A significant amount of vulnerabilities in the Linux kernel have been resolved that include use-after-free and race conditions.

    Linux kernel vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives:-   Ubuntu 20.04 LTS-   Ubuntu 18.04 LTS-   Ubuntu 16.04 LTS-   Ubuntu 22.04 LTS-   Ubuntu 14.04 LTSSummarySeveral security issues were fixed in the kernel.Software Description-   linux - Linux kernel-   linux-aws - Linux kernel for Amazon Web Services (AWS) systems-   linux-azure - Linux kernel for Microsoft Azure Cloud systems-   linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems-   linux-gke - Linux kernel for Google Container Engine (GKE) systems-   linux-gkeop - Linux kernel for Google Container Engine (GKE) systems-   linux-ibm - Linux kernel for IBM cloud systems-   linux-oracle - Linux kernel for Oracle Cloud systemsDetailsIn the Linux kernel, the following vulnerability has been resolved:inet: inet_defrag: prevent sk release while still in use ip_local_out()and other functions can pass skb->sk as function argument. If the skb isa fragment and reassembly happens before such function call returns, thesk must not be released. This affects skb fragments reassembled vianetfilter or similar modules, e.g. openvswitch or ct_act.c, when run aspart of tx pipeline. Eric Dumazet made an initial analysis of this bug.Quoting Eric: Calling ip_defrag() in output path is also implyingskb_orphan(), which is buggy because output path relies on sk notdisappearing. A relevant old patch about the issue was : 8282f27449bf(“inet: frag: Always orphan skbs inside ip_defrag()”) [..net/ipv4/ip_output.c depends on skb->sk being set, and probably to aninet socket, not an arbitrary one. If we orphan the packet in ipvlan,then downstream things like FQ packet scheduler will not work properly.We need to change ip_defrag() to only use skb_orphan() when reallyneeded, ie whenever frag_list is going to be used. Eric suggested tostash sk in fragment queue and made an initial patch. However there is aproblem with this: If skb is refragmented again right after,ip_do_fragment() will copy head->sk to the new fragments, and sets updestructor to sock_wfree. IOW, we have no choice but to fix up sk_wmemaccouting to reflect the fully reassembled skb, else wmem willunderflow. This change moves the orphan down into the core, to lastpossible moment. As ip_defrag_offset is aliased with sk_buff->sk member,we must move the offset into the FRAG_CB, else skb->sk gets clobbered.This allows to delay the orphaning long enough to learn if the skb hasto be queued or if the skb is completing the reasm queue. In the formercase, things work as before, skb is orphaned. This is safe because skbgets queued/stolen and won’t continue past reasm engine. In the lattercase, we will steal the skb->sk reference, reattach it to the head skb,and fix up wmem accouting when inet_frag inflates truesize.(CVE-2024-26921)In the Linux kernel, the following vulnerability has been resolved:af_unix: Fix garbage collector racing against connect() Garbagecollector does not take into account the risk of embryo getting enqueuedduring the garbage collection. If such embryo has a peer that carriesSCM_RIGHTS, two consecutive passes of scan_children() may see adifferent set of children. Leading to an incorrectly elevated inflightcount, and then a dangling pointer within the gc_inflight_list. socketsare AF_UNIX/SOCK_STREAM S is an unconnected socket L is a listeningin-flight socket bound to addr, not in fdtable V’s fd will be passed viasendmsg(), gets inflight count bumped connect(S, addr) sendmsg(S, [V]);close(V) __unix_gc() —————- ————————- ———– NS = unix_create1() skb1 =sock_wmalloc(NS) L = unix_find_other(addr) unix_state_lock(L)unix_peer(S) = NS // V count=1 inflight=0 NS = unix_peer(S) skb2 =sock_alloc() skb_queue_tail(NS, skb2[V]) // V became in-flight // Vcount=2 inflight=1 close(V) // V count=1 inflight=1 // GC candidatecondition met for u in gc_inflight_list: if (total_refs ==inflight_refs) add u to gc_candidates // gc_candidates={L, V} for u ingc_candidates: scan_children(u, dec_inflight) // embryo (skb1) was not// reachable from L yet, so V’s // inflight remains unchanged__skb_queue_tail(L, skb1) unix_state_unlock(L) for u in gc_candidates:if (u.inflight) scan_children(u, inc_inflight_move_tail) // V count=1inflight=2 (!) If there is a GC-candidate listening socket, lock/unlockits state. This makes GC wait until the end of any ongoing connect() tothat socket. After flipping the lock, a possibly SCM-laden embryo isalready enqueued. And if there is another embryo coming, it can notpossibly carry SCM_RIGHTS. At this point, unix_inflight() can not happenbecause unix_gc_lock is already taken. Inflight graph remainsunaffected. (CVE-2024-26923)In the Linux kernel, the following vulnerability has been resolved: mm:swap: fix race between free_swap_and_cache() and swapoff() There waspreviously a theoretical window where swapoff() could run and teardown aswap_info_struct while a call to free_swap_and_cache() was running inanother thread. This could cause, amongst other bad possibilities,swap_page_trans_huge_swapped() (called by free_swap_and_cache()) toaccess the freed memory for swap_map. This is a theoretical problem andI haven’t been able to provoke it from a test case. But there has beenagreement based on code review that this is possible (see link below).Fix it by using get_swap_device()/put_swap_device(), which will stallswapoff(). There was an extra check in _swap_info_get() to confirm thatthe swap entry was not free. This isn’t present in get_swap_device()because it doesn’t make sense in general due to the race between gettingthe reference and swapoff. So I’ve added an equivalent check directly infree_swap_and_cache(). Details of how to provoke one possible issue(thanks to David Hildenbrand for deriving this): –8<—–__swap_entry_free() might be the last user and result in “count ==SWAP_HAS_CACHE”. swapoff->try_to_unuse() will stop as soon as soon assi->inuse_pages==0. So the question is: could someone reclaim the folioand turn si->inuse_pages==0, before we completedswap_page_trans_huge_swapped(). Imagine the following: 2 MiB folio inthe swapcache. Only 2 subpages are still references by swap entries.Process 1 still references subpage 0 via swap entry. Process 2 stillreferences subpage 1 via swap entry. Process 1 quits. Callsfree_swap_and_cache(). -> count == SWAP_HAS_CACHE [then, preempted inthe hypervisor etc.] Process 2 quits. Calls free_swap_and_cache(). ->count == SWAP_HAS_CACHE Process 2 goes ahead, passesswap_page_trans_huge_swapped(), and calls __try_to_reclaim_swap().__try_to_reclaim_swap()->folio_free_swap()->delete_from_swap_cache()->put_swap_folio()->free_swap_slot()->swapcache_free_entries()->swap_entry_free()->swap_range_free()-> … WRITE_ONCE(si->inuse_pages,si->inuse_pages - nr_entries); What stops swapoff to succeed afterprocess 2 reclaimed the swap cache but before process1 finished its callto swap_page_trans_huge_swapped()? –8<—– (CVE-2024-26960)In the Linux kernel, the following vulnerability has been resolved:Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When thesco connection is established and then, the sco socket is releasing,timeout_work will be scheduled to judge whether the sco disconnection istimeout. The sock will be deallocated later, but it is dereferencedagain in sco_sock_timeout. As a result, the use-after-free bugs willhappen. The root cause is shown below: Cleanup Thread | Worker Threadsco_sock_release | sco_sock_close | __sco_sock_close |sco_sock_set_timer | schedule_delayed_work | sco_sock_kill | (wait atime) sock_put(sk) //FREE | sco_sock_timeout | sock_hold(sk) //USE TheKASAN report triggered by POC is shown below: [ 95.890016================================================================== [95.890496] BUG: KASAN: slab-use-after-free insco_sock_timeout+0x5e/0x1c0 [ 95.890755] Write of size 4 at addrffff88800c388080 by task kworker/0:0/7 … [ 95.890755] Workqueue: eventssco_sock_timeout [ 95.890755] Call Trace: [ 95.890755][ 95.890755] dump_stack_lvl+0x45/0x110 [ 95.890755]print_address_description+0x78/0x390 [ 95.890755print_report+0x11b/0x250 [ 95.890755] ? __virt_addr_valid+0xbe/0xf0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_report+0x139/0x170 [ 95.890755] ? update_load_avg+0xe5/0x9f0 [95.890755] ? sco_sock_timeout+0x5e/0x1c0 [ 95.890755kasan_check_range+0x2c3/0x2e0 [ 95.890755] sco_sock_timeout+0x5e/0x1c0 [95.890755] process_one_work+0x561/0xc50 [ 95.890755worker_thread+0xab2/0x13c0 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] kthread+0x279/0x300 [ 95.890755] ? pr_cont_work+0x490/0x490 [95.890755] ? kthread_blkcg+0xa0/0xa0 [ 95.890755]ret_from_fork+0x34/0x60 [ 95.890755] ? kthread_blkcg+0xa0/0xa0 [95.890755 ret_from_fork_asm+0x11/0x20 [ 95.890755][ 95.890755] [ 95.890755 Allocated by task 506: [ 95.890755]kasan_save_track+0x3f/0x70 [ 95.890755 __kasan_kmalloc+0x86/0x90 [95.890755] __kmalloc+0x17f/0x360 [ 95.890755 sk_prot_alloc+0xe1/0x1a0 [95.890755] sk_alloc+0x31/0x4e0 [ 95.890755 bt_sock_alloc+0x2b/0x2a0 [95.890755] sco_sock_create+0xad/0x320 [ 95.890755]bt_sock_create+0x145/0x320 [ 95.890755 __sock_create+0x2e1/0x650 [95.890755] __sys_socket+0xd0/0x280 [ 95.890755__x64_sys_socket+0x75/0x80 [ 95.890755] do_syscall_64+0xc4/0x1b0 [95.890755] entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [95.890755] Freed by task 506: [ 95.890755] kasan_save_track+0x3f/0x70 [95.890755] kasan_save_free_info+0x40/0x50 [ 95.890755poison_slab_object+0x118/0x180 [ 95.890755] __kasan_slab_free+0x12/0x30[ 95.890755] kfree+0xb2/0x240 [ 95.890755] __sk_destruct+0x317/0x410 [95.890755] sco_sock_release+0x232/0x280 [ 95.890755]sock_close+0xb2/0x210 [ 95.890755] __fput+0x37f/0x770 [ 95.890755]task_work_run+0x1ae/0x210 [ 95.890755] get_signal+0xe17/0xf70 [95.890755 arch_do_signal_or_restart+0x3f/0x520 [ 95.890755syscall_exit_to_user_mode+0x55/0x120 [ 95.890755]do_syscall_64+0xd1/0x1b0 [ 95.890755]entry_SYSCALL_64_after_hwframe+0x67/0x6f [ 95.890755] [ 95.890755] Thebuggy address belongs to the object at ffff88800c388000 [ 95.890755]which belongs to the cache kmalloc-1k of size 1024 [ 95.890755 The buggyaddress is located 128 bytes inside of [ 95.890755] freed 1024-byteregion [ffff88800c388000, ffff88800c388400) [ 95.890755] [ 95.890755]The buggy address belongs to the physical page: [ 95.890755 page:refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800c38a800pfn:0xc388 [ 95.890755] head: order:3 entire_mapcount:0nr_pages_mapped:0 pincount:0 [ 95.890755] ano —truncated—(CVE-2024-27398)In the Linux kernel, the following vulnerability has been resolved:watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_triggerWhen the cpu5wdt module is removing, the origin code uses del_timer() tode-activate the timer. If the timer handler is running, del_timer()could not stop it and will return directly. If the port region isreleased by release_region() and then the timer handlercpu5wdt_trigger() calls outb() to write into the region that isreleased, the use-after-free bug will happen. Change del_timer() totimer_shutdown_sync() in order that the timer handler could be finishedbefore the port region is released. (CVE-2024-38630)Update instructionsThe problem can be corrected by updating your kernel livepatch to thefollowing versions:Ubuntu 20.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gkeop - 107.1    gkeop - 107.2    ibm - 107.1    ibm - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 18.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2    oracle - 107.1    oracle - 107.2Ubuntu 16.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    lowlatency - 107.1    lowlatency - 107.2Ubuntu 22.04 LTS    aws - 107.1    aws - 107.2    azure - 107.1    azure - 107.2    gcp - 107.1    gcp - 107.2    generic - 107.1    generic - 107.2    gke - 107.1    gke - 107.2    ibm - 107.1    ibm - 107.2    oracle - 107.1Ubuntu 14.04 LTS    generic - 107.1    lowlatency - 107.1Support InformationLivepatches for supported LTS kernels will receive upgrades for a periodof up to 13 months after the build date of the kernel.Livepatches for supported HWE kernels which are not based on an LTSkernel version will receive upgrades for a period of up to 9 monthsafter the build date of the kernel, or until the end of support for thatkernel’s non-LTS distro release version, whichever is sooner.References-   CVE-2024-26921-   CVE-2024-26923-   CVE-2024-26960-   CVE-2024-27398-   CVE-2024-38630

Kernel Live Patch Security Notice LSN-0107-1

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.
The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point

High-profile entities in India have become the target of malicious campaigns orchestrated by the Pakistan-based Transparent Tribe threat actor and a previously unknown China-nexus cyber espionage group dubbed IcePeony.

The intrusions linked to Transparent Tribe involve the use of a malware called ElizaRAT and a new stealer payload dubbed ApoloStealer on specific victims of interest, Check Point said in a technical write-up published this week.

"ElizaRAT samples indicate a systematic abuse of cloud-based services, including Telegram, Google Drive, and Slack, to facilitate command-and-control communications," the Israeli company said.

ElizaRAT is a Windows remote access tool (RAT) that Transparent Tribe was first observed using in July 2023 as part of cyber attacks targeting Indian government sectors. Active since at least 2013, the adversary is also tracked under the names APT36, Datebug, Earth Karkaddan, Mythic Leopard, Operation C-Major, and PROJECTM.

Its malware arsenal includes tools for compromising Windows, Android, and Linux devices. The increased targeting of Linux machines is motivated by the Indian government's use of a custom Ubuntu fork called Maya OS since last year.

Infection chains are initiated by Control Panel (CPL) files likely distributed via spear-phishing techniques. As many as three distinct campaigns employing the RAT have been observed between December 2023 and August 2024, each using Slack, Google Drive, and a virtual private server (VPS) for command-and-control (C2).

ApoloStealer is designed to gather files matching several extensions (e.g., DOC, XLS, PPT, TXT, RTF, ZIP, RAR, JPG, and PNG) from the compromised host and exfiltrate them to a remote server.

In January 2024, the threat actor is said to have tweaked the modus operandi to include a dropper component that ensures the smooth functioning of ElizaRAT. Also observed in recent attacks is an additional stealer module codenamed ConnectX that's engineered to search for files from external drives, such as USBs.

The abuse of legitimate services widely used in enterprise environments heightens the threat as it complicates detection efforts and allows threat actors to blend into legitimate activities on the system.

"The progression of ElizaRAT reflects APT36's deliberate efforts to enhance their malware to better evade detection and effectively target Indian entities," Check Point said. "Introducing new payloads such as ApolloStealer marks a significant expansion of APT36's malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment."

**IcePeony Goes After India, Mauritius, and Vietnam**

The disclosure comes weeks after the nao\_sec research team revealed an advanced persistent threat (APT) group it calls IcePeony has targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam since at least 2023.

"Their attacks typically start with SQL Injection, followed by compromise via web shells and backdoors," security researchers Rintaro Koike and Shota Nakajima said. "Ultimately, they aim to steal credentials."

One of the most noteworthy tools in its malware portfolio is IceCache, which is designed to target Microsoft Internet Information Services (IIS) instances. An ELF binary written in the Go programming language, it's a custom version of the reGeorg web shell with added file transmission and command execution features.

The attacks are also characterized by the use of a unique passive-mode backdoor referred to as IceEvent that comes with capabilities to upload/download files and execute commands.

"It seems that the attackers work six days a week," the researchers noted. "While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

IcePeony and Transparent Tribe Target Indian Entities with Cloud-Based Tools

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.
The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.
"What makes the CRON#

Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts.

The "intriguing" campaign, codenamed **CRON#TRAP**, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email.

"What makes the CRON#TRAP campaign particularly concerning is that the emulated Linux instance comes pre-configured with a backdoor that automatically connects to an attacker-controlled command-and-control (C2) server," Securonix researchers Den Iuzvyk and Tim Peck said in an analysis.

"This setup allows the attacker to maintain a stealthy presence on the victim's machine, staging further malicious activity within a concealed environment, making detection challenging for traditional antivirus solutions."

The phishing messages purport to be an "OneAmerica survey" that comes with a large 285MB ZIP archive that, when opened, triggers the infection process.

As part of the as-yet-unattributed attack campaign, the LNK file serves as a conduit to extract and initiate a lightweight, custom Linux environment emulated through Quick Emulator (QEMU), a legitimate, open-source virtualization tool. The virtual machine runs on Tiny Core Linux.

The shortcut subsequently launches PowerShell commands responsible for re-extracting the ZIP file and executing a hidden "start.bat" script, which, in turn, displays a fake error message to the victim to give them the impression that the survey link is no longer working.

But in the background, it sets up the QEMU virtual Linux environment referred to as PivotBox, which comes preloaded with the Chisel tunneling utility, granting remote access to the host immediately following the startup of the QEMU instance.

"The binary appears to be a pre-configured Chisel client designed to connect to a remote Command and Control (C2) server at 18.208.230\[.\]174 via websockets," the researchers said. "The attackers' approach effectively transforms this Chisel client into a full backdoor, enabling remote command and control traffic to flow in and out of the Linux environment."

The development is one of the many constantly evolving tactics that threat actors are using to target organizations and conceal malicious activity -- case in point is a spear-phishing campaign that has been observed targeting electronic manufacturing, engineering, and industrial companies in European countries to deliver the evasive GuLoader malware.

"The emails typically include order inquiries and contain an archive file attachment," Cado Security researcher Tara Gould said. "The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order."

The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file. The batch file embeds an obfuscated PowerShell script that subsequently downloads another PowerShell script from a remote server.

The secondary PowerShell script includes functionality to allocate memory and ultimately execute the GuLoader shellcode to ultimately fetch the next-stage payload.

"Guloader malware continues to adapt its techniques to evade detection to deliver RATs," Gould said. "Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn…

SteelFox malware targets software pirates through fake activation tools, stealing credit card data and deploying crypto miners. Learn about this new threat affecting users worldwide and how to protect yourself from this sophisticated cybercrime campaign.

Cybersecurity researchers at Securelist have identified a new type of malware that has been spreading through online forums, torrent trackers, and blogs, posing as legitimate software like Foxit PDF Editor, AutoCAD, and JetBrains.

Dubbed “SteelFox” by researchers; the malware’s main targets are those Microsft Windows users who are involved in downloading pirated software and fake software activation tools (cracks).

The campaign, which began in February 2023, combines cryptocurrency mining and data stealing capabilities through fake software activation tools. So far, the malware has infected over 11,000 users worldwide.

According to Securelist’s **blog post** shared with Hackread.com ahead of publishing, SteelFox is a full-featured _“_crimeware bundle_“_ that extracts sensitive data from infected devices, including credit card information, browsing history, and login credentials. It also collects system information, such as installed software, running services, and network configurations.

The malware’s initial attack vector involves fake software activators, which are advertised on online forums and torrent trackers as a way to activate legitimate software for free. Once installed, the malware creates a service that stays on the system, even after reboots and uses a vulnerable driver to advance its privileges.

Malicious dropper advertisement (Via Securelist)

The malware operates through a multi-stage attack chain, beginning with a dropper that requires administrator privileges. Once executed, it installs itself as a Windows service and uses AES-128 encryption to hide its components. The malware achieves system-level access by exploiting vulnerable drivers and implements TLS 1.3 with SSL pinning for secure communication with its command servers.

> _“SteelFox’s Highly sophisticated usage of modern C++ combined with external libraries grants this malware formidable power. Usage of TLSv1.3 and SSL pinning ensures secure communication and harvesting of sensitive data.”_
> 
> Securelist

****Global Impact****

SteelFox does not appear to target specific individuals or organizations, instead operating on a larger scale to infect as many users as possible. The malware has already infected users in over 10 countries, including the following:

*   **UAE**
*   **India**
*   **Brazil**
*   **China**
*   **Russia**
*   **Egypt**
*   **Algeria**
*   **Mexico**
*   **Vietnam**
*   **Sri Lanka**

James McQuiggan, a security awareness advocate at **KnowBe4**, emphasized the importance of organizations being cautious about the sources of their software downloads. He also highlighted the necessity of training employees through cybersecurity awareness programs.

“The dual functionality of SteelFox’s droppers—providing both software “cracks” and malware indicates the complex tools used by cybercriminals and using an outdated driver for privilege escalation highlights the critical need for organizations to ensure they are implementing patches.”

“Organizations must ensure they verify software sources, maintain the least user privilege access control, and leverage endpoint protection to detect suspicious installation behaviours,” James explained.

“Furthermore and more importantly, ensure that cybersecurity awareness programs are provided to users about the dangers of unverified software, like open source software or these common applications. Allow for an IT-managed software solution to install and monitor all applications,” he advised.

****Protecting Yourself from SteelFox****

To avoid becoming victims of SteelFox, users should only download software from official sources and use a **reliable security solution** that can detect and prevent the installation of infected software. Additionally, users should be cautious when clicking links or downloading attachments from unknown sources, as these can often be used to spread malware.

1.  **Winos4.0 Malware Targeting Windows via Fake Gaming Apps**
2.  **Fabrice Malware on PyPI Stealing AWS Credentials for 3 Years**
3.  **SideWinder hit Android users with malware apps on Play Store**
4.  **TodoSwift Malware Targets macOS, Disguised as Bitcoin PDF App**
5.  **Octo2 Malware Uses Fake NordVPN Apps to Infect Android Phones**

New SteelFox Malware Posing as Popular Software to Steal Browser Data

PRESS RELEASE

Clearwater, Fla. – October 29, 2024 – According to a new AI Opportunity Report from remote connectivity and workplace digitalization solution company TeamViewer, 80% of U.S. business leaders say their organization’s AI adoption is mature, and 65% are sick of the hype and demand practical implementations of AI for their businesses. Leading from the C-suite, 81% of U.S. key decision makers currently use AI at least weekly, up from 60% last year, a notable 35% increase year-over-year. 

Most U.S. business leaders (72%) also agree that AI is vital to improving their organization’s financial outcomes. Along these lines, two-thirds (66%) agree that AI will positively affect revenue over the next year, with respondents saying that the technology makes an average of 249% revenue growth possible. Nearly a quarter of U.S. respondents (23%) believe that not implementing AI technology risks falling behind competitors and 24% foresee increased costs due to a lack of automation.

Successfully integrating AI into remote connectivity support is a prime example of how efficiencies can lead to better financial outcomes. Enter TeamViewer’s new AI-powered Session Insights.

AI-Powered Session Insights 

Aimed at helping IT teams boost efficiency and streamline operations, Session Insights is now being added to TeamViewer’s Tensor remote connectivity solution to automate session documentation and provide analytics, enabling faster handovers and smarter decision-making. By optimizing resources and capturing valuable knowledge, the new capabilities empower IT support teams to resolve issues faster, improve customer satisfaction, and scale expertise, even with limited staff.  

The new features will help internal IT teams better manage employee help desk requests and will also aid customer support teams providing remote assistance to keep their products onsite and customers up and running and aligned with uptime agreements. 

“AI adoption is growing rapidly as businesses increasingly recognize its tangible benefits in driving productivity and streamlining operations. Our research reveals that 81% of decision-makers now engage with AI at least weekly, a substantial rise from last year’s 60%. With the launch of TeamViewer’s new AI-powered Session Insights, we're enabling organizations to make smarter decisions and optimize processes while adhering to the highest security and data privacy standards. We uphold stringent encryption practices to safeguard customer data, ensuring secure processing, while also providing admins the control to enforce company-wide policies and keeping users informed every step of the way,” said Mei Dent, Chief Product and Technology Officer, TeamViewer. 

Trust, Security, Career Advancement & Equality

The report also delves into a variety of other topics gauging business leaders’ current perceptions of AI, including: 

*   Trust in AI: 50% of U.S. business leaders trust AI to act on business forecasts and make business decisions with an impressive 42% trusting AI to make decisions without human oversight.
    
*   Security: 75% of U.S. business leaders are concerned about data management in the use of AI and 67% would consider banning the use of AI outside of the IT team.
    
*   Career Advancement: 75% of U.S. business leaders believe AI is a key skill to enhance their career and 73% say AI has given them the chance to learn new skills they otherwise would not have.
    
*   The Great Equalizer: 72% of U.S. business leaders believe AI can help create equal job opportunities for parents and caregivers while 79% think AI can help increase accessibility in the workplace.
    

With 73% of U.S. respondents believing AI will drive the biggest productivity boom in a century and business leaders reporting that AI saves U.S. IT professionals approximately 16 hours per month, there is clearly huge momentum for increasing AI use in business, including TeamViewer’s AI-powered Session Insights, which integrates with Microsoft Teams and ServiceNow. More information can be found here.  

Survey Methodology 

In The AI Opportunity Report, TeamViewer uncovers the attitudes of 1,400 (500 in the U.S.) information technology, business, and operational technology decision makers towards Artificial Intelligence, across the UK, France, Germany, Australia, Singapore, and the U.S. The research was conducted online by Sapio Research in August and September 2024. 

About TeamViewer

TeamViewer is a leading global technology company that provides a connectivity platform to remotely access, control, manage, monitor, and repair devices of any kind – from laptops and mobile phones to industrial machines and robots. Although TeamViewer is free of charge for private use, it has more than 640,000 subscribers and enables companies of all sizes and from all industries to digitalize their business-critical processes through seamless connectivity. Against the backdrop of global megatrends like device proliferation, automation and new work, TeamViewer proactively shapes digital transformation and continuously innovates in the fields of Augmented Reality, Internet of Things and Artificial Intelligence. Since the company’s foundation in 2005, TeamViewer’s software has been installed on more than 2.5 billion devices around the world. The company is headquartered in Göppingen, Germany, and employs more than 1,500 people globally. In 2023, TeamViewer achieved a revenue of around EUR 627 million. TeamViewer SE (TMV) is listed at Frankfurt Stock Exchange and belongs to the MDAX. Further information can be found at www.teamviewer.com.

Business Leaders Shift to Tangible AI Results, Finds New TeamViewer Study

PRESS RELEASE

TORONTO, Oct. 30, 2024 /PRNewswire/ -- In 2024, Canadian banks have seen just 34% of the reported fraud cases they experienced a year ago. And yet, Canadian retail banking customers appear on pace to lose as much as or more than the $569 million they lost to fraud in 2023 (triple what they lost in 2021). BioCatch – the global leader in digital fraud detection and financial crime prevention powered by behavioral biometric intelligence – says these findings suggest fraudsters have altered their strategies, honing attacks to target fewer Canadians for more money per scam.

"While fraud volumes have decreased significantly over the last year, we're observing an increase in the average value of these cases," BioCatch Director of Global Fraud Intelligence Tom Peacock said. "We can attribute much of this to the rise in social engineering scams in Canada, particularly impersonation scams, which are notoriously higher value than other fraud types. More than 70% of impersonation scam losses in Canada originate from five-figure cases, greatly boosting the country's scam-loss average."

BioCatch's 2024 Digital Banking Fraud Trends in Canada report, also highlights that most Canadian fraud victims are now ages 20-49 instead of 50-89, debunking the common misconception that older people provide easier and more lucrative targets.

"Artificial Intelligence is super-charging fraud," BioCatch Global Advisory Director Seth Ruden said, "compounding its impact, and allowing bad actors to scale and sophisticate their scams with deepfakes and other devices. As the industry deploys the newest authentication methods in both account opening and account takeover processes, fraudsters will undoubtedly attack these as well."

BioCatch also found one in seven scam sessions in Canada showed signs of remote access trojans (RAT), whether active RAT (where the fraudster tricks the victim into granting them control of the session so they can execute the fraud themselves) or passive RAT (where the fraudster guides the victim through payment process).

Click here to access BioCatch's complete 2024 Digital Banking Fraud Trends in Canada report.

BioCatch fraud prevention experts Tom Peacock and Seth Ruden will hold a live conversation about the growth of social engineering scams in Canada and the other latest fraud trends in the country on Nov. 14. To register for that exclusive session, click here.

About BioCatch:

BioCatch stands at the forefront of digital fraud detection, pioneering behavioral biometric intelligence grounded in advanced cognitive science and machine learning. BioCatch analyzes thousands of user interactions to support a digital banking environment where identity, trust, and ease coexist. Today, 32 of the world's largest 100 banks and 210 total financial institutions rely on BioCatch Connect™ to combat fraud, facilitate digital transformation, and grow customer relationships. BioCatch's Client Innovation Board – an industry-led initiative featuring American Express, Barclays, Citi Ventures, HSBC, and National Australia Bank – collaborates to pioneer creative and innovative ways to leverage customer relationships for fraud prevention. With more than a decade of data analysis, 92 registered patents, and unmatched expertise, BioCatch continues to lead innovation to address future challenges. For more information, please visit www.biocatch.com.

Canadians Expected to Lose More Than $569M to Scams in 2024

Ubuntu Security Notice 7088-4 - Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7088-4November 07, 2024linux-aws, linux-azure-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmpvulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-xilinx-zynqmp: Linux kernel for Xilinx ZynqMP processors- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systemsDetails:Ziming Zhang discovered that the VMware Virtual GPU DRM driver in theLinux kernel contained an integer overflow vulnerability. A localattacker could use this to cause a denial of service (system crash).(CVE-2022-36402)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - PowerPC architecture;  - User-Mode Linux (UML);  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Android drivers;  - Serial ATA and Parallel ATA drivers;  - ATM drivers;  - Drivers core;  - CPU frequency scaling framework;  - Device frequency scaling framework;  - GPU drivers;  - HID subsystem;  - Hardware monitoring drivers;  - InfiniBand drivers;  - Input Device core drivers;  - Input Device (Miscellaneous) drivers;  - IOMMU subsystem;  - IRQ chip drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - EEPROM drivers;  - VMware VMCI Driver;  - MMC subsystem;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Device tree and open firmware driver;  - Parport drivers;  - PCI subsystem;  - Pin controllers subsystem;  - Remote Processor subsystem;  - S/390 drivers;  - SCSI drivers;  - QCOM SoC drivers;  - Direct Digital Synthesis drivers;  - TTY drivers;  - Userspace I/O drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - BTRFS file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFS file system;  - NILFS2 file system;  - BPF subsystem;  - Core kernel;  - DMA mapping infrastructure;  - Tracing infrastructure;  - Radix Tree data structure library;  - Kernel userspace event delivery library;  - Objagg library;  - Memory management;  - Amateur Radio drivers;  - Bluetooth subsystem;  - CAN network layer;  - Networking core;  - Ethtool driver;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - KCM (Kernel Connection Multiplexor) sockets driver;  - MAC80211 subsystem;  - Netfilter;  - Network traffic control;  - SCTP protocol;  - Sun RPC protocol;  - TIPC protocol;  - TLS protocol;  - Wireless networking;  - AppArmor security module;  - Simplified Mandatory Access Control Kernel framework;  - SoC audio core drivers;  - USB sound devices;(CVE-2024-35848, CVE-2024-43853, CVE-2024-41017, CVE-2024-26607,CVE-2024-43839, CVE-2024-41072, CVE-2024-46815, CVE-2023-52614,CVE-2024-46798, CVE-2024-46676, CVE-2024-43914, CVE-2024-43841,CVE-2024-41012, CVE-2024-27051, CVE-2024-46738, CVE-2024-47663,CVE-2024-46723, CVE-2024-46740, CVE-2024-42287, CVE-2024-46750,CVE-2024-43894, CVE-2023-52531, CVE-2024-47668, CVE-2024-47669,CVE-2024-46685, CVE-2024-41011, CVE-2024-41064, CVE-2024-42305,CVE-2024-41073, CVE-2024-46829, CVE-2024-43860, CVE-2024-46679,CVE-2024-44999, CVE-2024-46817, CVE-2024-26800, CVE-2024-46689,CVE-2024-43908, CVE-2024-46739, CVE-2024-43893, CVE-2024-46828,CVE-2024-46777, CVE-2024-46721, CVE-2024-36484, CVE-2024-46822,CVE-2024-46840, CVE-2024-43880, CVE-2024-46781, CVE-2024-46673,CVE-2024-26669, CVE-2024-41098, CVE-2024-46737, CVE-2024-43871,CVE-2024-42281, CVE-2024-42301, CVE-2024-44995, CVE-2024-43879,CVE-2024-26668, CVE-2024-44965, CVE-2024-41068, CVE-2024-41059,CVE-2024-42229, CVE-2024-44987, CVE-2024-46745, CVE-2024-26891,CVE-2024-46719, CVE-2024-42292, CVE-2024-44952, CVE-2024-46756,CVE-2024-45028, CVE-2024-42283, CVE-2024-45025, CVE-2024-46743,CVE-2024-43867, CVE-2024-46771, CVE-2024-41081, CVE-2024-42244,CVE-2024-42284, CVE-2024-43858, CVE-2024-44998, CVE-2024-46758,CVE-2024-46800, CVE-2024-45003, CVE-2024-44935, CVE-2024-38611,CVE-2024-46844, CVE-2024-44954, CVE-2024-42313, CVE-2024-46783,CVE-2024-42311, CVE-2024-46761, CVE-2024-41022, CVE-2024-43829,CVE-2024-43835, CVE-2024-43846, CVE-2024-46755, CVE-2024-47667,CVE-2024-42259, CVE-2024-41090, CVE-2024-42310, CVE-2024-42265,CVE-2024-42295, CVE-2024-46818, CVE-2024-46780, CVE-2024-44948,CVE-2024-44960, CVE-2024-44988, CVE-2024-46757, CVE-2024-45021,CVE-2024-46747, CVE-2024-43854, CVE-2024-42304, CVE-2021-47212,CVE-2024-42309, CVE-2024-44946, CVE-2024-46744, CVE-2024-42285,CVE-2024-46782, CVE-2024-43856, CVE-2024-41091, CVE-2024-42131,CVE-2024-43830, CVE-2024-42290, CVE-2024-45008, CVE-2024-42276,CVE-2024-47659, CVE-2024-40929, CVE-2024-46714, CVE-2023-52918,CVE-2024-44947, CVE-2024-42289, CVE-2024-42246, CVE-2024-41071,CVE-2024-43883, CVE-2024-46722, CVE-2024-38602, CVE-2024-43882,CVE-2024-42280, CVE-2024-46759, CVE-2024-42271, CVE-2024-44969,CVE-2024-44944, CVE-2024-46675, CVE-2024-41020, CVE-2024-41042,CVE-2024-42306, CVE-2024-46677, CVE-2024-42288, CVE-2024-41070,CVE-2024-45026, CVE-2024-41065, CVE-2024-26885, CVE-2024-42286,CVE-2024-41063, CVE-2024-43884, CVE-2024-42297, CVE-2024-43890,CVE-2024-43861, CVE-2024-45006, CVE-2024-26640, CVE-2024-26641,CVE-2024-41015)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  linux-image-5.4.0-1054-xilinx-zynqmp  5.4.0-1054.58  linux-image-5.4.0-1123-kvm      5.4.0-1123.131  linux-image-5.4.0-1134-oracle   5.4.0-1134.143  linux-image-5.4.0-1135-aws      5.4.0-1135.145  linux-image-aws-lts-20.04       5.4.0.1135.132  linux-image-kvm                 5.4.0.1123.119  linux-image-oracle-lts-20.04    5.4.0.1134.127  linux-image-xilinx-zynqmp       5.4.0.1054.54Ubuntu 18.04 LTS  linux-image-5.4.0-1140-azure    5.4.0-1140.147~18.04.1          Available with Ubuntu Pro  linux-image-azure               5.4.0.1140.147~18.04.1          Available with Ubuntu ProAfter a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7088-4  https://ubuntu.com/security/notices/USN-7088-3  https://ubuntu.com/security/notices/USN-7088-2  https://ubuntu.com/security/notices/USN-7088-1  CVE-2021-47212, CVE-2022-36402, CVE-2023-52531, CVE-2023-52614,  CVE-2023-52918, CVE-2024-26607, CVE-2024-26640, CVE-2024-26641,  CVE-2024-26668, CVE-2024-26669, CVE-2024-26800, CVE-2024-26885,  CVE-2024-26891, CVE-2024-27051, CVE-2024-35848, CVE-2024-36484,  CVE-2024-38602, CVE-2024-38611, CVE-2024-40929, CVE-2024-41011,  CVE-2024-41012, CVE-2024-41015, CVE-2024-41017, CVE-2024-41020,  CVE-2024-41022, CVE-2024-41042, CVE-2024-41059, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41068, CVE-2024-41070,  CVE-2024-41071, CVE-2024-41072, CVE-2024-41073, CVE-2024-41081,  CVE-2024-41090, CVE-2024-41091, CVE-2024-41098, CVE-2024-42131,  CVE-2024-42229, CVE-2024-42244, CVE-2024-42246, CVE-2024-42259,  CVE-2024-42265, CVE-2024-42271, CVE-2024-42276, CVE-2024-42280,  CVE-2024-42281, CVE-2024-42283, CVE-2024-42284, CVE-2024-42285,  CVE-2024-42286, CVE-2024-42287, CVE-2024-42288, CVE-2024-42289,  CVE-2024-42290, CVE-2024-42292, CVE-2024-42295, CVE-2024-42297,  CVE-2024-42301, CVE-2024-42304, CVE-2024-42305, CVE-2024-42306,  CVE-2024-42309, CVE-2024-42310, CVE-2024-42311, CVE-2024-42313,  CVE-2024-43829, CVE-2024-43830, CVE-2024-43835, CVE-2024-43839,  CVE-2024-43841, CVE-2024-43846, CVE-2024-43853, CVE-2024-43854,  CVE-2024-43856, CVE-2024-43858, CVE-2024-43860, CVE-2024-43861,  CVE-2024-43867, CVE-2024-43871, CVE-2024-43879, CVE-2024-43880,  CVE-2024-43882, CVE-2024-43883, CVE-2024-43884, CVE-2024-43890,  CVE-2024-43893, CVE-2024-43894, CVE-2024-43908, CVE-2024-43914,  CVE-2024-44935, CVE-2024-44944, CVE-2024-44946, CVE-2024-44947,  CVE-2024-44948, CVE-2024-44952, CVE-2024-44954, CVE-2024-44960,  CVE-2024-44965, CVE-2024-44969, CVE-2024-44987, CVE-2024-44988,  CVE-2024-44995, CVE-2024-44998, CVE-2024-44999, CVE-2024-45003,  CVE-2024-45006, CVE-2024-45008, CVE-2024-45021, CVE-2024-45025,  CVE-2024-45026, CVE-2024-45028, CVE-2024-46673, CVE-2024-46675,  CVE-2024-46676, CVE-2024-46677, CVE-2024-46679, CVE-2024-46685,  CVE-2024-46689, CVE-2024-46714, CVE-2024-46719, CVE-2024-46721,  CVE-2024-46722, CVE-2024-46723, CVE-2024-46737, CVE-2024-46738,  CVE-2024-46739, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744,  CVE-2024-46745, CVE-2024-46747, CVE-2024-46750, CVE-2024-46755,  CVE-2024-46756, CVE-2024-46757, CVE-2024-46758, CVE-2024-46759,  CVE-2024-46761, CVE-2024-46771, CVE-2024-46777, CVE-2024-46780,  CVE-2024-46781, CVE-2024-46782, CVE-2024-46783, CVE-2024-46798,  CVE-2024-46800, CVE-2024-46815, CVE-2024-46817, CVE-2024-46818,  CVE-2024-46822, CVE-2024-46828, CVE-2024-46829, CVE-2024-46840,  CVE-2024-46844, CVE-2024-47659, CVE-2024-47663, CVE-2024-47667,  CVE-2024-47668, CVE-2024-47669Package Information:  https://launchpad.net/ubuntu/+source/linux-aws/5.4.0-1135.145  https://launchpad.net/ubuntu/+source/linux-kvm/5.4.0-1123.131  https://launchpad.net/ubuntu/+source/linux-oracle/5.4.0-1134.143  https://launchpad.net/ubuntu/+source/linux-xilinx-zynqmp/5.4.0-1054.58

Ubuntu Security Notice USN-7088-4

Ubuntu Security Notice 7095-1 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7095-1November 07, 2024linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-nvidia: Linux kernel for NVIDIA systems- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems- linux-nvidia-6.8: Linux kernel for NVIDIA systemsDetails:Chenyuan Yang discovered that the USB Gadget subsystem in the Linuxkernel did not properly check for the device to be enabled beforewriting. A local attacker could possibly use this to cause a denial ofservice. (CVE-2024-25741)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM32 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - S390 architecture;  - x86 architecture;  - Cryptographic API;  - Serial ATA and Parallel ATA drivers;  - Null block device driver;  - Bluetooth drivers;  - Cdrom driver;  - Clock framework and drivers;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Cirrus firmware drivers;  - GPIO subsystem;  - GPU drivers;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - Fastrpc Driver;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - NVMEM (Non Volatile Memory) drivers;  - PCI subsystem;  - Pin controllers subsystem;  - x86 platform drivers;  - S/390 drivers;  - SCSI drivers;  - Thermal drivers;  - TTY drivers;  - UFS subsystem;  - USB DSL drivers;  - USB core drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - VFIO drivers;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - GFS2 file system;  - JFFS2 file system;  - JFS file system;  - Network file systems library;  - Network file system client;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Memory management;  - Netfilter;  - Tracing infrastructure;  - io_uring subsystem;  - BPF subsystem;  - Core kernel;  - Bluetooth subsystem;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Network traffic control;  - Sun RPC protocol;  - Wireless networking;  - AMD SoC Alsa drivers;  - SoC Audio for Freescale CPUs drivers;  - MediaTek ASoC drivers;  - SoC audio core drivers;  - SOF drivers;  - Sound sequencer drivers;(CVE-2024-42271, CVE-2024-42068, CVE-2024-42086, CVE-2024-42132,CVE-2024-42074, CVE-2024-41017, CVE-2024-42090, CVE-2024-42280,CVE-2024-41030, CVE-2024-41037, CVE-2024-42248, CVE-2024-42084,CVE-2024-41057, CVE-2024-42252, CVE-2024-41055, CVE-2024-42158,CVE-2024-42097, CVE-2024-42101, CVE-2024-42095, CVE-2024-41084,CVE-2024-41051, CVE-2024-41032, CVE-2024-41046, CVE-2024-42231,CVE-2024-42133, CVE-2024-42089, CVE-2024-41062, CVE-2024-41033,CVE-2024-41012, CVE-2024-41077, CVE-2024-41064, CVE-2024-41082,CVE-2024-41090, CVE-2024-42065, CVE-2024-41096, CVE-2024-42119,CVE-2024-41054, CVE-2024-42064, CVE-2024-42253, CVE-2024-42237,CVE-2024-42120, CVE-2024-41066, CVE-2024-41083, CVE-2024-42129,CVE-2024-41085, CVE-2024-41058, CVE-2024-42146, CVE-2024-42156,CVE-2024-42076, CVE-2024-42149, CVE-2024-42069, CVE-2024-41039,CVE-2024-42110, CVE-2024-42150, CVE-2024-41015, CVE-2024-39486,CVE-2024-42144, CVE-2024-42131, CVE-2024-42087, CVE-2024-42091,CVE-2024-42236, CVE-2024-42088, CVE-2024-42112, CVE-2024-42142,CVE-2024-42082, CVE-2024-42111, CVE-2024-41028, CVE-2024-45001,CVE-2024-42077, CVE-2024-42102, CVE-2024-42239, CVE-2024-42140,CVE-2024-41091, CVE-2024-41050, CVE-2024-41034, CVE-2024-43858,CVE-2024-42145, CVE-2024-42227, CVE-2024-41029, CVE-2024-42230,CVE-2024-42096, CVE-2024-42238, CVE-2024-41027, CVE-2024-42063,CVE-2024-41023, CVE-2024-41041, CVE-2024-41038, CVE-2024-41073,CVE-2024-41067, CVE-2024-41025, CVE-2024-42152, CVE-2024-42247,CVE-2024-41065, CVE-2024-42121, CVE-2024-42157, CVE-2024-42080,CVE-2024-41076, CVE-2024-41059, CVE-2024-42108, CVE-2024-42251,CVE-2024-42093, CVE-2024-42130, CVE-2024-42126, CVE-2024-42079,CVE-2024-42246, CVE-2024-41081, CVE-2024-42092, CVE-2024-43855,CVE-2024-42235, CVE-2024-42118, CVE-2024-42067, CVE-2024-41047,CVE-2024-42155, CVE-2024-41010, CVE-2024-41061, CVE-2024-41007,CVE-2024-42245, CVE-2024-42106, CVE-2024-42066, CVE-2024-41078,CVE-2024-42113, CVE-2024-41087, CVE-2024-41092, CVE-2024-42234,CVE-2024-42124, CVE-2024-42100, CVE-2024-42128, CVE-2024-41072,CVE-2024-41022, CVE-2024-41049, CVE-2024-42229, CVE-2024-42225,CVE-2024-41052, CVE-2024-42151, CVE-2024-41094, CVE-2024-41098,CVE-2024-41035, CVE-2024-41042, CVE-2024-42114, CVE-2024-42250,CVE-2024-41095, CVE-2024-42138, CVE-2024-42241, CVE-2024-42103,CVE-2024-42094, CVE-2024-41045, CVE-2024-41075, CVE-2024-42073,CVE-2024-42153, CVE-2024-41048, CVE-2024-42085, CVE-2024-41074,CVE-2024-42244, CVE-2024-41018, CVE-2024-41079, CVE-2024-42127,CVE-2023-52887, CVE-2023-52888, CVE-2024-41071, CVE-2024-41020,CVE-2024-41036, CVE-2024-42117, CVE-2024-41068, CVE-2024-41056,CVE-2024-39487, CVE-2024-42243, CVE-2024-41019, CVE-2024-41070,CVE-2024-41044, CVE-2024-41060, CVE-2024-41088, CVE-2024-41021,CVE-2024-41053, CVE-2024-42137, CVE-2024-41086, CVE-2024-42104,CVE-2024-42109, CVE-2024-42105, CVE-2024-42136, CVE-2024-41080,CVE-2024-42098, CVE-2024-41093, CVE-2024-41063, CVE-2024-42161,CVE-2024-42147, CVE-2024-42223, CVE-2024-41097, CVE-2024-41069,CVE-2024-42240, CVE-2024-42135, CVE-2024-42070, CVE-2024-41089,CVE-2024-42141, CVE-2024-42115, CVE-2024-41031, CVE-2024-42232)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1017-nvidia   6.8.0-1017.19  linux-image-6.8.0-1017-nvidia-64k  6.8.0-1017.19  linux-image-6.8.0-1017-nvidia-lowlatency  6.8.0-1017.19.1  linux-image-6.8.0-1017-nvidia-lowlatency-64k  6.8.0-1017.19.1  linux-image-nvidia              6.8.0-1017.19  linux-image-nvidia-64k          6.8.0-1017.19  linux-image-nvidia-lowlatency   6.8.0-1017.19.1  linux-image-nvidia-lowlatency-64k  6.8.0-1017.19.1Ubuntu 22.04 LTS  linux-image-6.8.0-1017-nvidia   6.8.0-1017.19~22.04.1  linux-image-6.8.0-1017-nvidia-64k  6.8.0-1017.19~22.04.1  linux-image-nvidia-6.8          6.8.0-1017.19~22.04.1  linux-image-nvidia-64k-6.8      6.8.0-1017.19~22.04.1  linux-image-nvidia-64k-hwe-22.04  6.8.0-1017.19~22.04.1  linux-image-nvidia-hwe-22.04    6.8.0-1017.19~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7095-1  CVE-2023-52887, CVE-2023-52888, CVE-2024-25741, CVE-2024-39486,  CVE-2024-39487, CVE-2024-41007, CVE-2024-41010, CVE-2024-41012,  CVE-2024-41015, CVE-2024-41017, CVE-2024-41018, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41021, CVE-2024-41022, CVE-2024-41023,  CVE-2024-41025, CVE-2024-41027, CVE-2024-41028, CVE-2024-41029,  CVE-2024-41030, CVE-2024-41031, CVE-2024-41032, CVE-2024-41033,  CVE-2024-41034, CVE-2024-41035, CVE-2024-41036, CVE-2024-41037,  CVE-2024-41038, CVE-2024-41039, CVE-2024-41041, CVE-2024-41042,  CVE-2024-41044, CVE-2024-41045, CVE-2024-41046, CVE-2024-41047,  CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41051,  CVE-2024-41052, CVE-2024-41053, CVE-2024-41054, CVE-2024-41055,  CVE-2024-41056, CVE-2024-41057, CVE-2024-41058, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41061, CVE-2024-41062, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41066, CVE-2024-41067,  CVE-2024-41068, CVE-2024-41069, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41074, CVE-2024-41075,  CVE-2024-41076, CVE-2024-41077, CVE-2024-41078, CVE-2024-41079,  CVE-2024-41080, CVE-2024-41081, CVE-2024-41082, CVE-2024-41083,  CVE-2024-41084, CVE-2024-41085, CVE-2024-41086, CVE-2024-41087,  CVE-2024-41088, CVE-2024-41089, CVE-2024-41090, CVE-2024-41091,  CVE-2024-41092, CVE-2024-41093, CVE-2024-41094, CVE-2024-41095,  CVE-2024-41096, CVE-2024-41097, CVE-2024-41098, CVE-2024-42063,  CVE-2024-42064, CVE-2024-42065, CVE-2024-42066, CVE-2024-42067,  CVE-2024-42068, CVE-2024-42069, CVE-2024-42070, CVE-2024-42073,  CVE-2024-42074, CVE-2024-42076, CVE-2024-42077, CVE-2024-42079,  CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,  CVE-2024-42086, CVE-2024-42087, CVE-2024-42088, CVE-2024-42089,  CVE-2024-42090, CVE-2024-42091, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42095, CVE-2024-42096, CVE-2024-42097,  CVE-2024-42098, CVE-2024-42100, CVE-2024-42101, CVE-2024-42102,  CVE-2024-42103, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42108, CVE-2024-42109, CVE-2024-42110, CVE-2024-42111,  CVE-2024-42112, CVE-2024-42113, CVE-2024-42114, CVE-2024-42115,  CVE-2024-42117, CVE-2024-42118, CVE-2024-42119, CVE-2024-42120,  CVE-2024-42121, CVE-2024-42124, CVE-2024-42126, CVE-2024-42127,  CVE-2024-42128, CVE-2024-42129, CVE-2024-42130, CVE-2024-42131,  CVE-2024-42132, CVE-2024-42133, CVE-2024-42135, CVE-2024-42136,  CVE-2024-42137, CVE-2024-42138, CVE-2024-42140, CVE-2024-42141,  CVE-2024-42142, CVE-2024-42144, CVE-2024-42145, CVE-2024-42146,  CVE-2024-42147, CVE-2024-42149, CVE-2024-42150, CVE-2024-42151,  CVE-2024-42152, CVE-2024-42153, CVE-2024-42155, CVE-2024-42156,  CVE-2024-42157, CVE-2024-42158, CVE-2024-42161, CVE-2024-42223,  CVE-2024-42225, CVE-2024-42227, CVE-2024-42229, CVE-2024-42230,  CVE-2024-42231, CVE-2024-42232, CVE-2024-42234, CVE-2024-42235,  CVE-2024-42236, CVE-2024-42237, CVE-2024-42238, CVE-2024-42239,  CVE-2024-42240, CVE-2024-42241, CVE-2024-42243, CVE-2024-42244,  CVE-2024-42245, CVE-2024-42246, CVE-2024-42247, CVE-2024-42248,  CVE-2024-42250, CVE-2024-42251, CVE-2024-42252, CVE-2024-42253,  CVE-2024-42271, CVE-2024-42280, CVE-2024-43855, CVE-2024-43858,  CVE-2024-45001Package Information:  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1017.19  https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1017.19.1  https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1017.19~22.04.1

Ubuntu Security Notice USN-7095-1

Ubuntu Security Notice 7089-3 - Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7089-3November 07, 2024linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-aws-6.8: Linux kernel for Amazon Web Services (AWS) systems- linux-oracle-6.8: Linux kernel for Oracle Cloud systemsDetails:Chenyuan Yang discovered that the USB Gadget subsystem in the Linuxkernel did not properly check for the device to be enabled beforewriting. A local attacker could possibly use this to cause a denial ofservice. (CVE-2024-25741)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM32 architecture;  - MIPS architecture;  - PA-RISC architecture;  - PowerPC architecture;  - RISC-V architecture;  - S390 architecture;  - x86 architecture;  - Cryptographic API;  - Serial ATA and Parallel ATA drivers;  - Null block device driver;  - Bluetooth drivers;  - Cdrom driver;  - Clock framework and drivers;  - Hardware crypto device drivers;  - CXL (Compute Express Link) drivers;  - Cirrus firmware drivers;  - GPIO subsystem;  - GPU drivers;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - ISDN/mISDN subsystem;  - LED subsystem;  - Multiple devices driver;  - Media drivers;  - Fastrpc Driver;  - Network drivers;  - Microsoft Azure Network Adapter (MANA) driver;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - NVMEM (Non Volatile Memory) drivers;  - PCI subsystem;  - Pin controllers subsystem;  - x86 platform drivers;  - S/390 drivers;  - SCSI drivers;  - Thermal drivers;  - TTY drivers;  - UFS subsystem;  - USB DSL drivers;  - USB core drivers;  - DesignWare USB3 driver;  - USB Gadget drivers;  - USB Serial drivers;  - VFIO drivers;  - VHOST drivers;  - File systems infrastructure;  - BTRFS file system;  - GFS2 file system;  - JFFS2 file system;  - JFS file system;  - Network file systems library;  - Network file system client;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - Memory management;  - Netfilter;  - Tracing infrastructure;  - io_uring subsystem;  - BPF subsystem;  - Core kernel;  - Bluetooth subsystem;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Network traffic control;  - Sun RPC protocol;  - Wireless networking;  - AMD SoC Alsa drivers;  - SoC Audio for Freescale CPUs drivers;  - MediaTek ASoC drivers;  - SoC audio core drivers;  - SOF drivers;  - Sound sequencer drivers;(CVE-2024-42239, CVE-2024-42079, CVE-2024-41080, CVE-2024-42064,CVE-2024-42127, CVE-2024-41049, CVE-2024-41086, CVE-2024-42142,CVE-2024-42244, CVE-2024-41060, CVE-2024-42131, CVE-2024-42085,CVE-2024-42246, CVE-2024-41062, CVE-2024-42115, CVE-2024-42234,CVE-2024-42080, CVE-2024-41095, CVE-2024-41063, CVE-2024-42227,CVE-2024-41089, CVE-2024-42133, CVE-2024-43858, CVE-2024-42135,CVE-2024-42113, CVE-2024-42120, CVE-2024-42149, CVE-2024-42132,CVE-2024-41038, CVE-2024-41069, CVE-2024-41090, CVE-2024-41059,CVE-2024-41028, CVE-2024-42126, CVE-2024-42121, CVE-2024-42155,CVE-2024-42110, CVE-2024-41021, CVE-2024-41044, CVE-2024-42098,CVE-2024-42235, CVE-2024-41083, CVE-2024-41065, CVE-2024-42094,CVE-2024-42229, CVE-2024-42240, CVE-2024-42225, CVE-2024-42230,CVE-2024-41088, CVE-2024-42073, CVE-2024-42145, CVE-2024-42076,CVE-2024-42087, CVE-2024-42241, CVE-2024-41019, CVE-2024-41052,CVE-2024-42093, CVE-2024-42063, CVE-2024-41039, CVE-2024-42106,CVE-2024-42108, CVE-2024-42237, CVE-2024-41048, CVE-2024-41033,CVE-2023-52888, CVE-2024-41096, CVE-2024-41032, CVE-2024-41091,CVE-2024-42238, CVE-2024-41056, CVE-2024-42091, CVE-2024-42088,CVE-2024-41047, CVE-2024-42271, CVE-2024-41064, CVE-2024-42223,CVE-2024-42129, CVE-2024-42102, CVE-2024-42146, CVE-2024-42138,CVE-2024-41079, CVE-2024-42232, CVE-2024-42112, CVE-2024-39487,CVE-2024-42245, CVE-2024-41093, CVE-2024-41066, CVE-2024-43855,CVE-2024-41055, CVE-2024-42100, CVE-2024-41053, CVE-2024-42069,CVE-2024-42252, CVE-2024-42243, CVE-2024-42124, CVE-2024-41054,CVE-2024-42151, CVE-2024-42118, CVE-2024-42251, CVE-2024-42137,CVE-2024-41071, CVE-2024-41010, CVE-2024-41087, CVE-2024-41050,CVE-2024-42068, CVE-2024-42158, CVE-2024-41075, CVE-2024-42141,CVE-2024-42236, CVE-2024-41068, CVE-2024-42157, CVE-2024-42140,CVE-2024-41058, CVE-2024-41076, CVE-2024-42097, CVE-2024-41029,CVE-2024-41097, CVE-2024-42109, CVE-2024-41051, CVE-2024-41061,CVE-2024-42156, CVE-2024-42101, CVE-2024-41031, CVE-2024-41017,CVE-2024-42247, CVE-2024-42128, CVE-2024-41085, CVE-2024-41072,CVE-2024-42248, CVE-2024-41045, CVE-2024-42104, CVE-2024-42253,CVE-2024-42117, CVE-2024-41078, CVE-2024-42130, CVE-2024-42090,CVE-2024-42280, CVE-2024-42250, CVE-2024-42231, CVE-2024-41042,CVE-2024-42077, CVE-2024-42153, CVE-2024-41015, CVE-2024-41035,CVE-2024-41082, CVE-2024-42114, CVE-2024-41007, CVE-2024-41073,CVE-2024-42161, CVE-2024-42082, CVE-2024-42150, CVE-2024-42111,CVE-2024-42086, CVE-2024-42095, CVE-2024-41025, CVE-2024-41081,CVE-2024-42105, CVE-2024-41027, CVE-2024-42089, CVE-2024-39486,CVE-2024-41084, CVE-2024-42092, CVE-2024-42152, CVE-2024-41022,CVE-2024-41077, CVE-2024-41098, CVE-2024-41023, CVE-2024-42066,CVE-2024-41034, CVE-2024-41037, CVE-2024-41046, CVE-2023-52887,CVE-2024-42147, CVE-2024-42065, CVE-2024-42096, CVE-2024-41018,CVE-2024-42067, CVE-2024-41041, CVE-2024-42103, CVE-2024-42084,CVE-2024-42074, CVE-2024-41094, CVE-2024-42119, CVE-2024-41012,CVE-2024-41020, CVE-2024-41074, CVE-2024-42144, CVE-2024-41067,CVE-2024-42070, CVE-2024-41057, CVE-2024-41036, CVE-2024-42136,CVE-2024-41030, CVE-2024-41070, CVE-2024-41092)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1015-oracle   6.8.0-1015.16  linux-image-6.8.0-1015-oracle-64k  6.8.0-1015.16  linux-image-6.8.0-1018-aws      6.8.0-1018.20  linux-image-aws                 6.8.0-1018.20  linux-image-oracle              6.8.0-1015.16  linux-image-oracle-64k          6.8.0-1015.16Ubuntu 22.04 LTS  linux-image-6.8.0-1015-oracle   6.8.0-1015.15~22.04.1  linux-image-6.8.0-1015-oracle-64k  6.8.0-1015.15~22.04.1  linux-image-6.8.0-1018-aws      6.8.0-1018.19~22.04.1  linux-image-aws                 6.8.0-1018.19~22.04.1  linux-image-oracle              6.8.0-1015.15~22.04.1  linux-image-oracle-64k          6.8.0-1015.15~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7089-3  https://ubuntu.com/security/notices/USN-7089-2  https://ubuntu.com/security/notices/USN-7089-1  CVE-2023-52887, CVE-2023-52888, CVE-2024-25741, CVE-2024-39486,  CVE-2024-39487, CVE-2024-41007, CVE-2024-41010, CVE-2024-41012,  CVE-2024-41015, CVE-2024-41017, CVE-2024-41018, CVE-2024-41019,  CVE-2024-41020, CVE-2024-41021, CVE-2024-41022, CVE-2024-41023,  CVE-2024-41025, CVE-2024-41027, CVE-2024-41028, CVE-2024-41029,  CVE-2024-41030, CVE-2024-41031, CVE-2024-41032, CVE-2024-41033,  CVE-2024-41034, CVE-2024-41035, CVE-2024-41036, CVE-2024-41037,  CVE-2024-41038, CVE-2024-41039, CVE-2024-41041, CVE-2024-41042,  CVE-2024-41044, CVE-2024-41045, CVE-2024-41046, CVE-2024-41047,  CVE-2024-41048, CVE-2024-41049, CVE-2024-41050, CVE-2024-41051,  CVE-2024-41052, CVE-2024-41053, CVE-2024-41054, CVE-2024-41055,  CVE-2024-41056, CVE-2024-41057, CVE-2024-41058, CVE-2024-41059,  CVE-2024-41060, CVE-2024-41061, CVE-2024-41062, CVE-2024-41063,  CVE-2024-41064, CVE-2024-41065, CVE-2024-41066, CVE-2024-41067,  CVE-2024-41068, CVE-2024-41069, CVE-2024-41070, CVE-2024-41071,  CVE-2024-41072, CVE-2024-41073, CVE-2024-41074, CVE-2024-41075,  CVE-2024-41076, CVE-2024-41077, CVE-2024-41078, CVE-2024-41079,  CVE-2024-41080, CVE-2024-41081, CVE-2024-41082, CVE-2024-41083,  CVE-2024-41084, CVE-2024-41085, CVE-2024-41086, CVE-2024-41087,  CVE-2024-41088, CVE-2024-41089, CVE-2024-41090, CVE-2024-41091,  CVE-2024-41092, CVE-2024-41093, CVE-2024-41094, CVE-2024-41095,  CVE-2024-41096, CVE-2024-41097, CVE-2024-41098, CVE-2024-42063,  CVE-2024-42064, CVE-2024-42065, CVE-2024-42066, CVE-2024-42067,  CVE-2024-42068, CVE-2024-42069, CVE-2024-42070, CVE-2024-42073,  CVE-2024-42074, CVE-2024-42076, CVE-2024-42077, CVE-2024-42079,  CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,  CVE-2024-42086, CVE-2024-42087, CVE-2024-42088, CVE-2024-42089,  CVE-2024-42090, CVE-2024-42091, CVE-2024-42092, CVE-2024-42093,  CVE-2024-42094, CVE-2024-42095, CVE-2024-42096, CVE-2024-42097,  CVE-2024-42098, CVE-2024-42100, CVE-2024-42101, CVE-2024-42102,  CVE-2024-42103, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42108, CVE-2024-42109, CVE-2024-42110, CVE-2024-42111,  CVE-2024-42112, CVE-2024-42113, CVE-2024-42114, CVE-2024-42115,  CVE-2024-42117, CVE-2024-42118, CVE-2024-42119, CVE-2024-42120,  CVE-2024-42121, CVE-2024-42124, CVE-2024-42126, CVE-2024-42127,  CVE-2024-42128, CVE-2024-42129, CVE-2024-42130, CVE-2024-42131,  CVE-2024-42132, CVE-2024-42133, CVE-2024-42135, CVE-2024-42136,  CVE-2024-42137, CVE-2024-42138, CVE-2024-42140, CVE-2024-42141,  CVE-2024-42142, CVE-2024-42144, CVE-2024-42145, CVE-2024-42146,  CVE-2024-42147, CVE-2024-42149, CVE-2024-42150, CVE-2024-42151,  CVE-2024-42152, CVE-2024-42153, CVE-2024-42155, CVE-2024-42156,  CVE-2024-42157, CVE-2024-42158, CVE-2024-42161, CVE-2024-42223,  CVE-2024-42225, CVE-2024-42227, CVE-2024-42229, CVE-2024-42230,  CVE-2024-42231, CVE-2024-42232, CVE-2024-42234, CVE-2024-42235,  CVE-2024-42236, CVE-2024-42237, CVE-2024-42238, CVE-2024-42239,  CVE-2024-42240, CVE-2024-42241, CVE-2024-42243, CVE-2024-42244,  CVE-2024-42245, CVE-2024-42246, CVE-2024-42247, CVE-2024-42248,  CVE-2024-42250, CVE-2024-42251, CVE-2024-42252, CVE-2024-42253,  CVE-2024-42271, CVE-2024-42280, CVE-2024-43855, CVE-2024-43858Package Information:  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1018.20  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1015.16  https://launchpad.net/ubuntu/+source/linux-aws-6.8/6.8.0-1018.19~22.04.1  https://launchpad.net/ubuntu/+source/linux-oracle-6.8/6.8.0-1015.15~22.04.1

Ubuntu Security Notice USN-7089-3

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how…

North Korean hackers are targeting cryptocurrency businesses with a sophisticated new malware campaign, dubbed “Hidden Risk.” Learn how this stealthy attack works, the techniques used, and how to protect yourself from this growing threat.

North Korean state-sponsored APT group ‘**BlueNoroff**‘ is targeting crypto-related businesses in a campaign dubbed ‘Hidden Risk’, according to SentinelOne’s findings shared with Hackread.com. 

SentinelLabs’ threat researchers reportedly discovered that BlueNoroff, a subgroup of the larger North Korean state-backed **Lazarus Group**, is targeting cryptocurrency and DeFi businesses using use email and PDF-based lures with fake news headlines/crypto-related stories in a campaign that began in July 2024.

Examples of fake news, posts and announcements used in the attack (Via SentinelOne)

****Analyzing the Attack****

Researchers noted that attackers have employed unique tactics to evade detection and compromise victim systems. The attack begins with a **well-crafted phishing email** that lures unsuspecting victims into clicking on a malicious link that leads to a seemingly legitimate PDF document, which is actually hiding a malicious Swift-language-based Mac application cleverly disguised as a PDF reader (signed/notarized on 19 October 2024).

“The application is disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”,” researchers **explained**.

Once executed, this application discreetly downloads a decoy PDF (Hidden Risk) and then downloads/executes a malicious x86-64 binary (“growth”) on both Intel and Apple silicon machines. 

Growth installs itself persistently and acts as a backdoor. It gathers sensitive information about the infected system, communicates with a remote server controlled by the attackers, and can potentially receive and execute commands.

****Persistence Mechanism****

To ensure persistence, the attackers have opted for a unique method of modifying the Zsh configuration file (zshenv) by adding malicious code to ensure its continued presence. This is a critical file used by the Zsh shell and is sourced during every Zsh session, allowing the backdoor to automatically execute upon system startup, even after a reboot.

****The BlueNoroff Connection****

SentinelLabs’ researchers have linked this campaign with BlueNoroff because it resembles techniques from their past campaigns, including parsing server commands and saving them in hidden files. The campaign’s network infrastructure analysis also reveals connections to domains used in previous campaigns using services like **NameCheap** and Quickpacket for hosting.

Furthermore, the malware uses a User-Agent string previously linked to BlueNoroff’s “**RustBucket**” malware and exploits a developer account to get their malware notarized by Apple, bypassing security measures like **Gatekeeper**.

****Staying Protected****

BlueNoroff has a history of targeting cryptocurrency exchanges, venture capital firms, and banks and poses a constant threat to the industry. They prefer using PDF-based lures mainly because PDF documents are widely used and trusted, making them ideal for malicious payloads.

Hackread recently **reported** BlueNoroff-linked malware, TodoSwift, disguised as a legitimate PDF viewer and ObjCShellz malware **targeting macOS** to run remote shell commands on Intel and Arm Macs.

Therefore, it is important to double-check email addresses, watch out for emails from anonymous sources, and avoid clicking on links in unknown emails, especially if they ask for downloading applications/PDFs. MacOS users must remain aware of risks given the sudden rise in **macOS-oriented attacks**.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Tag

#mac