The CyberWire Daily Podcast 8.22.24
Ep 2135 | 8.22.24

Almost letting hackers rule the web.

Transcript

A WordPress plugin vulnerability puts 5 million sites at risk. Google releases an emergency Chrome update addressing an actively exploited vulnerability. Cisco patches multiple vulnerabilities. Researchers say Slack AI is vulnerable to prompt injection. Widely used RFID smart cards could be easily backdoored. The FAA proposes new cybersecurity rules for airplanes, engines, and propellers. A member of the Russian Karakurt ransomware group faces charges in the U.S. The Five Eyes release a guide on Best Practices for Event Logging and Threat Detection. The Kremlin claims widespread online outages are due to DDoS, but experts think otherwise. In our Threat Vector segment, guest host Michael Sikorski speaks with Jason Healey, Senior Research Scholar at Columbia University's School of International and Public Affairs. A deadbeat dad dodges debt through death.

Today is Thursday, August 22nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A WordPress plugin vulnerability puts 5 million sites at risk.

A vulnerability in the LiteSpeed Cache WordPress plugin allows unauthenticated users to escalate their privileges to an administrator level, putting over 5 million sites at risk. The issue stems from a weak security hash in the user simulation feature, which uses insecure random number generation. This flaw allows attackers to brute force the security hash, potentially gaining full control of a site.

The vulnerability was discovered by researcher John Blackbourn, who received a $14,400 bounty for his findings. Although the vulnerability is mitigated by updating to version 6.4 of the plugin, users are urged to act swiftly. The LiteSpeed team has implemented additional security measures, including stronger hash validation and one-time use hashes, to prevent exploitation.
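What the weak-hash problem and the remedy look like in code, as an added illustration that is not the LiteSpeed Cache plugin's own code: a short token derived from PHP's non-cryptographic mt_rand() beside a hardened, single-use token built from random_bytes(), stored only as a digest, checked with hash_equals() and discarded after one use. The function names, the token size and the expiry window are assumptions chosen for this example, not details taken from the plugin.

```php
<?php
// Added illustration (not LiteSpeed Cache's code). The function names,
// token length and expiry window below are assumptions for the example.

declare(strict_types=1);

// --- Weak pattern: short hash from a non-cryptographic RNG. ---
// mt_rand() is a Mersenne Twister: its output is not designed to be
// unpredictable, and a 6-character hex value has only 16^6 (about 16.8
// million) possibilities. If the check neither expires nor rate-limits
// tokens, that space is small enough to be enumerated.
function weak_security_hash(): string
{
    return substr(md5((string) mt_rand()), 0, 6);
}

// --- Hardened pattern: CSPRNG, long token, single use, constant-time check. ---
const TOKEN_BYTES = 32;         // 256 bits from the OS CSPRNG
const TOKEN_TTL_SECONDS = 300;  // token is only valid for five minutes

// Issue a token and record it server-side. $store stands in for whatever
// persistent storage the application uses (database row, option, cache).
function issue_token(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    // Keep only a digest of the token so a leaked store cannot be replayed.
    $store[hash('sha256', $token)] = $now + TOKEN_TTL_SECONDS;
    return $token;
}

// Validate and consume: returns true at most once for a given token.
function consume_token(array &$store, string $presented, int $now): bool
{
    $digest = hash('sha256', $presented);
    $valid = false;
    foreach ($store as $storedDigest => $expiresAt) {
        // hash_equals() compares in constant time, unlike == or ===.
        if (hash_equals((string) $storedDigest, $digest)) {
            $valid = ($now <= $expiresAt);
            unset($store[$storedDigest]); // single use, even when expired
            break;
        }
    }
    return $valid;
}

// Usage: a fresh token is accepted once; a replay and a weak guess are not.
$store = [];
$token = issue_token($store, time());
var_dump(consume_token($store, $token, time()));
var_dump(consume_token($store, $token, time()));
var_dump(consume_token($store, weak_security_hash(), time()));
```

The three properties that matter here are independent of each other: random_bytes() makes the token unguessable, the expiry bounds how long a leaked token is useful, and deleting the digest on first use means that even a correct guess cannot be replayed. A token generated with the weak pattern fails the first property regardless of how carefully it is validated.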

Google releases an emergency Chrome update addressing an actively exploited vulnerability. 

Google has released an emergency Chrome update to address a high-severity zero-day vulnerability, identified as CVE-2024-7971, which is being actively exploited in the wild. The vulnerability, found in Chrome’s V8 JavaScript engine, was reported by Microsoft’s security teams and could allow attackers to execute arbitrary code on unpatched devices. Google has fixed the issue in the latest versions for Windows, macOS, and Linux. The update will be automatically rolled out, but users can manually check and install it via the Chrome menu. Google has withheld further details until most users are protected.

Cisco patches multiple vulnerabilities. 

Cisco has released patches for multiple vulnerabilities, including a high-severity issue (CVE-2024-20375) in its Unified Communications Manager (Unified CM) products. This vulnerability, with a CVSS score of 8.6, affects the SIP call processing function and can be remotely exploited without authentication. Attackers could send crafted SIP messages to trigger a denial-of-service (DoS) condition by causing the device to reload. Cisco has provided patches, with no workarounds available. The issue was reported by the U.S. National Security Agency (NSA), and there are no reports of it being exploited in the wild. Cisco also addressed four medium-severity bugs affecting Identity Services Engine (ISE) and Unified CM, including SQL injection and cross-site scripting vulnerabilities. Further details are available on Cisco’s security advisories page.

Researchers say Slack AI is vulnerable to prompt injection. 

Slack AI, an assistive service within Salesforce’s messaging platform, is vulnerable to prompt injection, according to security firm PromptArmor. This flaw allows attackers to exfiltrate sensitive data, such as API keys, from private Slack channels. The vulnerability arises because Slack AI can fetch data from both public and private channels, including those not joined by the user.

PromptArmor demonstrated how a malicious prompt in a public channel could trick Slack AI into exposing private data through clickable links. The risk is exacerbated by a recent Slack update that allows files from channels and direct messages to be included in AI-generated responses, potentially making user files a target for injection attacks.

PromptArmor has warned that this vulnerability could lead to significant data breaches, urging Slack admins to restrict AI access to documents until the issue is resolved. Slack considers this behavior to be intended, but PromptArmor disagrees.

Widely used RFID smart cards could be easily backdoored. 

Quarkslab, a French security firm, has uncovered a major backdoor in millions of contactless cards produced by Shanghai Fudan Microelectronics Group, a leading Chinese chip manufacturer. This backdoor, detailed by researcher Philippe Teuwen, enables rapid cloning of RFID smart cards, which are widely used for accessing offices and hotel rooms globally.

The vulnerability lies in a specific variant of the MIFARE Classic card, introduced by Fudan in 2020, which contains a “static encrypted nonce” countermeasure. Teuwen discovered that an attacker with just a few minutes of physical proximity to a card could exploit this backdoor to crack its keys, which are uniform across all cards. This flaw extends to other card models from Fudan and even some older cards from NXP Semiconductors and Infineon Technologies.

Quarkslab urges organizations to assess their infrastructure immediately, as these vulnerable cards are found worldwide, including in hotels across the US, Europe, and India.

The FAA proposes new cybersecurity rules for airplanes, engines, and propellers. 

The FAA has proposed new cybersecurity rules for airplanes, engines, and propellers to address the growing threat of cyberattacks as aircraft become increasingly connected to internal and external networks. The proposed regulations aim to standardize and codify the “special conditions” that have been issued on a case-by-case basis since 2009, reducing the complexity and cost of certification. The rules would require applicants to identify cybersecurity risks, protect against unauthorized electronic interactions (IUEI), and develop mitigation strategies.

These efforts stem from the need to protect aircraft systems from potential cyber threats that could affect airworthiness, such as compromised maintenance laptops, wireless sensors, and satellite communications. While the new rules focus on vulnerabilities with tangible impacts on safety, experts like Joseph Saunders argue that they do not go far enough in addressing future unknown vulnerabilities. The proposal follows a significant increase in reported cyberattacks in the airline industry, which grew by 530% from 2019 to 2020.

A member of the Russian Karakurt ransomware group faces charges in the U.S. 

Deniss Zolotarjovs, a member of the Russian Karakurt ransomware group, has been charged in the U.S. with money laundering, wire fraud, and extortion. Zolotarjovs, a Latvian national living in Moscow, was arrested in Georgia, Eastern Europe, in December 2023 and recently extradited to the U.S. The FBI’s investigation revealed his involvement in Karakurt’s extortion operations, where the group stole data from companies and demanded ransoms to prevent its public release.

Operating under the alias “Sforza_cesarini,” Zolotarjovs negotiated extortions, including a case where a victim paid over $1.3 million. His arrest marks the first of a Karakurt member being extradited to the U.S., potentially paving the way for further prosecutions. The charges against him carry a maximum sentence of 20 years in prison, plus significant fines. Karakurt, linked to the notorious Conti cybercrime syndicate, focuses on data exfiltration without using encryption tools.

The Five Eyes release a guide on Best Practices for Event Logging and Threat Detection. 

The Australian Signals Directorate’s Cyber Security Centre, CISA, FBI, NSA, and international partners have released a guide on Best Practices for Event Logging and Threat Detection to help organizations establish a baseline for event logging. The participating agencies say this guide is crucial for detecting and mitigating cyber threats, especially as malicious actors increasingly use techniques like living off the land (LOTL) and fileless malware. CISA urges IT decision-makers, OT operators, and critical infrastructure organizations to review and implement these recommended practices to enhance cybersecurity.

The Kremlin claims widespread online outages are due to DDoS, but experts think otherwise. 

The Kremlin is blaming widespread disruptions on Russian websites and apps, including WhatsApp, Telegram, and Wikipedia, on a supposed DDoS attack targeting telecom operators. However, digital experts are skeptical, noting that it’s highly improbable to launch a DDoS attack affecting all 2,000 Russian telecom providers simultaneously. Major telecom operators like MegaFon and Rostelecom reported no issues, fueling suspicions that these disruptions were state-imposed. Critics suggest the Russian government may be behind the outages, likely attempting to censor access to Western platforms. This aligns with previous incidents where Russian authorities have intentionally slowed or blocked services, such as YouTube and Telegram, under the guise of regulatory enforcement or anti-terrorism measures. Experts believe the disruptions could be an attempt by Roskomnadzor to block Telegram, inadvertently affecting other services. Such actions are consistent with Russia’s ongoing efforts to control digital information within its borders.


Coming up on our Threat Vector segment, guest host Michael Sikorski shares a clip of his conversation with guest Jason Healey from Black Hat about the historical challenges and advances in cyber conflict. Jason is Senior Research Scholar at Columbia University's School of International and Public Affairs. 

We’ll be right back.

Welcome back. To listen to Mike and Jason’s full conversation, check out the link in our show notes. You can catch new episodes of Threat Vector every Thursday here on the N2K CyberWire network. 


A deadbeat dad dodges debt through death. 

And finally, our deadbeat dad desk tells us of a 39-year-old US man, Jesse Kipf, who was sentenced to 81 months in jail for a bizarre and ultimately failed attempt at faking his own death. Kipf, who apparently didn’t want to pay child support, hacked into Hawaii’s Death Registry System, posed as a physician, and officially “killed” himself off. His ploy worked—at least for a while—as government databases marked him as deceased. Meanwhile, Kipf enjoyed his new “dead” status, thinking he was off the hook for child support.

But Kipf’s antics didn’t stop there. He hacked into other states’ death registries, corporate networks, and even tried selling access on the dark web. The law caught up with him, though, and now he’s facing over $195,000 in restitution, plus a lengthy stay in the slammer. Turns out, faking your own death isn’t as easy as Googling “how to stop paying child support when you’re dead.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.