
Victory! Supreme Court Rules Platforms Have First Amendment Right to Decide What Speech to Carry, Free of State Mandates

The Supreme Court correctly found that social media platforms, like newspapers, bookstores, and art galleries before them, have First Amendment rights to curate and edit the speech of others they deliver to their users, and the government has a very limited role in dictating what social media platforms must and must not publish. Although users remain understandably frustrated with how the large platforms moderate user speech, the best deal for users is when platforms make these decisions instead of the government.  

As we explained in our amicus brief, users are far better off when publishers make editorial decisions free from government mandates. Although the court did not reach a final determination about the Texas and Florida laws, it confirmed that their core provisions are inconsistent with the First Amendment when they force social media sites to publish user posts that are, at best, irrelevant, and, at worst, false, abusive, or harassing. The government’s favored speakers would be granted special access to the platforms, and the government’s disfavored speakers silenced. 

We filed our first brief advocating this position in 2018 and are pleased to see that the Supreme Court has finally agreed. 

Notably, the Court emphasizes another point EFF has consistently made: that the First Amendment right to edit and curate user content does not immunize social media platforms and tech companies more broadly from other forms of regulation not related to editorial policy. As the Court wrote: “Many possible interests relating to social media can meet that test; nothing said here puts regulation of NetChoice’s members off-limits as to a whole array of subjects.” The Court specifically calls out competition law as one avenue to address problems related to market dominance and lack of user choice. Although not mentioned in the Court’s opinion, consumer privacy laws are another available regulatory tool.  

We will continue to urge platforms large and small to adopt the Santa Clara Principles as a human rights framework for content moderation. Further, we will continue to advocate for strong consumer data privacy laws to regulate social media companies’ invasive practices, as well as more robust competition laws that could end the major platforms’ dominance.   

EFF has been urging courts to adopt this position for almost 6 years. We filed our first amicus brief in November 2018: https://www.eff.org/document/prager-university-v-google-eff-amicus-brief  

EFF’s must-carry laws issue page: https://www.eff.org/cases/netchoice-must-carry-litigation 

Press release for our SCOTUS amicus brief: https://www.eff.org/press/releases/landmark-battle-over-free-speech-eff-urges-supreme-court-strike-down-texas-and 

Direct link to our brief: https://www.eff.org/document/eff-brief-moodyvnetchoice

The SFPD’s Intended Purchase of a Robot Dog Triggers Board of Supervisors’ Oversight Obligations

The San Francisco Police Department (SFPD) wants to get a robot quadruped, popularly known as a robot dog. The city’s Board of Supervisors has a regulatory duty to probe into this intended purchase, including potentially blocking it altogether.

The SFPD recently proposed the acquisition of a new robot dog in a report about the department’s existing military arsenal and its proposed future expansion. The particular model that SFPD claims they are exploring, Boston Dynamics’s Spot, is capable of intrusion and surveillance in a manner similar to drones and other unmanned vehicles and is able to hold “payloads” like cameras.

The SFPD’s disclosure came about as a result of a California law, A.B. 481, which requires police departments to make publicly available information about “military equipment,” including weapons and surveillance tools such as drones, firearms, tanks, and robots. Some of this equipment may come through the federal government’s military surplus program.

A.B. 481 also requires a law enforcement agency to seek approval from its local governing body when acquiring, using, or seeking funds for military equipment and submit a military equipment policy. That policy must be made publicly available and must be approved by the governing body of the jurisdiction on a yearly basis. As part of that approval process, the governing body must determine that the policy meets the following criteria:

  • The military equipment is necessary because there is no reasonable alternative that can achieve the same objective of officer and civilian safety
  • The proposed military equipment use policy will safeguard the public’s welfare, safety, civil rights, and civil liberties
  • If purchasing the equipment, the equipment is reasonably cost effective compared to available alternatives that can achieve the same objective of officer and civilian safety
  • Prior military equipment use complied with the military equipment use policy that was in effect at the time, or if prior uses did not comply with the accompanying military equipment use policy, corrective action has been taken to remedy nonconforming uses and ensure future compliance

Based on the oversight requirements imposed by A.B. 481, the San Francisco Board of Supervisors must ask the SFPD some important questions before deciding if the police department actually needs a robot dog: How will the SFPD use this surveillance equipment? Given that the robot dog does not have the utility of one of the department’s bomb disposal robots, why would this robot be useful? What can this robot do that other devices it already has at its disposal cannot do? Does the potential limited use of this device justify its expenditure? How does the SFPD intend to safeguard civil rights and civil liberties in deploying this robot into communities that may already be overpoliced?

If the SFPD cannot make a compelling case for the purchase of a robot quadruped, the Board of Supervisors has a responsibility to block the sale.

A.B. 481 serves as an important tool for democratic control of police’s acquisition of surveillance technology despite recent local efforts to undermine such oversight. In 2019, San Francisco passed a Community Control of Police Surveillance (CCOPS) ordinance, which required city departments like the SFPD to seek Board approval before acquiring or using new surveillance technologies, in a transparent process that offered the opportunity for public comment. This past March, voters scaled back this law by enacting Proposition E, which allows the SFPD a one-year “experimentation” period to test out new surveillance technologies without a use policy or Board approval. However, the state statute still governs military equipment, such as the proposed robot dog, which continues to need Board approval before purchasing and still requires a publicly available policy that takes into consideration the uses of the equipment and the civil liberties impacts on the public.

In 2022, the San Francisco Board of Supervisors banned police deployment of deadly force via remote control robot, so at least we know this robot dog will not be used in that way. It should also be noted that Boston Dynamics has vowed not to arm their robots. But just because this robot dog doesn’t have a bomb strapped to it, doesn’t mean it will prove innocuous to the public, useful to police, or at all helpful to the city. The Board of Supervisors has an opportunity and a responsibility to ensure that any procurement of robots comes with a strong justification from the SFPD, clear policy around how it can be used, and consideration of the impacts on civil rights and civil liberties. Just because narratives about rising crime have gained a foothold does not mean that elected officials get to abdicate any sense of reason or practicality in what technology they allow police departments to buy and use. When it comes to military equipment, the state of California has given cities an oversight tool, and San Francisco should use it.

Now The EU Council Should Finally Understand: No One Wants “Chat Control”

The EU Council has now passed a 4th term without passing its controversial message-scanning proposal. The just-concluded Belgian Presidency failed to broker a deal that would push forward this regulation, which has now been debated in the EU for more than two years. 

For all those who have reached out to sign the “Don’t Scan Me” petition, thank you—your voice is being heard. News reports indicate the sponsors of this flawed proposal withdrew it because they couldn’t get a majority of member states to support it. 

Now, it’s time to stop attempting to compromise encryption in the name of public safety. EFF has opposed this legislation from the start. Today, we’ve published a statement, along with EU civil society groups, explaining why this flawed proposal should be withdrawn.  

The scanning proposal would create “detection orders” that allow for messages, files, and photos from hundreds of millions of users around the world to be compared to government databases of child abuse images. At some points during the debate, EU officials even suggested using AI to scan text conversations and predict who would engage in child abuse. That’s one of the reasons why some opponents have labeled the proposal “chat control.” 

There’s scant public support for government file-scanning systems that break encryption. Nor is there support in EU law. People who need secure communications the most—lawyers, journalists, human rights workers, political dissidents, and oppressed minorities—will be the most affected by such invasive systems. Another group harmed would be those whom the EU’s proposal claims to be helping—abused and at-risk children, who need to securely communicate with trusted adults in order to seek help. 

The right to have a private conversation, online or offline, is a bedrock human rights principle. When surveillance is used as an investigation technique, it must be targeted and coupled with strong judicial oversight. In the coming EU council presidency, which will be led by Hungary, leaders should drop this flawed message-scanning proposal and focus on law enforcement strategies that respect peoples’ privacy and security. 


SSH "regreSSHion" Remote Code Execution Vulnerability in OpenSSH (Mon, Jul 1st)

Qualys published a blog post with details regarding a critical remote code execution vulnerability [1].

This week is far from ideal to have to deal with a critical vulnerability in widely used software like OpenSSH. So I want to save you some time by summarizing the most important points in a very brief post:

  • The CVEs associated with this vulnerability are CVE-2006-5051 and CVE-2024-6387.
  • The reason for the two CVE numbers and the use of the old 2006 CVE number is that this is a regression: an old vulnerability that came back. Sadly, this happens somewhat regularly (not with OpenSSH, but software in general) if developers do not add tests to ensure the vulnerability is patched in future versions. Missing comments are another reason for these regressions. A developer may remove a test they consider unnecessary.
  • The vulnerability does allow arbitrary remote code execution without authentication.
  • OpenSSH versions up to 4.4p1 are vulnerable to CVE-2006-5051.
  • OpenSSH versions from 8.5p1 up to 9.8p1 are vulnerable to CVE-2024-6387 (9.8p1 is the patched version).
  • Remember that many Linux distributions will not increase version numbers if they are backporting a patch.
  • This is a timing issue, and exploitation is not easily reproducible but takes about 10,000 attempts on x86 (32-bit).
  • The speed of exploitation is limited by the MaxStartups and LoginGraceTime settings.
  • Exploitation on AMD64 does not appear to be practical at this time.

Most Linux systems are currently running on 64-bit architectures. However, this could be a big deal for legacy systems / IoT systems in particular if no more patches are available. Limiting the rate of new connections using a network firewall may make exploitation less likely in these cases. First of all, a patch should be applied. But if no patch is available, port knocking, moving the server to an odd port or allowlisting specific IPs may be an option.
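The version ranges and the two rate-limiting settings listed above can be turned into a quick triage aid. The following is an added example, not code from the diary or from Qualys: the function names, the sample banners and the sample configuration are constructed for illustration, "up to 4.4p1" is read as "earlier than 4.4p1", and the time estimate assumes each attempt holds one unauthenticated connection slot for one full LoginGraceTime.

```python
import re

# Ranges from the list above. Reading "up to 4.4p1" as "earlier than 4.4p1"
# is an assumption of this example.
FIXED_2006 = (4, 4)    # first release outside the CVE-2006-5051 range
REGRESSED = (8, 5)     # first release in the CVE-2024-6387 range
PATCHED = (9, 8)       # 9.8p1, the patched release
ATTEMPTS_X86 = 10_000  # approximate attempts on 32-bit x86, per the post

BANNER_RE = re.compile(
    r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p\d+)?(?:\s+(\S.*))?$")
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def classify_banner(banner):
    """Map an SSH identification string to the CVE range it falls in.

    Returns None for anything that is not a parseable OpenSSH banner.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    vendor = m.group(3)
    if version < FIXED_2006:
        cve = "CVE-2006-5051"
    elif REGRESSED <= version < PATCHED:
        cve = "CVE-2024-6387"
    else:
        cve = None
    # Distributions backport fixes without raising the upstream version, so an
    # in-range banner with a vendor comment needs a package-level check.
    return {"cve": cve, "vendor": vendor,
            "verify_package": bool(cve and vendor)}


def parse_duration(text):
    """Parse an sshd time value such as '120', '2m' or '1h30m' into seconds."""
    text = text.strip().lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", text):
        raise ValueError(f"not an sshd time value: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", text))


def effective_settings(config_text):
    """Return (LoginGraceTime in seconds, MaxStartups 'full' value).

    sshd uses the first value it sees for a keyword; unset keywords fall back
    to the defaults 120 and 10:30:100. Include directives are not followed.
    """
    values = {"logingracetime": "120", "maxstartups": "10:30:100"}
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key in values and key not in seen:
            values[key] = parts[1].strip()
            seen.add(key)
    grace = parse_duration(values["logingracetime"])
    full = int(values["maxstartups"].split(":")[-1])
    return grace, full


def min_hours_for_attempts(grace_seconds, max_unauth, attempts=ATTEMPTS_X86):
    """Rough lower bound, in hours, for that many attempts under the model above.

    Returns None when LoginGraceTime is 0 (no time limit), where the model
    does not apply.
    """
    if grace_seconds == 0:
        return None
    return attempts * grace_seconds / max_unauth / 3600


# Constructed sample inputs, not captured from real hosts.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-1.99-OpenSSH_3.9p1",
    "SSH-2.0-dropbear_2022.83",
]
SAMPLE_CONFIG = """\
# constructed sample sshd_config
Port 22
LoginGraceTime 2m
maxstartups 10:30:60
LoginGraceTime 30
"""

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: {classify_banner(b)}")
    grace, full = effective_settings(SAMPLE_CONFIG)
    print(f"LoginGraceTime={grace}s MaxStartups(full)={full} "
          f"-> at least {min_hours_for_attempts(grace, full):.1f} h")
```

A banner match is only a starting point for inventory: hosts flagged with `verify_package` need their installed package version compared against the distribution's advisory.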

 

[1] https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

National Australia Bank Raises Alarm About Cyber Threats to Major Banks


An executive from National Australia Bank says the country's four major banks are under constant attack, with threat actors launching a barrage of attacks every minute of every day. According to Chris Sheehan, National Australia Bank's executive for group investigations, "every bank is being attacked all the time." The aim of these attacks is to steal sensitive information and money from unsuspecting customers. The four major banks in Australia include ANZ Bank, Commonwealth Bank, National Australia Bank (NAB), and Westpac. These banks are officially recognized to be the largest within the country and are prohibited from mergers or acquisitions between each other as part of the "Four pillars policy." This relentless barrage of cyber assaults targets not only the banks' systems but also their customers, leaving millions potentially vulnerable to sophisticated scams and financial theft. Threat actors may employ various forms of attacks, including the distribution of malicious code, security breaches, and denial of service campaigns, making it a daunting task for banks to stay ahead.

National Australia Bank Executive Raises Alarm

The cyber attacks on Australian banks are not isolated incidents but a stream of continuous attempts to breach security, deny services, and steal sensitive information. Sheehan describes the situation as "asymmetrical warfare," with threats ranging from amateur hackers to highly organized transnational crime groups and even malicious nation-state actors. Sheehan stated:

"From, being colloquial, Larry the loser, in the basement at home that's having a bit of a chop away at the laptop and trying to steal money from people or hack into a system, all the way to highly sophisticated, ruthless and resilient transnational organised crime groups and they're the ones that are driving 90 per cent of the scams that are hitting Australian victims."

Criminals perceive online attacks as lower risk compared to traditional bank robberies, with the potential for much higher rewards. The extent of the problem is staggering, with Australians losing an estimated $3 billion annually to cyber scams. The official's statements come shortly after customers observed the bank's own website being down for several hours. NAB's website temporarily informed visitors that its services were not working and directed them to use the NAB app or telephone banking instead.

While the bank's services appear to have been restored, it is unknown if the downtime was the result of an attack or routine maintenance. Several customers expressed frustration over not being alerted of the downtime via email or text and concerns over pending transactions.

Defending Australian Banks

In response to this relentless assault, Australian banks have ramped up their defenses. The banks are working hard to stay ahead of the scammers, with NAB employing a dedicated call center and operations team to fight fraud and scams. The team consists of 350-400 people working around the clock and is available 24/7. Banks have also implemented new policies, such as eliminating hyperlinks in official communications with customers, to help distinguish legitimate messages from scams. Despite these efforts, the battle against cyber crime remains an uphill struggle. Once a customer falls victim to a scam and initiates a payment, recovery of funds is often impossible. Chris Sheehan advises, "if it looks or sounds too good to be true, or if someone's applying pressure to you that you're going to miss out on something, or you're going to suffer a penalty, if you don't make that payment, they are massive red flags." The Australian Banking Association acknowledges the severity of the situation, describing it as a "scams war." The banks are also implementing extra safeguards to prevent money from being lost to international criminal gangs. Amidst this persistent threat, it is crucial for customers of the major banks to remain vigilant against the tactics used by these scammers.

CocoaPods Vulnerabilities Could Hit Apple, Microsoft, Facebook, TikTok, Snap and More


CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications, potentially affecting "almost every Apple device." E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more. The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.” The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new ‘Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed. The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration.

For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and the API “allowed anyone to claim orphaned pods without any ownership verification process.” “By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin. Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.”

Earlier in 2014, a change was committed to the CocoaPods ‘Trunk’ source code implementing MX record validation for registered emails. The changes created a new attack path that was identified by analyzing the registration flow, resulting in the CVE-2024-38366 vulnerability. The changes created a new verification process for the user-provided email address using the third-party Ruby gem package rfc-822, which can be attacked in a few ways, potentially resulting in attacks that could “dump pod owners’ session tokens, poison client’s traffic or even shut down the server completely.”

In CVE-2024-38367, the researchers found they could spoof XFH headers to engineer a zero-click account takeover by defeating email security boundaries. “Using this method, we managed to take over the owner accounts of some of the most popular CocoaPods packages,” the researchers said. “Potentially we could have used these accounts for highly damaging supply chain attacks that could impact the entire Apple ecosystem.”

DevOps Teams: Get to Work

While the vulnerabilities have been patched, the work for developers and DevOps teams is just getting started. Developers and DevOps teams that have used CocoaPods in recent years - particularly before October 2023 - “should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said. “The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.” Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them. Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages. "Dependency managers are an often-overlooked aspect of software supply chain security," the researchers wrote. "Security leaders should explore ways to increase governance and oversight over the use of these tools."

Telangana Police Restore Access to Website a Month After The Cyber Express Exposed Data Breach


Nearly a month after The Cyber Express exposed a data breach in the digital assets of India’s Telangana State Police, the cops have restored services for the public on their official website. The Telangana Police data breach came to light in June when their Hawk Eye app, a popular citizen-friendly crime reporting app and TSCOP app, an internal crime detection app of the state police, were reportedly compromised. As a fallout over the twin data breaches, the Telangana Police shut down public access to the official department website, citing maintenance. The police also arrested a 20-year-old hacker who was responsible for the data breaches. In their report, the Telangana Police acknowledged that the news report on The Cyber Express gave them crucial leads that led to the arrest of the hacker.

Telangana Police Website Access Restored

The Telangana State Police website offers a variety of services to citizens, such as checking the status of their complaints and traffic tickets, making payments online, obtaining a police verification certificate for applying for a job or a passport, reporting stolen or lost mobile phones, reporting cybercrimes, and finding contact information for emergency services in the State. All the above services were suspended by the police for almost the entire month of June because of the data breach. On June 30, 2024, the Telangana Police wrote a post on X informing the public that services have been restored. “Access the Telangana Police services online! Visit http://tspolice.gov.in to report complaints, grievances, or concerns,” the police wrote in the post. The post added that citizens could now directly download FIRs from the website. An FIR, or First Information Report, is a written document prepared by the police in India to detail a cognizable offence.

Improved Security Checks on Telangana Police Website

When the Hawk Eye app data was breached on May 31, the hacker threatened to leak sensitive data of over 200,000 citizens, including their Personally Identifiable Information (PII), names, email addresses, phone numbers, physical addresses, IMEI numbers, and location coordinates. Days later, the same hacker breached the TSCOP app, which had sensitive data of police officers, criminals and gun license holders in Telangana. Cybersecurity experts also warned the cops of multiple vulnerabilities that could be exploited. “It is easy to hack into their system as they used basic authentication and encoding,” India’s popular data security researcher Srinivas Kodali said. He condemned the state police for not hiring proper developers and putting the privacy of several thousand users at risk.

Following the data breaches, the Telangana Police shut down access to the public to the website. The police then initiated a Vulnerability Assessment and Penetration Testing "across all police internal and external networks, web and mobile applications, as well as cloud and endpoints." The cops shared that security checks were being carried out to identify and address any weaknesses and to prevent any future breaches. To ensure that there is an added layer of security on its website, the Telangana Police have now added a security feature of a One-Time Password (OTP) to the registered mobile number once the user has typed in their login credentials.

Despite the police officially declaring that the website services have been restored, many users shared that the services remained inaccessible. Most of the complaints concerned a 404 error message. But sources told The Cyber Express that the other digital assets of the Telangana Police were undergoing maintenance and access would be restored in a phased manner after mandatory security checks were completed.

Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risks. The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and

Personal data stolen from unsuspecting airport visitors and plane passengers in “evil twin” attacks, man charged

The Australian Federal Police (AFP) have charged a man for setting up fake free WiFi access points in order to steal personal data from people.

The crime was discovered when an airline reported a suspicious WiFi network identified by its employees during a domestic flight. When the alleged perpetrator landed at Perth airport, his bags were searched and authorities found a portable wireless access device, a laptop, and a mobile phone in his hand luggage.

The police say that the man, 42, used a portable wireless access device to create ‘evil twin’ free WiFi networks; so called because criminals set up free WiFi access points that mimic the name of legitimate public WiFi networks.

When people tried to connect their devices to the free WiFi networks, they were taken to a fake webpage requiring them to sign in using their email or social media logins. Those details were then allegedly saved to the man’s devices.

The email and password details harvested could then be used to access more personal information, including bank accounts, emails and messages, photos and videos, and more. 

AFP cybercrime investigators have identified data relating to the use of the alleged fraudulent WiFi pages at airports in Perth, Melbourne and Adelaide, on domestic flights, and at locations linked to the man’s previous employment.

The investigation is ongoing but the man can expect to face nine charges for the alleged cybercrime offences.

‘Evil twin’ attacks are a type of “machine-in-the-middle” attack, where all traffic is routed through a server under the attacker’s control, giving them access to all of the submitted information.

Cybercriminals favour places where people expect to have free WiFi, such as airports, planes, coffee shops, and libraries. The attacker finds the legitimate network name—known as the SSID (service set identifier)—and creates an access point with the same name.

Access points and wireless router networks broadcast their SSIDs to identify themselves, but the identifiers are not unique. Your device can connect to any SSID if the network has no security options enabled, and it will not be able to differentiate between the legitimate and the fake one.

Evil twin attacks are based on the fact that when two networks have the same SSID and security settings, your device will either connect to the one with the strongest signal or the one it sees first.

How to stay safe from evil twin attacks

There are a few things you can do to protect yourself against this kind of attack.

  • Firstly, do not allow your device to auto-connect to public or unsecure networks. See below on how to turn this off.
  • Look out for unexpected behavior. To connect to a free WiFi network, you shouldn’t have to enter any personal details—such as logging in through an email or social media account.
  • Install a trusted VPN to encrypt the traffic regardless of the network you are using, even when you’re visiting websites that do not use HTTPS (Hypertext Transfer Protocol Secure), which encrypts the traffic between a browser and the website.
  • And my personal favorite: Use your own personal hotspot. I use a portable 5G Mifi router, which provides me with reliable high-speed WiFi throughout my domestic journeys.

How to disable auto-connect

When you’re travelling it may be safer to disable auto-connect on Wi-Fi altogether.

On Android it works roughly like this (steps may be slightly different depending on your Android version, device type, and vendor):

Settings > Network & Internet (or Connections) > Wi-Fi > Wi-Fi preferences (or Advanced). Toggle off Connect to public networks.

On iOS you can disable auto-connect by doing this:

Settings > Wi-Fi. Tap the (i) next to the network name and then toggle off Auto-Join.



Busted for book club? Why cops want to see what you’re reading, with Sarah Lamdan (Lock and Code S05E14)

This week on the Lock and Code podcast

More than 20 years ago, a law that the United States would eventually use to justify the warrantless collection of Americans’ phone call records actually started out as a warning sign against an entirely different target: Libraries.

Not two months after terrorists attacked the United States on September 11, 2001, Congress responded with the passage of The USA Patriot Act. Originally championed as a tool to fight terrorism, The Patriot Act, as introduced, allowed the FBI to request “any tangible things” from businesses, organizations, and people during investigations into alleged terrorist activity. Those “tangible things,” the law said, included “books, records, papers, documents, and other items.”

Or, to put it a different way: things you’d find in a library and records of the things you’d check out from a library. The concern around this language was so strong that this section of the USA Patriot Act got a new moniker amongst the public: “The library provision.”

The Patriot Act passed, and years later, the public was told that, all along, the US government wasn’t interested in library records.

But those government assurances are old.

What remains true is that libraries and librarians want to maintain the privacy of your records. And what also remains true is that the government looks anywhere it can for information to aid investigations into national security, terrorism, human trafficking, illegal immigration, and more.

What’s changed, however, is that companies that libraries have relied on for published materials and collections—Thomson Reuters, Reed Elsevier, Lexis Nexis—have reimagined themselves as big data companies. And they’ve lined up to provide newly collected data to the government, particularly to agencies like Immigration and Customs Enforcement, or ICE.

There are many layers to this data web, and libraries are seemingly stuck in the middle.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Sarah Lamdan, deputy director of the Office of Intellectual Freedom at the American Library Association, about library privacy in the digital age, whether police are legitimately interested in what the public is reading, and how a small number of major publishing companies suddenly started aiding the work of government surveillance:

“Because to me, these companies were information providers. These companies were library vendors. They’re companies that we work with because they published science journals and they published court reporters. I did not know them as surveillance companies.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)



5 New Features that Streamline Security and Compliance with LogRhythm Axon

The output of a security and information event management (SIEM) platform is only as good as the data that is feeding into it. “Garbage in, garbage out,” as they say. Clean and contextualized data is the foundation of accurate security…

The post 5 New Features that Streamline Security and Compliance with LogRhythm Axon appeared first on LogRhythm.

The post 5 New Features that Streamline Security and Compliance with LogRhythm Axon appeared first on Security Boulevard.

Expand Log Source Collection and Flexibility with LogRhythm 7.17

Behind every LogRhythm product release, our team puts customers at the very core. That’s part of our commitment to you every 90 days. In our ninth consecutive quarterly release, we’ve opened LogRhythm SIEM to allow any JSON agent that supports…

The post Expand Log Source Collection and Flexibility with LogRhythm 7.17 appeared first on LogRhythm.

The post Expand Log Source Collection and Flexibility with LogRhythm 7.17 appeared first on Security Boulevard.

Benefits of JSON Log Source Collection for LogRhythm Customers

When it comes to log sources, LogRhythm recognizes there are limitless options. After all, more than 30,000 Software as a Service (SaaS) companies exist around the globe. While we can’t keep up with every SaaS tool in the market, LogRhythm…

The post Benefits of JSON Log Source Collection for LogRhythm Customers appeared first on LogRhythm.

The post Benefits of JSON Log Source Collection for LogRhythm Customers appeared first on Security Boulevard.

LogRhythm’s Machine Data Intelligence Fabric Empowers AI-Ready Organizations to Enter the Modern Era with Confidence

LogRhythm, the company helping security teams stop breaches by turning disconnected data and signals into trustworthy insights, today announced its 9th consecutive quarterly release. In the AI-ready world, LogRhythm empowers security teams with the highest integrity data in the security…

The post LogRhythm’s Machine Data Intelligence Fabric Empowers AI-Ready Organizations to Enter the Modern Era with Confidence appeared first on LogRhythm.

The post LogRhythm’s Machine Data Intelligence Fabric Empowers AI-Ready Organizations to Enter the Modern Era with Confidence appeared first on Security Boulevard.

CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. "These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex

Juniper Networks Issues Critical Patch for Router Vulnerability, CVE-2024-2973


Juniper Networks has urgently released security updates to address a critical vulnerability affecting some of its routers, identified as CVE-2024-2973. This flaw, with a maximum CVSS severity score of 10.0, could potentially allow attackers to bypass authentication mechanisms and gain unauthorized control over affected devices. The router vulnerability specifically impacts Juniper Networks' Session Smart Router and Conductor products when deployed with redundant peers. In such configurations, a network-based attacker could exploit the flaw to circumvent authentication safeguards, thereby compromising the entire device.

Juniper Networks Issues Patches for Router Vulnerability

Juniper Networks issued an advisory, highlighting the severity of the vulnerabilities in routers: "An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device." Affected products include Session Smart Router versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts, as well as Session Smart Conductor versions before 5.6.15, from 6.0 before 6.1.9-lts, and 6.2 before 6.2.5-sts. Additionally, WAN Assurance Router versions 6.0 before 6.1.9-lts and 6.2 before 6.2.5-sts are impacted. Juniper Networks has moved swiftly to address this issue by releasing updated software versions that resolve the vulnerability. Users are strongly advised to upgrade affected systems to the following patched releases: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent versions. For deployments managed by a Conductor, upgrading Conductor nodes will automatically apply the fix to connected routers, though direct router upgrades are still recommended for comprehensive protection.

No Threat Detected 

It is reassuring that Juniper Networks' Security Incident Response Team (SIRT) has not detected any instances of malicious exploitation of CVE-2024-2973 in the wild. The company discovered this vulnerability internally during routine security testing and promptly took action to mitigate the risk. For users of MIST-managed WAN Assurance routers connected to the Mist Cloud, the patch has been applied automatically to safeguard against potential exploitation. Importantly, applying this fix is designed to be non-disruptive to normal network operations, with minimal downtime expected during implementation. Juniper Networks emphasizes that no other products or platforms in its portfolio are affected by this specific vulnerability, limiting the scope of necessary updates to the identified router models. While the discovery of CVE-2024-2973 highlights the importance of cybersecurity practices, Juniper Networks' proactive response through prompt patching and clear mitigation guidance exemplifies industry best practices in safeguarding against router vulnerabilities. Users are encouraged to promptly update their systems to the latest recommended versions to ensure optimal security posture against emerging threats.

TeamViewer Reassures Users: Data Breach Contained, Customer Information Safe


TeamViewer, a provider of remote access software, has confirmed that a recent cyberattack has been successfully contained within its internal corporate IT environment. Crucially, the company has reassured its customers and stakeholders that the breach did not affect its product environment, the TeamViewer connectivity platform, or any customer data. This announcement comes as the investigation into the TeamViewer data breach progresses, providing clarity and reassurance to the millions of users who rely on its services.

TeamViewer Breach Overview and Immediate Response

The TeamViewer data breach was first detected on June 26, 2024, prompting an immediate response from TeamViewer’s security team. The company has attributed the breach to an advanced persistent threat group, tracked as APT29, also known as Midnight Blizzard or Cozy Bear. This group is renowned for its sophisticated cyberespionage capabilities and has a history of targeting high-profile entities, including Western diplomats and technology firms. In an initial statement posted on Thursday in the company’s Trust Center, TeamViewer explained that the breach was confined to its internal corporate IT environment. The company emphasized that this environment is distinct and separate from its product environment, where customer interactions occur. As such, there is no evidence to suggest that the product or customer data was compromised. "TeamViewer’s internal corporate IT environment is completely independent from the product environment. There is no evidence to suggest that the product environment or customer data is affected. Investigations are ongoing and our primary focus remains to ensure the integrity of our systems," reads the initial statement.

Details of the Data Compromise

According to TeamViewer, the threat actor leveraged a compromised employee account to gain access to the internal corporate IT environment. This access allowed the attacker to copy certain employee directory data, including names, corporate contact information, and encrypted employee passwords. Importantly, the compromised data was limited to internal corporate information, and no customer data was involved. The company has taken swift action to mitigate the risk associated with the encrypted passwords. "According to current findings, the threat actor leveraged a compromised employee account to copy employee directory data, i.e. names, corporate contact information, and encrypted employee passwords for our internal corporate IT environment. We have informed our employees and the relevant authorities. The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft," reads the statement. In collaboration with leading experts from their incident response partner, Microsoft, TeamViewer has implemented enhanced authentication procedures and added further strong protection layers. These measures ensure that the authentication processes for employees are now at the maximum security level. "The risk associated with the encrypted passwords contained in the directory has been mitigated in collaboration with leading experts from our incident response partner Microsoft. We hardened authentication procedures for our employees to a maximum level and implemented further strong protection layers. Additionally, we have started to rebuild the internal corporate IT environment towards a fully trusted state," reads the TeamViewer statement.

The Role of NCC Group

The cybersecurity firm NCC Group played a significant role in highlighting the TeamViewer data breach. NCC Group was alerted to the compromise of TeamViewer’s remote access and support platform by APT29. Their involvement underscores the importance of third-party cybersecurity firms in detecting and responding to advanced threats. For TeamViewer’s customers, the key takeaway from this incident is that their data and the functionality of the TeamViewer connectivity platform remain secure. The company has reiterated that its overall system architecture follows best practices, with a clear segmentation between the corporate IT environment, the production environment, and the TeamViewer connectivity platform. This segmentation is a critical factor in ensuring that breaches in one area do not affect others.

Model Extraction from Neural Networks

A new paper, “Polynomial Time Cryptanalytic Extraction of Neural Network Models,” by Adi Shamir and others, uses ideas from differential cryptanalysis to extract the weights inside a neural network using specific queries and their results. This is much more theoretical than practical, but it’s a really interesting result.

Abstract:

Billions of dollars and countless GPU hours are currently spent on training Deep Neural Networks (DNNs) for a variety of tasks. Thus, it is essential to determine the difficulty of extracting all the parameters of such neural networks when given access to their black-box implementations. Many versions of this problem have been studied over the last 30 years, and the best current attack on ReLU-based deep neural networks was presented at Crypto’20 by Carlini, Jagielski, and Mironov. It resembles a differential chosen plaintext attack on a cryptosystem, which has a secret key embedded in its black-box implementation and requires a polynomial number of queries but an exponential amount of time (as a function of the number of neurons). In this paper, we improve this attack by developing several new techniques that enable us to extract with arbitrarily high precision all the real-valued parameters of a ReLU-based DNN using a polynomial number of queries and a polynomial amount of time. We demonstrate its practical efficiency by applying it to a full-sized neural network for classifying the CIFAR10 dataset, which has 3072 inputs, 8 hidden layers with 256 neurons each, and about 1.2 million neuronal parameters. An attack following the approach by Carlini et al. requires an exhaustive search over 2^256 possibilities. Our attack replaces this with our new techniques, which require only 30 minutes on a 256-core computer.

CISA and Fauquier County Partner to Enhance K-12 School Safety with Active Shooter Exercise


CISA, in collaboration with the Fauquier County Sheriff’s Office, the Fauquier County Fire Rescue System, and Fauquier County Public Schools, recently conducted a comprehensive K-12 active shooter exercise to strengthen the safety and security of schools in the region.  This exercise, held at Kettle Run High School and Greenville Elementary School on June 27, aimed to evaluate and enhance emergency response strategies in simulated active shooter scenarios. The joint effort involved various local stakeholders, including law enforcement, school administrators, teachers, and emergency medical services. These participants played pivotal roles in testing the effectiveness of current safety protocols, particularly in scenarios involving mock injuries, evacuations, and the reunification of students with their families.

CISA and Fauquier County’s K-12 Active Shooter Exercise

David Mussington, CISA’s Executive Assistant Director for Infrastructure Security, highlighted the importance of the K-12 active shooter exercise in fostering collaboration among federal, state, and local entities to safeguard educational environments. He emphasized that such initiatives are crucial for preparing communities to respond effectively to potential threats. Sheriff Jeremy Falls further highlighted the exercise's role in improving preparedness for real-world incidents, stating, “Our primary goal is the safety and well-being of our community. This exercise provided invaluable insight into our readiness and identified areas for further strengthening our response capabilities.” Dr. Major Warner, superintendent of Fauquier County Public Schools, emphasized the partnership’s role in enhancing school safety, noting, “Testing our emergency protocols has significantly bolstered our readiness as a school division, ensuring a safer learning environment for our students and staff.”

Collaborative Training Exercises

The exercise also aimed to assess the speed and coordination of law enforcement responses, emergency medical operations, and communication between agencies during crises. Chief Kalvyn Smith of the Fauquier County Fire Rescue System stressed the importance of collaborative training exercises in preparing agencies to protect and serve the community effectively. Janelle Downes, Fauquier County Administrator, highlighted the necessity of involving various stakeholders in such exercises, stating, “Large-scale critical incidents demand a coordinated response. This exercise allowed us to plan and refine our coordination for potential future emergencies.” Bill Ryan, CISA’s Regional Director, emphasized the value of these exercises in identifying strengths and areas for improvement, ensuring continuous learning and adaptation to maintain readiness. CISA remains committed to supporting local communities through training and collaborative initiatives aimed at enhancing security measures. This exercise with Fauquier County represents a significant step in these ongoing efforts to safeguard schools and promote community resilience.

Niconico Confirms Cyberattack: Here is How the Breach Impacts Users, Business Partners


Niconico, the Japanese video-sharing website, and its parent company KADOKAWA Inc. have provided crucial updates regarding the significant cyberattack they experienced earlier in June 2024. The Niconico cyberattack, identified as a ransomware assault, has raised substantial concerns about data security and user privacy. Here’s a comprehensive look at the current situation after the cyberattack on Niconico, including the steps taken by the companies, the nature of the leaked information, and recommendations for users.

Niconico Cyberattack: Incident Overview

Niconico and KADOKAWA Inc. discovered the ransomware attack on their data center servers and immediately initiated a response plan. A specialized task force, along with external cybersecurity experts, was deployed to investigate the Niconico cyberattack and assess the extent of the data compromise. The attackers claimed to have exfiltrated sensitive information, a claim which has been substantiated by the initial findings of the investigation. The data breach affected various types of information held by Niconico and KADOKAWA Inc. Notably, the Niconico data breach included:
  1. Business Partner Information: This includes contracts, quotations, and other documents related to business dealings.
  2. Personal Information of Creators: Creators using music monetization services (NRC) were impacted, with their personal details being leaked.
  3. Employee Information: Personal data of all employees, including contract employees, temporary workers, part-time staff, and even some retired employees of Dwango Inc., were compromised.
  4. Internal Documents: Various internal documents, potentially containing sensitive operational details, were also accessed.

Password Security and Credit Card Information

Niconico has assured its users that account passwords are stored in an encrypted format using cryptographically secure methods known as hashing. This measure significantly reduces the risk of passwords being immediately misused if they are leaked. However, Niconico advises users to change their passwords, especially if they use the same password across multiple services. Importantly, Niconico has confirmed that no credit card information was compromised during the attack. The company does not store such data within its systems, thus eliminating the risk of credit card information leakage.

Immediate Actions and Recommendations

In light of the breach, Niconico and KADOKAWA Inc. have taken several critical steps:
  1. Task Force Deployment: A specialized team was formed to handle the situation, investigate the breach, and mitigate further risks.
  2. External Investigation: External cybersecurity agencies have been engaged to conduct a thorough investigation, the results of which are expected by the end of July 2024.
  3. Law Enforcement Collaboration: The companies have reported the incident to the police and relevant authorities and are cooperating fully with ongoing investigations.
  4. User Notifications: Individual notices and apologies are being sent to all affected parties, including external creators, business partners, and former employees. For those who cannot be contacted individually, the public announcement serves as a notification.

Precautionary Measures for Users

Given the potential for personal information misuse, Niconico and KADOKAWA Inc. urge users to be vigilant against phishing attempts and other suspicious activities. Users are advised to:
  1. Change Passwords: Update passwords for their Niconico accounts and any other services where the same password might be used.
  2. Monitor Communications: Be cautious of unsolicited emails, especially those requesting personal information or directing to unfamiliar websites.
  3. Report Suspicious Activity: Utilize the dedicated contact point set up by Niconico for inquiries and to report any suspicious activities or potential breaches related to this incident.
Both Niconico and KADOKAWA Inc. have expressed deep regret over the inconvenience and distress caused by this incident. Niconico and KADOKAWA Inc. sincerely apologized for the inconvenience and concern resulting from the cyberattack on Niconico, and expressed gratitude for the patience and understanding shown by all those affected during that challenging period.

CDK Global Cyberattack Cripples US Auto Sales: Back to Normalcy Weeks Away


It’s been almost two weeks since the CDK Global cyberattack paralyzed the US automotive industry, and many car sales outlets are still limping back to normalcy. The CDK Global cyberattack has reportedly racked up millions of dollars in losses for dealerships. According to a report by CNN, the cyberattack has made it difficult for dealers to track customer interactions, orders and sales.

Background of CDK Global Cyberattack

On June 19, 2024, CDK Global, a provider of software solutions to around 15,000 auto dealerships across the United States, experienced a cyberattack. On June 21, the company disclosed that it experienced twin cyberattacks in the same week. The cyberattacks had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, Asbury Automotive Group, AutoNation, Lithia Motors, Penske, Sonic Automotive and Holman, which operates dealerships across the U.S. These dealerships rely heavily on CDK’s software to manage their daily operations, from sales transactions to inventory management. CNN reported that due to the outage, some dealers started fulfilling orders with pen and paper. Other services, such as state inspections, repairs and parts deliveries, came to a standstill in some parts of the country. After the initial attack, CDK Global shut down most of its systems to investigate the incident and restore systems. “We are actively investigating a cyber incident,” the company had said. “Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible.”

How Victim Firms Responded to Cyberattacks

In response to the cyberattacks, Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive activated their incident response plans and disconnected from CDK systems as a precaution. Sonic Automotive mentioned that as of June 24, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but “slower than normal.” It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

Cyberattack Could Almost Cost a Billion in Losses: Report

An estimate prepared by the Anderson Economic Group reported that the cyberattacks on CDK could result in approximately $944 million in direct losses due to business interruptions for affected car dealers if the outage lasts a full three weeks. In an automated voice message to its clients on Friday, CDK said it was making progress in bringing some dealerships back online but it did not expect the issue to be entirely resolved until July. “We do feel it’s important to share that we do not believe that we will be able to get all dealers live prior to June 30,” the message said. The CNN report, quoting a CDK spokesperson, said, “We have successfully brought two small groups of dealers and one large publicly traded dealer group live on the Dealer Management System (DMS). We are also actively working to bring live additional applications — including our Customer Relationship Management (CRM) and Service solutions — and our Customer Care channels. “We understand and share the urgency for our customers to get back to business as usual, and we will continue providing updates as more information is available,” the CDK spokesperson added.

Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware. The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24

End-to-End Secrets Security: Making a Plan to Secure Your Machine Identities

At the heart of every application are secrets. Credentials that allow human-to-machine and machine-to-machine communication. Machine identities outnumber human identities by a factor of 45-to-1 and represent the majority of secrets we need to worry about. According to CyberArk's recent research, 93% of organizations had two or more identity-related breaches in the past year. It is clear that we

New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability, codenamed regreSSHion, has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections

The Reserve Bank of India Issues Banking Advisory to Combat Rising Cybersecurity Threats


In a recent advisory, the Reserve Bank of India (RBI) has cautioned scheduled commercial banks about the increasing risk of cyberattacks. The RBI advisory, issued by the Department of Banking Supervision at the Central Office in Mumbai, highlights the critical importance of cybersecurity measures in today's digital banking domain. Central to the RBI advisory is the role of Corporate Governance in ensuring accountability within banks. It emphasizes that IT Governance forms an integral part of this framework, requiring strong leadership support, a well-defined organizational structure, and streamlined processes. Effective IT Governance, according to the RBI, is the responsibility of both the Board of Directors and Executive Management.

Technological Adoption in Banking

Highlighting the widespread adoption of technology across banking operations, the RBI cybersecurity advisory notes that nearly every commercial bank branch has embraced technology to some extent. This includes the implementation of core banking solutions (CBS) and various alternate delivery channels such as internet banking, mobile banking, phone banking, and ATMs. The RBI advisory provides clear guidance to banks on enhancing their IT Governance:
  1. Roles and Responsibilities: Clearly defining the roles and responsibilities of the Board and Senior Management is crucial for effective IT Governance. This ensures proper project control and accountability.
  2. Organizational Framework: Recommends establishing an IT Strategy Committee at the Board level, comprising technically competent members with substantial IT expertise. The committee's responsibilities include advising on strategic IT directions, reviewing IT investments, and ensuring alignment with business goals.
  3. IT Organizational Structure: Suggests structuring IT functions based on the bank’s size and business activities, with divisions such as technology and development, IT operations, IT assurance, and supplier management. Each division should be led by experienced senior officials to manage IT systems effectively.

Implementing IT Governance Practices

The RBI cybersecurity advisory stresses the implementation of robust IT Governance practices aligned with international standards such as COBIT (Control Objectives for Information and Related Technologies). These practices focus on value delivery, IT risk management, strategic alignment, resource management, and performance measurement.

Information Security Governance

Addressing the critical aspect of information security, the RBI advises banks to implement comprehensive security governance frameworks. This includes developing security policies, defining roles and responsibilities, conducting regular risk assessments, and ensuring compliance with regulatory requirements. The advisory recommends separating the information security function from IT operations to enhance oversight and mitigate risks effectively.

Risk Management and Compliance

Emphasizing the importance of risk management, the advisory highlights the need for banks to integrate IT risks into their overall risk management framework. This involves identifying threats, assessing vulnerabilities, and implementing appropriate controls to mitigate risks effectively. Regular monitoring and oversight through steering committees are essential to ensure compliance with policies and regulatory standards.

Conclusion

In conclusion, the RBI’s advisory highlights the importance of banks strengthening their cybersecurity posture amidst digital threats. By implementing IT Governance and information security frameworks, banks can enhance operational resilience, protect customer data, and safeguard financial stability. Adhering to these guidelines will not only ensure regulatory compliance but also bolster trust and confidence in the banking sector. The RBI continues to monitor cybersecurity developments closely and urges banks to remain vigilant against emerging threats. With technology playing an increasingly pivotal role in banking, proactive measures are essential to mitigate risks and maintain a secure banking environment. For further information and detailed guidelines on implementing RBI’s cybersecurity advisory, banks are encouraged to refer to the official communication from the Reserve Bank of India. Taking proactive steps today will safeguard the future of banking operations against cybersecurity challenges.