For the latest discoveries in cyber research for the week of 11th December, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The American Greater Richmond Transit Company (GRTC), which provides services for millions of people, has been a victim of cyber-attack that impacted certain applications and parts of the GRTC network. The Play ransomware gang claimed responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Play; Ransomware.Wins.PLAY)

Multinational retailer Aldo has acknowledged a ransomware attack that impacted the systems of an unspecified franchise partner. The LockBit ransomware gang has claimed responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.LockBit.ta*; Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit.AI, Ransomware_Linux_Lockbit)

AlphV (aka BlackCat) ransomware gang claimed responsibility for cyber-attacks on three victims: American medical provider Norton Healthcare; IT services and business consulting company HTC Global Services; and Tipalti, an Israeli fintech software provider startup with headquarters in Canada. The attack on Tipalti has allegedly resulted in the compromise of over 265GB of confidential information belonging to the company and its customers, including the video game Roblox and streaming platform Twitch. According to AlphV, an insider from Tipalti was and is still actively involved in the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat; Ransomware.Wins.BlackCat.ta*, Ransomware_Linux_BlackCat,)

American multinational confectionery company Hershey has disclosed a data breach that affected more than 2,200 people as the result of a successful email phishing attack against the company. The stolen data potentially includes full names, health and medical details, debit and credit card data, financial account information and more.
Japanese car manufacturer Nissan has confirmed a cyber-attack that affected Nissan Oceania, its Australian and New Zealand regional division, and took systems offline as a precaution. The company did not share specific information on the type or extent of the breach.
The Hunters International ransomware group claimed responsibility for cyber-attacks on the Australian shipbuilder Austal USA and Florida water agency, St. Johns River Water Management District. The attacks affected Florida water agency’s information technology environment and potentially impacted Austal’s USA documents, recruiting information, finance details, certifications, and engineering data.

VULNERABILITIES AND PATCHES

Google’s December 2023 Android security update addresses 85 vulnerabilities, notably including a critical zero-click remote code execution flaw (CVE-2023-40088) in the Android System component. The update addresses 84 other security vulnerabilities, with three critical ones related to privilege escalation and information disclosure in Android Framework and System components (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866), and another critical flaw in Qualcomm’s closed-source components (CVE-2022-40507).
Atlassian has released software fixes to address four critical vulnerabilities that could lead to remote code execution (RCE). These flaws include a deserialization vulnerability in the SnakeYAML library (CVE-2022-1471), and RCE vulnerabilities in Confluence Data Center and Confluence Server, Assets Discovery for Jira Service Management and in Atlassian Companion app for macOS (CVE-2023-22522, CVE-2023-22524, CVE-2023-22523).

THREAT INTELLIGENCE REPORTS

Check Point Research has examined various attack vectors in modern Outlook and compared the user interoperability required for each scenario when attackers use Outlook to deliver their exploits. The attack vectors have been observed in three categories: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector.

Check Point Threat Emulation and IPS provide protection against this threat.

Check Point Research has identified a shift in the targeting of the Iranian hacktivist proxies which are now extending their cyber operations to include targets in other countries besides Israel, with a particular emphasis on the United States. Moreover, groups such as CyberAv3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyberattacks. They claim to target US entities using Israeli technology, suggesting a strategy of simultaneously targeting both Israeli and US interests.
Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by 22,000%. The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. This incident sheds light on the evolving strategies scammers employ to exploit decentralized finance platforms.
The Russia-based actor Star Blizzard (aka COLDRIVER/Callisto Group) persistently employs spear-phishing attack techniques for information-gathering purposes. The threat actor has been observed targeting individuals and organizations in the UK and US that involved in international affairs, defense, and logistics support to Ukraine.

The post 11th December – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More

Cloud computing has become an integral part of IT infrastructure for businesses of all sizes, providing on-demand access to a wide range of services and resources. The evolution of cloud computing has been driven by the need for more efficient, scalable and cost-effective ways to deliver computing resources.

Cloud computing enables on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) over the internet. Instead of owning and maintaining physical hardware and infrastructure, users can leverage cloud computing services provided by third-party providers.

Cloud service and deployment models

Cloud computing is commonly categorized into service and deployment models:

Service models

Infrastructure as a Service (IaaS): Provides virtualized computing resources over the internet. Users can rent virtual machines and storage and networking components.
Platform as a Service (PaaS): Offers a platform that includes tools and services for application development, testing and deployment. Users can focus on building applications without managing the underlying infrastructure.
Software as a Service (SaaS): Delivers software applications over the internet on a subscription basis. Users access the software through a web browser without worrying about installation or maintenance.

Deployment models

Public cloud: A third-party cloud service provider owns and operates resources and makes them available to the general public. Some providers include Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.
Private cloud: A single organization exclusively uses resources. Either the organization or a third-party provider can manage the infrastructure, which can be located on-premises or off-site.
Hybrid cloud: Combines public and private cloud models to allow data and applications to be shared between them. This provides greater flexibility and optimization of existing resources and infrastructure.

4 common cloud attack scenarios

Unfortunately, every rapidly growing industry attracts not only enthusiastic entrepreneurs but also malicious actors whose goal is to take advantage of any security holes that would be unable to defend against various attacks. Here are some examples of common attack scenarios in the cloud.

1. DDoS attacks

A distributed denial of service (DDoS) attack occurs when a web application is overloaded with a high volume of traffic. DDoS protection services, like AWS Shield, can mitigate such attacks.

AWS Shield uses machine learning algorithms to analyze incoming traffic, identify patterns indicative of a DDoS attack and take action to stop the attack.

2. Data breaches

A data breach involves exploiting vulnerabilities to access and exfiltrate sensitive data. But regularly updating software, encrypting sensitive data, monitoring for unusual activity and building a good incident response can help prevent data breaches.

Below is an incident response example code (AWS Lambda for Incident Response) in Python (Boto3 is a Python software development kit [SDK] for AWS).

3. Man-in-the-middle attacks

A man-in-the-middle (MitM) attack occurs when communication between two parties is intercepted for malicious intent. The use of encryption (SSL/TLS) and implementing secure communication protocols can help prevent a MitM attack. Without encryption, data transmitted over the network can be intercepted.

The code below is an example of encrypting S3 Objects with AWS SDK for Python-Boto3.

4. Brute force attacks

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizational systems and networks.

AWS CloudWatch Alarms can provide logging and monitoring services where repeated login attempts might go unnoticed.

Cloud configuration security best practices

Security in cloud computing involves implementing measures to protect data, applications and infrastructure in a cloud environment from potential threats. Here are some best practices in key areas of cloud configurations in AWS and Azure associated with securing cloud environments.

 AWS

 Identity and access management (IAM):

Use the principle of least privilege when assigning permissions to users, roles and groups
Regularly review and audit IAM policies to align with business requirements
Enable multi-factor authentication (MFA) for enhanced user authentication.

Example AWS IAM policy:

If IAM policies are not properly configured, an attacker might gain access to sensitive resources.

VPC (virtual private cloud) configuration:

Utilize separate subnets for public and private resources.

 Example code (AWS CloudFormation):

S3 Bucket Security:

Regularly audit and review access controls for S3 buckets
Enable versioning and logging to track changes and access to objects
Consider using S3 bucket policies to control access at the bucket level
Enforce server-side encryption for S3 buckets.

Example code (AWS CLI):

Azure

Azure role-based access control (RBAC):

Assign the principle of least privilege using Azure RBAC.

 Example code (Azure PowerShell):

Azure Blob storage security:

Enable Blob storage encryption.

 Example code (Azure PowerShell):

 Azure virtual network:

Implement network security groups (NSGs) for access control.

 Example code (Azure Resource Manager Template):

Keeping digital assets secure in the cloud

Securing cloud configurations is essential to safeguard digital assets and maintain a resilient cybersecurity posture. Organizations should focus on continuous monitoring, compliance checks and proactive incident response planning to address the dynamic nature of cyber threats in the cloud.

In addition, implementing the principles of least privilege, encryption, identity and access management and network security best practices not only protects the cloud environment against potential vulnerabilities but also contributes to a culture of security awareness and responsiveness within the organization.

As cloud computing continues to evolve, organizations should commit to staying ahead of emerging security challenges and adapting configurations to maintain a resilient and secure digital presence.

Not sure how to start? IBM Security has a range of cloud security services to protect your cloud environment.

The post Best practices for cloud configuration security appeared first on Security Intelligence.

Security Intelligence – ​Read More

On October 30, 2023, President Biden issued an executive order (EO) to set new standards for the safety and security of Artificial Intelligence (AI). The move sets out the government’s intentions to regulate and further advance the growth of AI technology in the years ahead.

Yet the question remains if it goes far enough to protect the American public from AI’s exponential development — and if it does, will this stance from the president’s office stifle the nation’s ability to remain the leading force in AI’s evolution?

What the executive order means for the future of AI

Since the middle of 2022, AI has quickly infiltrated almost every industry. The rapid evolution in AI technology has led to a huge boom in business opportunities and new jobs — early reports suggest AI could contribute nearly $16 trillion to the global economy by 2030.

But many fear the impact this evolving tech may have on individuals and industries alike. The executive order is the Biden administration’s first significant step in countering any negative repercussions of AI.

White House Deputy Chief of Staff Bruce Reed claims, “It’s the next step in an aggressive strategy to do everything on all fronts to harness the benefits of AI and mitigate the risks.”

Key inclusions of this executive order

The lengthy document provides a sweeping set of regulatory principles. This new executive order is ambitious, outlining the government’s intentions to use AI to achieve several key goals:

New standards for AI safety and security
Protecting the American public’s privacy
Advancing equity and civil rights
Supporting the American workforce
Promoting innovation and competition
Advancing American leadership abroad
Ensuring responsible and effective government use of AI.

Let’s take a closer look at some notable inclusions of Biden’s Executive Order:

Labeling AI-generated content

With more AI-generated content created by the day, it’s becoming more challenging for the general public to discern between what is real and what is not. This mandate offers guidance on watermarking and clearly labeling AI-generated content so Americans can easily understand which ads, content and communications are authentic.

Supporting the American workforce

This executive order places great emphasis on recruiting AI talent, ensuring America becomes the leading destination for the most skilled leaders in their field. From changes to visas and green cards to investments in resources, tools and infrastructure, there’s a clear focus on making America a leader in the AI revolution.

Promoting innovation and competition

Although the EO places potential restrictions on developers and companies alike, it encourages investment in the space. There is immense potential to democratize AI advancements, giving people and private companies more autonomy rather than relying on major tech companies. Moreover, with proper regulations, the government can drive more innovation with AI technology to prioritize societal benefits.

Explore AI solutions

What the executive order is missing

While there is a lot of optimism around this announcement from the Biden administration, there are skeptics. Senator Ted Cruz argues these guidelines place “barriers to innovation disguised as safety measures” and that the order “undermines exactly what AI technologies promise to do: create efficiencies, spur economic growth and improve our lives.”

It leads us to wonder what is missing and the potential obstacles the EO faces.

A Forrester senior analyst, Alla Valente, states, “We don’t need more ‘voluntary’ frameworks for regulating AI — we need clear direction and mandated requirements.”

Many analysts fear the EO will become nothing more than words that appear strong but have no practical merit. Lloyd Whitman echoes this sentiment: “An executive order can only do so much, limited by the existing authorities and appropriations of the executive branch agencies.”

Currently, the EO provides an alarming lack of repercussions to those who don’t follow the guidelines. There is also little clarity on how the rules will be enforced — especially compared to the European Union AI Act, which enforces significant fines for those failing to meet standards.

The first steps of a longer journey

As AI continues to advance, there’s a fine line for legislators to protect the people without stifling innovation. The jury is out on whether these guiding principles from the president will achieve this balance.

The consensus is that although this EO provides positive steps forward, it lacks enough detail to achieve its ambitious goals.

There’s no doubt that the exponential rise of AI is set to continue. But although it will lead to massive opportunities, this technology is an area that needs clear and significant regulation. The executive order from the Biden administration is the first meaningful step, although one that is very much a work in progress.

The post How the White House sees the future of safeguarding AI appeared first on Security Intelligence.

Security Intelligence – ​Read More

Being part of the Adversary Services team at IBM, it is important to keep your skills up to date and learn new things constantly. macOS security was one field where I decided to put more effort this year to further improve my exploitation and operation skills in macOS environments.

During my research, I decided to try and discover vulnerabilities in software that I had pre-installed on my laptop, which resulted in the discovery of this vulnerability. In this article, I will go through the analysis of the vulnerability, how I discovered it, and the exploitation and disclosure process. Although we made several efforts to get the vendor to fix the vulnerability, it remains unpatched at the time of writing this blog post.

Vulnerability details

CVE-2023-40713
Affected version: Version 2.0.65 (11)
Impact: Privilege Escalation
CVSS: 7.8 — HIGH

When GOG Galaxy is installed, it creates a new file in the /Library/LaunchDaemons directory with the name of com.galaxy.ClientService.plist. This behavior results in the creation of a Launch Daemon, which is a background process running with high privileges. Usually, these processes are used as helper tools to perform privileged actions by a low privileged application.

Inspecting the PLIST file created by GOG Galaxy, it shows that an XPC service named com.gog.galaxy.ClientService is exposed by the Privileged Helper tool located in /Library/PrivilegedHelperTools/com.gog.galaxy.ClientService.

These are highlighted in the contents of the PLIST file below:

?xml version=”1.0″ encoding=”UTF-8″?>

<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN”

“http://www.apple.com/DTDs/PropertyList-1.0.dtd”>

<plist version=”1.0″>

<dict>

  <key>Label</key>

  <string>com.gog.galaxy.ClientService</string>

  <key>MachServices</key>

  <dict>

    <key>com.gog.galaxy.ClientService</key>

    <true/>

  </dict>

  <key>Program</key>

  <string>/Library/PrivilegedHelperTools/com.gog.galaxy.ClientService<

/string>

  <key>ProgramArguments</key>

  <array>

  

<string>/Library/PrivilegedHelperTools/com.gog.galaxy.ClientService</string>

  </array>

</dict>

</plist>

Quick intro to XPC service

An XPC service is an inter-process communication mechanism heavily used in macOS. It allows you to create helper tools that can perform certain tasks on behalf of an application. This is typically used for tasks that run in the background or tasks that require elevated privileges. It is usually composed of the XPC service acting as a server and an application that connects to the XPC service.

The following diagram shows a connection between the application and the XPC service:

Figure 1: NSXPC architecture (Source: Apple Developer)

I will not go into details of XPC as it is a complex topic but just think of it as the usual inter-process communication where a client can call methods that are exposed by the XPC service.

Connection validation in GOG Galaxy

The ability to call methods exposed by a service running with high privileges sounds like a bad idea. An application can just connect to the XPC service, call exposed methods, and perform actions on behalf of the XPC service. Although this is possible, most applications verify the client application and only allow specific applications to call the exposed methods.

For example, in the GOG Galaxy Privileged Helper tool, the function responsible for checking if a connection is valid (shouldAcceptNewConnection) is shown below:

-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {

    r14 = self;

    rax = [arg3 retain];

    r15 = rax;

    if ([r14 areRequirementsValidForProcessId:[rax processIdentifier]] !=

0x0) {

            rax = [NSXPCInterface

interfaceWithProtocol:@protocol(ClientServiceProtocol)];

            rax = [rax retain];

            [r15 setExportedInterface:rax];

            [rax release];

            [r15 setExportedObject:r14];

            rbx = 0x1;

            [r15 resume];

            

  [REDACTED]

The application calls the areRequirementsValidForProcessId function with the processIdentifier parameter which is the PID of the connecting process. If this function returns 0, it will export the object and allow the connection, otherwise, it will exit.

Reviewing the areRequirementsValidForProcessId function, it receives the processID as a parameter, copies the security attributes of the process using the PID and checks them against the following security requirements:

[REDACTED]

void galaxy::service_library::Logger::Info<char const*>(“Validating
signature of calling process at path {}.”, 0x33);

rax = SecRequirementCreateWithString(@”identifier ”com.gog.galaxy” and
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /*
exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = ”9WS36Q8886”“, 0x0, &var_48);

[REDACTED]

The security check itself is valid as it checks if the package identifier is com.gog.galaxy, if the certification is a valid Apple certificate, and if the team identifier is 9WS36Q8886 (which is the team identifier for GOG Galaxy).

The PID re-use problem

The problem exists because all these checks are performed against a PID which is not safe. In macOS, PIDs can be reused and we can even replace current executables with a different process with posix_spawn() while keeping the old PID. This was originally published on Warcon 18 in the presentation, Don’t Trust the PID (PDF).

This attack is based on a race condition where an exploit is going to send several messages to the XPC service and just after that, execute posix_spawn with the binary that fulfills all the security requirements to replace the malicious binary PID. By queuing a lot of messages, the time between the message processing and process validation will allow the exploit to replace the exploit PID with the real application validating the connection.

The following image shows a graphical representation of the attack:

Figure 2: Race condition when queuing XPC messages (Source: IBM)

Exposed methods of the Privileged Helper tool

Although we can manipulate the Privileged Helper and invoke any exposed methods, it is not useful unless these methods offer an opportunity for exploitation. The protocol used between the XPC service and client was called ClientServiceProtocol.

This protocol exposed the following methods:

 

– (void)requestShutdown; – (void)removeOldClientService; 

– (void)fillProcessInformationForPids:(NSArray *)arg1 authorization: (NSData
*)arg2 withReply:(void (^)(NSArray *))arg3; 

– (void)createFolderAtPath:(NSString *)arg1 authorization:(NSData *)arg2
withReply:(void (^)(NSError *))arg3; 

– (void)renameClientBundleAtPath:(NSString *)arg1 withReply:(void (^)
(NSError *))arg2; 

– (void)changeFolderPermissionsAtPath:(NSString *)arg1 authorization:
(NSData *)arg2 withReply:(void (^)(NSError *))arg3; 

– (void)getVersionWithReply:(void (^)(NSString *))arg1;

While multiple methods were exposed, the most interesting one was changeFolderPermissionsAtPath, which required three arguments.

Arg1 – Authorization data
Arg2 – The path to change permissions to
Arg3 – An array for the response

The function first checks the authorization data which can be bypassed by creating an authorization structure without any rights. After authorization is checked, the function performs a variety of actions, but the most important is calling the chmod function. The chmod function is called with the path provided in arg2 and 0x1ff, which makes any targeted file globally readable, writable, and executable.

-(void)changeFolderPermissionsAtPath:(void *)arg2 authorization:(void *)arg3

withReply:(void *)arg4 {

    r13 = [arg2 retain];

    r14 = [arg3 retain];

    var_C8 = [arg4 retain];

    rax = objc_retainAutorelease(r13); <—- RAX is initated from r13, which

is initiated from arg2

    

    var_F8 = rax;

 

[REDACTED]

    rax = [NSFileManager defaultManager];

    rax = [rax retain];

    r13 = rax;

    var_E8 = [[rax subpathsAtPath:var_F8] retain];

    rax = objc_retainAutorelease(var_F8);

    var_E0 = rax;

    rax = [rax UTF8String];

    rax = chmod(rax, 0x1ff); <— Permissions are changed using chmod

    var_B4 = rax;

    

    if (rax == 0x0) goto loc_1000c1be9;

 

 [REDACTED]

As a low-privileged user, we can communicate with the XPC service and change the permissions of any file in the system. This can be used to abuse the system in several ways, such as by modifying a Launch Daemon to execute a malicious binary when the daemon is loaded. However, this method requires a restart, so a better alternative is to modify the /etc/pam.d/login file.

The /etc/pam.d/login file is a configuration file for the Pluggable Authentication Modules (PAM) system on macOS. It contains the default authentication configuration for all services that use PAM. Modifying the auth entries to use the pam_permit.so module will allow any authentication attempt to succeed. This means that we will be able to run sudo on the target machine without entering a password.

Original File:

sh-3.2# cat /etc/pam.d/login

# login: auth account password session

auth       optional       pam_krb5.so use_kcminit

auth       optional       pam_ntlm.so try_first_pass

auth       optional       pam_mount.so try_first_pass

auth       required       pam_opendirectory.so try_first_pass

account    required       pam_nologin.so

account    required       pam_opendirectory.so

password   required       pam_opendirectory.so

session    required       pam_launchd.so
session    required       pam_uwtmp.so
session    optional       pam_mount.so
sh-3.2#

Replaced File:

sh-3.2# cat /etc/pam.d/login

# login: auth account password session

auth       optional       pam_permit.so

auth       optional       pam_permit.so

auth       optional       pam_permit.so

auth       required       pam_permit.so

account    required       pam_nologin.so

account    required       pam_opendirectory.so

password   required       pam_opendirectory.so

session    required       pam_launchd.so

session    required       pam_uwtmp.so

session    optional       pam_mount.so

sh-3.2#

Exploitation steps

Here are the required steps to successfully exploit the vulnerability:

Connect to the XPC through forked processes and replace the child processes with the legitimate binary.
Call the changeFolderPermissionsAtPath method that is exposed by the XPC modifying permissions of the /etc/pam.d/login file.
Replace the login file with one that allows authentication without password.
Escalate to root running sudo su.

We chose not to release the exploit code for this vulnerability, as it is still a 0-day. However, we have provided all the information needed to reproduce the vulnerability.

Defensive considerations

Adversaries abuse XPC services to execute malicious code, perform application white-listing bypass, and escalate privileges. On macOS, applications can leverage XPC services to send messages to the XPC service daemon, which runs with root privileges on the system. These attacks often take advantage of improper XPC client validation and poor input validation to allow code to be executed with elevated privileges.

Securing XPC can be challenging as it requires secure coding practices from the application vendor such as enabling the hardened runtime for XPC services and notarizing the application. Organizations can and should look for unsigned XPC client services and understand the risks associated with their operation in the environment. Additionally, monitoring for processes that make suspicious calls to processes with elevated privileges could be an early indication of this type of attack.

Disclosure timeline

Below is the disclosure timeline:

25 November 2022 — Vulnerability reported to GOG Galaxy
25 November 2022 — GOG Galaxy Support team responds saying details have been passed to the security team.
01 December 2022 — Asking for an update
01 December 2022 — GOG Galaxy Support team responds saying no updates were received from the security team.
09 December 2022 — Asking for update
09 December 2022 — GOG Galaxy Support team responds saying no updates were received from the security team.
12 January 2023 — Asking for an update, no response from GOG Galaxy Support team 08 February 2023 — Asking for an update
16 February 2023 — GOG Galaxy Support team responds saying no updates were received from the security team
06 March 2023 — Vendor was notified that we plan on publishing and advisory as 90 days have passed since reporting the vulnerability.
June 2023 — Disclosure

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

The post Exploiting GOG Galaxy XPC service for privilege escalation in macOS appeared first on Security Intelligence.

Security Intelligence – ​Read More