The CyberWire Daily Podcast 6.12.24
Ep 2087 | 6.12.24

COATHANGER isn’t hanging up just quite yet.

Transcript

Dutch military intelligence warns of the Chinese Coathanger RAT. Pure Storage joins the growing list of Snowflake victims. JetBrains patches a GitHub IDE vulnerability. A data broker hits the brakes on selling driver location data. Flaws in VLC Media Player allow remote code execution. Patch Tuesday updates. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, taking on Domain 8, Software Development Security. Farewell, computer engineering legend Lynn Conway.

Today is Wednesday, June 12th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Dutch military intelligence warns of the Chinese Coathanger RAT. 

The Dutch military intelligence and security service (MIVD) has issued a warning about an extensive Chinese cyber-espionage campaign. According to the National Cyber Security Centre (NCSC), state-sponsored hackers exploited a vulnerability in FortiGate devices (CVE-2022-42475) for two months before it was disclosed. This zero-day attack infected 14,000 devices, targeting Western governments, international organizations, and defense companies. The MIVD and the Dutch signals intelligence service (AIVD) revealed that the hackers breached the Dutch Ministry of Defence's network, deploying the COATHANGER remote access trojan (RAT). The ongoing investigation shows the hackers accessed at least 20,000 FortiGate systems globally in 2022 and 2023. Identifying and removing the COATHANGER malware remains challenging, and many systems likely remain compromised.

Pure Storage joins the growing list of Snowflake victims. 

Cloud storage provider Pure Storage confirmed a breach in its Snowflake workspace, exposing telemetry data, customer names, usernames, and email addresses. No credentials or customer data were compromised. The breach was promptly addressed, and Pure Storage found no evidence of further malicious activity. Over 11,000 customers, including high-profile companies like Meta and NASA, use Pure Storage's platform.

Snowflake, working with Mandiant and CrowdStrike, has confirmed that attackers used credentials stolen by infostealer malware to breach accounts lacking multi-factor authentication. These attacks, linked to the threat actor UNC5537, have impacted around 165 organizations. Recent breaches at Santander, Ticketmaster, and Advance Auto Parts are associated with this campaign, highlighting the ongoing threat to Snowflake customers.

JetBrains patches a GitHub IDE vulnerability. 

Integrated development environment provider JetBrains has fixed a critical vulnerability (CVE-2024-37051) in its GitHub plugin for IntelliJ-based IDEs, which could expose GitHub access tokens. The flaw, reported on May 29, 2024, allowed malicious content in pull requests to access these tokens, risking unauthorized access to GitHub accounts and repositories.

Affected IDEs include Aqua, CLion, DataGrip, DataSpell, GoLand, IntelliJ IDEA, MPS, PhpStorm, PyCharm, Rider, RubyMine, RustRover, and WebStorm. Users should update their IDEs and revoke any GitHub tokens used by the plugin. Google's IntelliJ-based Android Studio users should also upgrade and revoke tokens.

JetBrains confirmed no evidence of active exploitation before the fix but emphasized prompt updates to minimize risks.

Meanwhile, GitHub users are facing a phishing and extortion campaign that exploits the site's notification system and a malicious OAuth app. Attackers mention users in comments, triggering legitimate email notifications from GitHub. These comments mimic GitHub staff, offering jobs or alerting users to security breaches, and direct users to fake GitHub domains.

Approving the OAuth request allows attackers to wipe repositories and demand ransom via Telegram to recover data. Compromised accounts are then used to perpetuate the scam.

Max Gannon from Cofense highlights that while the attackers, dubbed "Gitloker," seem low-skill and extortion-focused, the incident underscores the risk of supply chain attacks and the need for vigilance in tracking code sources. Further evidence links Gitloker to additional extortion attempts demanding payments to prevent data exposure.

A data broker hits the brakes on selling driver location data. 

General Motors faced backlash for selling driver behavior data to brokers, who then resold it to insurers. In response, data broker Verisk stopped accepting data from car makers like GM, Honda, and Hyundai and ceased providing driving behavior reports to insurers. Privacy4Cars confirmed this after inquiring with Verisk.

However, LexisNexis Risk Solutions continues to promote its driver behavior data product to insurers despite criticism from state governments and consumer groups. Their Telematics OnDemand service still markets partnerships with automakers, including Kia, Subaru, and Mitsubishi. LexisNexis emphasizes responsible data use and transparency, but the auto industry's data-sharing practices face increasing scrutiny from state and federal authorities.

Flaws in VLC Media Player allow remote code execution.

VideoLAN disclosed critical vulnerabilities in the popular VLC Media Player that could allow remote code execution. Both desktop and iOS versions are affected.

SB-VLC3021 (Desktop): An integer overflow in handling MMS streams can lead to a heap overflow, potentially crashing the player or executing arbitrary code. Users should update to version 3.0.21 and avoid untrusted MMS streams.

SB-VLC-iOS359 (iOS): A WiFi file-sharing path traversal vulnerability could allow local network attacks, leading to a denial of service. Users should update to version 3.5.9 to mitigate this risk.

Patch Tuesday updates. 

Yesterday was Patch Tuesday, and Microsoft released fixes for 51 security flaws. Key updates include:

18 remote code execution vulnerabilities, including one critical flaw in Microsoft Message Queuing (MSMQ)

25 elevation of privilege vulnerabilities

3 information disclosure vulnerabilities

5 denial of service vulnerabilities

The disclosed zero-day, CVE-2023-50868, involves a DNSSEC validation flaw causing CPU exhaustion, potentially leading to a denial of service. It was previously disclosed in February and has been patched in multiple DNS implementations.

Other notable fixes include Microsoft Office RCEs and Windows Kernel privilege elevation flaws, enhancing overall system security.

June 2024's Patch Tuesday also brings critical security updates from several ICS vendors, including Siemens, Schneider Electric, and Aveva, along with new advisories from the US cybersecurity agency CISA.

Siemens issued 14 new advisories addressing over 120 vulnerabilities, with patches and mitigations available. Most of the flaws affect third-party components and have been known since last year. Notable issues include a critical authentication bypass in the PowerSys service for PowerLink 50/100 and SWT 3000, allowing local attackers to gain admin privileges. High-severity code execution vulnerabilities were also patched.

Aveva released two advisories. One highlights a high-severity local code execution vulnerability in the PI Asset Framework Client. The other addresses a remote code execution flaw in the PI Web API, both related to deserialization of untrusted data.

Schneider Electric published five advisories covering 11 vulnerabilities. In SAGE RTUs, a critical authentication bypass and other high-severity issues were fixed, including disruption and unauthorized uploads. Additional medium-severity flaws were addressed in Modicon M340 controllers, PowerLogic P5 relays, EVlink Home Smart EV chargers, and SpaceLogic controllers, preventing unauthorized firmware updates, device hijacking, and DoS attacks.

CISA released several ICS advisories, including a high-severity DoS vulnerability in Rockwell Automation controllers, critical code execution and data exposure flaws in the Intrado 911 Emergency Gateway, and high-severity information disclosure and code execution flaws in MicroDicom software.


Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K’s comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe dive into Domain 8, which focuses on Software Development Security. You can check out a sample question in our show notes. We’ll be right back.

Welcome back. Thanks Sam and Joe. Don’t forget, we’ve got details on the course Joe is using to prepare for his CISSP and today’s sample question in our show notes. 


Farewell, computer engineering legend Lynn Conway. 

And finally, we note the passing of former IBM and Xerox PARC engineer Lynn Conway. She achieved remarkable success in the 1960s and 1970s despite facing intense personal and professional challenges, including her transgender transition.

Conway passed away Sunday from a heart condition, leaving behind a legacy of groundbreaking contributions to technology and society. Her pivotal work in computer engineering began at IBM and later at Xerox PARC, where she collaborated with Carver Mead on VLSI design, revolutionizing microprocessor technology and impacting millions of PCs. She also led a supercomputer program at DARPA and became a professor at the University of Michigan.

In 2020, IBM formally apologized for firing Conway in 1968 due to her gender transition, recognizing her courage and influence. Beyond her technical achievements, Conway was a beacon of hope and inspiration for the transgender community. She fought against discrimination and provided guidance through her personal website, offering role models and hope for many undergoing gender transition.

Conway's story of resilience includes overcoming being barred from seeing her daughters for 14 years and working her way up through various start-ups before her significant contributions at Xerox PARC. Her life's work enriched both the technological and transgender communities, providing profound inspiration and advancing the cause of equality and acceptance.

Lynn Conway's legacy is one of remarkable bravery and resilience. She not only faced her challenges but prevailed over them, leaving an indelible mark on the world and enriching the lives of countless individuals.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.