The Most Sophisticated Attack Chain...Ever

Plus: An emerging trend with stock exchanges and cyber attacks

Good morning. I hope everyone is enjoying the holidays and will be ringing in the new year in style. My family tradition is just how I like it…boring. We order Chinese food and go to bed early; that’s my kind of party. That tradition started with a binge-watch of The Walking Dead many years ago when I first got married.

In the last newsletter of the year, we’re covering:

  • Cyber attacks halting stock trading, a new trend?

  • The most sophisticated attack chain ever…no really, not an exaggeration.

  • A new ransomware group hit the lottery.

-Jason

Spotlight
Cyber Attacks Halt Stock Trades

Background

On December 27, the Australia-based Eagers Automotive paused trading on the Australian stock market following a cyber incident (presumably ransomware). The company is the largest operator of car dealerships in Australia and New Zealand.

In a disclosure the following day (while trading was still halted), the company said it acted to “enable it to manage its continuous disclosure obligations in relation to a cyber incident which it had just become aware.”

Impact

While the company stated there would be no material impact, they commented that the cyber incident impacted their ability to finalize transactions for certain new vehicles. This will delay recognizing certain transactions in the last five days of the year.

Who Cares Then?

While all of that is interesting, what really stood out to me was that they halted trading on the Australian Stock Exchange (ASX). This is something I have never seen before. More research found a few other examples this year on the ASX, including the law firm IPH in March and the tech company Technology One in May.

Like the US Stock exchange, the ASX has a continuous disclosure obligation. This requires a company to promptly disclose any information that a reasonable person would expect to have a material effect on the stock price, like a cyber attack.

The ASX also allows companies to request a trading halt of up to two days when it considers that trading in the market could occur on an uninformed basis, which is what Eagers Automotive did. You can see the flat plateau during the two-day halt in the company’s stock chart below:

From Yahoo Finance on December 29, 2023

Where Does It Go From Here?

I’m by no means an expert on financial markets and reporting obligations. I’m merely fascinated that a (maybe) new trend is emerging of halting trading following a cyber incident. I couldn’t find examples in the US, so perhaps it’s just a regional thing for now, but something I’ll be keeping an eye on regardless.

Deep Dive
“The Most Sophisticated Attack Chain”

While I would love to see a “classy” attack chain with a nice top hat and monocle, that doesn’t apply here. When we’re talking about a sophisticated attack chain, we’re talking about an incredibly complex zero-click iMessage attack that used four iOS zero-days.

In cybersecurity, the term “sophisticated” gets thrown around a lot. And it’s usually a gross exaggeration. In this case, you have three super nerds who have reported on more than 30 in-the-wild zero-days in Adobe, Apple, Google, and Microsoft products saying this…so it means something.

Let’s de-sophistisize (yes, we can make up words) this attack chain.

What’s a Zero-Click: The holy grail of mobile vulnerabilities. Exploiting one requires no user interaction at all, not even a tap on a message, so it’s a big deal. I wrote a bit about this and how much these go for in a prior newsletter.

Zero-Day #1 (CVE-2023-41990)

The attacker sends a malicious iMessage attachment to their target. The message is processed without user interaction (i.e. the target doesn’t have to open or click on it).

The attachment includes a JavaScript exploit that has ~11K lines of code, which is huge. It packed everything needed to conduct the first stage of the attack, including code for the first three zero-days.

The first zero-day exploits a vulnerability in how iOS parses TrueType fonts, which, when exploited, allowed the attacker to run code on the device. It’s a good starting point, but the attacker only had minimal system privileges, so they couldn’t do much.

But it was enough to lead to the next exploit…

Zero-Day #2 (CVE-2023-32434)

The attacker then had to access the iOS kernel, which is the core of the device’s operating system. Gain access to the kernel, and you have access to everything.

This zero-day vulnerability allowed access to the iOS kernel and, by association, the ability to execute code with kernel privileges, the highest privileges possible on the device.

But not so fast. Apple planned for this and had a security feature in place to stop someone from doing this.

Zero-Day #3 (CVE-2023-38606)

The attacker had to find a way to bypass Apple’s Page Protection Layer (PPL) on its mobile devices. PPL protects against code injection and kernel modification, which is exactly what the second zero-day set the attacker up to do. It’s a beautifully layered defense that the attacker successfully bypassed with the third zero-day.

Three zero-days in, the attacker has finally gained the ability to execute anything on the device they want, with zero user interaction. It’s quite amazing, really. And now, it was time to start the next stage of the attack.

At this point, the original exploit code clears evidence of the prior exploitations on the device and then starts Safari in invisible mode (so the user doesn’t see it). The exploit code then has Safari visit a web page that verifies the target victim is the intended target (this focuses the attack and helps maintain stealth) and delivers the final zero-day…

Zero-Day #4 (CVE-2023-32435)

The final zero-day impacts, you guessed it, the Safari browser. This vulnerability gave the attacker arbitrary code execution again, this time inside Safari. The attacker combined this with the second and third zero-day vulnerabilities once more to gain root privileges and download and install spyware on the device.

The Spyware

The spyware included the ability to remotely interact with the device, record from the microphone, extract the Keychain, steal messaging app messages, and monitor GPS location.

From Boris Larin, one of the researchers who discovered the attack

Who Is Behind It?

Let’s start with who was targeted. This included employees at Kaspersky, a Moscow-based security company (note that the researchers who discovered the attack work for Kaspersky). Russian officials also stated that it impacted thousands of people working inside diplomatic missions and embassies in Russia. Russia came out and blamed the attack on the US National Security Agency (NSA).

The level of sophistication suggests it was a nation-state threat with a deep bench of talent and resources. And the targeting of Russia narrows down the field of possible suspects. So, while we may never get a public confirmation from the country behind this, you can take a few guesses on who was behind it…

News
What Else is Happening?

🐟️ An 18-year-old hacker tied to the Lapsus$ group was sentenced to an indefinite hospital stay. Lapsus$ was behind high-profile cyber attacks, including Uber, Nvidia, and Rockstar Games. The sentence was based on the judge’s determination that the hacker's skills and desire to commit more cybercrime posed too great a threat to the public.

🕹️ Ubisoft stopped the theft of 900GB of intellectual property on Rainbow Six Siege, a huge video game title for the company. The attackers had access for ~48 hours before Ubisoft detected the activity and shut the account down.

🐉 A new ransomware gang known as DragonForce hit the lottery. But not how you think. On Christmas Eve, the group stole data from the Ohio State Lottery and encrypted its systems. 

🏥 In another Christmas Eve attack, a Lockbit affiliate encrypted a hospital system that impacted three hospitals, shutting down access to emergency care. At least, people thought it was Lockbit. Turns out, according to vx-underground, it was an unknown group that used the leaked Lockbit Black ransomware builder.

See you next week!
