Transcript
A (0:04)
Redis patches a remote code execution vulnerability. Oracle out-of-band fixes a zero-day used in a recent extortion campaign. The Medusa ransomware group was behind a recent Fortra zero-day, and India fixes a tax filing system flaw. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 8th of October and this podcast episode is brought to you by Corelight.

In today's top story, Redis has patched a 13-year-old vulnerability that could enable remote code execution attacks. It's a use-after-free bug in the Lua scripting runtime that supports eval in Redis. Lua is enabled by default. According to Google Wiz, Redis is used in 75% of all cloud environments. Its scans suggest more than 60,000 deployments are Internet-facing with no authentication. The vulnerability has a severity rating of 10 out of 10.

In other news, Oracle has released an out-of-band security update to fix a zero-day that's being exploited in the wild. The zero-day allows attackers to bypass authentication and run code on Oracle E-Business Suite platforms. The vulnerability has recently been used by hackers to steal data and extort Oracle customers. These attacks have been linked to the Clop extortion group.

The Medusa ransomware gang is behind a recent zero-day in the Fortra GoAnywhere file transfer appliance. Fortra patched the vulnerability at the end of September, more than two weeks after the attacks began. According to Microsoft, Medusa used the zero-day to steal data rather than deploy ransomware.

The Pentagon has ordered the military to reduce the amount of cybersecurity training that staff must complete. In a memo, Defence Secretary Pete Hegseth ordered departments to reduce distractions and focus on combat readiness. Training for handling of classified materiel, spotting human trafficking, and privacy and civil liberties will also be reduced.

The U.S. State Department is considering reactivating its units that combat foreign disinformation and propaganda. The department shuttered most of its efforts to counter disinformation shortly after President Donald Trump was sworn in. The Trump administration has previously characterised anti-disinformation work as censorship of conservative voices.

ICE is hiring an investigations team to find leads for arrests and deportations through social media. Almost 30 contractors will staff the new surveillance team in Vermont and Southern California, according to documents obtained by Wired. The staff will be forbidden from creating fake profiles or interacting with people online. The agency is also purchasing vehicles equipped with cell tower simulators designed to intercept nearby mobile communications.

Estonia and Ukraine will jointly train more than 500 cyber specialists. Estonia will fund the process with €1 million. Initial training sessions were held in Kyiv last month.

Russia will block foreign SIM cards for the first 24 hours after they join a mobile network. The move is designed to counter Ukrainian drone strikes. Some drones use a SIM card and Russian mobile networks to navigate while in flight.

France is investigating Apple over the company's collection of Siri voice recordings. The prosecutor's office in Paris launched an investigation following a complaint from a whistleblower. Apple subcontractor Thomas Le Bonniec said Siri conversations contained data that could identify users.

More than 40 European tech companies have signed an open letter opposing the EU's chat control proposal. The proposed law would require tech companies to carry out client-side content scanning for child sexual abuse material. Signatories say the regulation would benefit U.S. and Chinese companies, as European users may switch to alternative products.

Sports betting website DraftKings has confirmed a security breach after a credential stuffing attack last month. The company said hackers used credentials stolen from other services. DraftKings did not say how many accounts were affected.

The Indian government has fixed a leak in its tax filing system that was exposing taxpayer information, according to TechCrunch. The exposed data included full names, contact details and bank accounts. The leak was a direct object reference flaw. Simply replacing the account number was sufficient to see another user's data.

Hackers have breached a company that makes radios for the US military and law enforcement. The breach of BK Technologies occurred in late September. The company's SEC filing said it has evicted the intruder from its network.

Meantime, hackers have stolen sensitive data from electronic component distributor Avnet. The data was taken from an internal sales tool. The company says the attack did not disrupt global operations and it will notify affected customers and suppliers.

Hackers have stolen $1.7 million worth of crypto assets from DeFi lending platform Abracadabra Finance. The attacker exploited a smart contract bug that allowed them to lend more funds than they provided in collateral. Abracadabra previously lost $13 million to a hack in March and another $6.5 million in January last year.

And finally, Google has released a new AI agent to find and fix vulnerabilities in source code. CodeMender is built on top of Google's larger Gemini LLM system. Google says the agent has contributed 72 security fixes to several open source projects this year.

And that is all for this podcast edition. Today's show was brought to you by sponsor Corelight. Find them at corelight.com. Thanks for your company.
