Apache OFBiz Zero Day, Another Azure Outage, Android Kernel Zero Day, CrowdStrike & Delta Faceoff

From the CyberHub bunker in studio, you're tuning in to the CyberHub Podcast, and now for your host and CISO, James [Music] Azar.

Good morning from hacker summer camp and welcome to another episode of the CyberHub Podcast. A packed, packed show today, including multiple zero days, so just because you're in Vegas doesn't mean those stop, and also escalation between CrowdStrike and Delta. The finger pointing has begun, and how good or bad is that for the industry? We're about to find out on today's episode, and a whole lot more. So without further ado, thank you for tuning in, let's go ahead and get the show started. I don't have my traditional espresso, it's very early here in Vegas, so with that being said let's go ahead and move on. Coffee cup cheers for everyone drinking a cup of coffee.

Let's start off with this latest Apache zero day that's in the Apache OFBiz open source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances: CVE-2024-38856. The flaw has a CVSS score of 9.8 out of a maximum of 10, and it affects all versions of Apache OFBiz prior to 18.12.15. The root cause of the vulnerability lies in a flaw in the authentication mechanism. SonicWall, which discovered and reported the shortcoming, said in a statement the flaw would allow an unauthenticated user to access functionalities that generally required a user to be logged in, paving the way for remote code execution. However, this CVE is also a patch bypass for CVE-2024-36104, which is a path traversal vulnerability that was addressed in early June with that release as well. So all in all, you've got multiple different vulnerabilities here that impact the Apache OFBiz open-source ERP system. You want to get that patched ASAP.

Microsoft Azure with yet another day with an outage. This outage, lasting more than two hours, took down multiple services for customers across North and Latin America, primarily impacting Azure Front Door and its modern cloud content delivery network. The incident started around 6:22 UTC. The issue is impacting multiple geographies, mostly in North America and Latin America. It first acknowledged the outage on the Azure status page, saying it was caused by what it described as a configuration change. Here we go. They've rolled back the change about an hour after they started it. The majority of services are seeing recovery; many Microsoft services have failed away from AFD in response to this issue. And if you're asking me, "James, what is going on?" Very, very easy to understand. Here's the thing about cloud. Had this discussion Monday night, right, like as I got here, went out to dinner, had a bunch of meetings, kind of talking about cloud hardware. You know, people kind of diss hardware, but I love hardware. I think physical hardware is something to enjoy and love and build and see and hold in your hand and feel. But at the end of the day, when you're on a cloud infrastructure and you put all of your eggs in the Azure basket, or whatever other basket you want, whatever other provider, you're setting yourself up for these types of failures that could impact, and again, this impacted Azure DevOps, it impacted Front Door, it impacted CDN. Downdetector had also received thousands of reports from users. And if you think about it, if you're the CTO, you're the VP of infrastructure, you're the VP of enterprise architecture, and you're looking at Azure, and Azure's kind of been your go-to, are you not discussing hybrid cloud, especially in August? Like, this is the time where you're planning for 2025, 2026. You're looking at your budgets, you're looking at your goals, you're trying to align the business, you're looking at risks, you're looking at performance thus far. If you're an Azure shop, can you wholeheartedly right now tell me, look me in the eyes and tell me, "We're an Azure shop through and through, these are just coincidences"? Or are you considering that change? Are you considering a hybrid environment? Are you considering a multi-cloud environment? Does that start to ring a bell in your ears for events like this that are becoming all too common for cloud providers? And this is one of those, right? Inherently, we need to rethink the way we look at cloud infrastructure. So there's that.

An Android security update this month patches 46 different vulnerabilities, including a high severity remote code execution exploited in targeted attacks. This specific zero day is CVE-2024-36971. It's a use-after-free weakness in the Linux kernel's network route management. It requires system execution privileges for successful exploitation and allows altering the behavior of certain network connections. Google says there are indications that it may be under limited, targeted exploitation. Predominantly, when they say that, just so you know, if you read between the lines, it means nation states are using it, or potentially spyware companies are using it, in order to develop this, in order to get access to the Android devices. That's what that means whenever they say "under limited, targeted exploitation": it's spyware, they just don't want to say it's spyware. Just put that in the Urban Dictionary, wherever it is, it's there. Google's TAG team was tagged with discovering and reporting the vulnerability, even though Google has yet to give details about the flaw, primarily because they're probably either still exploring it or they're working with the spyware, potentially there's an investigation piece to it, which is why they're not releasing everything, which keeps us practitioners in the shadow. And again, part of weighing the balance between information and transparency, to investigation and responsibility. This is one of those situations where, as a practitioner, if you've built a product ever, if you ran a security team with different products, this is a decision you constantly have to weigh, and it's never, never easy.

If you haven't subscribed to our Substack, James Azar's Substack, check that out.

Let's go ahead and move on to CrowdStrike vowing to respond aggressively to the litigation from Delta Airlines. Delta is claiming to have lost $500 million due to the outage from CrowdStrike. In a letter published on Sunday, CrowdStrike lawyer Michael Carlinsky said that the company is highly disappointed by Delta's suggestion that CrowdStrike acted inappropriately. It strongly rejects any allegations that it was grossly negligent or committed willful misconduct. By the way, that's the part of the contract that Delta's got to prove CrowdStrike did. They're going to bring this lawsuit in hopes that discovery would prove gross negligence or willful misconduct. That's the point here. Delta's trying to prove this through discovery. They don't have evidence, they don't have a smoking gun. They have rumors, they've got maybe employees telling them X, Y or Z, they've got some testimony, they may have some contracts, but the contract language that Delta is going to take action against CrowdStrike on is gross negligence and willful misconduct. Delta CEO Ed Bastian told CNBC last week that the company will end up losing more than $500 million after cancelling more than 5,000 flights. Delta had to issue millions of dollars worth of food and hotel vouchers; more than 40,000 servers had to be manually restarted, according to Bastian, who added Delta had no choice but to file a lawsuit, because they had to protect their shareholders, customers and employees due to the damage, not just the cost of it, but to the brand, and the reputational damage. That's the other path, the reputational damage, and this is where this lawsuit gets very, very interesting, because in the court of public opinion, Delta customers were mad at Delta, not CrowdStrike. They don't know who CrowdStrike is, they don't care who CrowdStrike is. They know they bought an airline ticket with Delta, that flight never took place because of the CrowdStrike outage, and so they're mad at Delta. And some customers may not return to Delta because of that. Some customers may be getting compensated in thousands and thousands of dollars, and so now you have something that's significant in this scenario. And by the way, this is legal precedent here. Once this lawsuit goes through, if they don't settle, if this goes to deposition, discovery, testimony and a potential trial, this could be law of the land, and this could change irrespectively our entire industry as we know it. So keep that in mind.

A cyber attack discovered in May by manufacturer Key Tronic has cost the company more than $17 million, according to a regulatory filing on Friday. On May 6, the printed circuit board assembly fabricator first detected unusual activity on its servers. They shut down operations in Mexico and the US for two weeks during remediation efforts. The Black Basta ransomware gang claimed the attack on its website and leaked whatever information was sensitive to Key Tronic. On Friday, Key Tronic reported to the SEC that it had incurred $2.3 million of expenses connected to the cyber attack and believed that it lost approximately $15 million of revenue during the fourth quarter. The Spokane, Washington based company says the orders are recoverable and can be fulfilled by next year. However, this sets them back. Their fourth quarter revenue is expected to be $125 million, which is below previous estimates. Last year it had revenue of more than $596 million. So there's that.

AWS is using a massive neural network graph model with three and a half billion nodes and 48 billion edges to speed up the detection of malicious domains crawling around its infrastructure. The homebrewed system, code named Mithra after a mythological rising sun, uses algorithms for threat intel and provides AWS with a reputational scoring system designed to identify malicious domains floating around its sprawling infrastructure. They're absorbing a significant number of DNS requests per day, up to 200 trillion in a single AWS region alone, and Mithra detects an average of 182,000 new malicious domains daily, according to the company. They're assigning a reputation score that ranks every domain name queried within AWS on a daily basis. It's very, very interesting. We'll see how this does in terms of curbing cyber fraud on AWS and moving it to other platforms, so there's that risk there.

South Korea's National Cyber Security Center is warning that the Democratic People's Republic of Korea, that's North Korea, those are the bad guys, is hijacking flaws in a VPN software update to deploy malware and breach networks. The advisory connects this activity with a nationwide industrial factory modernization project Kim Jong-un, the North Korean dictator, announced in January of 2023, believing the attackers are looking to steal trade secrets from their South Korean neighbors. The two threat groups implicated in this are Kimsuky (APT43) and Andariel (APT45), both linked to the Lazarus group. Trojanized updates and installs: this is the first case in the advisory, dated January 2024, where Kimsuky compromised the website of a South Korean construction trade organization to disseminate malware to visitors. And now this is happening on domestic VPN software communication protocols, and that's how they're pushing out fake software updates to install DoraRAT. They're saying the vulnerability allowed the threat actors to spoof packets to use their SPC, which misidentified them as legitimate server updates, allowing the malicious versions to be observed. So there's that from the South Koreans.

And in Russia, an unknown and likely state sponsored threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. The activity has been ongoing for at least three years, according to researchers. The campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky tracking the threat as LianSpy, but the tactics the spy operators used in deploying the malware could be easily applied to other regions as well. LianSpy is a post-exploitation Trojan, meaning the attacker either exploited vulnerabilities to root Android devices or modified the firmware by gaining physical access to victim devices. It's likely the first, not the latter, according to Dmitry Kalinin in a blog post. It remains unclear which was exploited in the former scenario. This is the latest in a fast growing list of spyware tools. The list includes widely known tools like NSO's Pegasus and Intellexa alliance's Predator. All in all, spyware is there in a three-year campaign against specific targets within Russia. They're looking at data harvesting and exfiltration, and you can pin that anywhere in the world, and you'll likely find a reason why someone would be doing that.

That's it for our show this morning. Thank you all for tuning in. Please make sure to like, comment, subscribe, share, let us know your feedback on these stories. Again, you can go to our website, cyberhubpodcast.com. You can also go to our Substack, James Azar's Substack, as well. Till then, have a great rest of your day, enjoy hacker summer camp. We'll be back tomorrow 9:00 am Eastern live, or 6:00 am Pacific if you're one of those weird people that wakes up that early after a long night at Black Hat. Till then, thank you all for being here, have a great rest of your day and stay cyber safe. We love feedback, so make sure to connect with us on social media and subscribe to our podcast on your favorite podcast listening platform.
