Security Roundup: October 2024 - Kocho

Security Roundup


October 2024

October revealed critical vulnerabilities in Windows and Linux, with targeted attacks on healthcare and IT support teams. Read on for detailed insights and recommendations.

This month:

  • Microsoft patches IPv6 TCP/IP vulnerability

  • Critical Linux vulnerability discovered – Unauthenticated RCE

  • Vanilla Tempest targets US Healthcare with INC ransomware

  • BlackBasta ransomware impersonates IT support on Teams

  • Microsoft patches high severity RDC vulnerability

Microsoft patches IPv6 TCP/IP vulnerability

On 13 August 2024, Microsoft issued a Windows update that addressed a critical vulnerability (CVE-2024-38063) that existed in the network stack.

The flaw gave an attacker privileged remote access over TCP/IP on systems where IPv6 is enabled: malicious actors could execute code on a vulnerable system simply by sending maliciously crafted IPv6 packets to it.

The vulnerability is due to how Windows systems process incoming IPv6 packets, specifically in the tcpip.sys driver.

When IPv6 is enabled, the system is responsible for handling and validating all incoming traffic using the protocol. However, due to improper validation of specific IPv6 packets, Windows fails to correctly process certain types of crafted data, creating an opening for exploitation.

An attacker can craft a malicious IPv6 packet designed to exploit this flaw. When the vulnerable Windows system receives such packets, it mishandles them, resulting in the execution of arbitrary code. The packets trigger the flaw in the TCP/IP stack, bypassing normal security checks and allowing the malicious code to run.

No physical access or user interaction is required, making it a highly scalable attack. Once exploited, the attacker can perform numerous malicious activities on the compromised system.

CVE-2024-38063 is critical due to its ease of exploitation, broad impact, and potential for severe damage, including system takeovers and data theft.

Disabling IPv6 or applying patches are key steps to safeguard systems against this threat.

Please see our blog for more information.

Recommendations

Microsoft released a patch for this vulnerability in August’s Microsoft Patch Tuesday. It’s recommended that all users install the associated update.

For further mitigation, Microsoft also recommends the following action to reduce the risk:

  • Disable IPv6: If IPv6 is not necessary for your environment, disabling it can mitigate the risk completely, as systems that do not have IPv6 enabled are not affected.

Critical Linux vulnerability discovered – Unauthenticated RCE

A severe Linux vulnerability has been discovered which could allow unauthorised remote command execution (RCE).

The vulnerability is related to the Common UNIX Printing System (CUPS), an open-source printing component of UNIX-based operating systems, including Linux and macOS.

The vulnerability has been given a CVSS score of 9.9 (critical), as attackers can leverage the flaw to execute arbitrary code without requiring any authentication. Malicious actors can gain full control over affected systems, which would subsequently lead to further attacks in the form of:

  • Data loss
  • Sensitive data theft
  • Service outages

A well-known security researcher, Simon Margaritelli, discovered the vulnerability and notified developers before releasing the information to the public.

Since the public release of the critical vulnerability, a proof-of-concept (PoC) has been released and makes use of several bugs to achieve RCE:

  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitise the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitise the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

The security bugs can be leveraged as part of a complex exploit chain, which would result in full remote command execution.

In a nutshell, the improper validation of network data can allow attackers to abuse vulnerable endpoints and install malicious print drivers. Print jobs can then be leveraged to deliver payloads to the fake print drivers and execute arbitrary commands as a non-superuser.

It is reported that about 75,000 machines have CUPS exposed to the internet across several UNIX platforms: Ubuntu, macOS, CentOS, Debian, Fedora, OpenShift, Oracle Linux Server, Red Hat, Rocky Linux, SUSE, openSUSE, AlmaLinux, Amazon Linux, and others.

Recommendations

  • Prepare to patch affected systems: Developers are working on updates to mitigate these flaws.
  • Disable and remove: The cups-browsed service can be disabled or removed if not required or not critical.
  • Block or restrict: Prevent traffic to UDP on port 631 by blocking inbound connection attempts.
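The chain above starts with cups-browsed listening on UDP 631 on every interface, and the recommendations end with disabling that service or blocking the port. The following script is an added example, not from the article or the CUPS project: it parses `ss -ulnp` output (run on a constructed sample, then on the live host if `ss` is present) to flag a wildcard UDP 631 listener and prints the corresponding remediation.

```shell
#!/bin/sh
# Added example (not from the article or the CUPS project): audit a Linux host
# for the cups-browsed exposure described above, a UDP socket on port 631 bound
# to every interface. The parser takes `ss -ulnp` text as an argument, so it is
# exercised on a constructed sample first and then, if ss exists, on this host.

# udp631_wildcard_listener SS_OUTPUT
# Prints the local address of each UDP socket on port 631 bound to a wildcard
# address (0.0.0.0, *, :: or [::]) and returns 0; returns 1 if there is none.
udp631_wildcard_listener() {
    printf '%s\n' "$1" | awk '
        $1 == "State" { next }                    # skip the ss header line
        {
            # column 4 is Local Address:Port; split at the last ":"
            pos = match($4, /:[0-9]+$/)
            if (pos == 0) next
            addr = substr($4, 1, pos - 1)
            port = substr($4, pos + 1)
            if (port == "631" && (addr == "0.0.0.0" || addr == "*" ||
                                  addr == "::" || addr == "[::]")) {
                print addr
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# report SS_OUTPUT: print a verdict plus the remediation the article recommends.
report() {
    if addrs=$(udp631_wildcard_listener "$1"); then
        echo "EXPOSED: UDP 631 listening on wildcard address(es): $addrs"
        echo "  remediation: systemctl disable --now cups-browsed"
        echo "  or restrict: iptables -I INPUT -p udp --dport 631 -j DROP"
    else
        echo "OK: no wildcard UDP 631 listener found"
    fi
}

# Constructed sample of `ss -ulnp` output with cups-browsed bound to all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0            0.0.0.0:631        0.0.0.0:*    users:(("cups-browsed",pid=812,fd=7))
UNCONN 0      0          127.0.0.1:323        0.0.0.0:*    users:(("chronyd",pid=601,fd=5))'

echo "--- constructed sample ---"; report "$SAMPLE_SS"
if command -v ss >/dev/null 2>&1; then
    echo "--- this host ---"; report "$(ss -ulnp 2>/dev/null)"
fi
```

A loopback-only binding (127.0.0.1:631) is not flagged, since the UDP 631 exposure the article describes concerns packets arriving from the network.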


Vanilla Tempest targets US Healthcare with INC ransomware

Vanilla Tempest, otherwise known as DEV-0832 and Vice Society, has been active since June 2021. It frequently targets healthcare, IT, education, and manufacturing, using an array of ransomware strains, including BlackCat and Quantum Locker.

INC ransomware is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted both public and private sector organisations since July 2023, including the recent breach of Scotland’s National Health Service.

Microsoft Threat Intelligence announced on 18 September that it has observed Vanilla Tempest targeting US Healthcare for the first time.

Vanilla Tempest gained initial access into the environment via the Storm-0494 threat actor that infected machines with the Gootloader malware. Post-compromise, Vanilla Tempest installed backdoors to establish persistence, and utilised the Remote Desktop Protocol to move laterally across the network and the Windows Management Instrumentation Provider Host to deploy the INC ransomware.

Before encrypting the data with INC, Vanilla Tempest has been observed exfiltrating the data to an external C2 server via a PowerShell script.

Officially, the victim of this attack has not been named. However, the INC ransomware strain has been linked to a cyberattack against McLaren Healthcare hospitals in Michigan (August 2024) – the hospitals reported losing access to databases that included patient information. It also caused phone and IT systems to crash.

BlackBasta ransomware impersonates IT support on Teams

BlackBasta is a ransomware group that has been active since April 2022. It’s believed to be run by members of the former Conti cybercrime syndicate.

The group has recently been observed shifting its tactics towards social engineering attacks conducted via Microsoft Teams.

In May 2024, Rapid7 researchers released advisories on BlackBasta social engineering campaigns that targeted victims’ mailboxes and spammed them with thousands of emails – these emails were not malicious in nature and appeared to be generic spam. The users were then called by the threat actors, posing as their company’s IT support team, offering to help with the flood of emails.

During the call, the threat actors would then trick the user into downloading and installing the AnyDesk remote support tool or giving remote access via the Quick Assist remote control tool.

After installation, the threat actors would run a script that installs other tools, such as Cobalt Strike and ScreenConnect, which would allow them to maintain a persistent foothold in the network.

After persistence has been established, the threat actor moves laterally within the network and exfiltrates data to a malicious C2 server and deploys ransomware.

Microsoft patches high severity RDC vulnerability

On 8 October 2024, Microsoft patched CVE-2024-43599 – a vulnerability in the Remote Desktop Client (RDC). It has a CVSS score of 8.8, which is high severity.

This vulnerability allows an attacker to execute arbitrary code on the connecting client device, provided they control the remote desktop server (RDS) to which the vulnerable client connects. It is therefore exploitable whenever users connect to untrusted or compromised Remote Desktop Protocol (RDP) servers.

Affected products include a wide range of Windows versions:

  • Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
  • Windows 11 (versions 21H2, 22H2, 23H2, and 24H2)
  • Windows Server (2008 R2, 2012, 2016, 2019, 2022, and 2022 23H2)

Recommendations

As mentioned above, Microsoft released a security patch addressing this vulnerability on 8 October 2024, as part of its monthly updates. Security teams are advised to apply this patch immediately to all affected systems.

As of now, no public proof-of-concept (PoC) exploit has been observed, and there is no evidence of active exploitation in the wild. However, due to the vulnerability’s high severity, organisations are encouraged to:

  • Patch affected systems promptly
  • Consider disabling unnecessary remote desktop services
  • Enforce network segmentation as precautionary measures

Author

Ellis Southan

Threat Detection Engineer

Ellis has been working in security operations since 2017. He excels in incident analysis, security engineering, and cyber threat intelligence.
