Ransomware/Malware Activity
Bluetooth Compromise Coined "BLUFFS" Allows Attackers to Conduct Adversary-in-the-Middle Attacks
Researchers at EURECOM have developed six (6) new attack packages called “BLUFFS” that break the encryption of Bluetooth sessions. One of the original researchers stated that the attack targets previously unknown flaws in how the Bluetooth standard generates session keys. This is important as it means the Bluetooth standard itself has a flaw and is not limited to any specific hardware or software platform. Tracked as CVE-2023-24023, this issue impacts Bluetooth Core Specification 4.2, released in December 2014, through 5.4, released in February 2023. The issue works by exploiting the session key creation process to force the key created for the communication session to be abnormally short. This short length limits the possible combinations and thus allows the attacker to brute force the key so that decryption of the session is possible. After the initial compromised connection is made the threat actor may then cause the target device to establish a connection with the device in the middle to create a new encryption procedure using legacy encryption favorable to the attacker. While this does require the threat actor using this flaw to be within Bluetooth range of the two (2) communicating devices, it allows the attacker to then impersonate one (1) of the devices and begin an Adversary-in-the-Middle (AiTM) attack. EURECOM tested the various BLUFFS attacks they had devised on real world devices and discovered every device they tested was vulnerable to at least some of the attacks. This highlights the severity of the flaws found as it can be used on devices like Bluetooth enabled keyboards, mice, listening devices, and audio devices, presenting a large risk for a leak of data through an AiTM attack or for the attacker to inject malicious Bluetooth packets.
Threat Actor Activity
Unknown State-Sponsored Hackers XDSpy Targeting Russian Military-Industrial Companies
Researchers have recently observed a known state-controlled cyberespionage group targeting Russian military-industrial enterprises. XDSpy is the name of the group responsible for the recent attacks. They are threat actors that have been active since 2011 and mostly target countries in Eastern Europe and the Balkans. A report noted XDSpy hackers using phishing emails pretending to be researchers from an institute specializing in the design of nuclear weapons in order to gain access to the systems of the Russian metallurgical enterprise as well as a guided missile weapons development and production institute which proved to be unsuccessful. Some researchers see Russia as XDSpy's primary target but there has been limited first-hand visibility into attacks on Russia because of the lack of Western companies with sight of computer systems in the region, especially after many foreign cybersecurity firms left the country following the Ukraine invasion. XDSpy attacks on Russia have none the less been recorded by a number of researchers, with records of the threat actor having previously targeted the country's government, military, and financial institutions, along with their energy, research, and mining companies. This latest attack specifically has drawn unanimous agreement among researchers upon their attribution to XDSpy. Despite the long-standing presence of the threat actors, it has not been determined which country is backing the group. Their operational security sets them apart, having not made mistakes that compromise their identity or affiliation. The hackers don’t operate a particularly complex toolkit, but their focus on obfuscation helps them evade security solutions and likely leads to above average rates of success. The CTIX team will continue to report on threat actor activity across the world.
Vulnerabilities
Healthcare Industry Under Attack by Ransomware Gangs Exploiting "Citrix Bleed" Vulnerability
The U.S. Department of Health and Human Services (HHS) is urging hospitals and healthcare facilities to patch an actively exploited critical vulnerability in Citrix Netscaler ADC and Netscaler Gateway known as Citrix Bleed. Netscaler monitors server health and optimizes resource utilization by allocating network and application traffic to adjacent servers. The flaw, tracked as CVE-2023-4966, is a sensitive information disclosure vulnerability affecting appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA server. The flaw is already being exploited by ransomware actors to bypass password requirements and multifactor authentication (MFA), allowing for successful session hijacking of legitimate user sessions on Citrix NetScaler ADC and Gateway appliances. Currently, thousands of Citrix servers are vulnerable to exploitation, and many may have already been compromised. Although this flaw was patched in October 2023, it has been exploited by threat actors as a zero-day since at least August 2023. Center (HC3) team, the Health Sector Cybersecurity Coordination Center (HC3), has issued an urgent sector alert informing customers that they must immediately apply patches and upgrades to their systems to prevent exploitation. Multiple threat groups have already been identified as exploiting Citrix Bleed, and The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory report warning that the flaw is already being exploited by threat actors leveraging the Lockbit 3.0 ransomware. CTIX analysts recommend that any administrators responsible for the affected appliances follow the patching and mitigation instructions in the HC3 alert linked below. Within the alert are also instructions for how healthcare organizations can investigate their networks to identify any indicators of compromise (IOCs) that may suggest their network has been compromised.
