SANS NewsBites

Patch IPv6 Flaw Now; Microsoft's Endpoint Security Ecosystem Summit will Not be Open to the Press; Companies are Opting Out of Letting Apple Scrape Data for AI Training

August 30, 2024  |  Volume XXVI - Issue #67

Top of the News


2024-08-28

POC Code for Critical IPv6 Flaw has Been Released

Users are urged to update Windows to ensure they have addressed CVE-2024-38063, a critical remote code execution vulnerability that Microsoft released on Tuesday, August 13 as part of their August Patch Tuesday. Proof-of-concept exploit code for the integer underflow issue has been made available.

Editor's Note

Luckily, the released code will only cause a system to crash, and triggering even the DoS condition is not fully reliable. Finding paths to code execution will be tricky. Let's hope exploit developers are not going to surprise us with a solution anytime soon.

Johannes Ullrich

This one is still fragile as an exploit, but it works. However, the exploit is complicated and, over time, may be weaponized. I'm not a fan of disabling IPv6 at the network adapter layer, as I've been through this movie before. We had the same conversations in the Novell IPX/SPX and IPv4 days. Once you get to enabling IPv6, you may find it's not as easy as disabling it. I prefer to patch the systems and properly route IPv6; if you cannot, disable IPv6. Do not leave IPv6 untouched; that is also a vector for adversary-in-the-middle attacks.

Moses Frost

You're thinking, 'Switch to IPv6 they said; it'll be secure they said.' They weren't wrong - implementation details are where things can go south. At the time the patch was released on August 13, there weren't any known POCs or exploits. If you've already rolled out the update, you're good. If you're still doing analysis, time to step it up. Then go back and make sure you're following the current best practices for a secure IPv6 rollout.

Lee Neely

2024-08-27

Microsoft Endpoint Security Ecosystem Summit

Microsoft will host a Windows Endpoint Security Ecosystem Summit on September 10. The event will allow 'Microsoft, CrowdStrike and key partners who deliver endpoint security technologies [to] come together for discussions about improving resiliency and protecting mutual customers' critical infrastructure.' Microsoft is also inviting government representatives to the meeting. A Microsoft spokesperson told the Register that the meeting will not be open to the press.

Editor's Note

Way back in 2003, Microsoft acquired GeCAD, a Romanian antivirus software company, and I wrote a Gartner research note urging Microsoft to change the game by making Windows and Office apps more secure and not just join in on endpoint security revenue (projected to be over $5B in the US in 2024) - revenue which largely exists because of Microsoft's vulnerable code and Microsoft's refusal to force Windows users away from reusable passwords. This area is kind of like the profit attractiveness of drugs to alleviate symptoms vs. development of cures for causes of disease.

John Pescatore

It's common for Microsoft to ask vendors to come in and discuss their products. I suspect this may be the first time all the vendors are at the same conference on the same topic.

Moses Frost

A not unexpected follow-on event after the CrowdStrike incident. Cyber Resiliency is critical and making sure our endpoints are as robust as possible, to include detection and prevention of attacks, is a key component here. Part of the discussion will be the efficacy of removing kernel access, something Apple has been working on for the last few years; it's not simple and has nominal return. Even so, cyber improvements are likely to come in small increments.

Lee Neely

2024-08-29

Opting Out of Apple's AI Scraping

Apple's Applebot web-crawler has a secondary user agent, Applebot-Extended, that gives web publishers additional controls over how their website content can be used by Apple. Since the user agent's introduction several months ago, a sizeable number of news outlets and social media platforms, including the New York Times, Condé Nast, Instagram, and Facebook, have opted out of allowing Applebot to scrape data from their sites for AI training.

Editor's Note

Unlike traditional search engine web crawlers, AI bots will obscure the original source of any information they acquire to train their models. Even if asked for a reference, AI bots in the past have often made up fictitious references. Copyright holders are rightfully concerned about the use of their work by AI bots without being provided any credit or compensation.

Johannes Ullrich

On the Red Team my first thought is, what happens when I switch my user agents around and become one of these bots? It's always interesting.

Moses Frost

Applebot respects directives in your robots.txt file, for user-agent Applebot or Googlebot. The directive blocks the data on your site from being used to train their LLM. Google's AI-specific bot, Google-Extended, is blocked by about 43% of websites while OpenAI is blocked by about 53%. Apple competitors like OpenAI and Perplexity are negotiating partnerships with news outlets, social platforms and other sites to allow processing their content. Speculation is businesses want to withhold data until a partnership (typically paid) is established. If you have copyrighted content, you likely don't want the LLMs trained on it; update your robots.txt. With the plethora of new AI bots, consider wildcards to avoid perpetual updates.

Lee Neely
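An added example, not from the newsletter, Apple or Google: a small Python audit that parses a robots.txt and reports which AI-training user agents are actually opted out, using the standard-library parser. The sample robots.txt is constructed for this example; the agent list assumes the Applebot-Extended and Google-Extended names given above plus OpenAI's GPTBot.

```python
"""Audit a robots.txt for AI-training crawler opt-outs (added example)."""
from urllib.robotparser import RobotFileParser

# Constructed sample: opts out of Apple's and Google's AI-training agents
# entirely, while leaving ordinary search crawlers free to index the site.
SAMPLE_ROBOTS_TXT = """\
User-agent: Applebot-Extended
Disallow: /

User-agent: Google-Extended
Disallow: /

User-agent: *
Disallow: /admin/
"""

# Assumed list of AI-training user agents to audit; extend as vendors add bots.
AI_TRAINING_AGENTS = ["Applebot-Extended", "Google-Extended", "GPTBot"]


def load_rules(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text into a RobotFileParser without any network access."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def audit_ai_optouts(robots_txt: str, url: str, agents=AI_TRAINING_AGENTS) -> dict:
    """Return {agent: True if the agent is blocked from `url`, else False}.

    An agent with no group of its own falls through to the '*' rules, which is
    why GPTBot is still allowed to fetch ordinary pages in the sample above."""
    rules = load_rules(robots_txt)
    return {agent: not rules.can_fetch(agent, url) for agent in agents}


def with_optout(robots_txt: str, agent: str) -> str:
    """Prepend a full-site Disallow group for `agent` (the fix for a missing opt-out)."""
    return f"User-agent: {agent}\nDisallow: /\n\n" + robots_txt


if __name__ == "__main__":
    page = "https://example.com/news/story"
    for agent, blocked in audit_ai_optouts(SAMPLE_ROBOTS_TXT, page).items():
        print(f"{agent:18s} {'blocked' if blocked else 'ALLOWED (no opt-out)'}")
    fixed = with_optout(SAMPLE_ROBOTS_TXT, "GPTBot")
    print("after fix:", audit_ai_optouts(fixed, page))
```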

The Rest of the Week's News


2024-08-28

Botnet Campaign Exploits Multiple Vulnerabilities to Spread Mirai

Researchers from Akamai's Security Intelligence and Response Team (SIRT) have observed a botnet campaign that spreads a Mirai variant. The campaign exploits several known vulnerabilities as well as a zero-day command injection issue (CVE-2024-7029) affecting AVTECH IP cameras. The Akamai write-up includes indicators of compromise.

Editor's Note

CVE-2024-7029 can be exploited over the network without authentication. There isn't a patch for the cameras, so you need to restrict access and monitor for unexpected activity. Mirai continues to be used to exploit unpatched/vulnerable IoT devices, so it's a good time to make sure you're both patching and defending these devices, particularly SOHO and other "set and forget" items, which easily fall off the radar because they "just work."

Lee Neely

2024-08-28

Fortra Patches FileCatalyst Workflow Vulnerability

Users of Fortra's FileCatalyst Workflow are urged to update their instances to version 5.1.7 or later. The update addresses two vulnerabilities: a critical default credential exposure vulnerability (CVE-2024-6633) and a high-severity SQL injection vulnerability (CVE-2024-6632). Both flaws were discovered by researchers from Tenable in early July.

Editor's Note

Two issues here: First, the default setup HSQLDB database credentials were published in a support article. The database was not intended for production use, but some sites missed the guidance to create a replacement, and it is deprecated. Second is a SQLi flaw in their workflow, which requires an update to 5.1.7 to fix. Make sure you're not using the default HSQLDB and if you are, limit access (it listens on port 4406), and then follow the guidance to create a replacement.

Lee Neely

2024-08-29

#StopRansomware Warning: RansomHub

A joint #StopRansomware cybersecurity advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) contains information relevant to RansomHub ransomware-as-a-service (RaaS). The document lists technical details, including the vulnerabilities RansomHub threat actors exploit for initial access, as well as indicators of compromise and tactics, techniques, and procedures.

Editor's Note

Definitely a good document to brush up on your ransomware defenses. First and foremost, make sure you're using phishing-resistant MFA wherever possible, eliminate SMS and phone-call-based two-factor, and make sure users are trained to recognize and report phishing attempts. You'll likely find your products already have the foundation you need to support MFA; this is more a matter of creating (and executing) an implementation plan than rolling up a truckload of new products.

Lee Neely

2024-08-28

Dutch Defense Ministry Data Center Malfunction

A malfunction at a Dutch Ministry of Defense (MoD) data center is disrupting civilian air traffic control systems, emergency services communications, and preventing MoD civilian employees and others using the same network from accessing workstations. It has also prevented the Dutch National Cyber Security Centre (NCSC-NL) from sending out security advice. As of August 28, MoD did not know the cause of the malfunction.

Editor's Note

Not a lot of specifics are being shared. The Dutch Ministry of Defense is categorizing this as login problems with some service impacts due to phones being offline. The outage is impacting flights to Eindhoven airport, which serves as a military base; Schiphol, the country's largest airport, remains unaffected. Given the impact on civilian travelers, it's reasonable to expect better communications on the outage, impacts and related activities.

Lee Neely

I suspect they will revisit connectivity to other networks as part of the After Action Report (AAR) and look to segment those networks.

Curtis Dukes

2024-08-29

Employee Arrested for Alleged Data Extortion

US law enforcement authorities have arrested a core infrastructure engineer for allegedly attempting to extort funds from his former employer. Daniel Rhyne faces charges of extortion in relation to a threat to cause damage to a protected computer, intentional damage to a protected computer, and wire fraud. In November 2023, some of the company employees received an email warning that all IT admins had been locked out of the company's network, that server backups had been deleted, and more servers would be shut down every day a ransom demand was not paid. Rhyne was arrested on August 27, 2024.

Editor's Note

The phrase "if this goes sideways, delete my browser history" comes to mind. While a privileged insider is tricky to prevent, particularly one with global admin, enforced MFA and monitoring can raise the bar.

Lee Neely

The court documents call into question the skillset of Mr. Rhyne as an infrastructure engineer. At a minimum, he didn't seem to have familiarity with the 'command line' interface. Oh well, score one for the good guys although it doesn't seem that they had to work that hard to find and charge the culprit.

Curtis Dukes

2024-08-28

Dick's Sporting Goods Discloses Cyber Incident

In a form 8-K filing with the US Securities and Exchange Commission (SEC), Dick's Sporting Goods says that they 'discovered unauthorized third-party access to its information systems' on August 21. Dick's activated their cybersecurity incident response plan and brought in third-party experts.

Editor's Note

So far, Dick's is reporting that this didn't have a substantive impact on their operations, and ransomware wasn't in play. Store phone systems are offline, and employees are reporting that email and other accounts are locked, and access is only being restored after re-verification of employee identities on-camera, indicating the entry point was a compromised credential. Oddly, employees are being told the account lockouts were due to planned activity rather than the cyber incident and further information would be relayed via personal email or text messages rather than relying on the offline internal systems. Employees are being directed not to discuss the incident publicly or put anything in writing. Better guidance would be to direct any inquiries to the communication team.

DICK'S shuts down email, locks employee accounts after cyberattack: https://www.bleepingcomputer.com/news/security/dicks-shuts-down-email-locks-employee-accounts-after-cyberattack/

Lee Neely

Internet Storm Center Tech Corner

Why is Python so Popular to Infect Windows Hosts

https://isc.sans.edu/diary/Why+Is+Python+so+Popular+to+Infect+Windows+Hosts/31208

Live Patching DLLs with Python

https://isc.sans.edu/diary/Live+Patching+DLLs+with+Python/31218

Vega-Lite With Kibana To Parse and Display IP Activity Over Time

https://isc.sans.edu/diary/VegaLite+with+Kibana+to+Parse+and+Display+IP+Activity+over+Time/31210

OFBiz Vulnerability Update

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://nvd.nist.gov/vuln/detail/CVE-2024-38856

Versa Director Vulnerability Exploited

https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/

Google Chrome Vulnerability Exploited

https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html

SGX Key Leak

https://x.com/_markel___/status/1828112469010596347

Attack tool update impairs Windows computers

https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

Confluence Vulnerability Exploited for Crypto Miners

https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html

Fortra FileCatalyst Workflow Hard Coded HSQLDB Credentials

https://www.fortra.com/security/advisories/product-security/fi-2024-011

Global Protect Phishing

https://www.trendmicro.com/en_us/research/24/h/threat-actors-target-middle-east-using-fake-tool.html

BlackByte Ransomware Update

https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecraft-with-newly-disclosed-vulnerabilities-to-support-ongoing-attacks/

The Risks Lurking in Publicly Exposed GenAI Development Services

https://www.legitsecurity.com/blog/the-risks-lurking-in-publicly-exposed-genai-development-services

Finding Lateral Movement of Adversaries Through the Noise of Systems Administration

https://www.sans.edu/cyber-research/finding-lateral-movement-adversaries-through-noise-systems-administration/

YouTube Channel: https://www.youtube.com/c/CyberAttackDefense