Vulnerability in AirPods allows interception

The authentication issue, tracked as CVE-2024-27867, affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro.

“When your headphones seek a connection request to one of your previously paired devices, an attacker within Bluetooth range may be able to spoof the intended source device and gain access to your headphones,” Apple said.

In other words, an adversary in physical proximity could exploit the vulnerability to eavesdrop on private conversations. Apple said the issue has been resolved with improved status management.

Jonas Dreßler is credited with discovering and reporting the bug. Apple fixed the bug as part of AirPods firmware update 6A326, 6F8 and Beats firmware update 6F8.

LockBit has announced that it has penetrated the U.S. Federal Reserve

Ransomware group LockBit has announced that it has infiltrated the systems of the United States Federal Reserve and exfiltrated 33TB of sensitive data.

“33 terabytes of juicy banking information containing Americans’ banking secrets”

The group has not released any sample of the stolen data.

Many experts are skeptical of the criminal group’s announcement. The Federal Reserve is a high-profile target and a genuine data breach would have serious consequences, so many believe the claim is merely a bid for attention.

In early June, the FBI reported that it had obtained more than 7,000 LockBit decryption keys.

Probllama: Ollama Remote Code Execution vulnerability (CVE-2024-37032)

Ollama is one of the most popular open-source projects for running AI models with over 70k stars on GitHub and hundreds of thousands of monthly downloads on Docker Hub.

Wiz Research discovered an easily exploitable Remote Code Execution vulnerability in Ollama, tracked as CVE-2024-37032 and named “Probllama”.

Research shows that, as of June 10, a large number of Ollama instances running a vulnerable version are exposed to the Internet without any authentication.

It is important to note that Ollama has no built-in authentication. It is generally recommended to deploy Ollama behind a reverse proxy that enforces authentication.
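As an added example (not from the page or from Ollama’s own documentation), one way to follow that recommendation: nginx terminates TLS and requires HTTP basic auth before anything reaches Ollama, which itself stays bound to loopback. The hostname, certificate paths and htpasswd file path are placeholders.

```nginx
# Weak deployment this replaces: OLLAMA_HOST=0.0.0.0:11434 with port 11434
# reachable from the network, so the API answers anyone without credentials.
# Hardened deployment: Ollama keeps its default OLLAMA_HOST=127.0.0.1:11434
# (loopback only) and this nginx server is the only path in from the network.
server {
    listen 443 ssl;
    server_name ollama.example.internal;                 # placeholder hostname

    ssl_certificate     /etc/nginx/tls/ollama.crt;       # placeholder paths
    ssl_certificate_key /etc/nginx/tls/ollama.key;

    location / {
        # Every request must carry valid credentials; the user file is created
        # with: htpasswd -c /etc/nginx/ollama.htpasswd <username>
        auth_basic           "Ollama";
        auth_basic_user_file /etc/nginx/ollama.htpasswd;  # placeholder path

        proxy_pass           http://127.0.0.1:11434;
        proxy_set_header     Host $host;
        proxy_http_version   1.1;
        proxy_read_timeout   300s;   # model generation can take a while
    }
}
```

After reloading nginx, an unauthenticated request to the proxy should be answered with 401, and port 11434 should not be reachable from outside the host at all.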

Ollama shipped a fix approximately 4 hours after receiving the first report of the problem, demonstrating an impressive response time and commitment to product security.

Users of Ollama are advised to update their installation to version 0.1.34 or later.

P2Pinfect targets Redis servers

Researchers at Cado Security have warned that the P2Pinfect worm is being used in attacks on Redis servers. The goal of the attack is to deploy ransomware or cryptocurrency mining software.

In July 2023, researchers from Palo Alto Networks’ Unit 42 first discovered the P2P worm P2Pinfect, which targets Redis servers running on both Linux and Windows.

In December 2023, Cado Security Labs discovered a new variant of P2Pinfect targeting routers and IoT. This variant was compiled for the MIPS architecture.

The worm is written in the Rust programming language and targets Redis instances using the CVE-2022-0543 vulnerability (CVSS score 10.0).

In September 2023, Cado Security Labs announced that it had seen a 600-fold increase in P2Pinfect traffic since August 28. At that time the researchers noted that the malware had no goal other than spreading; a later P2Pinfect update, however, introduced ransomware and cryptominer payloads.

The latest campaign started on June 23, 2024. The malware spreads using Redis’ replication features.

“P2Pinfect is a worm, so all infected computers search the Internet for other servers that might be infected with the same vector described above. P2Pinfect also includes a basic bruteforce SSH tool where it tries several common passwords on several common users, but the success rate of this infection vector appears to be much lower than Redis. After a successful attack, the worm inserts the SSH key into the authorized key file for the current user and executes a series of commands that prevent access to the Redis instance,” according to a report published by Cado.

The researchers believe that P2Pinfect can also be operated as a botnet for hire, allowing its customers to deploy additional payloads.

TeamViewer attacked by hackers

TeamViewer is warning that its corporate environment has been compromised in a cyber attack, with a cybersecurity organization attributing the intrusion to an APT hacking group.

“On Wednesday, June 26, 2024, our security team discovered an irregularity in our internal corporate IT environment. We immediately activated our response team and procedures, initiated an investigation with a team of globally recognized cybersecurity experts, and implemented the necessary corrective actions,” TeamViewer said.

The news of the breach was first posted on Mastodon by IT security expert Jeffrey, who shared parts of an alert published on the Digital Trust Center, a Dutch portal used by the government, security experts and Dutch companies to share information about cyber security threats.

On 27 June 2024, Health-ISAC received information from a trusted intelligence partner that APT29 was actively using TeamViewer. APT29 is a Russian group affiliated with the Russian Foreign Intelligence Service (SVR).

“Health-ISAC recommends checking the logs and detecting unusual traffic on the remote desktop. Threat actors have been observed to use remote access tools. Teamviewer has been observed to be used by attackers connected to APT29.”

TeamViewer states that it intends to be transparent about the breach and will continuously update the status of the investigation as more information becomes available.

Although it says it tries to be transparent, the “TeamViewer IT security update” page contains a noindex HTML tag, which prevents search engines from indexing the page.

Interested in cyber security? Check out more episodes of our weekly Security Sunday.