Security Roundup December 2023
December 2023: Kyivstar Shines in the Darkness of War, Strike 2 for 3CX, ALPHV/Blackcat Ransomware Site is Seized, then Unseized, and More!
Kyivstar Shines in the Darkness of War
On Tuesday, December 12th, Russian hackers launched a cyberattack on Kyivstar, the largest telecoms provider in Ukraine. According to Reuters, Kyivstar, which has 24.3 million mobile subscribers and more than 1.1 million home internet subscribers, decided to shut the entire network down when it detected the attack.
Although there is no proof of who conducted the attack, Wired reports that a Telegram post by a hacker group known as Solntsepek is claiming responsibility. Solntsepek has been linked to the state-sponsored hacking group Sandworm, part of the Russian intelligence service, the GRU (formerly the KGB).
Sandworm has been targeting Ukraine for several years, with previous attacks on critical infrastructure, banking systems, media and government agencies. But by far the most infamous attack came in 2017, when the group unleashed the NotPetya ransomware variant, which encrypted millions of computers and caused $10 billion in global damage.
Despite the attack, Kyivstar resumed normal operations on December 14th, saying that fixed-line services were partially restored late on Tuesday evening, and other services were back online by Wednesday.
3(CX) Strikes and You’re Out?
VoIP provider 3CX has disclosed an SQL injection vulnerability in its server databases tracked under CVE-2023-49954. This brings the incident tally up to two for the company in 2023.
Researchers have found that the new database vulnerability can be exploited on any public-facing 3CX server not protected by a Web Application Firewall (WAF). As a precautionary measure, the chief information security officer of 3CX, Pierre Jourdan, advised customers to disable the database until a hotfix is released to mitigate the vulnerability.
This comes several months after a significant supply chain attack in March, which saw the 3CX desktop application Trojanized by Korean hackers to distribute malware.
Is this the point where customers start looking elsewhere for their voice communication solutions?
ALPHV/Blackcat Ransomware Site is Seized, then Unseized
On December 7th, websites belonging to the ALPHV (aka Blackcat) ransomware gang started to go offline, rumoured to be the result of law enforcement action. The sites impacted include the leak sites and blogs used by the gang for publishing stolen data and carrying out negotiations.
Then, on December 19th, the US Department of Justice announced that the FBI had taken action against the group and had offered a decryption tool to over 500 victim companies.
A day later, some of the group’s sites were back online after being unseized, and a splash page was observed with an aggressive message that they would now begin to target hospitals and nuclear power plants outside of the Commonwealth of Independent States (CIS). Previously, the group had rules not to target such facilities. As things stand, there is an ongoing tussle between ALPHV and law enforcement agencies to gain control of their sites.
The FBI estimated the ransomware group to have made around $300m from about 1000 victims as of September 2023.
Some of This Month’s Other Vulnerabilities
Microsoft Patch Tuesday
Microsoft’s Patch Tuesday updates this month were relatively light compared to recent months. The vendor addressed 33 CVEs, with no zero-day vulnerabilities disclosed.
Microsoft rolled out updates to address vulnerabilities across a range of components, including Microsoft Office and Components, Windows Win32K, Windows Kernel, Microsoft Bluetooth Driver, Windows DHCP Server, Windows ODBC Driver and others.
Please find out more from our partners at Tenable here.
Google Chrome
Google released patches to address a critical heap-based buffer overflow vulnerability in the open-source WebRTC framework in its Chrome browser. The flaw affects Google Chrome versions before 120.0.6099.129.
Google has advised that an exploit exists in the wild. We recommend patching Chrome immediately.
Atlassian
As reported by CSO Online, Atlassian released patches for several products vulnerable to remote code execution (RCE) and denial-of-service attacks. One of the RCE flaws, CVE-2022-1471, relates to a SnakeYAML library vulnerability impacting the following products:
- Automation for Jira app (including Server Lite edition)
- Bitbucket Data Center
- Bitbucket Server
- Confluence Data Center
- Confluence Server
- Confluence Cloud Migration App
- Jira Core Data Center
- Jira Core Server
- Jira Service Management Data Center
- Jira Service Management Server
- Jira Software Data Center
- Jira Software Server
Atlassian is no stranger to critical RCE vulnerabilities, with products such as Jira falling victim to several public exploits in recent years. In October, a broken access control vulnerability in Confluence Data Center and Server (CVE-2023-22515) was exploited in the wild. Exploitable Atlassian products have been a common finding by our penetration testers in recent years.
That’s all for 2023. We wish you a Happy New Year!
If you need any advice on this issue or any other cyber security subjects, please contact Protos Networks.
Email: [email protected]
Tel: 0333 370 1353