Cyber Threat Intelligence Briefing - August 12, 2024

In this week's threat intel report, we explore the Windows Downgrade attack, the National Public Data leak, and a critical vulnerability roundup.

Windows Downgrade Attack

Security researcher Alon Leviev from SafeBreach debuted a novel Windows Downgrade attack dubbed Windows Downdate at Black Hat USA 2024 and DEF CON 32 last week. This attack works on all Windows systems that support Virtualization Based Security (VBS), which includes Windows 10, Windows 11, Windows Server 2016 and higher, and Azure Virtual Machines. Successful exploitation relies on two currently unpatched vulnerabilities, CVE-2024-21302 and CVE-2024-38202.

What Does The Attack Do?

As part of the normal Windows Update process, an "action list" is created in a file named Pending.xml. It contains crucial update information such as which files to update, what the source and destination files are, registry key changes, and more.

By making simple registry changes, an attacker can point PoqExec.exe, the process that parses Pending.xml, at a custom "downgrading" action list. Windows Update is thereby tricked into replacing system files with old, unpatched versions. The attacker needs Administrator permissions to carry out this attack.

Per Alon's research, this attack is:

  • Fully undetectable - No malicious code is executed, and the attack is performed by legitimate Windows processes.
  • Invisible - Since the system is "updated", it will appear to be fully up-to-date.
  • Persistent - The poqexec.exe file is not digitally signed, so it could be "patched" to install empty updates, which makes all future updates appear to install without actually doing so.
  • Irreversible - The integrity and repair utility sfc.exe is also not digitally signed and could be "patched" to no longer detect any corruption.

In essence, the system appears to be fully patched while actually containing vulnerable, unpatched files, and it is no longer able to receive future updates. The research blog shows several proof-of-concept videos highlighting potential attack opportunities.

How To Protect Your Organization

Per Microsoft's advisory, there are currently no patches available, but mitigations are under active development.

In the interim, Microsoft recommends configuring "Audit Object Access" settings to monitor attempts to access files, such as handle creation, read/write operations, or modifications to security descriptors, and then applying that policy to the appropriate files or folders.

Additionally, Microsoft recommends auditing the use of sensitive privileges to identify access to, modification of, or replacement of VBS- and backup-related files. It should be noted that applying these settings may generate a high volume of logs and create false positives. PacketWatch will continue to monitor for further updates and patches from Microsoft.
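As an added illustration of the interim guidance above (example code written for this briefing's editorial pass, not code from PacketWatch or from Microsoft's advisory), the following PowerShell enables the File System object-access audit subcategory, attaches an audit rule to a chosen file or folder, and then pulls the resulting Security-log events. The target path is a placeholder to replace with the VBS- or backup-related files you want watched; the function names, parameter names and the 24-hour lookback are assumptions.

```powershell
# Added example: enable object-access auditing for a file or folder and
# retrieve the resulting Security-log events. Not part of the original
# report; run from an elevated PowerShell session on the host being monitored.
# Relevant event IDs: 4656 (handle requested), 4663 (object accessed),
# 4670 (permissions on an object changed).

function Enable-FileObjectAudit {
    param(
        # Placeholder: replace with the VBS- or backup-related file/folder to watch.
        [Parameter(Mandatory)] [string] $TargetPath,
        # Principal whose access is audited; 'Everyone' logs all accounts.
        [string] $Identity = 'Everyone'
    )

    # Step 1: turn on success and failure auditing for the "File System"
    # subcategory (Audit Object Access > Audit File System). Without this,
    # SACL entries on individual objects never produce events.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # Step 2: build a SACL entry covering the operations the advisory calls out:
    # handle creation for read/write, deletion, and security-descriptor changes.
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    if (Test-Path -Path $TargetPath -PathType Container) {
        # Folder: inherit the rule to every file and subfolder beneath it.
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            $Identity, $rights,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            $flags)
    } else {
        # Single file: inheritance flags are not valid here, so use the shorter constructor.
        $rule = [System.Security.AccessControl.FileSystemAuditRule]::new($Identity, $rights, $flags)
    }

    # Step 3: append the rule to the existing SACL (existing entries are kept).
    $acl = Get-Acl -Path $TargetPath -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $TargetPath -AclObject $acl

    # Return the effective audit entries so the change can be verified.
    (Get-Acl -Path $TargetPath -Audit).Audit
}

function Get-FileObjectAuditEvents {
    param(
        [Parameter(Mandatory)] [string] $TargetPath,   # same placeholder path as above
        [datetime] $Since = (Get-Date).AddHours(-24)   # assumption: 24-hour lookback
    )
    # Pull object-access events and keep only those that mention the watched path.
    # Expect a high volume on busy hosts: tune $Since and the SACL scope before
    # forwarding these events to a SIEM.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4670; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$TargetPath*" } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },   # SubjectUserName
            Message
}

# Usage (placeholder path; replace before running):
# Enable-FileObjectAudit -TargetPath 'C:\PLACEHOLDER\path\to\watch'
# Get-FileObjectAuditEvents -TargetPath 'C:\PLACEHOLDER\path\to\watch'
```

Reading and modifying a SACL requires the SeSecurityPrivilege, which is why the session must be elevated. Auditing 'Everyone' on a broad folder is the quickest way to reproduce the log-volume and false-positive problem the text warns about, so narrow the identity or the path once you know which processes legitimately touch the watched files.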

Data Leaked for Every American

Last week, a data set containing approximately 2.7 billion plaintext records of names, mailing addresses, and Social Security numbers was leaked on Breachforums.

The data is believed to be sourced from National Public Data, a company that collects and sells personal data for use in background checks and private investigations. This data set first appeared for sale in April, with the threat actor claiming it contained information on every person in the US, UK, and Canada. However, on August 6, this data was posted for free by a threat actor known as "Fenice". 

Initial research into the data shows it does contain some inaccuracies, and also appears to contain older data, indicating that the data may have been taken from a backup device. However, due to the size of the data set, most people living in the United States are likely impacted. It is recommended to monitor credit reports for fraudulent activity and be extra vigilant against phishing attacks.

Vulnerability Roundup

Unpatched Office Flaw Leaks NTLM Hashes

A high-severity information disclosure vulnerability, tracked as CVE-2024-38200 and impacting Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365, was recently disclosed by Microsoft. Successful exploitation requires the victim to visit an attacker-controlled webpage that contains a specially crafted file; the file exploits the vulnerability and sends the victim's NTLM hash back to the attacker. There are no known cases of this vulnerability being exploited in the wild. A patch for this vulnerability is expected in the August 13, 2024 Patch Tuesday release. If patching is not possible, administrators are encouraged to block all outbound traffic to TCP port 445. Additionally, administrators can add users to the Protected Users security group, which removes the ability to authenticate with NTLM.
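The two interim mitigations described above, applied with built-in Windows tooling, as an added example that is not part of the original report or of Microsoft's advisory. The function names, the firewall rule's display name, the placeholder account names and the choice of the `Internet` address keyword as an optional narrower scope are assumptions of this example.

```powershell
# Added example: interim mitigations for CVE-2024-38200 described in the text.
# Not part of the original report. Run elevated; the Protected Users step needs
# the ActiveDirectory RSAT module and an account permitted to change membership.

function Block-OutboundSmb {
    param(
        # 'Any' follows the advisory literally (block all outbound TCP 445).
        # Passing the firewall keyword 'Internet' instead keeps internal file shares
        # working while still stopping NTLM exchanges from leaving the network.
        [string[]] $RemoteAddress = 'Any',
        [string] $RuleName = 'Block outbound SMB (TCP 445) - CVE-2024-38200 mitigation'   # assumed name
    )
    # Idempotent: remove a previous copy of the rule before recreating it.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress $RemoteAddress -Action Block -Profile Any -Enabled True
}

function Add-ProtectedUser {
    param([Parameter(Mandatory)] [string[]] $SamAccountName)
    Import-Module ActiveDirectory

    foreach ($name in $SamAccountName) {
        # Resolve by sAMAccountName and confirm it is a plain user object. Members of
        # Protected Users lose NTLM, DES/RC4 Kerberos, delegation and long-lived TGTs,
        # so computer and service accounts must not be added.
        $obj = Get-ADObject -Filter "SamAccountName -eq '$name'" -Properties SamAccountName
        if (-not $obj) { Write-Warning "Skipping $name (not found)"; continue }
        if ($obj.ObjectClass -ne 'user') { Write-Warning "Skipping $name (not a user object)"; continue }
        Add-ADGroupMember -Identity 'Protected Users' -Members $obj
    }

    # Return current membership so the change can be verified.
    Get-ADGroupMember -Identity 'Protected Users' | Select-Object SamAccountName, objectClass
}

# Usage (placeholder account names; replace before running):
# Block-OutboundSmb                        # all outbound 445, per the advisory
# Block-OutboundSmb -RemoteAddress Internet   # narrower: internet destinations only
# Add-ProtectedUser -SamAccountName 'PLACEHOLDER.user1', 'PLACEHOLDER.user2'
```

Windows Firewall evaluates block rules before allow rules, so a block on 445 scoped to `Any` will also stop SMB to internal file servers; that is the trade-off between following the advisory literally and scoping the rule. Protected Users membership also changes more than NTLM (it forces AES Kerberos and a four-hour TGT lifetime), so test it on a pilot group of interactive user accounts before rolling it out widely.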

Critical Kibana Vulnerability

A critical remote code execution vulnerability, tracked as CVE-2024-37287, was recently disclosed by Elastic for Kibana. While the flaw impacts Kibana self-managed installations, Docker images, Elastic Cloud, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes, attackers specifically need access to ML and Alerting connector features, as well as write access to internal ML indices. Affected versions are Kibana 8.x prior to 8.14.2 and Kibana 7.x prior to 7.17.23. Administrators are urged to patch to version 8.14.2 or 7.17.23 as soon as possible.

Cisco IP-Phone RCE 0-Days

Cisco disclosed five vulnerabilities in its SPA 300 and SPA 500 IP phones, three of which are critical unauthenticated remote code execution flaws (CVE-2024-20450, CVE-2024-20452, and CVE-2024-20454). Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands as root via a simple HTTP request to the web-based management interface. Both IP phone models are end-of-life, are no longer supported, and will not receive security updates. Users are strongly encouraged to transition to a newer model.



Stay updated with PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered to your inbox on the last Tuesday of the month.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog.

If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.


Note: We've also enriched our original threat intelligence report by including resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.


DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.