Before you start your Monday, catch up on the latest in cybersecurity!
A widespread malware campaign is forcefully installing malicious browser extensions, while OpenAI takes action against accounts linked to an Iranian influence operation using ChatGPT. On the business front, CrowdStrike is in talks to acquire Action1, potentially enhancing their update processes.
Critical Windows IPv6 RCE Vulnerability Likely to Be Exploited
- Microsoft warned customers to patch a critical TCP/IP remote code execution (RCE) vulnerability (CVE-2024-38063) affecting all Windows systems using IPv6, which is enabled by default.
- The vulnerability, caused by an Integer Underflow weakness, could be exploited by unauthenticated attackers in low-complexity attacks by sending specially crafted IPv6 packets, potentially leading to arbitrary code execution.
- Microsoft tagged the vulnerability as "exploitation more likely" and advised customers to treat it with high priority, as the company is aware of past instances of similar vulnerabilities being exploited.
Widespread Malware Campaign Forcefully Installs Malicious Browser Extensions
- ReasonLabs Research Team identified a new widespread polymorphic malware campaign that forcefully installs malicious extensions on Google Chrome and Microsoft Edge, affecting at least 300,000 users since 2021.
- The trojan malware, originating from imitations of download websites, delivers various malicious payloads ranging from simple adware extensions that hijack searches to sophisticated scripts that steal private data and execute commands.
- The malware adds registry values to force extension installation, tampers with browser ".lnk" files to load a local extension, communicates with C2 to report status and get next stages, and modifies browser DLLs to override the default search engine.
New EDR-Killing Malware Loader Discovered: EDRKillShifter
- Sophos analysts recently encountered a new EDR-killing utility called EDRKillShifter being deployed by criminals attempting to attack an organization with RansomHub ransomware.
- EDRKillShifter is a loader that delivers legitimate but vulnerable drivers (BYOVD) to gain privileges and unhook an EDR tool's protection, with the final Go-based payload terminating processes from a hardcoded list.
- The loader and final payloads may be developed by separate threat actors, with the loader potentially acquired on the dark net and the payloads delivered by the loader itself.
GitHub Open Source Projects Exposed to Attack via Workflow Artifacts
- Palo Alto Networks' Unit 42 researchers discovered an attack vector affecting open source projects on GitHub owned by major companies like Google, Microsoft, and Amazon Web Services.
- The attack abuses GitHub Actions artifacts, causing them to leak both third-party cloud service tokens and GitHub tokens, making them accessible to anyone with read access to the repository.
- Leaked GitHub tokens could allow attackers to push malicious code to production through the CI/CD pipeline, or access secrets stored in the GitHub repository and organization.
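A defender-side check for the artifact leak described above, as an added example that is not from the newsletter or from Unit 42: it scans an artifact archive for GitHub-token-shaped strings and for a git credential header in an uploaded `.git/config` before the artifact is published. The function names, the sample archive and the choice of these two patterns are assumptions made for illustration.

```python
import io
import re
import zipfile

# Token-shaped strings using GitHub's documented prefixes (ghp_, gho_, ghu_, ghs_, ghr_).
GITHUB_TOKEN = re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36,}\b")
# Assumption: a credential persisted as an HTTP extraheader in a git config file.
GIT_EXTRAHEADER = re.compile(rb"(?im)^\s*extraheader\s*=\s*AUTHORIZATION:")


def scan_artifact(zip_bytes):
    """Return sorted (member, finding) pairs for a workflow artifact archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            if GITHUB_TOKEN.search(data):
                findings.add((info.filename, "github-token"))
            if info.filename.endswith(".git/config") and GIT_EXTRAHEADER.search(data):
                findings.add((info.filename, "git-credential-header"))
    return sorted(findings)


def build_sample_artifact():
    """Constructed sample: a whole working directory zipped, .git/ and logs included."""
    fake_token = b"ghs_" + b"A" * 36  # constructed placeholder, not a real token
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("dist/app.js", b"console.log('hello');\n")
        archive.writestr("logs/build.log", b"env GITHUB_TOKEN=" + fake_token + b"\n")
        archive.writestr(
            ".git/config",
            b'[http "https://github.com/"]\n'
            b"\textraheader = AUTHORIZATION: basic Y29uc3RydWN0ZWQ=\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # A CI step would fail the job when this list is non-empty.
    for member, finding in scan_artifact(build_sample_artifact()):
        print(f"{finding}: {member}")
```
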
0.0.0.0 Day: Browsers Allow Websites to Exploit Local Services
- Oligo Security researchers disclosed the "0.0.0.0 Day" vulnerability, which allows malicious websites to bypass browser security and interact with services running on an organization's local network, potentially leading to unauthorized access and remote code execution.
- The issue stems from inconsistent implementation of security mechanisms across different browsers, along with a lack of standardization in the browser industry. Browsers are working on fixes, with Chrome gradually blocking access to 0.0.0.0 and Safari already implementing changes in WebKit.
- The discovery of active exploitation campaigns, such as ShadowRay, further underscores the urgency of addressing this vulnerability. Oligo researchers demonstrated the ability to execute ShadowRay from the browser using 0.0.0.0, as well as exploit other vulnerable applications like Selenium Grid and PyTorch TorchServe.
CISOs Share Strategies for Thriving in a VUCA World
- At SecureIT New York, a panel of CISOs including Laura Deaner of Northwestern Mutual, Nada Noaman of The Estée Lauder Companies, and Liz Rodgers of RAND discussed how to empower a cyber-resilient culture amid a growing threat landscape.
- The CISOs emphasized the importance of connecting cybersecurity to the business mission, with Noaman stating that her team members understand their purpose and contribution to the overarching goal of customer-focused security.
- To build credibility and get buy-in for security initiatives, the CISOs highlighted the need for clear, unambiguous communication using the language of business rather than technical jargon, while also understanding the realities and priorities of business colleagues.
Securing Development Workflows: Insights from Field CISO Paul Davis
- In an interview with Adrian Sanabria, Paul Davis, Field CISO at JFrog, discusses the critical challenges facing information security leaders in securing development workflows, emphasizing the growing complexity and evolving threats targeting development environments.
- Davis highlights the increasing vulnerability of development workflows, noting that the traditional model of developer autonomy is becoming problematic as malicious actors shift their focus toward developers and their infrastructure, necessitating the consolidation and streamlining of "developer islands" to enable better visibility across the software development lifecycle.
- The conversation explores the balance between speed and security in software development, with Davis emphasizing the importance of early intervention in the development cycle to mitigate risks and reduce the time developers spend fixing bugs, while also discussing the potential role of automation in enhancing security without impeding development.
Security is a Subset of Software Quality, But Challenges Remain
- Chris Hughes discusses the ongoing debate over whether security is a subset of software quality, citing CISA Director Jen Easterly's recent comments at Black Hat.
- The software iron triangle of schedule, budget, and scope presents challenges, along with information asymmetries between producers and consumers, constraints, competing interests, and lack of a universal definition of quality.
- Underpinning the discussion is the question of what "secure" means, as the industry lacks a clear definition and risk management exists on a spectrum, with attempts at quantification still outliers rather than standards.
Suspicious Activity Discovered During Windows Forensic Investigation
- Baris Dincer, the author, demonstrates a forensic analysis methodology for a compromised Windows Server 2016 system in an AWS EC2 environment.
- The investigation reveals a suspicious user "John" with recent login activity, questionable scheduled tasks like "Clean file system" running a malicious nc.ps1 script, and unusual registry entries pointing to a suspicious IP.
- Further analysis uncovers unauthorized web server modifications, firewall rules allowing inbound access on port 1337, and evidence of remote connections in IIS logs, indicating a potential backdoor.
Sysadmins Share How Attackers Breached Their Systems
- Sysadmins who experienced breaches share how attackers gained access, with one noting that the attacker impersonated a legitimate software vendor and snuck in unattended access during a demo.
- Another sysadmin mentioned a successful phishing email that allowed the attacker to pivot to AD accounts and eventually obtain Domain Admin access, leading to ransomware being pushed to the entire company.
- One breach occurred through an old, unknown server in a remote location that had been running for over 15 years with a 1:1 NAT, nearly allowing attackers to breach the entire corporate network.
Foundations of Operationalizing MITRE ATT&CK Course Introduces Key Concepts
- AttackIQ's "Foundations of Operationalizing MITRE ATT&CK" course, which has been replaced by a newer version, introduces students to the basics of the MITRE ATT&CK Framework, including its history, evolution, and why organizations are adopting it.
- The course covers how organizations can use MITRE ATT&CK to improve the efficiency and effectiveness of their security programs, as well as tools and resources for supplementing MITRE ATT&CK testing, such as ATT&CK Navigator and MITRE CAR.
- Topics include threat-informed defense, cyber threat intelligence analysis, operationalizing MITRE ATT&CK through threat intelligence, detection and analytics, and adversary emulation and red teaming. The course also serves as a foundation for AttackIQ's "The Dummies Guide to MITRE ATT&CK" book.
OpenAI Bans Accounts Linked to Iranian Influence Operation Using ChatGPT
- OpenAI said it banned a set of accounts linked to an Iranian covert influence operation called Storm-2035 that used ChatGPT to generate content focused on topics like the upcoming U.S. presidential election.
- The AI-generated content was shared via social media accounts and websites posing as progressive and conservative news outlets, but achieved negligible engagement according to OpenAI.
- Microsoft also highlighted Storm-2035's activity, while warning of increased foreign malign influence targeting the U.S. election from Iranian and Russian networks in the past six months.
Securing LLM-Backed Systems Requires Careful Authorization Design
- The Cloud Security Alliance provides guidance on authorization best practices for systems using large language models (LLMs), as formal guidance is lacking despite rapid adoption.
- Key principles include keeping LLMs out of authorization decisions, continuously verifying identities and permissions, limiting system complexity, and validating all inputs and outputs to safeguard against prompt injection attacks.
- Common architecture patterns like Retrieval Augmented Generation (RAG) using vector databases, relational databases, or API calls require the orchestrator to handle identity and perform authorization checks before passing data to the LLM context window.
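A sketch of the orchestrator-side check described above, as an added example that is not taken from the Cloud Security Alliance guidance: retrieved chunks are filtered against the caller's group membership in ordinary code before any text is placed in the prompt. The class names, the group-based ACL model and the keyword retrieval standing in for a vector search are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    allowed_groups: frozenset  # ACL stored with the chunk at indexing time (assumed model)


@dataclass(frozen=True)
class Principal:
    user_id: str
    groups: frozenset  # resolved by the orchestrator from the authenticated session


# Constructed corpus standing in for a vector database.
CORPUS = [
    Document("hr-001", "Salary bands for 2024 ...", frozenset({"hr"})),
    Document("eng-007", "Deployment runbook for the payments API ...", frozenset({"eng", "sre"})),
    Document("pub-100", "Public holiday calendar ...", frozenset({"everyone"})),
]


def retrieve(query):
    """Toy retrieval: keyword overlap in place of a vector similarity search."""
    terms = set(query.lower().split())
    return [d for d in CORPUS if terms & set(d.text.lower().split())]


def authorize(principal, docs):
    """Deterministic check made by the orchestrator, never delegated to the model."""
    effective = principal.groups | {"everyone"}
    return [d for d in docs if d.allowed_groups & effective]


def build_context(principal, query):
    """Return (prompt, ids_in_context, ids_denied); only authorized text reaches the prompt."""
    candidates = retrieve(query)
    permitted = authorize(principal, candidates)
    denied = [d.doc_id for d in candidates if d not in permitted]
    context = "\n".join(f"[{d.doc_id}] {d.text}" for d in permitted)
    prompt = f"Answer using only this context:\n{context}\n\nQuestion: {query}"
    return prompt, [d.doc_id for d in permitted], denied


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"eng"}))
    _, used, denied = build_context(alice, "salary bands and deployment runbook")
    print("in context:", used, "denied:", denied)
```

Because the filter runs before prompt assembly, wording in the query that asks the model to ignore access rules has no effect on which documents are included.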
MIT Researchers Create "Living Database" of 777 AI Risks
- MIT researchers have created a "living database" of 777 risks extracted from 43 taxonomies to help manage potential dangers of adopting AI, such as bias, falsehoods, addiction, or even the creation of new biological or chemical weapons.
- The AI Risk Repository provides an accessible overview of the AI risk landscape, a regularly updated source of information, and a common frame of reference for various stakeholders, classifying risks into seven domains like Discrimination & Toxicity, Privacy & Security, and AI system safety.
- Despite some limitations, the repository is seen as an incredibly helpful tool for leaders establishing AI governance in their organizations, providing a foundation for a more coordinated, coherent, and complete approach to defining, auditing, and managing AI risks.
CrowdStrike in Talks to Acquire Action1 for $1B After Falcon Update Mishap
- According to an internal email from Action1 CEO Alex Vovk, CrowdStrike is in talks to acquire the cloud-based patch management and vulnerability remediation company for close to $1 billion.
- The acquisition could help CrowdStrike improve testing and deployment of updates to avoid incidents like the recent Falcon update error that caused a global Windows outage.
- For customers, the potential acquisition brings the benefits of enhanced security and reliability, but also uncertainties about pricing, service delivery, and overall business strategy.
Medical Device Cybersecurity Solutions Market to Reach $32.94 Billion by 2028
- The Business Research Company reports that the global medical device cybersecurity solutions market is expected to grow to $32.94 billion by 2028, with a CAGR of 25.5%, driven by advances in AI, increasing cyberattacks, and higher investments in cybersecurity.
- Major trends in the forecast period include the incorporation of blockchain technology, increased usage of AI-based detection systems, and more partnerships between medical device manufacturers and cybersecurity companies.
- The market is segmented by type, solution, device type, and end-user, with key players including IBM, Cisco, NTT DATA, Philips, GE HealthCare, Palo Alto Networks, Fortinet, Trend Micro, and Sophos, among others.
Insight Partners and Sixth Street Invest $456M in Kiteworks at $1B+ Valuation
- Insight Partners and Sixth Street Partners have invested $456 million in cybersecurity company Kiteworks, valuing it at over $1 billion, according to CEO Jonathan Yaron.
- Kiteworks focuses on security systems for data, files, and documents as they are transmitted or shared, helping customers handle large files securely and control access through private-content networks.
- The increasing importance of data protection and more stringent regulation should help Kiteworks expand its market reach and grow contracts with existing customers, which include the SEC, NHS, Porsche, AXA, and Shell.
Bane
Custom AppArmor profile generator for Docker containers with file globbing.
Chaosreader
Chaosreader is a tool for ripping files from network sniffing dumps and replaying various protocols and file transfers.
Whatweb
A next-generation web scanner that identifies websites and recognizes web technologies, including content management systems, blogging platforms, and more.
If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!
Have questions? Let me know in the comments or on LinkedIn and Mastodon.
Best,
Nikoloz