Daily Brief
Total articles found: 11690
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2023-11-14 23:29:09 | theregister | MALWARE | Russian Cybercriminal Admits to Creating Profitable IPStorm Botnet | Russian and Moldovan national Sergei Makinin pleaded guilty to building and operating the IPStorm botnet, which commandeered tens of thousands of machines worldwide. The IPStorm botnet, which relied on the IPFS protocol, allowed illegal activities to be masked as legitimate IPFS traffic and infected Windows, Mac, Linux, and Android devices. Makinin utilized the botnet as a proxy network service, selling access to infected devices to clients wanting to hide their Internet activities, and made over $500,000. The FBI successfully dismantled the botnet, and Makinin faces up to 30 years in prison if convicted on all three counts of computer misuse. Despite the dismantling of IPStorm, concerns remain about the potential abuse of the IPFS platform for hosting malicious content, including future botnets. Trustwave researchers have highlighted the challenges of IPFS's decentralized nature, which allows data persistence and poses concerns for regulation and control of malicious activities. | Details |
| 2023-11-14 23:18:50 | bleepingcomputer | MALWARE | Intel Patches High-Severity 'Reptar' CPU Security Flaw | Intel has fixed a high-severity CPU flaw affecting desktop, server, mobile, and embedded processors, including its latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures. The vulnerability, identified as CVE-2023-23583, could enable attackers to escalate privileges, access sensitive data, or cause denial of service disruptions. Intel's internal security validation identified the potential for privilege escalation under certain microarchitectural conditions involving a 'Redundant Prefix Issue' with the REP MOVSB instruction. The flaw has been mitigated with microcode updates for affected processors, and system owners are advised to update their BIOS and system software. The issue, which Intel believes will not be encountered by non-malicious real-world software, was also independently discovered by Google researchers, who named it 'Reptar.' The vulnerability relates to unexpected CPU behavior when handling redundant prefixes, which could compromise CPU security boundaries if exploited. | Details |
| 2023-11-14 21:46:53 | bleepingcomputer | CYBERCRIME | VMware Warns of Critical Authentication Bypass Vulnerability | VMware has disclosed an unpatched, critical authentication bypass vulnerability in its Cloud Director appliance. The flaw only affects VCD Appliance 10.5 installations that have been upgraded from older versions, not fresh installs or other deployments. The vulnerability permits unauthenticated remote attackers to exploit the system without user interaction, specifically on ports 22 (SSH) and 5480 (appliance management console). No patch is currently available, but VMware has provided a temporary workaround involving a custom script that doesn't disrupt functionality or require system downtime. Past security issues addressed by VMware included an ESXi zero-day exploited by Chinese hackers and a severe bug in the Aria Operations for Networks tool. The company has actively engaged in patching critical vulnerabilities, including one in October for the vCenter Server which could lead to remote code execution attacks. | Details |
| 2023-11-14 20:35:12 | bleepingcomputer | MALWARE | CacheWarp Attack Compromises Linux VMs on AMD CPUs | A new fault injection attack named CacheWarp has been discovered, targeting AMD SEV-protected virtual machines. CacheWarp can escalate privileges, allowing hackers to obtain root access and execute remote code. The attack exploits the CVE-2023-20592 vulnerability in AMD's Secure Encrypted Virtualization technologies (SEV-ES and SEV-SNP). Researchers demonstrated CacheWarp's ability to recover RSA private keys, bypass OpenSSH authentication, and gain root access via sudo. CacheWarp manipulates cache line write-back behavior, potentially reverting variable states and altering a program's control flow. AMD acknowledges the vulnerability in the INVD instruction on certain processors; it does not affect their latest 4th Gen 'Genoa' EPYC CPUs. AMD released a hot-loadable microcode patch and updated firmware for 3rd Gen EPYC processors to mitigate CacheWarp without impacting performance. | Details |
| 2023-11-14 20:04:24 | bleepingcomputer | CYBERCRIME | LockBit Ransomware Targets Unpatched Citrix Servers Globally | LockBit ransomware is leveraging the Citrix Bleed vulnerability (CVE-2023-4966) to launch attacks against large organizations. Citrix has released patches for CVE-2023-4966, but over 10,000 servers globally have yet to apply the fixes, exposing a significant attack surface. High-profile organizations like the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing are reported victims, primarily through their vulnerable Citrix servers. The US Treasury has acknowledged the exploitation of this vulnerability by LockBit in a cyberattack against ICBC. LockBit operates as a Ransomware-as-a-Service, with various affiliates conducting attacks; the current campaign is likely driven by an affiliate specifically using the Citrix Bleed flaw. Vulnerable servers are mostly concentrated in the US, Germany, China, and the UK, with critical organizations at risk across multiple countries. The Citrix Bleed vulnerability enables attackers to steal sensitive session tokens post-multi-factor authentication, providing them with unauthorized access to system information. | Details |
| 2023-11-14 19:02:59 | bleepingcomputer | MALWARE | Microsoft Remedies 58 Flaws, Including Five Zero-Days | Microsoft's November 2023 Patch Tuesday features security updates for 58 vulnerabilities and 5 zero-day issues. RCE vulnerabilities have been addressed, with one flagged as critical, alongside critical flaws in Azure, Windows ICS, and Hyper-V. Five zero-day vulnerabilities were corrected, including three that were actively exploited and three that were publicly disclosed. Exploited zero-days include flaws in Windows Cloud Files Mini Filter Driver, Windows DWM Core Library, and Windows SmartScreen, which could lead to SYSTEM-level privileges or security feature bypass. Two additional zero-day vulnerabilities in Microsoft Office and ASP.NET Core, while publicly disclosed, were not known to be exploited in the wild. The security updates are part of Microsoft's routine to proactively mitigate risks alongside other vendor updates this month. | Details |
| 2023-11-14 18:45:32 | thehackernews | CYBERCRIME | New CacheWarp Exploit Threatens AMD Secure Virtual Machines | Researchers disclosed a vulnerability in AMD Secure Encrypted Virtualization (SEV) technology, which could be exploited to infiltrate and escalate privileges within encrypted virtual machines (VMs). The attack, named CacheWarp (CVE-2023-20592), was identified by CISPA Helmholtz Center for Information Security and targets AMD CPUs supporting all variants of SEV, including SEV-SNP. SEV-SNP, designed to protect against malicious hypervisor activities by encrypting VM memory, was found to be susceptible to CacheWarp, potentially enabling attackers to control the VM's execution flow. Two attack primitives demonstrated were "timewarp," which tricks the computer into re-executing old code with new data, and "dropforge," which resets changes in VM data, such as bypassing OpenSSH authentication or granting unauthorized admin privileges. AMD has released a microcode update to address the issue, but the discovery suggests that even AMD's claims of comprehensive integrity protection can be circumvented. This revelation comes shortly after the same CISPA researchers unveiled a power side-channel attack, Collide+Power (CVE-2023-20583), that affects CPUs across several manufacturers, including Intel and AMD. | Details |
| 2023-11-14 18:45:31 | bleepingcomputer | CYBERCRIME | Microsoft Patches Azure CLI Bug to Prevent Credential Exposure | Microsoft has rectified a severe security flaw in Azure CLI that risked credential exposure in GitHub Actions and Azure DevOps logs. The vulnerability, identified as CVE-2023-36052, was discovered by Palo Alto's Prisma Cloud team and could allow unauthenticated remote access to plaintext credentials. Users must upgrade to Azure CLI version 2.53.1 or later to mitigate risks associated with this issue, which also affected log files from Azure DevOps and GitHub Actions. Security notifications were issued to customers who may have used vulnerable Azure CLI commands, prompting them to update via the Azure Portal. Microsoft has updated Azure CLI to prevent the inadvertent disclosure of sensitive data, with defaults now restricting secrets in output for App Service-related updates. Broader credential redaction has been implemented across GitHub Actions and Azure Pipelines, although not all patterns of secrets are currently covered. Microsoft is working on expanding and optimizing secret pattern detection to further safeguard against unintentional data leaks in CI/CD log outputs. | Details |
| 2023-11-14 18:35:10 | theregister | CYBERCRIME | Flaw in AMD SEV Technology Compromises Trusted Execution | A group of researchers discovered a vulnerability in AMD's Secure Encrypted Virtualization (SEV) technology, named CacheWarp. CacheWarp allows an attacker to create memory inconsistencies by interrupting context switches, potentially leading to arbitrary code execution or data exposure. The technique involves the use of the APIC timer to induce selective state resets, undermining the SEV's protection mechanisms. The vulnerability affects all versions of AMD SEV, including enhancements like SEV-ES and SEV-SNP, with the latter being more resistant but still vulnerable. CacheWarp is a software-fault attack, not a side-channel or transient execution attack, and operates by introducing errors in page table entries. The researchers demonstrated CacheWarp's potential by extracting private keys, accessing an OpenSSH server without credentials, and gaining root privileges via sudo. AMD was informed about the issue on April 25, 2023, and has plans to release a microcode patch for SEV-SNP and an SEV firmware update for Zen 3 EPYC Milan CPUs. A hardware-level fix is ultimately necessary, and AMD is scheduled to publish details in an upcoming bulletin. | Details |
| 2023-11-14 18:04:21 | theregister | CYBERCRIME | Intel Releases Out-of-Band Fix for High-Risk Chip Flaw | Intel has issued an out-of-band patch for a privilege escalation vulnerability in its Sapphire Rapids, Alder Lake, and Raptor Lake chip families. The flaw, known as 'Redundant Prefix', was identified by Intel researchers and could be exploited for denial-of-service (DoS) or privilege escalation attacks. Initially planned for a March 2024 update, the patch was accelerated to November 2023 due to the flaw's severity, with a CVSS 3.0 score of 8.8. A Google researcher independently discovered the same DoS issue, prompting Intel to synchronize its patch release with Google's planned disclosure under a 90-day policy. Intel will be releasing a technical paper and video detailing the Redundant Prefix issue, specifically instruction encoding that could lead to unpredictable behavior or system crashes. The microcode update has been made available to all customers on supported Intel platforms without the need for a reboot and with no observed performance impact or behavioral changes. | Details |
| 2023-11-14 17:38:32 | bleepingcomputer | DATA BREACH | Major Data Breach at Truepill Affects Over 2 Million Customers | Pharmacy provider Truepill experienced a data breach compromising the personal information of approximately 2.3 million individuals. Unauthorized access to Truepill's network was detected on August 31, 2023, with the breach occurring a day earlier. Exposed data may include customer names, contact details, and prescription information, but not Social Security numbers. Some affected customers report being unaware of their association with Truepill, raising questions about data management. Legal consequences loom as class action lawsuits claim Truepill failed to adequately secure sensitive healthcare data. Critics are targeting the delay in breach notification and the lack of detail and guidance in the notification letters. Affected individuals noticed suspicious activities on their accounts, with some confirming that their personal data appeared on the dark web. The leaked data may also include addresses, birth dates, and medical, diagnostic, and health insurance information, which Truepill did not disclose in its notice. | Details |
| 2023-11-14 15:02:05 | bleepingcomputer | CYBERCRIME | Innovative Russian Group Trains Hackers, Offers Pentest Services | AlphaLock, a Russian group billing itself as a "pentesting training organization," has a unique approach to cybercrime including performances and a sleek user interface. The group's business model combines hacker training with an affiliate program to monetize these skills in a marketplace called Bazooka Code Pentest Training. Trained hackers are offered a platform to perform "pentesting services" for clients, allowing the threat actors to potentially target specific organizations. Initial contact with AlphaLock was through a public Telegram channel, which they've since switched to a private setting, utilizing the decentralized chat application Matrix. The group also plans to move their communications and recruitment further onto platforms like a YouTube channel. Flare, a threat exposure management company that sponsored the article, offers services to monitor illegal activities, revealing insights into evolving cybercrime ecosystems. | Details |
| 2023-11-14 14:46:30 | theregister | CYBERCRIME | Royal Ransomware Potentially Rebranding Amidst High Earnings | The FBI and CISA have issued fresh guidance on the Royal ransomware, hinting at a potential rebrand or emergence of a spinoff variant due to similarities with BlackSuit ransomware. Evidence of code overlaps and comparable intrusion methods between Royal and BlackSuit suggests a close relationship, possibly indicative of a rebranding effort. Security researchers have discovered nearly identical code between the Royal and BlackSuit ransomware strains, with minor distinctions. Threat actors associated with these ransomware groups have utilised legitimate software and tools, such as AnyDesk, LogMein, and SSH clients, for network tunneling and maintaining persistent access. The Royal ransomware group has amassed over $275 million in ransom demands from more than 350 victims, with individual demands ranging between $250,000 and $11 million. Royal is known for targeting critical national infrastructure sectors, including manufacturing, healthcare, and education, posing serious concerns for national security. CISA and the FBI's advisory provides comprehensive indicators of compromise (IOCs) and mitigation strategies for organizations to defend against these ransomware threats. | Details |
| 2023-11-14 11:57:34 | thehackernews | DDOS | Docker Engines Hijacked by OracleIV DDoS Botnet Attack | Public Docker Engine API instances are under attack, being forcibly integrated into the OracleIV DDoS botnet. Attackers deploy malicious Docker containers using misconfigured public Docker APIs, facilitated by an HTTP POST request. The oracleiv_latest image masquerades as a MySQL Docker image and has been downloaded 3,500 times, but it is used for DDoS attacks rather than its purported purpose. The attack leverages a shell script to execute DDoS strategies including slowloris, SYN floods, and UDP floods. Although the counterfeit container has capabilities to mine cryptocurrency, such activities were not observed by the cloud security firm. Vulnerable MySQL servers have also been identified as targets for the Ddostf DDoS botnet, which can execute commands from new C&C servers and is sold as a DDoS service. Several new DDoS botnets have emerged, showing an increase in such threat actors using sophisticated methods to evade detection and carry out their attacks. XorDdos malware has witnessed a resurgence, targeting Linux devices to turn them into bots for DDoS purposes, with a peak in activity noted in August 2023. | Details |
| 2023-11-14 11:57:34 | thehackernews | DATA BREACH | Navigating Cyber Threats with Continuous Security Monitoring | The global average cost of a data breach in 2023 is $4.45 million, bringing severe financial and reputational damages. Traditional cybersecurity defenses are no longer sufficient due to the increasing frequency and costs of data breaches. Continuous security monitoring is advocated as a crucial strategy, providing ongoing vigilance against vulnerabilities and threats. Continuous monitoring offers a dynamic, 24/7 approach to security, unlike periodic assessments that provide only a snapshot of security posture. A report reveals that 74% of internet-exposed web apps containing personally identifiable information (PII) are vulnerable to attack. Organizations must choose between pen testing as a service (PTaaS) and standard pen testing to protect web applications, based on specific needs. PTaaS and standard pen tests each have unique advantages for maintaining robust cybersecurity in an evolving digital landscape. Outpost24 provides solutions for continuous monitoring that help prioritize vulnerabilities and optimize cybersecurity postures. | Details |