The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good | Cops Arrest Man Behind Babuk Spinoff, Tortilla Ransomware

Dutch police, in cooperation with cyber security firms, have arrested an individual in Amsterdam alleged to be behind the Tortilla variant of Babuk ransomware. As a result of the operation, the threat actor’s decryptor tool was obtained and cybersecurity researchers were able to analyze it, recover the decryption key and create a public decryptor to share with victims.

The arrest and subsequent development of a decryptor is significant as the Tortilla variant had been resistant to other public decryptors available for Babuk ransomware. The Babuk code was leaked in 2021 and has been causing headaches ever since, as cybercriminals can relatively easily create minor variations to produce an endless stream of novel ransomware payloads, including many variants that are being used to attack Linux and VM ESXi servers as well as Windows systems.

The Tortilla variant appeared shortly after the Babuk code leak, and was soon seen infecting victims in the UK, Finland, Germany, Thailand and Ukraine. Tortilla campaigns initially used a chain of vulnerabilities in Microsoft Exchange Server known as ProxyShell to compromise victims. The ransomware takes its name from the name of the original payload, tortilla.exe.

Developers at Avast have now added the Tortilla keys to the generic Babuk ransomware decryptor. Victims needing to unlock files encrypted by Tortilla can download the free Babuk decryptor from NoMoreRansom.

The increasing availability of decryptor tools, along with organizations learning the lesson of ensuring they have offline backups after high-profile ransomware outbreaks like WannaCry and NotPetya, spurred many threat actors to shift tactics toward double extortion, and in some case, to simply demand ransoms for stolen data without encryption at all – a reminder that while decryptors can be helpful and backups are a must-have for all kinds of potential data loss or outage reasons, a strong prevention policy remains essential.

The Bad | AI Chat Assistant Hacked, Gifting Access and Exposing Data

Concerning news around the safety of AI digital assistants emerged this week as researchers claim to have infiltrated an AI chatbot used by fast food franchises for hiring. AI chatbot outfit Chattr apparently fell victim to a security breach exposing sensitive data including personal information of job applicants and internal details of several fast food chains.

Researchers say the gained unauthorized access to Chattr's management portal
Researchers say the gained unauthorized access to Chattr’s management portal

Researchers say they discovered a vulnerability in Chattr after using a script to search for exposed Firebase credentials, a common backend platform for apps. This led to a Firebase configuration linked to fast food chain KFC, revealing a tranche of data including personal details and internal communications.

Using a tool named Firepwn, the researchers gained further access to the Chattr system, including an administrative dashboard that provided control over job application approvals and rejections for various organizations, including other prominent fast food chains Chick-fil-A and Subway.

The researchers says they were able to view conversations between job applicants and Chattr’s bot, make decisions on the candidates’ applications, and access sensitive company information, including:

  • billing information
  • plaintext passwords
  • phone numbers
  • resumes
  • emails
  • full application conversation
  • candidate notes
  • profile pictures
  • addresses
  • all notifications
  • company phone numbers
  • payment information

KFC reportedly said that a lone franchisee had independently contracted with Chattr and the company had no other associations with the digital assistant provider. Chattr apparently fixed the issue the following day after it was reported without much acknowledgment, according to one of the researchers.

At present, there is no indication that the vulnerability was exploited to cause harm. However, as many organizations move to rapid adoption of AI technologies and digital assistants, the incident highlights the importance of ensuring that robust security measures are in place to protect sensitive data.

The Ugly | Chinese Threat Actors Exploit Zero Days in Enterprise VPN Products

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog this week in light of reports that Chinese threat actors have been actively exploiting two zero-day flaws in the Ivanti Connect Secure and Policy Secure VPN products.

Researchers say that CVE-2023-46805 and CVE-2024-21887 can be chained together to achieve unauthenticated command execution on ICS devices exposed to the public internet. The first of the two CVEs is an authentication bypass that allows remote access to restricted resources by bypassing control checks. The second is a command injection vulnerability that allows an authenticated administrator to spend specially crafted requests that can execute arbitrary commands on the device.

In one observed incident, threat actors used the bugs to “steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance”. Researchers were alerted to the zero days after finding that logs of an ICS VPN had been wiped and logging disabled. Further inspection of the compromised device revealed suspicious outbound and inbound communication from its management IP address.

Importantly, CVE-2023-46805 and CVE-2024-21887 affect all supported versions and no patches are available as yet. According to Ivanti, software updates are expected around the week of January 22. In the meantime, Ivanti customers are advised to apply workarounds described in their advisory.

This isn’t the first time the product, formerly known as Pulse Secure, has been targeted by APT actors. Chinese and Russian actors conducted extended campaigns targeting Covid-19 research during the pandemic thanks to CVE-2019-11510, a bug that was patched but also added to CISA’s KEV catalog due to the number of incidents that continued to occur.