Two Terrifying Zero-Day Exploits Guaranteed to Keep You Up at Night

Zero-day exploits are the silent killers of the cybersecurity world, and these two are no different. Can you possibly protect yourself?

Episode Transcript

Ryan: Hello and thank you for joining us for another episode of Fearless Paranoia, the cybersecurity podcast that aims to demystify the exciting and intriguing and sometimes challenging-to-understand field that is cybersecurity and bring it to you in chunks that are a bit more consumable, manageable and understandable. I’m going to be taking on that message alone tonight. My name is Ryan. I’m a cybersecurity specialist. And unfortunately, I’ll be flying solo without my good comrade, Brian, the cybersecurity attorney, tonight, and since we’re already deviating from the standard form of he and I, we might deviate a little bit from the typical education topic. And tonight, what we’re going to do instead is we’re going to talk a little bit about current events, and some of the interesting and terrifying things that are happening right now in the cybersecurity industry.

So we’re going to talk about two different quick cases tonight. These are both zero-day exploits that will not immediately impact, potentially, the average user, but for the most part, at least initially, should be pretty targeted towards governments, journalists, and other kinds of high-value targets. These are dangerous zero-day exploits. But one of these has already kind of been exploited for quite a while, and the other one is a danger lurking in the weeds. So, let’s start with CVE-2023-23397. That’s the big fancy term that’s put out; the CVE is kind of the indicator or the identifier that’s stored in the database for the vulnerability itself. This right here is the zero-day exploit. This is one that was identified recently and was patched on March 14, so just a few days ago. It was originally identified, or was found to originate, as far back as April 2022, and was actively in use from April 2022 through December 2022, primarily by the Russians, and in particular APT28, APT being advanced persistent threat. These are kind of big, bad identified groups on the internet that are your big hacking groups. This one here also goes by the name Fancy Bear, and is associated pretty closely with the Russian FSB.

And so these are pretty intense hackers that would have been using this zero-day exploit here. It was noted, and I had identified, that this was used on 15 or fewer targets over the course of the period of time from April through December of 2022, identified again and patched in March of 2023. So almost a full year after the zero-day exploit was first found to be used, it was used successfully before being patched. So it just shows again the danger of zero-day exploits and bad code just being easy to exploit. And the zero-days are just becoming something that pops up in the news all that much more frequently.

This one right here is especially unique because it attacks the Outlook client, so Microsoft Outlook, a very common mail client that’s used worldwide. Now, this doesn’t affect Outlook on the web; it doesn’t affect the Android or the iOS versions. This is purely the desktop, in particular the Windows versions of Outlook. And with this one unpatched, a specially crafted email with a certain set of extensions or attributes attached to it is enough to trigger it. And all that email has to do is arrive in your client and just go through the pre-checks that are done by the client. This is actually activated at the system level; it doesn’t even require user interaction in order to exploit, and your system will reach out to a foreign address and pass along an authentication token, which can then be used to relay that authentication token back to your system and be used to access anything that would use that level of authentication. Now, thankfully, this is an older method of authentication.

This is NTLM. So, it’s something that is being kind of slowly migrated away from; however, it is still widely used and at least accepted due to the prevalence of legacy applications. So, it is still easily exploitable. And again, it doesn’t even require user interaction. And so this is extremely volatile, and something that everyone should be patching quickly for to make sure this one doesn’t run a file. Now, granted, in the past, historically, for the last year plus, this has been used by one of the major APTs. They don’t seem to be targeting residential-level customers yet from what’s been known, but typically they hold on to the zero-days for their own needs. And then once these get identified and start getting patched, they tend to get sold out very quickly, weaponized quickly, and then turned towards larger groups by other actors that are a little bit more brazen. And so this is one here where any systems that stay unpatched could turn into a relatively ugly RCE exploit against those systems. So again, there’s a patch that’s released for it. There are mitigations in place if for some reason you cannot patch; they’re listed on the MSRC website through Microsoft, so please go ahead and view those. Again, this doesn’t affect Outlook from the web; that doesn’t accept NTLM authentication. But if you are using the Outlook client and are not patched, this one’s pretty bad. So I would recommend going out and getting either a workaround or mitigation in place or, better yet, just get the system

Brian: You’re listening to the Fearless Paranoia podcast. For more information on keeping yourself, your family and your company protected against cyber threats, check out the Resilience Cybersecurity and Data Privacy blog. If you’re enjoying this podcast, please like and subscribe using any of your favorite podcast platforms. Also, please share this podcast with anyone you think would find it helpful or useful. We rely on listeners like you to help get the word out about this show, and we appreciate the support. Now, time for some more cybersecurity…

Ryan: The second thing we’re going to talk about tonight is another one that’s kind of sitting in the weeds waiting to pounce. This one here was uncovered by Google’s Project Zero, which is a group that goes through and does a variety of different things. But one of the things they do is hunt through software packages and services, and they look for exploits, tools or methods that they can exploit. And then they report these, and in doing so, through proper disclosure, they go through and help the software become better. They help the developers of the software close up these loopholes to prevent these things from becoming known exploits and part of some of the current attack chains. But Google Project Zero also really relies on the fact that developers will take this information that’s provided to them by Project Zero and actually do something with it. So they do also have a mandate where they responsibly disclose within a certain period of time after reporting, to kind of force the issue and force the developers to do that, because as soon as you make the disclosure, you really give a good inkling as to what is needed to produce an exploit. And if not, you at least give enough direction to make it a lot easier to find out. And there are a lot of great programmers out there that are doing nefarious things with those skills. And they are very quick to weaponize these different exploits and put them together into full attack chains that are extremely deadly and very good at accomplishing their goals, which is getting onto a system, taking data, compromising, maintaining persistence, and eventually wreaking any kind of havoc that they desire. So this one in particular is another one of those exploits that doesn’t require any user interaction. And so that is what makes it really, really potentially dangerous.
And it’s actually so dangerous, and so apparently easy to exploit, that Google’s Project Zero did something that they’ve only done in a few rare instances, and that is they have withheld their disclosure of the details behind this particular CVE or vulnerability here, because they know that the widespread impact of this, should this actually make it out into the public, with how fast this would be weaponized and how easy it is to exploit, would cause absolute widespread chaos and havoc. You’ll understand why in just a moment, but it is a rare moment that they ever hold back from their disclosure, and in this case they did. Now, this right here is an exploit that affects the Samsung Exynos chip line, and a certain few versions of it in particular. And again, this is kind of technical jargon at this point, but it’s a Samsung mobile chip that’s used for cellular service, and it is the Exynos 5123, 5300, 980, 1080 and the automotive version Auto T5123. To give you a quick example of just kind of how widespread the use of these is, these are found in the Pixel 6 and 7 models, the international versions (so outside-the-US versions) of the Samsung Galaxy S22, a bunch of the different mid-range phones like the M series M12, M13, M33,

the A series A04, A12, A13, A21s, A33, A53, A71, the Vivo line of phones, the X30, X60, X70, S6, S15, S16, the Galaxy Watch 4 and 5, and here’s the fun one: automobiles that contain the Samsung Exynos T5123 automotive chip. That’s some Volkswagen models and a few others. I haven’t really seen a full list of automobiles yet, but more and more automobiles nowadays have cellular capabilities, and Samsung’s a large producer of chips. So we’re going to probably see a pretty decent list of different impacted automobiles coming out with this as well. The people that have asked me about the Samsung Galaxy phones here in the United States: those Galaxy phones use Qualcomm chips, and so they are, in this particular case, not susceptible directly to this. However, if you do have, like, an unlocked international Samsung Galaxy phone or something that came from overseas, I would still recommend at least double-checking that you are using one of the Qualcomm chips, just to make sure that you’ve got the opportunity to get a patch. And of course, as soon as Samsung releases a patch for your OS, please just go ahead and do it anyways; it’s always a good idea to go ahead and do those as early as possible. So, without a lot of details having been really released on this yet, Project Zero identified this as what is known as an internet-to-baseband RCE. Now, some pretty interesting technical jargon right there again, but let’s break that down into two different things. Internet-to-baseband is the first part. And what that means is that you can send a crafted phone call, or at least a call string effectively, from the internet to baseband, which means through to the cellular network, to hit the phone.
And in doing so, you can trigger an RCE, which is a more and more common acronym being used in the cybersecurity world, which is remote code exploit, which means a remote code execution, I’m sorry, which means the ability to execute commands remotely without having direct access. So you tie those two pieces together, and it really indicates at the very basic level what this means.

So in layman’s terms, what this means is somebody can sit on a computer and send phone calls to your phone the same way spammers do, except they craft that phone call in such a way that it triggers your device just by making a call to you and allows them to execute code on that device. Now take that in for a second. That means that they don’t even need to have you answer the call; it can be a missed call. But just by your phone receiving that call, which means by them having your phone number and targeting you with that call, they can use that call string to execute code on your phone, which means to do just about anything they want: execute code to download an app, install an app, use that app to pull the data from your phone and pull passwords from your phone, to do all the other things that they can do. It sounds like it’s relatively trivial to put together that type of call string and execute it. The providers for the cell phones are going to be the ones that are going to be saving the day. In this particular instance, Google has already released patches for the Pixel lines, six and seven. Samsung is notably much slower. And in some cases, Samsung doesn’t even deliver those OS patches themselves; they deliver it through the carriers. So in some cases, you’re waiting on Sprint, T-Mobile, Verizon, AT&T, et cetera, et cetera, to bring you your OS-level patches, which means Samsung then has to send it, probably after they approve it, on to the carrier, who has to run it through all of their red tape and approve it and then deliver it out. And so it could be some time before some of these phones actually get patched for this, which is extremely unfortunate.
And the only thing that is really saving us right now is the fact that there has been no proof of concept or actual known exploit that I’ve heard of yet for this outside of the findings of Google Project Zero, which is again why they’re avoiding disclosure, because all it would take is somebody at a computer with some sort of auto-dialer or some sort of dialing software to be able to craft that code together and just start running right down the list, phone number after phone number after phone number, making calls, and then just sitting back and waiting until they can execute some code and start getting notifications that your phone is now talking back to them and in their control, part of the ever-growing zombie armies of IoT devices on the internet, thanks to a little bit of bad code in a nice new chipset.

Brian: You’re listening to the Fearless Paranoia podcast. We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and me to break down in an episode, send us an email at info@fearlessparanoia.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out FearlessParanoia.com, where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity. Now, back to the show.

Ryan: So the world is not all doom and gloom. However, the best thing you can do is follow best practices as usual: stay patched, make sure that you secure your identity, secure your accounts with strong unique passwords on every single account, multiple-factor authentication. In this case, those things wouldn’t even save you, but they will save you in many other cases. In this particular case here, the recommendation initially was to turn off Wi-Fi calling, which most people won’t have a problem with, but it was also to turn off voice over LTE, which effectively is to shut off voice calling on your phone in most cases, where it was easy to do that, which for a lot of people is kind of a no-go; it takes away a lot of functional usability of the phone. But again, these are the kinds of things that we’re going to be facing going forward into the future. And so it’s important that we all understand these types of threats, and we understand the best practices that we can use to keep safe from them. And in this case, the best practice of patch early, patch often will be the final answer as soon as the patches are released.

So you know, we’re not here to scare you. We’re just here to educate and kind of make you aware of things. And without Brian here to have that kind of chatter back and forth with me, we’re going to keep this one nice and short today and end right there. So I really appreciate you guys tuning in today. Again, if you find this content or any of our other content really useful, beneficial or effective, please share it with the others that you know, share it to your networks, like and subscribe to our podcasts on your favorite podcast distribution network or on any of our social media channels. You can find us on Facebook, we’re on LinkedIn, and our presence is growing every single day. If you’ve got any ideas for anything that you’d like to hear us talk about in the future, and maybe break down for you, whether it’s a complex topic or something that you want to hear us just chew the fat about, please feel free to reach out to us; you can get all of us on our website at FearlessParanoia.com. And we really, really love reading your messages, hearing your feedback and getting ideas of what kind of content is beneficial and useful to you. It helps us grow, it helps us deliver good, useful content to you, and it helps us achieve our mission of making the world and all of its internet-connected services a safer place for everybody to operate in. So again, thank you for your time. We really appreciate you tuning in today and listening to me chat on behalf of Brian, our cybersecurity attorney, who couldn’t make it today. I am Ryan, the cybersecurity specialist. This is Fearless Paranoia, and we hope you have a wonderful day.

©2024 Fearless Paranoia