With many popular apps, users must hand over personal information to prove their identity, and the big downside is they have no control over how that information gets processed and stored.

Source: Pamela Au via Alamy Stock Photo

Swaths of personal data and documents belonging to users of the world's most popular apps have been exposed online for well over a year now, and may have leaked to cybercriminals a while ago.

The company responsible for the leak, AU10TIX, is based in a suburb of Tel Aviv and specializes in identity verification via personal documents, biometrics, and more. Its customers include major companies like X, TikTok, LinkedIn, Coinbase, eToro, PayPal, Fiverr, Upwork, Bumble, Uber, and others.

Recently, a security researcher discovered exposed credentials that belonged to a network operations center manager at AU10TIX. They included the manager's passwords and tokens for various accounts, including an AU10TIX logging platform, where the company handled data belonging to individuals whose identities it had vetted.

**The Extent of the Damage**

The logging platform data included names, birth dates, nationalities, and images of ID documents such as driver licenses and passports.

Though the researcher limited his snooping, some data fields appeared to indicate the nature and purpose of the stored data, such as a chart with values such as "Impersonation\_XCorp" and "uber-carshare-passport."

He also found proprietary data from the innards of the company's verification tech. One table, for example, contained results of live face scans, with a field rating the "probability" that the user's face was "live" on a scale from 0 to 1. Others measured the authenticity of documents and photos of faces.

Crucially, the exposed credentials seem to have been sucked up by malware back in December 2022, and posted to Telegram in March 2023.

In statements to 404media, AU10TIX initially claimed that "a thorough investigation determined that employee credentials were illegally accessed then and were promptly rescinded." When the publication informed the vendor that the credentials were still exposed online as of this month, 18 months after the fact, the company said it would work to take down the exposed logging system. It also claimed to have notified affected customers, and highlighted that "based on our current findings, we see no evidence that such data has been exploited."

**The Catch-22 for App Users**

Customers today are faced with an unfortunate choice (if it can even be considered a choice). Whether it be a cryptocurrency or payments, social media or dating, in order to use popular apps today, you often must hand over extra-sensitive information and documents that prove your identity. At the same time, you don't have any control over how that information and those documents are processed and stored.

Is there no way to achieve app security without a cost to personal security?

"Companies can adopt several methods for verifying identities that minimize the need to store sensitive documents and personally identifiable information," says Jason Soroko, senior vice president of product at Sectigo. "One approach is tokenization, which involves storing tokens or hashed values representing the documents instead of the actual documents. This reduces the risk in case the storage system is compromised."

"Another method uses zero-knowledge proofs, a cryptographic technique that allows one party to prove to another that they know a value without conveying any information beyond the fact that they know the value. "This can verify identity without exposing the actual data," Soroko explains. "Additionally, decentralized identity verification leverages blockchain technology, enabling users to control their identity information and share only the necessary parts with services that require verification, thereby enhancing privacy and security.

"These methods, while enhancing security and privacy, require careful implementation and ongoing management to avoid introducing new vulnerabilities."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Authenticator for X, TikTok Exposes Personal User Info for 18 Months

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop.

Thursday, June 27, 2024 14:00

AI has since replaced “cryptocurrency” and “blockchain” as the cybersecurity buzzwords everyone wants to hear. 

We're not getting as many headlines about cryptocurrency miners, the security risks or promises of the blockchain, or non-fungible tokens being referenced on “Saturday Night Live.” 

A report in March found that 72% of cryptocurrency projects had died since 2020, with crypto trading platform FTX’s downfall taking out many of them in one fell swoop. This, in turn, means there are fewer instances of cryptocurrency mining malware being deployed in the wild — if cryptocurrencies aren’t as valuable, the return on investment for adversaries just isn’t there.  

But that still hasn’t stopped bad actors from using the cryptocurrency and blockchain spaces to carry out other types of scams that have cost consumers millions of dollars, as a few recent incidents highlight. 

In place of major cryptocurrencies, many bad faith actors are creating “memecoins,” which are cryptocurrencies usually themed around a particular internet meme or character meant to quickly generate hype. The most famous example, Dogecoin, themed after the “Doge” meme, was 72% below its peak value as of Wednesday. 

At one point, Dogecoin was at least worth something, which is more than can be said for most other memecoins launched today. Cryptocurrency news site CoinTelegraph found that one in six newly launched meme-themed cryptocurrencies are outright scams, primarily centered around getting users to spend real-world money to invest in currency before the creator just takes off with their funds. 

And 90% of the memecoins they studied contained at least one security vulnerability that could leave users open to abuse or theft. 

Singer Jason Derulo is even facing allegations that his “JASON” memecoin on the Solana blockchain platform is a scam after it hit a market cap of $5 million on June 23, and then the value fell almost immediately later that day. Separately, someone hacked rapper 50 Cent’s Twitter account to promote the “$GUINT” memecoin. Upon regaining control of his account, 50 Cent said that whoever committed the scam made $3 million in 30 minutes, with consumers putting money into the memecoin thinking it was legitimate, before the creator took off with the money almost immediately, leaving users unable to access their funds. 

Another popular scam still going around in this space is called the “rug pull,” where a cryptocurrency or NFT developer starts to hype up a new project to attract investor funds, only to completely shut down the project days or weeks later, taking investors’ assets with them. 

Blockfence, a Web3 security firm, found a collection of these scammers earlier this year, claiming they had stolen the equivalent of $32 million from more than 42,000 people across multiple rug pull scams. Unmoderated social media platforms have been rife for abuse for these types of scams, with semi-anonymous users with large followings finding it fairly easy to get a large amount of interest in whatever their latest “project” is in a short amount of time.  

The last example, I’m still not sure if it’s a scam yet. A new video game called “Banana” recently blew up on the Steam online store, even though it’s barely a video game. Users can open the game at fixed intervals and click a button to receive a “banana” in their Steam account. Some of these bananas, usually different artists' renderings of an image of the fruit, are extraordinarily rare and can be re-sold on Steam’s internal marketplace for real-world money. 

Some of these bananas have sold for more than $1,000, but most of the basic ones are only worth a few cents. To me, this looks and smells like an NFT. A former cryptocurrency scammer was once even connected to the project before the creators parted ways with him.  

I have no way of knowing any of this for sure, but there doesn’t seem to be any safeguards in place to ensure the creators of the game could rig it for themselves and give only themselves or close friends copies of the rarer items. And I’m not fully sure what the endgame is for the developers, since “Banana” is free to download and “play.”  

Thankfully, I’m not getting as many questions as I used to about NFTs and “the crypto” from extended family members. But just because it’s disappeared from mainstream consciousness doesn’t mean scammers have forgotten about this space, too. 

**The one big thing **

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware. SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. Talos recently revealed SneakyChef’s continuing campaign targeting government agencies across several countries in EMEA and Asia, delivering the SugarGh0st malware, however, we found a new malware we dubbed “SpiceRAT” was also delivered in this campaign.   

**Why do I care? **

SneakyChef has already targeted more than a dozen government ministries across the Eastern Hemisphere. Based on the lure documents Talos discovered the actor using, like targets for the campaign could include the Ministries of Foreign Affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan and the Saudi Arabian embassy in Abu Dhabi. This actor doesn’t seem to be deterred by much, either, as their actions have largely continued in the same manner since Talos first disclosed the existence of SugarGh0st several years ago, using the same TTPs and C2.  

**So now what? **

Talos could not find any of the lure documents used in the wild, so they were very likely stolen through espionage and slightly modified. This could make it more difficult to spot lure documents and spam emails, so users should pay closer attention to the sender’s email address if they are suspicious of any messages. We also released OSQueries, Snort rules and ClamAV signatures that can detect and block SneakyChef’s activities and the SpiceRAT malware.  

**Top security headlines of the week **

**A cyber attack that is stalling communication and sales at car dealerships around the U.S. is unlikely to be restored by the end of the month.** CDK Global, the victim of the campaign, reportedly told customers that they should prepare alternative methods for preparing month-end financial statements. Car dealerships use CDK to conduct sales, process financial information, and look up vehicles’ warranties and recalls. The outage is affecting more than 60 percent of Audi dealerships in the U.S. and about half of Volkswagen’s locations, forcing them to switch to pen-and-paper transactions and contracts or to drop sales altogether. One sales manager of an affected dealership told CNN it could take “months to correct, if not years,” the financial fallout of the outage. CDK first disclosed two back-to-back cyber attacks last week, both of which occurred on June 19. There are already two class action lawsuits against CDK, with plaintiffs alleging that the breach may have exposed customers’ and employees’ names, addresses, social security numbers and other financial information. (Reuters, CNN) 

**The list of victims resulting from a data breach at cloud storage provider Snowflake continues to grow.** Australian ticket sales platform Tiketek informed customers this week of a potential data breach, though it was not immediately clear if it was connected to Snowflake. Retailer Advance Auto Parts also said this week that said employee and applicant data — including social security numbers and other government identification information — were stolen during the breach. Clothing chain Neiman Marcus also filed regulatory documents in Maine and Vermont disclosing that the personal information of more than 64,000 people was potentially accessed because of the Snowflake breach. This information could include names, contact information, dates of birth and gift card numbers for the retailer. Security researchers at Mandiant first estimated that as many as 165 Snowflake customers could be affected. Snowflake says that internal investigations found that the breach was not caused by “a vulnerability, misconfiguration, or breach of Snowflake’s platform." (The Register, The Record by Recorded Future) 

**Adversaries quickly started exploiting another vulnerability in the MOVEit file transfer software, just hours after it was disclosed.** The high-severity vulnerability, CVE-2024-5806, could allow an attacker to authenticate to the file-transfer platform as any valid user with the accompanying privileges. The vulnerability exists because of an improper authentication issue in MOVEit’s SFTP module, which Progress, the creator of the software, says “can lead to authentication bypass in limited scenarios.” A different vulnerability in MOVEit was targeted in a rash of Clop ransomware attacks that eventually affected more than 160 victims, including the state of Maine, the University of California Los Angeles, and British Airways. Managed file transfer software (MFT) like MOVEit are popular targets for threat actors because they contain large amounts of sensitive information, which adversaries will steal and then use to extort victims. The Shadowserver Foundation posted on Twitter on Tuesday that they began seeing exploitation attempts shortly after details emerged about CVE-2024-5806. (Dark Reading, SecurityWeek) 

**Can’t get enough Talos? **

*   Cisco Talos: How Threat Actors Target MFA 
*   MFA plays a rising role in major attacks, research finds 
*   SpiceRAT: Cisco Talos Sound Alarm Over New Trojan 
*   Hack your water and electricity! Myth or Reality? 
*   Multiple vulnerabilities in TP-Link Omada system could lead to root access 
*   Talos Takes Ep. #188: Everything we know about denial-of-service attacks in 2024 

**Upcoming events where you can find Talos **

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 484c74d529eb1551fc2ddfe3c821a7a87113ce927cf22d79241030c2b4a4aa74  
**MD5:** dc30cfd21bbb742c10e3621d5b506780  
**Typical Filename:** KMS-R@1nHook.exe  
**Claimed Product:** N/A  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202  
**MD5:** e4acf0e303e9f1371f029e013f902262  
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe  
**Claimed Product:** FileZilla  
**Detection Name:** W32.Application.27hg.1201

We’re not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.

Source: Color4260 via Shutterstock

Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.

While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept (PoC) exploit available in the wild.

**Patching Alone Is Insufficient**

Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.

The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module. They allow an attacker to potentially impersonate any user on an affected instance and take control of it. One of the flaws, tracked as CVE-2024-5806, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The other, identified as CVE-2024-5805, affects MOVEit Gateway: 2024.0.0.

When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale. Progress quickly upgraded that score to 9.1 after researchers at watchTowr discovered a vulnerability in a third-party component (IPWorks SSH) used in MOVEit Transfer. Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.

In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.

An Internet scan that Censys conducted on June 25 unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806 almost immediately after Progress disclosed the flaw, identified some 1,800 instances online as of June 27.

**Relatively Easy to Exploit**

"Based on our understanding of the vulnerability, exploitation doesn't appear exceptionally difficult," says Emily Austin, principal security researcher at Censys. In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says. "While knowing a valid username might seem like a hurdle, a little OSNIT combined with watchTowr researchers' discovery of a method for enumerating valid MOVEit Transfer instance usernames makes this somewhat trivial," Austin notes.

The new flaws come a year after Progress disclosed CVE-2023-34362, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023. The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating affect last year.

Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1. "The consequences can be devastating because these vulnerabilities allow an attacker to take over the server," Walters says. "With a CVSS score of 9.1 and a PoC available, the vulnerability will likely be added to the toolkit of leading APT groups rather quickly." If the companies that were attacked last time have not ramped up their information security in any way, the consequences for them could well be the same as last time, he warns.

Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023. Even so, instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.

"We don't have a way to see exploitation or patch status of MOVEit Transfer instances, but we know that as of Tuesday, June 25, 2024, there are 2,700 MOVEit Transfer instances exposed to the Internet," Austin says. "This is very similar to the number of MOVEit Transfer exposures we observed around this time last year, suggesting that the tool is still widely used in spite of various security issues."

**Cause for Optimism?**

Despite the severity of the threat, there is still some optimism that the new flaws that Progress disclosed this week — especially CVE-2024-5806 — won't cause quite as much damage as last year's SQL injection flaw because patches are already available.

At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last year's massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard. "That was a zero-day vulnerability, giving threat actors more time to exploit it before a patch became available," he says. "In this case, threat actors have less time because patches are already available; the most that they can do is take advantage of organizations’ delays in patching it, so this window of time is crucial to minimizing its impact."

Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806. "A layered security approach, combining patching with threat intelligence and proactive risk management, is essential," he says. "Organizations can build resilience against evolving cyber threats by prioritizing a multifaceted approach to security.”

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers

Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.

Source: peter galleghan via Alamy Stock Photo

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It's a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

**Step 1: Set Up a Fake Base Station**

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

"Base stations advertise their presence in a particular area by broadcasting 'sib1' messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms," explains Penn State assistant professor Syed Rafiul Hussain. "They're just plaintext messages. So there's no way that a phone or a device can check whether it's coming from a fake tower."

Setting up a fake tower isn't as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, "People can purchase them online — they're easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station." Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. "By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength," Hussain says.

**Step 2: Exploit a Vulnerability**

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

This processor in question is used in the majority of devices manufactured by two of the world's biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted "registration accept" message and initiate a connection. At this point the attacker becomes the victim's Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device's location, and perform denial of service (DoS).

**How to Secure 5G**

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

It's unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

"It's a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower," Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, "They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers."

"This is the root of all evil," Hussain adds.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

Source: The X FilePhoto via Adope Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security. With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE). The guidance also tackles remote access, virtual private network (VPN) deployment, and remote access misconfiguration, as well as threats and vulnerabilities associated with VPN and conventional remote access deployments.

*   Zero trust: Based on the principle "never trust, always verify," the zero-trust approach focuses on making sure users are authenticated, authorized, and validated before providing access to data and applications. Implementing zero trust can cut the risk of data breaches by around 50%, CISA said.
    
*   SSE: SSE combines features such as cloud access security brokers (CASBs), secure Web gateways (SWGs), and zero-trust network access (ZTNA). Organizations using SSE witnessed a 40% reduction in security incidents and a 30% improvement in network performance, CISA said.
    
*   SASE: SASE broadens SSE's functionality to provide users with secure, optimized access to data and applications, regardless of their physical locations. Deploying SASE improves network agility by 35% and reduces operational costs by 25%, according to CISA.
    

**Network Best Practices**

CISA and its partners also recommended ways to optimize network security:

*   Continuous monitoring and assessment: Organizations need to implement continuous monitoring to identify user activity and network traffic to detect and respond to threats in real time.
    
*   Multifactor authentication (MFA): As several recent breaches have shown, adding MFA for an extra layer of user authentication will help block many security threats.
    
*   Regular security audits: Look for vulnerabilities by conducting regular security audits and penetration testing on the network.
    

**About the Author(s)**

CISA Releases Guidance on Network Access, VPNs

Debian Linux Security Advisory 5721-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5721-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 26, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : ffmpeg  
CVE ID         : CVE-2022-48434 CVE-2023-50010 CVE-2023-51793  
                 CVE-2023-51794 CVE-2023-51798

Several vulnerabilities have been discovered in the FFmpeg multimedia  
framework, which could result in denial of service or potentially the  
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7:4.3.7-0+deb11u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZ8XGAACgkQEMKTtsN8  
TjayWQ//WBpVVtgWkhyjdpro2pRqJ1gOoRJHzHrx0NHBg1Taz1xL5UPj3YTzFJsf  
h73nAlbqe4uf4NjdcOzRjqsTEVXzIAyV34hh+4R0q9ct13e4f/iDxXKFlm/dNmux  
Lyx1lqT0C9yr7//XORM7zW3t7zaBMr/ZDzodw5ecndIqlqGoEH6IhPPAsPE2L2GA  
bFsN4RUeeI3XLbabWnGTB0DdAV/6oU7S9zb7D8uWuM351q9ihRloIQUNuWJdA2Te  
di85QDZdcM78BCIYwZ8gQpvimZG2GyF2erZni/qaOtp8JmhYHD9BdeIEe3fCNmeM  
R7FkNPHgr/f+h3Gu5/wXOutwtyswxH19R1GkdchPd3NtJhHeu1CY9Wf4OboCReCr  
x4N4Tqw36DUzGOy5mAdDfMyulli/bG5hItLG9krk2mNBI421xRnaSYzG2kvcUqNL  
FtxTPyhsr9Rh105y2eQjWjekTW4V8e/CdAvK/YkOgUtPqNob2LbZeoTu0Iig9zWw  
Ur8Brr/vUQvIGxudIoCpNXyD2VDcVMhAivDZRqdFOQoA7omDTIuO9peVF/71w27u  
2ykEG8QZblkCjKLZXb1G1cpIq+VpGO7V0k92sKqw27npBPvqSXSwAsZ78pvL7Om+  
FJdp/rcQngEApQEUgcIAEvae37Da57Cz+0TTnDHa4N/w8HGjH8w=  
=dG6V  
-----END PGP SIGNATURE-----

Debian Security Advisory 5721-1

Red Hat Security Advisory 2024-4160-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4160.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:4160-03Product:            Red Hat Enterprise Linux SupplementaryAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4160Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-38264====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.Security Fix(es):* IBM JDK: Object Request Broker (ORB) denial of service (CVE-2023-38264)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38264References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2279963

Red Hat Security Advisory 2024-4160-03

Red Hat Security Advisory 2024-4146-03 - An update for golang is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and memory leak vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4146.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: golang security updateAdvisory ID:        RHSA-2024:4146-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4146Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: An update for golang is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The golang packages provide the Go programming language compiler.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)* golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2262921https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-4146-03

Red Hat Security Advisory 2024-4144-03 - VolSync v0.9.2 general availability release images provide the following: enhancements, security fixes, and updated container images.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4144.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: VolSync 0.9.2 for RHEL 9  
Advisory ID:        RHSA-2024:4144-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4144  
Issue date:         2024-06-26  
Revision:           03  
CVE Names:          CVE-2024-22189  
====================================================================

Summary: 

VolSync v0.9.2 general availability release images provide the following:  
enhancements, security fixes, and updated container images.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

VolSync v0.9.2 is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters. After deploying  
the VolSync operator, you can create and maintain copies of your persistent  
data.

For more information about VolSync, see:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

or the VolSync open source community website at:  
https://volsync.readthedocs.io/en/stable/.

This advisory contains enhancements and updates to the VolSync  
container images.

Security fix(es):  
* CVE-2024-24786 - golang-protobuf: encoding/protojson,  
internal/encoding/json: infinite loop in protojson.Unmarshal when  
unmarshaling certain forms of invalid JSON

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.10/html/business_continuity/business-cont-overview#volsync

CVEs:

CVE-2024-22189

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/ACM-12028  
https://issues.redhat.com/browse/ACM-12021  
https://issues.redhat.com/browse/ACM-11528

Red Hat Security Advisory 2024-4144-03

Red Hat Security Advisory 2024-4126-03 - This is release 1.4 of the container images for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud. A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4126.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Service Interconnect 1.4.5 Release security update  
Advisory ID:        RHSA-2024:4126-03  
Product:            Red Hat Service Interconnect  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4126  
Issue date:         2024-06-26  
Revision:           03  
CVE Names:          CVE-2024-2961  
====================================================================

Summary: 

This is release 1.4 of the container images for Red Hat Service Interconnect. Red Hat Service Interconnect 1.4 introduces a service network, linking TCP and HTTP services across the hybrid cloud.  
A service network enables communication between services running in different network locations or sites. It allows geographically distributed services to connect as if they were all running in the same site.

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

Description:

As a Kubernetes user, I cannot connect easily connect services from one cluster with services on another cluster. Red Hat Application Interconnect enables me to create a service network and it allows geographically distributed services to connect as if they were all running in the same site.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-2961

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.redhat.com/en/documentation/red_hat_service_interconnect/1.4  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Tag

#vulnerability