WME Security Briefing 28 August 2024

WME Cybersecurity Briefings No. 024

GhostWrite Vulnerability in T-Head CPUs Exposes Devices to Unrestricted Access

Overview

Recent research from the CISPA Helmholtz Center for Information Security has uncovered a critical architectural flaw in T-Head’s XuanTie C910 and C920 RISC-V CPUs. Dubbed GhostWrite, the vulnerability is baked directly into the CPU hardware, which makes it especially hazardous: most software security measures cannot intercept the attack. Unlike side-channel or transient-execution attacks, GhostWrite exploits faulty instructions in the CPU’s vector extension, which makes it a direct threat to any device built on those processors.

Impact

GhostWrite gives an unprivileged attacker full access to a device’s memory and peripherals. Because the faulty instructions operate on physical rather than virtual memory, the vulnerability bypasses the process isolation that operating systems and hardware implement. Attackers can therefore read and write any location in memory, bypass security controls, and completely take over devices such as network interface cards.

Such vulnerabilities render a CPU’s security functions useless and leave devices fully exposed. The attack is highly effective and can be carried out within microseconds, which adds to its danger. Even strong isolation measures such as Docker containerization or sandboxing offer no protection against GhostWrite. Disabling the CPU’s vector extension mitigates the risk, but it turns off roughly 50% of the CPU’s functionality and significantly impacts performance.

Recommendation

Users and admins should switch off the vector extension on affected CPUs to mitigate GhostWrite. This prevents exploitation of the vulnerability but comes at a considerable cost in CPU performance. Applications that depend heavily on vector instructions will need alternative ways to retain their functionality.
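Before applying the mitigation fleet-wide, an admin first needs to know which machines actually have a C910/C920 core with the vector extension still exposed. The following inventory check is an added example written for this briefing, not code from the GhostWrite researchers or from T-Head. It parses text in the layout Linux uses for RISC-V `/proc/cpuinfo`; the sample below is constructed, and the assumption that the kernel’s `uarch` field spells the affected cores as `thead,c910` / `thead,c920` should be checked against what your own boards report.

```python
"""Inventory check for the GhostWrite mitigation: list the harts that report
a T-Head C910/C920 core with the vector ("v") extension still enabled."""
import re

# Constructed sample in the layout Linux uses for RISC-V /proc/cpuinfo.
# Field names and values vary by kernel version; this is illustrative only.
SAMPLE_CPUINFO = """\
processor\t: 0
hart\t\t: 0
isa\t\t: rv64imafdcv
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 1
hart\t\t: 1
isa\t\t: rv64imafdcv
mmu\t\t: sv39
uarch\t\t: thead,c910

processor\t: 2
hart\t\t: 2
isa\t\t: rv64imafdc_zicsr_zifencei
mmu\t\t: sv39
uarch\t\t: sifive,u74-mc
"""

# Assumption: the kernel's "uarch" field (taken from the device-tree compatible
# string) spells the affected cores this way; adjust to what your boards report.
AFFECTED_UARCH = ("thead,c910", "thead,c920")


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of lower-cased fields per hart."""
    harts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip().lower()
        if fields:
            harts.append(fields)
    return harts


def has_vector_extension(isa):
    """True if the single-letter extension part of the ISA string contains 'v'.

    Multi-letter extensions (zicsr, zifencei, ...) follow the first underscore
    and are ignored; the base 'v' extension is what the mitigation disables.
    """
    base = isa.lower().split("_", 1)[0]               # e.g. "rv64imafdcv"
    letters = base[4:] if base.startswith(("rv32", "rv64")) else base
    return "v" in letters


def affected_harts(text):
    """Hart numbers that are both a listed T-Head core and still expose 'v'."""
    found = []
    for hart in parse_cpuinfo(text):
        uarch = hart.get("uarch", "")
        if any(uarch.startswith(a) for a in AFFECTED_UARCH) and \
                has_vector_extension(hart.get("isa", "")):
            found.append(int(hart.get("hart", hart.get("processor", "-1"))))
    return found


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            cpuinfo = fh.read()
    except OSError:
        cpuinfo = SAMPLE_CPUINFO    # not on Linux: fall back to the constructed sample
    exposed = affected_harts(cpuinfo)
    if exposed:
        print("T-Head harts with the vector extension enabled:", exposed)
    else:
        print("No affected T-Head harts with the vector extension enabled")
```

Run it on each RISC-V host (or feed it collected `/proc/cpuinfo` dumps) and treat any non-empty result as a machine where the mitigation has not yet taken effect. A hart whose `isa` line no longer lists `v` after the change is the positive confirmation to record.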

Critical Vulnerabilities Discovered in Microsoft’s Azure Health Bot Service

Overview

Two vulnerabilities were discovered in the Azure Health Bot Service, Microsoft’s platform for AI-powered virtual health assistants used by healthcare organizations. Microsoft has already fixed both defects. Before the fix, they could have allowed attackers to move laterally within customers’ environments and gain unauthorized access to personal patient data.

Impact

Had they persisted, the flaws could have allowed an attacker to reach other tenants’ resources through the service’s Data Connections feature. Data Connections is meant to let a bot pull information from external data sources. Researchers found it could be abused by pointing a connection at a server that answered with a 301 or 302 redirect to the service’s internal metadata endpoint. Because the redirect was followed, the attacker could obtain an access token and use it to list and access restricted files across various Azure subscriptions.

A second endpoint, which supports the Fast Healthcare Interoperability Resources (FHIR) data-exchange format, was found to be vulnerable to the same class of flaw. Together, the issues would have let intruders move laterally within the environment, obtain patient information, and potentially disrupt healthcare services.

Recommendation

After the discovery, Microsoft deployed security fixes across all regions. Organizations using the Azure Health Bot Service have been advised to make sure their systems carry the latest patches. Admins should also review their security configurations and access controls to prevent unauthorized access in the future.
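The flaw described above is a classic server-side request pattern: the service fetched a customer-supplied URL and followed a redirect into internal address space. The guard below is an added example for this briefing, not Microsoft’s code or a description of how the Health Bot Service was fixed. It re-validates every hop of a fetch, including redirect targets, against blocked address ranges, and it runs offline against a constructed DNS table and constructed HTTP responses (`FAKE_DNS`, `FAKE_RESPONSES`, the `partner.example` host and the link-local target address are all made up for the example).

```python
"""Redirect-aware server-side request guard. A 'data connection' fetch may
only reach public addresses, and every redirect hop (301/302 and friends) is
re-checked before it is followed, so a redirect into link-local address space
(where cloud instance-metadata services live) is refused, not followed."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Address space a server-side fetch on behalf of a customer should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeDestination(Exception):
    """Raised when a URL (or a redirect target) points at blocked address space."""


def resolve(host, resolver=None):
    """Return the IP addresses for host. `resolver` lets callers inject answers
    (used below with a constructed DNS table so the example runs offline)."""
    if resolver is not None:
        return [ipaddress.ip_address(a) for a in resolver(host)]
    try:
        return [ipaddress.ip_address(host)]            # literal IP in the URL
    except ValueError:
        return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def check_destination(url, resolver=None):
    """Raise UnsafeDestination unless every address the host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeDestination(f"unsupported URL: {url}")
    for ip in resolve(parts.hostname, resolver):
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast \
                or any(ip in net for net in BLOCKED_NETWORKS):
            raise UnsafeDestination(f"{url} resolves to blocked address {ip}")
    return True


def fetch(url, transport, resolver=None, max_redirects=3):
    """Fetch url, following redirects manually so that each hop is validated.

    `transport(url)` returns (status, headers, body). Real code would wrap an
    HTTP client with automatic redirects disabled; the fake below is constructed.
    """
    for _ in range(max_redirects + 1):
        check_destination(url, resolver)
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                raise UnsafeDestination("redirect without Location header")
            url = urljoin(url, location)               # loop re-checks the new target
            continue
        return status, body
    raise UnsafeDestination("too many redirects")


# --- constructed offline fixtures -------------------------------------------
FAKE_DNS = {"partner.example": ["203.0.113.10"]}      # documentation-range address

FAKE_RESPONSES = {
    "https://partner.example/fhir/Patient": (200, {}, b'{"resourceType":"Bundle"}'),
    # A hostile data source answering with a redirect into link-local space.
    "https://partner.example/redirect": (302, {"Location": "http://169.254.10.20/"}, b""),
    "http://169.254.10.20/": (200, {}, b"would-be-token"),
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [host])


def fake_transport(url):
    return FAKE_RESPONSES[url]


def demo():
    """Returns (body of the legitimate fetch, error text for the redirect attempt)."""
    _, good_body = fetch("https://partner.example/fhir/Patient", fake_transport, fake_resolver)
    try:
        fetch("https://partner.example/redirect", fake_transport, fake_resolver)
        blocked = None
    except UnsafeDestination as exc:
        blocked = str(exc)
    return good_body, blocked


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone adapting this: checking the resolved address and then letting the HTTP library resolve again leaves a small DNS-rebinding window, so a production client should connect to the vetted IP itself; and an explicit allowlist of partner hostnames is a stronger control than a blocklist of address ranges where the set of legitimate data sources is known.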

FBI Takes Down Dispossessor Ransomware Group’s Servers in Major International Operation

Overview

On August 13, 2024, the FBI disrupted the Dispossessor ransomware group, also known as Radar. This takedown dismantled key online infrastructure in the U.S., U.K., and Germany. Dispossessor is a ransomware-as-a-service (RaaS) group that has quickly become a major global threat since August 2023.

Impact

The FBI dismantled three servers in the U.S., three in the U.K., and 18 in Germany. Dispossessor had already attacked 43 companies across multiple countries, including the U.S., U.K., and Germany, in industries such as healthcare, education, finance, and transportation.

Dispossessor used a double-extortion model: it exfiltrated sensitive data and encrypted systems, then demanded ransom for both. The group was known for aggressive tactics, including direct contact with victims to pressure them into paying. It also sold stolen data, compounding the damage to victims.

Recommendation

Despite this major takedown, the ransomware threat persists, and the FBI urges organizations to remain vigilant.

Ukraine’s Government Computers Targeted in New Phishing Campaign

Overview

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about a new phishing campaign. The campaign began in July 2024 and targets government computers in Ukraine. It impersonates the Security Service of Ukraine (SSU) to distribute malware that provides remote desktop access. The activity is tracked under the identifier UAC-0198 and has already compromised more than 100 government computers.

Impact

The attacks involve the mass distribution of emails that deliver a malicious ZIP archive. The archive contains an MSI installer which, when executed, deploys the ANONVNC malware. ANONVNC is based on MeshAgent, an open-source remote management tool, and gives attackers unauthorized access to infected systems.

The potential consequences of this campaign are significant. Attackers can gain remote access to government systems, steal sensitive information, disrupt critical operations, and even compromise national security. Experts also link this campaign to other phishing attacks by the group UAC-0102. In addition, there has been a surge in attacks involving the PicassoLoader malware, which is being used to deploy Cobalt Strike Beacon.

Recommendation

We advise Ukrainian government agencies to:

✔️ Implement strict email filtering for ZIP & MSI files

✔️ Educate staff on phishing & reporting

✔️ Keep software updated with the latest patches

✔️ Tighten access controls

✔️ Develop & test incident response plans
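The first recommendation, filtering ZIP and MSI attachments, is easy to state and easy to get wrong: a filter that looks only at the outer filename misses an MSI inside an archive or a renamed installer. The check below is an added example for this briefing (not CERT-UA tooling): it inspects attachments by name and by content, opens ZIP archives to look inside, and flags encrypted archives it cannot inspect. The sample messages, filenames and addresses are constructed; the one fact relied on is that MSI files are OLE compound documents with the well-known `D0 CF 11 E0 A1 B1 1A E1` header.

```python
"""Mail-gateway attachment check for the ZIP -> MSI delivery chain. Attachments
are inspected by name and content, ZIP archives are opened so a nested .msi is
found, and archives that cannot be inspected are flagged for review."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of OLE compound files, incl. MSI
BLOCKED_EXTENSIONS = (".msi",)
MAX_ARCHIVE_DEPTH = 2
MAX_MEMBER_BYTES = 50 * 1024 * 1024                 # refuse to inflate huge members


def inspect_payload(name, data, depth=0):
    """Return a list of (reason, path) findings for one attachment or archive member."""
    findings = []
    lower = name.lower()
    if lower.endswith(BLOCKED_EXTENSIONS):
        findings.append(("msi_extension", name))
    elif data.startswith(OLE_MAGIC):
        findings.append(("ole_content_disguised", name))  # installer with a renamed extension
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_ARCHIVE_DEPTH:
            findings.append(("archive_too_deep", name))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:                  # encrypted member: cannot inspect
                    findings.append(("encrypted_member", member))
                    continue
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append(("member_too_large", member))
                    continue
                findings.extend(inspect_payload(member, zf.read(info), depth + 1))
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and inspect every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_payload(name, payload))
    return findings


# --- constructed sample messages --------------------------------------------
def build_zip_with_msi():
    """A ZIP holding a fake MSI: the OLE header followed by padding (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Document.msi", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_message(attachment_bytes, filename, subtype):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def demo():
    """Returns findings for a ZIP-wrapped MSI and for a benign text attachment."""
    suspicious = scan_message(build_message(build_zip_with_msi(), "Order.zip", "zip"))
    benign = scan_message(build_message(b"plain text report", "report.txt", "octet-stream"))
    return suspicious, benign


if __name__ == "__main__":
    for label, result in zip(("zip+msi", "txt"), demo()):
        print(label, "->", result or "clean")
```

Any finding should quarantine the message rather than merely log it; the `encrypted_member` and `archive_too_deep` results exist precisely because an archive that cannot be inspected should not be treated as clean.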

Critical Vulnerabilities in Solarman and Deye Solar Systems Could Lead to Power Disruptions

Overview

Major security issues have been identified in photovoltaic (PV) system management platforms from the Chinese companies Solarman and Deye. These platforms are used to monitor and manage solar power systems. They contained several weaknesses that could have been exploited to cause widespread disruption, including blackouts. Although Solarman and Deye addressed the issues as of July 2024, the discovery underscores the need for stronger security measures in this sector.

Impact

If exploited, the flaws could have given attackers control over solar inverter settings, which are crucial to managing solar power systems. Tampering with those settings could disrupt power grids and cause outages.

Vulnerabilities include:

  • Full Account Takeover: Manipulating authorization tokens through the /oauth2-s/oauth/token API.
  • Token Reuse: A flaw in Deye Cloud allowing reuse of JSON Web Tokens (JWTs) to access Solarman accounts.
  • Information Leakage: Exposure of sensitive data via vulnerable API endpoints.
  • Hard-Coded Accounts: Default accounts with unrestricted access due to weak passwords.
  • Unauthorized Token Generation: The ability for attackers to generate authorization tokens for any user.

Recommendation

✔️ Update to versions after July 2024.

✔️ Secure all default accounts with unique passwords.

✔️ Apply the latest security patches.

✔️ Implement monitoring tools to detect unauthorized access.

✔️ Follow best practices, including MFA and regular security audits.
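The token-reuse item in the list above (a Deye Cloud JWT accepted by Solarman) is the failure a verifier avoids by binding every token to the service it was issued for. The verifier below is an added example for this briefing, not code from either vendor or a statement about how they fixed the flaw. It is a hand-rolled HS256 JWT check using only the standard library, so it runs without PyJWT; the signing key, issuer URL, audience names and `user-42` subject are all constructed placeholders.

```python
"""Why a token minted for one cloud must not be accepted by another: an HS256
JWT verifier that pins the algorithm and enforces issuer, audience and expiry.
Keys and service names below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint_token(claims, key):
    """Create an HS256 JWT (used here only to produce tokens to verify)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, header + b"." + body, hashlib.sha256).digest()
    return b".".join((header, body, _b64url(signature))).decode()


class TokenRejected(Exception):
    pass


def verify_token(token, key, expected_iss, expected_aud, now=None):
    """Return the claims only if signature, alg, iss, aud and exp all check out."""
    parts = token.encode().split(b".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("undecodable token")
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(key, header_b64 + b"." + body_b64, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("bad signature")
    if claims.get("iss") != expected_iss:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenRejected("audience mismatch")      # token was minted for another service
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired or missing exp")
    return claims


# --- constructed example: two services, one token ----------------------------
DEYE_KEY = b"constructed-signing-key-not-a-real-secret"   # placeholder secret
NOW = 1_700_000_000                                       # fixed clock for reproducibility


def demo():
    """A token for the first service is accepted there and refused by the second."""
    token = mint_token({"sub": "user-42", "iss": "https://deye.example",
                        "aud": "deye-cloud", "exp": NOW + 600}, DEYE_KEY)
    accepted = verify_token(token, DEYE_KEY, "https://deye.example", "deye-cloud", now=NOW)
    try:
        # Worst case: the second service shares the same key. The audience check
        # still refuses the token because it was not minted for "solarman-cloud".
        verify_token(token, DEYE_KEY, "https://deye.example", "solarman-cloud", now=NOW)
        reuse = None
    except TokenRejected as exc:
        reuse = str(exc)
    return accepted["sub"], reuse


if __name__ == "__main__":
    print(demo())
```

The design point is defence in depth: separate signing keys per service make a foreign token fail the signature check, and the audience check catches reuse even where keys are shared or a key has leaked. Neither protects anything if the verifier skips the claim checks, which is why every rejection here is a hard error rather than a warning.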

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
