IEEE Cipher --- Items from security-related news (E186)
Summary:
Back in March we mentioned the uncertainty about the fate of Biden's
executive order on software security. This article is an in-depth
analysis of Trump's recent EO on the same topic. It is interesting to
note that neither order requires that software producers provide
any guarantee of security. Instead, they attest to the integrity of
their development processes.
Cars have become systems of systems, and each new system has its growing pains when it comes to security. In this case, the infotainment system gave unrestricted entry via Bluetooth connections.
Bluetooth Hack Exposes Millions of Cars to Remote Risk
Summary:
Hacking car computer systems may seem laughably out-of-date in a
world in which we are only a few steps away from self-driving
vehicles. Surely they've got security worked out by now? But it
doesn't get much worse than PerfektBlue: "Researchers demonstrated
remote code execution on production vehicles using only a Bluetooth
connection: no cables, no ports, no physical access required." Four
separate vulnerabilities were chained to gain deep access
to the car's data, and potentially to driving controls. "If your car
runs on BlueSDK and hasn't been patched since September 2024, it's
potentially exposed." The SDK is the basis for some infotainment
systems in cars.
Summary:
Researchers at PCA Cyber Security (formerly PCAutomotive)
in 2024 identified four security flaws in the Bluetooth code provided by
Open Synergy in their SDK for Bluetooth. BlueSDK is a widely used
framework in cars. One of the vulnerabilities was designated "critical", and the
PCA team did not disclose it until recently, after consultation with
the software provider about the availability of patches. This article
gives brief descriptions of the vulnerabilities and links to their CVE
entries. Nonetheless, there is no further information available from
CVE.org about the critical flaw: "Use-After-Free in AVRCP service".
Summary:
The UK Ministry of Defence has released a report about operations of the
Russian GRU.
"The UK is concerned that the GRU has used Ukraine as a testing
ground for the development of a range of cyber capabilities,
integrated into its military doctrine, since 2014 onwards." For example,
email hacking was used as part of the plot to poison Sergei and Yulia
Skripal in the UK in 2018. The report covers actions of various
GRU units, particularly Unit 29155, "also known as the 161st Specialist Training Center (TsPS), which has a cyber wing known in open source as Cadet Blizzard".
Summary:
GPUs are essential workhorses for artificial intelligence and many
other applications today, but they recapitulate the security flaws
of early computers, making them vulnerable to some well-known attacks.
Researchers have demonstrated that RowHammer attacks are feasible on
multi-tenant GPUs.
"The most concerning consequence of this behavior, University of
Toronto researchers found, is the degradation of an artificial
intelligence (AI) model's accuracy from 80% to less than 1%."
Nvidia recommends enabling their error-correction code (ECC) option
to protect the integrity of computations. Doing so can reduce the
speed of computation by several per cent, and that may change the
cost of doing AI business.
Summary:
The British transport company KNPT has been in business for a very
long time, but modern technology and a small mistake led to its
demise. At least one employee computer account had a weak
password that was exploited to launch a ransomware attack.
The ransom demand was exorbitant, and the company lost all its
data. Although it had insurance against cyberattacks, it was
no longer able to operate.
The UK faces an increasing number of disruptive ransomware attacks from organized crime. The average demand is for 4 million pounds. One proposal for dealing with the crime wave would bar any company or governmental body from paying ransom.
A zero-day RCE exploit against Microsoft's SharePoint servers has dominated the security news cycle for several days. A previous patch for the problem, which was revealed at a hacking competition last May, was easily overcome by Chinese hacking groups. Some hundreds of servers have been compromised. Updated patches are available, but ransomware on vulnerable servers is still spreading.
Critical Unpatched SharePoint Zero-Day Actively Exploited, Breaches 75+ Company Servers
Summary:
Microsoft released an advisory message on July 19, 2025 about a
severe security problem with their SharePoint Server implementations:
"[D]eserialization of untrusted data in on-premises Microsoft
SharePoint Server allows an unauthorized attacker to execute code over
a network." The code hidden in the deserialized data is executed before
authentication takes place, allowing unfettered access to data. The
exploit point is the HTTP Referer header "provided to the ToolPane
endpoint."
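Because the advisory places the exploit before authentication, one defensive check is to look in the IIS request logs for anonymous POSTs to the ToolPane endpoint that carry a Referer. The script below is an added example, not code from Microsoft's advisory or from any of the articles summarised here; the endpoint path, the W3C field layout and the log lines are assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of an IIS W3C extended log (not real traffic). IIS
# writes "-" for cs-username on anonymous requests and for a missing Referer.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status cs(Referer)
2025-07-19 10:01:02 GET /_layouts/15/start.aspx - CONTOSO\\alice 200 -
2025-07-19 10:01:07 POST /_layouts/15/ToolPane.aspx - - 200 https://sp.example.test/_layouts/15/page.aspx
2025-07-19 10:01:09 POST /_layouts/15/ToolPane.aspx - CONTOSO\\bob 200 https://sp.example.test/sites/hr/edit.aspx
2025-07-19 10:02:11 GET /_layouts/15/ToolPane.aspx - - 401 -
"""

# The ToolPane page path is an assumption for this example; the Cipher
# summary only names "the ToolPane endpoint".
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def flag_toolpane(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return requests matching the pre-auth pattern: a POST to ToolPane with a
    Referer present but no authenticated user. The status code is deliberately
    not consulted, because a successful exploit request would return 200."""
    hits = []
    for r in records:
        if not TOOLPANE_RE.search(r.get("cs-uri-stem", "")):
            continue
        anonymous = r.get("cs-username", "-") == "-"
        has_referer = r.get("cs(Referer)", "-") != "-"
        if anonymous and has_referer and r.get("cs-method") == "POST":
            hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in flag_toolpane(parse_w3c(SAMPLE_LOG)):
        print(hit["date"], hit["time"], hit["cs-uri-stem"], hit["cs(Referer)"])
```

A hit is a lead for triage, not proof of compromise; the authenticated POST at 10:01:09 is ordinary page editing and is correctly left alone.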
Summary:
Researchers were investigating "unusual activity" on a SharePoint
server, when they discovered something seriously awry:
"... a malicious file had been uploaded, enabling exfiltration of
cryptographic keys. These keys can be abused to bypass authentication
and maintain persistent access to SharePoint environments, even after
standard patching. During the triage, Eye Security learned it had
stumbled upon a SharePoint 0-day used in the wild." This has impacted
hundreds of systems.
Summary:
This article has more details about how the Remote Code Execution
attack works, how to detect its activity, and which patches to
apply.
Summary:
Microsoft appears to have stumbled in its efforts to provide
patches for a SharePoint server vulnerability. "The vulnerability
opening the way for the attack was first identified in May at a Berlin
hacking competition organised by cybersecurity firm
Trend Micro (4704.T) that offered cash bounties for
finding computer bugs in popular software." Although Microsoft
provided patches on July 8, hackers reopened the wound 10 days later
and mounted active attacks. The attacks have been attributed to
Chinese hackers.
Summary:
Microsoft said that the Chinese hacking groups Linen Typhoon and
Violet Typhoon were actively exploiting unpatched SharePoint servers.
The company has tracked the groups for several years and identified
many of their targets.
The cybersecurity firm Eye Security said that its investigations
showed that about 6% of SharePoint servers worldwide had been
infected.
Summary:
Microsoft announced that a hacker group known as "Storm-2603" has used
the SharePoint vulnerability for launching ransomware attacks.