Researchers find SQL injection to bypass airport TSA security checks

Security researchers Ian Carroll and Sam Curry have identified a vulnerability in a key air transport security system, FlyCASS, that could potentially allow unauthorized individuals to bypass airport security checks and gain unsanctioned access to airplane cockpits. The vulnerability affected the management of the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs, services used by several airlines to expedite the security process for crew members. The KCM system, operated by Collins Aerospace subsidiary ARINC, verifies crew members’ credentials online, negating the need for physical screening. Similarly, the CASS system verifies pilots looking to access cockpit jumpseats when commuting or traveling.

The system was found to be susceptible to SQL injection, a form of cyberattack that enables the attacker to influence database queries with malicious SQL statements. The researchers exploited this flaw to log into the FlyCASS system as an administrator for Air Transport International, a participating airline, and manipulated internal employee data. They added an imaginary employee, “Test TestOnly”, and granted it access to the KCM and CASS programs, which created the potential to bypass security and access aircraft cockpits.
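The weakness class described above, shown as an added example (not FlyCASS code and not from the researchers): a login check that splices input into the SQL text, beside a parameterized version. The schema, account, inputs and function names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-salt"  # fixed only to keep the sample short; use a per-user salt

def hash_pw(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed administrator account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", hash_pw("constructed-sample-password"), "administrator"))
    return db

def login_concatenated(db, username, password):
    """Weak form: user input is spliced into the SQL text, so it can alter the query."""
    query = ("SELECT role FROM users WHERE username = '" + username +
             "' AND pw_hash = '" + hash_pw(password) + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened form: input is bound as a value; the hash is compared in code."""
    row = db.execute("SELECT pw_hash, role FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    return row[1] if hmac.compare_digest(row[0], hash_pw(password)) else None

def compare(username, password):
    """Return (weak result, hardened result) for the same credentials."""
    db = make_db()
    return (login_concatenated(db, username, password),
            login_parameterized(db, username, password))

if __name__ == "__main__":
    # Constructed inputs: a valid login, a wrong password, and a username that
    # closes the string literal and comments out the password condition.
    for user, pw in [("admin", "constructed-sample-password"),
                     ("admin", "wrong"),
                     ("admin' --", "wrong")]:
        print(repr(user), compare(user, pw))
```

With the bound parameter, the third input is looked up as a literal username that does not exist, so the login fails; the concatenated query returns the administrator role for it.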

Recognizing the gravity of their findings, the researchers notified the Department of Homeland Security (DHS) about the vulnerability on April 23, 2024. In response, the DHS acknowledged the seriousness of the vulnerability and disconnected FlyCASS from the KCM/CASS systems on May 7, 2024, as a precaution. Subsequently, the flaw in FlyCASS was patched. Despite this, the DHS halted further correspondence regarding the issue. The TSA press office issued a statement downplaying the concern, claiming its vetting process would prevent unauthorized access, but also removed contradictory information from its website following the researchers’ discovery.

Subsequent to the researchers’ disclosure, another researcher, Alesandro Ortiz, found that FlyCASS appeared to have suffered a ransomware attack earlier in the year, in February 2024. Commenting on the issue, TSA press secretary R. Carter Langston informed BleepingComputer that “No government data or systems were compromised and there are no transportation security impacts related to the activities.” Langston added that the TSA did not rely solely on the compromised database to verify the identity of crewmembers, assuring that the TSA was working to mitigate any identified cyber vulnerabilities. The DHS has yet to comment.

North Korean threat actor Citrine Sleet exploiting Chromium zero day

Microsoft Threat Intelligence reported on August 19, 2024 that a North Korean threat actor dubbed Citrine Sleet exploited a zero-day vulnerability, identified as CVE-2024-7971, in Chromium for remote code execution. The exploitation targeted the cryptocurrency sector for financial gain. Although the FudModule rootkit used in the attack was also linked to another North Korean actor, Diamond Sleet, which shares tools and infrastructure, Microsoft attributed this activity to Citrine Sleet. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, affecting versions of Chromium before 128.0.6613.84. Google released a fix on August 21, 2024; this marks the third exploited V8 type confusion vulnerability for the year.

Citrine Sleet is primarily known for targeting financial establishments, particularly those dealing with cryptocurrencies. The group uses extensive social engineering tactics, including fake websites and fraudulent job applications, to trick victims into downloading malicious cryptocurrency wallets or trading applications. The group has also developed a unique Trojan malware, AppleJeus, for the purpose of seizing control of targets’ cryptocurrency assets. Other names associated with Citrine Sleet include AppleJeus, Labyrinth Chollima, UNC4736, and Hidden Cobra.

Citrine Sleet's attack on the Chromium zero-day vulnerability followed the typical steps of a browser exploit chain. Victims were first directed to an exploit domain controlled by Citrine Sleet, then exposed to the RCE exploit for CVE-2024-7971. After code execution was achieved, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded and loaded into memory. Although Microsoft had previously fixed a vulnerability exploited by the same exploit chain, there seems to be no link between this and the Citrine Sleet exploit activity.

Microsoft has recommended measures to counteract this threat, and urged users to update their systems as soon as possible. Recommendations include keeping operating systems and applications updated, applying security patches promptly, and encouraging users to use web browsers that support Microsoft Defender SmartScreen. Various configuration enhancements for Microsoft Defender and Microsoft Antivirus are also suggested. Microsoft Defender Threat Intelligence customers can also receive updates and protection information about the threat actor, malicious activity, and techniques discussed in the Microsoft Threat Intelligence Blog.


Green Berets storm building after compromising its Wi-Fi

In recent Swift Response 24 military exercises, the US Army Special Forces, aka the Green Berets, demonstrated their cyber-warfare skills, including penetrating wireless networks. In an exercise in Skillingaryd, Sweden, members of the 10th Special Forces Group infiltrated a building’s Wi-Fi network and monitored its activity. This wireless compromise gives the military a new set of surveillance capabilities, a clearer understanding of its objectives, and another means of hindering enemy operations.

The building’s Wi-Fi networks were first scanned using an unnamed remote access device (RAD) to identify the networks running its security systems. After cracking the password, the units moved through the network, switching off CCTV cameras, opening locked doors, and disabling other security protocols. These network infiltration and monitoring capabilities provide a clearer picture of the building’s operations, locations, and activities, improving planning and tactical execution while remaining undetected.

In the second phase of the operation, another team parachuted roughly seven miles from the intended location. The units conducted area reconnaissance, infiltrated the now compromised facility, and left behind signal jamming equipment to eliminate traces of the cyber attack. The troops demonstrated humor during operations, leaving behind a laptop playing Rick Astley’s “Never Gonna Give You Up.”

The Swift Response 24 military exercise is part of a larger NATO operation aimed at showcasing how the alliance would respond to an attack on any member nation. This NATO training drill, one of the most substantial in recent years, involves more than 17,000 US and 23,000 multinational service members. The operation sends a clear message to nations like Russia about NATO’s readiness to defend its member states against attacks. It is also a demonstration of the new warfare abilities that new members such as Finland and Sweden bring to NATO.


Cisco warns of backdoor admin account in Smart Licensing Utility

Cisco has announced the removal of a backdoor admin account in the Cisco Smart Licensing Utility (CSLU), a flaw that could allow unauthenticated attackers to gain administrative control over unpatched systems. A Windows application, CSLU enables on-premises license management without connection to Cisco’s cloud-based Smart Software Manager. The vulnerability, listed as CVE-2024-20439, could potentially give attackers access to systems via a static and previously undocumented user credential.

In addition, Cisco has issued security updates for another severe information disclosure flaw within CSLU. Threat actors could exploit this vulnerability (CVE-2024-20440) to access sensitive data, such as API credentials, through crafted HTTP requests. These two security issues only affect systems running a vulnerable CSLU release and can only be exploited while an operator is running the CSLU, as it is not designed to run in the background.

As of now, the Cisco Product Security Incident Response Team (PSIRT) has not identified any public exploits or evidence of these flaws being exploited by attackers. Nonetheless, this is not the first time Cisco has had to remove backdoor accounts from its products, with previous instances in its Digital Network Architecture (DNA) Center, IOS XE, and other software. Moreover, last month, Cisco fixed a high severity vulnerability (CVE-2024-20419) that allowed attackers to change any user password on unpatched versions of Cisco Smart Software Manager On-Prem license servers.


D-Link says it is not fixing four RCE flaws in DIR-846W routers

Network equipment provider D-Link has informed users that it will not be rectifying four critical remote code execution (RCE) flaws found in its DIR-846W router. The decision is due to the company’s end-of-life/end-of-support policies, as the router model is no longer supported. D-Link has advised users to retire this model and replace it with a currently supported version. The vulnerabilities could potentially put devices connected to the router at risk.

The four RCE flaws, all rated critical and three of which don’t require authentication, were discovered by a security researcher who published the information but has withheld proof-of-concept exploits for now. According to the published descriptions, each flaw allows remote command execution through a different vulnerability in the handling of system parameters, exploitable through a crafted POST request or via different parameters on the system’s interface.

While acknowledging the existence and critical severity of these vulnerabilities, D-Link maintains that they fall within its end-of-life/end-of-support policies. As such, the company has ceased all firmware development related to these products. It has also issued strong warnings regarding the potential risk involved in further use of this product for devices connected to it, urging users to retire the routers immediately.

The affected DIR-846W routers were primarily sold outside the U.S., so the impact of these flaws within the U.S. should be minimal. However, the global impact remains significant, as the model is still sold in some markets like Latin America. The company recommends that users who can’t immediately replace their routers ensure the device runs the latest firmware, set strong passwords, and enable WiFi encryption to mitigate potential security risks. D-Link vulnerabilities are often exploited by malware to recruit devices into botnets for DDoS attacks, so securing these routers is crucial.