The Good, the Bad and the Ugly in Cybersecurity – Week 25
The Good | Rewards for Justice Offers $10 Million Bounty on Cl0p Gang
The crimeware scene has often been likened to the Wild West, so it’s no surprise that just as outlaws run amok in the digital world, bounty hunters will be offered incentives to aid law enforcement. This week, the Department of State put out a bounty of up to $10 million reward for information on the Cl0p ransomware gang and other malicious cyber actors.
Advisory from @CISAgov, @FBI: https://t.co/jenKUZRZwt
Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government?
Send us a tip. You could be eligible for a reward.#StopRansomware pic.twitter.com/fAAeBXgcWA
— Rewards for Justice (@RFJ_USA) June 16, 2023
The reward is being offered for information on the identification or location of any person participating in attacks against U.S. critical infrastructure on behalf of foreign governments.
The bounty follows on from CISA’s and the FBI’s recent advisory that Cl0p has been exploiting the MOVEit Transfer vulnerability to target multiple organizations, including The Department of Energy and numerous other federal agencies.
The Rewards for Justice program is run by the Department of State’s Bureau of Diplomatic Security with the remit to combat international terrorism including malicious cyber activity and election interference. Cl0p aren’t the first ransomware gang to be singled out for attention by RfJ: a similar bounty was put on the heads of the now defunct Conti gang as well as Sandworm APT and REvil, all of whom researchers have attributed various attacks on U.S. critical infrastructure to.
The Bad | Apple Security Under Increasing Scrutiny After More 0-days Patched
Apple released emergency patches this week for three zero days across its operating system platforms, including macOS, iOS, iPadOS and WatchOS. Two of the bugs, the company said, were known to be actively exploited in the wild against versions of iOS released prior to iOS 15.7.
CCVE-2023-32434 is an integer overflow vulnerability that could be exploited to execute arbitrary code with kernel privileges, while CVE-2023-32435 is a WebKit memory corruption vulnerability that could allow arbitrary code execution when processing maliciously-crafted web content. Both flaws were reported by researchers at Kaspersky, who published details of an espionage campaign targeting iOS said to have been active since 2019. Analysis of the malware used in the campaign suggests the threat actor may also be targeting macOS.
A third bug, CVE-2023-32439, is a type confusion issue that may lead to arbitrary code execution when processing maliciously-crafted web content. Apple also says this may have been exploited in the wild though it appears unconnected at this time with the campaign reported by Kaspersky.
The bugs come on the heels of three Apple WebKit zero days patched last month, each of which was also said to be actively exploited in the wild, and takes the number of Apple zero days patched in the first half of 2023 to nine.
Given the increasing interoperability and code-sharing between Apple’s various platforms, it’s no surprise that exploitable bugs in one platform represent security risks in others. IT and security teams are urged to treat all their OSs equally in terms of risk and ensure adequate protections and mitigations are in place across all devices in their fleets.
The Ugly | Microsoft Teams Bypass Allows External Accounts to Drop Malware
Microsoft has said that a bypass that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response may come as an unwelcome surprise to IT and security teams as researchers have showed this week that all MS Teams accounts running in the default configuration are susceptible to the attack.
According to an advisory published on Wednesday, the client-side security controls which are supposed to prevent external tenants sending files can be bypassed simply by switching the internal and external recipient ID on the POST request, a trick which fools the system into treating the external user as an internal one.
#Advisory: IDOR in Teams Allows for new Payload Delivery Avenue! @CorbridgeMax and @tde_sec from our #redteam recently discovered an #IDOR vulnerability in Teams which opens the door to a novel #payload delivery avenue.
Check it out! https://t.co/658nhzm3b3#C2 #microsoft
— Jumpsec Labs (@JumpsecLabs) June 21, 2023
The researchers note that the technique circumvents anti-phishing security controls and training advice. In particular, employees are now widely taught to avoid clicking email links, but a phishing email making use of this attack would appear to contain a file rather than an external link.
They further point out that attackers could socially engineer users via Teams calls and lure them into expecting a legitimate file. In one red team engagement, a fake IT technician asked a target to jump on a call as they needed to apply an update to critical software. Once on the call, the ‘attacker’ leveraged the Teams bypass to deliver the payload.
Organizations using Teams are advised to disable External Access in MS Teams Admin Center, if possible, or change security settings to only allow communications between certain allow-listed domains. Further mitigations and workarounds are detailed at the end of the report.
Leave a Reply
Want to join the discussion?Feel free to contribute!