Weekly Security News – 29th January 2024

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Chrome 121 Patches 17 Vulnerabilities

Google has released Chrome version 121, addressing 17 vulnerabilities, including 11 reported by external researchers. Three of the externally reported security defects have a severity rating of ‘high’. One high-severity bug fixed in Chrome 121 is a use-after-free issue in WebAudio (CVE-2024-0807), which earned the reporting researcher an $11,000 bug bounty. In total, Google awarded over $30,000 in bug bounty rewards for the reported vulnerabilities. Users are advised to update their Chrome browsers to the latest version to benefit from the security patches and maintain a secure browsing experience.

Critical Jenkins Vulnerability Exposes Servers to RCE Attacks

The maintainers of the open-source CI/CD automation software Jenkins have addressed nine security flaws, including a critical bug (CVE-2024-23897) that, if successfully exploited, could lead to remote code execution (RCE). The critical vulnerability is described as an arbitrary file read flaw through the built-in command line interface (CLI) in Jenkins. The software uses the args4j library for parsing command arguments and options on the Jenkins controller when processing CLI commands. Users are advised to update their Jenkins installations to the latest version to mitigate potential risks associated with these security vulnerabilities.

Cyber Attacks

HPE Says Russian Government Hackers Had Access to Emails for 6 Months

Hewlett Packard Enterprise (HPE) has disclosed in an SEC filing that it was targeted by hackers believed to be sponsored by the Russian government. The threat group, tracked as Midnight Blizzard (also known as Cozy Bear), reportedly broke into HPE’s cloud-based email environment. HPE detected and removed the attackers, but an investigation revealed that the threat actor had gained access in May 2023 and started exfiltrating data. The targeted mailboxes belonged to staff in various departments, including cybersecurity, go-to-market, and business segments. This incident highlights the ongoing cybersecurity threats faced by organizations and the importance of robust defence measures.

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

Microsoft has revealed that the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations, and it is in the process of notifying them. This disclosure follows Hewlett Packard Enterprise’s announcement that it was the victim of an attack by the same threat actors, APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes. The threat actor primarily targets governments, diplomatic entities, non-governmental organizations (NGOs), and IT service providers, primarily in the U.S. and Europe, according to the Microsoft Threat Intelligence team.

40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

Malicious actors have been actively exploiting a critical security flaw (CVE-2023-22527) affecting Atlassian Confluence Data Center and Confluence Server, within three days of its public disclosure. The vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution. Exploitation attempts have been recorded from more than 600 unique IP addresses, with nearly 40,000 attempts reported in the wild shortly after the flaw became publicly known. Users are strongly advised to update their Confluence installations to the latest versions to mitigate the risk of exploitation.

Articles

Tesla hacked again, 24 more zero-days exploited at Pwn2Own Tokyo

During the second day of the Pwn2Own Automotive 2024 hacking competition, security researchers from the Synacktiv team successfully hacked the Tesla infotainment system by chaining two zero-day bugs for a sandbox escape, earning a reward of $100,000. Additionally, they used a chain of three zero-day exploits to compromise the Automotive Grade Linux operating system, securing an additional $35,000. Pwn2Own events demonstrate the potential vulnerabilities in automotive systems and highlight the importance of addressing security issues to enhance the resilience of connected vehicles.

COVID-19 test lab accused of exposing 1.3 million patient records to open internet

A password-less database containing approximately 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet. The insecurely configured database included information such as coronavirus test certificates, appointment records, testing samples, and personally identifiable information (PII) such as patient names, dates of birth, passport numbers, and email addresses. The incident raises concerns about the security and privacy of sensitive health data, highlighting the importance of robust cybersecurity measures in handling and protecting such information.

Apps Secretly Harvest Data When They Send You Notifications

Security researchers at Mysk Inc. have found that iPhone apps, including Facebook, LinkedIn, TikTok, and Twitter, are bypassing Apple’s privacy rules to collect user data through notifications. This technique allows apps to collect data even when users close them to prevent background data collection. The collected data appears unnecessary for processing notifications and is likely related to analytics, advertising, and tracking users across various apps and devices. Some of the companies mentioned in the findings dispute the accuracy of these claims. This highlights ongoing challenges in enforcing and maintaining user privacy standards in the mobile app ecosystem.

$1.7 Billion Stolen in Cryptocurrency Hacks in 2023

According to a report by blockchain analysis firm Chainalysis, a total of $1.7 billion worth of cryptocurrency was stolen in 2023 through cryptocurrency platform hacks. Although the number of incidents increased from 219 in 2022 to 231 in 2023, the total amount lost to hackers decreased significantly from $3.7 billion in 2022. Chainalysis attributes this drop largely to a decline in losses from attacks on decentralized finance (DeFi) platforms, which have been a major target in recent years. The report underscores the continued importance of security measures in the cryptocurrency space and the evolving tactics of malicious actors.

The 10 Biggest Cyber Security Trends In 2024 Everyone Must Be Ready For Now

The cost of cyber attacks on the global economy is predicted to exceed $10.5 trillion by the end of the coming year. This significant amount underscores the growing impact of cyber threats on individuals, organizations, and governments, emphasizing the need for cybersecurity to be treated as a strategic priority. As cyber threats continue to evolve, effective measures and investments in cybersecurity are essential to mitigate risks and protect against the potentially devastating consequences of cyber attacks.