News

Hi folks!

Here we are with this week's issue. I'm glad I got it out in time for once :-)

I don't have much else to share right now, except: have a wonderful, bright, sunny day and week! <3

Cheers, Dieter


One Token to rule them all - obtaining Global Admin in every Entra ID tenant

Read the article (dirkjanm.io).

This is a doozy. Great write-up of how this security researcher combined two flaws in Entra to gain full admin access over all Entra ID tenants.

From the article:

Effectively this means that with a token I requested in my lab tenant I could authenticate as any user, including Global Admins, in any other tenant. Because of the nature of these Actor tokens, they are not subject to security policies like Conditional Access, which means there was no setting that could have mitigated this for specific hardened tenants.

Oof. On the bright side, Microsoft responded quickly and patched the issue within days. Good work, good write-up, and a good discussion on Hacker News.


Self-propagating supply chain attack hits 187 npm packages

Read the article (bleepingcomputer.com).

This is a different one than last week, or the week before that.

We're getting better and faster at catching these. Although honestly, at some point, we should probably just come to terms that this whole dependency at build/runtime thing is not working out. I'm starting to look forlornly at Golang for new projects just because of its beautiful standard library.

The malware also showed "worm-like" behavior, distributing itself through other packages. From the article:

The malware downloads each package by a maintainer, modifies its package.json, injects a bundle.js script (shown below), repacks the archive, and republishes it, thereby "enabling automatic trojanization of downstream packages," as Socket researchers explained.

So every package that depended on it would also be compromised, I think? Impressive.
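As an added example (this is not code from the article, from Socket, or from the newsletter), here is a small check that compares a known-good published version of an npm package with a newly republished one and flags the pattern the quoted paragraph describes: a modified package.json plus an injected script file. It assumes that the package.json change adds an install-time lifecycle script that runs the injected bundle.js; the page only says package.json is modified, so the hook name, the file name and the sample package contents are assumptions constructed for illustration.

```javascript
// Added example, not code from the article or from Socket: compare a known-good
// published version of an npm package with a newly republished one and flag the
// kind of edits the quoted paragraph describes (modified package.json plus an
// injected script). Assumption, not stated on the page: the package.json change
// adds an install-time lifecycle script that runs the injected file.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// A snapshot is { files: { "<path in tarball>": "<contents>" } }, i.e. the
// unpacked contents of one published version.
function readManifest(snapshot) {
  const raw = snapshot.files["package.json"];
  if (raw === undefined) throw new Error("snapshot has no package.json");
  return JSON.parse(raw);
}

// Rough list of files an install hook command would execute: any token that
// ends in .js/.cjs/.mjs, with a leading "./" stripped.
function scriptTargets(command) {
  return command
    .split(/\s+/)
    .filter((tok) => /\.(c|m)?js$/.test(tok))
    .map((tok) => tok.replace(/^\.\//, ""));
}

function findSuspiciousChanges(before, after) {
  const findings = [];
  const beforePkg = readManifest(before);
  const afterPkg = readManifest(after);
  const beforeScripts = beforePkg.scripts || {};
  const afterScripts = afterPkg.scripts || {};

  // Files the new tarball ships that the previous version did not.
  const newFiles = Object.keys(after.files).filter((p) => !(p in before.files));
  for (const p of newFiles) findings.push({ kind: "new-file", detail: p });

  for (const hook of INSTALL_HOOKS) {
    const cmd = afterScripts[hook];
    if (!cmd || cmd === beforeScripts[hook]) continue;
    findings.push({ kind: "new-install-hook", detail: `${hook}: ${cmd}` });
    // Strongest signal: a freshly added install hook that runs a file the
    // previous version did not ship.
    for (const target of scriptTargets(cmd)) {
      if (newFiles.includes(target)) {
        findings.push({ kind: "install-hook-runs-new-file", detail: `${hook} -> ${target}` });
      }
    }
  }

  // A version bump whose only source change is the loader is what a
  // republish-and-inject worm produces; note when every pre-existing file
  // other than package.json is byte-for-byte unchanged.
  const changedExisting = Object.keys(before.files).filter(
    (p) => p !== "package.json" && p in after.files && before.files[p] !== after.files[p]
  );
  if (findings.length > 0 && changedExisting.length === 0 && afterPkg.version !== beforePkg.version) {
    findings.push({
      kind: "version-bump-without-source-changes",
      detail: `${beforePkg.version} -> ${afterPkg.version}`,
    });
  }
  return findings;
}

function isLikelyTrojanized(before, after) {
  return findSuspiciousChanges(before, after).some((f) => f.kind === "install-hook-runs-new-file");
}

// Constructed sample data: a clean 1.2.3 and a republished 1.2.4 showing the
// pattern above. Package name and contents are made up for this example.
const cleanV123 = {
  files: {
    "package.json": JSON.stringify({ name: "example-widget", version: "1.2.3", main: "index.js", scripts: { test: "node test.js" } }),
    "index.js": "module.exports = () => 'hello';\n",
    "README.md": "# example-widget\n",
  },
};
const republishedV124 = {
  files: {
    "package.json": JSON.stringify({ name: "example-widget", version: "1.2.4", main: "index.js", scripts: { test: "node test.js", postinstall: "node bundle.js" } }),
    "index.js": "module.exports = () => 'hello';\n",
    "README.md": "# example-widget\n",
    "bundle.js": "/* stand-in for an injected loader; does nothing here */\n",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findSuspiciousChanges(cleanV123, republishedV124)) console.log(f.kind, f.detail);
  console.log("likely trojanized:", isLikelyTrojanized(cleanV123, republishedV124));
}
```

In practice the two snapshots would come from unpacking the previous and the newly published tarballs from the registry (or from a lockfile-pinned copy in your artifact cache); the comparison is against what you last reviewed, not against what the registry currently serves, because the latter is exactly the thing the worm controls.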


New Phoenix attack bypasses Rowhammer defenses in DDR5 memory

Read the article (bleepingcomputer.com).

Mostly just including this for the one-paragraph explanation of Rowhammer that finally made me understand it:

A Rowhammer attack works by repeatedly accessing specific rows of memory cells at high-speed read/write operations to cause enough electrical interference to alter the value of the nearby bits from one to zero and vice-versa (bit flipping).


Researchers expose MalTerminal, an LLM-enabled malware pioneer

Read the article (securityaffairs.com).

That's right, malware that ships with an LLM, or uses one through API tokens, to write the real malicious code at runtime.


OpenAI fixes zero-click ShadowLeak vulnerability affecting ChatGPT Deep Research agent

Read the article (therecord.media).

Because of the issue, an attacker could send the victim an email with embedded commands, which the Deep Research agent would interpret while searching through the victim's inbox to perform a task for them.


Quick links

  • Cyberattack on Collins Aerospace disrupted operations at major European airports: link.
  • Fortra discloses 10/10 severity bug in GoAnywhere MFT: link.
  • Apple backports zero-day patches to older iPhones and iPads: link.
  • Microsoft: Office 2016 and Office 2019 reach end of support next month: link.
  • BreachForums founder resentenced to three years in prison: link.
  • CISA: technical analysis of malware used on Ivanti: link.

That was it for this week! Thank you for reading, and thanks to 1Password for their wonderful support. See you next week!