Cloudflare Server Compromised Due to Leaked Access Token


On November 23, 2023, Cloudflare detected a threat actor on its self-hosted Atlassian server. The attack was carried out with a single stolen access token and three compromised service account credentials, none of which had been rotated after the Okta compromise in October 2023.

The security team sought assistance from CrowdStrike’s Forensic team to investigate the security breach. On November 24, all connections and access privileges for the malicious actors were terminated.

“We want to emphasize to our customers that no Cloudflare customer data or systems were impacted by this event,” according to Cloudflare’s blog.

“We took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code.”


Overview of the Incident

The threat actors performed reconnaissance from November 14 to November 17. They then gained access to the organization’s internal wiki, which runs on Atlassian Confluence, and to its bug database, which runs on Atlassian Jira.

Further unauthorized access was detected on November 20 and 21, which suggests the intruders returned to test that their connectivity still worked. On November 22 they returned again and used ScriptRunner for Jira to establish persistent access to the Atlassian server.

The intruders managed to gain entry to the Atlassian Bitbucket source code management system. Additionally, they attempted to breach a console server connected to Cloudflare’s data center in São Paulo, Brazil. However, they failed to infiltrate the server as it was still in the testing phase.

“We failed to rotate one service token and three service accounts (out of thousands) of credentials that were leaked during the Okta compromise,” the company said.

The first was a Moveworks service token that granted remote access to the Atlassian system. The second was a service account used by the SaaS-based Smartsheet application, which had administrative access to the Atlassian Jira instance.

The third credential was a Bitbucket service account used to access Cloudflare’s source code management system. The fourth was for an AWS environment with no access to the global network and no customer or sensitive data.
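The root cause described above is a credential that survived a mass rotation. The following is an added example, not code from Cloudflare or from the article, of the check a security team would run after an upstream identity-provider compromise: compare every active service token and service account against the exposure date and report anything rotated earlier (or never). The inventory, names, and dates are constructed for the example; the exposure and review dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                     # "service_token" or "service_account"
    system: str                   # system the credential grants access to
    last_rotated: Optional[date]  # None means no rotation is on record
    active: bool = True

# Constructed inventory. Names and dates are illustrative and mirror the kinds of
# credentials the article lists; they are not values from the incident.
INVENTORY: List[Credential] = [
    Credential("moveworks-atlassian-token", "service_token", "atlassian", date(2023, 6, 1)),
    Credential("smartsheet-jira-admin", "service_account", "jira", date(2023, 9, 12)),
    Credential("bitbucket-ci-bot", "service_account", "bitbucket", None),
    Credential("aws-sandbox-reporting", "service_account", "aws", date(2023, 8, 3)),
    Credential("okta-scim-sync", "service_token", "okta", date(2023, 10, 25)),
    Credential("legacy-wiki-exporter", "service_token", "confluence", date(2022, 1, 1), active=False),
]

EXPOSURE_DATE = date(2023, 10, 18)  # assumed date the credentials were exposed (example value)
REVIEW_DATE = date(2023, 11, 23)    # assumed date of the review (example value)

def stale_credentials(inventory: List[Credential], exposure_date: date) -> List[Credential]:
    """Active credentials whose last rotation predates the exposure, or is unknown.

    A missing rotation date is treated as stale: a credential nobody can prove was
    rotated must be assumed to still be the leaked one.
    """
    return [c for c in inventory
            if c.active and (c.last_rotated is None or c.last_rotated < exposure_date)]

def rotation_report(inventory: List[Credential], exposure_date: date, review_date: date) -> Dict:
    """Summarise what still needs rotating, grouped by the system it unlocks."""
    stale = stale_credentials(inventory, exposure_date)
    by_system: Dict[str, List[str]] = {}
    for c in stale:
        by_system.setdefault(c.system, []).append(c.name)
    return {
        "stale": sorted(c.name for c in stale),
        "by_system": {k: sorted(v) for k, v in by_system.items()},
        "never_rotated": sorted(c.name for c in stale if c.last_rotated is None),
        # how long the leaked credentials have been usable by the time of the review
        "exposure_window_days": (review_date - exposure_date).days,
    }

if __name__ == "__main__":
    report = rotation_report(INVENTORY, EXPOSURE_DATE, REVIEW_DATE)
    for name in report["stale"]:
        print("ROTATE:", name)
    print("exposed for", report["exposure_window_days"], "days")
```

Inactive credentials are skipped because they cannot be used, but a real review should also confirm they are actually revoked at the provider rather than merely marked inactive in the inventory.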

According to reports, the attack was likely carried out by a nation-state attacker seeking continuous, broad access to Cloudflare’s global network.

After analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears that they were searching for information about the company’s global network architecture, security, and management, possibly to gain a stronger foothold.

Cloudflare was among the more than 130 customers of the identity and access management provider Okta affected by its October breach; the company had also been affected by a separate Okta intrusion in 2022.

The company focused a significant portion of its technical staff, both inside and outside of the security team, on a single project – addressing the incident known as “Code Red.” 

As part of their efforts, they undertook a comprehensive process. This included rotating more than 5,000 individual credentials, physically segmenting test and staging systems, performing forensic triages on 4,893 systems, and reimaging and rebooting every machine in their global network, including all Atlassian products (Jira, Confluence, and Bitbucket) and all systems that the threat actor accessed. 

The primary goals of this effort were to confirm that the threat actor could not gain entry into the environment and to ensure that all controls were strengthened, verified, and corrected.




Samsung details February 2024 security patch for Galaxy devices


On Monday, Samsung released the February 2024 security update for the Galaxy Z Fold 3 and Galaxy Z Flip 3 in Europe. The company will soon push the update to the foldable duo as well as other eligible devices globally. In the meantime, it has detailed the content of the latest security patch for the Galaxy family. This month’s release contains 69 vulnerability patches, including three critical patches.

Samsung’s February update patches 69 security issues

According to Samsung’s updated security bulletin, the February 2024 SMR (Security Maintenance Release) for Galaxy devices contains 61 Android OS patches and 8 Galaxy-specific patches. The former group of vulnerabilities exists in Android OS itself, meaning they affect Android products from other brands as well; those flaws are patched by Google. The Android maker patched three critical and 58 high-severity issues this month.

Google says the most severe vulnerabilities patched this month could lead to remote code execution without requiring additional execution privileges. In simpler terms, a threat actor could exploit the vulnerabilities to gain remote access to an affected Android product without the user’s knowledge or detection. Android devices updated to the February 2024 security patch no longer have these vulnerabilities and security risks.

Google’s latest ASB (Android Security Bulletin) contains four more patches. However, two of them don’t apply to Samsung products, and the other two vulnerabilities have already been patched by the Korean firm on Galaxy smartphones and tablets. As far as the Galaxy-specific patches are concerned, the February SMR addresses four moderate and four high-severity vulnerabilities across the Galaxy family.

Called Samsung Vulnerabilities and Exposures (SVE) items, these issues don’t exist on Android devices from other brands. Samsung patched issues in GameOptimizer, Smart Suggestions, Auto Hotspot, bootloader, and various other system components and services in Galaxy devices. An improper authentication vulnerability in Auto Hotspot allowed adjacent attackers to connect to an affected device’s mobile hotspot without the user’s knowledge.

More Galaxy devices will get these security fixes soon

The Galaxy Z Fold 3 and Galaxy Z Flip 3 are the first two Samsung devices to receive the February 2024 SMR with these security fixes. The Korean firm will soon roll out the update to more products. The Galaxy S24 series, Galaxy S23 series, and many other smartphones and tablets will pick up the new security release in the coming days. We will keep you posted on those rollouts. You can also check for updates from the Settings app on your Galaxy device.



Huawei scales back Mate 60 production to prioritize AI chips


Huawei has scaled back the production of the Mate 60 series flagship smartphones. No, the demand hasn’t dwindled. The phones are selling well, crossing 30 million shipments within five months of launch. This is a healthy sales pace for a company beleaguered by various US sanctions. However, the sanctions mean it has limited resources and has to slow down smartphone production to prioritize AI chips.

Huawei is focusing on AI chips at the expense of Mate 60 smartphones

Huawei reportedly uses the same production facility to manufacture its Ascend AI chips and the Kirin processors that power the Mate 60 smartphones. According to a Reuters report, which cites three people familiar with the matter, the company is struggling with low yield rates at this semiconductor facility. Yield rate is the percentage of usable chips out of the total number of chips that can be made from one wafer.

The sources didn’t provide a precise number but it appears the Chinese firm’s yield rate is poor. Effectively, its chip production capacity is low. As the tech industry rushes to incorporate AI into just about every product, Huawei has decided to scale back the production of Kirin chips for the Mate 60 series, prioritizing AI chips. It will allocate the bulk of its resources to produce the Ascend 910B and other AI chips.

This is a massive decision from Huawei. As said earlier, the Mate 60 series has been selling well in China. The phones helped the firm outsell Apple iPhones in the domestic market last year. They have set the tone for Huawei to achieve its target of doubling its smartphone sales in 2024. It aims to ship 60-70 million smartphones this year. However, unless it improves its chip yield rates soon, the firm might struggle to hit the target.

As far as the decision to prioritize AI chips is concerned, Huawei knows that the US trade restrictions have limited Chinese companies’ access to advanced AI chips like Nvidia’s H100. As the AI trend grows, the demand for domestic solutions will rise. It is looking to tap into the opportunity with early inroads. As Reuters states, “The Ascend 910B is widely considered the most competitive non-Nvidia AI chip available in China.”

This might be a short-term production arrangement

Huawei hopes this production arrangement will be a short-term one. It is reportedly working on improving its yield rates so that it could simultaneously produce the desired quantities of Kirin processors and Ascend AI chips at its semiconductor facility. Whether it manages to make that happen anytime soon, time will tell. The firm declined Reuters’ request for comment on the matter.



Gmail’s upgraded reply box is about to reach more users


For Gmail users, responding to emails on the mobile app is about to become even more convenient. Following several months of testing, a new chat-style reply box is now about to be rolled out to a wider audience.

As noticed by AssembleDebug (via Android Police), Gmail is making a change by replacing the Reply button with a sleek quick compose box, and this update is now expanding to a larger user base. The updated message box occupies the bottom position in the email thread, bidding farewell to the traditional Reply, Reply All, and Forward buttons.

In the screenshot, you can see that the buttons are gone, making room for the new message box. The redesign gives off a vibe similar to instant messaging apps. However, you can still choose your reply type (reply, reply all, or forward) and edit recipients in the refreshed interface. When you begin typing, the keyboard appears and the text field moves toward the center of your screen, resembling a typical chat app. Importantly, you still maintain visibility of the email you’re responding to.

This tweak to Gmail’s interface was first spotted in November last year, and now it’s making its way to more users with the 2024.01.14.599541078 version of Gmail for Android. Just a heads up, this change is currently Android-specific, so iOS users might have to wait a bit to see it on their devices.

This Gmail redesign is just one of the ways Google is enhancing the email experience. Recent reports hint at Google developing an AI-powered “Help me write” feature, enabling users to use their voice to draft emails or instruct the AI on the content. Additionally, Google introduced a new Unsubscribe button at the top of emails in the Gmail mobile app, making it easier to stop receiving unwanted emails.



Researchers Unveil the Sophisticated Ransomware by Black Hunt


The Black Hunt ransomware has recently become a significant threat to the cybersecurity landscape. This malicious software has already wreaked havoc on around 300 companies in Paraguay, causing significant damage and disruption to their operations.

The impact of this ransomware attack is likely to be far-reaching, affecting not only the affected companies but also their customers, employees, and other stakeholders.

In the year 2022, security researchers have identified a new form of ransomware known as Black Hunt.

This malicious software is specifically designed to target and compromise different types of operating systems, putting the data and privacy of countless users at risk.

The notorious Black Hunt ransomware is known for using advanced file encryption techniques to restrict access to the victim’s data.

This malicious software also goes a step further and alters the filenames of the affected files, making it difficult for the victim to identify and recover their data.

As per Rapid7’s analysis, it has been discovered that Black Hunt shares certain similarities with Lockbit, among other technical details.


How the Ransomware Works

This malicious software is suspected to have been developed using leaked code from the LockBit ransomware and has several similarities to the infamous REvil ransomware.

Black Hunt encrypts files on the infected system and demands a ransom payment in exchange for the decryption key.

The emergence of this new ransomware variant highlights the ongoing threat posed by cybercriminals and emphasizes the need for robust cybersecurity practices to protect against such attacks.

It checks for a specific marker file, “Vaccine.txt,” in the C:\ProgramData directory to determine whether the system has already been compromised.

This particular strain of ransomware has the ability to conceal its window from the user’s view and modify its privileges to operate in a covert manner.

Additionally, it has the capability to accept command-line arguments, which allows for further customization of its behavior.

The Black Hunt operation appears to work from a predetermined list of target countries, and it also appears to maintain a whitelist of system languages on which it will execute.

The process involves the creation of entries in the computer’s registry to ensure that the malware remains active even after rebooting the system.

Additionally, the malware modifies the Windows settings to disable crucial security features, leaving the system vulnerable to further attacks.

The ransomware appends the “.Hunt2” extension to the files it encrypts and also deletes volume shadow copies.
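The behaviours listed above (the Vaccine.txt marker under C:\ProgramData, the .Hunt2 extension, Run-key persistence and shadow copy deletion) are all observable from endpoint telemetry. The following is an added example, not code from Rapid7 or from the article, of detection logic run over a handful of constructed process, file and registry events; the event format and the sample values are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified event format (not data from the report).
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "user": "CORP\\alice", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "user": "CORP\\alice", "cmd": "wmic shadowcopy delete"},
    {"type": "process", "user": "CORP\\alice", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"type": "file", "path": "C:\\ProgramData\\Vaccine.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.Hunt2"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\photo.jpg"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "name": "Updater", "data": "C:\\ProgramData\\upd.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Contoso\\Settings",
     "name": "Theme", "data": "dark"},
]

# Shadow copy deletion via the two built-in utilities commonly used for it.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# Marker file the article says Black Hunt checks before running.
MARKER_FILE = re.compile(r"^C:\\ProgramData\\Vaccine\.txt$", re.I)
# Extension appended to encrypted files.
ENCRYPTED_EXT = re.compile(r"\.Hunt2$", re.I)
# Autostart locations used for reboot persistence.
RUN_KEYS = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) alerts for every event matching a Black Hunt indicator."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            if any(p.search(ev["cmd"]) for p in SHADOW_COPY_DELETION):
                alerts.append(("shadow_copy_deletion", ev["cmd"]))
        elif ev["type"] == "file":
            if MARKER_FILE.match(ev["path"]):
                alerts.append(("blackhunt_marker_file", ev["path"]))
            elif ENCRYPTED_EXT.search(ev["path"]):
                alerts.append(("hunt2_extension", ev["path"]))
        elif ev["type"] == "registry":
            if RUN_KEYS.search(ev["key"]):
                alerts.append(("run_key_persistence", f'{ev["key"]}\\{ev["name"]} -> {ev["data"]}'))
    return alerts

def summarize(alerts: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count alerts per rule so the analyst sees the shape of the activity at a glance."""
    counts: Dict[str, int] = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, detail in found:
        print(f"[{rule}] {detail}")
    print(summarize(found))
```

The shadow copy rule fires on legitimate backup maintenance too, so in practice it is correlated with the file and registry rules rather than alerted on alone; the marker file and the .Hunt2 extension are the high-confidence signals here.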

Image: Black Hunt ransomware ransom note.

The malicious software strives to propagate itself to other computers on the network by exploiting vulnerabilities in shared folders and files. In addition, it utilizes a range of techniques to avoid detection by security measures.




Resonance Hires Cybersecurity Pro George Skouroupathis As Its Offensive Security Lead


George Skouroupathis has previously worked with and for industry giants like Allendevaux & Company, Halborn, Odyssey Cybersecurity, Cisco and several others.

Leading cybersecurity outfit Resonance has hired the prominent industry veteran George Skouroupathis to head up its offensive security engineering team, which helps companies audit their software and smart contracts, and conduct penetration tests to discover vulnerabilities. 

Skouroupathis announced his decision to join Resonance in a post on LinkedIn, saying his new role will involve performing penetration tests, and cloud and browser extension security audits on behalf of the company’s clients. He’s also expected to play a key role in the development of some innovative new cybersecurity tools that the company has in the works. He didn’t reveal what those tools are but said they are expected to launch in the near future. 

The appointment is a major coup for Resonance as Skouroupathis is widely regarded as an expert innovator in the cybersecurity space, having held prominent positions at a host of Web2 and Web3 security firms. He most recently served as a senior cybersecurity analyst at Allendevaux & Company, which he joined after spending a year at the blockchain-focused security firm Halborn, where he also worked on offensive security initiatives.

Before those experiences, he spent a number of years at Odyssey Cybersecurity, organizing and executing web, network and mobile application vulnerability assessments, investigating social engineering attacks and leading red teaming exercises. He has also picked up valuable experience from his tenure as a software developer at Silicon Valley giant Cisco Systems. 

In an interview posted on Resonance’s Medium blog, Skouroupathis said cloud security assessments and pentesting are his biggest interests at the moment. His skills in these areas make him an ideal choice for Resonance, which specializes in full-stack cybersecurity, focusing on browser extensions, decentralized applications and crypto wallets.

The company offers an extensive suite of cybersecurity products, similar to Splunk or Mandiant, only it extends its services to blockchain startups and Web2 companies, acting as a kind of concierge that provides full protection against various cyber threats. 

“I’ve had a natural inclination for problem-solving and tackling challenges since a young age, kind of a ‘bug’ that just stuck with me,” Skouroupathis said. “This passion led me into the fascinating world of cybersecurity since as it turns out solving a complex problem in this line of work is just the extension of solving a puzzle or a challenge as a kid.”

According to Skouroupathis, it was Resonance’s novel approach to cybersecurity and the people on its team that inspired him to join the company. He said he has collaborated with a number of Resonance’s staff in the past, so he knows the team well and expects to fit right in.

“Working alongside experts in various domains is very important,” he explained. “It gives me the opportunity to continuously learn and evolve and also ensures top-notch results for clients by combining expertise from different areas.”

Skouroupathis also cited Resonance’s commitment to providing a full-stack security suite that covers Web2, Web3 and emerging technologies as another reason for joining the company. “I’m looking forward to working with the team, as I know that each of its members excels in their respective fields, and I’m fortunate to be surrounded by such accomplished professionals,” he added. 



OnePlus reveals why it doesn’t offer a 7-year software update policy


OnePlus recently announced the OnePlus 12 and 12R smartphones in global markets. Now the company’s President, Kinder Liu, has explained in an interview with Tom’s Guide why the company does not offer an extended seven-year software update policy for the OnePlus 12. This comes after OnePlus’s rivals Samsung and Google announced seven years of software updates for their latest-generation Galaxy S24 Ultra and Pixel 8 series phones, respectively.

OnePlus President explains why it doesn’t offer longer software support

The OnePlus 12 offers four years of software updates whereas the 12R scales back to three years. With an additional year of security patches, the software support stretches by one year to five and four years on the number series flagship and the mid-range offering respectively.

In the interview, Liu says “Simply offering longer software update policies completely misses the point. It’s not just software update policies that are important to the user, it’s the fluency of your phone’s user experience too.” The executive means to say that a longer software update policy isn’t necessarily a good thing if the phone’s hardware cannot keep up.

The OnePlus executive goes on to explain further by metaphorically comparing the phone to a sandwich. The filling inside the sandwich is the phone’s software, which manufacturers claim will still be good to eat in seven years. However, they fail to mention the bread – the user experience – which could turn moldy after four years. Hence, a seven-year software update policy won’t matter if the rest of the experience with the phone is terrible due to hardware issues arising over time.


More reasons why OnePlus’s five-year software policy makes sense

Liu reveals that OnePlus conducted stress tests with TÜV SÜD for the latest OnePlus 12 and 12R to simulate years of use and guarantee four years of fast and smooth performance. One of the parameters of the stress test was the phone’s battery health, which degrades over time and is typically the first piece of hardware on any device to wear out. Hence, unless OEMs switch to user-replaceable batteries, longer seven-year software support does not make sense at the moment.

Additionally, Liu also came across a Counterpoint Research report that says Android users seem to upgrade their smartphones within four years of purchasing them. This also lines up with OnePlus’s current software support policy.



Samsung & TSMC to keep 2nm chip manufacturing local


Samsung and TSMC are moving ahead with the next generation of 2nm chips, which is expected to be a major leap in mobile processors and technology. For comparison, the most advanced chips currently shipping are made on a 3nm process, such as those in the Apple iPhone 15 Pro models. While the two major chip makers have expanded their 4nm chip manufacturing bases to Japan and the US, they will reportedly manufacture the 2nm chips in their home countries, i.e., South Korea and Taiwan, respectively.

Samsung & TSMC 2nm chips will be manufactured in South Korea and Taiwan

According to recent reports from the South China Morning Post and the Korean Times, Samsung is preparing for 2nm chip production in South Korea next year. The company has set aside a hefty investment totaling KRW 500 trillion ($371 billion) by the year 2047 to establish a sprawling “mega-cluster” semiconductor plant near Seoul. This expansive facility will encompass 13 chip plants and three research centers, all dedicated to manufacturing 2nm chips.

Meanwhile, TSMC wants to construct 2nm chip fabrication plants and science parks in Hsinchu and Kaohsiung in Taiwan. They also have a plan to build another factory in a city called Taichung, but they’re waiting for government approval. Also recently, it offered a 2nm processor prototype’s exclusive look to its major business partners, Apple and NVIDIA.

But why are they keeping 2nm chip production limited to the homeland?

A big reason behind this is because it’s cheaper for them to make processing chips at home. As reported by the South China Morning Post, Eddie Han explained, “Making chips in the US costs a lot more than in Taiwan or Japan.” This means that for Samsung and TSMC, it’s better to build and run their factories in their own countries. They can save money this way, which is important for any big business.

Another reason is that their home countries are helping them out. The government in South Korea, where Samsung is from, is giving them a lot of support. They’re investing a huge amount of money into making more chips in South Korea. And the president there says this will create a lot of new jobs. So, for Samsung and TSMC, it’s not just about money; it’s also about getting help from their governments.



YouTube TV subscribers getting “1080p enhanced” support for better picture quality


YouTube TV offers customers multiple options when it comes to streaming quality. The best that the service can offer is 4K, but not many channels can be watched in 4K.

Unfortunately, the majority of the cable channels that YouTube TV streams only broadcast in 720p for most content, and YouTube TV doesn’t enhance the quality of the video.

Sometimes YouTube TV subscribers get 4K content that has been upscaled from 1080p, but the overall sentiment is that picture quality is quite low for live streams.

But that’s about to change (hopefully), as YouTube TV is now rolling out a new “1080p enhanced” streaming option for its subscribers. The option will be available on updated 4K-compatible streaming devices and promises to offer the service’s highest video quality below 4K.

So, if you want to benefit from the best possible viewing experience and be able to set the video quality to 1080p Enhanced, you’ll need to upgrade to a 4K-compatible streaming device if you don’t own one already.


Multiple Container Flaws allow attackers to access host OS


Four new vulnerabilities have been identified in containers that could allow a threat actor to escape the container and gain access to the host system.

Researchers have named these vulnerabilities “Leaky Vessels”; they could potentially enable a threat actor to access sensitive data on the host systems and launch further attacks.

The CVEs for these vulnerabilities have been assigned as follows:

  • CVE-2024-21626 (runc process.cwd & leaked fds container breakout – 8.6 (High))
  • CVE-2024-23651 (Buildkit Mount Cache Race – 8.7 (High) )
  • CVE-2024-23653 (Buildkit GRPC SecurityMode Privilege Check – 10.0 (Critical))
  • CVE-2024-23652 (Buildkit Build-time Container Teardown Arbitrary Delete – 9.8 (Critical))

Leaky Vessels

CVE-2024-21626

This vulnerability exists because of the order of operations runc follows when applying a Dockerfile’s WORKDIR directive: the directive can be set to a path under /proc/self/fd/, which is passed through to the chdir call and acts as a path traversal into privileged host directories.

Successful exploitation of this vulnerability provides complete root access to the host filesystem, enabling the attacker to control the host. The severity for this vulnerability has been given as 8.6 (High).

CVE-2024-23651

This vulnerability is due to a TOCTOU (time-of-check/time-of-use) race condition during the mounting of a cache volume at container build time. The race lies between the validation that confirms the source path inside the cache mount is a directory and the later use of that path.

This vulnerability can be exploited by manipulating the cache volume source path from the mount and abusing the race condition, which could result in gaining full root host compromise. The severity for this vulnerability has been given as 8.7 (High).

CVE-2024-23653

This vulnerability occurs due to a missing privilege check on a GRPC endpoint. A custom input format for a Dockerfile can be specified with a # syntax= directive, which names another Docker image to use as the parser (frontend) for the input. That Docker image is given access to the GRPC server so that it can build and submit the intermediate representation.

However, the Container.Start endpoint, which launches build-time ephemeral containers, does not validate the StartRequest.

The SecurityMode argument of that request can be abused by threat actors to elevate their privileges and achieve full root command execution on the host. The severity for this vulnerability has been given as 10.0 (Critical).

CVE-2024-23652

This vulnerability occurs when the Buildkit attempts to clean up temporary directories after usage. When a Dockerfile is run, some specific directories are targeted based on the configuration of the Dockerfile. If the directories don’t exist, they are created and then removed.

This particular functionality can be abused by replacing a targeted directory with a symbolic link; the cleanup follows the link and deletes its target instead.

Successful exploitation of this vulnerability results in the deletion of any file on the file system. The severity for this vulnerability has been given as 9.8 (Critical).
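Two of the four issues above turn on content that appears in the Dockerfile itself: a WORKDIR that resolves under /proc/self/fd/ (CVE-2024-21626) and a # syntax= directive that hands parsing, and with it GRPC access, to an arbitrary frontend image (CVE-2024-23653). Patching runc and Buildkit is the fix; a build-pipeline pre-check that refuses such Dockerfiles is a useful compensating control while patches roll out. The following is an added example, not code from Snyk or from the projects involved, of such a scanner. It tracks the working directory across successive WORKDIR lines so that a relative traversal is caught, and it treats only the official Dockerfile frontend as trusted; that allow-list and the sample Dockerfile are assumptions made for the example.

```python
import posixpath
import re
from typing import List, Tuple

# Assumption: only the official Dockerfile frontend may be named in a # syntax= directive.
TRUSTED_FRONTENDS = ("docker/dockerfile", "docker.io/docker/dockerfile")

SYNTAX_RE = re.compile(r"^#\s*syntax\s*=\s*(\S+)", re.I)
WORKDIR_RE = re.compile(r"^WORKDIR\s+(.+?)\s*$", re.I)

Finding = Tuple[int, str, str]  # (line number, rule, detail)

def _logical_lines(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines; each result keeps its first physical line number."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = None
    for i, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = i
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        out.append((start, " ".join(buf).strip()))
        buf, start = [], None
    if buf:
        out.append((start, " ".join(buf).strip()))
    return out

def _image_name(ref: str) -> str:
    """Strip a digest and a tag from an image reference, leaving the repository name."""
    ref = ref.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:  # a colon in the final component is a tag, not a registry port
        ref = ref[: len(ref) - len(last)] + last.split(":", 1)[0]
    return ref

def scan_dockerfile(text: str) -> List[Finding]:
    """Flag untrusted syntax frontends and any WORKDIR that resolves under /proc/self/fd."""
    findings: List[Finding] = []
    cwd = "/"  # the default working directory before any WORKDIR
    for lineno, line in _logical_lines(text):
        m = SYNTAX_RE.match(line)
        if m:
            image = m.group(1)
            if _image_name(image) not in TRUSTED_FRONTENDS:
                findings.append((lineno, "untrusted-syntax-frontend", image))
            continue
        m = WORKDIR_RE.match(line)
        if m:
            path = m.group(1).strip("\"'")
            if "$" in path:
                # cannot be resolved statically; surface it for manual review
                findings.append((lineno, "unresolved-workdir-variable", path))
                continue
            cwd = posixpath.normpath(posixpath.join(cwd, path))
            if cwd == "/proc/self/fd" or cwd.startswith("/proc/self/fd/"):
                findings.append((lineno, "workdir-proc-self-fd", cwd))
    return findings

# Constructed sample Dockerfile: a custom frontend, then a relative WORKDIR that
# climbs out of /app into /proc/self/fd, then a variable WORKDIR.
SAMPLE_DOCKERFILE = "\n".join([
    "# syntax=example.invalid/custom/frontend:latest",
    "FROM alpine:3.19",
    "WORKDIR /app",
    "RUN apk add --no-cache \\",
    "    curl",
    "WORKDIR ../proc/self/fd/7",
    "WORKDIR $HOME",
    'CMD ["sh"]',
])

if __name__ == "__main__":
    for lineno, rule, detail in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {rule}: {detail}")
```

A clean Dockerfile that names docker/dockerfile as its frontend and keeps its working directories under ordinary paths produces no findings, so the check can run as a gate in CI without touching normal builds.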

These vulnerabilities have been published by Snyk, which provides detailed information about the exploit code, methodology, and mitigation.


