Weekly Security News – 8th April 2024

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

A newly identified vulnerability within the HTTP/2 protocol, termed the HTTP/2 CONTINUATION Flood by researcher Bartek Nowotarski, poses significant denial-of-service (DoS) attack risks. Reported to CERT/CC on January 25, 2024, the vulnerability arises from the improper limitation or sanitization of CONTINUATION frames by many HTTP/2 implementations. Attackers exploiting this flaw can overload a server with a sequence of CONTINUATION frames, causing memory to be allocated without any real header data being appended, or provoke an out-of-memory (OOM) crash by inundating the server’s header list. This discovery underscores the critical need for robust server defences and the prompt patching of such protocol-level vulnerabilities to safeguard internet infrastructure.
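To illustrate the mitigation the item points at, here is an added example (not code from the article or from any HTTP/2 implementation) of a header-block assembler that bounds the total bytes buffered across HEADERS and CONTINUATION frames and rejects the stream before allocating more. It assumes the 9-byte frame header layout of RFC 9113 and ignores the PADDED and PRIORITY flags for brevity; the frame encoder and the frame sequences are constructed test fixtures.

```python
import struct

FRAME_HEADER_LEN = 9
HEADERS, CONTINUATION = 0x1, 0x9   # frame type codes
END_HEADERS = 0x4                  # flag that terminates a header block


class HeaderBlockTooLarge(Exception):
    """Raised as soon as the buffered header block would exceed the cap."""


def encode_frame(ftype, flags, stream_id, payload):
    # Constructed helper for tests: 24-bit length, type, flags, 31-bit stream id.
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def assemble_header_block(data, max_header_block=16384):
    """Concatenate the HEADERS + CONTINUATION fragments of one stream.

    Returns (header_block_bytes, frames_consumed). The defensive check is the
    size test *before* each append: an unbounded implementation would keep
    buffering fragments until memory ran out, which is the flood described above.
    """
    buf, offset, frames, stream = bytearray(), 0, 0, None
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        offset += FRAME_HEADER_LEN + length
        frames += 1
        if stream is None:
            if ftype != HEADERS:
                raise ValueError("header block must start with HEADERS")
            stream = stream_id
        elif ftype != CONTINUATION or stream_id != stream:
            raise ValueError("expected CONTINUATION on stream %d" % stream)
        # Bound the total size before buffering; nothing is allocated past the cap.
        if len(buf) + length > max_header_block:
            raise HeaderBlockTooLarge("header block exceeds %d bytes after %d frames"
                                      % (max_header_block, frames))
        buf += payload
        if flags & END_HEADERS:
            return bytes(buf), frames
    raise ValueError("header block never terminated with END_HEADERS")
```

A real server would answer the rejection with a connection error (e.g. ENHANCE_YOUR_CALM or COMPRESSION_ERROR) and close the connection rather than raising.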

Google fixes two Pixel zero-day flaws exploited by forensics firms

Google has addressed two zero-day vulnerabilities in Google Pixel devices that were being actively exploited by forensic firms to bypass the phone’s lock screen PIN, enabling unauthorized access to the device’s data. Unlike the broader Android ecosystem, which receives monthly security updates applicable to devices from various OEMs, Pixel devices are directly updated by Google. This distinction allows Google to roll out specific patches for the hardware and exclusive features found in Pixel smartphones. The vulnerabilities, identified as CVE-2024-29745 and CVE-2024-29748, were highlighted in the April 2024 security bulletin specifically for Pixel devices, indicating their active exploitation, despite the general Android April 2024 security bulletin not listing any severe issues.

Cyber Attacks

Vietnam-Based Hackers Steal Financial Data Across Asia with Malware

CoralRaider, a cyber espionage group of suspected Vietnamese origin identified by Cisco Talos, has been actively targeting various Asian and Southeast Asian countries since at least May 2023. Focused on financial gain, the group employs sophisticated malware, including a customized variant of Quasar RAT named RotBot and the XClient stealer, to harvest a wide range of sensitive information such as credentials, financial data, and social media accounts from victims in countries like India, China, South Korea, and several others. The specificity of their targeting and the advanced nature of their tools underline the necessity for targeted organizations to bolster their cyber defences through enhanced security protocols, employee awareness, and international cybersecurity collaboration to mitigate the threats posed by such actors.

US Cancer Center Data Breach Impacting 800,000

City of Hope, a National Cancer Institute-designated comprehensive cancer center located in Duarte, California, experienced a data breach between September 19 and October 12, 2023. An unauthorized party accessed and copied files from a subset of the center’s systems, compromising a wide range of personal and sensitive information. The data exposed includes names, birth dates, email addresses, phone numbers, driver’s license and ID numbers, Social Security numbers, bank account details, credit card information, health insurance data, and medical information. The breach’s scope and the variety of stolen data raise significant concerns for the privacy and security of the individuals impacted.

Articles

U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers

The U.S. Cyber Safety Review Board (CSRB) has issued a report criticizing Microsoft for a series of security oversights, which it says allowed a China-based nation-state group named Storm-0558 to breach nearly two dozen companies across Europe and the U.S. last year. According to the Department of Homeland Security (DHS), these incidents could have been prevented and were the result of a combination of Microsoft’s mistakes, reflecting a corporate culture that seemingly placed less emphasis on security investments and risk management. This critique underscores the significant role Microsoft plays in the global technology ecosystem and highlights the gap between the level of security customers expect from the tech giant and what was delivered in these instances.

Ukraine gives award to foreign vigilantes for hacks on Russia

The involvement of the vigilante hacker group One Fist in cyber-attacks against Russian military firms and their efforts to spy on troops using hacked cameras has been acknowledged by Ukraine’s military with awards of gratitude. This development is a notable example of the evolving nature of modern warfare, where cyber operations by non-state actors are increasingly playing a role. However, the practice of states expressing appreciation for or encouraging civilian hackers raises ethical and legal concerns, highlighting the complex dynamics of digital warfare and the blurring lines between state and non-state actions in cyberspace.