Tuesday 3rd July 2024
Good morning everyone, thank you for joining me for today's installment of Cyber Daily. If you’ve ever wanted to channel your inner hacker, now's your chance with Google's latest bug bounty contest. We dive into the CocoaPods vulnerability rocking the Apple ecosystem and the latest cyberespionage exploit targeting Cisco's NX-OS software. Grab your coffee and let’s get into it.
CocoaPods Supply Chain Scare
Heads up, Apple developers! CocoaPods, the popular dependency manager for Swift and Objective-C, has been vulnerable to supply chain attacks for almost a decade. Security firm EVA Information Security revealed that thousands of unclaimed "Pods" were open to hijacking, leading to potential security risks for millions of iOS and macOS apps.
Back in 2014, CocoaPods migrated dependencies to a new server, resetting authorship and leaving some Pods orphaned and easily claimable by anyone with a simple curl request. This issue, now known as CVE-2024-38368, has a critical CVSS score of 9.3, reflecting its high risk due to the large number of potentially affected apps, including those from major companies like Meta, Apple, and Microsoft.
EVA also uncovered two other vulnerabilities: CVE-2024-38366 (CVSS 10.0) enabling remote code execution on the Trunk server, and CVE-2024-38367 (CVSS 8.2) allowing session token theft via email scanning services.
Although there’s no evidence these flaws have been exploited in the wild, the CocoaPods team has patched them. Developers are urged to review and update their dependencies to ensure their apps are secure.
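A practical first step in that review is to inventory which of your pods are resolved from the public Trunk index and whether each one still has a registered owner, since only Trunk-indexed pods were exposed to the orphaned-claim problem described above. The script below is an added example written for this post, not code from EVA or the CocoaPods project: it parses a Podfile.lock, separates Trunk pods from git/path/private-spec pods, and flags any Trunk pod whose owner list is empty. The lockfile and the owner data are constructed samples (`ExampleNetworking` is a hypothetical orphaned pod); the live lookup assumes the Trunk API path `/api/v1/pods/<name>` returns a JSON `owners` array, which you should confirm against the current Trunk documentation before relying on it.

```python
"""Audit a Podfile.lock for Trunk-hosted pods that list no owners."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample lockfile; not a real project's Podfile.lock.
SAMPLE_PODFILE_LOCK = """PODS:
  - Alamofire (5.9.1)
  - ExampleNetworking (2.0.3):
    - ExampleNetworking/Core (= 2.0.3)
  - ExampleNetworking/Core (2.0.3)
  - InternalAnalytics (1.4.0)

DEPENDENCIES:
  - Alamofire (~> 5.9)
  - ExampleNetworking
  - InternalAnalytics (from `git@example.invalid:mobile/analytics.git`)

SPEC REPOS:
  trunk:
    - Alamofire
    - ExampleNetworking

EXTERNAL SOURCES:
  InternalAnalytics:
    :git: git@example.invalid:mobile/analytics.git

COCOAPODS: 1.15.2
"""

# Constructed owner data standing in for Trunk responses. ExampleNetworking is
# the hypothetical orphaned pod: indexed on Trunk but with nobody owning it.
SAMPLE_OWNERS: Dict[str, List[str]] = {
    "Alamofire": ["maintainer@example.invalid"],
    "ExampleNetworking": [],
}

# Top-level "  - Name (1.2.3)" or "  - Name/Subspec (1.2.3)" lines under PODS:
POD_LINE = re.compile(r"^  - ([^\s/(]+)(?:/[^\s(]+)? \(([^)]+)\)")


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {root pod name: resolved version} from the PODS: section."""
    pods: Dict[str, str] = {}
    in_pods = False
    for line in text.splitlines():
        if line == "PODS:":
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section
        m = POD_LINE.match(line) if in_pods else None
        if m:
            pods.setdefault(m.group(1), m.group(2))  # subspecs fold into root
    return pods


def trunk_pods(text: str) -> List[str]:
    """Pod names listed under 'SPEC REPOS: trunk:', i.e. resolved from Trunk."""
    names: List[str] = []
    in_repos = in_trunk = False
    for line in text.splitlines():
        if line == "SPEC REPOS:":
            in_repos = True
            continue
        if in_repos and line and not line.startswith(" "):
            break
        if in_repos and line.startswith("  ") and not line.startswith("    "):
            in_trunk = line.strip() == "trunk:"  # other repo keys are private specs
        elif in_repos and in_trunk and line.startswith("    - "):
            names.append(line.strip()[2:])
    return names


def trunk_owners_live(name: str, timeout: float = 10.0) -> Optional[List[str]]:
    """Fetch owner e-mails from Trunk. Endpoint path is assumed, not verified."""
    url = f"https://trunk.cocoapods.org/api/v1/pods/{name}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            data = json.load(resp)
    except (urllib.error.URLError, ValueError):
        return None  # unreachable or unparseable: report as unknown, not safe
    return [o.get("email", "") for o in data.get("owners", [])]


def audit(text: str, lookup: Callable[[str], Optional[List[str]]]) -> List[dict]:
    """Classify each Trunk-hosted pod as ok / unclaimed / unknown."""
    pods = parse_lockfile(text)
    public = set(trunk_pods(text))
    findings = []
    for name, version in sorted(pods.items()):
        if name not in public:
            continue  # git/path/private-spec pods are not claimable via Trunk
        owners = lookup(name)
        status = "unknown" if owners is None else ("unclaimed" if not owners else "ok")
        findings.append({"pod": name, "version": version,
                         "status": status, "owners": owners or []})
    return findings


if __name__ == "__main__":
    # Offline run against the constructed data; swap in trunk_owners_live
    # to query Trunk for a real lockfile.
    for f in audit(SAMPLE_PODFILE_LOCK, SAMPLE_OWNERS.get):
        print(f"{f['status']:9} {f['pod']} {f['version']} owners={f['owners']}")
```

Treat "unknown" as a finding too: a lookup failure should block a release check rather than pass silently, and pods resolved from a private spec repo or pinned git commit are skipped here precisely because their trust chain does not run through Trunk.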
This incident underscores the importance of scrutinizing open-source dependencies and maintaining up-to-date security practices to safeguard against supply chain attacks.
Cisco Patches NX-OS Zero-Day Exploited by Chinese Hackers
Cisco has rolled out patches for a medium-severity zero-day vulnerability in its NX-OS software, actively exploited by the Chinese cyberespionage group Velvet Ant. The flaw, tracked as CVE-2024-20399 with a CVSS score of 6, affects the command line interface of NX-OS, allowing local attackers to execute commands with root privileges.
The details:
Impact:
Velvet Ant has a history of using outdated F5 BIG-IP appliances for command-and-control operations, remaining undetected while exfiltrating sensitive data. The group's recent tactics include exploiting this NX-OS vulnerability to deploy malware, remotely connect to devices, and execute additional code.
Mitigation:
Despite the difficulty in exploiting this vulnerability, persistent and sophisticated actors like Velvet Ant highlight the need for robust security measures to protect network appliances from being compromised.
Google Offers $250K for VM Hypervisor Bug Bounty
Got skills in cybersecurity? Google’s latest bug bounty program could net you up to $250,000. The tech giant has launched a new capture-the-flag contest, "kvmCTF," inviting researchers to find zero-day vulnerabilities in the Kernel-based Virtual Machine (KVM) hypervisor.
What's at stake?
Participants book time slots to log into a guest VM running on a bare metal host and attempt a guest-to-host attack. The challenge is to exploit a zero-day vulnerability in the KVM subsystem of the host kernel. Vulnerabilities in the QEMU emulator or relying on host-to-KVM techniques aren’t covered.
KVM, an open-source project included in mainline Linux since 2007, allows devices to run multiple VMs with hardware emulation. Google uses KVM in its Android and Google Cloud platforms, so ensuring its security is crucial.
The contest kicked off on June 27, and participants can find all the rules and details in the Google Security blog entry. So far, no submissions have been received, making now the perfect time to showcase your hacking prowess and potentially claim a hefty reward.
8 months · You taking that $250k challenge?