SANS NewsBites

ownCloud Critical Vulnerabilities Actively Exploited, Idaho National Labs Breached

November 28, 2023  |  Volume XXV - Issue #92

Top of the News


2023-11-27

ownCloud Patches Three Critical Vulnerabilities - Already Exploited

Last week, open source document sharing software ownCloud released advisories with fixes for three critical vulnerabilities. The first of these vulnerabilities, CVE-2023-49103, allows attackers to access critical credentials. The other vulnerabilities allow arbitrary file deletion and account takeover. The SANS Internet Storm Center detected attacks exploiting CVE-2023-49103 starting this weekend.

Editor's Note

The first of these vulnerabilities is trivial to exploit. In containerized installs, the vulnerability is devastating. Credentials for administrators, mail servers and cloud services used by ownCloud may be leaked. Assume compromise if you have exposed unpatched ownCloud installs.

Johannes Ullrich

CVE-2023-49103, CVSS score 10.0, can be fixed by deleting GetPhpInfo.php from the microsoft-graph/tests directory. Then change your secrets, to include ownCloud admin passwords, mail server and database credentials, and Object-Store/S3 access-keys. CVE-2023-49105, CVSS score 9.8, a WebDAV API authentication bypass, is mitigated by denying the use of pre-signed URLs where no signing-key is configured, and the third vulnerability, CVSS score 8.7, a subdomain validation bypass, is ideally mitigated by the updated oauth2 app, or you can disable the "Allow Subdomains" option until you apply the patch.

Lee Neely
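The file-removal step and the "assume compromise" advice above translate into two quick checks an administrator can run on an ownCloud host. The script below is an added example, not code from SANS or the ownCloud project: it locates (and optionally removes) any GetPhpInfo.php under a microsoft-graph/tests directory below the install root, and counts access-log lines that requested that script, which is the first thing to look at when deciding whether secrets must be rotated. The install root and log file are assumed to be passed as arguments, the log is assumed to hold one request per line in the usual Apache/nginx style, and the directory layout and log lines used by demo() are constructed for this example only.

```shell
#!/bin/sh
# Added example, not code from SANS NewsBites or the ownCloud project.
# Two quick checks for the CVE-2023-49103 mitigation described above:
#   1. find (and optionally remove) the leftover phpinfo test script under a
#      microsoft-graph/tests directory below the ownCloud install root;
#   2. count web-server access-log lines that requested that script, as a
#      first indication of whether the host was probed before the file went away.
# Assumptions: the install root and log file are given as arguments, the log
# holds one request per line in the usual Apache/nginx access-log style, and
# the directory layout and log lines used by demo() are constructed for this
# example only.
set -eu

# Print every GetPhpInfo.php sitting under a microsoft-graph/tests directory
# below the given root. No output means nothing to remove.
find_phpinfo_files() {
    find "$1" -type f -path '*/microsoft-graph/tests/GetPhpInfo.php'
}

# Delete the script(s) and print how many were deleted. This is only the
# file-removal part of the fix; the secrets the script could have exposed
# still have to be rotated.
remove_phpinfo_files() {
    n=$(find_phpinfo_files "$1" | wc -l | tr -d ' ')
    find "$1" -type f -path '*/microsoft-graph/tests/GetPhpInfo.php' -exec rm -f -- {} +
    echo "$n"
}

# Count log lines that request GetPhpInfo.php (case-insensitive). Requests
# vary in encoding and suffixes, so treat this as triage, not full detection.
# A missing log file counts as zero hits.
count_phpinfo_requests() {
    [ -f "$1" ] || { echo 0; return; }
    grep -ci 'GetPhpInfo\.php' "$1" || true
}

# Self-contained demo on a constructed layout and two constructed log lines.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vendor-example/microsoft-graph/tests"
    : > "$tmp/vendor-example/microsoft-graph/tests/GetPhpInfo.php"
    printf '%s\n' \
      '203.0.113.5 - - [26/Nov/2023:03:14:15 +0000] "GET /index.php HTTP/1.1" 200 512' \
      '203.0.113.5 - - [26/Nov/2023:03:14:16 +0000] "GET /vendor-example/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 98304' \
      > "$tmp/access.log"
    echo "files found:   $(find_phpinfo_files "$tmp" | wc -l | tr -d ' ')"
    echo "files removed: $(remove_phpinfo_files "$tmp")"
    echo "log hits:      $(count_phpinfo_requests "$tmp/access.log")"
    rm -rf "$tmp"
}

# Usage: sh owncloud_phpinfo_check.sh <owncloud_root> [access_log]
# With no arguments the constructed demo runs instead.
if [ -n "${1:-}" ]; then
    echo "files removed: $(remove_phpinfo_files "$1")"
    if [ -n "${2:-}" ]; then
        echo "log hits: $(count_phpinfo_requests "$2")"
    fi
else
    demo
fi
```

A non-zero hit count on a host that was reachable before the file was removed is the signal to treat every credential that instance held as leaked and rotate it; a zero count only means the web server did not log a request with that name, not that nothing happened.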

2023-11-22

Idaho National Lab Suffers Data Breach

The Idaho National Laboratory (INL) nuclear research lab has confirmed a November 19 breach of a system that supports its Human Resources (HR) applications. Compromised data include addresses, Social Security numbers, and financial account information. INL employs more than 5,000 people.

Editor's Note

The politically motivated hacking group SiegedSec is taking credit for the attack. While work to get to the root cause is ongoing, initial indications are that a subcontractor account without MFA was used to access data in their Oracle HCM instance. Things to consider here: First, make sure you're consistently implementing MFA across all environments. Second, don't allow unfettered Internet access to systems with sensitive data. Use Conditional Access or similar mechanisms, to include VPN, to limit access to vetted systems running an appropriate security profile. Third, make sure that your IDM processes include every user type so you're not leaving inactive, unauthorized accounts. Lastly, take a look at the logs you get from your SaaS services to not only ensure they are where your responders can analyze them, but that they also contain sufficient information to support forensic activities.

Lee Neely

The Labs and the DoE have always been of strategic importance. I wonder how many in the general cybersecurity population realize the importance of these labs. I suspect not as many as we would think.

Moses Frost

While details are sketchy, the breach highlights that no matter the size or security resources available, you too can be a victim of cyber-attack. The data lost to date mostly affects employees of the Lab as opposed to national lab research, and likely will be used as part of identity theft schemes.

Curtis Dukes

The Rest of the Week's News


2023-11-24

CTS Outage Affects Multiple UK Law Firms

CTS, a managed services provider for UK law firms, disclosed that a service outage was caused by a cyber incident. As of Friday, November 24, CTS was unable to predict when services will be fully restored.

Editor's Note

This appears to be a case of exploiting CitrixBleed at the third-party service provider, CTS. The UK is looking at legislation to increase security requirements for MSPs, but it's not clear when anything will materialize. If you're not in the UK, it's not going to do a lot for you anyway. What is happening is customer guidance is being provided to help you assess your MSP to ensure they are providing appropriate security.

Lee Neely

Yet another example of an attack on the supply chain of businesses. We need to develop business continuity plans to support the business in the event a vendor is compromised while also ensuring we manage as best we can the cyber-risk in the supply chain.

Brian Honan

An example of a single attack on a service provider that causes a business disruption for a large portion of an industry. This is not solely an issue with the legal sector, but rather includes other industry segments where service providers have consolidated as part of normal merger and acquisition opportunities.

Curtis Dukes

TIL that in the UK there is a provider specifically tailored for lawyers. This makes a lot of sense. Does that exist in other countries? It should.

Moses Frost

2023-11-24

Akamai Researchers Observe New Mirai Botnet Activity

Researchers at Akamai’s Security Intelligence Response Team (SIRT) have detected new Mirai botnet activity that exploits two as-yet unpatched vulnerabilities. The flaws target routers and video recorders using default passwords. Both vulnerabilities have been reported to vendors and fixes are expected to be released in December.

Editor's Note

Mirai is not going away. It still haunts us as there appears to be an unlimited supply of easily exploitable IoT vulnerabilities. This is the first time that Mirai has exploited unpatched/0-day vulnerabilities. Usually, Mirai exploits well known vulnerabilities.

Johannes Ullrich

Default passwords, the gift which keeps on giving. While we are pretty good at changing these in our work environment, we need to also encourage the same discipline at home. Then make sure that you're not exposing management interfaces to the Internet. Sure, it's cool to help a friend that way, but make sure it's really disabled when you're not actively doing so. Better still, go in person, don't even enable the risky access.

Lee Neely

It’s disappointing that default passwords are still used as an initial access vector to enable cyberattacks in 2023. The Center for Internet Security has recommended for well over a decade that default passwords be changed, and unique passwords be used, prior to device deployment. With easy access provided by default passwords, botnet activity, and DDoS attacks by extension, will only continue.

Curtis Dukes

Before we start blaming people for not changing default passwords on their devices at home, remember that for the vast majority of the community this is very hard for them. Every device is different, how you access it is different, the interfaces are different, the options are different, etc. It would be like the automotive industry stating that it is the car owner’s responsibility to make the first oil change for all their cars. If vendors are expecting people to change the default passwords, they should make it as simple as possible.

Lance Spitzner

2023-11-20

Former Cybersec Exec Instigated Attacks Against Hospitals to Drum Up Business

Former cybersecurity firm chief operating officer (COO) Vikas Singla has pleaded guilty to intentional damage to a protected computer related to cyberattacks against two Atlanta-area hospitals. Singla carried out the 2018 attacks, and then attempted to sell the company’s services to the affected hospitals. Singla has agreed to pay more than $800,000 in restitution. Sentencing is set for February 15, 2024.

Editor's Note

Including the attack you committed on the potential customer in your services sales-pitch is pretty low. Even so, this would be a good time to leverage a VDP for a second set of eyes on weaknesses, noting any overlap between the reported issues and offers to secure your firm against those same weaknesses. Don't fail to prioritize and address anything discovered in your VDP.

Lee Neely

This used to be a mythical story that we all told each other: those evil hackers would hack you to drum up business. I guess some urban legends become self-fulfilling prophecies. Which class will this article show up in as an example?

Moses Frost

2023-11-27

Secure AI System Development Guidelines

The UK National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency (CISA) and similar organizations from 16 other countries have published guidelines for secure AI system development. The guidelines address four stages in the development lifecycle: secure design, secure development, secure deployment, and secure operation and maintenance.

Editor's Note

This guidance is based on AI, which includes machine learning, not just GenAI or LLMs, and while focused on developers of AI systems, it's a good read if you're looking to better understand the problems/risks with incorporating AI into your business processes. Don't overlook that part of the supply chain security in AI includes the model/foundation and the data set it's trained on, then monitoring these continuously, knowing where it's deployed and ensuring adequate testing is done prior to release or deployment. This guidance also hopes to foster a culture of shared lessons learned to more quickly raise the bar collectively on AI security.

Lee Neely

Other than an increased focus on data integrity, AI system development really isn’t any different from any other secure software or system development activity. The same secure design, secure development, secure deployment, and secure operation principles still apply. That said, it’s always good to reiterate them as part of AI system development guidelines.

Curtis Dukes

IBM, a pioneer in AI, has a blog post addressing aligning AI with values. They admit that it is a hard problem, not because of the technology, but because of the tension among values. https://research.ibm.com/blog/what-is-alignment-ai

William Hugh Murray

2023-11-23

Kansas Supreme Court Provides Additional Details About October Breach

The Kansas Supreme Court has issued a statement about the October 12 ransomware attack against its systems. The incident disrupted access to court information systems, and more than a month later, many of the court's systems remain offline. The new statement reveals that the perpetrators stole data, including Office of Judicial Administration files, district court case records on appeal, and other confidential information.

Editor's Note

The statement also expresses sorrow for the suffering the citizens face from the attack, as well as re-affirming they will stick to their core values as they work to resolve this case. Consider the value of the human element and acknowledgement of the impact on customers when planning your incident communication.

Lee Neely

2023-11-21

CISA Pilot Program Will Provide Cybersecurity Shared Services for Critical Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced a pilot program to broaden its scope of managed security services to non-federal entities that support the country’s critical infrastructure. CISA says it “has acted as a managed service provider to the federal civilian government for years and observed significant risk reduction along with the benefits of cost-savings and standardization.”

Editor's Note

In short, CISA is looking to offer their services as an MSP to non-federal organizations. While still a pilot, this could provide coverage for many small, privately owned utilities which may not otherwise be able to afford this sort of cyber support. Reach out to your local CISA office to learn more.

Lee Neely

CISA has matured in its selection and delivery of cybersecurity services over the past decade. This pilot has a focus on healthcare, water, and K-12 entities, which have become frequent targets of ransomware gangs. The only downside is a limit of 100 entities for the pilot program, but it is a start. Hopefully they can scale up quickly to protect the tens of thousands of entities that make up these three critical infrastructure sectors.

Curtis Dukes

CISA being an MSSP for the government. Thoughts? I know many companies that have this model, and it can work at scale. You do lose control of specific decisions in security, but then again, did you have the budget to run the systems yourselves?

Moses Frost

2023-11-27

Fidelity National Discloses Breach in SEC Filing

In a November 19 filing with the US Securities and Exchange Commission (SEC), Florida-based Fidelity National Financial disclosed that they recently experienced a cybersecurity incident that disrupted operations. The perpetrators reportedly gained access to company data and stole credentials.

Editor's Note

The Alphv/BlackCat ransomware group has already claimed responsibility for the attack, and the posturing has commenced for data release if ransom is not paid. FNF claims the attack used compromised credentials. FNF is one of the largest title insurance entities and underwriters in the US, also offering settlement services to the real estate and mortgage industries. The thing is that at some level, phishing resistant MFA has to be SOP, particularly for larger companies. While SMBs may not be able to afford a comprehensive program, they can look to implement services which are already in their existing services to strengthen authentication.

Lee Neely

FNF is a massive company with many subsidiaries. Stories are circulating that people can’t pay their mortgages and some have stated that their escrow payments have disappeared. I would keep an eye on this one as I don’t think it will be a permanent issue but this one may have legs.

Moses Frost

2023-11-27

Pennsylvania Water Utility Acknowledges Cybersecurity Incident

Over the weekend, the Municipal Water Authority of Aliquippa (Pennsylvania) disclosed that one of its booster stations that regulates and monitors water pressure for two towns was breached by a state-sponsored threat actor. An alarm alerted the utility to the intrusion, and they took the affected system offline.

Editor's Note

Too often attackers are leveraging weaknesses in Human Management Interfaces (HMIs) which are exposed to the Internet. Today, the risks far outweigh the convenience of being able to directly reach management interfaces. Require a VPN or other secure access path before granting access to any management interface.

Lee Neely

Allowing remote access to your OT environment can be a ‘double-edged sword.’ While it creates efficiencies in the management of the critical infrastructure, it also opens a pathway for cyberattack. In this case the water authority had enabled alerting on changes to the environment and quickly took the system off-line. At a minimum, local government should track all remote access to the OT environment and put in place risk mitigation strategies for the eventuality of compromise.

Curtis Dukes

2023-11-27

Google Drive Users Say They’ve Lost Data

Last week, some Google Drive users began reporting that some of their stored files appear to have been lost. The service reverted to a storage snapshot from May 2023, and all new data and file structures created since then have reportedly disappeared.

Editor's Note

If you're affected, the best action is to not change your Google cloud storage, particularly the root/data folder until this is resolved, instead open a support ticket with Google. If you have room, copy your app data folder to a local hard drive. Google Drive tier one support appears to be volunteers, which means the ticket is needed to escalate to the paid support engineers. Take a look at where you're using non-enterprise cloud services to store enterprise data and revisit the backup and recovery processes for those to make sure that you're not needlessly risking data loss.

Lee Neely

If you haven’t looked at Cloud Backup solutions so that you’re not holding all your data solely in Google Drive, OneDrive, etc., you should.

Moses Frost

A week since the first reports; no resolution. May be limited to tens to low hundreds of users. May be a desktop client side problem but users complaining have been silent on their configurations. Some workarounds being discussed this AM.

William Hugh Murray

Internet Storm Center Tech Corner