Ubuntu Security Notice 7089-7 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7089-7November 19, 2024linux-lowlatency, linux-lowlatency-hwe-6.8 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-lowlatency: Linux low latency kernel- linux-lowlatency-hwe-6.8: Linux low latency kernelDetails:Chenyuan Yang discovered that the USB Gadget subsystem in the Linuxkernel did not properly check for the device to be enabled beforewriting. A local attacker could possibly use this to cause a denial ofservice. (CVE-2024-25741)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM32 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - S390 architecture;  - x86 architecture;  - Cryptographic API;  - Serial ATA and Parallel ATA drivers;  - Null block device driver;  - Bluetooth drivers;  - Cdrom driver;  - Clock framework and drivers;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Cirrus firmware drivers;  - GPIO subsystem;  - GPU drivers;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - Fastrpc Driver;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - NVMEM (Non Volatile Memory) drivers;  - PCI subsystem;  - Pin controllers subsystem;  - x86 platform drivers;  - S/390 drivers;  - SCSI drivers;  - Thermal drivers;  - TTY drivers;  - UFS subsystem;  - USB DSL drivers;  - USB core drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - VFIO drivers;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - GFS2 file system;  - JFFS2 file system;  - JFS file system;  - Network file systems library;  - Network file system client;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Memory management;  - Netfilter;  - Tracing infrastructure;  - io_uring subsystem;  - BPF subsystem;  - Core kernel;  - Bluetooth subsystem;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Network traffic control;  - Sun RPC protocol;  - Wireless networking;  - AMD SoC Alsa drivers;  - SoC Audio for Freescale CPUs drivers;  - MediaTek ASoC drivers;  - SoC audio core drivers;  - SOF drivers;  - Sound sequencer drivers;(CVE-2024-42104, CVE-2024-42084, CVE-2024-42252, CVE-2024-41096,CVE-2024-42237, CVE-2024-42140, CVE-2024-42150, CVE-2024-41031,CVE-2024-41059, CVE-2024-41062, CVE-2024-41051, CVE-2024-41028,CVE-2024-41090, CVE-2024-41092, CVE-2024-43855, CVE-2024-41021,CVE-2024-42229, CVE-2024-41056, CVE-2024-41048, CVE-2024-41036,CVE-2024-42094, CVE-2024-41089, CVE-2024-41068, CVE-2024-41039,CVE-2024-41095, CVE-2024-41069, CVE-2024-42234, CVE-2024-42136,CVE-2024-41025, CVE-2024-42157, CVE-2024-42248, CVE-2024-42087,CVE-2024-41041, CVE-2024-42230, CVE-2024-42151, CVE-2024-42130,CVE-2024-42244, CVE-2024-41079, CVE-2024-42253, CVE-2024-42092,CVE-2024-41022, CVE-2024-42137, CVE-2024-42132, CVE-2024-42108,CVE-2024-42155, CVE-2024-42127, CVE-2024-41060, CVE-2024-42074,CVE-2024-41081, CVE-2024-42066, CVE-2024-42098, CVE-2024-42082,CVE-2024-42093, CVE-2024-42245, CVE-2024-41072, CVE-2024-41052,CVE-2024-42161, CVE-2024-42096, CVE-2024-42115, CVE-2024-41074,CVE-2024-42120, CVE-2024-41046, CVE-2024-42239, CVE-2024-41063,CVE-2024-42090, CVE-2024-41023, CVE-2024-42069, CVE-2024-41087,CVE-2024-42158, CVE-2024-41067, CVE-2024-41084, CVE-2024-41077,CVE-2024-42240, CVE-2024-42145, CVE-2024-42102, CVE-2024-41020,CVE-2024-42231, CVE-2024-41053, CVE-2024-42131, CVE-2024-42089,CVE-2024-41083, CVE-2024-42247, CVE-2024-42105, CVE-2024-41044,CVE-2024-42128, CVE-2024-42271, CVE-2024-41037, CVE-2024-42114,CVE-2024-42106, CVE-2024-41076, CVE-2024-42088, CVE-2024-41057,CVE-2024-41091, CVE-2024-42152, CVE-2024-41070, CVE-2024-41035,CVE-2024-41050, CVE-2024-39487, CVE-2024-42113, CVE-2024-42250,CVE-2024-41047, CVE-2024-42149, CVE-2024-42079, CVE-2024-42091,CVE-2024-42227, CVE-2024-42095, CVE-2024-42109, CVE-2024-41033,CVE-2023-52888, CVE-2024-41061, CVE-2024-42223, CVE-2024-42235,CVE-2024-41086, CVE-2024-42133, CVE-2024-41082, CVE-2024-41071,CVE-2024-41007, CVE-2023-52887, CVE-2024-39486, CVE-2024-41075,CVE-2024-42101, CVE-2024-42077, CVE-2024-41042, CVE-2024-42225,CVE-2024-42126, CVE-2024-41094, CVE-2024-41085, CVE-2024-41019,CVE-2024-41058, CVE-2024-41066, CVE-2024-42156, CVE-2024-42119,CVE-2024-41032, CVE-2024-41088, CVE-2024-42100, CVE-2024-42142,CVE-2024-41054, CVE-2024-42103, CVE-2024-42124, CVE-2024-41034,CVE-2024-42251, CVE-2024-42153, CVE-2024-41045, CVE-2024-42086,CVE-2024-42243, CVE-2024-41055, CVE-2024-41078, CVE-2024-42117,CVE-2024-41030, CVE-2024-42068, CVE-2024-42110, CVE-2024-42147,CVE-2024-42121, CVE-2024-41080, CVE-2024-41027, CVE-2024-43858,CVE-2024-42085, CVE-2024-42111, CVE-2024-42238, CVE-2024-41018,CVE-2024-42138, CVE-2024-41038, CVE-2024-42070, CVE-2024-42141,CVE-2024-41098, CVE-2024-42118, CVE-2024-41073, CVE-2024-42144,CVE-2024-42280, CVE-2024-41049, CVE-2024-42076, CVE-2024-41065,CVE-2024-42063, CVE-2024-41064, CVE-2024-41017, CVE-2024-42112,CVE-2024-42064, CVE-2024-42135, CVE-2024-42146, CVE-2024-41010,CVE-2024-41097, CVE-2024-41012, CVE-2024-42097, CVE-2024-42067,CVE-2024-42236, CVE-2024-42080, CVE-2024-42241, CVE-2024-42065,CVE-2024-42232, CVE-2024-42246, CVE-2024-41093, CVE-2024-41015,CVE-2024-42129, CVE-2024-42073, CVE-2024-41029)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-48-lowlatency  6.8.0-48.48.3  linux-image-6.8.0-48-lowlatency-64k  6.8.0-48.48.3  linux-image-lowlatency          6.8.0-48.48.3  linux-image-lowlatency-64k      6.8.0-48.48.3  linux-image-lowlatency-64k-hwe-24.04  6.8.0-48.48.3  linux-image-lowlatency-hwe-24.04  6.8.0-48.48.3Ubuntu 22.04 LTS  linux-image-6.8.0-48-lowlatency  6.8.0-48.48.3~22.04.1  linux-image-6.8.0-48-lowlatency-64k  6.8.0-48.48.3~22.04.1  linux-image-lowlatency-64k-hwe-22.04  6.8.0-48.48.3~22.04.1  linux-image-lowlatency-hwe-22.04  6.8.0-48.48.3~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7089-7  https://ubuntu.com/security/notices/USN-7089-6  https://ubuntu.com/security/notices/USN-7089-5  https://ubuntu.com/security/notices/USN-7089-4  https://ubuntu.com/security/notices/USN-7089-3  https://ubuntu.com/security/notices/USN-7089-2  https://ubuntu.com/security/notices/USN-7089-1  CVE-2023-52887, CVE-2023-52888, CVE-2024-25741, CVE-2024-39486,  CVE-2024-39487, CVE-2024-41007, CVE-2024-41010, CVE-2024-41012,  CVE-2024-41015, CVE-2024-41017, CVE-2024-41018, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41021, CVE-2024-41022, CVE-2024-41023,  CVE-2024-41025, CVE-2024-41027, CVE-2024-41028, CVE-2024-41029,  CVE-2024-41030, CVE-2024-41031, CVE-2024-41032, CVE-2024-41033,  CVE-2024-41034, CVE-2024-41035, CVE-2024-41036, CVE-2024-41037,  CVE-2024-41038, CVE-2024-41039, CVE-2024-41041, CVE-2024-41042,  CVE-2024-41044, CVE-2024-41045, CVE-2024-41046, CVE-2024-41047,  CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41051,  CVE-2024-41052, CVE-2024-41053, CVE-2024-41054, CVE-2024-41055,  CVE-2024-41056, CVE-2024-41057, CVE-2024-41058, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41061, CVE-2024-41062, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41066, CVE-2024-41067,  CVE-2024-41068, CVE-2024-41069, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41074, CVE-2024-41075,  CVE-2024-41076, CVE-2024-41077, CVE-2024-41078, CVE-2024-41079,  CVE-2024-41080, CVE-2024-41081, CVE-2024-41082, CVE-2024-41083,  CVE-2024-41084, CVE-2024-41085, CVE-2024-41086, CVE-2024-41087,  CVE-2024-41088, CVE-2024-41089, CVE-2024-41090, CVE-2024-41091,  CVE-2024-41092, CVE-2024-41093, CVE-2024-41094, CVE-2024-41095,  CVE-2024-41096, CVE-2024-41097, CVE-2024-41098, CVE-2024-42063,  CVE-2024-42064, CVE-2024-42065, CVE-2024-42066, CVE-2024-42067,  CVE-2024-42068, CVE-2024-42069, CVE-2024-42070, CVE-2024-42073,  CVE-2024-42074, CVE-2024-42076, CVE-2024-42077, CVE-2024-42079,  CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,  CVE-2024-42086, CVE-2024-42087, CVE-2024-42088, CVE-2024-42089,  CVE-2024-42090, CVE-2024-42091, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42095, CVE-2024-42096, CVE-2024-42097,  CVE-2024-42098, CVE-2024-42100, CVE-2024-42101, CVE-2024-42102,  CVE-2024-42103, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42108, CVE-2024-42109, CVE-2024-42110, CVE-2024-42111,  CVE-2024-42112, CVE-2024-42113, CVE-2024-42114, CVE-2024-42115,  CVE-2024-42117, CVE-2024-42118, CVE-2024-42119, CVE-2024-42120,  CVE-2024-42121, CVE-2024-42124, CVE-2024-42126, CVE-2024-42127,  CVE-2024-42128, CVE-2024-42129, CVE-2024-42130, CVE-2024-42131,  CVE-2024-42132, CVE-2024-42133, CVE-2024-42135, CVE-2024-42136,  CVE-2024-42137, CVE-2024-42138, CVE-2024-42140, CVE-2024-42141,  CVE-2024-42142, CVE-2024-42144, CVE-2024-42145, CVE-2024-42146,  CVE-2024-42147, CVE-2024-42149, CVE-2024-42150, CVE-2024-42151,  CVE-2024-42152, CVE-2024-42153, CVE-2024-42155, CVE-2024-42156,  CVE-2024-42157, CVE-2024-42158, CVE-2024-42161, CVE-2024-42223,  CVE-2024-42225, CVE-2024-42227, CVE-2024-42229, CVE-2024-42230,  CVE-2024-42231, CVE-2024-42232, CVE-2024-42234, CVE-2024-42235,  CVE-2024-42236, CVE-2024-42237, CVE-2024-42238, CVE-2024-42239,  CVE-2024-42240, CVE-2024-42241, CVE-2024-42243, CVE-2024-42244,  CVE-2024-42245, CVE-2024-42246, CVE-2024-42247, CVE-2024-42248,  CVE-2024-42250, CVE-2024-42251, CVE-2024-42252, CVE-2024-42253,  CVE-2024-42271, CVE-2024-42280, CVE-2024-43855, CVE-2024-43858Package Information:  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-48.48.3 https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-48.48.3~22.04.1

Ubuntu Security Notice USN-7089-7

Ubuntu Security Notice 7117-1 - Qualys discovered that needrestart passed unsanitized data to a library which expects safe input. A local attacker could possibly use this issue to execute arbitrary code as root. Qualys discovered that the library libmodule-scandeps-perl incorrectly parsed perl code. This could allow a local attacker to execute arbitrary shell commands.

==========================================================================  
Ubuntu Security Notice USN-7117-1  
November 19, 2024

Several security issues were fixed in needrestart and Module::ScanDeps  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in libmodule-scandeps-perl, needrestart.

Software Description:  
- libmodule-scandeps-perl: module to recursively scan Perl code for   
dependencies  
- needrestart: check which daemons need to be restarted after library   
upgrades

Details:

Qualys discovered that needrestart passed unsanitized data to a library  
(libmodule-scandeps-perl) which expects safe input. A local attacker could  
possibly use this issue to execute arbitrary code as root.  
(CVE-2024-11003)

Qualys discovered that the library libmodule-scandeps-perl incorrectly  
parsed perl code. This could allow a local attacker to execute arbitrary  
shell commands. (CVE-2024-10224)

Qualys discovered that needrestart incorrectly used the PYTHONPATH  
environment variable to spawn a new Python interpreter. A local attacker  
could possibly use this issue to execute arbitrary code as root.  
(CVE-2024-48990)

Qualys discovered that needrestart incorrectly checked the path to the  
Python interpreter. A local attacker could possibly use this issue to win  
a race condition and execute arbitrary code as root. (CVE-2024-48991)

Qualys discovered that needrestart incorrectly used the RUBYLIB  
environment variable to spawn a new Ruby interpreter. A local attacker  
could possibly use this issue to execute arbitrary code as root.  
(CVE-2024-48992)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  libmodule-scandeps-perl         1.35-1ubuntu0.24.10.1  
  needrestart                     3.6-8ubuntu4.2

Ubuntu 24.04 LTS  
  libmodule-scandeps-perl         1.35-1ubuntu0.24.04.1  
  needrestart                     3.6-7ubuntu4.3

Ubuntu 22.04 LTS  
  libmodule-scandeps-perl         1.31-1ubuntu0.1  
  needrestart                     3.5-5ubuntu2.2

Ubuntu 20.04 LTS  
  libmodule-scandeps-perl         1.27-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  needrestart                     3.4-6ubuntu0.1+esm1  
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS  
  libmodule-scandeps-perl         1.24-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  needrestart                     3.1-1ubuntu0.1+esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  libmodule-scandeps-perl         1.20-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro  
  needrestart                     2.6-1ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7117-1  
  CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991,  
  CVE-2024-48992

Package Information:

 https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.10.1  
  https://launchpad.net/ubuntu/+source/needrestart/3.6-8ubuntu4.2

 https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.35-1ubuntu0.24.04.1  
  https://launchpad.net/ubuntu/+source/needrestart/3.6-7ubuntu4.3

 https://launchpad.net/ubuntu/+source/libmodule-scandeps-perl/1.31-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/needrestart/3.5-5ubuntu2.2

Ubuntu Security Notice USN-7117-1

Ubuntu Security Notice 7115-1 - It was discovered that Waitress could process follow up requests when receiving a specially crafted message. An attacker could use this issue to have the server process inconsistent client requests. Dylan Jay discovered that Waitress could be lead to write to an unexisting socket after closing the remote connection. An attacker could use this issue to increase resource utilization leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-7115-1  
November 19, 2024

Waitress vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Waitress.

Software Description:  
- waitress: production-quality pure-Python WSGI server

Details:

It was discovered that Waitress could process follow up requests when  
receiving a specially crafted message. An attacker could use this issue to  
have the server process inconsistent client requests. (CVE-2024-49768)

Dylan Jay discovered that Waitress could be lead to write to an unexisting  
socket after closing the remote connection. An attacker could use this  
issue to increase resource utilization leading to a denial of service.  
(CVE-2024-49769)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  python3-waitress                3.0.0-1ubuntu0.1

Ubuntu 24.04 LTS  
  python3-waitress                2.1.2-2ubuntu0.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS  
  python3-waitress                1.4.4-1.1ubuntu1.1

Ubuntu 20.04 LTS  
  python3-waitress                1.4.1-1ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7115-1  
  CVE-2024-49768, CVE-2024-49769

Package Information:  
  https://launchpad.net/ubuntu/+source/waitress/3.0.0-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/waitress/1.4.4-1.1ubuntu1.1  
  https://launchpad.net/ubuntu/+source/waitress/1.4.1-1ubuntu0.2

Ubuntu Security Notice USN-7115-1

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

If the US wants to maintain its lead in cybersecurity, it needs to make the tough funding decisions that are demanded of it.

Michael Daniel, President & CEO, Cyber Threat Alliance

November 20, 2024

5 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The term "government cybersecurity agency" probably conjures up a range of images, from men in dark suits to rooms filled with huge screens and people typing away at keyboards. It likely does not prompt people to think of a small underfunded agency in the Department of Commerce. Although organizations like the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) receive the most attention regarding cybersecurity, many other government agencies perform critical cybersecurity functions and are chronically underfunded and short-staffed. 

The digital ecosystem can suffer far-reaching negative impacts if these agencies cannot perform their missions. If the US wants to maintain its cybersecurity edge, Congress must allocate appropriate funding for agencies across the cybersecurity ecosystem to protect networks and critical infrastructure. The Commerce Department's National Institute of Standards and Technology (NIST) and the National Vulnerabilities Database (NVD) provide an excellent case study for this problem. 

The NVD is a catalog of known IT software and hardware vulnerabilities that bad actors can exploit to carry out malicious activities, such as breaking into a network to steal data or accessing a control system to sabotage equipment. 

Software vendors, cybersecurity providers, and network operators want to know about vulnerabilities so they can patch them and prevent bad actors from exploiting them. The NVD serves as a foundation for almost all vulnerability analysis, assessment, management, or remediation activities in the US, the European Union, and throughout much of the world. 

The US government has operated the NVD since 1999 under NIST. A relatively small agency by US government standards, it has a well-deserved reputation for quality, industry collaboration, and integrity; its expertise in standards development is unparalleled. The agency plays an outsized role in the cybersecurity ecosystem due to the extensive use of its standards, guidelines, best practices, and other cybersecurity products. 

**How the NVD Started and Developed**

The NVD started as a research project. As the vulnerability management process evolved, NIST staff began adding certain data fields to the NVD entries, a process that became known as enrichment. As the number and importance of vulnerability tracking increased — and businesses and network operators increasingly relied on the data — maintaining the NVD and its enriched data became an essential operational requirement for cybersecurity across the entire ecosystem. NIST continued to manage the NVD, despite not being an operational agency.  

This status quo persisted until mid-February 2024, when NIST stopped enriching the NVD entries without much warning. 

While the reasons for the outage are not fully known, long-time observers assert that a lack of resources played into NIST's decision. This abrupt change created major problems across the cybersecurity ecosystem because so many organizations relied on the enriched NVD data for their vulnerability management systems. While the resulting outcry eventually forced the US government to cobble together a solution and restart the process, the decision to stop enriching vulnerabilities measurably increased global cyber-risk for several months. 

**The Problem: Widespread Underfunding of Government Security**

This process breakdown shows what happens when we rely on underfunded government organizations for critical Internet security functions. Unfortunately, the NVD is hardly an outlier. A review of executive orders, presidential guidance documents, and national strategies would show many new tasks for NIST, but decreased funding in the financial year 2025 budget. NIST isn't the only agency in this situation. The Environmental Protection Agency, the Coast Guard, and the Department of Agriculture all have cybersecurity missions and are critical players in increasing our cyber resilience. The State Department and the US Agency for International Development are also responsible for carrying out our cyber policies abroad. Yet the collective resource allocations for these agencies and programs don't reflect their contribution to our overall cybersecurity. The allocated resources are not commensurate with our national security, economic prosperity, and public health and safety needs. 

As a country, we should recognize the importance of these functions and resource them appropriately. We should also think critically about who performs these tasks; for example, in the case of the NVD, should a government research organization maintain a foundational operational capability, or should another agency take over the function? For that matter, we should consider whether a function should be moved out of the federal government to a private sector entity or nonprofit. 

The structures, policies, and resource allocations that worked when the Internet was a "nice-to-have" no longer suffice. Now that the Internet is a "critical function," underpinning public health, safety, and global economic prosperity, we need to invest in the cybersecurity capabilities needed to keep the Internet functioning. We must shoulder our responsibilities appropriately, including allocating sufficient resources to meet our collective needs. 

Unfortunately, the current approach to funding government agencies by continuing resolution simply compounds the resourcing problem. Continuing resolutions are better than a government shutdown, of course, but they are otherwise bad for cybersecurity. They keep agencies at the same funding level as previous years, making no changes for inflation or mission, and they do not permit agencies to start new programs. Their short duration creates uncertainty and effectively freezes the federal government in place. We need Congress to pass annual appropriations bills and provide the resources necessary for our cybersecurity. As the recent McCrary Institute Presidential Transition Task Force report states, "The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts." That's why the report dedicates an entire section to funding and resource recommendations — without adequate resources, the best policies will not achieve their intended effects. 

The US is still a cyber superpower, but that status is not guaranteed to last — we could squander it. If the US wants to maintain its lead in cybersecurity, we need to act like adults and make the tough funding decisions that are demanded of us. Growing up is hard to do — but the alternative is very unattractive.

**About the Author**

President & CEO, Cyber Threat Alliance

Michael Daniel is president of the Cyber Threat Alliance and oversees the organization's operations. Prior to joining CTA in February 2017, Michael served from June 2012 to January 2017 as Special Assistant to President Obama and Cybersecurity Coordinator on the National Security Council Staff. In this role, Michael led the development of national cybersecurity strategy and policy, and ensured that the US government effectively partnered with the private sector, non-governmental organizations, and other nations.

Small US Cyber Agencies Are Underfunded &amp; That's a Problem

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.…

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams. Learn about the techniques used, the risks involved, and how to protect your organization from similar attacks.

Cybersecurity researchers at Aqua Nautilus uncovered a novel attack technique where threat actors exploited misconfigured JupyterLab and Jupyter Notebook servers to illegally stream sports events, drop live streaming capture tools, and duplicate broadcasts on their illegal server, causing stream ripping.

Unfortunately, illegal live streaming of sports events is a growing issue, impacting broadcasters, leagues, and legitimate platforms. With readily available streaming tools and high-speed internet, unauthorized broadcasts are flourishing, causing financial losses for both major leagues and smaller teams dependent on viewership revenue.

The targeted source streamed the UEFA Champions League match between Shakhtar Donetsk and BSC Young Boys on November 6, 2024 (Screenshot: Aqua Nautilus)

“The problem is widespread, with 5.1 million adults in England, Scotland, and Wales admitting to watching an illegal stream during the first six of last year,” researchers noted in the blog post. 

In this instance, the red flag was the seemingly harmless tool, ffmpeg. This open-source software is widely used for video processing and streaming. While threat intelligence confirmed its legitimacy, closer inspection revealed a twist. The attackers exploited misconfigured JupyterLab and Jupyter Notebook environments to gain access and deploy ffmpeg for live stream ripping.

The attack started with exploiting unauthenticated access to JupyterLab or Jupyter Notebook, which allowed remote code execution. The attackers then updated the server and downloaded ffmpeg, which was repurposed to capture live sports streams and redirect them to a malicious server. 

This reveals that the MITRE ATT&CK framework was used in an attack, where adversaries gained access through misconfigured Jupyter Notebook and JupyterLab environments. Attackers installed and ran ffmpeg, exfiltrated video content, and used the victim’s bandwidth to transfer the stolen streaming data.

This exploitation can result in “denial of service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments and, in the worst-case scenario, substantial financial and reputational damage,” researchers explained.

Attack flow (Screenshot: Aqua Nautilus)

Though seemingly minor in its immediate impact on organizations, the attack indicates the importance of behavioural analysis. Traditional security solutions might overlook such activity. However, the unusual deployment and execution of ffmpeg for live-stream capture alerted Aqua Nautilus’ security team. By analyzing network traffic, files, and memory dumps, Aqua Nautilus was able to reconstruct the entire attack sequence.

Undoubtedly, JupyterLab and Jupyter Notebook are valuable assets for data scientists, but security shortcomings can leave them vulnerable. Often, these servers are managed by individuals without a strong security background.

Leaving them connected to the internet with open access or weak firewalls allows threat actors to exploit them for attack. Token mishandling is another concern, as exposed tokens can grant full access. Thankfully, implementing best practices like restricted IPs, strong authentication, HTTPS, and proper token management can greatly lower these risks.

1.  New Jupyter infostealer delivered through the MSI installer
2.  Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
3.  New Jupyter backdoor malware steals Chrome, Firefox data
4.  NTLM Credential Theft in Python Apps Risk Windows Security
5.  PythonAnywhere Cloud Platform Abused to Host Ransomware

Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming

Dubai, United Arab Emirates, 20th November 2024, CyberNewsWire

**Dubai, United Arab Emirates, November 20th, 2024, CyberNewsWire**

ANY.RUN announced the launch of Smart Content Analysis, an advanced mechanism within its Automated Interactivity feature that enables the service to automatically detonate complex malware and phishing attacks, helping users speed up their investigations and gain in-depth insights into malicious behavior. 

**About Smart Content Analysis** 

Smart Content Analysis is a mechanism that allows the ANY.RUN sandbox to execute multi-stage cyber attacks without any user involvement. It does this by following three main steps: 

*   Scanning uploaded files to locate critical components, such as URLs and email attachments. 
*   Identifying the key components detonation of which moves the attack forward, including URLs embedded within QR codes or rewritten by security filters. 
*   Engaging with the malicious content in a controlled environment, for instance, by opening URLs in a browser or running payloads found in email archive attachments to observe their behavior. 

Automated Interactivity toggle inside ANY.RUN sandbox 

**Detonating a Multi-Stage Attack with Automated Interactivity** 

With this new upgrade, ANY.RUN’s sandbox can automatically execute the following types of content found at different stages of complex cyber attacks: 

*   URLs inside QR codes 
*   Modified links 
*   Multi-stage redirects 
*   Email attachments 
*   Payloads with archives 

**Users interested can get a 14-day free trial of ANY.RUN to explore Automated Interactivity and other PRO features**  

Consider the following multi-stage phishing attack analyzed with Automated Interactivity.  

The phishing email analyzed with Automated Interactivity 

The system automatically opens the .eml file submitted by the user via Outlook, detects a PDF attachment, and scans its contents. 

The static analysis module in ANY.RUN sandbox reveals the link hidden in the QR 

Inside the PDF, it identifies a QR code, instantly extracts the embedded URL, and opens it in a browser.   

ANY.RUN sandbox automatically solving CAPTCHA challenges 

When faced with a CAPTCHA challenge, commonly used to evade detection, the feature successfully solves it and moves on to the next stage of the attack. 

The final phishing page designed to steal victims’ credentials 

Eventually, it successfully reaches the final phishing page, not only ensuring complete detection of the attack, but also providing additional context on the threat at hand. 

**Adaptive to New Threats** 

ANY.RUN’s Smart Content Analysis is built to adapt to the changing threat landscape. With regular attack scenario updates from the ANY.RUN threat research team, the system remains aligned with emerging attack methods, allowing it to handle even the latest and most evasive threats. 

**Exploring Smart Content Analysis** 

Automated Interactivity helps security professionals streamline and improve their threat investigations: 

*   **Less manual effort**: No more wasted clicks. Let the sandbox handle repetitive actions so you can focus on the bigger picture.  
*   **Faster, deeper insights**: Go beyond surface detections with simulations that bring hidden threat layers to light.  
*   **Speedy analysis**: Accelerate your analysis with automation that moves as fast as you do, from simple phishing links to layered attack chains. 

Users can request a 14-day free trial of ANY.RUN’s Interactive Sandbox to try Automated Interactivity for free.

𝐀𝐛𝐨𝐮𝐭 𝐀𝐍𝐘.𝐑𝐔𝐍

ANY.RUN serves over 500,000 cybersecurity professionals globally, offering an interactive platform for malware analysis targeting Windows and Linux environments. With advanced threat intelligence tools such as TI Lookup, YARA Search, and Feeds, ANY.RUN enhances incident response and provides analysts with essential data to counter cyber threats effectively.

Users can connect through social media: X, LinkedIn

**Contact**

**ANYRUN FZCO**  
**\[email protected\]**  
**+1 657-366-5050**

ANY.RUN Sandbox Now Automates Interactive Analysis of Complex Cyber Attack Chains

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

Tech support scammers are again stooping low with their email campaigns. This particular one hints that one of your contacts may have met an untimely end.

It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.

A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a tweet dating back to February 5, 2024.

With some more information about what I was looking for, I managed to find several more.

There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:

Subject: Sad announcement: <First name><Last name>

Sometimes the colon is replaced by the word “from”.

Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:

> “When you open them you will see why I actually wanted to share them with you today”
> 
> “Never thought I would want to share these images with you, anyways here they are”
> 
> “I’m presuming you should remember these two ladies, in that photo”
> 
> “When I was looking through some old folders I found these 3 pics”
> 
> “it wasn’t initially my plan, but I had to change my mind about it”
> 
> “Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”
> 
> “Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”

This is then immediately followed by a link. These also follow a certain pattern:

gjsqr.hytsiysx.com

tmdlod.vdicedohf.com

gtfhq.rmldxkff.com

pdbh.ramahteen.com

owwiu.dexfyerd.com

roix.unrgagceso.com

yrlbi.vohdsniuz.com

uqjk.mbafwnds.com

vjdbd.hhesdeh.com

mbjzo.enexoo.com

These domains are all registered with NameCheap and are only active for a few days.

To close the emails off, the scammers end with a quote in the format:

> “You do not find the happy life. You make it.” –  Camilla Eyring Kimball

The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.

The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.

So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.

A short chain of redirects sent me to https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html which is now blocked by Malwarebytes Browser Guard.

The blob.core.windows.net subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:

<storageaccountname>.blob.core.windows.net

Where <storageaccountname> is the name of the specific Azure Storage account. Spammers like using them because the windows.net part of the domain makes them look trustworthy.

The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.

The fake Windows Defender site shows that your system is infected with loads of threats.

Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.

Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.

Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.

**How to avoid the “sad announcement” scam**

*   Always compare the actual sender address with the email address this person would normally use to send you an email.
*   Never click on link in an unsolicited email before checking with the sender.
*   Don’t call the phone numbers displayed on the website, because they will try to defraud you.
*   If in doubt, contact your friend via another, trusted method

If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.

Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.

Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:

*   Have you already paid? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC or contact your local law enforcement agency, depending on your region.
*   If you’ve shared your password with a scammer, change it on every account that uses this password. Consider using a password manager and enable 2FA for important accounts.
*   Scan your device. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.
*   Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank accounts so you can revert and stop them.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 “Sad announcement” email leads to tech support scam 

Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

To determine whether your Mac is Intel-based or equipped with Apple silicon, follow these simple steps:

*   Click the Apple icon in the top-left corner of your screen.
*   Select **About This Mac**.
*   Check the information:
    
    *   If you see an item labeled Chip, your Mac has Apple silicon (like M1, M2, or M3).
    
    *   If you see an item labeled Processor, it indicates that your Mac is Intel-based, and the specific Intel processor name will be listed next to it.

**Technical details**

Because Apple does not share details until everyone has had a chance to update, it is hard to figure out what the exact problem is. But there are some things we can deduct from the given information.

The vulnerabilities that Apple says may have been actively exploited on Intel-based Mac systems are:

CVE-2024-44308: a vulnerability in the JavaScriptCore component. Processing maliciously crafted web content may lead to arbitrary code execution. This means that an attacker will have to trick a victim into opening a malicious file containing web content.

JavaScriptCore is the built-in JavaScript engine for WebKit that enables cross-platform development by providing a way to execute JavaScript within native iOS and macOS applications.

CVE-2024-44309: a cookie management issue in the WebKit component was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross-site scripting attack.

**We don’t just report on macOS security—we provide it.**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Mac by downloading Malwarebytes for Mac today.

Latest News