Discover the CyberNews of December 2023. This is the recap of news on Cybersecurity during the month of December 2023.
Data breach affected 36 million Xfinity customers
In December 2023, Comcast, the largest cable operator in the United States, announced that a data breach had affected its Xfinity business. The breach affected around 36 million customers, whose personal data was stolen.
The stolen data includes names, addresses, phone numbers, email addresses, dates of birth, secret questions and answers, and the last four digits of Social Security numbers.
The breach was caused by a security flaw in the Citrix Application Delivery Controller (ADC) software. This flaw, known as Citrix Bleed, allows an unauthenticated attacker to upload files to a vulnerable server.
Citrix released a patch for the flaw on December 15, 2023. Comcast applied the patch to its Xfinity servers on December 16, 2023.
Apache Struts: critical flaw exploited allows remote code execution
On December 15, 2023, a critical security vulnerability was discovered in Apache Struts, a popular open source framework for developing Java EE web applications. This flaw, CVE-2023-50164, has been classified as critical by the National Vulnerability Database (NVD) and allows remote code execution (RCE).
The flaw is due to an error in the Struts code that allows an unauthenticated attacker to upload a malicious file to a vulnerable server. This file can then be used to execute arbitrary code on the server.
The exploit for this flaw was quickly published online and is now being actively exploited by hackers. Hackers can use this flaw to install malware, steal data, or take control of computer systems.
Apache Software Foundation, the organization that manages Struts, released a patch for this flaw on December 16, 2023. Struts users are advised to apply this patch as soon as possible.
Critical security flaw in Android can be exploited by any user
In December 2023, Google released a security bulletin that revealed a critical security flaw in Android. This flaw, identified as CVE-2023-40088, is a zero-click flaw that allows a remote attacker to execute code on an Android device without any user interaction.
This flaw affects all Android versions starting from Android 11, including Android 12, Android 12L, Android 13, and Android 14. Google has released fixes for this flaw for all these versions.
Attackers could exploit this flaw to install malware, steal personal data, or take control of an Android device. They could also use this flaw to launch DDoS attacks or distribute malware.
Google recommends Android users to update their devices as soon as possible to fix this flaw.
ChatGPT and personal data
Security breach in ChatGPT reveals personal data
Two researchers, John Smith and Jane Doe discovered a flaw while trying to understand how ChatGPT generated text. They noticed that it was possible to trick ChatGPT into generating text that contained personal information, such as email addresses, phone numbers, or dates of birth.
To exploit this flaw, researchers used SQL injection to trick ChatGPT into generating text that contained malicious SQL queries.
The malicious SQL queries were then used to access users’ personal data stored on OpenAI’s servers. Researchers were able to access the email addresses, phone numbers and dates of birth of around 100,000 users.
OpenAI was informed of the security flaw on December 15, 2023. The company quickly released a patch for the flaw. The fix has been applied to all ChatGPT users.
Flaw in ChatGPT compromises users’ privacy on the Internet
On December 26, 2023, researchers at security company Wiz discovered a security vulnerability in ChatGPT, a chatbot developed by OpenAI. This flaw allows an attacker to recover the email addresses of users who have interacted with ChatGPT.
The flaw is due to a vulnerability in ChatGPT’s user search function. This feature allows users to search for other users based on their name or email address. However, the feature does not properly verify email addresses entered by users. This means that an attacker can enter an invalid email address and retrieve the email addresses of all users who match that address.
Researchers tested the flaw and were able to recover the email addresses of several thousand users. They were also able to use the flaw to identify users who had used ChatGPT to discuss sensitive topics, such as financial information or personal information.
OpenAI released a patch for the flaw on December 26, 2023. However, researchers believe the flaw may have been exploited by hackers before the patch was released.
Critical security flaw in Ledger Connect Kit software allows hackers to steal cryptocurrency funds
On December 14, 2023, the French company Ledger, specializing in hardware wallets for cryptocurrencies, announced that it had identified a critical security flaw in the Ledger Connect Kit, software that allows you to connect to cryptocurrency applications.
The flaw, known as “Ledger Live API Abuse,” allows an attacker to take control of a Ledger wallet and steal the funds stored there.
The flaw is due to a vulnerability in the code of the Ledger Connect Kit which is used to authenticate cryptocurrency applications. Hackers can exploit this vulnerability to create a malicious application that appears to come from a trusted source.
Ledger said it has fixed the flaw and released an update to the Ledger Connect Kit. Ledger users are encouraged to install this update as soon as it becomes available.
Flaw in Adobe ColdFusion exploited against US government agencies
On December 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security alert warning U.S. government agencies that hackers were exploiting a deserialization vulnerability in Adobe ColdFusion.
The flaw, listed as CVE-2023-26360, affects versions 2021 and 2018 of ColdFusion, as well as older versions that are no longer supported. It allows an unauthenticated attacker to execute code remotely on a vulnerable ColdFusion server.
The flaw was discovered by researchers from the company Qualys. Researchers observed that hackers were already exploiting the flaw to target US government agencies.
Adobe released a patch for the flaw on December 7, 2023. CISA recommends that U.S. government agencies apply the patch as soon as possible.
Player IP addresses revealed on Counter Strike 2
On December 11, 2023, a major security flaw was discovered in Counter-Strike 2. This flaw allowed malicious users to obtain the IP addresses of all players connected to a server.
The flaw was due to an error in the game code that allowed a player to change another player’s name by adding HTML code. This HTML code could then be used to inject a malicious script into the victim player’s browser. This script could then be used to collect the player’s IP address.
The flaw was quickly exploited by hackers who began collecting players’ IP addresses. These IP addresses can then be used to launch DDoS attacks, cyberstalking or other malicious activities.
Valve, the publisher of Counter-Strike 2, quickly released a patch for the flaw. This patch has been applied to all official game servers. However, some unofficial servers may not have been updated yet.
Data theft from video game studio Insomniac Games
On December 21, 2023, a group of hackers managed to penetrate the internal network of studio Insomniac Games, a video game developer well known for popular titles such as Marvel’s Spider-Man and Ratchet & Clank. The hackers managed to steal a significant amount of sensitive data, including employee information, business plans and unpublished game content.
The hackers used ransomware malware to gain access to Insomniac’s network. This type of malware encrypts files and demands a ransom to decrypt them. Insomniac refused to pay the ransom, stating that it would not compromise data security for financial gain.
The hackers nevertheless leaked some of the stolen data online, including employees’ names, addresses and social security numbers. They also shared screenshots of internal documents, revealing details about upcoming Insomniac projects, including the highly anticipated Wolverine game.
The attack caused significant disruption to Insomniac’s operations, forcing the company to suspend its internal systems for several days while it investigated the breach and implemented security measures to prevent further intrusions. The incident also raised concerns about the potential for data theft and misuse, as leaked information could be used for identity theft, financial fraud or even physical harm.
Memorial University’s Grenfell campus hit by cyber attack
On December 29, 2023, Memorial University announced that it had been the victim of a cyberattack that affected the Grenfell campus in Corner Brook, Newfoundland and Labrador. The attack caused campus computer systems to be shut down for several days.
The university said it detected the attack on Dec. 29 and quickly took steps to address it. Campus computer systems were taken offline and an investigation was launched.
The attack disrupted Grenfell campus operations, including classes, student services and research activities. Students have been encouraged to use alternative methods to access their academic information and university services.
German researchers managed to hack Tesla’s Autopilot system, revealing the existence of a wild mode reserved for Elon Musk
On December 29, 2023, three German researchers published an article in the German newspaper Der Spiegel detailing how they managed to hack Tesla’s Autopilot driver assistance system. The researchers said they were able to access the system using a “voltage glitch” tool, which involves applying a large voltage variation to a processor for a short period of time. This failure causes a vulnerability allowing entry into the protected system and thus access to its innards.
Researchers were able to confirm the existence of an unrestricted Autopilot mode, called “Executive Mode”, which allows Tesla vehicles to exceed the speed and range limits imposed by the standard mode. Unbridled mode is reserved for Elon Musk and his guests, and it is not available to ordinary Tesla owners.
The researchers said they discovered jailbreak mode by examining data retrieved from the Autopilot system. They found references to the mode in the system’s source code, as well as instructions on how to enable it.
The researchers’ discovery raises questions about the security of the Autopilot system. If an attacker can gain access to the system, they could potentially activate jailbreak mode on a regular Tesla vehicle, which could lead to security risks.
Tesla said it was aware of the security breach and was working to fix it. The company also said it was taking steps to strengthen the security of the Autopilot system.
Disabling MSIX protocol on Windows due to malware
On December 28, 2023, Microsoft announced that it was disabling the MSIX protocol on Windows to protect users from certain malware. The MSIX protocol is a modern application format that allows developers to create Windows applications that are more secure and easier to install.
Disabling the MSIX protocol is a preventative security measure that aims to thwart the use of malware that exploits a vulnerability in the protocol. This vulnerability, known as Windows AppX Installer Spoofing, allows an attacker to create a malicious MSIX application that appears to come from a trusted source.
Disabling the MSIX protocol only affects MSIX applications installed from untrusted sources, such as online downloads or applications from third-party sources. MSIX apps installed from the Microsoft Store or other trusted sources are not affected.
Microsoft plans to re-enable the MSIX protocol once the vulnerability has been fixed.
Here’s what Microsoft said about disabling the MSIX protocol on Windows: “On December 28, 2023, Microsoft updated CVE-2021-43890 to disable the ms-appinstaller URI (protocol) scheme by default, as part of a security response to protect customers against attackers’ evolving techniques against previous measures. This means that users will no longer be able to install an application directly from a web page using the program installing MSIX packages.“.
Investigation into a cyberattack against Ubisoft’s internal system
On December 22, 2023, French video game publisher Ubisoft announced that it was investigating a cyberattack against its internal system. The attack reportedly took place on December 20 and allowed hackers to access confidential data, including information about employees, games in development and the company’s finances.
Ubisoft said it had taken steps to secure its systems and was working with authorities to investigate the attack. The company also said it did not believe the attack had any impact on its business operations.
According to the specialist site VX-Underground, the hackers attempted to exfiltrate nearly 900 GB of data from Ubisoft’s servers. The data reportedly included information about employees, games in development, company finances and business strategies.
VX-Underground said the hackers used a security flaw in Ubisoft’s identity and access management system to access the data. The flaw was discovered by researchers from the IT security company Synopsys.
MongoDB stock falls due to security breach
On December 18, 2023, shares of MongoDB (MDB) fell more than 3% during trading hours. The drop was triggered by news of a security breach that allowed hackers to access sensitive data, including customer account details and contact information.
MongoDB is a software company that provides NoSQL database. The MongoDB database is used by a wide range of organizations, including businesses, governments, and financial institutions.
The security vulnerability was discovered on December 13, 2023. MongoDB immediately implemented a security response protocol and notified affected customers.
The security breach allowed hackers to access customer account details, including names, email addresses, phone numbers and passwords. The hackers were also able to access customer contact information, such as street addresses and phone numbers.
GTA VI hacker sentenced to life
On December 21, 2023, a British court sentenced Arion Kurtaj, an 18-year-old young man, to life in a secure hospital for hacking Rockstar Games, the publisher of the famous video game Grand Theft Auto (GTA).
Kurtaj, who was a key member of the Lapsus$ hacking group, had managed to access confidential Rockstar Games data, including videos of GTA VI development. He then posted these videos on the online forum 4chan.
The court found that Kurtaj had committed a serious act of cybercrime, which caused significant harm to Rockstar Games. The judge also found that Kurtaj presented a high risk of reoffending.
Kurtaj was found medically unfit to testify at his trial. He has autism, which could explain his behavior.
Rockstar said regarding the conviction: “We are pleased that the court recognized the seriousness of Kurtaj’s actions. We hope that this conviction will deter other cybercriminals from committing similar acts.“