Hello everyone, I hope that you're all doing well!
Introduction
This week's review is about everything you could think of in a security review. We have news about a software flaw, software abuse, technical glitch causing a "payday" in Ireland, an exploit for iOS 16, and the US Department of Defense urging hackers to hack Artificial Intelligence. Let's get to it!
New Python URL Parsing Flaw Could Enable Command Execution Attacks
The flaw has been fixed in recent Python releases, so check the article for the patched versions; if yours is not among them, update fast. Either way, it's worth understanding. What makes it interesting is that the flaw comes down to a lack of input validation. Here is an excerpt for you:
The flaw has been assigned the identifier CVE-2023-24329 and carries a CVSS score of 7.5. CVE-2023-24329 arises as a result of a lack of input validation, thereby leading to a scenario where it's possible to get around blocklisting methods by supplying a URL that starts with blank characters.
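To make the excerpt concrete, here is an added example (not code from the article or from the Python project) showing the two sides of the problem: a blocklist check that trusts urlparse's output directly, and a hardened check that normalises the input first and refuses anything without an explicit http/https scheme and hostname. The blocked hostnames are constructed for the example and the exact parsing of a leading-blank URL depends on whether your interpreter carries the fix, which is why the hardened version does its own stripping rather than relying on urlparse.

```python
from urllib.parse import urlparse

# Constructed blocklist for this example; these hosts are hypothetical.
BLOCKED_HOSTS = {"blocked.example", "internal.example"}

# Leading characters to strip before parsing: ASCII whitespace plus the C0
# control range. Doing this ourselves makes the check independent of whether
# the interpreter's urlparse already strips them (the fix for CVE-2023-24329).
LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def naive_is_blocked(url: str) -> bool:
    """The fragile pattern the advisory describes: trust urlparse's netloc.

    On an unpatched interpreter a URL that starts with blank characters
    parses with an empty scheme and netloc, so it never matches the list.
    """
    return urlparse(url).netloc.lower() in BLOCKED_HOSTS


def is_allowed(url: str) -> bool:
    """Hardened check: normalise, allowlist the scheme, require a hostname.

    Returns True only for http(s) URLs whose hostname is not blocklisted.
    Anything that fails to yield a scheme and hostname is rejected rather
    than treated as harmless, which is what closes the bypass.
    """
    cleaned = url.strip(LEADING_JUNK)
    parsed = urlparse(cleaned)
    if parsed.scheme.lower() not in {"http", "https"}:
        return False
    host = parsed.hostname  # already lower-cased, user-info stripped
    if not host:
        return False
    return host not in BLOCKED_HOSTS


if __name__ == "__main__":
    samples = [
        "https://safe.example/path",
        "https://blocked.example/",
        " https://blocked.example/",      # leading blank: the bypass shape
        "\x00https://blocked.example/",   # leading control character
        "blocked.example/no-scheme",
        "ftp://safe.example/",
    ]
    for s in samples:
        print(repr(s), "->", "allow" if is_allowed(s) else "deny")
```

The usage block prints deny for every variant of the blocked host, including the leading-blank and leading-control-character forms, and deny for inputs that carry no usable scheme; only the plain https URL to an unlisted host is allowed.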
Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn
This is one of the abuses I mentioned in the introduction, and the article title says it all. The attackers are also leveraging security mechanisms to keep online scanners from reaching the phishing page. Quick read:
The phishing campaigns identified by Netskope not only abuse Cloudflare R2 to distribute static phishing pages, but also leverage the company's Turnstile offering, a CAPTCHA replacement, to place such pages behind anti-bot barriers to evade detection.
Tech glitch let people with empty bank accounts withdraw hundreds in cash
It happened in Ireland and it's a fun read. Here is an excerpt to get you started:
According to the Independent, the glitch resulted in "huge queues at ATMs in Dublin, Limerick, Dundalk and other parts of the country." Northern Ireland customers could have tried to pull money they didn't have from ATMs
Windows feature that resets system clocks based on random data is wreaking havoc
I don't mean to scare you, but it's a long read. Among the "havoc" were calls failing to reach their destination. An excerpt on what caused it:
The culprit was a little-known feature in Windows known as Secure Time Seeding. Microsoft introduced the time-keeping feature in 2016 as a way to ensure that system clocks were accurate. Windows systems with clocks set to the wrong time can cause disastrous errors when they can’t properly parse timestamps in digital certificates...
Thousands of Systems Turned Into Proxy Exit Nodes via Malware
When you read that title, I'd guess you'll echo "Not good". Well, it's not. Here is why:
“The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains,” AT&T Alien Labs notes.
New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode
It's as crafty as you can imagine: make the user feel at ease while doing what you want on the device. Here is how they are doing it:
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application
DEF CON 31: US DoD urges hackers to go and hack ‘AI’
Go! Go!! Go!!! It's a truly serious matter given the popularity of Large Language Models (LLMs). Moreover, it's very rare for a government official to urge hackers to do so:
Dr. Martell then challenged the audience to ‘go hack the hell out of those things, tell us how they break, tell us the dangers, I really need to know’
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.