Week 24th July - 28th July 2023 (Week 30)

:tada: Welcome to this edition of ‘This Week in Cybersecurity’ where we explore a common subject that affects us all: cybersecurity and privacy in the digital age. :tada:

:lock: Delve into these short summaries to stay informed on the latest cybersecurity trends of the week. Here are some interesting questions we have for you: have you updated to the latest apple updates? What are your thoughts on the Online Safety Bill? :newspaper:

Leave your comment below and let’s start a conversation. :partying_face:

1. Major security flaw discovered in Metabase BI software - urgent update required

Metabase users are advised to update to the latest version due to the discovery of an “extremely severe” flaw that could result in pre-authenticated remote code execution on affected installations. The issue, which is tracked as CVE-2023-38646, is seen to affect open source editions prior to and Metabase enterprise versions before The vulnerability is linked to the JDBC connection issue in the API endpoint, enabling an SQL injection attack to obtain a reverse shell on the system. Users are advised to apply patches immediately to secure their system.

Date: Jul 28, 2023
Source: The Hacker News
Author: THN
Tag: Software Security, Vulnerability

2. GameOver(lay): Two server Linux vulnerabilities impacted 40% of ubuntu users

Cybersecurity researchers, Wiz, have discovered two high-severity security flaws in Ubuntu kernels that could lead to a local privilege escalation attack. These vulnerabilities called GameOver(lay) are said to have the potential to affect 40% of Ubuntu servers, especially those OS in cloud environments.The flaws are found in the OverlayFS module and stem from inadequate permissions checks, thereby enabling a local attacker to gain privilege attack. Ubuntu fixed the vulnerabilities on July 24th, 2023. Wiz CTO emphasised that the subtle changes introduced in the Linux kernel by Ubuntu could have unforeseen implications.

Date: Jul 27, 2023
Source: The Hacker News
Author: THN
Tag: Vulnerability, Cyber Risk/Cyber Threats

3. The U.K. government is very close to eroding encryption worldwide

The U.K Parliament is moving forward with the Online Safety Bill which gives the British government the ability to backdoor into messaging services and destroy end-to-end encryption. Despite the resistance from various groups, the amendments that would address the most concerning aspect of the bill have not been accepted. Companies like Whatsapp, Element and Signal have echoed concerns regarding the dangerous precedents of the bill on privacy, security, and democracy when passed, which will have implications beyond U.K. borders. Survey showed that the majority of U.K. citizens want the highest level of security and privacy in their messaging apps.

Date: Jul 26, 2023
Source: EFF
Author: Joe Mullin
Tag: Data Privacy, Encryption

4. Dark web markets offer new FraudGPT AI tool

After discovering WormGPT, a ChatGPT-like bot that creates phishing messages and malware, another generative AI tool FraudGPT has been identified by cybersecurity experts. It has been circulating in the dark web since July 22, 2023. FraudGPT is involved in crafting spear-phishing emails, undetectable malware, generating phishing pages, identifying vulnerable websites and even giving hacking tutorials. Experts are concerned that generative AI tools provide criminals the ability to operate at greater speed and scale. Therefore, in order to mitigate such threats it is required to have better security awareness, phishing and behaviour training.

Date: Jul 26, 2023
Source: Infosecurity Magazine
Author: Alessandro Mascellino
Tag: Cyber Risk/Cyber Threats, AI

5. Apple rolls out urgent patches for zero-day flaws impacting iPhones, iPads and Macs

Apple has rolled urgent security patches to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities including one zero-day flaw exploited in the wild. The flaw, tracked as CVE-2023-38606, allows malicious apps to potentially modify sensitive kernel state. This flaw is the third security vulnerability in connection with Operation Triangulation which is a mobile espionage campaign targeting iOS devices. In order to mitigate against such threats, don’t forget to update to the latest version: iOS 16.6, iPadOS 16.6, macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, tvOS 16.6, watchOS 9.6.

Date: Jul 25, 2023
Source: The Hacker News
Author: THN
Tag: New Releases, Vulnerability

6.EU governments reject requiring manufacturers to report vulnerabilities to central cyber agencies

The European Union (EU) governments rejected a proposal that requires manufacturers to report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA). Instead they proposed the amended Cyber Resilience Act (CRA) which calls for manufacturers to disclose the vulnerabilities to the National Computer Security Incident Response Team (CSIRT) of the country they’re based in, who will then share the information through a new intelligence sharing platform maintained by ENISA. The main purpose of this is to address concerns about ENISA stockpiling information, becoming a target for hostile states and criminals. This will be debated in the European Parliament later this year.

Date: Jul 24, 2023
Source: The Record
Author: Alexander Martin
Tag: Cyber Risk/Cyber Threats, Vulnerability


:tada: That concludes the ‘This Week in Cybersecurity’ roundup. We hope these curated short summaries will help you stay informed on the latest trend and encourage you to implement the best security practices in the digital world. :newspaper:

Don’t hesitate to share any interesting articles you come across in the ‘In the News’ category of the Passbolt community forum. :heart:

We handpick the most interesting article/articles of the week to be featured in our monthly video edition of “This Month in Cybersecurity” :video_camera: :partying_face:

Cast your vote below for the article(s) you’d like to see featured in the video: :white_check_mark:

  • :one: Metabase BI software flaw
  • :two: GameOver(lay)
  • :three: Online Safety Bill
  • :four: FraudGPT
  • :five: Apple security updates
  • :six: ENISA
0 voters

Hi Community members

All around the world the internet is going to be changing for the worse if we don’t fight to keep it free!

Make sure you are following your countries internet laws and take action!

If in the USA; Tell your representatives to vote no on the current internet safety bills!

They will change the way US citizen are able to use the internet. Freedoms will disappear!

These bills are dangerous for the USA and I urge you to take action! Tell your friends!

The below links will find your US representatives and then send an email to them (easy-peasy):

If you are in the UK; tell your representatives to vote No:
This bill is a threat to internet privacy around the world!