Welcome to this edition of ‘This Week in Cybersecurity.’Together, let’s explore a topic that affects all of us: cybersecurity and privacy in the digital age.
This week’s stories cover topics ranging from a critical vulnerability in the GET VPN and how the EU Cyber Resilience Act could be used for exploitation to Meta’s ‘Pay for your Right’ approach and Apple’s security patches. These incidents are a reminder to stay vigilant and keep your software updated. Dive into these short summaries to keep yourself informed. Happy reading!
1. Cisco warns of attempted exploitation of zero-day in VPN software
Cisco has discovered a vulnerability in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS software and Cisco IOS XE software. The flaw, identified as CVE-2023-20109, could allow an attacker to execute arbitrary code and take control of the affected system or cause it to reload, resulting in a Denial of Service (DoS) condition. While the vulnerability is considered serious, experts believe that hackers would need access to an organisation’s system to exploit it, especially for hackers looking to gain access privileges in an already compromised system. Cisco has issued patches to mitigate such attacks.
| Date: | Oct 2, 2023 |
|---|---|
| Source: | The Record |
| Author: | Jonathan Greig |
| Tag: | Vulnerability, Cyber Risk/Cyber Threats |
2. EU Cyber Resilience Act could be exploited for surveillance, experts warn
A group of 50 cybersecurity professionals and academics have expressed concerns about the EU’s Cyber Resilience Act (CRA), in particular Article 11 of the CRA regarding vulnerability disclosure requirements. Article 11 requires software vendors to quickly disclose unpatched vulnerabilities to government agencies. They fear this requirement will give government agencies access to a real-time database of vulnerabilities that could be exploited to gather intelligence or monitor organisations and individuals. The experts have urged the EU to reconsider Article 11, suggesting a risk-based approach to vulnerability disclosure, prohibiting the use or sharing of disclosed vulnerabilities for intelligence or surveillance purposes, and focusing on reporting mitigatable vulnerabilities within 72 hours of countermeasures being available.
| Date: | Oct 3, 2023 |
|---|---|
| Source: | Infosecurity Magazine |
| Author: | James Coker |
| Tag: | Vulnerability, Data Privacy |
3. Microsoft Edge, Teams get fixes for zero-days in open-source libraries
Microsoft has released emergency security updates for Edge, Teams, and Skype to address two zero-day flaws in open source libraries. The first vulnerability is a heap buffer overflow in the WebP code library (libwebp) that could lead to crashes and the execution of arbitrary code. The second vulnerability is a heap buffer overflow in the VP8 encoding of the libvpx video codec library. Both vulnerabilities have been exploited in the wild, although details of these attacks are not available. Microsoft has released patches for the two open source vulnerabilities, with patches for Edge, Teams, Skype and Webp Image Extension.
| Date: | Oct 3, 2023 |
|---|---|
| Source: | Bleeping Computer |
| Author: | Sergiu Gatlan |
| Tag: | Vulnerability, Software Security |
4. Meta (Facebook/Instagram) to move to a “Pay for your Rights” approach
Meta, the parent company of Facebook and Instagram, is reportedly considering a “pay for your rights” approach for EU users. Under this model, EU users will have to pay $168 a year (€160 a year) if they don’t agree to give up their fundamental right to privacy on platforms such as Instagram and Facebook. The company has used the six words from a recent European Court of Justice (CJEU) ruling which mentioned an alternative to ads “if necessary for an appropriate fee” to support its approach. However, this approach is controversial, with strong opposition from privacy advocates who argue that fundamental rights should not be for sale. Meta may face legal challenges when taking this approach.
| Date: | Oct 3, 2023 |
|---|---|
| Source: | noyb |
| Tag: | Data Privacy, Data Protection |
5. They’ve begun: Attacks exploiting vulnerability with maximum 10 severity rating
Ransomware hackers are exploiting recently fixed vulnerabilities, including one rated 10 out of 10 and another rated 9.9. This resides in Progress Software’s file sharing application, WS_FTP Server. These vulnerabilities allow attackers to execute malicious code with high system privileges without requiring authentication, posing a threat to enterprise networks around the world. Researchers have discovered active exploitation of these vulnerabilities, with Huntress researchers stating that some threat actors are attempting to establish a permanent presence on the server. While the WS_FTP Server vulnerability may not be as widespread as the previously exploited MOVEit vulnerability, it is still advisable for admins to prioritise patching and attention to prevent potential network damage.
| Date: | Oct 4, 2023 |
|---|---|
| Source: | Ars Technica |
| Author: | Dan Goodin |
| Tag: | Ransomware, Cyber Crime |
6. Apple rolls out security patches for actively exploited iOS zero-day flaw
Apple has issued security patches for a zero-day vulnerability in iOS and iPadOS, which are being tracked as CVE-2023-42824. These vulnerabilities are being actively exploited in the wild. This kernel vulnerability could be exploited by a local attacker to elevate privileges. Apple has addressed a total of 17 actively exploited zero-day vulnerabilities in its software since the beginning of the year. Apple acknowledges this security issue and urges users to update to the latest versions, iOS 17.0.3 and iPadOS 17.0.3, to mitigate against such attacks. This latest patch comes after Apple resolved three unrelated issues exploited by Israeli spyware earlier this year.
| Date: | Oct 5, 2023 |
|---|---|
| Source: | The Hacker News |
| Author: | Newsroom |
| Tag: | Vulnerability, Cyber Risk/Cyber Threats |
7. GitHub’s Secret Scanning feature now covers AWS, Microsoft, Google, and Slack
GitHub has announced it is expanding its secret scanning feature to include validity checks for tokens used with popular services such as Amazon Web Service (AWS), Google, Microsoft, and Slack. The feature will alert users if exposed tokens found through secret scanning are active, helping to ensure effective remediation. The development comes as Amazon announced that it will make MFA mandatory for ‘root’ AWS accounts by mid-2024. GitHub’s move to improve security follows its earlier expansion of secret scan alerts for all public repositories and its push protection feature, which helps developers secure their code by scanning for highly identifiable secrets before it is pushed.
| Date: | Oct 5, 2023 |
|---|---|
| Source: | The Hacker News |
| Author: | Newsroom |
| Tag: | Software Security, New Features |
Conclusion
In conclusion, staying updated and vigilant in the world of cybersecurity is crucial to protect yourself in the digital realm.
The ‘This Week in Cybersecurity’ recap aims to keep you informed – Providing you with the knowledge and insights into this week’s news that you need to stay safe. Remember: keep an eye out for more In The News and take proactive security measures.
Connect with us and contribute any interesting articles you discover in the ‘In the News’ category of the community to earn a community badge.
Vote below: What was the most interesting article this week?
Cisco Warns: Exploitation in GET VPN
Cyber Resilience Act - Privacy Flaws
Edge patches open source libraries
Meta “pay for your rights” approach
Attacks with max severity rating
Security patches for iOS and iPadOS
Github expands Secret Scanning