Red Hat Security Advisory 2024-0265-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and out of bounds access vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0265.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: java-1.8.0-openjdk security and bug fix updateAdvisory ID:        RHSA-2024:0265-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0265Issue date:         2024-01-17Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.Security Fix(es):* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)* OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es):* In the previous release in October 2023 (8u392), the RPMs on RHEL 8 were changed to use Provides for java, jre, java-headless, jre-headless, java-devel and java-sdk which included the full RPM version. This prevented the Provides being used to resolve a dependency on Java 1.8.0 (for example, \"Requires: java-headless 1:1.8.0\"). This change has now been reverted to the old \"1:1.8.0\" value. (RHEL-19636, RHEL-19637)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2257728https://bugzilla.redhat.com/show_bug.cgi?id=2257837https://bugzilla.redhat.com/show_bug.cgi?id=2257850https://bugzilla.redhat.com/show_bug.cgi?id=2257853https://bugzilla.redhat.com/show_bug.cgi?id=2257859https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0265-03

Red Hat Security Advisory 2024-0250-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0250.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0250-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0250  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0250-03

Red Hat Security Advisory 2024-0249-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0249.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-21-openjdk security update  
Advisory ID:        RHSA-2024:0249-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0249  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0249-03

Red Hat Security Advisory 2024-0248-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0248.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-21-openjdk security update  
Advisory ID:        RHSA-2024:0248-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0248  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-21-openjdk packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0248-03

Red Hat Security Advisory 2024-0247-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0247.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 21.0.2 security update  
Advisory ID:        RHSA-2024:0247-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0247  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.2) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.1) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0247-03

Red Hat Security Advisory 2024-0246-03 - An update is now available for OpenJDK. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0246.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenJDK 17.0.10 security update  
Advisory ID:        RHSA-2024:0246-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0246  
Issue date:         2024-01-17  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.10) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.9) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: incorrect handling of ZIP files with duplicate entries (8276123) (CVE-2024-20932)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257720  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Red Hat Security Advisory 2024-0246-03

A new report from Chainalysis finds that stablecoins like Tether, tied to the value of the US dollar, were used in the vast majority of crypto-based scam transactions and sanctions evasion in 2023.

Stablecoins, cryptocurrencies pegged to a stable value like the US dollar, were created with the promise of bringing the frictionless, border-crossing fluidity of Bitcoin to a form of digital money with far less volatility. That combination has proved to be wildly popular, rocketing the total value of stablecoin transactions since 2022 past even that of Bitcoin itself.

It turns out, however, that as stablecoins have become popular among legitimate users over the past two years, they were even more popular among a different kind of user: those exploiting them for billions of dollars of international sanctions evasion and scams.

As part of its annual crime report, cryptocurrency-tracing firm Chainalysis today released new numbers on the disproportionate use of stablecoins for both of those massive categories of illicit crypto transactions over the last year. By analyzing blockchains, Chainalysis determined that stablecoins were used in fully 70 percent of crypto scam transactions in 2023, 83 percent of crypto payments to sanctioned countries like Iran and Russia, and 84 percent of crypto payments to specifically sanctioned individuals and companies. Those numbers far outstrip stablecoins' growing overall use—including for legitimate purposes—which accounted for 59 percent of all cryptocurrency transaction volume in 2023.

In total, Chainalysis measured $40 billion in illicit stablecoin transactions in 2022 and 2023 combined. The largest single category of that stablecoin-enabled crime was sanctions evasion. In fact, across all cryptocurrencies, sanctions evasion accounted for more than half of the $24.2 billion in criminal transactions Chainalysis observed in 2023, with stablecoins representing the vast majority of those transactions.

The attraction of stablecoins for both sanctioned people and countries, argues Andrew Fierman, Chainalysis' head of sanctions strategy, is that it allows targets of sanctions to circumvent any attempt to deny them a stable currency like the US dollar. “Whether it's an individual located in Iran or a bad guy trying to launder money—either way, there's a benefit to the stability of the US dollar that people are looking to obtain,” Fierman says. “If you're in a jurisdiction where you don't have access to the US dollar due to sanctions, stablecoins become an interesting play.”

As examples, Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio, Chainalysis found. That's a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison.

Chainalysis's chart showing the growth in stablecoins as a fraction of the value of total illicit crypto transactions over time.

COURTESY OF CHAINALYSIS

Chainalysis concedes that the analysis in its report excludes some cryptocurrencies like Monero and Zcash that are designed to be harder or impossible to trace with blockchain analysis. It also says it based its numbers on the type of cryptocurrency sent directly to an illicit actor, which may leave out other currencies used in money laundering processes that repeatedly swap one type of cryptocurrency for another to make tracing more difficult.

Chainalysis's findings come on the heels of another report released earlier this week by United Nations researchers on the outsize role of stablecoins in illegal gambling and scam operations across East and Southeast Asia. While Chainalysis declined to break out the value of any particular stablecoin in its findings, the UN report singles out Tether, the most popular stablecoin. The report describes Tether sent through the TRON blockchain-based payment network as the “preferred choice for regional cyberfraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions.”

“Pig butchering” scams—cons in which scammers typically trick users into sending funds into fraudulent investments—consistently use Tether as the means of bilking victims, says Erin West, a deputy district attorney for California's Santa Clara County and a member of the REACT High Tech Task Force, who has long focused on crypto crime. “It’s always, always, always Tether. I’ve never heard of pig butchering that _isn’t_ Tether,” says West. “These scammers can’t risk the volatility of any of the other coins like bitcoin or ether. All they want is to move assets from the victims' hands to their own in the cheapest, easiest way possible.”

West says that the high proportion of stablecoin use in sanctions evasion also represents a disturbing trend, given that it undermines a system meant to hold specific countries, individuals, and companies accountable for criminal behavior and violations of international law. “It's so dangerous,” West says. “It enables them to have access to the very units of currency that we’re trying to prevent them from accessing. This is exactly what sanctions are meant to stop, and they’re able to bypass it.”

Chainalysis's chart showing how stablecoins dominated cryptocurrency-based sanctions evasion and scams in 2023.

COURTESY OF CHAINALYSIS

When WIRED reached out to Tether Holdings—the company that issues the stablecoin that shares its name—it responded in a statement following publication of this article that “Tether proactively collaborates with global law enforcement agencies to identify and prevent illicit use of” its cryptocurrency, adding that its “commitment to the highest standards of compliance is evident in our efforts to eliminate various forms of criminal activity.”

Tether argued further that it has contributed to freezing the assets of users involved in scams or found to be violating the US Treasury's sanctions lists, and noted that all of its transactions, like many cryptocurrencies, can be publicly observed on blockchains—in other words, the observability that made Chainalysis's report possible. “Between our active and direct engagement with law enforcement and leveraging the transparent nature of blockchain transactions, individuals attempting to conceal their illicit financial activities face significant risks, as every transaction can be easily traced,” the company's statement reads.

Tether Holdings has more flatly denied other reports of Tether's use in crime and sanctions evasion. It wrote that an October _Wall Street Journal_ article on the subject was based on “highly erroneous interpretations of data”—though in that case, the company pointed to Chainalysis findings as a more accurate accounting. “There is simply no evidence that Tether has violated Sanctions laws or the Bank Secrecy Act through inadequate customer due diligence or screening practices,” Tether Holdings wrote in an October 26 blog post addressing the _WSJ_ article.

In contrast to most cryptocurrencies, Tether does have the capability to freeze user funds, and it said in the October blog post that since its launch in 2014, it had frozen $835 million in funds deemed to be tied to illicit activities. “Tether's ethos revolves around transparency, compliance, and proactive collaboration with relevant authorities worldwide,” the company wrote.

Chainalysis' Fierman says that Tether's efforts to freeze criminal funds are having an impact, and more enforcement could help end stablecoins' exploitation by criminals. “Just as we’ve seen with compliant exchanges dominating more and more of total transaction volumes, illicit activity gets pushed to the fringes,” Fierman says.

Despite Tether's ability to freeze funds, Chainalysis' data suggests that illicit use of stablecoins has so far dwarfed those seizures. West, the prosecutor, notes that most Tether associated with crime is cashed out for another currency long before anyone identifies it. That means Tether hasn't yet come close to solving the underlying problem.

“I applaud it. I'm all for it,” West says of Tether's efforts to freeze criminal assets. “But when we're talking about billions and billions of dollars in assets moving, I just think this is one piece of one piece of the puzzle. There are so many more pieces. And the bad actors are so far ahead of us.”

_Updated at 9:45 am ET, January 18, 2024, to correctly identify prosecutor Erin West's professional title and at 2:45 pm ET with a statement from Tether Holdings._

‘Stablecoins’ Enabled $40 Billion in Crypto Crime Since 2022

Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.
The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via

Supply Chain Attacks / AI Security

Continuous integration and continuous delivery (CI/CD) misconfigurations discovered in the open-source TensorFlow machine learning framework could have been exploited to orchestrate supply chain attacks.

The misconfigurations could be abused by an attacker to "conduct a supply chain compromise of TensorFlow releases on GitHub and PyPi by compromising TensorFlow's build agents via a malicious pull request," Praetorian researchers Adnan Khan and John Stawinski said in a report published this week.

Successful exploitation of these issues could permit an external attacker to upload malicious releases to the GitHub repository, gain remote code execution on the self-hosted GitHub runner, and even retrieve a GitHub Personal Access Token (PAT) for the tensorflow-jenkins user.

TensorFlow uses GitHub Actions to automate the software build, test, and deployment pipeline. Runners, which refer to machines that execute jobs in a GitHub Actions workflow, can be either self-hosted or hosted by GitHub.

"We recommend that you only use self-hosted runners with private repositories," GitHub notes in its documentation. "This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow."

Put differently, this allows any contributor to execute arbitrary code on the self-hosted runner by submitting a malicious pull request.

This, however, does not pose any security concern with GitHub-hosted runners, as each runner is ephemeral and is a clean, isolated virtual machine that's destroyed at the end of the job execution.

Praetorian said it was able to identify TensorFlow workflows that were executed on self-hosted runners, subsequently finding fork pull requests from previous contributors that automatically triggered the appropriate CI/CD workflows without requiring approval.

An adversary looking to trojanize a target repository could, therefore, fix a typo or make a small but legitimate code change, create a pull request for it, and then wait until the pull request is merged in order to become a contributor. This would then enable them to execute code on the runner sans raising any red flag by creating a rogue pull request.

Further examination of the workflow logs revealed that the self-hosted runner was not only non-ephemeral (thus opening the door for persistence), but also that the GITHUB\_TOKEN permissions associated with the workflow came with extensive write permissions.

"Because the GITHUB\_TOKEN had the Contents:write permission, it could upload releases to https://github\[.\]com/tensorflow/tensorflow/releases/," the researchers said. "An attacker that compromised one of these \`GITHUB\_TOKEN's could add their own files to the Release Assets."

On top of that, the contents:write permissions could be weaponized to push code directly to the TensorFlow repository by covertly injecting the malicious code into a feature branch and getting it merged into the main branch.

That's not all. A threat actor could steal the AWS\_PYPI\_ACCOUNT\_TOKEN used in the release workflow to authenticate to the Python Package Index (PyPI) registry and upload a malicious Python .whl file, effectively poisoning the package.

"An attacker could also use the GITHUB\_TOKEN's permissions to compromise the JENKINS\_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners," the researchers said.

Following responsible disclosure on August 1, 2023, the shortcomings were addressed by the project maintainers as of December 20, 2023, by requiring approval for workflows submitted from all fork pull requests and by changing the GITHUB\_TOKEN permissions to read-only for workflows that ran on self-hosted runners.

"Similar CI/CD attacks are on the rise as more organizations automate their CI/CD processes," the researchers said.

"AI/ML companies are particularly vulnerable as many of their workflows require significant compute power that isn't available in GitHub-hosted runners, thus the prevalence of self-hosted runners."

The disclosure comes as both researchers revealed that several public GitHub repositories, including those associated with Chia Networks, Microsoft DeepSpeed, and PyTorch, are susceptible to malicious code injection via self-hosted GitHub Actions runners.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TensorFlow CI/CD Flaw Exposed Supply Chain to Poisoning Attacks

In today's digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an

Authentication Security / Passwords

In today's digital landscape, traditional password-only authentication systems have proven to be vulnerable to a wide range of cyberattacks. To safeguard critical business resources, organizations are increasingly turning to multi-factor authentication (MFA) as a more robust security measure. MFA requires users to provide multiple authentication factors to verify their identity, providing an additional layer of protection against unauthorized access.

However, cybercriminals are relentless in their pursuit of finding ways to bypass MFA systems. One such method gaining traction is MFA spamming attacks, also known as MFA fatigue, or MFA bombing. This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat.

**What is MFA spamming?**

MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.

**MFA spamming attack techniques**

There are various methods employed to execute MFA spamming attacks, including:

1.  Utilizing automated tools or scripts to flood the targeted victims' devices with a high volume of verification requests.
2.  Employing social engineering tactics to deceive the target user into accepting a verification request.
3.  Exploiting the API of the MFA system to send a substantial number of false authentication requests to the target user.

By employing these techniques, attackers aim to exploit any unintentional approvals, ultimately gaining unauthorized access to sensitive information or accounts.

**Examples of MFA spamming attack**

Hackers increasingly leverage MFA spamming attack to bypass MFA systems. Here are two noticeable cyberattacks executed using this technique:

*   Between March and May 2021, hackers circumvented the Coinbase company's SMS multi-factor authentication, which is considered one of the largest cryptocurrency exchange companies worldwide, and stole cryptocurrencies from over 6,000 customers
*   In 2022, hackers flooded Crypto.com customers with a large number of notifications to withdraw money from their wallets. Many customers approve the fraudulent transaction requests inadvertently, leading to a loss of 4,836.26 ETH, 443.93 BTC and approximately US$66,200 in other cryptocurrencies

**How to mitigate MFA spamming attacks**

Mitigating MFA spamming attacks necessitates the implementation of technical controls and the enforcement of relevant MFA security policies. Here are some effective strategies to prevent such attacks.

**Enforce strong password policies and block breach passwords**

For the MFA spamming attack to be successful, the attacker must first obtain the login credentials of the target user. Hackers employ various methods to acquire these credentials, including brute force attacks, phishing emails, credential stuffing, and purchasing stolen/breached credentials from the dark web.

The first line of defense against MFA spamming is securing your users' passwords. Specops Password Policy with Breached Password Protection helps prevent users from utilizing compromised credentials, thereby reducing the risk of attackers gaining unauthorized access to their accounts.

**End-user training**

Your organization's end-user training program should emphasize the importance of carefully verifying MFA login requests before approving them. If users encounter a significant number of MFA requests, it should raise suspicion and serve as a potential clue of a targeted cyberattack. In such cases, it is crucial to educate users about the immediate action they should take, which includes resetting their account credentials as a precautionary measure and notifying security teams. By leveraging a self-service password reset solution like Specops uReset, end-users gain the ability to swiftly change their passwords, effectively minimizing the window of opportunity for MFA spamming attacks.

**Rate limiting**

Organizations should implement rate-limiting mechanisms that restrict the number of authentication requests allowed from a single user account within a specific time frame. By doing so, automated scripts or bots are unable to overwhelm users with an excessive number of requests.

**Monitoring and alerting**

Implement robust monitoring systems to detect and alert on unusual patterns of MFA requests. This can help identify potential spamming attacks in real-time, and allow for immediate action to be taken.

**Key takeaways**

To effectively protect against MFA spamming, organizations must prioritize robust security practices. One effective tactic is to strengthen password policies and block the use of compromised passwords. Implementing a solution like Specops Password Policy's Breached Password Protection feature can help organizations achieve this.

Try it free here and see how you can enhance your password security and safeguard your organization against MFA spamming attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MFA Spamming and Fatigue: When Security Measures Go Wrong

By Deeba Ahmed
9Hits, Double Hit: Malware Mimics Web Tool to Mine Crypto, Generate Fake Website Traffic.
This is a post from HackRead.com Read the original post: Malware Exploits 9Hits, Turns Docker Servers into Traffic Boosted Crypto Miners

Cybercriminals are targeting vulnerable Docker servers by deploying two containers: a standard XMRig miner and the 9Hits viewer application—an automated traffic exchange system.

Cado Security researchers have discovered a new campaign targeting vulnerable Docker servers, deploying two containers – a regular XMRig miner and the 9hits viewer application. This is the first documented case of malware deploying the 9Hits Traffic Exchange viewer application as a payload.

For your information, 9hits is a platform where members buy credits for traffic generated on their website and can run the viewer app to visit requested websites in exchange for credits.

Researchers suspect that the attackers discovered the honeypot via Shodan or a similar service, as their IP isn’t included in common abuse databases, or they may be using a different server for scanning.

Further probing revealed that the attacker is likely using a script to set the DOCKER\_HOST variable and run the regular CLI to compromise the server. They fetch off-the-shelf images from Dockerhub for their 9hits and XMRig software, a common attack vector for campaigns targeting Docker.

Generally, attackers use a generic Alpine image to break out of a container and run malware on the host. In this campaign, however, they do not try to exit the container and run it with a predetermined argument.

The spreader initiates the infection using a custom command to invoke a Docker container, including configuration/session identifiers. The nh.sh process is the entry point, and after the attacker adds their session token, it allows the 9hits app to authenticate with their servers and fetches a list of sites to visit. Once the app has visited the site, the session token owner is awarded a credit on the 9hits platform.

It is worth noting that the session token system is designed to work in untrusted contexts, allowing the app to be run in illegitimate campaigns without the risk of the attacker’s account being compromised.

9hits, a headless Chrome app, is used to visit various websites, including adult and pop-up sites. In 2017, Chrome 59 introduced Headless mode, allowing users to run the browser in an unattended environment without visible UI, making it popular for browser automation with projects like Puppeteer or ChromeDriver.

According to Cado Security’s blog post, interestingly, the attacker disabled the app’s ability to visit crypto-related sites. The -o option in XMRig deployments specifies a mining pool, typically a public pool with the owner’s wallet address, but in this case, it appears private, preventing campaign statistics analysis.

Further, as seen in the image below, the dscloud domain is used for dynamic DNS, updated by the Synology server with the attacker’s IP. The address resolves to 2736.82.56, the same IP that infected the honeypot.

Exposure to Docker hosts remains a common entry vector for attackers, emphasizing the importance of maintaining system security to prevent malicious use of systems. The campaign significantly impacts compromised hosts by exhausting CPU resources, causing legitimate workloads to fail.

Additionally, it could potentially leave a remote shell on the system, causing a more serious breach. This highlights the ongoing trend of attackers seeking new strategies to exploit compromised hosts.

****_RELATED ARTICLES_****

1.  **Change your password: Docker suffers breach; 190k users affected**
2.  **Hackers Exploit Adobe ColdFusion Vulnerabilities to Deploy Malware**
3.  **Threat actors hijacking Bitbucket and Docker Hub for Monero mining**
4.  **OracleIV DDoS Botnet Malware Targets Docker Engine API Instances**
5.  **Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw**

Tag

#git