SANS NewsBites

Thousands of Vulnerable Microsoft Exchange Servers Detected; EU Cyber Resilience Act; 23andMe Breach Upgraded to Millions

December 5, 2023  |  Volume XXV - Issue #94

Top of the News


2023-12-03

ShadowServer Foundation Detects Thousands of Vulnerable Microsoft Exchange Servers

Scans from the ShadowServer Foundation indicate that there are nearly 20,000 publicly available Microsoft Exchange servers that are running software that is no longer supported. More than half of the vulnerable servers are located in Europe; just over 6,000 are located in North America, and 2,200 are located in Asia.

Editor's Note

It really is time to not host your own Exchange server. The cost of keeping it updated, as well as keeping up with the security settings needed in today's threat landscape, generally exceeds the cost of M365 or another hosted service.

Lee Neely

As all these Exchange servers are externally facing, they can, and likely will, be targeted by evil doers. What’s unknown is whether some of these servers are simply honeypots used to collect malware. In any event, the only solution is to upgrade to a supported version of the mail server.

Curtis Dukes

If your company cafeteria still serves sandwiches using mayonnaise with a “Use before April 12th, 2007” warning, you should probably fire the cafeteria manager. The same is probably true for whoever has made the decision to continue using Exchange Server 2007.

John Pescatore

2023-12-01

EU Cyber Resilience Act

The European Union’s Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for all hardware and software products. Developers will be required to implement cybersecurity measures throughout the lifecycle of their products. The European Parliament and the EU Council reached a political agreement on the measure over the weekend; the CRA must still be formally approved by both entities. Once the CRA takes effect, organizations will have 21 months to implement incident and vulnerability reporting measures, and three years to adopt the other requirements.

Editor's Note

This is a significant piece of regulation that is going to have a major, and in my opinion positive, impact on cybersecurity. Vendors will have to ensure their products, software and/or hardware, meet a minimum level of requirements. For far too long the onus of securing a product has been laid on the consumer; vendors now have to be responsible for ensuring the security of their products. This will have far-reaching implications for cybersecurity outside of the EU and should only be seen as a net positive in making systems more secure.

Brian Honan

The act inserts the EU as the single authority of what’s good enough from a security perspective for all digital products destined for the European market. In today’s global marketplace, that’s all the world’s digital products. As written, there are 15 sets of ‘essential cybersecurity requirements’ for all products with digital elements and an even larger set of requirements for products deemed ‘critical.’ The act also imposes sanctions and substantial fines for non-compliance. Perhaps the act is nothing more than a new revenue source for the EU under the guise of increasing cybersecurity resiliency. What’s unclear is whether vendors a) ignore the CRA, tempting enforcement action; b) seek State-level diplomacy; or c) simply abandon the EU market altogether.

Curtis Dukes

I’m excited about this one as there are millions of devices on the Internet with absolutely no security baked into them (wide open ports, no updating processes, default passwords, confusing interfaces, difficult to maintain). This is a first step requiring vendors to bake security into these devices. What will be interesting is that a huge number of those devices are designed and manufactured in China.

Lance Spitzner

2023-12-04

23andMe Data Breach Affects Millions of People

In a filing with the US Securities and Exchange Commission (SEC), the genetic testing company 23andMe said that an October breach of its systems compromised data belonging to nearly seven million people. The information includes ancestry reports and health-related data. The SEC filing amends an earlier filing that estimated the number of affected people to be 14,000. In early November, 23andMe implemented two-factor authentication for account access.

Editor's Note

An article by CNBC from 2018 states about companies offering DNA testing: "their business future depends on maintaining the trust of consumers." The article was written after the FTC started investigating some of these companies, including 23andMe, for their data handling and sharing practices. Consumers need to carefully compare the risk of having their data stolen over the health benefit. Sadly, most consumers will just compare price, which means that companies are better off saving money on data protection and adding additional revenue from data sharing agreements to offer cheaper tests. https://www.cnbc.com/2018/06/16/5-biggest-risks-of-sharing-dna-with-consumer-genetic-testing-companies.html

Johannes Ullrich

This really doesn’t come as a surprise to anyone as organizations typically underestimate the data loss while the forensics investigation continues. Perhaps the standard should be, assume 100 percent data loss until the investigation concludes.

Curtis Dukes

These include credential-stealing attacks. Whether you’re actively using 23andMe or you did their DNA test and nothing more, go to your account and enable two-factor authentication. Help users leverage a password manager to make sure that credentials aren’t reused.

Lee Neely

The Rest of the Week's News


2023-12-04

US Credit Unions IT Systems Disrupted After Ransomware Attack on Third-Party Provider

More than 50 US credit unions are experiencing outages following a ransomware attack on cloud services provider Ongoing Operations. A National Credit Union Administration (NCUA) spokesperson said that Ongoing Operations notified several credit unions that it was hit with a ransomware attack on November 26.

Editor's Note

Trellance owns Ongoing Operations. Users of any Trellance services should check for compromise and obtain assurances from Trellance about their vulnerability management processes.

John Pescatore

Unlike big banks, credit unions often depend on service providers to provide the services members need, such as an outsourcer called a Credit Union Service Organization (CUSO). While they work hard to make sure they are secure, just as when one of our third-party providers falls, they are similarly affected. What’s interesting here is that the affected credit unions are working together with the CUSO on the recovery.

Lee Neely

An example of a ransomware attack on a managed service provider (MSP) affecting a segment of the financial industry. Intentional and unintentional (in this case) supply chain attacks are becoming all too common. Disruption of IT services should be a normal part of risk management planning and part of the risk register for regular review by the executive team.

Curtis Dukes

2023-12-02

Health Sector Urged to Patch Citrix Vulnerability

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has published an alert urging health care entities to patch their systems against the Citrix Bleed vulnerability. Citrix released updated versions of NetScaler ADC and NetScaler Gateway in October.

Editor's Note

Citrix users need to go beyond patching. Review the controls you have enabled around your Citrix deployment, and what else you can do to detect compromise. Citrix's history suggests that there will be more vulnerabilities in the future. In particular for installs that are critical for remote access, you will need to enable whatever controls you can to prevent compromise. Do not just rely on reactive patching.

Johannes Ullrich

Threat actors are actively scanning for systems vulnerable to CitrixBleed. This is going to be like MOVEit or other recent vulnerabilities: apply the patch and make sure these services are not internet accessible.

Lee Neely

What’s troubling is that HHS still felt the need to publish an alert 50-ish days after the initial vulnerability disclosure by Citrix. That’s like an eternity in attacker time. If hospitals haven’t prioritized the patch by now, well, frankly, it’s too late.

Curtis Dukes

2023-12-04

Android December 2023 Security Bulletin

Google’s December 2023 security update release for Android includes fixes for more than 80 vulnerabilities, including a critical vulnerability in Android’s System component. The flaw can be exploited to remotely execute code with no additional privileges. The other vulnerabilities include three critical flaws that could lead to remote code execution and information disclosure.

Editor's Note

CVE-2023-40088, the zero-click RCE which requires no added privileges to execute, doesn’t yet have a CVSS score. Treat this like you would a zero-day or mitigating the Pegasus malware. Push this update to your devices as soon as it’s available from your OEMs. This is a good time to verify the level of visibility you have into your devices and patch levels.

Lee Neely

Google both issues these security bulletins and provides software updates for its Pixel devices at the same time. Unfortunately, the rest of the Android ecosystem must test their devices prior to releasing patches. This presents an opportunity for attackers to reverse engineer the Google supplied patches, find the root vulnerability, and target unpatched devices – a vicious cycle that currently favors evil-doers.

Curtis Dukes

2023-12-04

Threat Actors Targeting US Aerospace Firm

The BlackBerry Threat Research and Intelligence Team is tracking a cyberthreat actor that has been targeting a US aerospace company. Dubbed AeroBlade, the threat actor gained an initial presence in the targeted system through spear phishing. Their likely goal is espionage. BlackBerry researchers say the active offensive portion of the attack took place in July 2023.


2023-12-04

Multiple Agencies Warn of Threat Actors Exploiting PLCs at Water Utilities

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) have jointly released a cybersecurity advisory regarding cyber threat actors exploiting weaknesses in programmable logic controllers (PLCs) in water and wastewater systems. The advisory includes indicators of compromise (IoCs) and recommends that water utilities implement multifactor authentication, check PLCs for default passwords, and employ strong, unique passwords.

Editor's Note

Beyond the above recommendations, protect PLCs with segmented or isolated networks, and always require VPN/bastion hosts and similar measures. Never allow direct access from the Internet or other untrusted networks.

Lee Neely

2023-12-04

P2Pinfect Botnet Variant Takes Aim at New Target

A newly observed variant of the P2Pinfect botnet is targeting the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. Researchers at Cado Security Labs, which has been monitoring the botnet since July 2023, say the new target indicates the botnet operators are focusing their efforts on embedded devices, such as routers and other Internet of Things (IoT) devices.

Internet Storm Center Tech Corner

Zarya Hacktivists: More than just Sharepoint

https://isc.sans.edu/diary/Zarya+Hacktivists+More+than+just+Sharepoint/30450

ICANN Registration Data Request Service (RDRS)

https://rdrs.icann.org/

Android Updates

https://source.android.com/docs/security/bulletin/2023-12-01

Fake Phishing Scan Tricks Users into Installing Backdoor Plugin

https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/

GitLab Patches

https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/

UEFI Exploit via Boot Image

https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/index.html

Qlik Sense Exploited by Cactus Ransomware

https://arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/

https://www.praetorian.com/blog/qlik-sense-technical-exploit/

VMWare Vulnerability Patched

https://www.vmware.com/security/advisories/VMSA-2023-0026.html