Security Affairs

China-linked APT Volt Typhoon remained undetected for years in US infrastructure

8 February 2024 at 11:01

China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.

“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.

The Volt Typhoon group has been active since at least mid-2021, carrying out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.

In May 2023, Microsoft first reported that, to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.

The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.

“The group also relies on valid accounts and leverages strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”

U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.

The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.

The US agencies also released a technical guide containing recommendations on how to identify and mitigate living off the land techniques adopted by the APT group.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Volt Typhoon)

Unraveling the truth behind the DDoS attack from electric toothbrushes

8 February 2024 at 19:04

Several media reported that three million electric toothbrushes were compromised and recruited into a DDoS botnet. Is it true?

The Swiss newspaper Aargauer Zeitung first published the news of a DDoS attack, carried out on January 30, that involved three million compromised electric toothbrushes.

The journalists reported that threat actors gained access to three million electric toothbrushes and installed malware that joined them to a botnet. The botnet was used to target a Swiss company, causing millions of dollars in damages. The newspaper quoted an employee of cybersecurity firm Fortinet as the source of the information.

The news made the headlines and was reported by many other media outlets and websites without appropriate verification.

“The three million toothbrush botnet story isn’t true,” the popular cybersecurity expert Kevin Beaumont wrote on Mastodon. Other experts also shared the same opinion of the news.

Bullshit. There's no evidence 3 million toothbrushes performed a DDoS.

What the f*** is wrong with you people???? There are no details, like who is the target of the DDoS? what was the brand of toothbrushes? how are they connected to the Internet (hint: they aren't, they are… https://t.co/kc4DV9RO5v

— Robᵉʳᵗ Graham 𝕏 (@ErrataRob) February 7, 2024

Several experts explained that electric toothbrushes have no direct connection to the internet; they rely on Bluetooth to connect to mobile apps. Only these mobile apps contact the vendor’s servers to upload users’ data.

In response to the skepticism, the newspaper published a new update on the story which included a statement from Fortinet.

“On Thursday morning, several media outlets, including the Independent, distributed a statement from Fortinet: The case had been used as an example of a DDoS attack during an interview. However, the case is not based on research by Fortinet.” reads the new article published by the newspaper.

“It appears that, due to translations, the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurring,” states the cybersecurity vendor.

However, Aargauer Zeitung pointed out that during the interview, Swiss Fortinet representatives described the toothbrush case as a real DDoS.

“What the Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: at a meeting that discussed current threats, Swiss Fortinet representatives described the toothbrush case as a real DDoS attack.” reads the update provided by the newspaper. “Fortinet provided specific details: information about how long the attack took down a Swiss company’s website; an order of magnitude of how great the damage was.”

The newspaper also states that they have submitted the text of the article to Fortinet for verification before publication and the statement that this was a real case that really happened was not objected to.

Meanwhile, Fortinet has sent this statement to several international media outlets, excluding CH Media. We

“To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.” – Fortinet.

Apart from the electric toothbrush mess, Internet of Things (IoT) devices are privileged targets for many threat actors. Some cases underscore the urgency of securing our smart homes.

IoT devices, such as smart fridges, smart meters, or thermostats, are often designed with connectivity in mind but lack security. This leaves them susceptible to exploitation, as cybercriminals exploit vulnerabilities to gain control.

Crooks can leverage insecure IoT devices to expand their botnet armies, creating a massive threat landscape.

In a notable case, smart fridges were hacked to send out malicious emails as part of a botnet. These seemingly innocuous appliances became unwilling accomplices in a larger cybercrime scheme.

The risks associated with IoT devices being recruited into botnets are real and escalating. As we embrace the conveniences of smart technologies, manufacturers, regulators, and users must work together to enhance the security of these devices and protect against potential cyber threats.


Pierluigi Paganini

(SecurityAffairs – Hacking, electric toothbrushes)

US offers $10 million reward for info on Hive ransomware group leaders

8 February 2024 at 21:12

U.S. Government offers rewards of up to $10 million for information that could help locate, identify, or arrest members of the Hive ransomware group.

The US Department of State announced rewards up to $10,000,000 for information leading to the identification and/or location of the leaders of the Hive ransomware group. The US government also offers rewards up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country who participated or attempted to participate in the Hive ransomware operation.

According to the announcement, the group targeted organizations in over 80 countries. Starting from the end of July 2022, the FBI infiltrated Hive’s computer networks. Law enforcement gained access to the decryption keys and provided them to victims, thereby thwarting potential ransom payments of up to $130 million.

The threat actors behind the Hive RaaS have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities in January.

“As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA in November 2022.

The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The Hive ransomware operation has been active since June 2021. It operates as a Ransomware-as-a-Service (RaaS) and adopts a double-extortion model, threatening to publish data stolen from victims on its leak site (HiveLeaks). In August 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive attacks that included technical details and indicators of compromise associated with the gang’s operations. According to a report published by blockchain analytics company Chainalysis, Hive was one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

The Hive operation was dismantled in January 2023 by the FBI, in coordination with German and Dutch police forces, as well as Europol.

“Today’s announcement complements the Department of Justice announcement that, with Europol, the German and Dutch authorities, and the United States Secret Service, it had seized control of Hive’s servers and websites, thereby disrupting Hive’s ability to further attack and extort victims. We will continue to work with allies and partners to disrupt and deter ransomware actors that threaten the backbone of our economies and critical infrastructure.” states the announcement. “This reward is offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), which supports law enforcement efforts to disrupt transnational crime globally and bring fugitives to justice.”


Pierluigi Paganini

(SecurityAffairs – hacking, Hive)

26 Cyber Security Stats Every User Should Be Aware Of in 2024

9 February 2024 at 07:39

26 key cyber security stats for 2024 that every user should know, from rising cyber crime rates to the impact of AI technology.

  • Cyber Crime Surge: During COVID-19, cyber crimes shot up by 600%, showing how threats adapt to global changes.
  • Phishing Attacks: Phishing is the top cyber attack, causing 90% of data breaches. Shockingly, 96% of these attacks come through email.
  • Ransomware Attacks: In 2023, a whopping 72.7% of organizations faced ransomware. The cost of these attacks could hit $265 billion annually by 2031.
  • Data Breach Costs: The average global cost of a data breach in 2023 was $4.45 million, up 15% in three years. The US topped the list at $5.09 million per breach.
  • Cyber Insurance: US cyber insurance premiums soared by 50% in 2022, reaching $7.2 billion.
  • Cyber Skills Gap: By 2025, there could be 3.5 million unfilled cyber security jobs, showing a big need for skilled professionals.
  • Email Threats: More than 75% of targeted attacks start with an email, delivering 94% of malware.
  • Soaring Cyber Crime Costs: Cyber crime costs are expected to hit $10.5 trillion annually by 2025, rising by 15% each year.
  • Healthcare Spending: From 2020 to 2025, the healthcare sector plans to spend $125 billion on cyber security to tackle its vulnerability.
  • Telecom Adoption: 80% of telecom companies now use AI-powered cyber security tools to protect their networks, showing how AI is becoming more common in keeping complex systems safe.
  • Executive Opinion: Nearly 70% of top executives see AI as crucial for tackling cyber threats, indicating a growing trust in AI to strengthen online defenses.
  • Market Growth: AI cyber security technology is projected to grow by 23.6% every year until 2027, pointing to rapid progress and investment in AI-based security.
  • Privacy Compliance: By 2024, 40% of privacy tools will rely on AI, highlighting its expanding role in ensuring data privacy and meeting regulations.
  • Reducing Risky Behavior: AI adoption in security policies has led to a 68% drop in risky user actions, proving its effectiveness in promoting safer online habits.
  • Generative AI Impact: Generative AI will have a big role in cyber security, especially in areas like email protection and fighting social engineering attacks.
  • Market Size: The AI cyber security market was worth around $17.4 billion in 2022 and is expected to grow to about $102.78 billion by 2032, with a yearly growth rate of 19.43%.
  • Mobile Threats: Mobile devices are increasingly targeted by cyber criminals, with mobile malware attacks rising by 54%.
  • IoT Vulnerabilities: With the proliferation of Internet of Things (IoT) devices, the number of IoT-related cyber attacks is expected to increase by 25% in 2024.
  • Social Engineering Attacks: Social engineering attacks, such as phishing and pretexting, remain a top concern, with 65% of organizations experiencing phishing attempts and 47% falling victim to social engineering tactics.
  • Zero-Day Exploits: Zero-day vulnerabilities, which are flaws in software unknown to the vendor, continue to be exploited by attackers, with an average of 20 zero-day vulnerabilities discovered each month.
  • Cloud Security Concerns: As businesses increasingly migrate to the cloud, cloud security incidents are on the rise, with misconfigured cloud services accounting for 68% of reported incidents.
  • Insider Threats: Insider threats pose a significant risk to organizations, with 64% of cyber security incidents involving insiders, either through malicious intent or inadvertent actions.
  • Supply Chain Attacks: Supply chain attacks, where attackers target vulnerabilities in third-party vendors or suppliers to gain access to target organizations, have increased by 42% in 2023.
  • Ransomware-as-a-Service (RaaS): Ransomware attacks are becoming more accessible to cyber criminals through RaaS platforms, allowing them to launch attacks without advanced technical skills. RaaS usage is expected to increase by 25% in 2024.
  • Regulatory Compliance Challenges: Compliance with data protection regulations, such as GDPR and CPRA, remains a challenge for organizations, with non-compliance penalties averaging $5.5 million per incident.
  • Cyber Security Spending: Global cyber security spending is projected to reach $172 billion in 2024, reflecting the increasing prioritization of cyber security by businesses and governments worldwide.

Recent Security Events

Recent cyber security events have highlighted the persistent and evolving nature of online threats. Alongside these, it’s worth considering a VPN Chrome extension, which can add an extra layer of security to your online activities, especially when using public Wi-Fi or accessing sensitive information.

The emergence of new threat actors and tactics, including state-sponsored hacking groups and ransomware-as-a-service operations, underscores the need for proactive cyber security measures.

As cyber attacks become increasingly sophisticated and widespread, staying informed and implementing robust security practices are essential for mitigating risks and protecting against potential threats. Without any further ado, let’s have a look at some of the most recent cyber security events.

  • AnyDesk Cyber Attack: AnyDesk, a remote desktop software provider, faced a cyber attack that compromised its systems. As a precaution, they revoked all security certificates and passwords for their web portal.
  • APT28 Targets: A state-sponsored group named APT28 has been attacking organizations globally, including in foreign affairs, energy, defense, and transportation, using NTLM Relay Attacks.
  • DirtyMoe Malware in Ukraine: Over 2,000 computers in Ukraine were infected by the DirtyMoe malware, capable of cryptojacking and launching DDoS attacks.
  • Cloudflare Breach: Cloudflare revealed a breach by likely state actors who accessed some documents and a bit of source code.
  • Layoffs at Security Companies: Okta and Proofpoint announced layoffs affecting around 1,000 employees in the US and Israel.
  • Clorox Cyberattack Costs: Clorox disclosed that a cyberattack has already cost them over $49 million, with more expected expenses in 2024.

Conclusion

The cyber security stats we’ve covered highlight how important it is to protect ourselves online. With cyber crimes on the rise and attacks like phishing and ransomware becoming more common, we need to stay alert.

Using technology like AI can help, but there’s also a shortage of skilled people in cyber security. Recent events, such as the AnyDesk cyber attack and DirtyMoe malware, show that threats are real and can affect anyone.

To stay safe, we should stay informed, use strong security measures, and be cautious online. By taking these steps, we can better protect ourselves from cyber threats and keep our digital world secure.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.


Pierluigi Paganini

(SecurityAffairs – hacking, Cyber Security)

Ivanti warns of a new auth bypass flaw in its Connect Secure, Policy Secure, and ZTA gateway devices

9 February 2024 at 08:17

Ivanti warns customers of a new authentication bypass vulnerability in its Connect Secure, Policy Secure, and ZTA gateway devices.

Ivanti has warned customers of a new high-severity security vulnerability, tracked as CVE-2024-22024 (CVSS score 8.3), in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The vulnerability was discovered by the software firm as part of an ongoing investigation into the vulnerabilities impacting Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways (CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893).

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication.” reads the advisory published by the company.

The vulnerability impacts the following supported versions:

  • Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1);
  • Policy Secure version 22.5R1.1;
  • ZTA version 22.6R1.3.

The vendor released patches for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

According to the advisory, there is no evidence of this vulnerability being exploited in the wild.

Last week Ivanti warned of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions respectively tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that one of these two vulnerabilities is under active exploitation in the wild.

This week, researchers warned that the Server-Side Request Forgery (SSRF) vulnerability CVE-2024-21893 is being actively exploited in real-world attacks by various threat actors.

On February 2, 2024, researchers from Rapid7 published a technical analysis of the issue along with a proof-of-concept (PoC) exploit. The availability of PoC exploit code could help threat actors launch attacks against Internet-facing installs.

Researchers from Shadowserver observed the exploitation of the flaw CVE-2024-21893 in the wild by multiple threat actors, however, they pointed out that the attacks began hours before the publication of the Rapid7 PoC code.


Pierluigi Paganini

(SecurityAffairs – hacking, authentication bypass flaw)

Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

9 February 2024 at 09:05

Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked as CVE-2024-21762, is being actively exploited.

Fortinet is warning that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends disabling SSL VPN as a workaround.

“An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following list gives the impacted versions and the releases that fix the issue (version: affected range; solution).

  • FortiOS 7.6: not affected; not applicable
  • FortiOS 7.4: 7.4.0 through 7.4.2; upgrade to 7.4.3 or above
  • FortiOS 7.2: 7.2.0 through 7.2.6; upgrade to 7.2.7 or above
  • FortiOS 7.0: 7.0.0 through 7.0.13; upgrade to 7.0.14 or above
  • FortiOS 6.4: 6.4.0 through 6.4.14; upgrade to 6.4.15 or above
  • FortiOS 6.2: 6.2.0 through 6.2.15; upgrade to 6.2.16 or above
  • FortiOS 6.0: all versions; migrate to a fixed release

The security firm also addressed another critical flaw in FortiOS, tracked as CVE-2024-23113 (CVSS score 9.8).

“A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.” reads the advisory.

The good news is that the vendor is not aware of attacks in the wild exploiting this flaw.

Vulnerabilities in Fortinet devices are often exploited by threat actors in the wild.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd and allows unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

This week, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target Fortigate appliances. The RAT is used as second-stage malware, the experts pointed out that it doesn’t exploit a new vulnerability. COATHANGER is a stealthy malware that hooks system calls that could reveal its presence. The malware survives reboots and firmware upgrades.

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Black Basta ransomware gang hacked Hyundai Motor Europe

9 February 2024 at 13:51

Black Basta ransomware gang claims the hack of the car maker Hyundai Motor Europe and the theft of three terabytes of its data.

BleepingComputer reported that the car maker Hyundai Motor Europe was breached by the Black Basta ransomware gang. The threat actors claim to have stolen three terabytes of data from the company.

In January the company experienced IT issues; the outage was likely caused by the ransomware attack, but the company did not disclose it at the time. Later Hyundai told BleepingComputer that it had suffered a cyberattack, without providing details about the incident.

The carmaker launched an investigation into the incident with the help of external cybersecurity and legal experts. The company also notified relevant local authorities.

Hyundai Motor Europe only reported the discovery of unauthorized access to a limited part of its network.


BleepingComputer learned that the company suffered a Black Basta ransomware attack in early January.

The crooks provided BleepingComputer with evidence of the data breach; it seems that the gang stole data from various departments, including legal, sales, and human resources.

In April 2023, Hyundai suffered another data breach that impacted Italian and French car owners and customers who booked a test drive.

Threat actors had access to the email addresses, physical addresses, telephone numbers, and vehicle chassis numbers of the impacted individuals.

The data breach letter sent to the impacted individuals informs them that an unauthorized third party had access to the database of customers. Hyundai Italy has notified the privacy watchdog and hired external cybersecurity experts to determine the scope of the incident.

According to the letter, financial data were not exposed.

In December 2019, German media reported that hackers suspected to be members of the Vietnam-linked APT Ocean Lotus (APT32) group breached the networks of the car manufacturers BMW and Hyundai. The intrusion aimed at stealing automotive trade secrets.


Pierluigi Paganini

(SecurityAffairs – hacking, Hyundai)

Exploiting a vulnerable Minifilter Driver to create a process killer

9 February 2024 at 14:56

Researcher demonstrated how to exploit a signed Minifilter Driver in a BYOVD attack to terminate a specific process from the kernel.

The post analyzes a signed minifilter driver that can be used in a BYOVD attack to build a program able to terminate a specific process from the kernel.

Bring Your Own Vulnerable Driver (BYOVD) is a technique that uses a vulnerable driver in order to achieve a specific goal. BYOVD is often used by malware to terminate processes associated with security solutions such as an EDR. There are many examples of open-source software that (ab)use a vulnerable driver for this purpose. One of the most used drivers is the Process Explorer driver. In this case we cannot talk about a vulnerability, since it is a feature of the application to permit process termination from its UI.

BYOVD is gaining more and more attention since attackers understood that it’s a better strategy to terminate the EDR process rather than relying on obfuscation techniques in order to evade EDR detection.

In this blog post I’ll analyze a signed driver that can be used to create a program able to terminate a specific process from the kernel. The driver is quite old but nevertheless usable. The driver hash is 023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb (probmon.sys).

Exploiting a Minifilter Signed Driver

The mentioned driver is a signed minifilter driver, part of a security solution. One of the imported functions is ZwTerminateProcess, so my goal is to check whether it is possible to call this function on an arbitrary process.

The driver starts by calling the FltRegisterFilter function in order to register the filter. Next, a communication port is created by calling FltCreateCommunicationPort. The call specifies the parameter MessageNotifyCallback, implying that a user mode application can communicate with the minifilter by using the FilterSendMessage function. This callback does not expose the access to the ZwTerminateProcess function, but it is necessary in order to satisfy the needed preconditions.

After the creation of the communication port, the driver sets a process creation notification function by calling PsSetCreateProcessNotifyRoutine. The specified callback checks that the third argument of the callback, named Create, is false; if not, the function returns immediately. This implies that only process terminations are monitored by the driver. Under specific conditions, the notification callback function will call the ZwTerminateProcess function.

In order to terminate a process with the vulnerable driver, there are two preconditions that must be satisfied:

  1. The handle of the process to terminate is read from a global variable. We have to set this variable, otherwise when the driver tries to terminate a process KeBugCheckEx will be called, generating a BSOD.
  2. ZwTerminateProcess is called only if the process ID calling into the minifilter is the same as the one associated with a global variable.

Set the target process handle

This requirement is satisfied by sending a message to the communication port by using the struct from Figure 1

In this case the command_type parameter must assume value 3. This will cause the ZwOpenProcess to be called by using the pid_to_kill parameter, and the result assigned to the above mentioned global variable (let’s call it process_handle_to_terminate).

Enable process termination

The second precondition involves a check on a global variable (let’s call it it_s_a_me; you will understand why I chose this name in a moment). The value of this variable must be the same as the process ID that is exiting (remember that the callback is monitoring for process termination). This check is performed in the PsSetCreateProcessNotifyRoutine notification callback function. As before, this can be achieved by using the struct from Figure 2.

In this case the command_type parameter must assume value 1. The data_count is used to copy the data that follow this parameter. In our case it is ok to set 1 as value (1 DWORD is copied) and set the field my_pid to our PID. In this way, our PID is written to the it_s_a_me global variable, satisfying our second precondition.

Triggering process termination

At this point we have set the handle of the process to terminate (variable process_handle_to_terminate) and we can reach the ZwTerminateProcess function thanks to the variable it_s_a_me.

When our process exits, the PsSetCreateProcessNotifyRoutine notification callback will be called, the PID check will be satisfied by verifying that the variable it_s_a_me is equal to the process ID that is exiting, triggering ZwTerminateProcess on the process_handle_to_terminate process. All this means that when our process killer program exits, the target process will be killed 🙂
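To make the gating logic concrete, here is an added example that is not the driver’s code and not the s4killer source: a portable C model of the two driver callbacks as the post describes them, plus the user-mode sequence that drives them. Nothing in it talks to a real minifilter, so it compiles and runs anywhere. The struct field names (command_type, pid_to_kill, data_count, my_pid) and the global variable names come from the post; their sizes and ordering, and the use of a PID in place of the real process handle, are assumptions. The communication port name, which the post does not give, is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message layouts as the post describes them. Field names follow the post;
 * the real driver's field sizes and ordering are an assumption here. */
typedef struct {
    uint32_t command_type;  /* 3: open a handle to pid_to_kill */
    uint32_t pid_to_kill;
} set_target_msg_t;

typedef struct {
    uint32_t command_type;  /* 1: copy data_count DWORDs that follow */
    uint32_t data_count;    /* the post uses exactly 1 */
    uint32_t my_pid;        /* the DWORD copied into it_s_a_me */
} set_caller_msg_t;

/* The two driver globals the post names. Zero means "never set". The handle
 * ZwOpenProcess would return is modelled as the PID it was opened for. */
typedef struct {
    uint32_t process_handle_to_terminate;
    uint32_t it_s_a_me;
} driver_state_t;

/* What the process-notify callback ends up doing. */
enum notify_result {
    NOTIFY_IGNORED = 0,   /* Create == TRUE, or the exiting PID is not it_s_a_me */
    NOTIFY_TERMINATED,    /* ZwTerminateProcess(process_handle_to_terminate) reached */
    NOTIFY_BUGCHECK       /* handle never set: the KeBugCheckEx path (BSOD) */
};

/* Model of the MessageNotifyCallback behind FltCreateCommunicationPort:
 * what a FilterSendMessage() from user mode makes the driver do. */
bool driver_message_callback(driver_state_t *st, const void *buf, size_t len)
{
    uint32_t cmd;
    if (len < sizeof cmd) return false;
    memcpy(&cmd, buf, sizeof cmd);

    if (cmd == 3 && len >= sizeof(set_target_msg_t)) {
        const set_target_msg_t *m = buf;
        st->process_handle_to_terminate = m->pid_to_kill;  /* ZwOpenProcess(pid_to_kill) */
        return true;
    }
    if (cmd == 1 && len >= sizeof(set_caller_msg_t)) {
        const set_caller_msg_t *m = buf;
        if (m->data_count != 1) return false;  /* exactly one DWORD follows data_count */
        st->it_s_a_me = m->my_pid;
        return true;
    }
    return false;  /* other command_type values are not described in the post */
}

/* Model of the PsSetCreateProcessNotifyRoutine callback. */
enum notify_result driver_process_notify(const driver_state_t *st, uint32_t pid, bool create)
{
    if (create) return NOTIFY_IGNORED;                 /* only exits are monitored */
    if (pid != st->it_s_a_me) return NOTIFY_IGNORED;   /* not our process */
    if (st->process_handle_to_terminate == 0) return NOTIFY_BUGCHECK;
    return NOTIFY_TERMINATED;
}

/* The user-mode sequence from the post: set the target, register our PID,
 * then exit. Returns the PID the driver terminates, 0 if nothing happens,
 * or UINT32_MAX if the exit would hit the bugcheck path. */
uint32_t run_process_killer(uint32_t our_pid, uint32_t target_pid, bool set_target_first)
{
    driver_state_t st = {0, 0};

    if (set_target_first) {
        set_target_msg_t t = {3, target_pid};
        driver_message_callback(&st, &t, sizeof t);
    }
    set_caller_msg_t c = {1, 1, our_pid};
    driver_message_callback(&st, &c, sizeof c);

    /* Our own exit is what fires the callback. */
    switch (driver_process_notify(&st, our_pid, false)) {
    case NOTIFY_TERMINATED: return st.process_handle_to_terminate;
    case NOTIFY_BUGCHECK:   return UINT32_MAX;
    default:                return 0;
    }
}

int main(void)
{
    printf("correct order: terminates pid %u\n", run_process_killer(1000, 4242, true));
    printf("handle never set: %s\n",
           run_process_killer(1000, 4242, false) == UINT32_MAX ? "bugcheck (BSOD)" : "nothing");
    return 0;
}
```

The second call in main shows the failure mode the post warns about: registering our PID with command_type 1 without first sending command_type 3 leaves process_handle_to_terminate unset, so the exit notification reaches the KeBugCheckEx path instead of ZwTerminateProcess. Against the real driver the user-mode side would use FilterConnectCommunicationPort and FilterSendMessage from fltlib, and the process exit itself is the trigger.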

Source Code

Considering the plethora of such programs available on GitHub, releasing one more shouldn’t be a huge problem. You can find the source code that uses the analyzed driver in my GitHub account:

https://github.com/enkomio/s4killer

Be aware that the driver is registered with the flag FLTFL_REGISTRATION_DO_NOT_SUPPORT_SERVICE_STOP, meaning that the minifilter is not unloaded in response to service stop requests. In addition, the status STATUS_FLT_DO_NOT_DETACH is returned when you try to unload the driver with fltmc. To unload the driver you have to reboot the machine.
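Because a minifilter registered this way stays loaded until the next reboot, a periodic inventory of loaded minifilters is a practical way for a defender to notice an unexpected one on an endpoint. The following Python script is an added example and is not code from this post or from the s4killer repository: it parses the table printed by the fltmc filters command and reports any filter that is not on a per-environment allowlist. The sample fltmc output, the UnknownFlt name and the allowlist are constructed; the allowlist is assumed to be built from a known-good host of the same Windows build.

```python
import re
from dataclasses import dataclass

# Constructed sample of `fltmc filters` output (not captured from a real host).
# "UnknownFlt" is a placeholder standing in for a third-party minifilter that
# is not on the allowlist; it is not the driver analyzed in the post.
SAMPLE_FLTMC_OUTPUT = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                7       328010         0
storqosflt                              0       244000         0
luafv                                   1       135000         0
FileInfo                                7        40500         0
UnknownFlt                              2       385200         0
"""

# Assumption: the allowlist is generated per environment from a known-good
# host; the names below are built-in Windows minifilters used as a sample.
BASELINE_ALLOWLIST = {
    "bindflt", "wdfilter", "storqosflt", "wcifs", "cldflt",
    "filecrypt", "luafv", "npsvctrig", "wof", "fileinfo",
}


@dataclass(frozen=True)
class Minifilter:
    name: str
    instances: int
    altitude: str   # kept as text: altitudes may carry a decimal part
    frame: int


# One data row: name, instance count, altitude, frame number.
# Header and separator lines do not match because their second column
# is not numeric.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$")


def parse_fltmc(output: str) -> list[Minifilter]:
    """Parse the table printed by `fltmc filters` into Minifilter records."""
    filters = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        name, instances, altitude, frame = m.groups()
        filters.append(Minifilter(name, int(instances), altitude, int(frame)))
    return filters


def unexpected_filters(output: str, allowlist=BASELINE_ALLOWLIST) -> list[Minifilter]:
    """Return the loaded minifilters whose names are not on the allowlist."""
    return [f for f in parse_fltmc(output) if f.name.lower() not in allowlist]


if __name__ == "__main__":
    # On a real host: run `fltmc filters`, capture stdout and pass it here.
    for f in unexpected_filters(SAMPLE_FLTMC_OUTPUT):
        print(f"unexpected minifilter: {f.name} "
              f"(altitude {f.altitude}, instances {f.instances})")
```

The name comparison is case-insensitive because fltmc prints the name as registered by the driver. Feeding the script the real command output (fltmc filters needs an elevated prompt) and diffing the result against the baseline is enough to catch a filter that a service stop cannot remove.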

Conclusion

The goal of this blog post was to demonstrate how malware uses the BYOVD technique to kill EDR processes. I analyzed a previously unknown vulnerable driver (to the best of my knowledge, of course), demonstrating how a minifilter can also be abused for this purpose.

Bonus

I’m currently focused on the BYOVD technique used by malware to kill processes, so I haven’t searched for more vulnerabilities in the driver. However, there is a nice buffer overflow in it, but I’m unsure whether it is exploitable or not 🙂

This analysis and other interesting posts are available here:

https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html

About the author:

Antonio Parata, Principal Security Researcher at CrowdStrike

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BYOVD)

macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

10 February 2024 at 09:11

Bitdefender Researchers linked a new macOS backdoor, named RustDoor, to the Black Basta and Alphv/BlackCat ransomware operations.

Researchers from Bitdefender discovered a new macOS backdoor, dubbed RustDoor, which appears to be linked to ransomware operations Black Basta and Alphv/BlackCat.

RustDoor is written in the Rust language and supports multiple features. The malware impersonates a Visual Studio update and was designed to support both Intel and Arm architectures.

The malware has been active since at least November 2023, but it was first spotted on February 2nd, 2024.

Researchers identified multiple RustDoor variants, and most of the samples share the same core functionalities with minor variations. The experts grouped these variants into Variant 1, 2 and Zero.

All the variants support commands that allow operators to gather and upload files, and gather information about the machine.

The first variant of the backdoor that was detected in November 2023 was likely a test version that did not support a persistence mechanism. The researchers noticed that the backdoor contained a plist file named ‘test’.

The second variant, spotted at the end of November, contained a complex JSON configuration as well as an embedded AppleScript used for exfiltration.

“We identified multiple variants of the embedded Apple script, but all of them are meant for data exfiltration.” reads the report published by Bitdefender. “The script is used to exfiltrate documents with specific extensions and sizes from Documents and Desktop folders, as well as the notes of the user, stored in SQLITE format.”


The configuration files include a list of applications to impersonate; the backdoor uses this trick to spoof the dialog that prompts for the administrator password.

“Some configurations also include specific instructions about what data to collect, such as the maximum size and maximum number of files, as well as lists of targeted extensions and directories, or directories to exclude.” Bitdefender continues.

The “Variant Zero,” first spotted on 02.11.2023, is less complex than the other variants and doesn’t include an AppleScript or an embedded configuration.

The analysis of artifacts and IoCs revealed a possible link with the Black Basta and ALPHV/BlackCat ransomware operations.

“Specifically, three out of the four command and control servers have been previously associated with ransomware campaigns targeting Windows clients. ALPHV/BlackCat is a ransomware family (also written in Rust), that first made its appearance in November 2021, and that has pioneered the public leaks business model.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

CISA adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog

10 February 2024 at 20:18

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiOS Out-of-Bound write vulnerability, tracked as CVE-2024-21762, to its Known Exploited Vulnerabilities (KEV) catalog.

This week Fortinet warned that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild.

The security firm did not provide details about the attacks exploiting this vulnerability.

The issue is an out-of-bounds write vulnerability that can be exploited by sending specially crafted HTTP requests to vulnerable instances. The vendor recommends disabling SSL VPN as a workaround.

“A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests.” reads the advisory.

“Workaround : disable SSL VPN (disable webmode is NOT a valid workaround). Note: This is potentially being exploited in the wild.”

The following table includes the list of the impacted versions and the available versions that solve the issue.

Version     | Affected              | Solution
FortiOS 7.6 | Not affected          | Not Applicable
FortiOS 7.4 | 7.4.0 through 7.4.2   | Upgrade to 7.4.3 or above
FortiOS 7.2 | 7.2.0 through 7.2.6   | Upgrade to 7.2.7 or above
FortiOS 7.0 | 7.0.0 through 7.0.13  | Upgrade to 7.0.14 or above
FortiOS 6.4 | 6.4.0 through 6.4.14  | Upgrade to 6.4.15 or above
FortiOS 6.2 | 6.2.0 through 6.2.15  | Upgrade to 6.2.16 or above
FortiOS 6.0 | 6.0 all versions      | Migrate to a fixed release

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 16, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Fortinet)

Security Affairs newsletter Round 458 by Pierluigi Paganini – INTERNATIONAL EDITION

11 February 2024 at 12:04

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

CISA adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog
macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations
Exploiting a vulnerable Minifilter Driver to create a process killer
Black Basta ransomware gang hacked Hyundai Motor Europe
Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN
Ivanti warns of a new auth bypass flaw in its Connect Secure, Policy Secure, and ZTA gateway devices
26 Cyber Security Stats Every User Should Be Aware Of in 2024
US offers $10 million reward for info on Hive ransomware group leaders
Unraveling the truth behind the DDoS attack from electric toothbrushes
China-linked APT Volt Typhoon remained undetected for years in US infrastructure
Cisco fixes critical Expressway Series CSRF vulnerabilities
CISA adds Google Chromium V8 Type Confusion bug to its Known Exploited Vulnerabilities catalog
Fortinet addressed two critical FortiSIEM vulnerabilities
Experts warn of a critical bug in JetBrains TeamCity On-Premises
Critical shim bug impacts every Linux boot loader signed in the past decade
China-linked APT deployed malware in a network of the Dutch Ministry of Defence
Commercial spyware vendors are behind most zero-day exploits discovered by Google TAG
Google fixed an Android critical remote code execution flaw
A man faces up to 25 years in prison for his role in operating unlicensed crypto exchange BTC-e
U.S. Gov imposes visa restrictions on individuals misusing Commercial Spyware
HPE is investigating claims of a new security breach
Experts warn of a surge of attacks targeting Ivanti SSRF flaw 
How to hack the Airbus NAVBLUE Flysmart+ Manager
Crooks stole $25.5 million from a multinational firm using a ‘deepfake’ video call
Software firm AnyDesk disclosed a security breach
The ‘Mother of all Breaches’: Navigating the Aftermath and Fortifying Your Data with DSPM
US government imposed sanctions on six Iranian intel officials
A cyberattack impacted operations at Lurie Children’s Hospital
AnyDesk Incident: Customer Credentials Leaked and Published for Sale on the Dark Web

Cybercrime

Following The AnyDesk Incident: Customer Credentials Leaked And Published For Sale On The Dark Web  

Another Chicago hospital announces cyberattack  

HK firm scammed of RM120mil after employee duped by video call with deepfake of CFO  

Foreign National Charged for International Money Laundering Conspiracy and Role in Operation of Unlicensed Digital Currency Exchange BTC-e  

THE $6M DOLLAR SCAM: BLING WATCHES, BROKEN HEARTS, AND THE CURIOUS TALE OF “CLASSIC BAGGIE”  

Malware

Outsmarting Ransomware’s New Playbook

Buying Spying: How the commercial surveillance industry works and what can be done about it 

New MacOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group  

RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS 

Hacking

AnyDesk Incident Response 2-2-2024 

CVE-2024-21893 Technical Analysis

Hacking Electronic Flight Bags. Airbus NAVBLUE Flysmart+ Manager  

THE REAL SHIM SHADY – HOW CVE-2023-40547 IMPACTS MOST LINUX SYSTEMS 

HijackLoader Expands Techniques to Improve Defense Evasion 

New Fortinet RCE flaw in SSL VPN likely exploited in attacks

Iran accelerates cyber ops against Israel from chaotic start  

Intelligence and Information Warfare 

Treasury Sanctions Actors Responsible for Malicious Cyber Activities on Critical Infrastructure  

Why China Can’t Export Its Model of Surveillance   

MIVD reveals Chinese espionage methods in the Netherlands  

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

AI-Generated Voices in Robocalls Are Now Illegal  

Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.)  

Cybersecurity          

Announcement of a Visa Restriction Policy to Promote Accountability for the Misuse of Commercial Spyware   

Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917) – Update to 2023.11.3 Now

Cybersecurity expert says the next generation of identity theft is here: ‘Identity hijacking’     

Were 3 Million Toothbrushes Really Used for a DDoS Attack?

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

Raspberry Robin spotted using two new 1-day LPE exploits

11 February 2024 at 19:37

Raspberry Robin continues to evolve: it was spotted using two new 1-day exploits for vulnerabilities, used either before or only a short time after their public disclosure, and using Discord to host samples.

Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary; the malware propagates through removable USB devices.

The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious DLL. The malware uses TOR exit nodes as a backup C2 infrastructure.

The malware was first spotted in September 2021, when the experts observed it targeting organizations in the technology and manufacturing industries. Initial access is typically through infected removable drives, often USB devices.


The malware uses cmd.exe to read and execute a file stored on the infected external drive, and it leverages msiexec.exe for external network communication to a rogue domain used as C2 to download and install a DLL library file.

Check Point researchers have now detailed the evolution of the threat: the Raspberry Robin authors integrated two new 1-day LPE (local privilege escalation) exploits. The experts believe that the operators either have access to an exploit seller or developed the exploits themselves.

The researchers noticed that Raspberry Robin is continually updated with new features and supports new evasion capabilities.

The malicious code also changed its communication method and lateral movement to avoid detection.

Raspberry Robin is now spreading by disguising itself as a legitimate Windows component.

“Since last October, we have seen large waves of attacks against our customers worldwide. Since our last report, it is clear that Raspberry Robin hasn’t stopped implementing new features and tricks that make it even harder to analyze.” reads the report published by Checkpoint. “Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web.”

The vulnerability CVE-2023-36802 is a Type Confusion issue in Microsoft Streaming Service Proxy. A local attacker can exploit the flaw to escalate privileges to SYSTEM (Local Privilege Escalation). The vulnerability is triggered when one of the following IOCTLs.

The vulnerability was disclosed on September 12, but researchers reported it had been exploited in the wild for some time before its disclosure. Researchers from cybersecurity firm Cyfirma reported that an exploit for CVE-2023-36802 was available for sale on Dark Web forums in February 2023, while Microsoft and CISA warned about its exploitation in September.

Raspberry Robin started using an exploit for CVE-2023-36802 in October 2023. In 2023, Valentina Palmiotti published details of CVE-2023-36802 and its exploitation.

The analysis of samples from before October revealed that the operators also used an exploit for CVE-2023-29360. The exploit for CVE-2023-29360 was publicly disclosed in June, and Raspberry Robin employed it in August.

“Even though this is a pretty easy vulnerability to exploit, the fact that the exploit writer had a working sample before there was a known exploit in GitHub is impressive as is how quickly Raspberry Robin used it.” continues the report.

The researchers conclude that the Raspberry Robin operators purchased the 1-day exploits from an exploit developer, for the following reasons:

  • “The exploits are used as an external 64-bit executable. If the Raspberry Robin authors were the developers of the exploits, then they would have probably used the exploits in the main component itself. In addition, the exploits would be packed in the same way and have the same format as the different stages of the main component.
  • The exploits are only available for 64-bit.
  • The exploits are not heavily obfuscated and don’t have Control flow flattening and variable masking as in Raspberry Robin’s main component.”

The report includes Indicators of Compromise (IoCs) for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

US Feds arrested two men involved in the Warzone RAT operation

12 February 2024 at 08:24

The U.S. Justice Department (DoJ) seized the infrastructure that was used to sell the remote access trojan (RAT) Warzone RAT.

The Justice Department announced the seizure of internet domains used to sell the remote access Trojan Warzone RAT (www.warzone[.]ws).

The seizure is the result of an international law enforcement operation; federal authorities in Atlanta and Boston charged individuals in Malta and Nigeria for their involvement in selling the malware.

According to court documents, the FBI covertly purchased and analyzed the Warzone RAT.

“Federal authorities in Boston seized www.warzone.ws and three related domains, which together offered for sale the Warzone RAT malware — a sophisticated remote access trojan (RAT) capable of enabling cybercriminals to surreptitiously connect to victims’ computers for malicious purposes.” reads the press release published by DoJ. “According to court documents authorizing the seizures, the Warzone RAT provided cybercriminals the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras, all without the victims’ knowledge or permission.”

Investigations conducted by the US authorities led to two indictments against two men, Daniel Meli (27) and Prince Onyeoziri Odinakachi (31).

The two individuals are charged with selling and supporting the Warzone RAT and other malware.

Meli allegedly provided cybercriminals with malware products and services via online hacking forums. He is suspected of aiding cybercriminals in deploying Remote Access Trojans (RATs) for malicious purposes and selling instructional tools, including an eBook. Meli sold the Warzone RAT and, previously, the Pegasus RAT, distributed through the criminal organization Skynet-Corporation. Furthermore, he allegedly offered customer support to buyers of both RATs.

Meli offered malware products and services for sale to cybercriminals through online computer-hacking forums. Specifically, Meli allegedly assisted cybercriminals seeking to use RATs for malicious purposes and offered teaching tools for sale, including an eBook. Meli also allegedly sold both the Warzone RAT and, before that, malware known as the Pegasus RAT, which he sold through an online criminal organization called Skynet-Corporation. The man also provided online customer support to purchasers of both RATs.

The second man, Prince Onyeoziri Odinakachi, from Nigeria, was indicted by a federal grand jury in the District of Massachusetts on January 30. He is accused of conspiracy to commit various cybercrimes, such as gaining authorized access to protected computers and causing unauthorized damage to protected computers. Between June 2019 and March 2023, Odinakachi provided online customer support to individuals who purchased and utilized the Warzone RAT malware.

The two individuals were arrested on February 7, 2024.

“The charges of conspiracy, obtaining authorized access to protected computers to obtain information, illegally selling an interception device, and illegally advertising an interception device each provide for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000, or twice the gross gain or loss, whichever is greater.” concludes DoJ. “The charge of causing unauthorized damage to protected computers provides for a sentence of up to 10 years in prison, three years of supervised release, and a fine of $250,000, or twice the gross gain or loss, whichever is greater.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, malware)

9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data

12 February 2024 at 08:50

Exploring the Risks: Unveiling 9 Potential Techniques Hackers Employ to Exploit Public Wi-Fi and Compromise Your Sensitive Data

We’ve all used public Wi-Fi: it’s convenient, saves our data, and speeds up browsing. But while we enjoy its benefits, hackers do too. Here, we’ll explore how cybercriminals exploit public Wi-Fi to access your private data and possibly steal your identity. Plus, we’ll discuss ways to protect yourself when using public Wi-Fi, even when you have no other option.

1.   Man-in-the-Middle Attacks (MITM)

When a hacker intercepts communication between two parties, it’s called a Man-in-the-Middle (MITM) attack. Instead of data going directly between you and the server, the hacker sneaks in and can even show you their own version of a website, including fake messages.

Public Wi-Fi users are prime targets for MITM attacks because the information they send is often not encrypted, meaning it’s easy for hackers to access your data. Once they’re in, they can grab your emails, usernames, passwords, and more. They might even lock you out of your own accounts by resetting your passwords.

Look for the “https” in the website’s URL—it means there’s some level of encryption. Avoid entering any data if you see a warning message about a site’s authenticity. Most browsers will alert you if a site isn’t secure.

2.   Fake Wi-Fi Connections

Also known as the “Evil Twin,” this type of attack tricks you into joining a fake Wi-Fi network set up by a hacker. They can then intercept all the data you send over that network, without you even realizing it.

Creating a fake Wi-Fi network is surprisingly easy for cybercriminals, and they often do it near genuine hotspots to lure in unsuspecting victims.

Be cautious if you see two Wi-Fi networks with similar names. If you’re unsure, ask the staff at the place where you’re connecting to Wi-Fi. Also, consider using a Virtual Private Network (VPN) to encrypt your data and make it unreadable to hackers.

3.   Packet Sniffing

This method allows hackers to capture data packets flying through unencrypted networks and analyze them at their leisure. Packet sniffing isn’t always illegal – IT departments use it to maintain security – but it’s also a favorite tool for cybercriminals looking to steal passwords and other sensitive information.

Invest in a VPN to encrypt your data and ensure the websites you use have SSL/TLS certificates (look for “https” in the URL).

4.   Sidejacking (Session Hijacking)

Sidejacking or Session Hijacking is like packet sniffing in real-time. Hackers use intercepted data to hijack your current session on a website, giving them access to your private accounts and information.

While they can’t directly read your password, they can still download malware or gather enough information to steal your identity.

Use a VPN to encrypt your data and always log out of your accounts when you’re finished using them, especially on public Wi-Fi. Check your social media accounts for active sessions and log out of any you don’t recognize.

5.   Shoulder-Surfing

Sometimes, the simplest scams are the most effective. Shoulder-surfing involves someone watching over your shoulder as you type in passwords or other personal information.

Be aware of your surroundings and who might be watching you. If you’re unsure, avoid entering sensitive information or use a privacy screen to block prying eyes.

6.   DNS Spoofing

DNS (Domain Name System) is like the internet’s phone book, translating domain names into IP addresses. Hackers can manipulate DNS settings to redirect your internet traffic to malicious websites, even if you entered the correct web address.

Consider using a reputable DNS service or a VPN that offers DNS encryption to prevent your traffic from being redirected.

7.   Wi-Fi Phishing

Similar to email phishing scams, Wi-Fi phishing involves setting up fake Wi-Fi networks that mimic legitimate ones. When users connect to these networks, hackers can intercept their data or trick them into entering sensitive information.

Always verify the authenticity of Wi-Fi networks before connecting, especially in public places. Avoid connecting to networks with generic names like “Free Wi-Fi” and be cautious of any network that requires you to input personal information to connect.

8.   Rogue Access Points

Hackers can set up their own wireless access points in public spaces, posing as legitimate hotspots. Once connected, they can monitor and capture users’ data or launch attacks on their devices.

Use a VPN to encrypt your internet traffic and avoid connecting to unfamiliar Wi-Fi networks. If you’re unsure about a network’s legitimacy, ask an employee or look for signage indicating the official Wi-Fi network.

9.   Keyloggers

Keyloggers are malicious software or hardware devices that record keystrokes on a computer or mobile device. If a hacker manages to install a keylogger on a public computer or compromised device, they can capture usernames, passwords, and other sensitive information entered by users.

Avoid using public computers for sensitive activities like online banking or entering passwords. If you must use a public computer, consider using a virtual keyboard or typing sensitive information in a secure document and then copying and pasting it into the intended fields.

Wrapping Up

In conclusion, while public Wi-Fi offers convenience and connectivity, it also presents numerous security risks. Hackers employ various tactics such as man-in-the-middle attacks, fake Wi-Fi connections, and packet sniffing to steal sensitive data from unsuspecting users. It’s essential to consider a VPN as it can provide an extra level of security to your online activities, especially when you’re using public Wi-Fi or handling sensitive information. When you change your virtual location on an iPhone, computer, or any other device and hide your real IP address, you can protect yourself from potential security threats.

However, by implementing security measures like using VPNs, verifying Wi-Fi network authenticity, and practicing vigilance against common threats, individuals can safeguard their personal information and minimize the risks associated with using public Wi-Fi. It’s crucial to remain vigilant and take proactive steps to protect oneself in an increasingly interconnected digital world.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Public Wi-Fi)

ExpressVPN leaked DNS requests due to a bug in the split tunneling feature

12 February 2024 at 11:04

A bug in the split tunneling feature implemented in ExpressVPN exposed the domains visited by the users.

ExpressVPN addressed a bug in the split tunneling feature that exposed the domains visited by users to the DNS servers configured on the computer.

The company opted to temporarily remove the feature from the Windows app to address the issue. The feature will be re-enabled in a future release once the company has fixed the bug.

The issue was introduced in ExpressVPN Windows versions 12.23.1 through 12.72.0, released from May 19, 2022 onward; it has been fixed in the Version 12 app for Windows.

The issue was discovered by Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET. Tomaschek noticed that DNS requests on his Windows machine weren’t being directed to ExpressVPN’s dedicated servers when he had activated the split tunneling feature, which is used to limit which apps send their traffic through the VPN. The expert noticed that the DNS queries were sent to the DNS server configured on the computer.

“When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server. But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider or ISP.” reads the advisory. “This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior. All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.”

The advisory published by the company states that the issue is believed to impact less than 1% of users on a single app platform, Version 12 for Windows. The company also announced an investigation into the bug.

“We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected.” reads the advisory.

In any case, disabling the split tunneling feature prevents the leak of DNS requests.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, ExpressVPN)

Canada Gov plans to ban the Flipper Zero to curb car thefts

12 February 2024 at 14:09

The Canadian government is going to ban the tool Flipper Zero because it is abused by crooks to steal vehicles in the country.

The Canadian government announced that it plans to ban the tool Flipper Zero, and similar hacking devices, to curb the surge in car thefts.

Flipper Zero is “a portable multi-tool for pentesters and geeks in a toy-like body. It allows hacking digital stuff, such as radio protocols, access control systems, hardware, and more,” reads the official website. The tool is fully open-source and customizable, so you can extend it in whatever way you like.

Car thieves can use the tool to carry out replay attacks that can unlock the vehicles.

“Auto theft is a problem the government can’t tackle alone.” said Canadian Industry Minister François-Philippe Champagne. “Criminals have been using sophisticated tools to steal cars. And Canadians are rightfully worried. Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, used to commit these crimes.”


In Canada, the authorities estimate that 90,000 vehicles are stolen a year, equating to one car stolen every six minutes. Beyond the social implications, auto theft imposes significant economic burdens on Canadian car owners, resulting in approximately $1 billion in annual losses. This includes substantial costs for insurers, reaching an estimated $542 million annually, to repair or replace stolen vehicles.

“As a participant in the National Summit on Combatting Auto Theft, we recognize the need to coordinate and enhance efforts to combat auto theft in Canada, with a particular focus on regions that are being disproportionately impacted.” reads the Statement of Intent on Combatting Auto Theft published by the Canadian Government. “We recognize that combatting auto theft is complex, consisting of many points of possible deterrence and intervention including prevention, detection, enforcement and recovery.”

Innovation, Science and Economic Development Canada will work with Canadian companies, and the automotive industry, to develop new solutions to protect vehicles against theft and to assist with recovery of stolen vehicles.

The Canadian government’s Innovation, Science and Economic Development (ISED) is focused on banning any tool that can be abused to steal cars.

“ISED will pursue all avenues to ban devices used to steal vehicles by copying the wireless signals for remote keyless entry, such as the Flipper Zero, which would allow for the removal of those devices from the Canadian marketplace through collaboration with law enforcement agencies.” reads a statement from the Canadian Government.

Flipper Zero denied the use of their tool to steal vehicles.

“We’d appreciate it if you could provide any evidence of Flipper Zero being involved in any criminal activities of this kind. We’re not aware of any events like this and frankly speaking not sure what was the reason for this discussion to begin with.” reads a message published by the company on X.

Dear François-Philippe,

We'd appreciate it if you could provide any evidence of Flipper Zero being involved in any criminal activities of this kind. We're not aware of any events like this and frankly speaking not sure what was the reason for this discussion to begin with.

— Flipper Zero (@flipper_zero) February 9, 2024

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Flipper Zero)

CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog

12 February 2024 at 18:53

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Roundcube Webmail Persistent Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2023-43770, to its Known Exploited Vulnerabilities (KEV) catalog.

Roundcube is an open-source web-based email client. It provides a user-friendly interface for accessing email accounts via a web browser. Users can send and receive emails, manage their contacts, organize messages into folders, and perform various other email-related tasks. Roundcube supports standard email protocols such as IMAP and SMTP, making it compatible with a wide range of email servers.

The exploitation of the vulnerability can lead to information disclosure via malicious link references in plain/text messages.

The vulnerability, discovered by Niraj Shivtarka, impacts Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3; it was fixed with the release of version 1.6.3.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 4, 2024.

In October, Russia-linked APT group Winter Vivern (aka TA473) was observed exploiting another zero-day flaw in Roundcube webmail software.

ESET researchers pointed out that it is a different vulnerability from CVE-2020-35730, which the group exploited in other attacks.

ESET reported the zero-day to Roundcube, and the company patched the issue on October 14th, 2023. The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
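A fleet-inventory check for the two Roundcube issues this article mentions, as an added example (my code, not Roundcube's or CISA's): the per-branch fixed releases are the ones stated above, the key used for the October 2023 zero-day is a placeholder because the page does not give its CVE id, and the helper names are my own.

```python
"""Check an installed Roundcube version against the affected ranges named above.

Added example, not Roundcube's or CISA's code.  The per-branch fixed releases
come from the article; the advisory keys and function names are my own.
"""

# First fixed release per "major.minor" branch.  "before 1.4.14" in the advisory
# also covers every branch older than 1.4, which the lookup below handles.
ADVISORIES = {
    "CVE-2023-43770": {"1.4": (1, 4, 14), "1.5": (1, 5, 4), "1.6": (1, 6, 3)},
    # The zero-day ESET reported, patched October 14th, 2023; the page does not
    # name its CVE id, so a placeholder key is used here.
    "ROUNDCUBE-ZERO-DAY-OCT-2023": {"1.4": (1, 4, 15), "1.5": (1, 5, 5), "1.6": (1, 6, 4)},
}


def parse_version(text: str) -> tuple:
    """Turn '1.6.3', '1.6' or a packaged string such as '1.6.3-1' into (1, 6, 3)."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


def is_affected(version: str, advisory: str) -> bool:
    """True when `version` precedes the fix for its branch under `advisory`."""
    v = parse_version(version)
    fixes = ADVISORIES[advisory]
    branch = f"{v[0]}.{v[1]}"
    if branch in fixes:
        return v < fixes[branch]
    # Branch not listed: anything older than the oldest fixed branch never
    # received a fix; anything newer was released after the fixes.
    return v < min(fixes.values())


def check_version(version: str) -> dict:
    """Map each advisory to whether `version` is affected by it."""
    return {name: is_affected(version, name) for name in ADVISORIES}


if __name__ == "__main__":
    for v in ("1.4.13", "1.5.4", "1.6.3", "1.6.4"):
        print(v, check_version(v))
```

Note that 1.6.3 closes CVE-2023-43770 but is still hit by the October zero-day, so a host patched for the first advisory is not necessarily patched for the second; also, distribution packages that backport fixes without bumping the version string will show as affected, so treat a hit as a prompt to read the package changelog rather than as proof of exposure.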

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

Researchers released a free decryption tool for the Rhysida Ransomware

12 February 2024 at 22:43

Researchers discovered a vulnerability in the code of the Rhysida ransomware that allowed them to develop a decryption tool.

Cybersecurity researchers from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an implementation vulnerability in the source code of the Rhysida ransomware.

The experts exploited the vulnerability to reconstruct encryption keys and developed a decryptor that allows victims of the Rhysida ransomware to recover their encrypted data for free.

“This study examines Rhysida ransomware, which caused significant damage in the second half of 2023, and proposes a decryption method. Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data. However, an implementation vulnerability existed that enabled us to regenerate the internal state of the random number generator at the time of infection.” reads the paper published by the researchers. “We successfully decrypted the data using the regenerated random number generator. To the best of our knowledge, this is the first successful decryption of Rhysida ransomware.”

The implementation vulnerability resides in the encryption scheme implemented by the ransomware, specifically in the way it seeds its cryptographically secure pseudorandom number generator (CSPRNG).

The CSPRNG is used to generate the encryption key, which is unique for each attack.

“The random number generator takes a seed as input, sets it as the initial internal state, and generates a sequence of random numbers according to a defined rule. Therefore, if we can identify the initial internal state, regenerating the random number becomes feasible.” reads the paper.

By exploiting the flaw, the researchers demonstrated that it is possible to recover the internal state of the CSPRNG and use it to regenerate the key needed to decrypt the data.

The Rhysida ransomware uses CSPRNG, which is based on the ChaCha20 algorithm provided by the LibTomCrypt library.

The researchers noticed that the random numbers generated by the CSPRNG depend on the execution time of the ransomware. The time value used as a seed is 32-bit data, which implies that the number of possible CSPRNG states is at most 2^32.

The experts also discovered that the ransomware manages a list of files that it is going to encrypt. The ransomware uses various concurrent threads that encrypt the files in a specific order.

“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file. Of these, the first 48 bytes are used as the encryption key and the Initial Vector.” continues the paper.

Based on these observations, the researchers recovered the initial seed, identified the order in which the files had been encrypted, and ultimately restored the data without paying any ransom.
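To show why a 32-bit time seed defeats an otherwise sound CSPRNG, here is an added example (my code, not the researchers' decryptor). The generator and the per-file cipher are SHA-256 stand-ins rather than LibTomCrypt's ChaCha20 PRNG and Rhysida's actual cipher; the 80-byte draw per file, with key and IV in the first 48 bytes, follows the paper as quoted above; the "victim sample" is constructed in the block. The paper's full 2^32 search is not attempted here: the search is narrowed to a window around the estimated infection time, which an analyst would take from the encrypted file's timestamp.

```python
"""Recover a time-based seed from one encrypted file with a known header.

Added example modelled on the weakness described above, not the researchers'
decryptor.  Both generators below are SHA-256 stand-ins (assumption) for the
ChaCha20-based LibTomCrypt PRNG and the file cipher; the 80-byte draw per
file, with key then IV in its first 48 bytes, follows the paper.
"""
import hashlib
import struct

BYTES_PER_FILE = 80   # random bytes the encryption thread draws for one file
KEY_LEN = 32          # first 32 of the 48 bytes: key
IV_LEN = 16           # next 16: IV


def prng_stream(seed: int, nbytes: int) -> bytes:
    """Stand-in CSPRNG: output is fully determined by the 32-bit seed."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack("<II", seed & 0xFFFFFFFF, counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def file_key_iv(seed: int, file_index: int) -> tuple:
    """Key and IV handed to the file_index-th file encrypted from this seed."""
    start = BYTES_PER_FILE * file_index
    chunk = prng_stream(seed, start + BYTES_PER_FILE)[start:start + BYTES_PER_FILE]
    return chunk[:KEY_LEN], chunk[KEY_LEN:KEY_LEN + IV_LEN]


def cipher_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Stand-in stream cipher keyed by (key, IV)."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + iv + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_seed(cipher_head: bytes, known_head: bytes,
                 t_low: int, t_high: int, file_index: int = 0):
    """Try every seed in [t_low, t_high]; return the one whose key/IV turn
    cipher_head back into the known plaintext header, else None."""
    for seed in range(t_low, t_high + 1):
        key, iv = file_key_iv(seed, file_index)
        if xor_bytes(cipher_head, cipher_keystream(key, iv, len(known_head))) == known_head:
            return seed
    return None


# --- constructed victim sample -------------------------------------------
INFECTION_TIME = 1_700_000_000                   # constructed epoch seed
KNOWN_HEADER = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"  # a PDF's first bytes are predictable


def constructed_sample(seed: int = INFECTION_TIME, file_index: int = 0) -> bytes:
    """The ciphertext header an analyst would read from the first hit file."""
    key, iv = file_key_iv(seed, file_index)
    return xor_bytes(KNOWN_HEADER, cipher_keystream(key, iv, len(KNOWN_HEADER)))


def demo(window: int = 900) -> dict:
    """Search +/- `window` seconds around the file's timestamp (here the true
    time plus five minutes of clock skew, so the estimate is deliberately off)."""
    sample = constructed_sample()
    estimate = INFECTION_TIME + 300
    found = recover_seed(sample, KNOWN_HEADER, estimate - window, estimate + window)
    return {"recovered_seed": found, "matches_truth": found == INFECTION_TIME}


if __name__ == "__main__":
    print(demo())
```

The point the paper makes survives the stand-ins: once the only secret input to the generator is a 32-bit timestamp, the entire key hierarchy for every file collapses to a search over seconds, and a single file with a predictable header is enough to confirm the right seed.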

Rhysida Ransomware

“By exploiting these vulnerabilities, we managed to reconstruct the encryption key and recover the encrypted system. This challenges the common belief that ransomware makes data irretrievable without fulfilling the ransom demand. While these findings are based on a limited scope, it is crucial to recognize that certain ransomwares, as demonstrated in this paper, can indeed be successfully decrypted.” concludes the paper.

The Rhysida ransomware group has been active since May 2023. According to the gang’s Tor leak site, at least 62 companies are victims of the operation.

The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. The victims of the group are “targets of opportunity.”

In December 2023, FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks. The advisory is part of the ongoing #StopRansomware effort, disseminating information about tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups.

The report includes IOCs and TTPs identified through investigations as recently as September 2023.

Rhysida actors leverage external-facing remote services (e.g. VPNs, RDPs) to gain initial access to the target network and maintain persistence. The group relied on compromised credentials to authenticate to internal VPN access points. According to the advisory, the threat actors have exploited Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol in phishing attempts.

The group relies on living-off-the-land techniques, such as native (built into the operating system) network administration tools, to perform malicious operations.

Pierluigi Paganini

(SecurityAffairs – Hacking, ransomware)

Residential Proxies vs. Datacenter Proxies: Choosing the Right Option

12 February 2024 at 18:58

Residential Proxies vs. Datacenter Proxies: this blog post examines the contours of each type and provides info on how to choose the perfect proxy option

In the robust landscape of the digital era, our need for privacy, security, and accessibility on the internet has never been more acute. Whether it’s for gathering market intelligence, ensuring your privacy, or bypassing geographical restrictions, proxies have become the unsung heroes for individuals and enterprises alike. But when it’s time to pick the right proxy for your needs, you might find yourself at a crossroads between residential and datacenter proxies. Let’s embark on a journey to discover the contours of each type and traverse the path to choosing the perfect proxy option for you.

Proxies serve as intermediaries between you and the internet, a kind of digital masquerade that conceals your IP address, lending you another. Imagine walking into a virtual masquerade ball; the mask you choose—whether the suave residential or the discrete datacenter—determines how you interact with other guests (websites) and how hosts (servers) perceive you.

Understanding the Difference Between Residential and Datacenter Proxies

At the heart of this decision is understanding the two main contestants: residential proxies and datacenter proxies.

Residential Proxies: The Noble Disguise

Residential proxies are like the knights in shining armour of the proxy world; they come with legitimate, ISP-issued IP addresses that trace back to an actual device in a real location. These proxies give you the appearance of a genuine user, blending in with the crowd seamlessly. They’re exceptionally useful for tasks that require a high level of legitimacy and are less likely to be blocked or banned, making them ideal for sensitive operations like web scraping, ad verification, and accessing geo-restricted content.

Imagine you’re doing market research and you need access to local pricing across different regions. Residential proxies ensure that your requests are seen as coming from a resident of the target location. In this guise, websites are much more hospitable, allowing you uninhibited access to the data that is usually hidden from outsiders.

Datacenter Proxies: The Efficient Masquerade

In contrast, datacenter proxies are the mavericks of the proxy world. They’re not affiliated with any ISP and don’t correspond to a particular residential address. Instead, they’re housed in data centres around the globe, providing you with a non-residential IP address. Their strength lies in speed and cost-effectiveness, making them perfect for tasks that require swift execution, like brand protection or bulk account creation.

Due to their nature, datacenter proxies can raise red flags for some websites, leading to a higher chance of being blocked if used recklessly. However, with proper rotation and usage, they can offer a speedy solution for your internet endeavours without the higher price tag of their residential counterparts.

So, how do you choose between the knight and the maverick? It really boils down to your specific needs.

The Case for Residential Proxies

Residential proxies are your go-to for high-stake tasks that necessitate undisputed legitimacy. If you’re managing social media accounts for influencer marketing or performing competitor analysis, residential proxies provide the reliability you need. They’re less likely to get blocked or blacklisted, offering you a sustainable solution for long-term operations.

Consider a brand that needs to ensure its advertisements are appearing properly across different regions. Residential proxies can facilitate the process by enabling the brand to see what their ads look like from various locations around the globe.

The Argument for Datacenter Proxies

But what if your task is more about straightforward functionality than cloak-and-dagger finesse? Datacenter proxies have you covered. With their swift connectivity and lower costs, they gleam with the allure of efficiency. They’re particularly well-suited for situations where you need a large number of IPs at your disposal or when you’re executing tasks that are less sensitive to the authenticity of your IP address.

Imagine a scenario where you’re validating the integrity of your website by performing numerous stress tests. In this case, datacenter proxies provide the anonymity and variation required without the added cost of residential IPs.

The beauty lies in the balance. Some prefer the chivalrous assurance of residential proxies, while others opt for the cost-effective agility of datacenter proxies. Also, it’s worth noting that advancements in technology have introduced rotating proxies—a service like GoProxies promises to offer the best of both worlds. It combines the stealth of residential proxies with the efficiency of datacenter proxies, as IPs rotate, reducing the risk of detection and banning.

Choosing the Right Option

Choosing between residential and datacenter proxies is no light matter and it prompts introspection into the nature of your online activities. Assess your needs, from the level of scrutiny you can withstand to the speed you require. Are you someone who needs to manoeuvre through cyberspace undetected for data scraping, or do you need the power of numbers for simpler automated tasks?

Regardless of your choice, ensure that you select a reliable proxy provider that can give you the assurance of quality and the support you need. Explore the options, ask questions, and even test out the services to find the perfect match. Your digital adventures hinge on this critical choice between residential and datacenter proxies.

In the end, no matter which mask you don, remember that your online quests deserve the most fitting digital façade. Whether it’s the robust authenticity of a residential proxy or the swift anonymity of a datacenter proxy, choose a sidekick that complements your online strategy and propels you towards your goals.

In this ever-evolving affair of digital disguises and internet sleuthing, the right proxy could mean the difference between success and setback. So choose wisely, and let this subtle but crucial cog in your internet mechanism set the stage for a safer, smarter, and more efficient online presence.

About Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Manager at the Silicon Valley based company Securiti.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Pierluigi Paganini

(SecurityAffairs – hacking, Public Wi-Fi)

Global Malicious Activity Targeting Elections is Skyrocketing

13 February 2024 at 09:38

Resecurity has identified a growing trend of malicious cyber-activity targeting sovereign elections globally

With more voters than ever in history heading to the polls in 2024, Resecurity has identified a growing trend of malicious cyber-activity targeting sovereign elections globally. In an era of unprecedented geopolitical volatility, this trend is particularly concerning, as Time Magazine notes that 64 countries (plus the European Union) are set to hold national elections this year. According to Time Magazine, “2024 is not just an election year. It’s perhaps the election year.”

Collectively, some two billion eligible voters represented in these races constitute roughly 49% of the global population. For many of these voters, the results of these elections “will prove consequential for years to come,” according to Time Magazine. By far, the most significant contest this year is the U.S. presidential election, the outcome of which could radically alter the destinies of geopolitical relations and military conflicts globally.

Besides the continued targeting of the U.S. and its allies, activity observed by Resecurity between 2023 and early 2024 indicates a 100 percent increase from the previous analysis period. This assessment is based on multiple incidents that Resecurity observed and reported to relevant authorities globally in the following jurisdictions: Africa, the European Union, the United Kingdom, Ecuador, Bangladesh, Indonesia, Israel, Iraq, Turkey, and Mexico.

These types of incidents generally act as precursors for more significant malicious activity that can be further amplified by foreign interference campaigns. Besides cyberespionage, threat actors aim to sow uncertainty about the integrity of elections via operations that aim to disrupt and manipulate public opinion globally. Unfortunately, these incidents remain complicated from an investigation perspective and are often imperceptible to the public.

With the 2024 General Election rapidly approaching in the U.S., the intelligence collected about the incidents discussed in this report serves as a stark reminder that threat actors are actively trying to acquire and exploit voter data. While some of the threat actors behind these leak operations are purely motivated by profit or by opportunistic, ideology-driven hacktivism, other cogs in this cybercriminal supply chain may be looking to weaponize voter data to craft targeted propaganda campaigns and subvert democracies worldwide.

Similar to the phenomenon of account compromise due to password reuse across multiple platforms, leaked voter data remains exploitable years after the initial leak.

Elections

This is one of the most crucial issues that governments should address. In the backdrop of rapidly increasing cyber-threats, ensuring comprehensive identity protection for voters has become foundational to preserving the integrity of the democratic process. Cyberespionage groups, operating under the direction of nation-state actors, are targeting voter PII, plotting to use it as a long-term weapon for electoral interference. This data reveals crucial demographic insights and context about target populations during both pre-election and post-election stages.

A detailed technical analysis of the activities targeting elections is available here:

https://www.resecurity.com/blog/article/global-malicious-activity-targeting-elections-is-skyrocketing

Pierluigi Paganini

(SecurityAffairs – Hacking, elections)

Ransomfeed – Third Quarter Report 2023 is out!

13 February 2024 at 11:47

Maintainers behind the Ransomfeed platform have released Q3 Report 2023 including activities of 185 criminal groups operating worldwide.

A comprehensive report delving into the intricate landscape of ransomware threats during the last four months of 2023 is out, with a meticulous focus on the monitoring activities conducted by the OSINT Ransomfeed platform (www.ransomfeed.it). Throughout this period, the platform diligently tracked 185 criminal groups operating worldwide, meticulously tracing 342 servers employed for ransomware activities. The data collected unearthed a total of 1771 ransomware claims, with 55 recorded incidents in Italy. This report meticulously scrutinizes the geographical localization of these attacks, as well as the industries predominantly targeted.

As customary, the ensuing data, as reiterated, were procured via the primary activity of the Ransomfeed platform, involving periodic scraping from various renowned dark websites. For this report, the focus is directed toward the outcomes gathered concerning the third quarter of the past year, commencing with a global overview encompassing all monitored ransomware groups and culminating with a specific emphasis on Italy.

During this period of 2023, the platform monitored 185 cybercriminal groups operating with ransomware technologies across over 342 servers and mirrors, tallying 1771 ransomware claims identified globally.

ransomware Ransomfeed Q3 2023

The months of May, June, July, and August each presented unique challenges in the realm of cybersecurity. Remarkably, December emerged as the most prolific month of the four months with 484 attacks, closely trailed by November with 482, September with 458, and October with 347. Notably, the year’s end witnessed an escalation in criminal claims, almost akin to concluding a productive year. Let us now delve into the detailed breakdown of the days.

This report offers an exhaustive account of ransomware threats in the third quarter of 2023, spotlighting activities monitored by the OSINT Ransomfeed platform.

In conclusion, the report underscores the paramount importance of international collaboration and the adoption of advanced defense strategies to effectively counter the burgeoning phenomenon of ransomware threats and safeguard the integrity of data and information systems.

Ransomfeed trusts this report (the result of non-profit activity) will serve as a vital resource for cybersecurity professionals, researchers, and stakeholders alike, providing valuable insights into the evolving ransomware landscape and paving the way for robust defense mechanisms against such malicious activities.

The complete report is available here:

https://ransomfeed.it/data/reports/2023/DRM-Report-Q3-2023-%5BENG%5D.pdf

Pierluigi Paganini

(SecurityAffairs – Hacking, ransomware)

Bank of America customer data compromised after a third-party services provider data breach

13 February 2024 at 18:47

Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider.

Bank of America began notifying some customers following a data breach at the third-party services provider Infosys McCamish System (IMS). The bank has sent notification letters to 57,000 customers, informing them that their personal information has been compromised.

Infosys disclosed the security breach on November 3, 2023; in a filing with the SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.

The effects of the cyberattack described by the victim suggest it was targeted by a ransomware attack. On November 4, the LockBit ransomware gang claimed responsibility for the attack.

The company restored the impacted systems by December 31; it also estimated that the losses caused by the incident will be at least $30 million.

“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e-discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurrence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”

On February 1, Bank of America started notifying 57,028 customers impacted by the data breach.

In its notice to the Maine Attorney General’s Office, Bank of America noted that it cannot determine “with certainty what personal information was accessed” during the attack.

“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.” reads the letter sent to the impacted customers. “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

According to the financial institution, exposed data may include first and last name, address, business email address, date of birth, Social Security number, and other account information.

Bank of America states that it is not aware of any misuse involving the compromised information; however, the bank will provide a complimentary two-year membership in an identity theft protection service provided by Experian IdentityWorks.

Pierluigi Paganini

(SecurityAffairs – Hacking, Bank of America) 

A ransomware attack took 100 Romanian hospitals down

13 February 2024 at 21:59

Authorities in Romania reported that at least 100 hospitals went offline after a ransomware attack hit the Hipocrate platform.

Authorities in Romania confirmed that a ransomware attack that targeted the Hipocrate Information System (HIS) has disrupted operations for at least 100 hospitals.

Hipocrate Information System (HIS) is a software suite designed to manage the medical and administrative activities of hospitals and other healthcare institutions.

The attack took place on February 11 and encrypted data in the production servers.

“During the night of February 11 to 12, 2024, a massive cyber ransomware attack took place on the production servers on which the HIS IT system runs. As a result of the attack, the system is down, files and databases are encrypted.” reported the Romanian Ministry of Health.

The initial number of impacted hospitals was 21, but later the authorities confirmed that the number had increased to 25. Another 79 hospitals took their systems down as a precautionary measure.

The Romanian Ministry of Health added that cybersecurity specialists, including experts from the National Cyber Security Directorate (DNSC), are monitoring the situation. The Romanian government also announced extraordinary preventive measures to prevent other hospitals from being impacted by the incident.

DNSC reported that the ransomware operators employed a variant of the Phobos ransomware family known as Backmydata ransomware. The threat actors demand the payment of 3.5 BTC (about 157,000 euro).

“Hospitals using the HIPOCRATE platform, regardless of whether they were affected or not, have since yesterday received a series of recommendations from the DNSC to properly manage the situation.” reported DNSC.

  • Identify affected systems and immediately isolate them from the rest of the network as well as from the Internet
  • Keep a copy of the ransom message and any other communications from the attackers. This information is useful to the authorities or for further analysis of the attack
  • Do not shut down the affected equipment. Stopping it will remove the evidence stored in the volatile memory (RAM)
  • Collect and keep all relevant log information, from the affected equipment, but also from network equipment, firewall
  • Examine the system logs to identify the mechanism by which IT infrastructure has been compromised
  • Immediately inform all employees and notify affected customers and business partners of the incident and its extent
  • Restore affected systems based on data backups after a full system cleanup has been performed. It is absolutely necessary to ensure that backups are intact, up-to-date and secure against attack
  • Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched
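The first four DNSC recommendations above (isolate, keep the ransom note, do not power off, collect logs) are an evidence-preservation procedure, and the one thing that makes the collected material usable later is a hash manifest written at collection time. The following added example (my code, not DNSC's or the hospitals' tooling) captures volatile state first, copies notes and logs with their timestamps intact, writes a SHA-256 manifest and can re-verify it; the directory layout and function names are mine, and the ransom note and log line in the demo are constructed.

```python
"""Evidence preservation helper following the DNSC recommendations above:
capture volatile state first, copy notes and logs with their timestamps,
and write a hash manifest so the copies can be proven unaltered.

Added example, not DNSC's or the hospitals' tooling.  Layout and function
names are mine; the sample ransom note and log line are constructed.
"""
import datetime
import hashlib
import os
import platform
import shutil
import subprocess
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_volatile(volatile_dir: str) -> None:
    """Record what a reboot would destroy: time, host, running processes."""
    os.makedirs(volatile_dir, exist_ok=True)
    with open(os.path.join(volatile_dir, "collected_at.txt"), "w") as f:
        f.write(datetime.datetime.now(datetime.timezone.utc).isoformat() + "\n")
    with open(os.path.join(volatile_dir, "host.txt"), "w") as f:
        f.write(f"{platform.node()} {platform.platform()}\n")
    try:  # `ps` is optional: on a minimal host the other items are still kept
        listing = subprocess.run(["ps", "-ef"], capture_output=True, text=True, timeout=15).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        listing = f"process listing unavailable: {exc}\n"
    with open(os.path.join(volatile_dir, "processes.txt"), "w") as f:
        f.write(listing)


def collect_evidence(src_dir: str, out_dir: str) -> dict:
    """Preserve src_dir (ransom notes, logs) under out_dir and hash everything."""
    files_dir = os.path.join(out_dir, "files")
    capture_volatile(os.path.join(out_dir, "volatile"))   # volatile data first
    for root, _, names in os.walk(src_dir):
        rel_root = os.path.relpath(root, src_dir)
        os.makedirs(os.path.join(files_dir, rel_root), exist_ok=True)
        for name in names:                                 # copy2 keeps mtimes
            shutil.copy2(os.path.join(root, name), os.path.join(files_dir, rel_root, name))
    entries = []
    for root, _, names in os.walk(out_dir):                # manifest not yet written
        for name in names:
            path = os.path.join(root, name)
            entries.append((sha256_file(path), os.path.relpath(path, out_dir)))
    manifest = os.path.join(out_dir, "MANIFEST.sha256")
    with open(manifest, "w") as f:
        for digest, rel in sorted(entries, key=lambda e: e[1]):
            f.write(f"{digest}  {rel}\n")
    return {"manifest": manifest, "count": len(entries)}


def verify_evidence(out_dir: str) -> list:
    """Return the relative paths whose current hash differs from the manifest."""
    bad = []
    with open(os.path.join(out_dir, "MANIFEST.sha256")) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(out_dir, rel)
            if not os.path.exists(path) or sha256_file(path) != digest:
                bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed run: preserve a note and a log, verify, then detect tampering."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    src = os.path.join(work, "affected-host")
    os.makedirs(os.path.join(src, "logs"))
    with open(os.path.join(src, "HOW_TO_RESTORE.txt"), "w") as f:
        f.write("constructed ransom note\n")
    with open(os.path.join(src, "logs", "auth.log"), "w") as f:
        f.write("Feb 11 23:14:02 his-db sshd[412]: constructed log line\n")
    out = os.path.join(work, "evidence")
    result = collect_evidence(src, out)
    clean = verify_evidence(out)
    with open(os.path.join(out, "files", "HOW_TO_RESTORE.txt"), "a") as f:
        f.write("edited after collection\n")             # simulate tampering
    tampered = verify_evidence(out)
    shutil.rmtree(work)
    return {"count": result["count"], "clean": clean, "tampered": tampered}
```

In a real collection the output directory belongs on removable or network storage that the affected host cannot overwrite, and the manifest's own hash is recorded separately (a printed sheet or a second system) so that a later verification has a trusted reference.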

At this time, it is still unclear if the threat actors have stolen sensitive data from the impacted organizations.

Pierluigi Paganini

(SecurityAffairs – ransomware, Romanian hospitals) 

Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days

14 February 2024 at 08:38

Microsoft Patch Tuesday security updates for February 2024 addressed 72 flaws, two of which are actively exploited in the wild.

Microsoft Patch Tuesday security updates for February 2024 resolved a total of 72 vulnerabilities, including two actively exploited zero-days.

The vulnerabilities affect Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics.

Five vulnerabilities are rated Critical, 65 are rated Important, and two are rated Moderate in severity.

The two flaws actively exploited are:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victim into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.
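Since CVE-2024-21412 concerns Internet Shortcut (.url) files, one triage step a mail gateway or EDR team can add is to parse such attachments and flag any whose target is not an ordinary web link. The following added example (my code, not Microsoft's detection guidance) does that with the standard-library configparser; both sample files are constructed, and the rule that a non-http(s) target or a remote IconFile merits analyst review is my assumption rather than a statement from the advisory.

```python
"""Triage Internet Shortcut (.url) files, the file type named by CVE-2024-21412.

Added example; not Microsoft's detection logic.  The classification rule
(anything other than an http/https target, or a remote IconFile, is flagged)
is an assumption, and both sample files are constructed.
"""
import configparser
from urllib.parse import urlparse

WEB_SCHEMES = {"http", "https"}


def _is_share_path(value: str) -> bool:
    """UNC (\\\\host\\share) or forward-slash variants point off the host."""
    return value.startswith("\\\\") or value.startswith("//")


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str          # keep URL / IconFile capitalisation
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        raise ValueError("no [InternetShortcut] section: not a .url file")
    return dict(cp["InternetShortcut"])


def triage_internet_shortcut(text: str) -> dict:
    """Classify one .url body; 'findings' lists every reason it was flagged."""
    fields = parse_internet_shortcut(text)
    findings = []
    target = fields.get("URL", "").strip()
    if not target:
        findings.append("URL= missing")
    elif _is_share_path(target):
        findings.append("URL= points at a network share path")
    else:
        scheme = urlparse(target).scheme.lower()
        if scheme not in WEB_SCHEMES:
            findings.append(f"URL= uses non-web scheme {scheme or '(none)'!r}")
    icon = fields.get("IconFile", "").strip()
    if icon and (_is_share_path(icon) or urlparse(icon).scheme.lower() in WEB_SCHEMES):
        findings.append("IconFile= resolves to a remote location")
    return {"target": target, "findings": findings, "suspicious": bool(findings)}


# Constructed samples ------------------------------------------------------
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.5/share/invoice.pdf
IconFile=\\\\203.0.113.5\\share\\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(label, triage_internet_shortcut(body))
```

A flagged file is a prompt for review, not a verdict: legitimate intranet shortcuts do use share paths, so the rule is best tuned with an allow-list of known internal hosts before it gates delivery.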

Below is the list of the critical flaws fixed by Microsoft Patch Tuesday security updates for February 2024.

Patch Tuesday February 2024

As usual the ZDI has published the full list of CVEs released by Microsoft for February 2024 here:

https://www.zerodayinitiative.com/blog/2024/2/13/the-february-2024-security-update-review

Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader

14 February 2024 at 09:25

Adobe Patch Tuesday security updates for February 2024 addressed more than 30 vulnerabilities in multiple products, including critical issues.

Adobe’s Patch Tuesday security updates for February 2024 addressed over 30 vulnerabilities across various products, including critical issues.

The software maker warned of critical flaws in popular products such as Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker.

The company fixed 13 vulnerabilities in the Adobe Acrobat and Reader software, including arbitrary code execution, application denial of service and memory leak vulnerabilities.

“Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses critical and important vulnerabilities.” reads the advisory. “Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak.”

Below is the list of vulnerabilities addressed by the software vendor:

| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
|---|---|---|---|---|---|
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20726 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20727 |
| Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20728 |
| Use After Free (CWE-416) | Arbitrary code execution | Important | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20729 |
| Integer Overflow or Wraparound (CWE-190) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20730 |
| Use After Free (CWE-416) | Arbitrary code execution | Critical | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20731 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2024-20733 |
| Use After Free (CWE-416) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20734 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20735 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20736 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20747 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20748 |
| Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20749 |

Below is the list of vulnerabilities addressed by the software firm that impact Adobe Commerce and Magento Open Source products:

| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) |
|---|---|---|---|---|---|---|---|
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20719 |
| Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20720 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | Yes | Yes | 5.7 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H | CVE-2024-20716 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20717 |
| Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-20718 |

According to the advisory, the above vulnerabilities can be exploited only by an authenticated attacker.

“Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.” states the advisory.

The good news is that the software vendor is not aware of attacks in the wild exploiting these vulnerabilities.

Microsoft Patch Tuesday security updates for February 2024 resolved a total of 72 vulnerabilities, including two actively exploited zero-days.

The vulnerabilities affect Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics.

Five vulnerabilities are rated Critical, 65 are rated Important, and two are rated Moderate in severity.

Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Zoom fixed critical flaw CVE-2024-24691 in Windows software

14 February 2024 at 15:33

Zoom addressed seven vulnerabilities in its desktop and mobile applications, including a critical flaw (CVE-2024-24691) affecting the Windows software.

The popular video messaging giant Zoom released security updates to address seven vulnerabilities in its desktop and mobile applications, including a critical issue, tracked as CVE-2024-24691 (CVSS score of 9.6), in its Windows software.

The vulnerability CVE-2024-24691 is an improper input validation bug that could be exploited by an attacker with network access to escalate privileges.

“Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.” reads the advisory.

The vulnerability impacts the following products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5

The company also addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2024-24697, impacting Windows software.

“Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.” reads the advisory.

The issue impacts the following products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0
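
The two product lists above use the "before X (excluding a, b)" pattern, where the excluded versions are older releases that received a backported fix, and a naive "version < X" check would wrongly flag them. The following vulnerability-management helper is an added example written for this page, not Zoom tooling; the affected ranges are transcribed from the lists above, and the inventory rows in the main block are constructed.

```python
from typing import Dict, List, Tuple

# Affected ranges transcribed from the two product lists above.
# "before X (excluding a, b)" reads: every version older than X is affected,
# except the excluded ones, which carry a backported fix.
AFFECTED: Dict[str, Dict[str, Tuple[str, Tuple[str, ...]]]] = {
    "CVE-2024-24691": {
        "Zoom Desktop Client for Windows": ("5.16.5", ()),
        "Zoom VDI Client for Windows": ("5.16.10", ("5.14.14", "5.15.12")),
        "Zoom Rooms Client for Windows": ("5.17.0", ()),
        "Zoom Meeting SDK for Windows": ("5.16.5", ()),
    },
    "CVE-2024-24697": {
        "Zoom Desktop Client for Windows": ("5.17.0", ()),
        "Zoom VDI Client for Windows": ("5.17.5", ("5.15.15", "5.16.12")),
        "Zoom Meeting SDK for Windows": ("5.17.0", ()),
        "Zoom Rooms Client for Windows": ("5.17.0", ()),
    },
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.16.10.12345' -> (5, 16, 10, 12345). Tuples compare component-wise,
    so 5.16.10 sorts after 5.16.9, which a plain string compare gets wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(cve: str, product: str, installed: str) -> bool:
    fixed, exclusions = AFFECTED[cve][product]
    v = parse_version(installed)
    for excluded in exclusions:
        e = parse_version(excluded)
        # Installed builds carry a fourth component; match on the advisory's three.
        if v[:len(e)] == e:
            return False
    return v < parse_version(fixed)


def open_cves(product: str, installed: str) -> List[str]:
    """Every CVE from the advisories that is still open for this product/version."""
    return sorted(cve for cve, products in AFFECTED.items()
                  if product in products and is_affected(cve, product, installed))


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    inventory = [
        ("host-a", "Zoom Desktop Client for Windows", "5.16.5.23407"),
        ("host-b", "Zoom VDI Client for Windows", "5.15.12.24310"),
        ("host-c", "Zoom VDI Client for Windows", "5.15.11.1000"),
    ]
    for host, product, ver in inventory:
        print(host, product, ver, "->", open_cves(product, ver) or "patched")
```

The example also shows why the two advisories should be evaluated together: a Desktop Client at 5.16.5 is fixed for CVE-2024-24691 but still exposed to CVE-2024-24697, whose fixed version is 5.17.0.
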

Below is the complete list of the addressed issues:

| ZSB | Title | Severity | CVE | Date Published | Date Updated |
|---|---|---|---|---|---|
| ZSB-24008 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Critical | CVE-2024-24691 | 02/13/2024 | 02/13/2024 |
| ZSB-24007 | Zoom Clients – Improper Input Validation | Medium | CVE-2024-24690 | 02/13/2024 | 02/13/2024 |
| ZSB-24006 | Zoom Clients – Business Logic Error | Medium | CVE-2024-24699 | 02/13/2024 | 02/13/2024 |
| ZSB-24005 | Zoom Clients – Improper Authentication | Medium | CVE-2024-24698 | 02/13/2024 | 02/13/2024 |
| ZSB-24004 | Zoom Clients – Untrusted Search Path | High | CVE-2024-24697 | 02/13/2024 | 02/13/2024 |
| ZSB-24003 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24696 | 02/13/2024 | 02/13/2024 |
| ZSB-24002 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24695 | 02/13/2024 | 02/13/2024 |

It is unclear whether any of the above vulnerabilities have been exploited in the wild.

Zoom recommends that users update their applications to the latest available releases as soon as possible.

In November 2023, the company fixed a critical vulnerability in Zoom Rooms that allowed threat actors to take over meetings and steal sensitive data.

Pierluigi Paganini

(SecurityAffairs – hacking, Zoom)

Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages

14 February 2024 at 21:48

Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems.

Cybersecurity researchers at cloud security firm Aqua discovered that the popular ‘command-not-found’ utility can be abused to steer users toward malicious packages.

“Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository.” reads the report published by Aqua. “While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.”

Ubuntu’s default installation includes the command-not-found package, which suggests a package to install when a user runs a command in Bash or Zsh that is not present on the system. It relies on the command_not_found_handle function, which Bash invokes when it encounters an unrecognized command.

The package provides recommendations for both APT and snap packages. For example, if a user tries to execute “ifconfig” and it’s not installed, the package will suggest installing “net-tools” through apt.

The utility uses a local database located at /var/lib/command-not-found/commands.db to link commands to their corresponding APT packages.

If the maintainers of an APT package have not registered the matching Snap name, an attacker can claim that name in the snap store and upload a dummy “rogue” package under it.

“The maintainers of the jupyter-notebook APT package had not claimed the corresponding snap name. This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named jupyter-notebook.” reads the analysis published by Aqua. “We can observe that the command-not-found utility suggests the snap package first, even before the original APT package. This behavior could potentially mislead users into installing the snap package.”

command-not-found package attack

Moreover, the researchers discovered that up to 26% of commands linked to APT (Advanced Package Tool) packages may be exposed to impersonation. This vulnerability could expose users to supply chain attacks impacting both Linux users and Windows systems running WSL.

The researchers also warn of typosquatting: when a user mistypes a command (e.g., ifconfigg instead of ifconfig), the utility may suggest a malicious snap package that an attacker registered under the misspelled name.

“For instance, consider what could occur if a user accidentally types ifconfigg instead of ifconfig” continues the analysis. “the command-not-found package helpfully corrects the user, suggesting the net-tools package for the mistyped ifconfig command. However, the situation becomes more problematic when an attacker capitalizes on these common mistakes by registering a snap with the typo, such as ifconfigg.”
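
Both failure modes described above (a snap that shares its name with a command an APT package provides, and a snap registered under a one-keystroke typo of such a command) can be audited from a list of the commands an organisation actually relies on. The script below is an added example written for this page, not Aqua's tooling; the command-to-package mapping, the snap-name snapshot and the "claimed by maintainer" set are all constructed stand-ins (the real mapping lives in the SQLite database at /var/lib/command-not-found/commands.db, and publisher information would come from the snap store), and the edit-distance threshold of 1 is an assumption that catches single-character typos.

```python
from typing import Dict, Iterable, List, Set, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings; a
    one-keystroke typo such as 'ifconfigg' for 'ifconfig' has distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def audit_snap_names(apt_commands: Dict[str, str],
                     snap_names: Iterable[str],
                     maintainer_claimed: Set[str],
                     max_distance: int = 1) -> List[Tuple[str, str, str]]:
    """Flag snaps that command-not-found could suggest in place of (or for a
    typo of) a command that APT provides. Returns (snap, command, reason)."""
    findings = []
    for snap in sorted(set(snap_names)):
        if snap in apt_commands:
            # Same name as an APT-provided command: the utility lists the snap
            # before the APT package, so who published it is what matters.
            if snap not in maintainer_claimed:
                findings.append((snap, snap, "name collision with unclaimed snap"))
            continue
        for command in sorted(apt_commands):
            if levenshtein(snap, command) <= max_distance:
                findings.append((snap, command, "typosquat candidate"))
    return findings


# Constructed sample data (stand-ins for rows of commands.db and for a
# snapshot of snap-store names; none of it is taken from Aqua's report).
APT_COMMANDS = {
    "ifconfig": "net-tools",
    "jupyter-notebook": "jupyter-notebook",
    "htop": "htop",
    "curl": "curl",
}
SNAP_NAMES = {"ifconfigg", "jupyter-notebook", "htop", "curl", "cur1"}
# Snaps known to be published by the same maintainer as the APT package (constructed).
MAINTAINER_CLAIMED = {"htop"}


if __name__ == "__main__":
    for snap, command, reason in audit_snap_names(APT_COMMANDS, SNAP_NAMES, MAINTAINER_CLAIMED):
        print(f"{snap:18} -> {command:18} {reason}")
```

On the constructed data the audit reports "cur1" and "ifconfigg" as typosquat candidates and "curl" and "jupyter-notebook" as collisions, while "htop" is silent because its snap is attributed to the package maintainer; the same logic run over a real command inventory tells a defender which commands would benefit from the maintainers claiming the snap name.
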

The potential for attackers to exploit the command-not-found utility by suggesting their rogue Snap packages is worrisome.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua concludes.

Pierluigi Paganini

(SecurityAffairs – hacking, Ubuntu)

Nation-state actors are using AI services and LLMs for cyberattacks

15 February 2024 at 06:54

Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks.

Multiple nation-state actors are exploiting artificial intelligence (AI) and large language models (LLMs), including OpenAI ChatGPT, to automate their attacks and increase their sophistication.

According to a study conducted by Microsoft in collaboration with OpenAI, the two companies identified and disrupted operations conducted by five nation-state actors that abused their AI services to carry out their attacks.

The researchers observed the following five APT groups using artificial intelligence (AI) and large language models (LLMs) in various phases of their attack chain:

  • Charcoal Typhoon
  • Salmon Typhoon
  • Crimson Sandstorm
  • Emerald Sleet
  • Forest Blizzard

“Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.” reads the report published by Microsoft. “Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.”

The researchers pointed out that, at this time, the attackers have yet to use LLMs to devise novel attacks. The malicious uses of LLMs observed by the researchers include:

  • LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
  • LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
  • LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
  • LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
  • LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
  • LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
  • LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
  • LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
  • LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

The Microsoft report details the use of LLMs by each APT group. For instance, the Iranian nation-state actor Crimson Sandstorm (CURIUM) used the AI services to generate phishing emails and code snippets, and to get assistance in developing code that evades detection.

OpenAI reported that the above APT groups used its services for the following tasks:

  • Charcoal Typhoon used our services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns.
  • Salmon Typhoon used our services to translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, assist with coding, and research common ways processes could be hidden on a system.
  • Crimson Sandstorm used our services for scripting support related to app and web development, generating content likely for spear-phishing campaigns, and researching common ways malware could evade detection.
  • Emerald Sleet used our services to identify experts and organizations focused on defense issues in the Asia-Pacific region, understand publicly available vulnerabilities, help with basic scripting tasks, and draft content that could be used in phishing campaigns.
  • Forest Blizzard used our services primarily for open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.

Microsoft announced the principles shaping its policy and actions to mitigate the risks associated with the abuse of its AI services by nation-state actors, advanced persistent manipulators (APMs), and cybercriminal syndicates.

The principles include Identification and action against malicious threat actors’ use, Notification to other AI service providers, Collaboration with other stakeholders, and Transparency.

Pierluigi Paganini

(SecurityAffairs – AI services, OpenAI ChatGPT)

CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

15 February 2024 at 10:04

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week, Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the two above, which are actively exploited in the wild.

Below are the details of the two vulnerabilities:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

A new vulnerability discovered by @thezdi was used in a zero-day attack chain by the APT group Water Hydra.

Watch Trend Micro Sr. Threat Researcher @gothburz share his expert insights on CVE-2024-21412. pic.twitter.com/AZasBtG2Ot

— Trend Micro Research (@TrendMicroRSRCH) February 13, 2024

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love. The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.https://t.co/SLpw0L7mtY pic.twitter.com/x3lskKmBRi

— Will Dormann (@wdormann) February 13, 2024
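
Dormann's observation above gives defenders a concrete pattern to look for in inbound archives: an Internet Shortcut (.url) file whose target is itself another .url file. The scanner below is an added example written for this page, not Microsoft's or Trend Micro's code; it parses .url entries in a ZIP (they are INI files with an [InternetShortcut] section and a URL= key), flags nested shortcuts, and notes whether the target is remote. The sample archive is constructed in the block; the example.invalid host and file names are placeholders.

```python
import configparser
import io
import zipfile
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def shortcut_target(data: bytes) -> Optional[str]:
    """Return the URL= value of a Windows Internet Shortcut (.url). The format
    is an INI file whose [InternetShortcut] section holds the target."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names as written; compared case-insensitively below
    try:
        parser.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            for key, value in parser.items(section):
                if key.lower() == "url":
                    return value.strip()
    return None


def points_to_shortcut(target: str) -> bool:
    """True when the shortcut's target is itself a .url file (a nested shortcut)."""
    path = urlparse(target).path or target
    return path.lower().rstrip("/").endswith(".url")


def is_remote(target: str) -> bool:
    """True for targets that live off-host: http(s)/ftp, file:// with a host, or a UNC path."""
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file" and parsed.netloc:
        return True
    return target.startswith("\\\\") or target.startswith("//")


def find_nested_shortcuts(zip_bytes: bytes) -> List[Tuple[str, str, bool]]:
    """Scan an archive for .url entries whose target is another .url file.
    Returns (entry name, target, remote?) triples for a triage rule or a reviewer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".url"):
                continue
            target = shortcut_target(archive.read(info))
            if target and points_to_shortcut(target):
                findings.append((info.filename, target, is_remote(target)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real sample): one ordinary shortcut,
    one nested shortcut pointing at a remote .url, one unrelated file."""
    plain = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
    nested = "[InternetShortcut]\r\nURL=https://example.invalid/share/second.url\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.url", plain)
        archive.writestr("invoice.url", nested)
        archive.writestr("notes.txt", "nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, remote in find_nested_shortcuts(build_sample_zip()):
        print(f"{name}: nested shortcut -> {target} (remote={remote})")
```

A nested shortcut has almost no legitimate use, so flagging it at a mail gateway or in an attachment sandbox is a low-noise detection; the remote flag separates the case Dormann describes (a remote target reached from inside a ZIP) from a purely local oddity.
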

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA ordered federal agencies to fix these vulnerabilities by March 5, 2024.

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)
