New Kimsuky technique, KDE Linux warning, Atlassian critical flaws
Kimsuky turns to compiled HTML Help files for cyberattacks
According to security firm Rapid7, the North Korea-linked threat actor is now using Compiled HTML Help (CHM) files to deliver malware that steals sensitive data. CHM files were designed to package help documentation, but they are useful for distributing malware because they can execute JavaScript when opened.
KDE issues warning after theme wipes Linux user’s files
KDE, the international team that develops and distributes applications for Linux and other platforms, is warning users to exercise extreme caution when installing global themes, even from the official KDE Store, because these themes run arbitrary code on the device to customize the desktop’s appearance. According to BleepingComputer, the KDE Store currently allows anyone to upload new themes and various other plugins or add-ons without any checks for malicious behavior. KDE says this is because it lacks the resources to review the code in each global theme submitted for inclusion in its official store.
Critical flaw in Atlassian Bamboo data center and server must be fixed immediately
Atlassian has addressed numerous vulnerabilities in its Bamboo, Bitbucket, Confluence, and Jira products. The most severe of these, tracked as CVE-2024-1597 with a CVSS score of 10, is an SQL injection flaw in a third-party dependency of Bamboo Data Center and Server. According to its advisory, this flaw could allow an unauthenticated attacker to “expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction.” A link to the Atlassian report is available in the show notes to this episode.
(Atlassian)
Top Democrat proposes cybersecurity standards following Change Healthcare attack
Mark Warner, the Democratic senator for Virginia, proposed a bill last Friday in the Senate that would “allow health care providers who suffer cyberattacks to qualify for advanced and accelerated payments through government programs so long as they and their vendors met minimum cybersecurity standards.” This bill comes as a follow-up to the attack on Change Healthcare, whose technology affects one in every three American patient records. However, according to experts speaking to Cyberscoop, implementing mandatory minimum cybersecurity standards will be difficult, and major groups, including the American Hospital Association, have said they would oppose such proposals.
(Cyberscoop)
Huge thanks to this week’s episode sponsor, Varonis
Pwn2Own Vancouver 2024 concludes with 29 zero-days
Participants in this year’s hacking competition earned $1.1 million for demonstrating 29 unique zero-days. On day one, Team Synacktiv successfully demonstrated exploits against a Tesla car. Researcher Manfred Paul won Master of Pwn, earning $202,500 and 25 points. Other products against which zero-days were exploited were the Apple Safari, Google Chrome, and Microsoft Edge browsers, Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox and, of course, Tesla. Vendors have 90 days to address the vulnerabilities exploited by the participants during the Pwn2Own competition before Trend Micro’s Zero Day Initiative publicly discloses the issues.
U.S. Government releases new DDoS attack guidance for public sector
This joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights the three main types of DDoS attacks that public sector entities must be prepared for, which it lists as volume-based attacks, protocol-based attacks, and application layer-based attacks. The document also provides tips for preventing DDoS incidents, and techniques for response and recovery.
(InfoSecurity Magazine and CISA)
Vulnerability in Apple Silicon M-series chips can’t be patched
Academic researchers from a number of U.S. universities jointly discovered a vulnerability that “allows hackers to gain access to secret encryption keys on Apple computers with Apple’s new Silicon M-Series chipset. This includes the M1, M2, and M3 Apple MacBook and Mac computer models.” The vulnerability lies in the chips’ prefetchers, which predictively retrieve data before it is requested in order to increase processing speed, but which in doing so leave an opening for attack. The researchers have named the attack GoFetch, and they say it is unpatchable because the issue lies in the architecture of the chip itself. A link to the research report is available in the show notes to this episode.
(Mashable and GoFetch paper)
Biden assigns cyber policy veteran to new Pentagon post
President Joe Biden announced on Thursday his intention to nominate Michael Sulmeyer, the U.S. Army’s principal cyber advisor, to become the Pentagon’s first digital policy chief. Sulmeyer has served in various senior roles at the National Security Council, U.S. Cyber Command, and the National Security Agency. According to a White House statement, Sulmeyer is currently responsible for advising Army Secretary Christine E. Wormuth “on all cyber matters, including issues of readiness, capabilities, and strategy.” Prior to that he was the head of the Cybersecurity Project at the Harvard Kennedy School’s Belfer Center for Science and International Affairs.
(The Record)