
Ankura CTIX FLASH Update - April 16, 2024

Ransomware/Malware Activity

 

New Spectre v2 Attack Demonstrated by Researchers

Researchers in the VUSec group at VU Amsterdam have released details of a new Spectre v2 attack, which they call Native BHI, that affects Linux systems running modern Intel processors through a speculative execution side channel. The original Spectre attacks were disclosed in 2018 and were among the first microarchitectural timing side-channel attacks to exploit speculative execution. Speculative execution is a performance technique in which the processor predicts the outcome of a branch and begins executing instructions down the predicted path before the outcome is known. Work from a misprediction is discarded architecturally, but its footprint in the CPU caches survives, and an attacker who can influence what the processor speculatively executes can recover data from that footprint with a timing measurement. Spectre v2 attacks do this by poisoning the branch predictor: Branch Target Injection (BTI) steers an indirect branch to an attacker-chosen target, and Branch History Injection (BHI) manipulates the branch history so that a privileged victim speculatively reaches a gadget even on processors with hardware mitigations such as eIBRS. The new attack has been assigned CVE-2024-2201 and allows an unprivileged local attacker to leak arbitrary kernel memory by steering kernel speculation to a chosen gadget and observing the cache side channel; VUSec has released a video demonstrating the leak. The researchers also released InSpectre Gadget, a tool for finding exploitable gadgets in the Linux kernel, which is how they showed that the kernel's own code contains enough gadgets for the attack without attacker-supplied eBPF programs. In response, Intel has updated its Spectre v2 mitigation guidance, Linux kernel patches add software sequences that clear the branch history at the user/kernel boundary (patched kernels report the result as a BHI field in /sys/devices/system/cpu/vulnerabilities/spectre_v2), and Intel has indicated that future processors will include hardware mitigations for BHI. CTIX analysts will continue to report on new and emerging attack vectors and related campaigns.
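The first thing an administrator wants to know after reading the above is whether a given Linux host is actually mitigated. The following script is an added example (it is not VUSec's or Ankura's code) that reads the kernel's own status line for Spectre v2 and classifies the BHI field; the sample status lines embedded in it are constructed in the format the kernel uses, not captured from real hosts, and the sysfs path is the standard one on x86 Linux.

```sh
#!/bin/sh
# Added example (not VUSec's or Ankura's code): read the Linux kernel's own
# report of Spectre v2 / BHI mitigation status for this host. Patched kernels
# append a "BHI: ..." field to the spectre_v2 sysfs entry; a kernel that
# predates the CVE-2024-2201 fixes has no BHI field at all.

SYSFS_SPECTRE_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_bhi STATUS_LINE
# Prints one of: not_affected, vulnerable, mitigated, unknown.
# Pattern order matters: the whole-line "Not affected" / "Vulnerable" states
# (CPU not affected, or mitigations=off) are checked before the BHI field.
classify_bhi() {
    line=$1
    case "$line" in
        "Not affected"*|*"BHI: Not affected"*) echo not_affected ;;
        "Vulnerable"*|*"BHI: Vulnerable"*)    echo vulnerable ;;
        *"BHI: "*)                            echo mitigated ;;  # e.g. "BHI: SW loop, KVM: SW loop", "BHI: BHI_DIS_S", "BHI: Retpoline"
        *)                                    echo unknown ;;    # no BHI field: kernel lacks the reporting, and the fix
    esac
}

# report_host -> classification for the running kernel, or unknown when the
# sysfs file is absent (non-x86 machine, or a very old kernel)
report_host() {
    if [ -r "$SYSFS_SPECTRE_V2" ]; then
        classify_bhi "$(cat "$SYSFS_SPECTRE_V2")"
    else
        echo unknown
    fi
}

# Constructed sample status lines (not captured from real hosts), in the
# format the kernel uses, to show each classification:
echo "SW loop example : $(classify_bhi 'Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: SW loop, KVM: SW loop')"
echo "unmitigated     : $(classify_bhi 'Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable')"
echo "pre-fix kernel  : $(classify_bhi 'Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected')"
echo "this host       : $(report_host)"
```

Treat "unknown" as unmitigated for inventory purposes: a kernel that does not print a BHI field has not received the patches that report it. "mitigated" reports what the kernel is doing, not whether the firmware microcode is current, so pair the check with the distribution's microcode package status.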

 

Threat Actor Activity

 

Threat Actors Target LastPass with Attempted AI-Generated Phishing Attack

LastPass, a password management platform, recently disclosed an attempted voice phishing (vishing) attack in which a threat actor used deepfake audio to impersonate the company's CEO, Karim Toubba, in messages to one of its employees. The threat actor contacted the employee over WhatsApp, leaving a series of calls, text messages, and at least one voicemail carrying the audio deepfake. WhatsApp is not a channel the company uses for business communication, and that mismatch is what first led the employee to treat the activity as suspicious. The messages also showed other red flags common in social engineering attempts, such as forced urgency. The employee ignored the messages and reported them to the company's internal security team. LastPass was not affected by the attempt, but chose to publicize the incident to highlight that AI-generated deepfakes are being used in the wild and that threat actors can apply the technology to executive impersonation fraud, as was done against LastPass. The case illustrates how deepfake technology makes it harder to authenticate identities remotely. It is part of a broader trend: the U.S. Department of Health and Human Services (HHS) has issued alerts on similar social engineering tactics and AI voice-cloning tools that could be used to target IT help desks, the FBI has warned about the potential widespread use of deepfakes in cyber and foreign influence operations, and Europol has predicted that deepfakes could become commonplace in cybercriminal activities such as CEO fraud, evidence tampering, and the creation of non-consensual pornography.
The rise of deepfake technology calls for heightened awareness and stronger controls: out-of-band verification of sensitive requests (for example, calling the requester back on a number already on file rather than trusting the inbound channel, and never completing a payment, credential reset, or MFA enrollment on the strength of a voice alone), training for staff to recognize social engineering, and revalidation of users with access to critical systems. CTIX analysts will continue monitoring evolving cyber threats so that organizations can remain vigilant and implement proactive security measures.

 

Vulnerabilities

 

Palo Alto Networks Patches Actively Exploited Critical Zero-Day Vulnerability in GlobalProtect VPN

Palo Alto Networks has released urgent patches for a critical zero-day vulnerability in the GlobalProtect feature of its PAN-OS firewall software. The flaw, tracked as CVE-2024-3400 (CVSS 10.0), is a command injection bug that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It affects PAN-OS 10.2, 11.0 and 11.1 firewalls configured with a GlobalProtect gateway or portal; Cloud NGFW, Panorama appliances and Prisma Access are not affected. Hotfixes (10.2.9-h1, 11.0.4-h1 and 11.1.2-h3) have been released, with fixes for additional maintenance releases following. The vulnerability has been actively exploited since at least March 26, 2024; observed intrusions deployed UPSTYLE, a Python-based backdoor that gives the attacker arbitrary command execution on the device and a foothold for lateral movement into the network. Palo Alto Networks' advisory initially described the issue as affecting only configurations with device telemetry enabled, but the vendor has since clarified that telemetry is not required for exploitation, so disabling telemetry is not a mitigation. The exploitation prompted rapid response actions, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the flaw to its Known Exploited Vulnerabilities catalog and requiring Federal Civilian Executive Branch (FCEB) agencies to implement the mitigations by April 19, 2024. Palo Alto Networks' updates and advisories highlight the escalating challenges of securing internet-facing VPN products in an era of widespread remote work. CTIX analysts recommend that all administrators install the latest patches, apply the vendor's recommended defense-in-depth countermeasures (including the Threat Prevention signature for this CVE where licensed), and review GlobalProtect logs for signs of exploitation attempts, since a device that was exposed before patching may already be compromised.
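Patching closes the hole but does not tell you whether the device was targeted first. Palo Alto Networks' advisory points administrators at the GlobalProtect service log (on the device CLI: grep pattern "failed to unmarshal session" mp-log gpsvc.log*), where an exploitation attempt shows up as an unmarshal error whose session identifier contains a "../" path traversal rather than an ordinary session ID. The script below is an added example (not Palo Alto Networks' or Ankura's code) for triaging gpsvc.log entries that have already been exported off the device; the sample lines it carries are constructed, their timestamp prefix is assumed, and the command portion of a real payload is replaced with a placeholder.

```sh
#!/bin/sh
# Added example (not Palo Alto Networks' or Ankura's code): triage exported
# GlobalProtect gpsvc.log entries for the traversal pattern that the vendor
# advisory associates with CVE-2024-3400 exploitation attempts.

# Constructed sample log lines (not from a real device; the "Apr 12 ..." prefix
# is an assumption about export format). The first unmarshal error is benign
# noise with a normal session ID; the third line carries the "../" sequence
# that marks an attempt. The command part of a real payload is replaced by
# PLACEHOLDER on purpose.
SAMPLE_GPSVC_LINES=$(cat <<'EOF'
Apr 12 03:14:07 gpsvc: failed to unmarshal session(6b1f2f4e-0c9a-4d2e-9b61-1f0a3c7e5d22)
Apr 12 03:14:09 gpsvc: session 6b1f2f4e-0c9a-4d2e-9b61-1f0a3c7e5d22 closed
Apr 12 03:15:22 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/PLACEHOLDER)
EOF
)

# count_unmarshal_traversal < LOG
# Prints the number of unmarshal errors whose session value contains "../".
# That traversal is what separates an attempt from benign unmarshal noise.
# "|| true" keeps the count (grep prints 0) without a non-zero exit status.
count_unmarshal_traversal() {
    grep -c 'failed to unmarshal session([^)]*\.\./' || true
}

# count_unmarshal_all < LOG
# Prints the total number of unmarshal errors, for context when reading the
# suspicious count (a handful of benign ones is normal on a busy portal).
count_unmarshal_all() {
    grep -c 'failed to unmarshal session(' || true
}

# scan_gpsvc_file FILE -> "suspicious=<n> total=<m>"
scan_gpsvc_file() {
    s=$(count_unmarshal_traversal < "$1")
    t=$(count_unmarshal_all < "$1")
    echo "suspicious=$s total=$t"
}

# Demo over the constructed sample: expect 1 suspicious entry out of 2.
printf '%s\n' "$SAMPLE_GPSVC_LINES" | count_unmarshal_traversal
```

Run it as `scan_gpsvc_file /path/to/gpsvc.log` against each exported log. A non-zero suspicious count means the device was at least probed; since the same request is how the backdoor was dropped in observed intrusions, treat the device as potentially compromised and follow the vendor's incident guidance rather than simply patching in place. A zero count is not proof of safety if log retention does not reach back to March 26, 2024.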

 

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
