The UK's Competition and Markets Authority closed its investigation into Google and Apple app stores on Wednesday (21 August), but new laws that would give it more power to control the dominance of big tech companies could ensure that scrutiny continues.

euractiv.com/section/competiti…

Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to the system. This report considers the statistics of research publications that can be used by cybercriminals to attack target systems, and provides statistical snapshots of vulnerabilities.

Statistics on registered vulnerabilities

In this section, we look at statistics on registered vulnerabilities based on data from the cve.org portal.

In Q2 2024, the number of registered vulnerabilities exceeded last year’s figure for the same period, and is likely to grow further, as some vulnerabilities are not added to the CVE list immediately after registration. This trend is in line with the general uptick in the number of registered vulnerabilities that we noted in our Q1 report.

Total number of registered vulnerabilities and number of critical ones, Q2 2023 and Q2 2024 (download)

Comparing the data for the period 2019–2024 we see that in H1 2024 the total number of registered vulnerabilities was slightly less than half of the figure for the whole of 2023. Worth noting is the quarter-on-quarter rise in the number of registered vulnerabilities, for which reason we cannot say for sure that it won’t exceed the 2023 figure by year’s end.

Number of vulnerabilities and the share of critical ones and of those for which exploits exist, 2019–2024 (download)

The chart also shows the share among all registered vulnerabilities of ones that are critical and of ones for which there is a public description or Proof of Concept. The drop in the latter’s share in Q2 illustrates that the number of registered vulnerabilities is growing faster than the number of published exploits for them.

The share of critical vulnerabilities also decreased slightly relative to 2023. But it is critical vulnerabilities that pose the greatest risk. To understand the risks that organizations may face, and how these risks change over time, let’s look at the types of vulnerabilities that make up the total number of critical CVEs registered in Q2 2023 and Q2 2024.

Vulnerability types that critical CVEs registered in Q2 2023 fall under (download)

Vulnerability types that critical CVEs registered in Q2 2024 fall under (download)

As we see from the charts, even with a CVE entry, most issues remain unclassified and require further investigation to obtain details, which can seriously hamper efforts to protect systems where these vulnerabilities may arise. Besides unclassified critical vulnerabilities, other common issues in Q2 2023 were:

• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
• CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

Other types of vulnerabilities came to the fore in Q2 2024:

• CWE-434: Unrestricted Upload of File with Dangerous Type
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Both lists of the most common types indicate that the vast majority of classified critical vulnerabilities get registered for web applications. According to open-source information, vulnerabilities in web applications are indeed the most critical, since web applications include software that can access sensitive data, such as file-sharing systems, consoles controlling VPN access and cloud and IoT systems.

Vulnerability exploitation statistics

This section presents exploit statistics for Q2 2024 obtained from open sources and our in-house telemetry.

Exploits are quite expensive software. Their shelf life can be counted in days, even hours. Conversely, creating them is a lengthy process, which varies depending on the type of exploit. Below are statistics on the most popular platforms where users were attacked with exploits.

Windows and Linux vulnerability exploitation

Since the start of the year, we have seen growth in the number of triggerings of Kaspersky solutions by exploits for Windows, driven primarily by phishing emails and attempts to gain initial access to user systems through vulnerability exploitation. Among the most popular are exploits for vulnerabilities in the Microsoft Office suite:

• CVE-2018-0802 – remote code execution vulnerability in the Equation Editor component
• CVE-2017-11882 – another remote code execution vulnerability in Equation Editor
• CVE-2017-0199 – remote code execution vulnerability in Microsoft Office and WordPad
• CVE-2021-40444 – remote code execution vulnerability in the MSHTML component

Dynamics of the number of Windows users who encountered exploits, Q1 2023 — Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

Note that due to similar detection patterns, exploits classified as CVE-2018-0802 and CVE-2021-40444 may include ones for the vulnerabilities CVE-2022-30190 (remote code execution in the Microsoft Support Diagnostic Tool (MSDT)) and CVE-2023-36884 (remote code execution in the Windows Search component), which also remain a live threat.

As Linux grows in the corporate segment, it also shows growth in terms of exploits; in contrast to Windows, however, the main exploits for Linux target the kernel:

• CVE-2022-0847 – privilege escalation vulnerability in the Linux kernel
• CVE-2023-2640 – privilege escalation vulnerability in the Ubuntu kernel
• CVE-2021-4034 – privilege escalation vulnerability in the pkexec utility used to execute commands as another user

Dynamics of the number of Linux users who encountered exploits in Q1 2023 — Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)

Most exploits for Linux pertain to privilege escalation and can be used to gain persistence and run malicious code in the system. This may be because attackers often target Linux servers for which high privileges are needed to gain control.

Most common exploits

Q2 saw a shift in the distribution of critical vulnerabilities for which there are public exploits. See the charts below for a visual comparison of Q1 and Q2.

Distribution of exploits for critical vulnerabilities by platform, Q1 2024 (download)

Distribution of exploits for critical vulnerabilities by platform, Q2 2024 (download)

The share of exploits for vulnerabilities in operating systems increased in Q2 against Q1. This is because researchers tend to publish PoCs ahead of the summer season of cybersecurity conferences. Consequently, a great many OS exploits were published in Q2. In addition, the share of exploits for vulnerabilities in Microsoft Sharepoint increased during the reporting period, with almost no new exploits for browsers.

Vulnerability exploitation in APT attacks

We analyzed which vulnerabilities are most often used in advanced persistent threats (APTs). The ranking below is based on our telemetry, research and open sources.

Top 10 vulnerabilities exploited in APT attacks, Q2 2024

Although the list of vulnerabilities common in APT attacks is radically different compared to Q1, attackers most often exploited the same types of software/hardware solutions to gain access to organizations’ internal networks: remote access services, access control mechanisms and office applications. Note that the vulnerabilities of 2024 in this ranking were already being exploited at the time of discovery, that is, they were zero-day vulnerabilities.

Exploiting vulnerable drivers to attack operating systems

This section examines public exploits that use vulnerable drivers to attack the Windows operating system and software for it. According to open sources and our own data, there are hundreds of such vulnerable drivers, and new ones are appearing all the time.

Threat actors use vulnerable drivers as part of the Bring You Own Vulnerable Driver (BYOVD) technique. This involves installing an unpatched driver on the targeted system to ensure the vulnerability is exploited for privilege escalation in the OS or other cybercriminal activity. This method was first used by creators of game cheats, but was later adopted by cybercriminals.

Since 2023, we have noticed an upward trend in the use of vulnerable drivers to attack Windows with a view to escalating privileges and bypassing security mechanisms. In response, we are systematically adding and improving the mechanisms for detecting and blocking malicious operations through vulnerable drivers in our solutions.

BYOVD attack tools

Vulnerable drivers themselves are a serious enough problem for OS security, but truly destructive activity requires a client application to pass malicious instructions to the driver.

Since 2021, we have seen the appearance of 24 online tools for controlling vulnerable drivers in the context of privilege escalation and attacks on privileged processes, such as built-in and third-party security solutions. See below for a year-by-year distribution.

Number of tools published online for controlling vulnerable drivers, 2021–2024 (download)

As we can see, 2023 was the most abundant year for BYOVD attack tools. And more were published in H1 2024 than in 2021 and 2022 combined. We evaluated the trends of using such software in real attacks, as illustrated by blocked attacks on Kaspersky products in Q1 and Q2 2024:

Dynamics of the number of users who encountered attacks using vulnerable drivers on Kaspersky products, Q1 and Q2 2024; data for Q1 2024 is taken as 100% (download)

With the rise in the number of BYOVD attacks, developers of tools exploiting vulnerable drivers began to sell them, so we see a downturn in the number of published tools for attacks using vulnerable drivers. However, as mentioned, they continue to be made publicly available.

Interesting vulnerabilities

This section presents information about vulnerabilities of interest that were registered in Q2 2024.

CVE-2024-26169 (WerKernel.sys)

Werkernel.sys is a driver for the Windows Error Reporting (WER) subsystem, which handles the sending of error messages. CVE-2024-26169 is a zero-day vulnerability discovered during the investigation of an incident related to a ransomware attack. It is caused by werkernel.sys using the null security descriptor, which handles the access level. This allows any user to interact with the driver, for example, to rewrite the value of the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe. This key stores data about the application that is responsible for error handling for applications in Windows.

An examination of the exploitation algorithm reveals the following events:

List of events generated by the exploit

The exploit tries to perform preparatory actions to create special registry keys that allow the executable file specified in the registry to be restarted with SYSTEM user privileges. The exploit itself is based on a race condition vulnerability, so its success depends on the system where it is launched.

CVE-2024-26229 (csc.sys)

Csc.sys is another driver in Windows, this time related to the Windows Client-Side Caching (CSC) service, which handles data caching on the client side. CVE-2024-26229 is a privilege escalation vulnerability, one that clearly illustrates the problem of insecure code in operating system drivers. Just a few days after the information about this vulnerability was posted on the Microsoft portal, a PoC was released that spread online and was rewritten for various formats and frameworks for penetration testing.

The exploit is very easy to use and comprises a “classic” combination of the Write primitive (writing to an arbitrary kernel location) and the kernel object address leak primitive.

The vulnerability is triggered using IOCTL, meaning that the method of communication with the vulnerable driver is in many ways similar to the BYOVD attack method.

The main algorithm of the exploit aims to modify the PRIMARY_TOKEN structure of the user-run process. This is achieved through the capabilities of the vulnerable driver.

CVE-2024-4577 (PHP CGI)

CVE-2024-4577 stems from bypassing the validation of parameters passed to the web application. Essentially, the vulnerability exists because PHP in CGI mode may not fully validate dangerous characters for pages in some languages. Cybercriminals can use this feature to carry out a standard OS command injection attack.

The validation problem arises in systems using the following language settings:

• Traditional Chinese (code page 950)
• Simplified Chinese (code page 936)
• Japanese (code page 932)

Note that CGI mode is not very popular today, but can be found in products such as XAMPP web servers.

Exploitation of the vulnerability is made possible by the fact that to bypass the filter parameter, it is enough to replace a normal dash with the equivalent of the Unicode symbol “–” (soft hyphen) in writing systems based on Chinese characters. As a result, the query is supplemented with data that can run additional commands. In the process tree, the full exploitation will look as follows:

Tree of processes in the victim system during exploitation of CVE-2024-4577

Takeaways and recommendations

In terms of quality and quantity, vulnerabilities and working exploits for them continue to grow each quarter, and threat actors are finding ways to bring already patched vulnerabilities back to life. One of the main tricks for exploiting closed vulnerabilities is the BYOVD technique, whereby attackers load a vulnerable driver into the system themselves. The wide variety of examples and toolkits in the public domain allow cybercriminals to quickly adapt vulnerable drivers to their needs. Going forward, we will likely only see more active use of this technique in attacks.

To stay safe, you need to react promptly to the changing threatscape, as well as:

• Understand and monitor your infrastructure thoroughly, paying particular attention to the perimeter; knowing your way around your own infrastructure is vital to keeping it secure.
• Introduce effective patch management to promptly detect and eliminate infrastructure vulnerabilities, including vulnerable drivers slipped into your network by attackers. Our Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed solutions could help you with this.
• Use comprehensive security solutions that deliver robust protection of workstations, as well as early detection and prevention of attacks of any complexity, collection of live cyberattack data from around the globe, and basic digital literacy skills for employees. Our Kaspersky NEXT line of solutions ticks all these boxes and more.

securelist.com/vulnerability-e…

In a double-blast from the past, [Ian Failes]’ 2018 interview with [Phil Tippett] and others who worked on Jurassic Park is a great look at how the dinosaurs in this 1993 blockbuster movie came to be. Originally conceived as stop-motion animatronics with some motion blurring applied using a method called go-motion, a large team of puppeteers was actively working to make turning the book into a movie when [Steven Spielberg] decided to go in a different direction after seeing a computer-generated Tyrannosaurus rex test made by Industrial Light and Magic (ILM).

Naturally, this left [Phil Tippett] and his crew rather flabbergasted, leading to a range of puppeteering-related extinction jokes. Of course, it was the early 90s, with computer-generated imagery (CGI) animators being still very scarce. This led to an interesting hybrid solution where [Tippett]’s team were put in charge of the dinosaur motion using a custom gadget called the Dinosaur Input Device (DID). This effectively was like a stop-motion puppet, but tricked out with motion capture sensors.

This way the puppeteers could provide motion data for the CG dinosaur using their stop-motion skills, albeit with the computer handling a lot of interpolation. Meanwhile ILM could handle the integration and sprucing up of the final result using their existing pool of artists. As a bridge between the old and new, DIDs provided the means for both puppeteers and CGI artists to cooperate, creating the first major CGI production that holds up to today.

Even if DIDs went the way of the non-avian dinosaurs, their legacy will forever leave their dino-sized footprints on the movie industry.

Thanks to [Aaron] for the tip.

Top image: Raptor DID. Photo by Matt Mechtley.

Over at EDN, [Brian Dipert] has been tearing down web cameras. A few months ago, he broke into a bargain basement camera. This time, he’s looking into a premium unit. Although we have to admit from some of what he reports, we are a little surprised at some of the corners cut. For example, it’s a 4K camera that doesn’t quite provide a 4K image. Despite a Sony CMOS sensor, [Brian] found the low-light performance to be poor. However, it does carry a much larger price tag than the previous camera examined.

The interesting part is about half way down the page when he tries to open the unit up. It seems like it is getting harder and harder to get into things and this camera was no exception. The device finally gives up. Inside is a relatively unremarkable board with a host of unknown ICs. One interesting item is a gyro chip that determines if the camera is upside down.

[Brian] managed to get the camera back together with no harm. It is interesting to compare it to the $15 camera he took apart earlier.

If you want maximum cred, do your video calls with a Game Boy camera. Or, at least, add your own lens to a webcam.

Come spiegato nel report di “Perception Point” del 19/08 è stato dimostrato l’uso della riscrittura degli URL, una misura di sicurezza che sostituisce i link e-mail originali con versioni modificate. Questi link modificati reindirizzano il traffico attraverso il server di un fornitore di sicurezza per un’analisi delle minacce in tempo reale, offrendo protezione contro minacce note. Tuttavia, è stato osservato che i criminali informatici sfruttano questa tecnica per inviare link malevoli, approfittando della fiducia riposta negli strumenti di analisi e sicurezza delle e-mail stesse.

Dettagli dell’Attacco ed Implicazioni

Innanzitutto esistono due approcci di analisi per la sicurezza delle mail:

I sistemi legacy si basano su analisi statiche dei pattern delle minacce.

I sistemi con approcci più recenti sfruttano l’apprendimento automatico per il rilevamento dinamico proattivo.

Gli aggressori hanno sfruttato i meccanismi di riscrittura degli URL, rendendoli meno efficaci come strategia di difesa autonoma soprattutto in caso della sola analisi statica.

Fig 1: Schema flusso analisi contenuto mail e riscrittura dell’url

Fig 2: Schema flusso analisi contenuto mail e riscrittura dell’url manomesso dall’ attaccante

Questa tattica di elusione, che aggira le soluzioni di sicurezza della posta elettronica tradizionali, ha trasformato uno strumento difensivo in un’ arma offensiva per gli aggressori.

I criminali informatici sfruttano un accesso iniziale con un account di posta elettronica legittimo compromesso e protetto con strumenti/servizi di riscrittura degli URL.

Vengono quindi inseriti domini malevoli nelle whitelist dei sistemi antispam.

Poi vengono costruite e-mail contenenti link dannosi sfruttando all’ inizio il servizio legittimo di sostituzione dei link, per poi manipolarle e sostituire i link malevoli con altri apparentemente legittimi.

L’URL “brandizzato” aggira gli ulteriori controlli di sicurezza, consentendo agli aggressori di reindirizzare le vittime a siti di phishing, sfruttando la fiducia che gli utenti hanno nei fornitori dei servizi di sicurezza.

Esempio 1 – Double Rewrite Attack – Proofpoint and INKY

In uno dei recenti attacchi di riscrittura degli URL intercettati da Perception Point, un sofisticato phishing prevedeva l’uso di una “doppia riscrittura”, in cui venivano sfruttati due fornitori di sicurezza della posta elettronica, Proofpoint e INKY.

E-mail: l’aggressore ha inviato un messaggio e-mail contenente un collegamento di phishing riscritto, camuffato da notifica di un documento di SharePoint legittimo.

Rewrite: l’URL all’interno di questa e-mail è stato inizialmente riscritto dal sistema di sicurezza di Proofpoint (urldefense.proofpoint.com); la stessa e-mail è stata sottoposta a un secondo processo di riscrittura da parte di INKY, incorporando il proprio collegamento di protezione URL (shared.outlook.inky.com) nella prima riscrittura.

Fig 3: Esempio di mail

Bypass CAPTCHA: se il target avesse cliccato sul link, sarebbe stato indirizzato a una pagina di verifica CAPTCHA personalizzata (come mostrato negli screenshot). Questo passaggio è stato aggiunto per eludere il rilevamento dei controlli automatizzati di analisi/intel sulle minacce da parte dei vendor.

Fig 4: Pagina Captcha

Reindirizzamento finale: dopo aver superato il CAPTCHA, l’utente viene reindirizzato a un sito di phishing che imita la pagina di accesso di Microsoft 365 (mostrata nel quinto screenshot), dove le sue credenziali saranno rubate.

Fig 5:Accesso url pagina sito Phishing

Esempio 2: Exploiting Rewritten URLs Across Multiple Targets – Proofpoint and INKY

In questo sofisticato tentativo di phishing, l’aggressore ha utilizzato una strategia che prevedeva la compromissione di un’ organizzazione protetta da INKY e dal servizio di riscrittura URL di Proofpoint. L’aggressore ha generato un URL riscritto utilizzando l’account compromesso e ha quindi riutilizzato questo collegamento per colpire più organizzazioni.

ifg 6 : E-mail: simile al primo esempio: una notifica di SharePoint.

In questo momento , l’URL originale è già stato segnalato come phishing ed è bloccato, come possiamo vedere nella pagina di protezione dei link INKY:

fig 7 : Sistema protezione phishing attivo

Ora, se clicchiamo sul pulsante “Report a Problem“, possiamo dare un’occhiata al modus operandi degli autori della minaccia. Inizialmente, gli aggressori hanno preso di mira un utente protetto che avevano compromesso in precedenza, generando un URL riscritto tramite i servizi di Proofpoint e INKY. Tuttavia, invece di utilizzare questo collegamento solo all’interno dell’organizzazione compromessa, l’aggressore lo ha sfruttato per prendere di mira utenti di varie altre organizzazioni.

fig 8 : Analisi dei link

Gli screenshot rivelano che il destinatario originale dell’URL riscritto (l’organizzazione compromessa) è diverso dai target successivi che Perception Point sta proteggendo. Ciò indica che gli aggressori non solo hanno sfruttato l’URL riscritto, ma lo hanno anche utilizzato in una campagna di attacco più ampia contro più organizzazioni, sfruttando la fiducia riposta nel marchio e nei servizi di riscrittura di INKY e Proofpoint.

Questo esempio evidenzia come gli aggressori possano manipolare le misure di sicurezza per ampliare il loro raggio d’azione, trasformando un singolo punto di compromissione in una campagna di phishing su larga scala.

Esempio 3 : Exploiting Mimecast’s URL Rewriting

fig 9 : Schema riscrittura link

In questo caso, Perception Point ha impedito un attacco di phishing che probabilmente sfruttava il servizio di riscrittura URL di Mimecast per mascherare un link dannoso. Il link di phishing è stato riscritto dal servizio di protezione URL di Mimecast, conferendogli l’aspetto di un URL sicuro (mimecastprotect.com). Tuttavia, la destinazione finale era un sito di phishing (ycnrw8.com) progettato per rubare credenziali.

Esempio 4 : IRS Phishing Attack via Sophos URL Rewriting

In questo potenziale incidente di phishing, Perception Point ha rilevato un attacco in cui il servizio di riscrittura URL di Sophos è stato utilizzato per mascherare un collegamento dannoso.

Email: l’email di phishing è stata creata per apparire come una richiesta di verifica urgente da parte di un’organizzazione legittima (ID.me + IRS). L’URL nell’ email è stata riscritta da Sophos, aggiungendo un livello di legittimità.

fig 10 : Email di phishing con Sophos URL rewrite

L’attaccante ha sfruttato l’URL riscritto fornito da Sophos (protection.sophos.com) per mascherare la destinazione effettiva del phishing. L’URL sembrava sicuro grazie al dominio Sophos, rendendo difficile per il destinatario riconoscere la minaccia.

fig 11 : Analisi dei link

Sito di phishing: cliccando sul collegamento riscritto, le vittime vengono reindirizzate a un sito web di phishing (strategiclandlording.com), progettato per raccogliere informazioni personali sotto le mentite spoglie di un servizio legittimo.

Servizi abusati identificati:

• Mimecast: url.uk.m.mimecastprotect.com
• Barracuda: linkprotect.cudasvc.com
• Proofpoint: urldefense.proofpoint.com
• Darktrace: us01.z.antigena.com
• Intermedia: url.emailprotection.link
• TitanHq: linklock.titanhq.com
• Bitdefender: linkcan.io
• Hornet Security: atpscan.global.hornetsecurity.com
• Viper Security: url2.mailanyone.net
• Topsec: scanner.nextgen.topsec.com

Raccomandazioni

Lo sfruttamento da parte degli hacker delle funzionalità di riscrittura degli URL sottolinea la necessità di innovazione continua nella sicurezza della posta elettronica. Man mano che gli aggressori diventano più sofisticati, le soluzioni di sicurezza devono evolversi per evitare queste minacce, adottando metodi di rilevamento avanzati e l’aumento sempre e comunque della soglia di attenzione prima di accettare un link e compilare con i propri dati.

• Proactive Detection : analizza e valuta gli URL in tempo reale, impedendo agli attacchi di entrare nella posta in arrivo.
• Advanced Anti-Evasion: equipaggiato per annullare tattiche di elusione come CAPTCHA e geo-fencing.
• Post-Delivery and Meta-Analysis: utilizza big data per riesaminare e rivalutare i collegamenti dopo la consegna in modo autonomo.
• Advanced Browser Security : esegue la scansione degli URL al clic, garantendo il rilevamento in tempo reale di qualsiasi attività dannosa.

Fonti:

cyberpress.org/hackers-exploit…

perception-point.io/blog/rewri…

Hackers Exploit Email URL Rewriting to Insert Phishing Links

lexisnexis.com.tw/blog/8kdaja2…

mimecast.com/threat-intelligen…

linkedin.com/pulse/hackers-exp…

L'articolo Una Campagne di Phishing sfrutta la riscrittura dei link dei sistemi di sicurezza proviene da il blog della sicurezza informatica.

due testi di Luca Zanini

pontebianco.noblogs.org/post/2…

compostxt.blogspot.com/2024/08…