Hack Highlights: Mid-Year Review of 2024’s Top Cybersecurity Discoveries

Jaishnoor Bajwa
5 min read, Jul 18, 2024


2024, more specifically the first half of it, was a busy (half) year for the security community. While I cannot say whether it was an exception compared to years past, there is no denying that it was a happening six months. I, for one, counted at least 15 new exploits about which information was released, in addition to dozens of security incidents and tons of other interesting security-related news.

Thus, from amongst all the very many happenings, I compiled a list of…wait for it…

GIF of duck tapping a drum with its feet with the text “Drum Roll Please” at the bottom

THREE most scandalous, most sensational, most delightful new discoveries!

This article provides a brief high-level view of these select exploits and events, starting with:

#3 SnailLoad: when latency isn’t an annoyance… for attackers, that is

What is it?

This new attack exploits the victim’s network latency as a side channel tied to activities on the victim system. In other words, attackers observe the victim’s latency and build something like a fingerprint of the activity from the latency measurements. This fingerprint is then compared with known fingerprints using convolutional neural networks to decipher what the victim is doing.

Here are some resources to read to learn more:

  1. This article offers a nice overview of the attack.
  2. For those inclined to learn more, including mitigation measures, I recommend perusing the source.

What can it reveal?

In this non-PITM attack (PITM = person in the middle), a single SnailLoad trace can be used to infer what video a victim is watching at a given moment!

GIF with the text: “That’s a lot”

What makes it special?

  1. Anybody and everybody is vulnerable to it.
  2. It requires only that the victim download a file from the attacker’s server, which is not at all difficult to arrange.
  3. No person-in-the-middle is required.

To quote the researchers,

“We show that neither specific code on the victim machine nor direct observation of the possibly encrypted network traffic is required to infer browsing activity on the victim system. We show that these attacks are possible from arbitrary Internet servers, with distances of more than 8 hops to the victim, and with only minimal network activity.”

They write in their paper that the attack requires NO JavaScript, NO form of code execution on the victim system, and NO user interaction. The only requirement is a constant exchange of network packets.

Do you need to worry about it?

The attack requires computational resources and data analysis, which attackers may well be able to handle, but as for whether the average layman needs to worry, my verdict is: unlikely, save as a guinea pig.

Meme of scientist injecting fruit with a syringe. Meme caption text: “Human guinea pigs wanted. Conducting a blind study on the uninformed.”

#2 DNS KeyTrap

What is it?

KeyTrap has existed since the beginning of DNSSEC itself, and it is a flaw in DNSSEC, short for DNS Security Extensions (ironic, much?). Presseportal writes that the flaws are “rooted in the design philosophy of DNSSEC, and are not just mere software implementation bugs”.

What are its effects?

The KeyTrap vulnerability could be exploited to exhaust all computing power of a server and thus stall common DNS implementations for up to 16 hours! It could affect “widely used DNS implementations and public DNS providers, such as Google Public DNS and Cloudflare” (Presseportal). Furthermore, it would be easy for malicious actors to attack multiple servers simultaneously and cripple the basic infrastructure.

How does it work?

This single sentence from DarkReading explains it quite succinctly:

A single packet sent to a DNS server implementation using the DNSSEC extension to validate traffic could force the server into a resolution loop that causes it to consume all of its own computing power.

For a technical view (but not too much), check out this article.

Do you need to worry about it?

The vulnerability, CVE-2023-50387, is labelled high severity and is remotely exploitable. It isn’t as much a direct threat to the individual netizen as it is to the underlying infrastructure of the internet. Mitigation involves disabling DNSSEC validation (maybe don’t) or upgrading to patched releases of the affected programs.
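What the resolution loop above consists of, in concrete terms, is the validator trying every key whose key tag matches a signature against every such signature, so a response in which all keys and all signatures share one tag costs keys × signatures verifications; the patched resolvers cap how much of that work a single response may trigger. The toy model below is an added example, not code from this post, Presseportal or any DNS resolver: it uses HMAC-SHA256 as a stand-in for DNSSEC signatures, constructed sample data, and names of my own choosing.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsKey:
    key_tag: int  # 16-bit tag a validator uses to pick candidate keys
    secret: bytes

@dataclass(frozen=True)
class RRSig:
    key_tag: int  # tag of the key that supposedly produced this signature
    mac: bytes

def sign(record: bytes, key: DnsKey) -> RRSig:
    # HMAC-SHA256 stands in for a real DNSSEC signature (constructed model)
    return RRSig(key.key_tag, hmac.new(key.secret, record, hashlib.sha256).digest())

def verify(record: bytes, key: DnsKey, sig: RRSig) -> bool:
    expected = hmac.new(key.secret, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.mac)

class ValidationBudgetExceeded(Exception):
    """One response asked for more failed validations than the resolver allows."""

def validate(record, keys, sigs, max_failures=None):
    """Try every key whose tag matches each signature, as the DNSSEC RFCs require.
    Returns (valid, attempts).  With max_failures set, give up early and treat
    the response as bogus, which is the behaviour of the patched resolvers."""
    attempts = failures = 0
    for sig in sigs:
        for key in keys:
            if key.key_tag != sig.key_tag:
                continue
            attempts += 1
            if verify(record, key, sig):
                return True, attempts
            failures += 1
            if max_failures is not None and failures >= max_failures:
                raise ValidationBudgetExceeded(attempts)
    return False, attempts

def keytrap_shaped_response(n_keys=100, n_sigs=100, tag=0x2A):
    """Constructed hostile response: all keys and all signatures share one
    key tag, and no signature verifies under any key in the set."""
    record = b"example. A 192.0.2.1"  # constructed sample RRset
    keys = [DnsKey(tag, i.to_bytes(2, "big") * 16) for i in range(n_keys)]
    rogue = [DnsKey(tag, b"\xff" * 32 + bytes([i])) for i in range(n_sigs)]
    return record, keys, [sign(record, k) for k in rogue]
```

With 100 keys and 100 signatures the unbounded validator performs 10,000 verifications before rejecting the response, while a budget of 16 failures stops it after 16.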

And finally! I present…

#1 The Scandalous Sensational Happenings… of SSH

Kermit flailing

What is it?

Revealed in March 2024, this was an ongoing attack (unlike #3 and #2) intended to create backdoors in major Linux distributions including Red Hat and Debian by injecting malicious code into XZ Utils, a compression utility. Luckily, the attack was discovered (and that’s quite the story itself!) and thwarted before the backdoor could make it into production versions of major distros.

How does it work?

According to ArsTechnica,

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems.

What makes it significant?

SSH is a widely used and trusted method of connecting to remote systems in a secure manner. It provides encryption and authentication services to ensure that only those who are authorized can connect and that they can do it securely. This attack worked by interfering with the authentication process itself! Oh the horror!

Do you need to worry about it?

Since the attack was discovered in time, the backdoor did not make it onto production versions of any distros. However, it did make its way to some test versions. So, if you think you use any of those, or use the backdoored version of the XZ utility, cross-check and remove the compromised versions.

Side note #1:

How did they do it?
A complex, delicious mix of social engineering and technical skills was used. It makes for a great case study for new cybersecurity students, and you can find some of the details at ArsTechnica. (I definitely recommend a read.) Those more technically inclined should certainly take a look at how the code injection was accomplished and how it worked.

Side note #2:

The best part…? (Or one of them, depending on your interests.)
How it was found out. Look it up, it’s great material for a Hollywood plot, with suitable music and dramatization, of course.

Conclusion

These were my picks for the three most notable attack/vulnerability discoveries of the past six months.

GIF of Bugs Bunny saying “Well That’s All Folks”
