Daily Drop (614): CN: Cybersecurity Administration: Policy, CloudFlare bypass, Royal Family: DDoS, Russian Assets Exposed, China's 'BlackTech', CVE-2023-5217, UK's Passport Database
Cloudflare's Security Mechanisms Vulnerable to Bypass
Bottom Line Up Front (BLUF): Cloudflare's WAF and DDoS protection can be bypassed when an origin server trusts any connection that arrives from Cloudflare. Because that shared infrastructure is available to every tenant, an attacker with an ordinary Cloudflare account can route traffic through it and inherit the trust the origin meant to extend only to the victim's own zone.
Analyst Comments: The findings illustrate the recurring problem of implicit trust in shared infrastructure. A signal that says "this came from Cloudflare" is not the same as "this came through my Cloudflare configuration", and the convenience and scale of a multi-tenant platform is exactly what gives an attacker the same vantage point as a legitimate customer. Organizations fronting origins with Cloudflare should bind origin access to their own tenant rather than to the platform as a whole: a per-zone client certificate instead of the platform-wide one, tenant-specific egress addresses where the product (Cloudflare Aegis) is available, and as little direct-to-origin exposure as possible.
FROM THE MEDIA: Researchers found that two common ways of restricting an origin server to Cloudflare traffic can be defeated by any Cloudflare customer. The first involves Authenticated Origin Pulls, a feature designed to ensure that requests reaching the origin come from Cloudflare rather than from an external actor. In its default configuration the origin verifies a client certificate that Cloudflare presents on behalf of every tenant, so an attacker who signs up for a Cloudflare account and points their own zone at the victim's origin gets their requests accepted as well: the origin sees a connection from Cloudflare carrying the expected certificate, even though it originated with a malicious tenant, and the attacker's traffic skips the victim's WAF rules and DDoS protection. The second is allowlisting Cloudflare's published IP ranges at the origin firewall, which can be abused in the same way, since the attacker's zone egresses from those same addresses. Following responsible disclosure, Cloudflare acknowledged the findings and added a warning to its documentation.
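To make the trust distinction concrete, here is an added Python example (not code from the page, from Cloudflare or from the researchers) that models three origin-side admission policies against constructed connections. The two Cloudflare IP ranges are real published ranges standing in for the full allowlist; the certificate issuer strings and fingerprints are placeholders; and the per-zone custom certificate models Cloudflare's option to upload your own client certificate for Authenticated Origin Pulls instead of using the shared one.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Two of Cloudflare's published IPv4 egress ranges, standing in for the full
# allowlist an origin firewall would carry.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22")]

# Client certificate Cloudflare presents for every zone with default
# Authenticated Origin Pulls. Values are constructed placeholders; what matters
# is that they are identical for all tenants.
SHARED_ISSUER = "CN=origin-pull.cloudflare.net"
SHARED_FINGERPRINT = "sha256:identical-for-every-tenant"

# Custom client certificate this tenant uploaded for its own zone (constructed).
TENANT_ISSUER = "CN=victim.example origin-pull CA"
TENANT_FINGERPRINT = "sha256:issued-for-victim-zone-only"


@dataclass(frozen=True)
class OriginConnection:
    src_ip: str                              # TCP peer address seen by the origin
    client_cert_issuer: Optional[str]        # issuer of the mTLS client cert, None if none
    client_cert_fingerprint: Optional[str]   # SHA-256 of the presented client cert


def from_cloudflare_ip(conn: OriginConnection) -> bool:
    """True if the peer address falls inside Cloudflare's published ranges."""
    ip = ipaddress.ip_address(conn.src_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def ip_allowlist_policy(conn: OriginConnection) -> bool:
    """Weak: admit anything that egresses from Cloudflare, whoever the tenant is."""
    return from_cloudflare_ip(conn)


def shared_cert_policy(conn: OriginConnection) -> bool:
    """Weak: also require the platform-wide origin-pull certificate. Every
    Cloudflare tenant's traffic carries it, so a rogue tenant still passes."""
    return from_cloudflare_ip(conn) and conn.client_cert_issuer == SHARED_ISSUER


def tenant_cert_policy(conn: OriginConnection) -> bool:
    """Hardened: require the certificate issued for this zone alone. Cloudflare
    presents it only for connections made on behalf of this tenant's zone."""
    return from_cloudflare_ip(conn) and conn.client_cert_fingerprint == TENANT_FINGERPRINT


# Constructed sample connections as the origin would observe them.
CONNECTIONS = {
    "legit_default": OriginConnection("173.245.48.10", SHARED_ISSUER, SHARED_FINGERPRINT),  # victim zone, default AOP
    "legit_custom": OriginConnection("173.245.48.10", TENANT_ISSUER, TENANT_FINGERPRINT),   # victim zone, custom cert
    "rogue_tenant": OriginConnection("103.21.244.7", SHARED_ISSUER, SHARED_FINGERPRINT),    # attacker's zone aimed at this origin
    "direct": OriginConnection("198.51.100.9", None, None),                                 # not via Cloudflare at all
}

POLICIES: dict[str, Callable[[OriginConnection], bool]] = {
    "ip_allowlist": ip_allowlist_policy,
    "shared_cert": shared_cert_policy,
    "tenant_cert": tenant_cert_policy,
}


def evaluate() -> dict[str, dict[str, bool]]:
    """Admission decision of every policy for every sample connection."""
    return {pname: {cname: policy(conn) for cname, conn in CONNECTIONS.items()}
            for pname, policy in POLICIES.items()}


if __name__ == "__main__":
    for pname, decisions in evaluate().items():
        print(pname, decisions)
```

Running it shows the rogue tenant admitted by both the IP allowlist and the shared certificate and rejected only by the per-zone certificate, while the direct connection fails everywhere; the direct case is the only one the two weak policies were ever designed to stop.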
READ THE STORY: THN
Royal Family Website Hit by DDoS Attack
Bottom Line Up Front (BLUF): The official website of the UK royal family, royal.uk, was hit by a DDoS attack on 1 October, with the pro-Russian hacktivist group KillNet claiming responsibility. The outage lasted roughly 90 minutes; as a precaution, visitors to the site are now served a Cloudflare security challenge before reaching it.
Analyst Comments: The attack underscores the persistence of hacktivist groups like KillNet. Their operations are rarely as damaging as ransomware or espionage, but they reliably attract media attention and carry a political message. The UK National Cyber Security Centre had previously warned about Russian-aligned actors targeting Britain. Eli Nussbaum, managing director at Conversant Group, notes that defending against such attacks means protecting the authoritative DNS servers as well as the web tier, and ensuring the infrastructure can absorb amplified loads. The incident is a reminder that even high-profile entities remain exposed and need resilient, well-tested defences.
FROM THE MEDIA: On the morning of Sunday 1 October, the UK royal family's official website was targeted by a distributed denial-of-service (DDoS) attack. The downtime began around 10 a.m. BST and lasted about 90 minutes. While the site was down, the pro-Russian hacktivist group KillNet claimed responsibility, labelling it an "attack on pedophiles"; the group's founder, Killmilk, announced it in a Telegram post. Security researchers have not independently verified KillNet's involvement. The claim fits KillNet's record of DoS and DDoS attacks against entities in Ukraine and NATO member states, typically intended to draw attention to its support for Russia in the war in Ukraine. The timing is notable: the attack came shortly after King Charles condemned the Russian invasion of Ukraine in a speech at the Palais du Luxembourg.
READ THE STORY: DarkReading
Russian Assets Exposed: Anonymous-affiliated Hackers Leak Data
Bottom Line Up Front (BLUF): Hackers affiliated with the Anonymous collective have leaked significant data related to Russian assets, ranging from social media accounts promoting propaganda to information about the Russian space agency, Roscosmos. The data was shared and discussed on the popular messaging platform, Discord.
Analyst Comments: The data leak orchestrated by Anonymous-affiliated hackers underscores the escalating cyber tensions and the vulnerabilities that even state-affiliated entities can face. The use of Discord as a platform for sharing and coordinating attacks highlights the adaptability of hacktivist groups and their ability to leverage popular platforms for their operations. The exposure of data related to Russian assets, especially in the context of the ongoing geopolitical tensions, could have significant implications for cyber-espionage and retaliatory cyber operations. The incident serves as a stark reminder of the evolving cyber threat landscape and the need for robust cybersecurity measures across all digital platforms.
FROM THE MEDIA: Anonymous-affiliated hackers have used Discord to share large volumes of data concerning Russian assets. Some of the material comes from data breaches, the rest was gathered with open-source intelligence (OSINT) methods. It is organized into folders named for specific organizations, such as "Roscosmos", alongside others covering Russian TV outlets, individuals and state-affiliated companies; one folder, titled "Leaked data of corrupt officials", suggests its contents relate to Russian officials. The data also lists vulnerable Russian CCTV cameras, which could be used to plan attacks or to monitor Moscow's military assets. The hackers have shown particular interest in pro-Russian attackers, such as members of the KillNet group, and have exposed critical Russian infrastructure and the social media accounts of prominent Russian figures. The Cybernews research team noted that the website of the President of the Russian Federation is still hosted by cybersecurity firm Kaspersky, indicating ongoing ties with the Russian state. Data shared this way can be used for targeted cyberattacks on organizations and individuals.
READ THE STORY: CyberNews
China's 'BlackTech' Hackers: A Global Cyber Threat
Bottom Line Up Front (BLUF): US and Japanese security agencies have issued a joint advisory on BlackTech, a China-linked cyber-espionage group active since 2010 that modifies router firmware to maintain persistent, stealthy access and pivots from the networks of international subsidiaries into corporate headquarters. Its targets include the US and Japanese militaries and the government, industrial, technology, media, electronics and telecommunications sectors.
Analyst Comments: BlackTech's activity highlights the maturity of China-linked espionage tradecraft. Living in router firmware puts the implant below the operating system that endpoint tooling can see, and pivoting through a subsidiary's trusted link into headquarters is cheaper than attacking a hardened headquarters network directly. The joint alert is a reminder that network devices deserve the same integrity monitoring as servers. Organizations in the named sectors should treat edge routers as high-value assets, verify firmware integrity, watch for configuration and logging changes, and share indicators with partners.
FROM THE MEDIA: The NSA, FBI and CISA, together with Japan's NISC and NPA, have released a joint cybersecurity advisory detailing the operations of the China-linked group BlackTech, also tracked as Palmerworm, Temp.Overboard, Circuit Panda and Radio Panda, which has been active since 2010. Its primary targets include the US and Japanese militaries, as well as the government, industrial, technology, media, electronics and telecommunications sectors. BlackTech replaces router firmware with modified images that hide its presence and provide persistent backdoor access, and it abuses the trust relationships between a subsidiary's routers and the parent company's network to pivot from branch offices into headquarters. The group uses custom malware, dual-use tools and living-off-the-land techniques, and it covers its tracks by disabling logging on the router while making configuration changes, so that those changes and the commands behind them leave no record. It has targeted routers from several manufacturers and across multiple firmware versions. The advisory urges multinational companies to review the connections from their subsidiaries and to consider Zero Trust models to limit the damage of a BlackTech compromise.
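The advisory's defensive guidance centers on the visibility the group works to remove: review router logs for unexplained reloads, OS version and configuration changes, alert when logging is switched off, and verify boot images against known-good hashes. As an added example, not code from the advisory or from the page, here is a small Python audit over constructed Cisco IOS-style running-config and syslog lines. The image names, hashes, hosts and message bodies are made up for illustration; the %SYS-5-CONFIG_I, %SYS-5-RELOAD and %SYS-6-LOGGINGHOST_STARTSTOP mnemonics are real IOS messages.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Known-good boot images for the fleet, keyed by filename (constructed hash).
KNOWN_GOOD_IMAGES = {
    "c2900-universalk9-mz.SPA.157-3.M8.bin": "3c8e1f0a9d2b4c6e8f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f70",
}

# Hosts from which configuration changes are expected (constructed).
AUTHORIZED_ADMIN_HOSTS = {"10.0.0.5"}

# Config statements that reduce visibility; each one needs a change ticket.
VISIBILITY_LOSS_RE = re.compile(r"^\s*no (logging|service timestamps)\b")
BOOT_IMAGE_RE = re.compile(r"^\s*boot system (?:\w+:)?(\S+)")
IOS_SYSLOG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)")
SRC_HOST_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass(frozen=True)
class Finding:
    source: str   # "config" or "syslog"
    line: str
    reason: str


def audit_running_config(config_text: str) -> list[Finding]:
    """Flag logging/timestamp removal and boot images outside the known-good list."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if VISIBILITY_LOSS_RE.match(line):
            findings.append(Finding("config", line, "logging or timestamps disabled"))
        m = BOOT_IMAGE_RE.match(line)
        if m and m.group(1) not in KNOWN_GOOD_IMAGES:
            findings.append(Finding("config", line, "boot image not in known-good list"))
    return findings


def audit_syslog(lines: list[str]) -> list[Finding]:
    """Flag reloads, config changes from unexpected hosts, and remote logging being stopped."""
    findings = []
    for line in lines:
        m = IOS_SYSLOG_RE.search(line)
        if not m:
            continue
        mnemonic, msg = m.group("mnemonic"), m.group("msg")
        if mnemonic == "RELOAD":
            findings.append(Finding("syslog", line, "device reload"))
        elif mnemonic == "CONFIG_I":
            host = SRC_HOST_RE.search(msg)
            if host is None or host.group(1) not in AUTHORIZED_ADMIN_HOSTS:
                findings.append(Finding("syslog", line, "config change from unauthorized host"))
        elif mnemonic == "LOGGINGHOST_STARTSTOP" and "stopped" in msg:
            findings.append(Finding("syslog", line, "remote syslog export stopped"))
    return findings


def image_matches_known_good(filename: str, observed_sha256: str) -> bool:
    """Compare a hash computed over a copy of the image pulled from flash with the known-good value."""
    return KNOWN_GOOD_IMAGES.get(filename) == observed_sha256


# Constructed running-config excerpt.
SAMPLE_CONFIG = """\
version 15.7
service timestamps log datetime msec
no service timestamps debug
logging buffered 64000
no logging console
boot system flash:c2900-universalk9-mz.SPA.157-3.M8.bin
boot system flash:c2900-universalk9-mz.SPA.152-4.M11.bin
line vty 0 4
 transport input ssh
"""

# Constructed syslog lines in Cisco IOS format.
SAMPLE_SYSLOG = [
    "Sep 28 02:41:07 edge-rtr-1 211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.9 port 514 stopped - CLI initiated",
    "Sep 28 02:41:20 edge-rtr-1 212: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.23)",
    "Sep 28 02:43:02 edge-rtr-1 213: %SYS-5-RELOAD: Reload requested by admin on vty0 (198.51.100.23). Reload Reason: Reload Command.",
    "Sep 28 09:15:44 edge-rtr-1 240: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.0.5)",
    "Sep 28 09:16:01 edge-rtr-1 241: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
]

if __name__ == "__main__":
    for f in audit_running_config(SAMPLE_CONFIG) + audit_syslog(SAMPLE_SYSLOG):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

The sample deliberately pairs a logging stop, a config change from an unknown host and a reload within two minutes at 02:41, which is the sequence the page describes (switch logging off, change the device, reboot into the new image); the netops change at 09:15 from an authorized host produces no finding. In production the syslog must be collected off-box, since a device that can be told to stop exporting logs cannot be trusted to keep them.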
READ THE STORY: FirstPost
Draft Regulations Propose Easing Restrictions on Export of Personal and "Important" Data
Bottom Line Up Front (BLUF): China's cybersecurity regulator has proposed draft regulations that aim to relax rules on the export of personal information and "important" data overseas. If approved, these changes will benefit foreign companies and multinationals, making it easier for them to comply with China's cross-border data transfer (CBDT) rules.
Analyst Comments: The draft regulations, if passed, will significantly ease the current CBDT rules, addressing several concerns raised by foreign companies and business groups. For instance, the draft regulations propose allowing companies to export potentially important data without undergoing CBDT mechanisms if the data hasn't been specifically defined as "important." This move will help reduce uncertainties and facilitate companies' regular operations. The draft also suggests raising the thresholds for various CBDT mechanisms, benefiting especially smaller companies dealing with lesser volumes of data.
FROM THE MEDIA: The Cybersecurity Administration of China (CAC) has unveiled draft regulations titled "Regulations on Standardizing and Promoting Cross-Border Data Flows." These regulations suggest easing restrictions on CBDT, particularly for foreign companies and multinationals. The draft regulations offer several allowances for the export of "important data" and personal information in specific scenarios, aiming to reduce uncertainties and compliance burdens for businesses. The public can provide feedback on these draft regulations until October 15, 2023.
READ THE STORY: China Briefing
North Korea's Lazarus Group Deploys Advanced Backdoor in Aerospace Attack
Bottom Line Up Front (BLUF): North Korea's state-sponsored Lazarus Group has deployed an advanced backdoor malware, "LightlessCan," in a cyberattack on a Spanish aerospace company. This new malware, based on their flagship BlindingCan RAT, is designed to evade real-time monitoring solutions and forensic tools, marking a significant escalation in the group's cyber capabilities.
Analyst Comments: LightlessCan is a meaningful upgrade to the group's toolset. It reimplements many native Windows commands inside the RAT rather than spawning them as separate processes, which removes the child-process and console activity that endpoint monitoring relies on, and its payloads are encrypted with a key derived from the target environment so that they decrypt only on the intended machine, an execution guardrail that also frustrates analysis of samples recovered elsewhere. Organizations should assume that process-creation telemetry alone will not surface this tooling and should lean on network, memory and behavioral detection as well.
FROM THE MEDIA: The Lazarus Group, notorious for the 2014 attack on Sony Pictures and a string of cyber heists, gained initial access to the aerospace company through spear-phishing. Posing as a recruiter for Meta, the operators approached specific employees on LinkedIn. The employee who responded was sent coding challenges that, when run, dropped payloads onto the system: an HTTPS downloader called NickelLoader and two RATs, a simpler miniBlindingCan and the more advanced LightlessCan. LightlessCan supports up to 68 distinct commands, many of which reimplement native Windows command-line utilities so the RAT does not have to launch them as separate processes, making it stealthier and harder to detect.
READ THE STORY: DarkReading
Active Exploitation of Mali GPU Kernel Driver Vulnerability Detected
Bottom Line Up Front (BLUF): Arm has released patches for CVE-2023-4211, a use-after-free vulnerability in the Mali GPU kernel driver that is being actively exploited. The flaw affects multiple driver versions across the Midgard, Bifrost, Valhall and 5th Gen GPU architecture driver families and allows a local, unprivileged user to perform improper GPU memory processing operations and gain access to already-freed memory, a classic kernel privilege-escalation primitive.
Analyst Comments: Active exploitation of the Mali GPU kernel driver underscores the importance of timely patching. With the evidence pointing to targeted spyware campaigns, organizations and individuals on affected devices should apply the fixed driver as soon as their device vendor ships it; on Android that means the October 2023 security patch level or later. Mali GPU driver bugs have repeatedly featured in in-the-wild exploit chains, and the collaboration between Arm and Google in identifying and fixing them shows the value of cross-industry cooperation.
FROM THE MEDIA: The vulnerability, which spans several versions of the driver, was found to be under active exploitation. Arm's advisory on Monday stated that a local non-privileged user can make improper GPU memory processing operations to gain access to already-freed memory. The bug was reported by Maddie Stone of Google's Threat Analysis Group (TAG) and Jann Horn of Google Project Zero. Google's Android Security Bulletin for October 2023 also noted limited, targeted exploitation of this vulnerability alongside another serious flaw, CVE-2023-4863, the heap buffer overflow in the libwebp image library used by Chrome. While the details of the attacks remain undisclosed, there are indications that the two vulnerabilities were used in a spyware campaign against high-risk individuals. Arm also addressed two other flaws in the Mali GPU kernel driver that similarly allow improper GPU memory processing operations.
READ THE STORY: THN
UK's Passport Database to Aid Criminal Investigations
Bottom Line Up Front (BLUF): The UK government plans to utilize the facial images of over 45 million individuals from the country's passport database to aid in identifying suspects in criminal investigations. This move, announced by the crime and policing minister, Chris Philp, aims to enhance the efficiency of criminal investigations, especially in cases where suspects remain unidentified.
Analyst Comments: The decision to use the passport database for criminal investigations has sparked concerns about privacy and misuse. While facial recognition technology can be a powerful tool for law enforcement, its accuracy and ethical implications remain debated. The UK currently lacks specific laws governing the police use of facial recognition technology, although there are regulations for other biometric data. Past instances, such as the High Court's 2012 ruling against including facial images of individuals who were arrested but not charged, highlight the potential for misuse. Furthermore, real-time use of the technology has been controversial, with concerns about false positives and the potential wrongful arrest of innocent individuals. Civil liberties organizations and human rights groups have expressed concerns about this move, emphasizing the need for clear regulations and oversight to prevent potential misuse and protect citizens' privacy.
FROM THE MEDIA: Chris Philp, during the Conservative Party conference in Manchester, revealed that while the police already possess the authority to access the passport database, a new data platform will be operational within the next two years to facilitate its practical use. This modern data platform, which the Home Office has been working on for nearly a decade, will integrate several databases, including the immigration and asylum biometrics system. The goal is to allow the police to match input images from various sources, such as CCTV, doorbell cameras, and dashcams, with the database. This initiative follows complaints from the retail industry about the police's lack of response to violent attacks on staff and thefts from stores. The Home Office's data indicates that in over 54% of reported shoplifting incidents last year, no suspect was identified.
READ THE STORY: The Record
Microsoft Defender Corrects Tor Browser Misidentification
Bottom Line Up Front (BLUF): Microsoft Defender has rectified its error of mistakenly identifying the latest version of the Tor Browser as a trojan. This correction comes after the antivirus tool had previously flagged and quarantined the browser's core tor.exe program, causing disruptions in its functionality.
Analyst Comments: The misidentification of benign software like the Tor Browser by antivirus tools like Microsoft Defender underscores the challenges in striking a balance between security and functionality. While it's crucial for antivirus tools to remain vigilant against potential threats, false positives can disrupt users and erode trust in the software. It's essential for companies like Microsoft to continuously refine their threat detection algorithms and promptly address any misidentifications to maintain user confidence and ensure seamless software functionality.
FROM THE MEDIA: The Tor Project's developers and users reported that Microsoft Defender was flagging the tor.exe program of the Tor Browser as "Win32/Malgent!MTB", a generic heuristic detection name rather than a signature for a specific malware family. The false positive broke the recently released Tor Browser version 12.5.6 on launch, since Defender quarantined the binary. The Tor Browser, an open-source Firefox-based web browser, uses the Tor network to enable anonymous web browsing; its tor.exe program routes the browser's connections through Tor relays, concealing the user's public IP address. Over a recent weekend, Defender began to misidentify tor.exe and attempted to remove it as a threat.
READ THE STORY: The Register
AWS Unveils MadPot: A Secret Threat-Intelligence Tool
Bottom Line Up Front (BLUF): Amazon Web Services (AWS) has revealed MadPot, its clandestine threat-intelligence tool, which has been instrumental in countering espionage activities from Chinese and Russian agents and in detecting millions of bot threats.
Analyst Comments: The unveiling of MadPot underscores AWS's dedication to cybersecurity and its proactive stance in detecting and countering threats. The tool's versatility, from emulating behaviors of devices not typically found in the cloud to detecting credential-stuffing attacks, showcases AWS's comprehensive approach to threat intelligence. As cyber threats continue to evolve, tools like MadPot will be instrumental in safeguarding digital infrastructures and providing actionable intelligence to counteract malicious actors.
FROM THE MEDIA: MadPot, a vast honeypot system developed by AWS, has been operational since the late 2000s. It comprises tens of thousands of threat sensors that monitor malicious attempts to connect with AWS decoys. On a daily basis, these sensors detect over 100 million potential threats, of which approximately 500,000 are identified as malicious activities. Despite being in use for 13 years, AWS only recently disclosed details about MadPot and its capabilities. Among its achievements, MadPot prevented Chinese spies from infiltrating US critical infrastructure networks earlier this year. It also played a role in the Five Eyes' advisory concerning Volt Typhoon, a cyber-espionage group backed by Beijing. Using data from MadPot, Amazon identified a unique payload signature linked to Volt Typhoon.
READ THE STORY: The Register
Items of interest
Hackers Capitalize on Vulnerabilities in Popular Web Browsers and WS_FTP Server
Bottom Line Up Front (BLUF): Attackers are actively exploiting vulnerabilities in widely used web browsers and in a popular managed file transfer product, prompting warnings from government agencies and security researchers. The flaws affect Google's Chrome, Mozilla's Firefox and Progress Software's WS_FTP Server.
Analyst Comments: Active exploitation of these vulnerabilities underscores the persistent pressure from attackers and the importance of timely patching. The quick public release of proof-of-concept exploits after disclosure shortens the window defenders have before exploitation becomes widespread, and whatever one thinks of disclosure norms, the practical response is the same: update browsers and WS_FTP Server immediately, verify that the update actually applied, and review the WS_FTP web server's logs and process activity for signs of compromise that predate the patch.
FROM THE MEDIA: The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting CVE-2023-5217, a heap buffer overflow in the VP8 encoder of the open-source libvpx video codec library that ships in both Google's Chrome and Mozilla's Firefox. The flaw was initially thought to affect only Google products, but other browser vendors that bundle libvpx have since confirmed the same issue and shipped fixes. It follows a similar vulnerability disclosed last month in the libwebp image library. Such bugs in shared open-source components have raised concerns about the security of the open-source supply chain, leading to a White House summit on the topic. Separately, researchers have raised alarms about vulnerabilities in WS_FTP Server, a Progress Software product. Initial assessments suggested no active exploitation of the most critical one, CVE-2023-40044, a .NET deserialization flaw in the product's Ad Hoc Transfer module, but Rapid7 reported exploitation attempts shortly afterward. The release of a proof-of-concept exploit for the vulnerability has been criticized for potentially aiding attackers.
READ THE STORY: The Record
CVE-2023-4863 PoC (Video)
FROM THE MEDIA: CVE-2023-4863 is a heap buffer overflow in libwebp, the WebP image library bundled in Google Chrome before 116.0.5845.187 and shipped standalone in libwebp before 1.3.2. It allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page, or via any crafted WebP image processed by a vulnerable build of the library. (Chromium security severity: Critical)
How Zero Click Exploit Spyware Accessed Mic & Camera Without Permission/Notifications (Video)
FROM THE MEDIA: QuaDream is another commercial surveillance-for-hire vendor, exposed by Citizen Lab and Microsoft. Like NSO Group's Pegasus, its spyware used zero-click exploits against iPhones, exploiting zero-day vulnerabilities in iOS to activate the microphone and camera without any permission prompt or notification to the user.
The Cyber Initiatives Group (CIG) is an organization of cyber leaders with deep government and private sector experience who come together four times a year to share information on threats and emerging trends in cyberspace and how these will affect public-private sector collaboration. These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at email@example.com.