Microsoft has uncovered a common vulnerability pattern in several apps allowing code execution; at least four of the apps have more than 500 million installations each; and one, Xiaomi's File Manager, has at least 1 billion installations.

Source: rafapress via Shutterstock

Researchers from Microsoft recently discovered many Android applications — including at least four with more than 500 million installations each — to be vulnerable to remote-code execution attacks, token theft, and other issues because of a common security weakness.

Microsoft informed Google's Android security research team of the problem and Google has published new guidance for Android app developers on how to recognize and remediate the issue.

**Billions of Installations at Risk of Compromise**

Microsoft has also shared its findings with vendors of affected Android apps on Google's Play store. Among them were Xiaomi Inc.'s File Manager product, which has more than 1 billion installations, and WPS Office with some 500 million downloads.

Microsoft said vendors of both products have already fixed the issue. But it believes there are more apps out there that are fallible to exploit and compromise because of the same security weakness. "We anticipate that the vulnerability pattern could be found in other applications," Microsoft's threat intelligence team said, in a blog post this week. "We're sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases."

The issue that Microsoft discovered affects Android applications that share files with other applications. To facilitate the sharing in a secure manner, Android implements a so-called "content provider" feature that basically acts as an interface for managing and exposing an app's data to other installed applications on a device, Microsoft said. An app that needs to share its files — or a file provider in Android speak — declares the specific paths that other apps can use to get to the data. File providers also include an identifying feature that other apps can use as an address to find them on a system.

**Blind Trust & Lack of Content Validation**

"This content provider-based model provides a well-defined file-sharing mechanism, enabling a serving application to share its files with other applications in a secure manner with fine-grained control," Microsoft said. However, in many cases when an Android app receives a file from another app, it does not validate the content. "Most concerning, it uses the filename provided by the serving application to cache the received file within the consuming application's internal data directory."

This gives attackers an opening to create a rogue app that can send a file with a malicious filename directly to a receiving app — or file share target — without the user's knowledge or approval, Microsoft said. Typical file share targets include email clients, messaging apps, networking apps, browsers, and file editors. When a share target receives a malicious filename, it uses the filename to initialize the file and trigger a process that could end with the app getting compromised, Microsoft said.

The potential impact will vary depending on an Android application's implementation specifics. In some cases, an attacker could use a malicious app to overwrite a receiving app's settings and cause it to communicate with an attacker-controlled server, or get it to share the user's authentication tokens and other data. In other situations, a malicious application could overwrite malicious code into a receiving app's native library to enable arbitrary code execution. "Since the rogue app controls the name as well as the content of the file, by blindly trusting this input, a share target may overwrite critical files in its private data space, which may lead to serious consequences," Microsoft said.

Both Microsoft and Google have provided tips to developers on how to avoid the issue. End users, meanwhile, can mitigate the risk by ensuring their Android apps are up to date and by only installing apps from trusted sources.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Billions of Android Devices Open to 'Dirty Stream' Attack

Organizations can go a long way toward preventing spoofing attacks by changing one basic parameter in their DNS settings.

Source: Panther Media GmbH via Alamy Stock Photo

North Korean hackers are taking advantage of weak DMARC configurations to impersonate organizations in phishing attacks against individuals of strategic significance to the Kim Jong Un regime.

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is a security protocol for preventing email-based attacks. Unlike most security solutions, however, which potential victims implement for themselves, DMARC policies are set by email senders. In part for this reason, it can be easily overlooked.

On Thursday, the FBI and National Security Agency released a joint cybersecurity advisory detailing how the APT Kimsuky (aka APT 43, Thallium) is taking advantage. For some time now, it has been masquerading as organizations that have weak or nonexistent DMARC policies in convincing spear phishing emails.

"This is a highly effective new tool in the arsenal of one of the more prolific social engineering threat groups that Mandiant tracks," Gary Freas, Mandiant senior analyst with Google Cloud, said in an email. "Organizations in a variety of industries around the world are at risk of leaving themselves unnecessarily exposed. Proper DMARC configuration, in conjunction with proper management of SPF/DKIM, is low-hanging fruit to deliver high-impact prevention of phishing and spoofing of an organization."

**The Difference DMARC Makes**

Kimsuky's primary objective is to steal valuable intelligence — regarding geopolitical events, other nations' foreign policy strategies, and more — for the Kim regime. To do that, it aims cyberattacks at journalists, think tanks, government organizations, and the like.

To add legitimacy to these attacks, it often impersonates individuals from trusted organizations like these in highly targeted emails. Such emails are extra convincing when Kimsuky gains access to their puppet's legitimate account or domain (often through a separate spear phishing attack) to send emails on their behalf.

A Kimsuky phishing email sent from late 2023 to early 2024. Source: FBI/NSA

This is what DMARC is designed to prevent. It combines two authentication mechanisms: the Sender Policy Framework (SPF), which checks that a sender's IP address is authorized to send emails from their specified domain, and DomainKeys Identified Mail (DKIM), which uses public key cryptography for anti-tampering. Domain owners can set a DMARC record in their domain name system (DNS) settings to determine what happens should an email-en-route fail one of these checks: either block it (p=reject), treat it with suspicion (p=quarantine), or do nothing (p=none).

The FBI-NSA joint advisory suggests organizations favor p=reject or p=quarantine to prevent threat actors like Kimsuky from sending emails from their domains.

"DMARC hygiene is critical," says Jeremy Fuchs, Harmony Email analyst at Check Point. "It's a fantastic way to ensure that when someone gets an email from your company, it’s actually from your company. It can be a big project, though, to ensure p=reject state, especially when you have many domains. This is why reporting, monitoring, and consistent hygiene is key.

"DMARC is not a silver bullet, as hackers have plenty of ways to spoof, but it can be a good starting point."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK's Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

DMARC adoption is more important than ever following Google's and Yahoo's latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

Source: Tapati Runchumrus via Shutterstock

For cybersecurity professionals in email security and anti-phishing, the beginning of 2024 marked the start of an evolution. 

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Messaging Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization. 

Yet three months later, DMARC adoption is already starting to taper off, and many companies have completed only the most minimal configuration of their domains, such as setting DMARC to flag issues rather than quarantine or even reject messages. 

Unfortunately, many organizations remain concerned that DMARC is just another security control that, if done wrong, could break critical email services, says Rahul Powar, CEO of Red Sift, a threat intelligence provider.

"Many organizations are rightly concerned that if they go and they do a DMARC policy and it's not correct, that they could block something that's really material to the business, such as a massive marketing campaign, or that the CEO's email won't land in the right inbox," he says. "There's a concern about getting it wrong."

As of the end of April, about 7.9 million domains have some sort of DMARC record (yellow), but only 32% are BIMI ready (green). Source: BIMIRadar.com

However, DMARC — and the underlying technologies of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) — are not difficult to set up for small or midsize businesses that have simple email infrastructure through a third-party service, such as Google Workspace or Microsoft 365. However, if there are older systems or some segmentation using subdomains, the configuration can get complex — fast, says Gerasim Hovhannisyan, co-founder and CEO at service provider EasyDMARC.

"The problem comes when you have legacy systems and multiple sending sources and infrastructure," he says. "Not only enterprises, but the midmarket can have huge problems during email authentication deployment. It's straightforward or easy to do at first glance, but if you do something wrong, totally valid emails will be rejected."

Here is what to keep in mind when setting up DMARC for your organization.

**1\. SPF Alerts Recipients to Emails From Nonapproved Sources**

The first DNS record that an organization needs to set up is SPF, a string that lists the IP addresses and domain names of the mail servers authorized to send email on behalf of the domain. This record is typically set up through your domain provider or email hosting provider. 

A typical SPF record is a DNS TXT record and looks like:

v=spf1 ip4:192.168.1.1 ip4:192.168.2.1 include:example.com -all

The "v=spf1" designates the string as an SPF record and is required for all SPF records. The "ip4" fields list the IP addresses that are allowed to send email on behalf of the domain and can include network addresses using the slash notation. The "include" tag lists the third-party domains that are authorized to send email for the domain, while the "-all" flag specifies that every other domain is not allowed. Other variants, such as "~all," are possible and specify that mail from other domains are allowed but marked insecure, while "+all" allows any server to send email on behalf of the domain.

While the SPF record is a good first step, spammers could exploit the fact that other organizations using a common third-party server, such as Google's, would be authorized to send email on behalf of every other organization using that server.

**2\. DKIM Uses PKI to Verify Email Messages**

DKIM solves the problem of multiple tenants on the same email server and adds email verification as well. The DKIM selector and key is generated by your email provider and then registered as a TXT record in your DNS service provider. 

A typical DKIM record is a DNS TXT record with a selector — a name — such as "\[third party\].\_domainkey" and a value of:

v=DKIM1; k=rsa; p={public key string}

The "v=DKIM1" designates the TXT string as a DKIM record and is required for all DKIM records. The "k=rsa" designates the type of encryption used for the public-key data, with RSA as the default and other values, such as Edwards-curve Digital Signature Algorithm (EdDSA), allowed as well. The "p=" tag contains the public-key data generated by the email service provider. 

As with any public-key encryption infrastructure, organizations should make sure to regularly rotate the keys for their domain infrastructure, says EasyDMARC's Hovannisyan. 

"We have password management systems or rotating passwords for other \[types of\] keys, but we don't do that with DKIM keys," he says. "This is something that should be in place and each time something can be broken, you need to have alerting."

**3\. DMARC Establishes Policies for Email Recipients**

DMARC uses the already-established controls of SPF and DKIM and specifies an organization's email policy — not for emails coming into the organization, but for emails claiming to be sent on behalf of the organization. Organizations that specify a DMARC record gain two benefits: They can tell a receiving server what to do with an email that fails authentication — such as allow delivery, quarantine the message, or reject it — and they direct the receiving server to generate reports about any messages sent to the domain. 

The result is that an organization using DMARC gains visibility into how its domain name and brand is being used by unauthorized parties. 

A typical DMARC record is a DNS TXT record with a "\_DMARC" and a value that is a string with a number of fields, such as:

v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:\[email protected\]

In this example, the "v=DMARC1" is the required identifier, the authentication policies for both SPF and DKIM at set to strict — as designated by the "aspf=s" and "adkim=s" tags — and the DMARC reports are sent to an organization-specific email at a third-party provider. In this case, the policy is set to reject, but companies can start with a policy of "none" to gain access to the reporting and move to a policy of "quarantine."

**4\. Check Your DMARC Reports Regularly and Maintain Records**

Establishing a DMARC policy is fairly simple, but using the added information as part of an email-security and brand-protection program requires an alerting mechanism and regular oversight. Often companies will just insert a valid DMARC record in their DNS with a policy of "none" and then forget about the added threat intelligence, Hovannisyan says.

"One of the biggest mistakes with DMARCs is \[a company saying\] that once it's done, I don't need to do anything more," he says. 

Instead, companies should advance through the different policies, starting with "none" but quickly moving to "quarantine" and then finally "strict."

While DMARC can be easy to manage for small companies, large enterprises will likely want to adopt a service to manage the configuration of its email infrastructure and make use of the added capabilities.

"For a small deployment, where you basically just have a Google or an Office 365 on your domain, it's pretty straightforward," says Red Sift's Powar. "I mean, the spec is quite simple, but as soon as you add a little bit of complexity — once you start including a marketing department, an HR department, or maybe a procurement department — you're going to find a lot of senders suddenly start to appear out of your infrastructure."

**5\. Consider BIMI to Increase Trust**

Finally, companies have a fourth standard that can help add more trust to their email messages. The Brand Indicators for Message Identification, or BIMI, standard allows companies to register their logos for use in email clients, but only after they have adopted the maximum level of strictness for their DMARC policies. 

While almost three-quarters of large organizations (73%) have adopted the most basic version of DMARC, the share of those organizations that would pass the most stringent standards vary significantly by nation: In the US, 77% of companies have a strict policy, while only 40% in Germany and 15% in Japan do, according to data from Red Sift. Of all domains, only 3% are considered ready for BIMI, but 32% of the 7.9 million DMARC-enabled domains have strict enough policies to adopt BIMI, according to the BIMIRadar tracking site.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Why Haven't You Set Up DMARC Yet?

Weaponizing Microsoft's own services for command-and-control is simple and costless, and it helps attackers better avoid detection.

Source: Robert K Chin Storefronts via Alamy Stock Photo

Nation-state espionage operations are increasingly using native Microsoft services to host their command-and-control (C2) needs.

A number of unrelated groups in recent years have all come to the same realization: Rather than building and maintaining their own infrastructure, it's more economical and effective to simply use Microsoft's own services against their targets. Besides the costs and headaches saved from not having to set up and maintain their own infrastructure, using legitimate services allows attackers' malicious behavior to more subtly mix in with legitimate network traffic.

This is where Microsoft Graph comes in handy. Graph offers an application programming interface (API) that developers use to connect to a wide range of data — email, calendar events, files, etc. — across Microsoft cloud services. Harmless on its own, it provides an easy means for hackers to run C2 infrastructure using those same cloud services.

Recently, for example, Symantec threat hunters discovered a novel malware they call "BirdyClient," used against an organization in Ukraine. BirdyClient's purpose is to connect to the Graph API in order to upload and download files using OneDrive.

Dark Reading is awaiting comment on this story from Microsoft.

**Hackers Abuse Microsoft Graph**

Long before BirdyClient, there was Bluelight, a second-stage tool for command-and-control via several different Microsoft cloud services. It was first discovered in 2021, having been developed by North Korea's APT37 (aka ScarCruft, Reaper, Group123).

"We see it frequently with cybercrime groups and espionage groups: Somebody hits on a new technique, and everybody copies it," says Dick O'Brien, principal intelligence analyst at Symantec. "This is the case here. They've realized how they can leverage this, and now all of these major players are jumping on board."

After Bluelight came Backdoor.Graphon, used by the Harvester group in a nation-state-backed espionage operation against organizations in southern Asia. Then, there was Graphite, spread via spear-phishing attacks against governments in Europe and Asia, and SiestaGraph, which made an appearance in a December 2022 breach of a southeast Asian foreign affairs office.

Last June brought Backdoor.Graphican, used by APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) against foreign affairs ministries in the Americas. A month later, researchers spotted Russia's Cozy Bear (aka APT29, Cloaked Ursa, UAC-0004, Midnight Blizzard/Nobelium) using the same trick in attacks against global diplomatic missions, and Symantec identified a further case from November involving a target in Asia it has yet to disclose.

Despite their myriad differences, all the malware in these cases share the use of Graph API to make C2s out of 365 services, primarily OneDrive.

"From an organization's perspective, you need to start being a lot more aware of people using unsanctioned cloud accounts," O'Brien says. And this doesn't just apply to malicious attacks. For example, "It's quite common to hear people say that they access their personal OneDrive account from a work network. The danger in allowing wholesale access to these cloud platforms is that malware may be less likely to raise red flags," he says.

"Look at ensuring that any connections are to your own tenants — accounts that belong to your enterprise — and lock down everything else."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Graph API Emerges as a Top Attacker Tool to Plot Data Theft

Ukraine needs small drones to combat Russian forces—and is bootstrapping its own industry at home.

Inside Ukraine’s Killer-Drone Startup Industry

Red Hat and Intel are collaborating on a joint solution that more seamlessly integrates Intel® IPU with Red Hat OpenShift, propelling cloud and edge computing into a new era of performance and scalability.The solution brings together Intel’s latest leading programmable network device, the Intel® Infrastructure Processing Unit (Intel® IPU) E2000 Series with Red Hat OpenShift. This solution, shown in the following diagram, is designed for performance at scale under real world workloads and opens up a wide array of use cases through the ability to flexibly service chain network functions at

Red Hat and Intel are collaborating on a joint solution that more seamlessly integrates Intel® IPU with Red Hat OpenShift, propelling cloud and edge computing into a new era of performance and scalability.

The solution brings together Intel’s latest leading programmable network device, the Intel® Infrastructure Processing Unit (Intel® IPU) E2000 Series with Red Hat OpenShift. This solution, shown in the following diagram, is designed for performance at scale under real world workloads and opens up a wide array of use cases through the ability to flexibly service chain network functions at the edge. 

Integrating network function chaining on the Intel® IPU and orchestrating it with business logic running on OpenShift worker nodes can help conserve energy through optimized resource utilization, enhanced efficiency, reduced overall power consumption, and industry-leading security practices.

OpenShift offers the industry’s leading hybrid cloud application platform powered by Kubernetes, enhancing security across infrastructure. Its capabilities enable integration of security into applications, automated policies for container deployment security, and enhanced protection of the container runtime. This presents systems security as a top priority while maximizing performance and efficiency.

**Challenges that exist with traditional infrastructure solutions**

As network speeds continue advancing towards 100Gb Ethernet and beyond, and the complexity of supporting and managing new network infrastructure use cases at the edge grows in parallel, it places significant additional demands on components like standard Network Interface Cards (NICs) that were not designed for supporting this increased network complexity at these data rates.

Traditional monolithic applications constructed in virtual machines also do not translate well to how modern microservices are developed independently using containers. The level of agility required to rapidly deploy new edge capabilities on an on-demand basis is difficult with rigid legacy architectures.

Finally, delivering advanced network functions like compression, encryption/decryption, traffic filtering and firewalling at the network edge with greater security imposes new demands that strain traditional shared-resource server models, as they were not designed with strong isolation between edge services and infrastructure processing.

To address these challenges, service providers and enterprises are investing heavily in data center modernization to deliver more efficient compute for cloud native applications and microservices at the edge. The applications delivering these services must have access to high-speed networking infrastructure with a strong security footprint and low latency storage.

Network infrastructure based on the Intel® IPU is optimized for these emerging edge use cases whose potential can be fully realized through interfacing to OpenShift worker nodes to truly deliver innovative real-time applications.

Traditional SmartNICs can accelerate some infrastructure tasks like packet processing through static or semi-programmable logic to offload work from server CPUs. The IPU goes far beyond this by integrating both programmable hardware acceleration and a highly efficient multi-core CPU to enable full offloading and distributed processing of the entire software stack. Infrastructure services such as virtual switching, security, and storage that consume a significant number of CPU cycles can be offloaded to the IPU, freeing up CPU cores for improved application performance.

By leveraging the capabilities of OpenShift, the Intel® IPU-based solution maximizes performance, scalability, efficiency and provides a layered approach to container and Kubernetes security across your network infrastructure.

In parallel to the technical benefits, the key to unlocking this potential lies also in openness and scalability. To that end, Intel and Red Hat are building an open, standards-based solution that is fully Open Programmable Infrastructure (OPI) compliant.

**Simplifying infrastructure provisioning**

The ease of use associated with provisioning and managing OpenShift is well documented and understood in the industry.

This solution extends the ease of provisioning and management to the IPU through the integration of the Redfish standard from DMTF into the IPU’s Integrated Management Complex (IMC). Integrated with the Intel® IPU Software Development Kit (Intel® IPU SDK), which now comes equipped with Redfish support, administrators can seamlessly perform out-of-band provisioning tasks.

Redfish enables administrators to interact with the IPU through standard web services, such as HTTP and REST APIs. The provided HTTP provisioning interface greatly simplifies the Red Hat Enterprise Linux install process, with clients only needing to know the URI path to access this resource.

**Ease of use and manageability**

Red Hat provides a comprehensive set of tools to help you manage your newly deployed solution. With Red Hat Enterprise Linux (RHEL) seamlessly running on the IPU, you gain access to all the normal Red Hat manageability tools for free. The IPU is treated just like any other server and can be managed effortlessly using the same familiar tools as any other component in your infrastructure.

The single pane of glass interface provided to all Red Hat subscribers, known as the Red Hat Portal, streamlines management tasks, offering a unified experience for overseeing your entire infrastructure.

The Red Hat Portal is a web-based interface that provides a centralized location for managing Red Hat subscriptions, accessing Red Hat tools and services, and monitoring infrastructure. It allows users to more easily manage their Red Hat environments, including deploying and managing RHEL, Red Hat OpenShift, and other Red Hat solutions.

Red Hat provides security updates for its products through the Red Hat Security Advisories and alerts. These updates are available on the Red Hat Customer Portal and include information on vulnerabilities, patches, and workarounds. This ecosystem helps keep your solution up-to-date with the latest security fixes and empowers you to take steps to protect your system from potential security threats.

In addition, the OpenShift web console provides a graphical user interface to visualize your project data and perform administrative, management, and troubleshooting tasks. The web console is designed to be user-friendly and intuitive, and it provides a wide range of features and capabilities for managing your workloads.

**Chaining network functions**

Network Function Chaining, also known as Service Function Chaining (SFC), is a technique used in software-defined networking (SDN) that creates a chain of connected network services.

The solution developed by Intel and Red Hat enables the deployment of these network functions on the IPU at the edge where latency, bandwidth and resource constraints are critical. Offloading the chaining of network functions on the IPU is facilitated through its P4-programmable packet processing engine, freeing up valuable CPU resources on the OpenShift worker nodes which can result in decreased capital expenditure (CAPEX) and operational expenditure (OPEX).

The robust security boundary established between the OpenShift worker nodes and the IPU empowers infrastructure administrators with full autonomy to enforce network functionality transparently. This provides confidence that critical network operations cannot be tampered with or disabled from the host side, providing an added layer of protection and reliability.

OpenShift worker nodes can focus on delivering the business logic workflows. Resource intensive packet processing workflows can be executed on the IPU and network functions like firewalls, packet filtering and compression can be chained to deliver complex services with the added benefit of enhanced efficiency and reduced overall power consumption.

**Summary**

The collaboration between Red Hat and Intel represents a significant leap forward in edge computing. By combining the power of the Intel® IPU with Red Hat's OpenShift platform, organizations can be poised to achieve unparalleled performance, scalability, flexibility, and robust security.

Red Hat and Intel’s joint solution allows you to embrace the future of edge computing, trusting in the knowledge that your infrastructure is not only high-performing and capable of supporting key revenue-generating use cases, but also that it is more securely positioned from end-to-end.

Unleashing the potential of Intel® IPU with Red Hat OpenShift 

The breach was carried out with stolen Citrix credentials for an account that lacked multifactor authentication. Attackers went undetected for days, and Change's backup strategy failed.

Source: STANCA SANDA via Alamy Stock Photo

UnitedHealth's Change Healthcare subsidiary paid $22 million in ransom to the attackers who broke into its systems in February, according to Congressional testimony today. And it revealed that the scope of the breach could be much larger than anyone imagined — even as it remains unclear whether the ransom payment secured the data from being used in follow-on attacks.

UnitedHealth's CEO Andrew Witty testified before the US House Energy and Commerce Committee today after weeks of disruption at the nation's largest health insurer, during which a series of concerning revelations about the breach came to light.

**Poor Security: Stolen Credentials, No MFA**

For instance, the BlackCat/ALPHV ransomware affiliate hackers who broke into Change in February didn't have to work very hard to achieve success. According to the testimony, they were able to use previously compromised credentials to log into Change's Citrix platform, possibly obtained via an initial access broker — and that account wasn't protected with multifactor authentication (MFA).

Also, the attack was discovered when BlackCat deployed ransomware on Feb. 23, but the attackers actually had unfettered access to the environment for more than a week before that, indicating a woefully lacking intrusion detection apparatus.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's prepared testimony, released ahead of the hearing. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

In his oral testimony, Witty also spilled additional details that, when added to the unchanged Citrix credentials (it's evident that the company doesn't have processes in place to track compromised credentials that may be part of prior breaches) and lack of MFA, point to an overall lack of security maturity. For instance, the company has had to perform a complete rebuild on its systems, even after decrypting files; and its backups weren't sequestered with network segmentation or infrastructure gapping, so the attackers were able to lock those up too, blocking any recovery path from the initial attack.

"This attack exemplifies ... why it is important to have controls in place to regularly review access entitlements. Compromised credentials or not, the attackers were able to leverage an account that gave them access to carry out their attack," said Piyush Pandey, CEO at Pathlock, in an emailed statement. "In this case, MFA could have been an effective gate to the proliferation of this attack. The additional layers of security would make the breach more challenging ... in a broader view, this is a great example of the importance of layering technologies and processes, such as MFA, combined with strong application access controls and data security technologies, such as data masking, which can help mitigate widespread data breaches."

**Impact on Data Security for PII, PHI Unclear**

Also in the oral testimony today, Witty confirmed that the adversaries made off with a large amount of personally identifiable information (PII) and personal health information (PHI). While Witty didn't talk hard numbers, the data in question "could cover a substantial proportion of people in America," he said. He did not address whether the data is still at risk.

To put that comment into perspective, "Change Healthcare processes roughly 15 billion healthcare transactions annually, and a third of Americans' patient records pass through its digital doors," Sen. Ron Wyden (D-Ore.) noted in a statement ahead of the hearing.

The senator added, "Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data."

Wyden also warned that the breach could end up being a clear national security threat.

"I don't think it's a stretch \[that\] the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a 'treasure trove' of counterintelligence information for foreign intelligence services," he said.

**UnitedHealth's Next Steps Unknown**

UnitedHealth is the nation's largest insurer and the fifth largest company in the US, with $324 billion in revenue and housing data on 152 million individuals. The breach is easily the largest cyber incident to ever affect the healthcare landscape. But it's unclear what's next for Change and UnitedHealth; Wyden pointed out that existing regulations, such as they are, carry only "slap on the wrist" enforcement actions. The companies also haven't detailed how or when they plan to improve their cyber defense postures (UnitedHealth has no cybersecurity executive on its board).

Meanwhile, in the weeks since the breach was made public, the company has seen copycat activity from the RansomHub cybercrime outfit, and because the incident wreaked havoc across the healthcare supply chain, the Department of Health & Human Services responded with a policy game plan to address cyber-risk at insurers (though it still does not require healthcare orgs to meet minimum cybersecurity standards). It is almost certain that there will be additional developments in the saga going forward.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

UnitedHealth Congressional Testimony Reveals Rampant Security Fails

PRESS RELEASE

Intel 471, a global provider of cyber threat intelligence (CTI) solutions, today announced that the company acquired Cyborg Security, founded in 2019, to provide organizations with advanced threat hunting capabilities and expertise. With this acquisition, Intel 471 is setting the standard for intelligence-led threat hunting by cementing CTI as a key requirement to enable accurate hunts and proper measurements for operational success, ensuring return on investment for customers’ threat hunt programs. 

“We are excited to add Cyborg Security’s innovative platform and approach to threat hunting to our solution portfolio," said Jason Passwaters, CEO and Co-Founder of Intel 471. “Our customers have grown to rely upon Intel 471’s expertise to unlock the power of cyber threat intelligence and support all aspects of their business. This acquisition is a natural extension of our leadership by including advanced behavioral threat hunting packages that are fully customized to the client’s environment. Customers will benefit from the HUNTER Platform fueled by our premier cyber threat intelligence to streamline the hunt process, improve their team’s efficiency, and stay ahead of emerging threats.”

The convergence of CTI and threat hunting practices across the cybersecurity industry is evidenced by the rapid adoption of complementary use cases, defined methodologies, and a growing trend to integrate the two within the same organizational construct and budget. Economic buyers and practitioners alike increasingly recognize the need for intelligence-led threat hunting as a core component of their overall cybersecurity program. Intel 471 is well-positioned to meet these emerging security requirements with the merging of Cyborg Security and its innovative Hunter Platform into its solution portfolio.

“Intel 471 is a company that embraces the same values as Cyborg Security. Our organizations were built by practitioners – threat hunters, threat intelligence analysts, and security researchers who appreciate the importance of defending the threat landscape,” said David Amsler, CEO and Founder of Cyborg Security. “Threat hunting requires continuous monitoring of the threat landscape, which includes ever-evolving cyber adversary behaviors, TTPs and targeted technologies, as observed across various phases of the attack lifecycle. Intel 471’s CTI prowess and data contextualization deliver those relevant and timely insights. Together, our capabilities provide enterprises the tools and systems to deliver best-in-class threat hunting.”

For more information, please visit: https://intel471.com/

About Intel 471

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses. The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

You May Also Like

Intel 471 Acquires Cyborg Security

By Deeba Ahmed
Uncover the "Muddling Meerkat," a China-linked threat actor manipulating the DNS. Infoblox research reveals a sophisticated group with deep DNS expertise and potential ties to the Great Firewall. Learn their tactics and how to stay protected.
This is a post from HackRead.com Read the original post: Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Infoblox, a provider of cloud networking and security solutions, has discovered a highly skilled Chinse State threat actor known as “Muddling Meerkat.” This actor appears to be able to control the Great Firewall of China (GFW), a previously undisclosed phenomenon.

This group operates through the Domain Name System (DNS), a critical internet infrastructure component. In a joint research involving undisclosed security vendors, threat researchers, an independent non-profit corporation, Merit Network, and DomainTools, researchers revealed that Muddling Meerkat operates through the Domain Name System (DNS), a critical internet infrastructure component, and has remained under the radar since 2019.

“Muddling Meerkat operations are complex and demonstrate that the actor has a strong  
understanding of DNS, as well as internet savvy” Infoblox’s Threat Intelligence Team wrote in the report.

For your information, Meerkat is a mongoose species known for its cleverness, persistence, and ferocity despite its small size. Muddling Meerkat activity is characterized by its “popping up and down” over time and location, similar to meerkats from their burrows.

Here’s what makes Muddling Meerkat unique:

1.  **DNS Expertise:** Their operations demonstrate a deep understanding of DNS, uncommon among most threat actors. This highlights the growing weaponization of DNS for malicious purposes.
2.  **Great Firewall Control:** Muddling Meerkat manipulates China’s Great Firewall (GFW), the system controlling internet access within China. This ability to influence a national-level infrastructure raises serious concerns.
3.  **False MX Records:** A key tactic involves generating false MX (mail exchange) records from Chinese IP addresses for specific domains. This behaviour has never been observed before and suggests a direct connection with the GFW operators.
4.  **Global Reach:** Muddling Meerkat leverages open DNS resolvers worldwide, creating a vast network to conduct their activities, potentially for reconnaissance or laying the groundwork for future attacks.
5.  **Unclear Motive:** While the ultimate goal remains unclear, Infoblox experts suggest it could be information gathering or setting the stage for a large-scale DNS denial-of-service (DDoS) attack.

This research validates the threat posed by the Chinese Communist Party (CCP) to the US’s critical infrastructure. The FBI calls CCP a “broad and unrelenting” hybrid threat involving crime, counterintelligence, and cybersecurity. 

According to FBI Director Christopher Wray, this threat is “driven by the CCP’s aspirations to wealth and power,” adding that the PRC wants to “seize economic development in the areas most critical to tomorrow’s economy.” 

Muddling Meerkat is a skilled actor, demonstrating their sophistication in DNS-based attacks and ability to manipulate the Great Firewall. Implementing advanced DNS security measures is crucial to understand and defend against this evolving threat.

1.  Why are Google and Facebook banned in China?
2.  Great Firewall of China at Work, Apple News Blocked
3.  Chinese Man Who Sold VPNs Gets 9 Months Prison Sentence
4.  ‘Great Cannon’ of China Blocks Websites Like No One Else Can
5.  Chinese Great Cannon resurfaces against Hong Kong protestors
6.  Cyberattacks Surge 325% in Philippines Amid South China Sea Standoff

Muddling Meerkat Group Suspected of Espionage via Great Firewall of China

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files.

Wednesday, May 1, 2024 12:00

Cisco Talos’ Vulnerability Research team has disclosed more than a dozen vulnerabilities over the past three weeks, five in a device that allows employees to check in and out of their shifts, and another that exists in an open-source library used in medical device imaging files. 

The Peplink Smart Reader contains several vulnerabilities, including one issue that could allow an adversary to obtain the administrator’s login credentials and the MD5-hashed version of their password. 

Talos also recently helped to responsibly disclose and patch other vulnerabilities in the Foxit PDF Reader and two open-source libraries that support the processing and handling of DICOM files. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Code execution, information disclosure vulnerabilities in Peplink Smart Reader **

_Discovered by Matt Wiseman._ 

The Peplink Smart Reader is an internet-connected device associated with the PepXIM Time-Logging and Security System. Companies’ employees use this device to check in and out of their shifts, allowing administrators to keep track of time cards and pay. It also can control access to certain buildings, and even public transportation. 

There are two information disclosure vulnerabilities, TALOS-2023-1863 (CVE-2023-43491) and TALOS-2023-1865 (CVE-2023-45209), that are triggered if an adversary sends a specially crafted HTTP message to the targeted device.  

If successful, the attacker could eventually view the active administrator’s username and MD5-hased password. And in the case of TALOS-2023-1865, it goes a step further, potentially allowing the adversary to view wireless network credentials, network configuration details and SNMP configuration details. 

With those credentials (or admin credentials obtained by other means), an adversary could exploit TALOS-2023-1868 (CVE-2023-40146), a privilege escalation vulnerability in the Smart Reader. An adversary could execute a specially crafted command line argument to cause a limited-shell escape and execute unblocked, default busybox functionality to eventually gain access to an uninhibited root shell. 

TALOS-2023-1866 (CVE-2023-45744) is also triggered by a specially crafted HTTP request, but in this case, could allow an adversary to manipulate certain configuration settings on the device. 

The most serious of the issues Talos discovered in the Smart Reader is TALOS-2023-1867 (CVE-2023-39367), a command injection vulnerability that could allow an attacker to execute arbitrary commands. This vulnerability has a 9.1 CVSS score out of 10. An authenticated attacker can leverage this vulnerability to execute arbitrary commands on the device with root privileges and elevate their access to the vulnerable system. 

**Silicon Labs Gecko Platform invalid pointer dereference vulnerability **

_Discovered by Kelly Patterson._ 

An invalid pointer dereference vulnerability exists in the HTTP server header parsing functionality of the Silicon Labs Gecko Platform.  

The Gecko Platform SDK is the collection of Silicon Labs’ wireless software development kits and Gecko Platform into an integrated package. It allows users to develop applications inside Silicon Labs’ internet-of-things software ecosystem. 

TALOS-2024-1945 (CVE-2023-51391) is triggered if an adversary sends the target a specially crafted network packet, which could lead to a denial-of-service condition. 

_Discovered by Emmanuel Tacheau._ 

There is an incorrect type conversion vulnerability in OFFIS DCMTK, an open-source library often used to manage, store and convert DICOM files. DICOM is the commonly used file type to transfer, send and store medical imaging files, such as X-rays and ultrasounds.  

Hospitals and companies use DCMTK for various purposes, ranging from product testing to being a building block for research projects, prototypes and commercial products. 

TALOS-2024-1957 (CVE-2024-28130) could allow an adversary to execute arbitrary code on the targeted machine if they trick the user into opening a specially crafted file.  

_Discovered by Emmanuel Tacheau._ 

Another open-source library for handling DICOM files, Grassroots DiCoM, contains three out-of-bounds writer vulnerabilities.  

TALOS-2024-1944 (CVE-2024-25569) and TALOS-2024-1935 (CVE-2024-22373) can be triggered if an adversary tricks the target into opening a specially crafted, malicious DICOM file, eventually allowing them to read out-of-bounds memory. 

TALOS-2024-1924 (CVE-2024-22391) works in the same way, but in this case, causes a heap-based buffer overflow, leading to memory corruption.  

**Three vulnerabilities in Foxit PDF Reader could lead to arbitrary code execution **

_Discovered by KPC._ 

Three vulnerabilities exist in Foxit PDF Reader that could allow an adversary to execute arbitrary code on the targeted machine. 

Foxit PDF Reader is one of the most popular pieces of PDF-reading software currently available and aims to have feature parity with Adobe Acrobat Reader. It also includes a browser plugin to allow users to open files in their web browsers.  

TALOS-2024-1959 (CVE-2024-25648) and TALOS-2024-1958 (CVE-2024-25938) are use-after-free vulnerabilities that can be triggered if an attacker tricks a user into opening a malicious, specially crafted PDF. This could also work if the user has the browser plugin enabled and the adversary tricks them into opening an attacker-controlled webpage. These vulnerabilities could lead to a use-after-free issue, potentially leading to memory corruption and arbitrary code execution. 

There is also a type confusion vulnerability, TALOS-2024-1963 (CVE-2024-25575), that could also lead to memory corruption and arbitrary code execution.

Tag

#intel