Security News

Clorox estimates the costs of the August cyberattack will exceed $49 Million

3 February 2024 at 19:57

Cleaning products giant Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million.

The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household and professional cleaning, health, and personal care products.

The cleaning product giant announced in mid-August it was the victim of a cybersecurity incident that forced it to take some systems offline.

At this time, Clorox has yet to share technical details of the cyberattack. The described impacts suggest that the company was likely the victim of a ransomware attack.

According to a filing with the SEC, Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million.

The costs include losses caused by disruptions, as well as expenses for third-party forensics and consultants assisting the company in investigating and remediating the attack.

The company also expects a negative impact on its fiscal year 2024 results.

“The effects of the cyberattack are expected to negatively impact fiscal year 2024 results, though some of the anticipated net sales not recognized in the first quarter as a result of the disruptions were recognized in the second quarter, and some are expected to be recognized in subsequent quarters of fiscal year 2024 as customers rebuild inventories.” reads the SEC filing. “The Company also incurred incremental expenses of approximately $25 and $49 as a result of the cyberattack for the three and six months ended December 31, 2023, respectively. These costs relate to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company’s business operations. The Company expects to incur lessening costs related to the cyberattack in future periods.”

The company added that it did not record any insurance proceeds in the three and six months ending on December 31, 2023, associated with the cyberattack. The recognition of insurance recoveries, if applicable, may not align with the timing of recognizing the associated expenses.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Clorox)

Security Affairs newsletter Round 457 by Pierluigi Paganini – INTERNATIONAL EDITION

4 February 2024 at 10:18

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Clorox estimates the costs of the August cyberattack will exceed $49 Million
Mastodon fixed a flaw that can allow the takeover of any account
Iranian hackers breached Albania’s Institute of Statistics (INSTAT)
Operation Synergia led to the arrest of 31 individuals
Ex CIA employee Joshua Adam Schulte sentenced to 40 years in prison
Cloudflare breached on Thanksgiving Day, but the attack was promptly contained
PurpleFox malware infected at least 2,000 computers in Ukraine
Multiple malware used in attacks exploiting Ivanti VPN flaws
Police seized 50,000 Bitcoin from operator of the now-defunct piracy site movie2k
Crooks stole around $112 million worth of XRP from Ripple’s co-founder
CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog
Ivanti warns of a new actively exploited zero-day
Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware
Data leak at fintech giant Direct Trading Technologies
Root access vulnerability in GNU Library C (glibc) impacts many Linux distros
Italian data protection authority said that ChatGPT violated EU privacy laws
Juniper Networks released out-of-band updates to fix high-severity flaws
Hundreds of network operators’ credentials found circulating in Dark Web
Cactus ransomware gang claims the Schneider Electric hack
Mercedes-Benz accidentally exposed sensitive data, including source code
Experts detailed Microsoft Outlook flaw that can leak NTLM v2 hashed passwords
NSA buys internet browsing records from data brokers without a warrant
Ukraine’s SBU arrested a member of Pro-Russia hackers group ‘Cyber Army of Russia’
Multiple PoC exploits released for Jenkins flaw CVE-2024-23897
Medusa ransomware attack hit Kansas City Area Transportation Authority

Cybercrime

Who is Alleged Medibank Hacker Aleksandr Ermakov?

Ransomware Revenue Down As More Victims Refuse to Pay  

Energy giant Schneider Electric hit by Cactus ransomware attack

Hundreds Of Network Operators’ Credentials Found Circulating In Dark Web  

Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider

Data of 750 Million Indian Mobile Subscribers Sold on Hacker Forums     

Hackers steal $112 million of XRP Ripple cryptocurrency  

movie2k.to: Ex-operator hands over BTC worth 2 billion euros 

Portland Man Sentenced to Federal Prison for Role in SIM Swapping Identity Theft and Fraud Scheme  

INTERPOL-led operation targets growing cyber threats  

Malware

New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying  

KRUSTYLOADER – RUST MALWARE LINKED TO COMPROMISED IVANTI CONNECTSECURE  

Evolution of UNC4990: Uncovering USB Malware’s Hidden Depths  

China’s Hackers Have Entire Nation in Their Crosshairs, FBI Director Warns  

Outsmarting Ransomware’s New Playbook

UAC-0027: DIRTYMOE (PURPLEFOX) affected more than 2000 computers in Ukraine  

Hacking

Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes 

Thanksgiving 2023 security incident

Exclusive: US disabled Chinese hacking network targeting critical infrastructure   

Iran-linked hackers claim attack on Albania’s Institute of Statistics     

Intelligence and Information Warfare 

Ukraine’s security service detains member of Russian ‘Cyber Army’  

Wyden Releases Documents Confirming the NSA Buys Americans’ Internet Browsing Records

The Bear and The Shell: New Campaign Against Russian Opposition   

Spying From Space 

Wikileaks source and former CIA worker Joshua Schulte sentenced to 40 years jail

Former Cia Officer Joshua Adam Schulte Sentenced To 40 Years In Prison For Espionage And Child Pornography Crimes  

Cybersecurity

How a mistakenly published password exposed Mercedes-Benz source code

Zero-day, supply-chain attacks drove data breach high for 2023      

ChatGPT violated European privacy laws, Italy tells chatbot maker OpenAI

ENISA Single Programming Document 2024 – 2026

Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog()   

Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities         

Pierluigi Paganini

AnyDesk Incident: Customer Credentials Leaked and Published for Sale on the Dark Web

4 February 2024 at 10:51

Resecurity identified bad actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.

Such information being available to cybercriminals could act as a catalyst for new attacks, including targeted phishing campaigns. With additional context about a particular customer, the probability of a successful compromise increases significantly. For example, these details could be used in malicious emails sent on behalf of the software vendor, managed service providers (MSPs), or IT outsourcing companies with the goal of acquiring sensitive information; in such a case, downstream damage may be significant.

The sources and methods for acquiring data of this nature may vary depending on the threat actors’ unique Tactics, Techniques, and Procedures (TTPs). While this credential leak is widely believed to be the result of infostealer infections, the uncertainty nevertheless creates a new area of concern. Assuming the prevailing infostealer hypothesis is correct, and considering the latest incident disclosure, timely password resets would be a mandatory mitigation measure for all AnyDesk customers. The end users of AnyDesk include IT administrators, who are often targeted by threat actors. Thus, it is critical that AnyDesk ensures this cyberattack hasn’t impacted access to any other critical systems to which their IT admins may have privileged access.

By gaining access to the AnyDesk portal, bad actors could learn meaningful details about the customers, including but not limited to the license key in use, number of active connections, duration of sessions, customer ID and contact information, email associated with the account, and the total number of hosts with remote access management software activated, along with their online or offline status and IDs.


 It is possible that cybercriminals familiar with the incident are hurrying to monetize available customer credentials via the Dark Web acquired from different sources, understanding that AnyDesk may take proactive measures to reset their credentials. Such data could be extremely valuable for both initial access brokers and ransomware groups familiar with AnyDesk, often abused as one of the tools following successful network intrusions. Notably, per additional context acquired from the actor, the majority of exposed accounts on the Dark Web didn’t have 2FA enabled.

Notably, the timestamps visible on the shared screenshots by the actor illustrate successful unauthorized access with sessions dated Feb 3, 2024 (post-incident disclosure). Some users may not have changed their password, or this process might still be ongoing. Handling remediation, especially for a large customer base, is complex and may not be instantly executed.


Per a public statement from AnyDesk on February 2, 2024, “as a precaution, we (AnyDesk) are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.” However, there seems to be an issue with it. Other cybersecurity experts, such as Alon Gal, Co-Founder & CTO of Hudson Rock, have also noticed the issue and alerted the broader community. According to Gal, over 30,000 user credentials could be circulating on the Dark Web due to infostealer activity. Proper mechanisms should be considered to mitigate the risk of customer compromise, regardless of the past incident announcement.

Dark Web actors have expressed a strong interest in AnyDesk customer credentials. The opportunity to acquire them in bulk will be extremely attractive for actors involved in spam, online banking theft, scam, business email compromise (BEC), and account takeover (ATO) activities. The spectrum of cyber risks associated with this new development transforms proportionally, ranging from the use of this information in further fraudulent and scam campaigns to targeted phishing and malicious cyber activity.

Resecurity informed AnyDesk and notified multiple consumers and enterprises whose credentials have been exposed on the Dark Web.

Notably, the activity with AnyDesk comes right after Cloudflare announced it was targeted, along with Microsoft and Hewlett Packard Enterprise disclosing cybersecurity incidents conducted by a suspected nation-state attacker.

Additional details are available in the analysis published by cybersecurity firm Resecurity:

https://www.resecurity.com/blog/article/following-the-anydesk-incident-customer-credentials-leaked-and-published-for-sale-on-the-dark-web

Pierluigi Paganini

A cyberattack impacted operations at Lurie Children’s Hospital

4 February 2024 at 14:46

A cyber attack forced Lurie Children’s Hospital in Chicago to take IT systems offline with a severe impact on its operations.

The Lurie Children’s Hospital in Chicago took IT systems offline after a cyberattack. The security incident severely impacted normal operations, also delaying medical care.

Lurie Children’s Hospital is one of the top pediatric hospitals in the United States. Formerly known as Children’s Memorial Hospital, it was renamed in recognition of Ann and Robert H. Lurie, who made a significant donation to the hospital.

Lurie Children’s Hospital offers a wide range of specialized medical services, including pediatric surgery, oncology, cardiology, neurology, and neonatology.

In addition to its clinical services, Lurie Children’s Hospital is actively involved in pediatric research, striving to advance medical knowledge and develop innovative treatments for childhood diseases and disorders.

Lurie Children’s is a Chicago-based pediatric acute care hospital with 360 beds. It is located on the university’s Streeterville campus and has more than 1,665 physicians on its medical staff and 4,000 employees.

The hospital announced this week that it promptly started the incident response procedure. The healthcare organization notified law enforcement agencies and is working with leading experts to investigate the incident.


“Lurie Children’s is actively responding to a cybersecurity matter. We are taking this very seriously, are investigating with the support of leading experts, and are working in collaboration with law enforcement agencies. As part of our response to this matter, we have taken network systems offline.” states a first update provided by the hospital. “We recognize the concern and inconvenience the systems outage may cause our patient families and community providers, and are working diligently to resolve this matter as quickly and effectively as possible.”

Lurie confirmed that the attack disrupted the hospital’s access to the internet, email, phone services, and the MyChart platform.

“The incident has impacted phones, emails, internet service, some elective surgeries and procedures even had to be canceled.” reported the website Abc7chicago.


A dedicated helpline has been set up to address various requirements, such as handling non-urgent patient inquiries, addressing care-related questions, providing details about scheduled patient appointments, and processing requests for prescription refills.

At this time, no ransomware group has claimed responsibility for the cyber attack on Lurie Children’s Hospital.

Cyber attacks against hospitals are very dangerous, and despite major ransomware gangs imposing restrictions on their affiliates to avoid targeting them, many incidents have recently made headlines.

Pierluigi Paganini

US government imposed sanctions on six Iranian intel officials

4 February 2024 at 18:20

The US government issued sanctions against six Iranian government officials linked to cyberattacks against critical infrastructure organizations. 

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad.

“Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization responsible for a series of malicious cyber activities against critical infrastructure in the United States and other countries.” reads the announcement published by the US OFAC.

The six members of the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) are Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian.

Reza Lashgarian is also the head of the IRGC-CEC. The Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) is an organization within the Iranian government responsible for cybersecurity and cyber warfare. It is considered a major threat by many countries, including the United States, due to its involvement in various malicious cyber activities.

The announcement states that these individuals were involved in cyber operations against critical infrastructure: they hacked programmable logic controllers manufactured by the Israeli firm Unitronics and posted images on their screens.

The OFAC states that ICS and SCADA systems used in critical infrastructure environments are sensitive targets.

“The deliberate targeting of critical infrastructure by Iranian cyber actors is an unconscionable and dangerous act,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.  “The United States will not tolerate such actions and will use the full range of our tools and authorities to hold the perpetrators to account.”

While this specific operation did not disrupt critical services, attacks of this kind can jeopardize public welfare and result in severe humanitarian consequences.

Iran-linked threat actors are known for their cyber activities against U.S. critical infrastructure, including ransomware attacks. They also targeted entities in European countries and Israel.

Pierluigi Paganini

Software firm AnyDesk disclosed a security breach

5 February 2024 at 07:18

Remote desktop software company AnyDesk announced that threat actors compromised its production environment.

Remote desktop software company AnyDesk announced on Friday that threat actors had access to its production systems.

The security breach was discovered as a result of a security audit, and the company immediately notified the relevant authorities. AnyDesk did not reveal whether it had suffered a data breach.

AnyDesk is a remote desktop software that allows users to connect to a computer or device remotely. It enables users to access and control a computer from another location as if they were sitting in front of it. AnyDesk is commonly used for remote technical support, online collaboration, and accessing files or applications on a remote computer.

The company started a remediation and response plan with the help of cyber security firm CrowdStrike. AnyDesk pointed out that this security breach is not related to ransomware.

“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware.” reads the incident response notice published by the company.

In response to the security breach, the company revoked all security-related certificates and systems have been remediated or replaced where necessary.

The company is going to revoke the existing code signing certificate used to sign its binaries.

AnyDesk remarked that its systems don’t store private keys, security tokens or passwords that could be exploited by threat actors to target end-user devices. As a precaution, the company also revoked all passwords to the web portal my.anydesk.com, and recommended that users change their passwords if the same credentials are used elsewhere.

Researchers at cybersecurity firm Resecurity identified threat actors offering a significant number of AnyDesk customer credentials for sale on the Dark Web.


Resecurity experts pointed out that it is possible that cybercriminals familiar with the incident are hurrying to monetize available customer credentials via the Dark Web acquired from different sources, understanding that AnyDesk may take proactive measures to reset their credentials. Such data could be extremely valuable for both initial access brokers and ransomware groups familiar with AnyDesk, often abused as one of the tools following successful network intrusions. Notably, per additional context acquired from the actor, the majority of exposed accounts on the Dark Web didn’t have 2FA enabled.

“The samples provided by the threat actors were related to compromised access credentials that belong to various consumers and enterprises, and which grant access to the AnyDesk customer portal. As a security measure, the threat actor sanitized some of the passwords. The threat actor offered 18,317 accounts for $15,000 to be paid in cryptocurrency.” reported Resecurity. “He also agreed to make a deal via escrow on Exploit. Resecurity reached out to the majority of the contacts identified as potential victims and confirmed they had used AnyDesk products recently or long ago. The threat actor didn’t share any additional information.”

Pierluigi Paganini

The ‘Mother of all Breaches’: Navigating the Aftermath and Fortifying Your Data with DSPM

4 February 2024 at 21:19

What is Data Security Posture Management (DSPM) and how you can mitigate the risks of data leaks such as the ‘Mother of All Breaches’

Cybersecurity researchers recently uncovered what is now being dubbed the ‘Mother of all Breaches.’ With over 26 billion personal records exposed, this data leak has set a new, unfortunate record in the world of cybersecurity. Platforms such as Twitter, LinkedIn, and Dropbox were among the victims, highlighting the pervasive nature of the breach that has sent shockwaves across the digital landscape.

The leaked information includes a staggering amount of sensitive personal details, making users susceptible to identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts. What makes this breach particularly alarming is the inclusion of records from various government organizations across the United States, Brazil, Germany, the Philippines, Turkey, and more.

As the cybersecurity community grapples with the aftermath of this massive data leak, it’s essential to reflect on the implications and consider proactive measures to avoid such catastrophes in the future. One key aspect that emerges from this incident is the growing security gap in the cloud, where the data housed within the infrastructure becomes a vulnerable target.

The Cloud Data Security Gap and the Rise of DSPM

The increasing reliance on cloud storage for sensitive data has given rise to a significant security gap, commonly referred to as the cloud data security gap. According to a recent report, in 2023, cloud-based data breaches made up 45% of all breaches. This gap represents the disparity between the security measures implemented for cloud infrastructure and the actual security of the data residing within it. It is in response to this challenge that the concept of Data Security Posture Management (DSPM) has gained prominence.

DSPM diverges from traditional Cloud Security Posture Management (CSPM) solutions by focusing on the data itself rather than just identifying vulnerabilities in the cloud infrastructure. CSPM may be effective in pinpointing weaknesses in the infrastructure, but it often falls short in addressing the unique challenges posed by securing sensitive data in dynamic and distributed cloud environments.

How DSPM Mitigates the Risk of Catastrophic Data Breaches

Finding and Eliminating Shadow Data:

Shadow data, scattered across various locations without adhering to organizational data management frameworks and security policies, poses a significant risk. DSPM solutions excel in locating shadow data, providing actionable guidance for deletion or remediation. They identify sensitive information across different security postures, discover duplicate copies, and scrutinize privileges, mitigating the risk of unauthorized access.

Identifying Over-Privileged Users and Third Parties:

Controlling access to data is a fundamental principle of cybersecurity, but traditional access controls are tied to specific data stores. DSPM extends access control policies across cloud environments, ensuring that access control travels with the data, even when it is copied or moved. This prevents situations where copied data no longer adheres to the original access control policies.

Identifying Data Movement and Ensuring Security Posture Follows:

In the dynamic landscape of cloud computing, data moves seamlessly, but its security posture may not necessarily follow. DSPM solutions monitor data movement, detect changes in security posture, and alert relevant teams for remediation. By focusing on securing sensitive data rather than just cloud infrastructure, DSPM provides a comprehensive solution to the challenges posed by the distributed nature of cloud computing.

Conclusion

The recent ‘Mother of all Breaches’ serves as a stark reminder of the evolving threats in cyberspace. As organizations grapple with the fallout, adopting a data-centric approach through DSPM emerges as a crucial step in fortifying against catastrophic data breaches. By ensuring that sensitive data always maintains the correct security posture, DSPM not only reduces the risk of breaches but also instills confidence in users and administrators regarding data security in the cloud. As the digital landscape continues to evolve, proactive measures like DSPM are essential for safeguarding the integrity of sensitive information in an increasingly interconnected world.

About the author,  Ron Reiter, CTO and cofounder of Sentra.


Crooks stole $25.5 million from a multinational firm using a ‘deepfake’ video call

5 February 2024 at 10:50

Scammers stole HK$200 million (roughly $25.5 million) from a multinational company using a deepfake conference call to trick an employee into transferring the funds.

Scammers successfully stole HK$200 million (approximately $25.5 million) from a multinational company in Hong Kong by employing a deepfake video call to deceive an employee into transferring the funds.

The employee attended a video conference call with deepfake recreations of the company’s chief financial officer (CFO) and other employees who instructed him to transfer the funds.

The news was reported by The South China Morning Post, however the local authorities did not name the company.

“Everyone present on the video calls except the victim was a fake representation of real people. The scammers applied deepfake technology to turn publicly available video and other footage into convincing versions of the meeting’s participants.” reads the post published by The South China Morning Post.

The scammers used publicly available footage of the company employees and used deepfake technology to create fake versions of the participants of the meeting.

Crooks targeted an employee in the finance department of the company. They sent an email to the employee urging him to participate in a video call with the UK-based CFO to receive instructions for transactions to be performed.

The employee executed the money transfers during the meeting and transferred around HK$200 million to five bank accounts, with 15 transactions.

The employee discovered the scam a week later and notified the company and local authorities.

“Hong Kong police senior superintendent Baron Chan said that during the video call, the employee was asked to do a self-introduction, but did not interact with anyone else.” reported the website The Star.

“The ‘fake’ colleagues gave orders to the victim, and the meeting ended abruptly after, added Chan.”

The police revealed that the scammers also targeted other employees of the company with the same technique, but the attempts failed.

The investigation is still ongoing; the police have yet to identify the gang behind the scam.

Pierluigi Paganini

How to hack the Airbus NAVBLUE Flysmart+ Manager

5 February 2024 at 15:13

Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data.

Flysmart+ is a suite of apps for pilot EFBs (electronic flight bags), helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited to tamper with the engine performance calculations. The experts pointed out that the issue could potentially lead to a tailstrike or runway excursion during departure.

Pen Test Partners says the app helps “deliver efficient and safe departure and arrival of flights”.

The researchers noticed that one of the iOS apps had ATS (App Transport Security) intentionally disabled.

ATS is an iOS security mechanism that forces apps to communicate over HTTPS; disabling it means the app’s traffic can travel over plain HTTP, where it can be intercepted and tampered with.

“With ATS disabled, insecure communication happens. It makes the app susceptible to interception where an attacker could force a victim to use the unencrypted HTTP protocol while forwarding the data to the real server, encrypted.” reads the report published by Pen Test Partners. “An entry in the info.plist file alongside the app allows insecure HTTP loads to any domain.”
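As an added example (not code from the Pen Test Partners report or from Airbus/NAVBLUE), the following Python script shows how an app reviewer or mobile security team can audit an iOS app’s Info.plist for the App Transport Security settings discussed above. The three plists are constructed samples: ATS disabled app-wide, ATS on with a narrow exception for a hypothetical legacy host, and the default with no ATS dictionary at all.

```python
import plistlib

# Constructed sample, not the real Flysmart+ Info.plist: ATS disabled for every
# domain, the weak setting the report describes ("allows insecure HTTP loads
# to any domain").
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS stays on, with one explicit exception for a
# hypothetical legacy host. Still worth a finding, but the exposure is scoped.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.invalid</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: no NSAppTransportSecurity key, so ATS defaults apply and
# every load must use HTTPS.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.efb</string>
</dict>
</plist>
"""


def ats_findings(plist_bytes):
    """Return a list of human-readable findings about ATS weakening in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings = []
    if not isinstance(ats, dict):
        return findings  # no ATS dictionary: HTTPS is enforced for all loads
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: plaintext HTTP permitted to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: web views may load any plaintext URL")
    for host, rules in (ats.get("NSExceptionDomains") or {}).items():
        if not isinstance(rules, dict):
            continue
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "including subdomains" if rules.get("NSIncludesSubdomains") else "host only"
            findings.append(f"NSExceptionAllowsInsecureHTTPLoads=true for {host} ({scope})")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"NSExceptionRequiresForwardSecrecy=false for {host}")
    return findings


def ats_disabled_globally(plist_bytes):
    """True when the plist permits plaintext HTTP to every host, as in the Flysmart+ case."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    return isinstance(ats, dict) and bool(ats.get("NSAllowsArbitraryLoads"))


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("default", DEFAULT_PLIST)):
        print(name, "->", ats_findings(blob) or ["no ATS weakening found"])
```

Run the same function over a real app bundle with `plistlib.load(open("Info.plist", "rb"))`; binary plists are handled by the same call.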

Pen Test Partners researchers were able to exploit the issue to view the data being downloaded from the NAVBLUE Servers.

Most of the files downloaded by the researchers were SQLite databases containing information on specific aircraft, and many of them included take-off performance data (PERF).


An attacker can modify the aircraft performance data included in these files or adjust airport information such as runway lengths, with serious consequences.

In a practical attack scenario, threat actors have to tamper with the traffic from the apps when pilots update Flysmart+ EFB apps over a potentially insecure network. The apps would likely be updated once a month.

“Given that airlines typically use the same hotel for pilots who are down route / on a layover, an attacker could target the hotel’s Wi-Fi networks with the goal of modifying aircraft performance data.” continue the experts. “It’s quite easy to identify pilots in layover hotels. It’s also fairly easy to identify the airline and therefore the suite of EFB apps they are likely to be using.”

The experts reported the issue to Airbus in June 2022. The company confirmed that the next version of the software would address the issue. The company also added that it has provided a mitigation measure to its customers in May 2023.

Pierluigi Paganini

Experts warn of a surge of attacks targeting Ivanti SSRF flaw 

5 February 2024 at 19:29

The Ivanti SSRF vulnerability tracked as CVE-2024-21893 is actively exploited in attacks in the wild by multiple threat actors.

The Ivanti Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2024-21893, is currently being actively exploited in real-world attacks by various threat actors.

Last week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

The flaw CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Connect Secure (9.x, 22.x), Policy Secure (9.x, 22.x) and Neurons for ZTA. An authenticated attacker can exploit the issue to access certain restricted resources.

The company warned that the situation is still evolving and multiple threat actors can rapidly adapt their tactics, techniques, and procedures to exploit these issues in their campaigns.

“At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure.” reads the advisory.

“Be aware that the situation is still evolving. Ivanti will update this knowledge base article as more information becomes available.”

The software firm recommends importing the “mitigation.release.20240126.5.xml” file via the download portal as a temporary workaround to address CVE-2024-21888 and CVE-2024-21893.

On February 2, 2024, researchers from Rapid7 published a technical analysis of the issue along with a proof-of-concept (PoC) exploit. The availability of PoC exploit code could help threat actors launch attacks against Internet-facing installs.

Researchers from Shadowserver observed the exploitation of the flaw CVE-2024-21893 in the wild by multiple threat actors, however, they pointed out that the attacks began hours prior to the publication of the Rapid7 PoC code.

As of today you can also track CVE-2024-21893 exploitation on our Dashboard at https://t.co/zpV2pgRlNp

Ivanti products exploitation attempts by CVE over time (now includes CVE-2024-21893, note tag added 2024-02-03): https://t.co/iaH6eRbU98

— Shadowserver (@Shadowserver) February 4, 2024

The attacks observed by Shadowserver involved hundreds of distinct IP addresses.

On January 1st, for the first time since its establishment, CISA ordered federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure products within 48 hours.


HPE is investigating claims of a new security breach

6 February 2024 at 07:59

Hewlett Packard Enterprise (HPE) is investigating a new data breach after a threat actor claimed to have stolen data on a hacking forum.

Hewlett Packard Enterprise (HPE) is investigating a new data breach, following the discovery of an offer on a hacking forum where a threat actor claimed to be selling the allegedly stolen data.

According to Bleeping Computer, the company has yet to find any evidence suggesting a new security breach.

The announcement was published on BreachForums by a threat actor who uses the moniker IntelBroker.

“Hello BreachForums Community. Today, I am selling the data I have taken from Hewlett Packard Enterprise.” reads the announcement published by IntelBroker. “More specifically, the data includes: CI/CD access , System logs , Config Files , Access Tokens , HPE StoreOnce Files (Serial numbers warrant etc) & Access passwords. (Email services are also included)”

The announcement also published some screenshots containing allegedly stolen HPE credentials.


IntelBroker is considered a reputable threat actor; it was linked to the breaches of DC Health Link and Volvo Cars.

Recently Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment.

The attackers were collecting information on the cybersecurity division of the company and other functions.

HPE became aware of the intrusion in December 2023 and immediately launched an investigation into the security breach with the help of external cybersecurity experts.

The investigation revealed that the attackers gained access to the company environment and had been exfiltrating data since May 2023. The cyberspies compromised a small percentage of HPE mailboxes belonging to individuals in its cybersecurity, go-to-market, business segments, and other functions.

“On December 12, 2023, Hewlett Packard Enterprise Company (the “Company,” “HPE,” or “we”) was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity.” reads the Form 8-K filing with the U.S. Securities and Exchange Commission (SEC). “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The investigation is still ongoing, however, the IT giant determined that the intrusion is likely linked to another attack conducted by the same APT group, of which they were notified in June 2023.

As early as May 2023, the company discovered unauthorized access to and exfiltration of a limited number of SharePoint files.


U.S. Gov imposes visa restrictions on individuals misusing Commercial Spyware

6 February 2024 at 10:52

The U.S. government imposes visa restrictions on individuals who are involved in the illegal use of commercial spyware.

The U.S. State Department announced it is implementing a new policy to impose visa restrictions on individuals involved in the misuse of commercial spyware.

The policy underscores the U.S. government’s commitment to addressing the misuse of surveillance software, which poses a significant threat to society.

“The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases. Additionally, the misuse of these tools presents a security and counterintelligence threat to U.S. personnel.” reads the announcement. “The United States stands on the side of human rights and fundamental freedoms and will continue to promote accountability for individuals involved in commercial spyware misuse.”

The policy specifically addresses the abuse of commercial spyware for unlawfully surveilling, harassing, suppressing, or intimidating individuals.

Visa restrictions target individuals believed to facilitate or derive financial benefit from the misuse of commercial spyware and also surveillance companies that act on behalf of governments.

The restrictions are extended to the immediate family members of the targeted individuals, including spouses and children of any age.

In March 2023, the US Government issued an Executive Order on the prohibition on use by the United States Government of commercial spyware that poses risks to national security.

In July 2023, the Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa and Cytrox to the Entity List for trafficking in cyber exploits used to gain access to information systems.

The Entity List maintained by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) is a trade control list created and maintained by the U.S. government. It identifies foreign individuals, organizations, companies, and government entities that are subject to specific export controls and restrictions due to their involvement in activities that threaten the U.S. national security or foreign policy interests.

The U.S. Government warns of the key role that surveillance technology plays in surveillance activities that can lead to repression and other human rights abuses.

The Commerce Department’s action targeted the above companies because their technology could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.

The entities added to the Entity List include Intellexa S.A. in Greece, Cytrox Holdings Crt in Hungary, Intellexa Limited in Ireland, and Cytrox AD in North Macedonia.

In May 2023, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

In December 2022, a report published by CitizenLab researchers detailed the use of the Predator spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

The exploits were used to initially deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

In November 2021, the Commerce Department’s Bureau of Industry and Security (BIS) sanctioned four companies for the development of spyware or the sale of hacking tools used by nation-state actors.

The surveillance firms were NSO Group and Candiru from Israel, Computer Security Initiative Consultancy PTE. LTD from Singapore, and Positive Technologies from Russia.

NSO Group and Candiru were sanctioned for the development and sale of surveillance software used to spy on journalists and activists. Positive Technologies and Computer Security Initiative Consultancy PTE. LTD. are being sanctioned because both entities traffic in cyber exploits used by threat actors to compromise computer networks of organizations worldwide. The US authorities have added the companies to the Entity List based on their engagement in activities counter to U.S. national security.

In the last couple of years, surveillance firms like NSO Group and Candiru made the headlines because their spyware was used by totalitarian regimes to spy on journalists, dissidents, and government opposition.


A man faces up to 25 years in prison for his role in operating unlicensed crypto exchange BTC-e

6 February 2024 at 16:08

A Belarusian and Cypriot national linked with the cryptocurrency exchange BTC-e is facing charges that carry a maximum penalty of 25 years in prison.

Aliaksandr Klimenka, a Belarusian and Cypriot national linked with the now-defunct cryptocurrency exchange BTC-e, is facing charges of money laundering conspiracy and operation of an unlicensed money services business.

“An indictment was unsealed on Tuesday charging a Belarusian and Cypriot national with money laundering conspiracy and operation of an unlicensed money services business.” reads the press release published by DoJ. “According to the indictment, between 2011 and July 2017, Aliaksandr Klimenka, 42, allegedly controlled BTC-e, a digital currency exchange, with Alexander Vinnik and others.”

According to the indictment, Klimenka allegedly controlled the platform BTC-e with Alexander Vinnik and others. Klimenka also allegedly controlled a technology services company named Soft-FX, and the financial company FX Open. 

The servers hosting BTC-e were maintained in the United States, and according to the DoJ, they were allegedly leased to and maintained by Klimenka and Soft-FX.

BTC-e was popular in the cybercrime ecosystem. It was an illegal platform because it was not registered as a money services business with the U.S. Department of the Treasury, had no system for appropriate “know your customer” or “KYC” verification, and had no anti-money laundering program.

In 2017, Greek Police arrested the Russian national Alexander Vinnik and they accused the man of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The authorities reported that since 2011, 7 million Bitcoin had gone into the BTC-e exchange and 5.5 million withdrawn.

The police arrested Klimenka in Latvia on December 21, 2023; he was extradited to the U.S. and is currently being held in custody. The man is facing charges that carry a maximum penalty of 25 years in prison.


Google fixed an Android critical remote code execution flaw

6 February 2024 at 17:58

Google released Android’s February 2024 security patches to address 46 vulnerabilities, including a critical remote code execution issue.

Google released Android February 2024 security patches to address 46 vulnerabilities, including a critical remote code execution flaw tracked as CVE-2024-0031.

The vulnerability resides in the System component and impacts Android Open Source Project (AOSP) versions 11, 12, 12L, 13, and 14.

“Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.” reads the advisory published by Google. “The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed.”

Google released Android’s 2024-02-01 security patch level and Android’s 2024-02-05 security patch level to fix the issues.

The company released two security patch levels to allow partners to resolve a subset of vulnerabilities. However, the company recommends that Android partners address all the issues included in the bulletin.

Users should apply the security patches as soon as the software updates are available for them.


Commercial spyware vendors are behind most zero-day exploits discovered by Google TAG

6 February 2024 at 21:07

Google’s TAG revealed that Commercial spyware vendors (CSV) were behind most of the zero-day vulnerabilities discovered in 2023.

The latest report published by Google Threat Analysis Group (TAG), titled “Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs)”, warns of the rise of commercial spyware vendors and the risks to free speech, the free press, and the open internet.

Surveillance software is used to spy on high-risk users, including journalists, human rights defenders, dissidents and opposition party politicians.

The surveillance industry is experiencing exponential growth, fueled by the sustained demand from rogue governments, intelligence agencies, and malicious actors for sophisticated malware and surveillance tools.

Google’s TAG tracked the activity of around 40 CSVs focusing on the types of software they develop.

Google researchers pointed out that governments have lost the monopoly on the most sophisticated capabilities, and many private organizations play a significant role in developing some of the most advanced tools. In 2023, TAG identified 25 0-days actively exploited in the wild, 20 of which were exploited by Commercial Surveillance Vendors (CSVs). Google also reported that CSVs are responsible for half of the known 0-day exploits targeting Google products and Android devices.

Out of the 72 known in-the-wild 0-day exploits targeting Google products since mid-2014, 35 of them were used by CSVs. The experts highlighted that this is a conservative estimate because many 0-day exploits are still unknown.

“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect. In 2023, TAG discovered 25 0-days being actively exploited in the wild, 20 of which were exploited by CSVs.” reads the report published by Google. “Finally, CSVs pose a threat to Google users, and Google is committed to disrupting that threat and keeping our users safe. CSVs are behind half of known 0-day exploits targeting Google products, as well as Android ecosystem devices. Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to CSVs. This is a lower bounds estimate, as it reflects only known 0-day exploits where we have high confidence in attribution. The actual number of 0-days developed by CSVs is almost certainly higher, including 0-days targeting Google products.”

The report includes the names of CSVs of any size and information about their commercial spyware.

Google hopes this report will serve as a call to action. CSVs will continue to invest in the research of powerful exploits that can allow attackers to take complete control over devices.

The overall earnings generated from the sale of this surveillance software amount to millions of dollars. TAG experts also state that CSVs’ customers receive a full suite for their operations, including the initial delivery mechanism, the necessary exploits, command and control infrastructure, and tools for managing data stolen from compromised devices.

“We believe it is time for government, industry, and civil society to come together to change the incentive structure that has allowed these technologies to spread so widely.” concludes Google.


China-linked APT deployed malware in a network of the Dutch Ministry of Defence

7 February 2024 at 07:46

A China-linked APT group breached the Dutch Ministry of Defence last year and installed malware on compromised systems.

The Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

“The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation” reads the report. “MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target FortiGate appliances. The RAT is used as second-stage malware; the experts pointed out that it doesn’t exploit a new vulnerability. COATHANGER is a stealthy implant that hooks the system calls that could reveal its presence, and it survives reboots and firmware upgrades.

“Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades.” continues the report. “Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.”

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow in the FortiOS sslvpnd daemon that allows unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild.”

Fortinet addressed the issue with the release of FortiOS 7.2.3.

The Chinese spies breached a network that was used for research and development (R&D) of unclassified projects and collaboration with two third-party research institutes.

The Dutch Ministry of Defence already notified the two third-party research institutes.

“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren. “In this way we increase international resilience against this type of cyber espionage.”


Critical shim bug impacts every Linux boot loader signed in the past decade

7 February 2024 at 14:45

The maintainers of Shim addressed six vulnerabilities, including a critical flaw that could potentially lead to remote code execution.

The maintainers of ‘shim’ addressed six vulnerabilities with the release of version 15.8. The most severe of these vulnerabilities, tracked as CVE-2023-40547 (CVSS score: 9.8), can lead to remote code execution under specific circumstances.

The vulnerability CVE-2023-40547 is an RCE in shim’s HTTP boot support that can lead to a Secure Boot bypass.

“A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.” reads the advisory.

shim is a small piece of code used by most Linux distributions in the boot process to support Secure Boot.

It is frequently employed when either the bootloader or the operating system kernel lacks a signature recognized by the UEFI firmware. The shim, signed with a key trusted by the firmware, enables the loading and execution of an unsigned bootloader or kernel.

The flaw was discovered by Bill Demirkapi of the Microsoft Security Response Center (MSRC).

found a critical bug that exists in every Linux boot loader signed in the past decade 🥰 https://t.co/kjATsR4uvJ https://t.co/JrECpgGmWD

— Bill Demirkapi (@BillDemirkapi) January 24, 2024

“Discovered and reported by Bill Demirkapi at Microsoft’s Security Response Center, this particular vulnerability stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.” reads the post published by Eclypsium.

Demirkapi warns that the vulnerability impacts every Linux boot loader signed in the past decade.

Researchers from Eclypsium illustrated the following attack scenarios:

An attacker could execute a Man-in-the-Middle (MiTM) attack to intercept HTTP traffic between the victim and the HTTP server while serving files in support of HTTP boot. This attack could be conducted from any network segment positioned between the victim and the legitimate server.

Additionally, an attacker with sufficient privileges can trigger the issue to manipulate data in the EFI Variables or on the EFI partition, achieved through a live Linux USB stick. The attacker can modify the boot order to load a remote and vulnerable shim on the system, enabling the execution of privileged code from the same remote server without disabling Secure Boot.

In a third attack path, an attacker on the same network can manipulate PXE to chain-load a vulnerable shim bootloader. Exploiting this vulnerability grants the attacker control over the system before the kernel is loaded, providing privileged access and the ability to bypass any controls implemented by the kernel and operating system.

“An attacker exploiting this vulnerability gains control of the system before the kernel is loaded, which means they have privileged access and the ability to circumvent any controls implemented by the kernel and operating system.” states Eclypsium.

Below are the other vulnerabilities in shim fixed by the maintainers:

  • CVE-2023-40546 – Fixes a LogError() invocation (NULL pointer dereference).
  • CVE-2023-40548 – Fixes an integer overflow on SBAT section size on 32-bit systems (heap overflow).
  • CVE-2023-40549 – Fixes an out-of-bounds read when loading a PE binary.
  • CVE-2023-40550 – Fixes an out-of-bounds read when trying to validate the SBAT information.
  • CVE-2023-40551 – Fixes a bounds check for MZ binaries.


Experts warn of a critical bug in JetBrains TeamCity On-Premises

7 February 2024 at 15:13

A new vulnerability in JetBrains TeamCity On-Premises can be exploited by threat actors to take over vulnerable instances.

JetBrains addressed a critical security vulnerability, tracked as CVE-2024-23917 (CVSS score 9.8), in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software.

An attacker can trigger the vulnerability to take over vulnerable installs.

“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.” reads the advisory. “The vulnerability affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2.”

JetBrains has fixed the flaw with the release of version 2023.11.3.

Administrators who are not able to update their instances to version 2023.11.3 can download a security patch plugin to patch their environment. The security patch plugin can be installed on TeamCity versions 2017.1 through 2023.11.2. It will patch the vulnerability described above.

“The security patch plugin will only address the vulnerability described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.” concludes the advisory. “If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed.”

The company is not aware of attacks in the wild exploiting this vulnerability.

In December, experts warned that the Russia-linked APT29 group had been observed targeting JetBrains TeamCity servers to gain initial access to the targets’ networks.

The attackers were observed exploiting an authentication bypass issue, tracked as CVE-2023-42793, affecting the on-premises version of TeamCity. An attacker can exploit the flaw to steal source code and stored service secrets and private keys of the target organization. By injecting malicious code, an attacker can also compromise the integrity of software releases and impact all downstream users.


Fortinet addressed two critical FortiSIEM vulnerabilities

7 February 2024 at 18:50

Fortinet warns of two critical OS command injection vulnerabilities in FortiSIEM that could allow remote attackers to execute arbitrary code.

Cybersecurity vendor Fortinet warned of two critical vulnerabilities in FortiSIEM, tracked as CVE-2024-23108 and CVE-2024-23109 (CVSS score 10), which could lead to remote code execution.

“Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests.” reads the advisory published by Fortinet.

The affected products are:

  • FortiSIEM version 7.1.0 through 7.1.1
  • FortiSIEM version 7.0.0 through 7.0.2
  • FortiSIEM version 6.7.0 through 6.7.8
  • FortiSIEM version 6.6.0 through 6.6.3
  • FortiSIEM version 6.5.0 through 6.5.2
  • FortiSIEM version 6.4.0 through 6.4.2

The CERT-EU also published an advisory for the above vulnerabilities:

“In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to execute commands on the system.” reads the advisory published by CERT-EU. “Updating is recommended as soon as possible.”

The two issues are linked to the vulnerability CVE-2023-34992 (CVSS score 9.8), which was addressed in October 2023.

The flaw CVE-2023-34992 is an improper neutralization of special elements used in an OS command (‘OS command injection’) in Fortinet FortiSIEM versions 7.0.0, 6.7.0 through 6.7.5, 6.6.0 through 6.6.3, 6.5.0 through 6.5.1, and 6.4.0 through 6.4.2. An attacker can exploit the flaw to execute unauthorized code or commands via crafted API requests.


CISA adds Google Chromium V8 Type Confusion bug to its Known Exploited Vulnerabilities catalog

7 February 2024 at 19:30

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium V8 Type Confusion bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chromium V8 Type Confusion bug, tracked as CVE-2023-4762, to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability impacts Google Chrome prior to 116.0.5845.179; it allows a remote attacker to execute arbitrary code via a crafted HTML page.

In September 2023, Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) were used to install Cytrox Predator spyware.

The experts reported that the exploit chain of the above flaws was delivered in two ways, one of them was exploiting CVE-2023-4762.

“The attacker also had an exploit chain to install Predator on Android devices in Egypt. TAG observed these exploits delivered in two different ways: the MITM injection and via one-time links sent directly to the target. We were only able to obtain the initial renderer remote code execution vulnerability for Chrome, which was exploiting CVE-2023-4762.” reads the analysis published by Google TAG. “We assess that Intellexa was also previously using this vulnerability as a 0-day.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 27, 2024.


Cisco fixes critical Expressway Series CSRF vulnerabilities

8 February 2024 at 08:17

Cisco fixed two critical flaws in Expressway Series collaboration gateways exposing vulnerable devices to cross-site request forgery (CSRF) attacks.

Cisco addressed several vulnerabilities in its Expressway Series collaboration gateways, two of which, tracked as CVE-2024-20252 and CVE-2024-20254, are critical flaws that can lead to cross-site request forgery (CSRF) attacks.

“Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device.” reads the advisory.

An unauthenticated, remote attacker can exploit the flaws to carry out CSRF attacks on an affected system.

The company states that the two flaws are due to insufficient CSRF protections for the web-based management interface of an affected system. An attacker could exploit these vulnerabilities by tricking a user of the API into clicking on a crafted link.

“A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the affected user has administrative privileges, these actions could include modifying the system configuration and creating new privileged accounts.” continues the advisory.

The IT giant also addressed a third CSRF flaw, tracked as CVE-2024-20255, which can be exploited to carry out multiple actions, including overwriting system configuration settings; this could prevent the system from processing calls properly and result in a denial of service (DoS) condition.

According to the advisory, CVE-2024-20252 can only be exploited to attack gateways where the cluster database (CDB) API feature has been enabled. CVE-2024-20254 and CVE-2024-20255 only affect Cisco Expressway Series devices in the default configuration.

The company urges customers to upgrade to an appropriate fixed software release:

Cisco Expressway Series Release    First Fixed Release
Earlier than 14.0                  Migrate to a fixed release.
14.0                               14.3.4 [1]
15.0                               15.0.0 [1]

Cisco’s Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – Hacking, CSRF)

China-linked APT Volt Typhoon remained undetected for years in US infrastructure

8 February 2024 at 11:01

China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.

The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released a technical guide containing recommendations on how to identify and mitigate living off the land techniques adopted by the APT group.


Pierluigi Paganini

(SecurityAffairs – Hacking, Volt Typhoon)

Unraveling the truth behind the DDoS attack from electric toothbrushes

8 February 2024 at 19:04

Several media reported that three million electric toothbrushes were compromised and recruited into a DDoS botnet. Is it true?

The Swiss newspaper Aargauer Zeitung first published the news of a DDoS attack, carried out on January 30, that involved three million compromised electric toothbrushes.

The journalists reported that threat actors gained access to three million electric toothbrushes and installed malware that joined them to a botnet. The botnet was used to target a Swiss company, causing millions of dollars in damages. The newspaper quoted an employee of the cybersecurity firm Fortinet as the source of the information.

The news made the headlines and was reported by many other media outlets and websites without appropriate verification.

“The three million toothbrush botnet story isn’t true,” the popular cybersecurity expert Kevin Beaumont wrote on Mastodon. Other experts also shared the same opinion of the news.

Bullshit. There's no evidence 3 million toothbrushes performed a DDoS.

What the f*** is wrong with you people???? There are no details, like who is the target of the DDoS? what was the brand of toothbrushes? how are they connected to the Internet (hint: they aren't, they are… https://t.co/kc4DV9RO5v

— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) February 7, 2024

Several experts explained that electric toothbrushes have no direct connection to the internet; they rely on Bluetooth to connect to mobile apps. Only these mobile apps contact the vendor's servers to upload users' data.

In response to the skepticism, the newspaper published a new update on the story which included a statement from Fortinet.

“On Thursday morning, several media outlets, including the Independent, distributed a statement from Fortinet: The case had been used as an example of a DDoS attack during an interview. However, the case is not based on research by Fortinet.” reads the new article published by the newspaper.

“It appears that, due to translations, the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurring,” states the cybersecurity vendor.

However, Aargauer Zeitung pointed out that during the interview, Swiss Fortinet representatives described the toothbrush case as a real DDoS.

“What the Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real DDoS attack at a meeting that discussed current threats.” reads the update provided by the newspaper. “Fortinet provided specific details: information about how long the attack took down a Swiss company’s website; an order of magnitude of how great the damage was.”

The newspaper also states that it had submitted the text of the article to Fortinet for verification before publication, and that Fortinet did not object to the statement that this was a real case that really happened.

Meanwhile, Fortinet has sent this statement to several international media outlets, excluding CH Media. We

“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.” – Fortinet.

Apart from the electric toothbrush mess, Internet of Things (IoT) devices are prime targets for many threat actors. Several cases underscore the urgency of securing our smart homes.

IoT devices, such as smart fridges, smart meters, or thermostats, are often designed with connectivity in mind but lack security. This leaves them susceptible to exploitation, as cybercriminals exploit their vulnerabilities to gain control.

Crooks can leverage insecure IoT devices to expand their botnet armies, creating a massive threat landscape.

In a notable case, smart fridges were hacked to send out malicious emails as part of a botnet. These seemingly innocuous appliances became unwilling accomplices in a larger cybercrime scheme.

The risks associated with IoT devices being recruited into botnets are real and escalating. As we embrace the conveniences of smart technologies, manufacturers, regulators, and users must work together to enhance the security of these devices and protect against potential cyber threats.


Pierluigi Paganini

(SecurityAffairs – Hacking, electric toothbrushes)

US offers $10 million reward for info on Hive ransomware group leaders

8 February 2024 at 21:12

U.S. Government offers rewards of up to $10 million for information that could help locate, identify, or arrest members of the Hive ransomware group.

The US Department of State announced rewards up to $10,000,000 for information leading to the identification and/or location of the leaders of the Hive ransomware group. The US government also offers rewards up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country who participated or attempted to participate in the Hive ransomware operation.

According to the announcement, the group targeted organizations in over 80 countries. Starting from the end of July 2022, the FBI infiltrated Hive’s computer networks. Law enforcement gained access to the decryption keys and provided them to victims, thereby thwarting potential ransom payments of up to $130 million.

The threat actors behind the Hive RaaS have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities in January.

“As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA in November 2022.

The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The Hive ransomware operation has been active since June 2021. It operates as a Ransomware-as-a-Service (RaaS) and adopts a double-extortion model, threatening to publish data stolen from victims on its leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive attacks that included technical details and indicators of compromise associated with the operations of the gang. According to a report published by the blockchain analytics company Chainalysis, the Hive operation was one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

The Hive operation was dismantled in January 2023 by the FBI, in coordination with German and Dutch police forces, as well as Europol. 

“Today’s announcement complements the Department of Justice announcement that, with Europol, the German and Dutch authorities, and the United States Secret Service, it had seized control of Hive’s servers and websites, thereby disrupting Hive’s ability to further attack and extort victims. We will continue to work with allies and partners to disrupt and deter ransomware actors that threaten the backbone of our economies and critical infrastructure.” states the announcement. “This reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), which supports law enforcement efforts to disrupt transnational crime globally and bring fugitives to justice.”


Pierluigi Paganini

(SecurityAffairs – hacking, Hive)

26 Cyber Security Stats Every User Should Be Aware Of in 2024

9 February 2024 at 07:39

26 key cyber security stats for 2024 that every user should know, from rising cyber crime rates to the impact of AI technology.

  • Cyber Crime Surge: During COVID-19, cyber crimes shot up by 600%, showing how threats adapt to global changes.
  • Phishing Attacks: Phishing is the top cyber attack, causing 90% of data breaches. Shockingly, 96% of these attacks come through email.
  • Ransomware Attacks: In 2023, a whopping 72.7% of organizations faced ransomware. The cost of these attacks could hit $265 billion annually by 2031.
  • Data Breach Costs: The average global cost of a data breach in 2023 was $4.45 million, up 15% in three years. The US topped the list at $5.09 million per breach.
  • Cyber Insurance: US cyber insurance premiums soared by 50% in 2022, reaching $7.2 billion.
  • Cyber Skills Gap: By 2025, there could be 3.5 million unfilled cyber security jobs, showing a big need for skilled professionals.
  • Email Threats: More than 75% of targeted attacks start with an email, delivering 94% of malware.
  • Soaring Cyber Crime Costs: Cyber crime costs are expected to hit $10.5 trillion annually by 2025, rising by 15% each year.
  • Healthcare Spending: From 2020 to 2025, the healthcare sector plans to spend $125 billion on cyber security to tackle its vulnerability.
  • Telecom Adoption: 80% of telecom companies now use AI-powered cyber security tools to protect their networks, showing how AI is becoming more common in keeping complex systems safe.
  • Executive Opinion: Nearly 70% of top executives see AI as crucial for tackling cyber threats, indicating a growing trust in AI to strengthen online defenses.
  • Market Growth: AI cyber security technology is projected to grow by 23.6% every year until 2027, pointing to rapid progress and investment in AI-based security.
  • Privacy Compliance: By 2024, 40% of privacy tools will rely on AI, highlighting its expanding role in ensuring data privacy and meeting regulations.
  • Reducing Risky Behavior: AI adoption in security policies has led to a 68% drop in risky user actions, proving its effectiveness in promoting safer online habits.
  • Generative AI Impact: Generative AI will have a big role in cyber security, especially in areas like email protection and fighting social engineering attacks.
  • Market Size: The AI cyber security market was worth around $17.4 billion in 2022 and is expected to grow to about $102.78 billion by 2032, with a yearly growth rate of 19.43%.
  • Mobile Threats: Mobile devices are increasingly targeted by cyber criminals, with mobile malware attacks rising by 54%.
  • IoT Vulnerabilities: With the proliferation of Internet of Things (IoT) devices, the number of IoT-related cyber attacks is expected to increase by 25% in 2024.
  • Social Engineering Attacks: Social engineering attacks, such as phishing and pretexting, remain a top concern, with 65% of organizations experiencing phishing attempts and 47% falling victim to social engineering tactics.
  • Zero-Day Exploits: Zero-day vulnerabilities, which are flaws in software unknown to the vendor, continue to be exploited by attackers, with an average of 20 zero-day vulnerabilities discovered each month.
  • Cloud Security Concerns: As businesses increasingly migrate to the cloud, cloud security incidents are on the rise, with misconfigured cloud services accounting for 68% of reported incidents.
  • Insider Threats: Insider threats pose a significant risk to organizations, with 64% of cyber security incidents involving insiders, either through malicious intent or inadvertent actions.
  • Supply Chain Attacks: Supply chain attacks, where attackers target vulnerabilities in third-party vendors or suppliers to gain access to target organizations, have increased by 42% in 2023.
  • Ransomware-as-a-Service (RaaS): Ransomware attacks are becoming more accessible to cyber criminals through RaaS platforms, allowing them to launch attacks without advanced technical skills. RaaS usage is expected to increase by 25% in 2024.
  • Regulatory Compliance Challenges: Compliance with data protection regulations, such as GDPR and CPRA, remains a challenge for organizations, with non-compliance penalties averaging $5.5 million per incident.
  • Cyber Security Spending: Global cyber security spending is projected to reach $172 billion in 2024, reflecting the increasing prioritization of cyber security by businesses and governments worldwide.

Recent Security Events

Recent cyber security events have highlighted the persistent and evolving nature of online threats. Alongside these, it’s worth considering a VPN Chrome extension, which can add an extra layer of security to your online activities, especially when using public Wi-Fi or accessing sensitive information.

The emergence of new threat actors and tactics, including state-sponsored hacking groups and ransomware-as-a-service operations, underscores the need for proactive cyber security measures.

As cyber attacks become increasingly sophisticated and widespread, staying informed and implementing robust security practices are essential for mitigating risks and protecting against potential threats. Without any further ado, let’s have a look at the 7 most recent cyber security events.

  • AnyDesk Cyber Attack: AnyDesk, a remote desktop software provider, faced a cyber attack that compromised its systems. As a precaution, they revoked all security certificates and passwords for their web portal.
  • APT28 Targets: A state-sponsored group named APT28 has been attacking organizations globally, including in foreign affairs, energy, defense, and transportation, using NTLM Relay Attacks.
  • DirtyMoe Malware in Ukraine: Over 2,000 computers in Ukraine were infected by the DirtyMoe malware, capable of cryptojacking and launching DDoS attacks.
  • Cloudflare Breach: Cloudflare revealed a breach by likely state actors who accessed some documents and a bit of source code.
  • Layoffs at Security Companies: Okta and Proofpoint announced layoffs affecting around 1,000 employees in the US and Israel.
  • Clorox Cyberattack Costs: Clorox disclosed that a cyberattack has already cost them over $49 million, with more expected expenses in 2024.

Conclusion

The cyber security stats we’ve covered highlight how important it is to protect ourselves online. With cyber crimes on the rise and attacks like phishing and ransomware becoming more common, we need to stay alert.

Using technology like AI can help, but there’s also a shortage of skilled people in cyber security. Recent events, such as the AnyDesk cyber attack and DirtyMoe malware, show that threats are real and can affect anyone.

To stay safe, we should stay informed, use strong security measures, and be cautious online. By taking these steps, we can better protect ourselves from cyber threats and keep our digital world secure.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.


Pierluigi Paganini

(SecurityAffairs – hacking, Cyber Security)

Ivanti warns of a new auth bypass flaw in its Connect Secure, Policy Secure, and ZTA gateway devices

9 February 2024 at 08:17

Ivanti warns customers of a new authentication bypass vulnerability in its Connect Secure, Policy Secure, and ZTA gateway devices.

Ivanti has warned customers of a new high-severity security vulnerability, tracked as CVE-2024-22024 (CVSS score 8.3), in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The vulnerability was discovered by the software firm as part of an ongoing investigation into the vulnerabilities impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893).

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.” reads the advisory published by the company.

The vulnerability impacts the following supported versions:

  • Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1);
  • Policy Secure version 22.5R1.1;
  • ZTA version 22.6R1.3.

The vendor released patches for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

According to the advisory, there is no evidence of this vulnerability being exploited in the wild.

Last week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

This week, researchers warned that the Server-Side Request Forgery (SSRF) vulnerability CVE-2024-21893 is being actively exploited in real-world attacks by various threat actors.

On February 2, 2024, researchers from Rapid7 published a technical analysis of the issue along with a proof-of-concept (PoC) exploit. The availability of PoC exploit code could help threat actors launch attacks against Internet-facing installs.

Researchers from Shadowserver observed the exploitation of the flaw CVE-2024-21893 in the wild by multiple threat actors, however, they pointed out that the attacks began hours before the publication of the Rapid7 PoC code.


Pierluigi Paganini

(SecurityAffairs – hacking, authentication bypass flaw)

Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

9 February 2024 at 09:05

Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked as CVE-2024-21762, is being actively exploited.

Fortinet is warning that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends disabling SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

Version        Affected                 Solution
FortiOS 7.6    Not affected             Not Applicable
FortiOS 7.4    7.4.0 through 7.4.2      Upgrade to 7.4.3 or above
FortiOS 7.2    7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
FortiOS 7.0    7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
FortiOS 6.4    6.4.0 through 6.4.14     Upgrade to 6.4.15 or above
FortiOS 6.2    6.2.0 through 6.2.15     Upgrade to 6.2.16 or above
FortiOS 6.0    6.0 all versions         Migrate to a fixed release

The security firm also addressed another critical flaw in FortiOS, tracked as CVE-2024-23113 (CVSS score 9.8).

“A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” reads the advisory.

The good news is that the vendor is not aware of attacks in the wild exploiting this flaw.

Vulnerabilities in Fortinet devices are often exploited by threat actors in the wild.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd and allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

This week, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target FortiGate appliances. The RAT is used as second-stage malware; the experts pointed out that it does not exploit a new vulnerability. COATHANGER is a stealthy malware that hooks system calls that could reveal its presence. The malware survives reboots and firmware upgrades.

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Black Basta ransomware gang hacked Hyundai Motor Europe

9 February 2024 at 13:51

Black Basta ransomware gang claims the hack of the car maker Hyundai Motor Europe and the theft of three terabytes of their data.

BleepingComputer reported that the car maker Hyundai Motor Europe was breached by the Black Basta ransomware gang. The threat actors claim to have stolen three terabytes of data from the company.

In January, the company experienced IT issues; the outage was likely caused by the ransomware attack, but the company did not disclose it at the time. Later, Hyundai told BleepingComputer that it had suffered a cyberattack, without providing details about the incident.

The carmaker launched an investigation into the incident with the help of external cybersecurity and legal experts. The company also notified the relevant local authorities.

Hyundai Motor Europe only reported the discovery of unauthorized access to a limited part of its network.


BleepingComputer learned that the company suffered a Black Basta ransomware attack in early January.

The crooks provided BleepingComputer with evidence of the data breach; it seems that the gang stole data from various departments, including legal, sales, and human resources.

In April, Hyundai suffered another data breach that impacted Italian and French car owners and customers who booked a test drive.

Threat actors had access to the email addresses, physical addresses, telephone numbers, and vehicle chassis numbers of the impacted individuals.

The data breach letter sent to the impacted individuals informs them that an unauthorized third party had access to the database of customers. Hyundai Italy has notified the privacy watchdog and hired external cybersecurity experts to determine the scope of the incident.

According to the letter, financial data were not exposed.

In December 2019, German media reported that hackers suspected to be members of the Vietnam-linked APT Ocean Lotus (APT32) group breached the networks of the car manufacturers BMW and Hyundai. The intrusion aimed at stealing automotive trade secrets.


Pierluigi Paganini

(SecurityAffairs – hacking, Hyundai)

Exploiting a vulnerable Minifilter Driver to create a process killer

9 February 2024 at 14:56

A researcher demonstrated how to exploit a signed Minifilter Driver in a BYOVD attack to terminate a specific process from the kernel.

This post analyzes a signed Minifilter Driver that can be used in a BYOVD attack to build a program able to terminate a specific process from the kernel.

Exploiting a vulnerable Minifilter Driver to create a process killer

Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One of the most used drivers is the Process Explorer driver. In this case we cannot talk about a vulnerability, since it is a feature of the application to permit process termination from its UI.

BYOVD is gaining more and more attention since attackers understood that it’s a better strategy to terminate the EDR process rather than relying on obfuscation techniques in order to evade EDR detection.

In this blog post I’ll analyze a signed driver that can be used to create a program able to terminate a specific process from the kernel. The driver is quite old but nevertheless usable. The driver hash is 023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb (probmon.sys).

Exploiting a Minifilter Signed Driver

The mentioned driver is a signed minifilter driver that is part of a security solution. One of the imported functions is ZwTerminateProcess, so my goal is to check whether it is possible to call this function on an arbitrary process.

The driver starts by calling the FltRegisterFilter function in order to register the filter. Next, a communication port is created by calling FltCreateCommunicationPort. The call specifies the parameter MessageNotifyCallback, implying that a user mode application can communicate with the minifilter by using the FilterSendMessage function. This callback does not expose the access to the ZwTerminateProcess function, but it is necessary in order to satisfy the needed preconditions.

After the creation of the communication port, the driver sets a process creation notification function by calling PsSetCreateProcessNotifyRoutine. The specified callback checks that the third argument of the callback, named Create, is false; if not, the function returns immediately. This implies that only process terminations are monitored by the driver. Under specific conditions, the notification callback function will call the ZwTerminateProcess function.

In order to terminate a process with the vulnerable driver, there are two preconditions that must be satisfied:

  1. The handle of the process to terminate is read from a global variable. We have to set this variable, otherwise when the driver tries to terminate a process KeBugCheckEx will be called, generating a BSOD.
  2. ZwTerminateProcess is called only if the process ID calling into the minifilter is the same as the one stored in a global variable.

Set the target process handle

This requirement is satisfied by sending a message to the communication port by using the struct from Figure 1.

In this case the command_type parameter must assume the value 3. This will cause ZwOpenProcess to be called with the pid_to_kill parameter, and the result is assigned to the above mentioned global variable (let’s call it process_handle_to_terminate).

Enable process termination

The second precondition involves a check on a global variable (let’s call it it_s_a_me; you will understand why I chose this name in a moment). The value of this variable must be the same as the process ID that is exiting (remember that the callback is monitoring for process termination). This check is performed in the PsSetCreateProcessNotifyRoutine notification callback function. As before, this can be achieved by using the struct from Figure 2.

In this case the command_type parameter must assume the value 1. The data_count is used to copy the data that follow this parameter. In our case it is fine to set it to 1 (1 DWORD is copied) and set the field my_pid to our PID. In this way, our PID is written to the it_s_a_me global variable, satisfying our second precondition.

Triggering process termination

At this point we have set the handle of the process to terminate (variable process_handle_to_terminate) and we can reach the ZwTerminateProcess function thanks to the variable it_s_a_me.

When our process exits, the PsSetCreateProcessNotifyRoutine notification callback will be called, the PID check will be satisfied by verifying that the variable it_s_a_me equals the process ID that is exiting, triggering ZwTerminateProcess on the process_handle_to_terminate process. All this means that when our process killer program exits, the target process will be killed 🙂

Source Code

Considering the plethora of such programs available on Github, releasing one more shouldn’t be a huge problem. You can find the source code using the analyzed driver in my Github account:

https://github.com/enkomio/s4killer

Be aware that the driver is registered by using the flag FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, implying that the minifilter is not unloaded in response to service stop requests. In addition, the code STATUS_FLT_DO_NOT_DETACH is returned when you try to unload the driver with fltmc. In order to unload the driver you have to reboot your machine.

Conclusion

The goal of this blog post was to demonstrate how malware uses the BYOVD technique in order to kill EDR processes. I analyzed a previously unknown vulnerable driver (to the best of my knowledge, of course), demonstrating how a minifilter can also be abused for such a purpose.

Bonus

I’m currently focused on the BYOVD technique used by malware to kill processes, so I haven’t searched for more vulnerabilities in the driver. However, there is a nice buffer overflow in it, but I’m unsure if it is exploitable or not 🙂

This analysis and other interesting posts are available here:

https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html

About the author:

Antonio Parata, Principal Security Researcher at CrowdStrike

Pierluigi Paganini

(SecurityAffairs – hacking, BYOVD)