Claire Aird
A radio equipment vulnerability can bring trains to sudden stops. Researchers prevent a Lazarus crypto attack, Spain hands Huawei control over its phone wiretapping system, and CISA warns of ongoing Citrix Bleed 2 attacks. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 14th of July, and this podcast episode is brought to you by Zero Networks. The emergency brakes on North American trains can be activated via radio without authorisation. The issue impacts equipment mounted on the last car. Known as an end-of-train device, the EOT lets engineers remotely test brake pressure and apply emergency brakes. The communications protocol lacks authentication, and the signals can be easily generated with software-defined radios. Security researcher Neil Smith discovered the issue in 2012 and has since been urging for it to be addressed. The Association of American Railroads has announced plans to replace the equipment. According to Smith, the replacement may cost between $7 and $10 billion. In other news, Huawei has been contracted to manage the Spanish government's phone wiretapping infrastructure. Spain awarded the contract to Huawei despite US and EU concerns about the Chinese government's control over the company. Huawei has been excluded from the 5G infrastructure of many European countries due to concerns about espionage and national security. The French government has launched a criminal investigation into X over alleged manipulation of its algorithms. The social media platform has been accused of changing its algorithm to spread hateful and racist content designed to skew democratic debate in France. Authorities say the manipulation is considered foreign interference. A team of security researchers has foiled a supply chain attack against the cryptocurrency community. A backdoor in thousands of smart contracts could have allowed hackers to steal more than $10 million worth of assets.
Researchers worked with crypto companies to move funds last week before the attackers could exploit the issue. The team believes North Korean hackers were behind the backdoor. Meantime, the MoonPay cryptocurrency exchange has fallen victim to a BEC scam. The exchange sent $250,000 to scammers who were impersonating the Donald Trump inaugural committee and seeking donations. The FBI recovered 16% of the funds. A hacker has stolen $2.2 million worth of crypto assets from the Texture DeFi platform. Texture says it was able to negotiate with the hacker and recover 90% of the funds the following day. The hacker kept the rest as a bug bounty reward. A hacker has also returned stolen assets from the GMX cryptocurrency platform. GMX allowed the hacker to keep $5 million worth of assets as a bug bounty. The company offered the reward last week after losing $42 million following a smart contract exploit. GMX promised not to pursue charges if the hacker returned 90%. Suspected Chinese hackers have breached the email service of a law firm in Washington, D.C. Wiley Rein notified its clients last week and attributed the intrusion to hackers affiliated with the Chinese government. Wiley Rein represents clients in regulatory and transnational cases, and many of its lawyers have held positions within the US Government. A Russian national has been extradited from Indonesia to face cybercrime charges in Moscow. Alexander Zveryev allegedly spent years selling Russian citizen data on Telegram before fleeing the country in 2022. Russian officials claim Zveryev sourced the information from government and code databases. 71 people have been sentenced to prison in Thailand for their involvement in a cyber scam operation. The group included 52 Chinese and 19 Thai nationals. They were detained in March last year. Authorities describe the group as the country's biggest cyber scam gang to date. The gang's leaders each received sentences of 24 years.
A crypto scammer has been sentenced to an additional 12 years in a US prison after failing to pay back a victim. Nicholas Truglia was initially sentenced to 18 months. In 2022, he used a SIM swapping attack to steal more than $20 million worth of crypto assets from a single victim. US officials said that Truglia is worth $53 million. CISA says hackers are actively exploiting the Citrix Bleed 2 vulnerability. Last week, it gave federal agencies only a single day to patch the flaw. CISA typically allows three weeks for patches to be implemented. Security researchers have published proof-of-concept code for a major vulnerability in Fortinet FortiWeb firewalls. The bug is a pre-authentication SQL injection in the device's web interface. It allows attackers to inject malicious code in the authentication header and take over the firewall. Fortinet released security updates last week. Motherboard manufacturer Gigabyte has failed to patch four vulnerabilities in its UEFI firmware. The flaws can allow attackers to take over the highly privileged System Management Mode, according to the Carnegie Mellon University CERT. Gigabyte failed to implement patches from upstream vendor AMI. The initial vulnerabilities were discovered by firmware security company Binarly. AMD has patched four new side channel attacks in its processors. The vulnerabilities were discovered last year by Microsoft. Microsoft developed a tool that would test micro-architectural isolation between virtual machines, the kernel, and OS processes. Affected CPUs include AMD's EPYC, Ryzen and Athlon series. The Rowhammer attack has been adapted for use on GPU memory. The modified attack can trigger bit flips in graphics processor memory and tamper with another user's data in shared GPU environments. The attack was successfully demonstrated against GPUs that were used for AI. It sabotaged a model and reduced its accuracy from 80% to almost zero.
And finally, Microsoft has replaced JScript with a new scripting engine. JScript9Legacy is now the default scripting engine in Windows 11 for versions 24H2 and later. Microsoft says the new engine uses more modern standards and includes more security features. The original JScript has been the default script engine in Windows since the mid-1990s. And that is all for this podcast edition. Today's show was brought to you by Zero Networks. Find them at zeronetworks.com. Thanks for your company.
Podcast Information:
In the July 14, 2025 episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on pressing cybersecurity issues affecting various sectors. This edition covers vulnerabilities in railway systems, significant cybersecurity incidents, governmental decisions impacting tech infrastructure, and recent developments in cybercrime and defense mechanisms.
Key Issue:
A critical vulnerability in radio equipment has been identified that can cause North American trains to halt unexpectedly.
Quote:
Neil Smith emphasized the gravity of the issue, stating, "The replacement may cost between $7 and $10 billion" (02:30).
Key Issue:
Despite international concerns, Spain has awarded Huawei a contract to manage its phone wiretapping infrastructure.
Quote:
Claire Aird highlights the controversy: "Spain awarded the contract to Huawei despite US and EU concerns about the Chinese government's control over the company" (04:15).
Key Issue:
The French government is investigating the social media platform X for allegedly altering its algorithms to disseminate hateful and racist content.
Quote:
Claire Aird reports, "The social media platform has been accused of changing its algorithm to spread hateful and racist content designed to skew democratic debate in France" (06:00).
Overview:
Security researchers have successfully thwarted a supply chain attack targeting the cryptocurrency sector.
Quote:
Claire Aird explains, "A team of security researchers have foiled a supply chain attack against the cryptocurrency community" (07:20).
Overview:
MoonPay cryptocurrency exchange fell victim to a Business Email Compromise (BEC) scam.
Quote:
Claire Aird notes, "The FBI recovered 16% of the funds" (09:10).
Overview:
A significant breach resulted in the theft of $2.2 million worth of crypto assets from the Texture DeFi platform.
Quote:
Claire Aird states, "Texture says it was able to negotiate with the hacker and recover 90% of the funds" (10:45).
Overview:
A hacker returned stolen assets to the GMX cryptocurrency platform after initially exploiting a smart contract vulnerability.
Quote:
Claire Aird mentions, "GMX allowed the hacker to keep $5 million worth of assets as a bug bounty" (12:00).
Overview:
A cyberattack breached the email service of a prominent law firm in Washington, D.C.
Quote:
Claire Aird reports, "Suspected Chinese hackers have breached the email service of a law firm in Washington, D.C." (13:30).
Overview:
A Russian national, Alexander Zveryev, has been extradited from Indonesia to Moscow to face charges related to cybercrime.
Quote:
Claire Aird states, "Alexander Zveryev allegedly spent years selling Russian citizen data on Telegram before fleeing the country in 2022" (15:00).
Overview:
Thailand sentenced 71 individuals involved in a massive cyber scam operation.
Quote:
Claire Aird highlights, "The group included 52 Chinese and 19 Thai nationals. They were detained in March last year" (16:45).
Overview:
Nicholas Truglia, a cryptocurrency scammer, has been sentenced to an additional 12 years in U.S. prison.
Quote:
Claire Aird reports, "Nicholas Truglia was initially sentenced to 18 months... In 2022, he used a SIM swapping attack to steal more than $20 million worth of crypto assets" (18:10).
Overview:
The Cybersecurity and Infrastructure Security Agency (CISA) warns of active exploitation of the Citrix Bleed 2 vulnerability.
Quote:
Claire Aird underscores the urgency, "CISA says hackers are actively exploiting the Citrix Bleed 2 vulnerability" (19:30).
Overview:
A severe pre-authentication SQL injection vulnerability has been discovered in Fortinet FortiWeb firewalls.
Quote:
Claire Aird notes, "Security researchers have published proof-of-concept code for a major vulnerability in Fortinet FortiWeb firewalls" (20:45).
Overview:
Motherboard manufacturer Gigabyte has failed to patch four critical vulnerabilities in its UEFI firmware.
Quote:
Claire Aird states, "Gigabyte failed to implement patches from upstream vendor AMI" (22:10).
Overview:
AMD has addressed four newly identified side channel attacks affecting its processors.
Quote:
Claire Aird explains, "AMD has patched four new side channel attacks in its processors" (23:30).
Overview:
Microsoft has deprecated JScript in favor of a new scripting engine in Windows 11.
Quote:
Claire Aird concludes, "Microsoft has replaced JScript with a new scripting engine... including more security features" (25:00).
The July 14, 2025 episode of Risky Bulletin underscores the ever-evolving landscape of cybersecurity threats and responses. From vulnerabilities in critical infrastructure like railway systems to significant breaches in technology platforms and aggressive actions against cybercriminals, the episode provides a thorough overview of current challenges and mitigation efforts in the cybersecurity domain.
For more detailed insights and updates, listeners are encouraged to stay tuned to future episodes of Risky Bulletin.