At a glance.
- AMNESIA:33 vulnerabilities in TCP/IP stacks.
- TrickBot turns its attention to firmware vulnerabilities.
- Zero-click iPhone exploit analyzed.
- Phishing campaign targets COVID-19 vaccine supply chain.
AMNESIA:33 vulnerabilities in TCP/IP stacks.
Forescout uncovered thirty-three vulnerabilities across four open-source TCP/IP stacks (uIP, FNET, PicoTCP, and Nut/Net), affecting IoT, OT, and IT devices from at least 150 vendors. Like the Ripple20 vulnerabilities disclosed by JSOF in June, the full scope of AMNESIA:33 is difficult to quantify, since the stacks are widely distributed and implemented by individual vendors themselves. Many devices will likely remain unpatched for this reason.
Twenty-six of the flaws could trigger a denial-of-service condition, five could leak potentially sensitive information, two could lead to DNS cache poisoning, and four could be used to achieve remote code execution. Four of the flaws are deemed critical, although the researchers note that the consequences of the vulnerabilities vary widely depending on the circumstances. (A denial-of-service flaw, for example, can be much more serious in an OT environment.)
The researchers write, "We contacted the ICS-CERT and the CERT Coordination Center to help in the disclosure, patching and vendor communication for the AMNESIA:33 vulnerabilities. They in turn got the help of GitHub’s security team to find and contact affected repositories. Despite much effort from all the parties, official patches were only issued by the Contiki-NG, PicoTCP-NG, FNET and Nut/Net projects. At the time of writing, no official patches have been issued for the original uIP, Contiki and PicoTCP projects, which we believe have reached end-of-life status but are still available for download. Some of the vendors and projects using these original stacks, such as open-iscsi, issued their own patches."
TrickBot turns its attention to firmware vulnerabilities.
The TrickBot banking Trojan now has a module that probes for UEFI vulnerabilities on infected machines, researchers at Advanced Intelligence and Eclypsium have found. The malware hasn't been observed actually installing bootkits yet, but the researchers believe this is imminent (if it's not already taking place). They explain that "the malware already contains code to read, write, and erase firmware. These primitives could be used to insert code to maintain persistence, as has been seen previously with the LoJax or MosaicRegressor. Attackers could also simply erase the BIOS region to completely disable the device as part of a destructive attack or ransomware campaign." The researchers also note that "[i]t is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets."
Zero-click iPhone exploit analyzed.
Project Zero researcher Ian Beer was able to develop a "wormable" radio-proximity exploit that would allow him to take complete control over a nearby iPhone with no user interaction required. The exploit made use of a flaw in the Apple Wireless Direct Link (AWDL) protocol, which Beer describes as a "fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers." The exploit could enable someone to "View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time." Apple patched the vulnerability (CVE-2020-3843) in January 2020 after Beer reported it. iPhone users should ensure they're running iOS 12.4.7 or later.
In a very long but accessible blog post, Beer explains how he crafted the exploit by himself over the course of six months, and he notes that exploit vendors and other motivated parties could likely develop such an exploit much faster. He also points out that "with directional antennas, higher transmission powers, and sensitive receivers the range of such attacks can be considerable."
Phishing campaign targets COVID-19 vaccine supply chain.
IBM's X-Force discovered a spearphishing campaign targeting the COVID-19 vaccine "cold chain," the link in the supply chain responsible for maintaining the vaccine's temperature during storage and transit. The campaign began in September and focused on organizations affiliated with the Vaccine Alliance's Cold Chain Equipment Optimization Platform (CCEOP) program. IBM says the "targets included the European Commission’s Directorate-General for Taxation and Customs Union, as well as organizations within the energy, manufacturing, website creation and software and internet security solutions sectors. These are global organizations headquartered in Germany, Italy, South Korea, Czech Republic, greater Europe and Taiwan."
The spearphishing emails impersonated an employee at the legitimate cold chain supplier Haier Biomedical, and contained HTML attachments designed to harvest credentials. IBM's Claire Zaboeva told Reuters that the attackers expended "an exceptional amount of effort" in crafting the phishing lures, noting that "Whoever put together this campaign was intimately aware of whatever products were involved in the supply chain to deliver a vaccine for a global pandemic."
The researchers don't offer attribution, but they suspect a nation-state actor is responsible. The immediate motive would seem to be espionage related to vaccine distribution (and that may turn out to be the case), but Reuters cites some experts who think the campaign may be "a subset of activity" in a much broader operation.