Advisory ID: NCC-CSIRT-071223-045

Summary: Critical vulnerabilities in Cisco’s IOS XE software have been exploited, allowing attackers to gain unauthorised control over devices. The vulnerabilities (CVE-2023-20198 and CVE-2023-20273). These weaknesses allow unauthorised users to gain high-level access to network devices, potentially leading to unauthorised control and activities on affected networks.  .

Threat Type(s): Vulnerability, and Man-in-the-Middle Attack. 

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Cisco IOS XE Software

Platform(s): Cisco Networking Devices

Version(s): 17.9, 17.6, 17.3, 16.12 

Description: The exploitation of Cisco IOS XE vulnerabilities presents severe consequences, primarily by granting hackers unauthorised high-level access to network devices. This access allows them to control network operations, potentially leading to data breaches, including the theft of sensitive information. Furthermore, these attackers can disrupt network services, significantly impacting business operations and causing financial and reputational damage. The compromised devices could also be used as a launchpad for further attacks or to spread malware across the network, multiplying the risks and potential damage.

Consequences: Potential for compromised network security and unauthorised activities.

Solution: 

• Update to the latest Cisco IOS XE software versions.

• Disable the HTTP Server feature on internet-facing systems.

• Vigilantly monitor networks for signs of malicious activity.

References:

https://www.securityweek.com/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/ 

https://www.owler.com/reports/cisco/cisco--exploitation-of-recent-cisco-ios-xe-vulnera/1701878684398

https://www.itsecuritynews.info/exploitation-of-recent-cisco-ios-xe-vulnerabilities-spikes/

Advisory ID: NCC-CSIRT-061223-044 

Summary: EURECOM researcher Daniele Antonioli discovered multiple novel attacks that break Bluetooth Classic's forward secrecy (a feature of specific key-agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised) and future secrecy guarantees (guarantees the confidentiality of future messages should the past keys get corrupted), resulting in man-in-the-middle (MitM) scenarios between two already connected peers.  .

Threat Type(s): Vulnerability, and Man-in-the-Middle Attack. 

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Bluetooth

Platform(s): Smartphones, Laptops and Earphones 

Version(s): Bluetooth 4.2, released in December 2014, and all versions up to the latest, Bluetooth 5.4, released in February 2023. 

Description: The Bluetooth Forward and Future Secrecy (BLUFFS) Attack, as disclosed by the researchers, exploits four architectural vulnerabilities in the Bluetooth session establishment process specification. This attack involves deriving a weak session key and subsequently brute forcing it to impersonate arbitrary victims. The Man-in-the-Middle (MitM) attacker, posing as the paired device, can then negotiate a connection with the other end to establish subsequent encryption using legacy encryption. Additionally, an attacker in proximity can ensure the use of the same encryption key for every session and force the lowest supported encryption key length. Exploiting these weaknesses allows real-time brute-force attacks on the encryption key, enabling live injection attacks on traffic between vulnerable peers. The attack's success relies on the attacking device being within wireless range during the pairing procedure initiation and the ability to capture Bluetooth packets in plaintext and ciphertext, including the victim's Bluetooth address, and craft Bluetooth packets. 

Consequences: By compromising a session key, an attacker can impersonate devices and establish man-in-the-middle (MitM) attacks, thereby undermining the future and forward secrecy guarantees provided by Bluetooth's pairing and session establishment security mechanisms. 

Solution: 

• Make sure that your Bluetooth devices operate in "Secure Connections Only Mode" to ensure sufficient key strength. 
• Ensure that Bluetooth pairing is done via "Secure Connections" mode as opposed the legacy mode. 
• Maintain a cache of seen session key diversifiers to prevent recycling.
• Requiring an attacker in the Central role to authenticate the pairing key. 

References:

https://cybernews.com/security/bluetooth-connections-no-longer-private-with-bluffs-attacks/ 

https://thehackernews.com/2023/12/new-bluffs-bluetooth-attack-expose.html 

https://www.bitdefender.com/blog/hotforsecurity/new-security-threats-in-bluetooth-technology-the-bluffs-attacks/ 

https://www.bleepingcomputer.com/news/security/new-bluffs-attack-lets-attackers-hijack-bluetooth-connections/ 

https://dl.acm.org/doi/10.1145/3576915.3623066  

Advisory ID: NCC-CSIRT-301123-043

Summary: Significant number of Google Drive users have reported the loss of recent files and folder structure changes, dating back to around April-May 2023. This issue has resulted in the disappearance of critical data stored in the cloud.

Threat Type(s): Data Loss, Service DisruptionData Loss, Service Disruption

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Google Drive

Platform(s): Web-based Cloud Storage Service

Version(s): All Versions

Description: Users of Google Drive have experienced a loss of recent data, with no indications of user error. The situation suggests a failure in thesynchronisation of data between local devices and Google Cloud. Google's support team is investigating the issue, with no resolution or root cause identified yet. Users of Google Drive have experienced a loss of recent data, with no indications of user error. The situation suggests a failure in the synchronisation of data between local devices and Google Cloud. Google's support team is investigating the issue, with no resolution or root cause identified yet.

Consequences: Potential loss of critical data, disruption of personal and business activities, loss of trust in cloud storage services. Potential loss of critical data, disruption of personal and business activities, loss of trust in cloud storage services.

Solution: 

• Do not make changes to the root/data folder in cloud storage.
• Back up important files locally or use an alternative cloud service.
• Monitor for official updates from Google. 

References:

https://www.bleepingcomputer.com/news/google/google-drive-users-angry-over-losing-months-of-stored-data/

https://www.digitaltrends.com/computing/google-drive-data-loss/

https://www.spiceworks.com/tech/data-management/news/google-drive-loses-user-data/amp/

Advisory ID: NCC-CSIRT-291123-042

Summary: Researchers at ThreatFabric, an online fraud detection company, have identified a dropper-as-a-service (DaaS) malware known as SecuriDropper. This malware employs an innovative method to bypass Android's security restrictions during payload delivery. SecuriDropper facilitates the infiltration of devices, enabling malicious actors to distribute spyware and banking Trojans. The deployment of these malicious payloads poses a threat to users' privacy and financial security.

Threat Type(s): Malware, Spyware and Banking Trojans 

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Android 

Platform(s): Android Operating System

Version(s): Android 13

Description: The researchers revealed that the threat employs a 'session-based' installer to load malware, effectively evading Android 13's Restricted Settings feature introduced by Google. Restricted settings act as a safeguard against sideloaded applications seeking accessibility and notification listener permissions, commonly exploited by malware. In the case of apps obtained from a marketplace, a session-based package installer is utilized, distinguishing them from sideloaded counterparts. To overcome these restrictions, SecuriDropper employs a two-step infection process. It initially distributes a seemingly harmless application, functioning as a dropper for the actual malware payload. SecuriDropper utilizes an Android API to emulate the installation process of a marketplace, preventing the operating system from recognizing the payload as sideloaded and thus bypassing Restricted Settings. The dropper requests permissions for external storage access, package installation and deletion, then checks for the payload's presence. If installed, the dropper launches it; otherwise, it prompts the user to 'reinstall' the application, triggering payload delivery. 

Consequences: SecuriDropper bypass Android's 'Restricted Settings' feature, allowing it to install malware on devices and gain access to accessibility services. 

Solution: 

• Caution is advised for Android users against downloading APK files from unfamiliar or untrusted sources or publishers. 
• Android users should be mindful of the permissions granted to apps, as they have control over which permissions an app receives. 

Pay attention to warnings from Google Play Protect and agree to block any apps flagged by Google Play Services for displaying malicious behavior. 

References:

https://www.securityweek.com/dropper-service-bypassing-android-security-restrictions-to-install-malware/ 

https://www.threatfabric.com/blogs/droppers-bypassing-android-13-restrictions 

https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/ 

https://www.noypigeeks.com/tech-news/securidropper-bypass-android-security/ 

https://thehackernews.com/2023/11/securidropper-new-android-dropper-as.html