CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including two zero-day exploits showcased at the prestigious Pwn2Own 2024 hacking competition.

    The update, which affects Chrome users on Windows, Mac, and Linux, elevates the browser version to 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux, with the rollout expected to reach users progressively over the coming days and weeks.

    Security Fixes and Rewards

    Google’s latest security update includes fixes for seven vulnerabilities, with a special emphasis on those discovered by external researchers.

    The tech giant has a longstanding tradition of rewarding these contributors for identifying and reporting bugs.

    This practice enhances Chrome’s security and fosters a collaborative relationship between the company and the cybersecurity community.

    Critical CVE-2024-2883: Use After Free in ANGLE

    One of the most critical issues addressed in this update is CVE-2024-2883, a use-after-free vulnerability in ANGLE, a cross-platform graphics engine abstraction layer used by Chrome to improve graphics performance on various platforms.

    This vulnerability was reported by Cassidy Kim (@cassidy6564) on March 3, 2024, and has been rewarded with a $10,000 bounty. Use-after-free vulnerabilities can lead to arbitrary code execution, making them particularly dangerous.

    High CVE-2024-2885: Use After Free in Dawn

    Another significant vulnerability patched in this release is CVE-2024-2885, a high-severity use-after-free issue in Dawn, an open-source and cross-platform implementation of the WebGPU standard.

    This bug was reported by an entity known as Fuzz on March 11, 2024.

    The severity of this vulnerability underscores the importance of timely updates to mitigate potential risks.

    High CVE-2024-2886 and CVE-2024-2887: Exploits Unveiled at Pwn2Own 2024

    However, the spotlight shines on two high-severity vulnerabilities, CVE-2024-2886 and CVE-2024-2887, unveiled during the Pwn2Own 2024 competition.

    CVE-2024-2886, reported by Seunghyun Lee (@0x10n) of KAIST Hacking Lab, is a use-after-free vulnerability in WebCodecs, a component critical for efficient media content encoding and decoding.

    CVE-2024-2887, reported by Manfred Paul, involves type confusion in WebAssembly, a binary instruction format for a stack-based virtual machine that enables high-performance applications on the web.

    These discoveries at Pwn2Own highlight the event’s role in identifying and mitigating potential threats before they can be exploited maliciously.

    Ongoing Security Efforts

    Google also acknowledges the contributions of its internal security team, whose ongoing efforts have led to various fixes identified through internal audits, fuzzing, and other initiatives.

    The company’s use of tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL is crucial in detecting and addressing security bugs.

    Chrome users are urged to update their browsers immediately to protect against these vulnerabilities.

    For those interested in switching release channels or reporting new issues, Google provides resources and a community help forum for assistance and learning about common issues.

    The post 2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and turning them into bots for the Faceless proxy service.

    TheMoon bots grew to over 40,000 in early 2024 and enabled Faceless to gain nearly 7,000 new users weekly.

Black Lotus Labs identified a botnet targeting end-of-life SOHO/IoT devices in late 2023; it is a variant of the previously dormant TheMoon botnet, and it infects devices and enrolls them in the Faceless residential proxy service.

    Logical Overview of Faceless Network

Faceless is a successor to the iSocks anonymity service and is popular among cybercriminals for anonymizing their activity; the strong correlation between TheMoon bots and Faceless suggests TheMoon is the main supplier of bots for the Faceless proxy service.

Black Lotus Labs mapped the Faceless network and observed a campaign targeting 6,000 ASUS routers within 3 days; Lumen Technologies blocked traffic to and from Faceless and TheMoon infrastructure and released indicators of compromise to disrupt the operation.

An initial loader, which relies on an accessible shell on the device, infects it and then establishes persistence, sets firewall rules for specific IP ranges, and uses a spoofed NTP request to verify internet connectivity.

    Following a connection attempt to hardcoded IPs and a potential check-in packet, the malware retrieves a secondary payload (worm or proxy) based on instructions from the C2 server. 

Check-in packet from debugger on the left and packet capture on the right

    The Worm Module spreads by exploiting vulnerable web servers and downloading additional modules and the .sox file. Upon execution, it checks for updates, establishes a connection with the Faceless C2 server, and reads Lumen reports.

The .sox.twn file

If no update file is found, it uses a hardcoded IP address to connect; upon receiving the update file, .sox extracts the C2 server address, initiates communication on a random port, and then sends additional scripts to update C2 information or remove traces of the malware, re

    The investigation revealed a strong correlation between TheMoon botnet and the Faceless proxy service, where significant overlap between bots communicating with TheMoon and Faceless C2 servers has been observed.

Chart showing the delta between when an infected device communicates with a Moon and Faceless Server

Most new TheMoon bots contacted a Faceless C2 server within 3 days, both services used the same communication port scheme, and a Faceless C2 server was found communicating directly with a TheMoon C2 server, strongly suggesting TheMoon is the primary botnet feeding Faceless.

Graphic showing the Moon Elf file hosted on a Faceless C2

    Global Telemetry Analysis – Faceless

TheMoon malware infects devices and communicates with its C2 server; a subset of these devices is enrolled in the Faceless proxy network, where they receive instructions from Faceless C2s and route traffic through an intermediary server before reaching the final destination.

Longevity of Faceless bots

The network is particularly useful for bypassing geolocation and IP-based blocking. Analysis shows that while 30,000 bots communicate with TheMoon C2 weekly, only 23,000 connect to Faceless C2s, suggesting some devices interact with TheMoon but not Faceless.

It is suspected that the remaining bots might be used for credential stuffing or financial data exfiltration.

    Interestingly, some long-lasting connections originate from known threat actor infrastructure, indicating they might be using Faceless for additional anonymity.

    The post The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends’ email addresses in exchange for free pizza. “Whereas people say they care about privacy, they are willing to relinquish private data quite easily when


  • The documents would detail how the Pentagon and Space Force want to use private space companies for military missions.


  • Here are the first conversations from our annual State of Defense interview series.


  • Light infantry units also need more indirect fire systems, Gen. Rainey said.


  • Senators are seeking more information about AI safety within the AUKUS program.


  • Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information in some cases by using Slack as command-and-control (C2). “The information stealer was delivered via a phishing email, masquerading as an invitation letter


A critical vulnerability has been found in Ray, an open-source AI framework that is widely used across various sectors, including education, cryptocurrency, and biopharma.

    This vulnerability, known as CVE-2023-48022, has been under active exploitation for the past seven months, allowing attackers to hijack computing power and leak sensitive data.

    The Discovery of CVE-2023-48022: ShadowRay

Late in 2023, five unique vulnerabilities were disclosed to Anyscale, the developer of Ray, by security researchers at Bishop Fox, Bryce Bearchell, and Protect AI.

    Anyscale addressed four of these vulnerabilities in Ray version 2.8.1, but the fifth, CVE-2023-48022, remains disputed and unpatched.

    The Oligo team has dubbed this vulnerability “ShadowRay” due to its ability to evade static scans and lead to significant breaches.

    AI environments are goldmines for attackers due to the sensitive information they contain, such as private intellectual property, third-party tokens, and access to company databases.

    The high-powered machines used for AI models are also prime targets for their computing power.

    The Oligo research team has uncovered an active attack campaign that has put thousands of servers at risk.

    Meet Ray: The Affected Framework

    Ray is a unified framework designed to scale AI and Python applications.

It is maintained by Anyscale and has garnered significant attention, with 30K stars on GitHub.

    Large organizations like Uber, Amazon, and OpenAI use Ray in production for its scalability and efficiency.

Source: anyscale.com
Source: ray.io

    The Exploitation of Ray Clusters

    The lack of authorization in Ray’s Jobs API has been a critical point of exploitation.

    Attackers with network access to the dashboard can invoke arbitrary jobs on the remote host without authorization.

    Ray’s official Kubernetes deployment guide [10] and Kuberay’s Kubernetes operator encourage people to expose the dashboard on 0.0.0.0:

    This oversight has led to the compromise of numerous publicly exposed Ray servers, with attackers leveraging the flaw for cryptocurrency mining and data theft.
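The exposure described above is a binding and network-reachability problem rather than a bug in one function, so the first thing a defender can do is audit how head nodes are launched. The following script is an added example (it is not code from the article, from Oligo, or from the Ray project): it parses `ray start` launch lines, works out where the dashboard would listen, and flags anything reachable beyond loopback. It assumes Ray's documented `--dashboard-host` and `--dashboard-port` flags and Ray's documented defaults of 127.0.0.1 and port 8265; the sample launch lines are constructed for illustration.

```python
"""Audit `ray start --head` launch lines for a dashboard reachable off-host.

Added example, not the article's, Oligo's or the Ray project's own code.
Assumes Ray's documented --dashboard-host / --dashboard-port flags and its
documented defaults (127.0.0.1, port 8265). Sample commands are constructed.
"""
import shlex
from dataclasses import dataclass

DEFAULT_DASHBOARD_HOST = "127.0.0.1"  # Ray's documented default (assumption)
DEFAULT_DASHBOARD_PORT = 8265         # Ray's documented default (assumption)
WILDCARD_HOSTS = {"0.0.0.0", "::", ""}  # values that bind to every interface


@dataclass
class Finding:
    command: str
    host: str
    port: int
    exposed: bool
    advice: str


def _flag_value(argv, name, default):
    """Return the value given as --name=value or --name value, else default."""
    for i, tok in enumerate(argv):
        if tok.startswith(name + "="):
            return tok.split("=", 1)[1]
        if tok == name and i + 1 < len(argv):
            return argv[i + 1]
    return default


def dashboard_binding(command):
    """(host, port) the dashboard would listen on for one `ray start` line."""
    argv = shlex.split(command)
    host = _flag_value(argv, "--dashboard-host", DEFAULT_DASHBOARD_HOST)
    port = int(_flag_value(argv, "--dashboard-port", DEFAULT_DASHBOARD_PORT))
    return host, port


def is_loopback(host):
    return host == "localhost" or host == "::1" or host.startswith("127.")


def audit(commands):
    """Flag head-node launch lines whose dashboard (and Jobs API) is reachable off-host."""
    findings = []
    for cmd in commands:
        argv = shlex.split(cmd)
        # Only the head node serves the dashboard, so worker launch lines are skipped.
        if "ray" not in argv or "start" not in argv or "--head" not in argv:
            continue
        host, port = dashboard_binding(cmd)
        if host in WILDCARD_HOSTS:
            exposed = True
            advice = ("bound to all interfaces; keep it on 127.0.0.1 and reach it "
                      "through an SSH tunnel or an authenticating reverse proxy")
        elif not is_loopback(host):
            exposed = True
            advice = ("bound to a routable address; restrict it with firewall or "
                      "network policy or place it behind an authenticating proxy")
        else:
            exposed = False
            advice = "loopback only"
        findings.append(Finding(cmd, host, port, exposed, advice))
    return findings


# Constructed sample launch lines, not taken from any real deployment.
SAMPLE_COMMANDS = [
    "ray start --head --dashboard-host=0.0.0.0 --dashboard-port=8265",  # weak
    "ray start --head --dashboard-host 10.0.0.5",                       # LAN-reachable
    "ray start --head",                                                 # default: loopback
    "ray start --address=10.0.0.5:6379",                                # worker, no dashboard
]

if __name__ == "__main__":
    for f in audit(SAMPLE_COMMANDS):
        status = "EXPOSED" if f.exposed else "ok"
        print(f"[{status}] {f.host}:{f.port}  {f.command}\n          {f.advice}")
```

Because the Jobs API behind the dashboard performs no authorization of its own, the binding address and the surrounding network controls are the only enforcement points; a loopback-only dashboard is the baseline, and any exposure beyond that needs an authenticating layer in front of it.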

    The collective value of the compromised machines is staggering, with the potential worth nearing a billion USD.

    Attackers are drawn to these machines not only for the sensitive information they can extract but also for the high value of the GPUs, which are in short supply and expensive.

A6000 GPUs from the machine above are out of stock on NVIDIA’s website

    The Common Thread: Crypto Miners

    Oligo Research has identified patterns in the compromised clusters, suggesting that the same attackers targeted them.

    Crypto-mining campaigns have been leveraging ShadowRay to install miners and reverse-shells, with some attackers reaching the top 5% of miners in certain pools.

XMRig crypto miner connected to Zephyr mining pool

    In light of these findings, organizations using Ray are urged to review their environments for exposure and analyze any suspicious activity.

    For more detailed information on the vulnerabilities and the steps taken by Anyscale, readers can refer to the blog posts by Bishop Fox, Bryce Bearchell, and Protect AI.

    Ray users must be aware of the security aspects and common pitfalls associated with the framework.

    As the battle between functionality and security continues, the Ray incident serves as a stark reminder of the importance of vigilance in the digital age.

    The disputed nature of CVE-2023-48022 has not only highlighted the complexities of software development but also the critical need for robust security measures in protecting valuable AI infrastructure.

    The post Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
