Ubuntu Security Notice 6200-2 - USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the problem.

==========================================================================  
Ubuntu Security Notice USN-6200-2  
July 25, 2024

imagemagick vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description:  
- imagemagick: Image manipulation programs and library

Details:

USN-6200-1 fixed vulnerabilities in ImageMagick. Unfortunately these fixes were  
incomplete for Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. This update fixes the  
problem.

Original advisory details:

 It was discovered that ImageMagick incorrectly handled the "-authenticate"  
 option for password-protected PDF files. An attacker could possibly use  
 this issue to inject additional shell commands and perform arbitrary code  
 execution. This issue only affected Ubuntu 20.04 LTS. (CVE-2020-29599)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing PDF files. If a user or automated system using ImageMagick  
 were tricked into opening a specially crafted PDF file, an attacker could  
 exploit this to cause a denial of service. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-20224)

  Zhang Xiaohui discovered that ImageMagick incorrectly handled certain  
 values when processing image data. If a user or automated system using  
 ImageMagick were tricked into opening a specially crafted image, an  
 attacker could exploit this to cause a denial of service. This issue only  
 affected Ubuntu 20.04 LTS. (CVE-2021-20241, CVE-2021-20243)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing visual effects based image files. By tricking a user into  
 opening a specially crafted image file, an attacker could crash the  
 application causing a denial of service. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-20244, CVE-2021-20309)

  It was discovered that ImageMagick incorrectly handled certain values  
 when performing resampling operations. By tricking a user into opening  
 a specially crafted image file, an attacker could crash the application  
 causing a denial of service. This issue only affected Ubuntu 20.04 LTS.  
 (CVE-2021-20246)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing thumbnail image data. By tricking a user into opening  
 a specially crafted image file, an attacker could crash the application  
 causing a denial of service. This issue only affected Ubuntu 20.04 LTS.  
 (CVE-2021-20312)

  It was discovered that ImageMagick incorrectly handled memory cleanup  
 when performing certain cryptographic operations. Under certain conditions  
 sensitive cryptographic information could be disclosed. This issue only  
 affected Ubuntu 20.04 LTS. (CVE-2021-20313)

  It was discovered that ImageMagick did not use the correct rights when  
 specifically excluded by a module policy. An attacker could use this issue  
 to read and write certain restricted files. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2021-39212)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 20.04 LTS. (CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2021-3610, CVE-2023-1906,  
 CVE-2023-3428)

  It was discovered that ImageMagick incorrectly handled certain values  
 when processing specially crafted SVG files. By tricking a user into  
 opening a specially crafted SVG file, an attacker could crash the  
 application causing a denial of service. This issue only affected Ubuntu  
 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-1289)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 tiff file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. This issue only affected Ubuntu  
 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. (CVE-2023-3195)

  It was discovered that ImageMagick incorrectly handled memory under certain  
 circumstances. If a user were tricked into opening a specially crafted  
 image file, an attacker could possibly exploit this issue to cause a denial  
 of service or other unspecified impact. (CVE-2023-34151)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6-common            8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-6.q16hdri           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  imagemagick-common              8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-perl            8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-q16-perl        8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libimage-magick-q16hdri-perl    8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6-headers           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16-8             8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16-dev           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16hdri-8         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-6.q16hdri-dev       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagick++-dev                 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6-headers         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16hdri-6       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-6.q16hdri-dev     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickcore-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6-headers         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16hdri-6       8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-6.q16hdri-dev     8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  libmagickwand-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  perlmagick                      8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5

Ubuntu 20.04 LTS  
  imagemagick                     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6-common            8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6.q16               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-6.q16hdri           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  imagemagick-common              8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-perl            8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-q16-perl        8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libimage-magick-q16hdri-perl    8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6-headers           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16-8             8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16-dev           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16hdri-8         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-6.q16hdri-dev       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagick++-dev                 8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6-headers         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16-dev         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16hdri-6       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-6.q16hdri-dev     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickcore-dev               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6-headers         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16-6           8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16-dev         8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16hdri-6       8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-6.q16hdri-dev     8:6.9.10.23+dfsg-2.1ubuntu11.10  
  libmagickwand-dev               8:6.9.10.23+dfsg-2.1ubuntu11.10  
  perlmagick                      8:6.9.10.23+dfsg-2.1ubuntu11.10

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6200-2  
  https://ubuntu.com/security/notices/USN-6200-1  
  CVE-2023-1289, CVE-2023-34151

Package Information:  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.23+dfsg-2.1ubuntu11.10

Ubuntu Security Notice USN-6200-2

A ransomware group called Dark Angels made headlines this past week when it was revealed the crime group recently received a record $75 million data ransom payment from a Fortune 50 company. Security experts say the Dark Angels have been around since 2021, but the group doesn't get much press because they work alone and maintain a low profile, picking one target at a time and favoring mass data theft over disrupting the victim's operations.

A ransomware group called **Dark Angels** made headlines this past week when it was revealed the crime group recently received a record $75 million data ransom payment from a Fortune 50 company. Security experts say the Dark Angels have been around since 2021, but the group doesn’t get much press because they work alone and maintain a low profile, picking one target at a time and favoring mass data theft over disrupting the victim’s operations.

Image: Shutterstock.

Security firm **Zscaler** **ThreatLabz** this month ranked Dark Angels as the top ransomware threat for 2024, noting that in early 2024 a victim paid the ransomware group $75 million — higher than any previously recorded ransom payment. ThreatLabz found Dark Angels has conducted some of the largest ransomware attacks to date, and yet little is known about the group.

**Brett Stone-Gross**, senior director of threat intelligence at ThreatLabz, said Dark Angels operate using an entirely different playbook than most other ransomware groups. For starters, he said, Dark Angels does not employ the typical ransomware affiliate model, which relies on hackers-for-hire to install malicious software that locks up infected systems.

“They really don’t want to be in the headlines or cause business disruptions,” Stone-Gross said. “They’re about making money and attracting as little attention as possible.”

Most ransomware groups maintain flashy victim leak sites which threaten to publish the target’s stolen data unless a ransom demand is paid. But the Dark Angels didn’t even have a victim shaming site until April 2023. And the leak site isn’t particularly well branded; it’s called **Dunghill Leak**.

The Dark Angels victim shaming site, Dunghill Leak.

“Nothing about them is flashy,” Stone-Gross said. “For the longest time, they didn’t even want to cause a big headline, but they probably felt compelled to create that leaks site because they wanted to show they were serious and that they were going to post victim data and make it accessible.”

Dark Angels is thought to be a Russia-based cybercrime syndicate whose distinguishing characteristic is stealing truly staggering amounts of data from major companies across multiple sectors, including healthcare, finance, government and education. For large businesses, the group has exfiltrated between 10-100 terabytes of data, which can take days or weeks to transfer, ThreatLabz found.

Like most ransom gangs, Dark Angels will publish data stolen from victims who do not pay. Some of the more notable victims listed on Dunghill Leak include the global food distribution firm **Sysco**, which disclosed a ransomware attack in May 2023; and the travel booking giant **Sabre**, which was hit by the Dark Angels in September 2023.

Stone-Gross said Dark Angels is often reluctant to deploy ransomware malware because such attacks work by locking up the target’s IT infrastructure, which typically causes the victim’s business to grind to a halt for days, weeks or even months on end. And those types of breaches tend to make headlines quickly.

“They selectively choose whether they want to deploy ransomware or not,” he said. “If they deem they can encrypt some files that won’t cause major disruptions — but will give them a ton of data — that’s what they’ll do. But really, what separates them from the rest is the volume of data they’re stealing. It’s a whole order of magnitude greater with Dark Angels. Companies losing vast amounts of data will pay these high ransoms.”

So who paid the record $75 million ransom? **Bleeping Computer** posited on July 30 that the victim was the pharmaceutical giant **Cencora** (formerly **AmeriSourceBergen Corporation**), which reported a data security incident to the **U.S. Securities and Exchange Commission** (SEC) on February 21, 2024.

The SEC requires publicly-traded companies to disclose a potentially material cybersecurity event within four days of the incident. Cencora is currently #10 on the Fortune 500 list, generating more than $262 billion in revenue last year.

Cencora did not respond to questions about whether it had made a ransom payment in connection with the February cybersecurity incident, and referred KrebsOnSecurity to expenses listed under “Other” in the restructuring section of their latest quarterly financial report (PDF). That report states that the majority of the $30 million cost in “Other” was associated with the breach.

Cencora’s quarterly statement said the incident affected a standalone legacy information technology platform in one country and the foreign business unit’s ability to operate in that country for approximately two weeks.

Cencora’s 2024 1st quarter report documents a $30 million cost associated with a data exfiltration event in mid-February 2024.

In its most recent State of Ransomware report (PDF), security firm **Sophos** found the average ransomware payment had increased fivefold in the past year, from $400,000 in 2023 to $2 million. Sophos says that _in more than four-fifths (82%) of cases funding for the ransom came from multiple sources_. Overall, 40% of total ransom funding came from the organizations themselves and 23% from insurance providers.

Further reading: ThreatLabz ransomware report (PDF).

Low-Drama ‘Dark Angels’ Reap Record Ransoms

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery.
The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure.
Attack chains

Malware / Network Security

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery.

The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure.

Attack chains taking advantage of this technique have been observed delivering a cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.

The initial access vector is a phishing email containing a ZIP archive, which includes a URL shortcut file that leads the message recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server.

The shortcut file, in turn, executes next-stage batch scripts responsible for retrieving and executing additional Python payloads, while simultaneously displaying a decoy PDF document hosted on the same WebDAV server to keep up the ruse.

"These scripts executed actions such as launching decoy PDFs, downloading additional malicious payloads, and changing file attributes to avoid detection," eSentire noted.

"A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively."

According to Proofpoint, the phishing lures are written in English, French, Spanish, and German, with the email volumes ranging from hundreds to tens of thousands of messages that target organizations from across the world. The themes cover a broad range of topics such as invoices, document requests, package deliveries, and taxes.

The campaign, while attributed to one cluster of related activity, has not been linked to a specific threat actor or group, but the email security vendor assessed it to be financially motivated.

The exploitation of TryCloudflare for malicious ends was first recorded last year, when Sysdig uncovered a cryptojacking and proxyjacking campaign dubbed LABRAT that weaponized a now-patched critical flaw in GitLab to infiltrate targets and obscure their command-and-control (C2) servers using Cloudflare tunnels.

Furthermore, the use of WebDAV and Server Message Block (SMB) for payload staging and delivery necessitates that enterprises restrict access to external file-sharing services to only known, allow-listed servers.

"The use of Cloudflare tunnels provide the threat actors a way to use temporary infrastructure to scale their operations providing flexibility to build and take down instances in a timely manner," Proofpoint researchers Joe Wise and Selena Larson said.

"This makes it harder for defenders and traditional security measures such as relying on static blocklists. Temporary Cloudflare instances allow attackers a low-cost method to stage attacks with helper scripts, with limited exposure for detection and takedown efforts."

The findings come as the Spamhaus Project called on Cloudflare to review its anti-abuse policies following cybercriminals' exploitation of its services to mask malicious actions and enhance their operational security by means of what's called "living-off-trusted-services" (LoTS).

It said it "observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware

Two US senators accuse carmakers of deceptive language and shifty practices in sharing and resale of driver data.

Source: CC7 via Shutterstock

Two US senators have called on the US Federal Trade Commission (FTC) to hold automakers accountable for sharing driver data without consent, highlighting the growing data privacy challenges — and deceptive verbiage from terms of service — associated with modern smart cars.

In a letter to the FTC (PDF) last week, Sens. Ron Wyden (D-Ore.) and Edward Markey (D-Mass.) used the data-sharing practices of General Motors, Honda, and Hyundai as symptomatic of an industrywide problem that needs immediate investigation.

**Data Sharing Without Consent**

All three vendors collected and sold driver information such as acceleration and braking data to Verisk, a data analytics company that used the information to prepare driver behavior reports that it then resold to insurance companies. By their own account, none of the automakers obtained informed consent from customers before sharing their information. Instead, they deliberately obscured their data-sharing relationship with Verisk in lengthy disclosures and made deceptive claims about how they would use driver data, the senators charged.

"The FTC should hold accountable the automakers, which shared their customers' data with data brokers without obtaining informed consent, as well as the data brokers, which resold data that had not been obtained in a lawful manner," their letter noted. "Given the high number of consumers impacted, and the outrageous manipulation of consumers using dark patterns, the FTC should also hold senior company officials responsible for their flagrant abuse of their customers' privacy."

The letter highlights just one aspect of what many say is a rapidly growing set of security and privacy issues around modern, highly connected software-defined vehicles. While such vehicles offer increased automation, autonomous capabilities, and highly customizable user experiences, they also collect an enormous amount of data that can be hard to protect and secure.

"Your vehicle knows your name, your home address, your debit/credit card info, how fast you drive, how hard you brake, what you ask its voice assistant, the locations you frequent and at what times," says Riley Keehn, lead regulatory and government affairs consultant for SBD Automotive, an automotive research and consulting firm. "Certain occupant detection and automated driving cameras and sensors can even see you and your surroundings."

The onboard storage of this sheer volume of personal and identifying information (PII) and sensitive data types make drivers and their vehicles the direct targets of cyberattacks. These attacks can happen via hardwired systems like the OBD-II port or even the headlights, connections to the vehicle via shared and insecure Wi-Fi networks, through electric vehicle charging stations, compromised aftermarket components, and other means, Keehn says.

Some of these risks can be addressed via security-by-design approaches and the implementation of industry best practices and regulations, such as UN R155 on Cybersecurity Management Systems (CSMS) and UN R156 on Software Update Management Systems (SUMS), ISO/SAE 21434:2021 on Cybersecurity Engineering for Road Vehicles, and other international and regional requirements, she notes.

**A Complete Lack of Consumer Privacy Protections?**

But where things can get messy is what happens to personal data after a vehicle collects it. "The US still lacks a comprehensive, general data privacy regulation comparable to the EU's GDPR, China's PIPL/DSL/CSL framework, and other global regulations that have adopted the GDPR's model and stringency," Keehn says.

The US largely relies on sector-specific regulations, such as HIPAA in healthcare, to address unique data privacy and security requirements. Individual states have filled that gap with their own data privacy laws, creating a patchwork of inconsistent rules, often exempting certain sectors and technologies. While some states may have clear requirements for how an original equipment manufacturer (OEM) must handle the storage, collection, sharing, and sale of data, other states may have different requirements or none at all, she says.

"This inconsistency and lack of national guidance in the US creates a host of risks at the business level and can foster an OEM culture where security stops with the vehicle," Keehn adds.

**Can the FTC Really Drive Change?**

David Brumley, CEO of software security firm ForAllSecure, says car companies should be required to ask for informed consent from drivers to share their information for advertising or for any other purpose not specific to delivering a required feature. 

"Over-the-air software updates? Probably being served from Amazon or Google. Maps? Probably from a third-party. Accurate position? It's not just GPS; often it's assisted with other metadata — like Swift Navigation — to increase accuracy," Brumley notes.

A car vendor might require some data, like location information, for instance, to provide services such as roadside assistance, traffic warnings, and autonomous driving. So there needs to be separate consent requirement for sharing such data and for sharing data for pure profit reasons, he says. "Second, we need a law that says companies must not limit functionality when someone opts out," he adds. "Someone shouldn't be able to force your consent so you can keep driving to work."

Brumley says it's unrealistic, however, to expect the FTC to drive much change. "They don't exercise their regulatory powers in other domains, and instead rely on free-market" dynamics, which won't help here, he says. "Where we may get a bump is EU regulations, which tend to be stricter.  We also need consumers to speak up that it impacts their buying decisions."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Smart Cars Share Driver Data, Prompting Calls for Federal Scrutiny

AMPLE BILLS version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : AMPLE BILLS v1.0 XSS Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : app/invoice/mpdf/examples/formsubmit.php?1<ScRiPt>prompt(913011)</ScRiPt>[+] http://localhost/ample/app/invoice/mpdf/examples/formsubmit.php?1%3CScRiPt%3Eprompt(913011)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AMPLE BILLS 1.0 Cross Site Scripting

The fake updates are part of a phishing and fraud surge that is both more voluminous and more targeted that the usual activity around national news stories.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Scam alert: Cybercriminals are using last week's CrowdStrike outage as a vehicle for social engineering attacks against the security vendor's customers.

In the hours after the event that grounded planes, shuttered stores, closed down medical facilities, and more, national cybersecurity agencies in the US, UK, Canada, and Australia all reported follow-on phishing activity by petty criminals. That much is to be expected after any national news event. But, says BforeAI CEO Luigi Lenguito, these post-CrowdStrike attacks are both more copious and more targeted than those typically seen after major media stories.

For reference, "in the attack last week on Trump, we saw a spike on the first day of 200 \[related cyber threats\] and then it flattened to 40, 50 a day," he says. "Here, you're looking at a spike that is three times as big. We're seeing about 150 to 300 attacks per day. I would say this is not the normal volume for news-related attacks."

**Profile of a CrowdStrike-Themed Scam**

"The philosophy is: We have these large corporations' users who are lost, because their computers cannot connect to the mothership, and now they're trying to get connected. It's a perfect opportunity for cybercriminals to get back into these networks," Lenguito explains.

This makes CrowdStrike-themed phishing attacks characteristically different from, say, Trump assassination-themed ones. They're much more targeted — aimed at organizations affected by the outage — and potential victims are more technically adept and educated in cybersecurity than your average bear.

To convince those people to let them in, attackers have been masquerading as either the company itself, related technical support, or competing companies with their own "offerings."

The evidence lies in phishing and typosquatting domains registered in recent days, like crowdstrikefix\[.\]com, crowdstrikeupdate\[.\]com, and www.microsoftcrowdstrike\[.\]com. One security researcher identified more than 2,000 such domains that have been generated thus far.

These domains might be used to distribute malware, like the ZIP file pretending to be a hotfix which was uploaded to a malware scanning service last weekend. The ZIP contained HijackLoader (aka IDAT Loader), which in turn loaded the RemCos RAT. The file was first reported from Mexico, and it contained Spanish-language filenames, indicating that the campaign likely targeted CrowdStrike customers in Latin America.

In another case, attackers distributed a CrowdStrike-themed phishing email with a crudely designed PDF attachment. Inside the PDF was a link to download a ZIP attachment with an executable inside. Once launched, the executable asked the victim for permission to install an update. The update, though, was a wiper. The pro-Hamas hacktivist group "Handala" took responsibility, claiming that "dozens" of Israeli organizations had lost several terabytes of data as a result.

However the threats might arrive, Lenguito says, organizations can protect themselves by using blocklists, protective DNS tools, and by avoiding tech support from anywhere other than CrowdStrike's own website and customer service channels.

Or, perhaps, they can just wait it out. "We're still early, right? We'll probably see it taper over the coming weeks. Generally, what we see is these campaigns have a tendency to last two to three weeks," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

CrowdStrike 'Updates' Deliver Malware &amp; More as Attacks Snowball

Though IE was officially retired in June 2022, the vulnerability ramped up in January 2023 and has been going strong since.

Source: mundissima via Alamy Stock Photo

Check Point earlier this month discovered a remote code execution vulnerability, tracked as CVE-2024-38112, that impacts Microsoft Windows users and different versions of Windows Server.

The attackers used Windows Internet Shortcut files, which call on the retired Internet Explorer to visit a URL with a hidden malicious extension name and controlled by these threat actors. Because users are opening this URL with Internet Explorer, and not more secure browsers like Chrome or Edge, the threat actor has more advantages in exploiting the victim's device.

The threat actors also use a second method where they "make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application," wrote the Check Point researchers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this high-severity vulnerability to its Known Exploited Vulnerabilities Catalog  Catalog, with its score of 7.5 due to its active exploitation, and mandated that all Windows systems within federal agencies must be updated or shut down by July 30.

Other research shows that of the roughly 500,000 endpoints running Windows 10 and 11, more than 10% of those devices are missing endpoint protection controls and almost 9% lack patch management controls, meaning that these organizations have a significant number of blind spots for attackers to exploit. 

Though Microsoft issued a patch on July 9, some exploits of this vulnerability date back more than a year ago, which means organizations need to act quickly in their mitigation efforts.

**About the Author(s)**

Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

Ubuntu Security Notice 6915-1 - It was discovered that poppler incorrectly handled certain malformed PDF. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6915-1  
July 24, 2024

poppler vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

poppler could be made to denial of service if it opened a specially crafted PDF.

Software Description:  
- poppler: PDF rendering library

Details:

It was discovered that poppler incorrectly handled certain malformed PDF.  
An attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libpoppler134                   24.02.0-1ubuntu9.1  
  poppler-utils                   24.02.0-1ubuntu9.1

Ubuntu 22.04 LTS  
  libpoppler118                   22.02.0-2ubuntu0.5  
  poppler-utils                   22.02.0-2ubuntu0.5

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6915-1  
  CVE-2024-6239

Package Information:  
  https://launchpad.net/ubuntu/+source/poppler/24.02.0-1ubuntu9.1  
  https://launchpad.net/ubuntu/+source/poppler/22.02.0-2ubuntu0.5

Ubuntu Security Notice USN-6915-1

The good news: Only organizations far behind on standard Windows patching have anything to worry about.

Source: dennizn via Alamy Stock Photo

A Microsoft Defender SmartScreen vulnerability that was patched in February is still being used in infostealing attacks across the globe.

CVE-2024-21412 — a "high" severity, 8.1 CVSS-scored security bypass bug in SmartScreen — was first disclosed and fixed on Feb. 13. Since then, it has been used in campaigns involving well-known infostealers like Lumma Stealer, Water Hydra, and DarkGate.

Now, five months later, Fortinet has flagged yet another campaign involving two more stealers: Meduza and ACR. Attacks thus far have reached the US, Spain, and Thailand.

Sometimes, organizations take their time updating third-party software. By contrast, "The attackers in this case are taking advantage of software that's native on Microsoft Windows, which would be updated in normal Microsoft patch cycles," notes Aamir Lakhani, global security strategist and researcher at Fortinet. "It's a little unclear and concerning when these vulnerabilities are not patched, because it could indicate there are other Microsoft vulnerabilities that are not being patched as well."

**A CVE-2024-21412 Attack Chain**

If you visit a website, or download a file or program that's known to be unsafe — or is suspicious for any number of other reasons — SmartScreen will step in and present you with that famous blue screen message: "Windows protected your PC." It's a simple, effective way to alert users to potentially dangerous cyber threats.

So consider how useful it would be to an attacker if they could simply disable that notification. This is what CVE-2024-21412 allows them to do.

In the latest campaign identified by Fortinet, the attackers are beating SmartScreen "through the combination of PowerShell trickery and hiding attacks in images and taking advantage of how those images are processed," Lakhani explains.

First, they lure victims with a URL that triggers the download of a shortcut (LNK) file. The LNK downloads an executable with an HTML Application (HTA) script with PowerShell code for retrieving decoy PDF files and malicious code injectors.

One of the injectors is more interesting than the other. After running anti-debugging checks, it downloads a JPG image file, then uses a Windows API to access its pixels and decode its bytes, wherein lies malicious code.

"These types of image-based attacks have been around a long time and, while they aren't as common as other types of attacks we typically observe, we still see them pop up over time because they are quite effective," Lakhani notes. "It's not surprising to see this attack, especially because \[steganography\] detection is often overlooked compared to other attack scenarios."

**Consequences to the Unpatched**

The stealers smuggled in through image files in this case get planted inside of legitimate Windows processes, at which point the gathering and exfiltration of data begins.

The kinds of information they aim for are broad. ACR, for example, steals from dozens of browsers (Google Chrome, Firefox), dozens of crypto wallets (Binance, Ledger Live), messenger apps (Telegram, WhatsApp), password managers (Bitwarden, 1Password), virtual private network (VPN) apps, email clients, file transfer protocol (FTP) clients, and more. 

Only organizations far behind on standard Windows patching have anything to worry about. Clearly, though, those organizations are out there.

"I would understand how individual software updates from smaller companies may be missed, but most organizations have regular Microsoft software patch updates, and this particular vulnerability remains open to attack," Lakhani says. To encourage better patching practices, he adds, "I think in all cases, software vendors need to give users alerts and notifications that critical security patches exist and should be installed when the software is launched or used."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#pdf