SANS NewsBites

Require Suppliers to Provide Details on Incidents; Smart Device Security Labeling is a Start; Patch Citrix NetScaler ASAP

July 21, 2023  |  Volume XXV - Issue #57

Top of the News


2023-07-19

TOMRA Systems Offline Following Cyberattack

Oslo-based recycling company TOMRA has taken some systems offline following what it has called “an extensive cyberattack.” The incident was detected on Sunday, July 16. TOMRA has asked some employees to work remotely while the issue is addressed. TOMRA makes products that assist with the collection and sorting of recyclable materials.

Editor's Note

The Identity Theft Resource Center noted a trend across 2022 that TOMRA’s communications on this breach typify: public breach notices are not giving out as much (or any) information on how the breach happened. While this practice can perhaps be justified by lawyers to reduce potential liability, it does not reduce risk and it allows any corporate public relations press release writer to claim the company was the victim of “an extensive cyberattack” when it could have really been the keys were left in the ignition with the doors unlocked. To increase supply chain security, we need more visibility into the cause of, and lessons learned from, breaches at potential suppliers, just as investors need it when making investment decisions.

John Pescatore

While customer-facing systems, such as reverse vending machines (for recycling), are largely unimpacted, TOMRA's back-office systems are largely down. Think about their move to have workers go remote, then have a conversation about what to do with workers while your internal/back-office systems are down due to an incident. Make sure that you have conversations about how staff, attempting to do legitimate work, could affect your recovery process and whether some mitigation, like paid leave, should be implemented.

Lee Neely

Although TOMRA has yet to define the type of cyberattack, it’s likely ransomware. More importantly, liability concerns notwithstanding, it would be helpful for us cyber defenders to understand what happened that allowed the attack to occur in the first place. We can only defeat this sort of attack if we know what cyber defenses worked and didn’t work that enabled the cyberattack.

Curtis Dukes

2023-07-19

US Federal Communications Commission and White House Announce Smart Device Labeling Program

The US Federal Communications Commission (FCC), together with the White House and private industry partners, has announced the US Cyber Trust Mark program. According to a White House statement, “The goal of the [voluntary] program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.”


2023-07-20

US and Australian Security Agencies: Patch Critical Citrix Flaw Now

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre are urging organizations to install updates to fix a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The flaw, CVE-2023-3519, is being actively exploited. Citrix has also released updates to address two additional vulnerabilities affecting NetScaler ADC and NetScaler Gateway: a cross-site scripting issue and an improper privilege management issue.

The Rest of the Week's News


2023-07-20

Microsoft Will Make Cloud Security Logs Free Starting in September

Following a series of attacks in which hackers used fraudulent authentication tokens to access sensitive email accounts, Microsoft says it will provide cloud security log access to M365 customers at no extra cost starting in September. Microsoft received pushback from the security community after it became evident that the email attacks were only detectable by users with certain levels of licenses because they had access to cloud security logs.

Editor's Note

Nice change from Microsoft. But customers will still have to process the logs and look at them.

Johannes Ullrich

Now that you have access to those logs, make sure that you're configured so they are flowing to your system. Come September, you're going to refine your filters and playbooks, as you should have a bunch more information to categorize and create alerts for. File away, for at least a few months, information you don't yet have alerts for rather than deleting it, because hindsight knows no mercy.

Lee Neely

This is a welcome move by Microsoft. Sadly though, it took this incident to force them to provide this access. Hopefully, other cloud providers will provide better access to their logs for their customers.

Brian Honan

Microsoft’s response to the media backlash is similar to what they did in 2021. Just consider the additional storage costs part of the marketing campaign to get them out of a negative news cycle. Meanwhile, what’s the backstory on that inactive signing key that enabled the attack…

Curtis Dukes

This settles my question in the last newsletter. Microsoft is taking the Windows XP SP2 approach and making all M365 users have the necessary logging capabilities to detect attacks like the one experienced with the MSA key breach. This is good news for many, many customers. Not doing this would have been the equivalent of saying you can purchase this firewall, but logging of connections will cost extra. This will likely cost Microsoft extra in their storage costs for services. However, this happens when you have the impressive market share they have. It’s the cost of doing business, I would imagine.

Moses Frost

We should not let the focus on this limited remedy obscure the fact that Microsoft has been less than forthcoming about the breach itself.

William Hugh Murray

2023-07-19

US Dept. of Commerce Adds More Commercial Spyware Makers to Entity List

The US Department of Commerce’s Bureau of Industry and Security has added four organizations to its Entity List, which means the companies’ products are considered a potential threat to US national security. Greece's Intellexa SA, Ireland's Intellexa Limited, North Macedonia's Cytrox AD, and Hungary's Cytrox Holdings were added to the Entity List for developing and selling spyware. According to the BIS, “the Entity List identifies foreign parties that are prohibited from receiving some or all items subject to the Export Administration Regulations unless the exporter secures a license.”


2023-07-20

Academic Researchers Analyzed Satellite Firmware

Researchers from Germany’s Ruhr University Bochum and the CISPA Helmholtz Center for Information Security have published a whitepaper detailing their findings after analyzing firmware images of three small satellites. The researchers found several critical security issues in all three firmware images and note “that little security research from the last decade has reached the space domain.”


2023-07-19

US House Subcommittee Hearing on Threats to the Electric Power Grid

In a US House Energy and Commerce Committee Oversight and Investigations Subcommittee hearing on Tuesday, July 18, legislators heard testimony from experts regarding emerging threats to the electric energy infrastructure. Witnesses included Manny Cancel, CEO of the Electricity Information Sharing and Analysis Center (E-ISAC) and Senior VP of the North American Electric Reliability Corporation (NERC); Sam Chanoski, Technical Relationship Manager, Idaho National Laboratory; the Honorable Paul N. Stockton, Ph.D., Senior Fellow, Johns Hopkins University Applied Physics Laboratory; and the Honorable Bruce Walker, President and Chief Security Officer, Alliance for Critical Infrastructure Security, Inc.


2023-07-18

Attackers are Exploiting Known Vulnerability in WooCommerce Payments WordPress Plugin

Threat actors are actively exploiting a known vulnerability in the WooCommerce Payments WordPress plugin. Within the past week, the Wordfence Threat Intelligence Team observed attacks targeting hundreds of thousands of vulnerable WordPress websites. A patch for the vulnerability, which can be exploited to gain admin privileges on vulnerable websites, was released earlier this year.


2023-07-20

Adobe Releases New Patches for ColdFusion

On Wednesday, July 19, Adobe released three patches to address vulnerabilities in ColdFusion. One of the newly-addressed vulnerabilities allows attackers to bypass protections put in place by an earlier patch for an access control vulnerability (CVE-2023-29298).

Internet Storm Center Tech Corner

Deobfuscation of Malware Delivered Through a .bat File

https://isc.sans.edu/diary/Deobfuscation+of+Malware+Delivered+Through+a+bat+File/30048

Exploit Attempts for "Stagil navigation for Jira Menus & Themes"

https://isc.sans.edu/diary/Exploit+Attempts+for+Stagil+navigation+for+Jira+Menus+Themes+CVE202326255+and+CVE202326256/30038

Citrix ADC Vulnerability CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

https://isc.sans.edu/diary/Citrix+ADC+Vulnerability+CVE20233519+3466+and+3467+Patch+Now/30044

Citrix Vulnerabilities

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Citrix CVE-2023-3519 Indicators of Compromise

https://www.deyda.net/index.php/en/2023/07/19/checklist-for-citrix-adc-cve-2023-3519/

HAM Radio Enigma Machine Challenge

https://isc.sans.edu/diary/HAM+Radio+Enigma+Machine+Challenge/30042

ssh-agent vulnerability

https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

Spring Security: WebFlux Security Bypass with Un-Prefixed Double Wildcard Pattern

https://spring.io/security/cve-2023-34034

American Megatrends (AMI) MegaRAC BMC Vulnerabilities

https://eclypsium.com/research/bmcc-lights-out-forever/

Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpujul2023.html

Microsoft Expanding Cloud Logging

https://www.microsoft.com/en-us/security/blog/2023/07/19/expanding-cloud-logging-to-give-customers-deeper-security-visibility/

Google Cloud Build Service Vulnerability

https://orca.security/resources/blog/bad-build-google-cloud-build-potential-supply-chain-attack-vulnerability