This Week in Cyber 09th January 2024

Analyst insight

This week in cybersecurity developments, notable events include the release of a decryptor by researchers targeting the Black Basta Ransomware, the discovery of a sophisticated zero-day vulnerability within Apple's iMessage feature leading to zero-click malware incidents, and the identification of vulnerabilities in SSH, OAuth, and Ivanti. As organisations resume their activities post-holidays, the absence of any catastrophic vulnerabilities akin to Log4J provides a sense of reassurance, allowing security teams to return from a well-deserved break. While the current week reflects a relative quietude in cyber news, the anticipation of forthcoming challenges in 2024 underscores the importance of proactive cybersecurity measures. Considering this, having a Managed Detection and Response (MDR) service becomes increasingly imperative to fortify organisational defences throughout the year.

Apple Backdoor: A Truly Persistent Threat

With code that has existed for over ten years; Operation Triangulation, which has certainly been active for at least the last four years, is an APT that has been manipulating and taking advantage of multiple 0 day exploits of Apple devices on an almost routine basis. This attack, designed to exploit iOS versions up to 16.2, is a 0-click iMessage attack that leverages four zero-days. The attackers send a malicious iMessage attachment, which exploits the remote code execution vulnerability CVE-2023-41990 in an undocumented, Apple-only ADJUST TrueType font instruction, all without alerting the user.

More exploits, including patching of the core JavaScript library ensures that the APT is able to execute a privilege escalation. This privilege escalation, written in javascript, is based around another exploit that takes advantage of an existing vulnerability. It is heavily obfuscated to make it entirely unreadable, and to reduce its size to help avoid detection. Once this escalation has taken hold; the attackers are able to manipulate the JavaSriptCore's memory and execute native API fuctions. 

Our blog post only scratches the surface of the research performed by oct0xor, kucher1n, and bzvr_ at Securelist. Their findings were shared at the 37C3 conference, and Apple has since been notified. As a result, iOS versions after 16.2 are largely immune to the zero-day exploits leveraged by the Advanced Persistent Threat (APT) in Operation Triangulation. This operation underscores the pitfalls of relying solely on security through obscurity, echoing the adage, "Three things cannot long stay hidden: the sun, the moon and the truth”. Security through obscurity should primarily serve as a temporary measure to delay the inevitable discovery of operational details. It’s not a matter of if these details will be uncovered, but when. The comprehensive exploitation of Apple’s functionality in this campaign emphasises the importance for companies to adopt more advanced security measures beyond mere obscurity.

Security Researchers Uncover Vulnerability in Black Basta Ransomware, Release Free Decryptor

Security researchers from SRLabs have discovered a vulnerability in the encryption algorithm used by the Black Basta ransomware, allowing them to create a free decryptor. Black Basta, operational since April 2022, follows a double-extortion approach and has reportedly amassed over $107 million in Bitcoin ransom payments. Elliptic and Corvus Insurance conducted joint research, revealing a connection between Black Basta and the Conti Group. The weakness in Black Basta's encryption algorithm enables file recovery based on their size, with full recovery possible for files between 5,000 bytes and 1GB. However, recent fixes by Black Basta developers limit the decryptor's efficacy to attacks conducted before December 2023.

Google 0Auth Endpoint Exploit

An undocumented 0Authentication endpoint named "multilogin" is currently being targeted by a sophisticated malware. This information stealer is using the exploit in order to hijack user sessions and maintain access to google services; with this enabling a persistence that surpasses a password reset. Furthermore, it will generate cookies in order to help maintain persistence and allow threat actors to gain access to valid user sessions.  This technique was first identified in October of 2023, by a threat actor named "Prisma". It has since been incorporated into a variety of Malware-as-a-service families. Including Lumma, Meduza and Whitesnake.

Terrapin Attack Puts Nearly 11 Million Internet-Exposed SSH Servers at Risk

A new security threat called Terrapin, targeting the SSH protocol, poses a risk to nearly 11 million internet-exposed SSH servers. Developed by researchers at Ruhr University Bochum, the attack manipulates sequence numbers during the handshake process, compromising the integrity of SSH channels, especially with specific encryption modes. While the attack requires an adversary-in-the-middle position, the widespread vulnerability raises concerns, with the majority of affected systems located in the United States, China, Germany, Russia, Singapore, and Japan.

Ivanti Addresses Critical Vulnerability

Ivanti has urgently released security updates to rectify a critical vulnerability (CVE-2023-39336) in its Endpoint Manager (EPM) solution. With a CVSS score of 9.6, the flaw affects EPM 2021 and EPM 2022 before SU5, posing a significant risk of remote code execution (RCE) if exploited. The vulnerability stems from an unspecified SQL injection that, when successfully triggered by an attacker within the internal network, allows the execution of arbitrary SQL queries without authentication. This could grant control over machines running the EPM agent, and if the core server is configured to use SQL Express, it may lead to RCE on the core server.

Google Settles Lawsuit Over Alleged Misleading of Users in Incognito Mode

Google has reached a settlement in a class-action lawsuit filed in June 2020, accusing the company of misleading users regarding the privacy of their internet activity in "incognito" or "private" mode. The lawsuit sought over $5 billion in damages, alleging that Google violated federal wiretap laws by tracking users through Google Analytics even in private mode. While Google argued for dismissal based on displayed warnings, the U.S. District Judge ruled that users did not explicitly consent to data collection, highlighting a lack of disclosure from Google. The settlement terms were undisclosed.