This month, we saw a number of data breaches caused by misconfiguration issues, attacks against cloud infrastructure targeting AWS and oilfield services giant Halliburton, as well as several new techniques, including a novel persistence technique targeting Linux-based operating systems.
New/Improved Techniques
New Linux Malware Using Novel Persistence Technique
A recently discovered Linux malware, named ‘sedexp’, has been operating undetected since 2022 by employing a persistence technique not yet documented in the MITRE ATT&CK framework. The malware has been embedding itself within Linux systems using techniques that have allowed it to hide from, and operate undetected by, both anti-virus software and security researchers until now.
The malware typically gains access to victims’ computers via a phishing email or malicious link, and leverages a new persistence mechanism to remain undetected. Once installed, ‘sedexp’ allows for remote access to the victim’s computer through a reverse shell.
‘sedexp’ works by modifying ‘udev’ rules, which are responsible for handling devices such as storage, network, and USB drives / external storage devices. By modifying the ‘udev’ rules, ‘sedexp’ can add a condition for a device being connected to the host that checks for the installation of the malware on the host and reinstalls itself if necessary. As the ‘udev’ rules are a novel attack vector, they are often not looked at by anti-malware software – meaning the persistence technique is generally not spotted and the malware will continue to re-install itself after being removed. It should technically also be possible to use this novel technique to spread malware onto other devices as they connect to the host, but this has not yet been seen in the wild.
The impacted distributions and/or versions of Linux have not yet been disclosed, so the current advice is to be cautious with all Linux systems. The malware has been observed in the wild as a tool for adversaries to run credit card scraping software, indicating that this is likely being developed and used by a financially motivated group for monetary theft.
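Because the persistence lives in udev rule files rather than in the usual cron, systemd or shell-profile locations, a periodic audit of those files is a cheap detection control. The script below is an added example, not code from the original post or from the research on ‘sedexp’: it parses udev rule syntax and flags any RUN/PROGRAM action that spawns an interpreter, references a user-writable or hidden path, backgrounds itself, or fires on every device event without a device match key. The sample rules, the list of writable prefixes and the interpreter names are constructed assumptions for illustration.

```python
"""Audit udev rule files for RUN/PROGRAM actions that look like persistence.

Added example; not code from the original post or from the sedexp research.
Heuristics (trusted prefixes, interpreter names, writable paths) are assumptions.
"""
import re
from pathlib import Path

# KEY{attr}=="value", KEY+="value", KEY="value" ... one token at a time
TOKEN_RE = re.compile(
    r'(?P<key>[A-Z_]+(?:\{[^}]*\})?)\s*(?P<op>==|!=|\+=|-=|:=|=)\s*"(?P<value>[^"]*)"'
)
# Keys that narrow a rule to particular devices; a rule without any of these
# (only ACTION=="add") fires for every device that is plugged in.
MATCH_KEYS = {"KERNEL", "KERNELS", "SUBSYSTEM", "SUBSYSTEMS", "DRIVER", "DRIVERS",
              "ATTR", "ATTRS", "ENV", "TAG", "TAGS", "NAME", "SYMLINK"}
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")  # assumption
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "nohup"}
PATH_RE = re.compile(r"/[\w.@~-]+(?:/[\w.@~-]+)*")

# Constructed sample rules (not real sedexp indicators); line 3 is the bad one.
SAMPLE_RULES = """\
# Constructed samples for the audit below.
ACTION=="add", SUBSYSTEM=="usb", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/lib/udev/foo-helper"
ACTION=="add", RUN+="/bin/sh -c '/tmp/.cache/update >/dev/null 2>&1 &'"
KERNEL=="sd*", ACTION=="remove", RUN+="/usr/bin/logger device removed"
"""


def parse_rule(line):
    """Return (key, op, value) tokens for one rule line; comments yield nothing."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return []
    return [(m.group("key"), m.group("op"), m.group("value")) for m in TOKEN_RE.finditer(stripped)]


def review_command(command):
    """Collect reasons why an executed command deserves a human look."""
    reasons = []
    argv = command.split()
    if not argv:
        return reasons
    if Path(argv[0]).name in INTERPRETERS:
        reasons.append(f"spawns an interpreter ({argv[0]})")
    for path in PATH_RE.findall(command):
        hidden = any(part.startswith(".") for part in path.split("/") if part)
        if path.startswith(WRITABLE_PREFIXES) or hidden:
            reasons.append(f"references a user-writable or hidden path ({path})")
    if re.search(r"(?<![>\d])&", command):  # a lone '&', not the '2>&1' redirect
        reasons.append("backgrounds the command")
    return reasons


def audit_rules(rule_text, source="<inline>"):
    """Return a list of findings, one per suspicious RUN/PROGRAM/IMPORT{program}."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), 1):
        tokens = parse_rule(line)
        if not tokens:
            continue
        has_device_match = any(
            key.split("{")[0] in MATCH_KEYS and op in ("==", "!=") for key, op, _ in tokens
        )
        for key, op, value in tokens:
            base = key.split("{")[0]
            if not (base in ("RUN", "PROGRAM") or key == "IMPORT{program}"):
                continue
            reasons = review_command(value)
            if not has_device_match:
                reasons.append("no device match keys, so it fires on every matching event")
            if reasons:
                findings.append({"source": source, "line": line_no, "command": value, "reasons": reasons})
    return findings


def audit_directory(directory="/etc/udev/rules.d"):
    """Audit every *.rules file in a directory on a real host (also check /usr/lib/udev/rules.d)."""
    findings = []
    for rules_file in sorted(Path(directory).glob("*.rules")):
        findings.extend(audit_rules(rules_file.read_text(errors="replace"), str(rules_file)))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['source']}:{f['line']}: {f['command']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Run it against `/etc/udev/rules.d` and `/usr/lib/udev/rules.d` from a scheduled job and diff the output against a known-good baseline; a rule that appears between runs, or one whose RUN target sits outside the package-managed directories, is the kind of change the write-up above describes.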
More Quishing with Unicode
Quishing, or QR code phishing, has seen a resurgence with the introduction of Unicode-based techniques. Attackers are sending malicious QR codes to their unsuspecting victims to get them to use a QR code scanner to open a link that is malicious or loaded with malware – with a reported increase of over 500% in quishing attacks in early 2024. As these attacks have grown more prevalent in the wild, security vendors have developed methods over the course of 2024 to block and prevent victims from clicking and following malicious links in QR codes.
This new method utilised the Unicode character set, which is used by computers and devices to denote and display different characters. Attackers are using Unicode to create QR codes, which look the same as the typical QR codes, but are interpreted differently by devices when scanned. By using this technique, attackers are able to bypass a number of defensive mechanisms and controls that have been developed to prevent phishing and limit the impact to users or organisations.
As with the initial rise in quishing, MFA is the recommended technical control to mitigate phishing of any kind, as credential theft alone will not permit access to a victim’s accounts. Additional security measures, such as TPM (Trusted Platform Module) signing, are currently under development by vendors such as Microsoft; these will further secure user sessions and credentials, lowering the likelihood that they are compromised or stolen in attacks.
Major Backdoor in Millions of RFID Cards Allows Instant Cloning
A significant backdoor has been discovered in millions of RFID cards manufactured by Shanghai Fudan Microelectronics, allowing for instant cloning. These contactless cards are widely used for access control in office buildings, hotels, and other secure facilities. They have been found to contain a vulnerability that can be exploited with minimal technical expertise.
The backdoor is embedded in the card’s firmware, enabling attackers to clone the cards by simply placing a reader near the target card. This vulnerability affects the FM11RF08S, FM11RF08, FM11RF32, and FM1208-10 chips, which are commonly used in MIFARE Classic compatible RFID cards. The cloning process involves reading the card’s unique identifier and cryptographic key, which can then be written to a blank card, effectively creating a duplicate. This flaw poses a significant security risk, as it allows unauthorised individuals to gain access to restricted areas using easily cloned access cards.
Organisations relying on RFID cards for security should assess their infrastructure to determine if they are using the affected FM11RF08 chips and if so, migrate to a secure alternative.
Outlook Zero-Click Vulnerability
Researchers at Morphisec have uncovered a critical zero-click remote code execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-38021. This vulnerability allows attackers to execute arbitrary code without user interaction, posing a significant security risk.
The vulnerability stems from how Outlook processes image tags in emails, with Outlook failing to properly handle certain types of URLs embedded in these tags. Attackers can exploit this flaw by sending a specially crafted email containing an image tag with a URL pointing to a malicious resource. When the email is opened, the malicious code is executed automatically, without any action required from the user. This can lead to remote code execution and the leakage of local NTLM credentials, making it particularly dangerous for organisations that rely on Outlook for email communication.
Microsoft released a patch in early July to address this vulnerability, which modifies how Outlook handles these URLs to prevent the automatic execution of malicious code. Organisations should ensure that they remain up to date with Microsoft patches, which are delivered each month and have remediated 15 zero-day vulnerabilities in 2024.
Attacks / Threats
[US] National Public Data Confirms Breach Exposing Social Security Numbers
National Public Data (NPD), a consumer data broker, confirmed a significant data breach that exposed the Social Security numbers, names, addresses, and phone numbers of millions of Americans. Data brokers have featured more heavily in the news recently as privacy concerns have risen amongst the public. Data brokers operate by collecting your personal information, sorting and classifying it, and selling it to other organisations for purposes such as marketing.
The breach, which dates back to December 2023, was first revealed when 2.9 billion records were leaked on a cybercrime forum in July 2024. NPD discovered the issue and leakage of information in April 2024, but failed to notify affected individuals, or the relevant authorities, until August. This is significantly longer than is expected or required by a number of states.
It was found that National Public Data inadvertently published passwords to the back-end systems in an archive accessible on the home page of their website, which is believed to have been stumbled upon and used by a malicious actor to access the underlying IT infrastructure. A class-action lawsuit has been raised against the company, alleging negligence, a violation of privacy rights, and a lack of sufficient and timely notification, among other things.
It will be interesting to continue to observe if the regulatory bodies in the US, and to a lesser extent the EU (which has already tightened regulations) will work to implement policies to curtail these types of organisations who have been operating in a morally grey, but technically legal zone – given the increased public scrutiny on data privacy.
[Global] Massive Cyber Attack on AWS Targets 230 Million Unique Cloud Environments
A large-scale extortion operation has targeted Amazon Web Services (AWS), compromising 230 million unique cloud environments. The attackers exploited a widespread misconfiguration that exposed environment variable files (.env files) containing sensitive credentials belonging to various applications. These files, which are often overlooked, provided the attackers with access to critical systems and data.
The attackers used automated tools to scan over 110,000 domains for publicly exposed ‘.env’ files. These misconfigured files contained AWS access keys, database credentials, API keys, and other sensitive information. Once the attackers gained access, they conducted extensive reconnaissance using AWS API calls, and then elevated their privileges by creating new IAM roles with full administrative rights to deploy malicious functions to perform recursive scans for more ‘.env’ files across multiple AWS regions. The operation concluded with data exfiltration into S3 buckets controlled by the attackers and ransom notes being left in place of the stolen data.
We have seen a number of attacks against unsecured or misconfigured AWS S3 buckets in the past, and it is interesting to see that this is still a widespread issue in 2024. It is recommended that Amazon S3 users harden their cloud environments and review their publicly exposed S3 buckets to confirm that security best practice is followed.
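The campaign above starts with a mass scan for web-exposed ‘.env’ files, and that scanning is visible in ordinary web server access logs long before any AWS API call is made. The script below is an added example, not code from the original post or from the researchers who reported the campaign: it parses nginx/Apache combined-format access log lines, pulls out every request for a ‘.env’ file (including backup variants such as ‘.env.bak’), and separates mere probing (404) from confirmed exposure (a 2xx response, meaning the server actually handed the file over). The log lines, IP addresses and paths are constructed for illustration.

```python
"""Detect probing for, and exposure of, .env files in web access logs.

Added example; not code from the original post or from the AWS campaign research.
Log lines below are constructed; the path variants matched are an assumption.
"""
import re
from collections import Counter

# nginx/Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A path component named ".env", optionally with a suffix such as .bak or .local (assumption)
ENV_PATH_RE = re.compile(r"(^|/)\.env(\.[\w.-]+)?$", re.IGNORECASE)

# Constructed sample log: 203.0.113.7 probes three variants and gets /app/.env served.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2024:12:00:02 +0000] "GET /app/.env HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Aug/2024:12:00:03 +0000] "GET /.env.bak?x=1 HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.9 - - [10/Aug/2024:12:05:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2024:12:05:11 +0000] "GET /environment.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def find_env_requests(log_text):
    """Return every parsed request whose path targets a .env file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ENV_PATH_RE.search(rec["path"]):
            rec["served"] = 200 <= rec["status"] < 300  # 2xx means the file went out
            hits.append(rec)
    return hits


def summarise(hits):
    """Probing sources by request count, plus the paths that were actually served."""
    per_ip = Counter(h["ip"] for h in hits)
    served = sorted({h["path"] for h in hits if h["served"]})
    return {"probing_ips": dict(per_ip), "served_paths": served}


if __name__ == "__main__":
    report = summarise(find_env_requests(SAMPLE_LOG))
    print("probing IPs:", report["probing_ips"])
    print("EXPOSED (served with 2xx):", report["served_paths"] or "none")
```

Any entry under `served_paths` should be treated as a credential compromise: rotate every key in that file and look for follow-on activity, since the campaign described above moves from the leaked keys to IAM role creation and S3 access. The probing entries alone are routine internet background noise, but they are a good prompt to confirm the web server denies hidden files outright (for nginx, a `location ~ /\.` block with `deny all;` is the usual way).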
[US] Halliburton Cyber Attack
Halliburton, one of the largest oilfield services companies in the US, experienced a significant cyberattack in August targeting their cloud-based systems. The attack prompted the company to instruct its staff to disconnect endpoints from internal networks and forced the company to take some of their IT systems offline. The attack impacted business operations at Halliburton’s North Belt campus in Houston, and the company has revealed that sensitive information had been exfiltrated from their systems during the attack.
The attack was claimed by a relative newcomer known as RansomHub, who have breached over 200 victims since emerging in February of this year, including a range of critical infrastructure organisations (according to an FBI release). Using the same affiliate framework as organisations such as LockBit, RansomHub have emerged as one of the leaders in the double extortion ransomware-as-a-service (RaaS) space in 2024.
Halliburton has been working closely with Mandiant to understand the scope of the attack and remediate any remaining issues, and is working with customers and other stakeholders to reduce the risk of litigation prior to releasing any finer details about the attack.
[Global] FlightAware Configuration Error Leaked User Data for Years
FlightAware, a popular online flight tracking service, has disclosed a data breach caused by a configuration error that had been exposing user data for over three years. The error, which dates from 1 January 2021, was discovered on 25 July 2024, and involved the inadvertent exposure of personal user information including names, email addresses, social security numbers, passwords, billing addresses, and flight details of FlightAware users.
FlightAware internally discovered the configuration issue and has since corrected the error, notified impacted users and rolled the passwords for all the affected users. There is currently no indication that the exposed data was exfiltrated or is in the hands of any malicious parties – a lucky find for whoever spotted the configuration issue!