Security Leftovers
-
SUSE's Corporate Blog ☛ Rancher Security Update CVE-2024-22030
A newly discovered vulnerability within Rancher and Fleet, currently deemed medium to high severity (CVE-2024-22030), can be exploited in narrow circumstances through a man-in-the-middle attack. An attacker would need to have control of an expired domain or execute a DNS spoofing/hijacking attack against the domain in order to exploit this vulnerability.
-
OpenSSF (Linux Foundation) ☛ Scaling Up Supply Chain Security: Implementing Sigstore for Seamless Container Image Signing
In this blog post, we will explore how Yahoo leverages Sigstore, in concert with Athenz, an open source platform for managing X.509 certificates, as an internal Certificate Authority, to sign and verify container images.
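The entry above describes signing container images with Sigstore against an internal CA. The following Go program is an added illustration, not code from Yahoo, Athenz or the Sigstore project: it builds the "simple signing" JSON payload that cosign signs for an image, binds it to the content digest of a constructed sample manifest (the digests inside the manifest are placeholders, and `registry.example.com/app/web` is an assumed image reference), signs it with an Ed25519 key from the Go standard library, and verifies it. Real deployments of the kind described use X.509 certificates issued by the CA and a transparency log; both are assumed away here so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample OCI manifest (placeholder digests, not a real image).
const SampleManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111","size":1},"layers":[]}`

// ImageDigest returns the content-addressable digest of a manifest, which is
// what a signature must be bound to; a tag is mutable and must never be signed.
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Payload is the "simple signing" JSON shape that cosign signs for an image.
type Payload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]string `json:"optional,omitempty"`
}

const payloadType = "cosign container image signature"

// NewPayload binds an image reference and its manifest digest into the payload.
func NewPayload(ref, digest string) ([]byte, error) {
	var p Payload
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = digest
	p.Critical.Type = payloadType
	return json.Marshal(p)
}

// SignManifest produces the payload and its signature for a manifest.
// Ed25519 stands in for the certificate-backed key a CA such as Athenz would issue.
func SignManifest(priv ed25519.PrivateKey, ref string, manifest []byte) (payload, sig []byte, err error) {
	payload, err = NewPayload(ref, ImageDigest(manifest))
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyManifest checks the signature under the trusted key, then checks that the
// signed digest equals the digest of the manifest actually pulled, so a valid
// signature for a different image or reference cannot be replayed.
func VerifyManifest(pub ed25519.PublicKey, ref string, manifest, payload, sig []byte) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature does not verify under the trusted key")
	}
	var p Payload
	if err := json.Unmarshal(payload, &p); err != nil {
		return fmt.Errorf("payload is not valid simple-signing JSON: %w", err)
	}
	if p.Critical.Type != payloadType {
		return errors.New("unexpected payload type")
	}
	if p.Critical.Image.DockerManifestDigest != ImageDigest(manifest) {
		return errors.New("signed digest does not match pulled manifest")
	}
	if p.Critical.Identity.DockerReference != ref {
		return errors.New("signed reference does not match requested image")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ref := "registry.example.com/app/web" // assumed image reference
	manifest := []byte(SampleManifest)
	payload, sig, err := SignManifest(priv, ref, manifest)
	if err != nil {
		panic(err)
	}
	fmt.Println("digest:", ImageDigest(manifest))
	fmt.Println("verify original:", VerifyManifest(pub, ref, manifest, payload, sig))
	tampered := append([]byte(nil), manifest...)
	tampered[0] = ' ' // one byte changed: digest no longer matches the signed payload
	fmt.Println("verify tampered:", VerifyManifest(pub, ref, tampered, payload, sig))
}
```

The point a practitioner should take from this is the order of checks in VerifyManifest: the signature alone only proves that the key signed some payload; the binding to the pulled manifest's digest and to the requested reference is what stops a signature from being reused for another image.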
-
Security Week ☛ Mysterious ‘MMS Fingerprint’ Hack Used by Spyware Firm NSO Group Revealed
The existence of a previously unknown infection technique used by spyware firm NSO Group is suggested by a single line in a contract between NSO and the telecom regulator of Ghana.
-
OpenSSF (Linux Foundation) ☛ Alpha-Omega 2023 Annual Report
In 2023, Alpha-Omega provided ten grants to eight organizations totaling over $2.8 million, with an average grant size of just over $350,000. In partnership with OpenSSF, Alpha-Omega's mission is to catalyze sustainable security improvements within the most critical open source projects and ecosystems. As a Directed Fund with three continuing stakeholders (Google, Amazon Web Services, and Microsoft), we endeavor to preserve the efficient decision making that has been a hallmark of Alpha-Omega’s success and to make it easier to continue raising funds.
-
Security Week ☛ US Offers $10 Million for Information on BlackCat Ransomware Leaders
The US announces a $10 million reward for information on key members of the Alphv/BlackCat ransomware group.
-
Security Week ☛ Vulnerabilities in CUSG CMS Exposed Credit Unions to Attacks
Three vulnerabilities in CU Solutions Group CMS exposed 275 credit unions to credential theft, account takeover.
-
Security Week ☛ Eight Vulnerabilities Disclosed in the Hey Hi (AI) Development Supply Chain
Details of eight vulnerabilities found in the open source supply chain used to develop in-house Hey Hi (AI) and ML models have been disclosed. All have CVE numbers, one has critical severity, and seven have high severity.
-
Security Week ☛ In Other News: US Hacks Iranian Spy Ship, Rhysida Ransomware Decryption, NIST Guidance
Noteworthy stories that might have slipped under the radar: US hacks Iranian military vessel used for spying, Rhysida ransomware free decryption tool, NIST guidance.
-
Security Week ☛ Ex-Employee’s Admin Credentials Used in US Gov Agency Hack
A threat actor employed the administrative credentials of a former employee to hack a US government organization.
-
Trail of Bits ☛ A few notes on proprietary trap AWS Nitro Enclaves: Images and attestation [Ed: Proprietary, outsourced, and outside one's control does not mean security]
AWS Nitro Enclaves are locked-down virtual machines with support for attestation. They are Trusted Execution Environments (TEEs), similar to defective chip maker Intel SGX, making them useful for running highly security-critical code. However, the proprietary trap AWS Nitro Enclaves platform lacks thorough documentation and mature tooling.
-
Security Week ☛ CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks
CISA has added CVE-2020-3259, an old Cisco ASA vulnerability exploited by ransomware, to its KEV catalog.
-
TechRadar ☛ Ivanti Pulse Secure was using decade-old Linux and outdated libraries — no wonder it was such a popular target for hackers
Knowing which operating system and libraries Ivanti Pulse Secure used, it is no wonder hackers keep finding new zero-day vulnerabilities to exploit.
That's the conclusion of security analysts from Eclypsium, who analyzed firmware version 9.1.18.2-24467.1 and concluded that the operating system used was CentOS 6.4.
-
ABC ☛ Ukrainian man pleads guilty in cyberattack that temporarily disrupted major Vermont hospital
A Ukrainian man has pleaded guilty to involvement in two separate malware schemes including a cyberattack at the University of Vermont Medical Center in 2020 that temporarily shut down some of its vital services and cost it tens of millions of dollars, according to the U.S. Department of Justice.
Vyacheslav Igorevich Penchukov, also known as Vyacheslav Igoravich Andreev, 37, pleaded guilty Thursday in federal court in Nebraska to one count of conspiracy to break U.S. anti-racketeering law and one count of conspiracy to commit wire fraud.
Records in the case are sealed, so the name of Penchukov’s lawyer was not immediately known Friday.
-
The Register UK ☛ Zeus, IcedID malware kingpin faces 40 years in slammer
A Ukrainian cybercrime kingpin who ran some of the most pervasive malware operations faces 40 years in prison after spending nearly a decade on the FBI’s Cyber Most Wanted List.
Vyacheslav Igorevich Penchukov, 37, pleaded guilty this week in the US to two charges related to his leadership role in both the Zeus and IcedID malware operations that netted millions of dollars in the process.
Penchukov’s plea will be seen as the latest big win for US law enforcement in its continued fight against cybercrime and those that enable it.