Ponto Cyber


Cyber News Excerpts: Dec 28, 2023

Cyber Security Headlines: Barracuda backdoors, undocumented iPhone hardware, NYT sues OpenAI

December 28, 2023

Threat actors install backdoor on Barracuda appliances

Barracuda revealed that China-linked threat actors exploited a zero-day vulnerability in its Email Security Gateway (ESG) appliances, deploying backdoors on a "limited number" of devices. The attacks used a code execution flaw in the open-source Spreadsheet::ParseExcel library, a Perl module the appliances use to parse Excel attachments. Mandiant attributed the activity to UNC4841, the same group it tied to earlier attacks against Barracuda ESG appliances. The company pushed an automatic security update to affected appliances on December 21st, with no further customer action required. The flaw in the Spreadsheet::ParseExcel library itself remains unpatched, so other software that embeds the library may be exposed to further downstream issues over time.

(The Hacker News)

iPhone triangulation exploit used undocumented features

Researchers at Kaspersky reverse engineered the Operation Triangulation spyware attacks targeting iPhones. Kaspersky initially discovered this zero-click campaign in June, but found evidence the attack chain dates back to 2019. The threat actors start the exploit chain with a malicious iMessage attachment. Part of the chain relies on undocumented MMIO registers in Apple silicon, present as far back as the A12 Bionic. Writing to these registers let the attackers write directly to physical memory and bypass Apple's hardware-based kernel memory protection. It is unclear whether Apple used this undocumented feature for debugging or whether engineers left it in by mistake.

(Bleeping Computer)

New York Times starts the publisher LLM lawsuits

The vaunted publisher filed a lawsuit against OpenAI and Microsoft, claiming that ChatGPT and the companies' other large language models were trained on millions of its articles and often generate "verbatim excerpts" of its content. The Times claims "billions of dollars" in damages. The lawsuit also states that it approached both companies to reach "an amicable resolution" before taking legal action. While groups of authors and individual creators have filed lawsuits against LLM providers, this marks the first case brought by a major publisher.


Anti-stalking protocol for AirTags proposed

Since their introduction, small trackers like AirTags have raised concerns about their use against unwitting third parties, essentially stalking. As a mitigation, both iOS and Android now notify a user when an unpaired tracker has stayed in close proximity for a significant amount of time. Now researchers at the University of California, San Diego and Johns Hopkins University have developed a cryptographic scheme that both makes illicitly placed AirTags easier to find and preserves the privacy of legitimate users. It uses "secret sharing" so that a static device identity can be reconstructed only after observing enough of the tracker's rotating broadcasts, combined with "error correction coding" so those secrets can still be reconstructed in a noisy environment, such as one with many other AirTags around. Currently AirTags rotate their broadcast identifiers every 24 hours. The researchers submitted their paper to Apple and a wider industry consortium, though there is no word on plans to implement it.
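As an added illustration of the secret-sharing idea described above (my own example, not the researchers' scheme, their code, or anything from Apple): a tracker holds a static identity, splits it with Shamir's scheme into one share per rotation epoch, and broadcasts the shares. An observer who collects at least the threshold number of shares, such as a stalking victim who carries the tag for hours, recovers the identity; an observer who sees fewer, such as a passer-by, learns nothing. The field size, the share-per-epoch layout and the subset consistency check standing in for the paper's error correction are all assumptions of this example.

```python
"""
Added example: Shamir secret sharing over GF(P) as a stand-in for the
"secret sharing" step of the anti-stalking proposal. Assumptions (mine,
not from the article): the tracker's static identity is a 128-bit value,
each rotation epoch broadcasts one (index, share) pair, any K shares
reconstruct the identity, and share indices are unique within an
observation window. The paper's error correction coding is NOT
implemented; a consistency check across K-subsets is used instead to
reject observations that mix in shares from a second tracker.
"""
import secrets
from itertools import combinations

# 2^127 - 1 is prime, so arithmetic mod P is a field and a 128-bit-ish
# identity fits in a single field element.
P = (1 << 127) - 1


def make_shares(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Tracker side: n points on a random degree-(k-1) polynomial whose
    constant term is the secret. Any k points determine the polynomial."""
    if not 0 <= secret < P or not 1 <= k <= n:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def evaluate(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % P
        return acc

    # x = 0 would leak the secret itself, so epoch indices start at 1.
    return [(i, evaluate(i)) for i in range(1, n + 1)]


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover_identity(observed: list[tuple[int, int]], k: int):
    """Observer side. Returns the static identity if at least k shares were
    seen and every k-subset agrees; None if below threshold (fewer than k
    shares are consistent with every possible identity) or if subsets
    disagree, which means shares from more than one tracker were mixed in.
    Enumerating all subsets is only practical for small n, as used here."""
    if len(observed) < k:
        return None
    candidates = {reconstruct(list(sub)) for sub in combinations(observed, k)}
    if len(candidates) != 1:
        return None
    return candidates.pop()


if __name__ == "__main__":
    # Constructed demo values: 12 epochs, threshold 6.
    identity = secrets.randbelow(P)
    broadcasts = make_shares(identity, k=6, n=12)
    print("after 5 epochs:", recover_identity(broadcasts[:5], 6))
    print("after 12 epochs matches:", recover_identity(broadcasts, 6) == identity)
    stray = make_shares(secrets.randbelow(P), 6, 12)[7]  # another tracker's share
    print("mixed with a stray share:", recover_identity(broadcasts[:7] + [stray], 6))
```

The threshold parameters control the trade-off the researchers describe: a high threshold relative to the rotation period means a brief encounter reveals nothing, while a device that travels with someone long enough becomes identifiable and reportable.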


Japan to regulate third-party app stores

Nikkei Asia's sources say Japanese legislators have begun preparing regulations that would require Google and Apple to allow third-party payments and app stores on their mobile platforms. Under these regulations the Japan Fair Trade Commission could impose fines for violations; Japanese antitrust law allows fines of up to 6% of annual revenue. Exactly which platforms would need to comply is still under debate, but plans call for a threshold high enough not to encumber any Japanese platforms. The legislation is expected to go to parliament in 2024.

(Nikkei Asia)

Ransomware group claims to have Nissan data

Nissan confirmed last week that an unauthorized third party had accessed its systems in Australia and New Zealand. At the time it said it was still determining what information the threat actors accessed. Now the ransomware group Akira has taken credit for the attack, saying it stole roughly 100 gigabytes of data, including employees' personal information and corporate files. The group says it plans to begin leaking the data in the coming days, suggesting Nissan did not pay a ransom.

(Security Week)

GitHub warns of 2FA deadline

The prominent code hosting service sent emails warning users that they must enable two-factor authentication by January 19th or see limited functionality on the site. The warning also appears when logging in. The requirement applies only to GitHub.com accounts, so enterprise managed users and on-premises enterprise deployments are not affected. Accounts that miss the deadline will see no change to their existing personal access tokens, SSH keys or apps, but creating new ones or modifying them will first require enrolling in 2FA. GitHub gave users plenty of notice, having first announced in May 2022 that 2FA would be required by the end of 2023.

(Bleeping Computer)

Police warn of European skimmer infections

Europol and 17 national law enforcement agencies worked together to identify infected e-commerce sites, reporting over 400 with active card skimmer infections. This does not appear to be the work of a single threat actor: law enforcement found a variety of active skimmers stealing account and payment card information from otherwise legitimate sites. Europol warned that consumers might not see the impact of a skimmer attack right away, as the stolen data is generally sold on to other threat actors before it is used. Group-IB assisted Europol in the investigation and said it has identified 132 skimmer families to date.

(Security Week)