This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

Microsoft’s Threat Intelligence group has announced a new naming scheme for threat actors. It sounds great, naming groups after weather phenomenon, based on the groups motivations or nation of origin. Then each discreet group is given an additional adjective. That’s where things get interesting.

It seems like the adjectives were chosen at random, giving rise for some suitably impressive names, like Ghost Blizzard, Ruby Sleet, or Granite Typhoon. Some of the other names sound like they should be desserts: Caramel Tsunami, Peach Sandstorm, Aqua Blizzard, or Raspberry Typhoon. But then there the really special names, like Wine Tempest and Zigzag Hail. But the absolute winner is Spandex Tempest. No word yet on whether researchers managed to keep a straight face when approving that name.

Chrome 0-day Double

A pair of Chrome browser releases have been minted in the past week, both to address vulnerabilities that are actively being exploited. Up first was CVE-2022-2033, type confusion in the V8 JS engine. That flaw was reported by Google’s Threat Analysis Group, presumably discovered in the wild, and the fix was pushed as stable on the 14th.

Then, on th 18th, yet another released rolled out to fix CVE-2023-2136, also reported by the TAG, also being exploited in the wild. It seems likely that both of these 0-days were found in the same exploitation campaign. We look forward to hearing the details on this one.

3CX Was Supply-Chain Chain

Mandiant has released their initial findings regarding the 3CX supply chain attack. It appears that this one was enabled by an older supply chain attack, against Trading Technologies’ X_TRADER. That was a futures trading platform, and it was deprecated back in 2020. It’s believed that a compromise against the Trading Technologies website in February 2022 was when the X_TRADER installer was tampered with. What’s interesting is that the signature for this malicious installer was still valid.

It’s unknown how or why this application was installed on the 3CX employee’s computer, particularly given its deprecated state. Regardless, this was the foot in the door that allowed the attacker to move laterally, harvesting credentials and installing backdoors. Mandiant makes the case that this was the work of North Korean attackers APT43 — “Emerald Sleet” in Microsoft’s new naming scheme. This is the first time we’ve seen one supply chain attack used to pull off a second one, and it was only possible because the first one went unnoticed for so long. But for state-sponsored actors willing to play the long game, it’s a very appealing force multiplier.

NTP Vulnerabilities

A quintet of vulnerabilities were identified in libntp, with the initial diagnosis that this out-of-bounds write could lead to Remote Code Execution. Further analysis has led developers to conclude that this is really two vulnerabilities, and that NTPD itself is only vulnerable if configured to talk to a very specific local GPS receiver. The other remaining vulnerability applies to ntpq, and that one would require querying a malicious NTP server to trigger the vulnerable code. So while an NTP vulnerability is unnerving, these appear to be quite minor issues, unlikely to cause serious issues.

Google Fails a Vulnerability Response

This is our old friend, dependency confusion, the problem of public and private dependency name collisions. [Giraffe Security] found some Google code on GitHub that referred to non-public dependencies. In the name of research, it was an obvious step to register one of those package names on PyPi and include a simple callback. And after a couple weeks of silence, the test package started getting downloads on Google machines, about one per day.

The report was initially categorized as an S0, highest severity, and a fix rolled out. And then silence, until the bogus package started getting downloads again. [Giraffe] opened a new issue, and was surprised when it was marked as a won’t fix. That second response called the problem social engineering, in a seemingly spectacular misunderstanding of how dependency confusion works. [Giraffe] was rewarded a whopping $500 for the high severity find. It’s a disappointing decision by the Google Bug Hunter team. While it’s very likely that this private package isn’t a part of any production systems, it’s still bad policy to knowingly allow a problem like this one to go unchecked.

Bits and Bytes

If you manage a Papercut install, it’s time to roll out an update. This popular print management software is invaluable for some offices that need to track printer usage by client. A pair of RCE issues have admins pulling our collective hair out, one clocking in at a 9.8 out of 10. To make matters worse, it looks like there are already attacks rolling out using these issues. At least the update procedure is relatively painless.

OpenAI has opened a Bugcrowd program, inviting you to break the AI for profit. Though there are some interesting caveats about what isn’t in scope. Namely, the interesting AI jailbreaks that the internet has been having fun with over the past couple months are all out. Convinced the AI that it’s a Linux computer, and then crashed that hallucinated machine? No bounty. Crash a real OpenAI server? Bounty!

14 thoughts on “This Week In Security: Spandex Tempest, Supply Chain Chain, And NTP

  1. Disappointing naming conventions, sound way too cool. May I propose a different set of family names? [“tossers”, “wankers”, “bollocks”, “incels”, “pedos”, …] would make reporting much more satisfying.

    Though I may be stealing some of MS’s names for magic items in my D&D game…

  2. “So while an NTP vulnerability is unnerving, these appear to be quite minor issues, unlikely to cause serious issues.” Unless you have a Chinese made IP camera that has its default NTP server set to a PLA controlled server in mainland China _and_ that when you change that setting it mysteriously changes itself back to the original setting while the rest of your network config changes remain stable. This is exactly what I found 2 years ago, and it is about time everyone woke up to the very real risk that does in fact pose.

      1. The issue is with the fact that these networked devices are at risk of being turned into attack vectors, not those belonging to people who notice the traffic and manage it as you suggest but the tens of thousands of naive users who don’t.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.