CCTR.1.JAN.24
LockBit, Black Basta, Operation Triangulation
Last updated
Monday morning Cyber coffee read CCTR.1.JAN.24. Well... This is a special one. It's the first CCTR of a brand new year! A big year indeed!
LockBit Attacking Hospitals
It has been a quiet week, with even threat actors appearing to take some time off for the holidays. The alarming development is that LockBit affiliates are increasingly focusing on hospitals in their attacks, despite the ransomware operation officially stating that such actions go against their rules. LockBit attacked three hospitals in Germany last week, causing disruptions. Additionally, two New York hospitals are seeking a court order to have a cloud storage company return stolen data stored on one of its servers. A LockBit affiliate was renting this cloud storage to hold the stolen data.
Read on https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-29th-2023-lockbit-targets-hospitals/
Black Basta Buster - A free decryptor
Security Research Labs (SRLabs) has created a decryptor that exploits a vulnerability in Black Basta ransomware, enabling victims to recover their files for free. The decryptor applies to Black Basta victims from November 2022 to December 2023. Black Basta fixed the vulnerability in its encryption routine in late December, so the decryption technique does not work against newer attacks.
Initially identified in early 2022, Black Basta gained recognition for its double extortion tactics. This Russian-speaking group not only carries out ransomware attacks but also exfiltrates sensitive data. They operate a cybercrime marketplace, threatening to publicly release the compromised information if a victim does not comply with the ransom demands.
Black Basta Buster decryptor https://github.com/srlabs/black-basta-buster
Black Basta actor profile https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
Operation Triangulation - A work of Art
The Kaspersky GReAT team identified a number of crucial vulnerabilities in Apple's System on a Chip (SoC), a key factor in the recent iPhone attacks referred to as Operation Triangulation. This chain of flaws allows threat actors to circumvent hardware-based memory protection on iPhones running iOS versions up to iOS 16.6. Operation Triangulation, classified as an Advanced Persistent Threat (APT) campaign targeting iOS devices, utilizes sophisticated (yes, this is real “sophisticated” stuff) zero-click exploits distributed through iMessage.
These exploits grant threat actors complete control over the targeted device, enabling access to user data. In response, Apple issued security updates addressing four zero-day vulnerabilities: CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, and CVE-2023-41990. These vulnerabilities affect a wide range of Apple products, including iPhones, iPods, iPads, macOS devices, Apple TV, and Apple Watch.
What's even more eye-catching is that the threat actor developed an entire zero-click-to-kernel chain, only to subsequently compel the device to open a web page and trigger the "real" chain. Despite Operation Triangulation being a cutting-edge technique, it's essential to recognise that similar capabilities have existed since at least 2007.
Chaos Computer Club (CCC) presentation https://youtu.be/WW39dsbffMw
Operation Triangulation Attack chain (Technical analysis) https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
Operation Triangulation Indications of compromises (IoCs) https://securelist.com/triangulation-validators-modules/110847/
Operation Triangulation Attack chain in English
Attackers use a malicious iMessage attachment that exploits a vulnerability (CVE-2023-41990) in Apple's handling of the TrueType font instruction ADJUST. The flaw had been present in the font code since the early '90s and has now been patched; the attackers used it to achieve remote code execution.
The attack involves techniques such as return/jump-oriented programming and multiple stages written in the NSExpression/NSPredicate query language. The attackers patch the JavaScriptCore library environment for privilege escalation using obfuscated JavaScript code. This code manipulates JavaScriptCore and kernel memory.
The exploit targets both old and new iPhones, including a Pointer Authentication Code (PAC) bypass for newer models. An integer overflow vulnerability (CVE-2023-32434) in XNU's memory mapping syscalls allows the attackers to gain read/write access to the entire physical memory of the device. They use hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL), mitigated as CVE-2023-38606.
Once the vulnerabilities are exploited, the attackers gain control over the device. Instead of running malware immediately, they choose to launch the imagent process, clean up exploitation artifacts, and run Safari in invisible mode, forwarding it to a web page for the next stage. A true beauty.
The web page checks the victim and, if successful, delivers the Safari exploit, utilizing CVE-2023-32435. This exploit executes a shellcode, initiating another kernel exploit in the form of a mach object file. While sharing some vulnerabilities (CVE-2023-32434 and CVE-2023-38606), this kernel exploit is distinct from the JavaScript-based one. It gains root privileges and executes post-exploitation utilities to load malware onto the device.