Canary Trap’s Bi-Weekly Cyber Roundup – Canary Trap


Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

This week’s cybersecurity round-up covers critical developments across the industry. We begin with a persistent Spectre vulnerability affecting AMD and Intel processors, then move to a significant error that exposed the French president’s location. Next, we look at a novel attack technique that can revert patched systems to their vulnerable states. We conclude with a substantial lawsuit against CrowdStrike and a new ransomware attack targeting SonicWall vulnerabilities.

  • New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors

Six years after the discovery of the Spectre vulnerability in modern CPUs, new research reveals that even the latest AMD and Intel processors remain vulnerable to speculative execution attacks. ETH Zürich researchers Johannes Wikner and Kaveh Razavi have uncovered a new speculative execution attack that bypasses the Indirect Branch Predictor Barrier (IBPB) on x86 processors, an essential defense mechanism against Spectre-like attacks.

Speculative execution optimizes CPU performance by predicting and executing certain instructions in advance. When these predictions are incorrect, the instructions are discarded, but sensitive data may still be loaded into the processor cache via misprediction, exposing it to potential malicious access.

Intel’s IBPB, a barrier for indirect branch prediction, was designed to mitigate Spectre v2 (CVE-2017-5715), which exploits indirect branch predictors to speculatively execute instructions that could leak sensitive information via covert channels. However, ETH Zürich’s latest findings reveal a microcode bug in Intel’s Golden Cove and Raptor Cove architectures that allows attackers to circumvent IBPB, leading to what the researchers call an “end-to-end cross-process Spectre leak.” The microcode flaw “retains branch predictions,” meaning they can still be accessed post-IBPB, allowing attackers to bypass boundaries across processes and virtual machines.

The research also highlights a similar vulnerability in AMD processors due to how the Linux kernel applies IBPB. Dubbed Post-Barrier Inception (PB-Inception), this attack lets unprivileged users leak privileged memory on AMD Zen 1(+) and Zen 2 processors. To counter these threats, Intel has released a microcode patch (CVE-2023-38575, CVSS 5.5), and AMD has advised users to install kernel updates to address CVE-2022-23824. The study underscores the persistent challenges of speculative execution and memory vulnerabilities, pushing for further refinement in CPU design and software mitigations.

  • Macron’s Bodyguards Reveal His Location by Sharing Fitness App Data

A recent investigation by Le Monde has revealed a significant security lapse within the Security Group for the Presidency of the Republic (GSPR), the elite team tasked with protecting French President Emmanuel Macron. Through a popular fitness app, GSPR members were inadvertently disclosing their workout locations, providing detailed, geolocated information that effectively reveals Macron’s whereabouts and travel patterns. Given that a dozen of Macron’s security personnel had shared this sensitive data, the President’s movements, including hotel stays, meeting venues, and more, could potentially be inferred by anyone with access to the app.

The fitness app’s Heatmap feature has previously been flagged for similar issues: in 2018, data from the app exposed the locations of secret U.S. and Australian military bases, prompting the Pentagon to review soldiers’ app usage. While the app allows users to hide location data, it defaults to public sharing, which in this case proved risky given the security implications. It’s suspected that GSPR agents may have prioritized the social or competitive aspects of their workouts over secure settings, despite a long history of similar incidents illustrating the need for stricter location privacy.

Other fitness apps have also faced scrutiny for similar vulnerabilities. Polar, another popular app, was previously found to expose users’ locations, prompting significant security updates only after public criticism. Even when users are aware of the risks, many still value the social and creative possibilities of sharing their data.

With potential security threats emerging from every digital channel, this incident serves as a reminder to security personnel to review app settings and usage habits to prevent further exposures.

  • Windows ‘Downdate’ Attack Reverts Patched PCs to a Vulnerable State

Fully patched Windows 11 systems are vulnerable to sophisticated downgrade attacks, allowing adversaries to install custom rootkits, evade endpoint security, conceal malicious activity, and maintain persistence on compromised systems. This exploit leverages a Windows OS downgrade method, demonstrated by SafeBreach researcher Alon Leviev at Black Hat USA 2024, using a custom tool called Windows Downdate. Leviev’s tool shows how attackers with administrative access can manipulate the Windows Update process, reverting critical components—such as libraries, drivers, and even the OS kernel—to insecure, previously patched versions.

During his demonstration, Leviev downgraded key virtualization-based security (VBS) features like Secure Kernel and Credential Guard’s Isolated User Mode Process, exposing them to privilege escalation vulnerabilities that Microsoft had previously addressed. “I was able to make a fully patched Windows machine susceptible to past vulnerabilities, making ‘fully patched’ a meaningless term,” Leviev noted.

In response, Microsoft has addressed two specific vulnerabilities in Leviev’s attack chain (CVE-2024-21302 and CVE-2024-38202) but has not yet remedied the broader exploit path that allows attackers with admin-level access to downgrade OS components through the Windows Update process. Microsoft’s position on this vulnerability is that crossing from admin privileges to the kernel is not a security boundary, hence it is not addressed as a security vulnerability. “Microsoft has fixed every issue that crosses a defined security boundary,” Leviev explained, but the ability of an admin to gain kernel execution remains outside these definitions. On October 26, Leviev released a new version of the downgrade exploit, bypassing driver signature enforcement (DSE) to load unsigned drivers—an exploit Microsoft had previously mitigated with CVE-2024-21302. This exploit leverages “False File Immutability” (FFI), a flaw that researchers at Elastic Security recently identified as arising from incorrect assumptions about file immutability in Windows.

Using Windows Downdate, Leviev demonstrated how downgrading a specific module (CI.dll) reintroduces this vulnerability, enabling the attacker to load unsigned kernel drivers and deploy rootkits, even on systems with VBS enabled.

Windows’ failure to validate DLL version numbers when loading them allows attackers to leverage outdated files susceptible to exploitation. “If attackers can downgrade Windows Defender, they gain an advantage in executing malicious files that would normally be detected,” said Tim Peck.

Microsoft has since acknowledged these risks and is developing mitigations to prevent the exploitation of unpatched VBS files, although no release timeline has been provided. The company noted that blocking such a broad range of outdated files requires extensive testing to prevent compatibility issues.
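A defensive check for the downgrade behaviour described above, as an added example that is not from the original article, SafeBreach or Microsoft: it compares file versions of VBS-related components between a trusted baseline and a later inventory snapshot and flags any that moved backwards. Only CI.dll is named in the article; the other file names, the version strings and the snapshot format are assumptions constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

SYS32 = "C:\\Windows\\System32\\"

# Constructed snapshots (path -> file version), e.g. exported from an
# inventory or EDR tool. Only CI.dll is named in the article; the other
# file names are assumed to correspond to the components it mentions.
BASELINE: Dict[str, str] = {
    SYS32 + "ci.dll": "10.0.22621.3880",
    SYS32 + "securekernel.exe": "10.0.22621.3880",
    SYS32 + "lsaiso.exe": "10.0.22621.3880",
}
CURRENT: Dict[str, str] = {
    SYS32 + "ci.dll": "10.0.22621.900",          # moved backwards
    SYS32 + "securekernel.exe": "10.0.22621.3880",
    SYS32 + "lsaiso.exe": "10.0.22621.4037",     # normal update
}

Finding = Tuple[str, str, Optional[str]]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric.

    Comparing the raw strings would rank '...900' above '...3880' and
    miss the regression in the sample data.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def find_downgrades(baseline: Dict[str, str],
                    current: Dict[str, str]) -> List[Finding]:
    """Return (path, baseline_version, current_version) for every file
    that is missing from the current snapshot or has a lower version."""
    findings: List[Finding] = []
    for path in sorted(baseline):
        old, new = baseline[path], current.get(path)
        if new is None or parse_version(new) < parse_version(old):
            findings.append((path, old, new))
    return findings


if __name__ == "__main__":
    for path, old, new in find_downgrades(BASELINE, CURRENT):
        print(f"ALERT {path}: baseline {old}, now {new or 'missing'}")
```

The baseline only stays useful if it is refreshed after each verified patch cycle, so that a later regression is measured against the most recent known-good versions.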

  • Delta Launches $500M Lawsuit Against CrowdStrike

Delta Air Lines has initiated a lawsuit against CrowdStrike, seeking to recover $500 million in lost revenue tied to the widespread CrowdStrike outage in July, which disrupted airlines, healthcare, and other critical services worldwide.

The outage was triggered by a flawed threat intelligence update for CrowdStrike’s Falcon Sensor, an endpoint detection and prevention tool. CrowdStrike’s investigation revealed a memory scanning bug that bypassed testing, leading to global system failures and triggering the “blue screen of death” on Microsoft servers. As a result, Delta reported that it canceled over 7,000 flights, impacting 1.3 million customers, and it faces several class-action lawsuits. In a filing with the SEC, Delta estimated recovery costs from the disruption at $170 million.

Delta’s lawsuit, filed in Georgia, alleges that CrowdStrike failed to perform adequate testing, arguing that the firm “caused a global catastrophe by cutting corners for profit.” In response, CrowdStrike claims Delta’s assertions are “based on misinformation” and shift blame from the airline’s outdated IT infrastructure, which hindered its recovery efforts. The Department of Transportation has also launched an inquiry into Delta’s prolonged recovery time, as well as customer service failures that left unaccompanied minors and other passengers stranded during the outage.

While CrowdStrike attempted to resolve the matter out of court, both parties disagreed on the extent of liability, with CrowdStrike estimating its responsibility to be under $10 million. The cybersecurity firm has filed for declaratory judgment to refute Delta’s claims of gross negligence, maintaining that the airline declined assistance from both CrowdStrike and Microsoft during the incident.

  • Fog and Akira Ransomware Attacks Exploit SonicWall VPN Flaw CVE-2024-40766

Fog and Akira ransomware groups are actively exploiting the critical SonicWall VPN vulnerability, CVE-2024-40766, to gain unauthorized access to enterprise networks. This flaw in SonicWall’s SSL VPN, identified as an Improper Access Control Vulnerability with a CVSS score of 9.3, affects SonicOS on Gen 5, Gen 6, and certain Gen 7 devices, which run version 7.0.1-5035 and earlier. SonicWall released a patch for this vulnerability in August 2024, warning that unpatched systems are at high risk of compromise, as the vulnerability could lead to unauthorized access and firewall crashes.

SonicWall has urged affected users to apply the latest patch immediately, available on mysonicwall.com. The company also recommends a temporary workaround for those unable to patch, such as restricting management access to trusted sources and disabling WAN and SSLVPN access from the internet.

Research by Arctic Wolf Labs reveals that since August 2024, Fog and Akira ransomware operators have exploited unpatched SonicWall VPNs in over 30 intrusions, deploying Akira ransomware in approximately 75% of cases, with Fog ransomware used in the remaining 25%. The attacks appear opportunistic, impacting a wide range of industries and organization sizes. The time from initial SSL VPN access to ransomware deployment has been alarmingly short, with attackers reaching encryption goals within 1.5 to 10 hours after breach in some cases.

The report notes, however, that while CVE-2024-40766 provides a clear route for exploitation, there is no conclusive evidence that this vulnerability alone enabled all the intrusions. Some instances suggest compromised VPN credentials may have been obtained through other breaches or unauthorized access to existing accounts, as visibility gaps in firewall logs have complicated a definitive analysis. 

Organizations using SonicWall SSL VPN services are strongly advised to review their security postures, apply the latest patches, and monitor for signs of suspicious activity to mitigate the risk of exploitation by these ransomware operators.

 

References:

https://thehackernews.com/2024/10/new-research-reveals-spectre.html

https://www.theregister.com/2024/10/29/macron_location_strava/

https://www.darkreading.com/application-security/windows-downdate-attack-patched-pcs-vulnerable-state

https://www.darkreading.com/cyberattacks-data-breaches/delta-launches-500m-lawsuit-crowdstrike

https://securityaffairs.com/170359/cyber-crime/fog-akira-ransomware-sonicwall-vpn-flaw.html
