
Security Skim: October 11th

“If it’s smart, it’s vulnerable.”

Twitter User

Well, there was supposed to be an audio recording for this post, but I just had my wisdom teeth pulled (all 4)! My mouth is a bit swollen, so this post will just be another skim like the last one. Since I last wrote, the security landscape has been absolute hell. Zero days seem to be coming out of the woodwork, and large corporations continue to get hit. Here goes nothing:

MGM Breach Update


In my last Security Skim I wrote about the recent cyberattack MGM Resorts faced. More details have come out since about the breach, which left customers’ data exposed. The attackers, reportedly a group called Scattered Spider, used a technique called vishing, a form of social engineering that manipulates victims through convincing phone calls. The hackers impersonated an employee, gaining access to MGM’s systems and causing widespread disruptions.

Key Points:

  1. The Attack: MGM Resorts suffered a cyberattack, impacting their systems for several days. The attack, initiated through vishing, led to disruptions in services, including digital keys, slot machines, and online platforms.
  2. Attackers’ Identity: Scattered Spider, a group skilled in social engineering, claimed responsibility. They impersonated an MGM employee, exploiting publicly available information from LinkedIn to access the company’s IT help desk and gain credentials.
  3. Data Compromised: Personal customer data, including names, contact details, birthdates, and official identification numbers, was accessed. MGM Resorts has offered affected customers free credit monitoring services.
  4. Vishing Technique: Vishing, a blend of voice and phishing attacks, exploits human vulnerability. Attackers use phone calls to impersonate trusted entities, making it a potent method to gain access to systems. Vishing attacks, though not new, have gained prominence due to their effectiveness.
  5. Post-Breach Actions: Affected MGM customers should monitor their accounts for unusual activities, consider freezing their credit, and be cautious about phishing emails. Regularly checking bank statements and avoiding suspicious links enhances security.

Another Twitter user noticed that MGM is emergency-hiring cloud engineers to come to Reno and completely rebuild their cloud environment. I’ve seen a lot of breaches in my day, but the amount of damage done relative to the level of effort required here is astonishing. It also sounds like, in a panic, MGM shut off the agent that syncs Okta to whatever their Active Directory system was. Because of that, when systems came back on, the attackers still had access since Okta had not synced. I haven’t seen enough businesses do this, but I have worked at a couple of places where we run a practice breach with corporate. No one wants a breach, but not having a plan and panicking doesn’t help.

CURL Vulnerability is Coming to you this Thursday!

The maintainers of the cURL data transfer project have identified and are actively patching two significant vulnerabilities, including a high-severity bug affecting both the libcurl library and the curl command-line tool. cURL, a widely used open-source tool, facilitates data transfer over network protocols such as HTTP, FTP, and SMTP, with SSL/TLS support.

Key Points:

  1. Vulnerabilities Identified: The vulnerabilities, tracked as CVE-2023-38545 and CVE-2023-38546, are currently being addressed. The high-severity CVE-2023-38545 is regarded as one of the most severe flaws in the open source tool’s history, prompting an urgent response from the maintainers.
  2. Release Date: A new version, curl 8.4.0, is set to be released on October 11, containing fixes for the high-severity CVE and another low-severity vulnerability. The maintainers have shortened the release cycle to address these critical issues promptly.
  3. Severity Warning: While specific details about the vulnerabilities and affected versions have not been disclosed publicly, organizations have been alerted to the severity of the high-severity flaw. All versions released over the “last several years” are believed to be vulnerable.
  4. Preparation and Response: Organizations using curl and libcurl are advised to inventory and scan their systems to identify potentially vulnerable versions. Immediate implementation of the updates upon release is crucial to safeguard systems against these pressing vulnerabilities. Member distributions have been notified in advance to prepare patches.
  5. Impact: Unknown, and details won’t be released until tomorrow!
  6. Restricted Disclosure: Details about the vulnerabilities will be disclosed only with the release of curl 8.4.0 on October 11. Access to specific problem details before this date requires a support contract and a valid reason, emphasizing the urgency of preparing for the upcoming updates.

I’ve seen a lot of vulnerabilities this year and in my lifetime, but this one scares the crap out of me. curl is used everywhere, and on many Linux distributions it comes standard with the install. There are also thousands of devices out there that use curl but that the manufacturer no longer updates. Expect a lot of patches to be issued over the next couple of days. This one isn’t going to be pretty.

Prolific Cyber Threat Exploits WordPress Vulnerability, Compromising Thousands of Sites

Summary:

A significant cybersecurity threat has emerged as hackers exploit a recently patched vulnerability in the widely used tagDiv Composer plugin for WordPress. This mandatory plugin for the popular themes Newspaper and Newsmag, available through the Theme Forest and Envato marketplaces, is affected by a cross-site scripting (XSS) flaw (CVE-2023-3169). The flaw, discovered by researcher Truoc Phan, enables hackers to inject malicious code into webpages and carries a severity rating of 7.1 out of 10.

Key Points:

  1. Exploited Vulnerability: The tagDiv Composer plugin vulnerability allows hackers to inject web scripts that redirect visitors to fraudulent websites, including tech support scams, lottery fraud, and push notification scams. The flaw was partially fixed in version 4.1 and completely patched in version 4.2.
  2. Scope of Compromise: Security firm Sucuri has been monitoring this malware campaign, named Balada, since 2017. It estimates that Balada has compromised over 1 million sites in the past six years. In recent months, the number of infections has surged, with more than 17,000 sites affected, nearly double the previous month’s count. Over 9,000 of these new infections were facilitated by exploiting CVE-2023-3169.
  3. Attack Techniques: The attackers employ sophisticated techniques, including randomized injections, obfuscation, use of multiple domains and subdomains, abuse of services like Cloudflare, and various approaches to target administrators of infected WordPress sites.
  4. Persistence and Control: The Balada threat actor aims for persistent control over compromised sites. They create accounts with administrator privileges and inject scripts targeting logged-in site administrators. These scripts, when loaded, can emulate administrator activities, enabling unauthorized access.
  5. Mitigation Measures: Website administrators using the Newspaper or Newsmag themes should diligently inspect their sites and event logs for signs of infection. Sucuri’s post provides indicators of compromise for identification. Removing malicious scripts is crucial, but it’s equally important to check for backdoor code and unauthorized admin accounts to prevent persistent access.

WordPress is such a versatile content management system that I don’t envy the developers who work on the product. Add to that plugins and themes, and the attack surface just gets bigger and bigger. That being said, I love WordPress and don’t plan on using something else.

23andMe Data Breach Exposes User Information

Summary:

Genetic testing company 23andMe confirmed a data breach where a subset of its users’ data was compromised. Hackers accessed the data by guessing login credentials and scraping information from the DNA Relatives feature, impacting users who opted to share their information. The breached data was posted on the BreachForums platform, revealing details about Ashkenazi Jews and users of Chinese descent. The hackers began selling 23andMe profiles for $1 to $10 per account, including display names, sex, birth years, and genetic ancestry results, without raw genetic data.

Key Points:

  1. Breach Details: The incident did not involve a break-in to 23andMe’s systems; it resulted from attackers guessing login credentials and scraping data from the DNA Relatives feature. The compromised information was posted on BreachForums, including details of high-profile individuals like Mark Zuckerberg, Elon Musk, and Sergey Brin.
  2. Data Compromised: The breached data included display names, sex, birth years, and some genetic ancestry information but did not contain raw genetic data. The breach involved “credential stuffing,” where attackers reused passwords exposed in other breaches.
  3. Credential Stuffing and Account Compromise: The technique of credential stuffing, wherein attackers use exposed credentials to infiltrate accounts with reused logins, was employed. The compromised accounts were then leveraged to scrape data visible in DNA Relatives.
  4. Broader Implications: The incident raises concerns about the security of genetic information and the risks associated with sharing sensitive data on platforms designed like social networks. The breach underscores the challenges in safeguarding genetic databases and the potential consequences of making such data publicly available.
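Credential stuffing as described above has a recognizable shape in authentication logs: one source trying many different accounts with mostly stale passwords, unlike brute force against a single account. The following is an added example (not from the post or from 23andMe) that labels each source in a constructed log sample, in an assumed "timestamp ip user result" layout, and lists the accounts actually opened from a stuffing source, which are the password-reuse victims to force-reset; the thresholds are assumptions an operator would tune.

```python
from collections import defaultdict

# Constructed auth-log sample in an assumed "ts ip user result" layout, not 23andMe's logs.
SAMPLE_LOG = """\
2023-10-05T01:00:01Z 203.0.113.7 alice FAIL
2023-10-05T01:00:02Z 203.0.113.7 bob FAIL
2023-10-05T01:00:02Z 203.0.113.7 carol OK
2023-10-05T01:00:03Z 203.0.113.7 dave FAIL
2023-10-05T01:00:03Z 203.0.113.7 erin FAIL
2023-10-05T01:00:06Z 198.51.100.9 ivan FAIL
2023-10-05T01:00:07Z 198.51.100.9 ivan FAIL
2023-10-05T01:00:08Z 198.51.100.9 ivan FAIL
2023-10-05T01:00:10Z 192.0.2.44 judy OK
"""
MIN_USERS = 5          # distinct accounts tried from one source (assumed threshold)
MIN_FAIL_RATE = 0.5    # leaked pairs are mostly stale, so most replays fail

def analyze(log_text):
    """Return {ip: (label, accounts_opened)}; label is credential_stuffing, brute_force or normal."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "opened": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # not an auth event
        _, ip, user, result = parts
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["opened"].add(user)
    verdicts = {}
    for ip, s in stats.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= MIN_USERS and fail_rate >= MIN_FAIL_RATE:
            # many accounts, one source, mostly wrong passwords: another breach's
            # username/password pairs being replayed against this site
            label = "credential_stuffing"
        elif len(s["users"]) == 1 and s["fails"] >= 3:
            label = "brute_force"         # one account hammered: a different playbook
        else:
            label = "normal"
        verdicts[ip] = (label, s["opened"])
    return verdicts

def accounts_to_reset(log_text):
    """Accounts opened from a stuffing source: password-reuse victims to force-reset."""
    return {u for label, opened in analyze(log_text).values() if label == "credential_stuffing" for u in opened}
```

In a real deployment the same counters would be kept per source over a sliding window rather than over a whole file, and the "opened" set is what feeds the forced password reset and session revocation.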

In my personal opinion, genetic information should be protected the way your bank account is protected. Come up with some form of HIPAA or PCI equivalent for genetic data and require companies like 23andMe to go through the compliance process. The good thing is that the raw genetic data was not compromised. Off the top of my head, I don’t know of many uses for raw genetic data, but I have no doubt someone will find a terrible use for it.

Cloudflare, Google, and Amazon AWS Disclose HTTP/2 Rapid Reset Zero-Day Vulnerability

Summary:

Cloudflare, in collaboration with Google and Amazon AWS, has disclosed a novel zero-day vulnerability called the “HTTP/2 Rapid Reset” attack. This vulnerability exploits a weakness in the HTTP/2 protocol, enabling threat actors to generate massive Distributed Denial of Service (DDoS) attacks. By automating a trivial “request, cancel, request, cancel” pattern at scale, attackers can create a denial of service, incapacitating servers or applications using standard HTTP/2 implementations. Cloudflare detected this zero-day vulnerability in late August 2023 and has since mitigated numerous attacks, including one reaching a record-breaking 201 million requests per second.

Key Points:

  1. Vulnerability Details: The Rapid Reset attack leverages the HTTP/2 protocol’s stream cancellation feature. Attackers send requests and immediately cancel them repeatedly, overwhelming servers or applications running standard HTTP/2 implementations. Despite using a relatively small botnet of around 20,000 machines, attackers achieved unprecedented request volumes, highlighting the vulnerability’s potency.
  2. Impact and Mitigation: Cloudflare mitigated attacks exceeding 201 million requests per second, leading to intermittent edge instability and affecting a small number of customers with 4xx and 5xx errors. Cloudflare has developed purpose-built technology to counter this vulnerability, enhancing its mitigation capabilities. Cloudflare users are protected against this attack.
  3. Responsible Disclosure: Cloudflare collaborated with industry partners and initiated responsible disclosure processes to ensure widespread protection against this vulnerability. Web server software partners are developing patches to prevent exploitation.
  4. Industrywide Implications: Cloudflare’s transparency enabled early detection of the attack. Threat actors often test their tools on Cloudflare before targeting more vulnerable entities. Organizations are urged to assume a breach mindset, emphasizing proactive measures and ongoing incident management.
  5. Recommendations for CSOs: CSOs are advised to understand their network’s external connectivity, assess existing security protections, deploy DDoS protection outside data centers, ensure patches for web servers and operating systems, and consider cloud-based DDoS providers for resilience. Turning off HTTP/2 and HTTP/3 is a last resort option.
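The "request, cancel, request, cancel" pattern described above is visible on the server side as a client that opens streams and immediately sends RST_STREAM for most of them. The following is an added example (not from the post, Cloudflare, Google or AWS) of a per-connection tracker that flags that behaviour and distinguishes it from an equally busy client whose users occasionally navigate away; the frame traces are constructed, and WINDOW_S, MAX_RESETS and MIN_RATIO are assumed thresholds an operator would tune.

```python
from collections import deque

# Thresholds are assumptions an operator would tune, not vendor values.
WINDOW_S = 1.0      # sliding window length in seconds
MAX_RESETS = 100    # client RST_STREAM frames tolerated per window
MIN_RATIO = 0.8     # share of newly opened streams that were cancelled

class ConnectionTracker:
    """Per-connection view of the client's frames on one HTTP/2 connection."""
    def __init__(self):
        self.opens = deque()    # timestamps of HEADERS frames (new streams)
        self.resets = deque()   # timestamps of client-sent RST_STREAM frames
        self.live = set()       # stream ids opened but not yet closed

    def observe(self, ts, frame, stream_id):
        """Feed one client frame; return True once the connection looks abusive."""
        if frame == "HEADERS":
            self.opens.append(ts)
            self.live.add(stream_id)
        elif frame == "RST_STREAM" and stream_id in self.live:
            # Request was parsed and dispatched, then cancelled before any
            # response: that wasted work is what Rapid Reset multiplies.
            self.live.discard(stream_id)
            self.resets.append(ts)
        elif frame == "END_STREAM":
            self.live.discard(stream_id)
        for q in (self.opens, self.resets):          # drop events outside the window
            while q and ts - q[0] > WINDOW_S:
                q.popleft()
        n_reset, n_open = len(self.resets), len(self.opens)
        return n_reset >= MAX_RESETS and n_reset / max(n_open, 1) >= MIN_RATIO

def first_flag(frames):
    """Index of the first frame at which the connection is flagged, or None."""
    tracker = ConnectionTracker()
    for i, (ts, frame, sid) in enumerate(frames):
        if tracker.observe(ts, frame, sid):
            return i
    return None

def trace(n=200, cancel_every=1, gap=0.002):
    """Constructed client trace: every cancel_every-th stream is reset right after
    its HEADERS frame; cancel_every=1 is Rapid Reset, 50 is an ordinary busy client."""
    frames = []
    for k in range(n):
        sid = 2 * k + 1                   # client-initiated streams use odd ids
        end = "RST_STREAM" if k % cancel_every == cancel_every - 1 else "END_STREAM"
        frames += [(k * gap, "HEADERS", sid), (k * gap + 0.0001, end, sid)]
    return frames
```

Once a connection trips the check, the proportionate response is to stop accepting new streams on it or send GOAWAY, which costs the legitimate client at most a reconnect.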

I highly recommend you go and read the Cloudflare write-up linked in the first paragraph. I’d be curious to see what the resolution on this will be as HTTP/3 is most likely compromised as well. Reverting back to HTTP/1.1 isn’t really an option, as that comes with a ton of performance hits.

Conclusion

I hope you enjoyed the skim, and I will see you all next week. PLEASE make sure to keep your eye on curl and libcurl tomorrow! Good luck to all the engineers out there, and until next time, stay safe!
