Cybersecurity bulletin April 2024

Simple priv-esc exploit created for most Linux kernels

Annoyingly simple privilege escalation was reported, affecting Debian, Ubuntu, Red Hat, Fedora, and probably other distributions. There is also an easy-to-run Proof of Concept available. Even though this security flow by itself does not allow remote code execution it is mandatory to patch it, also to monitor all users on Linux systems for suspicious entries that might be probably controlled by an attacker.

References:

https://www.theregister.com/2024/03/29/linux_kernel_flaw/

https://github.com/Notselwyn/CVE-2024-1086

https://pwning.tech/nftables/

Vulnerability management lifecycle

Constantly looking for new vulnerabilities in the code base, in the infrastructure in the RBAC is a great hassle. Creating a system that can put a framework to standardize that effort can be priceless.

C.J. May from Vermeer Corporation has compiled a program that outlines the stages of vulnerability management with very useful explanation of each and elaboration of the smaller steps included. In brief, here they can be sumarrized as:

I. Stages of vulnerability management

1. Identification

• Version Control System
• Code
• Secrets
• Dependencies/SBOM
• IaC
• Containers
• Deployment

2. Observability

3. Management

II. Roles and responsibilities

• Software Engineers and Product Owners
• Managers, Directors, Tech Executives
• Security Team

His blog post shows very well how to approach vulnerability management in the Dev(Sec)Ops and to keep sane.

Reference:

https://blog.gitguardian.com/vulnerability-management-lifecycle-in-devsecops/

Injecting ransomware via OneNote - chilling story

A very detailed write-up was posted by the DIFR report about the complete ransomware/data exfiltration deployment that happened in the winter of 2023. It started with malicious OneNote attachments, that executed script, downloading IcedID (popular trojan) DLL and establishing persistence. For 3 weeks there was no activity and on the 21st day routine scanning of the host was initiated. That was followed by deploying Cobalt strike beacons, that when activated it initiated Active Directory mapping process.

Eventually, two PowerShell scripts were deployed to install AnyDesk (remote desktop software) and to relay the AnyDesk ID to the command & control server.

Unfortunately, the initially compromised account had already elevated privileges the bad actors proceeded with mapping the network and identifying the backup server.

They managed the setup of FileZilla and using sftp they exfiltrated the latest backups. Eventually, they were ready to execute the ransomware.

Take-home messages are always - follow the best practices, do not allow outbound traffic to unknown destinations, and follow the practices of least privileges.

Read the full write-up in the references.

Reference:

https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/