This Week in Security: Trains, Fake Homebrew, and AI Auto-Hacking
This week brought a long list of breaches and vulnerabilities that kept security teams busy.
A Train Vulnerability Affecting the Entire US Rail Network
Researcher [midwestneil] has been warning about a train vulnerability for over 12 years, but only recently did it gain attention from CISA and from the press. The issue lies in the use of outdated wireless systems, specifically the End Of Train (EOT) devices used to monitor the air brake system.
The only protection on EOT traffic is a BCH checksum. BCH is an error correction code, not an encryption or authentication scheme, so it says nothing about who sent a frame. Another researcher flagged the same issue in 2005, yet these outdated wireless systems remain in service.
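The distinction above, worked through as an added example (not code from the original column or from the researcher's work): a systematic BCH(15,7) encoder catches a flipped bit, but a receiver relying on the check alone also accepts any payload whose parity was simply recomputed, while the same frames carrying an HMAC under a shared key do not. The 7-bit command field, the demo key and the "other key" are constructed; the real EOT frame format is not modelled.

```python
import hmac
import hashlib
# Binary BCH(15,7) code with g(x) = x^8 + x^7 + x^6 + x^4 + 1. It corrects up to two
# flipped bits per 15-bit codeword; correcting transmission errors is all it does.
BCH_GEN = 0b111010001
BCH_K, PARITY_BITS = 7, 8
# Constructed shared secret for the HMAC comparison, not a value from any real system.
DEMO_KEY = b"constructed-demo-key"

def poly_mod(value: int, gen: int, gen_degree: int) -> int:
    """Remainder of value(x) divided by gen(x), polynomial arithmetic over GF(2)."""
    for bit in range(value.bit_length() - 1, gen_degree - 1, -1):
        if value >> bit & 1:
            value ^= gen << (bit - gen_degree)
    return value

def bch_encode(message: int) -> int:
    """Systematic encoding: codeword = m(x)*x^8 + (m(x)*x^8 mod g(x))."""
    if not 0 <= message < (1 << BCH_K):
        raise ValueError("message must fit in 7 bits")
    shifted = message << PARITY_BITS
    return shifted | poly_mod(shifted, BCH_GEN, PARITY_BITS)

def bch_valid(codeword: int) -> bool:
    """Zero syndrome: the bits are consistent with the code, and nothing more."""
    return poly_mod(codeword, BCH_GEN, PARITY_BITS) == 0

def hmac_tag(message: int, key: bytes = DEMO_KEY) -> bytes:
    return hmac.new(key, message.to_bytes(1, "big"), hashlib.sha256).digest()

def hmac_valid(message: int, tag: bytes, key: bytes = DEMO_KEY) -> bool:
    return hmac.compare_digest(hmac_tag(message, key), tag)

def checksum_scenario(command: int = 0b0000001) -> tuple:
    """What a receiver that trusts the BCH check alone can and cannot distinguish."""
    frame = bch_encode(command)                    # constructed 7-bit command field
    corrupted = frame ^ (1 << 3)                   # one bit flipped by radio noise
    substituted = bch_encode(command ^ 0b1111110)  # other payload, parity recomputed
    # -> (True, False, True): the noise is caught, the substituted payload is not.
    return bch_valid(frame), bch_valid(corrupted), bch_valid(substituted)

def hmac_scenario(command: int = 0b0000001) -> tuple:
    """The same three cases when each frame carries a keyed MAC instead."""
    tag = hmac_tag(command)
    other = command ^ 0b1111110
    # -> (True, False, False): a changed payload fails with the old tag, and a tag
    # computed without the shared key (here under some other key) fails as well.
    return (hmac_valid(command, tag), hmac_valid(other, tag),
            hmac_valid(other, hmac_tag(other, b"some-other-key")))
```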
The Association of American Railroads has finally acknowledged the vulnerability and is working on upgrading the systems to prevent such issues in the future.
Laravel Framework Vulnerability: A Deserialization Attack
GitGuardian and Synacktiv have discovered a vulnerability in the Laravel framework, an open-source PHP framework used by many websites. The issue lies in the APP_KEY, which Laravel uses for encryption: anyone who knows a site's key can craft encrypted payloads that the application decrypts and deserializes, leading to remote code execution.
The researchers found 10,000 leaked APP_KEYs, 1,300 of them published alongside URLs that let the keys be validated as still in use. This highlights the importance of rotating secrets and not relying on automatic rotation tools.
Fake Homebrew Install Malware: A Cautionary Tale
A macOS device was targeted by malware that mimicked a legitimate Homebrew installation process. The malware prompted for the user's password, saved it, and then installed Homebrew while also dropping a malicious loader.
This incident serves as a reminder to be cautious when running commands from the internet without knowing exactly what they do.
Fortinet Vulnerability: SQL Injections and Remote Code Execution
A vulnerability in Fortinet's FortiWeb Fabric Connector allowed attackers to execute arbitrary code through SQL injection.
The injection was reachable by an unauthenticated user, so the flaw amounted to unauthenticated remote code execution, a serious threat to system security.
AI Auto-Hacking: Claude LLM Vulnerability
A researcher, [Golan Yosef], discovered that the Claude LLM (Large Language Model) can be tricked into performing malicious actions when it processes unsolicited emails.
The injected instructions led Claude to manipulate the file system and run calc.exe; the work also highlights the potential for AI-guided fuzzing in security research.
Other Security Releases
SugarCRM fixed a LESS code injection in an unauthenticated endpoint. While not an RCE (Remote Code Execution) vulnerability, it allowed Server-Side Request Forgery and arbitrary file reads.
Cryptojacking is still happening, only more quietly, and researchers keep finding browser vulnerabilities that can be exploited for it.
Browser Security Updates
The Chrome team disclosed a sandbox escape chained with a race condition in a Windows NT read function, a combination that let cryptojacking run quietly.
Firefox was also affected, by a confusion bug in its JavaScript Math handling that let malicious code read and write memory outside of allocated arrays.