim's phone number by generating, from within that account, the QR codes used to facilitate number porting. SIM swappers previously relied on social engineering or insider assistance from mobile carriers to port a target's number.

As companies have implemented more protections against these takeovers over the past few years, cybercriminals have turned their attention to the opportunities offered by new technologies. It is now common for attackers to breach a victim's mobile account using stolen, brute-forced, or leaked credentials and then port the victim's number to another device without any insider help. 

Essentially, hijackers activate a new eSIM through the hijacked mobile account by generating a QR code there and scanning it with their own device. At the same time, the legitimate owner's eSIM/SIM is deactivated, completing the hijack of the number. 

Attackers who port a victim's number to their own device also gain access to SIM-linked accounts in various messaging apps, which opens up further opportunities for fraud, such as posing as the victim to trick their contacts into sending money. 

Researchers recommend that users protect their cellular service provider accounts with complex, unique passwords and enable two-factor authentication where available, to defend against eSIM-swapping attacks. Users should also consider protecting their more valuable accounts, such as e-banking and cryptocurrency wallets, with physical security keys or authenticator apps. 

Thus, the development of eSIM technology has inadvertently created new avenues for SIM swappers to exploit. As cyber attacks evolve, efforts must be made to protect users' digital assets and personal information, and users must maintain vigilance by implementing robust security practices.

Thinking of Stealing a Tesla? Just Use Flipper Zero


Researchers have found a new way of hijacking WiFi networks at Tesla charging stations to steal vehicles: a design flaw that only needs an affordable, off-the-shelf tool.

Experts find an easy way to steal a Tesla

As Mysk Inc. cybersecurity experts Tommy Mysk and Talal Haj Bakry have shown in a recent YouTube video, hackers only require a simple $169 hacking tool known as Flipper Zero, a Raspberry Pi, or just a laptop to pull the hack off. 

This means that with a leaked email and a password, the owner could lose their Tesla car. The rise of AI technologies has increased phishing and social engineering attacks. As a responsible company, you must factor in such threats in your threat models. 

And it's not just Tesla. You'll be surprised to know cybersecurity experts have always cautioned about the use of keyless entry in the car industry, which often leaves modern cars at risk of being hacked.

Hash Tag Foolery

The problem isn't hacking in the sense of breaking into software; it's a social engineering attack that tricks a car owner into handing over their information. Using a Flipper, the experts create a WiFi network called "Tesla Guest", the same name Tesla uses for its guest networks at service centers. Mysk then created a fake website resembling Tesla's login page. 

After this, it's a cakewalk. Hackers broadcast the network around a charging station, where a bored driver might be looking to connect over WiFi. The owner (here, the victim) connects to the WiFi and enters their username and password on the fake Tesla website. 

The hacker uses the provided login credentials and gains access to the real Tesla app, which prompts a two-factor authentication code. The victim puts the code into the fake site, and hackers get access to their account. 

Once you've trespassed into the Tesla app, you can create a "phone key" to unlock and control the car via Bluetooth using a smartphone. Congratulations, the car is yours!

Mysk has demonstrated the attack in a YouTube video.

Tesla can fix the flaw easily but chooses not to

Mysk says that Tesla doesn't alert the owner if a new key is created, so the victim doesn't know they've been breached. And the bad guy doesn't have to steal the car right away, because the app shows the location of the car. 

The Tesla owner can charge the car and drive it somewhere else; the thief just has to trace the location and steal it, without needing a physical key card. Yes, it's that easy. 

Mysk tested the design flaw on his own Tesla and discovered he could easily create new phone keys without having access to the original key card, even though Tesla's owner manual states that this is not possible.

Tesla evades allegation

When Mysk informed Tesla about his findings, the company said it was all by design and "intended behaviour," underplaying the flaw. 

Mysk disagrees, stressing that pairing a phone key has been made super easy at the cost of security. He argues that Tesla could easily fix this vulnerability by alerting users whenever a new phone key is created. 

But without any efforts from Tesla, the car owners might as well be sitting ducks. 

A sophisticated computer or machine doesn't always mean a secure one; the extra layers of complexity make us more vulnerable. Two decades back, all you needed to steal a car was the driver's key or to hot-wire the vehicle. But if your car key is a bundle of ones and zeroes, you must rethink the car's safety.


Critical Vulnerabilities in GovQA Platform Expose Sensitive Government Records

 

In a significant cybersecurity revelation, critical vulnerabilities were discovered in the GovQA platform, a tool extensively used by state and local governments across the U.S. to manage public records requests. 

Independent researcher Jason Parker uncovered flaws that, if exploited, could have allowed hackers to access and download troves of unsecured files connected to public records inquiries. These files often contain highly sensitive personal information, including IDs, fingerprints, child welfare documentation, and medical reports. 

The vulnerabilities in the GovQA platform, designed by IT services provider Granicus, have since been addressed with a patch deployed on Monday. However, the potential consequences of these flaws were severe. If exploited, hackers could have gained access to personally identifiable information submitted by individuals making public records requests. 

This information, often including driver's licenses and other verification documents, could be linked to the subjects of the requests, posing a significant privacy and security risk. Granicus, responding to the findings, emphasized that the vulnerabilities did not constitute a breach of Granicus systems, GovQA, or any other part of applications or infrastructure. 

The company classified the vulnerabilities as "low severity" but acknowledged the need to work with customers to minimize the information collected and disclosed. However, cybersecurity experts who reviewed the findings disputed this classification, considering the flaws to be more severe than labeled. The GovQA platform is a crucial tool used by hundreds of government management centers in at least 37 states and the District of Columbia.

Its purpose is to assist offices in sorting and delivering records to requesters through official public access channels. The flaws in the platform, discovered by Parker, could have allowed bad actors not only to access sensitive personal information but also to trick the system into letting individuals edit or change the metadata of records requests without detection by administrators. 

By modifying the webpage's code, a skilled hacker could have accessed more information than intended, potentially leading to the exposure of highly sensitive data. The GovQA platform, used for managing records requests, often involves individuals submitting personal information for verification purposes. This information is stored alongside the requested files and could be exposed in the event of a cyberattack. 

The vulnerabilities were particularly concerning as they could be exploited to access records tied to both the requestor and the subject of their request, even in cases where requests were denied. The findings by Jason Parker underscore the broader challenges faced by state and local governments in safeguarding sensitive information. With cyber incidents targeting government entities becoming more common, the need for robust security measures and a culture of responsibility around code security is paramount. 

As President Joe Biden recently signed an executive order focused on preventing sensitive data from falling into the hands of foreign adversaries, the vulnerabilities in the GovQA platform highlight the urgency of addressing security risks in widely used records systems. The incident serves as a reminder of the potential consequences when cybersecurity vulnerabilities are present in critical tools that manage sensitive government data.

Microsoft Employee Raises Alarms Over Copilot Designer and Urges Government Intervention

 

Shane Jones, a principal software engineering manager at Microsoft, has sounded the alarm about the safety of Copilot Designer, a generative AI tool introduced by the company in March 2023. 

His concerns have prompted him to submit a letter to both the US Federal Trade Commission (FTC) and Microsoft's board of directors, calling for an investigation into the text-to-image generator. Jones's apprehension revolves around Copilot Designer's unsettling capacity to generate potentially inappropriate images, spanning themes such as explicit content, violence, underage drinking, and drug use, as well as instances of political bias and conspiracy theories. 

Beyond highlighting these concerns, he has emphasized the critical need to educate the public, especially parents and educators, about the associated risks, particularly in educational settings where the tool may be utilized. Despite Jones's persistent efforts over the past three months to address the issue internally at Microsoft, the company has not taken action to remove Copilot Designer from public use or implement adequate safeguards. His recommendations, including the addition of disclosures and adjustments to the product's rating on the Android app store, were not implemented by the tech giant. 

Microsoft responded to the concerns raised by Jones, assuring its commitment to addressing employee concerns within the framework of company policies. The company expressed appreciation for efforts aimed at enhancing the safety of its technology. However, the situation underscores the internal challenges companies may face in balancing innovation with the responsibility of ensuring their technologies are safe and ethical. 

This incident isn't the first time Jones has spoken out about AI safety concerns. Despite facing pressure from Microsoft's legal team, Jones persisted in voicing his concerns, even extending his efforts to communicate with US senators about the broader risks associated with AI safety. The case of Copilot Designer adds to the ongoing scrutiny of AI technologies in the tech industry. Google recently paused access to its image generation feature on Gemini, its competitor to OpenAI's ChatGPT, after facing complaints about historically inaccurate images involving race. 

DeepMind, Google's AI division, reassured users that the feature would be reinstated after addressing the concerns and ensuring responsible use of the technology. As AI technologies become increasingly integrated into various aspects of our lives, incidents like the one involving Copilot Designer highlight the imperative for vigilant oversight and ethical considerations in AI development and deployment. The intersection of innovation and responsible AI use remains a complex landscape that necessitates collaboration between tech companies, regulatory bodies, and stakeholders to ensure the ethical and safe evolution of AI technologies.

Red Sea Cable Damage Disrupts Internet Traffic Across Continents

 


Recently, in a telecommunications setback, damage to submarine cables in the Red Sea is causing disruptions in communication networks, affecting a quarter of the traffic between Asia, Europe, and the Middle East, including internet services. Four major telecom networks, including Hong Kong's HGC Global Communications, report that cables have been cut, leading to a substantial impact on communication in the Middle East. HGC estimates that approximately 25% of traffic between Asia and Europe, as well as the Middle East, has been affected.

To mitigate the disruption, HGC is rerouting traffic and providing assistance to affected businesses. However, the company has not disclosed the cause of the cable damage or identified those responsible. Seacom, a South Africa-based company owning one of the affected cable systems, has stated that repairs will not commence for at least a month due in part to the time needed to secure permits for operation in the area.

These undersea cables, largely funded by internet giants such as Google, Microsoft, Amazon, and Meta (Facebook's parent company), are the backbone of the internet. Damage to these subsea networks can result in widespread internet outages, reminiscent of the aftermath of the 2006 Taiwan earthquake.

The recent damage in the Red Sea follows warnings from the official Yemeni government about the potential targeting of cables by Houthi rebels. These Iranian-backed militants have previously disrupted global supply chains by attacking commercial vessels in the crucial waterway. While Israeli reports suggested Houthi involvement in the cable damage, rebel leader Abdel Malek al-Houthi denied these allegations, blaming British and US military units operating in the area for the destruction.

Prenesh Padayachee, Chief Digital Officer at Seacom, highlights the lengthy process of acquiring permits from the Yemeni maritime authority, estimating up to eight weeks for approval. Until repairs are complete, client traffic will continue to be rerouted to ensure uninterrupted service.

Among the affected networks are Asia-Africa-Europe 1, a 25,000-kilometre cable system connecting South East Asia to Europe via Egypt, and the Europe India Gateway (EIG), which has also sustained damage. Vodafone, a major investor in EIG and a prominent mobile network operator in the United Kingdom, has declined to comment on the situation.

It is worth noting that most large telecom companies rely on multiple undersea cable systems, which lets them reroute traffic during outages and maintain service for users across the affected regions. Even so, the event underscores the vulnerability of the interconnected global communication infrastructure.

As Seacom and other stakeholders work towards repairing the damaged cables, the global community awaits a resolution to this critical issue that impacts the seamless flow of information across continents.