SANS NewsBites

Before Disposal, Double Check Sanitization of Anything With a Network Interface; Require Vendors to Assure Secure Implementation of UEFI and Secure Boot; Another Top Exploited Vulnerabilities List Highlights Need to Patch Faster

August 4, 2023  |  Volume XXV - Issue #61

Top of the News


Manually Reset Canon Inkjet Printers’ WiFi Before Discarding

Canon says that some data stored in the memory of some of its inkjet printers might not be removed by a factory reset. Canon urges customers to manually reset its inkjet printers’ WiFi settings before handing off the devices, whether that be to sell, to have repaired, or to discard.

Editor's Note

Reading the instructions, it appears the trick is that you need to reset the printer twice. Leaking a WiFi password may not be a huge deal to most users of these consumer level printers, but manufacturers need to do better in making reset procedures easy and reliable.

Johannes Ullrich

Make sure that you have sanitization processes for all devices with storage. In this case, Canon has you re-enable WiFi after resetting settings one time, then reset them again. Some devices, such as copiers, may have hidden storage you need to physically remove to sanitize. Don't forget to check for other things like originals or output quietly forgotten.

Lee Neely

This one by itself is not a major risk, but a good reminder to pass on to home workers and to trigger a review of your organization’s process for disposal of anything with a WiFi interface – don’t forget to check equipment used in the shipping office, reception desk, etc.

John Pescatore


CISA: Shore Up UEFI Security

In a blog post, the US Cybersecurity and Infrastructure Security Agency (CISA) urges the cyber industry to strengthen Unified Extensible Firmware Interface (UEFI) security. “In particular, UEFI secure boot developers haven’t all implemented public key infrastructure (PKI) practices that enable patch distribution (the Linux ecosystem implements it well).” The blog post also offers suggestions for improving UEFI security.


Five Eyes: 2022’s Top Vulnerabilities

Cybersecurity agencies in the US, the UK, Canada, Australia, and New Zealand have jointly published a list of the 12 most exploited vulnerabilities in 2022. At the top of that list is the Fortinet FortiOS and FortiProxy SSL VPN credential exposure vulnerability, followed by three Microsoft Exchange ProxyShell vulnerabilities that can be exploited to attain remote code execution, security feature bypass, and privilege elevation. The document “encourage[s] vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of [the] advisory.”

The Rest of the Week's News


Ivanti Discloses Another Vulnerability

Ivanti has disclosed a third vulnerability (CVE-2023-35082) in its Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, in less than two weeks. The critical authentication bypass vulnerability could be exploited “to allow unauthorized users to access restricted functionality or resources of the application without proper authentication.” The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint advisory warning of active exploitation of the two earlier disclosed vulnerabilities (CVE-2023-35078 and CVE-2023-35081). According to the advisory, threat actors have been exploiting CVE-2023-35078 since at least April 2023.

Editor's Note

Luckily, Ivanti appears to start copying the attackers and is reviewing its code for vulnerabilities now. This vulnerability was addressed before it was exploited in the wild.

Johannes Ullrich

The vulnerability (CVE-2023-35082, CVSS 10.0) affects MobileIron Core 11.2 and below. Version 11.2 has been out of support since March 15, 2022, and was resolved in version 11.3. There will be no fix for 11.2 or below; upgrade to a supported, patched version, e.g. 11.10.

Lee Neely


Google Threat Horizons Report August 2023

Google has published its August 2023 Threat Horizons report, which “provides decision-makers with strategic intelligence about threats to cloud enterprise users, along with cloud-specific research … [and] delivers recommendations from Google’s intelligence and security teams.” Among the report’s findings: 60 percent of the cloud compromise factors in Q1 2023 as observed by Google Cloud’s incident response teams involved credentials issues. The report also notes that threat actors are using a technique called versioning to bypass the Google Play Store’s malware detection.


Citrix Servers Compromised

According to the most recent data from the Shadowserver Foundation, more than 500 Citrix Netscaler ADC and Gateway servers have been compromised via a critical unauthenticated remote code execution vulnerability (CVE-2023-3519). Citrix released fixes for the vulnerability in mid-July.


Serco Discloses MOVEit-Related Data Breach

US government contractor Serco, Inc. has disclosed that a third-party vendor’s MOVEit managed file transfer server was breached and data were stolen. The incident affects more than 10,000 people. The data were taken from the MOVEit server of CBIZ, Serco’s benefits administration provider. Serco was made aware of the incident on June 30, 2023.


Mozilla Releases Updates for Firefox and Thunderbird

Mozilla has released updates for Firefox and Thunderbird to address a total of 14 security issues. Users are encouraged to update to Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14 or newer.


Hawaiian Observatory Suspends Operations After Cyberattack

A US national astronomical observatory in Hawaii has suspended operations following a cyberattack. The National Science Foundation’s National Optical-Infrared Astronomy Research Laboratory (NOIRLab) on Mauna Kea on Hawaii’s Big Island says that while the NOIRLab website is online, they have shut down the Gemini Observatory computer systems. Both the Gemini North telescope in Hawaii and the Gemini South telescope in Chile will be closed while the incident is investigated.

Internet Storm Center Tech Corner

DNS Over HTTPS Summary

Zeek and Defender Endpoint

From small LNK to large malicious BAT file with zero VT score

Social Engineering via Microsoft Teams

Automating the Search for LOLBAS

Sneaky Versioning Used to Bypass Scanners

Aruba Patches

Mitel Patches

New Ivanti MobileIron Core Vulnerability

Salesforce Phishing

Abusing the Amazon Web Services SSM Agent as a Remote Access Trojan

Malware Infects Airgapped Networks

Google Deleting Inactive Accounts

Google AMP Service Used for Phishing