Login
Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.
First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.
“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the attacker to disable security tooling and deploy more attacker tools like Mimikatz that lets them move across the network and gain persistence.”
The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a Secure Boot Security Feature Bypass flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.
According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”
Adam Barnett, lead software engineer at Rapid7, said CVE-2023-24932 deserves a considerably higher threat score.
“Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access,” Barnett said. “Therefore, the relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.”
Barnett said Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.
“Administrators should be aware that additional actions are required beyond simply applying the patches,” Barnett advised. “The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”
In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.
CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.
Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.
Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in Microsoft Outlook and Explorer that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.
“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.
“If an attacker were able to exploit this vulnerability, they would gain remote access to the victim’s account, where they could deploy additional malware,” Immersive’s Breen said. “This kind of exploit will be highly sought after by e-crime and ransomware groups where, if successfully weaponized, could be used to target hundreds of organizations with very little effort.”
For more details on the updates released today, check out roundups by Action1, Automox and Qualys, If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Millions of Americans receiving food assistance benefits just earned a new right that they can’t yet enforce: The right to be reimbursed if funds on their Electronic Benefit Transfer (EBT) cards are stolen by card skimming devices secretly installed at cash machines and grocery store checkout lanes.
On December 29, 2022, President Biden signed into law the Consolidated Appropriations Act of 2023, which — for the first time ever — includes provisions for the replacement of stolen EBT benefits. This is a big deal because in 2022, organized crime groups began massively targeting EBT accounts — often emptying affected accounts at ATMs immediately after the states disperse funds each month.
EBT cards can be used along with a personal identification number (PIN) to pay for goods at participating stores, and to withdraw cash from an ATM. However, EBT cards differ from debit cards issued to most Americans in two important ways. First, most states do not equip EBT cards with smart chip technology, which can make the cards more difficult and expensive for skimming thieves to clone.
More critically, EBT participants traditionally have had little hope of recovering food assistance funds when their cards were copied by card-skimming devices and used for fraud. That’s because while the EBT programs are operated by individually by the states, those programs are funded by the U.S. Department of Agriculture (USDA), which until late last year was barred from reimbursing states for stolen EBT funds.
The protections passed in the 2023 Appropriations Act allow states to use federal funds to replace stolen EBT benefits, and they permit states to seek reimbursement for any skimmed EBT funds they may have replaced from their own coffers (dating back to Oct. 1, 2022).
But first, all 50 states must each submit a plan for how they are going to protect and replace food benefits stolen via card skimming. Guidance for the states in drafting those plans was issued by the USDA on Jan. 31 (PDF), and states that don’t get them done before Feb. 27, 2023 risk losing the ability to be reimbursed for EBT fraud losses.
Deborah Harris is a staff attorney at The Massachusetts Law Reform Institute (MLRI), a nonprofit legal assistance organization that has closely tracked the EBT skimming epidemic. In November 2022, the MLRI filed a class-action lawsuit against Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.
Harris said she’s pleased that the USDA guidelines were issued so promptly, and that the guidance for states was not overly prescriptive. For example, some security experts have suggested that adding contactless capability to EBT cards could help participants avoid skimming devices altogether. But Harris said contactless cards do not require a PIN, which is the only thing that stops EBT cards from being drained at the ATM when a participant’s card is lost or stolen.
Then again, nothing in the guidance even mentions chip-based cards, or any other advice for improving the physical security of EBT cards. Rather, it suggests states should seek to develop the capability to perform basic fraud detection and alerting on suspicious transactions, such as when an EBT card that is normally used only in one geographic area suddenly is used to withdraw cash at an ATM halfway across the country.
“Besides having the states move fast to approve their plans, we’d also like to see a focused effort to move states from magstripe-only cards to chip, and also assisting states to develop the algorithms that will enable them to identify likely incidents of stolen benefits,” Harris said.
Harris said Massachusetts has begun using algorithms to look for these suspicious transaction patterns throughout its EBT network, and now has the ability to alert households and verify transactions. But she said most states do not have this capability.
“We have heard that other states aren’t currently able to do that,” Harris said. “But encouraging states to more affirmatively identify instances of likely theft and assisting with the claims and verification process is critical. Most households can’t do that on their own, and in Massachusetts it’s very hard for a person to get a copy of their transaction history. Some states can do that through third-party apps, but something so basic should not be on the burden of EBT households.”
Some states aren’t waiting for direction from the federal government to beef up EBT card security. Like Maryland, which identified more than 1,400 households hit by EBT skimming attacks last year — a tenfold increase over 2021.
Advocates for EBT beneficiaries in Maryland are backing Senate Bill 401 (PDF), which would require the use of chip technology and ongoing monitoring for suspicious activity (a hearing on SB401 is scheduled in the Maryland Senate Finance Commission for Thursday, Feb. 23, at 1 p.m.).
Michelle Salomon Madaio is a director at the Homeless Persons Representation Project, a legal assistance organization based in Silver Spring, Md. Madaio said the bill would require the state Department of Human Services to replace skimmed benefits, not only after the bill goes into effect but also retroactively from January 2020 to the present.
Madaio said the bill also would require the state to monitor for patterns of suspicious activity on EBT cards, and to develop a mechanism to contact potentially affected households.
“For most of the skimming victims we’ve worked with, the fraudulent transactions would be pretty easy to spot because they mostly happened in the middle of the night or out of state, or both,” Madaio said. “To make matters worse, a lot of families whose benefits were scammed then incurred late fees on many other things as a result.”
It is not difficult to see why organized crime groups have pounced on EBT cards as easy money. In most traditional payment card transactions, there are usually several parties that have a financial interest in minimizing fraud and fraud losses, including the bank that issued the card, the card network (Visa, MasterCard, Discover, etc.), and the merchant.
But that infrastructure simply does not exist within state EBT programs, and it certainly isn’t a thing at the inter-state level. What that means is that the vast majority of EBT cards have zero fraud controls, which is exactly what continues to make them so appealing to thieves.
For now, the only fraud controls available to most EBT cardholders include being especially paranoid about where they use their cards, and frequently changing their PINs.
According to USDA guidance issued prior to the passage of the appropriations act, EBT cardholders should consider changing their card PIN at least once a month.
“By changing PINs frequently, at least monthly, and doing so before benefit issuance dates, households can minimize their risk of stolen benefits from a previously skimmed EBT card,” the USDA advised.
Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating “Trickbot,” a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities.
Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into “a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks,” the Treasury Department said.
A spam email from 2020 containing a Trickbot-infected attachment. Image: Microsoft.
“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the sanctions notice continued. “In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”
Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly “Bentley” Kovalev.
A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive “money mule” scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.
In 2015, Kovalev reportedly began filming a movie in Russia about cybercrime called “Botnet.” According to a 2016 story from Forbes.ru, Botnet’s opening scene was to depict the plight of Christina Svechinskaya, a Russian student arrested by FBI agents in September 2010.
Christina Svechinskaya, a money mule hired by Bentley who was arrested by the FBI in 2010.
Svechinskaya was one of Bentley’s money mules, most of whom were young Russian students on temporary travel visas in the United States. She was among 37 alleged mules charged with aiding an international cybercrime operation — basically, setting up phony corporate bank accounts for the sole purpose of laundering stolen funds.
Although she possessed no real hacking skills, Svechinskaya’s mugshot and social media photos went viral online and she was quickly dubbed “the world’s sexiest computer hacker” by the tabloids.
Kovalev’s Botnet film project was disrupted after Russian authorities raided the film production company’s offices as part of a cybercrime investigation. In February 2016, Reuters reported that the raid was connected to a crackdown on “Dyre,” a sophisticated trojan that U.S. federal investigators say was the precursor to the Trickbot malware. The Forbes.ru article cited sources close to the investigation who said the film studio was operating as a money-laundering front for the cybercrooks behind Dyre.
But shifting political winds in Russia would soon bring high treason charges against three of the Russian cybercrime investigators tied to the investigation into the film studio. In a major shakeup in 2017, the Kremlin levied treason charges against Sergey Mikhaylov, then deputy chief of Russia’s top anti-cybercrime unit.
Also charged with treason was Ruslan Stoyanov, then a senior employee at Russian security firm Kaspersky Lab [the Forbes.ru report from 2016 said investigators from Mikhaylov’s unit and Kaspersky Lab were present at the film company raid].
Russian media outlets have speculated that the men were accused of treason for helping American cybercrime investigators pursue top Russian hackers. However, the charges against both men were classified and have never been officially revealed. After their brief, closed trial, both men were convicted of treason. Mikhaylov was given a 22 year prison sentence; Stoyanov was sentenced to 14 years in prison.
In September 2021, the Kremlin issued treason charges against Ilya Sachkov, formerly head of the cybersecurity firm Group-IB. According to Reuters, Sachkov and his company were hired by the film studio “to advise the Botnet director and writers on the finer points of cybercrime.” Sachkov remains imprisoned in Russia pending his treason trial.
Trickbot was heavily used by Conti and Ryuk, two of Russia’s most ruthless and successful ransomware groups. Blockchain analysis firm Chainalysis estimates that in 2021 alone, Conti extorted more than USD $100 million from its hacking victims; Chainalysis estimates Ryuk extorted more than USD $150 million from its ransomware victims.
The U.S. cybersecurity firm CrowdStrike has long tracked the activities of Trickbot, Ryuk and Conti under the same moniker — “Wizard Spider” — which CrowdStrike describes as “a Russia-nexus cybercriminal group behind the core development and distribution of a sophisticated arsenal of criminal tools, that allow them to run multiple different types of operations.”
“CrowdStrike Intelligence has observed WIZARD SPIDER targeting multiple countries and industries such as academia, energy, financial services, government, and more,” said Adam Meyers, head of intelligence at CrowdStrike.
This is not the U.S. government’s first swipe at the Trickbot group. In early October 2020, KrebsOnSecurity broke the news that someone had launched a series of coordinated attacks designed to disrupt the Trickbot botnet. A week later, The Washington Post ran a story saying the attack on Trickbot was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the U.S. National Security Agency (NSA).
Days after Russia invaded Ukraine in February 2022, a Ukrainian researcher leaked several years of internal chat logs from the Conti ransomware gang. Those candid conversations offer a fascinating view into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. They also showed that Conti enjoyed protection from prosecution by Russian authorities, as long as the hacker group took care not to target Russian organizations.
In addition, the leaked Conti chats confirmed there was considerable overlap in the operation and leadership of Conti, Trickbot and Ryuk.
Michael DeBolt, chief intelligence officer at cybersecurity firm Intel 471, said the leaked Conti chats showed Bentley oversaw a team of coders tasked with ensuring that the Trickbot and Conti malware remained undetected by the different antivirus and security software vendors.
In the years prior to the emergence of Trickbot in 2016, Bentley worked closely on the Gameover ZeuS trojan, a peer-to-peer malware threat that infected between 500,000 and a million computers with an automated ransomware strain called Cryptolocker, DeBolt said.
The FBI has a standing $3 million bounty offered for the capture of Evgeny “Slavik” Bogachev, the alleged author of the Zeus trojan. And there are indications that Bentley worked directly with Bogachev. DeBolt pointed to an October 2014 discussion on the exclusive Russian hacking forum Mazafaka that included a complaint by a Russian hosting firm against a forum user by the name “Ferrari” who had failed to pay a $30,000 hosting bill.
In that discussion thread, it emerged that the hosting company thought it was filing a complaint against Slavik. But the Mazafaka member who vouched for Ferrari’s membership on the forum said they knew Ferrari as Bentley the mule handler, and at some point Slavik and Bentley must have been sharing the Ferrari user account.
“It is likely that Slavik (aka. Bogachev) and Bentley (aka. Kovalev) shared the same ‘Ferrari’ handle on the Mazafaka forum circa 2014, which suggests the two had a working relationship at that time, and supports the recent US and UK Government announcements regarding Kovalev’s past involvement in cybercrime predating Dyre or the Trickbot Group,” DeBolt said.
CrowdStrike’s Meyers said while Wizard Spider operations have significantly reduced following the demise of Conti in June 2022, today’s sanctions will likely cause temporary disruptions for the cybercriminal group while they look for ways to circumvent the financial restrictions — which make it illegal to transact with or hold the assets of sanctioned persons or entities.
“Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name,” Meyers said.
The prosecution of Kovalev is being handled by the U.S. Attorney’s Office in New Jersey. A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.
In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability — CVE-2022-41082 — which allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.
Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.
“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”
GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.
Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.
Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.
Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.
In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.
If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.
FreshRSS 