Welcome to Security Sunday – Week 49. our weekly summary from the world of cybersecurity (04. 12. – 10. 12. 2023).

We’re collecting notable incident and vulnerability reports from the past week.

CISA and international partners issue recommendations regarding Star Blizzard Group, operating in Russia

CISA and its international partners have recently issued recommendations regarding the Star Blizzard group, a cyber threat operating in Russia. The joint efforts of the Cyber and Infrastructure Security Agency (CISA), the United Kingdom National Cyber Security Centre (UK-NCSC), the Australian Cyber Security Centre (ACSC), the Australian Signals Directorate (ASD), the Canadian Cyber Security Centre (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the United States National Cyber Security Centre (U.S.A.), the U.S. National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF) have issued a joint Cyber Security Advisory (CSA) regarding FSB cyber actor Star Blizzard, which continues to engage in global spear-phishing campaigns.

The goal of this joint CSA is to raise awareness of the specific tactics, techniques, and delivery methods that Star Blizzard uses to attack individuals and organizations. The Russian group’s well-known techniques include impersonating the email accounts of known contacts, creating fake social media profiles, using web-based email addresses from providers such as Outlook, Gmail and others, and creating malicious domains masquerading as legitimate organizations. CISA urges network administrators and critical infrastructure organizations to carefully analyze and improve their cybersecurity to protect against similar exploits by threat actors. It also calls on software manufacturers to integrate secure-by-design and secure-by-default principles into their software development practices to minimise the impact of cyber threat activity. These measures are key to strengthening organisations’ resilience to cyber-attacks.

Link: https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-partners-release-advisory-russia-based-threat-actor-group-star-blizzard

SLAM attack: new Spectre-based vulnerability affects Intel, AMD and Arm processors.

Researchers at the Vrije Universiteit Amsterdam have unveiled a new cyber attack called SLAM, which exploits vulnerabilities in Spectre and affects processors from Intel, AMD and Arm. This end-to-end exploit exploits a new feature in Intel processors called Linear Address Masking (LAM) and its equivalents in AMD processors (Upper Address Ignore or UAI) and Arm (Top Byte Ignore or TBI). SLAM uses unmasked gadgets to extract sensitive information from kernel memory into user space. This attack can be used to leak sensitive data, including root password hashes, within minutes. Although presented as a security feature, LAM has been shown to paradoxically reduce security and significantly increase the attack surface of Spectre, allowing attackers to exploit speculative execution to obtain sensitive data through a hidden cache channel.

This new SLAM attack technique affects current AMD processors vulnerable to CVE-2020-12965, and future Intel processors with LAM support, future AMD processors with UAI and 5-level paging support, and future Arm processors with TBI and 5-level paging support. Arm assures that Arm’s systems already mitigate the risks associated with Spectre v2 and BHB, and that the techniques described are more likely to extend the attack surface to existing vulnerabilities. AMD and Intel are taking steps to address this vulnerability, with Intel planning to provide software guidance for future LAM-enabled processors and Linux administrators developing patches to disable LAM by default.

These revelations come two months after VUSec’s clarification of the quarantine, which offers a software approach to mitigate transient boot attacks and achieve isolation of physical domains through last-level cache (LLC) partitioning. These developments highlight the constant need to improve cyber security and monitor new threats.

Link: https://thehackernews.com/2023/12/slam-attack-new-spectre-based.html

Norton Healthcare reveals data leak after May ransomware attack

Norton Healthcare, a health system in Kentucky, confirmed that a May ransomware attack exposed personal information of patients, employees and dependents. Norton Healthcare provides health care services at more than 40 clinics and hospitals in the Greater Louisville area, Southern Indiana and the state of Kentucky, employs more than 20,000 people and is the second largest employer in Louisville with more than 140 locations. The company detected a cyber incident on 9. May 2023, labeled as a ransomware attack. Norton Healthcare immediately notified federal authorities and worked with a forensic security specialist to investigate and remove the unauthorized access. The attackers had access to network storage devices but did not compromise the health records system or Norton MyChart.

During the attack, sensitive information was stolen, including names, contacts, social security numbers, dates of birth, medical information, and physician identification numbers. For some people, financial data, driver’s licenses or state identification numbers may have been stolen. Potentially affected individuals will receive two years of free credit protection. The attack was reported by the group ALPHV (BlackCat), which claims to have stolen 4.7 TB of data. The security team is working to resolve the situation, and the outage of the ALPHV website may be linked to a law enforcement operation.

Norton Healthcare is not the first healthcare organisation to fall victim to ransomware in the US. Organizations such as Ardent Health Services have also been hit recently. The U.S. government has issued a warning about the increase in ransomware attacks on healthcare facilities and provided recommendations for increasing cybersecurity in the industry.

Link: https://www.bleepingcomputer.com/news/security/norton-healthcare-discloses-data-breach-after-may-ransomware-attack/

LogoFAIL vulnerability affects the vast majority of devices

Almost all commercially available computers are vulnerable to a new vulnerability in the process of displaying the logo at startup, allowing hackers to bypass modern security controls. Cybersecurity firm Binarly has discovered a serious vulnerability known as LogoFAIL, affecting all x86 and ARM-based devices such as Windows and Linux. This bug is in the software that displays the manufacturer’s logo at the beginning of the boot process.

LogoFAIL has a huge impact, potentially affecting approximately 95% of consumer devices on the market. It mainly concerns the largest BIOS boot software vendors such as AMI, Insyde Software and Phoenix Technologies. This also affects many devices from manufacturers such as Lenovo, Intel and Acer. Exploiting this vulnerability is relatively simple, all a hacker needs to do is modify a malicious image that is loaded by a program called the manufacturer’s logo image parser. Thus, a hacker can execute arbitrary code with minimal or no restrictions before modern security programs can intervene.

The LogoFAIL vulnerability is worrisome because it is located at the beginning of the boot process, allowing malicious actors to bypass security measures that check the safety of software at boot time. This vulnerability could potentially compromise the entire system and weaken security measures “under the operating system”, such as Secure Boot. Several affected manufacturers have already released patches to address this vulnerability. However, accessing this vulnerability allows the malicious actors deep control over the affected systems, which increases the severity of the situation. Coordination between the many parties involved was necessary to identify and address this error, but its disclosure raised concerns about the ethics and effectiveness of communication between researchers and manufacturers.

Link: https://cyberscoop.com/logofail-vulnerability-boot-process/

Ransomware as a service: a growing threat that cannot be ignored

Ransomware attacks are a growing threat in cybersecurity, especially with the emergence of a new trend called Ransomware-as-a-Service (RaaS). This model significantly changes the dynamics of cybercrime by enabling individuals with limited technical knowledge to carry out devastating attacks. Traditional ransomware used to focus on encrypting the victim’s files and then extorting a ransom to restore access to the data. But newer variations add another tactic to the mix – copying compromised data and threatening to publish sensitive information online unless the victim pays the ransom. This dual approach increases the complexity of the attack and the potential harm to victims.

Ransomware-as-a-Service (RaaS) represents a new business model where inexperienced hackers can use special tools to carry out malicious activities. Instead of creating their own ransomware, they have the option to pay a fee, choose a target and execute the attack through a service provider. This model significantly reduces the time and cost required to carry out a ransomware attack, which has resulted in the time between network penetration and file encryption dropping below 24 hours. RaaS also promotes economies of scale as providers are incentivised to create new versions that can bypass security defences. Customers, referred to as “partners,” have a variety of payment options, including flat fees, subscriptions, or a percentage of revenue. This competition on the dark web increases the quality of the tools, which is disadvantageous for potential victims.

Defending against RaaS requires proactively identifying and addressing security vulnerabilities. Penetration testing and red teaming can strengthen an organisation’s defences, and working with a penetration testing as a service (PTaaS) provider can provide continuous monitoring and expert verification of web application security. In addition, Cyber Threat Intelligence is a key role-playing service that provides up-to-date threat intelligence and enhances the ability to respond quickly to potential ransomware attacks. In summary, it is essential to use targeted tools supported by the latest information to more effectively defend your organization against the growing threat of ransomware. 

Link: https://thehackernews.com/2023/12/ransomware-as-service-growing-threat.html

OpenCMS vulnerability with unauthenticated version XXE (CVE-2023-42344)

OpenCms is a popular open-source Java framework developed by Alkacon Software that provides a platform for designing and developing web applications. The current version of the framework is 16.0.

The recent identification of a vulnerability identified as CVE-2023-42344 is a critical security issue in OpenCms. This vulnerability allows users to execute code without authentication, which means that an attacker can make malicious requests to the OpenCms server. If successful, an unauthenticated XML External Entity (XXE) vulnerability may be exploited. OpenCMS versions 9.0.0 to 10.5.0 are vulnerable, so it is important to upgrade to a newer version that fixes this vulnerability. Qualys has released QID 150773 (CVE-2023-42344) to detect vulnerable versions of OpenCMS. You can use Qualys Web Application Scanning (WAS) to run a scan during which an HTTP POST request is sent to the server. This request contains an XXE payload that attempts to access the server’s /etc/passwd file. The response is to confirm the vulnerability of the target system.

To protect against this vulnerability, it is important to regularly update OpenCms to the latest version and monitor for security updates. In addition, it is advisable to perform regular security audits and tests to ensure the overall security of web applications developed using OpenCms.

Link: https://blog.qualys.com/product-tech/2023/12/08/opencms-unauthenticated-xxe-vulnerability-cve-2023-42344

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.