SANS NewsBites

Supply Chain Security Needs to Include Corporate Law Firms; Patch Everything Apple; Update Awareness and Mailroom Guidance on Risk of Unsolicited Devices and Packages

June 23, 2023  |  Volume XXV - Issue #50

Top of the News


2023-06-20

Mondelez Employee Data Compromised in Law Firm Cyberattack

Mondelēz International is notifying more than 50,000 current and former employees that their personal data were compromised when a hacking group stole data from a law firm, Bryan Cave Leighton Paisner LLP. The intrusion was detected in late February 2023; the law firm notified Mondelēz of the incident in late March. In late May, “based upon additional information received from Bryan Cave, Mondelēz determined that it finally had enough information to determine who was impacted and that affected individuals should be notified.”

Editor's Note

Another reminder of how complex supply chains are – law firms, outsourced employee benefit services, etc. are part of the attack surface in your “supply” chain that can lead to data exposure.

John Pescatore

This and the HWL Ebsworth attack [second story in Rest of the News] remind me of the quote by the bank robber Willie Sutton: “I rob banks because that’s where the money is.” In this case, law firms are ‘cyber robbed’ because that’s where the data is. Specific to this cyber breach, a couple of reminders: 1) data owners have a responsibility to understand how the law firm protects the information entrusted to them; and, 2) details of the attack and victim notification should be shared more quickly, and not wait for all the information to be stitched together.

Curtis Dukes

Mondelēz owns multiple brands including Sour Patch Kids, Chips Ahoy, Triscuit, Wheat Thins, Oreo and Ritz, and was not directly penetrated. This is a case of the third-party service provider being compromised. Bryan Cave was compromised in February and started notifying impacted clients in March; it wasn't until May 22 that Mondelēz had enough information to understand who was impacted and start their notification process. Consider your third-party notifications, not only that they have a timeliness requirement, but consider the impacts of having sufficient information to begin your own analysis and response. Maybe sit down with those who are processing/storing sensitive information for you and see what can be optimized.

Lee Neely

2023-06-22

Apple Releases Fixes for Zero-days

Apple has released updates to address vulnerabilities that are being actively exploited to install spyware. Two of the vulnerabilities affect Webkit and can be exploited to execute arbitrary code. The third vulnerability can be exploited to gain elevated privileges. Updates are available for iOS, iPadOS, macOS, and watchOS.


2023-06-22

Cyber Espionage Group Using USB Drives to Spread Malware

Cyber espionage actors with ties to China have been using malware that spreads through USB drives. Researchers from Check Point have found evidence of attacks using the compromised drives on systems at organizations in Myanmar, South Korea, Great Britain, India, and Russia.

The Rest of the Week's News


2023-06-22

US Military Personnel Report Unsolicited Smartwatches

Members of the US military have reported receiving unsolicited smartwatches via mail. According to the Department of the Army Criminal Investigation Division, the “smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.”

Editor's Note

Like picking up a USB drive in the parking lot, unsolicited IT, including smart watches, needs to be considered hostile until proven otherwise. You're going to spend way more than that device costs cleaning up any damage. Beyond training employees to use caution, make sure that you're not making purchases of those devices hard or impossible thus encouraging creative workarounds.

Lee Neely

2023-06-20

Australian Law Firm Discloses Cyberattack

Australian law firm HWL Ebsworth has confirmed that a “threat actor had accessed and exfiltrated certain information” on its systems. HWL Ebsworth learned of the incident on April 28. The law firm has high profile clients, including governments and financial institutions; the firm has obtained an injunction that prohibits media from reporting on the specifics of the leaked data.


2023-06-22

NIST Plans to Develop Water and Wastewater Cybersecurity Framework

The US National Institute of Standards and Technology (NIST) has published a notice in the Federal Register “invit[ing] organizations to provide letters of interest describing products and technical expertise to support and demonstrate security platforms for the Cybersecurity for the Water and Wastewater Sector: A Practical Reference Design for Mitigating Cyber Risk in Water and Wastewater Systems.” The collaborative effort will begin no earlier than July 20, 2023.


2023-06-22

Patch Cisco Secure Client Software for Windows

Users are being urged to install patches to fix a high-severity vulnerability in Cisco Secure Client Software for Windows (formerly Cisco AnyConnect Secure Mobility Client) that could be exploited to gain SYSTEM-level privileges. Cisco released updates to address the arbitrary file delete vulnerability earlier this month; patching is now more urgent as a proof-of-concept exploit has been released.


2023-06-21

MOVEit-Enabled Breach List Grows

Gen Digital, the parent company of Avast, Avira, AVG, Norton, and Lifelock, has disclosed that its systems were compromised via a vulnerability in the MOVEit managed file transfer software. Gen Digital said the ransomware attack resulted in the exposure of employee data. Other organizations reporting that they were victims of MOVEit-related attacks include the Minnesota Department of Education and the Illinois Department of Innovation & Technology.


2023-06-21

Zyxel Urges Users to Update Firmware

Zyxel has released firmware updates to fix a critical vulnerability in its Network Attached Storage (NAS) devices. The pre-authentication command injection vulnerability could be exploited to remotely execute operating system commands using a maliciously crafted HTTP request. The issue affects NAS326, NAS540, and NAS542, and is addressed in firmware versions V5.21(AAZF.14)C0, V5.21(AATB.11)C0, and V5.21(ABAG.11)C0, respectively.


2023-06-22

CISA Warns of Unpatched Vulnerabilities in Enphase Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems (ICS) security advisories for vulnerabilities in the Enphase Envoy energy monitoring device and the Enphase Installer Toolkit Android App. Both vulnerabilities – a command injection issue and a hard-coded credentials issue – are remotely exploitable. Enphase has indicated that it is working on mitigations for the vulnerabilities.

Internet Storm Center Tech Corner

Analyzing a YouTube Sponsorship Phishing E-Mail

https://isc.sans.edu/diary/Analyzing+a+YouTube+Sponsorship+Phishing+Mail+and+Malware+Targeting+Content+Creators/29966

Malicious Code Can Be Anywhere

https://isc.sans.edu/diary/Malicious+Code+Can+Be+Anywhere/29964

Apple Updates Already Exploited Vulnerabilities

https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerabilities+in+iOSiPadOS+macOS+watchOS+and+Safari/29972

Heap Buffer Overflow in VMware vCenter

https://www.vmware.com/security/advisories/VMSA-2023-0014.html

GitHub RepoJacking

https://blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking

Zyxel Vulnerability

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-pre-authentication-command-injection-vulnerability-in-nas-products

Huawei Vulnerability

https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en

Asus Vulnerability

https://www.asus.com/content/asus-product-security-advisory/

VMware Aria Vulnerability Exploited

https://www.vmware.com/security/advisories/VMSA-2023-0012.html