SANS NewsBites

National Public Data Breach Affects 3 Billion; NIST Releases Post Quantum Cryptography Standards; Microsoft Patch Tuesday; and Lots of Other Patches

August 16, 2024  |  Volume XXVI - Issue #63

Top of the News


2024-08-12

PII of 2.9 Billion Individuals Stolen from Background Check Company

According to a class-action lawsuit against Jerico Pictures, Inc., doing business as National Public Data, personally identifiable information belonging to 2.9 billion people was stolen and offered for sale on the dark web. National Public Data provides background check and fraud prevention services. Of particular concern is that most people are likely unaware that National Public Data collected their information, as the company regularly scraped PII from non-public sources without consent.

Editor's Note

First of all: This data was likely stolen multiple times before in prior breaches. Secondly: Why does any one entity collect that much data? I have seen a lot of less-than-brilliant advice to victims. Using strong passwords and running up-to-date antivirus will not help you if organizations aggregating your data without your knowledge are missing fundamental controls like that. The only option you have is to first of all freeze your credit, and secondly opt out of whatever data collection possible. Assume that your data was breached and be careful even if someone uses supposedly confidential data to attempt to establish trust. There have been a number of reports of more sophisticated law enforcement impersonation scams that used data like SSN, address, phone numbers and such to establish authority.

Johannes Ullrich

This is basically the OPM hack all over again but on steroids. It really calls into question the right of individuals not to have their personal information collected by data brokers. We sorely need a national data privacy law akin to the EU's GDPR.

Curtis Dukes

The prudent position for most people today is to assume that all their PII is public, or at least on the Dark Web. They should freeze their data on the credit bureaus and be vigilant.

William Hugh Murray

Legitimate background check companies exist to help companies, people, and law enforcement. While those companies do exist and require extensive credentialing to access those databases, there are also 3rd party downstream brokers that take these feeds and aggregate them. These 3rd parties need more well-defined practices as well. If what is said here is true, this broker, who appears to be a 3rd party downstream aggregator with an address located in a residence, may be one of these smaller brokers. Getting 280GB of structured data from one of these 3rd parties would have taken a long time, and this is potentially one of the biggest breaches in history. Given that there are only 350 million people in the US and the breach is supposedly for 3 billion people, I am wondering who the remaining 2.65 billion people are. Are these people who are no longer alive, or are we looking at duplicate records? It's hard to say without looking at the data itself.

Moses Frost

This is the largest breach since the Yahoo breach of 3 billion in 2013. It appears we are finding out about this breach due to the lawsuit rather than a notification by the company. The lawsuit was triggered by an alert the lead plaintiff received from his identity monitoring service. While we could pull the lack of notification thread, the better move is to make sure you have identity monitoring and that you've fully configured it to watch for issues. In this day and age, we need background check companies like this to support the integrity of our hiring process. That said, with ever growing collections of information, with increased fidelity, you need to be proactive in monitoring breaches of your own data.

Lee Neely

2024-08-14

NIST Releases Post-Quantum Cryptography Standards

The US National Institute of Standards and Technology (NIST) has published three post-quantum cryptography (PQC) algorithms: ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+). A fourth algorithm, FN-DSA (FALCON), is expected to be finalized later this year. NIST first called for PQC submissions in 2016 and then again in 2022.

Editor's Note

The release of these new standards is an important first step to start implementing quantum safe encryption. Next we will need verified implementations. Judging based on experience with prior encryption standards, it will take a bit of time to get the bugs worked out. Expect some "not equal time" and "sidechannel" vulnerabilities. But start experimenting with implementations now.

Johannes Ullrich

Work is underway for hybrid encryption options to be built into protocols for using both standard and quantum-resistant crypto. It will be interesting to see how quickly any of these are adopted, as I still see TLS 1.0 being used. I always mention that TLS 1.0 and TLS 1.1 are theoretically weak, but practically, they are not weak. When was the last time someone broke through your TLS 1.1 system? This all goes out the window with Quantum. If someone does reach quantum supremacy where you can render certain algorithms weak, then TLS 1.1 and TLS 1.2 become insufficient. Does your threat model include that?

Moses Frost

While quantum computing still has a huge error rate problem to overcome, AI, as it becomes more, well, general AI, has the potential to leapfrog the mathematical constraints on current encryption, and optical or photonic computing introduces added threat vectors which could arrive before Q-Day. Start working on how you'd cut over to post-QC encryption now, and test those plans so you can make the switch before technology makes it mandatory.

Lee Neely

Most of the data in the Internet has a very short life. It will no longer be sensitive at the point in the future when breaking RSA becomes efficient. However, perhaps as much as one percent of the traffic in the Internet already uses PQC algorithms. This is to protect long-lived data from store now, decrypt later (SNDL) attacks. Those of you who deal in such data know who you are and know what to do. That said, converting all our systems to PQC is not a trivial task and will take years. We should move forward at a deliberate pace.

William Hugh Murray

2024-08-14

Microsoft Patch Tuesday

On Tuesday, August 13, Microsoft released software updates to address roughly 90 vulnerabilities in a range of their products. Among the flaws fixed in the updates are nine rated critical and six that are being actively exploited. Of particular concern is a critical (CVSS 3.1 9.8 / 8.5) Windows TCP/IP remote code execution vulnerability (CVE-2024-38063), which could be exploited because 'an unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution.'

Editor's Note

There were two "highlights" in Microsoft's patch Tuesday. First of all, the vague IPv6 vulnerability. Microsoft did not provide enough details to judge the risk of this vulnerability. It sounds bad (CVSS score of 9.8). But are exploit packets routable? Will common firewalls be able to block the exploits (once we know what to filter)? For now: Patch quickly, so you won't have to worry this weekend. The second interesting patch fixes a secure boot bypass vulnerability. Microsoft stopped applying the patch automatically, due to some conflicts with systems that do not have the newer secure boot CA data applied. Remember that these CAs need to be updated soon. The original secure boot CAs will expire in about two years and going forward, firmware will be signed using a new set of CAs.

Johannes Ullrich

A particularly bad month for Microsoft. It appears there has been an uptick in vulnerabilities [err, software defects] disclosed over the last few months across a variety of vendor products. Bottom line: we must reduce the patch cycle if we are to stay ahead of the adversary.

Curtis Dukes

RCE is a common thread amongst the critical flaws fixed. Get these updates to critical services and endpoints, then keep picking away at the rest until they are updated. Note there are fixes to both the OS and layered products such as Office, .NET, Visual Studio, Co-Pilot, Microsoft Dynamics, Teams and Secure Boot. If you're still an IPv4-only environment, then you should be monitoring for unexpected IPv6 traffic. If you're transitioning (dual stack or full IPv6 cutover), make sure that you're monitoring for malicious or malformed packets as an indication of potential unwelcome behavior.

Lee Neely
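The "monitor for unexpected IPv6 traffic" advice above, turned into a small detection pass over flow logs. This is an added example, not code from the newsletter or its editors; the log format (`src=`/`dst=` key-value pairs) and the sample lines are constructed, and it assumes that link-local-to-link-local or link-local-to-multicast IPv6 (neighbor discovery noise) is expected on any LAN while any other IPv6 flow on an IPv4-only segment is not.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not from the newsletter). Assumed format:
# "<ts> proto=<ip-proto-number> src=<addr> dst=<addr> action=<allow|deny>"
SAMPLE_LOG = """\
2024-08-14T10:00:01Z proto=6 src=10.1.2.3 dst=10.1.2.50 action=allow
2024-08-14T10:00:02Z proto=58 src=fe80::1 dst=ff02::1 action=allow
2024-08-14T10:00:03Z proto=6 src=2001:db8::9 dst=fd00::50 action=allow
2024-08-14T10:00:04Z proto=17 src=2001:db8::9 dst=fd00::51 action=deny
2024-08-14T10:00:05Z proto=6 src=fe80::2 dst=fe80::50 action=allow
"""


def parse_line(line):
    """Split one log line into a record with parsed IP addresses."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": ts,
        "proto": int(kv["proto"]),
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "action": kv["action"],
    }


def classify(rec):
    """Label a flow as plain IPv4, expected link-local IPv6, or unexpected IPv6."""
    src, dst = rec["src"], rec["dst"]
    if src.version == 4 and dst.version == 4:
        return "ipv4"
    # Link-local sources talking to link-local or multicast destinations are
    # the normal background chatter (neighbor/router discovery) of any LAN.
    if src.is_link_local and (dst.is_link_local or dst.is_multicast):
        return "ipv6-link-local"
    # Everything else is routable IPv6 reaching a host on a segment that is
    # supposed to be IPv4-only; denied flows count too, since they show intent.
    return "ipv6-unexpected"


def find_unexpected_ipv6(log_text):
    """Return {destination host: [(ts, src, proto, action), ...]} for flagged flows."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if classify(rec) == "ipv6-unexpected":
            hits[str(rec["dst"])].append(
                (rec["ts"], str(rec["src"]), rec["proto"], rec["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, flows in find_unexpected_ipv6(SAMPLE_LOG).items():
        print(host, flows)
```

On the constructed sample, the two flows from 2001:db8::9 are flagged while the fe80:: neighbor-discovery traffic is not; on real data, feed the output into the same alerting path you use for other policy violations.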

This patch Tuesday is a doozy. Lots of critical bugs but the one that everyone is talking about is a wormable IPv6 one. If you are not using IPv6, disable it; if you don't wish to disable IPv6, properly route it. Either way, patch this one immediately.

Moses Frost

The Rest of the Week's News


2024-08-14

More Patch Tuesday Releases: Adobe, Ivanti, Fortinet, Zoom

On Tuesday, August 13, Adobe released security updates for multiple products, including Adobe Illustrator, Adobe Dimension, Adobe Photoshop, Adobe Acrobat Reader, and Adobe Commerce. In all, the Adobe updates address more than 70 vulnerabilities. Other Patch Tuesday releases this month include updates for eight vulnerabilities in Ivanti products, two of them critical; updates for three vulnerabilities in Fortinet products; and updates for nine vulnerabilities in Zoom, two of them high severity.

Editor's Note

I'll use this news item for a general comment on all the patching news in this issue: I think it is pretty clear that the time between releases of new versions of software (and AI model updates count as software) has shortened so much that Secure Software Development advances have not been able to keep up with the advances bad guys have made in finding non-trivial vulnerabilities. The patch curve will not flatten anytime soon; faster patching is already badly needed since the reality is that test time is not going to increase before vendors release new versions and enterprises move the insufficiently tested versions to production use.

John Pescatore

Don't overlook these updates for Zoom, Adobe, Ivanti and Fortinet. Dealing with MS Patch Tuesday will likely distract your team from these added updates. Make sure you're checking for updated versions of all the products users are installing.

Lee Neely

What can I say? Software needs to stay up to date. Inventory your items and keep things patched.

Moses Frost

2024-08-14

Patch Tuesday: Industrial Control Systems

Tuesday, August 13 also saw security advisories for multiple industrial control system (ICS) vulnerabilities, including products from Siemens, Schneider Electric, Rockwell Automation, and Aveva. Siemens published nine advisories addressing about 50 vulnerabilities. Schneider Electric published advisories addressing more than 30 CVEs. Aveva published three security bulletins. Rockwell Automation has published nine advisories addressing a total of 10 vulnerabilities. In addition, the US Cybersecurity and Infrastructure Security Agency (CISA) has published 10 ICS advisories.

Editor's Note

Aside from applying the needed patches to these devices, make sure that you're following security best practices including only allowing authorized hosts to access these devices and services, that you've got monitoring at the demarcation point, remote access requires a VPN, and you're segmenting these systems from both your mainstream IT and your other OT/ICS systems.

Lee Neely

2024-08-15

SolarWinds Releases Fix for Web Help Desk Vulnerability

SolarWinds has released a hotfix for a Java deserialization remote code execution vulnerability in their Web Help Desk IT help desk solution. SolarWinds recommends that users upgrade their Web Help Desk installations to version 12.8.3 and then apply the hotfix. However, the hotfix 'should not be applied if SAML Single Sign-On (SSO) is utilized.'

Editor's Note

I suspect we all cringe when we see SolarWinds in a security bulletin. This Java deserialization RCE flaw, CVE-2024-28986, has a CVSS score of 9.8.

Lee Neely

2024-08-15

Palo Alto Networks Addresses 34 Vulnerabilities

Palo Alto Networks has published security advisories to address multiple vulnerabilities affecting an array of their products, including the Cortex XSOAR CommonScripts Pack and Prisma Access Browser. The Cortex XSOAR vulnerability is a high-severity command injection issue. The flaw affects only certain configurations of Cortex XSOAR CommonScripts. The advisory for the Prisma Access Browser lists more than 30 CVEs and has a high-severity rating.

Editor's Note

Getting the impression you need to patch everything this month? Palo Alto Networks would like you to apply all the relevant patches to the PAN equipment you own. Given the use cases of this equipment, you should be prioritizing any and all updates.

Lee Neely

2024-08-14

CISA Advisory Details Multiple Vulnerabilities in Vonets WiFi Bridge Devices

An advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) provides details about seven vulnerabilities affecting Vonets WiFi Bridge devices. The flaws could be exploited to bypass authentication, execute arbitrary commands, and create denial-of-service conditions. The most serious vulnerability is a critical stack-based buffer overflow (CVSSv4 10.0) that could be exploited to take control of vulnerable devices without authentication. CISA says that Vonets has not responded to requests to work with CISA to mitigate these vulnerabilities; CISA's advisory includes recommended defensive measures.

Editor's Note

First and foremost a company must stand behind their product(s). Given the non-responsiveness of the China based company to patch a critical RCE vulnerability, the best thing for users is to switch out the device for one that is properly supported.

Curtis Dukes

Updates aren't available yet. Another excuse to make sure that you're not exposing the management interface to the Internet, ever, let alone failing to review activities by others.

Lee Neely

One hopes that those of you using this product know who you are.

William Hugh Murray

2024-08-14

Enzo Biochem Fined $4.5 Million for Failing to Protect Data

Enzo Biochem will pay $4.5 million for failing to protect the personal, sensitive data of 2.4 million people. The intruders gained access to Enzo Biochem systems using two sets of employee login credentials that were shared between five employees; one of the sets of credentials had not been changed in at least a decade. The money will be shared between New York, New Jersey, and Connecticut.

Editor's Note

The point here is not only that there were shared credentials in use, but also that those credentials had not been changed in at least a decade. Long-term credentials need to meet all of the 800-63-3 requirements, including breach monitoring and notification, minimum length and uniqueness. Even so, there is still no real substitute for phishing-resistant MFA. If you need shared credentials, leverage a PAM type service to check them out when needed and change them immediately afterward.

Lee Neely

If you think that you have no choice but to share credentials, please consider Privileged Access Management software. Sharing credentials comes at the cost of accountability, the most important control over privileged insiders.

William Hugh Murray

The NY AG and NY DFS Director have been on a tear these last few years holding organizations accountable for not exhibiting a standard of reasonableness when it comes to protecting information. This is the latest installment. For companies wishing to stay out of the AG and DFS crosshairs, the Center for Internet Security recently published a 'Guide to Defining Reasonable Cybersecurity' that specifies what must be done to meet the standard of reasonable cybersecurity.

Curtis Dukes

2024-08-15

Russian Man Draws Prison Sentence for Selling Stolen Personal Data Linked to Fraud

A US court has sentenced Russian national Georgy Kavzharadze to 40 months in prison for selling stolen financial, account access, and personal data. The sold credentials led to more than $1.2 million in fraudulent transactions. Kavzharadze pleaded guilty to bank fraud and wire fraud conspiracy earlier this year.

Editor's Note

Initial estimates were that he'd defrauded the bank $5 million and this has since been reduced to $1.2 million, which he is expected to repay. The Justice Department is taking a zero-tolerance stance on selling stolen identities, and is upping cooperation with other law enforcement agencies to stop those attempting this type of activity.

Lee Neely

We will continue to receive such reminders to use strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) until we get it done.

William Hugh Murray

Congratulations to law enforcement. That said, with time already served, he has just over a year left. More interesting is whether the $1.2M will be repaid.

Curtis Dukes

Internet Storm Center Tech Corner

Microsoft August 2024 Patch Tuesday

https://isc.sans.edu/diary/Microsoft+August+2024+Patch+Tuesday/31164

MSI Malware

https://isc.sans.edu/diary/Multiple+Malware+Dropped+Through+MSI+Package/31168

Wireshark 4.4.0 rc 1 Custom Columns

https://isc.sans.edu/diary/Wireshark+440rc1s+Custom+Columns/31174

GitHub Repo Artifacts Leak Tokens

https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/

BitLocker Security Feature Bypass Vulnerability

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38058

SolarWinds Hotfix

https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1

Ed Skoudis, Paul Maurer: The Code of Honor

https://cybercodeofhonor.com/

Microsoft IPv6 Vulnerability CVE-2024-38063

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

https://x.com/XiaoWei___/status/1823532146679799993/photo/1

Critical Ivanti Virtual Traffic Manager Patch CVE-2024-7593

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US

Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html

NIST Finalizes Post Quantum Encryption Standards

https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

Zabbix Network Monitoring Updates

https://support.zabbix.com/browse/ZBX-25016

https://support.zabbix.com/browse/ZBX-25013

(and others)