Flair Data Systems-Brent Forrest Cybersecurity News Update 12-13-2023

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity update for 12/13/2023... 

I hope you are enjoying the winterish weather we have been experiencing here lately and getting ready for the Christmas holidays. I know some of you are winding down and others are going full speed to close out projects before the end of the year. With that said, let's jump into this week's cyber news update... 


LogoFail Firmware Attack 

 

  • LogoFail is a set of roughly two dozen newly disclosed vulnerabilities in UEFI (Unified Extensible Firmware Interface) code, specifically in the image parsers firmware uses to draw logos 
  • As the name suggests, it involves the logo images (typically the hardware vendor's) that firmware displays on screen early in the boot process 
  • By replacing the legitimate logo with an identical-looking image crafted to trigger these parser bugs, an attacker can execute code during the DXE (Driver Execution Environment) phase, one of the most sensitive stages of boot, which lets it sidestep Secure Boot and similar boot-time defenses 
  • From there, LogoFail can deliver a second-stage payload that drops an executable onto the disk before the main OS has even started (the link below has a lot of detail on this attack) 
  • The best defense is to apply the UEFI firmware updates that OEMs and device makers are releasing for this, so check with your hardware vendors. One caveat for triage: the attacker first needs privileged access to the machine to swap the logo image, so this is a persistence and defense-evasion technique rather than an initial-access one 

Link (1): https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/ 
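The LogoFAIL bugs live in the firmware's image parsers, which trust the size fields in the logo file's header. The following is an added example, not code from the article or from Binarly, that shows the failure mode on a BMP header: naive_pixel_buffer_size() emulates what a parser doing the size math in uint32_t computes, and check_bmp() is the kind of validation a hardened parser should do before allocating or copying anything. The sample BMPs are constructed inline, and the 8192-pixel logo limit is an assumption for the example, not a UEFI rule.

```python
import struct

U32_MAX = 0xFFFFFFFF
MAX_LOGO_DIMENSION = 8192   # assumed sane upper bound for a boot logo (an assumption, not a UEFI rule)
FILE_HEADER_LEN, DIB_HEADER_LEN = 14, 40


def naive_pixel_buffer_size(width, height, bpp):
    """What a parser using uint32_t arithmetic computes: the product wraps silently,
    so a huge image can yield a tiny (even zero) allocation that the row copy then overruns."""
    return (width * height * (bpp // 8)) & U32_MAX


def build_bmp(width, height, bpp, pixel_bytes):
    """Constructed sample input: a minimal BMP (BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER).
    Header fields are whatever the caller says; nothing about the pixel data is checked."""
    pixel_offset = FILE_HEADER_LEN + DIB_HEADER_LEN
    file_header = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixel_bytes), 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", DIB_HEADER_LEN, width, height, 1, bpp,
                             0, len(pixel_bytes), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_bytes


def check_bmp(data):
    """Validate a BMP the way a hardened firmware parser should, before any allocation or copy.
    Returns (ok, reason). Only the 40-byte DIB header variant is handled."""
    if len(data) < FILE_HEADER_LEN + DIB_HEADER_LEN:
        return False, "truncated header"
    if data[:2] != b"BM":
        return False, "bad magic"
    _file_size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    dib_len, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, FILE_HEADER_LEN)
    if dib_len != DIB_HEADER_LEN:
        return False, f"unsupported DIB header length {dib_len}"
    if width <= 0 or height == 0:          # negative height = top-down BMP, which is legal
        return False, "non-positive dimensions"
    if bpp not in (1, 4, 8, 16, 24, 32):
        return False, f"unsupported bpp {bpp}"
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    true_size = row_bytes * abs(height)                 # Python ints do not wrap, so this is exact
    if true_size > U32_MAX:
        return False, "pixel buffer size overflows uint32"
    if width > MAX_LOGO_DIMENSION or abs(height) > MAX_LOGO_DIMENSION:
        return False, "dimensions exceed logo limit"
    if pixel_offset < FILE_HEADER_LEN + DIB_HEADER_LEN or pixel_offset > len(data):
        return False, "pixel offset outside file"
    if true_size > len(data) - pixel_offset:
        return False, "declared pixel data exceeds file length"
    return True, "ok"


if __name__ == "__main__":
    benign = build_bmp(2, 2, 24, b"\x00" * 16)
    crafted = build_bmp(0x10000, 0x10000, 32, b"\x00" * 16)   # 65536 x 65536 x 4 bytes = 2**34
    print("benign :", check_bmp(benign))
    print("crafted:", check_bmp(crafted),
          "naive uint32 size =", naive_pixel_buffer_size(0x10000, 0x10000, 32))
```

The crafted header is the interesting case: the true pixel buffer is 2**34 bytes, but the uint32 computation wraps to 0, so a parser that allocates from that number and then copies rows by the declared height writes far past the end of its buffer. The order of checks matters too: the overflow test runs before any value derived from the header is used for anything.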
 

Microsoft changes their CISO 

 

  • Microsoft has announced that, as part of its new strategic focus on security, Bret Arsenault will move out of the CISO role and into a Chief Security Advisor position. 
  • Igor Tsyganskiy will assume the CISO role in 2024. He came to Microsoft in September as Chief Strategy Officer for Security but has no prior CISO experience. 
  • These changes come on the heels of recent security incidents within the Microsoft ecosystem. 

Link (1): https://www.darkreading.com/cybersecurity-operations/microsoft-is-getting-new-ciso-in-new-year 


Insurance firm sees cyberattacks as more likely than fire or theft 


  • Research from insurance provider Aviva shows that businesses are 67% more likely to experience a cyber incident than a physical theft, and almost five times as likely to suffer a cyber-attack as a fire. 
  • One in five UK businesses has fallen victim to a cyber-attack in the past year 
  • 10% of small businesses and 35% of large corporations experienced an incident. 
  • One of the bigger concerns is that around 20% admit they are not confident they would know what to do if it happened. 
  • Another kicker is that only 17% have a cyber insurance policy. Being on the partner side, we are being asked by customers that "we" carry cyber insurance coverage (some have actually put high limit requirements in their MSAs) 

Link (1): https://www.infosecurity-magazine.com/news/cyberattacks-more-likely-than-fire/#:~:text=New%20research%20from%20insurance%20provider,an%20attack%20as%20a%20fire. 

 

Vulnerability discovered in fleet management software CVE-2023-6248 

 

  • Syrus4 IoT Gateway (CVE-2023-6248): the gateway uses an unsecured MQTT server to download and execute arbitrary commands, which allows a remote, unauthenticated attacker to execute code on any Syrus4 device connected to the cloud service. 
  • As of Dec 8th, DCT (Digital Communications Technologies) had yet to resolve the vulnerability, despite being notified by the researchers in April of this year. 
  • The flaw permits unauthorized access to the gateway's software, giving control over device commands and exposing live location, engine diagnostics, speakers and airbags, along with the ability to execute arbitrary code on vulnerable devices, including remotely shutting off the vehicle. 
  • As of now, there are no known exploitations in the wild. If you run fleet telematics of any brand, the things to check are whether the broker requires authentication and TLS, and whether the device will act on a command that nobody signed. 

Link (1): https://socradar.io/syrus4-iot-gateway-vulnerability-could-allow-code-execution-on-thousands-of-vehicles-simultaneously-cve-2023-6248/ 

Link (2): https://nvd.nist.gov/vuln/detail/CVE-2023-6248 
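The root cause here is a broker that accepts commands from anyone and a device that acts on whatever it receives. Fixing the broker (authentication, TLS, per-device ACLs) is the first step; the second is to make the device refuse any command that is not authenticated end to end, so a misconfigured or compromised broker is not enough on its own. The example below is added here and is generic, not DCT's firmware or the researchers' proof of concept: it shows the vulnerable "run what arrives" handler beside a handler that accepts only HMAC-signed, fresh, never-replayed, allowlisted commands. The device key, the command set and the clock value are constructed for the example.

```python
import hashlib
import hmac
import json
import subprocess
import time

# Assumption: a per-device key provisioned at manufacture and kept in protected storage
# on the gateway; the cloud side holds the same key for that one device.
DEVICE_KEY = b"example-per-device-key-0001"
MAX_CLOCK_SKEW = 60  # seconds a command stays valid; bounds the replay window

# Constructed stand-ins for real device actions (not DCT's command set)
COMMANDS = {
    "get_location": lambda: "29.7604,-95.3698",
    "get_diag": lambda: "engine:ok battery:12.6V",
    "reboot": lambda: "reboot scheduled",
}


def naive_handle(payload):
    """Vulnerable pattern: whatever arrives on the command topic is run as a shell command.
    Anyone who can publish to the topic, e.g. via a broker with no authentication, owns the device."""
    return subprocess.run(payload.decode(), shell=True, capture_output=True, text=True).stdout


def canonical(fields):
    """Deterministic byte encoding of the signed fields, so signer and verifier agree."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key, cmd, nonce, ts):
    """Cloud side: produce a command envelope authenticated with HMAC-SHA256."""
    body = {"cmd": cmd, "nonce": nonce, "ts": ts}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return json.dumps(body).encode()


class SecureHandler:
    """Device side: accept only signed, fresh, never-before-seen, allowlisted commands."""

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now          # injectable clock so the handler can be tested deterministically
        self.seen_nonces = set()

    def handle(self, payload):
        try:
            msg = json.loads(payload)
            cmd, nonce, ts, mac = msg["cmd"], msg["nonce"], msg["ts"], msg["mac"]
            if not (isinstance(cmd, str) and isinstance(nonce, str)
                    and isinstance(ts, int) and isinstance(mac, str)):
                return False, "malformed"
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        expected = hmac.new(self.key, canonical({"cmd": cmd, "nonce": nonce, "ts": ts}),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):       # verify before trusting any other field
            return False, "bad signature"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        if cmd not in COMMANDS:                           # allowlist: no free-form strings reach a shell
            return False, "command not allowed"
        self.seen_nonces.add(nonce)
        return True, COMMANDS[cmd]()


if __name__ == "__main__":
    handler = SecureHandler(DEVICE_KEY)
    envelope = sign_command(DEVICE_KEY, "get_location", "nonce-0001", int(time.time()))
    print(handler.handle(envelope))   # accepted once
    print(handler.handle(envelope))   # second delivery is rejected as a replay
```

The nonce set grows forever as written; a real device would prune nonces older than MAX_CLOCK_SKEW, since the timestamp check already rejects anything outside that window. The signature is checked first so that none of the later logic (clock, nonce set, dispatch) ever runs on data an unauthenticated publisher controls.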

 

Autospill - android and password managers 

 

  • Presented at Black Hat Europe, researchers showed that most password managers for Android are vulnerable to an attack they call AutoSpill 
  • The researchers exploited weaknesses in how Android's WebView framework handles autofill: when a password manager fills credentials into a login page loaded inside an app's WebView, the host app can capture them, even without JavaScript injection 
  • If JavaScript injection is used, all of the Android password managers tested were vulnerable to this attack. 
  • Of the password managers tested, 1Password, LastPass, Enpass, Keepass2Android and Keeper were vulnerable to the attack without JavaScript 
  • Google Smart Lock and Dashlane were only affected when JavaScript injection was used. 
  • Take some time to review the vendors' responses on the attack method in the link below. 

Link (1): https://www.bleepingcomputer.com/news/security/autospill-attack-steals-credentials-from-android-password-managers/ 

 

Bluetooth Flaw 

 

  • CVE-2023-45866: an authentication bypass that lets an attacker pair with a susceptible device without user confirmation and inject keystrokes, achieving code execution as the victim user. 
  • It affects Android, Linux, macOS, and iOS devices, all of which now have patches available to fix this vulnerability. 
  • The main limitation is that the attacker must be within Bluetooth range of the targeted device, so keeping Bluetooth off when it is not needed is a reasonable stopgap until the patch is applied. 
  • Bluetooth has another CVE out, CVE-2023-24023, dubbed BLUFFS (Link 2) 
  • Bluetooth BR/EDR devices supporting Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, which can lead to recovery of the encryption key and live injection of traffic. 

Link (1): https://thehackernews.com/2023/12/new-bluetooth-flaw-let-hackers-take.html 

Link (2): https://hackaday.com/2023/12/02/update-on-the-bluffs-bluetooth-vulnerability/ 

 

Feds Fine Medical Facility for Phishing Attack Compromise of HIPAA data 

 

  • In 2021, Louisiana-based Lafourche Medical Group experienced an incident in which the ePHI of roughly 35,000 individuals was compromised. 
  • The breach resulted from a successful phishing attack and has now produced a $480,000 settlement. On top of the payment, Lafourche Medical Group must implement a corrective action plan that includes developing, maintaining, and revising a security risk management plan, along with policies and practices that comply with HIPAA. 
  • HHS OCR (Office for Civil Rights) found that prior to the 2021 breach, the clinic had failed to conduct the enterprise-wide risk analysis that HIPAA requires to identify potential threats and vulnerabilities to ePHI 
  • OCR also found that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity, a control meant to catch attacks against ePHI. 

Link (1): https://www.healthcareinfosecurity.com/feds-levy-first-ever-hipaa-fine-for-phishing-breach-a-23812?rf=2023-12-08_ENEWS_SUB_HIS__Slot1_ART23812 

 

North Korea finds continued success with Log4Shell 

 

  • The Lazarus group is still exploiting Log4Shell (CVE-2021-44228) around the world, attacking organizations with three new remote access Trojans written in the D programming language. To be honest, this is a new one on me, dlang. 
  • The activity is attributed to Andariel, a subgroup within Lazarus that specializes in obtaining initial access and persistence for long-term espionage campaigns. 
  • Writing the malware in D, a language seldom seen in malware, is intended to throw off detection mechanisms. 
  • The recent attacks exploit exposed VMware Horizon servers still carrying Log4Shell. Veracode reported last week that more than a third (38%) of in-use applications are still running vulnerable versions of Log4j. 
  • Most organizations are not even aware they are running applications that are still vulnerable to Log4Shell. Log4j is usually a transitive dependency, so a software bill of materials or a dependency scan of the build, not just a check of what you installed by hand, is what finds it. 

Link (1): https://www.darkreading.com/threat-intelligence/lazarus-group-still-juicing-log4shell-rats-written-d 

 

Apache Struts2 Exploit CVE-2023-50164 

 

  • CVE-2023-50164: flawed file-upload logic that can enable path traversal and, under certain conditions, be exploited to upload a malicious file and achieve arbitrary code execution 
  • The following versions are affected, and there is no workaround; the only remediation is upgrading to a patched release: 
  • Struts 2.3.37 (EOL) 
  • Struts 2.5.0 - Struts 2.5.32 (fixed in 2.5.33 or later) 
  • Struts 6.0.0 - Struts 6.3.0 (fixed in 6.3.0.2 or later) 
  • As of now, there is no evidence of malicious exploitation in the wild. Keep in mind, though, that CVE-2017-5638, an earlier Struts flaw, was weaponized by threat actors to breach Equifax in 2017, so treat this one as urgent. 

Link (1): https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html 
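The Struts fix is the patch, since the flaw is inside the framework's own upload handling, but the defensive pattern any upload endpoint should follow is the same: never let a client-supplied filename decide where a file lands. This added example in Python (not Struts code and not the CVE's exploit) shows the vulnerable join beside a hardened version that allowlists extensions, generates the stored name server-side, and proves the resolved path stays inside the upload directory. The upload directory and filenames are constructed.

```python
import os
import uuid
from pathlib import Path

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}


def naive_target(upload_dir, client_filename):
    """Vulnerable pattern: the client-supplied name is joined onto the upload directory as-is.
    '..' segments walk out of it, and an absolute name replaces it entirely."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def upload_root(upload_dir):
    """The canonical directory every stored file must end up directly inside."""
    return str(Path(upload_dir).resolve())


def safe_target(upload_dir, client_filename):
    """Hardened pattern: the client name is used only to pick an allowlisted extension;
    the stored name is server-generated and the final path is proven to sit inside upload_dir."""
    base = Path(upload_dir).resolve()
    # Strip any directory component, including Windows separators a Unix basename() would keep
    leaf = os.path.basename(client_filename.replace("\\", "/"))
    ext = Path(leaf).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    stored = f"{uuid.uuid4().hex}{ext}"            # client name never reaches the filesystem
    target = (base / stored).resolve()
    if target.parent != base:                      # belt and braces: catches a symlink or a bug above
        raise ValueError("resolved path escapes upload directory")
    return target


def classify(upload_dir, client_filename):
    """Convenience wrapper returning a tuple that is easy to log or assert on."""
    try:
        return "stored", safe_target(upload_dir, client_filename)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    root = "/srv/uploads"   # constructed path for the example
    for name in ["report.pdf", "../../webapps/ROOT/shell.jsp", "/etc/passwd", "..\\..\\x\\photo.PNG"]:
        print(f"{name!r:40} naive -> {naive_target(root, name)}")
        print(f"{'':40} safe  -> {classify(root, name)}")
```

Two things in the hardened version do most of the work: the stored filename is chosen by the server, so no traversal sequence, null byte or double extension in the client name can matter, and the final resolve-and-compare check would still fail closed if an earlier step were wrong. Extension allowlisting is a filter on what the web server might execute, not a check of the file's contents; that belongs in a separate content-type or magic-byte validation.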

 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or new technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless and Infrastructure, before finding his passion in Security. Roughly 20 years of that time was spent in the Oil and Gas industry working across multiple teams and leading initiatives. At EnLink Midstream specifically, he spent the majority of his time building resilience and developing the cybersecurity program from the ground up. 

Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company serving clients across the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity. 

