11 OCT, 2024

The Cybersecurity Express – 11 October 2024

Cybourn Media Hub

The wind carries a subtle chill as you stand on the platform, the rhythmic hum of distant machinery heightening your anticipation. In the dimly lit station, a sign overhead flickers, spelling out “Cybersecurity Express” in bold, electric letters. Your pulse quickens as the soft echo of a train approaches—its sleek, metallic body emerging from the shadows like a guardian of hidden knowledge. This isn’t just any train ride; you know it’s about to take you on a journey through the digital landscapes of today’s most pressing cybersecurity headlines.

As you board, the door hisses shut behind you, sealing you into a world of information, intrigue, and the ever-evolving threat of cyberattacks. Each carriage promises a new stop, with stories ranging from global breaches to cutting-edge tech defenses. The air is electric, and the thrill of the unknown beckons you forward. Your seat awaits, and as you settle in, the conductor’s voice echoes: “Next stop, the latest in cybersecurity.” Buckle in—your ride through the digital frontier is about to begin.

Critical GitLab Vulnerability Puts CI/CD Pipeline Security at Risk

GitLab has issued urgent security updates for its Community Edition (CE) and Enterprise Edition (EE) platforms to address eight vulnerabilities, including a critical flaw that could allow unauthorized execution of Continuous Integration and Continuous Delivery (CI/CD) pipelines. The vulnerability, tracked as CVE-2024-9164, carries a high Common Vulnerability Scoring System (CVSS) rating of 9.6, signaling its severe potential impact.

According to GitLab’s advisory, the critical issue affects all EE versions starting from 12.5 up to 17.2.9, versions 17.3 prior to 17.3.5, and versions 17.4 prior to 17.4.2. This vulnerability allows attackers to trigger pipelines on arbitrary branches, giving them the ability to run jobs that could potentially interfere with sensitive operations or be used for malicious purposes.

In addition to the critical flaw, GitLab addressed seven other vulnerabilities of varying severities, including four rated as high:

  • CVE-2024-8970 (CVSS score: 8.2) – This flaw enables attackers to trigger pipelines as another user under certain conditions, potentially compromising the integrity of the CI/CD environment.
  • CVE-2024-8977 (CVSS score: 8.2) – This vulnerability allows Server-Side Request Forgery (SSRF) attacks on instances with Product Analytics Dashboard configured and enabled, opening doors for unauthorized access to internal systems.
  • CVE-2024-9631 (CVSS score: 7.5) – A performance issue that causes significant slowness when viewing diffs of merge requests with conflicts, impacting user experience and productivity.
  • CVE-2024-6530 (CVSS score: 7.3) – This vulnerability results in an HTML injection via OAuth pages when authorizing a new application, which could be exploited for cross-site scripting (XSS) attacks.

This release is the latest in a series of patches addressing pipeline-related vulnerabilities. Just last month, GitLab resolved a critical vulnerability, CVE-2024-6678, with a CVSS score of 9.9. That flaw allowed attackers to run pipeline jobs as an arbitrary user, significantly escalating the risk of unauthorized actions within CI/CD environments. In addition, previous patches in 2023 and early 2024 targeted similar critical vulnerabilities, such as CVE-2023-5009, CVE-2024-5655, and CVE-2024-6385, all with CVSS scores of 9.6.

While GitLab has not observed any active exploitation of these vulnerabilities to date, the company strongly urges users to update to the latest versions to prevent potential attacks. Keeping systems updated is critical, as flaws in CI/CD pipeline security can be exploited to gain unauthorized access, deploy malware, or disrupt critical development operations.

With the continuous discovery of pipeline vulnerabilities, it’s essential for organizations to remain vigilant and proactively apply security patches. GitLab’s ongoing commitment to addressing these issues demonstrates the growing complexity of CI/CD environments and the importance of securing them against emerging threats.

To ensure protection, users are encouraged to update their GitLab installations to the latest versions: 17.2.9, 17.3.5, and 17.4.2, all of which contain the necessary patches to resolve these critical vulnerabilities.
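The version ranges above are easy to misread when checking an installation by hand (for example, 17.2.9 is the fixed release, not the last affected one). The following Python snippet is an added example, not code from GitLab or from this newsletter: it encodes the affected ranges exactly as summarised above (12.5 up to but not including 17.2.9, 17.3 before 17.3.5, 17.4 before 17.4.2) and reports whether a given version string is inside them and which fixed release on the same branch resolves the issue. It checks the version number only, not the edition (CE vs EE), and treats anything outside the listed ranges, including releases newer than 17.4.2, as not affected by this advisory. The `check_api_payload` helper assumes the JSON shape returned by GitLab's `/api/v4/version` endpoint (a `version` key); that assumption is mine.

```python
"""Check a GitLab version string against the CVE-2024-9164 affected ranges.

Ranges follow the advisory summary above: affected versions are
12.5 <= v < 17.2.9, 17.3.0 <= v < 17.3.5 and 17.4.0 <= v < 17.4.2.
The fixed releases 17.2.9, 17.3.5 and 17.4.2 are therefore treated as patched.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, inclusive) -> (first fixed version, exclusive)
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]

# Accepts '17.3.4', 'v17.4.1-ee', '17.2' (patch defaults to 0), '17.3.5+build'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple.

    Edition suffixes such as '-ee' or '-ce' and build metadata are ignored.
    Raises ValueError for strings that do not look like a version at all.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside any range listed in the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> Optional[str]:
    """Return the fixed release that closes the matching range, or None.

    Versions before 17.3 map to 17.2.9, 17.3.x to 17.3.5 and 17.4.x to 17.4.2,
    which mirrors the three patched releases named in the advisory.
    """
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def check_api_payload(payload: dict) -> Optional[str]:
    """Run the check on a decoded /api/v4/version response (assumed shape:
    {"version": "17.3.4-ee", "revision": "..."}). Returns the fixed release
    to upgrade to, or None when the reported version is not affected."""
    return minimum_fixed_version(payload["version"])


if __name__ == "__main__":
    # Constructed sample inputs, including the boundary values that are
    # easiest to get wrong when reading the advisory by eye.
    samples = ["16.11.0", "17.2.8", "17.2.9", "17.3.4-ee", "17.3.5",
               "17.4.0", "v17.4.2-ee", "12.4.9", "18.0.0"]
    for s in samples:
        fix = minimum_fixed_version(s)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{s:>12}: {status}")
```

Point the check at the output of `GET /api/v4/version` on each instance you operate, and treat a `ValueError` from `parse_version` (an unexpected string) as a reason to inspect the instance manually rather than as "not affected".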

OpenAI Blocked 20 Global Disinformation and Cyber Campaigns

OpenAI revealed on Wednesday that it successfully disrupted more than 20 malicious campaigns worldwide that attempted to misuse its artificial intelligence models since the beginning of 2024. These campaigns spanned a range of cyber activities, including debugging malware, writing disinformation articles, creating fake social media accounts, and generating images for profiles on platforms like X (formerly Twitter).

In its report, OpenAI stated that while threat actors continue to probe and test its models, no meaningful breakthroughs have been achieved in terms of creating new malware or launching viral disinformation efforts. The company highlighted that the blocked activities were primarily experimental and did not result in large-scale malicious outcomes.

Some of the malicious activity targeted by OpenAI included efforts to interfere with social media content related to elections in the U.S., India, Rwanda, and the European Union. Notably, none of these efforts gained significant viral engagement. One operation, led by Israeli commercial firm STOIC (also known as Zero Zeno), aimed to manipulate social media commentary related to Indian elections, an activity also reported by Meta earlier this year.

Among the cyber operations disrupted by OpenAI, several notable campaigns stood out:

  • SweetSpecter, a suspected China-based adversary, utilized AI models for reconnaissance, vulnerability research, and scripting support. This group was linked to spear-phishing attempts aimed at OpenAI employees to deliver a malware payload known as SugarGh0st RAT.
  • Cyber Av3ngers, a group associated with the Iranian Islamic Revolutionary Guard Corps (IRGC), reportedly used AI models to conduct research on programmable logic controllers (PLCs) for their operations.
  • Storm-0817, another Iranian threat actor, leveraged AI models to debug Android malware and scrape social media profiles via automation tools like Selenium. They also translated LinkedIn profiles into Persian to facilitate information gathering.

OpenAI further revealed that it had taken action to block clusters of accounts involved in disinformation campaigns. Two such campaigns, codenamed A2Z and Stop News, generated English and French-language content across multiple social media platforms. Notably, Stop News used OpenAI’s DALL·E to create attention-grabbing cartoon-style images to accompany posts on various websites.

Additionally, OpenAI exposed operations called Bet Bot and Corrupt Comment. Bet Bot used AI to converse with social media users and direct them to gambling sites, while Corrupt Comment created AI-generated conversations to manipulate discussions on X.

The report also described influence operations linked to the upcoming U.S. presidential election, specifically highlighting an Iranian network named Storm-2035 that was using OpenAI’s ChatGPT for disinformation purposes. Despite these attempts, OpenAI asserted that such malicious efforts typically occur at an intermediate phase — after basic tools like email accounts and social media profiles have been acquired, but before the final deployment of disinformation or malware.

OpenAI emphasized the importance of continuously monitoring AI usage to prevent its misuse and to block cyber and influence campaigns before they can inflict significant harm. The company continues to collaborate with law enforcement and cybersecurity partners to safeguard against evolving threats.

Qualcomm Alerts to Potential Zero-Day Exploited in Targeted Attacks

Qualcomm has issued a security advisory addressing 20 vulnerabilities across its products, including a potentially critical zero-day vulnerability. This specific flaw, tracked as CVE-2024-43047, has raised concerns after Google’s Threat Analysis Group (TAG) indicated that it might be actively exploited in targeted attacks. In case you did not know, Qualcomm is one of the largest semiconductor producers and has chips in almost every mobile and IoT device you can think of.

CVE-2024-43047 is classified as a high-severity use-after-free vulnerability in the DSP (Digital Signal Processing) service of Qualcomm chips. Use-after-free vulnerabilities occur when a program continues to use a block of memory after it has been freed, which can corrupt memory and lead to code execution or system compromise. The flaw could be particularly dangerous in targeted cyberattacks, especially given Qualcomm’s significant presence in everyday devices.

According to Seth Jenkins, a researcher at Google’s Project Zero, both Google TAG and Amnesty International have detected possible evidence of exploitation in the wild. Jenkins shared this information on X (formerly Twitter), indicating that the flaw could be used by attackers to infiltrate Android devices, possibly as part of commercial spyware campaigns. While Qualcomm has released a patch for CVE-2024-43047, it will take time for the update to reach end users, and many older or unmaintained devices may never receive it.

CVE-2024-43047 affects over 60 Qualcomm chipsets, including widely used series such as FastConnect, Snapdragon, QCA, QCS, and WCN, among others. Qualcomm has not provided detailed information on specific attacks leveraging this flaw, but the fact that it was reported by both Google and Amnesty International suggests that the vulnerability may be exploited by commercial spyware vendors. Such vendors typically target high-profile individuals or entities, such as government officials, journalists, and activists, often for surveillance purposes.

The vulnerability was reported to Qualcomm in late July 2024, and a patch has now been developed. However, the deployment of this patch to devices will vary depending on manufacturers and carriers, a process that can sometimes take months. Qualcomm has noted that many devices, especially those that are not frequently updated, may remain vulnerable for an extended period.

This is not the first time Qualcomm has faced the challenge of chipset vulnerabilities being exploited in the wild. Since 2021, Qualcomm has had eight known exploited vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog. This underscores the frequent targeting of Qualcomm technologies, which power billions of mobile devices, from smartphones to IoT systems.

While there is no immediate evidence of widespread attacks, Qualcomm’s advisory emphasizes the importance of patching devices as soon as updates are available. The potential for this zero-day to be exploited by cybercriminals for malicious purposes, such as espionage or financial gain, is a reminder of the risks posed by vulnerabilities in widely used hardware.

In light of this, users are encouraged to ensure that their devices receive security updates and remain vigilant for signs of compromise. As Qualcomm and Google continue to investigate, further details about the scope and nature of this vulnerability’s exploitation may emerge.

This wraps up today’s issue. Wherever you are out there in the digital world, just stay safe, install the latest patches, and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express, and we look forward to welcoming you on board the next time.
