31.01.2024

New Terrapin vulnerability may allow attackers to reduce the security level of the SSH protocol
Security researchers from the Ruhr-University of Bochum have discovered a vulnerability in the Secure Shell (SSH) cryptographic network protocol that could allow an attacker to reduce the security of a connection by compromising the integrity of a secure channel.

The Terrapin exploit (CVE-2023-48795, CVSS score: 5.9) has been described as "the first-ever practically exploitable prefix truncation attack."

"Truncation may lead to the use of less secure client authentication algorithms and the deactivation of specific countermeasures against keystroke synchronization attacks in OpenSSH 9.5." Another critical prerequisite for the attack is using a vulnerable encryption mode, such as ChaCha20-Poly1305 or CBC with Encrypt-then-MAC, to secure the connection. The vulnerability affects many implementations of SSH clients and servers, such as OpenSSH, Paramiko, PuTTY, KiTTY, WinSCP, libssh, libssh2, AsyncSSH, FileZilla, and Dropbear, prompting developers to release patches to mitigate potential risks.

"Because SSH servers and OpenSSH, in particular, are so widely used in cloud-based enterprise application environments, companies must make sure they take the proper steps to patch their servers," said Yair Mizrahi, a senior security researcher at JFrog.

Source: https://thehackernews.com/2024/01/new-terrapin-flaw-could-let-attackers.html

NIST Develops Document to Protect AI from Cyber Threats
The National Institute of Standards and Technology (NIST) has presented a critical document to combat cyber threats against artificial intelligence systems, including chatbots and self-driving cars, entitled "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations." It defines a standardized approach to assessing and protecting against cyberattacks.

The document is aligned with academia and industry and proposes a taxonomy for attacks on "predictive AI" and "generative AI" systems. It also points out the importance of drawing attention to new security breaches in machine learning.

The document emphasizes the need to develop effective protection strategies while recognizing that existing methods are ambiguous. The paper highlights the significance of the problems of protecting AI algorithms and calls for developing better ways to protect them. The paper was released against US President Biden's executive order on the safe use of artificial intelligence and fits into the AI Risk Management Framework.

Source: https://www.infosecurity-magazine.com/news/nist-chatbots-self-driving-cars/

Windows Hello fingerprint authentication has been bypassed
Security researchers have tested the fingerprint sensors used in Windows Hello on laptops from three of the most popular manufacturers and found a way to bypass authentication on each device. The study was conducted by Blackwing Intelligence, a security research and development company, and Microsoft's Offensive Research and Security Engineering (MORSE) division.

The objects of the study were Dell Inspiron 15 with Goodix fingerprint sensor, Lenovo ThinkPad T14s with Synaptics sensor, and Microsoft Surface Pro X with ELAN sensor. The built-in fingerprint sensors and the host were subject to software and hardware attacks. All the tested sensors are Match-on-Chip, which means that the chip has a microprocessor and memory, and the fingerprint data never leaves the sensor. To bypass authentication, you need to attack the chip itself.

The attack requires physical access to the target device, the attacker will have to steal the device or use the Evil Maid Attack method. The attacks demonstrated by the researchers were carried out by connecting a hacker device to each laptop, via USB, or by connecting the fingerprint sensor to a specially manufactured rig.

Source: https://www.securityweek.com/windows-hello-fingerprint-authentication-bypassed-on-popular-laptops/

Russian Hacker Group Hacked into Microsoft's Corporate Network and Stole Emails from Top Executives
The Russian hacker group Midnight Blizzard/Nobelium has infiltrated Microsoft's network, compromising an inactive production test account using a Password-spraying attack. They gained access to correspondence belonging to senior management.

The attack was detected on January 12, 2024, and the infection began in November 2023. The company noted that the hackers initially attacked their emails to obtain information about the company's awareness of the APT group's operation.

Microsoft has confirmed that the attack was not a result of a vulnerability in their products, and there is no evidence that the threat affected customer environments, production systems, source code, or artificial intelligence systems. The company promised to notify customers if any action is required.

Source: https://www.securityweek.com/microsoft-says-russian-gov-hackers-stole-email-data-from-senior-execs/

Zero-Day Alert: Update Chrome Now to Fix a New Active Directory Vulnerability
Google has released an update to fix four security issues in the Chrome browser, including a zero-day vulnerability being exploited.

The issue, being tracked as CVE-2024-0519, concerns memory accesses outside of the allowed range in the V8 JavaScript and WebAssembly engines, which attackers can exploit to cause a crash.

"Out-of-bounds memory access in V8 in Google Chrome before version 120.0.6099.224 allowed a remote attacker to exploit heap corruption via a crafted HTML page potentially," the vulnerability description in the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) reads.

This development is the first actively exploited Zero-Day vulnerability to be patched by Google in Chrome in 2024. Last year, the tech giant fixed eight such actively exploited vulnerabilities in the browser.

Source: https://thehackernews.com/2024/01/zero-day-alert-update-chrome-now-to-fix.html