SANS NewsBites

AWS Application Load Balancer Configuration Bug Raises Questions of Shared Responsibility; Patch Available for Critical SonicWall Vulnerability; American Radio Relay League Paid Ransomware Demand

August 27, 2024  |  Volume XXVI - Issue #66

Top of the News


2024-08-21

AWS Configuration Bug in Application Load Balancer

A critical configuration bug in AWS Application Load Balancer (ALB) when used for authentication could be exploited to gain unauthorized access to resources and exfiltrate data. The issue was detected by researchers from Miggo Research, who have dubbed the issue ALBeast. Miggo Research reported the issue to AWS in April. AWS has published a document, 'Security best practices when using ALB authentication,' which both offers advice and refers to the AWS Shared Responsibility Model for security and compliance.

Editor's Note

This AWS Load Balancer issue is similar to the Confused Deputy problem. This stems from the fact that many cloud services are shared between customers. Given a configuration that is not restrictive enough, you end up in this very strange situation where if the load balancer works for you, it will also work for everyone else, allowing the check of authentication to pass no matter where it is. This tends to be one of those difficult bugs because the onus is on everyone else, not Amazon, to fix the issue. How do they notify affected customers, and should they? This is a tricky one.

Moses Frost
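An added example (not code from the newsletter, from AWS, or from Miggo Research) of the check a backend target should perform on the JWT that ALB authentication forwards in the x-amzn-oidc-data request header: compare the load balancer ARN in the token header's signer field against the one ALB the target expects, verify the signature, and enforce expiry. The ARN, key id and key material below are constructed, and the HMAC verifier stands in for the ES256 check a real target performs with the ALB's published public key, so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed ALB ARN for this example; a real target compares against its own ALB's ARN.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                   "loadbalancer/app/example-alb/0123456789abcdef")


def _b64url_decode(s: str) -> bytes:
    data = s.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_oidc_data(token: str):
    """Split the x-amzn-oidc-data JWT into header, claims, signing input and raw signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed x-amzn-oidc-data token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    return header, claims, signing_input, _b64url_decode(parts[2])


def validate_alb_token(token, expected_signer, verify_signature, now=None):
    """Return the user claims only if the token was minted by *our* ALB and is unexpired.

    verify_signature(kid, signing_input, signature) -> bool is injected so the key
    lookup can be swapped; real ALB tokens are ES256-signed with a per-region public key.
    """
    header, claims, signing_input, signature = parse_oidc_data(token)
    # The ALB writes its own ARN into the JWT header's 'signer' field. A token minted by a
    # load balancer in someone else's account is validly signed by AWS but carries a
    # different signer, so this exact match is what pins the token to this deployment.
    if header.get("signer") != expected_signer:
        raise PermissionError("token signed by an unexpected load balancer")
    kid = header.get("kid")
    if not kid or not verify_signature(kid, signing_input, signature):
        raise PermissionError("signature check failed")
    # ALB places 'exp' in the JWT header; fall back to the claims for other token layouts.
    exp = header.get("exp", claims.get("exp"))
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise PermissionError("token expired")
    return claims


def is_accepted(token, expected_signer, verify_signature, now=None) -> bool:
    """Boolean convenience wrapper around validate_alb_token."""
    try:
        validate_alb_token(token, expected_signer, verify_signature, now)
        return True
    except (PermissionError, ValueError):
        return False


# --- Constructed stand-in for the real key lookup, used only to run this example offline ---
DEMO_KEYS = {"demo-kid": b"constructed-demo-secret"}


def demo_verify(kid, signing_input, signature) -> bool:
    """HMAC stand-in for the ES256 verification a target does against the ALB's public key."""
    key = DEMO_KEYS.get(kid)
    if key is None:
        return False
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo_token(signer, exp, kid="demo-kid"):
    """Mint a token in the ALB layout (signer/kid/exp in the header) with the demo key."""
    header = {"alg": "HS256", "kid": kid, "signer": signer, "exp": exp}
    claims = {"sub": "user-123", "email": "user@example.com"}
    encoded = (_b64url_encode(json.dumps(header).encode()) + "."
               + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEYS[kid], encoded.encode("ascii"), hashlib.sha256).digest()
    return encoded + "." + _b64url_encode(sig)


if __name__ == "__main__":
    now = 1_724_716_800  # constructed clock: 2024-08-27 00:00 UTC
    ours = demo_token(EXPECTED_SIGNER, exp=now + 120)
    foreign = demo_token(EXPECTED_SIGNER.replace("123456789012", "999999999999"), exp=now + 120)
    print("own ALB token accepted:", is_accepted(ours, EXPECTED_SIGNER, demo_verify, now))
    print("foreign ALB token accepted:", is_accepted(foreign, EXPECTED_SIGNER, demo_verify, now))
```

The "foreign" token in the demo is signed with the same key as the legitimate one, mirroring the fact that AWS signs tokens for every ALB in a region with the same regional key: its signature verifies cleanly, and only the signer comparison tells it apart. Pairing this check with a target security group that accepts traffic solely from the ALB covers the other half of the AWS guidance.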

Secure configuration of enterprise assets and software is a critical security control. The CIS Community Defense Model documented that establishing and maintaining a secure configuration process (CIS CSC 4) is a safeguard for all five attack types discussed in the defense model. This includes cloud-based assets, for which CIS offers an AWS Foundations Benchmark. Download the benchmark for specific configuration guidance. https://www.cisecurity.org/controls: CIS Critical Security Controls

Curtis Dukes

'Cyclomatic complexity' as measured in metrics like McCabe Complexity in the late 70s/80s proved that 'spaghetti code' (high complexity caused by many paths needing to be tested) inevitably had more errors than low complexity code. Today's equivalent is 'spaghetti code as a service' or maybe we should call it the 'spaghetti cloud' as 35 different services with hundreds of calls back and forth are used to complete a transaction. Software testing tools are starting to evolve in this direction but bad guys and smart pen testers (and bug bounty chasers) are finding the gaps.

John Pescatore

With cloud services, or any other hosted service, you need to follow the provider's security best practices to ensure you're not leaving yourself vulnerable. It's also a good idea to understand what they are doing to ensure their service is secure. What's harder is that you need to watch for updates to these practices, and yeah, adjust accordingly. If you can't sign up for proactive notifications, make a calendar reminder to check regularly. If you haven't verified your ALB authentication configuration recently against best practices, today's a good day.

Lee Neely

Read more in

Miggo: ALBeast Security Advisory by Miggo Research

https://www.miggo.io/resources/albeast-security-advisory-alb-vulnerability

AWS: Security best practices when using ALB authentication

https://aws.amazon.com/blogs/networking-and-content-delivery/security-best-practices-when-using-alb-authentication/

AWS: Shared Responsibility Model

https://aws.amazon.com/compliance/shared-responsibility-model/

Wired: An AWS Configuration Issue Could Expose Thousands of Web Apps

https://www.wired.com/story/aws-application-load-balancer-implementation-compromise/

SC Magazine: 'ALBeast' load balancer flaw may affect 15,000 Amazon Web Services apps

https://www.scmagazine.com/news/albeast-load-balancer-flaw-may-affect-15000-amazon-web-services-apps


2024-08-26

SonicWall Updates Address Improper Access Control Vulnerability

SonicWall has released updates to address what they say is a critical vulnerability in the SonicWall SonicOS management access. The improper access control issue could be exploited to gain unauthorized access to resources, and in some cases, crash the firewall. The vulnerability affects Gen 5 (SOHO), Gen 6 and certain Gen 7 Firewalls.

Editor's Note

The language in the advisory isn't quite clear. Based on the CVSS Score of 9.8, this is not "just" a denial of service vulnerability. Patch now.

Johannes Ullrich

CVE-2024-40766, improper access control, CVSS score of 9.3, requires a firmware update to fix: Gen 5: 5.9.2.14-13o; Gen 6: 6.5.8.2.8-2n or 6.5.4.15.116n (device dependent); Gen 7: install the latest firmware, at a minimum 7.0.1-5035. Additionally, restrict access to WAN management of your firewall.

Lee Neely

2024-08-26

American Radio Relay League Paid $1 Million Ransomware Demand

The American Radio Relay League (ARRL) disclosed that they paid a $1 million ransomware demand in mid-May. ARRL says they paid the threat actors' demand to obtain the decryptor, not to keep data from being leaked. Most ARRL systems have now been restored. According to breach notification documentation filed with Maine's attorney general in July, the breach affected 150 people.

Editor's Note

As a ham radio operator (K3TN), several key applications I use are still down 3 months later. Also, the personal data exposure only impacted a small number of users but the down services impacted several hundred thousand users. Non-profits can use this one as an example of the real world costs of not preventing incidents.

John Pescatore

As a ham operator this attack was disturbing, and while services are not all online, popular services like Logbook of The World (LoTW) - used to record and track contacts with others - are back, and ARRL is forming an Information Technology Advisory Committee to help guide future efforts to remain secure and prevent recurrence. Note to self: no matter how insignificant your organization may look to you, not-for-profit or otherwise, you need to be prepared to repel boarders. ARRL was able to leverage insurance to cover costs here; don't assume that's the magic bullet. Talk to a broker about the realities for your business in your area.

Lee Neely

Two questions are relevant: 1. What security mechanisms were in place at ARRL at time of the attack? 2. What influence did the insurance carrier have in the negotiations? For the first, the answer helps others defend against similar attacks. It's clear that ARRL has made architecture changes to the infrastructure because of the attack. For the second, although it is ultimately the company's decision whether to pay, insurers hold a lot of sway. Should the insurer provide the option to pay the ransom? It's a hotly debated topic.

Curtis Dukes

The ARRL may be our communication system of last resort in the face of catastrophe.

William Hugh Murray

The Rest of the Week's News


2024-08-26

Dept. of Justice Office of Inspector General: FBI Failing to Adequately Manage Sensitive Storage Media

According to the results of an audit conducted by the US Justice Department's Office of Inspector General (DOJ OIG), the Federal Bureau of Investigation (FBI) has not been exercising due caution with its 'management of its inventory and disposition for its electronic storage media.' OIG made three recommendations to address the issues; the FBI has concurred with all three.

Editor's Note

The issue is that while drives with sensitive data are removed for appropriate disposal/destruction, they are neither tracked nor labelled commensurate with the data on them. The systems they were removed from were both labelled and tracked. Points for special handling of sensitive data destruction, minus a bunch for tracking and controlling access to the media before it's wiped. In today's environment you really do need to track sensitive data "cradle to grave." Take a look at cryptographic erasure (NIST SP 800-88) rather than multi-pass wipe or even shredding. Regardless of how you're ensuring data is properly disposed of, make sure that you track media with sensitive data, including restricting physical access, and are validating a sample to ensure it's really not retrievable. https://csrc.nist.gov/pubs/sp/800/88/r1/final: Guidelines for Media Sanitization

Lee Neely

Proper disposal of classified information (SBU, NSI) is a basic requirement of all agencies that handle such information. An individual's clearance would be pulled for leaving classified information unprotected. The FBI's mission requires access to such information but how do you create a culture of security, when basic security requirements are essentially ignored? Accountability has to start at the top and it can't be by simply concurring with the recommendations.

Curtis Dukes

Those in the private sector should check themselves against the findings in these public reports. These findings do not make news because they are unique to one organization, or even rare, but rather because they are likely to be common.

William Hugh Murray

2024-08-26

Seattle-Tacoma International Airport Confirms Cyber Incident Disrupted IT Operations

The Port of Seattle, which operates Seattle-Tacoma International Airport, is investigating a 'possible cyberattack' that disrupted operations and delayed flights. The incident began over the weekend. Both Alaska Airlines, which has a hub at the airport, and the Transportation Security Administration (TSA) reported experiencing no disruptions.

Editor's Note

The idea of adding 'cyber event' to the list of travel delays to allow for is disturbing. In this case, travelers were able to check in and obtain boarding passes and flight status through airline online (mobile/web) apps, while in-airport ticket counters had to fall back to paper tickets. The baggage handling/sorting system was also affected, resulting in warnings to passengers to only bring carry-on bags. It appears threat actors are evolving their attacks on critical infrastructure faster than security improvements can be made, which is likely exacerbated by the number of interconnected systems that come together to provide the services we expect.

Lee Neely

In the last few months, we have seen how fragile our airport infrastructure systems are. I call it the Hospital problem. Hospitals have historically had a hard time understanding the risks of cyber, until ransomware came along and consistently disrupted hospitals' operations. Will that be what it takes for our OT operators to pay attention to things like water, power, and airports? CrowdStrike's outage was a wakeup call.

Moses Frost

For too long we have relied on organisations and vendors to ensure appropriate levels of security are in place to protect critical infrastructure. However, we regularly see organisations fail cybersecurity audits or indeed be victims of cyberattacks. We are now at the stage where we need such organisations.

Brian Honan

2024-08-26

Dutch Data Protection Authority Fines Uber Over GDPR Violation

Autoriteit Persoonsgegevens, AP, the Dutch Data Protection Authority (DPA) has fined Uber €290 million ($324 million) for violations of the European Union's General Data Protection Regulation (GDPR). The Dutch DPA says that Uber transferred European drivers' personal information to the US without properly protecting the data. Uber has reportedly ended the problematic practice.

Editor's Note

In 2018, we saw many organisations rush to become compliant with the requirements of the EU General Data Protection Regulation (GDPR). This is a timely reminder that compliance with the EU GDPR is a journey and not a destination, particularly for organisations that regularly transfer personal data of EU data subjects outside of the EU. If your organisation does transfer such data then you should consider conducting a Transfer Impact Assessment (TIA) and reviewing this guidance from the European Data Protection Board. https://www.edpb.europa.eu/sme-data-protection-guide/international-data-transfers_en: International data transfers

Brian Honan

2024-08-23

Halliburton Discloses Cybersecurity Incident

Oil field services company Halliburton has confirmed that they suffered a cyberattack last week. In an August 22 filing with the US Securities and Exchange Commission (SEC), Halliburton wrote that they became aware of the incident on August 21 and took certain systems offline to mitigate the situation and prevent it from spreading. In May, the US Transportation Security Administration (TSA) renewed a security directive requiring 'owners and operators of a hazardous liquid and natural gas pipeline or a liquefied natural gas facility notified by TSA that their pipeline system or facility is critical' to implement certain security measures, which include developing incident response plans and network segmentation.

Editor's Note

While there is still a lot of mystery here, it is clear that Halliburton executed their response plan, proactively taking sensitive systems offline to prevent further impact. Beyond having a response plan, and proactively taking systems offline to contain an incident, you also need to make sure that you're paying attention to cyber hygiene. Too often hackers are hitting unpatched vulnerabilities or systems inappropriately exposed to the Internet, or even other insecure systems. Regardless of how you like the term ZTA, one of the core ideas is important - connections need to not only check for user trustworthiness, but also the suitability of the system. If a system doesn't meet minimum security standards, don't allow it on your net.

Lee Neely

While it has yet to be determined to be a ransomware attack, it bears all the hallmarks of one. Many of the TSA security requirements speak to incident planning and notification. To be effective against ransomware attacks, review the Blueprint for Ransomware Defense, hosted by the Institute for Security and Technology. https://securityandtechnology.org/ransomwaretaskforce/blueprint-for-ransomware-defense/: Blueprint for Ransomware Defense

Curtis Dukes

2024-08-26

Credit Union Says Member Data Were Compromised in MOVEit Attack Last Year

On August 23, Texas Dow Employees Credit Union (TDECU) began notifying 500,000 members that their personal data were compromised in an attack last year. The threat actors compromised the data by exploiting the MOVEit file transfer software vulnerability. TDECU says they learned on July 30, 2024, that the data had been compromised.

Editor's Note

Discovering in June of 2024 that data was exfiltrated in May of 2023 is a bit distressing. TDECU, with 4.8 billion in assets and 500,000 members, is not a small financial institution, #85 out of 4600 in the US. While TDECU engaged experts to determine if their data were compromised, it still took a year to make a determination. There is a red flag there that should be addressed for future engagements. Even so, it's important to note that even though the information hasn't appeared on the dark web, TDECU is offering 12 months of credit monitoring/protection to their affected members, providing guidance to members and being as transparent as possible. One hopes TDECU has moved to a different, more modern, file interchange service. In today's climate, where members are inclined to switch financial institutions as quickly as they change clothes, they are now going to have to focus on showing how recurrence is being prevented to retain members.

Lee Neely

2024-08-24

Recent CISA Known Exploited Vulnerabilities Catalog Entries

Over the past several days, the US Cybersecurity and Infrastructure Security Agency (CISA) has added two security issues to their Known Exploited Vulnerabilities (KEV) catalog. A high-severity type-confusion vulnerability (CVE-2024-7971) in the V8 JavaScript and WebAssembly engine in Google Chrome 'allowed a remote attacker to exploit heap corruption via a crafted HTML page.' Federal Civilian Executive Branch (FCEB) agencies have until September 16 to mitigate this issue. A medium-severity dangerous file type upload vulnerability (CVE-2024-39717) in Versa Director could be exploited to upload malicious files. FCEB agencies have until September 13 to mitigate this vulnerability. Other recently added entries include a pair of Dahua IP Camera authentication bypass issues, a Linux Kernel heap-based buffer overflow vulnerability, a Microsoft Exchange Server information disclosure vulnerability, and a Jenkins Command Line Interface (CLI) path traversal vulnerability.

Editor's Note

Not a bad idea to take a gander at the KEV to see what other (known exploited) vulnerabilities are out there. As MS Exchange is on the list again: I'm going to encourage you to challenge the need for an on-premises Exchange server.

Lee Neely
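An added example, not part of the newsletter, of the habit recommended above: read the KEV and compare it against your own inventory. It parses a constructed excerpt in the shape of CISA's KEV JSON feed (the two CVE IDs and due dates are the ones reported in this item; the third entry and the host inventory are invented), joins it to a list of assets by vendor and product, and reports what is due within a window, overdue items included.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed. The first two entries use the
# CVE IDs and FCEB due dates reported in this issue; the third is a placeholder that matches
# nothing in the inventory below.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-7971", "vendorProject": "Google", "product": "Chrome",
         "vulnerabilityName": "Google Chrome V8 Type Confusion Vulnerability",
         "dueDate": "2024-09-16", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-39717", "vendorProject": "Versa", "product": "Director",
         "vulnerabilityName": "Versa Director Dangerous File Type Upload Vulnerability",
         "dueDate": "2024-09-13", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "vulnerabilityName": "Constructed placeholder entry",
         "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory; Exchange is listed to show an asset with no matching entry.
INVENTORY = [
    {"host": "web-01", "vendor": "Google", "product": "Chrome"},
    {"host": "sdwan-ctl", "vendor": "Versa", "product": "Director"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server"},
]


def load_kev(feed_json: str):
    """Return the 'vulnerabilities' array from a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def match_kev_to_inventory(entries, inventory, today: str, window_days: int = 30):
    """List KEV entries for inventory products whose due date falls within window_days.

    Overdue entries (negative daysLeft) are always included. Matching is a case-insensitive
    exact match on vendor and product; real inventories usually need a normalisation table
    because vendor and product strings rarely line up with the catalog's naming.
    """
    as_of = date.fromisoformat(today)
    index = {}
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)

    rows = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            days_left = (date.fromisoformat(entry["dueDate"]) - as_of).days
            if days_left <= window_days:
                rows.append({
                    "cveID": entry["cveID"],
                    "host": asset["host"],
                    "name": entry["vulnerabilityName"],
                    "dueDate": entry["dueDate"],
                    "daysLeft": days_left,
                })
    # Most urgent first: overdue, then soonest due date.
    rows.sort(key=lambda r: (r["daysLeft"], r["cveID"]))
    return rows


if __name__ == "__main__":
    for row in match_kev_to_inventory(load_kev(KEV_FEED_JSON), INVENTORY, "2024-08-27"):
        status = "OVERDUE" if row["daysLeft"] < 0 else f"{row['daysLeft']} days left"
        print(f"{row['cveID']:16} {row['host']:10} due {row['dueDate']} ({status})")
```

Run against the live feed, the constructed KEV_FEED_JSON string is replaced by the downloaded catalog and the window is whatever your own patch policy requires; the FCEB deadlines in the feed are a useful yardstick even for organisations that are not bound by them.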

Internet Storm Center Tech Corner