This is your easyDNS #AxisOfEasy Briefing for the week of September 9th, 2024 our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To Listen/watch this podcast edition with commentary and insight from Joey Tweets, and Len the Lengend click here.

In this issue: 

• Malaysia Blocks Global DNS Resolvers
• YubiKey Security Vulnerability Exposes Devices to Cloning Attacks
• Revival Hijack Attack on PyPI Exposes Thousands to Malware
• WhatsApp View Once Bug Exposes Privacy Flaw on Web App
• Cisco Patches Critical Backdoor in Smart Licensing Utility Amid Ongoing Security Flaws

Elsewhere Online:

• North Korean Hackers Launch New Attack on Blockchain Professionals
• Head Mare Hacktivist Group Leverages WinRAR Vulnerability to Target Russia and Belarus
• WordDrone: Malware Targets Taiwanese Drone Makers
• North Carolina Man Faces Charges for AI Music Fraud
• Sophos Exposes Chinese Cyber Attacks in Southeast Asia

Malaysia Blocks Global DNS Resolvers

In an effort to combat “harmful content” (whatever that means) – the Malaysian Communications and Multimedia Commission (MCMC) has ordered all foreign DNS resolvers (like OpenDNS or Google) to be blocked.

All ISPs within the nation have until September 30th to reroute all DNS queries to local resolvers, where the government can impose block lists to censor anything it doesn’t want to be accessible by the citizens.

Some blocks seem to be in place already, and numerous threads have popped up across social media to step people through the process of circumventing the blocks. It’s not very difficult, especially in this age of AI and LLMs that can step you through the process.

Also – in case you were wondering, this doesn’t affect DNS providers like easyDNS in the sense that we are not a resolver service, but an authorative one (resolvers ask questions, authoritative nameservers answer them).

I also made a quick whiteboard video, explaining the situation here. 

Read: https://axisofeasy.com/freespeech/malaysia-blocks-global-dns-resolvers-another-salvo-in-the-censorship-battle/

YubiKey Security Vulnerability Exposes Devices to Cloning Attacks

Researchers revealed that YubiKey 5 devices, widely used for two-factor authentication, are vulnerable to cloning due to a cryptographic flaw. On Tuesday, NinjaLab disclosed that attackers with brief physical access can exploit the device. However, they need the user’s login, password, advanced electronics knowledge, and about $11K in specialized equipment.
The flaw stems from the Infineon microcontroller used in YubiKeys and other security devices. Patching isn’t possible, leaving all YubiKey 5s running older firmware permanently vulnerable. Yubico’s advisory confirmed, “An attacker could exploit this issue… to recover affected private keys.”
The attack measures electromagnetic radiation during authentication to reveal cryptographic secrets. Even brief physical access can lead to key recovery within hours.
Devices running firmware versions prior to 5.7, released in May 2024, are affected. This flaw potentially impacts other devices using Infineon cryptographic libraries, some dating back 14 years. While the attack is highly sophisticated, its complexity limits its threat to everyday users.

Read: https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/


Revival Hijack Attack on PyPI Exposes Thousands to Malware

Researchers from JFrog uncovered a new malware threat, known as “Revival Hijack,” on the PyPI package repository. Attackers re-register malicious packages under the names of previously removed legitimate ones, allowing malware to be downloaded by unsuspecting users. This tactic, discovered this week, exploits a loophole in PyPI’s name-reuse policy.

“This method can easily infiltrate organizations’ environments,” warned JFrog. Attackers need no errors from victims, making the threat more serious than typical typosquatting.

The issue arises when developers remove a project, making the name available for anyone to claim. Attackers can upload malicious updates disguised as legitimate versions, causing automatic downloads in CI/CD systems. JFrog identified 22,000 previously removed packages vulnerable to hijacking, with nearly 200,000 downloads of their own test packages within three months.

To mitigate this, JFrog suggests PyPI should block the reuse of abandoned names. Developers must stay vigilant when upgrading packages and avoid relying on updates from previously removed projects. This attack demonstrates how easily malware can infiltrate critical systems without detection, making it a significant supply chain threat.

Read: https://www.darkreading.com/application-security/revival-hijack-on-pypi-disguises-malware-with-legitimate-file-names

WhatsApp View Once Bug Exposes Privacy Flaw on Web App

Security researcher Tal Be’ery discovered a bug in WhatsApp’s “View Once” feature, which allows users to send disappearing photos and videos. The bug, revealed on Monday, affects WhatsApp’s web app, allowing recipients to save media meant to vanish after being viewed.
Be’ery demonstrated the flaw, showing how it bypasses WhatsApp’s privacy protections. He emphasized, “The only thing worse than no privacy is a false sense of privacy.”

The feature, rolled out in 2021, works on WhatsApp’s mobile apps but not on the desktop or web version, where users can exploit the bug. Be’ery reported the issue to Meta, WhatsApp’s parent company, on August 26.

WhatsApp spokesperson Zade Alsawah confirmed updates are in progress but encouraged users to share View Once media only with trusted contacts. The flaw has also been discussed on social media, with browser extensions available to exploit it.
While WhatsApp is working on a fix, the timeline for the update remains unclear. This discovery raises concerns about the security of private media on the platform, especially for its web app users.

Read: https://techcrunch.com/2024/09/09/bug-lets-anyone-bypass-whatsapps-view-once-privacy-feature/

Cisco Patches Critical Backdoor in Smart Licensing Utility Amid Ongoing Security Flaws

Cisco has patched a critical backdoor (CVE-2024-20439) in its Smart Licensing Utility (CSLU), which allowed unauthenticated attackers to log into unpatched systems using a static, undocumented credential for administrative access. This vulnerability affected specific CSLU versions (2.0.0, 2.1.0, and 2.2.0), requiring users to migrate to a fixed release to prevent exploitation. The vulnerability only became exploitable when the CSLU application was actively running, as it isn’t designed to operate in the background.

Simultaneously, Cisco addressed another critical flaw, CVE-2024-20440, which exposed sensitive data through crafted HTTP requests, allowing attackers to access log files containing API credentials. Although these vulnerabilities pose a serious risk, Cisco’s Product Security Incident Response Team (PSIRT) has yet to find evidence of public exploits or attacks exploiting these flaws. Cisco’s security updates aim to preemptively mitigate the risk.

Read: https://www.bleepingcomputer.com/news/security/cisco-warns-of-backdoor-admin-account-in-smart-licensing-utility/

Elsewhere Online:

North Korean Hackers Launch New Attack on Blockchain Professionals
Read: https://hackread.com/lazarus-group-blockchain-fake-video-conferencing-job-scam/

Head Mare Hacktivist Group Leverages WinRAR Vulnerability to Target Russia and Belarus
Read: https://securityaffairs.com/168030/hacktivism/head-mare-hacktivist-group-winrar.html

WordDrone: Malware Targets Taiwanese Drone Makers
Read: https://www.darkreading.com/ics-ot-security/ancient-msft-word-bug-taiwanese-drone-maker-attacks

North Carolina Man Faces Charges for AI Music Fraud
Read: https://www.infosecurity-magazine.com/news/man-charged-ai-fake-music-scheme/

Sophos Exposes Chinese Cyber Attacks in Southeast Asia
Read: https://therecord.media/chinese-crimson-palace-keeps-hacking-asia