Share

Canary Trap’s Bi-Weekly Cyber Roundup

Canary Trap’s Bi-Weekly Cyber Roundup

Welcome to this week’s edition of the “Bi-Weekly Cyber Roundup” by Canary Trap. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity and this bi-weekly publication is your gateway to the latest news.

In this week’s round-up, we cover several critical cybersecurity developments impacting various industries. We’ll explore a major vulnerability in NVIDIA’s Container Toolkit that allows full host takeovers, serious flaws in gas station tank gauge systems that open doors to remote attacks, and Microsoft’s identification of a new ransomware threat, Storm-050. Additionally, we’ll look at Meta’s €91 million fine from Ireland for storing user passwords in plaintext, and the recent issues caused by the Windows 11 KB5043145 update, which has led to reboot loops and blue screens.

  • Critical Flaw in NVIDIA Container Toolkit Allows Full Host Takeover

A critical vulnerability (CVE-2024-0132) has been identified in the NVIDIA Container Toolkit, affecting all AI applications—whether cloud-based or on-premises—that rely on the toolkit for accessing GPU resources. This flaw, rated with a critical severity score of 9.0, enables container escape attacks, allowing malicious actors to gain full access to the host system, execute arbitrary commands, or steal sensitive data.

The NVIDIA Container Toolkit, which comes pre-installed in numerous AI platforms and virtual machine images, is the standard tool for managing GPU resources in environments leveraging NVIDIA hardware. According to Wiz Research, over 35% of cloud environments are at risk due to this vulnerability.

The issue stems from improper isolation between the containerized GPU and the host system, allowing attackers to mount sensitive parts of the host filesystem or access critical runtime resources, such as Unix sockets used for inter-process communication (e.g., `docker.sock` and `containerd.sock`). While many filesystems are mounted with “read-only” permissions, these Unix sockets are writable, enabling direct interaction with the host. An attacker can exploit this flaw by executing a specially crafted container image, leading to host-level compromise. 

This vulnerability affects NVIDIA Container Toolkit versions 1.16.1 and earlier, as well as GPU Operator versions 24.6.1 and older. NVIDIA has since acknowledged the vulnerability and released a fix on September 26th, following a report from Wiz Research on September 1st.

At present, technical details about the exploit have been withheld to provide organizations with time to implement mitigations. However, Wiz Research plans to release more technical information at a later date, potentially offering deeper insight into the vulnerability and its exploitation mechanisms. Organizations using affected versions of NVIDIA’s toolkit are strongly advised to apply the necessary patches and updates to prevent potential exploitation.

  • Critical Flaws in Tank Gauge Systems Expose Gas Stations to Remote Attacks

Recent disclosures have revealed critical vulnerabilities in six Automatic Tank Gauge (ATG) systems from five manufacturers, exposing them to potential remote attacks with serious consequences. According to Bitsight researcher Pedro Umbelino, these vulnerabilities pose significant risks, ranging from physical damage to environmental hazards and economic losses. The analysis highlights that thousands of ATGs are internet-exposed, making them attractive targets for malicious actors looking to disrupt critical infrastructure such as gas stations, hospitals, airports, and military bases.

ATGs are sensor systems used to monitor storage tank levels (e.g., fuel tanks), and exploitation of these flaws could lead to denial-of-service (DoS) attacks or physical damage. The vulnerabilities span several ATG models, including Maglink LX, OPW SiteSentinel, Proteus OEL8000, and Franklin TS-550. Eight of the eleven flaws are rated as critical, with CVE-2024-45066 and CVE-2024-43693 (both with a CVSS score of 10.0) being among the most severe. These flaws enable full administrative control and, in some cases, complete access to the underlying operating system.

Further security issues have been identified in other industrial systems, including the open-source OpenPLC solution, which suffers from a critical stack-based buffer overflow (CVE-2024-34026, CVSS 9.0) that could allow remote code execution. Riello NetMan 204, a network communications card used in uninterruptible power supply (UPS) systems, has also been found vulnerable to SQL injection (CVE-2024-8877) and unauthenticated password resets (CVE-2024-8878), allowing attackers to take over the UPS and tamper with log data.

Similarly, AJCloud’s IP camera management platform contains several critical vulnerabilities that could expose sensitive user data and grant attackers remote control over connected cameras. These vulnerabilities include arbitrary write access to key configuration files and buffer overflow risks that could be exploited for remote code execution. Efforts to contact AJCloud regarding these issues have so far been unsuccessful.

These vulnerabilities come at a time of heightened concern over security in operational technology (OT) and industrial control systems (ICS). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about increasing threats to internet-accessible OT/ICS devices, particularly in the Water and Wastewater Systems (WWS) sector. Such devices are frequently targeted through default credentials or brute force attacks, exposing them to significant operational risks.

Earlier this year, the U.S. government sanctioned six individuals linked to the Iranian intelligence agency for attacks on critical infrastructure. These attacks exploited publicly exposed Israeli-made Unitronics PLCs with default passwords. In response, Claroty, an industrial cybersecurity firm, has released tools to help users extract forensic data from compromised PLCs and has emphasized the growing risk posed by remote access solutions in OT environments. The firm’s research found that over half of organizations deploy four or more remote access tools, expanding their attack surfaces and increasing operational complexity.

To mitigate these risks, experts advise minimizing the use of low-security remote access tools, particularly those lacking essential features like multi-factor authentication (MFA), and focusing on securing OT systems through robust access control and vulnerability management strategies.

  • Storm-050: A New Ransomware Threat Identified by Microsoft

Microsoft’s Threat Intelligence team has identified a new ransomware group, Storm-050, that is targeting critical sectors in the U.S., including government, manufacturing, transportation, and law enforcement. Most concerning, the group has recently expanded its focus to U.S. hospitals, posing significant threats to both public safety and cybersecurity.

In its latest report, Microsoft describes Storm-050 as a highly sophisticated actor, exploiting system vulnerabilities to infiltrate networks and demand ransom payments. Initially concentrating on government and industrial targets, the group’s pivot toward healthcare introduces serious risks, given the sensitivity of medical data and the potential disruptions to critical, life-saving services.

The report states, “Storm-0501 is exploiting weak credentials and over-privileged accounts to transition from on-premises to cloud environments. By stealing credentials, they gain network control, eventually creating persistent backdoors to deploy ransomware.” Similar tactics have been observed in other threat groups like Octo Tempest and Manatee Tempest, which exploit the gaps between on-premises and cloud infrastructures.

Storm-050 leverages advanced social engineering methods, such as phishing campaigns, to deceive victims into granting access to internal systems. They also exploit vulnerabilities in outdated or poorly secured systems, ultimately deploying ransomware to encrypt files and demand hefty payments. The group employs double extortion, threatening to release sensitive data publicly if their demands are unmet.

Patrick Tiquet, VP of Security & Architecture at Keeper Security, emphasized the importance of securing hybrid cloud environments, noting that attackers increasingly exploit their larger attack surfaces. He advocates for a zero-trust architecture to minimize exposure, stating, “Weak credentials are a critical vulnerability in hybrid environments, and groups like Storm-0501 are quick to exploit them. Strengthening password policies and enforcing multi-factor authentication (MFA) are essential steps for defense.”

Storm-050’s recent focus on hospitals is particularly alarming due to the potential consequences for patient care, emergency services, and the confidentiality of medical records. Many healthcare institutions operate with outdated systems that are highly susceptible to modern cyber threats, making them prime targets. The issue has garnered attention at the federal level, with two U.S. senators proposing legislation aimed at compelling large healthcare organizations to prioritize cybersecurity.

As Storm-050 continues to target high-value entities, the urgency for robust cybersecurity strategies has never been greater. Organizations, especially in critical sectors like healthcare, must strengthen their defenses, ensure systems are updated, and train employees to recognize phishing and other cyber threats. A coordinated effort between the private sector, public agencies, and law enforcement is crucial to countering these increasingly sophisticated attacks.

The Microsoft Threat Intelligence team recommends several measures to mitigate the risks posed by ransomware groups like Storm-050:

  • Regularly patch systems to address vulnerabilities.
  • Enforce multi-factor authentication to prevent unauthorized access.
  • Implement advanced threat detection tools to block ransomware early.
  • Provide comprehensive employee training on recognizing phishing and social engineering attacks.

Also highlighted was the importance of identity and access management in securing hybrid environments, stating, “Security teams should prioritize least privilege principles and ensure timely patching of internet-facing systems.” He added that advanced email and messaging security solutions can prevent initial access attempts, a common entry point for ransomware.

Furthermore, the need for centralizing Endpoint Device Management (EDM) to ensure consistent security patching across environments was identified. As deploying advanced monitoring tools can help detect suspicious activity early, allowing security teams to respond swiftly before a full-scale breach occurs.

With Storm-050’s growing capabilities and expanding targets, the need for proactive, comprehensive cybersecurity measures is critical to safeguard public and private sector operations from these escalating threats.

  • Ireland Fines Meta €91 million for Storing Passwords in Plaintext

The Data Protection Commission (DPC) of Ireland has imposed a €91 million ($100 million) fine on Meta Platforms Ireland Limited (MPIL) for storing the passwords of hundreds of millions of users in plaintext—a significant violation of data protection laws.

This incident, which dates back to 2019, involved Meta discovering during a routine security review that certain user passwords were stored in plaintext on internal systems without encryption or cryptographic protection. Meta promptly disclosed the issue publicly and notified the DPC, which subsequently launched an investigation into the company’s data security practices.

At the time, Meta indicated that the incident affected “hundreds of millions of Facebook Lite users,” along with tens of millions of Facebook users and millions of Instagram users. Despite the severity of the issue, Meta maintained that no unauthorized access or misuse of the exposed passwords had been identified, and the plaintext data was not accessible to external parties. The DPC’s investigation found that Meta’s handling of user passwords breached several key provisions of the General Data Protection Regulation (GDPR), particularly those related to data security and breach notification:

  • Article 33(1) – Notification of a Personal Data Breach**: Meta failed to notify the DPC promptly of the plaintext password storage, which constitutes a data breach under GDPR.
  • Article 33(5) – Documentation of a Personal Data Breach**: Meta did not adequately document the breaches, failing to maintain appropriate records of the incidents.
  • Article 5(1)(f) – Integrity and Confidentiality**: Meta’s lack of encryption or cryptographic protection for stored passwords reflected insufficient security measures to protect users’ sensitive data.
  • Article 32(1) – Security of Processing**: Meta did not implement appropriate technical and organizational safeguards, such as encryption, to protect passwords and ensure their confidentiality.

Considering these violations, the DPC issued an official reprimand in addition to the €91 million administrative fine. The DPC also acknowledged that Meta had voluntarily disclosed the issue, which factored into the final decision. The DPC will publish its full decision and further details about the case at a later date.

  • Windows 11 KB5043145 Update Causes Reboot Loops, Blue Screens

Microsoft has issued a warning regarding a potential issue affecting some Windows 11 systems following the installation of the September 2024 KB5043145 preview update. Users running Windows 11 versions 22H2 and 23H2 may experience reboot loops or system freezes, occasionally resulting in blue or green screens.

The KB5043145 update, released to address various issues—including freezing problems with Microsoft Edge and Task Manager—has introduced this new complication. In a recent update to the support document, Microsoft acknowledged that some devices have entered automatic restart cycles, with a few users also encountering BitLocker recovery prompts after multiple failed restart attempts.

Microsoft’s Automatic Repair tool, which is designed to resolve common boot issues by diagnosing and repairing system problems, may launch automatically in affected cases. However, Microsoft has urged users facing these problems to report them through the Feedback Hub, offering detailed information to assist in resolving the matter.

This isn’t the first time in recent months that Windows updates have triggered system stability issues. In August 2024, Microsoft resolved a known problem that caused boot failures on Windows Server 2019 and is also addressing a separate bug affecting Linux booting on dual-boot systems with Secure Boot enabled. Additionally, previous updates in June and July introduced their own set of complications, including restart loops, taskbar issues, and BitLocker recovery triggers. Microsoft has since worked to rectify these problems in subsequent updates.

References:

Share post: