Steve Thomas - IT Consultant

The Common UNIX Printing System, or CUPS, can be abused to run malicious code on vulnerable endpoints remotely, experts have warned.

CUPS is an open-source printing system developed by Apple for Unix-like operating systems, including Linux and macOS. It provides a standardized way to manage print jobs and queues, supporting both local and network printers. CUPS uses the Internet Printing Protocol (IPP) as its primary protocol, allowing seamless printer discovery and job submission across networks. It also includes a web-based interface for managing printers, print jobs, and configurations.

Cybersecurity researcher Simone Margaritelli of Evil Socket discovered a problem in the system’s printer discovery mechanism. As the researcher explains, CUPS has four vulnerabilities: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, and CVE-2024-47177. Chained together, these vulnerabilities allow threat actors to create a fake, malicious printer and have CUPS discover it.

Roadblocks to exploitation

The moment a user tries to print something using this new device, a malicious command gets executed locally on their device.

While it sounds like a major vulnerability, Red Hat deemed it ‘important’ rather than ‘critical’, mostly because there are many hoops to jump through before the flaw can be exploited for remote code execution (RCE).

The first, and biggest, is that the cups-browsed daemon, which looks for shared printers on the local network and enables them for printing, needs to be running. The researcher said it is enabled by default on some systems and disabled on others.

The second major hoop is making the victim pick the new printer that suddenly appeared out of nowhere, instead of their usual machine.

Red Hat is currently working on a fix, so a patch is not yet available. However, the easy fix is to stop the cups-browsed service from running, and to prevent it from being started on reboot.
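As an added example (not from the article, Red Hat or the CUPS project), a POSIX shell script that applies the workaround just described: it checks whether cups-browsed is listening on UDP/631 (assumed here to be the port the daemon uses for printer announcements) and, only when run with --apply, stops and masks the service so it does not return on reboot. It assumes a systemd-based Linux host with iproute2's ss available.

```shell
#!/bin/sh
# Added example, not from the article: check whether the cups-browsed daemon is
# exposed on its discovery port and, if so, stop it and keep it from starting
# on reboot. Assumes a systemd-based Linux host with iproute2's `ss` available.

CUPS_BROWSED_UDP_PORT=631   # assumption: cups-browsed listens here for announcements

# udp_listener_present PORT LISTING
# Returns 0 when LISTING (text in `ss -lun` format) shows a UDP socket bound
# to PORT on any local address, 1 otherwise. Taking the listing as an argument
# lets the same logic run against saved output without root privileges.
udp_listener_present() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        # column 1 is the socket state, column 4 is Local Address:Port
        $1 == "UNCONN" && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Queries the live host. Non-root users still see sockets, just not owners.
cups_browsed_exposed() {
    udp_listener_present "$CUPS_BROWSED_UDP_PORT" "$(ss -lun 2>/dev/null)"
}

# Stops cups-browsed now and prevents it from being started again on reboot.
# `mask` additionally blocks other units from pulling it in. Needs root.
disable_cups_browsed() {
    systemctl stop cups-browsed.service &&
    systemctl disable cups-browsed.service &&
    systemctl mask cups-browsed.service
}

# Constructed sample listing in `ss -lun` layout (not captured from a real host),
# used below to show the check without touching the system.
SAMPLE_LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:631       0.0.0.0:*
UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*'

if udp_listener_present "$CUPS_BROWSED_UDP_PORT" "$SAMPLE_LISTING"; then
    echo "sample listing: UDP/$CUPS_BROWSED_UDP_PORT is exposed"
fi

# Only touch the real host when explicitly asked: ./cups_browsed_check.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if cups_browsed_exposed; then
        echo "cups-browsed is listening on UDP/$CUPS_BROWSED_UDP_PORT; disabling it"
        disable_cups_browsed
    else
        echo "no UDP/$CUPS_BROWSED_UDP_PORT listener found; nothing to do"
    fi
fi
```

Run without arguments it only evaluates the constructed sample; with --apply as root it inspects the host and disables the service if the port is bound.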

Via BleepingComputer

NVIDIA Container Toolkit and GPU Operator were carrying a critical vulnerability that allowed threat actors access to the underlying host’s file system, experts have warned.

Cybersecurity researchers at Wiz discovered the flaw, tracked as CVE-2024-0132 and carrying a vulnerability score of 9.0/10 (critical), and reported it to Nvidia on September 1, 2024.

It is described as a Time-of-Check Time-of-Use (TOCTOU) vulnerability. To abuse it, the tools need to be running in their default configuration; a threat actor could then craft a special container image that grants them access to the host file system.

Different environments at risk

"A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” the company said in a security advisory.

The bug affected all NVIDIA Container Toolkit versions before v1.16.2 and all NVIDIA GPU Operator versions before 24.6.2, which were the first releases to address the flaw. It is also worth mentioning that the vulnerability cannot be exploited when the Container Device Interface (CDI) is used.

“The urgency with which you should fix the vulnerability depends on the architecture of your environment and the level of trust you place in running images,” the researchers said in their technical write-up. “Any environment that allows the use of third party container images or AI models – either internally or as-a-service – is at higher risk given that this vulnerability can be exploited via a malicious image.”

They stressed that single-tenant compute environments could be at risk if a user downloads a malicious container image from an untrusted source, giving the crooks access to the workstation. In orchestrated environments such as Kubernetes (K8s), an attacker with permission to deploy a container could access data and secrets of other applications running on the same node or cluster.

Via The Hacker News

HPE has revealed Aruba Access Points (APs), the company’s high-performance Wi-Fi devices, could have been vulnerable to a threat granting threat actors the ability to execute malicious code remotely.

The company confirmed the news in a security advisory, noting the APs carried three critical vulnerabilities in the Command Line Interface (CLI) service: CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507. By sending specially crafted packets to UDP port 8211 of the AP management protocol, PAPI, the crooks could elevate their privileges and thus gain the ability to execute arbitrary code.

APs running Instant AOS-8 and AOS-10 are all affected by these flaws, which includes AOS-10.6.x.x (10.6.0.2 and below), AOS-10.4.x.x (10.4.1.3 and below), Instant AOS-8.12.x.x (8.12.0.1 and below), and Instant AOS-8.10.x.x (8.10.0.13 and below).

Patches and workarounds

A patch is already available for download, and given the severity of the flaws in question, HPE (Aruba’s parent company) urges users to apply it without hesitation. Those unable to install the patch on Instant AOS-8.x should enable “cluster-security”, while those with AOS-10 endpoints should block access to port UDP/8211 from all untrusted networks.

Other Aruba products, such as Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, were confirmed safe. The good news is that there is no evidence of in-the-wild exploits, and no one has yet shared a Proof-of-Concept (PoC).

Aruba Access Points are wireless networking devices designed to provide high-performance, secure, and reliable Wi-Fi coverage in various environments, such as offices, campuses, and public spaces. They are part of Aruba's broader networking solutions, which focus on simplifying network management while ensuring strong connectivity for users and IoT devices.

Via BleepingComputer

A vulnerability in a piece of software could have allowed hackers to discover, unlock, and start any Kia vehicle built after 2013, experts have warned.

The news was broken by cybersecurity researcher and bug bounty hunter Sam Curry, previously known for finding similar flaws in 15 million Ferraris, BMWs, Porsches, and other vehicles.

Curry found a way to grab tokens from the Kia website, which gave him far-reaching access. After registering an account on the Kia dealership site and logging in, the site issued Curry a token that allowed him access to backend dealer APIs. There, with nothing more than a license plate number, he was able to find the location of any Kia car built after 2013, unlock it, honk its horn, and start or stop it.

Exposing private data

Furthermore, the token gives him access to plenty of sensitive customer information: full names, phone numbers, email addresses, and postal addresses. Curry was also able to add himself as a second user on any of the vehicles, without the first user knowing.

"The HTTP response contained the vehicle owner's name, phone number, and email address. We were able to authenticate into the dealer portal using our normal app credentials and the modified channel header," Curry said.

Soon after reporting his findings to the company, Kia patched the hole up: "These vulnerabilities have since been fixed, this tool was never released, and the Kia team has validated this was never exploited maliciously," Curry concluded.

Ever since software was introduced in personal cars, privacy has been a major pain point. Most car makers, including Toyota and Mercedes, have had data-related incidents in the past.

Via BleepingComputer

Star Health and Allied Insurance, one of the biggest health insurance organizations in India, has suffered a cyberattack that saw sensitive customer data stolen and then leaked on Telegram via a number of bots.

The information stolen and subsequently leaked included people’s full names, phone numbers, postal addresses, medical reports, and insurance claims.

Furthermore, for some people it included copies and scans of ID cards and certain tax details - more than enough information to run identity theft campaigns, phishing, and possibly even wire fraud.

Investigation under way

When Star Health and Allied Insurance learned of the breach, it moved to contain it. Since the data was leaking via Telegram, it sued the instant messaging platform for facilitating crime. The hackers apparently also set up websites to host the data; these were hosted on Cloudflare, which is reportedly also named in the lawsuit.

A local court issued a legal order forcing Telegram and Cloudflare to restrict access to the stolen information, which appears to have been only partially successful, since the sites are still accessible from some ISPs in the country, and it's not known whether the bots are still active on Telegram.

At press time, the victim had not yet issued any statement. It told TechCrunch a “forensic investigation” is underway, and added that it would be premature for a public company to comment before the investigation is concluded.

We don’t know exactly how many customers are affected by this incident. According to Life Insurance International - everyone, and that means more than 31 million people. The stolen data reportedly totalled 7.24 terabytes. We also don’t know if this is the work of a ransomware organization, and if the company was asked for payment to keep the data private. The breach happened in August.

Via TechCrunch

Hackers are using TikTok in new phishing attacks as they attempt to steal people’s Microsoft Office 365 credentials, a new report from Cofense has warned.

The company's researchers detected phishing emails threatening victims that all of their emails will be deleted unless they press a button. What’s new about this campaign is that the button actually leads to TikTok.

To make the attack work, the attackers employ TikTok URLs. A TikTok profile bio can contain links to external websites, the researchers explained, so a TikTok URL can redirect the visitor to whatever site the profile holder chooses.

Spotting the scam

If the phishing email recipient does not spot the trick and clicks the button in the message, they will be sent through a number of redirects, ultimately landing on a web page that looks like a Microsoft 365 login site, with the company logo and all. The malicious site even autofills the user’s email address in order to improve legitimacy.

However, since this is a fake website controlled by the attackers, any information submitted there, including passwords, goes straight to the hackers.

The use of TikTok URLs may be novel, but the overall methodology does not differ much from what we’re used to seeing. The email still comes from a completely unrelated domain. It is still full of grammar and spelling mistakes. Finally, the URL of the landing page does not even come close to resembling a Microsoft domain.

Therefore, spotting the attack should not be too difficult - it only takes being a little mindful of the emails coming in, and not trusting everything in the inbox.

Hackers are now mostly focusing new phishing attacks against mobile devices, which are generally weaker and more often unmanaged compared to laptops or desktop PCs, experts have warned.

The new “2024 Global Mobile Threat Report” from Zimperium claims 82% of phishing sites today target mobile devices, and as attackers adopt a mobile-first strategy on a grander scale, they leverage multiple techniques to make their way into enterprise systems.

What’s more, three-quarters (76%) of phishing sites aimed at large enterprises are using HTTPS, a secure communications protocol which increases the perceived legitimacy of malicious websites, and makes victims lower their guard. Furthermore, since the screen real estate on mobile devices is smaller, victims are less likely to spot security indicators, such as the URL bar.

Moving quickly

Speaking of boosting perceived legitimacy, in late March 2024, researchers at Netcraft spotted a unique phishing-as-a-service tool called Darcula.

This tool allows crooks to send messages using the Rich Communication Services (RCS) protocol for Google Messages and iMessage, rather than the usual Short Message Service (SMS). This improves the sense of legitimacy, and makes the messages impossible to intercept or block based solely on their contents (since the messages are end-to-end encrypted).

Hackers interested in phishing on mobile (or “mishing”, as Zimperium calls it) know that time is of the essence. A phishing site becomes operational almost immediately after it is created, and a quarter of them are up and running less than 24 hours after creation, the report said.

Shridhar Mittal, Chief Executive Officer at Zimperium, warned the only logical solution is to adopt a multi-layered security strategy, including mobile threat defense and mobile app vetting.

The majority of users still protect their prized virtual possessions with nothing more than passwords, despite the method being deemed susceptible to all sorts of attacks, a new report from Yubico has claimed.

The hardware authentication key provider surveyed 20,000 people around the world to gauge their perception of cybersecurity, and found the majority (58%) still use usernames and passwords to log into personal accounts (as opposed to biometrics, for example). Furthermore, 54% use the same method to log into work accounts.

At the same time, many (39%) are under the impression that the username and password is the most secure means of authentication. A similar percentage (37%) think the same of SMS-based authentication, despite both being proven to be susceptible to phishing.

Compromised accounts

Interestingly enough, the vast majority of respondents (72%) are also aware that online scams and phishing attacks have become more sophisticated. Two-thirds (66%) say they’ve also gotten more successful. They all agree that the rapid advancement of Artificial Intelligence (AI) played a key role in this.

As a result, people lose access to their accounts all the time. The most commonly compromised passwords are also the ones protecting the most valuable of possessions - personal and financial information. That being said, social media accounts are most often breached (44%), followed by payment app accounts (24%), online retailer accounts (21%), messaging apps (17%), and banking apps (13%).

To add insult to injury, 40% of respondents never received any form of cybersecurity training from the organization they work for. Furthermore, just over a quarter (27%) believe the security measures their employers have put in place are sufficient.

“This includes adopting stronger authentication methods to become phishing-resistant, fostering a culture of security awareness through consistent employee training, and more,” said Derek Hanson, VP of standards and alliances at Yubico.

“Ultimately, building a unified front against cyber threats requires a concerted effort to bridge the gap between perceived and actual security. By integrating advanced security measures into all aspects of our digital lives, we can better protect ourselves, our data, and our organizations.”

Hackers are increasingly targeting internet-connected operational technology (OT) and industrial control system (ICS) endpoints, a stark warning from the US Cybersecurity and Infrastructure Security Agency (CISA) has said.

In its warning, the agency did not say who the hackers are, but hinted they might be Russian. It claimed the hackers are going after devices through “unsophisticated means”, mostly brute-force attacks, and are trying to log into the devices using default credentials.

They seem to be successful, too, and in many instances, they are compromising devices in the Water and Wastewater Systems (WWS) Sector. This allows them to do real-life, physical harm, since these devices regulate water treatment processes, distribution, and pressure. By targeting endpoints in the WWS sector, they could disrupt the continuous, safe water supply for many people.

Attacks on the rise

To defend their devices, OT and ICS operators in critical infrastructure sectors should apply the recommendations listed in the Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity article, CISA stressed. The agency also urged organizations to visit CISA’s Secure by Design web page and learn more about secure-by-design principles and practices.

CISA is hardly the first agency to warn about OT systems being hit harder than ever before. In mid-June 2024, Fortinet gave a similar assessment after surveying more than 550 OT professionals around the world, finding that almost three quarters (73%) of businesses faced OT attacks this year.

In 2023, this figure was 49%, a significant increase in a mere 12 months.

It’s not just about the breadth of the attacks, either. The frequency has also significantly increased, as a third (31%) of respondents reported more than six intrusions in the past year. The year before, just 11% reported the same thing.

Fortinet suggests cybercriminals have been quick to adapt to current security measures, while organizations lagged behind.

Via BleepingComputer

Chinese hackers have allegedly broken into multiple internet service providers (ISPs) in the United States, and are using their position to steal sensitive information and lay the groundwork for future attacks.

An investigation by the Wall Street Journal, which cited “people familiar with the matter”, did not name the compromised ISPs, but did mention there has been a “handful” of victims, and that the group behind the intrusions has been dubbed Salt Typhoon.

Given the name, Salt Typhoon has quickly been linked to other Chinese state-sponsored groups, all of which Microsoft named ‘typhoon’ - Flax Typhoon, Volt Typhoon, and Brass Typhoon.

Crippling the US response

While these groups focus on different things and target different victims, the goal seems to be the same: to steal sensitive information and disrupt critical infrastructure organizations in the US. These groups are reportedly working in coordination to assist the Chinese government in achieving its geopolitical goals, including a possible invasion of Taiwan.

At the same time, US Cybersecurity and Infrastructure Security Agency (CISA) Executive Assistant Director for Cybersecurity Jeff Greene told The Register that the agency is aware of the reports of compromised ISPs, and essentially said it’s business as usual, since China is known for this kind of activity:

"CISA and our partners continue to emphasize the risk posed by PRC state-sponsored cyber actors, who have compromised the IT environments across multiple critical infrastructure sectors and organizations," he said in a statement.

"We encourage all organizations to review our latest advisories and guidance, to include our joint Cybersecurity Advisory on identifying and mitigating living off the land techniques, and take action, as appropriate."

Via The Register

Google’s attempt to block infostealer malware grabbing data stored in its Chrome browser seems to have been short-lived, with multiple variants claiming to have already successfully bypassed it.

In late July 2024, Google released Chrome 127, which introduced App-Bound Encryption, a feature intended to ensure sensitive data stored by websites or web apps was only accessible to a specific app on a device. It works by encrypting data in such a way that only the app that created it can decrypt it, and was advertised as particularly useful for protecting information like authentication tokens or personal data.

Now, mere months after it was introduced, the protection mechanism has already been cracked by some of the most popular infostealers out there, BleepingComputer reports, claiming the likes of MeduzaStealer, Whitesnake, Lumma Stealer, Lumar, Vidar, and StealC have all introduced some form of bypass.

Prioritizing impact

Some of the upgrades are also confirmed to be working with Chrome 129, the newest version of the browser available at press time. TechRadar Pro has reached out to Google for comment, and will update our article if we hear back.

“Added a new method of collecting Chrome cookies,” Lumma’s developers allegedly told its customers recently. “The new method does not require admin rights and/or restart, which simplifies the crypt build and reduces the chances of detection, and thus increase the knock rate.”

Exfiltrating information from browsers is a key feature of most prominent infostealers. Many people save things like passwords or payment data inside their browsers for convenience and quick access, and many also use cryptocurrency wallet add-ons for their browsers. By stealing cookies, crooks are even able to log into services protected by multi-factor authentication (MFA). All of this makes browsers one of the most important targets during data theft.

It’s been more than a year since news of the MOVEit breach first emerged, and we’re still getting information on new victims.

The latest firm to add to the list is The Centers for Medicare & Medicaid Services (CMS), a US federal agency within the U.S. Department of Health and Human Services (HHS) that oversees the nation’s major healthcare programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP), and so plays a critical role in administering health coverage to millions of Americans.

The agency has now confirmed suffering a data breach as a result of the MOVEit vulnerability, in which sensitive data belonging to 3,112,815 people was stolen. Many of those people are either deceased or not Medicare beneficiaries, since CMS notified only roughly 950,000 people.

Personally identifiable information stolen

In the breach notification letter, which was also sent to the HHS, CMS said crooks took people’s names, social security numbers, individual taxpayer identification numbers, birth dates, mailing addresses, gender data, hospital account numbers, dates of service, Medicare beneficiary identifiers, and health insurance claim numbers.

This is more than enough data to mount identity theft or phishing attacks that could result in even more disruptive attacks.

CMS explained that it patched its MOVEit Transfer instance in early June last year, and assumed it would be safe. However, by the time the patch was installed, Cl0p operatives had already extracted all of the information they needed, and CMS only realized that in May this year.

Last year, ransomware operators Cl0p found a flaw in the managed file transfer service and used it to steal sensitive data from hundreds of organizations around the world, leading to the SEC launching a full investigation.

Via BleepingComputer