The Good | Public-Private Partnership to Crackdown on Commercial Spyware
The private and public sectors have done a rare thing this week: they agreed that something must be done about the proliferation and abuse of commercial spyware, a problem that has exploded in recent years.
On Monday, the State Department announced a new policy to impose visa restrictions on individuals involved with the misuse of spyware. The restrictions, which extend to spouses and children, can be imposed on anyone believed to be involved in the targeting, unlawful surveillance, harassment, suppression or intimidation of others including journalists, activists and dissidents.
This was quickly followed on Tuesday by the announcement of an international agreement dubbed The Pall Mall Process, in which a range of public and private entities agreed to tackle the threat posed by the proliferation and abuse of commercial cyber intrusion tools and services. The agreement included tech corps like Google and Microsoft and a host of government agencies from the US, UK, Europe, Japan and Singapore.
The explosion in spyware and spyware services has led to a rapid expansion in the pool of state and non-state actors, tracked as private sector offensive actors (PSOAs) by cyber defenders, who can access and deploy sophisticated cyber intrusion tools to commit cyber crimes against nations, organizations and individuals.
Recognizing the need for greater oversight of the development and distribution of commercial spyware, the Pall Mall Process will aim to establish guiding principles and policy options for governments, industry and civil society regarding the development, purchase, and use of commercially available cyber intrusion capabilities.
The Bad | Volt Typhoon Prepares Attacks on US Critical Infrastructure
CISA, the NSA and the FBI have warned this week that China-backed state-sponsored actor Volt Typhoon has been conducting a long-running campaign to infiltrate and hide within the networks of US critical infrastructure organizations. In a detailed joint advisory, they warned that the campaign avoids typical tactics, techniques and procedures of other threat actors and will easily evade simple security solutions.
The threat actor’s MO involves initial access through N-day and Zero-day vulnerabilities in network gear such as Ivanti, Citrix, Cisco and Fortinet (see below) appliances. Volt Typhon operators then use VPN sessions to maintain persistent access and blend in with regular traffic. Notably, they tend to avoid dropping malware on the victim’s network to help avoid discovery, preferring direct control via command line sessions and LOLBins.
@CISAgov with our government and international partners released a joint guide to help network defenders mitigate and detect living off the land techniques exploited by the PRC-sponsored #VoltTyphoon group to target U.S. critical infrastructure. https://t.co/1ytakMzE87 pic.twitter.com/Y4GUQ10hCm
— CISA Cyber (@CISACyber) February 7, 2024
Top among these is heavy use of PowerShell to perform targeted queries on Windows security event logs, and vssadmin to access the sensitive Active Directory’s NTDS.dit file from a Volume shadow copy, a technique which allows the attacker to bypass the file locking mechanism that protects the file on the live Windows environment. NTDS.dit contains hashed versions of passwords, which are then subject to brute force attacks offline to reveal clear text credentials.
Following credentials dumping, Volt Typhoon remains silent on the network. CISA says the threat actor is pre-positioning itself in preparation for a future disruptive or destructive cyber attack on US critical infrastructure. Security teams, particularly those defending critical infrastructure entities, can review the detailed detection and hunting recommendations here.
The Ugly | Host of New Bugs Disclosed for Ivanti, Cisco and Fortinet
While Volt Typhoon operators may feel down about this week’s exposure, the tranche of new bugs in the very appliances that they target will no doubt be cheering them up. Ivanti, Fortinet, and Cisco have all disclosed new serious vulnerabilities this week.
A critical security bug in Fortinet’s FortiOS, rated 9.6 on the CVSSv3 scale, was disclosed this Thursday. The flaw, CVE-2024-21762, could allow a remote unauthenticated attacker to execute arbitrary code.
Fortinet says that the vulnerability is potentially being exploited in the wild, though few other details are available at this time. The bug affects versions prior to FortiOS 7.4.3. Users that cannot upgrade may disable SSL VPN, but the company explicitly warns that simply disabling webmode is not a valid workaround. The latest bug comes on the back of other further updates to address vulnerabilities previously patched as CVE-2023-34992 (CVSSv3 9.7) in FortSIEM supervisor.
Meanwhile, Cisco Expressway Series devices were found to have multiple vulnerabilities that could allow unauthenticated remote attackers to perform CSRF (Cross-site forgery request) attacks. CVE-2024-20254 and CVE-2024-20255 affect Cisco Expressway Series devices in the default configuration; CVE-2024-20252 affects devices only if the cluster database (CDB) API feature has been enabled. It is disabled by default.
To cap off a worrying week for network admins, Ivanti this week disclosed yet another flaw affecting Ivanti Connect Secure. CVE-2024-22024 is an 8.3 CVSSv3 rated bug that could allow an attacker to access a subset of restricted resources without authentication. It is not known to be currently exploited in the wild, but patch now, while threat actors are busy elsewhere.