PRESS RELEASE

Lakera, the world's leading real-time Generative AI (GenAI) Security company, has raised $20 million in a Series A funding round. Led by European VC Atomico, with participation from Citi Ventures, Dropbox Ventures, and existing investors including redalpine, this investment brings Lakera's total funding to $30 million. This funding positions Lakera at the forefront of the global economy's race to secure GenAI applications. As part of this round, Atomico Partner Sasha Vidiborskiy will join Lakera's board.

It's been predicted that by 2026, 80% of enterprises will have used GenAI or GenAI-enabled applications in production environments, up from less than 5% in 2023. As businesses worldwide scramble to harness the power of GenAI without exposing themselves to AI-specific risks, the demand for Lakera's platform is expected to continue growing at a rapid clip.

While GenAI could add an estimated $4.4 trillion annually to global GDP, cybersecurity remains the second most-cited risk associated with its adoption as traditional cyber tools are ill-equipped to address the novel dangers it poses. This creates a critical need for security solutions that address GenAI-specific risks, without which businesses are unable to unlock the benefits of AI.

David Haber, Founder and CEO of Lakera, explains the urgency: "With the advent of GenAI, the old cybersecurity techniques aren't sufficient. Enterprises now operate in a world where anyone who knows how to talk knows how to hack. Security solutions need to change but they can't get in the way of user experience. There is a need for real-time AI security solutions that continuously evolve and enable amazing user experiences."

David elaborates in his blog published today.

Cybersecurity-risks posed by LLMs

The spectrum of LLM vulnerabilities is both diverse and severe:

*   GenAI introduces prompt attacks as the most widely accessible hacking method. In the past, hackers needed to be able to code - but now, the only barrier to entry is being able to talk.
    
*   Prompt attacks can easily be used to manipulate GenAI so that a malicious actor can gain unauthorized access to a company's systems, steal confidential data, take unauthorized actions, and generate harmful content.
    
*   AI "sleeper agents" can lie dormant until activated for malicious purposes. Jailbreaking techniques can compromise powerful models in mere minutes.
    
*   AI-targeted worms can bypass security measures, harvesting data and launching widespread attacks.
    

Lakera's comprehensive approach to AI security delivers three key benefits for enterprises: protection that doesn't slow down their AI applications; the ability to stay ahead of AI threats with continuously evolving intelligence; and centralized implementation of AI security controls.

The company's growth comes at a pivotal moment in AI development. With the adoption of GenAI, users now direct software applications using natural language, and Lakera's real-time AI security does not compromise application interactivity. To make implementation effortless for developers, the company's API can be integrated with a single line of code, providing an ultra-low-latency security layer compatible with any GenAI model. Centralized controls allow security teams to customize application-specific policies and address emerging threats without code changes.

Lakera is uniquely positioned to tackle these fast-changing challenges, in part thanks to Gandalf - an AI educational platform created by the company which serves as the world's largest AI red team. With over 250 thousand unique users worldwide, including companies such as Microsoft where it's used in security training, Gandalf generates a real-time database of AI threats which is growing by 100 thousands of uniquely new attacks every day and keeps Lakera's software up to date, ensuring continuous protection for customers. The 50+ million data points generated by Gandalf, combined with the founding team's deep experience in building AI systems with real-time requirements, means Lakera's customers are able to stay ahead of threats and deliver amazing user experiences.

Atomico Partner Sasha Vidoborskiy, who will join Lakera's board, said: "Lakera has seen impressive commercial pull, winning customers such as Dropbox and a top 3 US bank, and already having more than 35% of Fortune 100 companies knock on their door. All those clients have an urgency to deploy GenAI applications into production, but can't do it without protection in place. Easy integration, best-in-class performance, and low latency are why they pick Lakera. But most importantly, the company is led by David and his team, who are thought leaders in the space and have a deep understanding of what the adoption of AI means for new cybersecurity risks."

"At Dropbox, ensuring the security of our systems and customers' data is a top priority," said Donald Tucker, Head of Corporate Development and Ventures at Dropbox. "Lakera's team has extensive expertise and a deep understanding of the complex security challenges companies are facing with LLMs and Generative AI. Their advanced technology is helping companies like Dropbox safeguard against vulnerabilities these new technologies pose. We're thrilled to strengthen our existing relationship with Lakera by investing in the future of the company and AI security."

Lakera plans to use this funding round to invest further in its product development and expand its presence in the US, where it already has a foothold in Silicon Valley.

About Lakera  
Lakera is the world's leading real-time GenAI security company. Customers rely on Lakera for security that doesn't slow down their AI applications. To accelerate secure adoption of AI, the company created Gandalf, an educational tool, where more than one million users have learned about AI security. Lakera uses AI to continuously evolve defenses, so customers can stay ahead of emerging threats. Lakera was founded by David Haber, Mateo Rojas-Carulla and Matthias Kraft in 2021.

About Atomico  
Atomico invests in ambitious tech founders from Seed through to IPO with a particular focus on Europe, leveraging deep operational experience to supercharge their growth. Founded in 2006, Atomico has partnered with over 100 ambitious teams - including those at Klarna, Supercell, Graphcore, Compass, MessageBird, Masterclass, Attentive Mobile, Pipedrive and Hinge Health. Atomico's team of founders, investors and operational leaders have been responsible for global expansion, hiring and marketing at companies from Skype and Google to Twitter and Uber. The firm currently has $5B in assets under management.

Lakera Raises $20M Series A to Secure Generative AI Applications

PRESS RELEASE

LONDON, July 25, 2024 /PRNewswire/ -- An investigation by Heimdal reveals that the EU is facing a surge in brute force cyber attacks on corporate and institutional networks, primarily originating from Russia.

These attackers exploit Microsoft infrastructure, particularly in Belgium and the Netherlands, to avoid detection.

The investigation into the Russian brute-force campaign has revealed several critical insights:

*   Attackers are aiming for High-Value Targets (HVTs)
    
*   Key infrastructure cities like Edinburgh and Dublin have been frequently targeted
    
*   Over half of the attack IP addresses are linked to Moscow, targeting major cities in the UK, Denmark, Hungary, and Lithuania
    
*   The rest of the investigated attack IPs can be traced back to Amsterdam and Brussels
    
*   Major ISPs like Telefonica LLC and IPX-FZCO were significantly abused
    
*   Heimdal's data shows these attacks date back to May 2024 but may have been happening even longer.
    

Prevalent Infiltration and Attack Techniques

The attackers primarily target administrative accounts using various case combinations and language variants.

Over 60% of attack IPs are new, with approximately 65% recently compromised and the rest previously abused, revealing a constantly evolving threat.

The threat actors employ known attack principles such as SMBv1 crawlers, RDP crawlers, and RDP alternative port crawlers, exploiting weak or default credentials through password guessing, spraying, and stuffing.

Additionally, their use of legitimate Microsoft infrastructure broadens the attack surface and complicates detection and response.

Data shows that attackers have actively exploited Microsoft infrastructure from the Netherlands and Belgium to increase their attack range and success odds.

Russia Leveraging State-Owned Networks to Propagate Attack

Major ISPs like Telefonica LLC and IPX-FZCO are significantly abused, with the former accounting for 27.7% of attacks from Russia.

The attackers also leveraged resources from Russian allies, including Indian telecom companies Bharat Sanchar Nigam Limited and Bharti Airtel Limited, both of which have faced recent data breaches.

Scope of Brute-Force Campaign

Russia's motivation behind these cyberattacks is multifaceted.

The reasons for these actions likely include aims to destabilize and disrupt critical infrastructure in Europe, extract sensitive data, gain financial advantage to fuel ongoing cyber-war efforts, or deploy malware.

The threat actors' mandates can span multiple types of subversive cyber-warfare ops, including seek-and-destroy, disruption of critical assets, and sabotage.

A Wake Up Call for the European Union

This persistent threat underscores the need for cybersecurity measures within EU countries, including strengthening cloud security, enforcing multi-factor authentication, conducting regular security audits, and educating employees.

Morten Kjaersgaard, Founder of Heimdal, said:

"This data shows that an entity in Russia is waging a hybrid war on Europe, and may have even infiltrated it.

The threat actors are aiming to extract as much data or financial means as possible, leveraging Microsoft infrastructure to do so.

Whoever is responsible, whether it's the state or another nefarious group, they have no shame in using Russia's allies to commit these crimes.

The exploitation of Indian infrastructure is a strong example. The data also proves these attackers have strong ties with China."

Paul Vixie, Co-Founder of SIE Europe, added:

"The data that Heimdal has uncovered is explosively evil, and SIE Europe data clearly shows how well built these Russian Wasp nests are and they show no signs of stopping.

SIE Europe does not ever traffic in Personally Identifiable Information, and this case shows the investigative power of public information once cooperatively assembled."

Read the full investigation here: Russia-Linked Brute-Force Campaign Targets EU via Microsoft Infrastructure (heimdalsecurity.com).

Heimdal Security Presents its Latest Report on Brute-Force Cyberattacks

Microsoft says that an examination of Windows crash reports around the outage shows that kernel drivers need to be carefully employed.

Source: Mundissima via Alamy Stock Photo

UPDATED

Microsoft has released more details around its assessment of the CrowdStrike Falcon outage nearly two weeks ago, noting that one takeaway is the need to reduce infosec vendors' reliance on the kernel drivers.

In a blog post published over the weekend, David Weston, vice president of enterprise and OS security at Microsoft, detailed that the company measured the impact of the incident through accessing crash reports that were voluntarily shared by customers. 

As not every customer opts to share crash reports, those are just "a subset of the number of impacted devices previously shared by Microsoft," Weston wrote. 

But the consensus that emerged was that while kernel drivers such as those employed by CrowdStrike can actually improve performance and prevent software tampering, those advantages must be rationalized against potential risk posed by their innate privileges.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote.

He said he believes that if security vendors can strike the right balance, organizations can minimize kernel usage while also maintaining a strong security position.

This story was updated at 9:15 a.m. ET on July 30, 2024 to correct inaccurate reporting that Microsoft revised the original 8.5 million device estimate for how many machines were affected by the CrowdStrike outage.

**About the Author(s)**

Microsoft Talks Kernel Drivers Post CrowdStrike Outage

Ubuntu Security Notice 6924-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6924-1July 29, 2024linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp,linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4,linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-iot: Linux kernel for IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-raspi: Linux kernel for Raspberry Pi systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM SCMI message protocol;  - InfiniBand drivers;  - TTY drivers;  - TLS protocol;(CVE-2024-26584, CVE-2024-36016, CVE-2024-26585, CVE-2021-47131,CVE-2024-26907, CVE-2022-48655, CVE-2024-26583)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1041-iot      5.4.0-1041.42  linux-image-5.4.0-1048-xilinx-zynqmp  5.4.0-1048.52  linux-image-5.4.0-1076-ibm      5.4.0-1076.81  linux-image-5.4.0-1089-bluefield  5.4.0-1089.96  linux-image-5.4.0-1096-gkeop    5.4.0-1096.100  linux-image-5.4.0-1113-raspi    5.4.0-1113.125  linux-image-5.4.0-1117-kvm      5.4.0-1117.124  linux-image-5.4.0-1133-gcp      5.4.0-1133.142  linux-image-5.4.0-1134-azure    5.4.0-1134.141  linux-image-5.4.0-190-generic   5.4.0-190.210  linux-image-5.4.0-190-generic-lpae  5.4.0-190.210  linux-image-5.4.0-190-lowlatency  5.4.0-190.210  linux-image-azure-lts-20.04     5.4.0.1134.128  linux-image-bluefield           5.4.0.1089.85  linux-image-gcp-lts-20.04       5.4.0.1133.135  linux-image-generic             5.4.0.190.188  linux-image-generic-lpae        5.4.0.190.188  linux-image-gkeop               5.4.0.1096.94  linux-image-gkeop-5.4           5.4.0.1096.94  linux-image-ibm-lts-20.04       5.4.0.1076.105  linux-image-kvm                 5.4.0.1117.113  linux-image-lowlatency          5.4.0.190.188  linux-image-oem                 5.4.0.190.188  linux-image-oem-osp1            5.4.0.190.188  linux-image-raspi               5.4.0.1113.143  linux-image-raspi2              5.4.0.1113.143  linux-image-virtual             5.4.0.190.188  linux-image-xilinx-zynqmp       5.4.0.1048.48Ubuntu 18.04 LTS  linux-image-5.4.0-1076-ibm      5.4.0-1076.81~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1133-gcp      5.4.0-1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-1134-azure    5.4.0-1134.141~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-190-generic   5.4.0-190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-5.4.0-190-lowlatency  5.4.0-190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-azure               5.4.0.1134.141~18.04.1                                  Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1133.142~18.04.1                                  Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1076.81~18.04.1                                  Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-oem                 5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.190.210~18.04.1                                  Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.190.210~18.04.1                                  Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6924-1  CVE-2021-47131, CVE-2022-48655, CVE-2024-26583, CVE-2024-26584,  CVE-2024-26585, CVE-2024-26907, CVE-2024-36016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-190.210  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1134.141  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1089.96  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1133.142  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1096.100  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1076.81  https://launchpad.net/ubuntu/+source/linux-iot/5.4.0-1041.42  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1117.124  https://launchpad.net/ubuntu/+source/linux-raspi/5.4.0-1113.125  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1048.52

Ubuntu Security Notice USN-6924-1

Ubuntu Security Notice 6918-1 - It was discovered that a race condition existed in the Bluetooth subsystem in the Linux kernel when modifying certain settings values through debugfs. A privileged local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6918-1July 26, 2024linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel when modifying certain settings values through debugfs.A privileged local attacker could use this to cause a denial of service.Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - RISC-V architecture;  - S390 architecture;  - x86 architecture;  - Block layer subsystem;  - Compute Acceleration Framework;  - Accessibility subsystem;  - Android drivers;  - Drivers core;  - Bluetooth drivers;  - Clock framework and drivers;  - Data acquisition framework and drivers;  - Cryptographic API;  - Buffer Sharing and Synchronization framework;  - GPU drivers;  - On-Chip Interconnect management framework;  - IOMMU subsystem;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Device tree and open firmware driver;  - Chrome hardware platform drivers;  - i.MX PM domains;  - TI SCI PM domains driver;  - S/390 drivers;  - SCSI drivers;  - SPI subsystem;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - Framebuffer layer;  - BTRFS file system;  - Network file system server daemon;  - NILFS2 file system;  - File systems infrastructure;  - Pstore file system;  - SMB network file system;  - BPF subsystem;  - Bluetooth subsystem;  - Netfilter;  - io_uring subsystem;  - Core kernel;  - Extra boot config (XBC);  - Memory management;  - Amateur Radio drivers;  - B.A.T.M.A.N. meshing protocol;  - Ethernet bridge;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - Multipath TCP;  - NFC subsystem;  - RDS protocol;  - Network traffic control;  - SMC sockets;  - Sun RPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - eXpress Data Path;  - SELinux security module;(CVE-2024-26988, CVE-2024-36023, CVE-2024-35869, CVE-2024-35938,CVE-2024-27000, CVE-2024-35880, CVE-2024-35915, CVE-2024-35959,CVE-2024-35883, CVE-2024-35886, CVE-2024-35976, CVE-2024-35903,CVE-2024-35980, CVE-2024-27020, CVE-2024-35955, CVE-2024-35964,CVE-2024-26980, CVE-2024-35882, CVE-2024-35927, CVE-2024-35884,CVE-2024-35914, CVE-2024-35905, CVE-2024-26925, CVE-2024-35885,CVE-2024-26990, CVE-2024-27012, CVE-2024-35969, CVE-2024-35862,CVE-2024-35956, CVE-2024-35971, CVE-2024-27022, CVE-2024-35935,CVE-2024-26992, CVE-2024-27010, CVE-2024-35892, CVE-2024-26999,CVE-2024-26989, CVE-2024-35963, CVE-2024-35981, CVE-2024-26997,CVE-2024-35920, CVE-2024-35918, CVE-2024-35933, CVE-2024-35867,CVE-2024-35904, CVE-2024-35890, CVE-2024-35968, CVE-2024-35917,CVE-2024-35897, CVE-2024-26922, CVE-2024-36026, CVE-2024-27013,CVE-2024-26991, CVE-2024-26996, CVE-2024-35873, CVE-2024-26987,CVE-2024-35895, CVE-2024-36027, CVE-2024-35896, CVE-2024-35894,CVE-2024-26983, CVE-2024-35966, CVE-2024-35967, CVE-2024-35945,CVE-2024-27003, CVE-2024-35939, CVE-2024-35861, CVE-2024-26985,CVE-2024-27015, CVE-2024-35982, CVE-2024-35912, CVE-2024-35979,CVE-2024-35879, CVE-2024-26982, CVE-2024-35891, CVE-2024-35925,CVE-2024-35870, CVE-2024-27021, CVE-2024-35866, CVE-2024-27014,CVE-2024-27001, CVE-2024-27004, CVE-2024-35953, CVE-2024-36021,CVE-2024-35931, CVE-2024-27007, CVE-2024-35922, CVE-2024-35872,CVE-2024-35926, CVE-2024-27016, CVE-2024-26984, CVE-2024-35919,CVE-2024-35911, CVE-2024-26923, CVE-2024-35929, CVE-2024-35887,CVE-2024-35893, CVE-2024-35898, CVE-2024-35930, CVE-2024-35934,CVE-2024-35916, CVE-2024-35877, CVE-2024-26926, CVE-2024-35974,CVE-2024-36018, CVE-2024-27002, CVE-2024-35975, CVE-2024-35864,CVE-2024-35958, CVE-2024-35944, CVE-2024-35985, CVE-2024-35940,CVE-2024-35900, CVE-2024-27018, CVE-2024-26936, CVE-2024-36024,CVE-2024-26998, CVE-2024-35954, CVE-2024-35878, CVE-2024-26928,CVE-2024-35952, CVE-2024-36020, CVE-2024-26986, CVE-2024-35950,CVE-2024-35957, CVE-2024-35909, CVE-2024-27005, CVE-2024-35978,CVE-2024-35875, CVE-2024-35943, CVE-2024-35970, CVE-2024-35863,CVE-2024-26993, CVE-2024-35865, CVE-2024-26995, CVE-2024-35888,CVE-2024-35899, CVE-2024-35868, CVE-2023-52699, CVE-2024-26994,CVE-2024-26817, CVE-2024-35902, CVE-2024-35977, CVE-2024-35961,CVE-2024-36025, CVE-2024-35936, CVE-2024-35913, CVE-2024-27017,CVE-2024-35889, CVE-2024-35972, CVE-2024-35901, CVE-2024-26921,CVE-2024-26924, CVE-2024-35951, CVE-2024-35860, CVE-2024-35907,CVE-2024-35910, CVE-2024-36022, CVE-2024-27019, CVE-2024-27009,CVE-2024-26981, CVE-2024-35973, CVE-2024-35965, CVE-2024-36019,CVE-2024-35871, CVE-2024-27008, CVE-2024-26811, CVE-2024-35908,CVE-2024-35921, CVE-2024-35942, CVE-2024-35946, CVE-2024-35924,CVE-2024-27011, CVE-2024-35960, CVE-2024-27006, CVE-2024-35937,CVE-2024-35932)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1008-oracle   6.8.0-1008.8  linux-image-6.8.0-1008-oracle-64k  6.8.0-1008.8  linux-image-oracle              6.8.0-1008.8  linux-image-oracle-64k          6.8.0-1008.8After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6918-1  CVE-2023-52699, CVE-2024-24857, CVE-2024-24858, CVE-2024-24859,  CVE-2024-26811, CVE-2024-26817, CVE-2024-26921, CVE-2024-26922,  CVE-2024-26923, CVE-2024-26924, CVE-2024-26925, CVE-2024-26926,  CVE-2024-26928, CVE-2024-26936, CVE-2024-26980, CVE-2024-26981,  CVE-2024-26982, CVE-2024-26983, CVE-2024-26984, CVE-2024-26985,  CVE-2024-26986, CVE-2024-26987, CVE-2024-26988, CVE-2024-26989,  CVE-2024-26990, CVE-2024-26991, CVE-2024-26992, CVE-2024-26993,  CVE-2024-26994, CVE-2024-26995, CVE-2024-26996, CVE-2024-26997,  CVE-2024-26998, CVE-2024-26999, CVE-2024-27000, CVE-2024-27001,  CVE-2024-27002, CVE-2024-27003, CVE-2024-27004, CVE-2024-27005,  CVE-2024-27006, CVE-2024-27007, CVE-2024-27008, CVE-2024-27009,  CVE-2024-27010, CVE-2024-27011, CVE-2024-27012, CVE-2024-27013,  CVE-2024-27014, CVE-2024-27015, CVE-2024-27016, CVE-2024-27017,  CVE-2024-27018, CVE-2024-27019, CVE-2024-27020, CVE-2024-27021,  CVE-2024-27022, CVE-2024-35860, CVE-2024-35861, CVE-2024-35862,  CVE-2024-35863, CVE-2024-35864, CVE-2024-35865, CVE-2024-35866,  CVE-2024-35867, CVE-2024-35868, CVE-2024-35869, CVE-2024-35870,  CVE-2024-35871, CVE-2024-35872, CVE-2024-35873, CVE-2024-35875,  CVE-2024-35877, CVE-2024-35878, CVE-2024-35879, CVE-2024-35880,  CVE-2024-35882, CVE-2024-35883, CVE-2024-35884, CVE-2024-35885,  CVE-2024-35886, CVE-2024-35887, CVE-2024-35888, CVE-2024-35889,  CVE-2024-35890, CVE-2024-35891, CVE-2024-35892, CVE-2024-35893,  CVE-2024-35894, CVE-2024-35895, CVE-2024-35896, CVE-2024-35897,  CVE-2024-35898, CVE-2024-35899, CVE-2024-35900, CVE-2024-35901,  CVE-2024-35902, CVE-2024-35903, CVE-2024-35904, CVE-2024-35905,  CVE-2024-35907, CVE-2024-35908, CVE-2024-35909, CVE-2024-35910,  CVE-2024-35911, CVE-2024-35912, CVE-2024-35913, CVE-2024-35914,  CVE-2024-35915, CVE-2024-35916, CVE-2024-35917, CVE-2024-35918,  CVE-2024-35919, CVE-2024-35920, CVE-2024-35921, CVE-2024-35922,  CVE-2024-35924, CVE-2024-35925, CVE-2024-35926, CVE-2024-35927,  CVE-2024-35929, CVE-2024-35930, CVE-2024-35931, CVE-2024-35932,  CVE-2024-35933, CVE-2024-35934, CVE-2024-35935, CVE-2024-35936,  CVE-2024-35937, CVE-2024-35938, CVE-2024-35939, CVE-2024-35940,  CVE-2024-35942, CVE-2024-35943, CVE-2024-35944, CVE-2024-35945,  CVE-2024-35946, CVE-2024-35950, CVE-2024-35951, CVE-2024-35952,  CVE-2024-35953, CVE-2024-35954, CVE-2024-35955, CVE-2024-35956,  CVE-2024-35957, CVE-2024-35958, CVE-2024-35959, CVE-2024-35960,  CVE-2024-35961, CVE-2024-35963, CVE-2024-35964, CVE-2024-35965,  CVE-2024-35966, CVE-2024-35967, CVE-2024-35968, CVE-2024-35969,  CVE-2024-35970, CVE-2024-35971, CVE-2024-35972, CVE-2024-35973,  CVE-2024-35974, CVE-2024-35975, CVE-2024-35976, CVE-2024-35977,  CVE-2024-35978, CVE-2024-35979, CVE-2024-35980, CVE-2024-35981,  CVE-2024-35982, CVE-2024-35985, CVE-2024-36018, CVE-2024-36019,  CVE-2024-36020, CVE-2024-36021, CVE-2024-36022, CVE-2024-36023,  CVE-2024-36024, CVE-2024-36025, CVE-2024-36026, CVE-2024-36027Package Information:  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1008.8

Ubuntu Security Notice USN-6918-1

Ubuntu Security Notice 6917-1 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6917-1July 26, 2024linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-azure-fde: Linux kernel for Microsoft Azure CVM cloud systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-azure-fde-5.15: Linux kernel for Microsoft Azure CVM cloud systemsDetails:Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did notproperly handle certain error conditions, leading to a NULL pointerdereference. A local attacker could possibly trigger this vulnerability tocause a denial of service. (CVE-2022-38096)Gui-Dong Han discovered that the software RAID driver in the Linux kernelcontained a race condition, leading to an integer overflow vulnerability. Aprivileged attacker could possibly use this to cause a denial of service(system crash). (CVE-2024-23307)It was discovered that a race condition existed in the Bluetooth subsystemin the Linux kernel when modifying certain settings values through debugfs.A privileged local attacker could use this to cause a denial of service.(CVE-2024-24857, CVE-2024-24858, CVE-2024-24859)Bai Jiaju discovered that the Xceive XC4000 silicon tuner device driver inthe Linux kernel contained a race condition, leading to an integer overflowvulnerability. An attacker could possibly use this to cause a denial ofservice (system crash). (CVE-2024-24861)Chenyuan Yang discovered that the Unsorted Block Images (UBI) flash devicevolume management subsystem did not properly validate logical eraseblocksizes in certain situations. An attacker could possibly use this to cause adenial of service (system crash). (CVE-2024-25739)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - Accessibility subsystem;  - Android drivers;  - Bluetooth drivers;  - Clock framework and drivers;  - Data acquisition framework and drivers;  - Cryptographic API;  - DMA engine subsystem;  - GPU drivers;  - HID subsystem;  - I2C subsystem;  - IRQ chip drivers;  - Multiple devices driver;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Device tree and open firmware driver;  - PCI subsystem;  - S/390 drivers;  - SCSI drivers;  - Freescale SoC drivers;  - Trusted Execution Environment drivers;  - TTY drivers;  - USB subsystem;  - VFIO drivers;  - Framebuffer layer;  - Xen hypervisor drivers;  - File systems infrastructure;  - BTRFS file system;  - Ext4 file system;  - FAT file system;  - Network file system client;  - Network file system server daemon;  - NILFS2 file system;  - Pstore file system;  - SMB network file system;  - UBI file system;  - Netfilter;  - BPF subsystem;  - Core kernel;  - PCI iomap interfaces;  - Memory management;  - B.A.T.M.A.N. meshing protocol;  - Bluetooth subsystem;  - Ethernet bridge;  - Networking core;  - Distributed Switch Architecture;  - IPv4 networking;  - IPv6 networking;  - MAC80211 subsystem;  - IEEE 802.15.4 subsystem;  - NFC subsystem;  - Open vSwitch;  - RDS protocol;  - Network traffic control;  - SMC sockets;  - Unix domain sockets;  - eXpress Data Path;  - Key management;  - ALSA SH drivers;  - KVM core;(CVE-2024-26993, CVE-2024-26996, CVE-2024-35879, CVE-2024-26812,CVE-2024-26984, CVE-2024-26817, CVE-2024-35950, CVE-2024-26960,CVE-2024-27437, CVE-2024-26964, CVE-2024-27059, CVE-2024-35969,CVE-2024-35936, CVE-2024-35912, CVE-2024-35915, CVE-2024-35938,CVE-2024-27019, CVE-2024-35822, CVE-2024-35997, CVE-2024-35855,CVE-2024-26925, CVE-2024-26654, CVE-2024-26923, CVE-2024-36031,CVE-2024-36020, CVE-2024-35823, CVE-2024-35852, CVE-2024-35989,CVE-2024-27000, CVE-2024-35853, CVE-2024-27013, CVE-2024-35854,CVE-2024-35922, CVE-2024-26937, CVE-2023-52880, CVE-2024-26974,CVE-2024-26629, CVE-2024-35804, CVE-2024-35958, CVE-2024-26814,CVE-2024-35890, CVE-2024-35940, CVE-2024-26999, CVE-2024-35847,CVE-2024-27015, CVE-2024-26687, CVE-2024-26970, CVE-2024-35930,CVE-2024-26813, CVE-2024-26810, CVE-2024-26969, CVE-2024-26977,CVE-2024-26956, CVE-2024-35901, CVE-2024-27020, CVE-2024-35905,CVE-2024-35785, CVE-2024-27009, CVE-2024-35877, CVE-2024-35893,CVE-2024-26989, CVE-2024-26642, CVE-2024-35857, CVE-2024-35935,CVE-2024-26828, CVE-2024-26965, CVE-2024-35888, CVE-2024-35900,CVE-2024-26951, CVE-2024-35809, CVE-2024-27008, CVE-2024-26958,CVE-2024-35973, CVE-2024-26935, CVE-2024-26934, CVE-2024-35982,CVE-2023-52488, CVE-2024-35884, CVE-2024-35907, CVE-2024-27018,CVE-2024-26929, CVE-2024-35984, CVE-2024-35899, CVE-2024-26976,CVE-2024-26922, CVE-2024-35817, CVE-2024-26961, CVE-2024-35925,CVE-2024-35821, CVE-2024-36005, CVE-2024-35988, CVE-2024-35970,CVE-2024-27001, CVE-2024-35960, CVE-2022-48808, CVE-2024-35927,CVE-2024-35806, CVE-2024-27016, CVE-2024-35897, CVE-2024-26957,CVE-2024-36025, CVE-2024-35872, CVE-2024-26988, CVE-2024-35819,CVE-2024-35896, CVE-2024-36007, CVE-2024-35944, CVE-2024-35990,CVE-2024-36006, CVE-2024-36004, CVE-2024-35955, CVE-2024-35898,CVE-2024-26973, CVE-2024-26950, CVE-2024-36008, CVE-2024-35805,CVE-2024-35807, CVE-2024-35934, CVE-2024-26926, CVE-2024-35902,CVE-2024-35918, CVE-2024-35895, CVE-2024-35978, CVE-2024-35849,CVE-2024-35791, CVE-2024-26931, CVE-2024-35886, CVE-2024-26981,CVE-2024-27395, CVE-2024-35815, CVE-2024-26994, CVE-2024-35825,CVE-2024-35789, CVE-2024-35813, CVE-2024-35885, CVE-2024-35851,CVE-2024-35796, CVE-2023-52699, CVE-2024-35871, CVE-2024-26811,CVE-2024-26966, CVE-2024-35976, CVE-2024-26955, CVE-2024-36029,CVE-2024-27396, CVE-2024-27004, CVE-2024-27393, CVE-2024-35910,CVE-2024-35933)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1068-azure   5.15.0-1068.77  linux-image-5.15.0-1068-azure-fde  5.15.0-1068.77.1  linux-image-azure-fde-lts-22.04  5.15.0.1068.77.45  linux-image-azure-lts-22.04     5.15.0.1068.66Ubuntu 20.04 LTS  linux-image-5.15.0-1068-azure   5.15.0-1068.77~20.04.1  linux-image-5.15.0-1068-azure-fde  5.15.0-1068.77~20.04.1.1  linux-image-azure               5.15.0.1068.77~20.04.1  linux-image-azure-cvm           5.15.0.1068.77~20.04.1  linux-image-azure-fde           5.15.0.1068.77~20.04.1.45After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6917-1  CVE-2022-38096, CVE-2022-48808, CVE-2023-52488, CVE-2023-52699,  CVE-2023-52880, CVE-2024-23307, CVE-2024-24857, CVE-2024-24858,  CVE-2024-24859, CVE-2024-24861, CVE-2024-25739, CVE-2024-26629,  CVE-2024-26642, CVE-2024-26654, CVE-2024-26687, CVE-2024-26810,  CVE-2024-26811, CVE-2024-26812, CVE-2024-26813, CVE-2024-26814,  CVE-2024-26817, CVE-2024-26828, CVE-2024-26922, CVE-2024-26923,  CVE-2024-26925, CVE-2024-26926, CVE-2024-26929, CVE-2024-26931,  CVE-2024-26934, CVE-2024-26935, CVE-2024-26937, CVE-2024-26950,  CVE-2024-26951, CVE-2024-26955, CVE-2024-26956, CVE-2024-26957,  CVE-2024-26958, CVE-2024-26960, CVE-2024-26961, CVE-2024-26964,  CVE-2024-26965, CVE-2024-26966, CVE-2024-26969, CVE-2024-26970,  CVE-2024-26973, CVE-2024-26974, CVE-2024-26976, CVE-2024-26977,  CVE-2024-26981, CVE-2024-26984, CVE-2024-26988, CVE-2024-26989,  CVE-2024-26993, CVE-2024-26994, CVE-2024-26996, CVE-2024-26999,  CVE-2024-27000, CVE-2024-27001, CVE-2024-27004, CVE-2024-27008,  CVE-2024-27009, CVE-2024-27013, CVE-2024-27015, CVE-2024-27016,  CVE-2024-27018, CVE-2024-27019, CVE-2024-27020, CVE-2024-27059,  CVE-2024-27393, CVE-2024-27395, CVE-2024-27396, CVE-2024-27437,  CVE-2024-35785, CVE-2024-35789, CVE-2024-35791, CVE-2024-35796,  CVE-2024-35804, CVE-2024-35805, CVE-2024-35806, CVE-2024-35807,  CVE-2024-35809, CVE-2024-35813, CVE-2024-35815, CVE-2024-35817,  CVE-2024-35819, CVE-2024-35821, CVE-2024-35822, CVE-2024-35823,  CVE-2024-35825, CVE-2024-35847, CVE-2024-35849, CVE-2024-35851,  CVE-2024-35852, CVE-2024-35853, CVE-2024-35854, CVE-2024-35855,  CVE-2024-35857, CVE-2024-35871, CVE-2024-35872, CVE-2024-35877,  CVE-2024-35879, CVE-2024-35884, CVE-2024-35885, CVE-2024-35886,  CVE-2024-35888, CVE-2024-35890, CVE-2024-35893, CVE-2024-35895,  CVE-2024-35896, CVE-2024-35897, CVE-2024-35898, CVE-2024-35899,  CVE-2024-35900, CVE-2024-35901, CVE-2024-35902, CVE-2024-35905,  CVE-2024-35907, CVE-2024-35910, CVE-2024-35912, CVE-2024-35915,  CVE-2024-35918, CVE-2024-35922, CVE-2024-35925, CVE-2024-35927,  CVE-2024-35930, CVE-2024-35933, CVE-2024-35934, CVE-2024-35935,  CVE-2024-35936, CVE-2024-35938, CVE-2024-35940, CVE-2024-35944,  CVE-2024-35950, CVE-2024-35955, CVE-2024-35958, CVE-2024-35960,  CVE-2024-35969, CVE-2024-35970, CVE-2024-35973, CVE-2024-35976,  CVE-2024-35978, CVE-2024-35982, CVE-2024-35984, CVE-2024-35988,  CVE-2024-35989, CVE-2024-35990, CVE-2024-35997, CVE-2024-36004,  CVE-2024-36005, CVE-2024-36006, CVE-2024-36007, CVE-2024-36008,  CVE-2024-36020, CVE-2024-36025, CVE-2024-36029, CVE-2024-36031Package Information:  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1068.77  https://launchpad.net/ubuntu/+source/linux-azure-fde/5.15.0-1068.77.1  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1068.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-fde-5.15/5.15.0-1068.77~20.04.1.1

Ubuntu Security Notice USN-6917-1

This week on the Lock and Code podcast, we speak with Jess Dodson about SIEM selection, management, and proper data collection.

_This week on the Lock and Code podcast…_

In the world of business cybersecurity, the powerful technology known as “Security Information and Event Management” is sometimes thwarted by the most unexpected actors—the very people setting it up.

Security Information and Event Management—or SIEM—is a term used to describe data-collecting products that businesses rely on to make sense of everything going on inside their network, in the hopes of catching and stopping cyberattacks. SIEM systems can log events and information across an entire organization and its networks. When properly set up, SIEMs can collect activity data from work-issued devices, vital servers, and even the software that an organization rolls out to its workforce. The purpose of all this collection is to catch what might easily be missed.

For instance, SIEMs can collect information about repeated login attempts occurring at 2:00 am from a set of login credentials that belong to an employee who doesn’t typically start their day until 8:00 am. SIEMs can also collect whether the login credentials of an employee with typically low access privileges are being used to attempt to log into security systems far beyond their job scope. SIEMs must also take in the data from an Endpoint Detection and Response (EDR) tool, and they can hoover up nearly anything that a security team wants—from printer logs, to firewall logs, to individual uses of PowerShell.

But just because a SIEM _can_ collect something, doesn’t necessarily mean that it should.

Log activity for an organization of 1,000 employees is tremendous, and the collection of frequent activity could bog down a SIEM with noise, slow down a security team with useless data, and rack up serious expenses for a company.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Microsoft cloud solution architect Jess Dodson about how companies and organizations can set up, manage, and maintain their SIEMs, along with what advertising pitfalls to avoid when doing their shopping. Plus, Dodson warns about one of the simplest mistakes in trying to save budget—setting up arbitrary data caps on collection that could leave an organization blind.

“A small SMB organization … were trying to save costs, so they went and looked at what they were collecting and they found their biggest ingestion point,” Dodson said. “And what their biggest ingestion point was was their Windows security events, and then they looked further and looked for the event IDs that were costing them the most, and so they got rid of those.”

Dodson continued:

> “Problem was the ones they got rid of were their Log On/Log Off events, which I think most people would agree is kind of important from a security perspective.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 SIEM is not storage, with Jess Dodson (Lock and Code S05E16) 

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

Source: Richard Levine via Alamy Stock Photo

Critical API security flaws have put millions of users at risk for account takeover, by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.

That's according to API security firm Salt Security's Salt Labs, which found that by pairing manipulation of the OAuth standard with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.

Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.

"Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances," according to a Salt Labs blog post on the research.

A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.

More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.

**A Modern Authentication Standard Meets an Old Flaw**

OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the "log in with Facebook" or "log in with Google" functionality included in many websites. The standard drives the mechanism responsible for the authentication handoff between the sites, allowing user data to be shared between them. It's been known to be misconfigured upon implementation in ways that create serious vulnerabilities that span numerous sites.

XSS, meanwhile, is one of the most oft-exploited and oldest Web vulnerabilities. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitor's browser for data theft and more.

An attacker who successfully exploits an attack vector that combines the two "will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user," Yaniv Balmas, vice president of research at Salt, tells Dark Reading.

Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.

However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.

"We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue," Balmas says.

**Hotjar Attack**

Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.

On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through OAuth to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.

"To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window," according to the post. "With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to \[the Hotjar site\] with the OAuth code in the URL."

The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victim's code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.

**Exploiting Mobile Logins**

The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.

"This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS," according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.

"What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL," according to the post. "If a victim clicks on that link, their credentials will be passed to a malicious domain."

Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site administrators need to be careful in how they implement OAuth, lest it be used in similar attack scenarios, Balmas says.

"As always, when implementing any new technology, many things need to be considered, including, of course, security," he says. "A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

This year's conference will be a treasure trove of insights for cybersecurity professionals.

Meny Har, CEO & Co-Founder, Opus Security

July 29, 2024

3 Min Read

Source: Anton Gvozdikov via Alamy Stock Photo

COMMENTARY

As always, Black Hat USA 2024 promises to be a treasure trove of insights for cybersecurity professionals. The artificial intelligence craze notwithstanding, vulnerability remediation continues to be the core focus for all sizes of organizations seeking to make security more efficient. Understandably, this year's conference promises a variety of approaches, case studies, and informative discussions on this topic. Here are the seven most illuminating sessions we suggest you attend, for insights on discovering, prioritizing, and patching vulnerabilities: 

**Breaching AWS Accounts Through Shadow Resources**

Speakers: Yakir Kadkoda, Michael Katchinskiy, Ofek Itach   
Date: Wednesday, Aug. 7, 10:20 a.m.-11 a.m.   
Tracks: Cloud security, enterprise security

Did you know that six critical vulnerabilities in Amazon Web Services (AWS) have the potential to lead to severe breaches, including remote code execution and information disclosure? This session dives into a methodology for discovering these vulnerabilities, and the speakers will introduce a new open source tool for researching service internal API calls. This session is essential for understanding and mitigating complex cloud vulnerabilities. 

**Predict, Prioritize, Patch: How Microsoft Harnesses LLMs for Security Response**

Speaker: Bill Demirkapi   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: AI, ML & data science, application security: defense

Joining this session will help you understand more about how Microsoft leverages large language models (LLMs) to streamline security response workflows. Hear about practical applications of LLMs for deriving vulnerability information, predicting report severity, and generating root causes from crash dumps. This is a seminal session for organizations looking to enhance their vulnerability management with AI. 

**Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction**

Speakers: Adnan Khan, John Stawinski   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Enterprise security, application security: offense

This technical deep dive addresses the security risks associated with self-hosted CI/CD runners, highlighting critical vulnerabilities discovered in GitHub and other platforms. Attendees will learn how to defend against pipeline poisoning and privilege escalation attacks, which are vital for securing the software development life cycle. 

**The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)**

Speaker: Liv Matan   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Cloud security, application security: offense

Explore how a single faulty command in Google Cloud Platform (GCP) led to a critical RCE vulnerability, affecting millions of servers. This session will provide insights into the complexity of cloud services and present tools for uncovering hidden APIs used by cloud providers. Security leaders managing cloud security in their organizations and seeking to understand cloud service vulnerabilities will find this talk invaluable. 

**Will We Survive the Transitive Vulnerability Locusts?**

Speakers: Eyal Paz, Liad Cohen   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: defense, exploit development & vulnerability discovery

Learn about the risk of transitive dependencies in software projects, with speakers clearly demonstrating how these vulnerabilities can be exploited. Attendees will learn practical strategies for mitigating these risks and prioritizing vulnerabilities in their threat model, which is crucial for secure software development. 

**Break the Wall From Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls**

Speakers: Qi Wang, Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: offense, cloud security

Discover how protocol-level evasion vulnerabilities in WAFs can be exploited to bypass security measures. This session introduces WAF Manis, a novel testing framework that uncovered 311 evasion cases and could be extremely useful for those looking to strengthen their Web application defenses against sophisticated attacks. 

**Are Your Backups Still Immutable, Even Though You Can't Access Them?**

Speakers: Ryan Kane, Rushank Shetty   
Date: Thursday, Aug. 8, 3:20 p.m.-4 p.m.   
Tracks: Enterprise security, application security: offense

This session explores the security of immutable backups, highlighting how attackers can target the infrastructure hosting backup data. Learn the processes, failures, and successes in testing immutable backups, crucial for ensuring data resilience against ransomware attacks.

These sessions and many others on vulnerability remediation are a testament to the growing importance of building a culture of proactive security, by addressing the constantly evolving attack surfaces and staying vigilant. Ensuring that you have a robust vulnerability remediation process is a critical and vital security checkpoint in your organization's security posture. 

**About the Author(s)**

CEO & Co-Founder, Opus Security

Meny Har is the CEO and co-founder of Opus Security, a cloud-native security remediation platform, helping security teams orchestrate remediation processes from start to fix. Before founding Opus, he was part of the founding team and vice president of product with the cloud-native SOAR platform Siemplify, which was acquired by Google Cloud in January 2022. Meny has more than 15 years of cybersecurity experience, with a proven track record of building, validating, and scaling successful products.

7 Sessions Not to Miss at Black Hat USA 2024

An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various legitimate companies.
"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive

An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.

"These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details," Guardio Labs researcher Nati Tal said in a detailed report shared with The Hacker News.

The cybersecurity company has given the campaign the name **EchoSpoofing**. The activity is believed to have commenced in January 2024, with the threat actor exploiting the loophole to send as many as three million emails per day on average, a number that hit a peak of 14 million in early June as Proofpoint began to enact countermeasures.

"The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from those companies," Tal told the publication.

"This EchoSpoofing concept is really powerful. It's kind of strange it is being used for large-scale phishing like this instead of a boutique spear-phishing campaign – where an attacker can swiftly take any real company team member's identity and send emails to other co-workers – eventually, through high-quality social engineering, get access to internal data or credentials and even compromise the entire company.

The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that it complies with authentication and security measures such as SPF and DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed to prevent attackers from imitating a legitimate domain.

It all goes back to the fact that these messages are routed from various adversary-controlled Microsoft 365 tenants, which are then relayed through Proofpoint enterprise customers' email infrastructures to reach users of free email providers such as Yahoo!, Gmail, and GMX.

This is the result of what Guardio described as a "super-permissive misconfiguration flaw" in Proofpoint servers ("pphosted.com") that essentially allowed spammers to take advantage of the email infrastructure to send the messages.

"The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations' outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow," Proofpoint said in a coordinated disclosure report shared with The Hacker News.

"Any email infrastructure that offers this email routing configuration feature can be abused by spammers."

Put differently, an attacker can weaponize the shortcoming to set up rogue Microsoft 365 tenants and deliver spoofed email messages to Proofpoint's relay servers, from where they are "echoed back" as genuine digital missives impersonating the customers' domains.

This, in turn, is accomplished by configuring the Exchange Server's outgoing email connector directly to the vulnerable pphosted.com endpoint associated with the customer. Furthermore, a cracked version of a legitimate email delivery software called PowerMTA is used for sending the messages.

"The spammer used a rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to Proofpoint-hosted customer servers," Proofpoint said.

"Microsoft 365 accepted these spoofed messages and sent them to these customers' email infrastructures to be relayed. When customer domains were spoofed while relaying through the matching customer's email infrastructure, DKIM signing was also applied as the messages transited through the Proofpoint infrastructure, making the spam messages more deliverable."

It's being suspected that EchoSpoofing was intentionally chosen by the operators as a way to generate illegal revenue as well as avoid the risk of exposure for extended periods of time, as directly targeting the companies via this modus operandi could have drastically increased the chances of getting detected, effectively imperiling the entire scheme.

That having said, it's currently not clear who is behind the campaign. Proofpoint said the activity does not overlap with any known threat actor or group.

"In March, Proofpoint researchers identified spam campaigns being relayed through a small number of Proofpoint customers' email infrastructure by sending spam from Microsoft 365 tenants," it said in a statement. "All analyses indicate this activity was conducted by one spam actor, whose activity we do not attribute to a known entity."

"Since discovering this spam campaign, we have worked diligently to provide corrective instructions, including implementing a streamlined administrative interface for customers to specify which M365 tenants are allowed to relay, with all other M365 tenants denied by default."

Proofpoint emphasized that no customer data was exposed, nor did any of them experience loss of data, as a result of these campaigns. It further noted that it reached out to some of its customers directly to change their settings to stop the effectiveness of the outbound relay spam activity.

"As we started to block the spammer's activity, the spammer accelerated its testing and moved quickly to other customers," the company pointed out. "We established a continuous process of identifying the customers affected each day, re-prioritizing outreach to fix configurations."

To cut down on spam, it's urging VPS providers to limit their users' ability to send large volumes of messages from SMTP servers hosted on their infrastructure. It's also calling on email service providers to restrict the capabilities of free trial and newly created unverified tenants to send bulk outbound email messages as well as prevent them from sending messages that spoof a domain for which they do not have proven ownership.

"For CISOs, the main takeaway here is to take extra care of their organization's cloud posture – specifically with the use of 3rd party services that become the backbone of your company's networking and communication methods," Tal said. "Specifically in the realm of emails, always maintain a feedback loop and control of your own – even if you trust your email provider fully."

"And as for other companies providing this kind of backbone services – just like Proofpoint did, they must be vigilant and proactive in thinking of all possible types of threats in the first place. Not only threats that directly affect their customers but the wider public as well.

"This is crucial for the safety of all of us and companies that create and operate the backbone of the internet, even if privately held, have the highest responsibility on it. Just like one said, in a different context entirely yet so relevant here: 'With great powers, comes great responsibility.'"

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#microsoft