Kimsuky uses compiled HTML help files for cyberattacks
According to security firm Rapid7, threat actors linked to North Korea are currently abusing compiled HTML help files (CHMs) to deliver malware and steal sensitive data. Although CHM files are designed to provide help documentation, they are useful for distributing malware because they can execute JavaScript when opened.
(Hacker News)
KDE issues a warning after a theme wipes a Linux user's files
KDE, an international team that develops and distributes applications for Linux and other platforms, says that installing a global theme, even one from the official KDE Store, can run arbitrary code on your device while it changes your desktop. Users are warned to use extreme caution when customizing their appearance. According to BleepingComputer, the KDE Store currently allows anyone to upload new themes and various other plugins and add-ons without any checks for malicious behavior. KDE says this is due to a lack of resources to review the code in every global theme submitted for inclusion in the official store.
(Bleeping Computer)
Critical flaws in Atlassian Bamboo Data Center and Server must be fixed immediately
Atlassian has addressed numerous vulnerabilities in its Bamboo, Bitbucket, Confluence, and Jira products. The most severe of these, tracked as CVE-2024-1597 with a CVSS score of 10, is a SQL injection flaw in a third-party dependency of Bamboo Data Center and Server. According to the advisory, the flaw could allow an unauthenticated attacker to “expose assets in the environment that are susceptible to exploits that significantly impact confidentiality, integrity, and availability and do not require user interaction.” A link to Atlassian's report is in the show notes for this episode.
(Atlassian)
Top Democrat proposes cybersecurity standards after Change Healthcare attack
“As long as health care providers and their vendors who have suffered a cyberattack meet minimum cybersecurity standards, they will be able to receive advanced and rapid assistance through government programs,” Democratic Sen. Mark Warner of Virginia said in the Senate last Friday, proposing a bill that would make them eligible for such payments. The bill was filed as a follow-up to the attack on Change Healthcare, a technology provider that affects one in three patient records in the United States. But implementing mandatory minimum cybersecurity standards will be difficult, according to experts who spoke to CyberScoop, and major groups including the American Hospital Association say they oppose such proposals.
(Cyber Scoop)
A big thank you to this week's episode sponsor, Varonis
Pwn2Own Vancouver 2024 ends with 29 zero days
Participants in this year's hacking contest demonstrated 29 unique zero-days and won $1.1 million. On the first day, Team Synacktiv successfully demonstrated an exploit against Tesla cars. Researcher Manfred Paul won Master of Pwn with $202,500 and 25 points. Other products hit by zero-days included Apple Safari, Google Chrome, Microsoft Edge, Windows 11, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and of course Tesla. Vendors must address vulnerabilities exploited by participants during the Pwn2Own contest within 90 days of Trend Micro's Zero Day Initiative disclosing the issue.
(security related)
US Government releases new DDoS attack guidelines for public sector
A joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) highlights three major types of DDoS attacks that the public sector should be prepared for: volume-based attacks, protocol-based attacks, and application layer-based attacks. The document also provides tips to prevent DDoS incidents and techniques for response and recovery.
(InfoSecurity Magazine and CISA)
Vulnerability in Apple silicon M-series chips cannot be patched
Academic researchers from a number of U.S. universities have teamed up to discover a vulnerability that “allows hackers to access private encryption keys on Apple computers equipped with Apple's new silicon M-series chipsets.” This includes M1, M2, and M3 Apple MacBook and Mac computer models. The vulnerability lies in the prefetcher, which predictively fetches data before it is requested to speed up processing but leaves room for malicious attacks. Researchers have dubbed the attack GoFetch and say the problem lies in the architecture of the chip itself, so it cannot be patched. A link to the research report is in the show notes for this episode.
(Mashable and the GoFetch paper)
Biden nominates cyber policy veteran to new Pentagon post
President Joe Biden announced Thursday his intention to nominate U.S. Army Chief Cyber Adviser Michael Sulmeyer as the Pentagon's first digital policy director. Sulmeyer has held various senior positions at the National Security Council, U.S. Cyber Command, and the National Security Agency. He is currently responsible for advising Secretary of the Army Christine E. Wormuth “on all cyber issues, including readiness, capability, and strategic issues,” according to a White House statement. Previously, he served as Director of the Cybersecurity Project at Harvard Kennedy School's Belfer Center for Science and International Affairs.
(The Record)