Persistent Threat from Russian State-Sponsored Actor: Star Blizzard, formerly known as SEABORGIUM and also referred to as COLDRIVER and Callisto Group, is a Russian state-sponsored actor that Microsoft Threat Intelligence has been actively tracking. Their operations, believed to be aligned with both espionage and cyber influence objectives, primarily target international affairs, defense, academia, and entities involved in logistics support to Ukraine. Microsoft, in collaboration with international cybersecurity entities like the UK National Cyber Security Centre and the US National Security Agency, continues to refine defenses against Star Blizzard's evolving spear-phishing tactics.
Evolving Evasive Techniques: In recent developments, Star Blizzard has enhanced its detection evasion capabilities, employing five new techniques. These include utilizing server-side scripts to evade automated scanning, leveraging email marketing services to mask email sender addresses, using a DNS provider to obscure IP addresses, deploying password-protected PDF lures or links to cloud-based file-sharing platforms, and employing a more randomized domain generation algorithm (DGA) for actor-registered domains.
Operational Focus and Tactics: Star Blizzard remains focused on email credential theft, primarily targeting cloud-based email providers. They use the Evilginx framework for spear-phishing, directing targets to Evilginx server infrastructure configured for credential theft. Their tactics include the use of custom-built PDF lures to initiate browser sessions that follow a redirection chain ending at their controlled infrastructure.
CISA and International Advisory: The Cybersecurity and Infrastructure Security Agency (CISA), alongside international partners, has issued a joint advisory against Star Blizzard. The group has been noted for targeting specific sectors in the US and UK, as well as other NATO countries, with activities expanding to include defense-industrial targets and US Department of Energy facilities. Star Blizzard predominantly sends spear-phishing emails to personal email addresses to circumvent corporate network security controls, using open-source tools for credential harvesting.
Confirmed Practice of Push Notification Spying: Apple has confirmed that foreign governments have been using legal orders to acquire push notification details from iPhones and Android smartphones. This practice, termed "push notification spying," involves governments serving secret legal orders to Apple and Google, compelling them to hand over these details. This form of surveillance had been restricted from public release, preventing Apple from disclosing it in their transparency reports.
Discovery and Investigation by Senator Wyden: The issue was brought to light by Senator Ron Wyden, a member of the Senate intelligence committee, who initiated an investigation following a tip about foreign governments demanding smartphone push notification records from Apple and Google. Push notifications, which pass through digital services operated by Apple and Google, can be secretly compelled by governments to hand over user information, raising privacy concerns.
Legal and Transparency Implications: Senator Wyden has written an open letter to the US Department of Justice, urging them to allow Apple and Google to be transparent about such legal demands. He advocates for these companies to be able to reveal whether they have been compelled to facilitate surveillance, publish aggregate statistics about demands, and notify specific customers about data requests unless prohibited by a court order.
Data Revealed and Impact on Privacy: Push notifications can provide detailed information about app usage, including which app received a notification and when, as well as details about the phone and the associated Apple or Google account. In some cases, the companies may also receive encrypted content, including the actual text displayed in the notification. This data can reveal user behavior patterns and personal information, although the content of end-to-end encrypted messages remains protected.
Exploitable Across Various Platforms: CVE-2023-45866, a critical Bluetooth security flaw, allows attackers to remotely take control of devices running Android, Linux, macOS, and iOS. This vulnerability permits an authentication bypass, enabling attackers to connect to vulnerable devices without user confirmation and inject keystrokes to execute arbitrary commands. The flaw affects a wide range of devices, including those running Android versions as far back as 4.2.2, iOS, Linux, and macOS, and doesn't require specialized hardware for exploitation.
Mechanism of Attack and Execution: The vulnerability works by tricking the Bluetooth host state machine into pairing with a fake keyboard, exploiting an unauthenticated pairing mechanism defined in the Bluetooth specification. Once paired, an attacker in close physical proximity can connect to the device and transmit keystrokes to install apps and run commands, especially on systems that do not require a password or biometric authentication for certain actions.
Patch Availability and Affected Versions: Google has released fixes for Android versions 11 through 14, with currently supported Pixel devices receiving the fix via the December OTA updates. However, there is no fix available for Android versions 4.2.2 through 10. On the Linux side, while a fix was issued in 2020, it was not widely implemented across all distributions, leaving many, including various versions of Ubuntu, vulnerable.
Specific Risk to Apple Devices: The bug poses a particular threat to macOS and iOS when Bluetooth is enabled and an Apple Magic Keyboard has been paired with the device. Notably, the flaw is also effective in Apple's Lockdown Mode, which is designed to protect against sophisticated digital threats. Apple has confirmed the vulnerability but has not yet shared a timeline for a patch.
Innovative Process Injection Techniques Discovered: SafeBreach has identified eight new process injection techniques using Windows thread pools, collectively named "Pool Party." These techniques allow the injection of malicious code as a result of legitimate actions and operate across all processes without limitations. This discovery is significant because it demonstrates the capability to bypass current endpoint detection and response (EDR) systems from major vendors like Microsoft, SentinelOne, CrowdStrike, Cybereason, and Palo Alto Networks.
Technical Breakdown of Pool Party Techniques: The techniques exploit the Windows user-mode thread pool, a standard component of all Windows processes. They leverage four areas within the thread pool architecture for process injection: the worker factories (managing worker threads), and three types of queues (task, I/O completion, and timer queues). Each of these areas offers a unique method for process injection, with varying applications and impacts.
EDR Evasion and Security Implications: EDR solutions typically detect process injections based on the execution primitive. The Pool Party techniques, however, are based on allocation and writing primitives and are triggered by legitimate actions, making them undetectable by the EDRs tested. This finding underscores the need for continuous evolution in EDR solutions and highlights the sophistication of threat actors who are constantly developing new methods to evade detection.
Response and Future Outlook: SafeBreach reported their findings to the affected EDR vendors, who are believed to be updating their systems to better detect such techniques. The firm emphasizes the importance of proactive defense against sophisticated threat actors and the continuous exploration of novel process injection methods. This development illustrates the ongoing arms race in cybersecurity, where both attackers and defenders are constantly evolving their tactics and countermeasures.
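The detection gap the briefing describes (injection that uses only allocation and write primitives, with no classic execution primitive) can be hunted for by correlating cross-process memory operations. The following is an added example, not SafeBreach's code or any vendor's rule; the event shape and the sample telemetry are constructed, and the window size is an assumption.

```python
# Added example (not from the briefing or SafeBreach): a hunting heuristic for
# injection that relies on allocation/write primitives only. The Event shape
# and the SAMPLE_EVENTS below are constructed, not real EDR telemetry.
from collections import defaultdict
from dataclasses import dataclass

ALLOC_APIS = {"NtAllocateVirtualMemory", "VirtualAllocEx"}
WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}
EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
             "SetThreadContext"}

@dataclass
class Event:
    ts: float          # seconds since capture start
    api: str           # API name as recorded by the sensor
    source_pid: int    # process making the call
    target_pid: int    # process whose memory is touched

def find_write_only_injection(events, window_s=5.0):
    """Return (source_pid, target_pid) pairs where the source allocated and
    wrote into a foreign process within `window_s` seconds and never used a
    classic execution primitive on it. Rules keyed on execution alone would
    miss exactly these pairs."""
    by_pair = defaultdict(list)
    for e in events:
        if e.source_pid != e.target_pid:          # self-operations are normal
            by_pair[(e.source_pid, e.target_pid)].append(e)
    hits = []
    for pair, evs in by_pair.items():
        apis = {e.api for e in evs}
        if apis & EXEC_APIS:
            continue   # classic injection: leave it to existing execution-based rules
        allocs = [e.ts for e in evs if e.api in ALLOC_APIS]
        writes = [e.ts for e in evs if e.api in WRITE_APIS]
        if any(0 <= w - a <= window_s for a in allocs for w in writes):
            hits.append(pair)
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed telemetry
    Event(1.0, "VirtualAllocEx", 4242, 1337),      # alloc + write, no exec
    Event(1.2, "WriteProcessMemory", 4242, 1337),
    Event(2.0, "VirtualAllocEx", 5000, 2222),      # classic injector
    Event(2.1, "WriteProcessMemory", 5000, 2222),
    Event(2.2, "CreateRemoteThread", 5000, 2222),
    Event(3.0, "VirtualAllocEx", 6000, 6000),      # self-allocation
    Event(4.0, "VirtualAllocEx", 7000, 8000),      # write far outside window
    Event(20.0, "WriteProcessMemory", 7000, 8000),
]

if __name__ == "__main__":
    print(find_write_only_injection(SAMPLE_EVENTS))  # [(4242, 1337)]
```

Debuggers and some legitimate tooling produce the same pattern, so treat matches as hunting leads to enrich with the target process identity rather than as a blocking rule.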
Widespread Impact Across Various Devices: LogoFail, a set of vulnerabilities discovered by security researchers at Binarly, exploits flaws in the processing of startup logos during boot, impacting BIOS software from major vendors like AMI, Insyde, and Phoenix. These BIOS implementations are used in a vast range of devices, including those from Intel, Acer, and Lenovo, making approximately 95% of all computers potentially vulnerable.
Technical Details and Attack Mechanism: The vulnerability is rooted in image parsers used during boot to display vendor logos. These parsers, plagued with security flaws, can be exploited by replacing the vendor image with a malicious one. This substitution can bypass significant security features such as Secure Boot and hardware-based Verified Boot systems like Intel Boot Guard, AMD Hardware-Validated Boot, and ARM TrustZone-based Secure Boot.
Exploitation Requirements and Consequences: Attackers need administrative access to target devices, which can be obtained through malicious software or other exploits. With that access, they can replace the boot logo with a malicious one, disabling UEFI security features like Secure Boot and executing malicious software. While firmware updates are being released for some affected devices, not all will receive them, particularly those no longer supported.
Broader Implications and Mitigation Measures: The vulnerabilities highlight a new attack surface associated with the customization features of the UEFI (Unified Extensible Firmware Interface) system. Attackers need local privileged access to exploit these vulnerabilities, either through security flaws or physical attack vectors. Users are advised to update their firmware and exercise caution, especially on devices without available updates.