Daily Brief

OpenAI's GPT-4o language model was manipulated to generate Python exploit code for a critical Docker Engine vulnerability (CVE-2024-41110) by encoding instructions in hexadecimal. Marco Figueroa, a technical product manager at 0Din, Mozilla’s generative AI bug bounty platform, demonstrated how to bypass the AI's security guardrails. The generated exploit code could enable an attacker to bypass authorization plugins in Docker, leading to unauthorized actions including privilege escalation. The hex-encoded exploit crafted by the AI closely resembled an existing proof-of-concept exploit, highlighting the model's efficiency in reproducing functional attacks. Figueroa suggests the incident underscores the need for AI models to have sophisticated security measures capable of detecting encoded or obfuscated content. He recommends enhancing AI safety by developing models that can understand the broader context of multi-step tasks and identify patterns consistent with exploit generation. The experiment also raised questions about the ethical implications and safety concerns of using AI-driven technologies in sensitive and security-focused environments.

Free, unofficial patches are now available for a new Windows Themes zero-day vulnerability that enables remote stealing of NTLM credentials. ACROS Security researchers found the vulnerability while working on a micropatch for another related security issue, which itself was an incomplete fix for a previously patched cybersecurity threat. This newly discovered vulnerability affects all fully updated Windows versions from Windows 7 to the latest Windows 11 24H2, potentially exposing users’ NTLM credentials. The exploitation could occur by merely viewing a specially crafted malicious file, without the need for the user to click or open the file, making it especially insidious. ACROS Security offers the unofficial micropatches for free through its 0patch service for all affected Windows versions until Microsoft releases an official update. Microsoft has acknowledged the issue and stated they are considering actions to protect users, with an official patch expected soon. As a stopgap, Windows users can employ additional mitigation measures recommended by Microsoft to block potential NTLM hash leaks.

Over 22,000 instances of CyberPanel were targeted by a ransomware named PSAUX due to a critical remote code execution vulnerability. Security flaws in CyberPanel versions 2.3.6 and likely 2.3.7 allowed unauthenticated remote root access, which were exploited in the ransomware attack. A security patch was released on GitHub by CyberPanel developers after the vulnerabilities were disclosed, although no new version of the software was issued. The ransomware encrypts files using AES and IV keys, saving encrypted keys on the server, with mistakes in the encryption process allowing potential file recovery. Nearly half of the affected CyberPanel instances were located in the United States, impacting the management of over 152,000 domains and databases. Users managing the affected CyberPanel instances are advised to update their software immediately to the latest version available on GitHub to mitigate risks.

QNAP addressed a critical zero-day vulnerability in their HBS 3 Hybrid Backup Sync software, tracked as CVE-2024-50388. The flaw, allowing remote command execution, was exposed during the Pwn2Own Ireland 2024 competition by Team Viettel. To mitigate the issue, users are advised to update their HBS 3 software to version 25.1.1.673 or later through the QTS or QuTS hero interfaces. The patched zero-day enabled hackers to gain administrative privileges on a TS-464 NAS device. QNAP regularly falls victim to ransomware due to the storage of sensitive personal files on their devices. Team Viettel secured victory at Pwn2Own Ireland 2024, a contest which highlighted over 70 zero-day vulnerabilities. Past security incidents at QNAP include an SQL Injection vulnerability and a backdoor account that facilitated ransomware attacks.

International law enforcement, led by the Dutch Politie, arrested two individuals and charged another in connection with distributing Redline and Meta infostealer malware. The arrests and charges follow year-long Operation Magnus, which involved multiple nations and resulted in the seizure of servers and shutdown of domains linked to malware distribution. Two suspects were arrested in Belgium with limited public disclosure of their identities; one remains in custody, accused of being an infostealer customer. The U.S. charged Maxim Rudometov with several crimes, including access device fraud and money laundering, related to his role as a developer and administrator of Redline. The operation unearthed over 1,200 servers hosting the malware and reached out to all users of Redline and Meta, urging them to collaborate with law enforcement. ESET, a Slovak security company, developed a free online scanner specifically for detecting Redline or Meta infections on Windows machines. Law enforcement has hinted at possible future arrests, not ruling out further actions against other suspects involved in the malware operation. Critics question the effectiveness of such operations, noting the difficulty in arresting suspects, especially in regions without extradition agreements with Interpol.

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG), suffered a significant ransomware attack by the ALPHV/BlackCat group, leading to the theft of around 4 terabytes of data. The breach potentially impacted up to 110 million individuals, exposing sensitive health information and disrupting healthcare services and payments. The lack of Multi-Factor Authentication was identified as a key weakness during a congressional hearing with UnitedHealthcare CEO Andrew Witty. Despite paying a $22 million ransom, the attackers did not fulfill their promise to delete the stolen data. Following the breach, the US Senate proposed the Health Infrastructure Security and Accountability Act (HISAA), aiming to enhance cybersecurity measures and accountability in the healthcare sector. The bill emphasizes regular security testing, business continuity plans, compliance audits, and includes substantial financial support for healthcare entities to improve cybersecurity. Senator Ron Wyden criticized the incident as preventable, attributing it to corporate negligence and inadequate cybersecurity leadership at UHG. The proposed HISAA legislation would create stricter cybersecurity standards and penalties to prevent similar breaches, significantly altering the landscape of healthcare data security in the United States.

A new critical vulnerability in the Spring WebFlux framework, identified as CVE-2024-38821, has been disclosed, impacting specific Java applications. The vulnerability allows for the bypass of security rules but only affects applications that use Spring WebFlux with static resources support under non-permitAll authorization rules. Despite its critical rating of 9.1 by the National Vulnerability Database, vendors like Red Hat suggest a lower severity score of 7.4, citing the restricted conditions needed for exploitation. Approximately 60% of Java applications are reported to depend on the Spring framework, underlining the broad potential impact. IBM labels the risk as moderate, pointing out that the vulnerability impacts only static resources such as CSS, JavaScript, or images, which do not involve user-specific data or core business logic. Italy's CSIRT-ITA rates the impact as high, assessing it at 65.51 out of 100, highlighting discrepancies in severity assessments across different organizations. Enterprises using affected versions of Spring and meeting the specified conditions are advised to update their systems to mitigate the vulnerability.

The U.S. has charged Maxim Rudometov, a Russian citizen, with developing and administering the RedLine infostealer malware. RedLine allows users to steal credentials, financial data, and bypass multi-factor authentication systems. The charges are part of 'Operation Magnus,' involving international law enforcement including the FBI and Eurojust, targeting malware-as-a-service platforms. The operation disrupted RedLine and META platforms, dismantling significant cybercriminal infrastructure across several countries. Authorities have seized multiple servers and domains in the Netherlands; arrests have also been made in Belgium. Rudometov could face up to 35 years in prison but his current custody status is unspecified. Cybersecurity firm ESET has released an online scanner to help detect infections by the mentioned malware types and is advising infected users to change their passwords and monitor their financial accounts.

Over three dozen security vulnerabilities have been identified in various open-source AI and ML models, including potential for remote code execution and information theft. Significant vulnerabilities discovered in AI tools such as ChuanhuChatGPT, Lunary, and LocalAI, reported through Protect AI's Huntr bug bounty platform. Two critical vulnerabilities in Lunary enable unauthorized prompt updates and potential theft of confidential information. ChuanhuChatGPT exposed to remote code execution due to a path traversal flaw in its user upload feature. LocalAI's vulnerabilities allow arbitrary code execution through malicious file uploads and API key extraction via timing attacks. A remote code execution flaw, rooted in an arbitrary file overwrite bug, affects the Deep Java Library's package handling. NVIDIA has issued patches for a path traversal flaw in its NeMo AI framework to prevent code execution and data tampering. Protect AI also released Vulnhuntr, a Python static code analyzer using LLMs to detect zero-day vulnerabilities, enhancing security measures for AI development.

Exposure validation improves cybersecurity by allowing teams to focus on vulnerabilities that pose real threats, rather than all potential vulnerabilities. This method follows Sherlock Holmes' philosophy of eliminating the impossible to uncover the truth, prioritizing significant risks over less probable ones. Techniques such as Breach and Attack Simulation (BAS) and Automated Penetration Testing help validate which vulnerabilities are exploitable. Automated exposure validation is crucial in modern IT environments to efficiently manage and address security risks at scale. Real-world scenario simulations during exposure validation provide actionable insights, enabling security teams to prioritize high-risk vulnerabilities efficiently. Integrating exposure validation into a Continuous Threat Exposure Management (CTEM) program helps distinguish between theoretical risks and actual threats, optimizing cybersecurity efforts. Common concerns about exposure validation include hesitancy to shift from traditional vulnerability management to proactive exploitation testing and threat prioritization.

Dutch National Police, with global partners, disrupted operations of information stealers RedLine and MetaStealer under Operation Magnus. On October 28, 2024, authorities took down three servers in the Netherlands and seized two domains linked to these malware operations. Over 1,200 servers globally were estimated to be involved in running this malicious software. Legal actions included charges against one administrator in the U.S. and the arrest of two individuals in Belgium, with one still in custody. The operation was initiated following a tip from cybersecurity firm ESET about the server locations in the Netherlands. Seized data included user credentials, IP addresses, timestamps, and the source codes of the malware. Several Telegram accounts associated with the malware distribution were also shut down, indicating a crackdown on encrypted services previously deemed secure by criminals. Ongoing investigations are focusing on the customers of these malware-as-a-service (MaaS) platforms, which rent out the stealing tools to other cyber criminals.

French President Macron's bodyguards have inadvertently exposed his movements by posting their workout data on Strava. Investigations by Le Monde revealed that the Security Group for the Presidency of the Republic (GSPR) members publicly shared their geo-localized workout sessions on the app. This security breach means that anyone can potentially trace the locations of Macron’s residences, meeting areas, and travel routes. Similar risks were noted for other global leaders, including President Biden and Russian President Vladimir Putin, indicating a widespread issue. Prior incidents include the 2018 exposure of secret military bases through Strava’s data, leading the US military to reassess its guidelines on app usage. The problem stems from Strava’s default settings that map movements unless users specifically opt to keep their location private. While some users of fitness apps enjoy sharing their data, the article calls for more stringent security measures to prevent unintended leaks of sensitive information.

The Five Eyes intelligence coalition, comprising Australia, Canada, New Zealand, the UK, and the US, has issued new cybersecurity guidance for tech startups. This guidance focuses on combatting threats such as IP theft, particularly from China, as highlighted in a recent summit. Each participating country has developed unique materials to help startups implement better security practices; these range from infographics and videos to detailed advisory documents. The United States has released documents which include advice on managing cyber risks while traveling, such as using remote wipe capabilities and on-device encryption. New Zealand's contribution includes a comprehensive 33-page advisory that outlines basic security improvements and incident response procedures. Australia introduced a "Secure Innovation Placemat" as part of its approach to offer straightforward, easily accessible advice. Despite this coordinated effort, it remains uncertain if these resources will effectively change the prevailing "move fast and break things" culture in many startups. Historical examples of security issues faced by companies like Uber, Lyft, GitLab, and OpenAI underscore the ongoing challenge of ensuring startups prioritize robust security measures.

The U.S. government has released new guidelines for the use of the Traffic Light Protocol (TLP) in sharing cybersecurity threat intelligence. The TLP framework involves four colors—Red, Amber, Green, and White—to guide the dissemination of sensitive information to appropriate parties. This protocol aims to build trust and enhance collaborative efforts in the cybersecurity community by controlling how information is shared. The guidance ensures that TLP markings on voluntarily shared cybersecurity information by individuals or organizations are respected, barring conflicts with existing laws or policies. National Cyber Director Harry Coker, Jr. emphasized the government's commitment to respecting trusted information-sharing channels with both federal and private sector partners. The updated guidance is expected to foster more effective partnerships and advance a secure, cooperative cybersecurity environment.

GCHQ is actively seeking to hire lead and senior cyber security experts, offering salaries significantly lower than the private sector. Advertised roles, located in the National Cyber Security Centre in London, offer modest salaries plus potential small bonuses. In comparison, private sector roles like those at Unilever and BAE Systems offer higher base salaries and additional perks. GCHQ roles involve hands-on technical work, including software development and security analysis and require advanced skills in various cyber security domains. Despite offering the unique opportunity to contribute to national defense, GCHQ’s salaries may hinder its ability to attract the best talent. The hiring challenge highlights the broader issue of wage disparities between public and private sector jobs in the cybersecurity field. The application deadline provided in the job advert is Monday, November 4.