State Digitalization Minister Christian Pegel (SPD) stated that the attacks closely resemble similar incidents from April and November of last year. “The initial analyses quickly showed that these are again so-called DDoS attacks, where the servers are overwhelmed by massive requests,” Pegel said. According to the Ministry of the Interior, a Russian group claimed responsibility for the incident last year.

The affected websites are provided and maintained by the Data Processing Center (DVZ) Mecklenburg-Vorpommern, the state’s IT service provider. The specialist pages of individual departments are particularly affected. The minister assured that experts are working hard to contain further waves of attacks. However, further attacks and possibly additional disruptions are to be expected in the short term.

Last November, websites of the state police were particularly targeted. Prior to that, in April 2023, cyberattacks had occurred in several federal states, including Mecklenburg-Vorpommern.

Bitlocker is a software for encrypting data drives, which comes pre-installed on modern Windows systems such as Windows 10, 11, as well as Windows Server 2016, 2019, and 2022. Microsoft claims in the Bitlocker documentation that the application, when used with a Trusted Platform Module (TPM), provides “maximum protection”.

The validity of this statement was tested in a video released on Saturday on the YouTube channel Stacksmashing. At least on systems with external TPM chips, the protection seems to be bypassed within a very short time using an inexpensive single-board computer.

A TPM is designed, among other things, to securely store cryptographic keys like the one from Bitlocker and to transfer them to the CPU when needed, allowing the user to access their encrypted data. The key transfer occurs via an LPC bus (Low Pin Count).

The YouTuber identified the contacts of the TPM chip on the motherboard of his notebook, through which he could intercept the data transfer with a Raspberry Pi Pico. It took only 43 seconds to read the Bitlocker key, including the time to open the notebook case.

Subsequently, he was able to access the data on the Bitlocker-protected SSD using a Linux system – both reading and writing – using the key.

It is important to note that this attack is only possible with external TPM chips. Modern CPUs, both from Intel and AMD, typically have integrated TPMs, which means that the key transfer occurs within the CPU and cannot be easily intercepted via contacts on the motherboard.

Security researchers had already pointed out the possibility of such attacks on systems with external TPM chips in the summer of 2021. This is due to the unencrypted transmission of the encryption key, allowing the key to be intercepted via the TPM contacts.

According to JetBrains, the vulnerability could allow threat actors to exploit susceptible instances of TeamCity On-Premises, potentially granting them administrative control. This affects all versions from 2017.1 through 2023.11.2. However, version 2023.11.3 addresses this issue.

The discovery of the flaw is credited to an external security researcher on January 19, 2024. JetBrains advises users to update their servers to version 2023.11.3 or apply a security patch plugin if immediate updating is not feasible. For servers accessible over the internet, JetBrains recommends making them temporarily inaccessible until mitigation measures are in place.

While there’s no evidence of exploitation yet, it’s worth noting that a similar vulnerability (CVE-2023-42793, with a CVSS score of 9.8) in the same product was actively exploited by threat actors shortly after its public disclosure last year, including ransomware groups and state-sponsored entities associated with North Korea and Russia.

According to Ivanti, the vulnerability stems from an XML external entity or XXE flaw within the SAML component of Ivanti Connect Secure (versions 9.x, 22.x), Ivanti Policy Secure (versions 9.x, 22.x), and ZTA gateways. Exploitation of this vulnerability grants unauthorized access to restricted resources.

The company uncovered this issue during an internal review as part of its continuous investigation into various security weaknesses discovered since the beginning of the year. Notable vulnerabilities include CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.

Affected versions of the products are as follows:

• Ivanti Connect Secure: 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1
• Ivanti Policy Secure: 22.5R1.1
• ZTA: 22.6R1.3

To address CVE-2024-22024, patches have been released for:

• Connect Secure versions: 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2
• Policy Secure versions: 9.1R17.3, 9.1R18.4, and 22.5R1.2
• ZTA versions: 22.5R1.6, 22.6R1.5, and 22.6R1.7

While Ivanti has not observed any active exploitation of the vulnerability, given the widespread abuse of CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, prompt application of the latest fixes is strongly recommended.

According to Fortinet’s bulletin released on Thursday, the vulnerability, categorized under CWE-787, involves an out-of-bounds write vulnerability in FortiOS, enabling remote unauthenticated attackers to execute arbitrary code or commands through specifically crafted HTTP requests. The company acknowledges the potential exploitation of this issue in the wild, although specific details regarding the exploitation methods or perpetrators remain undisclosed.

The affected versions include FortiOS 7.4 (from 7.4.0 to 7.4.2), FortiOS 7.2 (from 7.2.0 to 7.2.6), FortiOS 7.0 (from 7.0.0 to 7.0.13), FortiOS 6.4 (from 6.4.0 to 6.4.14), FortiOS 6.2 (from 6.2.0 to 6.2.15), and all versions of FortiOS 6.0, except FortiOS 7.6, which remains unaffected.

This disclosure aligns with Fortinet’s recent issuance of patches for CVE-2024-23108 and CVE-2024-23109, affecting FortiSIEM supervisor, where remote unauthenticated attackers could execute unauthorized commands via manipulated API requests.

Moreover, reports from the Netherlands government earlier this week unveiled a breach in their armed forces’ computer network by Chinese state-sponsored actors, exploiting known vulnerabilities in Fortinet FortiGate devices to implant a backdoor named COATHANGER.

Fortinet’s report this week also highlights the exploitation of N-day vulnerabilities, such as CVE-2022-42475 and CVE-2023-27997, by various threat actors targeting governments, service providers, consultancies, manufacturing, and critical infrastructure entities.

Previous instances have linked Chinese threat actors to zero-day exploitation in Fortinet appliances, deploying various implants like BOLDMOVE, THINCRUST, and CASTLETAP. The advisory from the U.S. government concerning a Chinese nation-state group named Volt Typhoon emphasizes the exploitation of known and zero-day vulnerabilities in networking appliances, including those from Fortinet, Ivanti Connect Secure, NETGEAR, Citrix, and Cisco.

Despite China’s denial of allegations, accusations against the U.S. for conducting cyber attacks persist. These incidents underscore the significant threat posed by internet-facing edge devices, especially due to the absence of endpoint detection and response (EDR) support, making them vulnerable to abuse.

Fortinet states that these attacks typify the use of previously patched N-day vulnerabilities and subsequent living-off-the-land techniques, reminiscent of the tactics employed by the cyber actor or group known as Volt Typhoon, targeting critical infrastructure and potentially other associated entities.

Confirming the active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the necessary fixes by February 16, 2024, to safeguard their networks against potential threats.

Security researchers from Eclypsium emphasize that Shim is critical software in the boot process, utilized by most Linux distributions to support Secure Boot. While Red Hat maintains this application, it is deployed in all distributions supporting Secure Boot, including Debian, Ubuntu, Suse, and others.

The severity of CVE-2023-40547 has been rated as high by Red Hat and as critical by NIST. According to the Eclypsium researchers, the vulnerability can be exploited both locally and remotely. Remote attacks could occur, for example, through a man-in-the-middle attack on the traffic for providing files to support HTTP boot. Local exploitation is also possible, such as by using a bootable USB stick with a Linux live system, allowing the alteration of the boot order to selectively load an attacker’s Shim application, enabling privileged code execution without disabling Secure Boot.

The researchers caution that an attacker exploiting this vulnerability gains control over the system even before the kernel is loaded. This means the attacker has privileged access and can bypass all security checks implemented by the kernel and operating system. This facilitates the installation of bootkits, a type of malware executed before the operating system starts, typically granting extensive access rights.

Although a patch for CVE-2023-40547 is already available, and the issue has been addressed in Shim version 15.8, the researchers stress that the patch alone is insufficient. Additionally, an update of the Chain of Trust for Secure Boot is required. This entails updating the UEFI Secure Boot DBX (blacklist) to include the hashes of the vulnerable Shim software, as explained in the Eclypsium report.

The order of operations is crucial. Users must first update Shim and then apply the DBX update. The latter can be performed, for instance, using the fwupd tool by employing the “fwupdmgr update” command.

The vulnerabilities, grouped under the name Leaky Vessels, were apparently discovered as early as November 2023. One of the vulnerabilities (CVE-2024-21626) relates to the CLI tool runc (up to version 1.1.11), which is used to create and execute containers in Linux. The severity is rated as high with a CVSS score of 8.6.

The other three vulnerabilities (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) are attributed to the toolkit Buildkit (up to version 0.12.4), used for example by the widely-used container virtualization solution Docker. These vulnerabilities range in CVSS scores from 8.7 up to the maximum severity of 10, indicating a high to critical severity level.

Patches have since been made available, with the vulnerabilities being addressed on January 31, 2024, with runc version 1.1.12 and Buildkit version 0.12.5. Relevant information regarding these patches can also be found with Docker, AWS, Ubuntu, and Google Cloud. Snyk strongly recommends users to diligently seek out updates for their container solutions and apply them as soon as possible.

“It is likely that you will need to update your Docker daemons and Kubernetes deployments, as well as any container build tools you use in CI/CD pipelines, on build servers, and on your developers’ workstations,” the company stated. Additionally, it’s crucial to inspect existing containers for potential compromise.

Tools for detecting misuse Snyk has provided two tools via Github intended to assist administrators in detection, emphasizing, however, that these tools do not rectify the vulnerabilities or prevent their exploitation. One of these tools is called the Leaky Vessels Dynamic Detector, which aims to detect exploitation attempts at runtime by searching for characteristic patterns associated with the vulnerabilities.

The second tool is named the Leaky Vessels Static Detector. “It scans Docker files and image layers to identify commands that appear to be attempting to exploit the vulnerabilities,” Snyk stated. However, it’s important to manually verify the findings afterward. Both tools are likely to produce some false negatives and false positives.

This could enable an attacker to tamper with calculations for engine performance, potentially leading to issues like tail strikes and unintended runway departures during aircraft takeoff, as explained by Antonio Cassidy from Pen Test Partners in a blog post.

Manipulating performance data via MitM attack ATS is a security measure that compels apps to use HTTPS, thus preventing unencrypted communication. However, this safeguard was found to be inactive in the examined Flysmart+ app, allowing a potential attacker to intercept, modify, and transmit sensitive data in encrypted form to the legitimate server – a classic Man-in-the-Middle (MitM) attack.

The researchers managed to access data downloaded from Navblue servers, including SQLite databases containing sensitive information about specific aircraft. Cassidy explained, “Many of these database tables are crucial for aircraft performance, weight, and balance.”

Attack via hotel Wi-Fi Nevertheless, the opportunities to exploit the vulnerability effectively seem limited. It appears necessary for an attacker to intercept synchronization with the Aeronautical Information Regulation and Control (Airac) database, which updates occur only approximately once a month.

However, Cassidy cautioned that it is relatively simple to identify pilots in hotels and their corresponding airlines – “and consequently the EFB apps they are likely using.” Since pilots from the same airline are often lodged in the same hotels, an attack could be carried out via the Wi-Fi networks of these accommodations to deliberately manipulate aircraft performance data.

Nevertheless, the vulnerability has since been addressed, nineteen months after the researchers reported it to Airbus. While this timeframe is extensive, according to a report by The Register, such delays are not unusual in the aviation industry due to the certification procedures commonly practiced there.

Three days later, the Federal Office for Information Security (BSI) issued a public security warning about the incident, which was also reported by Golem.de. However, according to this warning, the BSI did not assess the incident as critical.

The communication from Anydesk only mentioned the precautionary reset of passwords for the customer portal and stated that there were no indications of user data compromise. The BSI provided a general warning about potential further attacks due to possible leakage of source code and certificates, including the risk of Man-in-the-Middle or Supply Chain attacks.

There was no mention of a warning issued by the BSI to a selective group of users in critical infrastructure on January 29, 2024, classified as confidential (TLP AMBER-STRICT).

Anydesk released another report on February 5, 2024, advising customers to upgrade to client versions 7.0.15 and 8.0.8 for secure usage of the remote desktop software. While version 8.0.8 is available for Windows end-users, the custom client version 7.0.15 reportedly cannot be generated yet. It is expected to be available in one to two weeks, signed with a new certificate.

The document also refers to Anydesk’s FAQ, which provides specific answers to questions about the cyber incident. Anydesk denies the possibility of sessions being hijacked or malware being distributed through Anydesk servers.

For the first time, Anydesk mentioned that they conducted a security audit in mid-January 2024 following indications of compromise and found evidence of a hack. They claim to have thwarted the attack by executing an emergency plan. Overall, the manufacturer assures that they have the situation under control and have mitigated the consequences of the incident, stating that the remote desktop software can be safely used as long as clients are downloaded from the provider’s servers.

More from the French ANSSI Readers of my blog alerted me to a warning from the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), the French equivalent of the German BSI. In this ANSSI document dated February 5, 2024, the agency states that they were informed by the German BSI about a cyber incident at Anydesk on January 29, 2024.

The French agency not only mentions that all Anydesk clients (Linux, Windows, MacOS, Android, iOS, AppleTV, etc.) are affected but also recommends specific precautions as CERT-FR.

These precautions include identifying all Anydesk installations in companies, documenting them, and classifying them based on their sensitivity regarding machines, workstations, and servers. It is recommended to uninstall Anydesk solutions based on a risk assessment and consider alternative remote access solutions. I discussed the ANSSI suggestions on my blog, noting their advice to analyze systems with Anydesk installations for “oddities” dating back to December 20, 2023. This can only be interpreted as indicating suspicions of a hack at that time.

According to a regulatory filing with the U.S. Securities and Exchange Commission (SEC), HPE stated, “The threat actor accessed and extracted data starting from May 2023 from a small subset of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The intrusion has been attributed to APT29, a Russian state-sponsored group also known by aliases such as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

This disclosure follows Microsoft’s recent revelation implicating the same threat actor in breaching its corporate systems in late November 2023, targeting senior executives and personnel in the cybersecurity and legal departments to pilfer emails and attachments.

HPE was made aware of the incident on December 12, 2023, indicating that the hackers operated within its network without detection for over six months.

The company also noted a likely connection to a prior security event, also attributed to APT29, involving unauthorized access and extraction of a limited number of SharePoint files as early as May 2023, with HPE being alerted to the malicious activity in June 2023.

While emphasizing that the incident has not materially impacted its operations to date, HPE did not disclose the full extent of the attack or the specific email data compromised.

APT29, believed to be affiliated with Russia’s Foreign Intelligence Service (SVR), has been responsible for several notable cyber intrusions in recent years, including the 2016 breach of the U.S. Democratic National Committee (DNC) and the 2020 SolarWinds supply chain compromise.