The CyberWire Daily Podcast 7.18.24
Ep 2110 | 7.18.24

SSM On-Prem Flaw is a 10/10 disaster.

Transcript

Cisco has identified a critical security flaw in its SSM On-prem. The world's largest recreational boat and yacht retailer reports a data breach. The UK’s NHS warns of critically low blood stocks after a ransomware attack. Port Shadow enables VPN person in the middle attacks. Ivanti patches several high-severity vulnerabilities. FIN7 is advertising a security evasion tool on underground forums. Indian crypto exchange WazirX sees $230 million in assets suspiciously transferred. Wiz documents vulnerabilities in SAP AI Core. DDoS for hire team faces jail time. Guest Tomislav Pericin, Founder and Chief Software Architect of ReversingLabs, joins us to discuss their "Free Resource to Conduct Risk Assessments on Open-Source Software." Playing red-light green-light with traffic light controllers.

Today is Thursday July 18th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cisco has identified a critical security flaw in its SSM On-Prem.

Cisco has identified a critical security flaw in its Smart Software Manager On-Prem (SSM On-Prem), scoring a perfect 10.0 on the Common Vulnerability Scoring System (CVSS). Announced on July 17, this vulnerability, CVE-2024-20419, allows attackers to change any user’s password, including administrators, without needing to log in. The flaw is due to the improper implementation of the password-change process, exploitable via specially crafted HTTP requests.

SSM On-Prem is used for managing software licenses within local network environments. This vulnerability could enable attackers to gain full control over the system, leading to potential disruptions and data theft. Although primarily used in local networks, poor remote access security or a compromised internal network increases exploitation risks.

Cisco has no workarounds for this issue, and the only remedy is applying the latest updates. Cisco confirmed no known malicious use of this vulnerability at the time of disclosure, and it was promptly addressed following a report by security researcher Mohammed Adel.

The world's largest recreational boat and yacht retailer reports a data breach. 

MarineMax, the world's largest recreational boat and yacht retailer, is notifying over 123,000 individuals about a security breach in March, claimed by the Rhysida ransomware gang. The breach compromised personal information, which MarineMax initially denied but later confirmed. The Florida-based company, operating over 130 locations worldwide, reported $2.39 billion in revenue last year.

The attackers accessed MarineMax's systems from March 1 to March 10, 2024, and stole personal data, including names and identifiers. The breach was detected on March 10, and an investigation confirmed data exfiltration. Rhysida published a 225GB archive of stolen data, including financial documents and IDs, on their dark web site. This gang has previously targeted high-profile entities, including the Chilean Army and the British Library.

The UK’s NHS warns of critically low blood stocks after a ransomware attack. 

The recent ransomware attack on several London hospitals has put UK national blood stocks in a "very fragile position." NHS chief executives warned that blood supplies might move to "amber alert" status, restricting transfusions to the most critical cases.

The attack on Synnovis, a pathology services provider, disrupted blood matching tests, depleting universal donor stocks and affecting blood banks nationwide. Affected hospitals are performing blood matching at about 54% of their usual capacity, with O-negative stocks critically low.

NHS London declared a regional incident, postponing over 6,000 outpatient appointments and 1,400 surgeries, including cancer treatments. The Qilin ransomware gang is blamed for the attack, with disruptions expected to last until September.

Port Shadow enables VPN person in the middle attacks. 

Researchers from Arizona State University, University of New Mexico, University of Michigan, and the University of Toronto's Citizen Lab have identified a vulnerability in VPNs that enables person-in-the-middle (PitM) attacks. Named Port Shadow (CVE-2021-3773), this technique allows attackers to intercept and redirect traffic by exploiting a shared resource called a port on VPN servers. The vulnerability affects OpenVPN, WireGuard, and OpenConnect on Linux and FreeBSD, though FreeBSD is less vulnerable.

Port Shadow enables attackers to shadow their own information on a victim's port, acting as an in-path router to intercept encrypted traffic, deanonymize VPN peers, and conduct port scans. While VPN software developers were informed, mitigation involves specific firewall rules rather than code fixes. The best protection for users is connecting to a private VPN server. ShadowSocks and Tor remain unaffected.

Ivanti patches several high-severity vulnerabilities. 

Ivanti has announced patches for several high-severity vulnerabilities in Endpoint Manager (EPM) and Endpoint Manager for Mobile (EPMM). The most critical, CVE-2024-37381, is an SQL injection flaw with a CVSS score of 8.4, affecting EPM 2024 flat. Authenticated attackers with network access could exploit it to execute arbitrary code. A hotfix is available, with full security updates forthcoming. No known exploitation of this vulnerability has occurred.

Additionally, patches for four vulnerabilities in EPMM have been released. Three high-severity flaws (CVE-2024-36130, CVE-2024-36131, and CVE-2024-36132) enable command execution and authentication bypass. A medium-severity improper authentication issue was also fixed.

Ivanti also patched CVE-2024-37403, a medium-severity path traversal vulnerability in Docs@Work for Android, which could allow malicious apps to read sensitive data. Docs@Work version 2.26.1 addresses this flaw. Ivanti reports no known public exploitation of these vulnerabilities.

FIN7 is advertising a security evasion tool on underground forums.

The cybercrime group FIN7 is advertising a security evasion tool, AvNeutralizer (also known as AuKill), on underground forums, according to cybersecurity firm SentinelOne. This tool can bypass security solutions and has been used by various ransomware groups, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit. SentinelOne researchers discovered a new version of AvNeutralizer that uses the Windows driver ProcLaunchMon.sys to evade security measures.

FIN7 uses multiple pseudonyms to mask their identity, with advertisements for the tool appearing on forums such as exploit[.]in, xss[.]is, and RAMP, with prices ranging from $4,000 to $15,000. The tool has advanced capabilities to disable endpoint security solutions through various techniques, including leveraging a previously undocumented Windows driver capability. SentinelOne highlights FIN7's adaptability and persistence in evolving its threat operations.

Indian crypto exchange WazirX sees $230 million in assets suspiciously transferred.

Indian crypto exchange WazirX confirmed a security breach, with $230 million in assets suspiciously transferred from one of its multisig wallets. This type of wallet requires multiple keys for authentication. Affected assets include SHIB, Ethereum, Matic, Pepe, USDT, and Gala tokens. Blockchain data indicates the attackers are offloading assets on Uniswap, and they may be affiliated with North Korea. Liminal, the wallet infrastructure provider, stated that the breach occurred outside its ecosystem. Other Indian crypto exchanges, CoinSwitch and CoinDCX, assured customers of their security. This incident follows WazirX's separation from Binance earlier this year.

Wiz documents vulnerabilities in SAP AI Core. 

The Wiz Research Team found significant vulnerabilities in multiple AI service providers, focusing on tenant isolation issues. Their latest research on SAP AI Core, presented at the Black Hat conference, uncovered a vulnerability chain named "SAPwned." This allowed attackers to access sensitive customer data, including cloud credentials for AWS, Azure, and SAP HANA, by exploiting SAP’s infrastructure.

Attackers could execute arbitrary code, move laterally, and gain cluster administrator privileges, compromising Docker images and artifacts. Key vulnerabilities included bypassing network restrictions, accessing AWS tokens, and exploiting unauthenticated EFS shares and Helm servers.

All issues were reported to and fixed by SAP, with no customer data compromised. The research highlights the need for improved isolation and sandboxing standards in AI infrastructure to protect against such attacks.

DDoS for hire team faces jail time. 

Scott Raul Esparza, 24, from Katy, Texas, along with co-conspirator Shamar Shattock, 21, from Margate, Florida, operated Astrostress.com, a DDoS-as-a-service website. This platform allowed users to launch DDoS attacks, overloading and disrupting victims’ devices and networks. Esparza and Shattock ran the site from 2019 to 2022, offering subscriptions for varying levels of attack power. They used infected devices to create botnets, which were then directed to overwhelm targets’ IP addresses. The Department of Justice (DoJ) stated that Esparza managed the attack servers and marketing, while also employing a customer service representative. After the site’s shutdown in 2022, both men were apprehended. Esparza faces nine months in prison, while Shattock awaits sentencing and could face up to five years.

Up next, we’ve got Founder and Chief Software Architect of ReversingLabs Tomislav Pericin talking about their "Free Resource to Conduct Risk Assessments on Open-Source Software."

We’ll be right back.

Welcome back. You can find a link to ReversingLabs’ free resource in our show notes. 

Playing red-light green-light with traffic light controllers. 

And finally, Andrew Lemon, a researcher at Red Threat, discovered a flaw in the Intelight X-1 traffic light controller that could let hackers create chaotic traffic jams. Lemon found that the device’s web interface had no authentication. “I was just in disbelief,” Lemon told TechCrunch. Despite trying, he couldn’t pull off a full “Italian Job” scenario, thanks to a device called the Malfunction Management Unit. However, he could still mess with light timings, causing major traffic headaches.

Lemon found about 30 vulnerable devices online and reported the issue to Q-Free, Intelight’s owner. Instead of thanks, Q-Free sent a legal letter implying Lemon’s research might violate anti-hacking laws and urging him not to publish his findings for national security reasons. Lemon also noted similar issues in Econolite traffic controllers, which Econolite claimed were outdated and shouldn’t be online anyway.

Nothing says ‘thanks for the heads up’ like a good old-fashioned legal threat.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.