Brief #26: ALPHV/BlackCat's SEC Exploit, Appin's Espionage, CitrixBleed and More

Mandos Brief #26 for week 46, 2023: Alphv/BlackCat's SEC extortion, Appin's cyberespionage transformation, CitrixBleed attacks, Microsoft's zero-day fixes, and Reptar's Intel CPU threat.


Alphv/BlackCat Ransomware Group Exploits SEC Regulations in Extortion Scheme

  • Innovative Extortion Strategy: The Alphv/BlackCat ransomware group filed a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink for failing to disclose a data breach. This move represents a novel tactic in ransomware extortion, using regulatory measures to pressure victims into complying with ransom demands.
  • Details of the Attack: The attack on MeridianLink, which occurred on or around November 7, involved significant data theft but reportedly did not use file-encrypting ransomware. This approach indicates a strategic shift in the group's operations, focusing on data exfiltration and leveraging regulatory frameworks for extortion.
  • SEC Rules and Timing: This incident occurs ahead of the new SEC data breach disclosure rules, set to take effect in mid-December 2023. These rules require companies to report cybersecurity incidents within four business days if they are material to investors. Alphv/BlackCat's action underscores the increasing intersection of cybersecurity and regulatory compliance.
  • BlackCat's Evolving Tactics: Known for its active and innovative ransomware operations, BlackCat's filing with the SEC demonstrates its willingness to explore new methods to coerce payment from its victims. This incident highlights the evolving landscape of cyber threats and the need for companies to be vigilant in both cybersecurity and regulatory compliance.

How Appin Transformed From EdTech to Global Cyberespionage Syndicate

  • Evolution and Global Operations: Appin, initially an educational startup, evolved into a prominent hack-for-hire organization, engaging in global cyber intrusions, espionage, surveillance, and disruptive actions. Their activities have been linked to various countries including Norway, Pakistan, China, and India, with clients spanning government organizations and private businesses worldwide.
  • Targeting and Techniques: Appin's operations included keylogger deployment against Pakistani government officials, data theft from Chinese military officers, and domestic cyber operations within India. They employed sophisticated methods like phishing, email breach, and malware deployment, showcasing a diverse technical capability in cyberespionage.
  • Infrastructure and Malware Development: Appin utilized an array of servers for different purposes like exfiltration, command and control, and phishing. They used covert communication platforms like GoldenEye and MyCommando for project management and client interaction. Appin also engaged in developing and purchasing malware, using platforms like Elance (now Upwork) to acquire tools like USB Propagators, and exploited vulnerabilities for their operations.
  • Operational Dynamics and Security Practices: The organization's operational security (OPSEC) appeared robust in theory but was poorly executed in practice. Individual roles within Appin were defined by skill sets rather than formal responsibilities, with a focus on innovation and the development of new tools and techniques to fulfill customer demands. This flexible approach to roles and tasks facilitated the creation of sophisticated and targeted cyberespionage campaigns.

CitrixBleed: A Critical Vulnerability in Citrix NetScaler Leveraged in Global Cyberattacks

  • Widespread Exploitation of CVE-2023-4966: CitrixBleed, officially known as CVE-2023-4966, is a critical vulnerability in Citrix NetScaler systems. It has been heavily exploited in a series of cyberattacks targeting major organizations globally, including Boeing, the Industrial and Commercial Bank of China (ICBC), port operator DP World, and international law firm Allen & Overy.
  • Vulnerability Characteristics and Impact: This flaw, affecting on-premise versions of Citrix NetScaler ADC and NetScaler Gateway platforms, allows remote unauthenticated attackers to extract significant data from a device’s memory. The ease of exploiting this bug enables hackers to hijack legitimate session tokens, bypassing the need for passwords or two-factor authentication and leading to network compromise.
  • Early Exploitations and Diverse Targets: Investigations by cybersecurity firms Mandiant and Rapid7 revealed early exploitations of CitrixBleed in various sectors, including professional services, technology, government, healthcare, manufacturing, and retail. Attackers have been observed performing lateral movement and accessing sensitive data within compromised networks.
  • Ransomware Groups Capitalizing on CitrixBleed: At least four threat groups, including the Russia-linked LockBit ransomware gang, have been exploiting CitrixBleed. LockBit has been particularly active, claiming responsibility for several high-profile breaches and reportedly receiving ransom payments from some victims like ICBC. The Medusa ransomware gang has also been reported to exploit this vulnerability.
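Because a hijacked session token is replayed without any password or second factor, one defender-side check that follows from the bullets above is to look for a session that authenticates from one client address and is then used from another that never logged in. The script below is an added example, not code from the brief or from Citrix; the log line format and the sample entries are constructed for illustration and do not reproduce real NetScaler log syntax.

```python
"""Flag session tokens used from a client IP that never authenticated them."""
import re
from collections import defaultdict

# Constructed sample log (assumed format, not real NetScaler output):
# "<timestamp> client=<ip> session=<token> action=<verb>"
SAMPLE_LOG = """\
2023-11-14T09:00:01Z client=203.0.113.10 session=abc123 action=login
2023-11-14T09:05:12Z client=203.0.113.10 session=abc123 action=portal
2023-11-14T09:06:40Z client=198.51.100.77 session=abc123 action=portal
2023-11-14T09:07:02Z client=198.51.100.77 session=abc123 action=admin
2023-11-14T09:10:00Z client=203.0.113.55 session=def456 action=login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) session=(?P<sid>\S+) action=(?P<action>\S+)$"
)


def parse_lines(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_shared_sessions(events):
    """Return {session: sorted client IPs} for every session seen from >1 IP."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}


def suspicious_sessions(events):
    """Return {session: [(ts, ip, action)]} for activity from an IP with no login
    on that session, the signature of a replayed (hijacked) token."""
    login_ips = defaultdict(set)
    for e in events:
        if e["action"] == "login":
            login_ips[e["sid"]].add(e["ip"])
    findings = defaultdict(list)
    for e in events:
        if e["action"] != "login" and e["ip"] not in login_ips[e["sid"]]:
            findings[e["sid"]].append((e["ts"], e["ip"], e["action"]))
    return dict(findings)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("shared:", find_shared_sessions(evs))
    print("suspicious:", suspicious_sessions(evs))
```

A shared-IP hit alone can be benign (mobile clients, NAT changes); the second check, use without a prior login from that address, is the stronger indicator and is what the sample session abc123 trips.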

Microsoft Fixes 5 New Zero-Days in November 2023 Patch Tuesday

  • Comprehensive Security Updates: Microsoft's November 2023 Patch Tuesday addressed a total of 63 security bugs, including five zero-day vulnerabilities. The update resolved a diverse range of vulnerabilities, with 14 remote code execution (RCE) bugs, 16 elevation of privilege vulnerabilities, and others spanning security feature bypass, information disclosure, denial of service, and spoofing. Notably, three critical issues were patched: an Azure information disclosure bug, an RCE in Windows Internet Connection Sharing (ICS), and a Hyper-V escape flaw.
  • Zero-Day Vulnerability Details: The five zero-day vulnerabilities addressed include CVE-2023-36025 (Windows SmartScreen Security Feature Bypass), CVE-2023-36033 (Windows DWM Core Library Elevation of Privilege), and CVE-2023-36036 (Windows Cloud Files Mini Filter Driver Elevation of Privilege). CVE-2023-36025 is notable for allowing attackers to bypass Windows Defender SmartScreen checks, requiring user interaction with a crafted Internet Shortcut. The other two, CVE-2023-36033 and CVE-2023-36036, could enable an attacker to gain SYSTEM privileges.
  • Exploitation and Disclosure: Three of the zero-day vulnerabilities (CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036) had been actively exploited in attacks. Microsoft also fixed two other publicly disclosed zero-day bugs: CVE-2023-36413 (Microsoft Office Security Feature Bypass Vulnerability) and CVE-2023-36038 (ASP.NET Core Denial of Service Vulnerability), although these were not actively exploited. The active exploitation of these flaws underlines the criticality of timely patch application to mitigate potential security risks.
  • Additional Context and Security Recommendations: This Patch Tuesday release reflects Microsoft's ongoing efforts to address emerging threats and vulnerabilities in its software ecosystem. The inclusion of these patches in the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) further highlights the importance of these updates. Organizations are urged to apply these patches promptly to protect against potential exploits and maintain a secure computing environment.

Reptar: High-Severity Intel CPU Vulnerability Disrupts Multi-Tenant Virtualized Environments

  • Discovery and Impact of Reptar: Google's Information Security Engineering team discovered a critical side-channel vulnerability named Reptar (CVE-2023-23583) in various Intel CPUs, including those used in cloud computing environments. This vulnerability, with a CVSS score of 8.8, allows attackers to leak information from affected systems and potentially steal sensitive data like credit card numbers and passwords. It is particularly concerning for multi-tenant virtualized environments, where one compromised tenant could impact others sharing the same hardware.
  • Technical Details of Reptar: Reptar exploits an issue in how Intel CPUs handle speculative execution, a process in which the CPU executes instructions before it has fully validated that they should run. The vulnerability stems from the processor's interpretation of redundant prefixes, which, if exploited, allows attackers to bypass the CPU's security boundaries. In a virtualized environment this flaw can cause the host machine to crash, resulting in a denial of service to the other guest machines on the same host, and potentially leading to privilege escalation or information disclosure.
  • Intel's Response and Mitigation Measures: Intel acknowledged the issue, providing an advisory and releasing a patch for the vulnerability. The affected processors include the 10th and 11th Generation Intel® Core™ Processor Families, the 3rd Generation Intel® Xeon® Scalable Processor Family, and Intel® Xeon® D Processors. Intel advises users to patch their devices immediately and is working on a long-term fix for this high-severity vulnerability.
  • Security Analysis and Recommendations: Security experts stress the seriousness of the Reptar bug, warn that it could be exploited to cause system crashes, and recommend prioritizing patch deployment to mitigate the risk. Since Reptar can disrupt multi-tenant systems and potentially allow access to other tenants’ data through the same vulnerability, it poses a significant threat in shared computing environments.