Linux RCE – Critical Vulnerability (CVSS 9.9) in CUPS – Security Awareness Messaging

An inadvertent disclosure in a GitHub push revealed an unauthenticated Remote Code Execution (RCE) vulnerability chain in the Linux Common Unix Printing System (CUPS) service, rated with a CVSS score of 9.9.

The vulnerabilities:

  • CVE-2024-47176 | cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631 and trusts any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL.
  • CVE-2024-47076 | libcupsfilters <= 2.1b1 cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, passing attacker-controlled data to the rest of the CUPS system.
  • CVE-2024-47175 | libppd <= 2.1b1 ppdCreatePPDFromIPP2 does not validate or sanitize the IPP attributes when writing them to a temporary PPD file, allowing the injection of attacker-controlled data into the resulting PPD.
  • CVE-2024-47177 | cups-filters <= 2.0.1 foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter.

CUPS and cups-browsed (a service responsible for discovering new printers and automatically adding them to the system) ship with many versions of UNIX, including most GNU/Linux distributions, but can also be installed in BSD, Oracle Solaris, and even Google’s Chrome OS.

Essentially, the vulnerability chain permits an unauthenticated attacker who can reach the cups-browsed service port (UDP 631) to replace existing printers, or install new ones, with malicious IPP URLs without generating any alert. This can result in arbitrary command execution on the attacked computer when a print job is started.

Because UDP port 631 requires no authentication, a system running the affected CUPS service with that port exposed to the internet is particularly at risk. However, an adversary who has already established a foothold within a network can achieve similar results against internal hosts.

Recommendation:

In terms of hardening against the vulnerability, removing cups-browsed if it is not needed is the simplest fix. Failing that, ensure that the CUPS packages are updated on affected systems; where they cannot be updated, use firewall rules to ensure only trusted hosts can reach UDP port 631.
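The following audit script is an added example written for this note, not code from the advisory or the CUPS project. It checks the two conditions the recommendation above targets, an all-interface UDP 631 listener and CUPS browsing still enabled in cups-browsed.conf, and assumes iproute2 `ss` and the standard /etc/cups/cups-browsed.conf path; the `BrowseRemoteProtocols none` setting it suggests is the cups-browsed directive that disables legacy CUPS browsing.

```shell
#!/bin/sh
# Added audit helper for the cups-browsed exposure described above. Example
# code, not from the advisory or the CUPS project; it assumes iproute2 `ss`
# and the usual /etc/cups/cups-browsed.conf path.

# udp631_exposed TEXT: TEXT is `ss -H -lun` output (local address in column
# 4). Succeeds when a listener binds port 631 on all interfaces (0.0.0.0, *
# or [::]), the INADDR_ANY bind from CVE-2024-47176; a loopback-only bind
# is not reported.
udp631_exposed() {
  if printf '%s\n' "$1" | awk '
      $4 ~ /^(0\.0\.0\.0|\*|\[::\]):631$/ { found = 1 }
      END { if (found) exit 0; exit 1 }'; then
    return 0
  fi
  return 1
}

# browse_remote_enabled TEXT: TEXT is cups-browsed.conf content. Succeeds
# when the effective BrowseRemoteProtocols (last uncommented directive wins)
# still lists the legacy "cups" protocol, which acts on unsolicited UDP 631
# packets. A missing directive counts as enabled so the audit fails closed.
browse_remote_enabled() {
  if printf '%s\n' "$1" | awk '
      BEGIN { val = "DEFAULT" }
      /^[ \t]*#/ { next }
      tolower($1) == "browseremoteprotocols" {
        val = ""; for (i = 2; i <= NF; i++) val = val " " tolower($i)
      }
      END {
        if (val == "DEFAULT" || index(val " ", " cups ") > 0) exit 0
        exit 1
      }'; then
    return 0
  fi
  return 1
}

# Live mode only on request, so the file can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
  listeners=$(ss -H -lun 2>/dev/null || true)
  conf=$(cat /etc/cups/cups-browsed.conf 2>/dev/null || true)
  if udp631_exposed "$listeners" && browse_remote_enabled "$conf"; then
    echo "EXPOSED: cups-browsed on UDP 631 with CUPS browsing enabled."
    echo "Remediate: disable cups-browsed if unneeded, otherwise set"
    echo "'BrowseRemoteProtocols none', update CUPS and firewall UDP 631."
  else
    echo "OK: no all-interface UDP 631 listener with CUPS browsing found."
  fi
fi
```

Run it as `sh audit-cups.sh --live` on each candidate host; the functions take text so they can also be pointed at `ss` output and configs collected from a fleet.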

Further information can be found at:

Attacking UNIX Systems via CUPS, Part I (evilsocket.net)

https://github.com/OpenPrinting/cups-browsed/issues/36

The Dark Side of AI: How Cybercriminals Exploit Artificial Intelligence

Cybercriminals and security professionals are in an AI arms race. As quickly as cybersecurity teams on the front lines utilise AI to speed up their response to real-time threats, criminals are using AI to automate and refine their attacks.

Tools that generate images, and conversational AI, are improving in quality and accuracy at ever increasing speed. The DALL-E text-to-image generator released version 3 three years after its initial release, and ChatGPT reached its fourth version only two years after its initial release.

The prevalence of this has become much more apparent in recent times.

In line with this accelerated evolution of AI tools, the range of malicious uses for AI is also expanding rapidly, from social engineering such as spoofing and phishing to speeding up the writing of malicious code.

(Deep)fake it till you make it

AI-generated deepfakes have been in the news several times; the higher-profile stories tend to involve political attacks designed to destabilise governments or defame people in the public eye, such as the deepfake video released in March 2022 [1] that appeared to show Ukrainian president Volodymyr Zelensky urging his military to lay down their weapons and surrender to invading Russian forces. Sophisticated scammers are now using deepfaked audio and video to impersonate CEOs, financial officers and estate agents to defraud people.

In February 2024, a finance worker in Hong Kong was duped into paying out USD 25.6 million [2] to scammers in an elaborate ruse that involved the criminals impersonating the company’s chief financial officer, and several other staff members, on a group live video chat. The victim originally received a message purportedly from the UK-based CFO asking for the funds to be transferred. The request seemed out of the ordinary, so the worker joined a video call to clarify whether it was legitimate. Unknown to them, they were the only real person on the call; everyone else was a real-time deepfake.

The general public is also being targeted by deepfakes, most famously by a faked video purporting to show Elon Musk encouraging people to invest in a fraudulent cryptocurrency [3]. Unsuspecting victims, believing in Musk’s credibility, are lured into transferring their funds.

Authorities are warning the public to be vigilant and verify any investment opportunities, especially those that seem too good to be true.

Another such video, which was quickly identified as fake, also had a convincing AI-generated voice of Elon Musk dubbed over it, instructing viewers to scan a QR code.

Police forces all over the world are also reporting an increase in deepfakes being used to fool facial recognition software by imitating people’s photos on their identity cards.

Evolution of scamming

Aside from high-profile cases like those above, scammers are also using AI in more simple ways. Not too long ago, phishing emails were relatively easy to spot. Bad grammar and misspellings were well-known red flags, but now criminals can easily craft professional-sounding, well-written emails by using Large Language Models (LLMs).

Spear-phishing has been refined too, using AI to craft a targeted email that uses personal information, scraped from social media, to sound personally written for the target. These attacks can also be sent out at a larger scale than manual attacks.

In place of generic emails, AI allows attackers to send out targeted messages to people at a larger scale, which can also adapt and improve based on the responses received.

WormGPT

LLMs like ChatGPT have restrictions in place to stop them from being used for malicious purposes or answering questions about illegal activity. In the past, carefully written prompts have allowed users to temporarily bypass these restrictions.

However, there are LLMs available without any restrictions at all, such as WormGPT and FraudGPT. These chatbots are offered to hackers on a subscription model and specialise in creating undetectable malware, writing malicious code, finding leaks and vulnerabilities, creating phishing pages, and teaching hacking.

At the risk of this becoming a shopping list of depressing scenarios, a brief mention should also be given to how AI is speeding up the time that it takes to crack passwords. Using generative adversarial networks to distinguish patterns in millions of breached passwords, tools like PassGAN can learn to anticipate and crack future passwords. This makes it even more critical for individuals and organisations to use strong, unique passwords and adopt multi-factor authentication.

In summary

Looking ahead, the future of AI in cybercrime is both fascinating and concerning. As AI continues to evolve, so too will its malicious applications. We will see AI being used to find and exploit zero-day vulnerabilities, craft even more convincing social engineering attacks, or automate reconnaissance to identify high-value targets.

This ongoing arms race between attackers and defenders will shape the landscape of cybersecurity for years to come. AI is being exploited by cybercriminals in ways that were unimaginable just a few years ago. However, by raising awareness, investing in robust cybersecurity measures, and fostering collaboration across sectors, we can stay one step ahead in this high-stakes game of Whack-A-Mole.

This post was written by Chris Hawkins.

[1] https://www.wired.com/story/zelensky-deepfake-facebook-twitter-playbook/

[2] https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html

[3] https://finance.yahoo.com/news/elon-musk-deepfake-crypto-scam-093000545.html

Blog Post: Top 3 Common Networking Attacks

Prism Infosec’s Senior Security Consultant, Aaron, reviews the “Top 3 Common Networking Attacks”.

During this unprecedented period when much of the world’s population is affected by lockdown measures and limited activities, cyber criminals have intensified their attacks. The state of fear and uncertainty has provided them with a new “business opportunity” and whilst most of us are spending more time on the Internet than ever before, several types of cyber-attacks have seen a drastic increase over the last few months.

1. Phishing Attacks

Amid this chaotic situation, many people are seeking out COVID-19 related information online, hoping to find reliable guidelines to stay safe and well. At the same time, hackers are taking advantage of this by ramping up “phishing” attacks that trick internet users into opening malicious files or links that purport to provide COVID-19 information.

Cyber criminals do this by impersonating trusted organisations and sending out convincing emails containing attachments laden with malicious payloads. When opened, the attachments execute the code and give an attacker unauthorised access to system resources and data, along with the capability to launch further attacks on other networked devices or resources.

In other phishing attacks, unsuspecting users are tricked into following links that lead the user to realistic login pages for trusted brands. On logging in, the valid usernames and passwords are captured and later used by criminals to conduct financial fraud and impersonation. 

Phishing attacks can be mitigated in several ways:

  • Implement an anti-spoofing policy, with malware and spam filters on mail servers, to keep malicious emails away from employees.
  • Implement email authentication measures such as SPF, DKIM and DMARC. These let receiving mail servers verify that a message genuinely originates from the domain it claims to be sent from, so impersonated messages can be detected and prevented from reaching inboxes.
  • Train employees to identify phishing attempts and on the actions to take when they suspect phishing or have already opened an attachment or followed a link.

2. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

At a time when Internet connections are required more than ever, a successful Denial of Service attack will have a more damaging impact than ever before.

A Distributed Denial-of-Service (DDoS) attack is one in which a collection of computers infected with malicious code is controlled as a group (a botnet) and directed at another Internet service, such as a web site, which is flooded with traffic to deny its service to legitimate users. The outcome of a DDoS attack is operational disruption, achieved when systems and services are taken offline. Furthermore, attackers can disrupt organisations by threatening to shut down business services unless large sums of money are paid.

Measures that help mitigate these attacks include:

  • Utilising a Web Application Firewall (WAF)
  • Implementing rate limiting

It is crucial that organisations understand Denial of Service attacks and are always prepared to defend against them.

3. Remote Desktop Server Attack

Recently, many organisations have turned to Microsoft’s Remote Desktop Protocol (RDP) as a method of allowing remote workers access to corporate resources. The number of corporate services that need to be remotely accessible has increased sharply, along with the requirement to support remote working; however, so has the number of reported RDP attacks.

RDP is a simple and cost-efficient method of facilitating remote working and access to corporate resources such as applications or desktops. However, the protocol is not sufficiently secure to be exposed to the internet. Without adequate security configurations in place, it can be easily compromised allowing an external attacker to gain a foothold into internal networks.

RDP attacks typically involve brute-forcing usernames and passwords, attempting all possible combinations until the correct one is found. Upon discovery of a correct combination, an attacker can gain full desktop access to a computer in the target network.

If your organisation must enable RDP, it is crucial that the following protection measures are in place:

  • Use unique, long and random passwords to protect the systems
  • Enforce two-factor authentication
  • Limit the use of RDP to devices connected through the corporate VPN
  • Ensure security options such as Network Level Authentication are enabled
  • Avoid connecting the RDP service to the corporate domain

If RDP access is not required, then it should be disabled and access to port 3389 should be blocked at the firewall.

Conclusion

In conclusion, cyber-crime is bound to increase for the rest of 2020 as cyber criminals are constantly engineering new methods to attack business operations. Hence, it is crucial that businesses stay ahead of cyber threats by maintaining good security practices, such as:

  • Regularly review network security – Audit the security controls in place to ensure that network perimeters are well protected and unnecessary access is removed. Continue to monitor all systems and networks for unusual activity.
  • Maintain user education and awareness – Constantly remind employees of the importance of both physical and cyber security awareness. Develop home working policies and train employees to adhere to them.
  • Ensure malware prevention is in place – Ensure that all anti-virus solutions are updated daily and anti-malware policies are in place.
  • Maintain secure configuration on all systems – Make sure that all servers and end user devices are fully patched. Ensure that all remote working devices are subject to integrity checks before they are allowed access to corporate networks.
  • Secure remote access configurations – All remote solutions should use secure authentication and encryption technologies, with multifactor authentication enforced wherever possible.
  • Monitor user activities and privileges – Continue to monitor user activity for potentially malicious behaviour and ensure that the principle of least privilege is actively applied.
  • Incident response plan – Always be alert and prepared for potential cyber-attacks, and ensure that an incident response plan is in place to deal with any emergency.

Blog Post: Home Working Cyber Security Guidance

During these uncertain times, Prism Infosec are doing their utmost to support the community with information security guidance and advice.

To start, Prism Infosec has published a blog post (longer read) and quick guide (key points) as essential updates for ensuring systems and data availability without compromising security.

A PDF of our full blog post can be downloaded from here.

For the quick guide, this can be downloaded here.