Infosec In Brief The recent indictment of a massive SIM-swapping ring may mean convicted crypto conman Sam Bankman-Fried is innocent of at least one allegation still hanging over his head: The theft of more than $400 million in crypto hacked from wallets belonging to his crypto firm, FTX, just before it declared bankruptcy.
As reported earlier this week, a trio of individuals, led by Chicago resident Robert Powell, were indicted [PDF] on charges of committing SIM swapping attacks on over 50 victims in 13 US states from 2021 until 2023, stealing hundreds of millions of dollars in the process.
Bloomberg, citing unnamed sources familiar with the case, said it's received confirmation that Victim Company-1 is FTX. Powell was reportedly arrested in Chicago last week and is being held without bond pending transfer to Washington, DC to face charges.
While SBF might be off the hook for this element of the FTX collapse, that won't help him walk free: he was convicted on seven charges in November 2023 and faces up to 110 years in prison when sentenced next month.
Critical vulnerabilities: Apple Vision Pro gets pre-release patch.
It's been a busy week in vulnerability land, with Apple patching security holes in its Vision Pro headset before it even hit the market.
This isn't a new vulnerability: it's the same WebKit flaw we reported last week, which affected Apple's other OSes and has already been patched there.
CVSS 9.8 - Multiple CVEs: Gessler GmbH WEB-MASTER emergency lighting management systems v7.9 are storing weak hard-coded credentials and using weak hashing algorithms, making it easy to take control of the system.
CVSS 9.8 - Multiple CVEs: Several models of Emerson Rosemount gas chromatographs running software v4.1.5 are vulnerable to command injection and are improperly authenticating users.
CVSS 9.8 - Multiple CVEs: Multiple Mitsubishi Electric FA engineering software products are missing authentication for critical functions and can have malicious libraries added through unsafe reflection.
CVSS 9.8 - CVE-2024-21917: Rockwell Automation FactoryTalk versions prior to 6.4 are improperly validating cryptographic signatures, allowing an attacker to obtain service tokens.
CVSS 9.8 - CVE-2023-3346: A wide range of Mitsubishi Electric CNC devices are vulnerable to classic buffer overflow.
CVSS 8.8 - Multiple CVEs: Several Rockwell Automation Operator Panels are vulnerable to stack-based buffer overflow and other issues that could lead to DoS and RCE.
CVSS 8.6 - CVE-2024-21916: Rockwell Automation ControlLogix and GuardLogix firmware are vulnerable to writing to memory outside of buffers, potentially crashing devices.
CVSS 8.1 - Multiple CVEs: Several models of Hitron DVRs are improperly validating input, opening them to DoS attacks.
Security researchers at Qualys have discovered several vulnerabilities in the GNU C Library - aka glibc - a fundamental part of many Linux systems.
The issues were identified in glibc's syslog and qsort functions. Exploitation requires local access, but the result could be root for an unprivileged user on Linux distributions including Debian, Fedora and Ubuntu.
The first, CVE-2023-6246, is a heap-based buffer overflow in __vsyslog_internal(), the function behind both syslog() and vsyslog(). It was inadvertently introduced in August 2022 (the change shipped in glibc 2.37) and later back-ported to 2.36.
While analyzing that vulnerability, Qualys researchers spotted two additional minor vulnerabilities, plus a memory corruption issue in qsort().
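As an added illustration (not glibc's code, and not the Qualys proof of concept), the hypothetical C model below shows the bug class involved: snprintf() reports the length the output would have had, so a routine that formats a header into a fixed scratch buffer and then trusts that value as a byte count mis-sizes everything that follows once the header is truncated. In the real bug the over-long input is the program name placed at the front of every syslog line, not the log message; the scratch size, header format and helper names here are assumptions, and the hardened builder sizes each part before allocating.

```c
/* Added illustrative model of the bug class (snprintf truncation mis-sizing),
 * NOT glibc's __vsyslog_internal() source. The scratch size, header format
 * and helper names are assumptions for demonstration only. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_SIZE 64    /* assumed small fixed scratch buffer (glibc's is larger) */
#define HDR_FMT "<13>%s: " /* assumed header: priority, program name, separator */

/* snprintf() returns the length the full output WOULD have had, not the
 * number of bytes it stored. Returns that claimed length for a header
 * built from progname. */
int header_claimed_len(const char *progname)
{
    char scratch[SCRATCH_SIZE];
    return snprintf(scratch, sizeof scratch, HDR_FMT, progname);
}

/* Returns 1 when the header did not fit in scratch: any caller that then
 * uses the claimed length as a byte count (to copy, or to offset into the
 * scratch buffer) reads or writes past the end of it. */
int header_truncated(const char *progname)
{
    int l = header_claimed_len(progname);
    return l < 0 || l >= SCRATCH_SIZE;
}

/* Same check for a synthetic program name of n 'A's; the trigger is an
 * over-long name, not a malicious message. Returns -1 on allocation failure. */
int long_name_truncated(size_t n)
{
    char *name = malloc(n + 1);
    if (!name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    int r = header_truncated(name);
    free(name);
    return r;
}

/* Hardened two-pass build: measure each part with a NULL/0 call, allocate
 * exactly what is needed, then format again with the real buffer size.
 * No fixed scratch buffer, so nothing can be truncated and mis-measured.
 * Caller frees the result. */
char *vbuild_syslog_line(const char *progname, const char *fmt, va_list ap)
{
    va_list ap2;
    va_copy(ap2, ap);
    int hl = snprintf(NULL, 0, HDR_FMT, progname);
    int ml = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (hl < 0 || ml < 0)
        return NULL;
    size_t total = (size_t)hl + (size_t)ml + 1;
    char *buf = malloc(total);
    if (!buf)
        return NULL;
    snprintf(buf, total, HDR_FMT, progname);          /* fits by construction */
    vsnprintf(buf + hl, total - (size_t)hl, fmt, ap); /* uses caller's ap once */
    return buf;
}

char *build_syslog_line(const char *progname, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *line = vbuild_syslog_line(progname, fmt, ap);
    va_end(ap);
    return line;
}

/* Builds a line, compares it with expected, frees it. Returns 1 on match. */
int line_matches(const char *expected, const char *progname, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *line = vbuild_syslog_line(progname, fmt, ap);
    va_end(ap);
    int ok = line != NULL && strcmp(line, expected) == 0;
    free(line);
    return ok;
}

int main(void)
{
    printf("4-byte name truncated?   %d\n", long_name_truncated(4));
    printf("300-byte name truncated? %d\n", long_name_truncated(300));
    char *line = build_syslog_line("sshd", "user %s from %d", "bob", 7);
    if (line) {
        printf("%s\n", line);
        free(line);
    }
    return 0;
}
```

The boundary matters: with a 64-byte scratch buffer, a 57-character name still fits (63 characters plus the terminator) while a 58-character name is the first one that is silently truncated, which is exactly the kind of off-by-a-few case a fixed internal buffer hides until someone supplies an argv[0] far longer than any real program name.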
The Wisconsin teenager behind the theft of $600,000 from users of sports betting website DraftKings has been sentenced to 18 months in prison.
The US Attorney's Office for the Southern District of New York announced two additional indictments and arrests in the DraftKings case earlier this week.
This Cyber News was published on go.theregister.com. Publication date: Mon, 05 Feb 2024 01:43:04 +0000