Hey there, it's your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.
So let's jump in before we get FOMO.
⚡ Threat of the Week
GoldenJackal Hacks Air-Gapped Systems: Meet

Hey there, it's your weekly dose of "_what the heck is going on in cybersecurity land_" – and trust me, you NEED to be in the loop this time. We've got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it's full of stuff they don't 🤫 want you to know.

So let's jump in before we get FOMO.

****⚡ Threat of the Week****

**GoldenJackal Hacks Air-Gapped Systems:** Meet GoldenJackal, the hacking crew you've probably never heard of – but should definitely know about now. They're busting into super-secure, air-gapped computer systems with sneaky worms spread through infected USB drives (yes, really!), proving that even the most isolated networks aren't safe. ESET researchers caught them red-handed using two different custom-made tools to target high-profile victims, including a South Asian embassy in Belarus and a European Union government organization.

****🔔 Top News****

*   **Mozilla Patches Firefox 0-Day:** Mozilla patched a critical zero-day flaw in its Firefox browser that it said has been actively exploited in the wild to target Tor browser users. While there are currently no details on the attacks, users are advised to update to Firefox 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1.
*   **Contagious Interview Remains Lucrative for N. Korea:** Ever since details about a North Korean hacking campaign called Contagious Interview came to light nearly a year ago, it has continued to target the technology sector with no signs of stopping anytime soon. These attacks aim to deliver backdoors and information-stealing malware by deceiving developers into executing malicious code under the pretext of a coding assignment as part of a job interview after approaching them on platforms like LinkedIn.
*   **OpenAI Disrupts Malicious Operations:** OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. One of the activity clusters was observed targeting OpenAI employees via spear-phishing attacks to deploy the SugarGh0st RAT.
*   **FBI Creates Fake Crypto to Disrupt Fraudulent Operation:** The U.S. Federal Bureau of Investigation (FBI) took the "unprecedented step" of creating its own cryptocurrency token and a company called NexFundAI to take down a fraud operation that allegedly manipulated digital asset markets by orchestrating an illegal scheme known as wash trading. A total of 18 people and entities have been charged in connection with the pump-and-dump scam, with three arrests reported so far.
*   **Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries:** A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. China, the U.S., Canada, and Germany. The botnet is based on the leaked Mirai botnet source code.

****📰 Around the Cyber World****

*   **Microsoft Announces Windows 11 Security Baseline:** Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus. It also includes Windows Protected Print (WPP), which the company described as the "new, modern and more secure print for Windows built from the ground up with security in mind." In a related development, the tech giant announced a redesigned Windows Hello experience and API support for third-party passkey providers like 1Password and Bitwarden to plug into the Windows 11 platform.
*   **Apple macOS iPhone Mirroring is Broken:** Apple announced a new iPhone mirroring feature with macOS 15.0 Sequoia, but cybersecurity firm Sevco has uncovered a privacy risk that could expose metadata associated with apps on an employee's personal iPhone to their corporate IT department. The issue stems from the fact that the iOS apps mirrored to the Mac populate the same application metadata as native macOS applications, thereby leaking information about the apps that may be installed on their phones. Apple has acknowledged the problem and is said to be working on a fix.
*   **Social Engineering Via Phone Calls:** Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). Intel 471 said it has observed a "sharp increase in underground offers for illicit call center services that can aid in malware delivery, ransomware-related calls, and other fraud-oriented social-engineering attempts."
*   **Malicious Extensions Can Bypass Manifest V3:** Google has said Manifest V3, its latest version of the extensions platform, avoids the security loopholes of its predecessor, which allowed browser add-ons to have excessive permissions and inject arbitrary JavaScript. However, new research has found that it's still possible for malicious actors to exploit minimal permissions and steal data. The findings were presented by SquareX at the DEF CON conference back in August. The research also coincides with a study that discovered "hundreds of extensions automatically extracting user content from within web pages, impacting millions of users."
*   **What can a USB reveal?:** A new analysis from Group-IB goes into detail about the artifacts generated in the USB device when files are accessed or modified on devices running various operating systems. "USB formatted with NTFS, FAT32, and ExFAT often create temporary files, particularly during file modifications," the company said. "USB formatted with NTFS on Windows provided more information on file system changes from the $Logfile due to its journaling capabilities." USB formatted with HFS+ has been found to store versions of files that have been edited with GUI tools in a versioning database. Likewise, USB formatted with FAT32/ExFAT on macOS generates ". \_filename" files to ensure file system compatibility for storing extended attributes.

**🔥 **Cybersecurity Resources & Insights****

*   **Expert Webinars**
    *   **Building a Successful Data Security Posture Management Program**: Drowning in data security headaches? Hear directly from Global-e's CISO how Data Security Posture Management (DSPM) transformed their data security. Get real-world insights, and practical advice, get your questions answered and actionable strategies in this exclusive webinar, and walk away with a clear roadmap. Reserve your seat today!
    *   **Ex-Mandiant Expert Exposes Identity Theft Tactics**: LUCR-3 is breaching organizations like yours through identity-based attacks. Learn how to protect your cloud and SaaS environments from this advanced threat. Cybersecurity expert Ian Ahl (former Mandiant) reveals the latest tactics and how to defend your organization. Register for this crucial webinar to gain the upper hand.
*   **Ask the Expert**
    *   **Q: With mobile devices increasingly targeted by cybercriminals, how can individuals protect their devices from network-based attacks, especially in unfamiliar or high-risk environments, such as when traveling?**
    *   **A:** When you're traveling, your mobile device can be a target for attacks like rogue base stations—fake cell towers set up to steal data or track your location. To protect yourself, start by enabling Lockdown Mode on iPhones, which blocks vulnerable 2G connections. Always use a VPN to keep your internet traffic encrypted and avoid using public Wi-Fi without it. A great tool to boost your awareness is the CellGuard app for iOS. It scans your network for suspicious activity, like rogue base stations, by analyzing things like signal strength and network anomalies. While it may flag some false alarms, it gives you an extra layer of protection.
*   **Cybersecurity Tools**
    *   **Broken Hill: A New Tool to Test AI Models' Weaknesses** \- It is an advanced tool that makes it easy to trick large AI models into misbehaving by bypassing their restrictions. It uses the Greedy Coordinate Gradient (GCG) attack to craft clever prompts that push popular models, like Llama-2 and Microsoft's Phi, to respond in ways they normally wouldn't. The best part? You can run it on consumer GPUs, like the Nvidia RTX 4090, without needing costly cloud servers. Ideal for researchers and security testers, Broken Hill helps uncover and fix vulnerabilities in AI models, making it a must-have tool in the fight against AI threats.
*   **Tip of the Week**
    *   **Your Browser Extensions Are Spying on You:** Browser extensions can be useful but also risky, with potential access to your data or hidden malware. Protect yourself by removing unused extensions, checking their permissions, and only allowing them to run on specific sites. Enable "Click to activate" for more control, and use tools like Chrome's Extension Source Viewer to spot any suspicious behavior. Keep extensions updated, monitor network traffic for unusual activity, and consider using a separate browser for sensitive tasks. Features like Firefox's Temporary Container Tabs can also help by isolating extension access. These simple steps can keep your browsing safer.

****Conclusion****

And that's how the cybersecurity cookie crumbles this week! But listen, before you log off and chill, remember this: always double-check the sender's email address before clicking any links, even if it looks like it's from your bestie or your bank. Phishing scams are getting sneakier than ever, so stay sharp! Until next time, stay safe and cyber-aware!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

Red Hat Security Advisory 2024-7433-03 - An update for kpatch-patch-4_18_0-372_118_1 and kpatch-patch-4_18_0-372_91_1 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7433.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-4_18_0-372_118_1 and kpatch-patch-4_18_0-372_91_1 security updateAdvisory ID:        RHSA-2024:7433-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7433Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-41071====================================================================Summary: An update for kpatch-patch-4_18_0-372_118_1 and kpatch-patch-4_18_0-372_91_1 is now available for Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-4.18.0-372.91.1.el8_6.Security Fix(es):* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41071References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7433-03

Red Hat Security Advisory 2024-7432-03 - An update for kpatch-patch-5_14_0-427_13_1 and kpatch-patch-5_14_0-427_31_1 is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7432.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-5_14_0-427_13_1 and kpatch-patch-5_14_0-427_31_1 security updateAdvisory ID:        RHSA-2024:7432-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7432Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-41071====================================================================Summary: An update for kpatch-patch-5_14_0-427_13_1 and kpatch-patch-5_14_0-427_31_1 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-5.14.0-427.13.1.el9_4.Security Fix(es):* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41071References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7432-03

Red Hat Security Advisory 2024-7431-03 - An update for kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7431.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 security updateAdvisory ID:        RHSA-2024:7431-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7431Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-41071====================================================================Summary: An update for kpatch-patch-5_14_0-284_52_1 and kpatch-patch-5_14_0-284_79_1 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-5.14.0-284.52.1.el9_2.Security Fix(es):* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41071References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7431-03

Red Hat Security Advisory 2024-7430-03 - An update for kpatch-patch-4_18_0-477_43_1 and kpatch-patch-4_18_0-477_67_1 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7430.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-4_18_0-477_43_1 and kpatch-patch-4_18_0-477_67_1 security updateAdvisory ID:        RHSA-2024:7430-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7430Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-41071====================================================================Summary: An update for kpatch-patch-4_18_0-477_43_1 and kpatch-patch-4_18_0-477_67_1 is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-4.18.0-477.43.1.el8_8.Security Fix(es):* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41071References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7430-03

Red Hat Security Advisory 2024-7429-03 - An update for kpatch-patch-4_18_0-553 and kpatch-patch-4_18_0-553_16_1 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7429.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kpatch-patch-4_18_0-553 and kpatch-patch-4_18_0-553_16_1 security update  
Advisory ID:        RHSA-2024:7429-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7429  
Issue date:         2024-10-01  
Revision:           03  
CVE Names:          CVE-2024-41071  
====================================================================

Summary: 

An update for kpatch-patch-4_18_0-553 and kpatch-patch-4_18_0-553_16_1 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-4.18.0-553.16.1.el8_10.

Security Fix(es):

* kernel: virtio-net: tap: mlx5_core short frame denial of service (CVE-2024-41090)

* kernel: virtio-net: tun: mlx5_core short frame denial of service (CVE-2024-41091)

* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-41071

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2299240  
https://bugzilla.redhat.com/show_bug.cgi?id=2299336  
https://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7429-03

Red Hat Security Advisory 2024-7428-03 - An update for kpatch-patch-5_14_0-70_112_1 and kpatch-patch-5_14_0-70_85_1 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7428.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-5_14_0-70_112_1 and kpatch-patch-5_14_0-70_85_1 security updateAdvisory ID:        RHSA-2024:7428-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7428Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-41071====================================================================Summary: An update for kpatch-patch-5_14_0-70_112_1 and kpatch-patch-5_14_0-70_85_1 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-5.14.0-70.85.1.el9_0.Security Fix(es):* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-41071References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7428-03

Red Hat Security Advisory 2024-7427-03 - An update for kpatch-patch-4_18_0-305_120_1 and kpatch-patch-4_18_0-305_138_1 is now available for Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include code execution and use-after-free vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_7427.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch-4_18_0-305_120_1 and kpatch-patch-4_18_0-305_138_1 security updateAdvisory ID:        RHSA-2024:7427-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:7427Issue date:         2024-10-01Revision:           03CVE Names:          CVE-2024-36886====================================================================Summary: An update for kpatch-patch-4_18_0-305_120_1 and kpatch-patch-4_18_0-305_138_1 is now available for Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel.  This patch module is targeted for kernel-4.18.0-305.120.1.el8_4.Security Fix(es):* kernel: TIPC message reassembly use-after-free remote code execution vulnerability (CVE-2024-36886)* kernel: wifi: mac80211: Avoid address calculations via out of bounds array indexing (CVE-2024-41071)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36886References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2277238https://bugzilla.redhat.com/show_bug.cgi?id=2300448

Red Hat Security Advisory 2024-7427-03

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw…

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.

A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,

The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.

Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:

*   **Remote Lock/Unlock: They could lock or unlock the doors.**
*   **Geolocate Vehicle: Hackers could pinpoint the car’s location.**
*   **Remote Start/Stop: They could start or turn off the engine remotely.**
*   **Remote Horn/Light: They could activate the car’s horn and lights.**
*   **Remote Camera: In some cases, they could even access the car’s cameras.**

A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.

Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.

This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.

Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”

“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
3.  Globally Used Points.com Loyalty System Hacked for Good
4.  Tesla cars can be remotely hacked using drone, WIFI dongle
5.  Internet Connected Car Hacked and DDoSed via Smartphone

Hackers Could Remotely Control Kia Cars by Exploiting License Plates

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers to gain control of vulnerable devices. The flaw is under investigation, with full disclosure expected next week.

Simone Margaritelli, a cybersecurity researcher and Linux developer has discovered a critical Linux vulnerability that could allow attackers to gain complete control of vulnerable systems. This Linux vulnerability affects GNU/Linux systems, specifically for Linux Remote code execution. If confirmed, it could be one of the worst vulnerabilities in history.

****A Decade-Old Flaw:****

The vulnerability, which has reportedly existed for over a decade, impacts all GNU/Linux systems. While specific details remain confidential, the severity score of 9.9 out of 10, confirmed by major Linux distributors like Canonical and Red Hat, indicates the immense potential for damage if exploited.

****The Controversy:** **

Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, and developers are still debating whether certain aspects of the vulnerability pose a security risk. This disagreement has led to delays in addressing the issue and has caused frustration among security researchers.

Margaritelli has publicly expressed his disappointment with the handling of the disclosure. He claims to have provided proof-of-concept exploits, but developers have been more focused on debating the vulnerability’s impact rather than working towards a solution.

He has, therefore, decided not to go for responsible disclosure instead of full disclosure of the flaw. While his decision could accelerate the fix race but will also expose millions of Linux systems to malicious attacks if no swift countermeasures are taken.

For your information, Simone Margaritelli, aka evilsocket, is a renowned cybersecurity expert who has created numerous tools for professionals and researchers worldwide. One of his most notable contributions is Bettercap, an open-source tool designed for Man-in-the-Middle (MITM) hacking attacks and network penetration testing.

The vulnerability may affect known exposed services like OpenSSH and possibly filtering services like Net Filter, although there is no indication of which service may be affected, and these are just hypotheses.

As per the latest updates, the flaw will be initially disclosed to the Openwall security mailing list on September 30th, followed by full public disclosure on October 6th. Linux users are advised to stay informed about official updates and patch systems as soon as patches are available.

> \* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.  
> \* Full disclosure happening in less than 2 weeks (as agreed with devs).  
> \* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).  
> \* Still no working fix.  
> \* Canonical, RedHat and… pic.twitter.com/N2d1rm2VeR
> 
> — Simone Margaritelli (@evilsocket) September 23, 2024

Brian Fox, CTO of software security platform, Sonatype, and governing board member of the Open Source Security Foundation, has found similarities between this vulnerability and the **Log4j/Log4Shell** vulnerability (CVE-2021-44228). Fox is working closely with Sonatype’s research team and the open-source security community to understand the gravity of the issue and possible mitigation methods.

“While we don’t have the technical details yet, a vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system. Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your wifi router to the grid keeping the lights on runs on Linux,” Brain explained.

He further added “This combination of low complexity and high usage is reminiscent of Log4Shell, though the scale of usage here is much more significant. I understand the logic in phasing out disclosure, as this vulnerability will take time to find and fix, however, we should also expect threat actors to be scrutinizing the commit history and looking for clues to exploit.”

“As we wait for more details to come out, enterprise security teams must scour their environments and SBOMs to understand where they might be vulnerable and be prepared to patch. Cancel your vacations because, on October 6, it could be a race against attackers,” Brian emphasised.

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
3.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw**
4.  **9-year-old Windows flaw dropped ZLoader malware in 111 countries**
5.  **7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike**

Tag

#wifi