🎓️ Vulnerable U | #038
Ransomware gang files SEC complaint, Google disabling uBlock and Third Party Cookies, Citrix Bleed Victims continue, YouTube and AI, LockBit ransoms Boeing, FBI chasing Scattered Spider, a State of Cloud Security Report, SSH and Zimbra 0-days, and more!
Read Time: 9 minutes
I’m starting to hear the “let’s touch base on this after the holidays” phrase a few times. Seems we’re entering that time of year when people simultaneously try to get everything done, and people start disappearing into hibernation, making that very difficult.
I'm also getting kind of sick of crypto getting into everything…
I break down an essential concept in the Vulnerable U-niverse in this week’s blog on Resilience:
🖊️ Something I wrote: I couldn’t go anywhere this week without hearing about the growth mindset. Revisiting my piece on it from my blog.
🎧️ Something I heard: The new Blink-182 album is killer.
🎤 Something I said: The ghost of breaches past and my take on the SEC charging the SolarWinds CISO
🔖 Something I read: Absolute success is Luck. Relative success is hard work by James Clear.
I just had to make this one the lead story today. It’s the audacity of it for me.
Step 1: hack into a company.
Step 2: demand ransom.
Step 3: Get pissed at the lack of ransom payment.
Step 4: Tell SEC your victim isn’t complying with the new breach disclosure rule.
Alphv/BlackCat claims they breached MeridianLink's systems, stealing customer and operational data. They're now leveraging an SEC complaint to pressure the company into acknowledging the breach.
The company, MeridianLink, confirmed the attack. They say they've contained the threat and engaged experts for investigation.
“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”
We’ve seen extortion techniques leveling up but this is a first. I’m guessing it won’t be the last. (read more)
Staying on the ALPHV ransomware gang for a second, they have been leveraging Google Ads to disseminate the Nitrogen malware, as reported by eSentire. This strategy marks a significant evolution in the gang's approach, targeting public entities and corporations primarily in the Americas and Europe.
Malvertising Strategy: BlackCat affiliates are using deceptive Google ads promoting software like Advanced IP Scanner and WinSCP. These ads redirect to sites that distribute Nitrogen malware.
Targeted Entities: Public institutions and businesses in the Americas and Europe have been primary targets, with breaches reported in a manufacturer, a law firm, and a warehouse provider.
Infection Methods: The gang uses compromised credentials, exploitation of vulnerabilities in remote management tools, and browser-based attacks.
Nitrogen Malware: Discovered in June 2023, this malware uses obfuscated Python libraries and DLL sideloading for evasion, establishing a foothold for further attacks.
By masquerading malicious ads as legitimate software offerings on popular search engines, they've been able to trick professionals into inadvertently downloading malware. (read more)
It's a ransomware kind of week. LockBit came out claiming Boeing as a victim last week; Boeing then confirmed an intrusion but said it was limited in scope to a parts section of the company. Well, just like ALPHV, LockBit got impatient and upped the pressure on the extortion.
The leaked data, not yet verified for authenticity, includes compressed archives and backup files for various systems, along with sensitive company information such as financial and marketing details, supplier data, and corporate emails.
Data Leak Details: The leak consists of about 50GB of data, including system backups and potentially sensitive corporate information.
Speculated Entry Point: Evidence suggests LockBit may have utilized the Citrix Bleed vulnerability for system access, although Boeing has not confirmed this.
Boeing's Response: The aerospace giant acknowledged the IT intrusion, focusing on its parts and distribution business segment, and assured that the incident poses no threat to aircraft or flight safety.
This cybersecurity breach, initially confirmed by Boeing on November 2, has raised concerns over the methods employed by LockBit, possibly exploiting vulnerabilities like "Citrix Bleed." (read more)
Let’s get away from breaches for a second. This is an interesting announcement that seems to have more implications than just uBlock Origin, but that is a standout. Chrome is moving from MV2 to MV3 (Manifest Version 3).
From some Twitter threads on this, I’m piecing together the changes that are supposed to "improve content filtering support" for the Declarative Net Request API, which many ad-blocking plugins use. Google states these changes are for API security concerns.
The EFF stated they believe MV3 puts unnecessary restrictions on developers.
uBlock Origin is prepared for MV3 with uBlock Lite; however, this version is limited in its functionality.
I’ve said it before. If you can make ads not disruptive, not privacy invading, and not riddled with malware, I’ll happily turn off my blockers. Until then, I’ll have to keep myself safe. (read more)
Speaking of Google, it has announced that it will begin phasing out third-party cookies from Chrome in the first quarter of 2024, a significant shift in the digital advertising landscape. The gradual phaseout, initially affecting one percent of Chrome users, is part of a broader move toward a more privacy-centric web. The transition is not without challenges and controversy, however, particularly around its implications for online privacy and the advertising ecosystem.
Initial Phaseout: Starting in early 2024, one percent of Chrome users will stop using third-party cookies, a move that signals a major shift in online advertising and tracking.
Privacy Sandbox Initiative: Google's Privacy Sandbox, including the Topics API, aims to replace third-party cookies by allowing websites to ask Chrome about user interests directly, purportedly enhancing privacy.
Technical and Regulatory Challenges: The phaseout represents a complex overhaul of the technical foundation of internet advertising, attracting regulatory scrutiny to ensure fairness and competition in the market.
Critics, including the EFF and privacy experts, are skeptical about whether these alternatives will truly enhance privacy or if they will continue to allow covert tracking in different forms. (read more)
Just what we all wanted for Christmas. A new version of CVSS. Now I can use all new lingo to have no idea if a vuln is exploitable or not.
I’m cynical, but I’m keen to stay on top of this to see if there is any improvement. I’ve long been part of the community sharing research that you’re better off throwing a dart at your pile of vulns to decide what to fix rather than stack rank on CVSS.
I’m not exaggerating. You’d be better off picking at random if you want to find the vuln that will actually be used in an exploit. Anyway, let’s look at some critical points of this CVSS update.
4.0 introduces finer granularity in base metrics, additional supplemental metrics, and a new nomenclature system to improve how we evaluate and manage vulnerabilities.
New Supplemental Metrics: Includes Automatable, Recovery, Value Density, Vulnerability Response Effort, and Provider Urgency, expanding applicability to Operational Technology (OT), Industrial Control Systems (ICS), and Internet of Things (IoT).
Revised Nomenclature: Introduces Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings. (read more)
MOVEit strikes again.
Maine state officials have recently announced a data breach affecting approximately 1.3 million individuals. The breach has impacted various government agencies, pension funds, and private businesses, compromising sensitive personal information, including dates of birth, driver’s license numbers, social security numbers, and health and medical information. (read more)
DP World Australia, a major port operator responsible for 40% of maritime freight in the country, has shut down land operations at its ports in Melbourne, Sydney, Brisbane, and Fremantle due to a cybersecurity incident. The incident has caused significant disruptions, as freight can be unloaded from ships but cannot leave the port sites. (read more)
We knew it was a lot, but now we know how big.
A recent disclosure revealed that Google pays Apple Inc. a substantial 36% of the revenue generated from search advertising through the Safari browser. This information came to light during a testimony by Kevin Murphy, an economics expert, at the Justice Department's antitrust trial. (read more)
YouTube has announced significant policy changes to address the growing use of generative AI in video content creation. These changes, aimed at enhancing transparency and viewer awareness, require creators to disclose the use of generative AI, especially when it creates realistic scenes or depicts real people saying fictional things.
This is big, and I believe it is a good thing. It is now a content-removable offense to publish AI-generated content without disclosing it. We are seeing an explosion in AI web content, some of which is easier to spot than the rest. (read more)
A cybersecurity flaw potentially affecting $1 billion in Bitcoin has been discovered in wallets created before 2016. The vulnerability, named "Randstorm," was identified by a company called Unciphered during efforts to recover lost Bitcoin. It stems from insufficient randomness in cryptographic key generation in the BitcoinJS code, which is used by many cryptocurrency services, including Blockchain.info. (read more)
The FBI has been facing significant challenges in disrupting a hyper-aggressive cybercrime gang, known among some security professionals as "Scattered Spider," which has been targeting corporate America over the past two years. This group, responsible for high-profile break-ins at casino operators like MGM Resorts International and Caesars Entertainment, has caused substantial financial damage and operational disruptions. Despite knowing the identities of at least a dozen members, many based in the U.S., law enforcement has yet to make arrests, raising concerns in the cybersecurity community. (read more)
Here is why the FBI warns against paying ransom. It doesn’t guarantee a happy ending.
Dolly.com, an on-demand moving and delivery platform, reportedly fell victim to a ransomware attack and opted to pay the ransom. However, in a classic betrayal by the cybercriminals, the attackers deemed the payment insufficient and released the stolen data anyway. (read more)
Datadog's recent report on cloud security provides a great analysis of the current state of cloud security, focusing on common risks that lead to security incidents in public clouds.
Long-Lived Credentials Risk: These static, non-expiring credentials are a significant cause of security breaches. In AWS, 76% of IAM users have active access keys, while in Azure AD, 50% of applications have active credentials.
MFA Underutilization: Despite its effectiveness against account takeovers, MFA is not enforced sufficiently. In AWS, nearly a third of IAM users with console access have no MFA enforced.
Lagging IMDSv2 Adoption: Although IMDSv2 is critical for protecting against SSRF attacks, only 21% of EC2 instances enforce it, though adoption is trending upward. (read more)
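The three findings above map directly onto checks you can run against your own account. As an added example (not Datadog's code), the Python below applies them to constructed data shaped like an IAM credential report and the MetadataOptions block of describe-instances; the account ID, user names and instance IDs are made up.

```python
"""Posture checks for the three findings above, run over constructed data
that mirrors the shape of an IAM credential report and describe-instances."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the real credential report columns.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,false,true,2022-01-10T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,false,true,2023-10-01T09:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2021-06-01T09:00:00+00:00,true,2023-11-01T09:00:00+00:00
"""

# Constructed sample mirroring the MetadataOptions block of describe-instances.
INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]
NOW = datetime(2023, 11, 16, tzinfo=timezone.utc)   # constructed "now" for the sample


def console_users_without_mfa(report: str) -> list:
    """Users who can log in to the console (password_enabled) but have no MFA device."""
    rows = csv.DictReader(io.StringIO(report))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def stale_access_keys(report: str, now: datetime, max_age_days: int = 90) -> list:
    """Active access keys not rotated within max_age_days: the long-lived credential risk."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for r in csv.DictReader(io.StringIO(report)):
        for slot in ("access_key_1", "access_key_2"):
            if r[slot + "_active"] != "true":
                continue
            rotated = datetime.fromisoformat(r[slot + "_last_rotated"])
            if rotated < cutoff:
                stale.append((r["user"], slot))
    return stale


def instances_without_imdsv2(instances: list) -> list:
    """Instances whose IMDS is reachable but does not require the v2 session token,
    so an SSRF that reaches 169.254.169.254 can read role credentials with a plain GET."""
    return [i["InstanceId"] for i in instances
            if i["MetadataOptions"].get("HttpEndpoint") == "enabled"
            and i["MetadataOptions"].get("HttpTokens") != "required"]
```

On a real account, the same functions take the output of `aws iam get-credential-report` and `aws ec2 describe-instances` unchanged.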
Researchers have demonstrated a new attack method that compromises cryptographic keys used to protect SSH connections. This technique can expose private keys during SSH session establishment due to naturally occurring computational errors.
The study revealed that about one in a million RSA signatures in SSH connections could leak the host's private key. While affecting a small percentage of connections, this discovery has significant implications for the security of SSH traffic and potentially IPsec connections.
Vulnerability in RSA Signatures: The attack targets keys using the RSA cryptographic algorithm found in roughly a third of SSH signatures.
SSH and IPsec Affected: The researchers successfully recovered the private portions of almost 200 unique SSH keys and suspect IPsec keys might be vulnerable, too.
Methodology: The attack exploits errors during signature generation, leveraging advanced cryptanalytic techniques using lattice-based cryptography. (read more)
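To show why a single bad signature is fatal, here is an added toy reproduction in Python (not the researchers' code): an RSA-CRT signature computed correctly mod p but corrupted mod q gives away p with one gcd. It uses the simpler gcd form of the fault attack rather than the lattice technique the study used, the key is a constructed textbook-sized one, and the last function shows the mitigation of verifying a signature before it leaves the host.

```python
"""Toy RSA-CRT signature fault: a signature correct mod p but wrong mod q
leaks p through a single gcd. Constructed textbook primes (61, 53), so it
runs instantly; real hosts use 2048-bit keys, but the arithmetic is the same."""
from math import gcd

P, Q, E = 61, 53, 17                       # constructed toy key, not a real one
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent


def sign_crt(m: int, fault_in_q: bool = False) -> int:
    """RSA signature via the CRT, as real implementations do for speed.
    m stands for the padded hash of the SSH transcript. fault_in_q simulates a
    hardware or software error corrupting only the mod-q half of the computation."""
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    if fault_in_q:
        s_q = (s_q + 1) % Q                # one corrupted half is enough
    # Garner recombination: s = s_q + q * ((s_p - s_q) * q^-1 mod p)
    h = ((s_p - s_q) * pow(Q, -1, P)) % P
    return (s_q + Q * h) % N


def recover_factor(n: int, e: int, m: int, faulty_sig: int) -> int:
    """A passive observer's computation: with only the public key, the signed
    value and one faulty signature, gcd(s^e - m, N) yields the prime the fault
    did NOT touch. A correct signature just returns N (nothing learned)."""
    return gcd(pow(faulty_sig, e, n) - m, n)


def sign_checked(m: int, fault_in_q: bool = False):
    """Mitigation: verify against the public key before the signature leaves the
    host, so a faulty signature is discarded instead of transmitted."""
    s = sign_crt(m, fault_in_q)
    return s if pow(s, E, N) == m else None
```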
Google's Threat Analysis Group (TAG) has uncovered a serious security vulnerability in Zimbra Collaboration, a widely used email server, that multiple threat actors have exploited. Designated as CVE-2023-37580, this 0-day reflected cross-site scripting (XSS) vulnerability has been exploited in various campaigns targeting government organizations across the globe.
Notable Campaigns: TAG identified four distinct campaigns exploiting this vulnerability:
Email-Stealing Framework: Targeting a Greek government organization, using the vulnerability to steal emails and attachments.
Winter Vivern Exploitation: After the hotfix was published on GitHub, this group targeted government organizations in Moldova and Tunisia.
Credential Phishing: An unidentified group targeted a Vietnamese government organization for credential theft.
Authentication Token Theft: Against a Pakistani government organization, stealing Zimbra authentication tokens.
Despite a patch being released, the vulnerability was exploited both before and after the fix was publicly available, underscoring the challenges in timely patch application and the opportunistic nature of attackers. (read more)
Ransomware Attack Details: Medusa ransomware listed TFS on its dark web data leak site, demanding $8 million to delete the allegedly stolen data and giving Toyota 10 days to respond with an extension fee of $10,000 per day.
Data Compromise: The attackers claim to have exfiltrated files, including financial documents, purchase invoices, hashed account passwords, user IDs and passwords, passport scans, and more, indicating a breach of Toyota's systems in Central Europe.
Toyota's Response: TFS acknowledged the unauthorized activity and has begun collaborating with law enforcement while taking affected systems offline to reduce risk.
Potential Exploitation of Citrix Bleed: Security analysts speculate that the attack may have exploited the Citrix Bleed vulnerability (CVE-2023-4966), a critical security issue affecting Citrix Gateway endpoints. This vulnerability has been exploited in recent attacks on other major organizations. (read more)
Stop, @Microsoft, stop. He's already dead!
— Corey Quinn (@QuinnyPig)
Nov 16, 2023
We launched the discord for @ctbbpodcast this morning - already a lot of good convos going on!
Also, all the past pod guests are already in there, so hop in and get in on that conversation!
— Justin Gardner (@Rhynorater)
Nov 16, 2023
Let me hear it!
Screaming into a newsletter void is rough - feedback helps me make sure I'm giving you something you want to read every week.
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen