SANS NewsBites

Defining Responsible AI; Never-ending WordPress Vulnerabilities Dictate Looking at Content Management as a Service Approaches; Move Exchange Servers to Auth 2.0

May 9, 2023  |  Volume XXV - Issue #37

Top of the News


2023-05-05

Biden Administration Initiatives for Responsible AI Innovation

The Biden administration has announced initiatives “that will further promote responsible American innovation in artificial intelligence (AI) and protect people’s rights and safety.” Vice President Harris met with the CEOs of Alphabet, Anthropic, Microsoft, and OpenAI last week “to underscore this responsibility and emphasize the importance of driving responsible, trustworthy, and ethical innovation with safeguards that mitigate risks and potential harms to individuals and our society.”

Editor's Note

Obviously criminals won’t follow safety guidelines, but (like in food and drugs and vulnerability disclosures) it is important to be held to acceptable levels of behavior. AI is out of the bottle and the real move forward to be able to trust content is by having strong authentication of who created it and integrity – proof that the content has not been compromised. Moving to 2FA is a necessary first step on this journey.

John Pescatore

Legitimate, friendly AI producers, like OpenAI, Microsoft, etc., are not the concern here. I worry there is a false assumption here that those who would do us harm, or are not bound by US regulations, will follow these. Continue to explore AI offerings, and be certain to understand who is offering them and where their ethical boundaries are.

Lee Neely

We all want responsible AI innovation. Unfortunately, that may prove difficult given the global race to innovate and the ever-growing list of possible AI use cases. Just a week ago, a major consulting and tax firm announced a $1B investment over three years to expand and scale its AI offerings. Seems like everyone is getting on board the AI train.

Curtis Dukes

2023-05-08

Fix Available for Vulnerability in Advanced Custom Fields WordPress Plugin

A reflected cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin could be exploited to steal information and perform actions with the user’s privileges. The plugin has at least two million active installs. Users are urged to update the plugin to version 6.1.6 or newer.


2023-05-08

Microsoft Rolling Out Modern Auth for On-Premises Exchange Server Environments

To make Exchange Server 2019 more secure, Microsoft is transitioning on-premises Exchange environments from Basic Authentication to Auth 2.0, also known as Modern Auth. Basic Auth has some serious drawbacks, including sending credentials in plain text and not supporting multi-factor authentication (MFA). “Modern Authentication is an umbrella term for a combination of authentication and authorization methods between a client … and a server.” Over the past several years, Microsoft has been rolling out Modern Auth to its customer-facing apps. While Microsoft initially said it would not be rolling Modern Auth out to on-premises environments, it reversed that decision when the release of the next version of Exchange Server was pushed out to the second half of 2025.
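As an added illustration of the Basic Auth drawback described above (this is example code, not from the NewsBites item or from Microsoft): a small Python inventory over constructed log lines that counts which authentication scheme each client presented and lists the clients still sending Basic, whose credential is recoverable by anyone who can read the request. The log layout, IP addresses, user agents and credentials are all constructed assumptions, not a real Exchange log format.

```python
import base64
import binascii
from collections import Counter

def _basic(creds: str) -> str:
    # A Basic header is just base64("user:password"): encoding, not encryption.
    return "Basic " + base64.b64encode(creds.encode()).decode()

# Constructed sample log (not from any real server): timestamp, client IP,
# user agent, then the Authorization header the client presented.
SAMPLE_LOG = "\n".join([
    "2023-05-08T09:00:01Z 203.0.113.10 Outlook/16.0 Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig1",
    "2023-05-08T09:00:05Z 198.51.100.7 LegacyScanner/1.2 Authorization: " + _basic("contoso\\scanner:SuperSecret!"),
    "2023-05-08T09:00:09Z 203.0.113.22 Outlook/15.0 Authorization: " + _basic("contoso\\jdoe:hunter2"),
    "2023-05-08T09:00:12Z 203.0.113.10 Outlook/16.0 Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig2",
    "2023-05-08T09:00:15Z 192.0.2.5 EAS/14.1 Authorization: Negotiate YIIBxyz",
])

def parse_authorization(line: str):
    """Return (scheme, parameter) from a log line, or None if no Authorization header."""
    marker = "Authorization: "
    idx = line.find(marker)
    if idx < 0:
        return None
    scheme, _, param = line[idx + len(marker):].strip().partition(" ")
    return scheme, param

def basic_username(param: str):
    """Decode a Basic parameter and return only the user name (None if malformed).
    Anyone who can read the request recovers the whole credential this way."""
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def inventory(log_text: str):
    """Count auth schemes; list (ip, agent, user) for clients still sending Basic."""
    schemes, basic_clients = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_authorization(line)
        if parsed is None:
            continue
        scheme, param = parsed
        schemes[scheme] += 1
        if scheme.lower() == "basic":
            _ts, ip, agent, _rest = line.split(" ", 3)
            basic_clients.append((ip, agent, basic_username(param)))
    return dict(schemes), basic_clients
```

Running `inventory(SAMPLE_LOG)` on the constructed sample reports two Bearer, two Basic and one Negotiate request, and names the two clients that still need to move before Basic Auth is turned off.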

The Rest of the Week's News


2023-05-05

Cisco Will Not Fix Vulnerability in Phone Adapters

A missing authentication process in the firmware upgrade function of Cisco SPA112 2-Port Phone Adapters can be exploited to execute arbitrary code with full privileges. Cisco does not plan to release a patch for this flaw, nor are there workarounds. Instead, Cisco is advising users to migrate to newer adapters. The SPA112 2-Port Phone Adapter reached end of life in June 2020.

Editor's Note

Before blaming Cisco for no longer supporting these devices, consider that they haven't been sold in a few years, and the EOL of these devices was announced several years ago as well. It is important that you note EOL dates for devices in your inventories and have replacement plans in place.

Johannes Ullrich

These devices let you connect an analog phone/fax to your VoIP system. I have used something similar to put fax machines on my Google Voice number. And they just work, so you've probably forgotten all about them. This is tough, particularly if you have a bunch of these adapters. The thing is, they are almost three years past EOL. One of the hard things to do is incorporate lifecycle planning, to include budget, up front, and we all need to get good at it, to include contingency where a particular solution/feature set is no longer available from your preferred provider.

Lee Neely

Cisco has made a business decision to not spend the money to patch these adapters (which will have an update come out in 2024), putting customers at risk if they don’t spend to migrate to supported hardware. Customers have to make a business decision to replace the $100 device or switch to a non-Cisco VoIP approach. The bad risk decision is to just stick with the old adapters that use the vulnerable web interface without taking mitigation steps.

John Pescatore

In this example the phone adapter reached EOL three years ago, and a business decision was made not to patch. The decision was most likely tied to a smallish number of customers still using the product. With that, let’s spend a moment discussing cybersecurity using a subscription-based model. In this model, you may pay more annually but you ensure getting regular application updates to include security, and as needed hardware. This model sure beats IT and security professionals scrambling to protect their infrastructure.

Curtis Dukes

For many devices and appliances, it is more efficient to replace them than to repair them.

William Hugh Murray

2023-05-07

Tennessee Healthcare Organization Experiences Ransomware Breach

The Murfreesboro (Tennessee) Medical Clinic & SurgiCenter (MMC) shut down operations for nearly two weeks following an April 22 ransomware attack. As of the morning of Thursday, May 4, MMC was accepting patients at some walk-in clinics. Eleven sites were still closed, and the organization was not taking appointments.


2023-05-08

US Justice Dept. Seizes Domains Associated with DDoS-for-Hire Services

The US Department of Justice (DoJ) has seized 13 domains associated with “booter,” or distributed denial-of-service (DDoS)-for-hire, services. Ten of the recently seized domains are new versions of similar domains seized in December 2022. Four individuals charged in connection with the booter sites have pleaded guilty to the federal charges.


2023-05-08

Western Digital Discloses Data Theft

On Friday, May 5, Western Digital released a statement acknowledging that a March cyberattack against its computer systems resulted in data theft. The hackers accessed information in a Western Digital database that is associated with the company’s online store. Compromised data include names, addresses, phone numbers, and encrypted hashed passwords and partial payment card numbers. Western Digital has temporarily suspended access to its online store.


2023-05-05

Ransomware Task Force Progress Report

The Institute for Security and Technology’s Ransomware Task Force has published its May 2023 Progress Report. The report looks at headway made on the nearly 50 recommendations made in the task force’s 2021 report. The recommendations center on four pillars: deterrence, disruption, preparation, and response. Fifty percent of the recommendations have seen significant progress, and there has been some forward momentum on more than 90 percent of the recommendations. The report indicates that there is still significant progress to be made in the sharing of information about cyber incidents.


2023-05-08

NextGen Healthcare Breach Affects More Than One Million

NextGen Healthcare, a provider of electronic health records (EHRs), has begun notifying more than one million individuals that their personal data may have been compromised in a breach involving “unauthorized access to database stemming from use of stolen client credentials.” This is reportedly the second data security incident NextGen has investigated since the start of the calendar year.


2023-05-08

California County Paid Ransomware Operators $1.1 Million Following Attack

A spokesperson for San Bernardino County, California, has confirmed that they paid hackers $1.1 million following a ransomware attack against the computer systems of the county’s Sheriff’s Department. The county itself paid just over $500,000; the remainder was covered by its insurance carrier. The spokesperson said the payment was made to “restore the system’s full functionality and secure any data involved in the breach.”


2023-05-08

Microsoft Enforcing Number Matching to Fight Authenticator MFA Push Scams

As of Monday, May 8, Microsoft is enforcing number matching for all Microsoft Authenticator push notifications, which means the notification will display a number that the user must enter in the app to approve the sign-in. The added layer of security aims to prevent scams that rely on multi-factor authentication (MFA) fatigue: push scams bombard users with push notifications asking for authentication to access their accounts, which can result in granting access by accident or granting access simply to stop the endless stream of notifications.

Internet Storm Center Tech Corner

Quickly Finding Encoded Payloads in Office Documents

https://isc.sans.edu/forums/diary/Quickly+Finding+Encoded+Payloads+in+Office+Documents/29818/

Exploratory Data Analysis with CISSM Cyber Attacks Database Part 1

https://isc.sans.edu/forums/diary/Exploratory+Data+Analysis+with+CISSM+Cyber+Attacks+Database+Part+1/29816/

Guildma is now Abusing Colorcpl.exe LOLBIN

https://isc.sans.edu/forums/diary/Guildma+is+now+abusing+colorcplexe+LOLBIN/29814/

Microsoft Edge Update

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel

Facebook Sees More Fake ChatGPT

https://about.fb.com/news/2023/05/metas-q1-2023-security-reports/

QR Codes Used in Fake Parking Tickets and Surveys

https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/

CyberGhost VPN Vulnerability

https://www.pentestpartners.com/security-blog/bullied-by-bugcrowd-over-kape-cyberghost-disclosure/

Leaked MSI Keys

https://github.com/binarly-io/SupplyChainAttacks/commit/dcadc7a672a8553ac0d174593b5ea79084ea6c18

https://twitter.com/matrosov/status/1654560343295934464

PHP Packages Compromised

https://blog.packagist.com/packagist-org-maintainer-account-takeover/