There’s been a great deal of AI hype recently, but that doesn’t mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI.
From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally,

_There's been a great deal of AI hype recently, but that doesn't mean the robots are here to replace us. This article sets the record straight and explains how businesses should approach AI._

From musing about self-driving cars to fearing AI bots that could destroy the world, there has been a great deal of AI hype in the past few years. AI has captured our imaginations, dreams, and occasionally, our nightmares. However, the reality is that AI is currently much less advanced than we anticipated it would be by now. Autonomous cars, for example, often considered the poster child of AI's limitless future, represent a narrow use case and are not yet a common application across all transportation sectors.

In this article, we de-hype AI, provide tools for businesses approaching AI and share information to help stakeholders educate themselves.

**AI Terminology De-Hyped****AI vs. ML**

AI (Artificial Intelligence) and ML (Machine Learning) are terms that are often used interchangeably, but they represent different concepts. AI aims to create intelligence, which means cognitive abilities and the capacity to pass the Turing test. It works by taking what it has learned and elevating it to the next level. The goal of using AI is to replicate human actions, such as creating a cleaning robot that operates in a manner similar to a human cleaner.

ML is a subset of AI. It comprises mathematical models and its abilities are based on combining machines with data. ML works by learning lessons from events and then prioritizing those lessons. As a result, ML can perform actions that humans cannot, like going over vast reams of data, figuring out patterns, predicting probabilities, and more.

**Narrow vs. General AI**

The concept of General AI is the one that often scares most people, since it's the epitome of our "robot overlords" replacing human beings. However, while this idea is technically possible, we are not at that stage right now.

Unlike General AI, Narrow AI is a specialized form of AI that is tuned for very specific tasks. This focus allows supporting humans, relieving us from work that is too demanding or potentially harmful. It is not intended to replace us. Narrow AI is already being applied across industries, like for building cars or packaging boxes. In cybersecurity, Narrow AI can analyze activity data and logs, searching for anomalies or signs of an attack.

**AI and ML in the Wild**

There are three common models of AI and ML in the wild: generative AI, supervised ML and unsupervised ML.

**Generative AI**

Generative AI is a cutting-edge field in AI, characterized by models, like LLMs, that are trained on a corpus of knowledge. The generative AI technology has the ability to generate new content based on the information contained within that corpus. Generative AI has been described as a form of "autocorrect" or "type ahead," but on steroids. Examples of Generative AI applications include ChatGPT, Bing, Bard, Dall-E, and specialized cyber assistants, like IBM Security QRadar Advisor with Watson or MSFT Security CoPilot.

Generative AI is best suited for use cases like brainstorming, assisted copyediting and conducting research against a trusted corpus. **Cybersecurity professionals**, like SOC and fusion teams, can leverage Generative AI for research, to help them understand zero-day vulnerabilities, network topologies, or new indicators of compromise (IoC). It's important to recognize that Generative AI sometimes produces "hallucinations", i.e. wrong answers.

Cyber Security Master Class: Episode 13

Everything You Wanted To Know About AI Security But Were Afraid To Ask

In this session, we will go beyond the hype and find out if and how AI impacts your cybersecurity strategy.

Watch Now

According to Etay Maor, Senior Director Security Strategy at **Cato Networks**, "Generative AI can also help criminals. For example, they can use it to write phishing emails. Before ChatGPT, one of the basic detections of phishing emails was spelling mistakes and bad grammar. Those were indicators that something was suspicious. Now, criminals can easily write a phishing email in multiple languages in perfect grammar."

**Unsupervised Learning**

Unsupervised learning in ML means that the training data and the outcomes are not labeled. This approach allows algorithms to make inferences from data without human intervention, to find patterns, clusters and connections. Unsupervised learning is commonly used for dynamic recommendations, like in retail websites.

In cybersecurity, unsupervised learning can be used for clustering or grouping and for finding patterns that weren't apparent before, for example it can help identify all malware with a certain signature originating from a specific nation-state. It can also find associations and links between data sets. For example, determining if people who click on phishing emails are more likely to reuse passwords. Another use case is anomaly detection, like detecting activity that might indicate an attacker is using stolen credentials.

Unsupervised learning is not always the right choice. When getting the output wrong has a very high impact and severe consequences, when short training times are needed, or when full transparency is required, it's recommended to take a different approach.

**Supervised Learning**

In supervised learning, the training data is labeled with input/output pairs, and the model's accuracy depends on the quality of labeling and dataset completeness. Human intervention is often required to review the output, improve accuracy,and correct any bias drift. Supervised learning is best suited for making predictions.

In cybersecurity, supervised learning is used for classification, which can help identify phishing and malware. It can also be used for regression, like predicting the cost of a novel attack based on past incident costs.

Supervised learning is not the best fit if there's no time to train or no one to label or train the data. It's also not recommended when there is a need to analyze large amounts of data, when there is not enough data, or when automated classification/clustering is the end goal.

**Reinforcement Learning (RL)**

Reinforcement Learning (RL) occupies a space between fully supervised and unsupervised learning and is a unique approach to ML. It means retraining a model when existing training fails to anticipate certain use cases. Even deep learning, with its access to large datasets, can still miss outlier use cases that RL can address. The very existence of RL is an implicit admission that models can be flawed.

**What Cybercriminals are Saying About Generative AI**

Generative AI is of interest to cyber criminals. According to Etay Maor "Cyber criminals have been talking about how to use ChatGPT, Bard and other GenAI applications from the day they were introduced, as well as sharing their experience and thoughts about their capabilities. As it seems, they believe that GenAI has limitations and will probably be more mature for attacker use in a few years."

Some conversation examples include:

**The Artificial Intelligence Risk Management Framework (AI RMF) by NIST**

When engaging with AI and AI-based solutions, it's important to understand AI's limitations, risks and vulnerabilities. The Artificial Intelligence Risk Management Framework (AI RMF) by NIST is a set of guidelines and best practices designed to help organizations identify, assess and manage the risks associated with the deployment and use of artificial intelligence technologies.

The framework consists of six elements:

1.  **Valid and Reliable** \- AI can provide the wrong information, which is also known in GenAI as "hallucinations". It's important that companies can validate the AI they're adopting is accurate and reliable.
2.  **Safe** - Ensuring that the prompted information isn't shared with other users, like in the infamous Samsung case.
3.  **Secure and Resilient** - Attackers are using AI for cyber attacks. Organizations should ensure the AI system is protected and safe from attacks and can successfully thwart attempts to exploit it or use it for assisting with attacks.
4.  **Accountable and Transparent** - It's important to be able to explain the AI supply chain and to ensure there is an open conversation about how it works. AI is not magic.
5.  **Privacy-enhanced** - Ensuring the prompted information is protected and anonymized in the data lake and when used.
6.  **Fair** - This is one of the most important elements. It means managing harmful bias. For example, there is often bias in AI facial recognition, with light-skinned males being more accurately identified compared to women and darker skin colors. When using AI for law enforcement, for example, this could have severe implications.

Additional resources for managing AI risk include the MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), OWASP Top 10 for ML and Google's Secure AI Framework (SAIF).

**Questions to Ask Your Vendor**

In the near future, it will be very common for vendors to offer generative AI capabilities. Here is a list of questions to ask to support your educated choice.

****1\. What and Why?****

What are the AI capabilities and why are they needed? For example, GenAI is very good at writing emails, so GenAI makes sense for an email system. What's the use case for the vendor?

****2\. Training data****

Training data needs to be properly and accurately managed, otherwise it can create bias. It's important to ask about the types of training data, how it has been cleaned, how it is managed, etc.

****3\. Was resilience built-in?****

Has the vendor taken into consideration that cybercriminals are attacking the system itself and implemented security controls?

****4\. Real ROI vs. Claims****

What is the ROI and does the ROI justify implementing AI or ML (or were they added because of the hype and for sales purposes)?

****5\. Is it Really Solving a Problem?****

The most important question - is the AI solving your problem and is it doing it well? There's no point in paying a premium and incurring extra overhead unless the AI is solving the problem and working the way it should.

AI can empower us and help us perform better, but it is not a silver bullet. That's why it's important for businesses to make educated decisions about tools with AI they choose to implement internally.

To learn more about AI and ML use cases, risks, applications, vulnerabilities and implications for security experts, **watch the entire masterclass here**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Everything You Wanted to Know About AI Security but Were Afraid to Ask

ImpressionTech CMS version 1.4 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : ImpressionTech CMS ٍv1.4 Sql injection Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                            || # Vendor    : http://www.imprtech.com/                                                                                           |  | # Dork      : "Website | Impression Technologies LLC"  .php?id=                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : /news.php?id=58[+] http://127.0.0.1/xxxxxxxxxx.com/news.php?id=58 <======= inject hereGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

ImpressionTech CMS 1.4 SQL Injection

Impress CMS version 1.3.9 suffers from an open redirection vulnerability.

    ====================================================================================================================================| # Title     : impress CMS v1.3.9 Open Redirect vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.impresscms.org/                                                                                         || # Dork      : "Powered by ImpressCMS"                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload :http://localhost/user.php?xoops_redirect="maliciouslink"[+] http://localhost/user.php?xoops_redirect=https://packetstormsecurity.com/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Impress CMS 1.3.9 Open Redirection

ImgHosting version 1.3 suffers from a html injection vulnerability.

    ====================================================================================================================================| # Title     : ImgHosting v1.3 html injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register new user http://www.127.0.0.1/sowrkom/?register[+] Login and upload image file go to yours file http://127.0.0.1/ikhostingcom/?files[+] and edit your image and add Description put this code Url redirect <META http-equiv="refresh" content="5;URL=https://cxsecurity.com/">[+] http://127.0.0.1/ikhostinom/DNSRBJhGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

ImgHosting 1.3 HTML Injection

Humhub version 1.3.13 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Humhub v1.3.13 Unrestricted File Upload Vulnerability                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0(32-bit)                                               || # Vendor    : https://www.humhub.org/en/download/package/humhub-1.3.13.zip                                                       || # Dork      : "Propulsé par HumHub"                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Unauthorized file upload Allows any Registered members to upload malicious files and run them.[+] Register new user .[+] go to your profile https://127.0.0.1/humhub.com/u/admin/user/profile/home Get started and post something bad.[+] /uploads/file/yours.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Humhub 1.3.13 Shell Upload

Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware.
“Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more,” WithSecure researcher Mohammad Kazem Hassan Nejad said. “And with businesses now leveraging the reach

Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware.

"Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more," WithSecure researcher Mohammad Kazem Hassan Nejad said. "And with businesses now leveraging the reach of social media for advertising, attackers have a new, highly-lucrative type of attack to add to their arsenal – hijacking business accounts."

Cyber attacks targeting Meta Business and Facebook accounts have gained popularity over the past year, courtesy of activity clusters such as Ducktail and NodeStealer that are known to raid businesses and individuals operating on Facebook.

Among the methods employed by cybercriminals to gain unauthorized access to user accounts, social engineering plays a significant role.

Victims are approached through various platforms ranging from Facebook and LinkedIn to WhatsApp and freelance job portals like Upwork. Another known distribution mechanism is the use of search engine poisoning to boost bogus software such as CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

An element that's common to these groups is the abuse of URL shortener services, Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host the malicious payloads.

The actors behind Ducktail, for instance, leverage lures related to brand and marketing projects to infiltrate individuals and businesses that operate on Meta's Business platform, with new attack waves employing job and recruitment-related themes to activate the infection.

In these attacks, potential targets are directed to bogus postings on Upwork and Freelancer through Facebook ads or LinkedIn InMail, which, in turn, contain a link to a booby-trapped job description file hosted on one of the aforementioned cloud storage providers, ultimately leading to the deployment of the Ducktail stealer malware.

"Ducktail malware steals saved session cookies from browsers, with code specifically tailored to take over Facebook business accounts," Zscaler ThreatLabz researchers Sudeep Singh and Naveen Selvan noted in a parallel analysis, stating the accounts sell for anywhere between $15 to $340.

"The 'products' of the operation (i.e. hacked social media accounts) feed an underground economy of stolen social media accounts, where numerous vendors offer accounts priced according to their perceived usefulness for malicious activity."

Select infection sequences observed between February and March 2023 have involved the use of shortcut and PowerShell files to download and launch the final malware, illustrating the attackers' continued evolution of their tactics.

The experimentation also extends to the stealer, which has been updated to harvest a user's personal information from X (formerly Twitter), TikTok Business, and Google Ads, as well as leverage the stolen Facebook session cookies to create fraudulent ads in an automated fashion and obtain elevated privileges to perform other actions.

A primary method used to takeover a victim's compromised account is by adding their own email address to that account, subsequently changing the password and email address of the victim's Facebook account to lock them out of the service.

"Another new feature observed in Ducktail samples since (at least) July 2023 is using RestartManager (RM) to kill processes that lock browser databases," WithSecure said. "This capability is often found in ransomware as files that are in-use by processes or services cannot be encrypted."

What's more, the final payload is obscured using a loader to decrypt and execute it dynamically at runtime in what's seen as an attempt to incorporate techniques aimed at increasing analysis complexity and detection evasion.

Some of the other methods adopted by the threat actor to hinder analysis encompass the use of uniquely generated assembly names and the reliance on SmartAssembly, bloating, and compression to obfuscate the malware.

Zscaler said it spotted cases where the group initiated contact via compromised LinkedIn accounts that belonged to users working in the digital marketing space, some of whom had more than 500 connections and 1,000 followers.

UPCOMING WEBINAR

Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security

Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.

Supercharge Your Skills

"The high amount of connections/followers helped lend authenticity to the compromised accounts and facilitated the social engineering process for threat actors," the researchers said.

This also highlights the worm-like propagation of Ducktail wherein LinkedIn credentials and cookies stolen from a user who fell victim to the malware attack is used to login to their accounts and contact other targets and broaden their reach.

Ducktail is said to be one of the many Vietnamese threat actors who are leveraging shared tooling and tactics to pull off such fraudulent schemes. This also includes a Ducktail copycat dubbed Duckport, which has been active since late March 2023 and performs information stealing alongside Meta Business account hijacking.

It's worth pointing out that the campaign that Zscaler is tracking as Ducktail is in fact Duckport, which, according to WithSecure, is a separate threat owing to the differences in the Telegram channels used for C2, the source code implementation, and the fact that both the strains have never been distributed together.

"While Ducktail has dabbled with the usage of fake branded websites as part of their social engineering efforts, it has been a common technique for Duckport," WithSecure said.

"Instead of providing direct download links to file hosting services such as Dropbox (which may raise suspicion), Duckport sends victims links to branded sites that are related to the brand/company they're impersonating, which then redirects them to download the malicious archive from file hosting services (such as Dropbox)."

Duckport, while based on Ducktail, also comes with novel features that expand on the information stealing and account hijacking capabilities, and also take screenshots or abuse online note-taking services as part of its C2 chain, essentially replacing Telegram as a channel to pass commands to the victim's machine.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising

If you want the highest possible level of protection, this is it.

There's a constant battle going on between software developers trying to keep their apps and platforms secure, and hackers and malware writers eager to break through those digital defenses. In its quest to offer a more secure and private suite of web apps, security-focused service provider Proton is rolling out a new feature called Proton Sentinel.

If you're new to Proton, the Switzerland-based company offers email, VPN, cloud storage, and various other digital services, with a clear emphasis on security and privacy. It's a bit like Google without the tracking or the ads, and the newly unveiled Proton Sentinel is a “high-security program” for keeping users and their data safe.

It's worth emphasizing that Proton accounts already come with a bunch of security features and protections to keep out bad actors. There's end-to-end, zero-access encryption for user data, there's two-factor authentication to help you prove you are who you say you are when you log in, there's a custom-built spam filtering system, there are real-time notifications of logins, and more.

However, Sentinel goes further. Proton describes the additional feature as offering more protection than most people will need, aimed at “users who need the most security”: Journalists, government officials, religious leaders, and leaders of international peace organizations are mentioned as some of those who are particularly at risk from hacking attempts.

You can enable Sentinel from inside your Proton account.

Proton via David Nield

"Accounts such as these have a high risk of being attacked by criminals or state-backed hackers," writes Proton's Dingchao Lu. “We are now ready to provide the same level of advanced protection and support that we reserved for these VIPs to any Proton user that wants it through the Proton Sentinel program.”

You don't have to fall into one of those categories to use Proton Sentinel, but you do have to be a paying Proton user: a Visionary, Lifetime, Family, Unlimited, or Business plan is required, and you can see details of all the plans here.

A lot of the work that Proton Sentinel does goes on behind the scenes, and you'll find that Proton itself doesn't go into too much detail about how it functions—which is sensible if you want to minimize the chances of someone else getting around it.

The advanced security protection it offers includes strict challenges for “suspicious” login attempts, typically those from devices that you don't normally use and parts of the world that you're not normally in. You might find yourself asked to confirm more of your logins to Proton services with Sentinel enabled, but it's worth it for the extra peace of mind.

Proton says that suspicious logins are flagged by automated systems and then escalated to human security analysts, around the clock. Any support requests you file related to account security will also get escalated to trained security specialists, meaning that if there is a security problem, it's going to be dealt with more quickly.

Related to this stricter policy on logins, Proton Sentinel also gives you access to detailed security logs inside your account, listing attempts to log in using your credentials, as well as other key actions you need to be aware of (such as password changes.)

More detailed security logs are available with Proton Sentinel.

Proton via David Nield

If you're on board with Proton Sentinel and everything that it offers, log into your Proton account on the web. Click the **settings** cogwheel, then **Go to settings**, and then **Security and privacy**: At the top of the screen there should be an **Enable Proton Sentinel** toggle switch that you can turn on. That's all there is to it: You're now protected.

Farther down the same screen is the security logs panel: Turn on both **Enable authentication logs** and **Enable advanced logs** to get all of the information possible about when and where your account is being used. All successful and unsuccessful login attempts are listed here, since the very first day you opened your Proton account—and if security actions were taken on a login attempt, this will be recorded next to it.

If you see something you don't recognize, you can click the **Revoke** button next to an existing session: The device in question will be remotely logged out, and a fresh sign-in will be required to use Proton's apps on that device. It's better to err on the side of caution here, and log out from any sessions that you don't immediately recognize. If you do notice anything suspicious, you should contact Proton Support too.

Proton Sentinel is simple to set up, takes very little effort to maintain, and keeps your Proton account as well protected as possible—so it makes a lot of sense to enable the feature. Like the Enhanced Safety Mode that Google offers as part of Chrome's feature set, Sentinel goes above and beyond the norms to make sure that there's no unauthorized access to your account.

How to Use Proton Sentinel to Keep Your Accounts Safe

Ubuntu Security Notice 6330-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6330-1  
August 31, 2023

linux-gcp-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

Ye Zhang and Nicolas Wu discovered that the io_uring subsystem in the Linux  
kernel did not properly handle locking for rings with IOPOLL, leading to a  
double-free vulnerability. A local attacker could use this to cause a  
denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-21400)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle certain error conditions, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3610)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle table rules flush in certain circumstances. A local  
attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-4004)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle bound chain deactivation in certain circumstances. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-4015)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1040-gcp     5.15.0-1040.48~20.04.1  
   linux-image-gcp                 5.15.0.1040.48~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6330-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-21400, CVE-2023-3609,  
   CVE-2023-3610, CVE-2023-3611, CVE-2023-3776, CVE-2023-3777,  
   CVE-2023-3995, CVE-2023-4004, CVE-2023-4015

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1040.48~20.04.1

Ubuntu Security Notice USN-6330-1

Plus: A major FBI botnet takedown, new Sandworm malware, a cyberattack on two major scientific telescopes—and more.

A monthslong WIRED investigation published this week revealed the inner workings of the Trickbot ransomware gang, which has targeted hospitals, businesses, and government agencies around the world. 

The investigation stemmed from a mysterious leak publish on X (formerly Twitter) last year by an anonymous account called Trickleaks. The document trove contained dossiers on 35 alleged Trickbot members, including names, dates of birth, and much more. It also listed thousands of IP addresses, cryptocurrency wallets, email addresses, and Trickbot chat logs. Armed with this information, we enlisted the help of multiple cybersecurity and Russian cybercrime experts to paint a vivid picture of Trickbot’s organizational structure and corroborate the real-world identity of one of its key members. 

Last weekend, someone (more on that later) successfully disrupted more than 20 trains in Poland. The incidents were originally described as a “cyberattack,” but it was actually something much simpler: a radio hack. Using equipment that can cost as little as $30, the attack exploited the trains’ unencrypted radio system to cause them to perform an emergency stop. 

Over on the dark web, cybercriminals are making money in an unexpected way: writing contests. With total prizes reaching as high as $80,000, the competitions enlist hacking forum members to craft the best essays, many of which explain how to carry out cyberattacks and scams. 

Last December, Apple officially killed its controversial photo-scanning tool for detecting child sexual abuse material (CSAM) on iCloud, a tool the company launched in August 2021 before un-launching it a month later after backlash from cybersecurity experts, civil liberties advocates, and others who argued that the tool would violate users’ security and privacy. But the issue is far from resolved. This week, a new child safety group called Heat Initiative demanded that Apple reinstate the tool. Apple responded with a letter, which it shared with WIRED, detailing for the first time its full reasoning behind terminating the tool. Heat Initiative’s push comes amid international pressure to weaken encryption for law enforcement purposes.

Elsewhere, we detailed the big security patches you need to install to keep your devices safe (looking at you, Google Chrome and Android users). And we dove into the supremely nerdy world of a code-cracking competition that had contestants racing to decode a German U-boat cipher from World War II. One team had a secret weapon.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When more than 20 trains in Poland were bought to a halt last weekend in what was described as a “cyberattack,” all eyes turned to Russia. After all, Poland’s rails serve as a key piece of infrastructure for supporting Ukraine’s war effort. But as we reported a day later, the disruption had been caused not through any sophisticated cyber intrusion but through a simple radio hack that sent a “radio stop” command to the Polish trains over an unencrypted and unauthenticated system. “The frequencies are known. The tones are known. The equipment is cheap,” Polish-speaking cybersecurity researcher Lukasz Olejnik told WIRED. “Everybody could do this. Even teenagers trolling.”

Well, not teenagers exactly, but twentysomethings. This week, Polish police arrested a 24-year-old man and a 29-year-old man, both Polish citizens, who allegedly carried out the radio train hack. One of the two men, based in the city of Bialystok near the border with Belarus, was a police officer. Amateur radio equipment was found in one of their apartments, according to Poland’s RMF Radio, where the younger man was found (reportedly in a drunken state).

2 Polish Men Arrested for Radio Hack That Disrupted Trains

Ubuntu Security Notice 6329-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6329-1  
August 31, 2023

linux-gcp-5.4, linux-oracle-5.4 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-oracle-5.4: Linux kernel for Oracle Cloud systems

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   linux-image-5.4.0-1107-oracle   5.4.0-1107.116~18.04.1  
   linux-image-5.4.0-1111-gcp      5.4.0-1111.120~18.04.1  
   linux-image-gcp                 5.4.0.1111.87  
   linux-image-oracle              5.4.0.1107.116~18.04.79

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6329-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-3609, CVE-2023-3611,  
   CVE-2023-3776

Tag

#google