Week 13 already? Time flies!
In this week's cybersecurity roundup, we cover critical vulnerabilities in XZ Utils and Microsoft Edge, thousands of exposed Exchange servers in Germany, an NHS ransomware attack, and a flood of malicious PyPI packages.
🌐 This Week in Cybersecurity
UK's NHS Suffers Ransomware Attack, Patient Data Leaked
- Ransomware Group Publishes Patient Data: A known ransomware group has published clinical data relating to a small number of patients from NHS Dumfries and Galloway. This follows a recent cyber attack on the health board's IT systems where hackers accessed a significant amount of data, including patient and staff information.
- Services Running Normally, Investigation Ongoing: Despite the attack, patient-facing services at NHS Dumfries and Galloway continue to function normally. The health board is working with Police Scotland, the National Cyber Security Centre, the Scottish Government, and other agencies to investigate the incident, assess the full extent of the data breach, and prevent further data sharing.
- Patients Contacted, Advised to Stay Vigilant: NHS Dumfries and Galloway will contact patients whose data has been leaked. All patients and staff are advised to be on guard for anyone trying to access their systems or claiming to have their personal information. Any such incidents should be reported to Police Scotland immediately.
Critical Backdoor Discovered in XZ Utils, Shipped by Several Linux Distributions
- Severity: A backdoor (CVE-2024-3094, CVSS score 10.0) was found in the liblzma library shipped with XZ Utils versions 5.6.0 and 5.6.1. On an affected system it lets a remote attacker who holds the matching private key bypass sshd authentication and run commands with sshd's root privileges.
- Impact: The malicious code, introduced through obfuscated test files committed to the repository and a build-script change present only in the release tarballs, hooks the sshd daemon on distributions whose OpenSSH is patched to link libsystemd, which in turn loads liblzma into the sshd process. Fedora 41, Fedora Rawhide, and some Debian testing/unstable builds shipped the backdoored versions.
- Detection: OSS Security has shared a script, detect.sh, that checks whether a backdoored build is installed on the system.
- Mitigation: Red Hat and Debian have reverted to the safe 5.4.x XZ Utils versions in their repositories. CISA advises all users to downgrade to an uncompromised version (e.g., 5.4.6 Stable) immediately and monitor for suspicious activity. GitHub has disabled the XZ Utils repository.
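The detection script referenced above is not reproduced on this page, so the following is an added example and not the oss-security detect.sh. It applies the two cheap signals a detection has to combine: whether the installed xz is one of the backdoored releases (5.6.0 or 5.6.1), and whether the sshd binary links liblzma at all, since the backdoor can only hook sshd on systems where sshd loads that library. The function names and the constructed ldd sample are assumptions for illustration.

```shell
#!/bin/sh
# detect_xz_backdoor.sh -- added example, not the detect.sh published on
# oss-security. Two checks:
#   1. is the installed xz one of the backdoored releases, 5.6.0 or 5.6.1?
#   2. does sshd load liblzma, the library that carries the backdoor?
# Helper names and the ldd sample below are assumptions for illustration.

# Returns 0 when the given string names a backdoored XZ Utils release.
# Accepts a bare version ("5.6.1") or the first line of `xz --version`
# ("xz (XZ Utils) 5.6.1").
is_backdoored_xz_version() {
    ver=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ldd` output on stdin and prints the liblzma path it names.
# Returns 1 when no liblzma line is present, i.e. sshd does not link it
# and the backdoor has nothing to hook, whatever xz version is installed.
liblzma_from_ldd() {
    grep 'liblzma' | grep -o '/[^ ]*' | head -n 1 | grep .
}

# Constructed sample of `ldd /usr/sbin/sshd` from a distribution whose sshd
# links libsystemd and, through it, liblzma. Used for offline demonstration.
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

# Live check of this host. Returns 0 when nothing suspicious was found and
# 1 when a backdoored xz release is installed (downgrade regardless of
# whether sshd currently links liblzma: other services may).
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz is not installed; nothing to check"
        return 0
    fi
    ver_line=$(xz --version 2>/dev/null | head -n 1)
    if ! is_backdoored_xz_version "$ver_line"; then
        echo "xz version looks safe: $ver_line"
        return 0
    fi
    echo "backdoored xz release installed: $ver_line"
    sshd_path=$(command -v sshd 2>/dev/null || ls /usr/sbin/sshd 2>/dev/null)
    if [ -z "$sshd_path" ]; then
        echo "sshd not found; downgrade xz to 5.4.x anyway"
        return 1
    fi
    # The exit status of the assignment is that of the command substitution,
    # so this branch is taken only when a liblzma path was printed.
    if lzma_path=$(ldd "$sshd_path" 2>/dev/null | liblzma_from_ldd); then
        echo "sshd loads $lzma_path: probably vulnerable, downgrade to 5.4.x now"
        return 1
    fi
    echo "sshd does not link liblzma on this host; still downgrade xz"
    return 1
}

check_host
```

Run it as root (`sh detect_xz_backdoor.sh`); a non-zero exit status means a downgrade is due. The version check is the weaker of the two signals: a rebuilt library that kept the 5.6.x version string but dropped the payload would still be flagged, and a repackaged library that hid the version would be missed. The oss-security script therefore also greps the liblzma file for a byte signature of the backdoored function, which is the check to add once the version and linkage checks have narrowed the hosts down.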
PyPI Temporarily Suspends New Projects and Users After Flood of Malicious Package Uploads
- Temporary Suspension: The Python Package Index (PyPI) halted new project creation and user registration for 10 hours on Wednesday evening following an onslaught of malicious package uploads that executed malicious code on devices that installed them.
- Typosquatting Attack: Attackers used automated means to upload malicious packages with names similar to popular legitimate packages, hoping to trick users into installing them by mistake. The malicious payloads aimed to steal crypto wallets, sensitive browser data, and credentials.
- Ongoing Threats to Software Repositories: The PyPI incident highlights the increasing threats facing open source software repositories. Similar attacks have recently targeted GitHub, npm, and RubyGems, often using techniques like repository cloning, code obfuscation, and account hijacking to distribute malware to developers.
Thousands of Microsoft Exchange Servers in Germany Vulnerable to Critical Flaws
- Exposed Servers: The German Federal Office for Information Security (BSI) found that around 45,000 Microsoft Exchange servers in Germany have Outlook Web Access (OWA) enabled and are accessible from the Internet. Approximately 17,000 of these servers are severely vulnerable.
- Outdated Versions: 12% of the exposed Exchange servers still use outdated versions (2010 or 2013) which have not received security updates since October 2020 and April 2023, respectively. For Exchange 2016 or 2019 servers, roughly 28% have not been patched for at least four months.
- Affected Organizations: Many schools, colleges, clinics, doctor's offices, nursing services, other medical institutions, lawyers, tax consultants, local governments, and medium-sized companies are impacted by these vulnerabilities. The BSI urges admins to use current Exchange versions, install all available security updates, and securely configure exposed instances.
- Mitigation Steps: Admins should install the March 2024 security updates, restrict access to web-based Exchange services to trusted IPs or put them behind a VPN, and enable Extended Protection using Microsoft's dedicated PowerShell script (ExchangeExtendedProtectionManagement.ps1) to close the critical CVE-2024-21410 privilege escalation vulnerability. Microsoft now enables Extended Protection automatically when the 2024 H1 Cumulative Update (CU14) for Exchange Server 2019, released in February 2024, is installed.
Microsoft Edge Vulnerability Allowed Silent Extension Installation
- Vulnerability Discovery: Guardio Labs discovered a vulnerability (CVE-2024-21388) in Microsoft Edge that could allow attackers to silently install browser extensions with broad permissions by exploiting a private API meant for marketing purposes.
- Exploit Mechanism: The private edgeMarketingPagePrivate API, exposed to Microsoft domains such as bing.com, contained an installTheme method that did not properly validate its input. It could therefore install any extension, not just themes, without user interaction, provided the attacker could inject JavaScript into one of those privileged pages.
- Potential Impact: Attackers could trick users into installing a seemingly benign extension that then silently installs a more powerful, potentially malicious one, enabling tracking of user actions, account takeover, and data theft. The vulnerability highlights the risk of gating powerful private APIs on the page's domain alone.
🛠️ Security Tools
- RedEye - A visual analytic tool that supports both Red and Blue Team operations, facilitating advanced analysis.
- SharpEDRChecker - Checks for the presence of defensive products like AVs, EDRs, and logging tools in running processes, DLLs, services, and drivers.
- AzureC2Relay - An Azure Function that validates and relays Cobalt Strike beacon traffic, aligning with the Cobalt Strike Malleable C2 profile.
🚀 Startup Watch
- StealthMole, an AI-powered dark web intelligence startup, has raised $7 million in Series A funding to expand its R&D centers and support more commercial uses of its technology in monitoring cyber threats and detecting cybercrime.
- Coro, an Israeli cybersecurity startup, has raised $100 million in a Series D funding round, bringing its total funding to $255 million over the past two years.
- Symmetry Systems, a data store and object security provider, has raised $15 million in a Series A funding round led by ForgePoint Capital and Prefix Capital. The company's DataGuard solution offers unified visibility and access control over data assets across hybrid cloud environments, helping organizations manage data risks and maintain compliance.
📚 Recommended Reads
- The Oligo research team has discovered an active attack campaign targeting a vulnerability in Ray, a widely used open-source AI framework. Thousands of companies and servers running AI infrastructure are exposed through a critical vulnerability (CVE-2023-48022, dubbed ShadowRay) whose status as a vulnerability is disputed by the maintainers, so no patch exists.
- Super interesting write-up and in-depth analysis of the Lucee CFML server, uncovering critical vulnerabilities that could lead to remote code execution and potential supply chain attacks. Through their persistent efforts, the authors successfully achieved RCE on Apple's production server running Lucee, responsibly disclosed the findings, and worked with the Lucee team to implement necessary fixes, underscoring the importance of collaborative security research.
- Unsaflok is a series of critical security vulnerabilities in dormakaba's Saflok electronic RFID locks, impacting over 3 million hotel doors in 131 countries and allowing attackers to unlock all rooms using a single pair of forged keycards.
⭐️ 3 Ways I Can Help You
- Work with me. I love helping people! Let's discuss your challenges, career, or ask me anything about cybersecurity in 25 minutes.
- Get access to Cyber Strategy OS. My curated collection of valuable resources for every cybersecurity professional.
- Looking for something different? Reach out.
If this sparked your interest, I'd love to hear from you in the comments. Stay tuned for more and consider following me on LinkedIn and X.
Nikoloz