CISA Urges Patching of Actively Exploited Linux Kernel Vulnerability

Overview

CISA has issued an urgent advisory concerning a newly discovered security flaw in the netfilter component of the Linux kernel. The flaw is being actively exploited and poses a serious threat because it allows local privilege escalation.

Impact

CVE-2024-1086: A high-severity vulnerability with a CVSS score of 7.8.

It is a use-after-free bug in the netfilter nf_tables component. It can allow a local attacker to escalate privileges from a regular user to root. Netfilter is a Linux kernel framework that supports packet filtering and network address and port translation. Successful exploitation seriously compromises the affected systems.

Another flaw, CVE-2024-24919, in Check Point network gateway security products has a CVSS score of 7.5. It allows unauthorized access to sensitive information on connected gateways that have remote access VPN or mobile access enabled.

Recommendation

CISA advises all federal agencies and organizations using affected systems to apply patches immediately, and no later than June 20, 2024. Also, conduct a thorough review of current systems to address any vulnerabilities in Linux kernel and Check Point products.

Widespread Cyber Attack Disables 600,000+ Routers in the U.S.

Overview

A cunning cyberattack, “Pumpkin Eclipse”, knocked out internet access for hundreds of thousands of Americans in late 2023. It was a large-scale disruption believed to have been carried out by a government-backed group targeting specific router models provided by a major ISP.

Impact

Nearly half of the affected routers were permanently disabled, which forced a massive hardware replacement effort. Millions of people lost access to the internet, and it is now evident that US critical internet infrastructure has severe weaknesses with a potential for widespread disruption.

Recommendation

Patch it up immediately. Update the firmware on all affected router models to close the security holes exploited in the attack. ISPs also need to monitor their networks more closely to spot and stop these threats before they cause havoc. And we all need stronger security measures on our network devices.

Surge in Cyber Attacks Targeting Internet-Exposed OT Devices

Overview

Microsoft has issued a warning about a sharp rise in cyberattacks targeting critical industrial operational technology (OT), such as power plants and water treatment facilities, that is directly connected to the internet.

Hackers have tampered with control panels in factories to disrupt production. Tensions in the Middle East have led to attacks on Israeli infrastructure by Iranian-backed groups, and a nasty piece of malware called Fuxnet is being used to cause serious damage.

Impact

Many of these industrial systems were not designed with strong security in mind. They may have weak passwords, outdated software, or be directly exposed to the internet, making them easy targets. And this isn’t just about financial gain: recent attacks appear linked to geopolitical tensions, with pro-Russia hackers targeting industrial control systems (ICSs) in North America and Europe.

Recommendation

Keep software updated and fix any known security holes. Minimize exposure: don’t connect these systems to the internet unless absolutely necessary, and if you do, keep them segmented from other networks. Trust no one: use strong access controls so that only authorized users can reach these systems, even if an attacker has already compromised another part of the network. Disconnect if not needed: if a system doesn’t need internet access, cut it off!

Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting

Overview

The cyberattacks have been linked to APT28 (also tracked as BlueDelta), a hacking group backed by Russia’s GRU intelligence agency. From April to December 2023, BlueDelta launched a series of remarkably stealthy attacks against European networks. They used a cunning approach to avoid detection, masking their malicious activity behind everyday online services (think social media platforms) and programs already present on the victims’ computers (like the calculator). The HeadLace malware was deployed in three stages, starting with phishing emails that tricked people into clicking malicious links. BlueDelta also set up fake web pages resembling legitimate services such as Yahoo! and Ukrainian email providers to harvest credentials.

Impact

European networks are particularly vulnerable, especially those linked to Ukraine. Unsuspecting victims entered their login credentials on the fake pages, giving the attackers access to their accounts. The group also spied on Ukraine to gather intelligence on Ukrainian military operations, likely to support Russia’s ongoing aggression. They used a complex chain of seven different online resources to deliver malicious scripts that could carry out further attacks, and these scripts were programmed to evade security software and to activate only in specific geographic locations.

Recommendation

Strengthen your email filtering to catch phishing attempts, and train your employees to be suspicious of emails that seem too good to be true. Use advanced tools to spot unusual network activity. Also, keep your software updated, especially your Windows OS: the latest security patches block known vulnerabilities.

OpenAI, Meta, and TikTok Crack Down on Covert Influence Campaigns

Overview

There has been a major push by tech giants like OpenAI, Meta, and TikTok to tackle covert AI-driven influence operations that seek to manipulate public opinion. These campaigns have been traced back to China, Iran, Israel, and Russia and aim to sway political conversations with fake online personas.

Impact

Action by OpenAI: A Russian operation, Bad Grammar, that targeted Ukraine, Moldova, the Baltics, and the US with clunky content in both Russian and English has been countered. OpenAI also disrupted Russia’s notorious Doppelganger network, which pushed pro-Russian narratives by producing multilingual content to influence audiences in Europe and North America, and China’s Spamouflage, which created propaganda across platforms in various languages. Iran’s IUVM, suspected of translating lengthy articles and headlines for its website, has also been pushed back. Meta removed nearly 500 compromised accounts (used by STOIC) that targeted users in Canada and the U.S. TikTok dismantled several covert influence networks from countries including Bangladesh, China, Ecuador, Germany, Guatemala, and Indonesia, and exposed Emerald Divide (an influence campaign targeting Israeli society), among other actions.

Recommendation

Use advanced detection systems to spot AI-generated disinformation. Shore up cybersecurity with regular updates and hardened systems to prevent malicious activity, and follow CISA guidelines and security practices. Make sure your employees are aware of the tactics used in these influence campaigns and can respond to potential threats.

The post WME Security Briefing 10 June 2024 appeared first on Windows Management Experts – Microsoft Solution Partner.