SANS NewsBites

Check for Compromised Magento 2 Applications; Patch All PLCs Using CodeSys V3 SDK; Obtain Legal Counsel Review of Zoom and Other Collaboration Platform Privacy Policies

August 15, 2023  |  Volume XXV - Issue #64

Top of the News


2023-08-11

Akamai: Hackers Exploiting Known Magento Vulnerability

Researchers from Akamai have detected “an ongoing server-side template injection campaign” targeting Magento 2 shops that have not been patched against an input validation flaw for which a fix was released in February 2022. Akamai says this particular campaign has been ongoing since at least January 2023.

Editor's Note

Akamai’s good news is that Web App Firewall filters were effective against the attack and they only saw a small number of targets. But Magento has been a major target for almost a decade now; going unpatched for 18 months is reckless behavior.

John Pescatore

Make sure that you're applying patches and you have a WAF in active (non-learning) mode. Even if you've applied the updates you should check for the IOCs as this vulnerability dates back to January. If you've outsourced web/app services to a provider, make sure that you understand what security checks and updates they do, versus your responsibilities, as well as verifying that any notifications are appropriately routed, preferably not to a single point of failure.

Lee Neely

This story highlights two things: 1) the importance of an organization knowing its environment; and 2) the criticality of having an effective patch management process. Knowing your environment has three components: identifying all hardware, all software, and the location of all sensitive data on the network. That is extremely important when it comes to maintaining software updates. If you don’t do either particularly well, you become a statistic.

Curtis Dukes

I would say patch, but I suspect the people affected by this will not patch anytime soon. At least not until rampant fraud, theft, or ransomware affects the site they are neglecting. My dad was an auto mechanic. Most people need to be made aware of how to deal with car maintenance. I suspect most store owners will also be unaware of website maintenance, but not in this respect.

Moses Frost
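The campaign above abuses Magento's own template directive syntax in customer-supplied input, and Lee Neely's advice is to keep the WAF in blocking mode and to look back through traffic for signs of abuse. Akamai's actual indicators are not reproduced in this issue, so the following added example (written for this page, not Akamai's or Magento's code) uses a generic signal instead: it URL-decodes request paths and body fields, including double-encoded ones, and flags any that contain a Magento template directive such as `{{var ...}}` or `{{config ...}}`, which should never appear in a checkout or account form. The log format and the sample requests are constructed for the example; the directive list is taken from names Magento's template filter understands, but treat the list and the assumption that it is safe to flag them as tuning points for your own site.

```python
import json
import re
from urllib.parse import unquote_plus

# Directive names handled by Magento's template filter ({{var ...}}, {{config ...}}, ...).
# Assumption for this example: none of these belong in customer-supplied checkout or
# account fields, so their presence is a usable detection signal.
DIRECTIVES = ("var", "block", "config", "widget", "template", "trans", "depend", "if")
DIRECTIVE_RE = re.compile(r"\{\{\s*(" + "|".join(DIRECTIVES) + r")\b", re.IGNORECASE)


def decode_layers(value, max_rounds=3):
    """URL-decode repeatedly so single- or double-encoded braces become visible."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_directives(text):
    """Return the sorted set of template directive names found in one string."""
    return sorted({m.group(1).lower() for m in DIRECTIVE_RE.finditer(decode_layers(text))})


def scan_fields(obj, prefix=""):
    """Walk a parsed request body (dict/list/str) and map field paths to directive hits."""
    hits = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            hits.update(scan_fields(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.update(scan_fields(val, f"{prefix}{i}."))
    elif isinstance(obj, str):
        found = find_directives(obj)
        if found:
            hits[prefix.rstrip(".")] = found
    return hits


def scan_request(record):
    """record: dict with 'path' and 'body' (body already parsed into fields)."""
    hits = scan_fields(record.get("body", {}), "body.")
    path_hits = find_directives(record.get("path", ""))
    if path_hits:
        hits["path"] = path_hits
    return hits


# Constructed sample traffic, one JSON object per line (not real captured data).
SAMPLE_LOG = """
{"ip":"198.51.100.7","path":"/rest/V1/guest-carts/abc123/shipping-information","body":{"addressInformation":{"shipping_address":{"firstname":"Alice","lastname":"Smith","street":["1 Main St"]}}}}
{"ip":"203.0.113.9","path":"/rest/V1/guest-carts/abc123/shipping-information","body":{"addressInformation":{"shipping_address":{"firstname":"{{config path=\\"web/unsecure/base_url\\"}}","lastname":"x","street":["x"]}}}}
{"ip":"203.0.113.9","path":"/customer/account/createpost/?ref=%257B%257Bvar%2520probe%257D%257D","body":{"firstname":"Bob","lastname":"Jones"}}
{"ip":"198.51.100.8","path":"/customer/address/formPost/","body":{"firstname":"Carol","street":["{{ not a directive }}"]}}
""".strip().splitlines()


def scan_log(lines):
    """Return [(line_number, ip, hits)] for every request carrying a directive."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        record = json.loads(line)
        hits = scan_request(record)
        if hits:
            flagged.append((number, record.get("ip"), hits))
    return flagged


if __name__ == "__main__":
    for number, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {number} from {ip}: {hits}")
```

Run against the constructed sample, the script flags line 2 (a directive in a shipping address field) and line 3 (a double-encoded directive in the query string) while leaving the plain request and the bare-brace request alone. The same matching logic is what a WAF rule in blocking mode should apply to inbound requests, and the repeated decoding is the part most signature-only rules miss.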

2023-08-14

Microsoft Finds CodeSys Vulnerabilities

According to a Microsoft Threat Intelligence blog post, Microsoft “cyberphysical system researchers recently identified multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK), a software development environment widely used to program and engineer programmable logic controllers (PLCs).” The vulnerabilities affect CODESYS V3 versions earlier than 3.5.19.0. Microsoft disclosed the vulnerabilities to CODESYS in September 2022; the fixes shipped in version 3.5.19.0 earlier this year.


2023-08-14

Zoom Clarifies Terms of Service to Assuage Users’ Privacy Concerns

Zoom has added clarification to its recently updated terms of service, which appeared to allow the company to train AI models on the content of customers’ calls. Customer pushback prompted the company to update the terms of service to state that “Zoom does not use any of your audio, video, chat, screen sharing, attachments or other communications-like Customer Content (such as poll results, whiteboard and reactions) to train Zoom or third-party artificial intelligence models.”

The Rest of the Week's News


2023-08-14

DHS Cyber Safety Review Board Releases Lapsus$ Report and Turns its Focus to Cloud Security

The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) has completed its report on Lapsus$ and will next turn its attention to the attacks that led to the compromise of US government Microsoft Exchange email accounts. “The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs” and has outlined 10 recommendations for protecting systems from Lapsus$-style attacks. The CSRB will now examine “the malicious targeting of cloud computing environments.”

Editor's Note

Like most after action reports, this one states: “…Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data.” They also pointed out that the cell phone issue (like in many other cases) supported bypass of weak MFA implementations.

John Pescatore

No rest for the CSRB. Straight off publishing its second report it already has been assigned a third study. The Lapsus$ study highlights the dependency on mobile carriers to prevent SIM swapping and the use of social engineering to enable an attack. The first is preventable, but it comes at a cost to user experience; so, a balancing act for the mobile carrier. The second is far more difficult, as social media platforms are now fully integrated into society and people believe what they want to believe. The upcoming cloud security study will be interesting, I look forward to what new findings the board uncovers.

Curtis Dukes

I would highly recommend reading through the recommendations. Not all of them will apply to everyone. You may only be looking at the Outsourcing Responsibilities, or maybe just plain IAM and Passwordless. Nevertheless, worth the read!

Moses Frost

Just as the CSRB found that simple things were leveraged by Lapsus$ to be effective, I'm worried they will find low-hanging fruit in cloud environments also aids compromise. While I'm pretty sure we're past the non-secured storage phase, there are likely still shortcuts relating to rapid adoption of and migration to cloud services. Key things to check here are MFA use, particularly on Internet-facing services, rigorous identity management, and logging and monitoring, as you would for on-premises services; those are the starting points. Don't forget the CSP can make mistakes with the best of us; verify things are as requested.

Lee Neely

The recommendations from the initial report are the equivalent of the NTSB saying, “Keep your seatbelt fastened.” Jumping from the compromise of a private key by one cloud service provider all the way to cloud security does not seem well focused. That said, it may be that a CSRB investigation is the only way that we are likely to find out how that happened.

William Hugh Murray

2023-08-10

Amazon Using Badge Swipe Data to Detect Return-to-Office Noncompliance

Amazon is using data from building-entry badge-swipe systems to warn employees who appear not to be coming into the office as often as the company’s new return-to-office policy requires. The notifications went directly from Amazon to individual employees; the company shares anonymized badge-swipe data with managers.


2023-08-14

Ford Acknowledges Infotainment System Vulnerability

A buffer overflow vulnerability in the SYNC3 infotainment system used in Ford vehicles could be exploited to achieve remote code execution and potentially hijack the system. Ford recommends disabling the system’s Wi-Fi until a fix is available and says its vehicles remain safe to drive despite the security issue. Ford is developing a patch that customers will be able to download and install from a USB drive; customers who choose to may instead connect their cars’ infotainment systems to a network and receive the fix over the air.


2023-08-12

DEF CON: Wardle Details Security Problems with macOS Task Manager

At the DEF CON security conference in Las Vegas last week, researcher Patrick Wardle presented vulnerabilities in the macOS Background Task Management tool that could be exploited to keep it from reporting new persistence. Background Task Management debuted in October 2022 with the launch of macOS Ventura; it is designed to notify users and security tools when software establishes unexpected persistence.


2023-08-14

Colorado Healthcare Agency Discloses Data Security Incident Related to MOVEit

Late last week, Colorado’s Department of Health Care Policy and Financing (HCPF) disclosed a data security incident that exposed the personal information and protected health information of millions of people. The data were compromised when attackers exploited a vulnerability in the MOVEit Transfer file transfer software used by IBM, a third-party contractor to HCPF.


2023-08-14

Unknown Threat Actor Targets African Utility

An electric utility in an unnamed country in southern Africa was targeted with malware known as DroxiDat; researchers from Kaspersky say the incident occurred in March of this year. DroxiDat appears to be a variant of SystemBC, a backdoor and proxy often used as a precursor in ransomware attacks, although no ransomware was delivered to the utility’s network. The attackers deployed DroxiDat alongside Cobalt Strike.

Internet Storm Center Tech Corner