Weekly Cyber Reports

This Week in Cyber 03 November 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

3rd November, 2023


Analyst Insight

In the realm of cybersecurity this week, we've witnessed the emergence of new exploitation methods and the discovery of vulnerabilities in critical systems, including Kubernetes and MSIX files. Furthermore, there's been a notable shift towards global cooperation to ensure the future safety of AI. It's a stark reminder that vulnerabilities continue to surface regularly, each carrying the potential to inflict varying degrees of damage on systems.

Among the vulnerabilities disclosed this week, some affect widely used business systems, including Kubernetes, Google Chrome, Microsoft Edge, Windows, and Windows drivers. The challenge lies in the fact that patches aren't always promptly released, leaving systems exposed for a certain period. To combat this, Telesoft's MDR service employs dedicated analysts working around the clock to proactively identify and mitigate threats associated with these vulnerabilities.

Another emerging trend is the abuse of DNS by sophisticated attackers. DNS traffic is just as important to monitor as HTTP/HTTPS traffic, which is why Telesoft has implemented machine learning to assist analysts in spotting domain generation algorithms (DGAs). The Puma section below highlights how attackers have used DGAs to bypass detection for years and underscores the essential role of a vigilant, informed security team that stays abreast of emerging threats.


Threat Actor: Prolific Puma

Researchers have unveiled the clandestine activities of a threat actor dubbed Prolific Puma, who has been operating an underground link shortening service for the past four years. Prolific Puma generates domain names using a registered domain generation algorithm and offers this service to malicious actors to distribute phishing, scams, and malware while evading detection. The actor has registered between 35,000 and 75,000 unique domain names; the domains are alphanumeric and pseudo-random, often only 3 to 4 characters long.

The real-world identity of Prolific Puma remains unknown. The actor uses an American domain registrar called NameSilo for registration and name servers because of its affordability and bulk registration capabilities. At Telesoft we are aware of the danger that domain generation algorithms pose. As part of our effort to ensure security resilience, we use machine-learning-supported automation to identify these anomalous domains and raise them to the attention of our trained analysts.


Flaws Discovered in NGINX Ingress Controller for Kubernetes

Security researchers have recently uncovered three unpatched high-severity vulnerabilities in the NGINX Ingress controller for Kubernetes, posing a serious threat to cluster security. These vulnerabilities, denoted as CVE-2022-4886, CVE-2023-5043, and CVE-2023-5044, allow threat actors to bypass path sanitisation, inject arbitrary commands, and execute code via specific annotations, potentially leading to the theft of sensitive credentials from the cluster. Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, emphasised that these flaws enable attackers to gain unauthorised access to crucial data by manipulating the Ingress object configuration.

Addressing these issues is crucial: they underline the inherent risk of Ingress controllers holding access to TLS secrets and the Kubernetes API, which makes them a high-value target and emphasises the importance of robust security controls within Kubernetes environments. Stay vigilant and ensure your Kubernetes clusters are protected against these critical vulnerabilities. Regularly updating the NGINX Ingress controller and implementing the recommended mitigations can significantly enhance your cluster's security posture and safeguard sensitive data from potential breaches.
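The vulnerabilities above are reached through the Ingress object itself (annotations and path definitions), so one practical mitigation is to lint Ingress manifests before they reach the controller. The following is an added example, not ARMO's research tooling and not the ingress-nginx project's own validation: a heuristic check that flags snippet annotations (which paste raw NGINX configuration into nginx.conf), annotation values containing characters that can terminate a generated directive, and paths outside a conservative allow-list. The rule set, the thresholds and both manifests are assumptions constructed for the example.

```python
"""Heuristic lint for Kubernetes Ingress manifests: flags annotations that
paste raw NGINX configuration into nginx.conf and annotation values or paths
that carry characters able to terminate the generated directive.
Added example with assumed rules; not ARMO's research tooling and not the
ingress-nginx project's own validation."""
import re
from typing import Dict, List

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that end an NGINX directive or open a new block/comment.
DIRECTIVE_BREAKERS = re.compile(r"[\r\n;{}#]")
# Conservative allow-list for an Ingress path: leading "/" then URL-safe chars.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._~\-/]*$")


def check_annotations(annotations: Dict[str, str]) -> List[str]:
    """Snippet annotations are raw config by design, so they are flagged outright;
    every other controller annotation is checked for directive-breaking characters."""
    findings = []
    for key, value in annotations.items():
        if not key.startswith(NGINX_PREFIX):
            continue
        if key.endswith("-snippet"):
            findings.append(f"{key}: injects raw NGINX configuration")
            continue
        if DIRECTIVE_BREAKERS.search(str(value)):
            findings.append(f"{key}: value contains directive-breaking characters")
    return findings


def check_paths(spec: dict) -> List[str]:
    """Reject paths outside the allow-list or containing '..' segments."""
    findings = []
    for rule in spec.get("rules", []):
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            if not SAFE_PATH.match(path) or ".." in path:
                findings.append(f"path {path!r}: outside the allowed pattern")
    return findings


def lint_ingress(manifest: dict) -> List[str]:
    """Return every finding for one Ingress object (empty list means clean)."""
    annotations = manifest.get("metadata", {}).get("annotations", {})
    return check_annotations(annotations) + check_paths(manifest.get("spec", {}))


def _path(path: str) -> dict:
    return {"path": path, "pathType": "Prefix",
            "backend": {"service": {"name": "shop", "port": {"number": 80}}}}


# Constructed manifests for demonstration; not taken from any real cluster.
RISKY_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "shop",
        "annotations": {
            f"{NGINX_PREFIX}configuration-snippet": "proxy_set_header X-Real-IP $remote_addr;",
            f"{NGINX_PREFIX}permanent-redirect": "https://shop.example.com/;\n",
            f"{NGINX_PREFIX}rewrite-target": "/",
        },
    },
    "spec": {"rules": [{"host": "shop.example.com", "http": {"paths": [
        _path("/api/../admin"),
        _path("/files\r\nlocation /x"),
    ]}}]},
}

CLEAN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "shop",
                 "annotations": {f"{NGINX_PREFIX}rewrite-target": "/"}},
    "spec": {"rules": [{"host": "shop.example.com",
                        "http": {"paths": [_path("/"), _path("/api/v1")]}}]},
}

if __name__ == "__main__":
    for name, manifest in (("risky", RISKY_INGRESS), ("clean", CLEAN_INGRESS)):
        print(name, lint_ingress(manifest) or "no findings")
```

A check like this fits in a CI step over rendered manifests or behind a validating admission webhook, and complements the controller's own ConfigMap setting `allow-snippet-annotations`, which disables snippet annotations cluster-wide.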


Vulnerable Windows Drivers Pose Security Threats to Devices and Systems

Non-privileged threat actors can potentially exploit 34 distinct vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers, gaining full control over devices and executing arbitrary code on the underlying systems. This exploitation allows attackers to erase or alter firmware and elevate operating system privileges. The research builds upon previous studies like ScrewedDrivers and POPKORN, which used symbolic execution to discover vulnerable drivers. It specifically targets drivers with firmware access through port I/O and memory mapped I/O.

Some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ngiodriver.sys, nvoclock.sys, PDFWKRNL.sys (CVE-2023-20598), RadHwMgr.sys, rtif.sys, rtport.sys, stdcdrv64.sys, and TdkLib64.sys (CVE-2023-35841). Six of the drivers allow kernel memory access, potentially elevating privilege, and defeating security solutions. Twelve of the drivers could be exploited to undermine security mechanisms like kernel address space layout randomisation (KASLR).

VMware also identified WDF drivers like WDTKernel.sys and H2OFFT64.sys that, while not vulnerable in terms of access control, could be weaponised by privileged threat actors for a "Bring Your Own Vulnerable Driver" (BYOVD) attack. This technique has been employed by various adversaries, including the notorious Lazarus Group, to gain elevated privileges and disable security software, thereby evading detection.


Global Accord on AI Safety: The Bletchley Declaration and the Push for Cooperation

The Bletchley Declaration, signed by 28 countries including the US, China, and the EU, seeks to enhance global cooperation on AI safety. Published at the AI Safety Summit in the UK, the declaration establishes shared responsibility and agreement on the risks and opportunities related to AI safety. It encourages transparency and accountability among those developing advanced AI technology, focusing on measuring, monitoring, and mitigating potential risks. The declaration outlines a two-pronged agenda, emphasising the identification of shared risks and the development of cross-country policies to address them. British Prime Minister Rishi Sunak views this as a significant achievement in recognising the urgency of understanding AI risks to secure the future. Elon Musk, CEO of Tesla and SpaceX, attending the summit, supports the idea of establishing a "third-party referee" to oversee AI development and raise concerns when necessary. The summit aims to create a framework for insight into AI developments before implementing oversight measures.


Data-Bouncing: Covert Communication in the Digital Shadows

A clandestine technique known as data-bouncing has emerged, posing a significant challenge to traditional security measures. At its core, data-bouncing capitalises on the intricacies of DNS, headers, and web applications, transforming seemingly innocuous web interactions into covert channels for data transfer. This covert communication method operates by manipulating hostnames and headers, enabling adversaries to establish stealthy pathways for data exfiltration. In this blog post, we unravel the layers of data-bouncing, exploring its fundamental principles, real-world applications, and the future possibilities it holds.


In the real world, data-bouncing finds unexpected havens in popular communication platforms, web fetching services, and even email sign-up forms. These unsuspecting features become vehicles for covert communication, creating a pervasive challenge for defenders. The implications extend beyond technical nuances, delving into legal territories, GDPR intricacies, and potential sanctions. As data-bouncing continues to evolve, it prompts a crucial conversation within the cybersecurity community about the ethical considerations, detection challenges, and collaborative efforts required to safeguard digital infrastructures.


Looking ahead, the future of data-bouncing hinges on innovative strategies and adaptive defences. As adversaries explore HTTP protocols, diverse integration methods, and emerging techniques beyond headers, the cybersecurity community must remain vigilant. Our SOC team analyses DNS traffic patterns, scrutinises headers and monitors for data transfer. Hypothesis-based threat hunting, supported by proactive intelligence gathering, means that we are always on the hunt for new and emergent threats.
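Two of the patterns discussed above leave a footprint in DNS query logs: the Prolific Puma infrastructure (clients resolving many short, pseudo-random registered domains) and data-bouncing (query names whose subdomain labels carry encoded data). The following is an added example, not Telesoft's machine-learning tooling or the original researchers' code: a small triage script that parses constructed DNS log lines and applies both heuristics. The log format, the registered-domain split (last two labels, with no public suffix list), the label-length and entropy thresholds, and the per-client volume threshold are all assumptions made for the example.

```python
"""Heuristic DNS log triage for two patterns:
(1) clients resolving many short pseudo-random registered domains
    (registered-DGA style infrastructure), and
(2) query names carrying long high-entropy labels (data encoded into
    subdomains). Added example; all thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, one "<client ip> <queried name>" per line. The
# .example TLD is reserved for documentation, so none of these names are real.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.7 k7xq.example
10.0.0.7 p2jv.example
10.0.0.7 zq9w.example
10.0.0.7 8hrt.example
10.0.0.9 0123456789abcdef0123456789abcdef.t.dropzone.example
10.0.0.9 fedcba9876543210fedcba9876543210.t.dropzone.example
10.0.0.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.dropzone.example
10.0.0.9 www.example.com
"""

SHORT_LABEL_RE = re.compile(r"^[a-z0-9]{3,4}$")
ENCODED_LABEL_RE = re.compile(r"^[a-z0-9]{16,}$")  # hex / base32-style alphabet
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_name(qname: str) -> Tuple[List[str], str]:
    """Split a query name into (subdomain labels, registered domain).
    Assumption: the registered domain is the last two labels. Real deployments
    should consult a public suffix list so that names under co.uk etc. are right."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], qname.lower()
    return labels[:-2], ".".join(labels[-2:])


def looks_pseudo_random_short(label: str) -> bool:
    """3-4 character alphanumeric label that mixes in digits or has no vowels."""
    if not SHORT_LABEL_RE.match(label):
        return False
    return any(ch.isdigit() for ch in label) or not (set(label) & VOWELS)


def parse_log(text: str) -> List[Tuple[str, str]]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append((parts[0], parts[1].lower()))
    return records


def find_rdga_clients(records: List[Tuple[str, str]], min_distinct: int = 3) -> Dict[str, List[str]]:
    """Clients that resolved at least min_distinct distinct short pseudo-random
    registered domains. Volume per client is the signal: a single short domain
    is normal, and well-known ones should be allow-listed upstream."""
    per_client = defaultdict(set)
    for client, qname in records:
        _, registered = split_name(qname)
        if looks_pseudo_random_short(registered.split(".")[0]):
            per_client[client].add(registered)
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_distinct}


def find_encoded_labels(records: List[Tuple[str, str]], min_entropy: float = 3.0) -> List[Tuple[str, str, float]]:
    """Query names with a subdomain label that is long, drawn from an encoding
    alphabet and high-entropy: the shape of data carried inside DNS names."""
    hits = []
    for client, qname in records:
        subdomains, _ = split_name(qname)
        for label in subdomains:
            if ENCODED_LABEL_RE.match(label):
                entropy = shannon_entropy(label)
                if entropy >= min_entropy:
                    hits.append((client, qname, round(entropy, 2)))
                    break
    return hits


def analyse(log_text: str) -> dict:
    records = parse_log(log_text)
    return {"rdga_clients": find_rdga_clients(records),
            "encoded_labels": find_encoded_labels(records)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DNS_LOG).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("  ", item)
```

On the constructed log, 10.0.0.7 is reported for resolving four distinct short pseudo-random domains and 10.0.0.9 for three 32-character hex labels; the 10.0.0.5 traffic produces nothing. In production the same two functions would run over a rolling window per client, with allow-lists for known short brand domains and a public suffix list replacing the two-label split.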

