Friday, March 15th, 2024

Cybersecurity Week in Review (15/03/24)


Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover 

Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances. 

Tracked as CVE-2023-5528 (CVSS score: 7.2), the shortcoming impacts all versions of kubelet, including and after version 1.8.0. It was addressed as part of updates released on November 14, 2023, in the following versions – 

  • kubelet v1.28.4 
  • kubelet v1.27.8 
  • kubelet v1.26.11, and 
  • kubelet v1.25.16 

“Kubernetes maintainers stated in an advisory released at the time that they had identified a security problem within Kubernetes. They explained that a user with the ability to create pods and persistent volumes on Windows nodes might potentially elevate their privileges to admin status on those nodes. They further noted that Kubernetes clusters are solely impacted if they utilize an in-tree storage plugin for Windows nodes.” 

Successful exploitation of the flaw could result in a complete takeover of all Windows nodes in a cluster. It’s worth noting that another set of similar flaws was previously disclosed by the web infrastructure company in September 2023. 

The issue stems from the use of “insecure function call and lack of user input sanitization,” and relates to a feature called Kubernetes volumes, specifically a volume type known as local volumes, which allows users to mount a disk partition in a pod by specifying or creating a PersistentVolume.

This provides a loophole that an attacker can exploit by creating a PersistentVolume with a specially crafted path parameter in the YAML file, which triggers command injection and execution by using the “&&” command separator.
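As an added illustration (not code from the Kubernetes project or the researchers), the audit below takes the parsed output of `kubectl get nodes -o json` and `kubectl get pv -o json`, lists Windows nodes whose kubelet predates the fixed releases named above, and flags local PersistentVolumes whose path contains cmd.exe metacharacters. The metacharacter list, the sample objects and the assumption that release lines newer than 1.28 already contain the fix are constructed for this example.

```python
import re

# Fixed kubelet patch level per minor release line, as listed in the article.
FIXED_PATCH = {(1, 28): 4, (1, 27): 8, (1, 26): 11, (1, 25): 16}

# Characters cmd.exe treats as separators, redirection or expansion.
# Constructed triage list for this example, not an official pattern.
CMD_META = re.compile(r'[&|<>^%"`;\r\n]')


def kubelet_is_patched(version):
    """True if a version string such as 'v1.27.8' includes the fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False  # unparseable versions are reported for manual review
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    # Assumption: lines newer than 1.28 shipped after the fix; older lines
    # have no fixed release listed and count as unpatched.
    return (major, minor) > (1, 28)


def unpatched_windows_nodes(nodes):
    """Names of Windows nodes whose kubelet lacks the fix."""
    names = []
    for node in nodes:
        info = node.get("status", {}).get("nodeInfo", {})
        if info.get("operatingSystem") != "windows":
            continue
        if not kubelet_is_patched(info.get("kubeletVersion", "")):
            names.append(node["metadata"]["name"])
    return names


def suspicious_local_pvs(pvs):
    """(name, path) for local PersistentVolumes with metacharacters in the path."""
    hits = []
    for pv in pvs:
        path = pv.get("spec", {}).get("local", {}).get("path")
        if path and CMD_META.search(path):
            hits.append((pv["metadata"]["name"], path))
    return hits


def _node(name, os_name, version):
    return {"metadata": {"name": name},
            "status": {"nodeInfo": {"operatingSystem": os_name,
                                    "kubeletVersion": version}}}


# Constructed sample objects shaped like the "items" of kubectl JSON output.
SAMPLE_NODES = [
    _node("win-a", "windows", "v1.27.7"),
    _node("win-b", "windows", "v1.28.4"),
    _node("win-c", "windows", "v1.29.1"),
    _node("win-d", "windows", "v1.24.17"),
    _node("lin-a", "linux", "v1.25.3"),
]
SAMPLE_PVS = [
    {"metadata": {"name": "pv-ok"},
     "spec": {"local": {"path": "C:\\data\\vol1"}}},
    {"metadata": {"name": "pv-odd"},
     "spec": {"local": {"path": "C:\\data && placeholder-command"}}},
    {"metadata": {"name": "pv-nfs"},
     "spec": {"nfs": {"server": "nfs.example.test", "path": "/export"}}},
]

if __name__ == "__main__":
    print("Unpatched Windows nodes:", unpatched_windows_nodes(SAMPLE_NODES))
    for name, path in suspicious_local_pvs(SAMPLE_PVS):
        print(f"Review PersistentVolume {name}: {path!r}")
```
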

The disclosure comes as a critical security flaw discovered in the end-of-life (EoL) Zhejiang Uniview ISC camera model 2500-S (CVE-2024-0778, CVSS score: 9.8) is being exploited by threat actors to drop a Mirai botnet variant called NetKiller that shares infrastructure overlaps with a different botnet named Condi.


Nissan confirms ransomware attack exposed data of 100,000 people 

Nissan Oceania is warning of a data breach impacting 100,000 people after suffering a cyberattack in December 2023 that was claimed by the Akira ransomware operation. 

In early December, the Japanese automaker’s regional division covering distribution, marketing, sales, and services in Australia and New Zealand announced it was investigating a cyberattack on its systems. 

A data breach was not confirmed then, but Nissan suggested that its customers be vigilant across their accounts and look out for potential scam attempts. 

Two weeks later, the Akira ransomware gang took responsibility for the attack and claimed it had stolen 100GB of data, including documents containing personal employee information, NDAs, project data, and information on partners and clients. 

Nissan’s latest update confirms some of Akira’s claims, admitting that hackers stole data on some current and former employees, as well as customers of Nissan, Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM dealerships in the region. 

“Nissan’s updated statement indicates that they anticipate formally informing around 100,000 individuals about the cyber breach in the upcoming weeks.” 

Up to 10% of these individuals had government identification compromised, including Medicare cards, driver’s licenses, passports, and tax file numbers. 

Nissan’s statement further explains that “the specific information compromised varies for each individual. Initial assessments suggest that around 10% of individuals may have experienced some form of government identification compromise”. 

“The dataset comprises of roughly 4,000 Medicare cards, 7,500 driver’s licenses, 220 passports, and 1,300 tax file numbers.” 

The remaining 90% had other personal information impacted, such as loan-related documents, employment details, and dates of birth. 

Nissan promised to notify impacted customers individually to inform them exactly what information was exposed, what they can do, and what forms of support are available. 

Unfortunately, Akira has already leaked the stolen data through its extortion page on the dark web. 

To support impacted customers, Nissan provides free access to IDCARE, free credit monitoring services through Equifax in Australia and Centrix in New Zealand, and reimbursement for the replacement of compromised government IDs. 

The automaker also advises customers to remain vigilant for suspicious activity on their accounts and to report it to the authorities, enable multi-factor authentication where possible, and update passwords regularly. 


ChatGPT plugins prone to threat actors, says study 

The Salt Labs research team uncovered three flaws: one within ChatGPT itself, one in PluginLab, which is used with the AI model, and one in OAuth, which is used to approve interactions between applications. 

Salt Labs mentioned that “while plugins serve developers effectively for leveraging AI models such as ChatGPT for particular tasks, they also pose a risk of exploitation by cybercriminals due to their capability to facilitate the exchange of third-party data”. 

The ChatGPT glitch occurred when the AI model redirected users to a plugin website to get a security access code approved by them. When the user inputs this code into ChatGPT, it installs the plugin and can then interact with it on their behalf. 

However, Salt Labs researchers discovered that an attacker could exploit this function to instead deliver a code approval with a malicious plugin, enabling an attacker to automatically install their credentials on a victim’s account. 

What this means is that any message that the user writes in ChatGPT could be forwarded to the infected plugin, giving the threat actor behind it access to sensitive or proprietary data. 

The second vulnerability was in the AI website PluginLab. Salt Labs researchers discovered that it did not properly authenticate user accounts, which would have allowed a potential attacker to insert another user ID and get a code representing the victim, allowing account takeover on the plugin. 

This security flaw pertains to the popular coding developer forum GitHub because one of the affected plugins spotted by Salt Labs was “AskTheCode,” which integrates between it and ChatGPT. In other words, by exploiting this vulnerability, an attacker could gain access to a victim’s GitHub account. 

The final issue concerned several plugins with regard to OAuth redirection, which could be manipulated by a threat actor sending an infected link to an unsuspecting user. Because the plugins highlighted by Salt Labs don’t verify URLs, their use would have left a victim open to having their credentials stolen. This, too, would pave the way for account takeover by an attacker. 

Fortunately, Salt Labs appears to have sounded the alarm in good time – it reached out to OpenAI, which fixed the glitches with no evidence they had been exploited in the wild. 


RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage 

The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands. 

Trend Micro, in an analysis released this month, said that “the Program Compatibility Assistant Service (pcalua.exe) is a Windows service created to detect and resolve compatibility issues associated with older software programs”. 

RedCurl, which is also called Earth Kapre and Red Wolf, is known to have been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S. 

In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information. 

The attack chain examined by Trend Micro entails the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll). 

The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing a connection with the same domain used by curl to fetch the loader. 

The attack also uses the Impacket open-source software for unauthorized command execution. 

The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group. 

Trend Micro emphasized that this particular case “highlights the persistent and live danger posed by Earth Kapre, a threat actor known for targeting various industries across multiple countries”. 

The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor. 


Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software 

Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. 

The company stated in an advisory that “a vulnerability in FortiClientEMS, known as ‘SQL Injection’ (CWE-89), involves the improper handling of special elements within SQL Commands. This flaw could potentially enable an unauthenticated attacker to execute unauthorized code or commands by sending carefully crafted requests”. 

The vulnerability, tracked as CVE-2023-48788, carries a CVSS rating of 9.3 out of a maximum of 10. It impacts the following versions – 

  • FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above) 
  • FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above) 

The shortcoming could reportedly be exploited to obtain remote code execution as SYSTEM on the server, and additional technical details and a proof-of-concept (PoC) exploit are planned for release next week. 

Fortinet has credited Thiago Santana from the ForticlientEMS development team and the U.K. National Cyber Security Centre (NCSC) for discovering and reporting the flaw. 

Also fixed by the company are two other critical bugs in FortiOS and FortiProxy (CVE-2023-42789 and CVE-2023-42790, CVSS scores: 9.3) that could permit an attacker with access to the captive portal to execute arbitrary code or commands via specially crafted HTTP requests. 

The below product versions are impacted by the flaws – 

  • FortiOS version 7.4.0 through 7.4.1 (Upgrade to FortiOS version 7.4.2 or above) 
  • FortiOS version 7.2.0 through 7.2.5 (Upgrade to FortiOS version 7.2.6 or above) 
  • FortiOS version 7.0.0 through 7.0.12 (Upgrade to FortiOS version 7.0.13 or above) 
  • FortiOS version 6.4.0 through 6.4.14 (Upgrade to FortiOS version 6.4.15 or above) 
  • FortiOS version 6.2.0 through 6.2.15 (Upgrade to FortiOS version 6.2.16 or above) 
  • FortiProxy version 7.4.0 (Upgrade to FortiProxy version 7.4.1 or above) 
  • FortiProxy version 7.2.0 through 7.2.6 (Upgrade to FortiProxy version 7.2.7 or above) 
  • FortiProxy version 7.0.0 through 7.0.12 (Upgrade to FortiProxy version 7.0.13 or above) 
  • FortiProxy version 2.0.0 through 2.0.13 (Upgrade to FortiProxy version 2.0.14 or above) 

While there is no evidence that the aforementioned flaws have come under active exploitation, unpatched Fortinet appliances have been repeatedly abused by threat actors, making it imperative that users move quickly to apply the updates. 


French unemployment agency data breach impacts 43 million people 

France Travail, formerly known as Pôle Emploi, is warning that hackers breached its systems and may leak or exploit personal details of an estimated 43 million individuals.  

France Travail is the French governmental agency responsible for registering unemployed individuals, providing financial aid, and assisting them in finding jobs. 

Yesterday, the agency disclosed that hackers stole details belonging to job seekers registered with the agency in the last 20 years in a cyberattack between February 6 and March 5. Data from individuals with a job candidate profile was also exposed. 

A notice on France’s portal for assisting victims of cyberattacks informs that affected individuals will receive a notification from the agency regarding the personal data violation as a result of the incident. 

France Travail has informed the country’s data protection agency, the National Commission of Informatique and Liberties (CNIL), which stated that up to 43 million people may be impacted. 

The types of the data that have been exposed from this attack include: 

  • Full name 
  • Date of birth 
  • Place of birth 
  • Social security number (NIR) 
  • France Travail identifier 
  • Email address 
  • Postal address 
  • Phone number 

This data increases the risk of identity theft and phishing for the exposed individuals, so the agency recommends potentially impacted people to be particularly vigilant with emails, phone calls, and SMS they receive. 

France Travail clarified that the data breach incident does not impact people’s bank details or account passwords, but CNIL warns that cybercriminals may use what’s available to correlate with missing data points from other breaches. 

Those impacted by the data breach incident at France Travail can file a complaint with the Paris prosecutor’s office to help with the investigation. 

Last August, France Travail suffered a massive data breach, which impacted approximately 10 million individuals.

That incident was indirectly attributed to the Clop ransomware group breaching the agency’s systems by exploiting a zero-day vulnerability in the MOVEit Transfer software tool. 

The current cyberattack on the agency sets a new record in France, as it affects the largest number of individuals, more than the 33 million people impacted by the Viamedis and Almerys breach in February. 


Duty Free Americas claimed by Black Basta ransom group 

The Russian-linked ransom gang is claiming to have stolen about 1.5 terabytes of sensitive information from the company’s corporate network systems, giving DFA a six-day deadline of March 18th to make a deal with the criminal outfit. 

Headquartered in Florida, DFA is known as the largest duty-free-tax-free retailer in the Western Hemisphere with over 1000 employees, and runs its own warehouses and distribution centers. 

The company boasts 250 of its brand-filled stores inside airports and seaports across the US, Central, and South America, as well as locations on stretches of both US borders with Mexico and Canada. 

Black Basta claims to have stolen files from multiple departments including accounting, financial, legal, human resources, including large swaths of sensitive employee data, and more. 

The group posted roughly 15 sample leak pages filled with dozens of passports, social security cards, and drivers licenses from what seems to be DFA employees. 

Photocopies of credit cards with account numbers in full view are also on display. 

Duty Free Americas is a wholly owned subsidiary of The Falic Group (aka Falic Fashion Group), a luxury brand fragrance empire run by the Falic family. 

This is important to note because scores of sensitive documents belonging to Falic family members have appeared as leak samples on the Black Basta site, identified by the cartel as “Home folders and Personal users.” 

Samples of birth certificates, marriage certificates, religious documents, US Justice Department fingerprint clearance documents, boarding passes, and even a $379,000 credit card bill are shown on the leak site – all belonging to various Falic family members. 

Black Basta is believed to be an offshoot of the notorious Russian-affiliated Conti ransomware gang, raking in over $100 million in Bitcoin ransom payments since it came on the scene in 2022. 

Other victims listed in the Black Basta site Tuesday included the Flemish ‘Duvel’ Moortgat Brewing Company, Xcel luxury brand licensing and management company, and Imperial Trading Company, one of the largest convenience store distributors in North America. 


Chrome’s Standard Safe Browsing Now Has Real-Time URL Protection 


The real-time protection was previously available if the Enhanced protection mode was enabled in Safe Browsing, while the standard settings checked the visited sites against a list stored on the device that was refreshed every 30 to 60 minutes. 

Now, the standard Safe Browsing checks every site against a list of bad domains stored on Google’s servers. According to Google, bad sites exist, on average, for less than 10 minutes, and the new improvement is meant to close that window of opportunity. 

“Should we identify a website as potentially harmful to you or your device, you’ll receive a warning with additional details. With real-time website checks, we anticipate an increase in blocking phishing attempts by 25%,” Google mentions. 

By keeping the list server-side, Safe Browsing also avoids scenarios where devices do not have the necessary resources to store the full list, which grows at a rapid pace, or apply updates in a timely manner. 

Google explains that the “server-side list can swiftly incorporate unsafe websites upon discovery, enabling it to detect rapidly changing sites. Furthermore, the list can expand without limitations, as the Safe Browsing server isn’t restricted in the same manner as user devices.” 

When the user visits a site, Chrome first checks the cache to see if the destination is safe. If the site is not in the cache, the browser converts the URL into 32-byte full hashes, truncates them into 4-byte long hash prefixes, encrypts them and sends them to a privacy server that removes user identifiers and forwards them to the Safe Browsing server, where they are decrypted and checked against the database. If a match is found, Chrome will display a warning. 

To keep user data private, Google partnered with Fastly to operate the Oblivious HTTP (OHTTP) privacy server between Chrome and Safe Browsing, ensuring that user privacy is preserved while Safe Browsing does its job. 
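The lookup flow described above can be modelled in a few lines. This is an added sketch, not Chrome's or Google's code: the host-suffix and path-prefix expressions are a simplified version of URL canonicalization, the encryption and OHTTP relay hops are left out, and the `PrefixServer` class, its full-hash reply and all sample URLs are assumptions made for the example. It shows that the server only ever sees 4-byte prefixes and that a prefix hit alone is not a verdict.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each 32-byte SHA-256 hash that leave the client


def url_expressions(url):
    """Host-suffix/path-prefix combinations to hash (simplified)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    labels = host.split(".")
    # Full host plus shorter suffixes, never shorter than two labels.
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths += [path, "/"]
    prefix = "/"
    for segment in [s for s in path.split("/")[:-1] if s][:3]:
        prefix += segment + "/"
        paths.append(prefix)
    paths = list(dict.fromkeys(paths))  # de-duplicate, keep order
    return [h + p for h in hosts[:5] for p in paths]


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class PrefixServer:
    """Stand-in for the Safe Browsing server: unsafe full hashes by prefix."""

    def __init__(self, unsafe_expressions):
        self.db = {}
        self.seen = []  # everything the server learns from clients
        for expression in unsafe_expressions:
            h = full_hash(expression)
            self.db.setdefault(h[:PREFIX_LEN], set()).add(h)

    def lookup(self, prefixes):
        self.seen.extend(prefixes)
        found = set()
        for p in prefixes:
            found |= self.db.get(p, set())
        return found


def check_url(url, safe_cache, server):
    """Return 'safe' or 'unsafe'; safe_cache holds URLs already cleared."""
    if url in safe_cache:
        return "safe"  # cache hit: nothing is sent
    hashes = {full_hash(e) for e in url_expressions(url)}
    prefixes = sorted({h[:PREFIX_LEN] for h in hashes})
    candidates = server.lookup(prefixes)
    if hashes & candidates:  # confirm on the full 32 bytes, not the prefix
        return "unsafe"
    safe_cache.add(url)
    return "safe"


if __name__ == "__main__":
    srv = PrefixServer(["malware.example.test/"])  # constructed entry
    for u in ("http://cdn.malware.example.test/payload/x.bin",
              "https://example.org/docs/"):
        print(u, "->", check_url(u, set(), srv))
```
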

The improved protection is now rolling out to Chrome users on desktop and iOS and is expected to become available on Android later this month. No user action is required. 

According to Google, Safe Browsing checks over 10 billion URLs and files daily, protecting over 5 billion devices globally against phishing, malware, unwanted software, and other threats. 

Safe Browsing’s Enhanced Protection mode, which relies on AI to block attacks, performs deep file scans, and can protect against malicious extensions, remains available too. 

Google also announced today that Password Checkup on iOS is now flagging weak and reused passwords, in addition to compromised ones. 


Hackers exploit Windows SmartScreen flaw to drop DarkGate malware 

A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. 

SmartScreen is a Windows security feature that displays a warning when users attempt to run unrecognized or suspicious files downloaded from the internet.  

The flaw tracked as CVE-2024-21412 is a Windows Defender SmartScreen flaw that allows specially crafted downloaded files to bypass these security warnings. 

Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which would cause the file at the final location to be executed automatically. 

Microsoft fixed the flaw in mid-February, with Trend Micro disclosing that the financially motivated Water Hydra hacking group previously exploited it as a zero-day to drop their DarkMe malware onto traders’ systems. 

Today, Trend Micro analysts reported that DarkGate operators are exploiting the same flaw to improve their chances of success (infection) on targeted systems. 

This is a significant development for the malware, which, together with Pikabot, has filled the void created by QBot’s disruption last summer and is used by multiple cybercriminals for malware distribution. 

The attack begins with a malicious email that includes a PDF attachment with links that utilize open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks. 

When a victim clicks on the link, they are redirected to a compromised web server that hosts an internet shortcut file. This shortcut file (.url) links to a second shortcut file hosted on an attacker-controlled WebDAV server. 

Using one Windows Shortcut to open a second Shortcut on a remote server effectively exploits the CVE-2024-21412 flaw, causing a malicious MSI file to execute automatically on the device. 

These MSI files masqueraded as legitimate software from NVIDIA, the Apple iTunes app, or Notion. 

Upon execution of the MSI installer, another DLL sideloading flaw involving the “libcef.dll” file and a loader named “sqlite3.dll” will decrypt and execute the DarkGate malware payload on the system. 

Once it’s initialized, the malware can steal data, fetch additional payloads and inject them into running processes, perform key logging, and give attackers real-time remote access. 

According to Trend Micro, this campaign “utilizes DarkGate version 6.1.7, which differs from the older version 5 by incorporating XOR-encrypted configuration, introducing new configuration options, and updating command and control (C2) values”. 

The configuration parameters available in DarkGate 6 enable its operators to determine various operational tactics and evasion techniques, such as enabling startup persistence or specifying minimum disk storage and RAM size to evade analysis environments. 

The first step to mitigate the risk from these attacks would be to apply Microsoft’s February 2024 Patch Tuesday update, which fixes CVE-2024-21412. 
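Alongside patching, defenders can triage collected shortcut files for the pattern described above, in which one .url file points at a second .url file on a remote share. The following is an added example, not Trend Micro's or Microsoft's detection logic; the verdict names, file names and hosts are constructed for illustration.

```python
import configparser
from urllib.parse import unquote, urlsplit


def shortcut_target(text):
    """Return the URL= value of an Internet shortcut, or None."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # not a parseable INI-style shortcut
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return parser[section].get("url")  # option names are lowercased
    return None


def classify(text):
    """Verdict for one .url file body.

    'shortcut-chain': target is another .url file on a remote host
    'remote-file'   : target is some other file on a remote host
    'ok'            : web link or local file
    'no-target'     : no usable URL= entry
    """
    target = shortcut_target(text)
    if not target:
        return "no-target"
    target = target.strip()
    if target.startswith("\\\\"):  # UNC path, including \\host@port forms
        remote, path = True, target
    else:
        parts = urlsplit(target)
        if parts.scheme.lower() != "file":
            return "ok"
        remote = parts.netloc.lower() not in ("", "localhost")
        path = unquote(parts.path)
    if not remote:
        return "ok"
    return "shortcut-chain" if path.lower().endswith(".url") else "remote-file"


def scan(files):
    """Map each file name to its verdict."""
    return {name: classify(body) for name, body in files.items()}


# Constructed sample shortcut bodies; hosts are reserved example names.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\nURL=file://files.example.test/share/next.url\n",
    "webdav.url": "[InternetShortcut]\nURL=\\\\files.example.test@80\\docs\\setup.url\nIconIndex=0\n",
    "remote.url": "[InternetShortcut]\nURL=file://files.example.test/share/report.pdf\n",
    "bookmark.url": "[InternetShortcut]\nURL=https://www.example.org/\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.url\n",
    "broken.url": "not an ini file\n",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} {verdict}")
```
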


US gov opens probe into UnitedHealth hack as systems come back online 

The HHS Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident and its impact on Change as well as other healthcare entities throughout the nation. 

The goal of the investigation, the letter states, is to determine whether a breach of protected health information occurred, as laid out in the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), which enforces the proper protection of a person’s private health information among healthcare entities in the US. 

The investigation will determine if Change Healthcare and UnitedHealth Group (UHG) were in compliance with the HIPAA Rules. 

The February 21st Change Healthcare attack disrupted healthcare and billing information operations nationwide, posing a direct threat to critically needed patient care and essential operations of the healthcare industry, the OCR said. 

Under HIPAA Rules, healthcare providers, health plans, and healthcare clearinghouses, as well as business associates, must adhere to the Act’s data processing and security requirements, as well as the regulations to notify the HHS and affected individuals following a breach. 

The March 13th letter then provided nearly a dozen links to HIPAA compliance and cybersecurity resources for reference. 

UnitedHealth said it would cooperate with the OCR investigation, although it has not yet said what types of information or how much patient data may have been exposed in the attack. 

Healthcare entities under HIPAA, which includes health insurance plans, have within 60 days of discovery to report breaches to patients whose data may have been compromised. 

Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. 

Due to the large scope of the breach, it may be difficult for Change and UHG to stay compliant with the regulations, which could result in monetary fines and/or legal action. 




    Copyright Smarttech247 - 2021