SANS NewsBites

Apple Updates and ARM CPU Vulnerability; StrelaStealer Affecting US and EU Organizations

March 26, 2024  |  Volume XXVI - Issue #24

Top of the News


2024-03-23

Apple Updates for iOS, iPadOS, macOS, and visionOS

On Thursday, March 21, Apple released the following updates: iOS and iPadOS 17.4.1; iOS and iPadOS 16.7.7; and visionOS 1.1.1. On Monday, March 25, Apple released updates for macOS Sonoma (14.4.1) and Ventura (13.6.6). All of the updates fix an out-of-bounds write issue (CVE-2024-1580) in CoreMedia and WebRTC.

Editor's Note

This update patches only one vulnerability (CVE-2024-1580). But this vulnerability affects two different components, CoreMedia and WebRTC.

Johannes Ullrich

CVE-2024-1580, an integer overflow in the dav1d AV1 decoder, has a CVSS score of 5.9. Exploiting the flaw can result in memory corruption within the decoder. While the fix only addresses the two packages, the code was in use across multiple OSes so you need to make sure you're pushing the update to all the affected devices. Apple has not indicated there is exploitation in the wild, but now that the fixes are out, expect reverse engineering to lead to POC exploits soon.

Lee Neely

2024-03-22

Apple Chip Side-Channel Vulnerability

Apple M-series chips have a vulnerability that can be exploited to steal cryptographic keys from vulnerable devices. The issue lies in a flawed implementation of a processing optimization technique known as prefetching. Kim Zetter writes, “The bottom line for users is that there is nothing you can do to address this. The fix lies with cryptographic application developers, who need to implement mitigations for the problem and then issue updates to their applications.”

Editor's Note

This vulnerability is substantially different than prior side channel attacks. But to leak the key material of encryption operations, an attacker must be able to "probe" the system by having it encrypt data. The attack will have to launch a "chosen input attack." M3 processors have the ability to turn off the vulnerable features, but this needs to be specifically done by developers. Any additional patch will likely come from software developers writing encryption code for Macs. It is unlikely that Apple will be able to develop a "universal patch."

Johannes Ullrich

The vulnerability has been named "GoFetch" as it takes advantage of the feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. This is not a flaw which could be remedied via an OS update. The future chip designs would have to be changed to prevent the activities, or applications would need to implement mitigations internally. M3 chips with DIT enabled are not vulnerable to this attack, however in that mode the processor takes the worst-case amount of time to complete the instruction, regardless of the input data.

Lee Neely

While this implementation-induced vulnerability is resistant to an easy fix, it is not of concern for most users. Exploitation requires both special knowledge and possession of the device. Apple offers the user the ability to remotely disable a lost or stolen device.

William Hugh Murray

2024-03-25

Recent StrelaStealer Campaign Targeted US and EU Organizations

Researchers from Palo Alto Networks Unit 42 detected a StrelaStealer campaign that took place over the past five months. The campaign targeted more than 100 organizations in the US and the European Union. StrelaStealer, which was first documented in late 2022, steals email login credentials and sends them back to the attacker’s command and control server.

Editor's Note

While the stealer is evolving, it's still initiated by a malicious attachment that initiates the infection chain and DLL payload to evade detection. Leverage your XDR, NGFW and cloud security services to detect the malware. One of the best protections from credential theft is replay-resistant MFA, preferably using a token or other device which is separate from the potentially infected desktop.

Lee Neely

2024-03-25

Thousands of Developers Affected by Software Supply Chain Attack

Researchers at Checkmarx detected a software supply chain attack that has affected more than 170,000 developers. The associated malware steals data from browsers, crypto wallets, files, and from Discord. The attackers used multiple vectors to achieve infiltration. According to the researchers, “An attacker distributed a malicious dependency hosted on a fake Python infrastructure, linking it to popular projects on GitHub and to legitimate Python packages. GitHub accounts were taken over, malicious Python packages were published, and social engineering schemes were used by the threat actors.”

Editor's Note

This supply chain attack is much more involved than many of the other GitHub/Python attacks. The attack started in February, and compromised well-respected contributors to Python packages. Malicious code was well concealed by creating a smoke screen of benign changes and selecting plausible domains to host the compromised components.

Johannes Ullrich

This is a particularly well-crafted supply chain attack. It allows the attacker to target the developer community and through them, software products.

Curtis Dukes

The Rest of the Week's News


2024-03-21

Labor-Intensive Fix is Available for Hotel Keycard Lock Vulnerability

In 2022, a hand-picked group of researchers at Black Hat/Defcon was given the chance to discover vulnerabilities in a Las Vegas hotel room’s gadgets. A team focusing on the digital door lock uncovered a vulnerability that allowed them to use two modified keycards to open any hotel door using the Saflok system made by Dormakaba. The issue was reported to Dormakaba in autumn of 2022 and disclosed just this month. The researchers note that “upgrading each hotel is an intensive process. All locks require a software update or have to be replaced. Additionally, all keycards have to be reissued, front desk software and card encoders have to be upgraded, and 3rd party integrations (e.g. elevators, parking garages and payment systems) may require additional upgrades.”

Editor's Note

The researchers say 36% of vulnerable devices have been upgraded. Odds are much higher that your credit card was compromised from the hotel's website or reservation management system.

John Pescatore

When the dust settled, the locks used the known vulnerable MIFARE Classic RFID system and the attack required a $300 Proxmark RFID read-write device, a stack of blank RFID cards, and an Android phone or Flipper Zero. Replacing all your keycards, updating/replacing all your locks, and then updating your encoders and third-party integrations is a tall order. It's surprising they are not still sitting on the discovery while mitigations are underway; current estimates are about 35% of the vulnerable locks and systems have been replaced or upgraded.

Lee Neely

A serious vulnerability that has been in existence for years. In the short term, don’t keep valuables in your hotel room and use a secondary locking device (door block) whilst in the room. Finally, just remember that back in the day, physical keys could be duplicated or picked; it continues to be a game of cat-and-mouse.

Curtis Dukes

2024-03-22

CISA, FBI, MS-ISAC Guidance on DDoS Response

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published an updated version of their “Understanding and Responding to Distributed Denial-of-Service Attacks” guidance. The document categorizes both DoS and DDoS attacks into three categories: volume-based attacks, protocol-based attacks, and application layer-based attacks. It also suggests steps to take to harden organizations against these attacks and to respond to the attacks.

Editor's Note

Consider the guidance to have been updated from end-to-end. The guidance includes planning, prevention, detection and response/postmortem information. While it's tempting to argue over the order of the steps for each, focus instead on all the areas to cover making sure you don't skip over one. The process applies not just to on-premises services, but also remote, outsource, cloud or business partner. Keep in mind not only your connectivity, but also the protections to aid application resilience. Also, this is not one and done: review annually as TTPs and mitigations evolve.

Lee Neely

2024-03-22

Commercial Truck Logging Device Vulnerabilities

Researchers from Colorado State University have discovered several security flaws in Electronic Logging Devices (ELDs), which track driving hours and perform other functions in most commercial trucks. The US Federal Motor Carrier Safety Administration (FMCSA) mandated the use of ELDs in 2015. The researchers say the devices can be wirelessly manipulated to alter data, take control of trucks, and spread malware from vehicle to vehicle. They presented their paper at the 2024 Network and Distributed System Security Symposium.

Editor's Note

Part of the problem is the lack of diversity in ELDs: while hundreds are registered, only tens are unique devices. By default, they have Bluetooth, Wi-Fi and OTA Firmware updates enabled, and are sitting on the CAN bus, not only facilitating what amounts to a drive-by attack but also a path to the other vehicle services also on that bus. Mitigations include more secure default settings, signed firmware, eliminating unnecessary API functions and more complex/randomized passwords. It's expected the manufacturers will release firmware updates soon which address these concerns.

Lee Neely

2024-03-25

Japan Runs Cyber Defense Drills for Five Pacific Island Nations

In February, Japan conducted cyber defense drills with five Pacific Island nations, with the intention of fostering cooperation. The exercises were conducted from Guam. Participants included telecom cybersecurity experts and government officials from Japan, Kiribati, the Marshall Islands, Micronesia, Nauru, and Palau. The US Cybersecurity and Infrastructure Security Agency (CISA) provided an instructor and training materials.

Editor's Note

Japan is also running a similar program with the Association of Southeast Asian Nations, having launched the ASEAN-Japan Cybersecurity Capacity Building Center in Thailand in 2018. While sidestepping the issue of China's threat to the area, this is a good opportunity to better preserve their nation's security, economic vitality, and resilience.

Lee Neely

Kudos to Japan and the US, indirectly, for establishing the first of what will be several regional cyber defense drills. Through knowledge, smaller, less resourced nations can raise their cybersecurity awareness and hopefully better defend against cyberattack.

Curtis Dukes

2024-03-22

Researchers Say Updated Wiper Malware Used in Attacks Against Ukrainian ISPs

Researchers at Sentinel Labs have detected a new variant of the AcidRain wiper malware that was used to brick/disable Viasat KA-SAT modems in Ukraine and parts of the EU two years ago. Sentinel Labs has dubbed the new variant AcidPour; they say that it has recently been used to disrupt several Ukrainian ISPs, which have been offline since March 13. AcidPour has new capabilities that allow it to target a broader range of devices.

Editor's Note

Attackers are taking credit for attacks on Tricom, Misto-TV, Linktelecom and the KIM ISPs. The ISPs are slowly restoring service, KIM says their services are restored, Triacom estimates 50% is restored, while Misto-TV simply said the restoration is taking longer than planned and Linktelecom has not published a status update. This is a time to consider how impactful having your ISP offline would be, and what you could do for connection diversity. Consider not just path diversity but also attacks which could take out the modems of multiple providers.

Lee Neely

2024-03-22

US Senator Proposes Healthcare Security Funding Bill

In the wake of the Change Healthcare cyberattack that caused cashflow problems for healthcare providers across the country, US Senator Mark Warner (D-Virginia) has proposed a bill that would accelerate payments through the Centers for Medicare & Medicaid Services (CMS) to healthcare providers experiencing cyberattacks if the providers have adhered to a yet-to-be-determined set of cybersecurity standards. The standards would be set by the Department of Health and Human Services (HHS) Secretary. The bill also says that if a healthcare provider experiences a breach through a vendor, that vendor must also meet the HHS standards for the provider to be eligible for the accelerated payments.

Editor's Note

United Health Group Optum spent over a year and $8B to acquire Change Healthcare and apparently did not do a thorough due diligence around cybersecurity risk. The cost to United Health Group to deal with lawsuits and fines from Change Healthcare’s security failure should include repaying government Change Healthcare/Optum Payment Disruption (CHOPD) accelerated payments to Part A providers and advance payments to Part B suppliers experiencing claims disruptions as a result of the incident.

John Pescatore

This seems like an ideal lesson-learned from the Change Healthcare attack. And, while the bill would not go into effect until two years after being passed, to allow stakeholders to adapt to the required standards, this is reminiscent of the measures taken by cyber insurance to reduce the volume of covered settlements. Careful attention must be paid to the details to assure stakeholders will be able to meet requirements for payment of a claim.

Lee Neely

While attention is paid to this specific cyberattack, it can happen in every other industrial sector. This bill in its present form doesn’t address the vendor consolidation that creates single points of failure in critical services. Additionally, it continues to perpetuate the myth that each sector is somehow unique when it comes to cyber-attacks. Have CISA establish a single minimum cybersecurity standard for every industrial sector.

Curtis Dukes

2024-03-25

UK Communication Workers Union Confirms Cyberattack

The UK’s Communication Workers Union (CWU) now says that an IT outage reported last week was due to a cyberattack. Third-party experts have been on-site since March 21, and CWU has pre-emptively taken down some systems. CWU has notified the Information Commissioner’s Office (ICO) of the incident.

Editor's Note

CWU is playing this one close to the chest. While it's become clear their email system was compromised, the only communication to users was to switch to an alternate system, communicating by WhatsApp as other IT services were not available. While they are still mired in establishing scope and response activities, it's still a good idea to share what you know. Make sure that you have a plan for communication when your IT is offline. Communicate rapidly, regularly and clearly to stay ahead of the rumor mill or other answers which will be contrived to fill the void.

Lee Neely

Internet Storm Center Tech Corner