October revealed critical vulnerabilities in Windows and Linux, with targeted attacks on healthcare and IT support teams. Read on for detailed insights and recommendations.
This month:
Microsoft patches IPv6 TCP/IP vulnerability
Critical Linux vulnerability discovered – Unauthenticated RCE
Vanilla Tempest targets US Healthcare with INC ransomware
BlackBasta ransomware impersonates IT support on Teams
Microsoft patches high severity RDC vulnerability
On 13 August 2024, Microsoft issued a Windows update that addressed a critical vulnerability (CVE-2024-38063) in the Windows network stack.
The flaw could be triggered remotely over TCP/IP on any system with IPv6 enabled: malicious actors could execute code on a vulnerable system simply by sending maliciously crafted IPv6 packets to the victim.
The vulnerability is due to how Windows systems process incoming IPv6 packets, specifically in the tcpip.sys driver.
When IPv6 is enabled, the system is responsible for handling and validating all incoming traffic using the protocol. However, due to improper validation of specific IPv6 packets, Windows fails to correctly process certain types of crafted data, creating an opening for exploitation.
An attacker can craft a malicious IPv6 packet designed to exploit this flaw. These packets are engineered in such a way that when they’re received by the vulnerable Windows system, the system mishandles them, resulting in the execution of arbitrary code. The packets trigger the flaw in the TCP/IP stack, bypassing normal security checks and allowing the malicious code to be executed.
No physical access or user interaction is required, making it a highly scalable attack. Once exploited, the attacker can perform numerous malicious activities on the compromised system.
CVE-2024-38063 is critical due to its ease of exploitation, broad impact, and potential for severe damage, including system takeovers and data theft.
Disabling IPv6 or applying patches are key steps to safeguard systems against this threat.
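An added example (not from the original article) of how a Windows administrator can audit the mitigation described above: list the adapters that still have IPv6 bound, check whether a given update is installed, and unbind IPv6 only after a dry run. The cmdlets used are standard NetAdapter and Management cmdlets; the KB identifier is a placeholder, because the article does not name it.

```powershell
# Added example: audit IPv6 bindings and patch state on a Windows host.
# Run in an elevated PowerShell session. Disabling IPv6 is a workaround only;
# applying the August 2024 update is the actual fix.

function Get-Ipv6BoundAdapters {
    # ms_tcpip6 is the component ID of the "Internet Protocol Version 6" binding.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object Name, InterfaceDescription, ComponentID, Enabled
}

function Test-PatchInstalled {
    # Returns $true if the hotfix with the given KB id is present.
    param([Parameter(Mandatory)][string]$KbId)
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Disable-Ipv6OnAdapters {
    # Supports -WhatIf / -Confirm so the change can be reviewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$AdapterName)
    foreach ($name in $AdapterName) {
        if ($PSCmdlet.ShouldProcess($name, 'Unbind IPv6 (ms_tcpip6)')) {
            Disable-NetAdapterBinding -Name $name -ComponentID ms_tcpip6
        }
    }
}

# Placeholder: substitute the KB number of the August 2024 cumulative update
# for this Windows build (not given in the article).
$augustUpdateKb = 'KB<placeholder>'
if (Test-PatchInstalled -KbId $augustUpdateKb) {
    "Update $augustUpdateKb is installed."
} else {
    "Update $augustUpdateKb not found; review IPv6 bindings below."
}

$bound = Get-Ipv6BoundAdapters
if ($bound) {
    $bound | Format-Table -AutoSize
    # Dry run first: shows which adapters would be changed without changing them.
    Disable-Ipv6OnAdapters -AdapterName $bound.Name -WhatIf
} else {
    'IPv6 is not bound on any adapter.'
}
```

Drop the -WhatIf switch only for adapters where IPv6 is confirmed to be unused, since unbinding it can break services that depend on IPv6.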
Please see our blog for more information.
Microsoft has released a patch for this vulnerability in August’s Microsoft Patch Tuesday. It’s recommended that all users install the associated update.
For further mitigation, Microsoft also recommends the following action to reduce the risk:
A severe Linux vulnerability has been discovered which could allow unauthorised remote command execution (RCE).
The vulnerability is related to the Common UNIX Printing System (CUPS), an open source printing component of UNIX-based operating systems, including Linux and macOS.
The vulnerability has been given a CVSS score of 9.9 (critical), as attackers can leverage the flaw to execute arbitrary code without requiring any authentication. Malicious actors can gain full control over affected systems, which would subsequently lead to further attacks in the form of:
A well-known security researcher, Simone Margaritelli, discovered the vulnerability and notified the developers before releasing the information to the public.
Since the public release of the critical vulnerability, a proof-of-concept (PoC) has been released and makes use of several bugs to achieve RCE:
The security bugs can be leveraged as part of a complex exploit chain, which would result in full remote command execution.
In a nutshell, the improper validation of network data can allow attackers to abuse vulnerable endpoints and install malicious print drivers. Print jobs can then be leveraged to deliver payloads to the fake print drivers and execute arbitrary commands as a non-superuser.
It is reported that about 75,000 machines have CUPS exposed to the internet across several UNIX platforms: Ubuntu, macOS, CentOS, Debian, Fedora, OpenShift, Oracle Linux Server, Red Hat, Rocky Linux, SUSE, openSUSE, AlmaLinux, Amazon Linux, and others.
Vanilla Tempest, otherwise known as DEV-0832 and Vice Society, has been active since June 2021. It frequently targets healthcare, IT, education, and manufacturing, using an array of ransomware strains, including BlackCat and Quantum Locker.
INC ransomware is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted both public and private sector organisations since July 2023, including the recent breach of Scotland’s National Health Service.
Microsoft Threat Intelligence announced on 18 September that it has observed Vanilla Tempest targeting US Healthcare for the first time.
Vanilla Tempest gained initial access into the environment via the Storm-0494 threat actor that infected machines with the Gootloader malware. Post-compromise, Vanilla Tempest installed backdoors to establish persistence, and utilised the Remote Desktop Protocol to move laterally across the network and the Windows Management Instrumentation Provider Host to deploy the INC ransomware.
Before encrypting the data with INC, Vanilla Tempest has been observed exfiltrating the data to an external C2 server via a PowerShell script.
Officially, the victim of this attack has not been named. However, the INC ransomware strain has been linked to a cyberattack against McLaren Healthcare hospitals in Michigan (August 2024) – the hospitals reported losing access to databases that included patient information. It also caused phone and IT systems to crash.
BlackBasta is a ransomware group that has been active since April 2022. It’s believed to be run by members of the former Conti cybercrime syndicate.
It has recently been observed adjusting its tactics, carrying out social engineering attacks via Microsoft Teams.
In May 2024, Rapid7 researchers released advisories on BlackBasta social engineering campaigns that targeted victims’ mailboxes and spammed them with thousands of emails – these emails were not malicious in nature and appeared to be generic spam. However, the users were then called by the threat actors, posing as their company’s IT support team, offering to help them with the overwhelming volume of email.
During the call, the threat actors would then trick the user into downloading and installing the AnyDesk remote support tool or giving remote access via the Quick Assist remote control tool.
After installation, the threat actors would run a script that installs other tools, such as Cobalt Strike and ScreenConnect, which would allow them to maintain a persistent foothold in the network.
After persistence has been established, the threat actor moves laterally within the network and exfiltrates data to a malicious C2 server and deploys ransomware.
On 8 October 2024, Microsoft patched CVE-2024-43599 – a vulnerability in the Remote Desktop Client (RDC). It has a CVSS score of 8.8, which is high severity.
This vulnerability allows an attacker to execute arbitrary code on the connecting client device, provided they control the Remote Desktop Server (RDS) to which the vulnerable client connects. This means it is exploitable in situations where users connect to untrusted or compromised Remote Desktop Protocol (RDP) servers.
Affected Products include a wide range of Windows versions:
As mentioned above, Microsoft released a security patch addressing this vulnerability on 8 October 2024, as part of its monthly updates. Security teams are advised to apply this patch immediately to all affected systems.
As of now, no public proof-of-concept (PoC) exploit has been observed, and there is no evidence of active exploitation in the wild. However, due to the vulnerability’s high severity, organisations are encouraged to: