TWIS
A long week of breaches - Jan 7th - 13th, 2023, F5 SIRT - This Week in Security
A dive into the week's news including analysis on the CircleCI breach, Royal Mail's ransomware attack by LockBit, Vice Society activity and analysis of new malware based on the CIA HIVE kit, xdr33.

Top exploited vulnerabilities of 2022 and more - This Week in Security - Dec 26th to Dec 30th
Happy New Year! As we start the year, it's a good time to reflect on the state of cybersecurity. Looking back at the past year, it's clear that cyber threats continue to evolve and pose a significant risk to businesses and individuals alike. CISA's list of the top exploited vulnerabilities of 2022 has a total of 8 vulnerabilities, including the notorious Log4J (CVE-2021-44228). F5's own CVE-2022-1388 made the list at number 5. This is a good reminder that if you have a system impacted by CVE-2022-1388, please remediate this vulnerability as described in https://support.f5.com/csp/article/K23605346.

Top Exploited Vulnerabilities of 2022

| Vulnerability | Description | Affected Systems | Exploited By |
| --- | --- | --- | --- |
| Follina (CVE-2022-30190) | Zero-click remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (ms-msdt) | Microsoft Windows | Chinese APT groups (TA413), APT28 (Russia) |
| Microsoft Office Bug (CVE-2017-11882) | Memory corruption glitch in Microsoft Office's Equation Editor enabling remote code execution on vulnerable devices | Microsoft Office | Chinese, North Korean, and Russian hackers |
| Log4Shell (CVE-2021-44228) | Zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution | Java applications | Chinese and Iranian state threat actors, APT10 and DEV-0270 |
| ProxyNotShell (CVE-2022-41082) | Vulnerability in Microsoft Exchange Server 2013, 2016, and 2019 allowing attackers to escalate privileges to run PowerShell and gain arbitrary or remote code execution on compromised servers | Microsoft Exchange Server | Ransomware groups |
| F5 BIG-IP (CVE-2022-1388) | Unauthenticated attacker with network access can execute arbitrary system commands, create or delete files, or disable services | F5 BIG-IP systems | Multiple state sponsored APTs |
| Chrome zero-day (CVE-2022-0609) | Use-after-free vulnerability allowing a remote attacker to potentially exploit heap corruption via a crafted HTML page | Google | |
| Spring4Shell (CVE-2022-1388) | Critical vulnerability in Spring Framework | Spring Framework | Unknown threat actor |
| Atlassian Confluence (CVE-2022-26134) | OGNL injection that allows unauthenticated attackers to execute arbitrary code | Atlassian Confluence | 8220 gang |

https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF

Breaking RSA with a Quantum Computer

Some Chinese researchers have published a paper claiming that they have found a way to break 2048-bit RSA encryption. This is potentially a significant development because RSA encryption is widely used for secure communication. The researchers used a combination of classical lattice reduction techniques and a quantum approximate optimization algorithm, which allowed them to factor numbers using a relatively small quantum computer with only 10 qubits. While the research has not yet been tested on a larger scale, it raises concerns about the security of RSA encryption. The Chinese government has not classified the research, which is notable because it suggests that the government does not view the research as posing a threat to national security.

https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
https://arxiv.org/pdf/2212.12372.pdf

Vulnerabilities affecting hundreds of millions of vehicles

Several car brands have fixed vulnerabilities that could have allowed hackers to remotely control various functions of certain cars made after 2012. A security researcher at Yuga Labs discovered the vulnerabilities while researching the mobile apps for several car brands that allow customers to remotely start, stop, lock, and unlock their vehicles. The researcher and other researchers initially studied Hyundai and Genesis cars and found that the verification process for gaining access to a vehicle relied on registered email addresses, which they were able to bypass to gain full control.
Top 5:

| Company | Details | Impact |
| --- | --- | --- |
| AT&T | Full compromise of an undisclosed system used by AT&T which would've allowed an attacker to send and receive text messages, retrieve live geolocation, and disable hundreds of millions of SIM cards which were installed in the following vehicles: Tesla, Subaru, Toyota, Lexus, Ford, Fiat Chrysler Automobiles, Land Rover, Mazda, Volvo, Honda, BMW, Cruise | Affected hundreds of millions of SIM cards managed by tens of thousands of companies. The impact of this vulnerability went far beyond the scope of car hacking and affected nearly every industry (nearly anything which uses a SIM card) |
| Spireon | Multiple vulnerabilities, including: full administrator access to a company-wide administration panel with the ability to send arbitrary commands to an estimated 15.5 million vehicles (unlock, start engine, disable starter, etc.), read any device location, and flash/update device firmware; remote code execution on core systems for managing user accounts, devices, and fleets; ability to access and manage all data across all of Spireon; ability to fully take over any fleet (this would've allowed tracking & shutting off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatching commands to those vehicles, e.g. "navigate to this location"); full administrative access to all Spireon products, including GoldStar, LoJack, FleetLocate, NSpire, and Trailer & Asset. In total, there were 15.5 million devices (mostly vehicles) and 1.2 million user accounts (end user accounts, fleet managers, etc.) | Affected 15.5 million devices, mostly vehicles, and 1.2 million user accounts. The impact of this vulnerability went beyond just vehicles and also affected products and user accounts. |
| Mercedes-Benz | Access to hundreds of mission-critical internal applications via improperly configured SSO, including multiple GitHub instances, internal chat tool, SonarQube, Jenkins, internal cloud deployment services, and internal vehicle-related APIs. Remote code execution on multiple systems. Memory leaks leading to employee/customer PII disclosure and account access. | Impacted internal systems and applications, potentially leading to the disclosure of employee and customer personal information and access to various internal accounts. |
| BMW, Rolls Royce | Company-wide core SSO vulnerabilities which allowed access to any employee application as any employee, including access to internal dealer portals and applications used by remote workers and dealerships. | Impacted internal systems and applications, potentially leading to access to various internal accounts and dealer information. |
| Ferrari | Full zero-interaction account takeover for any Ferrari customer account | Impacted internal systems and applications, potentially leading to access to various internal accounts and dealer information. |

You can read the complete list on the blog post by Sam Curry, which has great in-depth coverage of each category of vulnerability.

https://samcurry.net/web-hackers-vs-the-auto-industry/
https://twitter.com/samwcyo/status/1610216145142878212

High cost of call center scams

Romance-related scams carried out by Indian phishing gangs have caused losses of more than $3 billion to US citizens in the last two years alone. Total money lost in all internet/call centre-related frauds in the last 11 months has been estimated at $10.2 billion, an increase of 47% against last year's $6.9 billion. Most of the victims of these frauds are elderly people above the age of 60 years.
The FBI has deputed a permanent representative at the US embassy in New Delhi to work with the CBI, Interpol, and Delhi Police to bust these gangs and freeze money transferred through wire and cryptocurrencies to syndicates operating from India. The FBI is ready to supplement the investigative gaps by providing evidence to local law enforcement agencies in prosecuting the criminals involved. The scams affecting Americans are also impacting the elderly population in India. The authorities in India have been slow to react to these issues, possibly because the police do not fully understand the impact of these scams or because they are corrupt and involved in the mafia that runs them. This issue is depicted in the Netflix series "Jamtara," which shows how these scams are connected to the political system and driven by the desire for money and anti-American sentiment.

https://timesofindia.indiatimes.com/india/illegal-desi-call-centres-behind-10-billion-loss-to-americans-in-2022/articleshow/96501320.cms
https://en.wikipedia.org/wiki/Jamtara_%E2%80%93_Sabka_Number_Ayega

Private code repositories of Slack stolen from GitHub

Slack suffered a security incident over the holidays affecting some of its private GitHub code repositories. According to the details published on their blog:

"On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack's primary codebase."

Source code is stolen to explore vulnerabilities and develop zero-day exploits. From a security perspective, this is simply about the cost to penetrate security versus the benefit to the attacker.
Access to private code is where the benefit to the attacker goes up faster than the company can afford to cover, and the company must cover all the attack surfaces.

https://slack.com/blog/news/slack-security-update

Microsoft's Strike on Cybercriminals and SFX backdoor - April 1st-April 7th - This Week in Security
Hello Everyone, this week your editor is Dharminder. I am back again with another edition of This Week in Security. This week I have looked at a study on how fast an AI-powered tool can crack passwords, hackers using SFX archives for a stealthy backdoor, and Microsoft's strike on cybercriminals.

We in F5 SIRT invest a lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT. OK, so let's get started with the details of this week's security news.

A study on AI's ability to crack passwords

We have all been hearing a lot about AI and its capability to do various things. The latest addition to that list is cracking passwords. A recent study published by Home Security Heroes shows that the password cracking tool PassGAN can crack 51% of all common passwords in less than one minute, 65% in less than an hour, 71% in less than a day, and 81% in less than a month. The reason behind such speed is that, instead of having to run manual password analysis on leaked password databases, PassGAN is able to "autonomously learn the distribution of real passwords from actual password leaks." Here are the stats produced by Home Security Heroes on how much time it takes to crack a password using AI. The result is really alarming. In my opinion, the time has come for all applications to enforce a password policy that requires passwords to:

- Use at least 15 characters.
- Have at least two letters (upper and lower-case), numbers, and symbols in the password.
- Avoid obvious password patterns, even if they have all the required character lengths and types.
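As an added example (not code from the original post or from Home Security Heroes), here is a Python checker that enforces the three rules above. It assumes "at least two" applies to each character class separately, and the list of obvious fragments and keyboard rows is a constructed, deliberately short stand-in for a breached-password corpus.

```python
import re
import string
from typing import Dict, List, Optional

MIN_LENGTH = 15       # "Use at least 15 characters"
MIN_PER_CLASS = 2     # assumption: "at least two" of each character class
# Constructed, deliberately short list of obvious fragments; a real deployment
# would check against a breached-password corpus instead.
COMMON_FRAGMENTS = ("password", "qwerty", "letmein", "welcome", "admin")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def class_counts(pw: str) -> Dict[str, int]:
    """Count characters in each required class."""
    return {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "symbol": sum(c in string.punctuation for c in pw),
    }


def obvious_pattern(pw: str) -> Optional[str]:
    """Return a description of the first obvious pattern found, else None."""
    low = pw.lower()
    for frag in COMMON_FRAGMENTS:
        if frag in low:
            return f"contains common word '{frag}'"
    if re.search(r"(.)\1\1", pw):
        return "same character repeated three or more times"
    # Ascending or descending runs of four letters or digits (abcd, 4321).
    for i in range(len(low) - 3):
        seg = low[i:i + 4]
        steps = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if steps in ({1}, {-1}) and (seg.isalpha() or seg.isdigit()):
            return f"sequential run '{seg}'"
    # Four-key walks along a keyboard row in either direction (asdf, poiu).
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            walk = row[i:i + 4]
            if walk in low or walk[::-1] in low:
                return f"keyboard walk '{walk}'"
    return None


def check_password(pw: str) -> List[str]:
    """Return every policy violation; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters (has {len(pw)})")
    for name, n in class_counts(pw).items():
        if n < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name} characters (has {n})")
    reason = obvious_pattern(pw)
    if reason:
        problems.append(reason)
    return problems


if __name__ == "__main__":
    # Constructed candidates: a weak one, a "complex" one that is still obvious,
    # and one that satisfies the policy.
    for candidate in ("Qwerty123!", "abcd1234ABCD!!!!", "Kx7#mQ2$pLw9!rTb"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "abcd1234ABCD!!!!" satisfies the length and character-class rules yet still fails, which is exactly why the third rule exists.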
Users should also follow best practices such as:

- Use 2FA/MFA.
- Avoid re-using passwords across accounts.
- Use auto-generated passwords when possible.
- Change passwords regularly, especially for sensitive accounts.

https://www.homesecurityheroes.com/ai-password-cracking/
https://leedaily.com/2023/04/10/ai-at-cracking-passwords/

Stealthy backdoor using Self-Extracting archives (SFX)

CrowdStrike has recently observed that hackers are using SFX archives to install a backdoor on the target system. Before we look at the exploit, let's understand SFX files. SFX or self-extracting archives are executable files which extract the content stored inside them. They do not require any utility to extract the package on the target system, which makes the distribution of archives easy. SFX files can be password-protected to prevent unauthorized access, which is a common practice to protect important files. Along the same lines, hackers are also using password-protected SFX files in their attacks. During its investigation and research, CrowdStrike observed that, to lay the foundation, the attacker had abused utilman.exe functionality using stolen credentials to launch a password-protected SFX file which had been planted before utilman.exe was abused. Since the utilman utility executes before user login, abusing this functionality helped the attacker bypass system authentication. Interestingly, the password-protected SFX file executed by utilman in this attack contained only an empty text file; the real motive was hidden in the functionality of the WinRAR setup options. There is a functionality called setup options in WinRAR where you can define what commands you would like to run before or after the extraction. The attacker used this functionality to run powershell.exe, cmd.exe and taskmgr.exe.
Because the SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, the Windows command prompt and Task Manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided. As per CrowdStrike, this type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside an archive (which is often also password-protected) rather than at the behavior of the SFX archive decompressor stub. So far we have understood how the exploit works, but it is equally important to understand the options to combat such an exploit. Here are some of the tips provided by CrowdStrike:

- Examine SFX archives through unarchiving software or other tools to view any potential scripts or executables that are set to extract and run upon execution.
- Look beyond what is contained within an SFX archive, and examine the functionality provided by the SFX archive decompressor stub itself to identify any commands that will be run either during, before or after successful extraction.
- Develop a process to validate if a password-protected SFX archive contains malicious or suspicious content.
- Thoroughly examine any SFX archive that contains only a null-byte file for any added functionality.
- Wherever possible, use installed unarchiving software to extract or view an SFX archive rather than running the SFX archive itself. Because the archive exists as an overlay, it can also be carved out from the executable using a hex editor if required.

https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-powershell-without-being-detected/

Microsoft's legal strike on cybercriminals abusing security tools

These days one of the most common types of attack is ransomware.
Cobalt Strike is one of the tools commonly used by attackers, after obtaining initial access to a target environment, to escalate privileges, move laterally across the network, and carry out other related malicious activities. Cobalt Strike is a legitimate and popular post-exploitation tool used for adversary simulation, provided by Fortra. Attackers use cracked versions of Cobalt Strike to launch destructive attacks. As per Microsoft, the ransomware families associated with or deployed by cracked copies of Cobalt Strike have been linked to more than 68 ransomware attacks impacting healthcare organizations in more than 19 countries around the world. These attacks have cost hospital systems millions of dollars in recovery and repair costs, plus interruptions to critical patient care services including delayed diagnostic, imaging and laboratory results, canceled medical procedures and delays in delivery of chemotherapy treatments, just to name a few. The government of Costa Rica and the Irish Health Service Executive are a few known examples.

To counter such attacks, Microsoft's Digital Crimes Unit (DCU), Fortra and the Health Information Sharing and Analysis Center have come together. This time, instead of targeting the command and control channel, they are taking technical and legal action to remove cracked, legacy copies of Cobalt Strike and abused Microsoft software which are being used to distribute malware. Fortra has vetted legitimate security practitioners and is also helping its customers determine whether their licenses have been compromised. Apart from that, Fortra has adapted the security controls in the Cobalt Strike software to eliminate the methods used by the hackers to crack older versions of Cobalt Strike. In my opinion this is a very good initiative, and I hope that more and more companies will take such initiatives to make environments safe and secure.
https://blogs.microsoft.com/on-the-issues/2023/04/06/stopping-cybercriminals-from-abusing-security-tools/
https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html

Lastpass Breach, SBOM, & Cryptocurrency Bounties - This Week in Security - August 22nd to 28th 2022
This Week in Security August 22nd to August 28th 2022

Jordan here as your editor this week. This week I reviewed the LastPass breach, supply chain security efforts led by the US government, and cryptocurrency bounties.

Keeping up to date with new technologies, techniques and information is an important part of our role in the F5 SIRT. The problem with security news is that it's an absolute fire-hose of information, so each week or so we try to distill the things we found interesting and pass them on to you in a curated form. It's also important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

LastPass Breach

Last week, the popular password management company LastPass experienced a data breach. According to the company's blog post, compromised developer credentials were used by an attacker to infiltrate their development environment. At this time we know the attacker was able to obtain source code and "some proprietary LastPass technical information" before the attacker was isolated from moving further. This is an ongoing investigation, so I want to caveat that additional details may come out later which expand the scope of the breach. While quickly identifying and mitigating an active attack is extremely important, the benefit of designing a product architecture with security in mind from the beginning is what I think deserves a highlight here. A key component of the LastPass product architecture is that they make use of zero knowledge encryption (they call it "zero knowledge security").
Now, the term "zero knowledge security" may sound strange to the uninitiated; it might even make you think they have zero knowledge of security, but this is not the case. Zero knowledge means LastPass doesn't have the master encryption keys (in the form of a password) the customer uses to encrypt their data. LastPass only stores encrypted secrets and cannot decrypt them; only the end user can do that. LastPass has zero knowledge of the encryption key used. Since there is no centralized key to protect the data, any breach of the system should only turn up encrypted data. Encrypted data is less valuable to an attacker, especially since brute force decryption of AES-256 is on the trillions-of-years time scale and is not feasible given modern computing constraints. The key takeaway for LastPass customers is that currently there is no action required on your part and your data can be considered safe. The key takeaway for system designers should be that implementing a secure zero knowledge / zero trust architecture from the beginning can minimize the impact of a security incident.

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/
https://www.lastpass.com/security/zero-knowledge-security
https://scrambox.com/article/brute-force-aes/

Software Supply Chain Risk Management

Supply chain risk management is a topic that is slowly but surely gaining more traction across many industries. In support of this, the US Cybersecurity and Infrastructure Security Agency (CISA) has kicked off various working groups to help shape the future of the Software Bill of Materials (SBOM). It's important to note that the working groups are not scoped to recommend or influence US government policy; instead the charter is to facilitate vendor neutral problem solving and collaboration in specific domains such as Cloud & Online Applications, On-Ramps & Adoption, Sharing & Exchanging, and Tooling & Implementation.
While the groups are just starting on scoping some of the core problems to solve, I have found the community discussions to be insightful and am excited to see the output from these groups. During a recent meeting, I learned about a few promising technologies for sharing SBOMs such as the CycloneDX BOM Exchange API and Digital Bill of Materials projects. I was also exposed to an interesting project named GUAC which aims to "create a means to ingest, validate and parse artifact information (i.e. in-toto attestations, SBOM, etc.) from various data sources and represent and store them in a knowledge graph". The complexity of managing multiple SBOMs for a modern enterprise is fundamentally a data management problem and I believe graph databases are an excellent technology choice for the use case. If you are interested in joining the working groups or the aforementioned projects, please visit the links below.

https://www.cisa.gov/sbom
https://github.com/CycloneDX/cyclonedx-bom-exchange-api
https://dbom-project.readthedocs.io/en/latest/what-dbom.html
https://github.com/guacsec/guac

Cryptocurrency Bug Bounties

Ahead of a major event for the Ethereum blockchain commonly referred to as "The Merge", the Ethereum Foundation has raised the bug bounty payouts for critical vulnerabilities to $1 million. This temporary 4x multiplier of their current bug bounty provides a great incentive for ethical hackers to work at discovering security issues. Performing pre-release penetration testing is a great way to discover vulnerabilities before deployment and a sign of a mature security program. As the Ethereum blockchain migrates over from a proof-of-work to a proof-of-stake consensus mechanism, the stakes are high for getting it right and security is one of the top concerns. Perhaps surprisingly, this is not the largest bug bounty payout for vulnerabilities found in the cryptocurrency ecosystem.
The largest recent payout goes to a vulnerability found in a "bridge", which facilitates transactions across divergent chains. If successfully exploited, the vulnerability would have allowed attackers to hold "the entire protocol ransom with the threat that the Ethereum Wormhole bridge would be bricked, and all the funds residing in that contract lost forever". Along with the ethical hackers finding bugs in the cryptocurrency ecosystem, cyber criminals are increasing the frequency of their attacks as well. The US Federal Bureau of Investigation (FBI) recently issued a public service announcement, warning that criminals are increasing their exploitation of Decentralized Finance platforms, citing "between January and March 2022, cyber criminals stole $1.3 billion in cryptocurrencies". Even with the recent downturn in value of cryptocurrencies, criminals will continue to abuse the ecosystem to seek their fortune, often attacking the trading platforms and smart contracts, as they represent the most likely part of the stack to have a vulnerability which can be exploited.

https://ethereum.org/en/bug-bounty/
https://portswigger.net/daily-swig/ethereum-foundation-offers-1m-bug-bounty-payouts-with-proof-of-stake-migration-multiplier
https://portswigger.net/daily-swig/blockchain-bridge-wormhole-pays-record-10m-bug-bounty-reward
https://www.ic3.gov/Media/Y2022/PSA220829

Defcon 30 - Mobile Hacking CTF

A quick congratulations to F5 employee Purvesh Kothari for winning the Girls Hack Village Mobile Hacking CTF at Defcon 30. Congratulations Purvesh!

https://www.linkedin.com/posts/nowsecure_the-results-are-in-the-winner-for-the-activity-6968590642742448129-Dp4E/

iOS and Chrome, Supply Chain and new Phishing attacks - This Week in Security - Aug 29 to Sept 4th
This Week in Security August 29th to September 4th

"iOS and Chrome again, Supply Chain again and Phishing with telescopes"

Aaron back with you as editor this week and as always there is plenty to cover. Security news can be incredibly difficult to keep on top of, so I'm going to pick a few highlights from the last week or so (officially, this issue covers the week of August 29th to September 4th, but you know I often stray!).

First, a brief snippet about a story from this week rather than last: The Los Angeles Unified School District suffered a ransomware attack (https://www.latimes.com/california/story/2022-09-05/lausd-cyberattack-takes-down-la-unified-operations-schools-will-open-on-tuesday) over the weekend and I'm highlighting it here for two reasons: firstly, based on the news reports the response was swift and extremely effective, restoring full service within a couple of days and severely limiting the impact of the outage itself, and secondly so that I can remind you that keeping up with news like this is important to the F5 SIRT, not only so that we can pass the news on to you, but also because it's important for us to keep up to date with the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

Housekeeping out of the way, let's move on to the more interesting news!

iOS and Google Chrome updates

In the last issue I wrote, I talked about some Apple 0day vulnerabilities for which urgent patches were released and I urged everyone to update to iOS 15.6.1 (and macOS 12.5.1), noting that earlier versions of macOS, at least, did not appear to be affected.
Well, Apple has now released patches[1] for one of those two vulnerabilities for earlier iOS versions to support older devices. If you have a device stuck on iOS 12, you should update to iOS 12.5.6 as soon as possible (covering iPhone 5s, 6, 6 Plus, iPad Air, iPad mini 2, 3 and 6th gen iPod touches).

I also urged Chrome (and Chromium based browser) users to upgrade to address a Critical vulnerability and, this week, I am going to tell you again to upgrade Chrome. This time, to avoid a known-to-be-exploited vulnerability affecting Mojo[2], a component used within Chrome to provide cross-platform inter-process communication mechanisms. Ensure you update to Chrome 105.0.5195.102 or later, as soon as possible - which should be as simple as restarting your browser in the case of Chrome itself. Handy, because you'll need to upgrade again soon to address a clipboard bug[3].

Like the Apple vulnerability above, these are both issues which can be exploited simply by tricking a user into visiting a maliciously crafted webpage. I've seen a few folks asking if WAFs like Advanced WAF could protect against this and, at least in my opinion, that's really asking the wrong question. If you look at the problem that way around, what you are actually asking is: "Can my WAF stop an attacker from injecting the required malicious code into my webserver?" and the answer there is quite likely "Yes, using just the configuration you already have in place". The exception to that would be websites that need to accept arbitrary user input (forums, guest books (remember those?), blog comments etc.) and in that case the chances are any WAF configuration sufficient to block the malicious code is going to block legitimate user input as well. If you are trying to look after random visitors then I applaud you, but you are better off spending your time on education (help your visitors keep their browser up to date) because your site is just one of many they will visit today.
Meanwhile, if you are looking after a corporate network, invest your time in client side detection and mitigation - mandate browser updates, have strong endpoint inspection tools and robust anomaly reporting.

https://support.apple.com/en-us/HT213428
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
https://thehackernews.com/2022/09/google-chrome-bug-lets-sites-silently.html

Hard coding credentials is a bad thing in your supply chain

This shouldn't really need saying, but hard coding credentials into an application is a bad idea - especially when that application is going to be distributed to uncontrolled endpoints like mobile handsets. Symantec's researchers[1] recently conducted a survey of mobile applications and found over 1,800 applications that contained hard coded AWS credentials; 98% of those being iOS apps and just 2% being Android! Many of those credentials could be used to directly access private cloud services, including databases that should otherwise be secure, and could allow the exposure of user account details, logs, internal communications and so on depending on the app. In three instances the hard-coded credentials actually existed within SDKs being used by multiple applications and exposed access to private customer data, potentially banking information and, in one particularly egregious example, an SDK which provided full admin access to the back-end infrastructure behind numerous sports betting platforms! Considering that SDKs are often consumed by application developers, tasked with writing full featured applications extremely quickly, they are often used without in depth security audits and, indeed, may be partially closed-source or black-box in nature making audits particularly difficult.
This is yet another example of the difficulty of securing the supply chain in modern software, as we have seen in earlier issues of TWIS with the typo-squatting Python and GitHub packages, or more recently where Python package maintainers fell victim to phishing campaigns to take control of legitimate packages[2]. The NSA, CISA and the ODNI have released a joint advisory detailing how they suggest developers secure the software supply chain[3] titled "Securing the Software Supply Chain, Recommended Practices Guide for Developers". Chapter 2.3 deals directly with the verification of third party components including a section on Software Bill of Materials with other chapters on developing secure code, hardening the build environment and delivering code securely to end users. Personally I think that, as an industry, we have come a long way in terms of building security mindset in development teams such that they can develop more secure code from the ground up (Chapter 2.2) and modern language development (e.g. Rust) further tries to address that by providing memory safe languages to develop in. I also think that hardened environments are pretty well understood at this point as is secure software delivery, leaving third party components as our biggest challenge right now. Clearly it has a lot of focus, because we see issues like the ones I've discussed here disclosed with increasing regularity; indeed, Python seems to be a particular focus right now with Checkmarx[4] also noting that a third of Python packages execute code automatically when they are downloaded and installed via pip; when performed by a trusted package this is a useful feature allowing for dependencies to be automatically satisfied, but clearly could be easily mis-used to install malware or exfiltrate sensitive information from a target system. 
I think we are barely scratching the surface at this point, given the number of different package management systems across the numerous development environments and languages in use today, but it's great that we are at least starting, with these efforts being encouraged both by US Government mandates and by private enterprise like Google, who recently introduced a new bug bounty programme specifically aimed at improving supply chain security[5].

[1] https://www.bleepingcomputer.com/news/security/over-1-000-ios-apps-found-exposing-hardcoded-aws-credentials/
[2] https://twitter.com/pypi/status/1562442188285308929
[3] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/
[4] https://thehackernews.com/2022/09/warning-pypi-feature-executes-code.html
[5] https://thehackernews.com/2022/08/google-launches-new-open-source-bug.html

The latest phishing lure? Images of space!

Phishing is an ever-present threat and one that is probably best countered by user education and vigilance (of course email filtering helps, but the best crafted phish will always slip through). Often the lures are attachments purporting to be something relating to the target's job function - perhaps a fake PDF invoice asking for domain credentials to view, or an Office document "sent" by a colleague with embedded macros - or something that a reader just couldn't resist clicking on (like an attachment named "LOVE-LETTER-FOR-YOU"). Apparently, the latter category also includes "pictures of space taken with a shiny new telescope"[1].
Actually, flippancy aside, the full attack chain goes something like this:

1. Phishing email with an attached Microsoft Office file (Word document, Excel sheet, etc.)
2. The Office document contains a malicious external entity reference (basically Follina, which we've written about before)
3. The malicious entity is downloaded and executed, which in turn downloads a second-stage JPG file
4. The JPG, which is an entirely valid JPG and will display as an image from the Webb telescope if you open it, is passed to certutil.exe and decodes to a binary executable

That last step should probably make you stop and go "say, what?". The image actually has a "certificate" included within it, which is ignored for the purposes of displaying it as a picture. Certutil, however, will do its best to decode this certificate, which is actually a base64-encoded executable, and then write it out to disk. The resulting executable is malware written in Golang which will, upon execution, begin communicating with a C2 server via DNS TXT requests to an attacker-controlled DNS server, to both send and receive data. Golang has been steadily rising in popularity among malware authors over the last couple of years (most recently this, Agenda[2] and BianLian[3]) because it enables easy cross-platform development and simultaneously makes reverse engineering considerably more time-consuming and difficult for researchers. Despite that difficulty, however, Securonix[4] have a full write-up on their blog which I recommend reading if you'd like more details, including indicators of compromise and detection rules; if you haven't the time to read through everything then I recommend at least skipping to the IoC section and onward.
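To illustrate the certutil step, here is an added detection example (not from the Securonix write-up): it applies certutil's own rule, base64-decoding whatever sits between BEGIN/END CERTIFICATE markers, to a file that claims to be a JPEG, and reports whether the result looks like a Windows executable rather than a DER certificate. The sample image bytes are constructed and carry a fake MZ header, not real malware; that certutil -decode honours the PEM markers this way is an assumption from its documented behaviour.

```python
"""Flag image files that carry a certutil-decodable base64 blob.

Added example, not Securonix's code. certutil -decode strips the PEM-style
"-----BEGIN CERTIFICATE-----" / "-----END CERTIFICATE-----" lines and base64
decodes what lies between them, so a scanner can do the same to files that
claim to be images and check what the decoded bytes actually are.
"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker prefix


def scan_image(data: bytes) -> dict:
    """Report PEM blocks inside the image and what the first one decodes to."""
    result = {"is_jpeg": data.startswith(JPEG_SOI), "pem_blocks": 0, "verdict": "clean"}
    for match in PEM_BLOCK.finditer(data):
        result["pem_blocks"] += 1
        try:
            decoded = base64.b64decode(re.sub(rb"\s+", b"", match.group(1)), validate=True)
        except (binascii.Error, ValueError):
            continue                                # not valid base64: certutil fails too
        if decoded.startswith(b"MZ"):               # DOS/PE header: an executable, not a cert
            result["verdict"] = "embedded_pe"
            result["decoded_size"] = len(decoded)
            break
        if decoded.startswith(b"\x30"):             # DER SEQUENCE: a plausible X.509 cert
            result["verdict"] = "embedded_der"
    return result


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed sample: JPEG markers wrapping a PEM-framed base64 payload.
    Not a viewable picture; it only mimics the byte layout being scanned."""
    pem = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(payload)
           + b"-----END CERTIFICATE-----\n")
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + pem + b"\xff\xd9"


# Constructed stand-ins: a fake PE header (no code) and a fake DER prefix.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256

if __name__ == "__main__":
    print(scan_image(build_sample_jpeg(FAKE_PE)))
    print(scan_image(build_sample_jpeg(FAKE_DER)))
```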
At a minimum, consider blocking DNS lookups for, and access to:

xmlschemeformat[.]com
updatesagent[.]com
apiregis[.]com
185[.]247.209.255
139[.]28.36.222

[1] https://www.darkreading.com/vulnerabilities-threats/james-webb-telescope-images-loaded-with-malware-are-evading-edr
[2] https://thehackernews.com/2022/08/new-golang-based-agenda-ransomware-can.html
[3] https://thehackernews.com/2022/09/researchers-detail-emerging-cross.html
[4] https://www.securonix.com/blog/golang-attack-campaign-gowebbfuscator-leverages-office-macros-and-james-webb-images-to-infect-systems/

F5 SIRT This Week In Security - Jan 21st-27th - LNKs & XLLs for malware, CVE-2022-34689, FBI on APT28
F5 SIRT This Week In Security, Jan 21st - 27th, 2023: LNKs & XLLs for malware, CVE-2022-34689, FBI on APT28

Introduction

Hello! Arvin is your editor for F5 SIRT's This Week In Security (TWIS) covering 21-27 January 2023, my first for this year.

First on the list, Windows LNK files - the common Windows shortcut - have become the alternative to the Office macros previously used by threat actors to deliver malware to a victim device. As observed in past threat actor and malware campaigns, the initial delivery of first-stage malware is usually through email phishing and the spreading of malicious links that download a malicious file. In recent years, Office documents with macros enabled would, when opened, execute code that downloads malware. As Microsoft now disables macros by default, threat actors need an alternative way of delivering the initial commands to download malware, and they found it in Windows LNK files. Windows LNK files are deceptive and easy to trust, as one might think they are relatively harmless; however, research by the security community brings to light how these LNK files can have a more sinister use. Another MS Office-based file which threat actors have used as an alternative to Office macros, the XLL (an MS Excel add-in), is a file type we should be aware of. Similar to Windows LNK files, this file type can be easily ignored but may also contain potentially malicious code. In general, and as mentioned a few times in previous TWIS editions, take care when opening URL links and files from emails. A healthy level of awareness goes a long way when dealing with the amount of information we receive every day; phishing emails may be among it, and recognising one would help cut off the malware's initial delivery.

Akamai released their analysis of CVE-2022-34689 - a Windows spoofing bug in CryptoAPI - and, in particular, of the root of the issue: their research on certificate thumbprint MD5 collisions.
In the past, MD5 collisions were exploited to produce two files with the same MD5 hash, which in essence breaks MD5 and the promise of any cryptographic hash function: no two distinct messages (in most cases files, certificates or executables) should have the same hash. Microsoft fixed this vulnerability back in August 2022; however, per the research, a recent scan of previously scanned endpoints showed them still unpatched. Applications and web browsers which use the Windows Crypto API are potential victims should this CVE be leveraged by an attacker, for example in a man-in-the-middle scenario where an attacker presents a spoofed certificate thumbprint. It is recommended to promptly update vulnerable systems to mitigate this CVE.

The FBI confirmed Lazarus Group (APT28) was behind the $100 million worth of crypto assets stolen from the Harmony blockchain - which is what the infosec and crypto communities have been saying for a while now. Back in June 2022, in a security incident on the Harmony Horizon Ethereum Bridge, closely protected private keys were decrypted by attackers, who were then able to execute unauthorized transactions and steal crypto assets. It was speculated that the attack was executed using a server/key compromise or through social engineering. Tracking Lazarus Group (APT28) crypto transactions, it used Tornado Cash - a mixer used to launder stolen crypto assets. The FBI and US agencies will continue to attack Lazarus Group activities. Crypto exchanges and projects should closely secure sensitive assets/keys to prevent future incidents. Borrowing this from a crypto expert: use of multi-signatures to manage high-value assets is best practice, requiring more validators and ensuring that the compromise of a single private key does not place others at risk.

I hope you find these security news items educational and informative. See you on my next TWIS edition!
Threat actors' and malware's alternative to Office macros: Windows LNK files

Microsoft took its macros and went home, so miscreants turned to Windows LNK files

Microsoft's move last year to block macros by default in Office applications is forcing miscreants to find other tools with which to launch cyberattacks, including the software vendor's LNK files – the shortcuts Windows uses to point to other files.

"When Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most prevalent malware families used LNK files as part of their initial infection chain," Guilherme Venere, threat researcher at Talos, wrote in a report dated January 19. "In general, LNK files are used by worm type malware like Raspberry Robin in order to spread to removable disks or network shares."

The files are also helping criminals gain initial access into victims' systems before running such threats as the Qakbot backdoor malware, malware loader Bumblebee, and IcedID, a malware dropper, according to the Talos researchers. The advanced persistent threat (APT) group Gamaredon has also put LNK files to work, including a campaign that started in August 2022 against organizations in Ukraine.

The shift to other techniques and tools in the wake of Microsoft's VBA macros move was swift. Soon after the macros were blocked, Proofpoint researchers noted that cybercriminals were looking for alternatives, including ISO and RAR attachments, plus LNK files.

https://www.theregister.com/2023/01/23/threat_groups_malicious_lnk/
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/

In an LNK file, the target part reveals that the LNK invokes a process - for example, the Windows Command Processor (cmd.exe). The target path has only 255 characters visible. However, command-line arguments can be up to 4096 characters, so malicious actors can take advantage of this and pass long arguments, as they will not be visible in the properties.
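Because the Properties dialog hides everything past the first 255 characters, a defender can read the shortcut's string data directly instead. The parser below is an added example, not Talos' or McAfee's code; it follows the MS-SHLLINK layout as I understand it (fixed 0x4C-byte header, optional ID list and link info, then length-prefixed UTF-16LE strings) and flags a launcher target, an over-long command line and whitespace padding. The sample .lnk is constructed in the script, with a harmless echo as the hidden command.

```python
"""Parse a Windows .lnk shell link and flag command lines hidden from view.

Added example (not code from the Talos or McAfee reports). It reads the
ShellLinkHeader and StringData parts of the MS-SHLLINK format, assumed here
to be: a 0x4C-byte header with LinkFlags at offset 0x14, an optional
LinkTargetIDList (uint16 size + items), an optional LinkInfo (uint32 size
including itself), then Name/RelativePath/WorkingDir/Arguments/IconLocation,
each a uint16 character count followed by UTF-16LE text when IsUnicode is set.
The sample shortcut is constructed in build_sample_lnk(); its hidden command
is a harmless echo.
"""
import struct

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
VISIBLE_TARGET_CHARS = 255          # what the Explorer Properties dialog shows
LAUNCHERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta",
             "rundll32", "certutil")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields present in a .lnk file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for key, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                   # ANSI strings use the system code page
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def assess_lnk(data: bytes) -> list:
    """Heuristic reasons to distrust a shortcut (thresholds are assumptions).
    RelativePath stands in for the target here; a full parser would also
    resolve the IDList/LinkInfo target."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    reasons = []
    if any(name in target for name in LAUNCHERS):
        reasons.append("target is a command/script launcher")
    if len(target) + len(args) > VISIBLE_TARGET_CHARS:
        reasons.append("command line longer than the 255 characters Properties displays")
    if len(args) - len(args.lstrip()) > 32:
        reasons.append("arguments padded with leading whitespace")
    return reasons


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: minimal unicode .lnk with just two string fields."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, SHELL_LINK_CLSID,
                         flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    benign = build_sample_lnk("..\\Documents\\report.docx", "")
    hidden = build_sample_lnk("..\\..\\..\\Windows\\System32\\cmd.exe",
                              " " * 300 + "/c echo constructed sample")
    print("benign:", assess_lnk(benign))
    print("hidden:", assess_lnk(hidden))
```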
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/#:~:text=An%20LNK%20file%20is%20a,to%20access%20another%20data%20object.

The WarHawk backdoor's initial delivery was through a Windows LNK file:
https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0

XLL files, the MS Excel add-in

Microsoft closes another door to attackers by blocking Excel XLL files from the internet

In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register. "When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened. And as with VBA macros, users often will disregard the warning.

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.

Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.

"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."

https://www.theregister.com/2023/01/25/microsoft_excel_xll_closed/
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/

Use of XLL files in the delivery of Agent Tesla malware

Chains of infection

Two possible chains of infection:

1. A victim receives an email with a malicious attachment. The attachment is either a malicious XLL or XLM file.
2. In the case of an XLL, when run it will either:
   - drop an intermediate dropper that in turn drops an Agent Tesla payload;
   - download an Agent Tesla payload from Discord; or
   - download a Dridex payload from Discord.
3. In the case of an XLM, when run it will drop a VBS downloader that downloads and executes a Dridex sample from Discord.
While Agent Tesla and Dridex infection chains are not necessarily distributed by the same actor, they seem to be part of a new trend of infection vectors.

https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/

MD5 collisions applied: certificate MD5 thumbprint collisions

Months after NSA disclosed Microsoft cert bug, datacenters remain unpatched

Most Windows-powered datacenter systems and applications remain vulnerable to a spoofing bug in CryptoAPI that was disclosed by the NSA and the UK National Cyber Security Center (NCSC) and patched by Microsoft last year, according to Akamai's researchers.

CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities. The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this will involve getting said files onto victims' machines and having them run.

Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyze the certificate. The app believes the attacker is the spoofed organization. The bug isn't a remote code execution flaw; it's a vulnerability that allows someone to pretend to be another to an application or operating system, in the context of identity and certificate cryptography checks on Windows.

There's a video [MP4] you can watch demonstrating exploitation against Chrome, but here's the short version of that spoofing attack, simply put.

https://user-images.githubusercontent.com/114926055/214040642-beb765f7-4788-45e8-836c-a08dc441b5b4.mp4

At the heart of it, Microsoft used the hashing algorithm MD5 to index and compare security certificates.
It's trivial to break MD5 with what's called a collision: a situation where two different blocks of data result in the same MD5 hash value. What's more, Microsoft used the four least-significant bytes of a certificate's MD5 thumbprint to index it.

So what you need to do is this: trick an application such as Chrome 48, which uses the Windows CryptoAPI, into connecting to a man-in-the-middle server that wants to pretend to be the website the user actually wanted. The malicious server sends the impersonated website's legit HTTPS cert to the browser, which passes it to CryptoAPI for processing, and the cert is cached in memory on the user's PC. The cert is stored in this cache using part of the MD5 thumbprint of the cert's data as the index.

The malicious server meanwhile modifies the legit certificate so it can masquerade as the website, and ensures this new tampered-with evil certificate results in the same MD5-computed cache index as the real one. The server causes the browser to ask for the website's certificate again, at which point the server hands over the evil cert. The CryptoAPI library computes the MD5 fingerprint for the evil cert and its index in the cache, sees that there's already a valid cert in the cache for that index, and thus trusts the evil certificate. Now you've tricked the system into thinking the malicious cert is real.

How this is exploited in the real world to cause actual harm... well, you need to be a skilled and determined miscreant, and there are probably easier security weaknesses to target. See the above link to Akamai's write-up for full technical details.

"The root cause of the bug is the assumption that the certificate cache index key, which is MD5-based, is collision-free," the researcher duo explained. "Since 2009, MD5's collision resistance is known to be broken."

https://www.theregister.com/2023/01/26/windows_cryptoapi_bug_akamai/

Certificate spoofing via MD5 collisions

MD5 collisions were first used to spoof SSL certificates.
There is one major difference between that first attack and the scenario we deal with today: the previous scenario attacked MD5 signatures, but in the current vulnerability we are dealing with MD5 thumbprints.

Certificate MD5 thumbprint collisions

Now, we can piece things together and provide a recipe for manipulating an existing, already-signed certificate to collide with a malicious certificate’s MD5 thumbprint.

1. Take a legitimate RSA-signed end certificate, such as a website’s TLS certificate (our “target certificate”).
2. Modify any interesting fields (subject, extensions, EKU, public key, etc.) in the TBS part of the certificate to create the malicious certificate. Note: we don’t touch the signature, so the malicious certificate is incorrectly signed. Modifying the public key is important here — this allows the attacker to sign as the malicious certificate.
3. Modify the parameters field of the signatureAlgorithm field of both certificates, so that there is enough space to put MD5 collision blocks starting at the same offset in both certificates.
4. Truncate both certificates at the position where the MD5 collision blocks are to be placed.
5. Perform an MD5 chosen-prefix collision computation and copy the result into the certificates.
6. Concatenate the legitimate certificate’s signature value (suffix E in the explanation above) to both incomplete certificates.

https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi

MD5 collision research

https://www.mscs.dal.ca/~selinger/md5collision/
https://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/

One basic requirement of any cryptographic hash function is that it should be computationally infeasible to find two distinct messages that hash to the same value. MD5 fails this requirement catastrophically; such collisions can be found in seconds on an ordinary home computer.
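The Register's description and Akamai's recipe above both rest on a cache that trusts a hit on an MD5-derived index. The following is an added example, not Akamai's or Microsoft's code: it models that cache, brute-forces two constructed "certificates" that share the four-byte index, and shows the hardened lookup (collision-resistant key plus comparison of the full certificate) rejecting the impostor. It simplifies the real bug, in which CryptoAPI also compared the full MD5 thumbprint, which is why a chosen-prefix MD5 collision was needed there.

```python
"""Why a cache indexed by a truncated MD5 thumbprint can be fooled.

Added example, not Akamai's or Microsoft's code. A simplified model: the
flawed cache trusts any entry found at the index derived from a
certificate's MD5 thumbprint (its four least-significant bytes, as in the
write-up). The real CryptoAPI cache also compared the full MD5 thumbprint,
so the real attack needs a full MD5 chosen-prefix collision; here the
32-bit index alone is collided by brute force (about 2^16 tries, the
birthday bound), which is enough to show the design flaw and the fix:
key on a collision-resistant hash and compare the whole certificate on a hit.
All "certificates" are constructed byte strings, not real X.509 data.
"""
import hashlib


def md5_thumbprint(cert: bytes) -> bytes:
    return hashlib.md5(cert).digest()


def cache_index(cert: bytes) -> int:
    """Index used by the flawed cache: four least-significant thumbprint bytes."""
    return int.from_bytes(md5_thumbprint(cert)[-4:], "little")


class NaiveCertCache:
    """Trusts a certificate if its MD5-derived index was seen before."""

    def __init__(self):
        self._seen = {}

    def remember_valid(self, cert: bytes) -> None:
        self._seen[cache_index(cert)] = cert

    def is_trusted(self, cert: bytes) -> bool:
        return cache_index(cert) in self._seen      # no comparison of the entry


class HardenedCertCache:
    """Keys on SHA-256 and re-checks the full bytes, so a hit means identity."""

    def __init__(self):
        self._seen = {}

    def remember_valid(self, cert: bytes) -> None:
        self._seen[hashlib.sha256(cert).digest()] = cert

    def is_trusted(self, cert: bytes) -> bool:
        entry = self._seen.get(hashlib.sha256(cert).digest())
        return entry is not None and entry == cert


def find_index_collision(prefix: bytes, limit: int = 1 << 20) -> tuple:
    """Birthday search: two distinct certs whose 32-bit cache index matches."""
    seen = {}
    for i in range(limit):
        cert = prefix + i.to_bytes(4, "big")      # constructed "certificate"
        idx = cache_index(cert)
        if idx in seen:
            return seen[idx], cert
        seen[idx] = cert
    raise RuntimeError("no collision within limit (astronomically unlikely)")


def demo() -> dict:
    """Cache the legitimate cert, then present the index-colliding impostor."""
    legit, evil = find_index_collision(b"constructed-cert:")
    naive, hardened = NaiveCertCache(), HardenedCertCache()
    naive.remember_valid(legit)
    hardened.remember_valid(legit)
    return {"distinct": legit != evil,
            "same_index": cache_index(legit) == cache_index(evil),
            "naive_trusts_evil": naive.is_trusted(evil),
            "hardened_trusts_evil": hardened.is_trusted(evil),
            "hardened_trusts_legit": hardened.is_trusted(legit)}


if __name__ == "__main__":
    print(demo())
```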
https://en.wikipedia.org/wiki/MD5

FBI catches up with infosec and crypto communities, blames Lazarus Group for $100 million heist

The FBI has confirmed what cybersecurity researchers have been saying for months: the North Korean-sponsored Lazarus Group (APT28) was behind the theft last year of $100 million in crypto assets from blockchain startup Harmony.

Attackers on June 22, 2022, hit Harmony's Horizon Bridge – a cross-chain service used to transfer assets between Harmony's blockchain and other blockchains – and stole Ethereum, Wrapped Bitcoin, Binance Coin, and Tether. In its January 23 statement on the matter, the FBI said the attack on Harmony was part of a North Korean malware campaign named "TraderTraitor."

https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft

The federal investigators said that on January 13, unnamed North Korean criminals used the privacy protocol Railgun to launder more than $60 million of Ethereum stolen during the Horizon Bridge hack and that a portion of the stolen Ethereum was then sent to several virtual asset service providers and converted to Bitcoin. Some of the funds were frozen, while the remaining Bitcoin was sent to almost a dozen addresses.

Two crypto exchanges – Binance and Huobi – froze the accounts used by Lazarus Group to launder the stolen Harmony assets. The FBI said it and other US agencies will continue to attack North Korea's cyber crime activities. The Treasury Department last year slapped sanctions on both Tornado Cash and another crypto mixer, Blender – in large part for their work helping the Lazarus Group launder stolen crypto assets.

https://www.theregister.com/2023/01/25/fbi_lazarus_harmony_crypto/

Our incident response team has discovered evidence that private keys were compromised, leading to the breach of the Horizon bridge. Funds were stolen on the Ethereum side of the bridge.
The private keys were encrypted and stored by Harmony, with the keys doubly encrypted via passphrase and a key management service, and no single machine had access to multiple plaintext keys. The attacker was able to access and decrypt a number of these keys, including those used to sign the unauthorized transactions and take assets in the form of BUSB, USDC, ETH and WBTC. All assets were then swapped to ETH and currently remain on the hacker’s account on the Ethereum network. No steps have currently been taken by the hacker to anonymize ownership of these assets.

https://medium.com/harmony-one/harmonys-horizon-bridge-hack-1e8d283b6d66

Next steps and remedial actions taken by the Harmony Protocol

The Harmony Protocol team stated that they have upgraded the Ethereum side of the Horizon bridge to a 4-of-5 MultiSig in the wake of the incident, and are working continuously to enhance their operations and infrastructure security. Furthermore, the team emphasized that it is working closely with law enforcement officials and blockchain tracing partners as a part of ongoing investigations. They have also offered $1 million for the return of Horizon bridge funds and any information about the exploit. The Harmony Protocol team also claimed that they will advocate for no criminal charges after the funds are returned.

Reportedly, the cryptosphere has raised concerns about the size of the bounty, which is just 1% of the total amount stolen. It has been suggested that the bounty fee may be insufficient to incentivize the attackers to return the stolen funds, particularly considering that our analysis shows funds have already been laundered through Tornado Cash.

https://blog.merklescience.com/hacktrack/hacktrack-analysis-horizon-bridge-exploit

Lessons learned from the attack

The use of multi-signatures to manage high-value assets is best practice, but a 2 of 5 signature scheme provides little security.
Requiring more validators and ensuring that the compromise of a single private key does not place others at risk (i.e. storing keys on separate systems, protecting them with unique passphrases or keys, etc.) can help to prevent similar attacks in the future.

https://halborn.com/explained-the-harmony-horizon-bridge-hack/

ChatGPT and security - This Week in Security Feb 18th to Feb 25th, 2023
Editor's introduction

This week's editor for This Week in Security is Koichi. Not a day goes by these days that we don't hear about AI. In particular, ChatGPT, OpenAI's AI chat bot, responds in a very natural way which is hard to distinguish from a human's response. This week, I have collected stories about ChatGPT and security to consider what kinds of cybersecurity threat this useful and revolutionary tool brings.

We in F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

In this edition:
- ChatGPT can program - therefore, fake applications are also possible.
- No confidential information should be given.
- ChatGPT had service downtime.
- AI-synthesized voice can be used for attacking.
- Cybersecurity experts warn of the threat of more sophisticated phishing mail.

ChatGPT can program - therefore, fake applications are also possible.

"This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launched a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions."

Bleeping Computer reported on February 22 that many cyber attacks taking advantage of ChatGPT have been observed. The methodology is to create fake ChatGPT services and apps and place them on a site as bait for malware infection and information theft. Please be careful not to fall for non-existent apps or non-official websites, now that those are easily created.

Hackers use fake ChatGPT apps to push Windows, Android malware

No confidential information should be given.
“If the employees want to chat, they'll just have to talk to each other instead.”

JP Morgan has issued a restriction on the use of OpenAI's ChatGPT in the workplace due to compliance concerns. Considering the risk of leakage of confidential information, bans on the use of ChatGPT are not limited to JP Morgan. In general, if you use a service that requires you to enter information or upload files, you should always consider the risk of that information or file being harvested by the service provider. For example, VirusTotal has a service that checks files for viruses; however, this means that not only the presence or absence of a virus but also the data the file contains will be passed on to VirusTotal. Similarly, if you use ChatGPT without first removing sensitive information, that sensitive information will be harvested by OpenAI.

Giant Bank JP Morgan Bans ChatGPT Use Among Employees

ChatGPT had service downtime.

On February 21, ChatGPT (both the ChatGPT website and the API) went down. Down means it does not give a response: when you submit a question to ChatGPT, you receive a message saying, "A server error occurred while processing your request. We are sorry. Please retry your request or contact the Help Center if the error persists." It recovered within a day; however, this was observed not only this time but also last week. When you see a similar message, it is better to check the site below.

https://downdetector.com/status/openai/

AI-synthesized voice can be used for attacking.

“Banks in the U.S. and Europe tout voice ID as a secure way to log into your account. I proved it's possible to trick such systems with free or cheap AI-generated voices.”

In this article, an AI-synthesized voice passed voice recognition authentication and broke into a bank account. Some banks in the U.S. allow access to bank accounts after a few conversations with voice recognition.
One of the text-to-speech services, ElevenLabs' service, was able to pass the authentication.

https://vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice

One more for thinking about cyber security (not from this week):

Cybersecurity experts warn of the threat of more sophisticated phishing mail.

Two articles discuss the impact and usage of ChatGPT for cybersecurity. The common threat in the two articles is the increase in phishing e-mails. Usually, phishing e-mails are easily detected because of their unnatural wording and phrasing. This is a barrier for non-native speakers to create effective phishing emails. However, ChatGPT allows non-native speakers to write natural sentences, which risks generating a large number of naturally worded phishing emails.

OpenAI's new ChatGPT bot: 10 dangerous things it's capable of
ChatGPT and more: What AI chatbots mean for the future of cybersecurity

Binance Hack, Data Leak and Supply Chain Attack - F5 SIRT This Week in Security - Oct 1st to Oct 7th
This Week in Security, October 1st to October 7th, 2022: Binance Hack, Data Leak, Critical Vulnerability and Supply Chain Attack

Hello everyone, this week your editor is Dharminder. I am back again with another edition of This Week in Security; this time I have security news about a critical vulnerability, a supply chain attack, the Binance blockchain hack and the DNS data leak.

We in F5 SIRT invest a lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

Ok, so let's get started with the details of this week's security news. Before we start, a gentle reminder about the upcoming Quarterly Security Notification on 19th October 2022.

Fortinet - remote authentication bypass critical vulnerability

Fortinet is in the news lately for a critical vulnerability in various software versions. Fortinet has published software versions which fix the remote authentication bypass critical vulnerability, but since the vulnerability is being exploited, Fortinet has recommended that all Fortinet customers update the software immediately. As per the advisory published by Fortinet, the CVSS score of this vulnerability is 9.6 and the CWE is "CWE-288: Authentication Bypass Using an Alternate Path or Channel". Looking at the CVSS vector, you can see that the attacker can perform the attack remotely and no authentication is required; the impact is high on confidentiality, integrity and availability. Fortinet has provided IOCs (indicators of compromise) in the advisory so that customers may look for those logs and, if required, contact Fortinet customer support for help. So if you are a Fortinet customer, follow the advisory and update the software.
Below are the lists of vulnerable and fixed versions.

Vulnerable versions:
- FortiOS version 7.2.0 through 7.2.1
- FortiOS version 7.0.0 through 7.0.6
- FortiProxy version 7.2.0
- FortiProxy version 7.0.0 through 7.0.6
- FortiSwitchManager version 7.2.0
- FortiSwitchManager version 7.0.0

Fixed versions:
- FortiOS version 7.2.2 or above
- FortiOS version 7.0.7 or above
- FortiProxy version 7.2.1 or above
- FortiProxy version 7.0.7 or above
- FortiSwitchManager version 7.2.1 or above

https://www.fortiguard.com/psirt/FG-IR-22-377
https://www.rapid7.com/blog/post/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/

Supply chain attack by LofyGang

These days we have been hearing a lot about supply chain attacks; another addition to that list is LofyGang’s supply chain attack. A researcher from Checkmarx has discovered approximately 200 malicious packages, which include password stealers, persistent malware etc., on code hosting platforms such as NPM and GitHub. As per the researcher, all these malicious packages are linked to LofyGang, and their main focus was to steal and share stolen credit cards and credentials for gaming and streaming platforms like Disney+. Interestingly, LofyGang has a YouTube channel where they have hosted many video tutorials on how to use its hacking tools. A bot named "Lofy Boost" on Discord can be used by channel members to purchase Nitro using a stolen credit card on behalf of the user. The stolen credit cards come from NPM supply chain infections and from backdoored hacking tools on GitHub. Many of the NPM packages impersonate Discord development packages or packages for color, string and file operations. Tools promoted by the gang on GitHub are a Discord spammer, a Nitro generator, a password stealer, a Discord token grabber and a Discord webhook hiding module.
Let's discuss the Discord malware. Per the researcher, it replaces the legitimate version of the Discord app on the infected system with a malicious version, which then steals credit card information every time the user pays for a subscription. The researcher has also identified that, in most cases, instead of infecting the main package, the malware was fetched as a dependency. Knowing how LofyGang performed this supply chain attack, and given the increase in supply chain attacks overall, it is best for us to be extra cautious and help each other by sharing knowledge to better tackle these and many other types of attack.

https://www.bleepingcomputer.com/news/security/lofygang-hackers-built-a-credential-stealing-enterprise-on-discord-npm/
https://www.infosecurity-magazine.com/news/lofygang-software-supply-chain/
https://cyware.com/news/lofygang-gang-spreads-via-over-200-malicious-packages-and-fake-hacking-tools-c0243233/?web_view=true

Binance Blockchain Bridge hacked

If you deal in cryptocurrency, especially in Binance Coin, then this news is for you. As per the reports, BNB Smart Chain was paused by Binance due to a security incident in which hackers stole 2 million Binance Coins (BNB), worth $566 million, from the Binance Bridge. The hackers received a total of 2 million BNB in two transactions of 1 million each. Soon after receiving the BNB, the hacker began spreading some of the funds across a variety of liquidity pools, attempting to convert the BNB into other assets. The security incident was also acknowledged by the CEO of Binance on Twitter; in his tweet he mentioned "An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC." He also mentioned that the issue has been contained and funds are safe.
Although Binance has confirmed that they will provide a postmortem report in the future, meanwhile the Binance website states: "There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as “BSC Token Hub.” A total of 2 million BNB were withdrawn. The exploit was through a sophisticated forging of the low level proof into one common library." Hopefully all cryptocurrency players will be extra cautious after this security incident and take extra steps to avoid such incidents.

https://www.theguardian.com/technology/2022/oct/07/binance-crypto-hack-suspended-operations
https://www.investopedia.com/binance-got-hacked-6748215
https://www.bleepingcomputer.com/news/security/hacker-steals-566-million-worth-of-crypto-from-binance-bridge/

Russian retail chain 'DNS' data leaked online

DNS (Digital Network System), Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees, recently suffered a data breach. Personal data belonging to both customers and employees was leaked, which includes usernames, passwords, names, phone numbers, and email addresses. DNS, the company, has confirmed that the attack was carried out by a group of hackers from servers located outside the Russian Federation. They also mentioned that user passwords were not affected, and that customers' payment information, which is not stored on DNS servers, could not have been affected. According to some posts, a pro-Ukrainian hacker group 'NLB team' was responsible for the attack. So most likely this data breach is a result of the cyber war between pro-Ukrainian and pro-Russian hacking groups, which has been going on since the war started between Russia and Ukraine.
https://cybernews.com/cyber-war/retail-chain-dns-data-leaked/
https://www.bleepingcomputer.com/news/security/russian-retail-chain-dns-confirms-hack-after-data-leaked-online/

F5 SIRT - This Week in Security - June 6th to 19th - Phishing, QNAP, Atlassian & processor attacks
As Rebecca mentioned last week, we (the F5 SIRT) are now aiming to publish a round-up of the previous week(s)' security news under the This Week in Security (henceforth, TWIS) banner. This week we have a bumper issue, actually covering two weeks (June 6th to June 19th 2022) of security news. As always, the security world moves quickly and there were a plethora of articles to read over the last couple of weeks - I've pulled out a handful of the ones I found most interesting, and you can read my commentary on phishing attacks, QNAP ransomware attacks, an Atlassian Confluence vulnerability and two novel processor side-channel attacks within.

The ever-present threat of phishing

This isn't a new or novel attack; phishing is something that has been with us since the advent of electronic communications, and will probably be around forever, but it popped up in the news again last week driven by new Malware-as-a-Service (MaaS) offerings and, in all likelihood, geopolitical events. Let's look at a couple of them:

First, I'd like to talk about Google Drive share spam; this pops up in the news every now and then (at least as far back as 2020[1], and again in 2021[2]) but isn't something I've experienced personally - until the last couple of weeks. Since then my personal email account has been absolutely flooded with notifications of files being shared with me via Google Drive - PDFs, Google Slides, Google Docs - all of which contain images along with a link to websites designed to directly or indirectly relieve me of money. It's good to see that the same techniques we saw 20+ years ago (with the ILOVEYOU[3] and Anna Kournikova[4] viruses) are apparently still effective enough for attackers to use today... Still, the Google Drive 'shared document' spam was new to me, and seems to be extremely hard to counter - no amount of reporting stuff as spam in Gmail helps the situation, and it seems like the only thing left is to block individual senders[5].
Interested to hear if anyone else has seen an uptick in this attack recently!

Second, MaaS, specifically Matanbuchus[6]. I've linked to Palo Alto Unit 42's excellent write-up, as well as SANS ISC's brilliant summary[7] if you'd like a shorter read with more specific calls to action, like the SHA256 hashes of the files dropped and the outbound traffic. What caught my eye with this was the absurdly low initial rental cost of Matanbuchus: just $2500, putting it firmly within the reach of even the most poorly funded organisations. Other than that, really, this is your typical run-of-the-mill spam attack to deliver malware via malicious links or attachments (in this case, attachments). In SANS' example, a ZIP file is delivered via email which, when extracted by the user, presents an HTML file. When that HTML file is opened by the user it opens a fake OneDrive page which then delivers a second ZIP file containing an MSI installer; launching the installer directly installs the malware. Meanwhile, in Unit 42's example the first-stage dropper is an Excel sheet with code embedded across multiple cells to download and execute the malware.

Attacks like this and Follina highlight, for me, the need for both layered security and whole-network visibility and alerting: outbound traffic inspection (where possible), logging and blocking of attempts to access known malicious resources backed by robust intelligence feeds, and endpoint inspection, logging and quarantining of potentially malicious files. Products like SSLO can help here with outbound access control, APM can enforce endpoint standards, and ThreatStack can alert on cloud workloads should lateral movement off workstations happen, all of which can be backed up by a robust SIEM solution for visibility.
[1] https://www.wired.co.uk/article/google-drive-spam-comments-phishing
[2] https://www.varonis.com/blog/attack-lab-spear-phishing-with-google-drive-sharing
[3] https://en.wikipedia.org/wiki/ILOVEYOU
[4] https://en.wikipedia.org/wiki/Anna_Kournikova_(computer_virus)
[5] https://arstechnica.com/gadgets/2021/07/google-is-finally-doing-something-about-google-drive-spam/
[6] https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/
[7] https://isc.sans.edu/forums/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752/

NAS ransomware and the importance of supply chain security

I feel like I write about supply chain security every time I write an analysis these days, but I spotted something unfold over the last couple of weeks that highlights, yet again, the difficulty and importance of ensuring attention is paid to all of the individual components (often sourced via third parties) which make up a product. That's something that the F5 SIRT and F5's Platform Security organisations spend a lot of time inspecting, and an area that is seeing - both at F5 and in the wider industry - significant investment in tooling around visibility and patching, in part driven by last year's Executive Order[1] mandating a Software Bill of Materials (SBOM) for all products and, I think, in part by the sheer volume of supply chain incidents over the last couple of years.

Getting back to the topic at hand: around June 17th we started to see reports of widespread ransomware attacks against QNAP Network Attached Storage (NAS) devices using the DeadBolt ransomware[2]. QNAP immediately[3] urged customers to upgrade to allow the built-in anti-malware software to quarantine the DeadBolt instance, and only a day or so later reports emerged of QNAP NAS devices being targeted by ech0raix ransomware[4].
This smelt to me like a new attack vector had been discovered, and although I haven't seen any detailed analysis of how either ransomware was being dropped onto devices, it seems somewhat suspicious that a week later QNAP would announce patching a PHP vulnerability from 2019 which can allow remote code execution when exploited[5]. The fact that this is a PHP vulnerability from 2019, for which exploits have been available for three years[6], is what circles me back to supply chain security - vendors (as F5 has) must automate at least the visibility into their supply chain so that issues like this are surfaced quickly and fixed in a timely manner in their products, rather than relying on after-the-fact patching. To be clear, this is an enormous undertaking for any vendor with more than a trivial number of large products, but it is absolutely essential for the security of all of our lives. F5 has made a commitment to be a force for a safer digital world[7]; what do you want to be a force for?[8]

[1] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
[2] https://www.bleepingcomputer.com/news/security/qnap-thoroughly-investigating-new-deadbolt-ransomware-attacks/
[3] https://www.qnap.com/en/security-advisory/QSA-22-19
[4] https://www.bleepingcomputer.com/news/security/qnap-nas-devices-targeted-by-surge-of-ech0raix-ransomware-attacks/
[5] https://www.qnap.com/en/security-advisory/QSA-22-20
[6] https://github.com/neex/phuip-fpizdam
[7] https://www.youtube.com/watch?v=whj5XRoCS8A
[8] https://community.f5.com/t5/devcentral-news/what-are-you-a-force-for/ta-p/296437

Atlassian Confluence

Atlassian were last on my radar in the summer of 2021[1], but over the last couple of weeks they have popped back up again when an RCE reported in very early June (CVE-2022-26134)[2] hit its mass-exploitation phase[3], with CISA advising US federal agencies to block access to, or remove, vulnerable instances by June 6th[4].
This mirrors something that we've seen repeatedly with what I would call 'high value' vulnerabilities - the time between disclosure and mass exploitation by worms is measured in a handful of days and sometimes just hours! This makes the task of patching vulnerabilities in internet-facing applications in a 'timely' manner almost impossible for most organisations; the takeaway here, then, has to be segmentation - if and when an attacker breaches an internet-facing application, you absolutely do not want them to be able to pivot into more sensitive internal infrastructure (and maybe don't put the Jira instance you use to track product development on the Internet?). Zero Trust has a role to play here too, but don't interpret Zero Trust's second name of "perimeterless security" to mean that you do not need boundaries and segmentation between servers and systems.

[1] https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/
[2] https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
[3] https://portswigger.net/daily-swig/incoming-atlassian-confluence-attacks-prompt-calls-for-rapid-patching
[4] https://www.cisa.gov/uscert/ncas/current-activity/2022/06/03/atlassian-releases-new-versions-confluence-server-and-data-center

Processor attacks

Back to my favourite subject again! There have been a couple (either two or three, depending on how you're counting them!) of new processor vulnerabilities disclosed over the last couple of weeks - one made lots of news while the other seems to have flown more under the radar. First, Hertzbleed[1] - I am pretty sure this got the attention because a) it affects x86 architectures (Intel and AMD) and b) it has a catchy name and logo; and we all know you need a catchy name and a logo for your shiny new vulnerability, right?
Hertzbleed is a remotely exploitable timing-based side-channel attack which has been shown, in laboratory conditions at least, to allow complete recovery of secret keys and conceivably any other arbitrary information which can be gleaned by sending workloads of different difficulty to the target system. The novel part of this attack is that the timing discrepancies arise from dynamic frequency scaling (the frequency of a CPU being measured in megahertz or gigahertz, hence Hertz-) causing the same code to execute in a different amount of time depending on the data being processed, allowing a side channel to leak (hence -bleed) information about the workload itself. Your three-bullet-point summary a la Aaron is:

- Are all processors affected? Yes!
- Is there a workaround? Yes! Disable frequency scaling*
- Should I be worried? No! At least in my humble opinion. Even the researchers conclude that more research is required to determine which cryptographic systems are actually susceptible to this attack in real-world implementations. My gut? Given shared environments (cloud, virtual machines) and shared workloads (imagine a BIG-IP handling traffic from thousands or hundreds of thousands of users concurrently), the chances of this being exploitable in any non-trivial environment are vanishingly small.

*I have to add a caveat here - disabling frequency scaling will lock the processor at its base frequency; you won't get turbo boost anymore, nor will it scale back when idle. This means you will potentially use more power and generate more heat, and the processor will handle less peak load as it can no longer boost above the base frequency; bad for the environment, and if you were taking advantage of that turbo boost frequency, you might need more processors for your existing workloads. See my point 3 above for why I think the costs of the workaround outweigh the likely benefits.

Next up - do you have a new M1 Mac and feel left out? Fear not, PACMAN[2] is here!
This vulnerability got a shiny name and logo but doesn't seem to have generated as much traffic or commentary as Hertzbleed - perhaps that's because if you Google Pacman you have to weed out all of the results for the classic video game? PACMAN builds on Spectre and implements similar techniques against the M1 architecture, though much like exploiting Spectre you need to have found a piece of exploitable code, or loaded your own exploitable code, onto the target endpoint - for PACMAN you need a piece of software containing an existing memory corruption bug and a vulnerable piece of kernel code to use as a gadget in order to construct a complete exploit. The report cites this as exploitable via the network and, while I don't dispute that, you do have to have found an awful lot of prerequisites before you can exploit this (as I noted, some piece of code which is already vulnerable and whose vulnerability you can exploit, a kernel gadget, and all of that has to be network accessible). So here are my bullet points again:

- Do you think this is exploitable in the real world? Yes!
- Do you think attackers will exploit this in the real world? No!*
- Should I be worried? Not particularly, no (IMHO).

*The caveat here is that there is a class of attacker who would use this kind of exploit - nation states. Your regular run-of-the-mill attacker will look for much, much easier ways to compromise a system (and we're back to phishing again) because they aren't as concerned with high value targets or noiseless attacks. Actually exploiting this in a real-world system would, in my opinion, take so much intelligence gathering and prior research that only the most highly motivated nation-state attacker would use this, and only against the highest value targets. What can you do? Make sure you aren't running vulnerable code... which is easier said than done.

[1] https://www.hertzbleed.com/
[2] https://pacmanattack.com/