Red Hat Security Advisory 2024-10275-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10275.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel-rt security updateAdvisory ID:        RHSA-2024:10275-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:10275Issue date:         2024-11-26Revision:           03CVE Names:          CVE-2022-48773====================================================================Summary: An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es):* kernel: xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create (CVE-2022-48773)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-48773References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2298109

Red Hat Security Advisory 2024-10275-03

LifeLabs managed to hold up a report about a ransomware incident in court for four years. It's now been published.

In 2019, a ransomware attack hit LifeLabs, a Canadian medical testing company. The ransomware encrypted the lab results of 15 million Canadians, and personally identifiable information (PII) of 8.6 million people was stolen.

After noticing the attack, LifeLabs informed its customers and the Canadian privacy regulators, which immediately announced an investigation.

The privacy commissioners of both British Columbia and Ontario finished writing a report about the incident in 2020 but LifeLabs managed to hold that up in court for four years. Now the report is publicly available and some of the findings are both shocking and unsurprising.

According to the report, LifeLabs had several shortcomings before the breach:

*   LifeLabs failed to take reasonable steps to protect personal information and personal health information in its custody and control from theft, loss, and unauthorized access, collection, use, disclosure, copying, modification or disposal.
*   LifeLabs failed to have in place and follow policies and information practices that comply with PIPA and PHIPA
*   LifeLabs collected more personal information and personal health information than is reasonably necessary to meet the purpose for which it was collected.

Additionally, the investigation found that LifeLabs didn’t comply with its obligation to notify affected people at the first reasonable opportunity. This was because it didn’t implement a process to notify people about the details of what personal health information was compromised without requiring them to make a formal access request.

Patricia Kosseim, Information and Privacy Commissioner of Ontario commented:

> “Personal health information is particularly sensitive and privacy breaches can have devastating impacts for individuals.”

The regulator said it was important for the report to be made public after four years of resistance by LifeLabs. We agree that it is important that we know how companies are protecting our data, especially the medical kind. But at the same time we also know that many organizations in the healthcare industry do not have the staff to handle this, not do they have the funding to hire those staff. It’s catch 22.

At the time, LifeLabs wrote in an open letter that the cybersecurity firm it hired to investigate the incident advised it that the risk to its customers in connection with this cyberattack was low. LifeLabs said it hadn’t seen any public disclosure of customer data as part of its investigations, including monitoring of the dark web and other online locations.

Malwarebytes checked up whether that claim still held through and could indeed not find any LifeLabs customer data that came from that breach.

The reason is not a big mystery. Reportedly, LifeLabs paid the ransomware group, which is why it’s still unknown which group was behind the attack. The specific amount of the ransom paid has not been disclosed by the company.

But as ransomware groups are just a gang of criminals, it might be hard to take their word for it that they won’t release the data at some point. We will keep an eye on it.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Medical testing company LifeLabs failed to protect customer data, report finds 

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert…

Researchers reveal major vulnerabilities in popular corporate VPN clients, allowing remote attacks. Discover the NachoVPN tool and expert advisories to mitigate these critical security risks.

In a recent presentation at SANS HackFest Hollywood 2024, cybersecurity researchers at London, England-based firm AmberWolf have revealed critical security vulnerabilities in widely used corporate Virtual Private Network (VPN) clients allowing attackers to target macOS and Windows systems.

These vulnerabilities, found in both traditional SSL-VPN clients and modern Zero Trust solutions, could be exploited by attackers to gain remote code execution and elevated privileges on end-user devices.

The researchers found that VPN clients, while essential for secure remote access, often have deep system access. This makes them attractive and possibly a lucrative target for hackers.

The main problem lies in how these clients trust VPN servers. Attackers can create malicious VPN servers that exploit this trust, allowing them to run commands and gain administrator-level access to a user’s computer with little to no user interaction.

****NachoVPN****

To help the security community understand and mitigate these risks, the researchers have released NachoVPN, an open-source tool that simulates the attack scenarios discussed in their presentation. This tool acts as a malicious VPN server and shows how it can exploit weaknesses in different VPN clients. NachoVPN is designed to be easy to use and can be adapted to test for new vulnerabilities as they are discovered.

_“_NachoVPN serves as a proof-of-concept tool to simulate rogue VPN servers capable of exploiting these vulnerabilities, AmberWolf researchers wrote in their blog post. _“_It showcases how insecure behaviours in VPN clients can be leveraged to gain privileged code execution._“_

Alongside NachoVPN, the researchers have published detailed advisories documenting the specific vulnerabilities disclosed during their presentation. These advisories provide technical descriptions, attack vectors, and mitigation recommendations to help organizations protect themselves against these threats.

****Vulnerabilities****

The vulnerabilities affect popular corporate VPN clients, including Palo Alto GlobalProtect and SonicWall NetExtender for Windows. The advisories, identified as CVE-2024-5921 and CVE-2024-29014, highlight the risks of remote code execution and privilege escalation via malicious VPN servers.

****NachoVPN on GitHub****

For more information about NachoVPN and the disclosed vulnerabilities, interested parties can visit the project’s **GitHub** repository and review the detailed advisories. The researchers’ presentation from SANS HackFest Hollywood 2024 is also available on the SANS YouTube channel, providing further insights into their findings and recommendations.

1.  ASUS and NordVPN Partner to Integrate VPN into Routers
2.  Hackers Calling Employees to Steal VPN Logins from Firms
3.  Ivanti VPN Flaws Exploited by DSLog Backdoor, Crypto Miners
4.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws
5.  Hackers Use Stolen VPN Access against Ivanti Users Despite Patches

AmberWolf Launches NachoVPN Tool to Tackle VPN Security Risks

Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Russian Script Kiddie Assembles Massive DDoS Botnet

Enterprise cybersecurity teams tell Omdia's Maxine Holt that they want to dig out from underneath mounting tech and pivot to a simpler platform model — but they are finding that tricky to pull off.

Omdia's survey of cybersecurity leaders demonstrated that they're currently in a conundrum — drowning in security products they want to pare down but instead having to add layers to cope with the exploding threat landscape.

It's a challenge they are looking at cybersecurity platforms to solve, but it's going to take time.

Maxine Holt, who leads the Omdia cybersecurity research group, joined the Dark Reading News Desk at Black Hat USA 2024 fresh off the Omdia Summit, where her team of analysts presented the detailed results of their 2024 survey of cybersecurity decision-makers. They found the typical organization is running somewhere between 21 to 50 separate cybersecurity tools. And while three-quarters of organizations indicated they were interested in cutting that number down to a more manageable number, 87% of respondents had nonetheless added tools to their systems over the past year.

"They're struggling with the threat landscape," Holt said. "It's not as easy as unplugging one thing and plugging in something else."

These organizations will have the opportunity to migrate over to a cybersecurity platform over the next three to five years, as their contracts sunset, according to the survey.

Major players in the cybersecurity platform space, including CrowdStrike, Palo Alto Networks, Fortinet, and Check Point, stand to gain market share in the next few years as the shift occurs, but Holt stressed the need for a healthy ecosystem of vendors.

"We have to support the thousands of vendors in the space so they can innovate," Holt said.

News Desk 2024: The Rise of Cybersecurity Platforms

GenAI's 30%-50% coding productivity boost comes with a downside — it's also generating vulnerabilities. Veracode's Chris Wysopal talks about what he finds out in this News Desk interview during Black Hat USA.

It's faster, for sure, but generative artificial intelligence (GenAI) is learning how to code just like a human developer would — and that means picking up mistakes along the way.

GenAI and large language models (LLMs) learn how to code based off of open source models, which themselves are flawed, explained Chris Wysopal, CTO and co-founder of Veracode, at this year's Dark Reading News Desk at Black Hat USA 2024.

"\[GenAI\] can write a lot more code a lot faster," he said. "So what you end up with is more code and more vulnerabilities per unit of time."

The trick then becomes finding and fixing vulnerabilities at the same pace.

In his research presented at the conference, "From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era" (a titled itself written by an LLM), Wysopal proposes the best way forward is using AI to find and fix the vulnerabilities in AI-generated software code. But we're not there yet.

According to research, the current model that can write code the best is an LLM called StarCoder. That's not to say it writes code completely free of vulnerabilities, but it's the best thing going. ChatGPT 4.0 and ChatGPT 2.5 were also found to be fairy adept at writing secure code.

"A general purpose LLM can fix some security bugs, but it turns out it's not great at it," Wysopal says. "And so we're seeing specialized LLMs that are trained just to secure code."

Wysopal and his team at Veracode are working on that, as well as other companies, he adds.

News Desk 2024: Can GenAI Write Secure Code?

The preview version now includes multiple security-focused additions Microsoft had promised to add, such as SecureBoot, BitLocker, and Windows Hello.

Source: Mundissima via Shutterstock

Six months after announcing (and modifying and delaying) Windows Recall, Microsoft has released a first-look preview of a reworked version for Windows Insiders via its Dev Channel. 

The preview is available only to Windows Insiders with Qualcomm Snapdragon X Elite and Plus Copilot+ PCs. The build of Windows that includes Recall (preview) with Click to Do (Preview) is Windows 11 Insider Preview Build 26120.2415 (KB5046723), Microsoft said. Support for Intel- and AMD-powered Copilot+ PCs will be available at a later date.

Recall takes "snapshots" of a user's PC that can be searched at anytime, thus allowing users to "recall" any application action, website visited, or image or document previously accessed on the system. Recall uses optical character recognition (OCR) to extract the text in screenshots and saves both of the images and text into a searchable database. When users describe what they are looking for, Recall searches the database to help them find it. The built-in neural processing unit is capable of running artificial intelligence (AI) and machine learning workloads locally and does not store anything in the cloud. This means Microsoft doesn't have access to any Recall snapshots, and none of the snapshots will be used to train Microsoft's AI models.

Recall was initially scheduled to be released last summer, but Microsoft had repeatedly delayed it to address privacy concerns. In September, the company explained how it was working to secure Recall snapshots.

Several of the new security-focused additions are available in the preview. Those who download the preview must opt in to saving snapshots, which is a change from the original plan to make it an opt-out feature. Recall now requires BitLocker disk encryption and Secure Boot to be enabled. Users must also be enrolled in Windows Hello because they must reauthenticate with Hello each time they access Recall's database. Users have the ability to delete any snapshot they want, and the system can detect sensitive personal data, like credit card numbers, passwords, and PINs, and won’t save them.

Users can also opt out of using Recall on specific apps and websites or just uninstall it altogether. For enterprise and education users, Recall will be managed by IT administrators. Administrators can also completely uninstall Recall if they are concerned about data exposure. 

The purpose of the Windows Insider preview is to give users the ability to try out the feature in real-world scenarios and help Microsoft identify issues that need to be addressed. Users can submit their feedback of the preview versions of Recall and Click to Do (recognize text and images in Recall snapshots and then copy the text or save images out of the snapshots) via the Feedback Hub. Insiders are asked to provide feedback on Recall's "updated security and privacy architecture" through the Windows Insider Preview Bug Bounty Program. 

Microsoft did not say how long it plans to keep Recall in preview before it would be considered ready for general release.

Microsoft Finally Releases Recall as Part of Windows Insider Preview

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems.
Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded

Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels

Multi-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let's examine real-world examples of some of the most common multi-stage attack scenarios that are active right now.
URLs and Other Embedded

Latest Multi-Stage Attack Scenarios with Real-World Examples

Cebu, Philippines, 27th November 2024, CyberNewsWire

**Cebu, Philippines, November 27th, 2024, CyberNewsWire**

Cebu-based entrepreneur Brian Christopher Aguilar has emerged as a notable figure in the cryptocurrency sector, leveraging blockchain technology to support environmental sustainability. As the founder of Ora Coin Foundation, Brian has turned his humble beginnings into a remarkable empire now valued at PHP 1.3 billion and growing—all within just a few months. His groundbreaking initiative, the One Billion Tree Planting Initiative, across South East Asia and Middle East, aims to leave an indelible mark on the planet and secure a brighter future for generations to come.

Brian’s journey began with his dream to combine technology and environmental stewardship. Ora Coin, the cryptocurrency he created with his partner Mr. Lataza, is more than just digital money. Each of its 21 million rare tokens represents an opportunity to combat deforestation and promote ecological balance. For every coin, a tree is planted under the foundation’s watchful eye, tracked with a 3D GPS monitoring system. But Brian’s vision doesn’t stop at planting; it includes a unique feature where tree sponsors can interact and meditate with their trees online, creating a deeper connection between humans and nature.

In partnership with Cebu Technological University, a leading state college in the Philippines, Brian’s mission has gained significant momentum. This collaboration has not only ensured scientific rigor in the project but also empowered local communities and students to participate in environmental conservation efforts. Together, they are pushing the boundaries of what is possible in eco-friendly blockchain innovation.

Before Ora Coin, Brian was no stranger to entrepreneurship. He made a name for himself in Hong Kong, running the successful Healthy Chicken Group, renowned for its star product, KALE. Starting as a musician, Brian’s story is one of grit, resilience, and a commitment to meaningful impact.

Now leading one of the most inspiring initiatives in both cryptocurrency and environmental activism, Brian is proving that businesses can thrive while giving back to the planet. As the One Billion Tree Planting Initiative marches forward, Ora Coin Foundation is not just planting trees—it’s planting hope for a better world.

> “We owe it to the next generation,” Brian says, “to leave a legacy of sustainability and innovation. Ora Coin is just the beginning.”

****About Ora Coin Foundation****

The Ora Coin Foundation is a blockchain-powered organization committed to environmental sustainability and innovation. Established by Brian Christopher Aguilar, the foundation focuses on using cryptocurrency to drive impactful ecological initiatives, such as the One Billion Tree Planting Initiative. With each Ora Coin token directly tied to the planting of a tree, the foundation leverages cutting-edge technology, including 3D GPS tracking, to ensure transparency and accountability. Through strategic partnerships, such as its collaboration with Cebu Technological University, Ora Coin Foundation empowers communities and fosters a deeper connection between people and nature

**Contact**

**Founder**  
**Brian Christopher Aguilar**  
**Ora Coin Foundation**  
**\[email protected\]**

Latest News