Red Hat Security Advisory 2024-1305-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1305.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1305-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1305Issue date:         2024-03-13Revision:           03CVE Names:          CVE-2023-45234====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for VirtualMachines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.Security Fix(es):* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45234References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1305-03

Red Hat Security Advisory 2024-1278-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include out of bounds write and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1278.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch security update  
Advisory ID:        RHSA-2024:1278-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1278  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2023-3390  
====================================================================

Summary: 

An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-3390

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908

Red Hat Security Advisory 2024-1278-03

February 2024 is likely to be remembered as one of the most turbulent months in ransomware history.

_This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. But February didn’t just bring unprecedented numbers, but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds.

Before we dive into the two biggest stories of the month, however, let’s start with a quick overview of other significant ransomware developments, including a new Coveware report revealing a record low of 29% of victims paying ransoms in the last quarter of 2023.

A few years ago, paying ransomware attackers was almost a given—85% of hit organizations in early 2019 felt they had no choice. But fast forward to 2024, and Coveware data suggests that that trend has completely reversed—not only have the number of victims paying dropped but so have the dollar amounts of actual ransom payments. In other words, we’re seeing fewer and smaller ransomware payouts than ever before. 

At first glance, the trend appears counterintuitive: with global ransomware attacks hitting record highs annually, one might expect a proportional increase in the number of victims choosing to pay a ransom. But as it turns out, all the attention on ransomware is effectively shooting attackers in the foot: the more these attacks make headlines, the more businesses understand ransomware as a prime threat, leading to improved security measures that can allow victims to recover from an attack without paying a ransom. Also discouraging payments are increasing doubts about cybercriminals’ reliability and stricter anti-ransom laws.

But all of this begs the question: with fewer payments, will ransomware gangs adapt their strategies to remain a threat, or will the decrease in successful ransoms lead to a decline in attacks as they seek more lucrative avenues? Will ransomware attacks always remain profitable, albeit less so over time? The report raises just about as many questions as it answers. 

Our prediction? Ransomware gangs aren’t backing down any time soon; in fact, they’ll likely continue getting more inventive in pressuring companies to pay up. Our coverage on “big game ransomware” showed ransomware gangs aren’t just hiking up demands when companies resist paying, they’re also turning to more aggressive tactics. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.

In other words, despite fewer companies paying up, we foresee ransomware attackers compensating with higher ransom demands and more sophisticated, aggressive negotiation tactics.

Known ransomware attacks by gang, February 2024

Known ransomware attacks by country, February 2024

Known ransomware attacks by industry sector, February 2024

In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. Coincidentally, a day after these reports were published, there was news of ALPHV’s severe attack on Change Healthcare, one of the largest healthcare technology companies in the US.

The report indicated that since mid-December 2023, out of nearly 70 leaked victims, the healthcare sector has been ALPHV’s most frequent target. This seems to be a response to the ALPHV Blackcat administrator’s encouragement for its affiliates to target hospitals following actions against the group and its infrastructure in early December 2023.

The Roman historian Tacitus once said, “Crime, once exposed, has no refuge but in audacity.” Well, the exposure of ALPHV’s crimes has seemingly emboldened them further, pushing them to undertake even more brazen acts of revenge against the very institutions aiming to curb their criminal activities. At the end of the day, ALPHV’s actions are unsurprisingly petty, pointless, and endanger human lives, but they at the very least they hint at the group’s last desperate gasps for relevance.

On the vulnerability front, ransomware gangs like Black Basta, Bl00dy, and LockBit were seen exploiting vulnerabilities in ConnectWise ScreenConnect last month that exposed servers to control by attackers. It appears that almost every other month, our ransomware reviews uncover a new vulnerability being exploited with great success—whether it was MOVEit in the summer of 2023 or Citrix Bleed at the end of 2023. The vulnerabilities in ScreenConnect are once again part of this broader trend we’ve noticed of ransomware gangs finding ever-new points of entry—perhaps even more quickly and extensively than in previous years.

**LockBit down, ALPHV out**

February 2024 is likely to be remembered for years as the month when two of the most dangerous ransomware gangs in the world suffered some serious turbulence.

LockBit has been the preeminent ransomware menace since the demise of Conti in spring 2022, but for the first time there are serious reasons to doubt its status and longevity. On February 19, the ransomware gang’s dark web site announced “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

What followed was something quite unique in the annals of ransomware takedowns. Alongside the usual dry press releases, the law enforcement agencies responsible used the site it had acquired to showcase the details of what it had done.

The LockBit dark web site was subverted by law enforcement

It was an act of exquisite trolling that looked designed to damage the LockBit brand by humiliating it in the eyes of its peers and affiliates.

There was substance to the disruption too—some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.”

LockBit quickly established a new site and insisted everything was fine in exactly the way that people do when things aren’t fine, by releasing a stream of concious 3,000-word essay that explained precisely how fine things were, thanks. It remains to be seen if LockBit’s rebound will last. When ransomware gangs start to feel the hot breath of law enforcement on their neck a rebrand normally follows.

LockBit’s main rival, ALPHV, used February to demonstrate an alternative ending. It decided to leave the ransomware world behind by ripping off its own customers (which are really just affiliates in crime) in a sloppily executed exit scam. ALPHV had suffered its own brush with law enforcement in December and, like LockBit, appeared to have recovered.

Perhaps it was spooked by its brush with the feds, or perhaps the $22 million ransom an affiliate extracted from its devastating attack on Change Healthcare was just too hard to resist. Whatever the reason, ALPHV cut and ran, taking the cash and leaving its criminal affiliates high and dry. A half-hearted attempt to pin the blame for its disappearance on the FBI fooled no one.

The ALPHV gang faked a law enforcement seizure of its website

**Preventing Ransomware**

Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough. 

Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through. 

Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood. 

The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.

****How ThreatDown Addresses Ransomware****

ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:

*   Advanced Web Protection: Blocking phishing websites ransomware gangs use for initial access.
*   RDP Shield: Securing remote access points with Brute Force Protection.
*   Continuous Vulnerability Scanning and Patch Management: Identifying and patching weaknesses before ransomware gangs can exploit them.
*   Sophisticated EDR: Detecting and neutralizing advanced threats such as LockBit within the network.
*   Ransomware Rollback: Reversing the impact of any successful attacks.

ThreatDown EDR detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Ransomware review: March 2024 

Red Hat Security Advisory 2024-1268-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service. Issues addressed include null pointer, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1268.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:1268-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1268  
Issue date:         2024-03-12  
Revision:           03  
CVE Names:          CVE-2022-3545  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: nf_tables: stack-out-of-bounds-read in nft_byteorder_eval() (CVE-2023-35001,ZDI-CAN-20721)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982,Downfall)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

* kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip   (CVE-2022-41858)

* kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* kernel: use-after-free in l2cap_sock_release in net/bluetooth/l2cap_sock.c (CVE-2023-40283)

* kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

* kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: UAF in nftables when nft_set_lookup_global triggered after handling named and anonymous sets in batch requests (CVE-2023-3390)

* kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)

Bug Fix(es):

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (JIRA:RHEL-1203)

* How to reduce or prevent thousands of kworker/events_freezable_power_efficient threads being created every time multipath -ll is run (JIRA:RHEL-15054)

* kernel: net/sched: sch_hfsc UAF (JIRA:RHEL-16461)

* [SanityOnly][kernel]BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (JIRA:RHEL-6126)

* kernel: hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (JIRA:RHEL-9246)

* ipoib mcast lockup fix (JIRA:RHEL-19695)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-3545

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2144379  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2213260  
https://bugzilla.redhat.com/show_bug.cgi?id=2220892  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2231800  
https://bugzilla.redhat.com/show_bug.cgi?id=2237757  
https://bugzilla.redhat.com/show_bug.cgi?id=2241924  
https://bugzilla.redhat.com/show_bug.cgi?id=2244723  
https://bugzilla.redhat.com/show_bug.cgi?id=2245514  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139

Red Hat Security Advisory 2024-1268-03

The Pentagon says it’s not hiding aliens, but it stops notably short of saying what it is hiding. Here are the key questions that remain unanswered—some answers could be weirder than UFOs.

But what, then, were those programs? Herein lies the most intriguing—and potentially ground-breaking—question that the Pentagon study leaves us wondering: What exactly are the secret compartmentalized programs that the whistleblowers and government witnesses _misidentified_ as being related to UAP technology? What, exactly, are the Pentagon, intelligence community, or defense contractors working on that, from a concentric circle or two away inside the shadowy world of SAPs, looks and sounds like reverse-engineering out-of-this-world technology or even studying so-called “non-human biologics”?

There are at least four clear possibilities.

Secret Tech From Foreign Nations

First, what exotic technological possibilities have been recovered from unknown _terrestrial_ sources? For example, if the government is working on reverse-engineering technologies, those technologies are likely from advanced adversary nation-states like China, Russia, and Iran, and perhaps even quasi-allies like Israel that may be more limited in their technology-sharing with the US. What have other countries mastered that we haven’t?

A Question of ‘Peculiar Characteristics’

Second, what technologies has the US mastered that the public doesn’t know about? One of the common threads of UFO sightings across decades have been secret military aircraft and spacecraft in development or not yet publicly acknowledged. For example, the CIA estimated that the U-2 spy plane in the 1950s accounted for as much as half of reported UFO sightings. And the AARO report spends a half-dozen pages documenting how confusion over subsequent generations of secret US government aircraft appear to have also contributed to the great intergalactic game of telephone of UFO programs inside the government, including modern Predator, Reaper, and Global Hawk drones. AARO investigated one claim where a witness reported hearing a former US military service member had touched an extraterrestrial spacecraft, but when they tracked down the service member, he said that the conversation was likely a garbled version of the time he touched an F-117 Nighthawk stealth fighter at a secret facility.

There are surely other secret craft still in testing and development now, including the B-21 stealth bomber, which had its first test flight in November and is now in testing at Edwards Air Force Base in California, as well as others we don’t know about. The government can still surprise us with unknown craft—like the until-then-unknown modified stealthy helicopter left behind on the Pakistan raid to kill Osama bin Laden. And some of these still-classified efforts are likely causing UFO confusion too: AARO untangled one witness’s claim of spotting a UAP with “peculiar characteristics” at a specific time and place and were able to determine, “at the time the interviewee said he observed the event, the DOD was conducting tests of a platform protected by a SAP. The seemingly strange characteristics reported by the interviewee match closely with the platform’s characteristics, which was being tested at a military facility in the time frame the interviewee was there.” So what was that craft—and what were its “peculiar characteristics?”

Relatedly, the US military has a classified spaceship, the X-37B, that has regularly orbited around the Earth since its first mission in 2010—it just blasted off on its seventh and most recent mission in December—and its previous, sixth, mission lasted a record-breaking 908 days in orbit. The Pentagon has said remarkably little about what it does up there for years at a time. What secret space-related or aviation-related programs is the government running that outsiders confuse as alien spacecraft?

A Material Matter

The third likely area of tech development that might appear to outsiders to be UFO-related is more speculative basic research and development: What propulsion systems or material-science breakthroughs are defense contractors at work on right now that could transform our collective future? Again, AARO found such confusion taking place: After one witness reported hearing that “aliens” had observed one secret government test, AARO traced the allegation back to find “the conversation likely referenced a test and evaluation unit that had a nickname with ‘alien’ connotations at the specific installation mentioned. The nature of the test described by the interviewee closely matched the description of a specific materials test conveyed to AARO investigators.” So what materials were being tested there?

There are some puzzling materials-science breadcrumbs wrapped throughout the AARO report. It found one instance where “a private sector organization claimed to have in its possession material from an extraterrestrial craft recovered from a crash at an unknown location from the 1940s or 1950s. The organization claimed that the material had the potential to act as a THz frequency waveguide, and therefore, could exhibit ‘anti-gravity’ and ‘mass reduction’ properties under the appropriate conditions.” Ultimately, though, the new report concluded, “AARO and a leading science laboratory concluded that the material is a metallic alloy, terrestrial in nature, and possibly of USAF \[US Air Force\] origin, based on its materials characterization.”

A Knowledge Limit

Fourth and lastly is the category of the truly weird: Scientists at the forefront of physics point out that we should be humble about how little of the universe we truly understand; as Harvard astronomy chair Avi Loeb explains, effectively all that we’ve learned about relativity and quantum physics has unfolded in the span of a single human lifespan, and astounding new discoveries continue to amaze scientists. Just last summer, scientists announced they’d detected for the first time gravitational waves criss-crossing the universe that rippled through space-time, and astrophysicists continue to suspect that the universe is far weirder than we think. (Italian astrophysicist Carlo Rovelli last year posited the existence of “white holes” that would be related to black holes, which, he pointed out, were still a mystery just 25 years ago when he was starting his career.)

Answers here could be almost unfathomably weird—think parallel dimensions or the ability to travel at a fraction of the speed of light. And one of the most intriguing questions left by the UAP “game of telephone” is whether there are truly astounding advances in physics that government scientists, defense contractors, or research laboratories or centers could be feeling around that could also appear from the outside to be UFO-related.

The 4 Big Questions the Pentagon’s New UFO Report Fails to Answer

This week on the Lock and Code podcast, we speak with Leigh Honeywell about the cybersecurity defenses to online harassment.

_This week on the Lock and Code podcast…_

A disappointing meal at a restaurant. An ugly breakup between two partners. A popular TV show that kills off a beloved, main character.

In a perfect world, these are irritations and moments of vulnerability. But online today, these same events can sometimes be the catalyst for hate. That disappointing meal can produce a frighteningly invasive Yelp review that exposes a restaurant owner’s home address for all to see. That ugly breakup can lead to an abusive ex posting a video of revenge porn. And even a movie or videogame can enrage some individuals into such a fury that they begin sending death threats to the actors and cast mates involved.

Online hate and harassment campaigns are well-known and widely studied. Sadly, they’re also becoming more frequent.

In 2023, the Anti-Defamation League revealed that 52% of American adults reported being harassed online at least some time in their life—the highest rate ever recorded by the organization and a dramatic climb from the 40% who responded similarly just one year earlier. When asking teens about _recent_ harm, 51% said they’d suffered from online harassment in strictly the 12 months prior to taking the survey itself—a radical 15% increase from what teens said the year prior.

The proposed solutions, so far, have been difficult to implement.

Social media platforms often deflect blame—and are frequently shielded from legal liability—and many efforts to moderate and remove hateful content have either been slow or entirely absent in the past. Popular accounts with millions of followers will, without explicitly inciting violence, sometimes draw undue attention to everyday people. And the increasing need to have an online presence for teens—even classwork is done online now—makes it near impossible to simply “log off.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Tall Poppy CEO and co-founder Leigh Honeywell, about the evolution of online hate, personal defense strategies that mirror many of the best practices in cybersecurity, and the modern risks of accidentally becoming viral in a world with little privacy.

> “It’s not just that your content can go viral, it’s that when your content goes viral, five people might be motivated enough to call in a fake bomb threat at your house.”
> 
> Leigh Honeywell, CEO and co-founder of Tall Poppy

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Going viral shouldn&#8217;t lead to bomb threats, with Leigh Honeywell: Lock and Code S05E06 

Meta has offered details on how it intends to implement interoperability in WhatsApp and Messenger with third-party messaging services as the Digital Markets Act (DMA) went into effect in the European Union.
“This allows users of third-party providers who choose to enable interoperability (interop) to send and receive messages with opted-in users of either Messenger or WhatsApp – both designated

Meta Details WhatsApp and Messenger Interoperability to Comply with EU's DMA Regulations

Red Hat Security Advisory 2024-1195-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1195.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:1195-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1195Issue date:         2024-03-06Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1195-03

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

The US Treasury Department has sanctioned Predator spyware vendor Intellexa Consortium, and banned the company from doing business in the US.

Predator can turn infected smartphones into surveillance devices. Intellexa is based in Greece but the Treasury Department imposed the sanctions because of the use of the spyware against Americans, including US government officials, journalists, and policy experts.

Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said:

> “Today’s actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens.”

Since its founding in 2019, the Intellexa Consortium has marketed the Predator label as a suite of tools created by a variety of offensive cybercompanies that enable targeted and mass surveillance campaigns.

Predator is capable of infiltrating a range of electronic devices without any user interaction (known as ‘zero-click’). Once installed, Predator deploys its extensive data-stealing and surveillance capabilities, giving the attacker access to a variety of applications and personal information on the compromised device. The spyware is capable of turning on the user’s microphone and camera, downloading their files without their knowledge, tracking their location, and more.

Under the sanctions, Americans and people who do business with the US are forbidden from transacting with Intellexa, its founder and architect Tal Dilian, employee Sara Hamou and four of the companies affiliated with Intellexa.

Sanctions of this magnitude leveraged against commercial spyware vendors for enabling misuse of their tools are unprecedented, but the US has expressed concerns about commercial spyware vendors before.

> “A growing number of foreign governments around the world, moreover, have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”

In July 2023, the US Commerce Department’s Bureau of Industry and Security (BIS) added Intellexa and Cytrox AD to the Entity List for trafficking in cyber exploits used to gain access to information systems. Cytrox AD is a North Macedonia-based company within the Intellexa Consortium and acts as a developer of the consortium’s Predator spyware.

The Entity List is a trade control list created and maintained by the US government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten US national security or foreign policy interests.

Earlier this month, a California federal judge ordered spyware maker NSO Group to hand over the code for Pegasus and other spyware products used to spy on WhatsApp users.

While you’ll see Predator and Pegasus usually deployed in small-scale and targeted attacks, putting a stop to the development and deployment of spyware by these commercial entities is good news for everyone.

**How to remove spyware**

Because spyware apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

1.  Open Malwarebytes for Android and navigate to the dashboard
2.  Tap **Scan** **now**
3.  It may take a few minutes to scan your device, but it will tell you if it finds spyware or any other nasties.
4.  You can then uninstall the app.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Predator spyware vendor banned in US 

Ubuntu Security Notice 6679-1 - It was discovered that FRR incorrectly handled certain malformed OSPF LSA packets. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6679-1March 06, 2024frr vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:FRR could be made to crash if it received specially crafted networktraffic.Software Description:- frr: FRRouting suite of internet protocolsDetails:It was discovered that FRR incorrectly handled certain malformed OSPF LSApackets. A remote attacker could possibly use this issue to cause FRR tocrash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   frr                             8.4.4-1.1ubuntu1.3Ubuntu 22.04 LTS:   frr                             8.1-1ubuntu1.9In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6679-1   CVE-2024-27913Package Information:   https://launchpad.net/ubuntu/+source/frr/8.4.4-1.1ubuntu1.3   https://launchpad.net/ubuntu/+source/frr/8.1-1ubuntu1.9

Tag

#sap