Daily Brief

2024-08-09 13:21:48 thehackernews MALWARE Security Flaws in Sonos Speakers Enable Remote Eavesdropping
Cybersecurity experts from NCC Group have discovered vulnerabilities in Sonos smart speakers that allow for unauthorized audio surveillance. Two specific flaws, CVE-2023-50809 and CVE-2023-50810, enable remote attackers to capture audio and execute unsigned code, respectively. CVE-2023-50809 involves a memory corruption issue in the Sonos One's MediaTek wireless driver, permitting remote code execution without user interaction. CVE-2023-50810 allows attackers to bypass the secure boot process on the Era-100 model, facilitating higher-level privilege escalation. Researchers emphasize the need for OEM and third-party components to meet uniform security standards and comprehensive threat modeling. Affected devices include all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, issued in late 2023. The vulnerabilities were highlighted at Black Hat USA 2024, underlining the importance of robust security practices in smart devices. The researchers also discussed a widespread firmware issue, PKfail, impacting multiple vendors and enabling Secure Boot bypass, posing significant security risks.
2024-08-09 13:06:21 theregister NATION STATE ACTIVITY Iran Intensifies Cyber Operations to Influence US Elections
Microsoft reports increased Iranian efforts to manipulate the upcoming US presidential election, showcasing cyber-enabled influence operations as a persistent threat. Iranian groups, notably Sefid Flood, are impersonating social and political activists to destabilize trust in election integrity and intimidate key figures. Recent Iranian cyber activities include attempts to spear-phish US presidential campaign officials and infiltrate election-related systems. Companion Iranian operations, Mint Sandstorm and Peach Sandstorm, are also implicated in activities potentially aimed at disrupting US electoral processes. Microsoft contrasts Iranian campaigns with Russian efforts, noting differences in timing and methods, though both nations are active in election interference. CISA Director Jen Easterly confirms the physical security of US election infrastructure, despite ongoing foreign influence operations. Fake news sites, set up by Iranian actors, are targeting US voters with divisive content to widen political divides and influence voter perceptions.
2024-08-09 09:32:04 thehackernews CYBERCRIME Critical Flaws in AWS Allow Complete Service Takeovers and Data Theft
Researchers at Aqua discovered multiple severe vulnerabilities in Amazon Web Services (AWS) that could lead to remote code execution (RCE), data theft, and full service takeovers. These vulnerabilities affect AWS services such as CloudFormation, Glue, EMR, and others that automatically create S3 buckets with predictable names, allowing attackers to covertly access or manipulate data. Attackers can preemptively create S3 buckets in various regions, which unsuspecting AWS customers might later activate, unknowingly running malicious code. The vulnerabilities were responsibly disclosed to Amazon in February 2024 and subsequently addressed from March to June. Attack methods include modifying CloudFormation templates to create rogue admin users, enabling complete control over the victim's AWS services. Aqua's findings suggest that AWS account IDs are sensitive and should be treated as secrets, contrary to Amazon's current guidelines, to prevent similar attacks. The vulnerabilities have implications beyond Amazon, affecting several open-source projects that auto-generate AWS resources, potentially exposing more users to these attack vectors. Aqua recommends using unique hashes or random identifiers for S3 bucket names to prevent such attacks.
2024-08-09 07:14:20 thehackernews NATION STATE ACTIVITY Nashville Man Charged in Scheme Aiding North Korean Workers
The U.S. Department of Justice charged Matthew Isaac Knoot with multiple federal crimes including conspiracy to cause damage to protected computers and aggravated identity theft. Knoot allegedly operated a "laptop farm" in Nashville, facilitating employment for North Korean IT workers in American and British IT companies, using a stolen identity. These North Korean workers, believed to be from the Munitions Industry Department of the Workers' Party of Korea, potentially used their positions to fund North Korea's weapons programs. The scheme caused significant financial loss to victim companies, with the total costs exceeding $500,000 for auditing and remediation efforts. Knoot reportedly used unauthorized software to help North Korean operatives appear as U.S. workers and gain remote access to company networks. Over $250,000 was paid to the IT workers by companies, under the mistaken belief they were hiring a legitimate U.S. worker named "Andrew M." This case follows a recent pattern, including another individual charged for a similar operation and companies mistakenly employing North Korean nationals due to identity theft and AI-enhanced deceptions. The U.S. government has heightened its efforts to tackle such fraudulent schemes, including rewards for information leading to the arrest of involved individuals globally.
2024-08-09 05:42:15 theregister CYBERCRIME Major Web Browsers Patch Decades-Old Security Flaw
Oligo Security identified a significant security vulnerability affecting Chromium-based browsers, Safari, and Firefox on macOS and Linux platforms. The vulnerability allows malicious web pages to send requests to the local IP address 0.0.0.0, bypassing intended security measures like CORS and PNA. This loophole has been exploited by attackers to gain unauthorized access to local services on users' machines, a technique possibly in use since the late 2000s. Browser vendors including Google (Chrome), Apple (WebKit/Safari), and Mozilla (Firefox) are implementing fixes to block access to 0.0.0.0, with Google planning a phased fix rollout up to Chrome version 133. Mozilla has not yet implemented PNA and is working on amending the Fetch specification to enhance security, although no immediate fix has been released. The continued existence of this security issue highlights the need for improved security frameworks such as Private Network Access (PNA) to be standardized and enforced. The vulnerability sheds light on the broader issue of local services relying on inaccessibility as their primary security defense, an approach that is flawed and risky.
2024-08-09 05:42:15 thehackernews CYBERCRIME CISA Alerts on Legacy Cisco Feature Exploitation and Vulnerabilities
CISA has identified threat actors exploiting the legacy Cisco Smart Install feature to access system configuration files. CISA has also observed the use of weak password types on Cisco network devices, increasing susceptibility to password-cracking attacks. CISA recommends using type 8 password protection on all Cisco devices to enhance security. Organizations are urged to follow the NSA's advisories on Smart Install Protocol Misuse and Network Infrastructure Security. Best practices suggested include strong hashing algorithms for password storage, the use of complex passwords, and avoidance of password reuse and group accounts. Cisco has reported a critical vulnerability (CVE-2024-20419) in Smart Software Manager On-Prem, allowing attackers to change user passwords remotely. Additional critical vulnerabilities in Small Business SPA300 and SPA500 Series IP Phones could allow attackers to execute commands or cause denial of service. Cisco has announced no software updates for these vulnerabilities because the affected devices have reached end-of-life, and advises users to upgrade to newer models.
2024-08-09 00:34:54 theregister CYBERCRIME Critical Vulnerabilities in Cisco IP Phones Unfixable, Replacement Advised
A security researcher from BAE identified three critical flaws in Cisco's SPA300 and SPA500 series IP phones. The vulnerabilities, rated CVSS 9.8, enable unauthenticated remote attackers to gain root privileges via the web management interface. The issues stem from improper validation of incoming HTTP requests, leading to buffer overflows and potential arbitrary command execution. Two additional vulnerabilities with a CVSS score of 7.8 could cause denial of service but not code execution. Cisco has ceased updates for the affected models due to their end-of-life status, with support fully ending by 2025. Although no exploits have been reported in the wild so far, the lack of future patches increases risk exposure. Organizations using these phone models are advised to consider replacements to mitigate security risks.
2024-08-08 22:32:36 theregister MALWARE Delta Criticizes CrowdStrike for Costly Software Update Failure
CrowdStrike's flawed update to its Falcon system led to over 8 million crashed Windows machines globally. More than 37,000 Delta computers were affected, resulting in approximately 1.3 million disrupted travel plans and over $500 million in losses for Delta. Delta accused CrowdStrike of shifting blame for the IT meltdown and criticized the timeliness and effectiveness of the support offered post-incident. Delta's attorney, David Boies, emphasized the software developer's "grossly negligent" actions in his latest correspondence, highlighting the lack of a staged rollout for the faulty update. The financial impact specified in Delta's SEC filing included $380 million related to flight cancellations and $170 million in non-fuel operational recovery costs. CrowdStrike's CEO's late outreach to Delta was considered "unhelpful and untimely," as critical systems were already restored by then. Delta continues to highlight its significant investment in IT infrastructure and criticizes its dependency on CrowdStrike and Microsoft for prolonged recovery. Delta insists on full disclosure of incident details from CrowdStrike, hinting that the truth will emerge in impending litigation.
2024-08-08 22:22:08 bleepingcomputer NATION STATE ACTIVITY U.S. Cracks Down on North Korean-Run Laptop Farms in Nashville
U.S. authorities have arrested Matthew Isaac Knoot in Nashville for aiding North Korean IT actors in posing as American remote workers. Knoot facilitated the impersonation of a U.S. citizen and set up operations that allowed North Koreans to work remotely for U.S. companies from China. He is charged with several offenses including wire fraud and aggravated identity theft, facing up to 20 years in prison. The fraudulent activities supported North Korea's nuclear program, with individual North Korean workers earning over $250,000. The operation involved unauthorized access to company networks using shipped laptops and installed remote desktop applications. This is part of a broader crackdown called the "DPRK RevGen: Domestic Enabler Initiative" targeting U.S.-based operations aiding North Korean cyber activities. North Korean IT workers are prevalent in Fortune 500 companies, often using sophisticated methods to conceal their identities and location. Another case involved Christina Marie Chapman from Arizona, demonstrating a pattern of North Koreans using stolen identities to infiltrate U.S. companies.
2024-08-08 21:31:02 bleepingcomputer CYBERCRIME Cisco Reports Critical Zero-Days in Discontinued IP Phones
Cisco disclosed five vulnerabilities in the SPA 300 and SPA 500 series IP phones, with three classified as critical. The critical vulnerabilities allow remote code execution with root access via specially crafted HTTP requests. Affected models are end-of-life; Cisco offers no fixes and advises upgrading to newer devices. High-severity flaws could lead to denial of service, impacting device availability. All reported vulnerabilities affect all firmware versions and configurations of the specified models. Cisco's Technology Migration Program provides trade-in options for upgrading to supported models. SPA 300 support ended February 2022, while SPA 500 will be covered until May 2025 under certain conditions. Cisco urges affected users to contact their Technical Assistance Center for guidance on upgrades.
2024-08-08 21:00:17 theregister NATION STATE ACTIVITY Tennessee Man Arrested for Funding North Korean Weapon Programs
Matthew Isaac Knoot from Nashville, Tennessee, was arrested for operating a fraudulent scheme, outsourcing IT jobs to North Korean workers under the guise of being an American employee. Knoot allegedly created a "laptop farm" where laptops sent by U.S. and UK companies were used by North Koreans to remotely perform outsourced jobs, deceiving the companies into believing they were employing a U.S. citizen. This operation generated over $250,000 per job, funneling money through North Korean and Chinese accounts directly to finance North Korea's weapons development programs. The elaborate scheme involved identity theft, using the credentials of an American, Andrew M, allowing North Koreans to pose as U.S. workers and bypass geographical work limitations. The U.S. Department of Justice claims this is part of North Korea's larger strategy of using fraudulent employment to fund its weapons of mass destruction programs. Investigations into the operations led by Knoot and the subsequent required remediation have cost the affected companies in excess of half a million dollars. Knoot faces serious charges including conspiracy to unlawfully employ foreigners and aggravated identity theft, potentially leading to a 20-year prison sentence.
2024-08-08 19:48:35 bleepingcomputer CYBERCRIME CISA Alerts on Multiple Actively Exploited Apache OFBiz Vulnerabilities
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued warnings for two actively exploited vulnerabilities in Apache OFBiz. Apache OFBiz is an open-source ERP system widely used across various industries for business management. CVE-2024-32113, a critical path traversal flaw, was disclosed and has been exploited to execute arbitrary code remotely on affected systems. CVE-2024-38856, another severe vulnerability, allows pre-authentication remote code execution and affects the latest versions of OFBiz. Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities Catalog; affected entities are mandated to update their systems by August 28, 2024, or discontinue use. Comprehensive details of the flaws and proof-of-concept code have been published, intensifying the risk of exploitation by malicious actors. Federal and state organizations must apply the available security updates to mitigate the risks associated with these vulnerabilities.
2024-08-08 19:02:25 bleepingcomputer MALWARE Cisco SSM Vulnerability Allows Unauthorized Admin Access
Cisco has issued a warning about a critical vulnerability, CVE-2024-20419, which affects its Smart Software Manager On-Prem (SSM On-Prem) servers. The vulnerability enables attackers to change user passwords on SSM On-Prem without requiring the current credentials. Attackers can gain elevated privileges by exploiting the flaw through crafted HTTP requests. Despite the availability of exploit code, there is no report of this vulnerability being exploited in the wild as of now. Cisco released patches in July to address this security flaw, and there are no workarounds. This vulnerability poses significant risks, potentially allowing unauthorized access to the web UI or API of the system. Cisco also addressed other severe issues recently, including a critical flaw that could allow attackers to add root-access users and another that was actively exploited to install malware. The advisory followed a CISA warning to disable Cisco's legacy Smart Install feature to prevent attacks and data theft.
2024-08-08 17:25:08 bleepingcomputer CYBERCRIME CISA Alerts on Abuse of Cisco's Obsolete Smart Install Feature
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended disabling the outdated Cisco Smart Install (SMI) feature to thwart hacker exploitation. Recent attacks have seen malicious actors using the Cisco SMI protocol to extract sensitive data, including system configuration files, by exploiting protocol vulnerabilities. Threat groups, notably including the Russian-backed Dragonfly APT, have historically targeted Cisco switches by manipulating the SMI protocol to alter configurations and exfiltrate data. Cisco had previously identified and alerted customers to these vulnerabilities in 2017 and 2018, emphasizing the risk of exposed Internet-facing devices with enabled SMI. Alongside SMI concerns, CISA also addressed weak password protections found in Cisco network devices, urging the use of stronger, NIST-approved password algorithms. Recommendations include adopting robust password protocols, avoiding password reuse, and ensuring passwords are stored using advanced cryptographic methods. CISA advises following NSA guidelines and best practices to enhance network infrastructure security and safeguard against configuration file and password theft.
2024-08-08 16:28:49 bleepingcomputer CYBERCRIME Exploitation of 18-Year-Old Browser Flaw Affects Linux, macOS
An 18-year-old vulnerability known as "0.0.0.0 Day" enables malicious sites to bypass browser security on Linux and macOS, targeting internal network services. Despite being reported in 2008, the flaw remains unpatched in Google Chrome, Mozilla Firefox, and Apple Safari. The vulnerability leverages the "wildcard" IP address 0.0.0.0, allowing external requests to interact with local network services. Existing security measures like CORS and PNA are ineffective against attacks that exploit this vulnerability. Oligo Security has documented multiple active exploitations, including the ShadowRay and Selenium Grid attacks, which manipulate local services and execute arbitrary code. Browsers are now responding, with planned updates to block access to 0.0.0.0 in future browser versions across Chrome, Firefox, and Safari. Developers are advised to implement security measures proactively to protect applications until browser patches are fully implemented.