This month’s security threats range from a breach at a major US space technology firm to the first UEFI bootkit seen targeting Linux. Read on for the details and for recommendations to protect your systems.
This month:
US space and technology giant, Maxar, discloses breach
Critical RCE vulnerability in VMware vCenter Server
US company breached via novel Wi-Fi technique
Threat actors weaponise legitimate applications such as Dropbox
First UEFI bootkit malware for Linux discovered by researchers
Reported breach at US space and technology giant, Maxar
On 18 November 2024, Colorado-based tech giant Maxar Space Systems reported a data breach that exposed sensitive employee data.
Maxar, which operates one of the largest satellite constellations in orbit and provides satellite imagery to the US government, detected unauthorised access on 11 October 2024.
The breach originated from a Hong Kong-based IP address and compromised systems containing the following information:
- Names
- Home addresses
- Social Security numbers
- Business contact details
- Employment status, job titles, and department information
Maxar employs over 2,500 people, many holding US security clearance, amplifying the severity of the breach.
The company has not disclosed details about how the breach occurred.
Critical RCE vulnerability in VMware vCenter Server
Broadcom has confirmed that two VMware vCenter Server vulnerabilities are being exploited:
- CVE-2024-38812: a critical heap-overflow flaw (CVSSv3 9.8) in vCenter Server’s implementation of the DCERPC protocol. An attacker with network access to vCenter Server can trigger it with a specially crafted packet and potentially achieve remote code execution. It affects vCenter Server 7.0 and 8.0 and VMware Cloud Foundation 4.x and 5.x.
- CVE-2024-38813: a privilege-escalation vulnerability (CVSSv3 7.5, High) that lets an attacker with network access to vCenter Server escalate to root by sending a specially crafted packet.
Broadcom’s advisory originally reported no known exploitation, but it has since been updated to confirm exploitation in the wild.
Releases that have reached end of general support (for example vSphere 6.5) receive no fix unless they are covered by an extended support agreement, and should be upgraded to a supported, patched release.
Recommendations
Broadcom first released patches on 17 September 2024, but those did not fully address CVE-2024-38812, so corrected patches were issued on 21 October 2024. Update to the October releases or later:
- vCenter Server 7.0: update to 7.0 U3t
- vCenter Server 8.0: update to 8.0 U2e or 8.0 U3d
- VMware Cloud Foundation 4.x and 5.x: apply the async patch to 7.0 U3t and 8.0 U3d respectively
Affected users are strongly urged to apply these updates immediately. Given confirmed exploitation, a vCenter that was reachable from an untrusted network while unpatched should also be checked for signs of compromise, not just patched.
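As an added example (not Kocho’s or Broadcom’s code), the following script answers the question a vSphere administrator asks after reading the list above: given the version strings reported by a fleet of vCenter Servers, which ones are at or above the fixed release for their line? The fixed releases are the three named above; the "<major>.<minor> U<n><letter>" input format and the verdict labels are assumptions of this example.

```python
"""Added example (not Kocho's or Broadcom's code): decide whether a vCenter Server
version string such as "8.0 U3c" is at or above the fixed releases listed above.
The "<major>.<minor> U<n><letter>" input format is an assumption of this example."""
import re

# Fixed release per vCenter line (major, minor, update) -> first fixed letter.
# Lines absent from this table have no fix listed and must be moved to one that does.
FIXED = {
    (7, 0, 3): "t",  # 7.0 U3t
    (8, 0, 2): "e",  # 8.0 U2e
    (8, 0, 3): "d",  # 8.0 U3d
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*U(\d+)([a-z])?\s*$", re.IGNORECASE)


def parse_version(text):
    """Parse '7.0 U3t' into (7, 0, 3, 't'). The unlettered base update ('8.0 U3') gets ''."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = m.groups()
    return int(major), int(minor), int(update), (letter or "").lower()


def assess(text):
    """Return 'patched', 'vulnerable' or 'no-fix-listed' for one vCenter version string."""
    major, minor, update, letter = parse_version(text)
    fixed_letter = FIXED.get((major, minor, update))
    if fixed_letter is None:
        return "no-fix-listed"  # e.g. 8.0 U1x or any 6.x release: move to a fixed line
    # Point releases are lettered in order; '' (the unlettered base update) sorts before 'a'.
    return "patched" if letter >= fixed_letter else "vulnerable"


def triage(versions):
    """Summarise a fleet as {version string: verdict}."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    sample_fleet = ["7.0 U3s", "7.0 U3t", "8.0 U2e", "8.0 U3", "8.0 U3d", "8.0 U1e"]
    for version, verdict in triage(sample_fleet).items():
        print(f"{version:10} {verdict}")
```

The one subtlety worth noting is the unlettered base update: "8.0 U3" predates "8.0 U3a" and is therefore vulnerable, which a naive string comparison would get wrong. Version strings should be taken from the appliance itself (for example the vSphere Automation API’s system version endpoint) rather than from inventory spreadsheets, which are often stale.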
US company breached via novel Wi-Fi technique
The Russian state-sponsored group APT28 (also known as Fancy Bear) breached a US company by way of its enterprise Wi-Fi network. The target works on projects related to Ukraine.
Although the operators were thousands of miles away, APT28 used what Volexity calls a “nearest neighbour attack”: it compromised an organisation next door and pivoted through that organisation’s Wi-Fi-capable devices to reach the target’s wireless network.
Volexity first detected the intrusion on 4 February 2022 and published its analysis in November 2024.
APT28 began with password spraying against one of the target’s internet-facing services and obtained valid credentials, but multi-factor authentication and conditional access policies blocked their use over the internet. The target’s enterprise Wi-Fi, however, accepted the same username and password without MFA, so the only missing ingredient was physical proximity. The group therefore compromised organisations in neighbouring buildings and searched them for dual-homed devices: machines with a wired connection to the compromised network and a wireless adapter within range of the target.
After chaining through more than one such organisation, APT28 found a device in range of the target’s Wi-Fi, authenticated with the sprayed credentials, and gained access to the intended network. The lesson for defenders is that a Wi-Fi network protected only by domain passwords is reachable by anyone who can compromise a neighbour, so it deserves the same MFA or certificate-based authentication as a remote-access gateway.
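The first step of the intrusion above, password spraying, has a recognisable shape in authentication logs: one source failing against many distinct accounts with only one or two attempts per account, sometimes followed by a success for one of them. The following detector is an added example, not code from the original post or from Volexity’s write-up; it runs over constructed log lines, and the log format, field names and thresholds are assumptions of this example.

```python
"""Added example, not from the original post or from Volexity: a password-spray
detector run over constructed authentication log lines. The log format, field
names and thresholds are assumptions of this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.7) that later validates 'dave',
# one brute-forcing source hammering a single account, and ordinary activity.
SAMPLE_LOG = """\
2024-11-06T02:10:01Z AUTH_FAIL user=alice src=203.0.113.7 svc=portal
2024-11-06T02:10:03Z AUTH_FAIL user=bob src=203.0.113.7 svc=portal
2024-11-06T02:10:05Z AUTH_FAIL user=carol src=203.0.113.7 svc=portal
2024-11-06T02:10:07Z AUTH_FAIL user=dave src=203.0.113.7 svc=portal
2024-11-06T02:10:09Z AUTH_FAIL user=erin src=203.0.113.7 svc=portal
2024-11-06T02:12:30Z AUTH_OK user=dave src=203.0.113.7 svc=portal
2024-11-06T02:11:00Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:11:02Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:11:04Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:11:06Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:11:08Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:11:10Z AUTH_FAIL user=frank src=198.51.100.4 svc=portal
2024-11-06T02:15:00Z AUTH_OK user=grace src=192.0.2.10 svc=portal
2024-11-06T02:16:00Z AUTH_FAIL user=heidi src=192.0.2.11 svc=portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_log(text):
    """Return (timestamp, result, user, src) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures inside `window` cover at least min_users accounts
    with at most max_per_user attempts each. One account failing many times is brute
    force rather than spraying and is deliberately not flagged here."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "AUTH_FAIL":
            fails_by_src[src].append((ts, user))
    alerts = []
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                first, last = fails[start][0], fails[end][0]
                # A later success for a sprayed account from the same source means the
                # spray found a working password, which is exactly what APT28 was after.
                validated = sorted({u for t, r, u, s in events
                                    if r == "AUTH_OK" and s == src and u in counts and t >= first})
                alerts.append({"src": src, "users": sorted(counts), "first": first,
                               "last": last, "validated": validated})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {alert['src']}: {len(alert['users'])} accounts "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, validated={alert['validated']}")
```

The "validated" field is the part worth alerting on at high severity: a spray that ends in a success has produced a credential that, as in the case above, will work anywhere MFA is not enforced, including Wi-Fi.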
Threat actors continue to weaponise legitimate applications such as Dropbox
Earlier this month, Kocho’s SOC team observed an increase in phishing campaigns that abuse legitimate file-sharing platforms, particularly Dropbox. Abuse of SharePoint and OneDrive continues, but Dropbox-based lures are now the more prevalent.
These campaigns mimic a genuine file-share notification and, unless users have been trained to question them, routinely harvest credentials.
In a typical attack, the email reads:
“Jack Fisher shared ‘Kocho SecOps Project’ with you”, and carries a Microsoft logo to build trust, even though the link points to Dropbox. The Dropbox-hosted content then directs the victim to a credential-harvesting page. The mismatch between the branding in the message and the service the link actually goes to is the tell.
More sophisticated campaigns now use genuine Dropbox accounts to share the lure, so the share notification comes from Dropbox itself and sender-reputation and link-domain checks give little to go on; detection then depends on the content of the shared file and the destination it leads to.
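One mechanical check for the first kind of lure, as an added example that is not part of the original post and not Kocho’s SOC tooling: parse the raw email, collect where its links go, collect the brands it visibly claims (logo alt text, body text, subject), and report any brand whose links go to a different service. Both sample emails and the brand-to-domain table are constructed assumptions of this example; the genuine-account variant described last passes this check by design, which is the point the text makes.

```python
"""Added example (not part of the original post, not Kocho's SOC tooling): flag a
file-share notification whose visible branding and link destinations disagree.
Sample emails and the brand-to-domain table are constructed assumptions."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains a genuine notification from each brand would link to.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "sharepoint.com", "onedrive.live.com", "1drv.ms"},
    "dropbox": {"dropbox.com", "dropboxusercontent.com"},
}

# Constructed lure modelled on the wording quoted above (the link target is invented).
LURE = """\
From: Jack Fisher <jack.fisher@example.net>
To: user@example.com
Subject: Jack Fisher shared "Kocho SecOps Project" with you
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:logo" alt="Microsoft">
<p>Jack Fisher shared "Kocho SecOps Project" with you.</p>
<p><a href="https://www.dropbox.com/s/constructed-example/project">Open document</a></p>
</body></html>
"""

# Constructed benign control: Dropbox branding with a Dropbox link, so no mismatch.
GENUINE = """\
From: no-reply@dropbox.com
To: user@example.com
Subject: Alice shared "Q4 plan" with you
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:logo" alt="Dropbox">
<p>Alice shared "Q4 plan" with you on Dropbox.</p>
<p><a href="https://www.dropbox.com/s/constructed-example/plan">View file</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect anchor targets separately from visible text and image alt text, so a
    brand name that appears only inside a URL does not count as a branding claim."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        if tag == "img" and a.get("alt"):
            self.visible.append(a["alt"])

    def handle_data(self, data):
        self.visible.append(data)


def host_matches(host, domains):
    """Exact or subdomain match only; 'evil-dropbox.com' must not match 'dropbox.com'."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(raw):
    """Return the brands the message claims, the link hosts, and (brand, host) pairs that disagree."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    claimed_text = (" ".join(parser.visible) + " " + str(msg["Subject"] or "")).lower()
    brands = [b for b in BRAND_DOMAINS if b in claimed_text]
    hosts = [urlparse(h).hostname or "" for h in parser.hrefs]
    mismatches = [(b, h) for b in brands for h in hosts
                  if h and not host_matches(h, BRAND_DOMAINS[b])]
    return {"brands": brands, "hosts": hosts, "mismatches": mismatches}


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(name, analyse(raw))
```

Used in a mail-flow rule or a SOAR enrichment step, a non-empty "mismatches" list is a strong reason to quarantine the message for review; an empty list is not a clean bill of health, as the genuine-account campaigns above show.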
First UEFI bootkit malware for Linux discovered by researchers
Cybersecurity firm ESET has discovered a UEFI (Unified Extensible Firmware Interface) bootkit targeting Linux, dubbed “Bootkitty”.
Bootkitty appears to be a proof of concept aimed at Ubuntu. It hooks the boot process so that it runs before the operating system loads, which puts it beyond the reach of most security tools. ESET found it as a previously unseen .efi file uploaded to VirusTotal in November 2024.
Until now, UEFI bootkits have been a Windows phenomenon, so a Linux sample is a notable shift in malware development.
Characteristics
- Boot process attack: the code executes during boot, before the kernel, so OS-level security products inspect a system that has already been tampered with.
- Limitations: Bootkitty is signed with a self-signed certificate, so it will not run on a system with UEFI Secure Boot enabled unless the attacker has first enrolled their own certificate in the firmware. It is also tied to specific kernel versions and crashes on others.
- Early stage: there is no evidence of Bootkitty in active use; it looks like work in progress.
Recommendations
Add ESET’s indicators of compromise (IoCs) to your SIEM/EDR tools if your environment contains Ubuntu hosts. Because the sample cannot load under Secure Boot with its self-signed certificate, also confirm that UEFI Secure Boot is enabled on Linux hosts and that no unexpected certificates have been enrolled in the firmware, and keep firmware up to date.
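Two host-side checks follow directly from the characteristics above, shown here as an added example that is not ESET’s or Kocho’s code. The first reads the UEFI SecureBoot variable through efivarfs (each variable file is 4 bytes of attributes followed by the variable data; SecureBoot is a single byte, 1 meaning enforcing), since the sample cannot load on such a system. The second hashes every .efi binary on the EFI System Partition, matches the digests against a set of IoC SHA-256 values, and compares the inventory with a saved baseline so that a new or modified loader stands out even when no hash is known. The IoC set is an empty placeholder to be filled from ESET’s published indicators; no real hashes are reproduced here, and demo() runs both checks on a constructed temporary tree rather than a real host.

```python
"""Added example (not ESET's or Kocho's code): Secure Boot state via efivarfs and an
ESP loader inventory checked against IoC hashes and a baseline. IOC_SHA256 is a
placeholder to populate from ESET's indicators; demo() uses constructed files only."""
import hashlib
import tempfile
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
ESP = Path("/boot/efi")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
IOC_SHA256 = frozenset()  # placeholder: fill from ESET's Bootkitty IoCs, no real hashes here


def secure_boot_state(efivars=EFIVARS):
    """True if Secure Boot is enforcing, False if the variable is present but 0,
    None if it cannot be read (legacy BIOS boot, or efivarfs not mounted)."""
    try:
        data = (Path(efivars) / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}").read_bytes()
    except OSError:
        return None
    # efivarfs layout: 4 bytes of attributes, then the variable data (1 byte here).
    return data[4] == 1 if len(data) >= 5 else None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(esp=ESP, ioc_hashes=IOC_SHA256):
    """Return ({relative path: sha256} for every .efi file, [relative paths matching an IoC])."""
    esp = Path(esp)
    inventory, matches = {}, []
    for path in sorted(esp.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            rel = path.relative_to(esp).as_posix()
            inventory[rel] = sha256_file(path)
            if inventory[rel] in ioc_hashes:
                matches.append(rel)
    return inventory, matches


def diff_inventory(baseline, current):
    """Compare two scan_esp() inventories: loaders added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo():
    """Exercise both checks on a constructed ESP and efivars tree (no real host data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        esp = root / "esp"
        (esp / "EFI" / "ubuntu").mkdir(parents=True)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "ubuntu" / "grubx64.efi").write_bytes(b"constructed known-good loader")
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"constructed suspicious loader")
        iocs = {hashlib.sha256(b"constructed suspicious loader").hexdigest()}  # constructed IoC
        inventory, matches = scan_esp(esp, iocs)
        baseline = {"EFI/ubuntu/grubx64.efi": inventory["EFI/ubuntu/grubx64.efi"]}
        efivars = root / "efivars"
        efivars.mkdir()
        # attributes 0x06 (BS|RT) then value 1: Secure Boot enforcing
        (efivars / f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}").write_bytes(b"\x06\x00\x00\x00\x01")
        return {
            "secure_boot": secure_boot_state(efivars),
            "matches": matches,
            "diff": diff_inventory(baseline, inventory),
            "absent_var": secure_boot_state(root / "no-efivars"),
        }


if __name__ == "__main__":
    print("Secure Boot enforcing:", secure_boot_state())
    if ESP.is_dir():
        inventory, matches = scan_esp()
        for rel, digest in inventory.items():
            print(f"{digest}  {rel}{'  <-- IoC match' if rel in matches else ''}")
```

On a real host, reading the ESP usually needs root. Store the inventory from a known-good build as the baseline and run the diff from your EDR or configuration-management tooling; an unexplained "added" or "changed" loader under EFI/ is worth an incident ticket regardless of whether any published hash matches.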
References
- Employee Data Compromised in Hacker Attack on Space Technology Firm Maxar – SecurityWeek
- Exploitation of Critical Vulnerabilities in VMware vCenter Server and Cloud Foundation – NHS England Digital
- Critical RCE bug in VMware vCenter Server now exploited in attacks – BleepingComputer
- The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access – Volexity
- ESET Research discovers the first UEFI bootkit for Linux – ESET