Cybersecurity Bulletin 
December 2023

“LogoFAIL” reveals image-parsing flaws in UEFI firmware that bypass Secure Boot

Early in the boot process of practically every PC, the UEFI firmware parses images (the manufacturer's logo, splash screens). A carefully crafted image can trigger several recently disclosed vulnerabilities in those image parsers, collectively named LogoFAIL, which affect all major UEFI/BIOS vendors (Insyde, AMI and Phoenix) and a long list of PC manufacturers (Acer, Gigabyte, HP, Intel, Lenovo, MSI, Samsung, Supermicro, Fujitsu).

Exploiting these vulnerabilities lets an attacker hijack the firmware's execution flow and achieve arbitrary code execution during boot. Worse, because the image is parsed inside the firmware itself, before the OS boot loader is loaded and verified, the attacker's code runs underneath Secure Boot and its signature checks, so Secure Boot is bypassed.

The defence is to run only firmware obtained from the official vendor channel, apply vendor firmware updates as they are released, and verify the signatures on firmware images. Bear in mind that, since the recent leak of MSI's private signing keys, a valid signature alone is no longer sufficient proof that an image is legitimate for every vendor.
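As an added illustration (not code from this bulletin or from any firmware vendor), here is the bug class behind LogoFAIL in miniature: a boot-logo decoder that trusts size fields read from an attacker-controlled image, next to a hardened version that validates every header-derived size before it copies anything. The LOGO header layout, the framebuffer size and the function names (decode_logo_vulnerable, decode_logo_hardened, make_logo, hardened_result) are invented for the example; the defect pattern, not the format, is the point.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the LogoFAIL bug class, not vendor code.
 * Invented "LOGO" format, little-endian header:
 *   u32 width, u32 height, u8 bytes-per-pixel, then width*height*bpp pixel bytes.
 * The firmware decodes it into a fixed-size framebuffer. */
#define HDR_LEN   9
#define FB_WIDTH  64
#define FB_HEIGHT 64
#define FB_BPP    4

static uint8_t framebuffer[FB_WIDTH * FB_HEIGHT * FB_BPP];

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* a*b into *out without wrapping; returns 0 if it does not fit in size_t. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* VULNERABLE: the copy length comes straight from attacker-controlled header
 * fields. A header claiming a huge image on a tiny file makes memcpy write past
 * the framebuffer and read past the input. Never call this on untrusted data. */
int decode_logo_vulnerable(const uint8_t *img, size_t len)
{
    if (len < HDR_LEN)
        return -1;
    uint32_t w = rd32le(img), h = rd32le(img + 4);
    uint8_t bpp = img[8];
    size_t need = (size_t)w * h * bpp;        /* unchecked, can also wrap */
    memcpy(framebuffer, img + HDR_LEN, need); /* unbounded copy */
    return 0;
}

/* HARDENED: every header-derived quantity is validated against the destination
 * size and the real input length before any byte is copied. Returns 0 ok,
 * -1 short header, -2 bad dimensions, -3 does not fit, -4 file truncated. */
int decode_logo_hardened(const uint8_t *img, size_t len)
{
    if (img == NULL || len < HDR_LEN)
        return -1;
    uint32_t w = rd32le(img), h = rd32le(img + 4);
    uint8_t bpp = img[8];
    if (w == 0 || h == 0 || bpp == 0 || w > FB_WIDTH || h > FB_HEIGHT || bpp > FB_BPP)
        return -2;
    size_t pixels, need;
    if (!mul_ok(w, h, &pixels) || !mul_ok(pixels, bpp, &need) ||
        need > sizeof framebuffer)
        return -3;
    if (need > len - HDR_LEN)                 /* len >= HDR_LEN, no underflow */
        return -4;
    memcpy(framebuffer, img + HDR_LEN, need);
    return 0;
}

/* Builds a constructed test image: header fields as given plus `payload`
 * bytes of 0xAB. Returns the total length, or 0 if `cap` is too small. */
size_t make_logo(uint8_t *buf, size_t cap, uint32_t w, uint32_t h,
                 uint8_t bpp, size_t payload)
{
    if (cap < HDR_LEN + payload)
        return 0;
    for (int i = 0; i < 4; i++) {
        buf[i]     = (uint8_t)(w >> (8 * i));
        buf[4 + i] = (uint8_t)(h >> (8 * i));
    }
    buf[8] = bpp;
    memset(buf + HDR_LEN, 0xAB, payload);
    return HDR_LEN + payload;
}

/* Runs the hardened decoder on a constructed image and returns its result. */
int hardened_result(uint32_t w, uint32_t h, uint8_t bpp, size_t payload)
{
    uint8_t img[HDR_LEN + 64];
    size_t n = make_logo(img, sizeof img, w, h, bpp, payload);
    return n ? decode_logo_hardened(img, n) : -99;
}

int main(void)
{
    printf("benign 2x2x4, 16 bytes    -> %d\n", hardened_result(2, 2, 4, 16));
    printf("crafted 4096x4096x4, 16 B -> %d (rejected before any copy)\n",
           hardened_result(4096, 4096, 4, 16));
    /* decode_logo_vulnerable on the crafted image would memcpy 64 MiB out of
     * a 25-byte buffer; that is the bug, so it is deliberately not run here. */
    return 0;
}
```

The hardened decoder rejects the crafted header on dimensions alone, and a second, independent check against the real input length catches truncated files that pass the dimension check; both run before memcpy, which is the only place bytes move.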

Adobe ColdFusion CVE-2023-26360 exploited as an entry point into US government servers

A US Federal Civilian Executive Branch (FCEB) agency was targeted, and the attackers established an initial foothold by exploiting CVE-2023-26360. The vulnerability is present in unpatched and end-of-life (EOL) versions of Adobe ColdFusion, a platform commonly used for web-application development.

Two systems were affected; both were running outdated software, which allowed the attackers to map the network the servers sat on. No evidence of data exfiltration or of pivoting to other parts of the network was found.

Keeping outdated, unpatched, public-facing servers in service exposes an organisation to unnecessary risk; this incident is a reminder to upgrade or decommission EOL software.

15,000 Go module repositories can fall victim to a repojacking attack

Repojacking is an attack on GitHub repositories: when a user renames their account, a bad actor registers the old username and creates a repository under the old repository name, so anyone still fetching code from the old owner/repository path receives the attacker's code. That makes it a convenient vehicle for supply-chain attacks.

Go modules are identified by their import path and are normally fetched straight from the source repository (for example github.com/<owner>/<repo>) rather than from a central registry like PyPI or npm, so a hijacked GitHub path serves the attacker's code directly to the builds that fetch it.

GitHub has a “popular repository namespace retirement” protection intended to block re-registration of widely used owner/repository names, but it is not a complete safeguard. The usual supply-chain hygiene still applies: pin module versions, keep go.sum checksums under version control so that a module whose contents change is detected at build time, and keep SBOMs (Software Bills of Materials) up to date.

Recent Bluetooth flaw allows unauthenticated keystroke injection on Android, Linux, macOS and iOS devices

CVE-2023-45866 is an authentication bypass that lets an attacker within Bluetooth range connect to a vulnerable device without the user's confirmation and inject keystrokes, which in practice amounts to arbitrary command execution on the device, not unlike the scenes in the TV series Mr. Robot.

The attacking device presents itself as a Bluetooth HID (Human Interface Device) keyboard and emulates keystrokes, abusing an unauthenticated pairing mechanism that is described in the Bluetooth specification. The practical mitigation is to install vendor updates as they arrive and to disable Bluetooth when it is not in use.

Hidden Linux rootkit Krasue found in the wild after more than two years

Krasue is a Linux RAT (remote access trojan) with a rootkit component that hides it. Although it is built on three other Linux RATs, it stayed undetected for more than two years. It has mainly been deployed against telecommunications companies in Thailand, in the later stages of an intrusion, to maintain access.

Several IP addresses of its C2 (command-and-control) servers have been identified, and investigation continues into the initial infection vector and possible botnet involvement.

Spectre-based SLAM attack affects Intel, Arm and AMD CPUs

SLAM (Spectre based on Linear Address Masking) is a transient-execution attack that exploits a class of CPU features (Intel LAM, AMD UAI and Arm TBI) which let software store metadata in the upper, untranslated bits of a 64-bit linear address: the CPU ignores those bits when translating the address, so a kernel can use them for pointer tagging without masking them off before each memory access.

Because the relaxed canonical-address check no longer faults on pointers whose upper bits carry attacker-influenced data, many more existing instruction sequences in software (Spectre gadgets) become usable for leaking secrets under speculative execution, including data belonging to other programs and to the operating system kernel. The issue was responsibly disclosed; vendors either shipped patches or stated that their existing mitigations are sufficient.
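The address-bit rule SLAM builds on, modelled in software as an added example (this is neither the SLAM exploit nor Intel's or the researchers' code): with Intel LAM57 the tag lives in bits 62:57, translation uses bits 56:0, and the canonical check shrinks from "bits 63:57 all equal bit 56" to "bit 63 equals bit 56". The helper names (lam57_tag, lam57_strip, canonical_no_lam, canonical_lam57, tagged_pointer_roundtrip) and the sample addresses are ours; AMD UAI and Arm TBI use their own bit layouts and are not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of Intel LAM57 on a 5-level-paging system (constructed for
 * this example, not the SLAM attack):
 *   bit 63      user (0) / kernel (1) half of the address space
 *   bits 62:57  ignored by translation, free for software metadata (a "tag")
 *   bits 56:0   the address that is actually translated
 * Without LAM, bits 63:57 must all equal bit 56 or the access faults.
 * With LAM57 only bit 63 must equal bit 56. */
#define LAM57_TAG_SHIFT 57
#define LAM57_TAG_BITS  6
#define LAM57_TAG_MASK  ((((uint64_t)1 << LAM57_TAG_BITS) - 1) << LAM57_TAG_SHIFT)
#define LAM57_ADDR_MASK (((uint64_t)1 << LAM57_TAG_SHIFT) - 1)

/* Store a 6-bit tag in bits 62:57, leaving the address and bit 63 untouched. */
uint64_t lam57_tag(uint64_t addr, unsigned tag)
{
    uint64_t t = ((uint64_t)tag << LAM57_TAG_SHIFT) & LAM57_TAG_MASK;
    return (addr & ~LAM57_TAG_MASK) | t;
}

/* Read the tag back out of bits 62:57. */
unsigned lam57_tag_of(uint64_t addr)
{
    return (unsigned)((addr & LAM57_TAG_MASK) >> LAM57_TAG_SHIFT);
}

/* What LAM57 hardware does implicitly: drop the tag, sign-extend from bit 56. */
uint64_t lam57_strip(uint64_t addr)
{
    uint64_t lo = addr & LAM57_ADDR_MASK;
    return (lo & ((uint64_t)1 << 56)) ? (lo | ~LAM57_ADDR_MASK) : lo;
}

/* Canonical check on a 5-level-paging CPU without LAM: bits 63:56 all 0 or all 1. */
int canonical_no_lam(uint64_t addr)
{
    uint64_t top = addr >> 56;
    return top == 0 || top == 0xFF;
}

/* Canonical check with LAM57 enabled: only bit 63 must equal bit 56. */
int canonical_lam57(uint64_t addr)
{
    return ((addr >> 63) & 1) == ((addr >> 56) & 1);
}

/* Round-trip through a real pointer: tag it, then strip the tag as LAM would
 * before the dereference. On a CPU without LAM the tagged value itself is
 * non-canonical and dereferencing it faults; the explicit strip is what makes
 * it usable here. */
int tagged_pointer_roundtrip(unsigned tag)
{
    int value = 1234;
    uint64_t raw = (uint64_t)(uintptr_t)&value;
    uint64_t tagged = lam57_tag(raw, tag);
    int *p = (int *)(uintptr_t)lam57_strip(tagged);
    return *p;
}

int main(void)
{
    uint64_t user = 0x00007f0000001000ULL;   /* typical user-space address */
    uint64_t kern = 0xffff888000001000ULL;   /* typical kernel direct-map address */
    uint64_t tu = lam57_tag(user, 0x2A), tk = lam57_tag(kern, 0x05);

    printf("user   %016llx -> %016llx tag=%#x noLAM=%d LAM57=%d\n",
           (unsigned long long)user, (unsigned long long)tu, lam57_tag_of(tu),
           canonical_no_lam(tu), canonical_lam57(tu));
    printf("kernel %016llx -> %016llx tag=%#x noLAM=%d LAM57=%d\n",
           (unsigned long long)kern, (unsigned long long)tk, lam57_tag_of(tk),
           canonical_no_lam(tk), canonical_lam57(tk));
    printf("roundtrip through a real pointer: %d\n", tagged_pointer_roundtrip(0x11));
    return 0;
}
```

The two canonical checks are the whole story: a tagged pointer that canonical_no_lam rejects is accepted by canonical_lam57, which is why a gadget that dereferences a pointer with attacker data in its upper bits stops faulting once the feature is enabled.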

The 2023 Kubernetes Security Report

Wiz has published its Kubernetes security report for 2023, based on around 200,000 instances; the main take-home messages are:

  • The control plane is better protected than the data plane: containers that are directly exposed to the public need more protection.
  • Lateral movement is still a problem: too little network segmentation is in place, and many vulnerable pods are able to talk back to the cloud provider's services.
  • Most egregiously, many of Kubernetes' built-in security controls are left unused; more effort on adopting them is required.


Great, Alexander! This is truly an insightful dive into the intricate world of cybersecurity. The in-depth exploration of LogoFAIL, Repojacking, and the Adobe ColdFusion CVE-2023-26360 exploit sheds light on vulnerabilities that cannot be overlooked. The discovery of the stealthy Linux rootkit, Krasue, after a prolonged period makes one question the level of sophistication in modern cyber threats. Looking forward to gaining more expert perspectives every month. Any thoughts on proactive measures against these emerging vulnerabilities?