SANS NewsBites

CISA Warns of ColdFusion Exploits; Microsoft Provides Windows 10 EOS Guidance; All Five Eyes on Memory Safety

December 8, 2023  |  Volume XXV - Issue #95

Top of the News

2023-12-06

CISA ColdFusion Advisory

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory confirming the exploitation of an improper access control vulnerability in Adobe ColdFusion. The vulnerability (CVE-2023-26360) was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on March 15 with a mitigation date of April 5. Threat actors used the vulnerability to compromise servers at a federal civilian executive branch (FCEB) agency. The advisory includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations for detection and protection.

Editor's Note

It’s time to bid adieu to ColdFusion. CVE-2023-26360, CVSS score of 8.6, is being actively exploited and is present in older ColdFusion 2016 and ColdFusion 11, which are unsupported, as well as the 2018 and 2021 versions, which have updates. If you can’t migrate off, look to add a WAF in front as well as implementing signed executable policies, in addition to MFA and aggressive patch management.

Lee Neely

2023-12-06

Microsoft: End of Support Date for Windows 10

Microsoft has announced that it will stop providing full security support for Windows 10 as of October 14, 2025. Microsoft recommends upgrading to Windows 11, but will offer extended security updates for an annual subscription fee.

Editor's Note

Interesting that Microsoft offers extended support for Windows 10 Home. I doubt they are expecting a lot of home users to sign up for it. But there may be more Windows 10 Home in use in enterprises than expected. This in itself could be an issue. Windows Home does not include all the security and management features enterprises need to properly configure these systems.

Johannes Ullrich

This is above the security organization, but it is really time for CIOs to say, “At the end of 2025, should we really be supporting user devices that run big honking operating systems when they need to be patched more frequently than monthly, and are mostly (if not exclusively) accessing applications that are running in the cloud vs. on device?” From a security perspective, removing Windows from the threat chain is a major raising of the bar. If Windows stays in the user device picture, cost of patching/mitigating/re-imaging has to be part of budget planning.

John Pescatore

Windows 11 was released in October 2021 as a free upgrade. With the upgrade to Windows 11 came a set of system requirements that many users likely did not meet. That said, four years is plenty of time to implement a migration plan from Windows 10 that includes the needed hardware refresh.

Curtis Dukes

2023-12-07

Five Eyes Countries Guidance to Help Eliminate Memory Safety Issues

Intelligence agencies from the Five Eyes nations (Australia, Canada, New Zealand, the UK, and the US) have jointly published The Case for Memory Safe Roadmaps, guidance to help software developers and C-suite executives create memory safe code. The document urges developers to transition to memory safe programming languages (MSLs) and migrate codebases to MSLs.

Editor's Note

This short list of problems accounts for a major part of the vulnerability of our infrastructure. It seems clear that we cannot rely upon programmers using popular tools to avoid them. It is past due time to switch to new tools.

William Hugh Murray

2023-12-08

Holiday Hack Challenge

The much-anticipated SANS #HolidayHack Challenge is officially open for play!

As Santa Claus triumphantly surfs the waves of cybersecurity in the Geese Islands, he invites you to join him in an epic quest to save the holidays from cyber attacks.

Play for free now: https://www.sans.org/mlp/holiday-hack-challenge-2023/

The Rest of the Week's News

2023-12-06

Sierra Router Vulnerabilities

Researchers at Forescout Vedere Labs have detected more than 20 vulnerabilities affecting Sierra routers. Some of the flaws affect the OpenNDS and TinyXML open source components. Sierra’s Wireless AirLink cellular routers are used in operational technology (OT) systems and Internet of Things (IoT) devices in the critical infrastructure sector.

Editor's Note

The most severe vulnerability in this set is a vulnerability in the Captive Portal code, OpenNDS, which was also known as "nodogsplash". Just this week we observed scans for this component by some Russian hacktivists; see https://isc.sans.edu/diary/rss/30450 (Zarya Hacktivists: More than just Sharepoint).

Johannes Ullrich

The TinyXML open source component is essentially abandoned, but Sierra created fixes for the flaws in their routers. The updates address all of the 20 vulnerabilities. While you may be thinking you’re off the hook in that exploitation has to be done from the WiFi interface, a compromised system could be leveraged here, so you really need to get those updates out.

Lee Neely

The addition of 21 vulnerabilities is even more troubling when the same research also indicates two-thirds of deployed routers remain unpatched for previously reported vulnerabilities. Internet-facing OT devices must be part of an organization's patch management process.

Curtis Dukes

2023-12-07

HHS Fines Clinic $480,000 for Phishing-based HIPAA Violation

The US Department of Health and Human Services (HHS) has reached a settlement with Lafourche Medical Group over a Health Insurance Portability and Accountability Act (HIPAA) violation stemming from a phishing attack. The incident, which was reported in 2021, involved the compromise of personal health information belonging to 35,000 people.

Editor's Note

What is being targeted is the lack of a security monitoring/risk posture assessment program. Something which has to be continually done and updated. If you’re in a regulated industry, you’re aware of the requirements. What’s new is substantial fines after an incident. Maybe go make sure you’re not just checking a box here.

Lee Neely

A relatively small incident like this will typically have hard react/recover/restore/communicate costs in the $4-5M range, so the fine is just a 10% uplift. This one is a smaller example of the previous item on the East River Imaging compromise.

John Pescatore

Over the last 18 months or so, we’ve seen several settlements at both the state and federal level for violations of basic cybersecurity requirements that led to a data breach. This is but the latest enforcement action. Besides the fine, Lafourche Medical Group must implement several corrective actions to comply with HIPAA cybersecurity rules. This, and the other settlements, should serve as a wakeup call that basic cybersecurity requirements will be enforced.

Curtis Dukes

2023-12-07

Medical Imaging Service Center Breach

East River Medical Imaging (ERMI) has begun notifying more than 600,000 people that their personal information may have been compromised in a breach of the company’s systems. ERMI detected suspicious activity on its network on September 20; an investigation determined that intruders had access to the network for three weeks prior to the discovery. ERMI reported the incident to the Department of Health and Human Services Office for Civil Rights (HHS OCR) on November 22.

Editor's Note

Mid-sized medical services firms are attractive targets because of the billing data they store and the fact that they are often not large enough to have strong security teams or management focus on security/safety as they went online – and attackers have been taking advantage of both factors. If you are in a similar situation, use this one to convince management that the cost of avoiding a $50M incident is lower than going through one.

John Pescatore

The attackers had access to their systems from August 31st to September 20th. Impacted people were notified starting around Thanksgiving. ERMI is offering complimentary credit monitoring to those whose Social Security or driver’s numbers were part of the impacted data. If you’re a customer of ERMI, you want to check for fraudulent activity and, even if not impacted, set up credit monitoring and identity restoration services.

Lee Neely

2023-12-07

HHS’s Proposed Healthcare Sector Cybersecurity Strategy

The US Department of Health and Human Services (HHS) has published a cybersecurity strategy to help hospitals address cybersecurity concerns. HHS is seeking comments on proposed cybersecurity requirements that could tie Medicare and Medicaid funding to implementation of baseline security standards. The document also proposes updates to the Health Insurance Portability and Accountability Act (HIPAA) that would impose new cybersecurity requirements.

Editor's Note

Restaurants that have unhealthy/unsanitary food handling conditions are routinely shut down and produce containing deadly bacteria is routinely removed from grocery store shelves. The HHS plan has steps to push out (voluntary standards which largely exist already) and to “Provide resources to incentivize and implement these cybersecurity practices.” After that, enforcement has to be part of the strategy.

John Pescatore

As cybersecurity strategies go, nothing surprising here. Instead of creating yet another set of voluntary cybersecurity requirements, leverage what already exists and enforce them. Accountability has to be the crucial component of the strategy.

Curtis Dukes

2023-12-07

WordPress Update Fixes RCE Vulnerability

WordPress version 6.4.2 addresses a remote code execution flaw that could be chained with another flaw to execute arbitrary PHP code. The Property Oriented Programming (POP) chain issue was introduced in WordPress core 6.4, which was released in early November.

Editor's Note

For a change, this flaw impacts WordPress core. The flaw was introduced in version 6.4 and is patched in 6.4.2. While this should be automatically installed, check your servers to be sure. Wordfence released a WAF rule on 12/6 for paid users, which will be available on 1/5 for the free version.

Lee Neely

2023-12-06

US Government and Military Contractor Austal Confirms Breach

Austal USA has confirmed that their systems were the target of a cyberattack. A company spokesperson said they were able to mitigate the attack and that their operations were not affected. An investigation is underway.

Internet Storm Center Tech Corner

5G Vulnerabilities

https://isc.sans.edu/diary/5Ghoul+Impacts+Implications+and+Next+Steps/30462

Revealing the hidden Risks of QR Codes

https://isc.sans.edu/diary/Revealing+the+Hidden+Risks+of+QR+Codes+Guest+Diary/30458

Whose packet is it anyway: a new RFC for attribution of internet probes

https://isc.sans.edu/diary/Whose+packet+is+it+anyway+a+new+RFC+for+attribution+of+internet+probes/30456

Cobalt Strike's "Runtime Configuration"

https://isc.sans.edu/diary/Cobalt+Strikes+Runtime+Configuration/30426

Holiday Hack Challenge

https://www.sans.org/mlp/holiday-hack-challenge-2023/

Windows 10 End of Support

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/plan-for-windows-10-eos-with-windows-11-windows-365-and-esu/ba-p/4000414

Apache Struts 2 Vulnerability CVE-2023-50164

https://cwiki.apache.org/confluence/display/WW/S2-066

MLFlow Vulnerability

https://www.contrastsecurity.com/security-influencers/discovering-mlflow-framework-zero-day-vulnerability-machine-language-model-security-contrast-security

https://mlflow.org/category/news/index.html

Abusing STS Tokens

https://redcanary.com/blog/aws-sts/

Atlassian Vulnerabilities

https://confluence.atlassian.com/security/security-advisories-bulletins-1236937381.html

Adobe ColdFusion Exploit Abused

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a

Atos Unify OpenScape Vulnerability

https://sec-consult.com/vulnerability-lab/advisory/argument-injection-vulnerability-in-multiple-atos-unify-openscape-products/

ExtremeXOS Vulnerabilities

https://rhinosecuritylabs.com/research/extreme-networks-extremexos-vulnerabilities/