PowerPoint, ArcaneDoor, the Z80 and Kaiser Permanente

Notable security news from the week of April 21st with a small side of nostalgia for the Z80 CPU; we'll dive into the exploitation of an old PowerPoint CVE from 2017, ArcaneDoor and the targeting of Cisco perimeter devices, and an enormous breach of Kaiser Permanente user information!

Apple Passwords, Microsoft Recall, and DJI - May 10th - 16th - This Week In Security

This time we touch on Apple's new password manager, Microsoft's attempt to AI everything in Windows and ongoing attempts to ban DJI drones from use in the United States. Included at the end is a roundup of other news from last week.

InSpectre, Rust/PANOS CVEs, X URL blunder and More - April 8-14, 2024 - F5 SIRT - This Week in Security
Editor's Introduction

Hello, Arvin is your editor for This Week in Security. As usual, I collected some interesting security news. Credit to the original articles.

Intel processors are affected by a Native Branch History Injection (Native BHI) attack, and the researchers released InSpectre Gadget, a tool that can find gadgets (code snippets that can serve as a jumping point to bypass software and hardware protections) in an OS kernel on vulnerable hardware. Spectre-style attacks that abuse speculative execution on processors have been around for a while now. Intel updated its previously published "Branch History Injection and Intra-mode Branch Target Injection" guidance and included an "Additional Hardening Options" section. The silver lining is that the CVEs' CVSS scores are Medium severity. See the snippets below from the research paper by the researchers from VU Amsterdam that illustrate the use of the InSpectre Gadget tool.

Rust has a critical CVE, CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API, specifically std::process::Command. It is specific to Windows because cmd.exe has complex argument-parsing rules that differ from the splitting the Command::arg and Command::args APIs rely on to pass untrusted inputs safely to spawned processes.

Next is a critical PAN-OS CVE, which affects devices with firewall configurations with a GlobalProtect gateway and device telemetry enabled. CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1; updates to fully fix this CVE were made available from April 14. Refer to https://security.paloaltonetworks.com/CVE-2024-3400

Change Healthcare's worries about the effects of a previous breach by the ALPHV ransomware group appear not to be over. Per the report, the victim organization was potentially "exit" scammed by ALPHV and is now being pursued by the contractor/affiliate of the ransomware attack, RansomHub, which is demanding another round of ransom, else they sell the exfiltrated data to the highest bidder.

X/Twitter had a URL blunder where anything containing the string "twitter" in tweets on the site was converted to the letter X; for example, netflitwitter[.]com would be converted to netflix[.]com. This behavior was reversed and is back to usual, but twitter[.]com URLs now properly convert to X[.]com.

Lastly, a round-up of issues from Microsoft, Fortinet, SAP, Cisco, Adobe and Google/Android. As in previous TWIS editions, some of these news items are a recurrence or follow-up.

In general, keep your systems up to date on software versions, secure access to them and allow only trusted users and applications to run. Implement layers of protection: updated AV/EDR/XDR on server and end-user systems; firewall/network segmentation rules and IPS to prevent further spread and lateral movement in the event of a ransomware attack (BIG-IP AFM has network firewall and IPS features you can consider); and a WAF to protect your web applications and APIs (BIG-IP ASM/Advanced WAF, F5 Distributed Cloud Services and NGINX App Protect have security policy configuration and attack signatures that can mitigate known command injection techniques and other web exploitation techniques). End-user security training and awareness, together with incident response and reporting, will help an organization should that first phishing email reach a target end-user mailbox. If it feels "off" and looks suspicious, stop and ponder before clicking.

I hope this edition of TWIS is educational. You can also read past TWIS editions and other content from the F5 SIRT, so check those out as well. Till next time!
Rust rustles up fix for 10/10 critical command injection bug on Windows in std lib

Programmers are being urged to update their Rust versions after the security experts working on the language addressed a critical vulnerability that could lead to malicious command injections on Windows machines.

The vulnerability, which carries a perfect 10-out-of-10 CVSS severity score, is tracked as CVE-2024-24576. It affects the Rust standard library, which was found to be improperly escaping arguments when invoking batch files on Windows using the library's Command API – specifically, std::process::Command.

"An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping," said Pietro Albini of the Rust Security Response Working Group, who wrote the advisory.

The main issue seems to stem from Windows' CMD.exe program, which has more complex parsing rules, and Windows can't execute batch files without it, according to the researcher at Tokyo-based Flatt Security who reported the issue.

Albini said Windows' Command Prompt has its own argument-splitting logic that works differently from the usual Command::arg and Command::args APIs provided by the standard library, which typically allow untrusted inputs to be safely passed to spawned processes.

"On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them," said Albini. "Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are split.

"Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution."
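As an added example (not code from the Rust project or from the advisory), here is an application-level guard for the situation the article describes: arguments bound for a .bat or .cmd script are re-parsed by cmd.exe, so the guard refuses any argument containing a character cmd.exe would act on, and applies that strict check only when the target really is a batch file. The names is_batch_file, check_batch_arg and build_command are hypothetical; updating the toolchain remains the fix for CVE-2024-24576 itself.

```rust
// Added example, not part of the Rust standard library or its fix.
// Names (is_batch_file, check_batch_arg, build_command) are hypothetical.
use std::path::Path;
use std::process::Command;

#[derive(Debug, PartialEq)]
pub enum BatchArgError {
    /// Newlines, carriage returns and other control characters: cmd.exe
    /// treats a line break as the end of the command being parsed.
    ControlChar(char),
    /// Characters cmd.exe interprets itself (command separators, redirection,
    /// its '^' escape, and '%'/'!' variable expansion) plus the double quote.
    Metachar(char),
}

/// True when `program` would be run through cmd.exe rather than directly by
/// CreateProcess, i.e. when it is a .bat or .cmd script.
pub fn is_batch_file(program: &str) -> bool {
    Path::new(program)
        .extension()
        .and_then(|e| e.to_str())
        .map(|e| e.eq_ignore_ascii_case("bat") || e.eq_ignore_ascii_case("cmd"))
        .unwrap_or(false)
}

const CMD_METACHARS: &str = "&|<>^%!\"";

/// Allow-list style check: instead of trying to reproduce cmd.exe's quoting
/// rules, refuse any argument that contains a character cmd.exe would act on.
pub fn check_batch_arg(arg: &str) -> Result<&str, BatchArgError> {
    for c in arg.chars() {
        if c.is_control() {
            return Err(BatchArgError::ControlChar(c));
        }
        if CMD_METACHARS.contains(c) {
            return Err(BatchArgError::Metachar(c));
        }
    }
    Ok(arg)
}

/// Build the Command. Arguments get the strict check only when the target is
/// a batch file; for a normal executable Command::arg's own escaping applies.
pub fn build_command(program: &str, args: &[&str]) -> Result<Command, BatchArgError> {
    let strict = is_batch_file(program);
    let mut cmd = Command::new(program);
    for a in args {
        if strict {
            check_batch_arg(a)?;
        }
        cmd.arg(a);
    }
    Ok(cmd)
}

fn main() {
    // Constructed inputs: a plain file name and one carrying a command separator.
    for arg in ["report.txt", "report.txt & other"] {
        match build_command("backup.bat", &[arg]) {
            Ok(cmd) => println!("would run: {:?}", cmd),
            Err(e) => println!("rejected {:?}: {:?}", arg, e),
        }
    }
}
```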
https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/

It's 2024 and Intel silicon is still haunted by data-spilling Spectre

Intel CPU cores remain vulnerable to Spectre data-leaking attacks, say academics at VU Amsterdam. We're told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors' speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other areas of RAM that should be off limits.

The boffins say they have developed a tool called InSpectre Gadget that can find snippets of code, known as gadgets, within an operating system kernel that on vulnerable hardware can be abused to obtain secret data, even on chips that have Spectre protections baked in. InSpectre Gadget was used, as an example, to find a way to side-step FineIBT, a security feature built into Intel microprocessors intended to limit Spectre-style speculative execution exploitation, and successfully pull off a Native Branch History Injection (Native BHI) attack to steal data from protected kernel memory.

"We show that our tool can not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations," the VU Amsterdam team said this week. "As a demonstration, we present the first native Spectre-v2 exploit against the Linux kernel on last-generation Intel CPUs, based on the recent BHI variant and able to leak arbitrary kernel memory at 3.5 kB/sec."

https://www.theregister.com/2024/04/10/intel_cpus_native_spectre_attacks/

From https://download.vusec.net/papers/inspectre_sec24.pdf:

2.2 Spectre v2

In 2018, the disclosure of Spectre [29] famously demonstrated how speculation can be used to leak data across security domains.
One variant presented in the paper, originally known as Spectre v2 or Branch Target Injection (BTI), shows how speculation of indirect branches can be used to transiently divert the control flow of a program and redirect it to an attacker-chosen location. The attack works by poisoning one of the CPU predictors, the Branch Target Buffer (BTB), which is used to decide where to jump on indirect branch speculation. Initially, mitigations were proposed at the software level and, later, in-silicon mitigations such as Intel eIBRS [5] and ARM CSV2 [12] were added to newer generations of CPUs to isolate predictions across privilege levels.

2.3 Branch History Injection

In 2022, Branch History Injection (BHI) [13] showed that, despite mitigations, cross-privilege Spectre v2 is still possible on latest Intel CPUs by poisoning the Branch History Buffer (BHB). Figure 1 provides a high-level overview of the attack. In summary, by executing a sequence of conditional branches (HA and HV) right before performing a system call, an unprivileged attacker can cause the CPU to transiently jump to a chosen target (TA) when speculating over an indirect call in the kernel (CV). This happens because the CPU picks the speculative target for CV from a shared structure, the BTB, that is indexed using both the address of the instruction and the history of previous conditional branches, which is stored in the Branch History Buffer (BHB). Finding the right combination of histories that will result in a collision can be done with brute-forcing. To ensure the injected target, TA, contains a disclosure gadget, the original BHI attack relied on the presence of the extended Berkeley Packet Filter (eBPF), through which an unprivileged user can craft code that lives in the kernel.

Figure 2: InSpectre gadget workflow. The analyst provides a kernel image and a list of target addresses to InSpectre Gadget (1), which performs in-depth inspection to find gadgets that can leak secrets and output their characteristics.
The gadgets can be filtered (2) based on the available attacker-controlled registers and the mitigations enabled, and used to craft Spectre v2 exploits against the kernel (3).

Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Palo Alto Networks on Friday issued a critical alert for an under-attack vulnerability in the PAN-OS software used in its firewall-slash-VPN products. The command-injection flaw, with an unwelcome top CVSS severity score of 10 out of 10, may let an unauthenticated attacker execute remote code with root privileges on an affected gateway, which to put it mildly is not ideal. It can, essentially, be exploited to take complete control of equipment and drill into victims' networks. Updates to fully fix this severe hole are due to arrive by Sunday, April 14, we're told.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled. Cloud firewalls, Panorama appliances, and Prisma Access are not affected, Palo Alto says.

Zero-day exploitation of this vulnerability was detected on Wednesday by cybersecurity shop Volexity, on a firewall it was monitoring for a client. After an investigation determined that the firewall had been compromised, the firm saw another customer get hit by the same intruder on Thursday.

"The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device," the network security management firm said in a blog post. "The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations."

The intrusion, which begins as an attempt to install a custom Python backdoor on the firewall, appears to date back at least to March 26, 2024.
Palo Alto Networks refers to the exploitation of this vulnerability as Operation MidnightEclipse, which at least is more evocative than the alphanumeric jumble UTA0218. The firewall maker says while the vulnerability is being actively exploited, only a single individual appears to be doing so at this point.

Mitigations include applying a GlobalProtect-specific vulnerability protection, if you're subscribed to Palo Alto's Threat Prevention service, or "temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device." It urged customers to follow the above security advisory and thanked the Volexity researchers for alerting the company and sharing its findings.

https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
https://unit42.paloaltonetworks.com/cve-2024-3400/

Change Healthcare faces second ransomware dilemma weeks after ALPHV attack

Change Healthcare is allegedly being extorted by a second ransomware gang, mere weeks after recovering from an ALPHV attack. RansomHub claimed responsibility for attacking Change Healthcare in the last few hours, saying it had 4 TB of the company's data containing personally identifiable information (PII) belonging to active US military personnel and other patients, medical records, payment information, and more. The miscreants are demanding a ransom payment from the healthcare IT business within 12 days or its data will be sold to the highest bidder.

"Change Healthcare and United Health you have one chance in protecting your clients data," RansomHub said. "The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted."
The org is alleged to have paid a $22 million ransom to ALPHV following the incident – a claim made by researchers monitoring a known ALPHV crypto wallet and one backed up by RansomHub. However, Change Healthcare has never officially confirmed this to be the case. If all of the claims are true, it means the embattled healthcare firm is deciding whether to pay a second ransom fee to keep its data safe.

The prevailing theory among infosec watchers is that ALPHV pulled what's known as an exit scam after Change allegedly paid its ransom. While the ratios vary slightly between gangs, generally speaking, ransomware payments are split 80/20 – 80 percent for the affiliate that actually carried out the attack and 20 percent for the gang itself. It's believed that ALPHV took 100 percent of the alleged payment from Change Healthcare, leaving the affiliate responsible for the attack without a commission. Angry and searching for what they believed they were "owed," the affiliate is thought to have retained much of the data it stole and now switched allegiances to RansomHub in one last throw of the dice to earn themselves a payday, or so the theory goes.

UnitedHealth, parent company of Change Healthcare, disclosed a cybersecurity incident on February 22, saying at the time it didn't expect it to materially impact its financial condition or the results of its operations. It originally suspected nation state attackers to be behind the incident, but the ALPHV ransomware gang later claimed responsibility. Many of its systems were taken down as a result while it assessed and worked to remediate the damage. Hospitals and pharmacies reported severe disruption to services following the attack, with many unable to process prescriptions, payments, and medical claims. Cashflow issues also plagued many institutions, prompting the US government to intervene.
The IT biz's data protection standards are soon to be subject to an investigation by the US healthcare industry's data watchdog, which cited the "unprecedented magnitude of this cyberattack" in its letter to Change.

https://www.theregister.com/2024/04/08/change_healthcare_ransomware/

X fixes URL blunder that could enable convincing social media phishing campaigns

Elon Musk's X has apparently fixed an embarrassing issue implemented earlier in the week that royally bungled URLs on the social media platform formerly known as Twitter. Users started noticing on Monday that X's programmers implemented a rule on its iOS app that auto-changed Twitter.com links that appeared in Xeets to X.com links.

Attackers could feasibly copy legitimate web pages to steal credentials, or skip the trouble and simply use it as a malware-dropping tool, or any number of other possibilities. The potential for abuse here would be rife, given the number of legitimate, well-known brands most people would blindly trust. Netflix, Plex, Roblox, Clorox, Xerox – you get the picture.

According to tests at Reg towers on Wednesday morning, the issue appears to have been reversed. Netflitwitter[.]com now reads as such, but Twitter.com is auto-changed to X.com.

CDK breach, Qilin Synnovis attack, Velvet Ant and Nobelium Threat Groups
Hello, ArvinF, your editor for F5 SIRT's This Week in Security, covering 17-23 June 2024. Here's a summary of the security news.

CDK Global had a cyber security incident that affected car dealerships across the US that use its DMS, which had to go offline. There were no specifics in the reference article on what the cause of the outage was, but it is speculated that it may be related to a ransomware attack. It also coincided with a US public holiday.

Qilin, a suspected Russia-based ransomware gang, executed a cyber attack on Synnovis that affected London-based hospitals. Many surgeries and appointments were pushed back due to this ransomware event. The ransomware gang dumped extracted data from Synnovis because it perceived that Synnovis stalled during the negotiation phase.

Kraken cryptocurrency exchange accuses blockchain security company CertiK of extortion; per Kraken's representative, "the researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or to return funds withdrawn via the vulnerability." This stemmed from a "UX change that would credit client accounts before assets actually cleared to create an artificial sense of real-time cryptocurrency trades". Security researchers from CertiK found the flaw and had a dispute over the awarding of the bounty once Kraken fixed it. Kraken claims the vulnerability exploited by CertiK researchers allowed them to withdraw US $3M from the platform. CertiK says "Kraken's security operation team threatened individual CertiK employees to repay a mismatched amount of crypto in an unreasonable time, even without providing repayment addresses".

A report published by France's computer emergency response team (CERT-FR) highlights the latest tricks of Nobelium, a Russian cyber crew, as the country prepares for a major election and to host this year's Olympic and Paralympic Games.
The researchers say its main focus is espionage, and claim it often targets the email accounts of diplomatic staff, their institutions, embassies, and consulates using phishing emails sent from foreign institutions that have already been compromised by Nobelium. CERT-FR's report states that the French public sector has been attacked several times by the group using this business email compromise (BEC) style of attack.

The forensic report from Sygnia documents how a threat group maintained persistence in a major organization; one of the pivot points was BIG-IP appliances with outdated software and interfaces exposed to the public internet. Quote:

"Velvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a prolonged presence in the organization's on-premises network for about three years. The overall goal behind this campaign was to maintain access to the target network for espionage."

"One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C)."

"The compromised organization had two F5 BIG-IP appliances which provided services such as firewall, WAF, load balancing and local traffic management. These appliances were directly exposed to the internet, and both of which were compromised. Both F5 appliances were running an outdated, vulnerable, operating system. The threat actor may have leveraged one of the vulnerabilities to gain remote access to the appliances."

Ransomware gangs and suspected state-sponsored cyber threat groups are continuously exploiting known and unknown vulnerabilities. Organizations should implement holistic protections such as security awareness training and safe use of business tools.
Phishing and spear phishing are the age-old vectors for delivering malware, and a well-trained and security-aware business user is the human firewall that prevents the initial execution of malware in business email compromise by identifying the potentially malicious email and flagging it to the IT security organization for further handling. Organizations should keep their system software up to date to minimize potential vulnerabilities or flaws that can be exploited. Strong and intelligent email phishing filters/protection should be implemented. Anti-malware software such as anti-virus and EDR/XDR solutions helps protect an organization's systems by detecting malware, preventing its further spread and containing it. Implementing network micro-segmentation helps prevent further spread of malware by limiting attackers' lateral movement options. From an F5/BIG-IP perspective, keep your BIG-IP / F5 software updated, secure access to your device management interfaces, and allow access only to trusted users and networks.

I hope these news items are informative. Credit to the original articles/sources. Till next time, stay safe and secure.

Car dealer software bigshot CDK pulls systems offline twice amid 'cyber incident'

The vendor behind the software on which nearly 15,000 car dealerships across the US rely says an ongoing "cyber incident" has forced it to pull systems offline for a second time in as many days. CDK Global first shut down its systems in the early hours of June 19 and brought key products such as its Dealer Management System (DMS), phone line support, Digital Retail platform, and the Unify portal page, back online later in the day. That means thousands of dealerships throughout the United States have been left to operate without their usual IT systems, sparking disruption.
The business began notifying dealerships and other stakeholders of a service disruption at around 0200 ET, before updating them again at 0800 ET blaming the problems on a "cyber incident," according to trade mag Automotive News, which cited various industry sources and missives from CDK. We'd give you good odds on the attack being timed to coincide with the US public holiday Juneteenth – June 19 – to cause maximum disruption. When disclosures mention third-party experts being drafted after an outage, it often signals the potential for ransomware being involved.

As of today and following the most recent development, some dealerships are preparing for systems to be down all weekend, according to one Reddit post, while others are simply cracking on with the old-fashioned pen-and-paper methods.

https://www.theregister.com/2024/06/20/cdk_global_offline/

Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals

Cybercriminals claim they used a zero-day to breach pathology provider's systems

The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview. Qilin says Synnovis, a partnership between pathology services company Synlab and two London NHS Trusts, wasn't targeted by accident. Asked if it knew a healthcare crisis in the UK capital would ensue as a result of its attack on that organization, should they be successful, a spokesperson for the group said: "Yes, we knew that. That was our goal."

Louise Ferrett, senior threat intelligence analyst at Searchlight Cyber, questioned the alleged ideology of the attack, suggesting it could have been fabricated given the media attention surrounding the incident. "Qilin was considered a financially-motivated threat actor so political targeting doesn't align with their usual modus operandi," she said. "It is possible that, in this case, the gang decided to mix financial gain with proving a political point."

Despite the deliberate intent of the attack, Qilin somewhat backhandedly said it was sympathetic to the people of London who are now suffering as a result.

Zero-day claim

Asked about how Qilin gained an initial foothold in Synnovis' systems, Qilin wouldn't reveal much in the way of details. Despite being named after a Chinese mythological creature, Qilin is widely believed to be an operation running out of Russia. It operates much like others in Russia have in the past and appears to target Western organizations and not those in countries allied to Russia, which would allow it to maintain its protected status at the Kremlin.

https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/?td=rt-3a

Qilin cyber scum leak data they claim belongs to London hospitals' pathology provider

The ransomware gang responsible for the chaos at London hospitals kept true to its word and released a trove of data that it claims belonged to pathology services provider Synnovis. National Health Service (NHS) officials have battled crippling service disruptions across various hospitals in the UK capital after Synnovis – a partnership between Synlab and two London NHS Trusts – pulled its systems offline following a Qilin cyberattack.

Qilin told The Register in an interview earlier this week that it would publish the data on June 20, as it did, after the gang severed communications with Synnovis over its perceived unacceptable stalling during the negotiation phase. Without reviewing the data that's been made available via the group's Telegram channel, which is Qilin's typical preferred method of leaking victim data, we can see that more than 400GB worth of compressed files were made available for download. Qilin claimed that it stole over 1TB worth of Synnovis' data.
The publication of the data, coupled with Qilin's claims that it grew tired of Synnovis during negotiations, all but confirms the company adhered to the UK's official stance on not paying cybercriminals' ransom demands.

NHS issues another update

For two weeks now, the UK's health service has published once-weekly updates on the situation at London hospitals, and this week's edition illustrated just how bad things have become in the space of seven days. In total, 1,134 elective surgeries have been postponed because of Qilin's attack on Synnovis, which began June 4, and 2,194 outpatient appointments have also been pushed back.

https://www.theregister.com/2024/06/21/qilin_cyber_scum_leak_the/
https://www.synnovis.co.uk/news-and-press/cyberattack-update-21-june-2024

Crypto exchange Kraken accuses blockchain security outfit CertiK of extortion

Researchers allegedly stole $3M using the vulnerability, then asked how much it was really worth

Kraken, one of the largest cryptocurrency exchanges in the world, has accused a trio of security researchers of discovering a critical bug, exploiting it to steal millions in digital cash, then using stolen funds to extort the exchange for more. The exchange wrote about the issue yesterday, saying the exploit allowed some users "to artificially increase the value of their Kraken account balance without fully completing a deposit."

Kraken chief security officer Nicholas Percoco said on X that the researchers didn't provide any details in their bug bounty report, but that his team discovered the bug within an hour. Simply reporting the bug would have been enough for a sizable bounty, Percoco added. The researcher who disclosed the vulnerability, who Kraken didn't name "because they didn't comply with any [bug bounty] industry expectations," didn't stop there, however.
According to Percoco, the analyst behind the find shared it with a couple of coworkers, who then exploited the vulnerability to withdraw nearly $3 million from the platform. Kraken noted that the funds stolen in this way were from the Kraken treasury and weren't client assets.

Percoco said the researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or to return funds withdrawn via the vulnerability. "Instead, they demanded a call with their business development team … and have not agreed to return any funds until we provide a speculated [dollar] amount that this bug could have caused if they had not disclosed it," Percoco said. "This is not white-hat hacking, it is extortion!"

Researchers strike back

Kraken may not have wanted to name the researchers behind the alleged extortion attempt, but the researchers themselves aren't being quiet — they're accusing Kraken of misconduct. US-based blockchain security firm CertiK said on X that it was the other party in this dispute, and said the conversation began well enough until Kraken's security team fixed the issue. "After initial successful conversions on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," CertiK said on X.

CertiK also claimed that it had offered to return the funds and never tried to withhold them; however, the crypto community on X isn't going easy on the company. A number of respondents have claimed that wallets associated with CertiK have been caught using US-sanctioned cryptocurrency mixers like TornadoCash and crypto-swapping platform ChangeNOW, while others highlighted what they claim were inconsistencies with CertiK's public disclosures and records on the blockchain.
Additionally, while Percoco said all funds have been returned, minus a portion that was lost to blockchain fees, several commentators allege that the amount CertiK said it owed Kraken was tens of thousands of dollars less than what Kraken said was stolen.

https://www.theregister.com/2024/06/20/kraken_certik_crypto_dispute/

Russia's cyber spies still threatening French national security, democracy

Publishing right before a major election is apparently just a coincidence

A fresh report into the Nobelium offensive cyber crew published by France's computer emergency response team (CERT-FR) highlights the group's latest tricks as the country prepares for a major election and to host this year's Olympic and Paralympic Games. Most infoseccers will know Nobelium/Midnight Blizzard as the Russian intelligence (SVR)-linked criminals responsible for the major supply chain attack on SolarWinds in 2021, but CERT-FR believes sharing information about the latest exploits may stifle the gang's threat to national security in the coming months.

Nobelium's activity is often also tied to the APT29 moniker, but the French cybersecurity agency (ANSSI) believes Nobelium is in fact a distinct intrusion set. It says the true APT29 was active between 2008-2019 and was responsible for the attack on the US DMC, while Dark Halo was the group that carried out the SolarWinds breach. To ANSSI, Nobelium is a separate entity but like the other two, is linked to the Russian intelligence service. ANSSI says it was spun up in October 2020.

It's targeting diplomats, ministry officials

The researchers say its main focus is espionage, and claim it often targets the email accounts of diplomatic staff, their institutions, embassies, and consulates using phishing emails sent from foreign institutions that have already been previously compromised by Nobelium.
CERT-FR's report states that the French public sector has been attacked several times by the group using this business email compromise (BEC) style of attack.

China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence

Key Takeaways
- In late 2023, a large organization was the victim of a serious cyber attack. Sygnia's forensic investigation into the attack revealed a sophisticated threat actor who exhibited robust capabilities and employed a methodical approach. The evidence gathered suggests the involvement of a China-nexus state-sponsored threat actor.
- Velvet Ant is a sophisticated and innovative threat actor. The investigation confirmed the threat actor maintained a prolonged presence in the organization's on-premises network for about three years. The goal behind this campaign was to maintain access to the target network for espionage.
- The threat actor achieved remarkable persistence by establishing and maintaining multiple footholds within the victim company's environment. One of the mechanisms utilized for persistence was a legacy F5 BIG-IP appliance, which was exposed to the internet and which the threat actor leveraged as an internal Command and Control (C&C).
- After one foothold was discovered and remediated, the threat actor swiftly pivoted to another, demonstrating agility and adaptability in evading detection.
- The threat actor exploited various entry points across the victim's network infrastructure, indicating a comprehensive understanding of the target's environment.
- This incident highlights the importance of establishing resilient defense strategies against sophisticated threats, particularly those posed by state-sponsored groups. A holistic approach to mitigating these threats combines continuous monitoring with proactive response mechanisms, including periodic and systematic threat hunts, alongside stringent traffic control and system hardening practices for both legacy and public-facing devices. By embracing such an approach, organizations can enhance their ability to detect, deter, and counteract the persistent threat presented by state-sponsored groups.

The compromised organization had two F5 BIG-IP appliances, which provided services such as firewall, WAF, load balancing, and local traffic management. Both appliances were directly exposed to the internet, and both were compromised. Both were running an outdated, vulnerable operating system. The threat actor may have leveraged one of its vulnerabilities to gain remote access to the appliances; however, visibility limitations hinder the ability to identify exactly how the appliances were compromised.
https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/
https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/

K000140032: China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
https://my.f5.com/manage/s/article/K000140032

Recommended Actions
To protect systems from exploitation, F5 recommends customers:
- Run the most current version to optimize the security and performance of their systems.
- Do not expose the control plane network to untrusted sources, including the Internet.
- Utilize the BIG-IP iHealth Diagnostic Tool to verify the proper operation of their system and ensure it is functioning at peak efficiency.

F5 does not have any additional information beyond the public analysis and is not aware of any zero-day or unknown vulnerabilities being exploited by this threat actor. Based on the public information available, it seems most likely that the devices were compromised because their management interfaces were exposed to the Internet (which is contrary to F5 advice and best practices) and they were running an old version of BIG-IP software impacted by a disclosed vulnerability for which a fixed version is available.

Maintainers, Slowloris/2, Kobold Letters - April 1st - 7th, 2024 - F5 SIRT - This Week in Security
Introduction

Hello again, Kyle Fox here. This week we have some shorter bits about things, in which I promise two more future articles, which I think means I am up to three non-TWIS articles in the pipeline.

We have to talk about project maintainers again. We have all seen that one XKCD comic about dependency maintainers. The xz situation has resurfaced a common plea from Open Source maintainers: we need funds and help. I don't have any real deep commentary here, just a plea that companies heavily dependent on Open Source projects should consider giving back to the community by retaining internal SMEs who can help projects resolve issues by submitting bug fixes, by contributing to those projects financially, and possibly by hiring internal people to work on the major features they want out of these projects. Platforms like GitHub may be able to help by moderating discussions to keep project maintainers from being abused by users. And the community should work harder at being a positive force for change. The same goes for conferences: some of us spend lots of time working on all the little details so you can go to DEF CON, have parties to go to, things to hack and places to hack them in. It's easy to look at something like DEF CON and think that it's just another industry conference and everyone is being paid to be there, but very few people are paid to be there. I will further discuss this soon in a post about the current DEF CON situation and venues.

Is the HTTP/2 CONTINUATION Attack Just Slowloris/2?

On April 3rd the industry got wind of a new attack on HTTP/2: this time an attacker consumes server resources by sending a steady stream of CONTINUATION frames that never finish the header block, leaving the connection open. This came on the tail end of the HTTP/2 Rapid Reset attack, which consumed resources in an orthogonal way. If this attack sounds familiar, it's because it is almost the same attack for HTTP/2 as the Slowloris attack was for HTTP/1.1.
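To make the comparison concrete, here is an added example (my own constructed demo, not BIG-IP code and not from the original post) that models a front end which buffers the complete header block before touching the backend and enforces a time, size and frame-count budget on that buffering. The limits, the simplified HTTP/2 frame model (no padding, priority or stream IDs) and the replayed scenarios are assumptions; the point is that one budget rejects both a Slowloris header trickle and a CONTINUATION-frame trickle.

```python
"""Header-phase budget that stops Slowloris (HTTP/1.1) and the HTTP/2 CONTINUATION
flood the same way: buffer the complete header block before anything is forwarded,
and bound how long and how large that buffering may get. Constructed demo, not
BIG-IP code; the limits, the frame model and the replay scenarios are assumptions."""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

# Assumed limits; a real front end makes these configurable.
HEADER_PHASE_TIMEOUT_S = 10.0  # wall-clock budget to deliver one complete header block
MAX_HEADER_BYTES = 8192        # size of the buffered header block
MAX_HEADER_FRAMES = 32         # HEADERS + CONTINUATION frames per block (HTTP/2)

# HTTP/2 frame types and the END_HEADERS flag (RFC 9113 values).
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4


class HeaderPhaseViolation(Exception):
    """The client blew the header-phase budget: close its connection. No backend
    request was ever assembled, so the servers behind the front end never notice."""


def check_clock(started_at: float, now: float) -> None:
    if now - started_at > HEADER_PHASE_TIMEOUT_S:
        raise HeaderPhaseViolation("header phase timeout")


@dataclass
class Http1HeaderBuffer:
    """Accumulates an HTTP/1.1 request head until the blank line that ends it."""
    started_at: float
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, chunk: bytes, now: float) -> Optional[bytes]:
        check_clock(self.started_at, now)
        self.buf += chunk
        if len(self.buf) > MAX_HEADER_BYTES:
            raise HeaderPhaseViolation("header block too large")
        end = self.buf.find(b"\r\n\r\n")
        return None if end == -1 else bytes(self.buf[:end])  # None: still buffering


@dataclass
class Frame:
    ftype: int
    flags: int
    payload: bytes  # the header block fragment (HPACK bytes)


@dataclass
class Http2HeaderBlockBuffer:
    """Accumulates a HEADERS frame and its CONTINUATION frames until END_HEADERS.
    Simplification: padding, priority fields and stream IDs are ignored."""
    started_at: float
    frames: int = 0
    block: bytearray = field(default_factory=bytearray)

    def feed(self, frame: Frame, now: float) -> Optional[bytes]:
        check_clock(self.started_at, now)
        if frame.ftype not in (HEADERS, CONTINUATION):
            # RFC 9113: nothing but CONTINUATION may follow an unfinished header block
            raise HeaderPhaseViolation("non-header frame inside header block")
        self.frames += 1
        if self.frames > MAX_HEADER_FRAMES:
            raise HeaderPhaseViolation("too many header frames")
        self.block += frame.payload
        if len(self.block) > MAX_HEADER_BYTES:
            raise HeaderPhaseViolation("header block too large")
        return bytes(self.block) if frame.flags & END_HEADERS else None


def run_http1(events: Iterable[Tuple[float, bytes]]) -> str:
    """Replay (time, chunk) events; return 'complete' or the violation reason."""
    events = list(events)
    hb = Http1HeaderBuffer(started_at=events[0][0])
    try:
        for now, chunk in events:
            if hb.feed(chunk, now) is not None:
                return "complete"
        return "incomplete"
    except HeaderPhaseViolation as exc:
        return str(exc)


def run_http2(events: Iterable[Tuple[float, Frame]]) -> str:
    """Same replay for (time, frame) events on one HTTP/2 stream."""
    events = list(events)
    hb = Http2HeaderBlockBuffer(started_at=events[0][0])
    try:
        for now, frame in events:
            if hb.feed(frame, now) is not None:
                return "complete"
        return "incomplete"
    except HeaderPhaseViolation as exc:
        return str(exc)


# Constructed scenarios. HPACK bytes 0x82 0x86 0x84 are the static-table entries
# ":method GET", ":scheme http", ":path /".
NORMAL_HTTP1 = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]
SLOWLORIS_HTTP1 = [(9.0 * i, b"GET / HTTP/1.1\r\n" if i == 0 else b"X-a: %d\r\n" % i)
                   for i in range(20)]  # one header every 9 s, never the blank line
NORMAL_HTTP2 = [(0.0, Frame(HEADERS, END_HEADERS, b"\x82\x86\x84"))]
CONTINUATION_FLOOD = [(0.0, Frame(HEADERS, 0, b"\x82"))] + [
    (0.2 * i, Frame(CONTINUATION, 0, b"\x86")) for i in range(1, 200)
]  # HEADERS without END_HEADERS, then a trickle of tiny CONTINUATION frames

if __name__ == "__main__":
    print("normal HTTP/1.1    :", run_http1(NORMAL_HTTP1))
    print("Slowloris          :", run_http1(SLOWLORIS_HTTP1))
    print("normal HTTP/2      :", run_http2(NORMAL_HTTP2))
    print("CONTINUATION flood :", run_http2(CONTINUATION_FLOOD))
```

Run it directly to see the four verdicts. The limits are deliberately low so the replay is short; on a real proxy the header-phase timeout and the size and frame-count caps are tuning knobs, and hitting any of them should close the client connection before a backend request is ever assembled.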
You could also compare it to the Slow POST attack. How Slowloris worked, for those who may have forgotten since 2009: the attacker sends an HTTP/1.1 request to a web server and then slowly sends one header at a time, holding the connection open for a very long time with very little traffic. On susceptible web servers the attacker only needs to send headers fast enough to keep the TCP connection from timing out, since the web server has no timeout for the header stage of the request. The Slow POST attack is similar, but slowly sends chunks of POST body data rather than headers, relying on the web server not timing out on those. BIG-IP mitigated Slowloris by its normal behavior of buffering all the headers before forwarding a request to the backend servers. A limit on the number and/or size of headers allows further refinement of this mitigation. When mitigated, these attacks generate at most an open connection on the backend with no request. This same behavior mitigated the HTTP/2 Rapid Reset attack and now mitigates the HTTP/2 CONTINUATION attack. As we can see from this, old attacks can become new ones when a new or significantly revised protocol comes along. This is why, when working on new features, F5 performs Threat Modelling Assessments to categorize possible new variations of old attacks, or completely new attacks, that may apply to a new feature, protocol or service, and builds in protections against those attacks.

Display: none Strikes Again, Now in Email

A recent post over at Lutra Security called Kobold Letters has resurfaced an old CSS trick, this time in email. The TL;DR is that a display: none rule in an email's CSS hides a block of text until the message is forwarded or replied to. Email clients often convert a message to plain text, or rewrite its HTML and CSS, when quoting it.
This results in the ability to put blocks of text in divs or other selectable blocks that can be styled in CSS to hide them, or otherwise change their display and appearance, when the message is forwarded or replied to. I don't know if this really changes much in the spear-phishing risk area; at this point organizations should have considerable controls in place to make sure that fund transfers are only acted on with clear, verified approval and that the destinations of fund transfers are vetted and verified, not copied from some email and sent without checking. Fortunately in this case the vendors have been informed and are working to provide fixes for this attack, so it may not be viable for very long.

Are Bluetooth Discovery Attacks Drying Up?

I don't have much to write here since I have not yet dug into the data that much, but the Bluetooth Discovery attacks that I talked about in December appear not to be as popular as they once were. I used Wall-of-Flippers at a few conventions in March to collect Flipper and Bluetooth Discovery spam data, but it appears that not a whole lot of spamming was happening. Apple and Google Android have been working on mitigating these attacks, with Apple having released several iOS updates to patch it. The lack of impact these days may be driving this trend. I do intend to bring the Wall-of-Flippers to more events, and will be doing a bigger writeup on the device, the software and the data collected here on DevCentral in the coming month or two.

Roundup

- Not a channel this time, but a single video by TwinkleTwinkie: Understanding & Making PCB Art.
- Google to delete records collected from users of Incognito Mode in lawsuit settlement.
- Microsoft has announced how much it will cost to keep Windows 10 past the date they want you to move to Windows 11. No word on a better Windows 11 UI.
- Fake AI law firms are sending DMCA takedowns to generate SEO gains. (Original report)
- A recommendation from my recent trip to Las Vegas: Roberto's Taco Shop.
- Wi-Fi only works when it's raining. This is a lesson in how sometimes observations, while absurd, are correct.
- Roku wants to insert ads in HDMI inputs?
- DEF CON now has hotel blocks at the Sahara Las Vegas, the Fontainebleau Las Vegas and Resorts World.
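Returning to the Kobold Letters item above: the defensive check a mail gateway or a cautious user wants is to see what a message hides before it is quoted in a reply or forward. The scanner below is an added example, not code from Lutra Security or any mail vendor. It walks an HTML message once and buckets text as visible or hidden, honouring both inline style attributes and simple class/id rules in a style block; the list of hiding declarations, the sample message and its class name are constructed for the demo.

```python
"""Scan an HTML email for text hidden by CSS, the trick behind Kobold Letters.
Added example, not code from Lutra Security or any mail vendor. The hiding
properties checked and the sample message below are constructed for the demo."""
import re
from html.parser import HTMLParser
from typing import Dict, List

# CSS declarations that make content invisible in the first rendering but may be
# dropped when a client rewrites the message for a reply or forward. Assumed list.
HIDING = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|mso-hide\s*:\s*all"
    r"|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)",
    re.IGNORECASE,
)
# selector { declarations } pairs inside a <style> block (flat rules only, no @media)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col",
             "embed", "source", "track", "wbr"}


class KoboldScanner(HTMLParser):
    """Walks the document once; each open element remembers whether it, or any
    ancestor, is hidden, so every text node lands in the right bucket."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hidden_selectors: set = set()   # ".cls" / "#id" hidden by <style> rules
        self.stack: List[tuple] = []         # (tag, is_hidden) for open elements
        self.visible_text: List[str] = []
        self.hidden_text: List[str] = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        hidden = "hidden" in a or bool(HIDING.search(a.get("style") or ""))
        for cls in (a.get("class") or "").split():
            hidden = hidden or ("." + cls) in self.hidden_selectors
        if a.get("id") and ("#" + a["id"]) in self.hidden_selectors:
            hidden = True
        if self.stack and self.stack[-1][1]:
            hidden = True                    # inherits from a hidden ancestor
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate sloppy nesting
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self._in_style:
            # Collect selectors whose rule body hides content, e.g. ".kobold"
            for selectors, body in RULE.findall(data):
                if HIDING.search(body):
                    self.hidden_selectors.update(s.strip() for s in selectors.split(","))
            return
        text = " ".join(data.split())
        if not text:
            return
        bucket = self.hidden_text if self.stack and self.stack[-1][1] else self.visible_text
        bucket.append(text)


def scan_email_html(html: str) -> Dict[str, List[str]]:
    """Return the text a recipient sees and the text that is hidden from them."""
    scanner = KoboldScanner()
    scanner.feed(html)
    scanner.close()
    return {"visible": scanner.visible_text, "hidden": scanner.hidden_text}


# Constructed sample: a benign-looking note with two hidden blocks, one via a
# <style> class rule and one via an inline style. The account line is a placeholder.
SAMPLE_EMAIL = """<html><head><style>
  .kobold { display: none; }
</style></head><body>
<p>Hi, please see the attached invoice and pay as usual.</p>
<div class="kobold"><p>Updated bank details: use account 0000-0000 from now on.</p></div>
<p style="display:none">Forward this to accounting immediately.</p>
<p>Regards,<br>Sender</p>
</body></html>"""

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    for line in result["hidden"]:
        print("HIDDEN :", line)
    for line in result["visible"]:
        print("VISIBLE:", line)
```

A scanner like this only tells you what the first rendering suppresses; whether the hidden block reappears depends on how the recipient's client rewrites the markup when quoting, which is exactly the client-specific behaviour the vendors are now fixing.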