It feels like last week, but it's a month already. I'll do my best to make it next week. Anyway, here is the review.
Introduction
Welcome! In this week's review, the stories we'll cover are mostly about bugs and data breaches that affected big names in the tech industry: Samsung, Intel, AMD, and Nvidia. So, sit back, relax, and let's do some reviewing.
Cybercriminals who breached Nvidia issue one of the most unusual demands ever
This story is hilarious. First, they [the hackers] requested that Nvidia push updates that allow them to mine cryptocurrencies on its GPUs. Then they changed their mind: "We do not need that anymore; you have to open source the entire thing." I am thinking they thought, "If you don't do it, we'll do it ourselves." Now you'll ask: what gave them the courage to make such demands? Well, they stole some data from Nvidia.
We have an excerpt below, but you'll want to read the entire story.
"We decided to help mining and gaming community," Lapsus$ members wrote in broken English. "We want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder. If they remove the lhr we will forget about hw folder (it's a big folder). We both know lhr impact mining and gaming."
Samsung confirms hackers stole Galaxy devices source code
Nothing is more damaging to a company than theft of intellectual property. That's what Samsung is currently going through.
Excerpt from the article:
Lapsus$ shared the data they claim to be from Samsung along with a description of the contents. If the summary is accurate, Samsung has suffered a major data breach and details of many of its technologies and algorithms are now public.
DDoS attacks now use new record-breaking amplification vector
DDoS attacks are not new. However, they are getting more sophisticated year after year. This one abuses insecure devices.
Excerpt from the article:
As detailed in a report that Akamai shared with Bleeping Computer before publication, a new attack vector relies on the abuse of insecure devices that serve as DDoS reflectors/amplifiers.
For this new DDoS method, threat actors are abusing a vulnerability tracked as CVE-2022-26143 in a driver used by Mitel devices that incorporate the TP-240 VoIP interface, such as MiVoice Business Express and MiCollab.
“Dirty Pipe” Linux kernel bug lets anyone write to any file
It's a scary thing when operating system users can write to any file. A permission like that can do real harm to the system. That's the summary of the bug in two sentences.
Excerpt from the article:
He called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and a Linux pipe, which is a memory-only data buffer that can be used like a file.
New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices
This is scary. However, a story like this serves as a reminder that No System Is Safe.
Excerpt from the article:
The shortcomings, which have CVSS scores ranging from 7.5 to 8.8, have been uncovered in HP's UEFI firmware. The variety of devices affected includes HP's laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.
Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses
If your business uses the Pascom Cloud Phone System, you need to update ASAP.
Excerpt from the article:
The set of three flaws includes those stemming from an arbitrary path traversal in the web interface, a server-side request forgery (SSRF) due to an outdated third-party dependency (CVE-2019-18394), and a post-authentication command injection using a daemon service ("exd.pl").
In other words, the vulnerabilities can be strung together in a chain-like fashion to access non-exposed endpoints by sending arbitrary GET requests to obtain the administrator password, and then use it to gain remote code execution using the scheduled task.
Intel, AMD, Arm warn of new speculative execution CPU bugs
These bugs remind me of Spectre and Meltdown.
Excerpt from the article:
Researchers at VUSec detail in a technical report today a new method to bypass all existing mitigations by leveraging what they call Branch History Injection (BHI).
The paper underlines that while the hardware mitigations still prevent unprivileged attackers from injecting predictor entries for the kernel, relying on a global history to select the targets creates a previously unknown attack method.
Support Me
I am on a journey to keep you updated about important security stories that affect you and me. I'd appreciate your support.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, I'll see you next Friday (In Shaa' Allah).