Critical .NET deadline is tomorrow, over $1bn in crypto currency lost, Apple agrees $95m Siri Privacy settlement...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers
A proof-of-concept (PoC) exploit, dubbed “LDAPNightmare,” has been released for a now-patched security flaw in Windows Lightweight Directory Access Protocol (LDAP). This vulnerability, identified as CVE-2024-49113 with a CVSS score of 7.5, was addressed by Microsoft in December 2024. The exploit can trigger a denial-of-service (DoS) condition by crashing the Local Security Authority Subsystem Service (LSASS), leading to a forced reboot of unpatched Windows Servers. The PoC was developed by SafeBreach Labs and requires only that the victim’s DNS server has internet connectivity. Additionally, the same exploit chain could potentially be modified to achieve remote code execution, as indicated by the related vulnerability CVE-2024-49112, which has a CVSS score of 9.8. Organizations are advised to apply the December 2024 patches released by Microsoft to mitigate these risks.
Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
The Apache Software Foundation (ASF) has released a security update addressing a significant vulnerability in Apache Tomcat, identified as CVE-2024-56337. This flaw is an incomplete mitigation of a previous critical vulnerability, CVE-2024-50379, which had a CVSS score of 9.8. Both vulnerabilities are Time-of-Check Time-of-Use (TOCTOU) race conditions that could lead to remote code execution (RCE) on case-insensitive file systems when the default servlet is enabled for write operations. These vulnerabilities allow concurrent read and upload operations under load to bypass Tomcat’s case sensitivity checks, potentially causing an uploaded file to be treated as a JavaServer Page (JSP), leading to RCE. The ASF credited security researchers Nacl, WHOAMI, Yemoli, and Ruozhi for identifying and reporting these issues, with the KnownSec 404 Team independently reporting CVE-2024-56337 along with a proof-of-concept (PoC) code. Users are strongly advised to apply the necessary updates and configuration changes promptly to mitigate potential security risks.
Cyber Attacks
Over $1bn in Cryptocurrency Lost to Web3 Cyber Incidents in 2024
In the first half of 2024, over $1.1 billion in cryptocurrency was lost due to 408 Web3 cybersecurity incidents, averaging $2.9 million per incident. Phishing was the most prevalent attack vector, accounting for 150 incidents and $497.7 million in losses. Private key compromises, though fewer in number (42 incidents), resulted in substantial losses totalling $408.9 million, underscoring vulnerabilities in key management. Ethereum was the most frequently targeted blockchain, with 222 incidents leading to $315 million in losses. Notably, a single security breach on May 31, 2024, involving the Japanese cryptocurrency exchange DMM Bitcoin, led to the theft of 4,502.9 BTC, valued at $304 million. These figures represent a significant increase compared to the same period in 2023, which saw $640.2 million in losses, indicating a rising trend in Web3-related cyber incidents.
New 'DoubleClickjacking' Exploit Bypasses Clickjacking Protections on Major Websites
A novel exploit named “DoubleClickjacking” has been identified, enabling attackers to bypass existing clickjacking protections on major websites. Unlike traditional clickjacking, which relies on a single click, DoubleClickjacking manipulates the timing between two clicks in a double-click sequence. This method allows attackers to circumvent defenses such as X-Frame-Options headers and SameSite cookies, which were designed to prevent unauthorized UI interactions.
The attack typically involves the following steps:
- A user visits a malicious website that opens a new window or tab, often disguised as a CAPTCHA verification.
- The user is prompted to double-click to proceed.
- During the double-click, the original site uses JavaScript to redirect to a malicious page, such as one approving an unauthorized OAuth application.
- The overlay window closes, and the user’s second click unknowingly approves the malicious action.
This technique has been demonstrated to facilitate account takeovers on platforms like Shopify, Slack, and Salesforce. To mitigate this vulnerability, website owners are advised to implement client-side measures that disable critical buttons by default, activating them only after detecting genuine user interactions, such as specific mouse gestures or key presses. Additionally, it’s recommended that browser vendors develop new standards similar to X-Frame-Options to defend against double-click exploitation. This discovery underscores the evolving nature of UI manipulation attacks and the necessity for continuous enhancement of web so protect users from sophisticated threats.
In Other News...
Malicious NPM Package Disguised as Ethereum Tool Deploys Quasar RAT
Cybersecurity researchers have identified a malicious npm package named “ethereumvulncontracthandler” that masquerades as a tool for detecting vulnerabilities in Ethereum smart contracts. Published on December 18, 2024, by a user with the alias “solidit-dev-416,” this package is heavily obfuscated and, upon installation, retrieves a malicious script from a remote server. This script executes silently to deploy Quasar RAT, an open-source remote access trojan, onto Windows systems. Quasar RAT is known for its extensive capabilities, including keystroke logging, screenshot capturing, credential harvesting, and file exfiltration. The malware establishes persistence by modifying the Windows Registry and communicates with a command-and-control server at “captchacdn[.]com:7000” to receive further instructions. This incident highlights the risks associated with supply chain attacks, where threat actors exploit trusted third-party resources to infiltrate systems. Developers, especially those working with Ethereum smart contracts, are advised to exercise caution when incorporating third-party code, thoroughly vet dependencies, and monitor for any unusual system behaviour to mitigate such threats.
New AI Jailbreak Method 'Bad Likert Judge' Increases Attack Success Rates by Over 60%
Cybersecurity researchers from Palo Alto Networks Unit 42 have unveiled a novel jailbreak technique, dubbed “Bad Likert Judge,” that effectively bypasses safety measures in large language models (LLMs), enabling them to produce potentially harmful or malicious content. This multi-turn attack strategy involves prompting the LLM to evaluate the harmfulness of a given response using the Likert scale—a psychometric scale commonly used to measure attitudes or opinions. Subsequently, the model is instructed to generate responses that correspond to various points on the scale, with the highest Likert scale value potentially eliciting the most harmful content. Testing this method across various categories—including hate speech, harassment, self-harm, sexual content, and illegal activities—on six state-of-the-art LLMs from providers such as Amazon Web Services, Google, Meta, Microsoft, OpenAI, and NVIDIA, demonstrated an increase in attack success rates by more than 60% compared to standard attack prompts. The researchers emphasize the importance of implementing robust content filtering strategies to mitigate such risks, noting that effective filters can reduce attack success rates by an average of 89.2 percentage points across all tested models. This development underscores the ongoing challenges in securing AI systems against sophisticated adversarial techniques designed to circumvent their safety protocols.
Critical Deadline: Update Old .NET Domains Before January 7, 2025, to Avoid Service Disruption
Microsoft has announced an urgent change affecting the distribution of .NET installers and archives, necessitating immediate updates to production and DevOps infrastructures. This action is prompted by the impending shutdown of the Edgio platform, which currently hosts .NET binaries on domains ending in .azureedge.net, such as dotnetcli.azureedge.net and dotnetbuilds.azureedge.net. Edgio’s services are scheduled to terminate on January 15, 2025, following its acquisition by Akamai.
To prevent service disruptions, Microsoft plans to migrate affected workloads to Azure Front Door CDNs by January 7, 2025. Developers are advised to proactively update their systems to point to the new domains:
- Replace dotnetcli.azureedge.net with builds.dotnet.microsoft.com
- Replace dotnetcli.blob.core.windows.net with builds.dotnet.microsoft.com
Automatic migration will not cover endpoints with *.vo.msecnd.net domains. Organizations intending to migrate to alternative CDN providers must set the Feature Flag DoNotForceMigrateEdgioCDNProfiles before January 7, 2025, to prevent automatic migration to Azure Front Door. It’s important to note that configuration changes to Azure CDN by Edgio profiles will be frozen starting January 3, 2025, although services will continue to operate until the platform’s shutdown. Microsoft also recommends adopting custom domains to enhance flexibility and reduce single points of failure. This proactive measure is crucial to maintain service continuity and security, especially considering the potential risks if the azureedge.net domain were to be acquired by malicious actors. For detailed guidance and to ensure compliance with these changes, developers should review Microsoft’s official communications and update their infrastructures accordingly.
Apple Agrees to $95 Million Settlement Over Siri Privacy Violations
Apple has agreed to pay $95 million to settle a class-action lawsuit alleging that its Siri voice assistant inadvertently recorded users’ private conversations without consent. The settlement applies to U.S. individuals who owned Siri-enabled devices between September 17, 2014, and December 31, 2024. Eligible users could claim up to $20 per device, for up to five devices, if they experienced unintended Siri activations during confidential conversations. The lawsuit followed a 2019 report revealing that third-party contractors listened to Siri recordings to improve the service, leading to concerns over privacy violations. Apple has denied any wrongdoing but has since implemented measures allowing users to opt out of Siri analytics and delete their Siri history. This settlement underscores the importance of user privacy and the need for companies to ensure that voice-activated assistants do not inadvertently capture private communications.