TLDR Information Security 2024-04-17

PuTTY flaw leaks private keys 😱, OpenJS discovers takeover attempt 🛑, FTC Fines Cerebral 🧠

🔓 Attacks & Vulnerabilities

Ivanti warns of critical flaws in its Avalanche MDM solution (2 minute read)

Ivanti fixed 27 vulnerabilities in its Avalanche MDM solution, including critical flaws that allowed remote attackers to execute commands. These security updates are crucial for protecting over 100,000 mobile devices from potential attacks. It is recommended that customers update to the latest Avalanche 6.4.3 version to stay secure.

OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt (2 minute read)

Security researchers discovered a takeover attempt targeting the OpenJS Foundation that resembles the recent incident with the XZ Utils project. Suspicious emails urged OpenJS to update a JavaScript project and to designate new maintainers who lacked meaningful involvement in the project. Maintainers of open-source projects should be cautious of social engineering attacks that target their sense of duty and community.

PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys (3 minute read)

A vulnerability in PuTTY 0.68 through 0.80 could allow an attacker who obtains 60 cryptographic signatures from a user to compute the user's private key offline. These signatures could come from an attacker-controlled SSH server or from signed git commits. The vulnerability arises from the way PuTTY generates ECDSA nonces, a method that does not rely on a robust cryptographic random number generator on specific Windows versions.
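The PuTTY item above turns on a single property: every ECDSA signature needs a nonce k that is uniform over the full range 1 to q-1, and even a slight bias, observed across a few dozen signatures, is enough for the private key to be solved for offline. The usual way to remove any dependence on a platform random number generator is to derive k deterministically from the private key and the message hash as specified in RFC 6979. The Python below is an added example of that derivation for P-256 with SHA-256; it is not PuTTY's code and does not reproduce PuTTY's actual construction, and the key and message in the self-check come from the RFC's own appendix A.2.5 test vector.

```python
import hashlib
import hmac

# NIST P-256 group order, called q in RFC 6979; qlen is 256 bits.
P256_ORDER = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def _int2octets(x, qlen):
    """RFC 6979 2.3.3: encode an integer as a fixed-width big-endian string of ceil(qlen/8) bytes."""
    return x.to_bytes((qlen + 7) // 8, "big")


def _bits2int(b, qlen):
    """RFC 6979 2.3.2: keep the leftmost qlen bits of a bit string as an integer."""
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - qlen
    return v >> excess if excess > 0 else v


def _bits2octets(b, q, qlen):
    """RFC 6979 2.3.4: reduce bits2int(b) modulo q and re-encode it."""
    return _int2octets(_bits2int(b, qlen) % q, qlen)


def rfc6979_nonce(priv, msg, q=P256_ORDER, hash_fn=hashlib.sha256):
    """Derive the ECDSA nonce k for signing `msg` with private key `priv` (RFC 6979 3.2).

    The nonce is a deterministic function of the key and the message hash, so no
    platform RNG is involved and the same message never yields two different nonces
    under one key; rejection sampling keeps k inside [1, q-1] without biasing it."""
    qlen = q.bit_length()
    h1 = hash_fn(msg).digest()
    hlen = len(h1)
    seed = _int2octets(priv, qlen) + _bits2octets(h1, q, qlen)
    V = b"\x01" * hlen                                     # step b
    K = b"\x00" * hlen                                     # step c
    K = hmac.new(K, V + b"\x00" + seed, hash_fn).digest()  # step d
    V = hmac.new(K, V, hash_fn).digest()                   # step e
    K = hmac.new(K, V + b"\x01" + seed, hash_fn).digest()  # step f
    V = hmac.new(K, V, hash_fn).digest()                   # step g
    while True:                                            # step h
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hash_fn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # candidate out of range: ratchet the HMAC-DRBG state and draw again
        K = hmac.new(K, V + b"\x00", hash_fn).digest()
        V = hmac.new(K, V, hash_fn).digest()


if __name__ == "__main__":
    # Private key and messages from RFC 6979 appendix A.2.5 (P-256 with SHA-256); the
    # expected nonce for b"sample" is listed there, so this doubles as a self-check.
    x = int("C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721", 16)
    for m in (b"sample", b"sample", b"test"):
        print(m, hex(rfc6979_nonce(x, m)))
```

Running it prints the same nonce twice for "sample" and a different one for "test", which is the behaviour a deterministic signer must show. When reviewing any ECDSA signer, the two properties to verify are exactly these: no nonce reuse across messages under one key, and no fixed or predictable bits anywhere in k, since the offline attack the item describes only needs a small, consistent bias across a few dozen signatures.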

🧠 Strategies & Tactics

“All Your Secrets Are Belong To Us” - A Delinea Secret Server AuthN/AuthZ Bypass (7 minute read)

Delinea Secret Server is a PAM (privileged access management) solution that helps organizations secure, manage, and monitor privileged accounts. This post walks through the process of hunting for an AuthN/AuthZ bypass, decompiling the relevant code sections, and crafting the exploit. It includes detailed reproduction steps and a proof of concept for obtaining admin access.

Deploying Tailscale For a Remote Only Company (8 minute read)

This post describes the reasoning and process followed to deploy Tailscale for a fully remote company. It goes over the motivation for the deployment, its advantages, and some tips and potential pitfalls in this setup. The post concludes with features that have been introduced since the original deployment and that would be helpful for future deployments.

Unraveling SIEM Correlation Techniques (5 minute read)

This post provides an overview of SIEM correlation techniques. It begins by defining correlation, introducing the MITRE ATT&CK framework, and presenting an example of a simple correlation rule. It then works through an example of detecting a brute-force attack on Okta logins by combining multiple TTPs and log sources.
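As an added illustration of the kind of rule the post describes (this is example code written for this page, not the post's own rule), the Python below correlates two signals from Okta-style login events: a burst of failed logins from one source IP inside a sliding window, followed by a successful login from that same IP, with a second check on whether the user has ever logged in from that IP before. The event shape is a constructed, simplified version of an Okta System Log record, the IP addresses are documentation-range placeholders, and the ATT&CK IDs are Brute Force (T1110) and Valid Accounts (T1078).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in a simplified Okta System Log shape (not real data):
# 203.0.113.7 fails six times against alice and then succeeds (should alert);
# 198.51.100.9 fails twice against bob and then succeeds (ordinary typos, no alert).
def _event(ts, result, user, ip):
    return json.dumps({
        "published": ts,
        "eventType": "user.session.start",
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
    })

SAMPLE_LOG = "\n".join(
    [_event("2024-04-17T09:00:%02dZ" % (5 * i), "FAILURE", "alice@example.com", "203.0.113.7")
     for i in range(6)]
    + [_event("2024-04-17T09:00:40Z", "SUCCESS", "alice@example.com", "203.0.113.7"),
       _event("2024-04-17T09:01:00Z", "FAILURE", "bob@example.com", "198.51.100.9"),
       _event("2024-04-17T09:01:10Z", "FAILURE", "bob@example.com", "198.51.100.9"),
       _event("2024-04-17T09:01:20Z", "SUCCESS", "bob@example.com", "198.51.100.9")]
)


def parse_events(log_text):
    """Normalise one JSON event per line into the few fields the rule needs, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "time": datetime.strptime(raw["published"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "type": raw["eventType"],
            "result": raw["outcome"]["result"],
            "user": raw["actor"]["alternateId"],
            "ip": raw["client"]["ipAddress"],
        })
    return sorted(events, key=lambda e: e["time"])


def correlate_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP accumulates `threshold` failed logins inside `window`
    and then produces a successful login (ATT&CK T1110 Brute Force followed by
    T1078 Valid Accounts). A sliding window per IP keeps memory bounded."""
    recent_failures = defaultdict(deque)   # ip -> deque of (time, targeted user)
    known_ips = defaultdict(set)           # user -> IPs seen in earlier successful logins
    alerts = []
    for e in events:
        if e["type"] != "user.session.start":
            continue
        q = recent_failures[e["ip"]]
        while q and e["time"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if e["result"] == "FAILURE":
            q.append((e["time"], e["user"]))
        elif e["result"] == "SUCCESS":
            if len(q) >= threshold:
                alerts.append({
                    "rule": "Okta brute force followed by successful login",
                    "techniques": ["T1110", "T1078"],
                    "time": e["time"].isoformat(),
                    "source_ip": e["ip"],
                    "user": e["user"],
                    "failed_attempts": len(q),
                    "targeted_users": sorted({u for _, u in q}),
                    # second signal: the user has never logged in from this IP before
                    "new_ip_for_user": e["ip"] not in known_ips[e["user"]],
                })
                q.clear()   # one alert per burst
            known_ips[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in correlate_brute_force(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The rule keys on the source IP rather than the user so that password spraying across many accounts still accumulates in one window (`targeted_users` shows the spread). In a real SIEM the same join on source IP is how a second log source, such as VPN or proxy logs, would be folded in; the `threshold` and `window` values are the tuning knobs that trade false positives against detection delay.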
πŸ§‘β€πŸ’»
Launches & Tools

Awesome-Secure-Defaults (GitHub Repo)

A repository of libraries in different languages that provide secure-by-default functions to eliminate bug classes.

cloud-key-rotator (GitHub Repo)

Cloud-Key-Rotator is a program written in Go that helps manage cloud service account key rotation. It supports many different services, and it also verifies its actions as far as possible and aborts immediately if it encounters an error.

CVENotifier (GitHub Repo)

CVENotifier is a customizable, keyword-based notifier for CVEs. The tool scrapes the CVE feed from vuldb.com, filters it by keywords, and sends Slack notifications about the latest CVEs only for the technologies or products you have listed as keywords.

🎁 Miscellaneous

A quick post on Chen's algorithm (3 minute read)

Cryptographer and Professor Matthew Green addresses the new e-print authored by Yilei Chen, “Quantum Algorithms for Lattice Problems,” which could potentially threaten current lattice-based encryption schemes. Despite the significance of this discovery, it may not immediately affect widely used schemes like Kyber or Dilithium. The cryptography community is closely monitoring this development for potential implications for future encryption security.

FTC Fines Mental Health Startup Cerebral $7 Million for Major Privacy Violations (3 minute read)

The FTC fined Cerebral $7 million for sharing users' sensitive health data with third parties without consent. Cerebral misled consumers about its privacy practices and failed to protect their information. The company must now improve its privacy policies and delete unnecessary consumer data.

AWS Took 6 Months to Fix STS Bug - IAM Policy Inadequate (3 minute read)

Stedi discovered a vulnerability in AWS STS that arose from its usage of IAM role trust policies that relied upon resource tags and request tags. AWS first denied the issue, then found that the scope of the problem was larger than initially believed, but still took 6 months to deploy a fix. A major issue is that the AWS IAM Policy Simulator lacks many IAM features, which makes it difficult and time consuming to properly test IAM policies.

⚡️ Quick Links

NSA Publishes Guidance for Strengthening AI System Security (2 minute read)

The NSA has released guidance, aimed at national security and defense companies that deploy AI systems, on securing those systems against malicious activity.

Chirp Systems Vulnerability (3 minute read)

Chirp Systems' smart locks have a security flaw that allows remote access to 50,000 homes; the company has not fixed it despite being notified in 2021.

DDoS threat report for 2024 Q1 (11 minute read)

Cloudflare's DDoS Threat Report for 2024 Q1 contains interesting tidbits, such as Sweden experiencing a 466% surge in DDoS attacks following its acceptance into the NATO alliance.
Curated news 📰, research 🧑‍🔬, and tools 🔒 for information security professionals