The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good | Rewards for Justice Offers $10 Million Bounty on Cl0p Gang

The crimeware scene has often been likened to the Wild West, so it’s no surprise that just as outlaws run amok in the digital world, bounty hunters will be offered incentives to aid law enforcement. This week, the Department of State put out a bounty of up to $10 million reward for information on the Cl0p ransomware gang and other malicious cyber actors.

The reward is being offered for information on the identification or location of any person participating in attacks against U.S. critical infrastructure on behalf of foreign governments.

The bounty follows on from CISA’s and the FBI’s recent advisory that Cl0p has been exploiting the MOVEit Transfer vulnerability to target multiple organizations, including The Department of Energy and numerous other federal agencies.

The Rewards for Justice program is run by the Department of State’s Bureau of Diplomatic Security with the remit to combat international terrorism, including malicious cyber activity and election interference. Cl0p aren’t the first ransomware gang to be singled out for attention by RfJ: a similar bounty was put on the heads of the now defunct Conti gang as well as Sandworm APT and REvil, to all of whom researchers have attributed various attacks on U.S. critical infrastructure.

The Bad | Apple Security Under Increasing Scrutiny After More 0-days Patched

Apple released emergency patches this week for three zero-days across its operating system platforms, including macOS, iOS, iPadOS and watchOS. Two of the bugs, the company said, were known to be actively exploited in the wild against versions of iOS released prior to iOS 15.7.

CVE-2023-32434 is an integer overflow vulnerability that could be exploited to execute arbitrary code with kernel privileges, while CVE-2023-32435 is a WebKit memory corruption vulnerability that could allow arbitrary code execution when processing maliciously-crafted web content. Both flaws were reported by researchers at Kaspersky, who published details of an espionage campaign targeting iOS said to have been active since 2019. Analysis of the malware used in the campaign suggests the threat actor may also be targeting macOS.

TriangleDB sample contains code suggesting macOS targets

A third bug, CVE-2023-32439, is a type confusion issue that may lead to arbitrary code execution when processing maliciously-crafted web content. Apple also says this may have been exploited in the wild though it appears unconnected at this time with the campaign reported by Kaspersky.

The bugs come on the heels of three Apple WebKit zero-days patched last month, each of which was also said to be actively exploited in the wild, and take the number of Apple zero-days patched in the first half of 2023 to nine.

Given the increasing interoperability and code-sharing between Apple’s various platforms, it’s no surprise that exploitable bugs in one platform represent security risks in others. IT and security teams are urged to treat all their OSs equally in terms of risk and ensure adequate protections and mitigations are in place across all devices in their fleets.

The Ugly | Microsoft Teams Bypass Allows External Accounts to Drop Malware

Microsoft has said that a bypass that can allow malware to be delivered to any Teams account from external accounts did not ‘meet the bar for immediate servicing’. The response may come as an unwelcome surprise to IT and security teams, as researchers have shown this week that all MS Teams accounts running in the default configuration are susceptible to the attack.

According to an advisory published on Wednesday, the client-side security controls which are supposed to prevent external tenants sending files can be bypassed simply by switching the internal and external recipient ID on the POST request, a trick which fools the system into treating the external user as an internal one.

The researchers note that the technique circumvents anti-phishing security controls and training advice. In particular, employees are now widely taught to avoid clicking email links, but a phishing email making use of this attack would appear to contain a file rather than an external link.

They further point out that attackers could socially engineer users via Teams calls and lure them into expecting a legitimate file. In one red team engagement, a fake IT technician asked a target to jump on a call as they needed to apply an update to critical software. Once on the call, the ‘attacker’ leveraged the Teams bypass to deliver the payload.

Organizations using Teams are advised to disable External Access in MS Teams Admin Center, if possible, or change security settings to only allow communications between certain allow-listed domains. Further mitigations and workarounds are detailed at the end of the report.
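The two mitigations above (disabling External Access outright, or restricting it to allow-listed domains) can also be applied from PowerShell rather than the Teams Admin Center. The following is an added example written for this post, not code from the original report or from Microsoft; it assumes the Microsoft Teams PowerShell module is installed, that the signed-in account holds a Teams administrator role, and that `partner.example` and `supplier.example` are placeholders for whatever partner domains you actually need to keep.

```powershell
# Added example (not from the original post). Review the current Teams federation
# settings, then apply one of the two postures recommended in the advisory.
# Assumes the MicrosoftTeams module and a Teams admin account; domain names are placeholders.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Step 1: inspect the current state. In the default configuration AllowFederatedUsers
# is $true and AllowedDomains is an open policy, which is the exposure the report describes.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains, BlockedDomains

function Set-TeamsExternalAccessPosture {
    <#
    .SYNOPSIS
        Applies one of the two mitigations from the report:
        Disable   = turn External Access (federation) off entirely.
        AllowList = keep federation but only for an explicit list of partner domains.
    #>
    param(
        [Parameter(Mandatory)]
        [ValidateSet("Disable", "AllowList")]
        [string]$Mode,

        # Only used in AllowList mode. Placeholders; replace with real partner domains.
        [string[]]$AllowedDomains = @()
    )

    switch ($Mode) {
        "Disable" {
            # Strictest option: no external tenants, no Teams personal (consumer) accounts.
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                                -AllowTeamsConsumer $false
        }
        "AllowList" {
            if ($AllowedDomains.Count -eq 0) {
                throw "AllowList mode requires at least one domain."
            }
            # Build an explicit allow list; every domain not on it is then blocked.
            $patterns  = $AllowedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
            $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
            Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                                -AllowedDomains $allowList
        }
    }

    # Step 3: re-read the configuration so the change is confirmed, not assumed.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
}

# Step 2: pick ONE of the two postures. Placeholder domains below.
# Set-TeamsExternalAccessPosture -Mode Disable
Set-TeamsExternalAccessPosture -Mode AllowList -AllowedDomains @("partner.example", "supplier.example")
```

Run the inspection step first and keep its output; comparing it against the post-change read-back is the quickest way to verify that the allow list (or the full disable) actually replaced the open default rather than being added alongside it.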