Ransomware/Malware Activity:
New Pathfinder Attack Can Recover Encryption Keys and Data
Researchers from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google have uncovered two (2) new attack methods targeting high-performance Intel Core Processing Units (CPUs), collectively named "Pathfinder".
These methods exploit vulnerabilities in the branch predictor, particularly the Path History Register (PHR), to launch attacks that can reconstruct a program's control flow history or execute high-resolution Spectre attacks. Spectre attacks utilize branch prediction and speculative execution to bypass application isolation protections and access privileged data. The new techniques enable attackers to manipulate the PHR and the prediction history tables, leaking historical execution data and potentially allowing them to recover AES encryption keys or extract secret images processed by libraries such as libjpeg.
Intel has responded by noting that existing mitigations for previous Spectre attacks also mitigate these new exploits. The study was responsibly disclosed to Intel in November 2023, and the findings highlight significant vulnerabilities in modern CPU designs that are not present in Advanced Micro Devices (AMD) CPUs. CTIX analysts will continue to report on new and evolving forms of malware and associated campaigns.
Threat Actor Activity:
LockBit Claims Attack on City of Wichita, Same Day Gang's Leader Sanctioned
The city of Wichita, Kansas, found itself grappling with a significant cybersecurity crisis following a disruptive cyberattack attributed to the LockBit ransomware gang. The attack came to light on May 5th followed by swift action by the threat actors to add Wichita to their extortion portal just three (3) days later on May 8th, only a few hours after international law enforcement operations publicly named and sanctioned Dmitry Yuryevich Khoroshev, alias "LockBitSupp," as the leader of the LockBit operation.
The attackers encrypted parts of the city's network, prompting authorities to shut down various IT systems. These systems facilitated critical online services, including payment portals for court fines, water bills, and public transportation, significantly impacting the city's operations and its nearly 400,000 residents. In response to the attack, Wichita's IT specialists took immediate action by shutting down affected computers to contain the damage and prevent further spreading.
Additional ramifications extended beyond the immediate disruption of online services. Key public amenities and services, including public Wi-Fi, library systems, and certain public safety services, were forced to revert to manual operations or halt entirely. Electronic payment systems were also compromised, requiring the city’s residents to make payments in cash or by check. This situation also affected public service facilities like golf courses, parks, and courts, as well as essential city functions like the Wichita Transit buses and landfill services. Per the LockBit extortion portal, the city has until May 15th to pay an undisclosed ransom before the stolen files are published.
Vulnerabilities:
TunnelVision VPN Vulnerability Poses Threat to Individuals’ Operational Security
The recently discovered "TunnelVision" vulnerability poses a serious threat to VPN users by potentially nullifying the protective capabilities of VPN connections. First documented in a report by Leviathan Security, this flaw has been inherent in VPN applications since 2002, specifically exploiting a weakness in the Dynamic Host Configuration Protocol (DHCP) that handles static routes on client systems.
The vulnerability tracked as CVE-2024-3661, is exploited by attackers setting up rogue DHCP servers to reroute VPN traffic away from its secure tunnel, exposing it to easy interception on local networks or through malicious gateways. This process, referred to as “decloaking,” strips the VPN traffic of its encryption, making conventional VPN defenses like control channels and kill switches ineffective. The severity of this vulnerability is particularly critical for individuals who depend heavily on secure communications, such as journalists and whistleblowers.
Leviathan Security suggests that one of the potential solutions could involve the use of network namespaces to isolate interfaces and protect routing tables, thereby safeguarding VPN traffic. The broader implications of this vulnerability highlight a crucial need for urgent measures to patch this flaw and secure VPN infrastructures to protect sensitive user data globally.
- The Cyber Express: TunnelVision Vulnerability Article
- Security Week: TunnelVision Vulnerability Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
