FBI Director’s warning, Apple flaw warning, Pentagon supplier breach


FBI director warns of Chinese hacker threat to U.S. critical infrastructure

Appearing before the House Select Committee on the Chinese Communist Party on Wednesday, FBI Director Christopher Wray issued stark warnings about the increasing threat of Chinese cyberattacks against U.S. electrical grids and other infrastructure, stating there has been “far too little public focus” on the issue. Citing Volt Typhoon as an example, Wray stated that it “enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors.”

(NBC News)

CISA warns of exploited Apple flaw

This is a high-severity flaw affecting iOS, iPadOS, macOS, tvOS, and watchOS, tracked as CVE-2022-48618 (CVSS score: 7.8). CISA added it to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Patches for this flaw were originally released in December 2022, hence the CVE number, but it was only publicly disclosed on January 9 of this year. “An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication,” Apple has stated.

(The Hacker News)

Pentagon Intelligence supplier allegedly hacked

ALPHV, also known as BlackCat, said on Tuesday that they had stolen, and threatened to leak, 300 gigabytes of data from Technica, a Virginia-based IT services company that describes itself as working with the federal government on background investigations. As posted at Cyberscoop, “by allegedly breaching Technica, ALPHV claimed to have obtained data related to the Defense Counterintelligence and Security Agency, which carries out background investigations and insider threat analyses…To back up its claim, ALPHV posted more than two dozen screenshots of purportedly stolen documents featuring the names, social security numbers, clearance levels and roles and work locations of dozens of people.”

(Cyberscoop)

Windows Event Log zero-day flaw gets unofficial patches

Free unofficial patches are being made available for a zero-day vulnerability discovered by a security researcher known as Florian. The flaw, named EventLogCrasher, lets attackers “remotely crash the Event Log service on devices within the same Windows domain.” According to Bleeping Computer, “This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022.” Microsoft says the reason for the release of an unofficial patch is that it’s a duplicate of a 2022 bug that didn’t meet the requirements for servicing.

(Bleeping Computer)

Huge thanks to this week’s episode sponsor, Vanta

Google Bazel Command Injection Threat

One of Google’s premier open-source products, Bazel, which is used for the automation of building and testing software, has been found to have a supply-chain vulnerability, specifically “a command injection vulnerability in a dependent GitHub Actions workflow, potentially allowing malicious actors to insert harmful code into Bazel’s codebase.” Researchers at Cycode warn that this could “affect millions of projects and users on various platforms, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia and Google itself.” Cycode alerted Google on November 1 and fixes were deployed by December 5.

(InfoSecurity Magazine)

Canadian Government branch suffers data breach

Global Affairs Canada, a branch of the Canadian federal government that includes the Canadian trade and foreign ministries, said in a statement dated January 30 that it “activated an unplanned IT outage on Jan. 24 to address the discovery of malicious cyber activity.” The notice stated that the “compromised” system was the virtual private network (VPN) staff use to access the department’s Ottawa headquarters. “Early results indicate there has been a data breach and that there has been unauthorized access to personal information of users including employees,” the statement said.

(Reuters and CBC News)

Founder of Ripple cryptocurrency claims multimillion dollar theft

The theft was discovered by blockchain security expert ZachXBT, who saw 213 million XRP Ripple coins being shifted through Binance, Kraken, and other platforms. Ripple co-founder and executive chair Chris Larsen has denied that Ripple itself had been hacked, pointing instead to unauthorized access to some of his personal accounts and saying that no Ripple wallets had been compromised.

(The Record)

HTTP request smuggling and HTTP/2 downgrading – they are both a thing

Love Andrén, Junior Application Security Auditor at Swedish cybersecurity firm Outpost24, has posted a blog on two threats, HTTP request smuggling and HTTP/2 downgrading. The former is “a security vulnerability that arises from a disparity between the front-end and back-end systems in how they handle the size of a message’s body,” which “malicious actors can exploit … to ‘smuggle’ their own requests into the back-end”; the latter is similar, in that the differing behaviors of HTTP/2 and HTTP/1 open up smuggling opportunities when a front-end downgrades requests. A link to Andrén’s report is available in the show notes to this episode.

(Outpost24)
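As an added illustration of the body-length disparity Andrén describes (this is example code, not from the Outpost24 post), the following Python checks whether an HTTP/1.1 request has exactly one unambiguous body framing and rejects the header combinations that a front-end and a back-end could read differently; the sample requests and host names are constructed.

```python
import re
from typing import List, Optional, Tuple

class FramingError(ValueError):
    """The request's body length cannot be determined unambiguously."""

def parse_head(raw: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.1 request into (headers, body), strict about field syntax."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # RFC 9112 forbids whitespace between field name and colon; tolerating
        # it is one way two hops end up seeing different headers
        if not sep or not name or name != name.strip():
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return headers, body

def body_length(raw: bytes) -> Optional[int]:
    """Return the body length, None for a well-formed chunked body, or raise."""
    headers, _ = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        # RFC 9112 section 6.1: the two framings disagree by construction; reject
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:  # accept exactly "chunked", never guess
            raise FramingError(f"unsupported Transfer-Encoding: {te!r}")
        return None
    if cl:
        values = {c.strip() for v in cl for c in v.split(",")}
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", next(iter(values))):
            raise FramingError(f"conflicting or invalid Content-Length: {cl!r}")
        return int(values.pop())
    return 0  # no body

def is_acceptable(raw: bytes) -> bool:
    try:  # True if the request has exactly one valid body framing
        body_length(raw)
        return True
    except FramingError:
        return False

if __name__ == "__main__":
    # Constructed sample requests (not real traffic): one clean, one ambiguous.
    clean = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
    both = b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
    print(body_length(clean), is_acceptable(both))  # 5 False
```

A front-end that applies these rules before forwarding leaves the back-end no second interpretation to disagree with.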

Absolutely essential read, thank you for sharing! As Bruce Schneier wisely said, "The only security is the belief in no security." Staying informed is our first line of defense in the ever-evolving domain of cybersecurity. Keep up the great work! #KnowledgeIsPower
