INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Hurricane Helene Aftermath - Cyber Security Awareness Month
Published: 2024-10-01.
Last Updated: 2024-10-01 13:35:16 UTC
by Johannes Ullrich (Version: 1)
For a few years now, October has been "National Cyber Security Awareness Month". This year, it is a good opportunity for a refresher on some scams that tend to happen around disasters like Hurricane Helene. The bigger the disaster, the more attractive it is to scammers.
Fake Donation Sites
Hurricane Katrina was the first event that triggered many fake donation websites. Since then, the number of fake donation websites has decreased somewhat, partly due to law enforcement attention and hopefully due to people becoming more aware of these scams. These scams either pretend to be a new charity/group attempting to help or impersonate an existing reputable charity. People in affected areas need help. Please only donate to groups you are familiar with and who were active before the event.
AI Social Media Posts
I believe these posts are mostly created to gain social media followers, maybe with the intent to later reel them into some scam. They often post dramatic images created with AI tools or copied from legitimate accounts. Some may just be interested in some of the monetization schemes social media and video sites are participating in. Do not amplify these accounts. Strictly speaking, they are not "fake news," but legitimate news sources who go out to take pictures and gather information need exposure more than these fake accounts. Often, the fake accounts will contribute to at least an exaggeration of the impact of the event and, in some cases, reduce the credibility of legitimate recovery efforts.
Malware
Attackers may use the event as a pretense to trick victims into opening attachments. In the past, we have seen e-mails and websites that spread malware claiming to include videos or images of the event. These attachments turn out to be executables installing malware.
Fake Assistance Scams
In the aftermath of a disaster, organizations often provide financial aid through loans. Scammers will apply for these loans using stolen identities traded online. It may take several months for the victim to become aware of this, often only when they receive a request to repay the loan. Sadly, there is not much, if anything, you can do to protect yourself from these scams. The intent of the assistance is to be quick and unbureaucratic and to "sort things out later". You may have to prove that someone else used your information to apply for the loan.
"Grandparent Scam"
In this scam, a caller will pretend to be a relative or close friend, asking for money. These scams have become more convincing because scammers can often identify individuals in the disaster area and use them as a pretense to extort money. The caller may claim to be the individual (often they use SMS or other text messaging services), or they may claim to represent a police department or a hospital. Do not respond to any demands for money. Notify your local police department. If you are concerned, try to reach out to the agency calling you using a published number (note that Google listings can be fake). Due to the conditions in affected areas, the local authorities may be unable to respond. Your local law enforcement agency may be able to assist. They often have a published "non-emergency" number you can use instead of 911. Individuals in the affected area may not be reachable due to spotty power and cell service availability.
Final Word
Please let us know if we missed anything. A final word on some disaster preparedness items with an "IT flavor":
1. Have a plan to get out, and if you can get out: get out. You should not stay in the affected area unless you are part of the recovery effort.
2. Cellular networks fail. Cellular networks tend to work pretty well during smaller disasters, but they need power, towers, and other infrastructure, which will fail in large-scale disasters. Satellite connectivity quickly becomes your only viable option (if you have power). If you have a phone with satellite emergency calling (for example, a recent iPhone), they offer a "demo mode" to familiarize you with the feature.
3. If you are lucky to already have a Starlink setup, bring the antenna inside before the storm and disconnect the equipment from power to avoid spikes destroying it.
4. Disconnect as many electric devices from outlets as possible during a power outage (or before power outages are expected). Power outages often come with power spikes and other irregular power events that can destroy sensitive electronics. Do not plug them back in until power is restored and stable.
5. Even a downed phone or cable TV line can be energized. You may not see the high voltage line that is also down and touches the cable TV line. I took the picture on the right this weekend in my neighborhood of a high-voltage line touching the cable TV and phone line.
https://isc.sans.edu/diary/Hurricane+Helene+Aftermath+Cyber+Security+Awareness+Month/31314/
Patch for Critical CUPS vulnerability: Don't Panic
Published: 2024-09-26.
Last Updated: 2024-09-26 20:49:25 UTC
by Johannes Ullrich (Version: 1)
These last two days, a lot has been talked about a "Doomsday 9.9 RCE bug" in Linux [1]. We now have some additional details from Simone Margaritelli, who discovered and reported the vulnerabilities.
BLUF:
CUPS may use "filters", executables that can be used to convert documents. The part responsible ("cups-filters") accepts unverified data that may then be executed as part of a filter operation. An attacker can use this vulnerability to inject a malicious "printer". The malicious code is triggered once a user uses this printer to print a document. This has little or no impact if CUPS is not listening on port 631, and the system is not used to print documents (like most servers). An attacker may, however, be able to trigger the print operation remotely. On the local network, this is exploitable via DNS service discovery. A proof of concept exploit has been made available.
There is no patch right now. Disable and remove cups-browsed (you probably do not need it anyway). Update CUPS as updates become available. Stop UDP traffic on port 631.
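The two interim mitigations above (stop cups-browsed, block UDP/631) as a small host audit script. This is an added example, not from the diary or the OpenPrinting project; it assumes a systemd-based Linux host with iproute2's ss(8) available, and the iptables command it prints is one possible way to block the port, not a prescribed one.

```shell
#!/bin/sh
# Added example (not from the ISC diary): audit a host for the cups-browsed
# exposure described above and print the interim mitigation steps.
# Assumes systemd (systemctl) and iproute2 (ss) are installed.

# Returns 0 when an ss(8) UDP listener listing on stdin contains a socket
# bound to port 631 on any address (0.0.0.0:631, [::]:631, *:631), and 1
# otherwise. The trailing whitespace/end anchor keeps ":6310" from matching.
udp631_listening() {
    grep -Eq ':631([[:space:]]|$)'
}

# Returns 0 when systemd reports the cups-browsed unit as active.
browsed_active() {
    systemctl is-active --quiet cups-browsed 2>/dev/null
}

# Prints findings and remediation; returns 1 if anything needs attention.
audit() {
    rc=0
    if browsed_active; then
        echo "cups-browsed is running; stop and disable it:"
        echo "  sudo systemctl disable --now cups-browsed"
        rc=1
    fi
    if ss -lun 2>/dev/null | udp631_listening; then
        echo "a UDP listener is bound to port 631; block it at the host firewall, e.g.:"
        echo "  sudo iptables -I INPUT -p udp --dport 631 -j DROP"
        rc=1
    fi
    return "$rc"
}

if audit; then
    echo "no cups-browsed exposure found"
fi
```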
For a lot more details, see: https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
The Vulnerabilities
CVE-2024-47176
This is a vulnerability in cups-browsed (up to version 2.0.1). This daemon listens for UDP packets on port 631. cups-browsed uses DNS service discovery to automatically discover printers and make them available to the user. As part of the exchange with printers, it will receive various URLs that it may use to retrieve additional information. These URLs are not properly validated, allowing attackers to trick cups-browsed into requesting arbitrary URLs.
CVE-2024-47076
libcupsfilters (up to version 2.1b1) replaces an older filter architecture. It can be used to modify ("filter") files to adjust their format so they can be printed on a specific printer. Like the prior issue, it is subject to the attacker providing malicious data that will be passed on to other CUPS components.
CVE-2024-47115
libppd (up to version 2.1b1) also does not validate IPP attributes and adds them to the PPD file that is then passed to drivers and other components.
CVE-2024-47177
cups-filters (2.0.1) is the part that allows the arbitrary command execution triggered by invalid PPD parameters. cups-filters executes external code ("filters") to convert files. Because it accepts data from unverified external sources, arbitrary code may be executed. In particular, the "foomatic-rip" filter allows the attacker to provide an arbitrary command line.
[1] https://www.theregister.com/2024/09/26/unauthenticated_rce_bug_linux/
[2] https://openprinting.github.io/cups/
https://isc.sans.edu/diary/Patch+for+Critical+CUPS+vulnerability+Dont+Panic/31302/