Cyber Security Briefing, 4 - 10 May
Lockbit ransomware website compromised, and its leader identified and sanctioned
Law enforcement authorities have again compromised the website used by LockBit ransomware operators, modifying its content, promising to reveal information about the group's members and setting a new countdown that ended on 7 May. However, researchers at VX-underground contradicted this claim, asserting that the group continued to operate normally, adding new victims to its list.
Days later, the UK's National Crime Agency identified and sanctioned LockBit's leader, a Russian-born citizen named Dmitry Yuryevich Khoroshev. The US has offered a $10 million reward for his capture, and detailed information about him has been shared on social media.
New TunnelVision Attack Leaks VPN Traffic
Leviathan Security has identified a new attack called TunnelVision that can direct traffic outside a VPN's encryption tunnel, allowing attackers to eavesdrop on unencrypted traffic while maintaining the appearance of a secure VPN connection. This method relies on abuse of Dynamic Host Configuration Protocol (DHCP) option 121, which makes it possible to configure classless static routes.
Attackers configure a rogue DHCP server that alters the victim's routing table, diverting traffic that should go through the VPN to the local network or to a malicious gateway, bypassing the encrypted VPN tunnel. The root of the problem is that DHCP has no authentication mechanism for incoming messages, which can therefore manipulate routes; the issue has been assigned CVE-2024-3661, with a CVSSv3 score of 7.6 according to CISA. Researchers have publicly disclosed the issue along with a PoC exploit to raise awareness and press VPN providers to implement protective measures.
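A defender-side check for the option 121 abuse described above, added here as an example that is not part of the original briefing or of Leviathan Security's research: it decodes the RFC 3442 route list carried in a DHCP option 121 payload and flags entries that would carry traffic past the VPN tunnel. The payload bytes, the 192.168.1.x addresses and the lease router value are constructed sample data, not captured from any network.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

def parse_option_121(data: bytes) -> List[Route]:
    """Decode RFC 3442 routes: <prefix len><ceil(len/8) network octets><4-byte router>."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n_octets = (width + 7) // 8
        if i + 1 + n_octets + 4 > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        net_bytes = data[i + 1:i + 1 + n_octets] + b"\x00" * (4 - n_octets)
        router = ipaddress.IPv4Address(data[i + 1 + n_octets:i + 5 + n_octets])
        # strict=True (default) rejects encoded octets with host bits set, i.e. malformed entries
        network = ipaddress.IPv4Network((int.from_bytes(net_bytes, "big"), width))
        routes.append((network, router))
        i += 1 + n_octets + 4
    return routes

def suspicious_routes(routes: List[Route], lease_router: ipaddress.IPv4Address,
                      max_prefixlen: int = 8) -> List[Tuple[Route, str]]:
    """Flag entries a benign lease would not push: a next hop other than the router the lease
    names, or a non-default prefix so broad (shorter than /max_prefixlen) that it captures general traffic."""
    flagged: List[Tuple[Route, str]] = []
    for network, router in routes:
        reasons = []
        if router != lease_router:
            reasons.append(f"next hop {router} differs from lease router {lease_router}")
        if 0 < network.prefixlen < max_prefixlen:
            reasons.append(f"/{network.prefixlen} is broad enough to capture general traffic")
        if reasons:
            flagged.append(((network, router), "; ".join(reasons)))
    return flagged

# Constructed sample payload (not captured from any real network):
#   10.20.0.0/16 via 192.168.1.1 (a plausible corporate subnet route), then 0.0.0.0/1 and
#   128.0.0.0/1 via 192.168.1.254 (together they cover every IPv4 destination via another gateway)
SAMPLE_OPTION_121 = (b"\x10\x0a\x14\xc0\xa8\x01\x01"
                     b"\x01\x00\xc0\xa8\x01\xfe" b"\x01\x80\xc0\xa8\x01\xfe")
LEASE_ROUTER = ipaddress.IPv4Address("192.168.1.1")  # assumed DHCP option 3 (router) value

if __name__ == "__main__":
    for (net, gw), why in suspicious_routes(parse_option_121(SAMPLE_OPTION_121), LEASE_ROUTER):
        print(f"SUSPICIOUS {net} via {gw}: {why}")
```

On the sample payload the corporate /16 passes and both /1 routes are flagged, each for its foreign next hop and for its breadth.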
Android Security Bulletin May 2024
Google has issued the Android operating system security bulletin for the month of May 2024. On this occasion, the security patches resolve up to 35 vulnerabilities affecting the operating system, as well as multiple components, which could lead to an escalation of privileges or disclosure of information. Among the security flaws is one identified as CVE-2024-23706, which was of critical severity.
In this flaw, an exception is thrown when a changelog token is instantiated without log types, which could lead to local privilege escalation with no additional execution privileges needed. The bulletin also addresses vulnerabilities in the Healthfitness, Media Framework and Permission Controller components, as well as kernel flaws in Arm components, MediaTek hardware and Qualcomm components. Users are advised to update their devices to the latest available version to fix all the flaws listed in the bulletin.
New MFA bypass method in Azure Entra ID
Researchers at Pen Test Partners (PTP) discovered, during a Red Team exercise, a new bypass method in Microsoft Azure Entra ID that allowed them to gain access to protected resources without needing a password. Specifically, PTP claims to have bypassed Azure SSO's multi-factor authentication (MFA) by changing the browser's user-agent, as Azure does not always require MFA to be entered on Linux devices.
However, to complete the attack, the researchers had to either join one of their computers to the domain via a proxy or install a portable version of Firefox on a domain-joined device that was configured to allow SSO on Windows. Finally, the researchers injected two TGS tickets previously obtained from the on-premises Active Directory, thus gaining access to the Azure portal and obtaining data from the cloud.
Zscaler rules out compromise of its production environment
After a hacking forum user posted that he was selling access to the company's systems, Zscaler denied that its corporate, production and customer environments had been compromised by unauthorized access from a threat actor, and stressed that there has been no impact on or compromise of its customers.
Zscaler discovered an exposed test environment, which it took offline to perform the appropriate forensic analysis, and claims that it was isolated with no connection to production environments and no customer data. Zscaler also stressed that it will continue its ongoing investigation, adding that it takes all potential threats seriously.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.