A little later in the day than usual, but hopefully no less interesting :-) I hope you enjoy the read.
It's my pleasure to welcome a new sponsor, Escape. They are an awesome looking API inventory and security company, make sure to check them out. Thank you, Escape, for supporting this humble newsletter.
Have a wonderful weekend everyone!
The Lumma malware package is promoting a new feature that would allow you to restore expired Google cookies, which can be used to hijack Google accounts. That would be a pretty serious vulnerability. They do say that the restoration will only work once, but still. No comment from Google yet. Fun detail: it's only available to Lumma users in the "Corporate" tier, at $1,000/month, because that's how malware works these days.
CISA and the FBI released an advisory warning companies, again, about the Citrix Bleed vulnerability. Thousands of organisations are still vulnerable, and the LockBit ransomware group are actively exploiting the issue. As a reminder, Citrix Bleed refers to a remote-code execution vulnerability within Citrix NetScaler devices. After installing the patch you have to make sure to remove all previous user sessions as well.
Researchers analysed all the code committed to PyPI packages and surfaced thousands of hardcoded credentials. Anything from SSH keys to Azure AD (I'm sorry, Entra) API keys. To be specific, 3,938 unique secrets were found, of which 768 were still valid.
If you think doing a quick pentest every few quarters isn't enough, you are correct. GlitchSecure combines continuous vulnerability assessments with real-time pentesting - all verified by highly skilled (and wonderful) humans in a user-friendly platform. (Sponsored)
Interesting read on how security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops.
Disgusting. He disrupted phone and printer services, and stole the personal information of more than 200 patients from a mammogram machine, all to boost his company's business.
It can't be easy to come up with a comprehensive cybersecurity plan for an organisation of such size and complexity, and apparently this one was way overdue. You can view the document itself here. (pdf)
Well that didn't take long. Recently, Australia was one of the countries that pledged to ban ransomware payments. Instead, they plan to implement a mandatory reporting obligation. Again, not an easy issue, I'm not at all sure what I would decide if it were up to me. Which, fortunately for everyone involved, it isn't.
A team of researchers demonstrated that it's possible, under certain conditions, for passive network attackers to retrieve secret RSA keys from naturally occurring errors during SSH connection attempts. This problem was known in older TLS versions, but SSH was previously assumed safe. It doesn't seem like a practical attack, but interesting research nonetheless.
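As an added illustration (not from the newsletter or the paper it links to), here is the textbook mechanism behind that result, RSA-CRT fault leakage, beside the signer self-check that keeps a faulty signature from ever leaving the host. The primes, the message and the single-bit fault are constructed toy values; the helper names are mine.

```python
from math import gcd
from hashlib import sha256
from typing import Optional

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def hash_msg(msg: bytes) -> int:
    # Truncate to 224 bits so the integer is below our 234-bit toy modulus.
    return int.from_bytes(sha256(msg).digest()[:28], "big")

def crt_sign(m: int, fault: bool = False) -> int:
    """RSA-CRT signing; `fault` simulates an error corrupting only the mod-q half."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault:
        sq ^= 1  # one flipped bit: the kind of "naturally occurring error" the paper relies on
    h = (pow(Q, -1, P) * (sp - sq)) % P   # Garner recombination
    return (sq + h * Q) % N

def safe_sign(m: int, fault: bool = False) -> int:
    """Hardened signer: verify with the public key before releasing the signature."""
    s = crt_sign(m, fault)
    if pow(s, E, N) != m:
        raise RuntimeError("signature self-check failed; not emitting it")
    return s

def factor_from_faulty_signature(m: int, s: int) -> Optional[int]:
    """Lenstra's observation: a signature correct mod p but wrong mod q shares the factor p with N."""
    f = gcd((pow(s, E, N) - m) % N, N)
    return f if 1 < f < N else None

if __name__ == "__main__":
    m = hash_msg(b"constructed test message")
    print("good signature leaks:", factor_from_faulty_signature(m, crt_sign(m)))
    print("faulty signature leaks p:", factor_from_faulty_signature(m, crt_sign(m, fault=True)) == P)
    try:
        safe_sign(m, fault=True)
    except RuntimeError as err:
        print("hardened signer:", err)
```

The self-check costs one public-key exponentiation per signature, which is why it is the standard mitigation in mature TLS and SSH stacks.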
The sales-ness of the video is a bit cringe, of course, but I found it very cool to see how Copilot might be used to assist in security investigations. The most interesting bit begins around minute 7, where they look at a specific use case of a compromised user account.
Feeling overwhelmed trying to understand your organization's attack surface and biggest security gaps? No worries! Join security expert James Berthoty and Escape's CEO, Tristan Kalos, as they share practical insights on establishing a strong security foundation for your products. (Sponsored)
Breaches and leaks
- Yamaha Motor confirms ransomware attack on Philippines subsidiary: link.
- Open-source Blender project battling DDoS attacks since Saturday: link.
- Lazarus hackers breach CyberLink in supply chain attack: link.
- Welltok data breach exposes data of 8.5 million US patients: link.
- Kansas courts confirm data theft, ransom demand after cyberattack: link.
- Canadian government discloses data breach after contractor hacks: link.
- Hacktivists breach U.S. nuclear research lab, steal employee data: link.
- Auto parts giant AutoZone warns of MOVEit data breach: link.
- Personal info of Canadian Armed Forces, RCMP stolen in cyberattack: link.
- Greater Paris wastewater agency dealing with cyberattack: link.
- Crypto firm Kronos Research says $26 million stolen after cyberattack: link.
Issues and fixes
- Exploit for CrushFTP RCE chain released: link.
You probably use SSH to push code to GitHub, access servers, and more. So why is it such a pain to set up new keys? Well, fret no longer. You can now easily generate, store, and use SSH Keys directly from 1Password 8 and the built-in SSH agent. Securely sync your keys across devices, authenticate SSH workflows, and even sign code commits. (Sponsored)