SteganoAmor, Fake IP Scanner, MITRE Corporation Breach - April 14-20, 2024 - This Week in Security
Dharminder from the F5 SIRT team covers security news of the week: SteganoAmor, Google Ads used to distribute a fake IP scanner, the MITRE Corporation breach and the Vulnerability Disclosure Program for the Defense Industrial Base.

InSpectre, Rust/PANOS CVEs, X URL blunder and More - April 8-14, 2024 - F5 SIRT - This Week in Security
Editor's Introduction
Hello, Arvin is your editor for This Week in Security. As usual, I collected some interesting security news. Credit to the original articles.

Intel processors are affected by a Native Branch History Injection (Native BHI) attack, found with InSpectre, a tool that can find gadgets (code snippets that can serve as a jumping point to bypass software and hardware protections) in an OS kernel on vulnerable hardware. Spectre-style attacks that abuse speculative execution on processors have been around for a while now. Intel updated their previously published article on "Branch History Injection and Intra-mode Branch Target Injection" guidance and included an "Additional Hardening Options" section. The silver lining is that the CVEs' CVSS scores are Medium severity. See the section snippets from the research paper by the researchers from VU Amsterdam that illustrate the use of the InSpectre tool.

Rust has a critical CVE, CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API, specifically std::process::Command. It is specific to Windows because cmd.exe has complex parsing rules of its own, which differ from the escaping the Command API applies to let untrusted inputs be safely passed to spawned processes.

Next is a PAN-OS critical CVE, which affects devices with firewall configurations with a GlobalProtect gateway and device telemetry enabled. CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1. Updates to fully fix this CVE were made available from April 14. Refer to https://security.paloaltonetworks.com/CVE-2024-3400

Change Healthcare's worries about the effects of a previous breach by the ALPHV ransomware group appear to be not over.
Per the report, the victim organization was potentially "exit" scammed by ALPHV and is now being pursued by the "contractor/affiliate" of the ransomware attack, under the RansomHub name, demanding another round of ransom to be paid; otherwise, they will sell the exfiltrated data to the highest bidder.

X/Twitter had a URL blunder where anything containing the string "twitter" in a site's tweets was converted to the letter X. For example, netflitwitter[.]com would be converted to netflix[.]com. This behavior was reversed and is back to usual, but twitter[.]com URLs now properly convert to X[.]com.

Lastly, a roundup of issues from MS, Fortinet, SAP, Cisco, Adobe and Google/Android. As in previous TWIS editions, some of this news is a recurrence or follow-up.

In general, keep your systems up to date on software versions, secure access to them and allow only trusted users and applications to run. Implement layers of protection: updated AV/EDR/XDR on server and end-user systems; firewall/network segmentation rules/IPS to prevent further spread or lateral movement in the event of a ransomware attack (BIG-IP AFM has network firewall and IPS features that you can consider); and a WAF to protect your web applications and APIs. BIG-IP ASM/Advanced WAF, F5 Distributed Cloud Services and NGINX App Protect have security policy configurations and attack signatures that can mitigate known command injection techniques and other web exploitation techniques. End-user security training and awareness, incident response and reporting will help an organization should that first phishing email reach a target end-user mailbox. If it feels "off" and looks suspicious, stop and ponder before clicking.

I hope this edition of TWIS is educational. You can also read past TWIS editions and other content from the F5 SIRT, so check those out as well. Till next time!
Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib
Programmers are being urged to update their Rust versions after the security experts working on the language addressed a critical vulnerability that could lead to malicious command injections on Windows machines. The vulnerability, which carries a perfect 10-out-of-10 CVSS severity score, is tracked as CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API, specifically std::process::Command.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping," said Pietro Albini of the Rust Security Response Working Group, who wrote the advisory.

The main issue seems to stem from Windows' CMD.exe program, which has more complex parsing rules, and Windows can't execute batch files without it, according to the researcher at Tokyo-based Flatt Security who reported the issue. Albini said Windows' Command Prompt has its own argument-splitting logic that works differently from the usual Command::arg and Command::args APIs provided by the standard library, which typically allow untrusted inputs to be safely passed to spawned processes.

"On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them," said Albini. "Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are split.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution."
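The Windows argument-splitting problem described above, as an added example that is not the Rust project's or the advisory's own code: the first function reproduces the Microsoft C runtime rules by which a spawned native program splits the single command-line string back into argv (the behaviour an escaper such as Command::arg targets), and the rest shows the defensive pattern of refusing, rather than escaping, untrusted arguments when the target is a .bat or .cmd file that cmd.exe will parse with its own rules. The allowlist in check_batch_arg and the helper names are this example's own assumptions, not the standard library's logic.

```rust
// Added example: CRT-style command-line splitting plus a conservative
// allowlist for arguments handed to a batch file (assumed policy, not the
// Rust standard library's escaping rules).
use std::io;
use std::process::Command;

/// Split a Windows command line into arguments using the Microsoft C
/// runtime rules: 2n backslashes before a quote become n backslashes and
/// the quote toggles quoting; 2n+1 backslashes before a quote become n
/// backslashes and a literal quote; backslashes not followed by a quote
/// are literal. The program-name token is not special-cased here, and the
/// newer "" -> literal-quote rule inside a quoted span is not modelled.
pub fn split_crt_argv(cmdline: &str) -> Vec<String> {
    let chars: Vec<char> = cmdline.chars().collect();
    let mut args = Vec::new();
    let mut cur = String::new();
    let mut in_quotes = false;
    let mut have_arg = false; // true once the current argument has started
    let mut i = 0;
    while i < chars.len() {
        match chars[i] {
            '\\' => {
                let mut n = 0;
                while i < chars.len() && chars[i] == '\\' {
                    n += 1;
                    i += 1;
                }
                if i < chars.len() && chars[i] == '"' {
                    cur.extend(std::iter::repeat('\\').take(n / 2));
                    if n % 2 == 1 {
                        cur.push('"'); // escaped, literal quote
                    } else {
                        in_quotes = !in_quotes;
                    }
                    i += 1;
                } else {
                    cur.extend(std::iter::repeat('\\').take(n));
                }
                have_arg = true;
            }
            '"' => {
                in_quotes = !in_quotes;
                have_arg = true;
                i += 1;
            }
            ' ' | '\t' if !in_quotes => {
                if have_arg {
                    args.push(std::mem::take(&mut cur));
                    have_arg = false;
                }
                i += 1;
            }
            c => {
                cur.push(c);
                have_arg = true;
                i += 1;
            }
        }
    }
    if have_arg {
        args.push(cur);
    }
    args
}

/// True when the program is a batch file, i.e. when Windows runs it through
/// cmd.exe and cmd.exe, not a C runtime, will parse the argument string.
pub fn is_batch_file(program: &str) -> bool {
    let lower = program.to_ascii_lowercase();
    lower.ends_with(".bat") || lower.ends_with(".cmd")
}

/// Allowlist check for one argument destined for a batch file. The allowed
/// set is this example's own conservative policy (assumption): no quote,
/// percent sign or cmd.exe metacharacter can get through, so nothing has to
/// be escaped for cmd.exe at all.
pub fn check_batch_arg(arg: &str) -> io::Result<&str> {
    let allowed = |c: char| c.is_ascii_alphanumeric() || "-_./:=".contains(c);
    if !arg.is_empty() && arg.chars().all(allowed) {
        Ok(arg)
    } else {
        Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            format!("argument rejected for batch file: {arg:?}"),
        ))
    }
}

/// Build a Command, applying the allowlist only when the target is a batch
/// file; ordinary executables keep the standard library's CRT-style escaping.
pub fn build_command(program: &str, args: &[&str]) -> io::Result<Command> {
    let mut cmd = Command::new(program);
    if is_batch_file(program) {
        for a in args {
            cmd.arg(check_batch_arg(a)?);
        }
    } else {
        cmd.args(args);
    }
    Ok(cmd)
}
```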
https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/

It's 2024 and Intel silicon is still haunted by data-spilling Spectre
Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam. We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information, such as passwords and keys, out of kernel memory and other areas of RAM that should be off limits.

The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in. InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.

"We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."

https://www.theregister.com/2024/04/10/intel_cpus_native_spectre_attacks/

From https://download.vusec.net/papers/inspectre_sec24.pdf:

2.2 Spectre v2
In 2018, the disclosure of Spectre [29] famously demonstrated how speculation can be used to leak data across security domains.
One variant presented in the paper, originally known as Spectre v2 or Branch Target Injection (BTI), shows how speculation of indirect branches can be used to transiently divert the control flow of a program and redirect it to an attacker-chosen location. The attack works by poisoning one of the CPU predictors, the Branch Target Buffer (BTB), which is used to decide where to jump on indirect branch speculation. Initially, mitigations were proposed at the software level and, later, in-silicon mitigations such as Intel eIBRS [5] and ARM CSV2 [12] were added to newer generations of CPUs to isolate predictions across privilege levels.

2.3 Branch History Injection
In 2022, Branch History Injection (BHI) [13] showed that, despite mitigations, cross-privilege Spectre v2 is still possible on the latest Intel CPUs by poisoning the Branch History Buffer (BHB). Figure 1 provides a high-level overview of the attack. In summary, by executing a sequence of conditional branches (H_A and H_V) right before performing a system call, an unprivileged attacker can cause the CPU to transiently jump to a chosen target (T_A) when speculating over an indirect call in the kernel (C_V). This happens because the CPU picks the speculative target for C_V from a shared structure, the BTB, that is indexed using both the address of the instruction and the history of previous conditional branches, which is stored in the Branch History Buffer (BHB). Finding the right combination of histories that will result in a collision can be done with brute-forcing. To ensure the injected target, T_A, contains a disclosure gadget, the original BHI attack relied on the presence of the extended Berkeley Packet Filter (eBPF), through which an unprivileged user can craft code that lives in the kernel.

Figure 2: InSpectre Gadget workflow. The analyst provides a kernel image and a list of target addresses to InSpectre Gadget (1), which performs in-depth inspection to find gadgets that can leak secrets and outputs their characteristics.
The gadgets can be filtered (2) based on the available attacker-controlled registers and the mitigations enabled, and used to craft Spectre v2 exploits against the kernel (3).

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways
Palo Alto Networks on Friday issued a critical alert for an under-attack vulnerability in the PAN-OS software used in its firewall-slash-VPN products. The command-injection flaw, with an unwelcome top CVSS severity score of 10 out of 10, may let an unauthenticated attacker execute remote code with root privileges on an affected gateway, which to put it mildly is not ideal. It can, essentially, be exploited to take complete control of equipment and drill into victims' networks. Updates to fully fix this severe hole are due to arrive by Sunday, April 14, we're told.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. Cloud firewalls, Panorama appliances, and Prisma Access are not affected, Palo Alto says.

Zero-day exploitation of this vulnerability was detected on Wednesday by cybersecurity shop Volexity, on a firewall it was monitoring for a client. After an investigation determined that the firewall had been compromised, the firm saw another customer get hit by the same intruder on Thursday. "The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device," the network security management firm said in a blog post. "The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations." The intrusion, which begins as an attempt to install a custom Python backdoor on the firewall, appears to date back at least to March 26, 2024.
Palo Alto Networks refers to the exploitation of this vulnerability as Operation MidnightEclipse, which at least is more evocative than the alphanumeric jumble UTA0218. The firewall maker says that while the vulnerability is being actively exploited, only a single individual appears to be doing so at this point. Mitigations include applying a GlobalProtect-specific vulnerability protection, if you're subscribed to Palo Alto's Threat Prevention service, or "temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device." It urged customers to follow the above security advisory and thanked the Volexity researchers for alerting the company and sharing its findings.

https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://unit42.paloaltonetworks.com/cve-2024-3400/

Change Healthcare faces second ransomware dilemma weeks after ALPHV attack
Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company's data containing personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more. The miscreants are demanding a ransom payment from the healthcare IT business within 12 days or its data will be sold to the highest bidder. "Change Healthcare and United Health you have one chance in protecting your clients data," RansomHub said. "The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted."
The org is alleged to have paid a $22 million ransom to ALPHV following the incident, a claim made by researchers monitoring a known ALPHV crypto wallet and one backed up by RansomHub. However, Change Healthcare has never officially confirmed this to be the case. If all of the claims are true, it means the embattled healthcare firm is deciding whether to pay a second ransom fee to keep its data safe.

The prevailing theory among infosec watchers is that ALPHV pulled what's known as an exit scam after Change allegedly paid its ransom. While the ratios vary slightly between gangs, generally speaking, ransomware payments are split 80/20: 80 percent for the affiliate that actually carried out the attack and 20 percent for the gang itself. It's believed that ALPHV took 100 percent of the alleged payment from Change Healthcare, leaving the affiliate responsible for the attack without a commission. Angry and searching for what they believed they were "owed," the affiliate is thought to have retained much of the data it stole and now switched allegiances to RansomHub in one last throw of the dice to earn themselves a payday, or so the theory goes.

UnitedHealth, parent company of Change Healthcare, disclosed a cybersecurity incident on February 22, saying at the time it didn't expect it to materially impact its financial condition or the results of its operations. It originally suspected nation-state attackers to be behind the incident, but the ALPHV ransomware gang later claimed responsibility. Many of its systems were taken down as a result while it assessed and worked to remediate the damage. Hospitals and pharmacies reported severe disruption to services following the attack, with many unable to process prescriptions, payments, and medical claims. Cashflow issues also plagued many institutions, prompting the US government to intervene.
The IT biz's data protection standards are soon to be subject to an investigation by the US healthcare industry's data watchdog, which cited the "unprecedented magnitude of this cyberattack" in its letter to Change.

https://www.theregister.com/2024/04/08/change_healthcare_ransomware/

X fixes URL blunder that could enable convincing social media phishing campaigns
Elon Musk's X has apparently fixed an embarrassing issue implemented earlier in the week that royally bungled URLs on the social media platform formerly known as Twitter. Users started noticing on Monday that X's programmers had implemented a rule on its iOS app that auto-changed Twitter.com links that appeared in Xeets to X.com links. Attackers could feasibly copy legitimate web pages to steal credentials, or skip the trouble and simply use it as a malware-dropping tool, or any number of other possibilities. The potential for abuse here would be rife, given the number of legitimate, well-known brands most people would blindly trust. Netflix, Plex, Roblox, Clorox, Xerox: you get the picture. According to tests at Reg towers on Wednesday morning, the issue appears to have been reversed. Netflitwitter[.]com now reads as such, but Twitter.com is auto-changed to X.com.

Maintainers, Slowloris/2, Kobold Letters - April 1st - 7th, 2024 - F5 SIRT - This Week in Security
Introduction
Hello again, Kyle Fox here. This week we have some shorter bits about things, in which I promise two more future articles, which I think means I am up to three non-TWIS articles in the pipeline.

We have to talk about project maintainers again. We have all seen that one XKCD comic about dependency maintainers. The xz situation has resurfaced a common plea from Open Source maintainers: we need funds and help. I don't have any real deep commentary here, just a plea that companies heavily dependent on Open Source projects should consider giving back to the community by retaining internal SMEs who can help projects resolve issues by submitting bug fixes, contributing to those projects financially, and possibly hiring internal people to work on the major features they want out of these projects. Platforms like GitHub may be able to help by moderating discussions to keep project maintainers from being abused by users. And the community should work better at being a positive force for change.

And the same goes for conferences: some of us spend lots of time working on all the little details so you can go to DEF CON, have parties to go to, things to hack and places to hack them in. It's easy to look at something like DEF CON and think that it's just another industry conference and everyone is being paid to be there, but very few people are paid to be there. I will further discuss this soon in a post about the current DEF CON situation and venues.

Is the HTTP/2 CONTINUATION Attack Just Slowloris/2?
On April 3rd the industry got wind of a new attack on HTTP/2; this time you could consume resources by sending a steady stream of CONTINUATION frames, leaving the connection open and consuming resources. This came on the tail end of the HTTP/2 Rapid Reset attack, which consumed resources in an orthogonal way. If this attack sounds familiar, it's because it is almost the same attack for HTTP/2 as the Slowloris attack was for HTTP/1.1.
You could also compare it to the Slow POST attack. How Slowloris worked, for those who may have forgotten since 2009, is that the attacker sends an HTTP/1.1 request to a web server and then slowly sends one header at a time, holding the connection open for a very long time with limited traffic. On susceptible web servers they would only need to send headers fast enough to keep the TCP connection from timing out, since the web server does not have a timeout for the header stage of the request. The Slow POST attack is similar, but slowly sends chunks of POST data rather than headers, relying on the web server not timing out on those.

BIG-IP mitigated Slowloris by its normal behavior of buffering all the headers before forwarding a request to the backend servers. A limit on the number and/or size of headers allows further refinement of this mitigation. When mitigated, these attacks only generate at most an open connection on the backend with no request. This same behavior mitigated the HTTP/2 Rapid Reset attack and now mitigates the HTTP/2 CONTINUATION attack.

As we can see from this, old attacks can become new ones when a new or significantly revised protocol comes along. This is why, when working on new features, F5 performs Threat Modelling Assessments to categorize possible new variations of old attacks, or completely new attacks, that may apply to a new feature, protocol or service, and builds in protections against those attacks.

Display: none Strikes Again, Now in Email
A recent post over at Lutra Security called Kobold Letters has resurfaced an old trick with CSS, but this time in email. The basic TL;DR of this trick is using display: none in the CSS of an email to hide text in the email until it is forwarded or replied to. Email clients often will convert an email to plain text or try to convert the HTML and CSS slightly.
This results in the ability to put blocks of text in divs or other selectable blocks that can be styled in CSS to hide them, or otherwise change their display and appearance, when they are forwarded or replied to. I don't know if this really changes much in the spear-phishing risk area; at this point organizations should have considerable controls in place to make sure that fund transfers are only acted on with clear verified approval, and that the destinations of fund transfers are vetted and verified, not copied from some email and sent without checking. Fortunately, in this case the vendors have been informed and they are working to provide solutions to this attack, so it may not be viable for very long.

Are Bluetooth Discovery Attacks Drying Up?
I don't have much to write here since I have not yet dug into the data that much, but the Bluetooth Discovery attacks that I talked about in December appear to not be as popular as they once were. I used Wall-of-Flippers at a few conventions in March to collect Flipper and Bluetooth Discovery Spam data, but it appears that not a whole lot of spamming was happening. Apple and Google Android have been working on mitigating these attacks, with Apple having released several iOS updates to patch it. The lack of impact these days may be driving this trend. I do intend to bring the Wall-of-Flippers to more events, and will be doing a bigger writeup on the device, the software and the data collected here on DevCentral in the coming month or two.

Roundup
Not a channel this time, but a single video by TwinkleTwinkie: Understanding & Making PCB Art.
Google to delete records made from users using Incognito Mode in lawsuit settlement.
Microsoft has announced how much it will cost to keep Windows 10 past the date they want you to move to Windows 11. No word on a better Windows 11 UI.
Fake AI law firms are sending DMCA takedowns to generate SEO gains. (Original report)
A recommendation from my recent trip to Las Vegas: Roberto's Taco Shop.
Wi-Fi only works when it's raining. This is a lesson in how sometimes the observations, while absurd, are correct.
Roku wants to insert ads in HDMI inputs?
DEF CON now has hotel blocks at the Sahara Las Vegas, The Fontainebleau Las Vegas and Resort World.

CPU vulns, LoopDOS, AI worms and Bad Bots - March 18th - 24th - This Week in Security
Editor's introduction
Aaron back with you as editor this week, and I'm going to look at a few of the interesting pieces of security news from the week just gone. The good news is, there was a lot of interesting news! The bad news is that interesting news usually means more work for us all... allow me to walk you through a few of the interesting things I saw this week and give you my take on what their real-world impact is going to be to us all.

We in F5 SIRT invest a lot of time understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.

Processor architecture back in the news
First up: processor architecture and vulnerabilities are back in the news again! In the last week we have seen at least three new processor vulnerabilities disclosed. The first two, GhostRace and IPI, both impact all (or most, at least) processor architectures (x86, ARM, RISC-V etc.) and deal with exploiting speculative race conditions. In other words, they are a lot like Spectre and Meltdown (there's a great lightboard session if you need a reminder of that research from 2018). GhostRace (CVE-2024-2193) deals with bypassing synchronization primitives, that is, code designed to prevent multiple threads from trampling on a common resource, like mutexes and spinlocks, by using a Spectre-v1 attack on the speculative execution paths. The research was undertaken specifically on Linux, although it is quite likely (at least in my opinion) that other operating systems will be similarly affected; at least on Linux the research showed that the Linux kernel itself is vulnerable to this style of attack.
IPI Storming (CVE-2024-26602) is the second half of the complete attack demonstrated in the paper(s); because successful exploitation requires the attacker to win a race condition, exploitation would be most successful if winning that race could be guaranteed. That's where IPI Storming comes in. IPI stands for Inter-Processor Interrupt, and the researchers found they could indefinitely 'pause' the victim process by flooding the CPU core it is executing on with interrupts. This allows the attacker to pause the victim process while it is within its 'race' window (how much of a race is it if the other competitor isn't moving, though?) and carry out an infinite number of Speculative Concurrent Use-After-Free attempts. Once successful, this attack can leak memory from a target process or, indeed, the Linux kernel at a rate of 12KB/s.

As with Spectre, Meltdown and most other hardware-level vulnerabilities that we have seen, the only real mitigation here is to ensure you never run untrusted code on your systems. While partial mitigation is being added to the Linux kernel for CVE-2024-26602, completely mitigating these issues would reduce processor and operating system performance so significantly as to be improbable. Most (if not all) processor vendors have responded that the mitigations for GhostRace are identical to those for Spectre v1, in fact. That said, the researchers suggest only a 5% performance overhead for their suggested mitigations, albeit in synthetic benchmarks. Despite that assertion I don't believe we'll see widespread adoption of kernel-level or microarchitecture-level fixes for this or any other similar vulnerabilities; simply put, we are too addicted to the performance boost speculative execution gives us in modern processors.

Just in case Apple were feeling left out with the focus here being on x86 and Linux, we also saw GoFetch published last week.
This flaw is specific to Apple's M1, M2 and M3 silicon and can allow an attacker access to cryptographic keys, allowing them to access encrypted files or any other data protected by those keys. Once again the research deals with exploiting speculative predictions; in this case we aren't predicting branches in code (as per Spectre) but rather the processor's Data Memory-dependent Prefetcher (DMP) tries to predict which memory address the running code is going to request next so that it can be prefetched into cache to improve performance. Apparently sometimes, however, the DMP gets the addresses mixed up with the contents of those addresses, and the attacker can then use cache side channels to guess parts of a cryptographic key until they've recovered the entire key, and the entire attack can be carried out by unprivileged code running as a regular user.

All of the suggested fixes impact performance in some way (did I mention we are addicted to performance already?), though the researchers have suggested mitigations that might be acceptable to the average user, such as pinning cryptographic functions to the "efficiency" cores (which lack DMP functionality) or disabling DMP when running security-critical applications, leaving it available for performance-focused applications. But, as with the other issues we've talked about today, what manufacturer wants to reduce performance when performance benchmarks are one of the very things they rely on to differentiate themselves from the competition? Especially Apple, who leaned heavily into their roots of media production with the M-silicon and saw huge performance gains (talking to AubreyKingF5, This Month in Security editor and videographer extraordinaire, I know that a 4k video which previously took 4 hours to render on his 12-core Intel MacBook now takes 20 minutes thanks to the M-silicon, or, as he put it: "I used to have to set my videos to render overnight. Now, I go get a cup of decaf and it's done when I'm back.").
Would they really want to give any of that up, or push the responsibility back to the user under the guise of "don't run untrusted code"?

https://www.vusec.net/projects/ghostrace/
https://www.macworld.com/article/2276399/gofetch-flaw-m1-m2-m3-processor-cryptographic-performance.html

Packet goes in, packet goes out, packet goes in, packet goes out...
If you've worked in the networking space for any amount of time, you've probably created a routing or bridging loop at least once in your career, right? Just me? Oh... I jest, but at least when trying to reproduce parts of complex environments in the lab, it is (in my experience, anyway!) rather easy to accidentally create a loop with no spanning tree or other mitigations in place, and you can quickly take down an entire switching infrastructure. Honestly, I have done it more than once, although it has, thankfully, been a while. We see them in the F5 SIRT, too; sometimes what presents as a world-ending Distributed Denial of Service (DDoS) turns out to actually be a loop between devices or within a single device, and that storm of traffic was simply a device talking back to itself as fast as it possibly could.

Well, enter LoopDOS. I'm going to say something perhaps controversial here: LoopDOS should not come as a surprise to any of us. At its core, LoopDOS simply states that (I'm paraphrasing) "The UDP protocol lacks any protection against IP spoofing; this allows an attacker to spoof the source IP on malicious traffic directed to Victim A and have the responses sent to Victim B", and this is not really news. In fact, that is the core of many well understood (and well used!)
attacks like DNS amplification, where a small request from the attacker sends a large response from a target DNS server back to the ultimate victim. What's new in LoopDOS, however, is that the researchers have identified a number of UDP-based services which can be exploited such that a single packet from the attacker will cause Victim A and Victim B to talk to each other forever; importantly, the vulnerable services included some very common services like DNS and NTP (plus TFTP, though I think it is fair to say that TFTP is less widely exposed to the Internet than DNS and NTP!). They also demonstrated that legacy services such as QOTD, Chargen, Echo, Time, Daytime and Active Users were vulnerable to the same attack and linked to an old advisory from 1996, CA-1996-01, and honestly this is where I start to have a problem... CA-1996-01 describes exactly what LoopDOS describes, and it described it 28 years ago.

The advice in CA-1996-01 and LoopDOS is also largely the same: be very careful when you expose UDP services; don't expose legacy UDP services like chargen and echo (also widely documented as amplification vectors already); monitor traffic; and implement rate limiting mechanisms to prevent a complete denial-of-service should a loop occur (the LoopDOS authors also recommend migrating to TCP where possible). So AFM's L4 DoS protections are your friend here. I'm not discounting the usefulness or validity of the research, but giving it a catchy name and all the press coverage it's received seems too much for what is a fundamental part of a protocol which has existed for 40 years, and describing a flaw first described nearly 30 years prior. Still, here I am, adding to the news coverage...

https://cispa.de/en/loop-dos
https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack

AI worms
No, not the ones in the video game, but the kind that infiltrate computer systems and do damage or steal data.
Let's talk about ComPromptMized! My first thought was that this was another piece of research on using generative AI to create malware, but no - in fact, this is malware that targets generative AI powered applications like email assistants to coerce those assistants into taking malicious action like sending spam or exfiltrating the legitimate user's data. This is far more intriguing to me than the news we've seen in past months about GenAI writing polymorphic malware; this is basically automated AI prompt-engineering which could be done at scale to quietly subvert existing infrastructure (such as email) to very quietly exfiltrate data. That's much harder to detect than a new piece of malware trampling across systems (IMHO), as the exfil channel is legitimate, expected activity. Once again the only mitigation I can really think of is tightly controlling what software is allowed to run on endpoint devices - ensure users can't download arbitrary executables, white-list only known approved software and so on (of course, antivirus/antimalware/etc tooling has a role to play, but that is shown to be routinely bypassed). As a user, I don't really want to see draconian lockdowns on devices but, as a security professional, I can feel it coming..

https://sites.google.com/view/compromptmized

More Bad Bots

While we are on the topic of malware, I'd like to reference an article that is from slightly outside of "my week" and point everyone to F5 Labs' 2024 Bad Bots Review, published March 14th. This is a great drill-down into the kinds and amounts of bot traffic mobile APIs and web applications are seeing in the real world, trends across industry verticals (healthcare and hospitality being the leaders in the charts for web traffic, while entertainment leads the way for mobile APIs) as well as across functionality (e.g., search and gift cards are most often automated). It's a 15 minute read and, in my opinion, well worth giving the time to!
Of course if (and when) you find yourself on the receiving end of bot traffic, as most sites will at some point, F5 Distributed Cloud Bot Defense can help, as can the F5 SIRT's Emergency Security Response Process if you would rather mitigate using on-premises solutions!

https://www.f5.com/labs/articles/threat-intelligence/2024-bad-bots-review

NISC, NoMoreRansom, AsterX, BTC ETF, March 3rd – March 9th - This Week in Security
Editor's Introduction

This week's security editor is Koichi. For today's TWIS I chose Japanese-related topics: NISC, No More Ransom, AsterX, and Bitcoin ETF.

We in F5 SIRT invest a lot of time understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

NISC and cyber attack on a port

The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is an organization established in the Cabinet Secretariat to develop the information security policies of the Japanese government; it monitors and analyzes malicious activities against the information systems of administrative departments, provides necessary advice, information and other assistance in ensuring cyber security, conducts audits, and so on. It also serves as the general coordinator for cyber security, not only with administrative agencies but also with certain critical infrastructure operating companies. NISC regularly holds meetings to decide its action plans. On March 8, the 39th meeting of the Cybersecurity Strategy Headquarters was held, and according to the publication, ports were added to the critical infrastructure monitoring items for Japan's cybersecurity. The background given for this decision is last year's ransomware incident. On July 4, 2023, the Nagoya United Terminal System (NUTS) at a container terminal at the Port of Nagoya was attacked by the ransomware group "LockBit", halting container loading and unloading operations for approximately three days. This ransomware attack was conducted by "LockBit," an attacker group believed to be of Russian origin.
The incident revealed that there wasn't a person in charge of cyber security for the port operation systems, which needs to be improved. Let us discuss LockBit in the next item.

Source:
https://www.nisc.go.jp/pdf/about/nisc_gaiyou.pdf (Japanese)
https://www.nisc.go.jp/pdf/council/cs/dai39/39cs_press.pdf (Japanese)

"No More Ransom"

LockBit is a ransomware group that provides ransomware as an attack infrastructure, the so-called "RaaS (Ransomware as a Service)" explained in the previous TWIS. The news source reports that nearly a quarter of all ransomware submissions are by LockBit. In February, law enforcement agencies of 14 countries joined forces to launch "Operation Cronos" to defend against LockBit and other criminal groups. In addition to arresting some of the individuals involved, they have taken countermeasures such as seizing related assets such as leak websites, crypto asset (virtual currency) accounts, and decryption keys. The joint team and some security companies also launched the "No More Ransom" website to educate people and give prevention advice. Through Operation Cronos, the European Criminal Police Organization announced that the Japanese National Police Agency developed a tool, the "Decryption Checker", which allows users to investigate how much of the victim files could be decrypted; it only reports how much, it does not decrypt them. It is available on the "No More Ransom" website. For LockBit, the LockBit 3.0 Decrypter is also available on the "No More Ransom" website.

Source:
https://www.security-next.com/154009 (Japanese)

AsterX Space CyberDefense exercise

The French Air and Space Force (Armée de l'Air et de l'Espace Française) conducts AsterX, the space cyber attack/defense exercise, annually. However, participants had been limited to European countries and the United States until recently. This year, AsterX (AsterX 24) will be held in France from April 4 to April 15.
16 countries and European-based aerospace companies like MBDA and Ariane Group will participate, and from this year, Japan's Self-Defense Forces will participate as well. AsterX will be held in the style of a real-time war game. In the scenario, a fictional adversary threatens the space assets of neighboring countries (also fictional), and a joint task force of participants will try to defend the allied country. Some sources of this news see the fictional adversary as a simulation of Russian cyberattacks. One of the good effects of participating in international exercises is to increase partnerships with other countries and companies, which will matter when a real cyber attack happens.

Source:
https://asia.nikkei.com/Politics/Defense/Japan-to-take-part-in-AsterX-space-defense-drill-with-NATO-members
https://air.defense.gouv.fr/asterx/dossier/presentation-asterx-2024

Bitcoin ETF

Bitcoin has reached its ATH (all-time high). The Bitcoin ETF is believed to be the reason for the surge, due to the large inflow of funds. You can check the amount of inflows into that ETF and a heatmap at Bitcoin ETF Overview. So Bitcoin becomes a more valuable asset. How about security? Over 10 years the Bitcoin system, with its robust design, has not been brought down or stopped by attacks. The only successful thefts to date have occurred outside of the Bitcoin protocol. The Bitcoin network’s security is multi-layered. Transaction hashing, mining, block confirmations, and game theory all work together to make Bitcoin’s blockchain impenetrable. The most well-known threat to Bitcoin might be quantum computing (its potential ability to recover a private key from its public key). According to researchers at the University of Sussex, a quantum computer with 1.9 billion qubits of processing power would be needed to break into the Bitcoin network within 10 minutes.
(One block is mined roughly every 10 minutes, so the attacker would need to recover the key within 10 minutes.) As far as I know, this is unlikely to happen with current quantum computers' capabilities. And if it does become possible, and the threat is on the minds of Bitcoin developers, a new Bitcoin Improvement Proposal (BIP) will be filed to adopt post-quantum cryptography.

Kyle Fox's Security News 2023 in Review - F5 SIRT
Intro

I thought we would do a little end of the year roundup of a few subjects I feel are notable from 2023. I will be publishing an article with some things I am looking out for in 2024 and a list of all my YouTube recommendations from 2023 later in January.

Software Bill of Materials

Back in 2021 the White House put out an executive order aiming to improve cybersecurity in the United States. One of the bullet points of that executive order was to improve the software supply chain security of software sold to the Federal Government. This had been largely spurred by a series of breaches in the Federal Government, most prominently the SolarWinds software supply chain attack. Previously there had been breaches because of vulnerabilities in software used by companies and government organizations; one such famous breach was the Equifax breach in 2017 that resulted in a 700 million US dollar settlement. This breach was facilitated by the Apache Struts vulnerability CVE-2017-5638; Equifax had neither patched the vulnerability in Apache Struts, nor did it have Web Application Firewall protections in place and configured properly. After the White House Executive Order, software bill of materials work started to pick up steam; there had been calls leading up to the order to establish SBOMs for software as a standard, and those were discussed in places like Y Combinator News. CISA established efforts to collect and facilitate work on SBOM resources, and Anchore released an SBOM tool called Syft to create lists of packages from containers, and also a tool called Grype to create lists of vulnerabilities from that list by using the NVD database. So by the time 2023 was underway, regulators were putting pressure on the software industry to produce SBOMs and the White House had incorporated this into its ongoing cybersecurity strategy. We expect SBOMs to be a major part of 2024 as well.
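The Syft-then-Grype workflow described above (produce a package inventory, then look each package up in vulnerability data) in miniature, as an added example; this is not Syft's, Grype's or NVD's code. It assumes a CycloneDX-shaped JSON SBOM, constructed here, and a constructed advisory list whose CVE-2017-5638 version ranges are quoted from memory of the public Struts advisory and should be read as illustrative sample data rather than an authoritative feed. The part worth seeing is the version-range comparison: matching on a package URL alone would flag the patched 2.5.13 build as well as the vulnerable 2.3.20 one.

```python
"""Match a CycloneDX SBOM against advisory data (added example, constructed data)."""
import json
import re

# Constructed SBOM in CycloneDX 1.4 JSON shape: two Struts builds and one unrelated library.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
         "version": "2.3.20", "purl": "pkg:maven/org.apache.struts/struts2-core@2.3.20"},
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core",
         "version": "2.5.13", "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.13"},
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"},
    ],
})

# Constructed advisory feed: package purl without version plus inclusive affected ranges.
# The CVE-2017-5638 ranges are from memory of the public advisory; treat as illustrative.
SAMPLE_ADVISORIES = [
    {"id": "CVE-2017-5638", "package": "pkg:maven/org.apache.struts/struts2-core",
     "affected": [("2.3.5", "2.3.31"), ("2.5", "2.5.10")]},
]


def parse_version(v):
    """'2.3.20' -> (2, 3, 20). Non-numeric segments compare as 0 (a simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def version_in_range(v, lo, hi):
    """Inclusive comparison with zero padding so that '2.5' == '2.5.0'."""
    parts = [parse_version(x) for x in (v, lo, hi)]
    width = max(len(p) for p in parts)
    pv, plo, phi = (p + (0,) * (width - len(p)) for p in parts)
    return plo <= pv <= phi


def load_components(sbom_text):
    """Return (purl_without_version, version, full_purl) for each SBOM component."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    out = []
    for comp in doc.get("components", []):
        purl = comp["purl"]
        base, _, rest = purl.partition("@")
        version = rest.split("?")[0].split("#")[0] or comp.get("version", "")
        out.append((base, version, purl))
    return out


def match_vulnerabilities(components, advisories):
    """Return sorted [(purl, advisory_id)] for components inside an affected range."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    hits = []
    for base, version, purl in components:
        for adv in by_package.get(base, []):
            if any(version_in_range(version, lo, hi) for lo, hi in adv["affected"]):
                hits.append((purl, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    for purl, cve in match_vulnerabilities(load_components(SAMPLE_SBOM), SAMPLE_ADVISORIES):
        print(f"{purl}: {cve}")
```

Real tools layer ecosystem-specific version semantics (Maven, semver, RPM epochs) on top of this; the numeric tuple comparison here is enough for dotted versions but is the first thing to replace in production.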
What it Means for an Attack to go Mainstream

Many of us consider an exploit to be mainstream when a Metasploit module is written for it, and that serves well and good for things that Metasploit does well, such as attacks over a network. But what about attacks over wireless? Well, we now have the Flipper. I have previously written about Flipper exploits, but at that time I did not really dive into what it is, exactly. The Flipper Zero is a small Tamagotchi-like device that incorporates a number of wireless and wired technologies and scripts to do things with those technologies. Its wireless capabilities consist of a TI CC1101 driven sub-1 GHz transceiver that can do things like talk to IoT devices and various access control systems. Also, for even more access control system shenanigans, it incorporates both a 125 kHz proximity card reader/writer/emulator and a 13.56 MHz NFC module (ST25R3916). Proximity cards are often used for electronic locks on buildings and provide no security, having been developed using technology that predates microcontrollers small enough to fit on an access badge. 13.56 MHz technology presents a more formidable foe to the Flipper, since most modern access control systems use secure contactless smart cards with technology stacks like MIFARE, but the Flipper is able to conduct brute force and dictionary attacks against some of the simpler cards using this technology. One big feature the Flipper has is Bluetooth, which, as I had written in the This Week In Security linked above, allows a Flipper, in that case loaded with special software, to conduct a discovery spam attack that, at the time it came out, would crash many Apple iOS devices. The Bluetooth is implemented using the onboard Bluetooth support in the Flipper's processor, an STM32WB55RG from ST's new wireless microcontroller lineup.
Other connectivity available on the Flipper is infrared transmit and receive, allowing it to emulate remote controls, and iButton / 1-Wire support, allowing it to read iButtons, which are sometimes used for access control or security guard tour verification systems. All of this information and the supported protocols are expanded upon in the Flipper documentation.

In the SDR field we had been creeping up on this sort of mainstreaming of RF hacking for a long time, starting a long time ago with an ambitious SDR project called the DSP-10, which used the then contemporary Analog Devices ADSP-2181 Digital Signal Processor. Later on Matt Ettus developed the Universal Software Radio Peripheral (USRP), originally sold as kits by Ettus Research, which was later bought out by test equipment manufacturer National Instruments. The USRP is often used beside an SDR suite called GNU Radio, which provides a processing-block oriented environment allowing quick construction of SDR dataflows between processing blocks, and from that, fast concept-to-implementation of SDR solutions. The USRP devices continue to be developed to this day, with devices capable of large RF bandwidths and multiple inputs and outputs topping out the lineup. This all eventually resulted in a device called the HackRF developed by Great Scott Gadgets, which was expanded using the PortaPack to allow portable operation, with expanded software for that called Havoc and Mayhem creating a very capable device. While that was the high end, the low end had its own small revolution when people discovered that you could use a simple DVB-T adapter with the RTL2832 chipset to receive radio signals and feed them into SDR software such as GNU Radio, SDR++, HDSDR, and Gqrx. It's also important to mention that there are a ton of SDR platforms out there these days; in addition to all those above there is also LimeSDR, BladeRF, and KiwiSDR, to name just a few more.
Ransom Attacks Continue

As Aaron reported in January of 2023, the year started off with the Royal Mail (UK) being ransomwared. Probably the most widespread issue with ransomware was the MOVEit critical vulnerability CVE-2023-34362 and its exploitation by the CL0P ransomware gang. This was such a massive and widespread issue that it affected multiple agencies of the US Federal Government, the UK Government, multitudes of private companies, DMVs in two states, and the list keeps going. A cyber attack also hit MGM Resorts, costing the company an estimated $100 million US dollars. I share the sentiment of Megazone when he wrote in May that he is tired of ransomware. We can talk endlessly about solutions, either novel things like zero trust or old standbys like quickly patching vulnerabilities, but as long as IT is considered a cost center and something that is not a priority, the entire industry will teeter on the brink of disaster. Fortunately we are seeing more agencies announce rules requiring breaches to be disclosed, including the HHS for HIPAA covered information, and the SEC for anything "material" to stockholders.

AI Gathers Mindshare and Criticism

2023 started out with ChatGPT as one of the fastest growing online applications, with millions of users using it to do things like write letters and research topics, but as people quickly found out, it could hallucinate facts, drawing any facts it provides into question. This quickly became a problem in the legal sphere when a law firm filed a ChatGPT generated legal brief and was found out. Many lawyers commented on this, some on YouTube as well. Another major conundrum for AI is copyright law: since many of these AI models are trained on copyrighted works, most often without the permission of those works' authors, the resulting work could be said to incorporate all those previous works.
The United States Library of Congress Copyright Office is working on examining this question and President Biden issued an Executive Order on the matter. Not to be left behind, the New York Times has sued OpenAI over its use of NYT articles in training ChatGPT. Although, it's not like human authors are free of this piecemeal copyright infringement. There's also the elephant in the room, the wild ride that was Sam Altman of OpenAI: making a deal with Microsoft, being fired by the OpenAI board, negotiating a position at Microsoft, then being rehired by OpenAI. That was quite a weekend. Outside that, Fullpath is putting out a ChatGPT product to allow chat customer support using AI rather than humans; it's had some odd results. And the New York Times explored some of the other oddities.

Lockbit resurface after takeover & Lazarus are hitting Feb 25th – March 2nd - This Week in Security
Introduction

This week's security editor is Lior Rotkovitch. The latest news highlight was all about the return of Lockbit after the takedown of the Lockbit “ransomware-as-a-service”. The hacking group responded to the takedown and said they were lazy: as they were swimming in money, they forgot to update the PHP servers. This is the nature of security: one goes down, one comes up, or the same one.

Reading the news is just one way to know what's up. Driving a car in endless traffic jams is a great time for listening to podcasts of your favorite kind. The security podcasts that I listened to last week are:

Episode 19 - February 2024 - AI App Security For IoT Edge Devices
It is always a pleasure hearing my EMEA partner Aaron B talking. YouTube episode page

Risky Business #738 -- LockBit is down but not out. Yet.
One of my favorite podcasts. Episode page

Malicious Life - Kevin Mitnick, Part 1
And finally, Malicious Life is back with an episode on Kevin Mitnick. Episode page

Until next time, keep it safe.

LockBit ransomware returns, restores servers after police disruption

On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel. Immediately after the takedown, the gang confirmed the breach, saying that they lost only the servers running PHP and that backup systems without PHP were untouched. LockBit says that law enforcement, to which they refer collectively as the FBI, breached two main servers “because for 5 years of swimming in money, I became very lazy.” “Due to my personal negligence and irresponsibility, I relaxed and did not update PHP in time.” The threat actor says that the victim’s admin and chat panels server and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/#google_vignette
https://www.securityweek.com/lockbit-ransomware-gang-resurfaces-with-new-site/

Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin

The flaw, tracked as CVE-2024-1071 (CVSS score of 9.8), affects websites running the Ultimate Member WordPress membership plugin and could be exploited by unauthenticated attackers to append SQL queries to existing ones and extract information from databases. According to Defiant, the bug exists because of an insecure implementation in the users' query functionality, which results in the text sanitization function failing to protect against SQL injection attacks. The company’s researchers also found that the structure of the query only allows attackers to take a time-based blind approach, using SQL CASE statements and the sleep command while observing the response time for the requests to steal information.

https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordpress-plugin/

The Week in Ransomware - March 1st 2024 - Healthcare Under Siege

The most impactful attack of 2024 so far is the attack on UnitedHealth Group's subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack. In some cases, patients are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments. To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of data from Change Healthcare during the attack, containing the personal information of millions of people. The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.
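Returning to the Ultimate Member item above: the time-based blind technique it describes leaves two correlated traces in a web server's access log, a conditional delay expression in the request and a response time that matches the requested delay, and that pairing is what a defender can key on. The following detector is an added example, not code from Defiant or from the plugin. It assumes a combined-format nginx/Apache log with the request time in seconds appended as the final field, a made-up `/search` endpoint, and constructed log lines; it generalizes the article's CASE/sleep pattern to the delay primitives of the other common SQL engines.

```python
"""Flag time-based blind SQL injection probes in access logs (added example, constructed data)."""
import re
from urllib.parse import unquote_plus

# Combined log format with $request_time appended (assumed log configuration).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)

# Delay primitives (MySQL, PostgreSQL, MSSQL) plus the CASE form named in the article.
# The word "sleep" on its own is not enough: it must be called, hence the "(".
DELAY_RE = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b|\bcase\s+when\b",
    re.IGNORECASE,
)

# Constructed sample log: one normal request, one benign query containing the word
# "sleep", one probe that executed its delay, one slow but legitimate report page,
# and one probe the server rejected quickly.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "GET /search?q=member HTTP/1.1" 200 1834 "-" "Mozilla/5.0" 0.042
198.51.100.4 - - [01/Mar/2024:10:00:02 +0000] "GET /search?q=sleep+apnea HTTP/1.1" 200 920 "-" "Mozilla/5.0" 0.031
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "GET /search?q=member%27%20AND%20(SELECT%20CASE%20WHEN%20(1%3D1)%20THEN%20SLEEP(5)%20ELSE%200%20END)--%20 HTTP/1.1" 200 1834 "-" "Mozilla/5.0" 5.061
198.51.100.4 - - [01/Mar/2024:10:00:04 +0000] "GET /reports/yearly HTTP/1.1" 200 40211 "-" "Mozilla/5.0" 6.500
203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "GET /search?q=member%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 500 0 "-" "Mozilla/5.0" 0.020
"""


def parse_line(line):
    """Return a dict of log fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["decoded_url"] = unquote_plus(rec["url"])  # decode before matching
    return rec


def detect_time_based_sqli(log_text, slow_seconds=3.0):
    """Return findings as {ip, url, response_time, confidence}.

    'high': a delay primitive is present AND the response was slow, i.e. the injected
    delay most likely executed. 'low': the primitive is present but the request returned
    quickly (rejected, errored, or the conditional branch was not taken). Slow requests
    without an injection marker are ignored; slow pages are normal.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not DELAY_RE.search(rec["decoded_url"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "url": rec["decoded_url"],
            "response_time": rec["rt"],
            "confidence": "high" if rec["rt"] >= slow_seconds else "low",
        })
    return findings


def probes_per_client(findings):
    """Count probes per source address; blind extraction needs many requests per bit."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_time_based_sqli(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['ip']} {f['response_time']:.3f}s {f['url']}")
```

Because extracting data this way takes one request per bit or character, the per-client count is the more useful alerting signal than any single hit: a handful of high-confidence lines from one address in a short window is a running extraction, not a scanner drive-by.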
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-1st-2024-healthcare-under-siege/

Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

Hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository to infect developer systems with malware. The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview. An interesting commonality between the two sets of attacks is that the malicious code is concealed within a test script ("test.py"). In this case, however, the test file is merely a smokescreen for what's an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT. The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that's responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.

https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html
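The Lazarus item above relies on a developer mistyping a package name, so the corresponding defensive check runs before install: compare every name in a requirements file against a list of popular packages and flag anything one edit away from a well-known name. This is an added example, not code from Phylum, PyPI or the original report. Both the popular-package list and the requirements file are constructed samples (a real deployment would use a current download-ranked list), and the distance used is optimal string alignment, which counts an adjacent transposition as a single edit so that a swapped letter pair scores 1.

```python
"""Flag requirement names that are a typo away from a popular package (added example)."""
import re

# Constructed stand-in for a download-ranked list of popular PyPI packages.
POPULAR = ["requests", "numpy", "pandas", "urllib3", "cryptography", "boto3",
           "pillow", "setuptools", "python-dateutil"]

# Constructed requirements.txt with three near-misses and two exact matches.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
requests==2.31.0
reqeusts
numpy>=1.26
panda
urlib3==2.0.7
pillow
-e git+https://example.invalid/repo.git#egg=internal_tool
"""


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def requirement_names(text):
    """Extract normalized project names; comments, blanks and option lines are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def find_typosquats(names, popular=POPULAR, max_distance=1, min_len=4):
    """Return [(requested, suspected_target, distance)] for near-misses.

    Exact matches are fine. Very short names are skipped: one edit turns them into
    unrelated real packages, which produces noise rather than signal.
    """
    pop = [normalize(p) for p in popular]
    findings = []
    for name in names:
        if name in pop or len(name) < min_len:
            continue
        best = min(((osa_distance(name, p), p) for p in pop), default=None)
        if best is not None and best[0] <= max_distance:
            findings.append((name, best[1], best[0]))
    return findings


def check_requirements(text):
    """Convenience wrapper: parse a requirements file and report suspected typosquats."""
    return find_typosquats(requirement_names(text))


if __name__ == "__main__":
    for requested, target, dist in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"'{requested}' is {dist} edit from '{target}': review before installing")
```

A hit is a prompt for review, not proof of malice: the flagged name may be a harmless unrelated project, but with the attack above the cost of pausing to check is far smaller than the cost of running its test script.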