SANS NewsBites

ArcaneDoor Uses Novel Cisco Bugs for Persistence; Cybersecurity Practitioner Licensing; PAN-OS Updated Remediation Knowledge Base; President's Cup Cybersecurity Competition Winners

April 26, 2024  |  Volume XXVI - Issue #33

Top of the News


2024-04-25

ArcaneDoor Cyber Espionage Campaign Targeted Perimeter Network Devices

Cisco Talos has published a report detailing a cyber espionage campaign that targeted Cisco Adaptive Security Appliances (ASA) to gain access to government networks in several countries. Cisco has released updates to address the two vulnerabilities exploited in the campaign: a denial-of-service issue (CVE-2024-20353) and a persistent local code execution flaw (CVE-2024-20359). While most of the activity occurred in December 2023 and January 2024, Cisco Talos found evidence that the campaign, dubbed ArcaneDoor, was being tested as early as last summer.

Editor's Note

The flaws patched by Cisco require authentication. Cisco states that they do not know how the attacker obtained initial access, but verify that authentication is configured properly and verify the password security for any devices. There have been persistent brute force attacks against these devices in the past.

Johannes Ullrich

The attackers are using an in-memory implant called Line Dancer, which is used to disable syslog, exfiltrate the configuration, create packet captures, write to memory, and hook the crash dump and AAA processes to allow authentication and bypass/disable crash dumps needed for forensic analysis. Persistence is maintained with a backdoor called "Line Runner", which leverages the legacy capability to pre-load updated VPN clients and plugins on ASA devices. The update from Cisco prevents this technique from working; however, it doesn't remove Line Runner, so you need to check for new or unusual zip files, copy them off, and report them to Cisco as requested. Details on removing them are in the Talos blog.

Lee Neely

Brute force attacks against operator-less public network facing devices have been increasing. It is important to know if your devices are seeing and resisting such attack traffic.

William Hugh Murray

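The two checks the editors point to above, looking for unexpected zip files on disk0: (Line Runner's staging location) and watching for brute-force authentication attempts, can be scripted over output collected from the device. The following is an added example written for this issue, not code from Cisco or Talos; the "dir disk0:" listing and the ASA syslog lines (message 113005, AAA authentication rejected) are constructed samples, and the threshold of three rejections is an arbitrary starting point you would tune to your environment.

```go
// Added example, not from the Talos report or from Cisco: two of the triage
// checks suggested above, run over constructed sample output so it works offline.
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of "dir disk0:" output from an ASA. The zip file is the
// kind of artifact Line Runner relies on; everything else is routine content.
const sampleDirDisk0 = `Directory of disk0:/

10     -rwx  43880448   12:09:24 Jan 19 2024  asa9-16-4-smp-k8.bin
11     -rwx  14         09:30:41 Jan 22 2024  client_bundle.zip
12     drwx  4096       08:12:03 Sep 02 2023  log
13     -rwx  2048       08:12:03 Sep 02 2023  .private
14     -rwx  191        17:20:10 Dec 15 2023  anyconnect-profile.xml

8192000000 bytes total (5998051328 bytes free)
`

// Constructed ASA syslog lines in the shape of message 113005 (AAA user
// authentication rejected). Addresses come from documentation ranges.
const sampleSyslog = `Apr 25 2024 10:01:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = admin : user IP = 203.0.113.7
Apr 25 2024 10:01:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = admin : user IP = 203.0.113.7
Apr 25 2024 10:01:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = cisco : user IP = 203.0.113.7
Apr 25 2024 10:01:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = root : user IP = 203.0.113.7
Apr 25 2024 10:02:10 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.5 : user = jdoe : user IP = 198.51.100.20
Apr 25 2024 10:02:15 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = jdoe
`

// findArchives returns the non-directory entries in "dir disk0:" output whose
// name ends in .zip. Per the guidance above, such files are copied off and
// reported, not deleted in place.
func findArchives(dirOutput string) []string {
	var found []string
	for _, line := range strings.Split(dirOutput, "\n") {
		fields := strings.Fields(line)
		// Entry lines: index, permissions, size, time, Mon DD YYYY, name.
		if len(fields) < 8 || strings.HasPrefix(fields[1], "d") {
			continue
		}
		if _, err := strconv.Atoi(fields[0]); err != nil {
			continue
		}
		name := fields[len(fields)-1]
		if strings.HasSuffix(strings.ToLower(name), ".zip") {
			found = append(found, name)
		}
	}
	return found
}

var rejectedRe = regexp.MustCompile(`%ASA-\d-113005: .*user = (\S+) : user IP = (\S+)`)

// rejectedLogins counts AAA rejections per source address.
func rejectedLogins(syslog string) map[string]int {
	counts := make(map[string]int)
	for _, line := range strings.Split(syslog, "\n") {
		if m := rejectedRe.FindStringSubmatch(line); m != nil {
			counts[m[2]]++
		}
	}
	return counts
}

// suspiciousSources returns, sorted, the addresses at or above threshold.
func suspiciousSources(counts map[string]int, threshold int) []string {
	var out []string
	for ip, n := range counts {
		if n >= threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, z := range findArchives(sampleDirDisk0) {
		fmt.Printf("suspicious archive on disk0: %s (copy off and report, do not delete)\n", z)
	}
	counts := rejectedLogins(sampleSyslog)
	for _, ip := range suspiciousSources(counts, 3) {
		fmt.Printf("possible brute force from %s: %d rejected logins\n", ip, counts[ip])
	}
}
```

The zip check is a file-name heuristic only: a finding is a reason to capture the file and follow the Talos guidance, not proof of compromise, and an absence of zip files does not clear a device that Line Dancer may have touched in memory.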
Read more in

Talos Intelligence: ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

Cisco: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability

Cisco: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability

Wired: ArcaneDoor Cyberspies Hacked Cisco Firewalls to Access Government Networks

The Register: Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes

Ars Technica: Nation-state hackers exploit Cisco firewall 0-days to backdoor government networks

SC Magazine: Cisco firewalls targeted in sophisticated nation-state espionage hack

Dark Reading: Cisco Zero-Days Anchor 'ArcaneDoor' Cyber Espionage Campaign

Gov Infosecurity: Cisco Fixes Firewall 0-Days After Likely Nation-State Hack


2024-04-22

Licensing Cybersecurity Practitioners

Three countries, Ghana, Singapore, and Malaysia, have passed legislation requiring cybersecurity companies to be licensed; in some cases the requirement applies to independent practitioners as well. Singapore has required cybersecurity service providers to be licensed since 2022, and Ghana since 2023. Malaysia passed its cybersecurity practitioner licensing legislation earlier this month.

Editor's Note

Businesses in general would never use an electrician or plumber that wasn't licensed and didn't carry an active business insurance policy. The same should certainly be true in selecting cybersecurity service providers. But in the US, states generally determine standards of workmanship as well as apprenticeship/licensing/certification requirements for skills/capabilities that are judged to be needed to adhere to those standards of workmanship. Federal requirements in the US for cybersecurity workmanship (let alone software quality and liability) aren't likely to happen anytime soon, if ever, in the US.

John Pescatore

This will be worth watching. Licensing has benefits as it validates a certain level of knowledge by individuals (certification) and business process by companies (accreditation). The devil will be in the details, as the requirements for licensing come later, and whether they will grandfather in existing certification schemes.

Curtis Dukes

The idea is to offset risks of hiring unqualified professionals, possibly resulting in a registry of talent to draw upon, but the regulations also strengthen government oversight and regulation capabilities related to cyber activities, in some cases allowing for unlimited search and seizure powers as well as making activities by non-licensed cyber security researchers difficult if not illegal.

Lee Neely

It is not clear what problem such licensing is intended to solve, though our field is rife with pretenders. One recalls the abortive attempt by the state of New Jersey to license software "engineers" that was killed by the opposition of mere "programmers." One supports a requirement that one who holds oneself out as an engineer be held to the traditional standards of that profession, including licensing.

William Hugh Murray

2024-04-25

Palo Alto Networks Offers Knowledge Base Article on Remediation of PAN-OS

Palo Alto Networks has updated its security advisory for the command injection vulnerability (CVE-2024-3400) in the GlobalProtect feature of PAN-OS software to include a link to a knowledge base article containing information about remediating affected devices.

Editor's Note

This update contains additional insight you can leverage to make sure the updates you applied are indeed the droids you're looking for. Also note that they now state that disabling device telemetry is NOT an effective mitigation, as it is not required to exploit the vulnerability.

Lee Neely

2024-04-19

President's Cup Cybersecurity Competition Winners

The US Cybersecurity and Infrastructure Security Agency (CISA) hosted the final round of the fifth annual President's Cup Cybersecurity Competition last week, a national competition designed to recognize the top federal cybersecurity talent. This year's winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and U.S. Air Force.

Editor's Note

The President's Cup was established in 2019, and is designed to organize and train members of the federal workspace, who can participate individually or in teams of up to five. The winners had to survive three rounds of competition, which are categorized into tasks and work roles in the NICE framework. Kudos to all who participated, and to the winners, who will likely be in high demand to keep this nation secure. The Award Ceremony is May 20th.

Lee Neely

The Rest of the Week's News


2024-04-24

Chrome Update

Google has updated the Chrome Stable channel to versions 124.0.6367.78/.79 for Windows and Mac and 124.0.6367.78 for Linux. The update addresses four security issues, including a critical type confusion vulnerability in the ANGLE graphics layer engine.

Editor's Note

Restart your browser at least once a day, and once a week, double check if your browser is up to date. Restarting your browser is the simplest way to make sure automatic updates are applied.

Johannes Ullrich

Of the fixes, CVE-2024-4058 (ANGLE type confusion) is rated critical, while CVE-2024-4059 (out-of-bounds read in V8) and CVE-2024-4060 (use-after-free in Dawn) are rated high. Chromium-based browsers have become really good at restoring your windows and tabs after a restart, so encourage users not to hesitate to click the restart/relaunch button when it appears. Your managed Chrome install should have an enforced time limit for that relaunch, 48-72 hours max.

Lee Neely

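As an added illustration of the enforced relaunch window recommended above (this is not from Google's or SANS's material): on Linux, Chrome reads managed policy from JSON files under /etc/opt/chrome/policies/managed/; the file name below is assumed. RelaunchNotification set to 2 makes the relaunch required rather than merely recommended, and RelaunchNotificationPeriod is the grace period in milliseconds, here 172800000, which is 48 hours. Windows and macOS fleets set the same two policy names through Group Policy or configuration profiles.

```json
{
  "RelaunchNotification": 2,
  "RelaunchNotificationPeriod": 172800000
}
```

Save as, for example, /etc/opt/chrome/policies/managed/relaunch.json and confirm the values show as applied on chrome://policy.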
2024-04-24

Google Delays Phasing Out Third-Party Cookies in Chrome

Google has pushed back the date for phasing out third-party cookies in Chrome to early 2025. Implementing the change depends on Google reaching agreements with the UK's Competition and Markets Authority (CMA) and Information Commissioner's Office (ICO). Google had initially planned to begin deprecating third-party cookies in Chrome in the second half of 2024.

Editor's Note

Google wants to phase these out as both a security and privacy measure (reduction of cross-site and cross-application tracking) while keeping online content and services free for all. Ad providers are claiming Privacy Sandbox removes the ability of site owners, agencies and marketers to target and measure campaigns using their own technologies in favor of a Google-provided option. Some of you are saying, yes, that is kind of the point. Use this time to get a better understanding of what Google's Privacy Sandbox provides and what you'd need to do to continue to have that measurement in the future, or if you want to better know how to not be tracked.

Lee Neely

2024-04-23

Threat Actors Were Exploiting eScan Antivirus Update Mechanism to Spread Malware

Researchers from Avast have published a report detailing how threat actors with ties to North Korea hijacked the eScan antivirus update mechanism for five years. The campaign used the vulnerability to deliver backdoors and cryptocurrency miners. The Avast researchers notified eScan of the issue, and the company fixed the vulnerability in July 2023.

Editor's Note

There are not a lot of examples of insecure update mechanisms being exploited by bad actors. Interesting to see this product being affected.

Johannes Ullrich

The attackers were able to MITM the antivirus service, which used HTTP to deliver updates, allowing them to infect end-users with malware. For. Five. Years. Beyond not using HTTPS, the AV client didn't sufficiently enforce digital signing of updated content, so the replacement malicious content wasn't detected. My gut says when they started deploying crypto miners, the resource hit gave them away. That gives you a couple of pointed questions to ask your EDR provider.

Lee Neely

This attack exposed two secure by design flaws by the vendor: 1) updates not digitally signed, and 2) using HTTP vice HTTPS. Both are common design principles and would have significantly raised the cybersecurity bar for the cybercriminal to execute the attack.

Curtis Dukes

Evilgrade is still a thing. It's also a thing that we barely test for anymore, isn't it?

Moses Frost

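The two design failures the editors call out, cleartext transport and no enforced signature on update content, are easy to show side by side. The following is an added example written for this issue, not eScan's client or anything from Avast's research: a trusting update routine in the shape of the flaw, a hardened one that requires HTTPS and verifies an Ed25519 signature against a key pinned in the client, and a simulated on-path attacker who swaps the payload but has no access to the vendor's signing key. The host name, payload bytes and key pair are all constructed for the example.

```go
// Added example, not eScan's code or Avast's: the update-client pattern this
// attack abused beside a hardened one, with a simulated on-path tamper.
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"net/url"
)

// Update is what the client receives: the URL it came from, the payload, and
// a detached signature made with the vendor's release key.
type Update struct {
	URL       string
	Payload   []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update not fetched over https")
	ErrBadSignature      = errors.New("update signature does not verify against the pinned release key")
)

// applyInsecure trusts whatever arrives on the update channel. This is the
// shape of the flaw described above: plain HTTP and no signature enforcement,
// so an on-path attacker can substitute the payload. Kept only for contrast.
func applyInsecure(u Update) ([]byte, error) {
	return u.Payload, nil
}

// applySecure refuses non-TLS sources and verifies the payload against a key
// pinned in the client before anything is written to disk or loaded.
func applySecure(u Update, releaseKey ed25519.PublicKey) ([]byte, error) {
	parsed, err := url.Parse(u.URL)
	if err != nil || parsed.Scheme != "https" {
		return nil, ErrInsecureTransport
	}
	if !ed25519.Verify(releaseKey, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// mitm models the attacker: they can replace the bytes in flight but do not
// hold the vendor's private key, so the original signature no longer matches.
func mitm(u Update, substitute []byte) Update {
	u.Payload = substitute
	return u
}

// Outcome records how each client handled the cases exercised in demo.
type Outcome struct {
	InsecureAcceptedTampered bool
	SecureRejectedTampered   bool
	SecureRejectedHTTP       bool
	SecureAcceptedGenuine    bool
}

// demo generates a vendor key pair (a real client ships only the public half),
// signs a benign update, and runs both clients against genuine and tampered copies.
func demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		return Outcome{}, err
	}
	payload := []byte("constructed definitions update 2024-04-23")
	genuine := Update{
		URL:       "https://updates.example.test/defs.bin", // assumed host
		Payload:   payload,
		Signature: ed25519.Sign(priv, payload),
	}
	tampered := mitm(genuine, []byte("constructed malicious payload"))
	overHTTP := genuine
	overHTTP.URL = "http://updates.example.test/defs.bin"

	_, e1 := applyInsecure(tampered)
	_, e2 := applySecure(tampered, pub)
	_, e3 := applySecure(overHTTP, pub)
	_, e4 := applySecure(genuine, pub)
	return Outcome{
		InsecureAcceptedTampered: e1 == nil,
		SecureRejectedTampered:   errors.Is(e2, ErrBadSignature),
		SecureRejectedHTTP:       errors.Is(e3, ErrInsecureTransport),
		SecureAcceptedGenuine:    e4 == nil,
	}, nil
}

func main() {
	o, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The scheme check stands in for the real requirement that the client fetch through a TLS stack that validates the server certificate; it is not itself transport security. Both controls matter independently: TLS stops the on-path substitution seen here, while the pinned signature still protects the client if a mirror, CDN or the vendor's own web tier is compromised.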
2024-04-23

PAN-OS Firewall Vulnerability Affects Siemens Ruggedcom

Siemens has acknowledged that the command injection vulnerability (CVE-2024-3400) in Palo Alto Networks PAN-OS software may affect its Ruggedcom APE 1808 devices when they are configured with a Palo Alto Networks next-generation firewall. Siemens is developing fixes and has suggested workarounds and mitigations to use until the fixes are ready.

Editor's Note

The Siemens Ruggedcom APE 1808 integrates security solutions from Palo Alto Networks, Fortinet and Nozomi Networks, and is an industrial application hosting platform for edge computing and cyber security in an industrial environment. As such, vulnerabilities in those components apply, in this case the updates to GlobalProtect which are pending release from Siemens. The workaround is to disable GlobalProtect gateway and portal, (these are disabled by default) until the update can be applied.

Lee Neely

Cisco, Palo Alto, and others have OEM agreements with Siemens and other vendors. Expect that as firewall issues occur (or switching issues occur), there will be some lag time for these OEMs to roll them into the equipment upgrade paths. That alone does not mean that they will be immediately pushed out to these OT systems.

Moses Frost

2024-04-24

Octapharma Beginning to Recover from Ransomware Attack

Switzerland-based Octapharma is starting to recover from a ransomware attack that began on April 17 and resulted in the temporary closure of 180 plasma donation centers last week. Octapharma began reopening centers earlier this week.

Editor's Note

They are opening more locations, albeit with modified hours, in attempts to restore services to customers. They advise customers with appointments to verify their local office is open and operating. In today's climate, that is a fairly rapid return of services, and should spark conversations about whether you want to do partial service restoration, or a full waterfall, and how you'd communicate in either situation.

Lee Neely

2024-04-25

Los Angeles (California) County Health Services Notifies Affected Patients of Data Compromise

The Los Angeles (California) County Department of Health Services (DHS) has sent notification letters regarding a phishing attack that resulted in compromised patient data. According to the letters, email account credentials belonging to 23 DHS employees were stolen earlier this year. The associated mailboxes contained patient data, including names, medical record numbers, medical diagnoses, treatment, medication, and test result information.

Editor's Note

This attack exposes an inconvenient truth: large amounts of data (i.e., PHI, PII, company confidential) are often stored on company email and messaging servers. Email is still the preferred communication method, even more so, now that most companies employ a remote workforce. Encrypt data in transit, at rest, and on end-user devices.

Curtis Dukes

Internet Storm Center Tech Corner

Struts2 devmode Still a Problem Ten Years Later

https://isc.sans.edu/diary/Struts+devmode+Still+a+problem+ten+years+later/30866

API Rug Pull - The NIST NVD Database and API

https://isc.sans.edu/diary/API+Rug+Pull+The+NIST+NVD+Database+and+API+Part+4+of+3/30868

Does it matter if iptables isn't running on my honeypot?

https://isc.sans.edu/diary/Does+it+matter+if+iptables+isnt+running+on+my+honeypot/30862

Matthew Alan Vorhees: Prevention Strategies for Modern Living Off the Land Usage

https://www.sans.edu/cyber-research/prevention-strategies-modern-living-off-land-usage/

Unplugging PlugX: Sinkholing the PlugX USB worm botnet

https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/

pfSense Updates

https://docs.netgate.com/advisories/index.html

GitLab Updates

https://about.gitlab.com/releases/2024/04/24/patch-release-gitlab-16-11-1-released/

Cisco Patches Vulnerabilities and Discovers Arcane Backdoor

https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/

Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers

https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/

MySQL2: Dangers of User-Defined Database Connections

https://blog.slonser.info/posts/mysql2-attacker-configuration/

Netgear Nighthawk Vulnerabilities

https://jvn.jp/en/vu/JVNVU91883072/

Analyzing Forest Blizzard's Custom Post-Compromise Tool for exploiting CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

April 2024 Exchange Server Hotfix Update

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2024-exchange-server-hotfix-updates/ba-p/4120536

CVE-2024-2389: Command Injection Vulnerability in Progress Flowmon

https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/

GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining

https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/