
Canary Trap’s Bi-Weekly Cyber Roundup – Nov. 24, 2023

Welcome to the fourth edition of the Canary Trap Cyber Roundup! In this bi-weekly report, we delve into the intricate web of cybersecurity, presenting the latest, most pressing headlines that have dominated the digital security landscape. As threats continue to evolve and adversaries become more sophisticated, staying informed about cybersecurity developments is essential for individuals and businesses alike.

This edition unveils critical incidents and emerging threats that demand attention and strategic action. From bypassing Windows Hello to significant data breaches impacting governments, zero-day vulnerabilities addressed by tech giants, and the emergence of sophisticated malware, each story encapsulates the ever-evolving challenges of the cyber realm. Additionally, stringent regulations combating fraud and breaches in telecommunications and the vulnerabilities within essential infrastructure underscore the pressing need for heightened cybersecurity measures.

  • Attackers Able to Bypass Windows Hello

A recent cybersecurity concern has emerged with the discovery of vulnerabilities in the Windows Hello fingerprint authentication system. Researchers from Blackwing Intelligence, in a study sponsored by Microsoft’s Offensive Research and Security Engineering group, identified the flaws in the embedded fingerprint sensors of specific laptop models, including a Dell Inspiron, a Lenovo ThinkPad, and a Microsoft Surface Pro X. The sensors in question, manufactured by ELAN, Synaptics, and Goodix, are Match-on-Chip (MoC) devices: each carries its own microprocessor and storage, so fingerprint templates never leave the chip and matching happens on the sensor itself. That design stops a host-side attacker from stealing or replaying stored fingerprint data, but it does nothing to stop a malicious device from impersonating the sensor toward the host; a spoofed sensor that mimics legitimate sensor communications can report a successful match that never happened.

Microsoft designed the Secure Device Connection Protocol (SDCP) to close exactly that gap, by authenticating the sensor to the host and protecting the channel between them. Even so, the researchers bypassed Windows Hello on all three laptops using man-in-the-middle attacks, combining software and hardware reverse engineering with the exploitation of cryptographic implementation flaws in the Synaptics sensor’s custom TLS protocol.

On the Dell and Lenovo laptops, the researchers achieved the bypass by manipulating valid user IDs and enrolling an attacker’s fingerprint. On the Surface device, which had no SDCP protection at all, the attack consisted of spoofing the fingerprint sensor. The researchers’ assessment was that Microsoft’s SDCP design is sound, but that the device manufacturers’ implementations did not fully meet its security objectives, and that SDCP was often simply not enabled, leaving a considerable attack surface exposed. For defenders, the takeaway is that a sensor being MoC says nothing about whether SDCP is enabled on that model, and SDCP is what actually blocks the spoofed-sensor attack.

These findings are significant given the widespread adoption of Windows Hello: Microsoft reported that the share of Windows 10 users signing in with it grew from 69.4% in 2019 to 84.7% three years later.

  • Canadian Government Responds to Significant Data Breach Involving Contractors

Recently, the Canadian government disclosed a major data breach affecting two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services. The breach, which occurred last month, exposed sensitive data dating back to 1999 from BGRS and SIRVA Canada systems. This data pertains to various government employees, including members of the Royal Canadian Mounted Police, Canadian Armed Forces, and other government staff.

The LockBit ransomware gang has claimed responsibility for the breach of SIRVA’s systems, claiming to have leaked 1.5TB of documents along with backups of Customer Relationship Management systems for different regional branches. The Canadian government, upon learning of the breach on October 19th, immediately reported the incident to the Canadian Centre for Cyber Security and the Office of the Privacy Commissioner.

The full extent of the breach, including the specific number of affected individuals, is still under analysis. However, preliminary assessments indicate potential exposure of personal and financial information for those who have utilized relocation services since 1999. In response, the government is taking proactive measures, offering services such as credit monitoring and reissuing compromised documents to affected personnel.

Affected individuals are advised to update login credentials, enable multi-factor authentication, and closely monitor their online financial and personal accounts. In cases of suspected unauthorized account access, they should immediately contact their financial institutions, local law enforcement, and the Canadian Anti-Fraud Centre.

  • Microsoft Addresses Multiple Zero-Day Vulnerabilities in Latest Patch

In November 2023, Microsoft released patches for 63 security flaws across its products, three of which were already being exploited in the wild. Five of the 63 were zero-days, meaning they were either under active exploitation or publicly disclosed before a fix shipped:

  1. CVE-2023-36025 (CVSS score: 8.8) – A Windows SmartScreen Security Feature Bypass Vulnerability. This flaw, which could allow attackers to bypass Windows Defender SmartScreen checks, is the third Windows SmartScreen zero-day vulnerability exploited in 2023 and the fourth in two years.
  2. CVE-2023-36033 (CVSS score: 7.8) – A Windows DWM Core Library Elevation of Privilege Vulnerability. This is the first time in two years that a DWM Core Library vulnerability has been exploited as a zero-day.
  3. CVE-2023-36036 (CVSS score: 7.8) – A Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. Both CVE-2023-36033 and CVE-2023-36036 could be exploited to gain SYSTEM privileges.
  4. CVE-2023-36038 (CVSS score: 8.2) – An ASP.NET Core Denial of Service Vulnerability.
  5. CVE-2023-36413 (CVSS score: 6.5) – A Microsoft Office Security Feature Bypass Vulnerability.

Additionally, the update addressed two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast, along with a critical heap-based buffer overflow flaw in the curl library and an information disclosure vulnerability in Azure CLI. The latter could allow attackers to recover plaintext passwords and usernames from log files.

In response to these vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged federal agencies to apply the fixes by December 5, 2023. Microsoft also shipped Azure CLI 2.54, which hardens the tool against inadvertent usage that could write secrets into logs.

  • WailingCrab Malware Emerges as a Sophisticated Threat via Shipping-Themed Emails

A new malware loader named WailingCrab, also known as WikiLoader, has been detected spreading through delivery- and shipping-themed emails. This sophisticated malware, first documented by Proofpoint in August 2023, was originally observed in December 2022. It is a complex assembly of components including a loader, injector, downloader, and backdoor, requiring communication with command-and-control (C2) servers to proceed to each stage. 

The malware was developed by a threat actor known as TA544, alternatively identified as Bamboo Spider and Zeus Panda, and labeled Hive0133 by IBM X-Force. WailingCrab is designed with stealth in mind, evading detection through the use of legitimate, compromised websites for initial C2 communications. Notably, it employs well-known platforms like Discord for storing malware components and has recently integrated MQTT, a lightweight messaging protocol, for C2, a method rarely seen in the threat landscape.

The attack begins with emails containing PDF attachments with URLs. When clicked, these URLs trigger the download of a JavaScript file from Discord, which then retrieves and launches the WailingCrab loader. The latest version of WailingCrab includes an encrypted backdoor component, requiring a decryption key from its C2 server. This backdoor establishes persistence on infected hosts and contacts the C2 server using MQTT for additional payloads. Recent versions have moved away from using Discord for payload retrieval, opting instead for MQTT directly from C2, enhancing stealth and evasion capabilities.
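The loader chain described above, a JavaScript stage fetched from Discord’s CDN followed by MQTT beaconing to C2, is unusual enough to be worth hunting for in network telemetry. The following is an added example (not from the Canary Trap post, nor from the IBM X-Force or Proofpoint research) that runs that logic over a handful of constructed connection-log lines; the log layout, the 30-minute correlation window, and the allowlist of hosts expected to speak MQTT are all assumptions made for this example. It treats a Discord CDN fetch followed by outbound MQTT from the same host within the window as high confidence, and any other MQTT from a non-allowlisted host as something to review.

```python
"""Flag hosts whose connections match the WailingCrab delivery chain (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional

MQTT_PORTS = {1883, 8883}        # MQTT in the clear and MQTT over TLS
DISCORD_CDN = re.compile(r"(^|\.)discordapp\.(com|net)$", re.IGNORECASE)
# Assumption for this example: the loader's first C2 beacon follows the Discord
# fetch within half an hour.  Tune to what your own telemetry shows.
WINDOW = timedelta(minutes=30)

# Constructed sample log, not real traffic.  Layout (space separated):
# ISO-8601 timestamp, source IP, destination host or IP, destination port, protocol.
SAMPLE_LOG = """\
2023-11-15T08:10:00Z 10.20.0.50 cdn.discordapp.com 443 tcp
2023-11-15T09:01:12Z 10.20.0.14 cdn.discordapp.com 443 tcp
2023-11-15T09:01:40Z 10.20.0.14 203.0.113.57 8883 tcp
2023-11-15T09:03:05Z 10.20.0.14 203.0.113.57 8883 tcp
2023-11-15T09:05:00Z 10.20.0.9 media.discordapp.net 443 tcp
2023-11-15T09:10:22Z 10.20.0.31 198.51.100.8 1883 tcp
2023-11-15T09:11:00Z 10.20.0.9 www.example.com 443 tcp
2023-11-15T09:30:00Z 10.20.0.50 198.51.100.8 1883 tcp
2023-11-15T09:45:00Z 10.20.0.200 192.0.2.10 8883 tcp
"""


@dataclass
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Conn]:
    """Parse one record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, _proto = parts
    return Conn(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, int(dport))


def parse_log(text: str) -> List[Conn]:
    return [c for c in map(parse_line, text.splitlines()) if c is not None]


def find_suspects(conns: List[Conn], mqtt_allowlist: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Return {source IP: verdict} for hosts that talk MQTT.

    'high'   : Discord CDN fetch followed by MQTT within WINDOW (the chain in the post)
    'medium' : MQTT from a host that is not a known broker client (worth a look on its own)
    Hosts on mqtt_allowlist (IoT gateways, telemetry collectors, ...) are skipped.
    """
    first_discord: Dict[str, datetime] = {}
    mqtt_by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if DISCORD_CDN.search(c.dst):
            # keep the earliest fetch even if the log is not sorted
            if c.src not in first_discord or c.ts < first_discord[c.src]:
                first_discord[c.src] = c.ts
        if c.dport in MQTT_PORTS:
            mqtt_by_src[c.src].append(c)

    verdicts: Dict[str, str] = {}
    for src, beacons in mqtt_by_src.items():
        if src in mqtt_allowlist:
            continue
        first_mqtt = min(b.ts for b in beacons)
        brokers = ", ".join(sorted({f"{b.dst}:{b.dport}" for b in beacons}))
        fetched = first_discord.get(src)
        if fetched is not None and timedelta(0) <= first_mqtt - fetched <= WINDOW:
            gap = int((first_mqtt - fetched).total_seconds())
            verdicts[src] = f"high: Discord CDN fetch then MQTT to {brokers} after {gap}s"
        else:
            verdicts[src] = f"medium: unexpected MQTT to {brokers}"
    return verdicts


if __name__ == "__main__":
    # 10.20.0.200 stands in for a legitimate IoT gateway that is expected to use MQTT.
    for host, verdict in sorted(find_suspects(parse_log(SAMPLE_LOG), frozenset({"10.20.0.200"})).items()):
        print(host, verdict)
```

The pattern alone is not proof: Discord is used legitimately and MQTT is common in IoT deployments, which is why the allowlist exists. The separate "medium" verdict also matters because, as noted above, newer WailingCrab builds skip Discord and talk MQTT to C2 directly, so the Discord-then-MQTT correlation will not fire for them.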

The increasing use of Discord’s content delivery network by threat actors for malware distribution has been noted, with Discord planning to switch to temporary file links by year-end to counteract this trend.

  • FCC Introduces Stringent Regulations to Combat SIM Swapping and Port-Out Fraud

The U.S. Federal Communications Commission (FCC) has announced the implementation of new regulations aimed at safeguarding consumers from SIM swapping and port-out fraud. SIM swapping involves unauthorized transfer of a user’s account to a SIM card under the control of a scammer, while port-out fraud occurs when a criminal, impersonating the victim, switches their phone number to a different service provider without their consent. These frauds can lead to unauthorized access to victims’ online accounts, including financial and social media accounts, by bypassing SMS-based two-factor authentication.

The new rules, first proposed in July 2023, require wireless providers to securely authenticate a customer’s identity before transferring their phone number to a new device or provider. Additionally, customers must be immediately alerted of any SIM change or port-out requests on their accounts, enabling them to take timely action against potential threats. This development reflects the FCC’s commitment to consumer protection, ensuring secure verification procedures and reliable privacy guarantees from wireless providers.

In parallel, the FCC is investigating the role of artificial intelligence in robocalls and robotexts, examining its potential both as a tool for blocking unwanted communications and as a means for fraudsters to deceive consumers more effectively.

  • Exploitation of MOVEit Software Impacts Over 2.6K Organizations and 77M Individuals

A massive exploitation of Progress Software’s MOVEit file transfer application has led to the breach of data from over 2,620 organizations and more than 77 million individuals. The Russian ransomware gang Clop exploited a vulnerability in MOVEit, resulting in widespread data access and leakage.

Among the affected is antivirus company Avast, which acknowledged unauthorized access to some of its customers’ low-risk personal information. Following the breach, Avast informed impacted customers and offered free dark web monitoring services. Despite this, leaked data reportedly appeared on a hacking forum, including names, contact information, and details of purchased products from Avast. No sensitive financial or account details were reportedly compromised.

Avast’s response to the breach has drawn criticism for its marketing tactics, prompting user complaints about the company’s approach to recommending additional paid services in the wake of the security incident.

Separately, healthcare communications provider Welltok has been notifying over 1.6 million patients about potential data breaches. This includes patients associated with various health plans and hospitals, with compromised data potentially including names, addresses, birth dates, and health information. Welltok learned of the compromise of its MOVEit instance in July and has been issuing notifications since October. The breach also affected about one million Corewell Health patients and 2,500 Priority Health members, exposing sensitive personal and health information.

  • Denmark’s Critical Infrastructure Endures Largest Cyber Attack in History

In May, Denmark’s critical infrastructure experienced its most significant online attack to date. SektorCERT, Denmark’s cybersecurity agency for critical infrastructure, reported that 22 companies were compromised within a few days. Many organizations had to isolate their networks from the internet due to unpatched vulnerabilities in Zyxel firewalls, which were exploited in these attacks.

The first wave, beginning on May 11, targeted 16 energy organizations, exploiting the CVE-2023-28771 vulnerability. Eleven of these organizations were immediately compromised. This phase was believed to be reconnaissance, with attackers obtaining firewall configurations and credentials. After 10 days of inactivity, a second wave commenced. One organization, already compromised, inadvertently alerted SektorCERT when it began downloading firewall updates over an insecure connection. 

The compromised firewalls were also enlisted into a Mirai botnet and used for DDoS attacks against targets in the US and Hong Kong. The attackers are suspected to have used two Zyxel firewall zero-days that were not known to SektorCERT at the time. Hours later, another Mirai attack occurred, forcing further isolation measures. In the following days, six additional organizations were compromised through their Zyxel firewalls; some were unaware they even possessed such devices.

The final wave started on May 24, when SektorCERT detected advanced persistent threat (APT) traffic linked to Sandworm, the Russian GRU cyber unit. This was a first for SektorCERT in its three years of operation. Although attribution could not be made with confidence, the impact was limited to loss of visibility into remote locations of one organization. Despite these challenges, there was no significant disruption to Denmark’s critical infrastructure. SektorCERT commended the rapid response of its experts and the affected organizations. Going forward, it has advised a focus on systemic vulnerabilities, with emphasis on prevention, detection, and response against such attacks.

These headlines serve as an urgent reminder of the continuous battle in the realm of cybersecurity. The threats outlined here underscore the importance of constant vigilance, proactive security measures, and strategic readiness against evolving cyber threats.
