PaperCut vulnerabilities, DDoS amplification and jerks leaking info about schoolkids

Diana Polekhina / Unsplash

Welcome to Changelog for 4/30/23, published by Synack! Nathaniel Mott here with the latest security news and the utmost sympathy for everyone heading home from RSA 2023 with new swag, business cards and bone-deep weariness.


The payload

A pair of vulnerabilities in PaperCut’s print management software have been exploited to deploy the Clop and LockBit ransomware strains.

PaperCut released patches in March for these vulnerabilities, which were reported to the company through Trend Micro's Zero Day Initiative. The company said that one, CVE-2023-27350, is a CVSS 9.8 flaw that can be exploited without authentication to gain remote code execution on a targeted server. (The other, CVE-2023-27351, is a CVSS 8.2 authentication bypass that PaperCut classes as an unauthenticated information-disclosure issue.)

It didn’t take long for attackers to exploit these vulnerabilities. PaperCut said it “has evidence to suggest that unpatched servers are being exploited in the wild” as of April 18, but the managed detection and response firm Huntress said it started to see evidence of exploitation on April 16, and Microsoft Threat Intelligence said exploitation began as early as April 13.

“We’re monitoring other attacks also exploiting these vulnerabilities, including intrusions leading to Lockbit deployment,” Microsoft said. “More threat actors could follow suit. It’s critical for orgs to follow PaperCut’s recommendation to upgrade applications and servers.”

TechCrunch reported that PaperCut’s software is “used by local governments, large enterprises and healthcare and education institutions.” The company’s website claims it has “over 100 million users from more than 70,000 organizations worldwide.” Here’s to hoping those organizations upgrade before this particular cut gets any deeper.

The week, compiled

Most distributed denial-of-service (DDoS) attacks are boring and unsophisticated, especially when they use easily parried DDoS-as-a-service platforms that cost little more than $100 per month. But a new DDoS amplification technique could shake up this threat vector.

This technique arrives courtesy of a vulnerability (CVE-2023-29552) in the Service Location Protocol (SLP) revealed by researchers from Bitsight and Curesec on April 25. “Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive [DoS] amplification attacks with a factor as high as 2200 times,” the researchers said, “potentially making it one of the largest amplification attacks ever reported.”

Ussama Azam / Unsplash

Although this DDoS amplification technique is novel, the protocol it relies on is anything but. SLP was created in 1997 to “provide a dynamic configuration mechanism for applications in local area networks,” as Bitsight and Curesec put it, which means it “allows systems on a network to find each other and communicate with each other.” It was never meant to be reachable beyond that network. The problem arises when an SLP listener (UDP port 427) can be reached from the internet, so that anyone can send it requests and, with a spoofed source address, have the replies delivered to a victim.

You can see where this is going. The researchers said that a “recent internet-wide scan revealed more than 54,000 SLP-speaking instances online, belonging to organizations across many sectors and geographies.” Exploiting CVE-2023-29552 on these systems can enable reflective amplification attacks capable of disrupting services even among organizations that are otherwise prepared to defend against DDoS attacks.
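To make the reflection mechanics concrete, here is an added Python example (mine, not Bitsight's or Curesec's tooling, and not derived from their scan data) that builds the small SLPv2 Service Request a reflector answers, parses the SLPv2 header so a defender can triage captured UDP/427 traffic, and flags requests or registrations that arrive from outside the local network. The sample datagrams and the RFC 1918 definition of "local" are constructed assumptions; the 2200x figure is the one the researchers reported and is used only to scale the arithmetic.

```python
import ipaddress
import struct

SLP_PORT = 427  # SLP listens on UDP/TCP 427 (RFC 2608)

# Function IDs from RFC 2608 section 4.1
SLP_FUNCTIONS = {
    1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDereg", 5: "SrvAck",
    6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
    10: "SrvTypeRply", 11: "SAAdvert",
}
# Messages an exposed listener should not be accepting from strangers: requests
# trigger (possibly large) replies, registrations change what it will reply with.
INBOUND_OF_INTEREST = {"SrvRqst", "SrvReg", "SrvTypeRqst", "AttrRqst"}

# Assumption: "the local network" means RFC 1918 space (adjust for your site).
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _slp_string(s: bytes) -> bytes:
    """SLPv2 strings are 16-bit-length-prefixed byte strings."""
    return struct.pack("!H", len(s)) + s


def build_slp_srvrqst(service_type: bytes = b"service:service-agent",
                      scopes: bytes = b"DEFAULT", xid: int = 1, lang: bytes = b"en") -> bytes:
    """Build a minimal SLPv2 Service Request, the small datagram a reflector answers."""
    body = (_slp_string(b"")             # previous-responder list (empty)
            + _slp_string(service_type)
            + _slp_string(scopes)
            + _slp_string(b"")           # LDAP predicate (none)
            + _slp_string(b""))          # SLP SPI (none)
    total_len = 14 + len(lang) + len(body)
    header = struct.pack("!BB", 2, 1)            # version 2, function-id 1 = SrvRqst
    header += total_len.to_bytes(3, "big")       # 24-bit total length
    header += struct.pack("!H", 0)               # flags: O, F, R all clear
    header += (0).to_bytes(3, "big")             # next extension offset
    header += struct.pack("!H", xid)
    header += _slp_string(lang)                  # language tag length + tag
    return header + body


def parse_slp_header(data: bytes) -> dict:
    """Decode the fixed SLPv2 header; raise ValueError for anything that is not SLPv2."""
    if len(data) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    flags = struct.unpack("!H", data[5:7])[0]
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    if version != 2:
        raise ValueError(f"not SLPv2 (version byte {version})")
    if length != len(data) or 14 + lang_len > len(data):
        raise ValueError("length fields do not match datagram size")
    return {
        "function": SLP_FUNCTIONS.get(function, f"unknown({function})"),
        "length": length,
        "overflow": bool(flags & 0x8000),   # O: reply truncated, rest via TCP
        "fresh": bool(flags & 0x4000),      # F: SrvReg is a new registration
        "mcast": bool(flags & 0x2000),      # R: request was multicast/broadcast
        "xid": xid,
        "lang": data[14:14 + lang_len].decode("ascii", "replace"),
    }


def amplification_factor(request: bytes, reply_bytes: int) -> float:
    """Bytes the reflector sends per byte the attacker spends."""
    return reply_bytes / len(request)


def is_lan_source(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or any(addr in n for n in LAN_NETS)


def triage_slp_datagrams(datagrams) -> list:
    """datagrams: iterable of (src_ip, dst_port, payload).
    Returns (src_ip, function, xid) for SLP requests/registrations from outside the LAN."""
    alerts = []
    for src, dport, payload in datagrams:
        if dport != SLP_PORT:
            continue
        try:
            hdr = parse_slp_header(payload)
        except ValueError:
            continue  # not SLPv2, or malformed: not our concern here
        if hdr["function"] in INBOUND_OF_INTEREST and not is_lan_source(src):
            alerts.append((src, hdr["function"], hdr["xid"]))
    return alerts


# Constructed sample traffic (not a real capture): a legitimate LAN lookup,
# a probe from outside the LAN, and a non-SLP datagram on the same port.
SAMPLE_DATAGRAMS = [
    ("192.168.1.20", SLP_PORT, build_slp_srvrqst(xid=1)),
    ("198.51.100.7", SLP_PORT, build_slp_srvrqst(xid=7)),
    ("198.51.100.7", SLP_PORT, b"\x01\x01garbage"),
]

if __name__ == "__main__":
    req = build_slp_srvrqst()
    print(f"SrvRqst is {len(req)} bytes; at the reported 2200x factor a reflector "
          f"would return {int(amplification_factor(req, 2200 * len(req))) * len(req)} bytes")
    for src, fn, xid in triage_slp_datagrams(SAMPLE_DATAGRAMS):
        print(f"SLP {fn} (xid {xid}) from outside the LAN: {src}")
```

Run it as a script to see the request size and the alerts for the constructed sample; the same parser can be pointed at a real capture by feeding it (source IP, destination port, payload) tuples. A header parser cannot tell you how large a given reflector's replies are, since that depends on what has been registered with it, so treat any SLP listener reachable from outside the LAN as a reflector until proven otherwise.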

Also this week:

BleepingComputer: Google said it banned more than 173,000 developer accounts—and prevented more than 1.43 million apps from reaching the Google Play Store—in 2022 to “combat malicious developers and fraud rings” and prevent “over $2 billion in fraudulent and abusive transactions.”

The Record: A Ukrainian man was arrested this week for selling “passport data, taxpayer numbers, birth certificates, driver’s licenses, and bank account data belonging to citizens of Ukraine and various European countries.” The man reportedly sold data related to more than 300 million people to Russian citizens via the Telegram messaging platform.

Decipher: North Korean threat actors have reportedly started to deploy new malware called “RustBucket” against systems running macOS. The malware is said to give the attackers command-and-control access to infected systems, though it’s unclear how the attackers choose their targets or what they intend to do with that access.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

The concept of a bug bounty is well-established: Researchers find vulnerabilities in popular software, and instead of exploiting or selling them, they disclose them to the affected vendor in exchange for a reward. Yet as Fei Protocol demonstrated on April 30, 2022, many cryptocurrency-focused companies have positioned what amount to bribes to hackers who stole the equivalent of tens of millions of dollars as retroactive bug bounties.

Kanchanara / Unsplash

CoinDesk reported that “a hacker exploited a reentrancy vulnerability in Rari’s Fuse lending protocol” to make off with more than $80 million. That isn’t much compared to other cryptocurrency thefts—Forbes listed several hacks involving anywhere from $100 million to $625 million worth of crypto—but it’s still a respectable chunk of change. So the company said the hacker could keep $10 million if they returned the other $70 million.
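The paragraph names the bug class without showing it, so here is an added Python model of a reentrant withdraw (my illustration of the general pattern, not Fuse's Solidity and not a reconstruction of the Rari/Fei exploit): a pool that pays out before it zeroes the caller's balance, the same pool written checks-effects-interactions style with a guard, and a depositor whose receive hook calls straight back in. Class names and amounts are invented.

```python
class Reentered(Exception):
    """Raised by the guarded pool when a call re-enters it mid-transaction."""


class VulnerablePool:
    """Pays out BEFORE updating the balance, so the callee can withdraw again."""

    def __init__(self, liquidity: int):
        self.funds = liquidity     # pool liquidity
        self.balances = {}         # depositor -> credited balance

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            return
        self.funds -= amount
        who.receive(self, amount)      # interaction: external call ...
        self.balances[who] = 0         # ... before the effect: still credited when re-entered


class HardenedPool(VulnerablePool):
    """Checks, then effects, then the interaction, plus a reentrancy guard."""

    def __init__(self, liquidity: int):
        super().__init__(liquidity)
        self._locked = False

    def withdraw(self, who) -> None:
        if self._locked:
            raise Reentered("withdraw re-entered")
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            return
        self._locked = True
        try:
            self.balances[who] = 0     # effect first
            self.funds -= amount
            who.receive(self, amount)  # interaction last
        finally:
            self._locked = False


class Depositor:
    """Malicious depositor: its receive() hook re-enters withdraw()."""

    def __init__(self):
        self.received = 0

    def receive(self, pool, amount: int) -> None:
        self.received += amount
        try:
            pool.withdraw(self)        # call back in while we are still credited
        except Reentered:
            pass                       # guarded pool refuses; the original payout stands


def run_attack(pool_cls, liquidity: int = 80, stake: int = 10) -> tuple:
    """Returns (total received by the attacker, funds left in the pool)."""
    pool = pool_cls(liquidity)
    mallory = Depositor()
    pool.deposit(mallory, stake)       # put in 10 ...
    pool.withdraw(mallory)             # ... and ask for it back
    return mallory.received, pool.funds


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerablePool))  # (90, 0): drained
    print("hardened:  ", run_attack(HardenedPool))    # (10, 80): only the stake back
```

The vulnerable pool loses everything because each nested withdraw still sees the attacker's balance as unspent; the hardened pool zeroes the balance before paying and additionally refuses any nested call, so the attacker gets back exactly what it put in.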

This sort of bargaining is fairly common in the cryptocurrency scene. It may not be wise to rely on it, however: when Uber covered up a 2016 data breach by paying the attackers $100,000 not to release the stolen information, its chief security officer was later convicted of obstruction of justice and misprision of a felony for the cover-up. It also isn’t clear if the tactic proved effective here—I didn’t see any news articles indicating that Fei Protocol got its money back.

Local files

BankInfoSecurity: The second-largest health insurer in Massachusetts, Point32Health, is reportedly struggling to recover from a ransomware incident that caused it to take some of its systems offline in early April.

NBC News: The attackers who compromised Minneapolis Public Schools “have circulated an enormous cache of files that appear to include highly sensitive documents on schoolchildren and teachers, including allegations of teacher abuse and students’ psychological reports,” to various platforms.

WYFF 4: A ransomware attack on Spartanburg County in South Carolina led to “some computer system issues” that also took some of the county’s phone numbers offline, but officials told WYFF 4 that they are working with “nationally recognized third-party cybersecurity consultants” to recover from the incident and that all critical phone services stayed up.

Off-script

I’m just about ready to give up on Gmail—or at least on the personal account I’ve used since 2011—because it’s become damn near impossible to manage.

I’m partly to blame. Rather than setting up a dedicated email account when I started freelancing, I continued to use my personal account. That was a mistake. I’m on so many public relations-related mailing lists (most of which are entirely irrelevant to me) that my inbox is always full.

Joanna Kosinska / Unsplash

But the straw that broke this camel’s back is the sheer amount of spam that’s made it through Google’s filters over the last few months. I’ve “won” more sweepstakes, raffles and giveaways this quarter than I have in the last quarter-century.

Altogether, this means if I don’t check my inbox for a week, I come back to something like 800 unread emails. I might want to open three of them. (On a good week.) Now I have to decide if I’d rather spend the time switching all my accounts to a new email address or just allow the “unread” count to enter the high thousands. I’m pretty sure I lose either way.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. We’ll be back next Sunday!