Daily Drop (613): OpenRefine's Zip Slip Vul., NATSEC: Political Extremism, Cisco VPN Vul., Silent Skimmer Strikes, ETSI Cyber Breach, APIs, Scandium-based Nuclear Clocks, LUCR-3, EU: AI Chip Market
OpenRefine's Zip Slip Vulnerability: A Deep Dive into the Security Flaw
Bottom Line Up Front (BLUF): Open-source OpenRefine data cleanup and transformation tool has been identified with a high-severity Zip Slip vulnerability, tracked as CVE-2023-37476, which could lead to arbitrary code execution on affected systems if exploited.
Analyst Comments: The Zip Slip vulnerability in OpenRefine underscores the importance of continuous security assessments and timely patching in the software ecosystem. Given the tool's open-source nature, it's widely accessible and could be used by a broad range of individuals and organizations, making the potential impact of such a vulnerability significant. The rapid response in patching the flaw is commendable, but users must ensure they update their software to the latest version to remain protected. Additionally, the recent spate of vulnerabilities in other software highlights the ever-evolving threat landscape and the need for organizations and individuals to remain vigilant and prioritize cybersecurity.
FROM THE MEDIA: OpenRefine, a popular open-source data cleanup tool, has been found to contain a significant security flaw that could allow attackers to execute arbitrary code on affected systems. The vulnerability, a Zip Slip, is triggered when a maliciously crafted project is imported in versions 3.7.3 and below. Exploitation hinges on two components: a malicious archive and extraction code that lacks proper validation of the paths inside it. Combined, they can lead to unintended file overwrites or extraction to unauthorized locations, which in turn can lead to code execution. The vulnerability was responsibly disclosed on July 7, 2023, and a patch was released ten days later in version 3.7.4. This discovery comes amidst other recent vulnerability disclosures in software like Microsoft SharePoint Server and Apache NiFi.
READ THE STORY: THN
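To illustrate the validation step the story describes, here is an added example (not OpenRefine's code and not from the THN article): a Python extractor that resolves each archive member against the destination root and refuses any entry, such as the constructed `../../outside.txt` member below, that would land outside it.

```python
# Added example (not OpenRefine's code): refuse Zip Slip entries before writing.
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Tuple


def is_safe_member(dest_root: str, member_name: str) -> bool:
    """True only if member_name resolves to a path inside dest_root."""
    # Absolute names such as '/etc/passwd' are never acceptable.
    if os.path.isabs(member_name) or member_name.startswith(("/", "\\")):
        return False
    root = Path(dest_root).resolve()
    # resolve() collapses '..' components: 'a/../../x' under /out becomes /x.
    target = (root / member_name).resolve()
    return target == root or root in target.parents


def safe_extract(archive_bytes: bytes, dest_root: str) -> Tuple[List[str], List[str]]:
    """Extract only members that pass is_safe_member; return (written, rejected).

    Rejected names are returned rather than silently dropped so that the
    caller can log or alert on a crafted archive.
    """
    written, rejected = [], []
    root = Path(dest_root).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_root, info.filename):
                rejected.append(info.filename)
                continue
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/data.csv", "id,name\n1,alice\n")
        zf.writestr("../../outside.txt", "must never be written")  # name kept verbatim
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str], bool]:
    """Extract the sample into a scratch dir; also report whether anything escaped."""
    with tempfile.TemporaryDirectory() as scratch:
        written, rejected = safe_extract(build_sample_archive(), scratch)
        escaped = Path(scratch, "..", "..", "outside.txt").exists()
    return written, rejected, escaped


if __name__ == "__main__":
    print(demo())  # (['project/data.csv'], ['../../outside.txt'], False)
```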
Political Extremism from Both Sides
Bottom Line Up Front (BLUF): The most significant threats to America may not be external powers like China or Russia but rather internal political extremism, represented by "Wokeism" from the extreme left and the "MAGA" ideology from the far right.
Analyst Comments: This piece paints a picture of a nation deeply divided by extreme ideologies, with both major political parties being held "ransom" by these beliefs. The historical context provided, from colonial disagreements to the divides during World Wars, suggests that while America has faced internal challenges before, the current situation is particularly dire. The article calls for a return to traditional values and principles, suggesting that until this happens, external adversaries like China and Russia will be secondary concerns. The overarching message is clear: America's greatest enemy might be its own internal divisions.
FROM THE MEDIA: Drawing inspiration from the comic strip "Pogo," which once stated, "We have met the enemy and it is us," the article underscores the internal challenges America faces today. While external threats like pandemics, environmental disasters, and aggressive actions by nations like Russia and China are concerning, the internal political divide poses a more immediate danger. The article highlights two primary sources of this divide: "Wokeism" from the extreme left and the "MAGA" ideology from the far right. While "Wokeism" pushes for progressive solutions to contemporary social issues, sometimes through force, the MAGA ideology, popularized by former President Donald Trump, seeks to restore perceived lost values. Both ideologies have taken hold of their respective political parties, leading to a departure from traditional values and principles. The article emphasizes the need for America to return to its foundational values and principles, warning that internal divisions might pose a greater threat than any external adversary.
READ THE STORY: The Hill
Cisco's VPN Vulnerability: A Deep Dive into the Zero-Day Exploit
Bottom Line Up Front (BLUF): Cisco has identified a vulnerability in its VPN software, specifically in the Cisco Group Encrypted Transport VPN feature of Cisco IOS Software and Cisco IOS XE Software. This flaw, labeled as CVE-2023-20109, could potentially allow hackers to execute arbitrary code, gain full control of the affected system, or cause a denial of service (DoS) condition. While patches have been provided, the vulnerability's exploitation requires prior infiltration of the target environment.
Analyst Comments: The discovery of this vulnerability in Cisco's VPN software underscores the importance of continuous monitoring and patching in the realm of cybersecurity. While the flaw is deemed challenging to exploit, its potential impact is significant, especially if hackers gain full control of a router. The recent warnings from cybersecurity officials in the U.S. and Japan about Chinese government hackers targeting routers, including those made by Cisco, further highlight the gravity of the situation. Organizations must prioritize both physical and digital security measures to safeguard their environments against such vulnerabilities.
FROM THE MEDIA: Cisco recently published advisories about several vulnerabilities, with a particular focus on one affecting its VPN product. This vulnerability, which has a CVSS severity score of 6.6 out of 10, was announced on September 27. If successfully exploited, attackers could gain full control of the affected system or cause it to crash, leading to a DoS condition. The company emphasized that the vulnerability can only be exploited in one of two specific ways, both requiring prior infiltration of the environment. While there are no workarounds, Cisco has provided patches to address the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning, urging companies to install the provided patches. Several cybersecurity experts have weighed in on the matter, suggesting that while the vulnerability is serious, its exploitation would require the attacker to have deep access within an organization's systems. This would likely make the flaw more appealing to those aiming to escalate their access privileges in an already-compromised system.
READ THE STORY: The Record
Silent Skimmer Strikes: Web Skimming Campaign Targets Online Payment Platforms
Bottom Line Up Front (BLUF): Online payment businesses across Asia Pacific, North America, and Latin America have been under siege from a web skimming campaign, dubbed "Silent Skimmer," for over a year, targeting their payment data.
Analyst Comments: The Silent Skimmer campaign underscores the evolving threats faced by online businesses, especially those in the payment sector. The attackers' ability to exploit common vulnerabilities and their focus on regional websites collecting payment data indicates a blend of opportunistic and targeted approaches. The campaign's longevity and sophistication suggest that businesses must prioritize regular security assessments and timely patching to safeguard their platforms and customer data. Given the financial motivations behind such attacks, the potential repercussions for affected businesses can be severe, ranging from financial losses to reputational damage.
FROM THE MEDIA: The BlackBerry Research and Intelligence Team has identified a financially driven campaign that has been targeting online payment platforms and point-of-sale (PoS) service providers with web skimmers. The actor behind this campaign, believed to be proficient in the Chinese language, primarily exploits vulnerabilities in web applications, especially those hosted on Internet Information Services (IIS). The main aim is to compromise the payment checkout page and harvest sensitive payment data from visitors. Once the attackers gain an initial foothold, they employ a mix of open-source tools and living-off-the-land (LotL) techniques for further exploitation, leading to the deployment of a PowerShell-based remote access trojan. The ultimate objective is to infiltrate the web server, implant a scraper in the payment checkout service, and discreetly capture financial information entered by users.
READ THE STORY: THN
ETSI Cyber Breach: User Database Stolen
Bottom Line Up Front (BLUF): The European Telecommunications Standards Institute (ETSI) has experienced a significant security breach, resulting in the theft of a user database. The exact intentions behind this cyberattack, whether for financial gain or espionage, remain uncertain.
Analyst Comments: The ETSI breach emphasizes the growing importance of cybersecurity, especially for entities that manage sensitive and potentially valuable data. Given the pivotal role of telecommunication standards in shaping global communications and their inherent geopolitical implications, such breaches can have far-reaching consequences. Organizations, especially those with international influence like ETSI, must prioritize cybersecurity to safeguard against evolving threats. The breach also serves as a reminder of the potential geopolitical implications, given the international nature of telecommunications standards and the political dynamics surrounding them.
FROM THE MEDIA: ETSI, a nonprofit institution responsible for developing communication standards, announced the breach recently. Located in the Sophia Antipolis technology park in the French Riviera, the institute has yet to clarify the hackers' motivations. In response to the incident, ETSI engaged with France's cybersecurity agency, ANSSI, to investigate and rectify the compromised systems. While the vulnerability that led to the breach has been addressed, it remains undisclosed whether it was a known issue or a zero-day exploit at the time. ETSI has since advised its online users to change their passwords as a precautionary measure. The breach has triggered a judicial inquiry, and the French data protection authority has been informed. ETSI's director-general, Luis Jorge Romero, referred to the incident as a "crisis" and acknowledged ANSSI's role in enhancing the institute's cybersecurity measures. With ETSI having over 900 member organizations from more than 60 countries, the nature and extent of the stolen data remain a concern.
READ THE STORY: The Record
APIs: The Double-Edged Sword of Modern Digital Ecosystems
Bottom Line Up Front (BLUF): APIs, while instrumental in driving digital innovation across industries, have emerged as significant cybersecurity vulnerabilities. Their widespread adoption has made them prime targets for cybercriminals, leading to substantial breaches across sectors.
Analyst Comments: The article underscores the transformative role of APIs across industries, from healthcare's patient care revolution to financial institutions' enhanced customer experiences. However, the numerous real-world breach examples, such as Quest Diagnostics, Latitude Financial, Dropbox, and Peloton, highlight the pressing need for robust API security measures. The potential financial and reputational repercussions of these breaches emphasize the importance of proactive security measures, including strong authentication, regular vulnerability assessments, and compliance with industry regulations. As the digital landscape continues to evolve, ensuring the security of APIs will be paramount for organizations to safeguard their assets and maintain trust with their user base.
FROM THE MEDIA: APIs serve as the backbone of today's digital ecosystem, enabling seamless communication and data exchange between software applications and systems. Their role is particularly pronounced given the rise of cloud computing, mobile apps, and the Internet of Things (IoT). However, this ubiquity has also made them attractive targets for cyberattacks. A notable vulnerability, BOLA (broken object-level authorization), allows attackers to manipulate API requests, potentially letting unprivileged users access or delete another user's data. The year 2023 saw a 137% surge in cyberattacks targeting APIs, with industries like healthcare and manufacturing being prime targets. Key API security concerns for security teams include Zombie APIs, DDoS attacks, Authentication Bypass, Data Leakage, Data exfiltration, and Shadow APIs.
READ THE STORY: THN
The Dawn of Scandium-based Nuclear Clocks
Bottom Line Up Front (BLUF): Scientists are on the brink of a revolutionary advancement in timekeeping technology, with the development of scandium-based nuclear clocks that promise an accuracy of up to 1 second in 300 billion years, far surpassing the current atomic clocks.
Analyst Comments: The exploration into scandium-based nuclear clocks signifies a monumental stride in the realm of timekeeping. The potential accuracy of these clocks could have profound implications for various scientific and technological applications. The research not only showcases the continuous quest for precision in the scientific community but also underscores the potential of elements like scandium in redefining established norms. As we move forward, the adoption and integration of such advanced timekeeping mechanisms could revolutionize sectors ranging from space exploration to quantum computing.
FROM THE MEDIA: Researchers at the European XFEL X-ray laser facility have explored the potential of scandium as the foundation for nuclear clocks, which are anticipated to be the next evolution in timekeeping accuracy beyond the existing atomic clocks. While most atomic clocks utilize oscillators like caesium, which oscillate reliably when excited by microwave radiation, the ambition has always been to utilize the oscillation of the atomic nucleus for even greater precision. Scandium, available as a high-purity metal foil or scandium dioxide, has shown resonances that are sharper than those of electrons in the atomic shell. However, exciting these resonances requires X-rays with an energy 10,000 times that of visible light. The outcome is an extremely narrow resonant width, which could potentially lead to unparalleled clock accuracy. Ralf Röhlsberger, a researcher involved in the project, highlighted that a scandium-based nuclear clock could achieve an accuracy equivalent to one second in 300 billion years.
READ THE STORY: The Register
LUCR-3 (Scattered Spider): A Deep Dive into a Financially Motivated Threat Actor
Bottom Line Up Front (BLUF): LUCR-3, also known as Scattered Spider, is a financially motivated threat actor targeting Fortune 2000 companies across various sectors. Their primary method of attack is compromising Identity Providers (IDPs) for initial access, followed by the expert use of victims' tools and resources to achieve their goals. Their main objective is data theft, particularly Intellectual Property (IP), for extortion purposes.
Analyst Comments: The emergence and activities of LUCR-3 underscore the evolving nature of cyber threats. Their ability to seamlessly integrate into an organization's environment, using the organization's own tools against them, highlights the need for robust cybersecurity measures. Companies, especially those in the Fortune 2000 list, must be vigilant and proactive in monitoring their systems, particularly their IDPs and SaaS applications, to detect and counteract such sophisticated threat actors.
FROM THE MEDIA: LUCR-3 overlaps with several other groups and is known for its sophisticated approach, avoiding heavy reliance on malware or scripts. Instead, they use victims' own tools, applications, and resources. They gain initial access by compromising identities in IDPs such as Okta, Azure AD, and Ping Identity. Once inside, they utilize SaaS applications for reconnaissance, leading to data theft focused on IP, Code Signing Certificates, and customer data. Their tooling primarily involves Windows 10 systems, AWS services, and SaaS applications. They are meticulous in their approach, from initial recon to establishing persistence, ensuring they remain undetected for as long as possible.
READ THE STORY: THN
European Commission Eyes AI Chip Market
Bottom Line Up Front (BLUF): The European Commission (EC) is closely observing the AI chip market, particularly AI-driven chipmakers, for potential anticompetitive behaviors, although no formal investigation has been launched.
Analyst Comments: The AI chip market's rapid growth, coupled with Nvidia's dominant position and the recent surge in GPU demand, has understandably caught the attention of regulatory bodies like the EC. While no formal investigation is underway, the EC's proactive monitoring approach indicates the significance of ensuring fair competition in rapidly evolving tech sectors. As AI continues to be integrated into various industries and applications, ensuring a competitive market is crucial for innovation, fair pricing, and consumer choice. The coming years will likely see increased scrutiny and potential regulations as the AI industry matures and its impact becomes even more pronounced.
FROM THE MEDIA: Recent reports suggest that the European Commission is keenly monitoring the AI chip sector for any signs of anticompetitive practices. While no official investigation has been declared, the EC has been gathering insights on potential abusive practices in the industry. This scrutiny follows last week's claims that French authorities had searched the offices of GPU manufacturer Nvidia, a dominant player in the graphics card sector, as part of an inquiry into the industry by the country's Competition Authority. Nvidia's GPUs are particularly prominent in the AI accelerator market. Despite Nvidia's refusal to comment on any potential EC investigation, it is understood that the EC consistently watches for possible anticompetitive behaviors across all sectors. The heightened demand for GPUs, especially for AI model training, and the subsequent price surge might have triggered the EC's interest. Analysts from Gartner have forecasted that the AI chip market's revenue could reach $53.4 billion this year, marking a growth of over 20% from 2022, with projections of it hitting $119.4 billion by 2027.
READ THE STORY: The Register
BunnyLoader: The Rising Malware-as-a-Service Menace
Bottom Line Up Front (BLUF): BunnyLoader, a new malware-as-a-service (MaaS) threat, is making waves in the cybercrime underground. This C/C++-based loader, available for a lifetime license at $250, offers a range of malicious functionalities, from downloading second-stage payloads to stealing browser credentials and system information. Its continuous development and enhancement, coupled with its fileless loading feature, make it a formidable threat to cybersecurity.
Analyst Comments: The emergence of BunnyLoader underscores the evolving and sophisticated nature of threats in the cyber landscape. Its range of functionalities, coupled with its continuous development and evasion techniques, makes it a significant concern for cybersecurity professionals. Organizations must remain vigilant and proactive in monitoring and updating their security measures to counteract such threats. The MaaS model's adaptability and ease of access for potential cybercriminals further emphasize the need for robust and up-to-date cybersecurity defenses.
FROM THE MEDIA: Cybersecurity experts have recently identified BunnyLoader, a MaaS threat that's being actively advertised and sold in the cybercrime underground. This malware provides a plethora of functionalities, including downloading and executing second-stage payloads, stealing browser credentials, system information, and more. It also boasts features like a keylogger and a clipper functionality, which monitors and replaces content in the victim's clipboard, particularly targeting cryptocurrency wallet addresses. BunnyLoader's continuous development since its debut on September 4, 2023, has seen the incorporation of anti-sandbox and antivirus evasion techniques. A notable feature, as highlighted by its author PLAYER_BUNNY, is its fileless loading capability, which poses challenges for antiviruses attempting to remove the malware.
READ THE STORY: THN
Items of interest
Vietnam Investigates Chinese Wind Towers for Dumping
Bottom Line Up Front (BLUF): Vietnam's industry ministry has initiated an investigation into the potential dumping of wind towers imported from China, following complaints from local producers.
Analyst Comments: The investigation into the potential dumping of wind towers from China underscores Vietnam's commitment to protecting its domestic industries, especially as the country seeks to expand its renewable energy sector. The proposed anti-dumping tax rate of 97% indicates the severity of the concerns raised by local producers. If implemented, such a tax could significantly impact the wind energy sector's growth in Vietnam, given the current reliance on imported towers. This move might also strain trade relations between Vietnam and China, two significant players in the South-East Asian region.
FROM THE MEDIA: Vietnam's government announced on Saturday that its industry ministry has started an investigation that might result in anti-dumping duties on wind towers originating from China. This move comes after domestic producers in Vietnam claimed that the dumping of these Chinese towers has caused them "significant damage." The specific nature of the damage was not detailed in the government's statement. If the preliminary investigation results indicate a need, the trade ministry might impose temporary anti-dumping measures to protect domestic manufacturing. While there is no set timeline for the investigation's completion, local producers have suggested an anti-dumping tax rate of 97%. Currently, wind towers imported to Vietnam benefit from a most-favored nation (MFN) tariff of 3%. As Vietnam aims to transition to carbon neutrality by mid-century, it is focusing on enhancing wind energy, targeting wind power to constitute 18.5% of the total power mix by 2030. The Chinese embassy in Hanoi has not yet commented on the matter.
READ THE STORY: The Daily Star
Senate Intelligence Committee hearing on China’s influence in the US (Video)
FROM THE MEDIA: A former FBI counterintelligence official is among those expected to speak.
Inside the Mission of DOJ’s New National Security Cyber Section (Video)
FROM THE MEDIA: The Cyber Initiatives Group (CIG) is an organization of cyber leaders with deep government and private sector experience who come together four times a year to share information on threats and emerging trends in cyberspace and how these will affect public-private sector collaboration.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at firstname.lastname@example.org.