By Deeba Ahmed
Popular File Transfer Software Hit by Zero-Day Exploit: Millions Potentially Exposed - Install Patches Right Now!
This is a post from HackRead.com Read the original post: Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

A critical zero-day vulnerability in CrushFTP, a popular file transfer software, allows attackers to download sensitive system files. This puts millions of users at risk! Learn how to protect yourself from this exploit and secure your file transfers.

Attention file transfer users! A recently discovered zero-day exploit in CrushFTP, a popular enterprise file transfer software solution, has sent security researchers scrambling. This critical vulnerability could allow attackers to download sensitive system files, potentially compromising the security of millions of users worldwide.

****What is CrushFTP and Why Should You Care?****

CrushFTP is a widely used software program that enables secure file transfers between computers and servers, offering functionalities like FTP, SFTP, FTPS, WebDAV, and more. However, the recent discovery of a zero-day exploit raises concerns about the potential for unauthorized access and data breaches, making businesses/organizations using it for data exchanges vulnerable.

****How Does the Exploit Work?****

The vulnerability (CVE-2024-4040), identified by Simon Garrelou of Airbus CERT, allows attackers to bypass the software’s virtual file system (VFS) restrictions and download system files that are typically off-limits. This unauthorized access could lead to the theft of sensitive data, the installation of malicious software, and disruption of file transfer operations or server inoperability.

****Who is Affected?****

The exact number of affected users is unknown, but CrushFTP boasts a significant user base across various industries. Organizations of all sizes, from small businesses to large enterprises, could be at risk if they haven’t applied the latest security patch, details of which can be found in CrushFTP’s advisory.

“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0,” the advisory read.

It must be noted that customers operating CrushFTP instances within a demilitarized zone (DMZ) are safe from the attacks. The flaw is yet to receive a CVE identifier.

Cybersecurity firm CrowdStrike reported an exploit for the CrushFTP Zero-Day flaw targeting U.S. entities in what it believes is a politically motivated intelligence-gathering activity.

However, CrushFTP’s founder, Ben Spink, claims the company hasn’t received any user complaints as yet whereas the vulnerability was patched within hours of identification.

To update CrushFTP to the latest version v11.1.0, log in to the dashboard, click the About tab, and click Update> Update Now. Wait 5 minutes for files to download, unzip, and copy, then auto-restart CrushFTP.

1.  WinRAR users update software as 0-day vulnerability is found
2.  WeTransfer phishing attack spoofs file-sharing to steal credential
3.  APT Winter Vivern Exploits Roundcube 0-Day against European Entities

Popular File Transfer Software CrushFTP Hit by Zero-Day Exploit

PRESS RELEASE

Tampa Bay, FL (April 24, 2024) – KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced it has entered into a definitive agreement to acquire Egress, a leader in adaptive and integrated cloud email security. Egress’ Intelligent Email Security suite provides a set of scaled, AI-enabled security tools with adaptive learning capabilities to help prevent, protect and defend organizations against sophisticated email cybersecurity threats. Further terms of the transaction were not disclosed.

Organizations globally struggle to contain behavioral-based data breaches, with 74 percent of incidents involving the human element according to Verizon’s Data Breach Investigations Report. By acquiring Egress, KnowBe4 plans to deliver a single platform that aggregates threat intelligence dynamically, offering AI-based email security and training that is automatically tailored relative to risk. 

“The future of security is personalized AI-driven controls and real-time coaching. By providing a single platform from KnowBe4 and Egress, our customers will benefit from differentiated aggregate threat detection to stay ahead of evolving cyber threats and foster a strong security culture,” said Stu Sjouwerman, CEO, KnowBe4. “As integration partners for over a year with strong philosophical and cultural alignment, this acquisition is a natural progression for both companies to take human risk management and cloud email security to the next level.”

“KnowBe4 and Egress have a shared vision of delivering tailored and relevant security to each employee,” said Tony Pepper, CEO, Egress. “One of the biggest challenges organizations face is accurately identifying who the next source of compromise is – and why. By combining intelligence and analytics from integrated applications, companies can gain valuable insights across their entire cyber ecosystem, allowing them to focus on the risks that matter most.”

The announcement comes on the heels of significant achievements for both companies thus far in 2024. KnowBe4 recently announced its AI-native platform, Artificial Intelligence Defense Agents (AIDA), which incorporates advanced AI agents to power efficacy and speed. Recent notable awards include being recognized as a Top Software Winner by G2 and a winner of Energage’s Top Workplaces USA for 2024. Meanwhile, Egress launched its AI-powered Automated Abuse Mailbox in early April and received several award recognitions, including Security Innovation of the Year (Computing Security Excellence Awards), Best Email Security Solution, Best Data Leak Prevention Solution (SC Awards Europe) and Best Place to Work in the UK (Great Places to Work 2024).

The transaction is expected to close in the coming months subject to customary closing conditions and regulatory approvals.

Egress is backed by FTV Capital and AlbionVC. Citi served as exclusive financial advisor to Egress and Orrick, Herrington & Sutcliffe LLP served as legal counsel to Egress.

For more information on KnowBe4, visit www.knowbe4.com. For more information on Egress, visit www.egress.com. 

About KnowBe4   
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 65,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognized cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organizations rely on KnowBe4 to mobilize their end users as their last line of defense and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email. 

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

KnowBe4 to Acquire Egress

PRESS RELEASE

Houston, Texas – Black Girls Do Engineer recently signed an Education Partnership Agreement (EPA) with the National Security Agency in an effort to continue playing a key role in developing science and technology talent for possible national security challenges.

The National Security Agency (NSA) partners with select universities and nonprofit organizations as part of the Agency’s Minority Serving Institution (MSI) Hacking 4 Intelligence (H4I) program. It is a program where the U.S. Government and industry partners, collaborate to solve national security problems. The program engages HBCU students and college bound students studying STEM disciplines.

Black Girls Do Engineer, a 501c3 nonprofit organization that provides access, education and resources to Black students K-12 in STEM was selected to participate because of its stellar reputation in hosting cohorts of students through various STEM subjects including co-ed HBCU and High School programs, utilizing Microsoft technology to do so.

The NSA’s collaborative H4I program is for students to have the opportunity to cultivate essential skills by deconstructing and analyzing NSA and Microsoft problem sets, all while collaborating and networking with government and industry partners. Students will form interdisciplinary teams and work to solve real-world NSA and Microsoft problem sets. At the end of a 12-week cohort, students exit the program with a minimum viable product ready for deployment.

“This partnership with NSA will allow our program to provide our cybersecurity resources and curriculum to Higher Education institutions through our developed BGDE digital infrastructure enhanced by Microsoft tools,” states Kara Branch the Founder and CEO of Black Girls Do Engineer.

Black Girls Do Engineer’s licensed STEM curriculum is committed to excellence in cyber defense education and research. Some of its programs include cybersecurity, artificial intelligence, data science and a host of technical training. Higher education programs include their design Badge A Thon event offered for college students.

“This collaboration will allow our national impact to reach new heights with higher education students,” concludes Kara Branch, Founder and CEO of Black Girls Do Engineer.

About Black Girls Do Engineer

As the fastest growing nationwide program for Black girls in STEM., BGDE has been dubbed “The Ivy League of Nonprofits.” The program is application-based and offers full-time membership-based STEM camps and workshops to Black girls in grades K through 12, with mentorship and individual workshops offered to college students up through age 21. The program currently has a 100% college acceptance rate and 100% job placement rate among its members. Since its launch in 2019, BGDE has served 4,000 girls though its program. The nonprofit has also helped secure its members $44,000 in STEM-related college scholarships.

BGDE futuristic programs of study include: A.I., Energy, Audio/Visual, Aerospace, Engineering, Medical, Robotics and Coding. Mentoring includes: College Prep, Financial Literacy, Upskilling, and Mentorship from professionals working in these fields offering real life experience.

Black Girls Do Engineer Signs Education Partnership Agreement With NSA

Sources suspect China is behind the targeted exploitation of two zero-day vulnerabilities in Cisco’s security appliances.

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated. It's not yet clear if the vulnerabilities served as the initial access points to the victim networks, or how the hackers might have otherwise gained access before exploiting the Cisco appliances.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted. Despite the hackers' Line Runner persistence mechanism, a separate advisory from the UK's National Cybersecurity Center notes that physically unplugging an ASA device does disrupt the hackers' access. “A hard reboot by pulling the power plug from the Cisco ASA has been confirmed to prevent Line Runner from re-installing itself,” the advisory reads.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices. Detecting the ArcaneDoor hackers' access to Cisco ASA appliances, in particular, is “incredibly difficult,” according to the advisory from the UK's NCSC.

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established."

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

An exploit for the vulnerability allows unauthenticated attackers to escape a virtual file system sandbox to download system files and potentially achieve RCE.

Source: Andre Boukreev via Shutterstock

Virtual file transfer system provider CrushFTP and various security researchers are sounding the alarm about a sandbox escape flaw in the CrushFTP server that attackers already have exploited as a zero-day in attacks against organizations in the US.

CrushFTP is a multiprotocol, multiplatform, cloud-based file transfer server. The security vulnerability, tracked as CVE-2024-4040, is an improper input validation bug in the CrushFTP file transfer server version 11.1. The company unveiled and patched the flaw on April 19 with the release of version 11.1.0 of the product; however, there already were various reports of threat actors hammering the flaw with an existing exploit.

These attacks, which were potentially "politically motivated," were targeted in nature for intelligence gathering and detected at various US entities, according to Crowdstrike's threat hunters Falcon OverWatch and Falcon Intelligence, which published an advisory on Reddit.

**A Developing Attack Scenario for Cloud File Transfer**

The attack scenario is developing, with new research by Tenable published April 23 identifying more than 7,100 CrushFTP servers publicly accessible "based on a Shodan query in a Nuclei template created by h4sh," according to the report. However, "it's unclear how many of these systems are potentially vulnerable," Satnam Narang, a Tenable senior staff research engineer, noted in the post.

Attacks are likely to continue on unpatched servers given that a proof-of-concept (PoC) exploit for the flaw is now publicly available, posted April 23 to GitHub by the researcher who discovered and reported the flaw to CrushFTP, Simon Garrelou of Airbus Community Emergency Response Team (CERT), Narang added.

Other attackers also aim to benefit from all the attention in the flaw, by targeting users with fake PoCs, Narang wrote, noting there already is a repository posted to GitHub that directs users to a third-party site called SatoshiDisk, which requests a payment of 0.00735 bitcoin (around $513) for an alleged exploit.

"It is unlikely that the exploit code will work and we do not expect it to be malicious in nature," Narang wrote. "Instead, it is more likely that the attackers are seeking to make money from the interest in the exploit code for this vulnerability."

**CVE-2024-4040: Potential for RCE**

The vulnerability as described by the vendor is an arbitrary read flaw that allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files.

However, there is evidence that it is more to the flaw than has so far been reported, Rapid7 researchers noted in a blog post published on April 23.

"Although the vulnerability has been formally described as an arbitrary file read, Rapid7 believes that it can be more accurately categorized as a server-side template injection (SSTI)," Caitlin Condon, Rapid7's director of vulnerability intelligence, wrote in the post.

CVE-2024-4040 is a "fully unauthenticated flaw" and is easy to exploit; successful exploitation allows not only or arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution (RCE), she observed.

"Successful exploitation allows a remote, unauthenticated attacker to access and potentially exfiltrate all files stored on the CrushFTP instance," Condon wrote.

**Exploit Code Available**

The PoC exploit posted by Garrelou includes two scripts. The first, scan\_host.py, attempts to use the vulnerability to read files outside the sandbox, according to the GitHub post.

"If it succeeds, the script writes Vulnerable to standard output and returns with exit code 1," according to Garrelou. "If exploiting the vulnerability does not succeed, the script writes Not vulnerable and exits with status code 0."

The second script, scan\_logs.py, looks for indicators of compromise in a CrushFTP server installation directory and, upon finding them, will attempt to extract the IP that tried to exploit the server.

**Patch Now for Full Protection**

The best way for organizations with CrushFTP present in their environment to mitigate the situation is to update their systems to the patched version of the product now, the company and security researchers alike advised.

Customers using a front-end demilitarized zone (DMZ) server to process protocols and connections in front of their main CrushFTP instance are afforded partial protection from exploit due to the protocol translation system used in the DMZ, according to CrushFTP.

"A DMZ, however, does not fully protect you, and you must update immediately," the company advised customers in its advisory. One of the factors complicating an organization's detection of exploitation of CVE-2024-4040 is that payloads "can be delivered in many different forms," Rapid7's Condon noted.

"When certain evasive techniques are leveraged, payloads will be redacted from logs and request history, and malicious requests will be difficult to discern from legitimate traffic," she wrote.

For this reason, Rapid7 recommends that CrushFTP customers harden their servers against administrator-level RCE attacks by enabling Limited Server mode with the most restrictive configuration possible. Condon added that they also should use firewalls wherever possible to aggressively restrict which IP addresses are permitted to access CrushFTP services.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Patch Now: CrushFTP Zero-Day Cloud Exploit Targets US Orgs

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data.

Source: Nico El Nino via Shutterstock

COMMENTARY

Picture this: It's a Saturday morning, and you made breakfast for your family. The pancakes were golden brown and seemingly tasted OK, but everyone, including you, got sick shortly after eating them. Unbeknown to you, the milk that you used to make the batter expired several weeks ago. The quality of the ingredients impacted the meal, but everything looked fine on the outside.

The same philosophy can be applied to artificial intelligence (AI). Regardless of its purpose, AI's output is directly related to the quality of its input. As the popularity of AI continues to rise, security concerns around the data being fed into AI are coming into question.

A majority of today's organizations are integrating AI into business operations at some capacity — and threat actors are taking note. Over the past few years, a tactic known as AI poisoning has become increasingly prevalent. This new malicious practice involves injecting deceptive or harmful data into AI training sets. The tricky part about AI poisoning is that, despite the input being compromised, the output can initially continue as normal. It isn't until a threat actor gets a firm grip on the data and begins a full-fledged attack that deviations from the norm become obvious. The consequences range from slightly inconvenient to damaging a brand's reputation.

It's a risk affecting organizations of all sizes, even today's most prominent tech vendors. For example, over the past few years, adversaries launched several large-scale attacks to poison Google's Gmail spam filters and even turned Microsoft's Twitter chatbot hostile.

**Defending Against AI Data Poisoning**

Fortunately, organizations can take the following steps to shield AI technologies from potential poisoning.

*   Build a comprehensive data catalog. First, organizations should create a live data catalog that serves as a centralized repository of information that is being fed to its AI systems. Any time new data is added to AI systems, it should be tracked in this index. In addition, the catalog should be able to categorize the data flowing into AI systems by the who, what, when, where, why, and how to ensure transparency and accountability.
    
*   Develop a normal baseline for users and devices interacting with AI data. Once the security and IT teams have a solid understanding of all of the data in AI systems and who has access to it, it's important to develop a baseline of normal user and device behavior.
    

Compromised credentials are one of the easiest ways for cybercriminals to break into networks. All a threat actor has to do is either play a guessing game or buy one of the 24 billion username and password combinations available on the cybercriminal marketplace. Once they have access, a threat actor can easily maneuver their way into accessing AI training datasets.

By establishing user and device baseline behavior, security teams can easily detect abnormalities that might be indicative of an attack. Often, this helps stop a threat actor before an incident escalates into a full-blown data breach. For example, say you have an IT executive who typically works from the New York office and who oversees the AI data training sets. One day, it shows that he is active in another country and is adding large amounts of data to the AI. If your security team already has a baseline of user behavior, they can quickly tell that this is abnormal. Then security could either talk to the executive and verify that he was performing the action or, if he wasn't, temporarily disable his account until the alert is thoroughly investigated to prevent any further damage.

**Taking Responsibility of AI Training Sets**

Just like you should check the quality of the ingredients before you make a meal, it's critical to ensure the integrity of AI training data. AI intelligence is intricately linked to the quality of data it processes. Implementing guidelines, policies, monitoring systems, and improved algorithms plays a pivotal role in ensuring the safety and effectiveness of AI. These measures safeguard against potential threats and empower organizations to harness the transformative potential of AI. It is a delicate balance where organizations must learn to leverage AI's capabilities, while remaining vigilant in the face of the ever-evolving threat landscape.

**About the Author(s)**

CISO, Exabeam

Tyler Farrar is the Chief Information Security Officer (CISO) at Exabeam. He graduated from the United States Naval Academy in 2012, and received his Bachelor of Science in Aerospace Engineering. Tyler continued his education at Robert H. Smith School of Business, where he earned a Master of Business Administration in Accounting and Finance.

Fortify AI Training Datasets From Malicious Poisoning

By Waqas
Update Windows Now or Get Hacked: Microsoft Warns of Actively Exploited Vulnerability!
This is a post from HackRead.com Read the original post: Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

Hackers exploiting a critical Windows flaw (CVE-2022-38028) in the Print Spooler service. Patch immediately to block APT28 (Forest Blizzard and Fancy Bear) attacks & protect your system!

Microsoft issued a security warning about a critical vulnerability (CVE-2022-38028) in the Windows Print Spooler service that attackers are actively exploiting. This vulnerability allows attackers to escalate privileges on a compromised system, potentially granting them complete control.

The vulnerability resides in how the Print Spooler processes JavaScript code. By manipulating a specific file, attackers can execute malicious code with administrator privileges.

Microsoft attributes these attacks to the APT28 hacking group (also known as Fancy Bear or Forest Blizzard) which is using a custom malware tool called GooseEgg. While the exact timeframe for GooseEgg’s activity is unknown, Microsoft has observed it being operational since at least June 2020.

> Microsoft has identified longstanding activity by the Russian-based threat actor we track as Forest Blizzard using a custom tool we call GooseEgg to exploit CVE-2022-38028 in the Windows Print Spooler service to elevate permissions and steal credentials: https://t.co/YKHvxqJa61
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) April 22, 2024

Targets of these attacks include organizations in North America, Western Europe, and Ukraine across various sectors such as government, non-governmental organizations (NGOs), education, and transportation.

To mitigate this risk, Microsoft strongly recommends that all users install the security patch they released in October 2022. This patch addresses the vulnerability and prevents attackers from exploiting it.

While Microsoft offers temporary mitigation steps for those who cannot patch immediately, patching remains the most effective way to address this vulnerability and protect your system.

Nevertheless, it’s crucial to consistently update your Windows systems with the latest security patches, as this is the most effective defence against vulnerabilities. Additionally, exercise caution when interacting with attachments or links, particularly in emails from unfamiliar sources, as phishing attempts are a prevalent method used by attackers to compromise systems.

It is also important to know that the Cybersecurity and Infrastructure Security Agency (CISA) has also flagged CVE-2022-38028 as a high-risk vulnerability, given its ongoing exploitation.

1.  Microsoft Executives’ Emails Breached by Russia Hackers
2.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Russian Operatives Expose German Military Webex Conversations
4.  Russian Midnight Blizzard Hackers Breached Microsoft Source Code
5.  Russian Hackers Hit Mail Servers in Europe for Political, Military Intel

Russian APT28 Exploiting Windows Vulnerability with GooseEgg Tool

By Waqas
Popular keyboard apps leak user data! Citizen Lab reports 8 out of 9 Android IMEs expose keystrokes. Change yours & protect passwords!
This is a post from HackRead.com Read the original post: Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

Citizen Lab investigated the security of cloud-based pinyin keyboard apps and found that eight out of nine vendors transmitted user keystrokes in an insecure manner. This means keystrokes could be intercepted by eavesdroppers on the network.

A new report by Citizen Lab has uncovered critical security vulnerabilities in popular keyboard apps, potentially exposing the keystrokes of nearly a billion users to eavesdroppers.

The report, titled “The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers,” investigates cloud-based pinyin input method editors (IMEs) used on a vast majority of Android devices in China.

Researchers analyzed keyboard apps from nine major vendors: Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Alarmingly, they found vulnerabilities in eight of these apps that could allow attackers to steal users’ keystrokes as they type.

The report details various weaknesses in how these apps transmit data. Some apps, like Samsung Keyboard, send keystrokes completely unencrypted, making them easy for anyone snooping on the network to intercept. Others rely on flawed encryption methods that can be cracked.

The ease of eavesdropping varies depending on the app. In some cases, a malicious actor on the same Wi-Fi network could steal your data. Even more concerning, some vulnerabilities are exploitable by entirely passive eavesdroppers, who can intercept data without needing any interaction from the user.

The report highlights Huawei as the only vendor whose keyboard app did not exhibit these vulnerabilities. This offers some peace of mind for Huawei users but leaves a significant number of users potentially exposed.

Citizen Lab estimates that the combined market share of Baidu, Sogou (mentioned in a previous report by Citizen Lab), and iFlytek represents over 95% of the third-party IME market in China, translating to roughly one billion users at risk.

This security lapse has serious consequences. Keystrokes can contain sensitive information like passwords, credit card details, and private messages. If intercepted, this data could be used for identity theft, financial fraud, and other malicious activities.

Nevertheless, the report shows the importance of using secure keyboard apps. Users should prioritize apps with a strong reputation for security and that encrypt user data properly. Additionally, it’s recommended to avoid using sensitive information on public Wi-Fi networks.

Researchers urge app developers to address these vulnerabilities immediately by implementing strong encryption methods and secure data transmission protocols.

1.  AI Model Listens to Typing, Compromising Sensitive Data
2.  Keyboard app collecting users data after 31M records leaked online
3.  Intel removes remote Android keyboard app rather than fixing its flaws
4.  Chinese Keyboard Developer Spies on User Through Built-in Keylogger
5.  Android Emoji keyboard app makes millions with unauthorized purchases

Popular Keyboard Apps Leak User Data: Billion Potentially Exposed

PRESS RELEASE

DOWNERS GROVE, Ill., April 23, 2024 – CompTIA, the world’s leading information technology (IT) certification and training body, announced today that eight of its certifications are included in U.S. Department of Defense efforts to create, qualify and upskill a more diverse workforce to protect the nation’s interests, information and infrastructure.

The Cyber Workforce Qualification Program, which includes U.S. Department of Defense Manual 8140.03 (DoDM 8140.03), modernizes DoD talent management, allowing for more targeted and flexible approaches and options to manage and achieve a qualified cyber workforce in IT, cybersecurity, cyber effects, cyber intelligence and cyber enablers.

"As a leader in cybersecurity and IT upskilling, we have worked for years to create, qualify and upskill a more diverse workforce," said Dr. James Stanger, chief technology evangelist, CompTIA. "The DoD has adopted a targeted, role-based approach to identify, develop and qualify cyber personnel. This includes clear, standards-based certifications and training options for military personnel, civilian staff and government contractors."

The eight CompTIA certifications approved for DoDM 8140.03 cover 31 different work roles within the DoD cyber workforce. These job roles range from technical support and network operations specialists to cyber defense forensic analysts, cyber policy and strategy planners and information systems security developers and managers.

"It's exciting to see how CompTIA and the DoD have taken independent paths to achieve the same goals,” Dr. Stanger said. "Pathways are vital, and we're pleased to see how the U.S. DoD has specified the need for standards-based certifications and training options for military personnel, civilian staff and government contractors."

CompTIA certifications validate essential skills through performance-based exams that assess an individual’s ability to solve problems in real-world settings. These certifications are vendor-neutral, internationally recognized and accredited by the American National Standards Institute (ANSI) to comply with the ISO 17024 standard. CompTIA has awarded 3.5 million certifications to technology professionals around the world, including more than 800,000 in cybersecurity-related disciplines.

CompTIA will lead an education session on "Navigating and Implementing DoD 8140" at TechNet Cyber, the flagship event presented annually by the Armed Forces Communications & Electronics Association International (AFCEA). This year’s conference is June 25-27 at the Baltimore Convention Center.

To learn how CompTIA certifications map to DoDM 8140.03 work roles visit https://www.comptia.org/content/tools/comptia-and-dodm-8140.

About CompTIA

The Computing Technology Industry Association (CompTIA) is the world’s leading information technology (IT) certification and training body. CompTIA is a mission-driven organization committed to unlocking the potential of every student, career changer or professional seeking to begin or advance in a technology career. Millions of current and aspiring technology workers around the world rely on CompTIA for the training, education and professional certifications that give them the confidence and skills to work in tech. https://www.comptia.org/

Tag

#intel