In today’s cybersecurity news…
Security initiative from Japanese auto companies
Dozens of companies in the Japan Automotive Information Sharing and Analysis Center signed on to a collaborative initiative to improve cybersecurity for automobiles. These include industry heavyweights like Toyota and Mazda, parts manufacturers Aisin and Denso, and component supplier Hitachi. Their initial proposal would standardize software bills of materials (SBOMs) between companies. The idea is to make it easier to determine which vulnerable components are present across connected cars. The group began working with the Japan Automobile Manufacturers Association to assess practical issues with the proposal, with hopes to adopt the standard as early as fiscal 2025.
Feds tapping into encrypted messaging haul
According to a review of court records by 404 Media, US law enforcement agencies have ramped up their use of encrypted chat messages from a trove that European agencies obtained from the phone company Sky back in 2021. Records show no indication that US agencies have bulk access to this data; rather, they received messages from European partners for particular people under investigation. It’s unclear how authorities obtained this trove of messages, but Sky itself claimed someone created a fake version of the app and sold phones loaded with it on “unauthorized channels.” The cases profiled by 404 Media all involved prosecutions for narcotics smuggling and distribution.
Microsoft breaks Linux dual-boot systems
File this under “This is why we can’t have nice things.” Last week, Linux users reported boot failures on machines running both Linux and Windows. This came as a result of issues with a patch to a two-year-old Secure Boot bypass vulnerability on devices with the open-source GRUB bootloader installed. Microsoft said the update would only install an SBAT revocation, which blocks the boot-path components causing the issue, on systems with only Windows installed, but multiple Linux distributions dual-booted with Windows, including Debian, Ubuntu, and my beloved Puppy Linux, saw boot issues. Disabling Secure Boot or deleting the SBAT revocation Microsoft pushed in the update remediates the issue, but so far Microsoft has not commented on it.
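To see why a Windows-pushed SBAT revocation can stop an older GRUB from booting, here is an added worked check (not code from the page, from Microsoft, or from any distribution). It assumes the public SBAT design from the shim project: a binary carries a CSV section of component names and generation numbers, a revocation policy lists a minimum generation per component, and a binary is refused when any of its components declares a generation below the policy's minimum. The SBAT strings below are constructed samples, and the "grub.example" distro entry and URLs are placeholders.

```python
"""Worked check of how an SBAT revocation entry blocks a boot component.

Added example, not code from the page or any vendor. The SBAT row layout
(component,generation,vendor metadata...) and the comparison rule follow the
shim project's SBAT design; all sample strings here are constructed.
"""


def parse_sbat(text):
    """Parse an SBAT CSV blob into {component: generation}.

    Only the first two columns take part in revocation decisions; the
    remaining columns are vendor metadata and are ignored here.
    """
    entries = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT row: {line!r}")
        name = fields[0].strip()
        try:
            generation = int(fields[1])
        except ValueError:
            raise ValueError(f"non-integer generation in row: {line!r}") from None
        entries[name] = generation
    return entries


def revoked_components(binary_sbat, policy_sbat):
    """Return [(component, binary_generation, required_generation), ...]
    for every component of the binary that the policy would block.

    A component is blocked when the policy names it with a generation
    greater than the one the binary declares. Components the policy does
    not name are unaffected, which is why a Windows-only machine never
    notices the revocation while an older GRUB next to it does.
    """
    binary = parse_sbat(binary_sbat)
    policy = parse_sbat(policy_sbat)
    blocked = []
    for name, generation in binary.items():
        if name == "sbat":
            continue  # header row: carries the format version, not a component
        required = policy.get(name)
        if required is not None and generation < required:
            blocked.append((name, generation, required))
    return blocked


# Constructed sample: an older GRUB build declaring generation 3 for the
# upstream "grub" component, plus a distro-specific entry.
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://example.invalid/grub
grub.example,1,Example Distro,grub2,2.06-1,https://example.invalid/grub2
"""

# The same build after a fix that bumps the upstream generation to 4.
PATCHED_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,3,", "grub,4,")

# Constructed revocation policy raising the floor for shim and grub.
REVOCATION_POLICY = """\
sbat,1,2024010900
shim,4
grub,4
"""


def main():
    for label, blob in (("old grub", OLD_GRUB_SBAT),
                        ("patched grub", PATCHED_GRUB_SBAT)):
        blocked = revoked_components(blob, REVOCATION_POLICY)
        if blocked:
            for name, have, need in blocked:
                print(f"{label}: {name} generation {have} < required {need}: boot refused")
        else:
            print(f"{label}: no revoked components: boot proceeds")


if __name__ == "__main__":
    main()
```

Running it shows the old build refused on the "grub" row and the patched build allowed, which is the same comparison firmware-side shim performs once a revocation update has raised the minimum generation. On a real system the installed policy and a bootloader's own SBAT section are what you would compare; the blobs above are stand-ins.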
Microchip Technology hit by cyberattack
The US chipmaker reported to the Securities and Exchange Commission that “potentially suspicious activity” over the weekend inhibited the use of “certain servers and some business operations.” As of this recording, it says it’s still operating “at less than normal levels,” with order volume impacted. Its response to the incident sounds bog-standard: isolating impacted systems, shutting down services, and calling in third-party experts to help investigate. No other specifics on who orchestrated the attack, but we’ll follow up as more details come to light.
Huge thanks to our sponsor, Nudge Security

Bypass flaw discovered on GitHub Server
GitHub disclosed a vulnerability in its Enterprise Server that opens the door for an attacker to “forge a SAML response to provision and/or gain access to a user account with site administrator privileges.” GitHub released patches for the issue going back to version 3.10. The company cautioned that admins may see errors in the configuration process after applying the update, but that instances will still boot correctly. There are currently over 36,000 GitHub Enterprise Server instances exposed online, but it’s not clear how many remain vulnerable.
More North Korean-linked malware
Two items of note. Elastic Security Labs detailed a new macOS malware called TodoSwift, which uses the same C2 domain as the known North Korean threat actor BlueNoroff. This malware targets crypto firms with a signed PDF named TodoTasks, which fetches a further malware payload when opened, ultimately in the hopes of draining crypto wallets.
Cisco Talos documented a separate malicious cyber campaign from the group UAT-5394, which shows overlap with the North Korean group Kimsuky. This uses a remote access trojan called MoonPeak, a variant of the open-source Xeno RAT with the added abilities to load plugins, start and stop processes, and communicate with a C2 server. Talos research sees signs of active development of MoonPeak, and shows that North Korean threat actors are increasingly using their own infrastructure rather than weaponizing cloud services.
Poisoning LLMs to create insecure code
At the USENIX Security Symposium, a team of academic researchers presented details of CodeBreaker, a set of techniques to poison large language model training sets to make them more likely to suggest vulnerable code. This saw the researchers systematically create code samples that don’t register as malicious with static analysis tools. This builds on previous research that used malicious code in comments and split workloads to introduce vulnerabilities to the training set. Of course, this kind of poisoning isn’t new. Research has previously found malicious code popping up in StackOverflow tutorials. And given the lack of quality control when ingesting code scraped from the internet, vulnerable code suggestions are already a reality in these training sets.
QNAP adds ransomware protection
We’ve covered a lot of ransomware stories involving attacks on QNAP NAS devices over the years. In response, the company added a new Security Center to the latest version of its QTS operating system, which looks for suspicious file operations in order to stop ransomware attacks in progress. Users can set the device to automatically switch to read-only mode or create a snapshot when such activity is detected. The company already recommended that customers disable port forwarding and UPnP to protect against ransomware.