Weekly Security News – 30th September 2024

Network Rail targeted in cyber attack, updates for HPE Aruba and NVIDIA, data breach at Harvey Nichols and Kaspersky replacing software...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

HPE Aruba Networking Releases Security Updates for Instant AOS-8 and AOS-10 in Access Points

Hewlett Packard Enterprise (HPE) Aruba Networking has issued an advisory that addresses 3 vulnerabilities affecting the Aruba Access Point (AP) product lines that run Instant AOS (ArubaOS). AOS is a distributed network operating system that works with Aruba Central to control APs and optional gateways. The three critical command injection vulnerabilities, each with a CVSSv3 score of 9.8, could be exploited by an unauthenticated, remote attacker via a specially crafted packet to achieve remote code execution (RCE). Successful exploitation could allow arbitrary code to be executed as a privileged user on the underlying operating system. Affected organisations are encouraged to review the HPE Security Advisory HPESBNW04712 rev.1 – HPE Aruba Networking Access Points Multiple Vulnerabilities and apply any relevant updates or workarounds. End-of-maintenance ArubaOS software versions are also affected. HPE Aruba Networking strongly recommends that all customers running End of Support Life (EoSL) software upgrade to a supported version as soon as possible.

Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers

A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host. The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2. “NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system,” NVIDIA said in an advisory. “A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.” The issue impacts all versions of NVIDIA Container Toolkit up to and including v1.16.1, and NVIDIA GPU Operator up to and including 24.6.1. However, it does not affect use cases where the Container Device Interface (CDI) is used.
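As an added example (not NVIDIA's code or part of the original post), the check below encodes the affected ranges stated above, treating a pre-release of the fixed version as still affected and honouring the CDI exemption, and runs it over a constructed inventory. The hostnames, the `nvidia-ctk --version` output format and the helper names are assumptions.

```python
import re

# Fixed versions stated in the NVIDIA advisory summarised above: anything
# earlier (including pre-releases of the fixed version) is treated as affected.
CVE = "CVE-2024-0132"
FIXED = {
    "nvidia-container-toolkit": "1.16.2",
    "nvidia-gpu-operator": "24.6.2",
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def version_key(text):
    """Turn '1.16.1', 'v24.6.1' or 'version 1.16.2-rc.1' into a comparable tuple.
    A pre-release suffix sorts below the final release of the same number."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(component, version_text, uses_cdi=False):
    """True if this install falls in the affected range for CVE-2024-0132.
    The advisory says deployments using the Container Device Interface (CDI)
    are not affected, so uses_cdi=True short-circuits to False."""
    if uses_cdi:
        return False
    return version_key(version_text) < version_key(FIXED[component])


def assess(inventory):
    """inventory: list of (hostname, component, version_text, uses_cdi).
    Returns the subset still needing the update, in the same tuple shape."""
    return [item for item in inventory if is_affected(*item[1:])]


# Constructed sample inventory (hostnames and versions are made up); the
# toolkit strings mimic `nvidia-ctk --version` output, which is an assumption
# about its format rather than a quote from the tool.
SAMPLE_INVENTORY = [
    ("gpu-node-01", "nvidia-container-toolkit", "NVIDIA Container Toolkit CLI version 1.16.1", False),
    ("gpu-node-02", "nvidia-container-toolkit", "NVIDIA Container Toolkit CLI version 1.16.2", False),
    ("gpu-node-03", "nvidia-container-toolkit", "NVIDIA Container Toolkit CLI version 1.15.0", True),
    ("k8s-cluster-a", "nvidia-gpu-operator", "v24.6.1", False),
    ("k8s-cluster-b", "nvidia-gpu-operator", "v24.6.2-rc.1", False),
]

if __name__ == "__main__":
    for host, component, version, _ in assess(SAMPLE_INVENTORY):
        print(f"{host}: {component} {version!r} affected by {CVE}, update required")
```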

Cyber Attacks

Network Rail issues update after 19 stations targeted in cyber attack

Network Rail confirmed that 19 of its stations were affected by a cyber security incident. At all of the affected stations, passengers trying to log on to the wifi saw messages about terror attacks in Europe. After the hack, the wifi landing page said, “We love you, Europe” and contained information about terror attacks. Network Rail, which manages the stations, suspended wifi services at stations across the country and confirmed that British Transport Police were investigating the incident. British Transport Police said: “We received reports at around 5.03pm on September 25th of a cyber-attack displaying Islamophobic messaging on some Network Rail wifi services.” The stations affected are:

  1. Birmingham New Street
  2. Bristol Temple Meads
  3. Edinburgh Waverley
  4. Glasgow Central
  5. Guildford
  6. Leeds
  7. Liverpool Lime Street
  8. London Bridge
  9. London Cannon Street
  10. London Charing Cross
  11. London Clapham Junction
  12. London Euston
  13. London King’s Cross
  14. London Liverpool Street
  15. London Paddington
  16. London Victoria
  17. London Waterloo
  18. Manchester Piccadilly
  19. Reading

Cybercrooks steal customer data from UK's luxury retailer Harvey Nichols

Harvey Nichols, a luxury British department store chain known for offering high-end fashion, beauty, food, and home products, suffered a cyberattack in which crooks stole sensitive user data. The company confirmed the news in data breach notification letters it recently started mailing to affected customers. In the email, the company said that it lost people’s names, postal addresses, phone numbers, company names, and email addresses. It described the stolen information as “non-sensitive”, even though such data can be used in dangerous phishing attacks that can result in wire fraud, ransomware attacks, and more. Beyond the data breach notification letters, the company has been tight-lipped about the breach, saying nothing about it on its website or social media accounts. Luckily, payment information and login credentials were not exposed. On X, it advises victims to reach out via email for further assistance.

In Other News...

Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy-Preserving Attribution (PPA) without explicitly seeking users’ consent. “Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites,” noyb said. “In essence, the browser is now controlling the tracking, rather than individual websites”. Noyb also called out Mozilla for allegedly taking a leaf out of Google’s playbook by “secretly” enabling the feature by default without informing users. PPA, which is currently enabled in Firefox version 128 as an experimental feature, has its parallels in Google’s Privacy Sandbox project in Chrome. The initiative, now abandoned by Google, sought to replace third-party tracking cookies with a set of APIs baked into the web browser that advertisers can talk to in order to determine users’ interests and serve targeted ads.

Kaspersky Exits U.S., Automatically Replaces Software With UltraAV, Raising Concerns

Antivirus vendor Kaspersky has formally begun pulling back its offerings in the U.S., migrating existing users to UltraAV, effective September 19, 2024, ahead of its formal exit at the end of the month. “Kaspersky antivirus customers received a software update facilitating the transition to UltraAV,” the company said in a post announcing the move on September 21. “This update ensured that users would not experience a gap in protection upon Kaspersky’s exit from the market”. The Russian company, which was banned from selling its software in the U.S. due to national security concerns, said it “worked closely” with UltraAV to ensure that the standards of security and privacy were maintained after the switch. However, some users who experienced the update have taken to Kaspersky’s forums and Reddit, stating that Kaspersky’s software was automatically deleted and replaced by UltraAV without any prior notice. UltraAV, in an FAQ, said “all Kaspersky U.S. users with a valid email address associated with their accounts received email communication detailing the transition process” starting September 5.