News
Hi folks!
I hope you all had a wonderful week, and that you get to kick butt on this Friday. And I hope that you get a few minutes of peace, quiet and a coffee to go through this week's issue :-) Enjoy!
Breaches and leaks
- Bing had a misconfiguration that allowed for manipulation of search results and XSS injection: link.
- GitHub had their private RSA SSH key briefly exposed and had to generate a new one: link and interesting HN thread.
- Procter & Gamble fell victim to a ransomware attack through the GoAnywhere vulnerability: link.
- So did Crown Resorts, an Australian gambling and entertainment company: link.
- Twitter had source code of theirs posted to GitHub, presumably by a disgruntled employee: link.
- ChatGPT had an issue where some users might have seen titles and first sentences of other users' chat history: link.
- Latitude, an Australian financial company, was breached through compromised employee credentials. The last update has the number of impacted customers at 14 million: link.
- Sun Pharma, an Indian pharmaceutical company, suffered a ransomware attack: link.
Microsoft brings GPT-4-powered Security Copilot to incident response
From the article: "Security Copilot answers defenders' security-related questions via a ChatGPT-like interface and continuously learns from these interactions to adapt to each enterprise environment to advise them on the best course of action." Not quite at the Jarvis level yet, and they admit that it can make very GPT-esque mistakes, but colour me very intrigued nonetheless. The first video in the article is worth watching; it gives a good preview and it's only three minutes. You can skip the second video though.
Exchange Online to block emails from vulnerable on-prem servers
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. Very interesting approach. I like it.
3CX automatic updates backdoored
I never heard of 3CX before; apparently it's used for video conferencing and the like by over 12 million users. In a very SolarWinds-like attack, the automatic updates have been compromised by malware, probably by a North Korean state actor. If you use this software, drop everything and get on this.
Biden kind of mostly bans commercial spyware from US govt
Biden issued an executive order that bans spyware usage from the US government, sort of. It's certainly a great start, but I would hold off on the confetti.
GitHub releases SBOM feature
GitHub now gives you the ability to download a software bill of materials (SBOM) for any repository that you have read access to. The resulting JSON file holds your project dependencies and metadata, like versions and licenses, which can then be used with other security and compliance tools.
MITRE rolls out supply chain security prototype
I missed this last week, but it seems that MITRE is quietly rolling out their System of Trust application, a framework to assess supply chain risk. The article explains what it does in a pretty good way. The MITRE SoT page is here.
Inaudible ultrasound attack can stealthily control your phone or smart speaker
This is a very cool type of attack called "Near-Ultrasound Inaudible Trojan" (NUIT) attack, developed by American university researchers. They embed a voice command for digital assistants (think Siri or Alexa) at a frequency that we can't hear, but the devices can. They can then ask the assistant to, for example, open a door, unlock the car or visit a malicious website.
Apple fixes recently disclosed WebKit zero-day on older iPhones
This is worth reporting on just because of how great it is that this happens. The fix is ported back as far as iPhone 6s, SE 1st generation, and even the last iPod Touch (7th gen). Well done, Apple.
WiFi protocol flaw allows attackers to hijack network traffic
Probably not super-exploitable as it gets largely mitigated by TLS, but very interesting research nonetheless. It has to do with forcing an access point to buffer frames by making it think that the spoofed device went into sleep mode, and then triggering a transmit where the attacker can choose the encryption settings. I think. This stuff gets complicated fast. The article does a great job of explaining it though.
Passkeys instead of passwords
Our industry is trying to completely remove phishing as a threat by using passkeys, and it has me pretty excited. Check out this article to learn more about how they work and how it applies to 1Password going forward. (Sponsored)