CCTR.22.MAY.24
Cloud bugs, Github bugs, Bitlocker (bugs?), Chinese ORBs
Monday morning Cyber coffee read CCTR.24.MAY.24
Tenable identified a critical memory corruption vulnerability (CVE-2024-4323) in Fluent Bit's built-in HTTP server, the endpoint that exposes its monitoring API. The flaw can lead to denial of service (DoS), information leakage, or remote code execution (RCE). Fluent Bit, an open-source log and metrics collector, is widely used for logging in cloud and Kubernetes environments, so the affected code is deployed far more widely than the project's own name recognition suggests. Organisations should upgrade to a fixed release (3.0.4 or later) and, until then, limit network access to the HTTP server's port: it is off by default, but is commonly switched on for health checks and metrics, and then listens on all interfaces.
GitHub has released fixes for a critical flaw (CVE-2024-4985, CVSS 10.0) in GitHub Enterprise Server (GHES) that allows attackers to bypass authentication. On instances that use SAML single sign-on (SSO) with the optional encrypted assertions feature, an attacker could forge a SAML response to provision and/or gain access to a user with site administrator privileges, without any prior authentication. Encrypted assertions are not enabled by default, so instances that do not use SAML SSO, or use it without encrypted assertions, are not exposed; the fix is available in 3.9.15, 3.10.12, 3.11.10 and 3.12.4, and 3.13.0 and later were never affected.
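The two advisories above share a practical question: is a given deployment actually exposed? The following is an added example, not tooling from Tenable, GitHub or the Fluent Bit project. It reads the HTTP server settings out of a classic-format fluent-bit.conf and combines them with the affected version range, and it does a branch-aware GHES check, since GHES ships four parallel release lines and a naive "version is newer than 3.9.15" test would wrongly clear 3.10.11. The version data comes from the public advisories; the config fragments and version strings at the bottom are constructed for illustration.

```python
"""Patch-level triage for CVE-2024-4323 (Fluent Bit) and CVE-2024-4985 (GHES).

Added example; not Tenable, GitHub or Fluent Bit tooling.  Version data is
taken from the public advisories; the config text and versions fed in at the
bottom are constructed for illustration.
"""


def parse_version(text: str) -> tuple:
    """'v3.0.2' -> (3, 0, 2); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


# --- Fluent Bit: affected 2.0.7 through 3.0.3 inclusive, fixed in 3.0.4 ---
FB_AFFECTED_LO = parse_version("2.0.7")
FB_AFFECTED_HI = parse_version("3.0.3")


def fluent_bit_http_settings(conf_text: str) -> dict:
    """Read HTTP_Server/HTTP_Listen/HTTP_Port from the [SERVICE] section of a
    classic-format fluent-bit.conf.  Defaults are Fluent Bit's own: the
    server is off, but once turned on it binds to every interface on 2020."""
    settings = {"http_server": "off", "http_listen": "0.0.0.0", "http_port": "2020"}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        if section == "SERVICE":
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in settings:
                settings[parts[0].lower()] = parts[1].strip()
    return settings


def fluent_bit_assessment(version: str, conf_text: str) -> dict:
    """Combine the version range and the reachability of the HTTP server."""
    affected = FB_AFFECTED_LO <= parse_version(version) <= FB_AFFECTED_HI
    http = fluent_bit_http_settings(conf_text)
    server_on = http["http_server"].lower() in ("on", "true")
    all_interfaces = http["http_listen"] in ("0.0.0.0", "::")
    if not affected:
        action = "NOT_AFFECTED"
    elif server_on and all_interfaces:
        # The vulnerable endpoint is reachable over the network: upgrade to
        # 3.0.4+, and until then bind HTTP_Listen to loopback or firewall the port.
        action = "UPGRADE_AND_RESTRICT"
    else:
        action = "UPGRADE"
    return {"affected_version": affected, "http_server_on": server_on,
            "listens_on_all_interfaces": all_interfaces, "action": action}


# --- GHES: fixed per release branch; anything older than 3.13 otherwise vulnerable ---
GHES_FIXED = {
    (3, 9): parse_version("3.9.15"),
    (3, 10): parse_version("3.10.12"),
    (3, 11): parse_version("3.11.10"),
    (3, 12): parse_version("3.12.4"),
}


def ghes_needs_patch(version: str) -> bool:
    """Branch-aware check: 3.10.11 is newer than 3.9.15 yet still unpatched."""
    v = parse_version(version)
    if v[:2] in GHES_FIXED:
        return v < GHES_FIXED[v[:2]]
    # 3.13.0 and later were never affected; older unlisted branches got no fix.
    return v < (3, 13)


def ghes_assessment(version: str, saml_encrypted_assertions: bool) -> str:
    """The bypass needs SAML SSO with encrypted assertions (off by default),
    so that setting decides urgency, not whether the patch is due."""
    if not ghes_needs_patch(version):
        return "PATCHED_OR_NOT_AFFECTED"
    return "PATCH_NOW" if saml_encrypted_assertions else "PATCH_AT_NEXT_WINDOW"


# Constructed config fragments: the same service block, once binding the
# monitoring API to every interface and once restricted to loopback.
WEAK_CONF = """\
[SERVICE]
    Flush        5
    HTTP_Server  On
    HTTP_Listen  0.0.0.0
    HTTP_Port    2020

[INPUT]
    Name  tail
    Path  /var/log/*.log
"""
HARDENED_CONF = WEAK_CONF.replace("HTTP_Listen  0.0.0.0", "HTTP_Listen  127.0.0.1")

if __name__ == "__main__":
    print(fluent_bit_assessment("v3.0.2", WEAK_CONF))
    print(fluent_bit_assessment("v3.0.2", HARDENED_CONF))
    print(ghes_assessment("3.10.11", saml_encrypted_assertions=True))
```

Binding to loopback is a stopgap, not a fix: any local process can still reach the endpoint, so an affected Fluent Bit still gets upgraded. The GHES branch table is the point worth keeping: whenever a vendor backports a fix to several supported lines, compare against the fixed version of the branch you are on, never against the lowest fixed version overall.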
Attackers often find creative ways to bypass security measures. How about using BitLocker for ransomware attacks? In a recent incident, attackers repurposed BitLocker, Windows' own full-disk encryption, for unauthorised file encryption. This is not the first time BitLocker has been used to encrypt drives and demand a ransom, but in this case the threat actor took additional steps to maximise the damage and hinder an effective response. The lesson for defenders is that "living off the land" extends to the encryption itself: the tooling is signed, already installed and expected to be present, so detection has to look at who is driving it and how, not at the binary.
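One way to put that lesson into practice is to score process-creation telemetry for BitLocker being operated from a script interpreter rather than from a management agent. The block below is an added example, not from the incident report, and its events are constructed in a simplified Sysmon-like shape (parent image, image, command line). The switches it matches are real manage-bde and BitLocker PowerShell cmdlet options; the weights, the script-host bonus and the alert threshold are illustrative assumptions to be tuned against a real baseline.

```python
"""Flag BitLocker being driven from script hosts in process-creation telemetry.

Added example, not from the incident report.  The events below are
constructed in a simplified Sysmon-like shape (parent image, image, command
line); the switches matched are real manage-bde/BitLocker cmdlet options,
while the weights and threshold are illustrative assumptions.
"""
import re

# Interpreters a dropper is likely to launch BitLocker tooling from.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SCRIPT_HOST_BONUS = 2
ALERT_THRESHOLD = 5

INDICATORS = [
    (re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I), 3,
     "encryption started from the command line"),
    (re.compile(r"manage-bde(\.exe)?\s+-protectors\s+-delete\b", re.I), 4,
     "existing key protectors removed (locks out recovery)"),
    (re.compile(r"manage-bde(\.exe)?\s+-protectors\s+-add\b.*\s-(pw|password)\b", re.I), 4,
     "password protector added with an attacker-chosen secret"),
    (re.compile(r"manage-bde(\.exe)?\s+-forcerecovery\b", re.I), 4,
     "volume forced into recovery mode on next boot"),
    (re.compile(r"\bEnable-BitLocker\b", re.I), 3, "Enable-BitLocker cmdlet"),
    (re.compile(r"\bRemove-BitLockerKeyProtector\b", re.I), 4,
     "Remove-BitLockerKeyProtector cmdlet"),
]


def score_event(event: dict) -> tuple:
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if pattern.search(event["cmdline"]):
            score += weight
            reasons.append(why)
    # Legitimate deployment tools do call manage-bde; what stands out is the
    # same command reached through a script interpreter.
    if reasons and event["parent"].lower() in SCRIPT_HOSTS:
        score += SCRIPT_HOST_BONUS
        reasons.append(f"launched from script host {event['parent']}")
    return score, reasons


def triage(events: list) -> list:
    """Return alerts (event id, score, reasons) at or above the threshold."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            alerts.append({"id": event["id"], "score": score, "reasons": reasons})
    return alerts


# Constructed telemetry: two script-driven BitLocker commands, one PowerShell
# enablement, one provisioning run from a service, one benign process.
EVENTS = [
    {"id": 1, "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c manage-bde -protectors -delete C: -type RecoveryPassword"},
    {"id": 2, "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c manage-bde -protectors -add C: -pw"},
    {"id": 3, "parent": "svchost.exe", "image": "manage-bde.exe",
     "cmdline": "manage-bde.exe -on C: -UsedSpaceOnly -rp"},
    {"id": 4, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\me\\notes.txt"},
    {"id": 5, "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Enable-BitLocker -MountPoint C: -PasswordProtector -Password $p"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

Event 3 scores below the threshold on purpose: a provisioning agent turning BitLocker on with a recovery-password protector is what a managed fleet looks like, and alerting on every such run would bury the signal. The separation comes from the parent chain and from protector manipulation (deleting recovery protectors, adding a password the attacker controls), which a management agent has no reason to do.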
Bitdefender Labs observed a series of cyberattacks against at least eight military and government targets in South China Sea countries, with activity traced back to 2018. The investigation revealed a previously unknown threat actor, Unfading Sea Haze, likely aligned with Chinese state interests. That the actor remained undetected for more than five years is particularly concerning. The attackers repeatedly regained access to compromised systems, exploiting poor credential hygiene and unpatched, internet-exposed devices and web services; the persistence story here is as much about basic hygiene as about novel tooling.
On a similar note, Mandiant has documented Chinese espionage operators' use of leased and stolen proxies to build "ORB networks" (operational relay box networks). Like botnets, these meshes combine leased virtual private servers (VPS) with compromised small office/home office routers, IoT and smart devices, and end-of-life routers. Chinese APT actors route traffic between their infrastructure and victim environments through them, so intrusions appear to come from a constantly changing set of unremarkable addresses and IP-based indicators lose much of their value. The trend reflects a long-term investment in tactics and tooling that raise the success rate of intrusions into high-value networks.
So, what's Australia's take on the South China Sea from a security angle?