SANS NewsBites

Internet Routing Security Enhancement Roadmap; Security Camera Company Faces Financial Repercussions Over Inadequate Data Security and CAN-SPAM Violations

September 6, 2024  |  Volume XXVI - Issue #68

Top of the News


2024-09-04

White House: Internet Routing Security Enhancement Roadmap

The White House Office of the National Cyber Director has published a roadmap to enhancing Internet routing security. The document “aims to address a key security vulnerability associated with the Border Gateway Protocol (BGP),” and advocates for the adoption of Resource Public Key Infrastructure (RPKI). The roadmap offers recommended actions for network operators, network service providers, Federal Government and Communications and Information Technology Sector Stakeholder Collaboration, and policy actions specific to the federal government.

Editor's Note

Combatting all forms of hijacking and forgery requires strong authentication and integrity services, which in turn need reliable and ubiquitous cryptographic key infrastructure services – BGP and RPKI is just one example. The US government needs to use its market power to require all suppliers and recipients of government funding to move to strongly protected services – much the way years ago the US federal government required strong crypto to be used in browsers and that drove the overall adoption and improvement of SSL.

John Pescatore

Improvements in routing security have been ongoing. Many larger ISPs have implemented RPKI over the last few years. Let’s hope this initiative will help us cross the finish line to a more secure routing infrastructure.

Johannes Ullrich

This directive is intended to require network providers to implement ROA, RPKI and ROV, which are the current best practices for BGP security, including disclosure of the status of those implementations, ultimately resulting in restrictions or requirements in purchase agreements or contracts. This follows the June requirement from the FCC for the nine largest US broadband providers to file confidential reports on their plans to bolster BGP security. At this point about 70% of BGP route originations on the global Internet are ROA-valid.

Lee Neely

It is high time this issue was addressed. We need a robust, resilient, and trustworthy infrastructure. That said, a quarter of a century of history and experience suggests that it represents a tolerable risk.

William Hugh Murray

Setting up the infrastructure for RPKI comes at additional cost and complexity; and that, perhaps, is the reason it hasn’t been implemented in North America. Absent a mandate by the USG, it’s just another nice document to put on the shelf.

Curtis Dukes
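To make the ROA/RPKI/ROV terms in the notes above concrete, here is an added example (not code from the roadmap or from NewsBites) of Route Origin Validation as RFC 6811 defines it: a BGP origination is checked against Route Origin Authorizations and classed as valid, invalid or not-found. The ROAs and routes are constructed samples using documentation prefixes and private ASNs.

```python
# Added example (not from the roadmap or NewsBites): Route Origin Validation
# per RFC 6811. ROAs and routes below are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # covered prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder authorizes
    asn: int         # authorized origin AS; AS0 means nobody may originate it


def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one origination.

    A ROA *covers* the route when the route prefix lies inside the ROA prefix.
    It *matches* when it covers the route, the route's length does not exceed
    maxLength, and the origin ASN equals the ROA ASN (AS0 never matches).
    Any match -> valid; covered but no match -> invalid; none -> not-found.
    """
    route = ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if (route.prefixlen <= roa.max_length
                and roa.asn != 0 and roa.asn == origin_asn):
            return "valid"
    return "invalid" if covered else "not-found"


def valid_share(routes, roas) -> float:
    """Fraction of (prefix, origin ASN) pairs that are ROA-valid."""
    results = [validate_origin(p, asn, roas) for p, asn in routes]
    return sum(r == "valid" for r in results) / len(results)


# Constructed sample ROAs: TEST-NET prefixes, private ASNs 64500/64501.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),   # /22 may be announced as /22../24
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: no origin is authorized
)

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("192.0.2.0/24", 64499), ("10.0.0.0/8", 64500)]:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS))
```

A router doing ROV drops or depreferences "invalid" originations; "not-found" is why the 70% figure matters, since uncovered prefixes still get no protection.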

2024-09-05

Security Camera Vendor Verkada Faces $2.95 Million Fine Over CAN-SPAM Act Violation

The US Federal Trade Commission (FTC) intends to fine security camera company Verkada nearly $3 million for violating the US CAN-SPAM Act, which requires entities to offer a means of opting out of receiving emails from them. The FTC will also require Verkada to develop and implement an information security program; Verkada failed to adequately protect customer data, and intruders were able to access customers’ cameras.

Editor's Note

The Verkada incident started in 2021, when credentials were compromised, allowing access to as many as 150,000 CCTV cameras. The investigation then revealed many security flaws, including lack of data protection and even possible HIPAA violations. Now, in addition to the fine, they need to not only address the shortfalls but also implement a security program for the next twenty years. The FTC is putting companies on notice that they need to take protecting customer data seriously.

Lee Neely

Interesting settlement, using an email SPAM law to focus attention on a non-existent information security program. Might I suggest the CIS Critical Security Controls, Implementation Group 1, as the cybersecurity framework to use for the next 20 years. https://www.cisecurity.org/controls/implementation-groups/ig1

Curtis Dukes

The Rest of the Week's News


2024-09-04

Cryptographic Flaw in YubiKey 5

Researchers from NinjaLab have detected a cryptographic flaw in the YubiKey 5 FIDO-based two-factor authentication hardware token. According to the researchers, an attacker with physical access to the token could exploit the side-channel flaw to clone it. The vulnerability affects all YubiKeys running firmware older than version 5.7; YubiKey firmware cannot be updated.

Editor's Note

There is no need to panic. Extracting the secrets not only requires physical access, but also requires the attacker to open the key, which is usually destructive to the housing. Remind users to properly secure keys with PINs and expedite reporting of misplaced keys.

Johannes Ullrich

The flaw is specific to the Infineon ECDSA implementation and could be used to recover ECDSA private keys. Exploiting it requires physical access to the device, knowledge of the accounts the attacker wishes to compromise, the device PIN or authentication key, expensive equipment, and expertise. Risks to the FIDO key can be reduced by requiring more frequent FIDO authentication. Risks to PIV/OpenPGP signing keys can be mitigated by using the RSA algorithms. Yubico has removed the Infineon cryptographic library in favor of their own library in current devices. Historically, Yubico has addressed security flaws by working with customers to issue replacement devices, as the firmware doesn't support updates.

Lee Neely

2024-09-04

Zyxel Releases Updates to Address Multiple Vulnerabilities in Routers and Firewalls

Zyxel has released eight security updates to fix vulnerabilities in multiple products, including CVE-2024-7261, a critical OS command injection vulnerability in certain access point and security router versions; the issue affects dozens of products. The seven other vulnerabilities have CVSS scores ranging from 4.9 to 8.1 and affect various Zyxel firewalls.

Editor's Note

CVE-2024-7261 has a CVSS score of 9.8 and is due to lack of input sanitization. This CVE affects different products than the other seven CVEs. The fix is for you to update to the most current firmware; there is no workaround, with the exception of their security router, which should have auto-updated. Refer to the Zyxel support articles for your specific products, as updates are only released for supported products.

Lee Neely

2024-09-05

Transport for London Cybersecurity Incident

Transport for London (TfL), the UK government organization that manages London’s public transportation system, is experiencing a cyber incident. The issue reportedly affects TfL’s corporate backroom systems. According to BBC London, TfL has asked employees to work from home. The ongoing incident began September 2.

Editor's Note

We are at the point where services, such as the Oyster portal, are offline, but TfL is not providing specifics, and rumors about what happened are flying. Saying all is well, declining to comment on reported details, yet turning off or disabling services isn't ideal. Make sure your communication plan includes as much transparency as possible. By day four, you should have identified entry points and potential root causes. Don't assume communication to staff will not be released to the media.

Lee Neely

My question: does this sort of response help, or is it simply a lawyer-crafted response to a regulatory requirement?

Curtis Dukes

2024-09-05

Tewkesbury Borough Council Suffers Cyberattack

The Tewkesbury Borough Council in Gloucestershire, UK, is in the process of recovering from a cyberattack. The borough, which has nearly 100,000 residents, is also home to the UK’s Government Communications Headquarters (GCHQ). A statement on the council’s website says, “We are having to assume that our systems have been compromised, and we are taking the necessary cyber response steps, including shutting down our systems.”

Editor's Note

Tewkesbury is still assessing the impact of the attack; it appears to have had no impact on GCHQ. The UK is seeing a surge of incidents, with 160 reported in 2023 as opposed to 176 for the prior four years, and 30 incidents declared in the first quarter of 2024. The trend in these attacks is to exfiltrate personal data and try to leverage that data to get the companies to pay the ransom demand.

Lee Neely

2024-09-03

Swatting Indictment

A recently unsealed US federal indictment identifies two people – Thomasz Szabo, 26, of Romania, and Nemanja Radovanovic, 21, of Serbia – who were behind a swatting attack that targeted Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly in December 2023. The pair also targeted a former US president, US legislators, and senior law enforcement officials.

Editor's Note

There is a long laundry list of actions these two took, from threats to swatting to compromising PII, all of which tied up response resources. The indictment puts would-be perpetrators on notice this is not a consequence-free prank.

Lee Neely

2024-09-03

Updated 8-K: Halliburton: Intruders Accessed and Exfiltrated Data

Halliburton has submitted an updated 8-K filing with the US Securities and Exchange Commission (SEC) that says they believe an “unauthorized third party accessed and exfiltrated information from the Company’s systems.” Halliburton also says the incident disrupted and limited access to parts of their IT system. An earlier 8-K filing (August 21) indicated that the company was aware of unauthorized third-party access to their system and that the company had activated their cybersecurity response plan.

Editor's Note

Halliburton is one of the world's largest fracking operators, and as such is a critical infrastructure target. This attack has been attributed to the RansomHub ransomware gang, whose activities were described in the CISA, FBI, HHS and MS-ISAC joint advisory AA24-242A, #StopRansomware: RansomHub Ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a

Lee Neely

As expected, a ransomware attack. We still have weeks to go before we find out what sort of data was exfiltrated.

Curtis Dukes

2024-09-05

Updated 8-K: Microchip Technology Says Intruders Stole Personal Data

In an updated 8-K filing with the US Securities and Exchange Commission (SEC), Microchip Technology says they believe that intruders “obtained information stored in certain Company IT systems, including, for example, employee contact information and some encrypted and hashed passwords” during a cybersecurity incident last month. An August 20 8-K filing from Microchip Technology indicated that servers and operations had been disrupted, and that affected systems had been isolated.

Editor's Note

Microchip is still validating their claims for legitimacy and has restored critical systems, resumed order processing and shipping; while the recovery is not complete, indications are they will not be paying any ransom.

Lee Neely

Again, no mention of financial materiality. This kind of defensive reporting is defeating the purpose of the requirement to report, i.e., to inform investment decisions.

William Hugh Murray

Internet Storm Center Tech Corner

Wireshark 4.4: Converting Display Filters to BPF Capture Filters

https://isc.sans.edu/diary/Wireshark+44+Converting+Display+Filters+to+BPF+Capture+Filters/31224

Protected OOXML Text Documents

https://isc.sans.edu/diary/Protected+OOXML+Text+Documents/31078

Scans for Moodle Learning Platform Following Recent Update

https://isc.sans.edu/diary/Scans+for+Moodle+Learning+Platform+Following+Recent+Update/31230

Enrichment Data: Keeping it Fresh

https://isc.sans.edu/diary/Enrichment+Data+Keeping+it+Fresh/31236

Veeam Update

https://www.veeam.com/kb4649

New OFBiz Vulnerabilities

https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/

Cisco Smart License Manager Patches

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw

PyPI Revival Hijack

https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/

Android Updates

https://source.android.com/docs/security/bulletin/2024-09-01

MediaTek wappd PoC Exploit

https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html#wrapping-up

Sextortion E-Mails with Photos

https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/

Zyxel OS Command Injection Vulnerability

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-os-command-injection-vulnerability-in-aps-and-security-router-devices-09-03-2024

D-Link DIR-846W Unpatched RCE Vulnerabilities

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10411

VMware Privilege Escalation Vulnerability CVE-2024-38811

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24939

YubiKey Sidechannel Attack

https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf

https://www.yubico.com/support/security-advisories/ysa-2024-03/

GitHub Comments Used to Spread Malware

https://www.reddit.com/r/Malware/comments/1f2n1h4/comment/lkbi5gi/

Voldemort Malware Curses Orgs Using Global Tax Authorities

https://www.darkreading.com/threat-intelligence/voldemort-malware-curses-orgs-global-tax-authorities

Analysis of CVE-2024-43044: From file read to RCE in Jenkins through agents

https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/