
Cybersecurity Today: GitHub Attacks & Microsoft's November Patch Tuesday Updates In this episode of Cybersecurity Today, host Jim Love highlights critical cybersecurity updates. The episode covers malicious attacks on GitHub projects, including an...
This episode of Cybersecurity Today is brought to you by CDW Canada Tech Talks. If you're passionate about technology and innovation, this is the podcast for you. Join host KJ Burke as he and industry experts dive into the latest trends, insights and strategies shaping the tech landscape in Canada. Visit CDW CA Tech Talks to tune in today. There's a link in the show notes. And now back to our regularly scheduled programming.

Microsoft confirms four zero days in November Patch Tuesday. New ransomware targets Veeam backup software. And a Microsoft Exchange update fixes security flaws but disrupts mail transport rules. This is Cybersecurity Today. I'm your host, Jim Love.

Multiple GitHub projects have been targeted with malicious code commits and pull requests, seemingly aiming to inject backdoors into open source repositories. The attack recently came to light when Exo Labs, an AI and machine learning startup, flagged an innocent-looking pull request attempting to compromise its code base. The pull request modified a Python file, embedding a sequence of Unicode numbers that, when decoded, formed a script to download and execute a remote payload from evildojo.com. If merged, this code would have created a functional backdoor allowing remote code execution on user systems. However, the payload URL never hosted any content, suggesting the intent was more complex than a direct cyber attack. The pull request originated from the now-deleted GitHub account EvilDojo666, which impersonated Texas-based security researcher Mike Bell. Bell has denied any involvement, stating, "There was never any payload. This is a smear campaign." A second impersonator account, darkimage666, has also been linked to similar malicious activity. Both accounts have since been removed. The evidence suggests a coordinated effort to frame Bell, as anyone can create a GitHub account using another person's details and submit pull requests under their name.

The absence of a payload at the linked URL further supports the theory that this was a reputation attack, but it wasn't an isolated incident. At least 18 similar pull requests were identified across open source projects, including yt-dlp, a popular video downloader. Many accounts linked to these attacks have been traced to Indonesia-based actors, according to threat intelligence reports. The malicious commits were caught early by vigilant project maintainers and automated tools like Presubmit's AI Reviewer, which flagged the Exo Labs pull request with a critical security alert. These tools, powered by GitHub Actions, are increasingly vital in defending against such threats in open source supply chains. While the attack was thwarted, it underscores the risk of supply chain vulnerabilities in open source software. It also highlights the ease with which impersonation can occur in online ecosystems, leaving individuals and projects exposed to reputational as well as security risks. This incident follows other high-profile attacks on open source projects, demonstrating the ongoing need for robust code review processes and vigilance against malicious activity.

Microsoft has disclosed over 90 security issues in its November Patch Tuesday release, including four zero-day vulnerabilities, two of which are being actively exploited. These vulnerabilities impact multiple Microsoft projects, including Windows, Office and Exchange Server. Immediate updates are recommended to mitigate potential risks. The key zero-day vulnerabilities include CVE-2024-43451, an NTLM hash disclosure spoofing attack. This vulnerability exposes NT LAN Manager authentication hashes, potentially allowing attackers to authenticate as users. Exploitation requires user interaction, such as opening a malicious file delivered via phishing. And CVE-2024-49039, a Windows Task Scheduler elevation of privilege. Attackers could exploit this vulnerability to gain elevated privileges on a compromised system using Remote Procedure Call, or RPC, functions. Exploitation requires access to the target system and the ability to run a malicious application. Two additional vulnerabilities scored 9.8 out of 10 on the Common Vulnerability Scoring System, CVSS. CVE-2024-43498 is a .NET vulnerability that allows unauthenticated remote attackers to target .NET web apps, and CVE-2024-43639 is a Windows Kerberos vulnerability enabling code execution by unauthenticated attackers. These vulnerabilities indicate high attack, said Tyler Reguly, a security expert at Fortra. Exploitation could lead to significant systems compromise, making prompt updates essential. Security experts are emphasizing that updating Windows systems and Microsoft software immediately is the best defense.

A critical vulnerability in Veeam Backup & Replication software with a CVSS score of 9.8 is actively exploited by a new ransomware variant called Frag, according to a report from Sophos X-Ops. This marks the latest in a series of attacks targeting the same flaw, following similar campaigns by the Akira and Fog threat groups. Attackers gain initial access to a compromised VPN appliance and then exploit the Veeam vulnerability to infiltrate systems. They create new administrator accounts to establish persistence. Recent incidents have seen accounts named Point and Point2 being set up by attackers. Frag employs tactics, techniques, and procedures consistent with the Akira and Fog ransomware groups, indicating a possible overlap or a shared playbook among these operators. The CVE, unpatched in some environments, offers attackers significant control, enabling data exfiltration and ransomware deployment with ease. The continued exploitation of this Veeam vulnerability highlights the increasing danger for organizations relying on unpatched or outdated backup systems. Ransomware groups are intensifying their efforts, and the proliferation of similar TTPs suggests the vulnerability remains a high-value target. What to do: Patch immediately: ensure the Veeam Backup & Replication software is updated with the latest security patches. Audit access: review VPN and remote access configurations to detect unauthorized accounts like Point or Point2. And monitor for threat indicators: watch for signs of compromise, including suspicious admin account activity or unusual file access.

And as much as everyone recommends early patching of systems, Microsoft has paused the rollout of its November 2024 Exchange Server security update after discovering it disrupts transport rules, a feature critical to email compliance and flow. The update, designed to address vulnerabilities in Exchange Server, caused issues for hybrid and on-premises setups, leaving some organizations with interrupted email delivery. The update led to periodic failures of transport rules and data loss protection policies for some customers. In worst-case scenarios, email flow stopped altogether. Organizations without transport or DLP rules appear unaffected and can continue using the update. Transport rules are essential for inspecting emails in transit, enforcing compliance, and managing exceptions before delivery. These rules are widely used for tasks such as inspecting attachments or adding disclaimers to emails. Failures caused by the update rendered these functions unreliable or completely inoperative. After customer complaints surfaced on social media and forums, Microsoft pulled the update on November 14th. For affected users, the company recommends uninstalling the patch and waiting for a revised version. While Microsoft acted quickly to pause the rollout, the incident raises questions about its testing procedures. Exchange Server remains a key target for cyberattacks, and maintaining security through updates is critical. However, breaking a core function like mail flow risks significant disruption for businesses, in a world where early patching is not a luxury, it's a necessity. It's hard to blame organizations for not patching quickly if the patches are going to break key areas of their systems and operations.

And that's our show for today. Thanks to our sponsors, CDW and KJ Burke's CDW Canada Tech Talks. Check it out if you get the chance. You can find it, like us, on Spotify, Apple, or wherever you get your podcasts. Reach me at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Release Date: November 18, 2024
The episode opens with Jim Love discussing a sophisticated attempt to tarnish the reputation of security researcher Mike Bell through malicious activities on GitHub.
Incident Overview:
Multiple GitHub projects were targeted with malicious code commits and pull requests aimed at injecting backdoors into open-source repositories. A notable case involved Exo Labs, an AI and machine learning startup, which identified a seemingly benign pull request that altered a Python file to include a sequence of Unicode numbers. When decoded, this sequence formed a script designed to download and execute a remote payload from evildojo.com, which, had it been merged, would have created a backdoor for remote code execution on user systems.
Impersonation Tactics:
The malicious pull request originated from a since-deleted GitHub account, EvilDojo666, which impersonated Texas-based security researcher Mike Bell. Bell vehemently denied any involvement, labeling the incident a smear campaign. A similar account, darkimage666, was also linked to comparable malicious activity before being removed.
Insight from Jim Love:
At [05:30], Jim Love remarked: "This evidence strongly suggests a coordinated effort to frame Bell, exploiting the ease with which impersonation can occur on platforms like GitHub."
Scope and Detection:
At least 18 similar pull requests were detected across various open-source projects, including the popular video downloader yt-dlp. Threat intelligence reports traced many of these attacks to Indonesia-based actors. The swift detection was largely due to vigilant project maintainers and automated defense tools like Presubmit's AI Reviewer, which flagged the Exo Labs pull request with a critical security alert ([07:45]).
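The obfuscation described above (a long list of integer code points, decoded with chr() and handed to exec) is easy to catch mechanically before a human reviewer ever sees the diff. The following is an added example, not code from the episode, from Exo Labs, from yt-dlp or from Presubmit's reviewer: a small AST-based check that a maintainer could run on changed Python files in a pull-request workflow. It flags any string assembled from integers that reaches exec/eval/compile, and any suspiciously long integer list that is turned into text. The two sample sources it scans are constructed for this example; the "payload" in the malicious sample is a harmless print statement, and the detector never executes anything it inspects.

```python
"""Added example: heuristic pre-merge check for integer-encoded payloads in Python.

Not the tooling used in the incident; written for illustration. It parses the
source with the standard `ast` module and looks for two patterns:
  1. text built from integers (chr()/map(chr, ...)/bytes([...]).decode()) that is
     passed, directly or via a variable, to exec/eval/compile;
  2. a long literal list of integers being decoded into text at all.
"""
import ast
from dataclasses import dataclass
from typing import List, Set

SINKS = {"exec", "eval", "compile"}
MIN_LIST_LEN = 16  # an integer list at least this long that becomes text is worth a look

# Constructed sample 1: the obfuscation pattern. INNER is deliberately harmless.
INNER = "print('hello from decoded payload')"
CODEPOINTS = [ord(c) for c in INNER]
MALICIOUS_SAMPLE = f"""
import os
def helper():
    payload = ''.join(chr(c) for c in {CODEPOINTS})
    exec(payload)
"""

# Constructed sample 2: ordinary code that must not be flagged.
BENIGN_SAMPLE = """
def greet(name):
    return 'hello ' + name
"""


@dataclass
class Finding:
    lineno: int
    reason: str


def _func_name(call: ast.Call) -> str:
    """Plain name of the callee for exec(...), bytes(...), x.decode(...), else ''."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return ""


def _int_list_len(node: ast.AST) -> int:
    """Length of the longest list/tuple literal of integer constants under node."""
    longest = 0
    for sub in ast.walk(node):
        if isinstance(sub, (ast.List, ast.Tuple)) and sub.elts and all(
            isinstance(e, ast.Constant)
            and isinstance(e.value, int)
            and not isinstance(e.value, bool)
            for e in sub.elts
        ):
            longest = max(longest, len(sub.elts))
    return longest


def _decodes_ints(node: ast.AST) -> bool:
    """True if the expression turns integers into text: any use of chr, or
    bytes(...)/bytearray(...) followed by .decode(...)."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id == "chr":
            return True
        if isinstance(sub, ast.Call) and _func_name(sub) == "decode":
            receiver = sub.func.value if isinstance(sub.func, ast.Attribute) else None
            if isinstance(receiver, ast.Call) and _func_name(receiver) in {"bytes", "bytearray"}:
                return True
    return False


def find_suspicious(source: str) -> List[Finding]:
    """Return findings (sorted by line) for integer-decoded text reaching a code sink."""
    tree = ast.parse(source)
    findings: List[Finding] = []
    tainted: Set[str] = set()  # variable names assigned from decoded integers

    # Pass 1: record names bound to decoded text; flag long integer lists being decoded.
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _decodes_ints(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    tainted.add(target.id)
            if _int_list_len(node.value) >= MIN_LIST_LEN:
                findings.append(Finding(node.lineno, "string built from a long integer list"))

    # Pass 2: dynamic-code sinks fed by decoded text, directly or through a tainted name.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _func_name(node) in SINKS:
            for arg in node.args:
                if _decodes_ints(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                    findings.append(Finding(node.lineno, f"{_func_name(node)}() on text decoded from integers"))
                    break

    findings.sort(key=lambda f: f.lineno)
    return findings


if __name__ == "__main__":
    for label, src in (("constructed malicious sample", MALICIOUS_SAMPLE), ("benign sample", BENIGN_SAMPLE)):
        hits = find_suspicious(src)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h.lineno}: {h.reason}")
```

This is a heuristic, not a proof of malice: code that legitimately builds text from code points will trip the long-list rule, and an attacker can pick an encoding the check does not know about. Its value is that it runs in seconds on every pull request and fails the check before a tired maintainer reads a 40-line list of numbers as "test data".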
Conclusion:
Jim Love emphasized the increasing risks associated with open-source supply chains, stating, “[10:15] While the attack was thwarted, it underscores the persistent vulnerabilities in our software supply chains and the critical need for robust code review processes.”
Jim Love delves into Microsoft's November Patch Tuesday, highlighting over 90 security issues, including four zero-day vulnerabilities, two of which are currently exploited in the wild.
Key Vulnerabilities Discussed:
CVE-2024-43451: An NTLM hash disclosure spoofing vulnerability that exposes NT LAN Manager (NTLM) authentication hashes, potentially allowing attackers to authenticate as the affected users. Exploitation requires user interaction, such as opening a malicious file delivered via phishing ([15:20]).
CVE-2024-49039: A Windows Task Scheduler elevation of privilege vulnerability. Attackers can gain elevated privileges on a compromised system using Remote Procedure Call (RPC) functions. This requires access to the target system and the ability to run a malicious application ([18:05]).
CVE-2024-43498: A .NET vulnerability permitting unauthenticated remote attacks on .NET Web Apps, scoring 9.8 out of 10 on the CVSS ([19:45]).
CVE-2024-43639: A Windows Kerberos vulnerability enabling unauthenticated attackers to execute code, also scoring 9.8 CVSS ([20:30]).
Expert Opinion:
Tyler Reguli, a security expert at Fortra, was quoted by Jim Love: “[22:10] Exploitation could lead to significant systems compromise, making prompt updates essential.”
Recommendations:
Jim Love advises listeners to update Windows systems and Microsoft software immediately to mitigate these vulnerabilities. He stresses the importance of timely patching as the primary defense against these high-severity threats.
The podcast shifts focus to the alarming rise in ransomware attacks targeting Veeam backup and replication software.
Attack Details:
A new ransomware variant named FRAG is actively exploiting a critical vulnerability in Veeam software, scoring 9.8 on the Common Vulnerability Scoring System (CVSS). This marks a continuation of attacks following similar campaigns by threat groups Akira and FOG.
Attack Mechanism:
Attackers initially gain access through compromised VPN appliances before exploiting the Veeam vulnerability to infiltrate systems. They establish persistence by creating new administrator accounts, often named Point and Point2, to maintain control over the affected networks.
Industry Impact:
Jim Love highlights that FRAG utilizes tactics consistent with Akira and FOG ransomware groups, indicating a possible overlap or shared methodologies among these attackers ([30:55]). This similarity suggests that organizations must brace for ongoing and potentially more sophisticated assaults.
Preventative Measures:
Listeners are urged to:
Patch immediately: ensure Veeam Backup & Replication is updated with the latest security patches.
Audit access: review VPN and remote access configurations to detect unauthorized accounts such as Point or Point2.
Monitor for threat indicators: watch for signs of compromise, including suspicious admin account activity or unusual file access.
Conclusion:
Jim Love warns that the persistent exploitation of the Veeam vulnerability underscores the critical need for organizations to maintain up-to-date security measures, especially for backup systems that are prime targets for ransomware deployment.
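The "audit access" and "monitor for threat indicators" advice above is concrete enough to turn into a detection. The following is an added example, not from the episode or from Sophos X-Ops: a small Python routine that walks Windows Security audit events and raises an alert when an account is created and then placed in an administrative group within a short window (the persistence step described for Frag), or when a newly created account carries one of the names reported in those incidents. It assumes the events have already been collected (for instance by a SIEM or Windows Event Forwarding) and flattened into records with the fields used here; the event IDs are the standard ones (4720 user account created, 4732 member added to a security-enabled local group, 4728 member added to a security-enabled global group). The sample events are constructed for this example, not real logs.

```python
"""Added example: flag freshly created accounts that are promoted to admin.

Illustrative detection over flattened Windows Security events; the record
layout (time/id/target/group/subject) is an assumption about how your collector
normalizes events, not a Windows format.
"""
from datetime import datetime, timedelta
from typing import Dict, List

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
WATCHLIST = {"point", "point2"}  # account names reported in the Frag intrusions
PROMOTION_WINDOW = timedelta(minutes=30)  # created-then-promoted faster than this is suspicious

# Constructed sample events: 4720 = account created, 4732/4728 = added to a group.
SAMPLE_EVENTS = [
    {"time": "2024-11-12T02:14:05", "id": 4720, "target": "point", "subject": "svc_backup"},
    {"time": "2024-11-12T02:14:40", "id": 4732, "target": "point", "group": "Administrators", "subject": "svc_backup"},
    {"time": "2024-11-12T02:15:02", "id": 4720, "target": "point2", "subject": "svc_backup"},
    {"time": "2024-11-12T02:15:30", "id": 4728, "target": "point2", "group": "Domain Admins", "subject": "svc_backup"},
    {"time": "2024-11-12T09:00:00", "id": 4720, "target": "jsmith", "subject": "helpdesk1"},
    {"time": "2024-11-13T11:30:00", "id": 4732, "target": "jsmith", "group": "Remote Desktop Users", "subject": "helpdesk1"},
    {"time": "2024-11-14T08:00:00", "id": 4732, "target": "jsmith", "group": "Administrators", "subject": "helpdesk1"},
]


def detect_new_admins(events: List[dict], window: timedelta = PROMOTION_WINDOW) -> List[dict]:
    """Return alerts, in time order, for watchlisted names and rapid admin promotion.

    Each alert is a dict: account, rule, subject (who did it), time (ISO string).
    """
    created_at: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        account = ev["target"].lower()
        if ev["id"] == 4720:
            created_at[account] = when
            if account in WATCHLIST:
                alerts.append({"account": account, "rule": "watchlist_name",
                               "subject": ev["subject"], "time": ev["time"]})
        elif ev["id"] in (4732, 4728) and ev.get("group", "").lower() in ADMIN_GROUPS:
            born = created_at.get(account)
            # Only a creation followed by promotion inside the window is the pattern we want;
            # a long-standing account being added to Administrators (jsmith two days later)
            # is a change-control question, not this alert.
            if born is not None and when - born <= window:
                alerts.append({"account": account, "rule": "new_account_promoted",
                               "subject": ev["subject"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in detect_new_admins(SAMPLE_EVENTS):
        print(f"{a['time']}  {a['rule']:<22} account={a['account']} by={a['subject']}")
```

In practice the window and group list are tuned per environment, and the "subject" field (the account that performed the change) is often the more useful pivot: an account-creation burst performed by a backup service identity, as in the constructed sample, is exactly what a Veeam-server compromise looks like from the domain controller's point of view.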
The episode concludes with a discussion on Microsoft's problematic Exchange Server update released in November 2024.
Issue Summary:
Microsoft temporarily halted the deployment of its November Exchange Server security update on November 14th after it was discovered that the update disrupts transport rules—a vital feature for email compliance and flow.
Impact on Organizations:
The flawed update affected hybrid and on-premises setups, leading to interrupted email delivery. Organizations relying on transport rules for inspecting emails, enforcing compliance, and managing exceptions experienced periodic failures and, in some cases, complete stoppage of email flow ([40:10]).
Microsoft’s Response:
Following customer complaints on social media and forums, Microsoft recommended that affected users uninstall the patch and await a revised version. Jim Love commented, “[42:35] It’s a challenging situation where the necessity of early patching is pitted against the operational risks of disrupted core functionalities.”
Broader Implications:
This incident raises critical questions about Microsoft’s testing procedures for updates. Jim Love emphasizes the importance of maintaining security through updates while ensuring that essential business operations remain unaffected. He notes, “[45:00] It’s difficult to fault organizations for delayed patching when updates can jeopardize key systems and processes.”
Jim Love wraps up the episode by reiterating the importance of vigilance and proactive security measures in the face of evolving cyber threats. He encourages listeners to stay informed and prioritize both security and operational stability within their organizations.
This comprehensive summary encapsulates the key discussions, insights, and conclusions from the November 18, 2024 episode of Cybersecurity Today, providing listeners and non-listeners alike with a thorough understanding of the latest cybersecurity threats and responses.