Ubuntu vulnerabilities and more: First officer's blog - week 63

Ubuntu vulnerabilities, a Korean phishing campaign and more. Here are some of last week's biggest stories from the world of cyber risk.

Mike Parkin | July 31, 2023

The ongoing voyages of the Federation Support Ship USS [REDACTED] 

First Officer’s log, Terrestrial date, 20230731, Officer of the Deck reporting.  

Our away team returned from Dauntless after several hours and, apparently, two bottles of vintage Terran whisky, with the exception of one member of the security detail who had received permission to stay several hours longer to engage in some close-contact Bat’leth training with a member of their security contingent. 

The ultimate outcome of their shared hospitality, training, and storytelling was enough information on the ship, her captain, and the details of their story to confirm with Starfleet Command that it was, in essence, entirely true. 

With the provenance of the ship and her crew settled, and an understanding from Starfleet what we’d been asked to do, the ordnance transfer was approved, with the torpedoes and other requested components transferred over and our security officer transferring back. 

During the exchange, we had finished our otherwise uneventful mission on [REDACTED] and prepared to head on to our next destination. 

Though there was a strong suspicion that this was not the last we’d see of the Privateer Dauntless. 

What could possibly go wrong with a custom kernel? 

What happened 

Two privilege escalation vulnerabilities have been identified in the Ubuntu OverlayFS module, which appear to affect up to 40% of Ubuntu workloads in the cloud. The vulnerabilities stem from differences in Ubuntu’s implementation of the OverlayFS module, which is widely used in container environments. The vulnerabilities are tracked as CVE-2023-32629 and CVE-2023-2640, and patches are available. 

Why it matters 

One of the beauties of the Open Source Linux kernel is that different distributions can fork it to best meet their needs, differentiating themselves from their peers and adding distro-specific functionality. One of the challenges with the Open Source Linux kernel is that sometimes flaws will creep into a specific distribution that don’t exist in others, which is what happened here. 

The converse is sometimes true, of course: a flaw can appear in the main branch that’s not in one distro or another, but that’s less common. Still, as is typical with most OSS projects, the Ubuntu team has addressed the issue and the patches should be deployed as soon as possible. 

What they said 

Plenty. Read more.

Seriously. This is not rocket science. 

What happened 

The ACSC (Australian Signals Directorate’s Australian Cyber Security Centre), CISA (U.S. Cybersecurity and Infrastructure Security Agency), and the NSA (No Such Agency) have released a joint recommendation on the inherent risks of using Insecure Direct Object Reference (IDOR) techniques in production code. The advisory includes a detailed explanation of the issue and a lengthy list of mitigation techniques developers can use to reduce the risk. 

Why it matters 

The key to these vulnerabilities is right in the name of the weakness: insecure direct object reference (IDOR). While there are legitimate use cases where direct references are perfectly valid and don’t add unacceptable security risk, the fact that they are insecure by default means their use should be limited.  

The recommendation here from these three agencies is what developers should have been doing already. In fact, security best practices would have developers use IDOR sparingly and never in a case where a user could compromise the system just by manipulating the calls. Every point in this joint recommendation is something the developers should already be doing. It’s basic secure coding practice, not rocket science. 
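To make the "basic secure coding practice" concrete, here is an added example (not code from the advisory or from this post) of the same "fetch an invoice by id" handler written the IDOR way and the checked way. The sample data, the Forbidden exception and the IndirectRefs helper are constructed for illustration.

```python
# Added example: an IDOR-prone handler next to two hardened versions.
# The vulnerable version trusts a client-supplied id; the checked version
# enforces object-level authorization; the indirect-reference version never
# exposes the real id to the client at all.
import secrets

# Constructed sample data: invoices keyed by a direct, guessable id.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 87.50},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object (constructed)."""


def get_invoice_vulnerable(user, invoice_id):
    # IDOR: any authenticated user reads any invoice just by changing the id.
    return INVOICES[invoice_id]


def get_invoice_checked(user, invoice_id):
    # Mitigation 1: verify ownership of the object, not just that the user is logged in.
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        # Same error for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("invoice not found")
    return inv


class IndirectRefs:
    """Mitigation 2: per-user random handles mapped to real ids (hypothetical helper)."""

    def __init__(self):
        self._map = {}  # (user, handle) -> real invoice id

    def issue(self, user, invoice_id):
        # Hand the client an unguessable handle instead of the database id.
        handle = secrets.token_urlsafe(16)
        self._map[(user, handle)] = invoice_id
        return handle

    def resolve(self, user, handle):
        # A handle only resolves for the user it was issued to, and the
        # ownership check still runs as defence in depth.
        invoice_id = self._map.get((user, handle))
        if invoice_id is None:
            raise Forbidden("invoice not found")
        return get_invoice_checked(user, invoice_id)
```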

What they said 

This got plenty of people talking.

It’s always the users, isn’t it? 

What happened 

A recent targeted Korean language phishing campaign against people in South Korea uses emails with U.S. military recruiting documents placed as lures. The campaign, referred to as Stark#Mule, employs a complex system that makes it more challenging to identify the malware as it’s being dropped. The campaign is tentatively attributed to North Korea. 

Why it matters 

Phishing, whether it’s drift net, cast net, or spear, is a common technique threat actors use for their initial foothold. Regardless of the scope or final target, the users are the attack surface they’re going for. Not that this is a revelation, because I have said it here many, many times. In this case, the threat actors are showing higher than usual sophistication, and the nature of both the target and the hook make it likely the attribution is correct. 

North Korea has had a long history of blurring the lines between cyber espionage, cyber-warfare, and cyber crime. It’s one of the ways they can lash out at their enemies, make some extra coin, and “project power,” without turning it into a shooting war. Saber-rattling aside, it’s unlikely they actually want a shooting war, and this lets them make waves without dealing with incoming fire. 

They’re one of several nations that are known to go this route, and we’re apt to see more of the same unless the geopolitical situation changes. A lot. 

What they said

Predictably, this made some waves.
