
Cybersecurity Today: Zero Day Flaws, FinTech Breach, Phishing Scams & More In today's episode, host Jim Love discusses critical updates in the cybersecurity world. Discover the latest zero day vulnerabilities patched by Apple, a significant data...
This episode of Cybersecurity Today is brought to you by CDW Canada Tech Talks. If you're passionate about technology and innovation, this is the podcast for you. Join my friend and host KJ Burke as he and industry experts dive into the latest trends, insights and strategies shaping the tech landscape in Canada.

Apple patches two zero-day flaws targeting Intel-based Macs. An American fintech giant has 400 gigabytes of customer data stolen before a hacker mysteriously disappears. Beware of two-step phishing and SVG attachments. A new secure phone system is launched for high-risk individuals. And Google's OSS-Fuzz uncovers a decades-old bug in OpenSSL.

This is Cybersecurity Today. I'm your host, Jim Love.

Cybersecurity experts are warning of two emerging phishing attack strategies: two-step phishing using Microsoft Visio files, and Scalable Vector Graphics (SVG) attachments. These tactics, designed to evade detection, exploit trust and human error to steal credentials and deploy malware. Researchers from Perception Point highlight a surge in two-step phishing attacks that weaponize Microsoft Visio (VSDX) files, commonly used for data visualization. These files are now embedded with malicious URLs. The attack unfolds in layers. Victims receive a seemingly legitimate email containing a business proposal or purchase order. Clicking a URL leads to a compromised Microsoft SharePoint page hosting a Visio file. Inside the file, another clickable URL redirects victims to a fake Microsoft 365 login page designed to steal credentials. A key tactic involves instructing victims to hold down the Control key and click, a move designed to bypass automated security scanners. Threat actors are also leveraging SVG attachments, which can execute JavaScript or display credential-stealing forms. Unlike traditional image formats, SVG files use mathematical formulas, making them harder for security software to detect. SVGs can mimic Excel spreadsheets or forms, tricking users into entering sensitive information. And in some cases, JavaScript embedded in SVGs redirects users to malicious websites upon opening the attachment. For Visio-based attacks, avoid following unexpected instructions like holding down the Control key and clicking. Verify the sender and the context of any email. And for SVG attachments, treat these files as suspicious, especially if they're uncommon in your workflow. Verify the sender's identity and intent before opening them. By combining these strategies with technical safeguards like two-factor authentication and robust email security, individuals and organizations can better protect themselves against these sophisticated phishing campaigns.

Finastra, a global financial technology leader serving 45 of the world's top 50 banks, is investigating a significant data breach involving its internal file transfer platform. Cybercriminals reportedly exfiltrated over 400 gigabytes of customer data, which has since been advertised for sale on dark web forums. On November 7, Finastra's security team detected suspicious activity and the company immediately notified affected customers. In a statement, Finastra revealed that no malware was deployed and no files beyond the exfiltrated data were accessed. Investigations point to compromised credentials as the likely root cause. A cybercriminal known as abyss0 began selling the stolen data in late October, initially pricing it at $20,000 before reducing it to $10,000. The data includes sensitive information from Finastra's major banking clients, though the cybercriminal's subsequent disappearance has raised questions about the breach's resolution. Finastra has replaced the compromised platform with a secure alternative and is working to identify affected customers. The company's chief information security officer is actively engaged with client security teams and sharing indicators of compromise to prevent further incidents. This breach comes after a ransomware attack in 2020 that disrupted Finastra's operations but apparently did not result in a ransom payment. And the hacker abyss0 has apparently mysteriously disappeared, and his Telegram and BreachForums accounts were closed.

A new privacy-focused telecom service, Cape, is launching today, offering public figures, executives, journalists and activists a secure way to use mobile networks with minimal data collection. The service aims to address rising concerns over government surveillance and cyberattacks, particularly from state-sponsored actors. Cape's service, built on the US Cellular network, uses proprietary software to limit users' data collection. Unlike traditional carriers, Cape stores only essential subscriber information for 60 days and enables users to rotate identifiers like device and advertiser IDs on demand. This makes it harder for apps and brokers to track and monetize user data. Cape's device, a standard Android phone with modified data settings, is optional. Customers can use their own phones and port their numbers, with updates handled via eSIM. Cape CEO John Doyle, a former Palantir executive and U.S. Army Special Forces sergeant, explained that Cape tested its services with national security professionals, government officials and privacy advocates to refine its offering. While the service offers robust privacy protections, it comes at a steep cost, with some plans reaching $1,000 monthly. Cape is working to make its service more affordable for groups like journalists and domestic violence survivors, and plans to expand to the general public next year with competitive pricing.

Apple has released emergency updates to address two zero-day vulnerabilities affecting Intel-based Mac systems. The flaws, found in macOS Sequoia's JavaScriptCore and WebKit components, were exploited in attacks, according to an advisory issued by the company on Tuesday. CVE-2024-44308 allows remote code execution through maliciously crafted web content, and CVE-2024-44309 enables cross-site scripting attacks. Both vulnerabilities were discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group. And while Apple has not disclosed how the exploits were used, it confirmed that the flaws have been addressed in macOS Sequoia 15.1.1, as well as updates for iOS, iPadOS and visionOS. These fixes bring Apple's total number of patched zero-days in 2024 to six, a marked improvement compared to 2023, when the company addressed 20 such vulnerabilities. Security researchers recommend users update their devices immediately to mitigate potential risks.

And finally, Google's AI-powered fuzzing tool, OSS-Fuzz, has identified over 26 previously undetected vulnerabilities, including a critical flaw in the OpenSSL library, CVE-2024-9143. This bug, reportedly present for two decades, highlights the transformative potential of these large language models in security research. OSS-Fuzz uses fuzzing techniques, injecting random data into software to uncover errors that traditional human-driven fuzzing might miss. According to Google's Open Source Security team, this AI tool has discovered vulnerabilities in widely used software like OpenSSL and the cJSON project, demonstrating its ability to detect complex bugs that could evade human scrutiny. Introduced in 2023, OSS-Fuzz has progressively automated more steps in the fuzzing process, now handling the first four phases of vulnerability detection, including drafting fuzz targets, resolving compilation issues and triaging crashes. Google plans to further enhance the tool by enabling it to generate vulnerability patches, aiming for a fully automated workflow. AI-driven tools like OSS-Fuzz are gaining traction across the industry. Google's separate LLM-based tool Big Sleep recently found a memory-safety flaw, and Protect AI's Vulnhuntr has uncovered zero-day vulnerabilities in Python projects. These advancements signal a shift in cybersecurity as researchers increasingly rely on AI to preemptively address threats that may already be exploited by malicious actors.

And that's our show for today. Thanks to our sponsors, CDW and KJ Burke's CDW Canada Tech Talks. Check it out if you get the chance. You can find it, like us, on Spotify, Apple or wherever you get your podcasts. You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Google's AI-Driven Fuzz Tool Uncovers Decades-Old Vulnerability
Episode Details
Overview: In this segment, Jim Love covers two phishing tactics on the rise: two-step phishing that uses Microsoft Visio files, and attacks that arrive as Scalable Vector Graphics (SVG) attachments. Both are built to slip past automated scanning by exploiting human trust and error rather than a software flaw.
Key Points:
Two-Step Phishing with Visio Files: Attackers embed malicious URLs in Microsoft Visio (VSDX) files, a format commonly used for data visualization and therefore rarely blocked. The process involves:
1. A seemingly legitimate email carrying a business proposal or purchase order.
2. A link in that email to a compromised Microsoft SharePoint page hosting the Visio file.
3. A second clickable URL inside the Visio file that redirects to a fake Microsoft 365 login page built to harvest credentials.
4. Instructions to hold down the Control key while clicking, a step intended to defeat automated link scanners.
SVG Attachment Exploits: SVG files can carry JavaScript or render a credential-stealing form that mimics an Excel spreadsheet. Because they describe shapes with mathematical formulas rather than pixels, many security products do not treat them like ordinary image attachments, and embedded JavaScript can redirect the user to a malicious site as soon as the file is opened.
Recommendations:
Visio files: Treat unexpected instructions such as "hold Ctrl and click" as a red flag, and verify the sender and the context of the email.
SVG attachments: Treat them as suspicious, especially where they are uncommon in your workflow, and verify the sender's identity and intent before opening them.
Safeguards: Pair these habits with technical controls such as two-factor authentication and robust email security.
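The two attachment types described above can be triaged statically before a user ever opens them. The Python below is an added example written for this page, not code from the podcast, Perception Point or any vendor: it parses an SVG for script elements, event-handler attributes, javascript:/data:/vbscript: hrefs and embedded HTML, and opens a Visio .vsdx package (an ordinary zip of XML parts) to pull out every external hyperlink for a reputation check. The SVG sample, the miniature package built by build_sample_vsdx(), and the .invalid hostnames are constructed for the demonstration; the .vsdx sample reproduces only the parts that matter here, not a complete Visio package layout.

```python
"""Static triage of SVG and Visio (.vsdx) mail attachments. Added example, not
code from the podcast or any vendor; hostnames below are constructed."""
import re
import zipfile
from io import BytesIO
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

MAX_BYTES = 5 * 1024 * 1024
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Schema hosts found in every Office package and most SVGs; these are not link targets.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                "www.w3.org", "purl.org", "schemas.xmlsoap.org"}
ACTIVE_ELEMENTS = {"script": "<script> element",
                   "foreignobject": "<foreignObject> (embedded HTML)",
                   "input": "HTML <input> control (fake form)"}


def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]          # '{ns}script' -> 'script'


def _link_targets(values) -> list:
    """URLs in attribute values or text, ignoring schema namespaces."""
    return [url for v in values for url in URL_RE.findall(v or "")
            if (urlsplit(url).hostname or "") not in SCHEMA_HOSTS]


def scan_svg(data: bytes) -> dict:
    """Flag script, event handlers, script-scheme hrefs and embedded HTML."""
    findings, urls = [], []
    if len(data) > MAX_BYTES or b"<!DOCTYPE" in data.upper():
        # xml.etree expands internal entities, so a DOCTYPE is not parsed here
        return {"findings": ["oversized or DOCTYPE present; held for review"], "urls": urls}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"findings": [f"malformed XML: {exc}"], "urls": urls}
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(ACTIVE_ELEMENTS[tag])
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            if aname.startswith("on"):            # onload, onclick, ...
                findings.append(f"event handler {aname} on <{tag}>")
            scheme = value.strip().lower().split(":", 1)[0]
            if aname == "href" and scheme in ("javascript", "vbscript", "data"):
                findings.append(f"{scheme}: URI in href of <{tag}>")
        urls += _link_targets(list(el.attrib.values()) + [el.text])
    return {"findings": findings, "urls": sorted(set(urls))}


def scan_vsdx(data: bytes) -> dict:
    """Collect link targets from every XML/rels part of a Visio OPC package."""
    findings, urls = [], []
    try:
        zf = zipfile.ZipFile(BytesIO(data))
    except zipfile.BadZipFile:
        return {"findings": ["not a zip/OPC package"], "urls": urls}
    if sum(i.file_size for i in zf.infolist()) > MAX_BYTES:
        return {"findings": ["inflates past limit; possible zip bomb"], "urls": urls}
    for name in zf.namelist():
        if not name.lower().endswith((".xml", ".rels")):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            findings.append(f"malformed part {name}")
            continue
        for el in root.iter():
            if _local(el.tag) == "Relationship":  # hyperlinks use TargetMode="External"
                if el.get("TargetMode", "").lower() == "external":
                    urls += _link_targets([el.get("Target", "")])
                continue
            urls += _link_targets(list(el.attrib.values()) + [el.text])
    return {"findings": findings, "urls": sorted(set(urls))}


def verdict(result: dict) -> str:
    """Gateway decision: active content -> quarantine, external links -> review."""
    if result["findings"]:
        return "quarantine"
    return "review" if result["urls"] else "allow"


# Constructed sample: a fake "spreadsheet" SVG with a handler, a script and a form.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<text onclick="location=\'https://login.example.invalid\'">Invoice.xlsx</text>'
              b'<a xlink:href="javascript:void(0)"><text>Open</text></a><foreignObject>'
              b'<div xmlns="http://www.w3.org/1999/xhtml"><input type="password"/></div></foreignObject>'
              b'<script>window.top.location = "https://login.example.invalid/m365";</script></svg>')


def build_sample_vsdx() -> bytes:
    """Constructed stand-in for a .vsdx: a zip holding one page part and its rels part."""
    page = (b'<PageContents xmlns="http://schemas.microsoft.com/office/visio/2012/main"><Shapes>'
            b'<Shape ID="1"><Text>Purchase order - click to view</Text><Section N="Hyperlink">'
            b'<Row N="Row_1"><Cell N="Address" V="https://po-share.example.invalid/Visio.vsdx"/>'
            b'</Row></Section></Shape></Shapes></PageContents>')
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" TargetMode="External" Target="https://login-m365.example.invalid/auth"'
            b' Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
            b'</Relationships>')
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", page)
        zf.writestr("visio/pages/_rels/page1.xml.rels", rels)
    return buf.getvalue()
```

Calling verdict(scan_svg(SAMPLE_SVG)) returns "quarantine" with five findings, while verdict(scan_vsdx(build_sample_vsdx())) returns "review" with the two embedded URLs, which matches the episode's advice: active content in an image file is blocked outright, and a Visio file that merely carries links is held until the sender and context are verified. Two caveats: xml.etree still expands internal entities, so the scanner refuses files with a DOCTYPE rather than parse them (use defusedxml where those must be handled), and the "hold Ctrl and click" instruction lives in the email body, not the attachment, so that signal belongs in the mail-body rules.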
Overview: Finastra, a global financial technology firm that serves 45 of the world's top 50 banks, is investigating a major breach of its internal file transfer platform in which more than 400 gigabytes of customer data were exfiltrated and then offered for sale on dark web forums. The incident underscores the persistent targeting of financial institutions and their suppliers.
Key Points:
Timeline: A cybercriminal using the handle abyss0 began advertising the data in late October, first at $20,000 and later at $10,000; Finastra's security team detected suspicious activity on November 7 and notified affected customers immediately.
Root Cause: Investigations point to compromised credentials. Finastra states that no malware was deployed and that no files beyond the exfiltrated data were accessed.
Response: The compromised platform has been replaced with a secure alternative, the company is still identifying affected customers, and its chief information security officer is working with client security teams and sharing indicators of compromise.
Open Questions: The seller has since vanished and their Telegram and BreachForums accounts have been closed, leaving the breach's resolution unclear.
Historical Context: Finastra suffered a ransomware attack in 2020 that disrupted operations but reportedly did not result in a ransom payment.
Overview: Cape, a privacy-focused telecom service, launches today, offering public figures, executives, journalists and activists a way to use mobile networks with minimal data collection in the face of government surveillance and state-sponsored attacks.
Key Points:
Service Features: Runs on the US Cellular network with proprietary software that limits data collection; stores only essential subscriber information, and only for 60 days; and lets users rotate identifiers such as device and advertiser IDs on demand, so apps and data brokers have a harder time tracking and monetizing them. Cape's own handset, a standard Android phone with modified data settings, is optional: customers can bring their own phone and port their number, with updates delivered via eSIM.
Leadership: CEO John Doyle is a former Palantir executive and U.S. Army Special Forces sergeant; the service was tested with national security professionals, government officials and privacy advocates.
Target Audience: Initially high-risk individuals; some plans cost as much as $1,000 per month.
Future Plans: Cape is working on more affordable pricing for groups such as journalists and domestic violence survivors and plans to expand to the general public next year at competitive prices.
Overview: Apple has released emergency updates for two zero-day vulnerabilities in the JavaScriptCore and WebKit components of macOS Sequoia that were exploited in attacks against Intel-based Macs.
Key Points:
Vulnerability Details: CVE-2024-44308 allows remote code execution through maliciously crafted web content; CVE-2024-44309 enables cross-site scripting attacks.
Discovery: Both flaws were reported by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group. Apple has not disclosed how the exploits were used.
Fixes: Addressed in macOS Sequoia 15.1.1, with corresponding updates for iOS, iPadOS and visionOS. These bring Apple's count of patched zero-days in 2024 to six, compared with 20 in 2023.
Recommendation: Update affected devices immediately; WebKit flaws are reachable from any web content the device renders.
Overview: Google's AI-assisted fuzzing work in OSS-Fuzz has identified 26 previously undetected vulnerabilities, including CVE-2024-9143 in OpenSSL, a bug reportedly present for two decades.
Key Points:
How It Works: Fuzzing feeds malformed or random data to software to trigger errors; the AI component drafts the fuzz targets that drive this, reaching code that human-written harnesses had missed.
Notable Vulnerabilities Found: CVE-2024-9143 in OpenSSL and a bug in the cJSON project.
Automation and Future Enhancements: Since the AI-assisted workflow was introduced in 2023 it has taken over the first four stages of the process, including drafting fuzz targets, fixing compilation problems and triaging crashes; Google plans to add automatic patch generation toward a fully automated workflow.
Industry Impact: Google's separate LLM-based tool Big Sleep recently found a memory-safety flaw, and Protect AI's Vulnhuntr has uncovered zero-days in Python projects, signs that researchers increasingly rely on AI to find bugs before attackers do.
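To make the fuzzing stages named above concrete, here is an added example, not OSS-Fuzz or any Google code: a small mutation-based fuzzer in Python that drives a constructed record parser with a planted length-trust bug, separates the parser's intended rejections (ValueError) from real crashes, buckets crashes by exception type and faulting line, and shrinks each reproducer. The target, its bugs and the seed record are constructed for the demonstration; OSS-Fuzz works on native code with coverage-guided engines such as libFuzzer, and this loop omits coverage feedback.

```python
"""Mutation fuzzing with crash bucketing and reproducer minimisation. Added
example, not OSS-Fuzz code; the target and its bugs are constructed."""
import random
import traceback

EXPECTED = (ValueError,)      # errors the parser raises on purpose: not bugs


def parse_records(data: bytes) -> list:
    """Parse <tag><len><payload><checksum> records. Trusts `len` (planted bug)."""
    records, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]        # bug: no room check for the len byte
        payload = data[i + 2:i + 2 + length]
        checksum = data[i + 2 + length]           # bug: len may point past the end
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")      # deliberate rejection, not a crash
        records.append((tag, payload))
        i += 3 + length
    return records


def crash_key(target, data: bytes):
    """(exception name, line) of a crash, or None if the input is handled."""
    try:
        target(data)
    except EXPECTED:
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return (type(exc).__name__, frame.lineno)
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, boundary byte, insert, delete or truncate."""
    buf, op = bytearray(data), rng.randrange(5)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice((0, 1, 0x7F, 0x80, 0xFF, rng.randrange(256)))
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1) -> dict:
    """Run mutated seeds through target; keep the first reproducer per crash bucket."""
    rng, crashes = random.Random(seed), {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        key = crash_key(target, sample)
        if key is not None:
            crashes.setdefault(key, sample)       # same (type, line) -> same bug
    return crashes


def minimize(target, sample: bytes) -> bytes:
    """Drop bytes one at a time while the same crash bucket is still hit."""
    key, i = crash_key(target, sample), 0
    while i < len(sample):
        shorter = sample[:i] + sample[i + 1:]
        if crash_key(target, shorter) == key:
            sample = shorter
        else:
            i += 1
    return sample


SEED = b"\x01\x03abc\x26"     # one valid record: tag 1, payload "abc", checksum 0x26

if __name__ == "__main__":
    for key, sample in fuzz(parse_records, [SEED]).items():
        print(key, sample, "->", minimize(parse_records, sample))
```

Run it and the loop reports two buckets, both IndexError, one for a dangling tag byte at the end of the input and one for a length field that points past the end of the buffer; minimize() shrinks a reproducer such as b"\x01\xffabc\x26" to b"c\x26". The bucketing step is what the episode calls triage: without it, thousands of crashing inputs look like thousands of bugs, and the ValueError filter is what keeps intended input validation from being reported as one.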
In this episode of Cybersecurity Today, host Jim Love provides an in-depth analysis of the evolving cybersecurity landscape. From sophisticated phishing techniques and significant data breaches to groundbreaking AI tools uncovering long-hidden vulnerabilities, the discussions underscore the relentless advancements in both cyber threats and defenses. The insights shared emphasize the critical need for organizations and individuals to stay informed and adopt robust security measures to navigate an increasingly perilous digital environment.
Stay Informed: For more detailed reports and additional information, visit technewsday.com. Engage with the community by sharing your comments, tips and constructive feedback.
Thank you for tuning into Cybersecurity Today. Stay safe and secure!