Tag Archive for: open

EU Commission pitches double reporting of open security loopholes in cybersecurity law – EURACTIV.com


The question of who should receive extremely sensitive cyber threat intelligence has been a sticking point in the negotiations on the Cyber Resilience Act. The Commission proposed a middle ground that would double the receivers.

The Cyber Resilience Act is a legislative proposal introducing security requirements for connected devices. The file is being finalised in ‘trilogues’ between the EU Commission, Council and Parliament.

Among the obligations of product manufacturers, there is one to report not only cybersecurity incidents, as has been the case in previous legislation, but also actively exploited vulnerabilities.

If a vulnerability is being actively exploited, it means there is an entry point for hackers that has not been patched yet. As a result, this type of information is highly dangerous if it falls into the wrong hands, and who should handle this task is a politically sensitive question.

In the original Commission text, ENISA, the EU cybersecurity agency, was assigned this complex work – an approach that found support in the Parliament. By contrast, European governments want to move this task to the national Computer Security Incident Response Teams (CSIRTs).

Following the last trilogue on 8 November, Euractiv reported that a possible landing zone could involve accepting the role of the CSIRTs but with a stronger involvement of ENISA, and that the EU executive proposed that both bodies could receive the reporting simultaneously.

In an undated compromise text circulated after the trilogue, seen by Euractiv, the Commission put its idea in black-and-white.

“The manufacturers shall notify any actively exploited vulnerability contained in the product with digital elements that they become aware of to [the CSIRTs designated as coordinators pursuant to Article 12(1) of Directive (EU) 2022/2555 and ENISA],” reads the text.

National CSIRTs would, therefore, be in the driving seat of the reporting process, for instance, to request the manufacturer provide an intermediate report. The notifications would be submitted via a pan-European platform to the end-point of the CSIRT of the country where the company has its main establishment.

“A manufacturer shall…


Video Encoding Library Leaves Chrome, Firefox and More Open to Zero-Day Attack


Google and Mozilla have patched the zero-day vulnerability, which originates in the libvpx library.


Google and Mozilla have patched a zero-day vulnerability in Chrome and Firefox, respectively. The zero-day was being exploited by a commercial spyware vendor. It could leave users open to a heap buffer overflow, through which attackers could inject malicious code. Any software that uses VP8 encoding in libvpx or is based on Chromium (including Microsoft Edge) might be affected, not just Chrome or Firefox.

If you use Chrome, update to 117.0.5938.132 when it becomes available; Google Chrome says it may take “days/weeks” for all users to see the update. In Firefox, the exploit is patched in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox Focus for Android 118.1 and Firefox for Android 118.1.


This zero-day vulnerability originates in the libvpx library

The zero-day is technically a heap buffer overflow in VP8 encoding in libvpx, which is a video codec library developed by Google and the Alliance for Open Media. It is widely used to encode or decode videos in the VP8 and VP9 video coding formats.

“Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process,” the Firefox team wrote in their security advisory.

From there, the vulnerability “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” said the official Common Vulnerabilities and Exposures site.


The exploit is being tracked by Google as CVE-2023-5217. Clément Lecigne, a security researcher at Google’s Threat Analysis Group, found the flaw on September 25, leading to a patch on September 27.

“A commercial surveillance vendor” was actively using the exploit, researcher Maddie Stone of Google’s Threat Analysis Group noted on X.

There is not a lot more information available about the zero-day exploit at this time. “Google is aware that an exploit for CVE-2023-5217 exists in the wild,” the company wrote in the…


Whirlpool malware rips open old Barracuda wounds


Advanced persistent threat (APT) attacks targeting a former zero-day remote command injection vulnerability in Barracuda Email Security Gateway (ESG) appliances have been detected by the US Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, according to a CISA alert, was used to plant the Seaspy and Whirlpool backdoors as malware payloads on the compromised devices.

Seaspy is a known, persistent, and passive backdoor that masquerades as a legitimate Barracuda service, “BarracudaMailService”, and allows the threat actors to execute arbitrary commands on the ESG appliance. Whirlpool is a new backdoor used by attackers who established a Transport Layer Security (TLS) reverse shell to the command-and-control (C2) server.

“CISA obtained four malware samples — including Seaspy and Whirlpool backdoors,” the CISA alert said. “The device was compromised by threat actors exploiting the Barracuda ESG vulnerability.”

Tracked as CVE-2023-2868, the vulnerability allows remote command execution on ESG appliances running versions 5.1.3.001 to 9.2.0.006.

A long list of Barracuda offenders


Whirlpool was identified as a 32-bit Executable and Linkable Format (ELF) file that takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell.

A TLS reverse shell is a method used in cyberattacks to establish a secure communication channel between a compromised system and an attacker-controlled server.

The module that passes the two arguments was not available for CISA analysis.

Apart from Seaspy and Whirlpool, a few other backdoor strains seen in Barracuda ESG exploits include Saltwater, Submarine, and Seaside.

CVE-2023-2868 has long plagued Barracuda

The ESG vulnerability has been a…


Flipper Zero portable hacking multitool now has an app store for free and open source apps


The Flipper Zero is a pocket-sized tool designed for security researchers, software and hardware hackers, and other folks looking for a portable, versatile, and incredibly geeky toy. Designed to look more like a toy than a hacking tool, it can be used to interact with RFID, NFC, Bluetooth, or IR devices. And there are GPIO pins that let you connect other hardware to extend the capabilities.

When the Flipper Zero first launched through a Kickstarter campaign a few years ago, it shipped with software for basic functionality, but also allowed developers to write their own apps. Now the company behind the Flipper Zero has launched an app store that makes it easy for users to download around 100 apps.

Store might not really be the best word for it, because all of the apps available are free (and open source). But we’ve gotten used to calling these sorts of software repositories app stores, so I guess it’s handy to have an easy-to-understand name for the place where you can install software for a not-that-easy-to-describe device.

The Flipper Zero app store is built into the official Android and iOS apps for the device, allowing you to browse and install software without scouring a bunch of different sources on the internet.

Everything in the store has also been reviewed by the folks at Flipper Devices, so the apps should be fairly safe to use.

The Flipper Zero features a 1.4 inch, 128 x 64 pixel monochrome, sunlight-readable LCD display, a 5-button direction pad for navigation plus a back button, a status LED, microSD card reader, IR transceiver, and sub-1 GHz transceiver with a range of up to 50 meters.

IR support lets you use it as a TV remote, garage door opener, or controller for an air conditioner or other appliances. An integrated 125 kHz antenna allows you to use the Flipper Zero to read and even clone old-school RFID security badges.

There’s also a built-in 13.56 MHz NFC module and a 433 MHz antenna for communicating with other Flipper devices. You can also use the Flipper Zero as a multi-factor security authentication device.

The GPIO pins let you add a WiFi module or other hardware. And the device’s 2,000 mAh battery should last for 7 days to a month, depending…
