This week in cybersecurity has been a rollercoaster, with revelations ranging from critical vulnerabilities to sophisticated cyber espionage activities. As we navigate these complex threats, it's vital to stay informed and prepared.
But before we jump into the details, here's what you might have missed:
Widespread Impact: CVE-2023-40547, identified by Microsoft's Security Response Center, is a critical vulnerability in the Shim bootloader affecting most Linux distributions. It arises from improper HTTP protocol handling, leading to potential system compromise.
Technical Details: Shim, integral for Linux's Secure Boot process, mishandles HTTP boot, enabling out-of-bounds write. The issue, fixed in December 2023, affects all distributions supporting Secure Boot, highlighting the broad risk to Linux environments.
Exploitation Paths: Attackers could exploit CVE-2023-40547 via Man-in-the-Middle (MiTM) attacks, manipulating EFI variables or the EFI partition, and via PXE to chain-load a vulnerable Shim, gaining early system control.
Remediation and Detection: Patching involves updating Shim and the UEFI Secure Boot DBX (revocation list). Tools like fwupd facilitate this, while detection strategies include monitoring bootloader versions and integrity, plus tracking the DBX list for compliance.
Intricate Exploit Tactics: By utilizing CVE-2022-42475 for initial access, the Chinese state-backed actors deployed the COATHANGER malware, a sophisticated Remote Access Trojan (RAT), targeting FortiGate appliances to facilitate espionage against the Dutch Ministry of Defense.
Malware Mechanics: COATHANGER, designed for stealth and persistence, evades detection and maintains functionality across reboots and firmware updates by manipulating system calls and injecting malicious code into critical processes.
Detection and Analysis: Detailed technical analysis reveals COATHANGER's complex behavior, including its methods for maintaining persistence, evading detection, and communicating with C2 servers, underscoring the advanced capabilities of state-sponsored actors.
Mitigation and Response: The advisory emphasizes incident response strategies, including isolation and forensic analysis of affected systems, and underscores the importance of timely patching and robust security practices to mitigate the risks posed by such sophisticated threats.
Ready for the next week's brief? Stay informed with the latest key developments.
Expansive Campaign: Between November and December 2023, ResumeLooters targeted employment agencies and retail websites across the APAC region using SQL injection and XSS attacks, compromising 65 websites to steal sensitive user data including resumes.
Technical Sophistication: The group employed advanced penetration tools such as sqlmap, Acunetix, and the Beef Framework for exploiting vulnerabilities and injecting malicious scripts, indicating high technical proficiency.
Tactics and Techniques: Initial access was often gained through SQL injection, followed by XSS attacks to inject phishing scripts on legitimate job search websites, aiming to capture admin credentials and sensitive information.
Prevention and Mitigation: Recommendations include using parameterized queries to prevent SQL injections, validating and sanitizing user inputs to thwart XSS attacks, and deploying Web Application Firewalls (WAFs) for an additional security layer.
Critical Security Update: Ivanti has patched a high-severity vulnerability, CVE-2024-22024, affecting Ivanti Connect Secure, Policy Secure, and ZTA gateways. The flaw, an XML External Entity (XXE) issue, could allow unauthenticated attackers to access restricted resources, highlighting the importance of timely patch application for affected versions.
Technical Details and Impact: The vulnerability is present in the SAML component of the affected products and has a CVSS score of 8.3. It impacts a limited number of supported versions, underscoring the need for organizations to verify their software versions and apply the necessary patches to mitigate potential risks.
Patch Availability and Recommendations: Ivanti has released patches for specific versions of Connect Secure, Policy Secure, and ZTA gateways. The company emphasizes the critical importance of updating to these patched versions to protect against potential exploitation of this vulnerability.
CISA Guidance: The Cybersecurity and Infrastructure Security Agency (CISA) has also issued guidance urging organizations to update their software in line with Ivanti's recommendations to mitigate risks associated with CVE-2024-22024. Additionally, CISA has updated its Emergency Directive and Supplemental Direction regarding Ivanti vulnerabilities, emphasizing the importance of implementing these patches
Broad Overview: A recent demonstration by YouTuber stacksmashing has shown that Microsoft's BitLocker encryption can be bypassed in less than a minute using a Raspberry Pi Pico, costing less than $10. This method exploits the Trusted Platform Module (TPM) used by BitLocker for encryption keys storage.
Attack Method: The attack method involves intercepting the communication between the TPM and the CPU during system boot-up. The TPM, which stores critical data like the Volume Master Key, communicates over an unencrypted LPC bus, which can be tapped into to steal encryption keys.
Vulnerability: This vulnerability is particularly concerning for devices with external TPMs. stacksmashing demonstrated the attack on a Lenovo laptop by connecting a Raspberry Pi Pico to an unused LPC connector on the motherboard, capturing the binary data transmitted during boot-up, and decrypting the drive using the stolen Volume Master Key.
fTPM: Devices with integrated Firmware TPM (fTPM) and preboot authentication enabled are not vulnerable to this specific attack. Microsoft has acknowledged the possibility of such attacks, suggesting the use of a BitLocker PIN and Group Policy configurations as mitigation strategies.
Subscribe to the Mandos Way
Join security professionals, CISOs and tech leaders for cybersecurity strategies & weekly Briefs.