BOOK THIS SPACE FOR AD
ARTICLE ADInfosec In Brief The recent indictment of a massive SIM-swapping ring may mean convicted crypto conman Sam Bankman-Fried is innocent of at least one allegation still hanging over his head: The theft of more than $400 million in crypto hacked from wallets belonging to his crypto firm, FTX, just before it declared bankruptcy.
As reported earlier this week, a trio of individuals, led by Chicago resident Robert Powell, were indicted [PDF] on charges of committing SIM swapping attacks on over 50 victims in 13 US states from 2021 until 2023, stealing hundreds of millions of dollars in the process.
The trio's biggest haul was the theft of more than $400 million in cryptocurrency from an unnamed "Victim Company-1" on November 11, 2022 – the same day that FTX declared bankruptcy and an unknown attacker stole roughly $415m in crypto from the firm.
Brian Krebs was the first to make the connection between the indictment of the Powell gang and the FTX theft, and blockchain analytics firm Elliptic backed him up, noting "we are not aware of any other thefts from crypto businesses on this scale, on these dates."
"It therefore appears likely that FTX is the 'Victim Company-1' named in the indictment," Elliptic concluded, while admitting that it's not clear if Powell and his co-conspirators stole the money themselves, or facilitated the theft on behalf of another party.
Bloomberg, citing unnamed sources familiar with the case, said it's received confirmation that Victim Company-1 is, indeed, FTX.
Powell was reportedly arrested in Chicago last week and is being held without bond pending transfer to Washington, DC to face charges. His co-conspirators, Carter Rohn of Indianapolis, Indiana, and Emily Hernandez of Colorado Springs, Colorado, have also been apprehended.
While SBF might be off the hook for this element of his mismanagement of FTX, that won’t help him to walk free as was convicted on seven charges in October 2023 and faces up to 110 years in prison when sentenced next month.
Critical vulnerabilities: Apple Vision Pro gets pre-release patch
It's been a busy week in vulnerability land, with Apple patching security holes in its Vision Pro headset before it even hit the market.
This isn't a new vulnerability – it's the same WebKit vuln we reported last week that appeared across Apple OSes and has already been patched. The fact that Apple users will have to install a release-day patch for the $3,499 goggles is just an inconvenience, really – just be sure you actually install it if you bought one, as this vuln is known to be under active exploit.
Moby and the Open Container Initiative (OCI) released updates addressing several Docker-related vulnerabilities, so be sure to install updates for the following:
CVSS 10.0 – CVE-2024-23652: Malicious frontends for Moby BuildKit can trick systems into removing files outside of containers from host systems. CVSS 9.8 – CVE-2024-23653: BuildKit APIs can be misused to ask BuildKit to run a container with elevated privileges. CVSS 8.7 – CVE-2024-23651: Malicious steps in BuildKit builds can lead to host system files being accessible to the build container. CVSS 8.6 – CVE-2024-21626: OCI's runc CLI tool version 1.1.11 and earlier contain an internal file descriptor leak that can be abused to trigger container escape.Elsewhere:
CVSS 9.8 – Multiple CVEs: Gessler GmbH WEB-MASTER emergency lighting management systems v7.9 are storing weak hard-coded credentials and using weak hashing algorithms, making it easy to take control of the system. CVSS 9.8 – Multiple CVEs: Several models of Emerson Rosemount gas chromatographs running software v4.1.5 are vulnerable to command injection and are improperly authenticating users. CVSS 9.8 – Multiple CVEs: Multiple Mitsubishi Electric FA engineering software products are missing authentication for critical functions and can have malicious libraries added through unsafe reflection. CVSS 9.8 – CVE-2024-21917: Rockwell Automation FactoryTalk versions prior to 6.4 are improperly validating cryptographic signatures, allowing an attacker to obtain service tokens. CVSS 9.8 – CVE-2023-3346: A wide range of Mitsubishi Electric CNC devices are vulnerable to classic buffer overflow. CVSS 8.8 – Multiple CVEs: Several Rockwell Automation Operator Panels are vulnerable to stack-based buffer overflow and other issues that could lead to DoS and RCE. CVSS 8.6 – CVE-2024-21916: Rockwell Automation ControlLogix and GuardLogix firmware are vulnerable to writing to memory outside of buffers, potentially crashing devices. CVSS 8.1 – Multiple CVEs: Several models of Hitron DVRs are improperly validating input, opening them to DoS attacks.Qualys spots more nasty glibc vulns
Security researchers at Qualys have discovered several vulnerabilities in the GNU C Library – aka glibc – a fundamental part of many Linux systems.
The issues were identified in glibc's syslog and qsort functions, and while an attacker needs to be local to execute the vulnerabilities, the result could be root access for an unprivileged user on Linux distributions including Debian, Fedora and Ubuntu.
The first, CVE-2023-6246 (CVSS 7.8), is a heap-based buffer overflow found in __vsyslog_internal() and affects both syslog that was inadvertently introduced in glibc 2.37 way back in 2022, and back-ported to 2.36 after that.
While analyzing that vulnerability, Qualys researchers spotted two additional minor vulnerabilities, plus a memory corruption issue in qsort(). Qualys warned the bug affects all versions of glibc going back to 1992, but the glibc team believes the issue lies in calling applications that pass bad data, and thus any CVE issued should be on those apps, not glibc.
"Even the most foundational and trusted components are not immune to flaws," Qualys said of the discovery, which isn't the first it's found in glibc lately.
DraftKings hacker sentenced, co-conspirators arrested
The Wisconsin teenager behind the theft of $600,000 from users of sports betting website DraftKings has been sentenced to 18 months in prison.
Along with his time in the clink, 19 year old Joseph Garrison, who pled guilty to one of six charges on which he was indicted, will have to submit to three years of supervised release and pay more than $1.5 million in forfeiture and restitution costs to victims, the US Department of Justice announced.
Garrison, who committed his crimes in late 2022, relied on credential stuffing to break into some 1,600 accounts. It's not clear where he acquired the reused username and password combinations used to break into DraftKings, though such information is easily purchased on the dark web.
The US Attorney's Office for the Southern District of New York announced two additional indictments and arrests in the DraftKings case earlier this week. ®