SANS NewsBites

Verizon Breach Report; UnitedHealth Attempts to Silence Victims With ID Theft Monitoring; Increasing GPT Attacks

May 3, 2024  |  Volume XXVI - Issue #35

Top of the News


2024-05-02

Verizon’s Data Breach Investigations Report 2024

Verizon’s 17th annual Data Breach Investigations Report reveals that vulnerability exploits as initial access points in breaches was up 180% in 2023 over 2022. In addition, human error still plays a part in most breaches; ransomware and other extortion attacks account for about one-third of all breaches; and pure extortion attacks are on the rise.

Editor's Note

It is not "human error". It is technology that is not protecting humans and abstracting security leading to a failure to communicate risk to users.

Johannes Ullrich

The term “human error” is actually incorrect. What VZ DBIR pointed out is the human element is involved in over 65% of all breaches (not including malicious insiders). That number is people, primarily victims of cyberattacks (social engineering) or people making mistakes (that is human error). What really popped this year is people making mistakes represents 28% of all breaches globally; that is a big number. One of the biggest problems we have is that security is really hard for most people, the behaviors we are demanding of them are often confusing, difficult, and overwhelming. Security is no longer just a technology challenge but also a human challenge, and the first step to addressing the human side is making security as simple as possible for people (which is not easy).

Lance Spitzner

Well done Verizon, another excellent report. For me, a few key takeaways: 1) the human is still the weak link to building an effective cybersecurity program – exploitation of authentication credentials; 2) Ransomware had a very good year in 2023 – increase in both attacks and payouts; and 3) software supply chain attacks also had a good year and have become a major concern for security professionals.

Curtis Dukes

One of the discoveries is it’s taking an average of 55 days to resolve 50% of vulnerabilities. While we’re likely nailing desktop and commodity system patching, those boundary devices, including VPN and remote access services, need to be doubled down on. Make sure that you’re not just relying on your WAF to protect applications; code flaws need to be fixed as well.

Lee Neely

2024-05-01

UnitedHealth CEO Testifies at US Congressional Hearing

UnitedHealth CEO Andrew Witty appeared before the US Senate Finance Committee to answer questions about the Change Healthcare ransomware attack. Witty said they paid the ransom demand and that it was his call to do so. Witty also noted that the breached Citrix portal lacked multi-factor authentication (MFA). UnitedHealth is offering affected individuals two years of credit and identity theft protection.

Editor's Note

Two years of credit and identity theft protection is a very bad joke. How will that help people affected whose health records got stolen, and who probably have already free identity theft protection from one of a dozen other breaches? Without meaningful penalties, there is absolutely no reason to improve basic cyber security practices. Free identity theft protection is the "thoughts and prayers" of breaches.

Johannes Ullrich

This breach is similar to the Equifax breach in 2017, to include the size and scope of breach, the appearances before Congress and the impact. Just like Equifax, I expect there will be a report published on the details of why and how the breach happened. Just like Equifax, this is most likely more than just an issue of lack of MFA, but we will see a much bigger issue of a weak security culture.

Lance Spitzner

The big lesson to be learned is the impact that mergers/acquisitions have on one’s cybersecurity program. (UnitedHealth’s acquisition of Change Healthcare was completed in October 2022.) There’s the due diligence part during company acquisition; but then comes the part in merging different security technologies into a common cybersecurity program. Yes, lack of MFA is a big whiff, but I suspect there were other factors at play that led to this sizeable security incident.

Curtis Dukes

Beyond credit protection, and the touted nearly $900 million this breach has cost, there should also be consequences from the regulators.

Lee Neely

2024-04-30

GPS and GNSS Attacks are on the Rise

Attacks against the global positioning system (GPS) and global navigation satellite systems (GNSS) are increasing in the Baltic States, the Eastern Mediterranean region, Ukraine, and the Black Sea, according to the Resilient Navigation and Timing Foundation. The attacks have targeted aircraft and ships with both jamming and spoofing. The UK’s Civil Aviation Authority has published a Safety Notice on GNSS outages that includes recommendations for operational safety.

Editor's Note

Some airports in the area had to cancel flights as their approaches require GPS. For network security, GPS is often used as a time source. So far, I have not seen any measured effects on time keeping, but it is something to keep in mind as you are designing a time synchronization infrastructure. Maybe we must consider internal time standards again.

Johannes Ullrich

2024-05-03

President’s Cup Cybersecurity Competition Awards Ceremony

In last Friday’s NewsBites (NB 26.33), we mistakenly indicated that the Awards Ceremony for the President’s Cup Cybersecurity Competition would be held on May 13. The ceremony will be held on May 20.

The Rest of the Week's News


2024-05-02

CISA and FBI Urge Developers to Eliminate Path Traversal Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a Secure By Design alert urging software developers to eliminate path traversal vulnerabilities from their products prior to shipping. Also known as directory traversal vulnerabilities, the flaws can be exploited by manipulating inputs to access files and directories that developers did not intend users to access. CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes 55 directory traversal vulnerabilities.

Editor's Note

I like how CISA recently focuses on essentials like SQL Injection and Path Traversal. Sadly, it won’t matter because the money needed to fix old code is wasted on buying GPUs to train machine learning models that can identify hot dogs. The new ML model will keep investors happy, but the data breach caused by path traversal will just require a subscription to an identity protection service.

Johannes Ullrich

2024-05-02

Dropbox Discloses Dropbox Sign Breach

Dropbox has disclosed that the Dropbox Sign e-signature service production environment experienced a breach. The unauthorized access was detected on April 24. The intruder accessed the system through a compromised back-end service account and accessed customer data, including email addresses, usernames, hashed passwords, API keys, OAuth tokens, and MFA information. Until October 2022, Dropbox Sign was known as HelloSign.

Editor's Note

An interesting note in the breach report indicates the leak of MFA information. I assume these are the seeds for one-time pass codes. These seeds are usually not encrypted (and can't be hashed like passwords).

Johannes Ullrich
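As an added illustration (not from the Dropbox disclosure or Dropbox's code) of the point above: a TOTP code is an HMAC over the raw seed, so the server can only verify it if the seed is stored recoverably (encrypted at rest), whereas a password is verified by re-hashing and only the salted hash is kept. The seed and expected codes are the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# RFC 6238 test seed (ASCII "12345678901234567890"), base32 encoded.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
PBKDF2_ROUNDS = 600_000


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Needs the seed bytes themselves: there is
    no way to compute this from a one-way hash of the seed, which is why a
    leaked seed store lets anyone produce valid codes and must be reissued."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of drift."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + k * 30), code)
        for k in range(-window, window + 1)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Passwords can be stored as a salted one-way hash because verification
    only needs to recompute the same hash from the candidate password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)
```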

The compromise of the service account didn’t appear to access payment information or user documents. They did access the Sign user database: usernames, email, hashed passwords, preferences and authentication data. Dropbox is terminating Sign sessions and having users change passwords, including MFA tokens, as well as changing API keys and OAuth tokens. It’s not clear how they are preventing recurrence, something to consider including with your breach communication plan.

Lee Neely

2024-05-02

GitLab Vulnerability Added to KEV

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-7028, an improper access control vulnerability in GitLab Community and Enterprise editions, to the Known Exploited Vulnerabilities (KEV) catalog. The flaw, which can be exploited to take control of vulnerable accounts, was introduced in May 2023 with the release of GitLab 16.1.0; it affects all later versions through 16.7.1. GitLab has already released updates that address the vulnerability. Federal Civilian Executive Branch (FCEB) agencies have until May 22 to update.

Editor's Note

While introduction into the KEV signals active exploitation, the flaw has been known since January when the patch was made available. Hopefully, organizations were already using multi-factor authentication in which case they are safe. For those that haven’t, patch, implement some form of multi-factor authentication, and review your code now to protect against future software supply chain attacks.

Curtis Dukes

2024-05-02

Upgrade Available to Address Vulnerability in R Programming Language

The R Project has released R Core Version 4.4.0 to address a high-severity deserialization of untrusted data vulnerability that could allow arbitrary code execution. The vulnerability could be exploited in supply chain attacks. Users are urged to upgrade to the most recent version of the open-source programming language.


2024-04-30

White House National Security Memorandum on Critical Infrastructure

The White House has issued a National Security Memorandum “to secure and enhance the resilience of U.S. critical infrastructure.” The memorandum replaces a decade-old policy document regarding critical infrastructure protection. The new memorandum designates the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency for securing the country’s critical infrastructure; aims to improve public/private partnerships through intelligence and threat information sharing; and reaffirms 16 designated infrastructure sectors and the associated federal departments and agencies that serve as each sector’s Sector Risk Management Agency.


2024-05-02

Fact Sheet: Defending OT Operations Against Hacktivist Activity

The US Cybersecurity and Infrastructure Security Agency (CISA), along with several other US agencies, the Canadian Centre for Cyber Security, and the UK’s National Cyber Security Centre, have published a fact sheet with information and recommended mitigations to help organizations defend operational technology (OT) operations against current activity conducted by pro-Russian hacktivists. The document offers an overview of the threat actor activity and recommended mitigations, which include hardening HMI remote access; strengthening security posture; and limiting adversarial use of common vulnerabilities.

Editor's Note

All good mitigation recommendations that should be applied regardless of the threat actor. If the OT device is Internet-facing it becomes part of the attack surface available to the evildoer. Address the easy to fix vulnerabilities first, by changing default passwords and updating the software.

Curtis Dukes

2024-04-30

Vastaamo Data Thief Sentenced to Prison

A Finnish man has been sentenced to six years and three months in prison for stealing data from the Vastaamo Psychotherapy Center in 2020 and using the data to extort money from patients. Julius Kivimäki was found guilty of multiple counts of aggravated dissemination of information infringing on individuals' private lives, aggravated attempted blackmail, and aggravated blackmail. Last year, Vastaamo’s CEO received a three-month suspended sentence for failing to protect the privacy of patient data.

Internet Storm Center Tech Corner

Another Day, Another NAS: Attacks against Zyxel NAS326 Devices CVE-2023-4473, CVE-2023-4474

https://isc.sans.edu/diary/Another+Day+Another+NAS+Attacks+against+Zyxel+NAS326+devices+CVE20234473+CVE20234474/30884

Linux Trojan - Xorddos with Filename eyshcjdmzg

https://isc.sans.edu/diary/Linux+Trojan+Xorddos+with+Filename+eyshcjdmzg/30880

Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796

https://isc.sans.edu/diary/Scans+Probing+for+LBLink+and+Vinga+WRAC1200+routers+CVE202324796/30890

Buffer Overflow Vulnerabilities in ArubaOS

https://www.arubanetworks.com/support-services/security-bulletins/

The Cuttlefish Malware

https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/

EU iOS Safari Allows User Tracking

https://www.mysk.blog/2024/04/28/safari-tracking/

AWS S3 Denial of Wallet Amplification Attack

https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1

https://blog.limbus-medtec.com/the-aws-s3-denial-of-wallet-amplification-attack-bc5a97cc041d

BentoML Critical Deserialization Vuln CVE-2024-2912

https://nvd.nist.gov/vuln/detail/CVE-2024-2912

R-Bitrary Code Execution: Vulnerability in R's Deserialization

https://hiddenlayer.com/research/r-bitrary-code-execution/

Coordinated Docker Hub Attacks using Malicious Repositories

https://jfrog.com/blog/attacks-on-docker-with-millions-of-malicious-repositories-spread-malware-and-phishing-scams/

NVMe-oF/TCP Vulnerabilities

https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller