Cyber Security Briefing, 10 - 16 August

August 16, 2024

SinkClose vulnerability permits the installation of malware on AMD processors

AMD has issued a warning about a high-severity vulnerability dubbed SinkClose, which affects its EPYC, Ryzen and Threadripper processors and allows an attacker who already has kernel-level access (Ring 0) to escalate to Ring -2, the System Management Mode (SMM) level that sits beneath the operating system and the hypervisor. Although SinkClose requires kernel privileges to exploit, that is not a strong barrier for sophisticated actors: SMM oversees critical platform functions such as power management and security, so code running there can, for example, install firmware-resident malware that is nearly undetectable by security tools running in the operating system.

The vulnerability is tracked as CVE-2023-31315 with a CVSS score of 7.5 and was discovered by IOActive researchers, who presented it at DEF CON under the title "AMD Sinkclose: Universal Ring-2 Privilege Escalation." AMD has already released mitigations for EPYC and Ryzen processors, with patches for the remaining affected products expected soon.

More info

Dispossessor ransomware group's servers seized

The FBI has announced the seizure of servers and websites used by the Dispossessor ransomware group, also known as Radar. The operation was reportedly conducted jointly with other law enforcement agencies, including the UK's National Crime Agency and the Bavarian State Criminal Police Office (BLKA).

The group was allegedly led by an individual known as Brain and had attacked more than 40 victims since August 2023, affecting entities in several countries, including the United States, Argentina, Honduras, India, Canada, Croatia and the United Arab Emirates. According to the FBI, the group obtains initial access by exploiting vulnerabilities and by abusing accounts with weak passwords and no two-factor authentication. It is also notable for republishing leaks from LockBit 3.0 while claiming to be one of its affiliates.

More info

Critical Vulnerability in SolarWinds

A security advisory has recently been published for a critical vulnerability in the SolarWinds Web Help Desk solution. The flaw, tracked as CVE-2024-28986 with a vendor-assigned CVSSv3 score of 9.8, is a Java deserialization vulnerability that allows an attacker to execute commands on a vulnerable host.

According to SolarWinds, the issue was reported as exploitable without authentication, but the company's internal team was unable to reproduce it unauthenticated and therefore treats it as requiring authentication. The flaw affects Web Help Desk 12.8.3 and all previous versions; SolarWinds has released 12.8.3 Hotfix 1 to address it, and users are advised to apply the fix.

More info

Head Mare exploits WinRAR vulnerability to deploy ransomware

According to Kaspersky, the hacktivist group Head Mare is targeting Russian and Belarusian organizations with phishing campaigns that deliver WinRAR archives exploiting CVE-2023-38831 as the initial access vector. In the final stage of its intrusions the group deploys ransomware, LockBit against Windows hosts and Babuk against Linux/ESXi systems, to encrypt systems after stealing data.
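The WinRAR bug Head Mare relies on, CVE-2023-38831, is triggered by an archive layout rather than by a malformed header: a decoy file (say report.pdf) sits next to a directory with the same name plus a trailing space, and that directory holds a script named like the decoy; a vulnerable WinRAR launches the script when the user opens the decoy. That layout is visible in the ZIP central directory without extracting anything, so it is cheap to check at a mail gateway or in a sandbox triage script. The following is an added Python example, not code from Kaspersky or from the original briefing; the archive it inspects is constructed inline, and the extension list and function names are assumptions chosen for illustration. It detects the layout and does not reproduce the exploit.

```python
"""Spot the CVE-2023-38831 name-collision layout inside a ZIP archive (added example)."""
import io
import os
import zipfile

# Assumed list of extensions a vulnerable WinRAR would hand to the shell or an
# interpreter when the entry is "opened"; extend to taste.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list:
    """Return one finding per top-level decoy file that has a same-named
    directory (differing only by trailing spaces) holding a script/executable.

    Only the central directory is read; nothing is extracted to disk.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Top-level plain files are candidate decoys, e.g. "report.pdf".
    decoys = [n for n in names if "/" not in n]
    # The first path component of every nested entry is a directory name.
    directories = {n.split("/", 1)[0] for n in names if "/" in n}

    findings = []
    for decoy in decoys:
        for directory in directories:
            # "report.pdf " (trailing space) collides with "report.pdf" once the
            # name is normalised during extraction.
            if directory != decoy and directory.rstrip(" ") == decoy:
                payloads = [
                    n for n in names
                    if n.startswith(directory + "/")
                    and os.path.splitext(n)[1].lower() in SCRIPT_EXTS
                ]
                if payloads:
                    findings.append(
                        {"decoy": decoy, "directory": directory, "payloads": payloads}
                    )
    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archive for the demo; not a real captured attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy\n")
        if malicious:
            # Directory "report.pdf " collides with the decoy; script named like it.
            zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\nstart payload\r\n")
        else:
            zf.writestr("images/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, find_cve_2023_38831_pattern(build_sample_archive(flag)))
```

The check is deliberately narrow (top-level decoy, one directory level) because that is the shape seen in the original CVE-2023-38831 lures; nested variants would need the same comparison applied at every directory depth, and RAR archives would need a RAR parser in place of the standard library's `zipfile`.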

Unlike other anti-Russian hacktivist groups, Head Mare uses more sophisticated tooling: custom malware such as PhantomDL and PhantomCore alongside public tools such as Mimikatz and XenAllPasswordPro for credential harvesting. Their tradecraft also includes disguising malicious executables as legitimate software, hosting the Sliver C2 framework on VPS servers, and using PowerShell scripts for automation, Meterpreter for remote interaction, and a variety of PHP web shells for persistence.

More info