Daily Brief

Total articles found: 12802

2024-09-27 00:43:33 theregister MALWARE Critical Linux CUPS Bug Exposes Systems to Remote Hijacking
Simone Margaritelli discovered critical vulnerabilities in the Linux CUPS printing system that could allow remote hijacking. No patches are currently available; recommendations include removing cups-browsed or blocking UDP port 631. The vulnerabilities trigger arbitrary command execution through manipulated print job URLs when a print job is started. Public disclosure was rushed after private reports leaked, exposing flaws in the zero-day reporting process. Only a small fraction (a single-digit percentage at most) of internet-facing Linux systems is believed to be vulnerable, yet the risk remains significant. An IBM engineer rates the bugs 9.9 out of 10 in severity, suggesting significant potential impact despite the user interaction required. Cybersecurity experts urge immediate evaluation of exposure to prevent breaches via the now-public vulnerabilities. Further updates are expected as part of a series revealing more details and potential exploits related to the flaw.
2024-09-26 22:05:43 bleepingcomputer MALWARE Exploiting CUPS Flaws Could Allow Linux Remote Code Execution
Multiple vulnerabilities identified in CUPS (Common UNIX Printing System) enable potential remote code execution on Linux systems. The discovered vulnerabilities, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177, require specific conditions to be exploitable, including an enabled cups-browsed daemon. Simone Margaritelli, the discoverer, pointed out that the flaws don't affect systems by default, as most do not have the daemon enabled. The attack involves tricking a user into printing to a maliciously created network printer, which then installs a malicious PostScript Printer Description (PPD) capable of executing arbitrary code. While the potential for misuse exists, several mitigations reduce the risk, such as the fact that UDP is often disabled on network ingress, and the service is not usually enabled. Red Hat has classified the flaws with an "Important" rating and suggests mitigation measures, including disabling and preventing the cups-browsed service from running. No patches are currently available, but system administrators can halt the vulnerable service to prevent exploitation as an interim measure.
2024-09-26 21:44:55 theregister MALWARE Critical Nvidia Vulnerability Risks Complete Host System Control
Nvidia Container Toolkit bug tagged CVE-2024-0132 allows attackers to escape containers and take over host machines. This flaw, rated 9.0 out of 10 in severity, affects versions up to v1.16.1 of the Container Toolkit and v24.6.1 of the GPU Operator. Approximately 33% of cloud environments running the mentioned Nvidia software versions are vulnerable to attacks. The security issue, a Time of Check Time of Use (TOCTOU) vulnerability, can lead to unauthorized resource access and potential data breaches. Exploits could involve crafted malicious images used in environments that handle third-party container images or AI models. Nvidia has released updates (Container Toolkit v1.16.2 and GPU Operator v24.6.2) to mitigate the risk. Wiz security researchers have disclosed the vulnerability but limited technical details are currently public to prevent exploitation. The vulnerability poses a significant threat to both single-tenant and shared computing environments, especially those involving GPU resources.
2024-09-26 21:29:26 bleepingcomputer MALWARE SnipBot Data Theft Malware Targets Multiple Industry Sectors
A new variant of RomCom malware, named SnipBot, has been identified targeting various sectors including IT services, legal, and agriculture. Palo Alto Networks' Unit 42 discovered SnipBot after analyzing a DLL used in recent attacks, noting its sophisticated data theft and network pivot capabilities. RomCom 4.0 was previously known for delivering Cuba ransomware and carrying out phishing operations; SnipBot, or RomCom 5.0, adds command flexibility and new data exfiltration methods. SnipBot incorporates advanced obfuscation techniques using window message-based control flow and employs anti-sandboxing measures to remain undetected. The infection vector for SnipBot typically begins with phishing emails that lead recipients to download malicious files disguised as innocuous documents. Once installed, SnipBot executes a second discovery phase using AD Explorer to navigate and edit Active Directory, facilitating targeted data theft; the stolen data is then exfiltrated as compressed archives. The ultimate goal of SnipBot attacks appears to be shifting away from financial gain towards potentially espionage-oriented operations, though the exact motives remain unclear.
2024-09-26 19:57:03 bleepingcomputer CYBERCRIME Flaws in Kia's Dealer Portal Threatened Security of Millions of Cars
Security researchers identified critical vulnerabilities in Kia's dealer portal that could allow hackers to hijack cars and access owner data. The flaws were discovered on June 11th, 2024, and affect vehicles produced after 2013. Hackers could manipulate car functions such as locking, unlocking, starting, stopping, and horn honking using only a license plate number. Personal data of car owners, including names, phone numbers, and addresses, was exposed due to the security weaknesses. Attackers could also add themselves as secondary users on the vehicles undetected. The vulnerabilities were exploited by generating an access token after registering a fake dealer account, then accessing vehicle controls and owner details through backend dealer APIs. The vulnerabilities have since been fixed, and according to researcher Sam Curry there was no malicious exploitation of these flaws.
2024-09-26 19:36:25 theregister CYBERCRIME HPE Issues Urgent Fixes for Critical Aruba Access Point Flaws
HPE released emergency patches for three critical vulnerabilities in Aruba access points, affecting both AOS-8 and AOS-10 versions. The security flaws, rated 9.8 on the CVSS scale, allow remote code execution through specific UDP port interactions. Affected versions include AOS 10.6.x.x up to 10.6.0.2 and Instant AOS 8.12.x.x up to 8.12.0.1; older versions require system upgrades for protection. HPE offers mitigations such as enabling cluster security on Instant AOS-8.x systems or blocking UDP port 8211 on AOS-10 devices from untrusted networks. The vulnerabilities were identified by part-time flaw finder Erik de Jong and reported through Bugcrowd. There is no current evidence that these vulnerabilities have been exploited in the wild; however, with the public release of the patches, the risk of exploitation could increase. This patching is especially significant for systems within the US military, following Aruba's designation as the preferred supplier to the Pentagon in 2020.
2024-09-26 18:04:10 bleepingcomputer MISCELLANEOUS Tor Project and Tails OS Merge to Enhance Privacy Tools
The Tor Project and Tails OS have announced a merger to enhance collaboration and improve internet privacy and security tools. The merger was initiated by Tails to manage its growth and reduce operational stress, particularly the organizational demands that come with expansion. Tails OS, renowned for its anonymization capabilities, will benefit from a more extensive organizational framework under the Tor Project. The merger is expected to bring better sustainability, reduced overhead costs, and expanded training and outreach programs. This integration should also improve resource pooling and effectiveness in combating digital threats worldwide. Existing users of both projects can expect a more comprehensive solution that ensures privacy at both the network and operating system levels. The decision reflects a strategic alignment to optimize operations and outreach, particularly helping Tails with non-technical challenges like fundraising and human resources.
2024-09-26 17:38:11 theregister MALWARE Critical Unpatched 9.9-Rated Linux RCE Bug Could Wreak Havoc
A decade-old unpatched remotely exploitable flaw, rated 9.9 on the CVSS scale, threatens all GNU/Linux systems and potentially others. Bug hunter Simone Margaritelli will disclose full details and a proof-of-concept exploit by September 30, aiming to prompt remedial action. The vulnerability is comparable to, yet potentially more severe than, the famous Heartbleed bug, which had a CVSS rating of 7.5. Major Linux distributors like Canonical and Red Hat have acknowledged the severity of the issue but have yet to publish mitigation measures. The flawed software is in widespread use, affecting systems from personal Wi-Fi routers to critical national infrastructure. The disclosure process has been contentious, with the developers being defensive rather than proactive in addressing the submitted proofs of concept. Security professionals, including Sonatype CTO Brian Fox, are treating the warning with the utmost seriousness because of the simplicity of potential exploitation and the core-level presence of the bug. There is a pressing call for the Linux community to recognize and fix the vulnerability given its extensive implications for operational security.
2024-09-26 16:05:51 thehackernews CYBERCRIME Critical Flaws Allowed Hackers Remote Access to Kia Cars
Cybersecurity researchers identified serious vulnerabilities in Kia vehicles that could enable remote control of a car using only its license plate number. The vulnerabilities were found in almost all Kia models produced after 2013, affecting the Kia Connect system and the dealership API infrastructure. Attackers could use these flaws to become an "invisible" secondary user, gaining sensitive information such as the vehicle owner's name, contact details, and physical address. By exploiting the vulnerabilities, an attacker could issue commands to lock, unlock, or start the vehicle, or activate the horn, without alerting the vehicle owner. The attack process involved entering a license plate into a custom dashboard, extracting the VIN, and sending commands, all within about 30 seconds. The flaws were responsibly disclosed to Kia in June 2024 and were fully patched by August 14, 2024. There is no evidence that these vulnerabilities were exploited before being patched. Researchers emphasize the ongoing risk of car vulnerabilities, similar to the risks in other technology platforms like social media.
2024-09-26 15:55:08 bleepingcomputer CYBERCRIME U.S. Sanctions Crypto Exchanges Linked to Russian Ransomware
The U.S. Treasury has sanctioned Cryptex and PM2BTC, two crypto exchanges associated with laundering funds for Russian cybercrime groups. Cryptex has laundered over $51 million from ransomware attacks, with connections to over $720 million in illicit transactions. PM2BTC is implicated in laundering virtual currency through sanctioned banks, notably facilitating currency to ruble conversions for Russian cybercriminals. The sanctions tie these organizations to Sergey Sergeevich Ivanov, a major money launderer linked to various cybercrime activities over the past two decades. Ivanov is connected to payment processing for OFAC-designated fraud shops and darknet marketplaces. U.S. citizens and entities are prohibited from transactions with the sanctioned parties; any U.S.-based assets of these entities will be frozen. These sanctions are part of a global initiative called Operation Endgame, aimed at disrupting Russian cybercrime infrastructure and financial networks. The U.S. Department of State offers a reward up to $10 million for information leading to the capture of Ivanov and associated cybercrime operatives.
2024-09-26 14:38:06 theregister MISCELLANEOUS Secure Intellectual Property in the Age of AI: Upcoming Webinar
Nutanix is hosting a webinar on October 2nd, aimed at securing intellectual property (IP) in AI deployments. The rise of large language models in cloud computing increases vulnerabilities, exposing sensitive data. The webinar covers secure deployment of AI models in both cloud-native and on-premises environments. Strategies to prevent data leakage and protect against IP theft will be explored. Best practices for managing AI model updates without compromising private data will be discussed. This session is designed for IT leaders, security professionals, and AI developers. Participants will learn essential techniques to protect their organization’s valuable data while leveraging AI advancements.
2024-09-26 14:12:24 theregister CYBERCRIME Fraudulent Mobile App Drains $70K from Cryptocurrency Wallets
A mobile app fraudulently using the WalletConnect name on Google Play deceived users and stole $70,000 in cryptocurrency. Over 10,000 people downloaded the app, but Check Point Research (CPR) linked it to around 150 actual victims who had their digital wallets compromised. The app exploited the lack of an official WalletConnect application on the Play Store, gaining a false air of legitimacy through numerous fake reviews. Attackers targeted novice users by promising compatibility and support for web3 applications, luring them into linking their wallets. The scam worked by diverting users to a malicious website under the pretense of performing legitimate wallet transactions, then stealing their tokens. Despite only 20 negative reviews being posted, the scam persisted for several months, showing a significant delay in community and platform response. The app was operational from March and was not removed until five months later, despite Google's claims of rigorous app vetting processes. This incident has raised concerns about the security of the app ecosystem and the need for more advanced protective measures in decentralized finance.
2024-09-26 13:51:41 bleepingcomputer MISCELLANEOUS Automattic Denies WP Engine Access to WordPress Updates
Automattic has restricted WP Engine's access to WordPress.org resources, impacting plugin updates for sites hosted by WP Engine. WordPress.org accuses WP Engine of altering WordPress's core features for profit and of blocking negative feedback through the dashboard's news widget. This action denies security updates to thousands of WP Engine-hosted websites, potentially affecting millions of internet users. The dispute continues to escalate, with legal tensions surging as WP Engine pursues litigation against WordPress-related entities. Matt Mullenweg criticizes WP Engine for not contributing sufficiently to the WordPress ecosystem, which has led to severe public and legal altercations. Patchstack is withholding publication of essential security patches until the dispute is settled, to avoid exposing unprotected sites to exploitation. WP Engine's customers are advised to consider alternative hosting options because of the potential security vulnerabilities and unresolved issues.
2024-09-26 13:15:50 bleepingcomputer CYBERCRIME Fake WalletConnect App on Google Play Steals Crypto Assets
A fraudulent app named WallConnect, impersonating the legitimate WalletConnect, was available on Google Play for five months. The app accumulated over 10,000 downloads and was used to steal cryptocurrency by redirecting users to a malicious site for transaction authorization. Check Point researchers found that the app drained the more valuable tokens from victims' wallets first. At least 150 users fell victim to this scam, losing a total exceeding $70,000 in digital assets. Fake reviews boosted the app's visibility, potentially inflating its download numbers beyond actual user interest. Google has since removed the malicious app from Google Play following the researchers' notification. Despite the security measures on Google Play, apps that engage in deceptive practices without directly embedding malicious code can still get onto the platform.
2024-09-26 12:34:27 thehackernews NATION STATE ACTIVITY North Korean Hackers Launch New Malware in Sophisticated Attacks
North Korean-linked threat group Kimsuky has deployed two new malware types, KLogEXE and FPSpy, targeting entities primarily in South Korea and Japan. Kimsuky, also known under various aliases including APT43 and Velvet Chollima, has been active since 2012 and is noted for its spear phishing expertise. The newly discovered malware strains show significant advancements in Kimsuky's operational capabilities, enhancing their technical arsenal for espionage. KLogEXE, developed in C++, is a sophisticated keylogger designed to monitor and transmit data on user keystrokes, mouse actions, and running applications. FPSpy serves as a multifunctional backdoor capable of extracting system information, downloading further payloads, and executing arbitrary commands. Both KLogEXE and FPSpy share similar source codes, indicating they were likely developed by the same authors within the Kimsuky group. Research by Palo Alto Networks' Unit 42 has played a crucial role in identifying these threats and providing insights into their functionalities and targets.