
Severe regreSSHion Vulnerability Could Lead to System Takeover on Some Linux Servers

Data breach of Evolve Bank and Trust hits money transfer service Wise, CocoaPods flaws left macOS and iOS apps vulnerable to supply chain attacks for a decade, Zero day flaw affects popular Cisco devices, Top credit union Patelco suffered serious security incident, HubSpot confirms cyber incident, Prudential data breach affected 2.5 million, CDK Global expects to be live today by July 4, LockBit claims Croatian hospital attack, much more

Source: Qualys

Researchers at Qualys discovered a new OpenSSH unauthenticated remote code execution (RCE) vulnerability, dubbed "regreSSHion," that gives root privileges on glibc-based Linux systems and could have severe consequences for targeted servers, potentially leading to complete system takeover.

Discovered in May 2024, the flaw, assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

A Debian security bulletin explains that "If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe."

Despite the flaw's severity, Qualys says regreSSHion is hard to exploit and requires multiple attempts to achieve the necessary memory corruption.

The regreSSHion flaw impacts OpenSSH servers on Linux from version 8.5p1 up to, but not including, 9.8p1.

Versions 4.4p1 up to, but not including, 8.5p1 are not vulnerable to CVE-2024-6387 thanks to a patch for CVE-2006-5051, which secured a previously unsafe function. Versions older than 4.4p1 are vulnerable to regreSSHion unless patched for CVE-2006-5051 and CVE-2008-4109.

Qualys also notes that OpenBSD systems are not impacted by this flaw thanks to a secure mechanism introduced in 2001.

The security researchers also note that while regreSSHion likely also exists on macOS and Windows, its exploitability on these systems hasn't been confirmed. A separate analysis is required to determine if those operating systems are vulnerable.

Scans from Shodan and Censys reveal over 14 million internet-exposed OpenSSH servers, but Qualys confirmed a vulnerable status for 700,000 instances based on its CSAM 3.0 data.

Among the recommended mitigations, organizations are advised to apply the latest available update for the OpenSSH server (version 9.8p1), which fixes the vulnerability. (Bill Toulas / Bleeping Computer)
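The version ranges above translate directly into an inventory triage rule. The following is an added example (not Qualys' tooling or anything from the article) that parses the version string an OpenSSH server announces in its protocol banner and classifies it using exactly the ranges stated here: 8.5p1 up to but not including 9.8p1 is vulnerable, 4.4p1 up to but not including 8.5p1 is not, and anything older is vulnerable unless the two older CVEs were patched. The hostnames and banners in `SAMPLE_BANNERS` are constructed for the example. One caveat a practitioner should keep in mind: a banner check cannot see distribution backports, so treat "vulnerable" as a prompt to confirm against the vendor's package changelog rather than as a final verdict.

```python
import re
import socket

# Banners look like "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"; the portable
# release suffix ("p1") is absent on some builds, so it is optional here.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample inventory (hostnames and banners are not from the article).
SAMPLE_BANNERS = {
    "build-01.example.test": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "legacy-db.example.test": "SSH-2.0-OpenSSH_7.4",
    "bastion.example.test": "SSH-2.0-OpenSSH_9.8p1",
    "router.example.test": "SSH-2.0-dropbear_2022.83",
}


def parse_openssh_version(banner):
    """Return (major, minor, portable_level) from an SSH banner, or None if it is not OpenSSH."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    major, minor, portable = match.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def classify_regresshion(version, legacy_patched=False):
    """Classify a parsed version against the CVE-2024-6387 ranges given in the article.

    legacy_patched: whether a pre-4.4p1 build carries the CVE-2006-5051 and
    CVE-2008-4109 fixes (only knowable from the vendor changelog, not the banner).
    """
    if version >= (9, 8, 1):
        return "fixed"
    if version >= (8, 5, 1):
        return "vulnerable"
    if version >= (4, 4, 1):
        return "not vulnerable"
    return "not vulnerable" if legacy_patched else "vulnerable"


def triage_inventory(banners):
    """Map each host to a status string; non-OpenSSH servers are flagged for manual review."""
    results = {}
    for host, banner in banners.items():
        version = parse_openssh_version(banner)
        if version is None:
            results[host] = "unknown (not OpenSSH)"
        else:
            results[host] = classify_regresshion(version)
    return results


def read_banner(host, port=22, timeout=3.0):
    """Read the server's identification line from one of your own hosts (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", errors="replace").strip()


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_BANNERS).items():
        print(f"{host:28s} {status}")
```

`read_banner` is there so the same triage can be run against a real inventory; the sample run uses only the constructed banners so it works offline.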

The money transfer and fintech company Wise announced that some of its customers’ personal data might have been stolen in the recent data breach at Evolve Bank and Trust.

Wise said the company worked with Evolve from 2020 until 2023 “to provide USD account details.” And given that Evolve was breached recently, “some Wise customers’ personal information may have been involved.”

“We’ll be emailing all Wise customers who we think may have been affected by this data breach directly,” the company wrote.

Wise said that it shared US customers’ personal data with Evolve, information that included names, addresses, date of birth, contact details, and Social Security numbers or Employer Identification Numbers. For non-U.S. customers, Wise also shared “another identity document number.”

Affirm, EarnIn, Marqeta, Melio, and Mercury, all Evolve partners, have acknowledged that they are investigating how the Evolve breach impacted their customers. On Monday, fintech reporter Jason Mikula shared on X a notification that Branch, another Evolve partner, had sent to a customer. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Researchers from EVA Information Security report that vulnerabilities fixed last October in a “trunk” server used to manage CocoaPods, a repository for open-source Swift and Objective-C projects that roughly 3 million macOS and iOS apps depend on, went undetected for a decade, leaving thousands of macOS and iOS apps susceptible to supply-chain attacks.

When developers make changes to one of their “pods,” a term for individual CocoaPods code packages, dependent apps typically incorporate them automatically through app updates, with no interaction required by end users.

EVA said, “Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable—ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk.”

The three vulnerabilities EVA discovered stem from an insecure verification email mechanism used to authenticate developers of individual pods. The developer entered the email address associated with their pod. The trunk server responded by sending a link to the address. When a person clicks on the link, they gain access to the account.

With one vulnerability, tracked as CVE-2024-38367, an attacker could manipulate the URL in the link to make it point to a server under the attacker’s control. The server accepted a spoofed XFH (X-Forwarded-Host), an HTTP header used to identify the target host specified in an HTTP request. The EVA researchers found that they could use a forged XFH to construct URLs of their choice.

A separate vulnerability tracked as CVE-2024-38368 allowed attackers to take control of pods abandoned by their developers but continued to be used by apps.

The third vulnerability, CVE-2024-38366, allowed attackers to execute code on the trunk server.

CocoaPods maintainers disclosed and patched the vulnerabilities last October. At the time, they said they weren’t aware of any active attempts to exploit the vulnerabilities. However, they confirmed that the scenarios described by the researchers were plausible. (Dan Goodin / Ars Technica)
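The CVE-2024-38367 description above is an instance of a general web-application bug: building an account-verification link from a host value the client controls. The following added example (not CocoaPods' trunk server code or EVA's proof of concept) shows the pattern in the abstract, with the host-trusting builder next to a hardened one that derives the link from a configured canonical base and rejects requests whose `Host`/`X-Forwarded-Host` is not on an allowlist. `CANONICAL_BASE`, `ALLOWED_HOSTS`, the `/sessions/verify` path and the sample headers are all hypothetical values chosen for the example.

```python
import secrets
from urllib.parse import urlencode

# Hypothetical deployment settings; a real service would load these from config,
# never from anything in the incoming request.
CANONICAL_BASE = "https://trunk.example.test"
ALLOWED_HOSTS = {"trunk.example.test"}


def requested_host(headers):
    """Host the request claims to be for, preferring the proxy header the way many frameworks do."""
    return headers.get("X-Forwarded-Host") or headers.get("Host")


def build_verify_link_trusting_headers(headers, token):
    """The weak pattern: the link's host comes straight from client-controlled headers."""
    return f"https://{requested_host(headers)}/sessions/verify?{urlencode({'token': token})}"


def build_verify_link_hardened(headers, token):
    """Hardened form: validate the requested host, then build the link from the configured base only."""
    host = requested_host(headers)
    if host not in ALLOWED_HOSTS:
        # A mismatch means a misconfigured proxy or a forged header; either way the
        # request must not produce a link, and the event is worth logging.
        raise ValueError(f"rejected request for unexpected host {host!r}")
    return f"{CANONICAL_BASE}/sessions/verify?{urlencode({'token': token})}"


def issue_verification(email, headers):
    """Mint a fresh single-use token and return the message that would be sent to the pod owner."""
    token = secrets.token_urlsafe(32)
    return {
        "to": email,
        "link": build_verify_link_hardened(headers, token),
        "token": token,  # the server would store a hash of this, with an expiry
    }


if __name__ == "__main__":
    # Constructed request headers: a proxy header naming a host the service does not own.
    spoofed = {"Host": "trunk.example.test", "X-Forwarded-Host": "attacker.example.invalid"}
    print("trusting headers:", build_verify_link_trusting_headers(spoofed, "demo-token"))
    try:
        build_verify_link_hardened(spoofed, "demo-token")
    except ValueError as err:
        print("hardened:", err)
    print("legitimate:", issue_verification("owner@example.test", {"Host": "trunk.example.test"})["link"])
```

The key design choice is that the hardened builder never reads the host from the request at all when composing the link; the allowlist check is there only so that a forged header fails loudly instead of silently producing a link the user would never receive.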

Source: EVA Security.

Cisco and cybersecurity firm Sygnia published advisories about a newly identified zero-day vulnerability, tracked as CVE-2024-20399 and exploited by a group called Velvet Ant, that affects a popular line of Cisco devices and was used in an April attack on an unnamed large organization by state-backed hackers from China.

Sygnia incident response research manager Amnon Kushnir said, “The threat actors gathered administrator-level credentials to gain access to Cisco Nexus switches and deploy a previously unknown custom malware that allowed them to remotely connect to compromised devices, upload additional files, and execute malicious code.”

Cisco released software updates that address the vulnerability but noted that there are no workarounds. The company said its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation in April.

The vulnerability affects multiple Cisco products running a vulnerable release of Cisco NX-OS Software.

Sygnia published a blog profiling Velvet Ant, calling it a sophisticated and innovative threat actor and noting that it maintained a prolonged presence in the targeted organization’s on-premises network for about three years for espionage purposes.

One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C). After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection. (Jonathan Greig / The Record and Sygnia)

Source: Sygnia.

Over the weekend, Patelco Credit Union, one of the largest credit unions nationwide, suffered a “serious security incident,” leading to a shutdown of several banking systems.

As of Monday afternoon, critical functions such as Zelle transfers, direct deposits, and balance inquiries remained inaccessible, and debit and credit card operations were limited. (Aidin Vaziri / San Francisco Chronicle)

After rumors began circulating on social media, marketing and sales software giant HubSpot confirmed that it’s investigating a cybersecurity incident.

HubSpot’s chief information security officer, Alyssa Robinson, said the company “identified a security incident that involved bad actors targeting a limited number of HubSpot customers and attempting to gain unauthorized access to their accounts.”

Robinson said, “HubSpot triggered our incident response procedures, and since June 22, we have been contacting impacted customers and taking necessary steps to revoke the unauthorized access and protect our customers and their data.”

HubSpot said it believes “the bad actors were able to gain unauthorized access to less than 50 HubSpot accounts” and that as of 4:00 p.m. ET on Friday, June 28, “we have seen no new instances of unauthorized access in the last 24 hours, and we have contacted all impacted customers at this time.” (Lorenzo Franceschi-Bicchierai / TechCrunch)

Global financial services company Prudential Financial revealed that over 2.5 million people had their personal information compromised in a February data breach.

In March, the company said it had notified over 36,000 people whose personal information (including names, driver's license numbers, and non-driver identification card numbers) had been stolen during the breach.

In an update notice filed with the Maine Attorney General, Prudential said the incident impacted 2,556,210 people.

While Prudential has yet to share additional information regarding the threat actors behind the February 2024 data breach, the ALPHV/Blackcat ransomware gang claimed the attack on February 13. (Sergiu Gatlan / Bleeping Computer)

Auto dealer software provider CDK Global said it anticipates that all dealers will be live on its dealer management system (DMS) by late July 3 or early morning on July 4, about two weeks after a ransomware attack by the BlackSuit gang upended operations across car dealerships in the US.

CDK's dealer management system streamlines operations at about 15,000 auto dealerships in the US. However, since June 19, dealers have been forced to return to the traditional pen-and-paper format for conducting operations. (Ananta Agarwal / Reuters)

The LockBit ransomware group claimed a ransomware attack on the University Hospital Centre in Zagreb, Croatia, one week after the medical facility confirmed it had been hit by a cyber incident.

Hospital officials said the June 27th attack had incapacitated its networks, forcing emergency patients to be diverted to other Zagreb hospitals, taking the facility “back 50 years - to paper and pencil.”

KBC Zagreb appeared on LockBit’s dark leak site and was named the ransomware group’s latest victim.

The Russian-affiliated gang claims to have stolen a large cache of files, including “medical records, patient exams and studies; doctors' research papers; surgery, organ and donor data; organ and tissue banks; employee data, addresses phone numbers etc; employee legal documents; data on donations and relationships with private companies; donation book; medication reserve data; personal data breach reports and much more.”

The group uploaded an alleged sample of its stolen wares consisting of 12 documents as its proof of exfiltration. (Stefanie Schappert / Cybernews)

LockBit leak site. Source: Cybernews.

The Supreme Court issued its decision in Moody v. NetChoice and NetChoice v. Paxton, two consequential cases about the future of speech on the Internet, extending First Amendment protections to how social media platforms organize, curate, and moderate their feeds.

The Court ruled that the compilation and curation of “others’ speech into an expressive product of its own” is entitled to First Amendment protection and that “the government cannot get its way just by asserting an interest in better balancing the marketplace of ideas.”

The NetChoice cases concern a pair of similar laws in Florida and Texas that aimed to limit how large social media companies could moderate content on their sites. The legislation took shape after conservative politicians in both states criticized major tech companies for allegedly exerting bias against conservative viewpoints.

Tech industry groups NetChoice and the Computer & Communications Industry Association sued to block both laws. Appeals courts in each state came to different conclusions about whether the statutes could be upheld, setting up the Supreme Court to make the final call. (Lauren Feiner / The Verge)

Best Thing of the Day: Cyber Insurance is Getting Cheaper

Insurance broker Howden reports that despite the rise in ransomware attacks, cyber insurance rates have dropped by double digits.

Worst Thing of the Day: Just Go to the F*cking Bar

An app called 2Night (formerly NightEye) has a network of cameras across San Francisco venues that lets app users see how busy events are in real-time so revelers can decide if the vibe is right for them, raising a host of privacy concerns. (h/t Bruce Schneier)

Closing Thought