Another BreachForums Takedown; Microsoft Patch Tuesday; Google Chrome Patches Three 0-Days in a Week

The BreachFormus site operated from June 2023 until May 2024, replacing the Raid Forums site. Now that law enforcement has taken over the site, it's hoped that they have sufficient data to identify and prosecute the operators.

Lee Neely

These law enforcement take downs are important but until you remove the incentive, cyber-crime will continue to be a problem. At the end of the day, itÕs all about the payout. Law enforcement can have more impact by making it difficult to pay. That means denying payment or the means of transfer to the attacker.

Curtis Dukes

While you're getting your head around the three important vulnerabilities in the MS patch set, don't overlook the updates from Apple and Adobe released this week. Attackers are leveraging CVE-2024-30051, privilege escalation, CVSS score 7.8, in phishing campaigns to bypass OLE mitigations and escalate privileges. CVE-2024-30040, an input validation flaw in MSHTML has a CVSS score of 8.8, CVE-2024-30044, remote code execution, CVSS score 7.2, is a deserialization flaw. Deserialization is the gift that keeps on giving: prioritize fixes for these flaws.

Lee Neely

Three zero-days in one week is likely a new record. The best way to stay up to date: Restart Google Chrome once a day, and visit the "About" page once a week to make sure you are up to date.

Johannes Ullrich

As we're running to keep up with Chrome updates, keep an eye out for issues caused by the default enablement of the PQC (Kyber) algorithm. You may have to push out the PostQuantumKeyAgreementEnabled enterprise policy to disable that as not all TLS implementations properly handle increased size of the TLS ClientHello. (Kyber adds about 1KB to the ClientHello.)

Lee Neely

I just had a major medical equipment vendor in healthcare tell me that their system that is hooked up to patients can't be scanned with Qualys or Nessus because it fills up the memory of the server and will cause the application to fail, just exclude it.

Moses Frost

This report reinforces the need for cybersecurity education for engineers. Yes, each is a distinct discipline but today everything uses software and is internet accessible. Every sector needs more cybersecurity professionals but there are simply not enough to go around. In the meantime, schedule the devices for an off-cycle patch as the integrity of the data can be called into question.

Curtis Dukes

The concern here is that these appliances are used, not managed; many will never be patched.

William Hugh Murray

Nigeria is one of the largest economies in Africa, next to South Africa and Egypt. Nigeria is facing keen struggles with inflation and a soaring cost of living; the tax would have hit those working to survive in that environment the hardest. The tax was intended to fund their current efforts to increase cybersecurity, predicted to raise about $1.9 billion annually. Regrettably, there is no tie to the amount of money needed for the initiative and the tax amount; transparency is critical here, particularly when the time are tough.

Lee Neely

The takeaway from this vulnerability: Do not operate different networks (SSID) using the same passphrase.

Johannes Ullrich

Long term mitigations require changes to the Wi-Fi standard to include the SSID in the 4-way handshake as well as increased beacon protection to ensure it belongs to the desired SSID. As the attack is leveraging known passwords, consider whether posting Wi-Fi passwords is wise, and how frequently they should be changed.

Lee Neely

This update includes patches for exploited vulnerabilities in older Apple operating systems. If you still use an older device, make sure you apply these updates.

Johannes Ullrich

The patches for the newer operating systems include more CVES, iOS/iPadOS 17.5 included 14, macOS 14.5, 21, while the older OSs, iOS/iPadOS 16.7.8 two, and macOS 13.6.7 three. Don't let those low numbers fool you: those are back-ported fixes and due to larger applicability going to be more highly targeted.

Lee Neely

Make sure you're tracking updates for both Acrobat Reader and Acrobat, both the DC and Classic 2020 versions. If you have users resistant to updating due to Adobe's new menu/look, remind them they can disable new Acrobat mode post-install and it will remain disabled for subsequent updates.

Lee Neely

Adobe Acrobat Reader is on par with Google Chrome when it comes to having a large install base. That makes reverse engineering of the patch and discovery of the underlying vulnerability a high priority in the exploit marketplace. Bottom line: check for the update, and let it update automatically.

Curtis Dukes

Over the years, we've seen many SSLVPN flaws, (most recently Cisco, Fortinet and Sonic Wall.) At core, the IPsec VPN is an open standard while SSLVPN is not, so manufacturers are creating their own implementations. This means that you need to double down on security best practices and applying fixes/updates if you're using a SSLVPN.

Lee Neely

I'm not sure if moving from SSLVPNs to IKEv2 or IKEv1 standards will by itself solve all problems. What I will say is that IKE was designed for this type of traffic. Maybe it is time to consider alternatives.

Moses Frost

If your team is trying to get their arms around DoH/DoT, this should help. Even if you're not bound by M-22-09, this provides guidance on creating a more secure DNS environment for your shop, to include how to handle clients bypassing enterprise DNS with built-in DoH/DoT.

Lee Neely

This is an interesting article. Although it applies to CISA and Agencies, it can be used to build a more secure DNS infrastructure in your environment.

Moses Frost