Apple Updates and ARM CPU Vulnerability; StrelaStealer Affecting US and EU Organizations

This update patches only one vulnerability (CVE-2024-1580). But this vulnerability affects two different components, CoreMedia and WebRTC.

Johannes Ullrich

CVE-2024-1580, an integer overflow in the dav1d AV1 decoder, has a CVSS score of 5.9. Exploiting the flaw can result in memory corruption within the decoder. While the fix only addresses the two packages, the code was in use across multiple OSes so you need to make sure you're pushing the update to all the affected devices. Apple has not indicated there is exploitation in the wild, but now that the fixes are out, expect reverse engineering to lead to POC exploits soon.

Lee Neely

This vulnerability is substantially different than prior side channel attacks. But to leak the key material of encryption operations, an attacker must be able to "probe" the system by having it encrypt data. The attack will have to launch a "chosen input attack." M3 processors have the ability to turn off the vulnerable features, but this needs to be specifically done by developers. Any additional patch will likely come from software developers writing encryption code for Macs. It is unlikely that Apple will be able to develop a "universal patch."

Johannes Ullrich

The vulnerability has been named "GoFetch" as it takes advantage of the feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. This is not a flaw which could be remedied via an OS update. The future chip designs would have to be changed to prevent the activities, or applications would need to implement mitigations internally. M3 chips with DIT enabled are not vulnerable to this attack, however in that mode the processor takes the worst-case amount of time to complete the instruction, regardless of the input data.

Lee Neely

While this implementation-induced vulnerability is resistant to an easy fix, it is not of concern for most users. Exploitation requires both special knowledge and possession of the device. Apple offers the user the ability to remotely disable a lost or stolen device.

William Hugh Murray

While the stealer is evolving, it's still initiated by a malicious attachment that initiates the infection chain and DLL payload to evade detection. Leverage your XDR, NGFW and cloud security services to detect the malware. One of the best protections from credential theft is replay-resistant MFA, preferably using a token or other device which is separate from the potentially infected desktop.

Lee Neely

This supply chain attack is much more involved than many of the other GitHub/Python attacks. The attack started in February, and compromised well-respected contributors to Python packages. Malicious code was well concealed by creating a smoke screen of benign changes and selecting plausible domains to host the compromised components.

Johannes Ullrich

This is a particularly well-crafted supply chain attack. It allows the attacker to target the developer community and through them, software products.

Curtis Dukes

The researchers say 36% of vulnerable devices have been upgraded. Odds are much higher that your credit card was compromised from the hotels website or reservation management system.

John Pescatore

When the dust settled, the locks used the known vulnerable MIFARE Classic RFID system and the attack required a $300 Proxmark RFID read-write device, a stack of blank RFID cards, and an Android phone or Flipper Zero. Replace all your keycards and update/replace all your locks, now update your encoders and third-party integrations is a tall order. It's surprising they are not still sitting on the discovery while mitigations are underway; current estimates are about 35% of the vulnerable locks and systems have been replaced or upgraded.

Lee Neely

A serious vulnerability that has been in existence for years. In the short term, don’t keep valuables in your hotel room and use a secondary locking device (door block) whilst in the room. Finally, just remember that back in the day, physical keys could be duplicated or picked; it continues to be a game of cat-and-mouse.

Curtis Dukes

Consider the guidance to have been updated from end-to-end. The guidance includes planning, prevention, detection and response/postmortem information. While it's tempting to argue over the order of the steps for each, focus instead on all the areas to cover making sure you don't skip over one. The process applies not just to on-premises services, but also remote, outsource, cloud or business partner. Keep in mind not only your connectivity, but also the protections to aid application resilience. Also, this is not one and done: review annually as TTPs and mitigations evolve.

Lee Neely

Part of the problem is the lack of diversity in ELDs: while hundreds are registered, only tens are unique devices. By default, they have Bluetooth, Wi-Fi and OTA Firmware updates enabled, and are sitting on the CAN bus, not only facilitating what amounts to a drive-by attack but also a path to the other vehicle services also on that bus. Mitigations include more secure default settings, signed firmware, eliminating unnecessary API functions and more complex/randomized passwords. It's expected the manufacturers will release firmware updates soon which address these concerns.

Lee Neely

Japan is also running a similar program with the Association of Southeast Asian Nations, having launched the ASEAN-Japan Cybersecurity Capacity Building Center in Thailand in 2018. While sidestepping the issue of China's threat to the area, this is a good opportunity to better preserve their nation's security, economic vitality, and resilience.

Lee Neely

Kudos to Japan and the US, indirectly, for establishing the first of what will be several regional cyber defense drills. Through knowledge, smaller, less resourced nations can raise their cybersecurity awareness and hopefully better defend against cyberattack.

Curtis Dukes

Attackers are taking credit for attacks on Tricom, Misto-TV, Linktelecom and the KIM ISPs. The ISPs are slowly restoring service, KIM says their services are restored, Triacom estimates 50% is restored, while Misto-TV simply said the restoration is taking longer than planned and Linktelecom has not published a status update. This is a time to consider how impactful having your ISP offline would be, and what you could do for connection diversity. Consider not just path diversity but also attacks which could take out the modems of multiple providers.

Lee Neely

United Health Group Optum spent over a year and $8B to acquire Change Healthcare and apparently did not do a thorough due diligence around cybersecurity risk. The cost to United Health Group to deal with lawsuits and fines from Change Healthcare’s security failure should include repaying government Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers experiencing claims disruptions as a result of the incident.

John Pescatore

This seems like an ideal lesson-learned from the Change Healthcare attack. And, while the bill would not go into effect until two years after being passed, to allow stakeholders to adapt to the required standards, this is reminiscent of the measures taken by cyber insurance to reduce the volume of covered settlements. Careful attention to the details must be made to assure stakeholders will be able to meet requirements for payment of a claim.

Lee Neely

While attention is paid to this specific cyberattack, it can happen in every other industrial sector. This bill in its present form doesn’t address the vendor consolidation that creates single points of failure in critical services. Additionally, it continues to perpetuate the myth that each sector is somehow unique when it comes to cyber-attacks. Have CISA establish a single minimum cybersecurity standard for every industrial sector.

Curtis Dukes

CWU is playing this one close to the chest. While it's become clear their email system was compromised, the only communication to users was to switch to an alternate system, communicating by WhatsApp as other IT services were not available. While they are still mired in establishing scope and response activities, it's still a good idea to share what you know. Make sure that you have a plan for communication when your IT is offline. Communicate rapidly, regularly and clearly to stay ahead of the rumor mill or other answers which will be contrived to fill the void.

Lee Neely