Daily Brief
Total articles found: 12589
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-10-04 12:08:27 | bleepingcomputer | DATA BREACH | Sony Interactive Entertainment Confirms Major Data Breach | Sony Interactive Entertainment (Sony) has acknowledged a cybersecurity breach affecting around 6,800 individuals. The breach exposed personal information of current and former employees and their family members. The breach resulted from exploitation of a zero-day vulnerability in Sony's MOVEit Transfer platform, which the Clop ransomware gang has leveraged in wider attacks. The intrusion took place on May 28 and was discovered on June 2, when unauthorized downloads were found. The platform was immediately taken offline and the vulnerability has since been remediated. The impact of the incident was limited to the MOVEit Transfer platform, with no effect on other Sony systems; however, sensitive information on 6,791 US individuals was compromised. Recipients of the data breach notification are being offered Equifax credit monitoring and identity restoration services, which can be accessed until February 29, 2024. Sony experienced another security breach last month, resulting in the theft of 3.14GB of data from the company's systems; Sony has confirmed limited security breaches in two different incidents within the last four months. | Details |
| 2023-10-04 11:58:04 | thehackernews | CYBERCRIME | Wing Disrupts SaaS Security Market with Affordable and Essential Security Level Solution | SaaS security provider Wing Security has announced a new tier of security service, designed to cover essential security requirements for businesses and priced at $1,500 a year. The offering includes SaaS security must-haves such as shadow IT discovery, automated vendor risk assessments, and user access reviews for critical business applications. Wing's services allow companies to generate compliance-ready access reports for auditors and contribute towards ISO 27001 and SOC 2 certification. The average employee uses 28 different SaaS applications, with an average of seven new applications introduced to mid-size organizations each month. Wing's new product enables organizations to meet basic security standards even if they cannot invest in a complete Secure Software Portfolio Management (SSPM) solution. While the new tier provides essential security features, it is not intended to be comprehensive, and companies will eventually need to upgrade to a full SSPM solution to secure their SaaS usage completely. | Details |
| 2023-10-04 11:17:01 | thehackernews | CYBERCRIME | Open-Source Rootkit Deployed via Typosquatted npm Packages in Cyber Supply Chain Attack | A deceptive package delivering an open-source rootkit named r77 has been discovered in the npm package registry. This is the first time a rogue package has used rootkit technology. The rogue package, "node-hide-console-windows", mimics a legitimate npm package and is part of a typosquatting campaign; it was downloaded 704 times over two months before it was detected and removed. The package downloads a Discord bot that enables deployment of the r77 rootkit, underscoring how open-source projects can be opportunistically used to distribute malware. The malicious code fetches and automatically runs a C#-based open-source trojan known as DiscordRAT 2.0, which can remotely commandeer a victim host over Discord, collect sensitive data, and disable security software. Two versions of the deceptive package were found to fetch an open-source information stealer known as Blank-Grabber alongside DiscordRAT 2.0, disguised as a "visual code update." The campaign uses components that are freely available online, which requires minimal effort from cybercriminals and shows that even unsophisticated attackers can exploit the supply chain. The findings highlight the need for vigilance among developers when installing packages from open-source repositories: the malicious actors made concerted efforts to make their packages appear trustworthy, which can easily go unnoticed without thorough checks. | Details |
| 2023-10-04 10:20:56 | thehackernews | CYBERCRIME | Microsoft Reports Unsuccessful Cyber Attack Against Azure Virtual Machine's SQL Server Instance | Microsoft's security researchers detailed how attackers unsuccessfully attempted to breach a cloud environment through a SQL Server instance, exploiting a SQL injection vulnerability in an application. The attackers gained access to, and elevated permissions on, a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). They then attempted to move laterally to additional cloud resources by abusing the server's cloud identity, which they assumed might have elevated access that could be used for various malicious actions in the cloud. Microsoft did not find any evidence that the attackers successfully breached cloud resources using this technique. The attackers used the webhook[.]site service for potential data exfiltration, exploiting the fact that outgoing traffic to this service is deemed legitimate and unlikely to be flagged. The attempted attack underscores the increased sophistication of cloud-based attack techniques, with malicious actors constantly searching for over-privileged processes and accounts to use for further malicious activity. Securing cloud identities is crucial to preventing similar risks, as these attacks can severely affect not only the SQL Server instances but also the associated cloud resources. | Details |
| 2023-10-04 07:22:45 | thehackernews | CYBERCRIME | Looney Tunables: New Linux Security Vulnerability Discovered in GNU C Library's Dynamic Loader | A new Linux security vulnerability named Looney Tunables has been found in the GNU C library's dynamic loader. If exploited, the flaw could lead to local privilege escalation and allow an attacker to gain root privileges. The vulnerability, tracked as CVE-2023-4911, is a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. Discovered by cybersecurity firm Qualys, the bug was introduced in a code commit made in April 2021 and affects major Linux distributions including Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. The GNU C library (glibc) is integral to Linux-based systems, and the dynamic loader is responsible for preparing and running programs, which makes the vulnerability significant. Alpine Linux is not affected, as it uses the musl libc library instead of glibc. Red Hat has issued an alert for the vulnerability and offered a temporary mitigation that terminates any setuid program invoked with GLIBC_TUNABLES in its environment. This adds to a growing list of privilege escalation flaws found in Linux in recent years, such as CVE-2021-3156 (Baron Samedit), CVE-2021-3560, CVE-2021-33909 (Sequoia), and CVE-2021-4034 (PwnKit). | Details |
| 2023-10-04 01:31:59 | theregister | CYBERCRIME | TorchServe Users Urged to Upgrade Due to Security Flaws Enabling Server Takeover and RCE | Security researchers have identified three vulnerabilities, collectively known as "ShellTorch," affecting TorchServe, an open-source tool for serving PyTorch machine learning models. Software bill of materials (SBOM) management firm Oligo Security reveals that these flaws left "tens of thousands of exposed instances" susceptible to server takeover and remote code execution (RCE). Meta, the maintaining firm, has downplayed the issues and confirmed their resolution, advising developers to use the latest version of TorchServe. Amazon, co-manager of the open-source project, echoed Meta's advice, noting that an update to TorchServe version 0.8.2 had addressed the issues. Customers using AWS PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 through EC2, EKS, or ECS are recommended to update to TorchServe version 0.8.2. Despite no sign of actual ShellTorch exploitation, Oligo's CEO warned that an attack could be carried out with only basic knowledge of TorchServe and its configuration. Oligo also suggested changing the management console's default settings to block remote access and updating allowed_urls in the config.properties file so that models are fetched only from trusted domains. | Details |
| 2023-10-03 23:50:19 | theregister | MISCELLANEOUS | FTX Ex-CEO Begins Court Battle Against US Government and Sues Insurance Company | The trial of former FTX CEO Sam Bankman-Fried began in New York. The ex-cryptocurrency tycoon is accused of diverting billions of dollars of customer funds for personal use before the company's collapse. Bankman-Fried has also filed a lawsuit against his insurance company, Continental Casualty Company (CNA), claiming that it has not adhered to the terms of an insurance policy that is supposed to cover his legal defense costs. FTX, now overseen by liquidators, has filed for bankruptcy protection while customers demand their money back. Bankman-Fried denies any wrongdoing. Previously, federal prosecutors brought an eight-count indictment for fraud, money laundering, and campaign finance offenses against Bankman-Fried. Five additional charges were later added, and six of the total 13 counts were moved to a second criminal trial slated to start in March 2024. Four former FTX associates, including co-founder Gary Wang and former Alameda Research co-CEO Caroline Ellison, have pleaded guilty in related cases, and some are expected to testify against Bankman-Fried as the trial progresses. | Details |
| 2023-10-03 20:37:11 | bleepingcomputer | MALWARE | New 'Looney Tunables' Linux Bug Allows Hackers to Gain Root Access | A new Linux vulnerability called 'Looney Tunables' has been identified that enables attackers to gain root access on major distributions such as Fedora, Ubuntu, and Debian. The bug is a buffer overflow in the GNU C Library's ld.so dynamic loader, a core component of most Linux-based systems. The vulnerability was discovered by the Qualys Threat Research Unit, which has withheld the exploit code but has highlighted how easily the buffer overflow can be turned into a working attack. The vulnerability is triggered by the processing of the GLIBC_TUNABLES environment variable in default installations of certain distributions; Alpine Linux is unaffected, as it uses musl libc. Attackers need only low privileges to exploit this vulnerability and do not require user interaction. The researchers have urged system administrators to patch the flaw swiftly to ensure system integrity and security. This is not the first high-severity Linux security flaw that Qualys researchers have discovered; previous ones also allowed attackers to gain root privileges in default configurations of many Linux distributions. | Details |
| 2023-10-03 18:44:43 | bleepingcomputer | CYBERCRIME | Google Announces Stricter Sender Guidelines to Improve Email Security | Google will implement stricter sender guidelines starting February 1, 2024, designed to strengthen email security against phishing and malware attacks. The new guidelines will require senders of more than 5,000 emails daily to Gmail users to set up SPF/DKIM and DMARC email authentication for their domains. In addition, the new rules enforce lower spam thresholds, require an option for Gmail users to unsubscribe from commercial messages in a single click, and require unsubscribe requests to be honored within two days. Google's update is intended to protect users from email spoofing and phishing; non-compliance may lead to email delivery issues because of the enforced DMARC quarantine policy. Google indicated that its AI-driven systems block more than 99.9% of spam, phishing, and malware, equivalent to nearly 15 billion unwanted emails every day. Google further explained that if senders do not meet the stipulated requirements, their emails could be marked as spam or not delivered as expected. | Details |
| 2023-10-03 18:13:54 | bleepingcomputer | CYBERCRIME | Google October 2023 Android Security Update Fixes Two Active Exploits | Google's latest security update for Android addresses two actively exploited flaws and 52 other vulnerabilities. The two actively exploited flaws are CVE-2023-4863, a buffer overflow vulnerability in libwebp, and CVE-2023-4211, a use-after-free memory issue in Arm Mali GPU drivers. CVE-2023-4863 affects many software products, including Chrome, Firefox, iOS, and Microsoft Teams. Separate CVEs were initially assigned for Apple iOS and Google Chrome in error, since the flaw actually lies in the underlying library; a new CVE for the issue was assigned but subsequently rejected. Many Android models could be affected by CVE-2023-4211, and successful exploitation could enable attackers to locally access or manipulate sensitive data. The update uses a dual patch system in which patches for core components are released first, followed by patches for kernels and closed-source components. Upgrading older versions of Android is recommended because of potential vulnerabilities; Android 10 and older versions are no longer supported. | Details |
| 2023-10-03 16:41:19 | thehackernews | MALWARE | Qualcomm Patches 17 Vulnerabilities including Zero-Days Under Active Exploitation | Qualcomm has released a security update fixing 17 vulnerabilities, including several that are under active exploitation. Of the 17, three are rated critical, 13 are rated high, and one is rated medium in severity. According to Google's Threat Analysis Group, four of the flaws (CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063) may be under targeted exploitation. The company has issued patches for its Adreno GPU and Compute DSP drivers, and Original Equipment Manufacturers (OEMs) have been strongly advised to apply these security updates as quickly as possible. CVE-2022-22071, a use-after-free in the Automotive OS Platform, was first patched by Qualcomm in its May 2022 updates. Further details on the remaining vulnerabilities will be made public in 2023. Alongside Qualcomm's security measures, Arm has also released patches for a security flaw in the Mali GPU kernel driver that has seen limited, targeted exploitation. | Details |
| 2023-10-03 16:41:19 | bleepingcomputer | CYBERCRIME | ShellTorch Vulnerabilities Expose AI Servers to Code Execution Attacks | Researchers have identified critical vulnerabilities, known as 'ShellTorch,' in the open-source TorchServe AI model-serving tool, exposing thousands of internet-facing servers, including those of large corporations. The TorchServe tool, maintained by Meta and Amazon, is used extensively in AI model training and development by a range of entities, including key tech firms such as Amazon, OpenAI, Tesla, Azure, Google, and Intel. The ShellTorch vulnerabilities lead to unauthorized server access and remote code execution (RCE) on susceptible instances. The set comprises three flaws: two can allow remote code execution, and the third is an unauthenticated management interface API misconfiguration. Tens of thousands of IP addresses are potentially exposed to ShellTorch attacks, some of which belong to globally recognized organizations. The researchers recommend upgrading to TorchServe 0.8.2 to mitigate the vulnerabilities and emphasize the importance of fetching models only from trusted domains. While the upgrade does not fix one of the vulnerabilities (CVE-2023-43654), it does warn the user about the Server-Side Request Forgery (SSRF) issue. Oligo has released a free tool to help administrators determine whether their instances are vulnerable to the identified attacks. | Details |
| 2023-10-03 16:30:43 | thehackernews | CYBERCRIME | Multiple Critical Security Flaws Discovered in PyTorch Models, Affect Large Companies and End Users | Critical security flaws have been discovered in the TorchServe tool for serving and scaling PyTorch models, which could lead to remote code execution (RCE) on affected systems. The vulnerabilities, dubbed ShellTorch, were disclosed by Israel-based runtime application security company Oligo and can leave a large number of services and end users vulnerable to unauthorized access and potential full server takeover. The flaws allow attackers to upload a malicious model from an address they control, enabling arbitrary code execution without any authentication on any default TorchServe server. The vulnerabilities could be chained with CVE-2022-1471, opening the way to code execution and full takeover of exposed instances. Amazon Web Services (AWS) has issued an advisory urging customers using PyTorch inference Deep Learning Containers (DLC) 1.13.1, 2.0.0, or 2.0.1 in EC2, EKS, or ECS released prior to September 11, 2023, to update to TorchServe version 0.8.2. By exploiting these vulnerabilities, attackers can view, modify, steal, and delete AI models and sensitive data flowing to and from the target TorchServe server, undermining the credibility of the application. | Details |
| 2023-10-03 15:34:17 | bleepingcomputer | CYBERCRIME | Qualcomm Announces Active Exploitation of Three Zero-day Security Flaws in its GPU, DSP Drivers | Qualcomm has disclosed three zero-day vulnerabilities in its GPU and Compute DSP drivers that are currently being exploited. Google's Threat Analysis Group (TAG) and Project Zero teams reported possible limited, targeted exploitation of the vulnerabilities CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063. Qualcomm has already issued security updates addressing these issues, and affected OEMs have been notified. CVE-2022-22071 was disclosed in May 2022; it is a high-severity, locally exploitable flaw that affects popular chips such as the SD855, SD865 5G, and SD888 5G. More information on the exploitation of CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 will be provided in Qualcomm's December 2023 bulletin. Qualcomm has also disclosed 13 high-severity and three critical-severity flaws, the latter remotely exploitable; however, there is no evidence that these have been exploited. While consumers await updates, Qualcomm advises Android device owners to limit the number of applications they download and to source them strictly from trustworthy repositories. Yesterday, Arm released a similar advisory warning of an actively exploited flaw in a range of its Mali GPU drivers. | Details |
| 2023-10-03 15:03:23 | thehackernews | MALWARE | Counterfeit npm Packages Discovered Stealing Sensitive Developer Data | Around three dozen counterfeit packages designed to extract sensitive data from developers' systems have been found in the npm package repository. The discovery was made by Fortinet FortiGuard Labs. One set of packages, namely @expue/webpack, @expue/core, @expue/vue3-renderer, @fixedwidthtable/fixedwidthtable, and @virtualsearchtable/virtualsearchtable, contains an obfuscated JavaScript file capable of collecting secrets such as Kubernetes configurations, SSH keys, and system metadata. Four other modules exfiltrate source code and configuration files, which could hold intellectual property and sensitive credentials; this information is archived and uploaded to an FTP server. Some packages have been seen using a Discord webhook to exfiltrate sensitive data, while others download and execute a potentially harmful executable file from a URL. One package, @cima/prism-utils, uses an install script to disable TLS certificate validation, leaving connections open to adversary-in-the-middle (AitM) attacks. The company categorised the identified modules into nine groups based on code similarities and functions, and recommends that users be wary of packages that use suspicious install scripts. | Details |