This Week in Cyber 30th August 2024

Overview

This week we have a major SonicWall vulnerability that requires immediate patching. We also saw an earlier vulnerability for Apache OFBiz being added to CISA's Known Exploited Vulnerabilities catalog showing how threat actors are pouncing on the unpatched with increasing speed. Telegrams CEO has been arrested by French authorities over Telegrams non-cooperation with law enforcement and decidedly relaxed moderation policies.

The Dutch Data Protection Authority has enforced a €290 million fine on Uber for transferring and over-retention of driver data on their servers. Finally, the APT-C-60 Cyberespionage group has been found leveraging a Zero-Day vulnerability in WPS Office to deliver SpyGlace malware, interestingly in this case, updates patching the issue were released for WPS Office, but the CVE was not disclosed. As always this should serve as an essential reminder that you should be constantly practicing proper patch and vulnerability management. 

Sonic Wall Releases Patch for Critical Vulnerability

SonicWall has issued critical security updates to address a severe vulnerability (CVE-2024-40766) in its firewalls that could allow unauthorised access to devices. With a CVSS score of 9.3, this flaw is an improper access control issue affecting SonicWall Firewall Gen 5, Gen 6, and specific Gen 7 devices running older firmware versions.

If exploited, it could lead to unauthorised resource access and potentially cause firewall crashes. SonicWall has provided updated firmware versions to mitigate the risk and urges users to apply the patches promptly. For those unable to update immediately, it's recommended to restrict firewall management access to trusted sources or disable WAN management access from the internet.

Critical Apache OFBiz Vulnerability Seen Being Exploited

At the start of this month a, the vulnerability CVE-2024-38856 was disclosed alongside a vendor patch. The vulnerability has been described as an incorrect authorisation issue which could result in remote code execution exploits.

Since this disclosure the US Cyber Security Agency CISA added the vulnerability to their Known Exploited Vulnerabilities (KEV) catalogue. This is similar to another remote code execution vulnerability seen in May, tracked as CVE-2024-32113. This vulnerability was also added to the KEV catalogue. At the time of addition to the KEV catalogue the SANS Institute had reported seeing usage of the vulnerability in attempts to integrate it into new variants of the Mirai botnet.

SonicWall who reported the newest vulnerability to Apache had at the time not seen attacks exploiting the newest vulnerability. Since the disclosure Proof-of-concept exploits were seen resulting in the most recent CISA warning over the exploits.

The speed of exploit we see here is an alarming addition to the existing trend of threat actors working on disclosed vulnerabilities in the hope of exploiting listed vulnerabilities before end users move to secure patches. As always this should serve as a stark reminder to conduct vulnerability management and monitor/implement vendor patches with the appropriate urgency.

Telegram CEO Charged by French Authorities

Perhaps the loudest news of the week, Telegram CEO Pavel Durov was arrested at Le Bourget airport on Saturday. French authorities have charged the CEO with "refusal to communicate, at the request of competent authorities, information or documents necessary for carrying out and operating interceptions allowed by law".

Telegram is a widely used messages and media platform that like many others, boasts a privacy first mindset. This includes the typical end-to-end encryption as well as a unique standpoint of not sharing data with any third parties. Law enforcement included. Regardless of security and anonymity, most services are required to comply with law enforcement warrants for data related to relevant investigations. With most organisations in the west, the Police rarely need escalate it to a warrant and make a non-mandatory request for data.

Telegram has been frequently criticised for its relaxed moderation toward extremist and criminal activity on its platform. The organisation has also repeatedly refused to join child protection schemes in the UK such as the Internet Watch Foundation (IWF) or the National Centre for Missing and Exploited Children (NCMEC). The IWF provides services to help block, prevent and disrupt the sharing of child sexual abuse imagery, which Telegram has turned down.

According to a Wall Street Journal investigation, an operation conducted jointly by French and UAE intelligence hacked Durov's iPhone. The investigation suggests "French security officials were acutely concerned about Islamic State's use of Telegram to recruit operatives and plan attacks". The eventual outcome of this arrest could well end this dangerous rise of non-compliance with investigations. With other major organisations also taking relaxed policies on moderation this may end up being a kick that reaffirms the need for strong content moderation.

Dutch DPA Imposes 290 Million Euro Fine On Uber Because Of Transfers Of Drivers Data To US

The Dutch Data Protection Authority (DPA) enforces a 290 million euro fine on taxi company Uber. According to Autoriteit Persoonsgegevens, The DPA found that Uber was transferring drivers sensitive personal data of EU taxi drivers to the United States and retaining that data on their servers. The data included: account details, taxi licences, location data, photos, payment details, identity documents, criminal and medical data of drivers.

According to the DPA, this act from Uber was a serious violation of the General Data Protection Regulation (GDPR). Due to Uber not utilising the appropriate mechanisms for transferring data between the EU and US. "Because Uber no longer used Standard Contractual Clauses from August 2021, the data of drivers from the EU, were insufficiently protected, according to the Dutch DPA" the agency said. In response, Uber has since ended the practice.

APT-C-60 Leverages Zero-Day Vulnerability Within WPS Office Suite

WPS Office is a free Microsoft Office alternative which reportedly, has over 500 million active users worldwide. The zero day which is tracked as CVE-2024-7262 allows attackers to craft malicious hyperlinks that lead to arbitrary code execution. According to ESET, APT-C-60 created spreadsheet documents (MHTML files) with embedded malicious hyperlinks that trigger the exploit. The hyperlinks would utilise the arbitrary code execution vulnerability within WPS Office to deliver "SpyGlace" malware, providing the attackers with extensive cyberespionage capabilities.

Kingsoft has "silently" patched the vulnerability in March without notifying customers about the flaw. ESET in response created a detailed report informing users of WPS Office about the vulnerabilities affecting the software, which in addition brought up a second severe vulnerability (CVE-2024-7263), which Kingsoft patched in May 2024. Neglecting to notify users of known exploited vulnerabilities that they are patching is a confusing and harmful decision. 

Analyst Insight

This week marks yet another week critical vulnerabilities are discovered in commonly used software and services. Interestingly we are now seeing an increased rate of exploits being leveraged by threat actors from the point of disclosure. The Apache OFBiz vulnerabilities disclosed and patched earlier this month and in May have both been added to CISA's KEV. It will be interesting to see if we see the same for other vulnerabilities like SonicWalls's CVE-2024-40766. Avid readers of Telesoft's This Week In Cyber might remember at the beginning of March this year, our analysts identified scanners probing our network for the JetBrains CVE-2024-27198 and CVE-2024-27199 within hours of their disclosure. Soon enough we may see day 1 exploits of disclosed vulnerabilities. In Kingsoft's case, owner of WPS Office they neglected to even disclose their vulnerabilities potentially leading many to have not updated. As always, patch!

European authorities are also proving that data is very much a regulated space, with both Telegram and Uber getting in legal trouble for their actions. As always compliance is important, not least to avoid legal trouble.