SANS NewsBites

Port of Seattle Won't Pay Ransomware Demand; CISA Election Cybersecurity Checklist; D-Link Patches

September 17, 2024  |  Volume XXVI - Issue #71

Top of the News


2024-09-13

CISA Directs Agencies to Update or Remove Ivanti Cloud Service Appliance

On Friday, September 13, Ivanti updated an advisory for a vulnerability in their Cloud Service Appliance (CSA) that was originally released on September 10. The high-severity OS command injection vulnerability (CVE-2024-8190) affects CSA version 4.6, which 'is End-of-Life, and no longer receives patches for OS or third-party libraries.' While Ivanti has released a fix for CSA 4.6, it is the final patch that will be backported for this version; users are urged to upgrade to CSA 5.0. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8190 to their Known Exploited Vulnerabilities Catalog; federal civilian executive branch agencies have until October 4 to remove CSA 4.6 and/or upgrade to CSA 5.0.

Editor's Note

Two points: (1) This is a decision that needs to be made in advance of any incident; and (2) It is a decision that is above the grade of the CISO. When decisions are made to take a risk (like not patching critical vulnerabilities or not moving to phishing-resistant authentication), it is time to reach agreement on what will be done if the risk is realized. At a minimum, a table-top exercise each year to walk through reaction/communication/restoration plans and costs should be done.

John Pescatore

The Port of Seattle has brought many systems back online, but some remain offline, such as their website, SEA Visitor Pass, TSA wait times, and the flySEA app. The port is keeping their site updated with status and FAQs, as well as contact guidance to help those impacted by the offline services.

Lee Neely

Not surprising that a state government agency chose not to pay the ransom demand. That'd just be a bad, bad look if they had. It would be helpful in any after-action report to know what led to the compromise so others can learn from this event. Said another way, what defenses were in place and what did the ransomware gang exploit to gain access?

Curtis Dukes

Without suggesting that mitigation after a ransomware attack is more efficient than prevention, continued success of ransomware attacks suggests a mitigation strategy that provides for the backup and recovery of mission critical applications in hours to days. The traditional 3-2-1 copy strategy does not facilitate this. Think hot backups.

William Hugh Murray

2024-09-16

CISA's Election Infrastructure Security Checklist

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity checklist for organizations that are part of the election infrastructure. The checklist is designed as a list of questions broken down into topical sections: phishing attempts targeting your email; distributed denial-of-service (DDoS) targeting your websites; ransomware targeting your network; and known exploited vulnerabilities and your internet-facing systems. The document also includes a list of resources and cybersecurity quick tips.

Editor's Note

If you're hosting/managing election infrastructure, you need to run down this checklist quickly so you have time to remediate any deficiencies. The rest of us need to use this to make sure we're securing our critical infrastructure. This checklist (and resources list) is not specific to election systems, encapsulating what has to become table stakes for any internet facing services.

Lee Neely

A reasonable set of questions, in the form of a checklist, that every information security manager should be asking. Or you could just implement group one of the CIS Critical Security Controls. In other words, nothing new here, just repackaging of good practical cybersecurity advice.

Curtis Dukes

2024-09-16

D-Link Patches Five Vulnerabilities

D-Link has released updates to address a total of five vulnerabilities affecting three of the company's router models. The flaws were reported to D-Link by the Taiwan Computer Emergency Response Team (TWCERT). Three of the vulnerabilities are critical; the remaining two are high-severity. Users are urged to upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

Editor's Note

CVE-2024-45694 (stack-based buffer overflow, CVSS score 9.8), CVE-2024-45695 (stack-based buffer overflow, CVSS score 9.8), CVE-2024-45696 (force enablement of telnet service, CVSS score 8.8), CVE-2024-45697 (Telnet enabled when WAN connected/hard-coded credentials, CVSS score 9.8) and CVE-2024-45698 (improper input on telnet daemon, CVSS score 8.8) are attention grabbing. D-Link has not reported exploitation in the wild, but D-Link is a common target, so you want to treat these as if they have targeted/active exploit attempts. It's 2024; we really need suppliers to knock off the hard-coded credentials and insecure services like Telnet and FTP.

Lee Neely

If you have a D-Link router, no time like the present to download and install the software update, as several of the vulnerabilities are unauthenticated remote access. What's disappointing is that hardcoded credentials exist in the device.

Curtis Dukes

If one has only one or two of these devices, one may find it more efficient to just replace them.

William Hugh Murray

The Rest of the Week's News


2024-09-13

CISA Directs Agencies to Update or Remove Ivanti Cloud Service Appliance

On Friday, September 13, Ivanti updated an advisory for a vulnerability in their Cloud Service Appliance (CSA) that was originally released on September 10. The high-severity OS command injection vulnerability (CVE-2024-8190) affects CSA version 4.6, which 'is End-of-Life, and no longer receives patches for OS or third-party libraries.' While Ivanti has released a fix for CSA 4.6, it is the final patch that will be backported for this version; users are urged to upgrade to CSA 5.0. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-8190 to their Known Exploited Vulnerabilities Catalog; federal civilian executive branch agencies have until October 4 to remove CSA 4.6 and/or upgrade to CSA 5.0.

Editor's Note

The cat is out of the bag: Ivanti CSA is being actively exploited. Check for IOCs on your CSA device, and if found, build a new one; otherwise update to 5.0 now. Also make sure that the management interface is not internet accessible. The KEV gives agencies until 10/4 to update. Don't wait that long.

Lee Neely

Every organization should plan and budget for HW/SW obsolescence. You simply cannot count on the vendor to backport a fix, as was done this time, for end-of-life software. If the software is necessary for business continuity, document the exception, with mitigating controls as part of the risk management process.

Curtis Dukes

2024-09-16

SolarWinds Fixes Two Flaws in Access Rights Manager

SolarWinds has released an update to their Access Rights Manager (ARM) to address two vulnerabilities: a high-severity hardcoded credentials authentication bypass flaw, and a critical remote code execution issue. Both are fixed in ARM 2024.3.1.

Editor's Note

Note that ARM 2024.3.1 SR is the same update, it's a service release. SolarWinds highly recommends ARM be installed on a server which is NOT Internet facing. This is a good time to review their best practices for securing SolarWinds Products. https://support.solarwinds.com/SuccessCenter/s/article/Best-practices-to-secure-SolarWinds-products

Lee Neely

2024-09-16

23andMe Class Action Lawsuit Settles for $30 Million

Pending court approval, a settlement agreement filed in a San Francisco court on September 12 marks the end of a class action suit against 23andMe for their 2023 data breach. Threat actors had leveraged a credential stuffing attack, gaining five months of access to the personal information of 6.4 million customers in the US, and had sold the stolen data online. Stating that 'further conduct of the litigation would be protracted, burdensome and expensive,' 23andMe will pay $30 million to the plaintiff class, and promises a list of 'business practice commitments' including checking passwords against known breaches, requiring 2FA, and implementing a more careful policy for retention of PII.

Editor's Note

The takeaway for the rest of us is that we need to keep an eye on our ability to detect attacks and reduce dwell times. This is unlikely to be the last lawsuit on lost personal data, and the long-term effects beyond cyber improvements and scrutiny are not just on stock prices but also on market share. Something to factor into the cyber conversation with the board.

Lee Neely

2024-09-16

Possible RansomHub Attack on Kawasaki Motors Europe

Kawasaki Motors Europe (KME) has disclosed a cyberattack that took place at the beginning of September. The company's statement describes a process of isolating and checking each of their servers, but does not describe the nature of the attack other than characterizing it as 'not successful.' RansomHub posted 487GB of data allegedly stolen from KME on a Tor-based leak site on September 14, claiming the company refused the ransom demand.

Editor's Note

At this point KME has restored in excess of 90% of their services, prioritizing systems which support dealers, business administration and third-party suppliers. RansomHub is a ransomware-as-a-service (RaaS) variant that has been active since February and had attacked more than 210 victims by the end of August. RansomHub is described, with mitigations and IOCs, in CISA Alert AA24-242A (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a). Core mitigations are phishing-resistant MFA, keeping systems patched/updated, and training users to recognize/report phishing attempts.

Lee Neely

2024-09-16

Google Patches Dependency Confusion Flaw in Cloud Composer

A blog post from Tenable details research into a vulnerability in Google Cloud Platform Composer which would allow a hacker to exploit dependency confusion in Python package management to execute unauthorized code, steal data, and/or create a supply chain attack. Tenable calls this vulnerability 'CloudImposer' and tracks it under Tenable Advisory ID TRA-2024-18. Google has addressed the issue by ensuring the vulnerable package is installed only from a private repository and has a verified checksum.

Editor's Note

This flaw was reported to Google on January 18th and was fixed by Google in May. Google also updated their documentation, recommending developers use the "--index-url" argument instead of the "--extra-index-url" as well as making use of an Artifact Registry virtual repository when requiring multiple repositories. The "--index-url" argument forces the package to be searched for (and downloaded) from the named repository, reducing the risk of dependency confusion.

Lee Neely
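As an added example (not Tenable's, Google's or SANS's code) of the check this note describes: a small Python audit that flags a requirements file for the "--extra-index-url" pattern, for private packages that a same-named public package could shadow, and for pinned packages that carry no "--hash" checksum. The index URL, package names and hashes are constructed placeholders, and the hardened file assumes the private index is a virtual repository that also proxies the public index.

```python
import re
# Constructed requirements files (not from the page); the hashes are placeholders.
WEAK = """\
--extra-index-url https://pypi.example.internal/simple
internal-helper==1.2.0
requests>=2.0
"""
HARDENED = """\
--index-url https://pypi.example.internal/simple
internal-helper==1.2.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""
INDEX_RE = re.compile(r"^--(extra-index-url|index-url)\s+(\S+)")

def logical_lines(text):
    """Join backslash continuations, strip comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out

def audit_requirements(text, private_packages):
    """Return findings that indicate dependency-confusion exposure."""
    findings, index_url, extra = [], None, []
    for n, line in enumerate(logical_lines(text), 1):
        m = INDEX_RE.match(line)
        if m:
            if m.group(1) == "extra-index-url":
                extra.append(m.group(2))
                findings.append(f"{n}: --extra-index-url also searches the default index; use --index-url")
            else:
                index_url = m.group(2)
            continue
        name = re.split(r"[=<>!~\[ ;]", line, maxsplit=1)[0].lower()
        if name in private_packages and (extra or index_url is None):
            findings.append(f"{n}: private package {name} can be shadowed by a public one")
        if "==" not in line:
            findings.append(f"{n}: {name} is not pinned to an exact version")
        elif "--hash=" not in line:
            findings.append(f"{n}: {name} is pinned but has no --hash checksum")
    return findings
```

Running audit_requirements(WEAK, {"internal-helper"}) yields four findings, while the hardened file yields none.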

2024-09-16

Apple Releases iOS 18

On Monday, September 16, Apple released iOS 18. The updated mobile operating system addresses more than 30 security issues. The fixed vulnerabilities could be exploited to use Siri to access data, control devices, and look at photos; to record the screen without indicating the recording process; to bypass device pairing; to force a disconnect from a secure network, and other malicious activity.

Editor's Note

Apple released both iOS/iPadOS 18 and 17.7. You may want to push 17.7 vs 18 while the first couple of updates to 18 are delivered. 17.7 addresses 16 vulnerabilities, while 18 addresses about 36. Both 17.7 and 18 address a kernel vulnerability which allows VPN bypass, Bluetooth unauthorized access, and Safari private browsing and sandbox bypass. None of these flaws were marked as actively being exploited. iOS 18 introduces Apple Intelligence, Apple's entry into GenAI, and requires iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Apple also released macOS 15, macOS 14.7, macOS 13.78, tvOS 18, watchOS 11, visionOS 2, Safari 18 and Xcode 16.

Lee Neely

Apple also released iOS 17.7 to address security issues for some devices that do not support iOS 18. Installation of iOS 18 on my iPhone 12 required 14G of free storage and three tries, while upgrade to iOS 17.7 required far less.

William Hugh Murray

2024-09-16

US-Taiwan Defense Conference Threatened by In-Memory Malware

The upcoming 23rd Annual US-Taiwan Defense Industry Conference has been targeted by a malware campaign aimed at stealing data, according to Cyble Research and Intelligence Labs (CRIL) in a post on September 13. The attack was designed to intercept attendees with a counterfeit registration form delivered as a ZIP file, which when opened would trigger a hidden executable to download and compile malicious code in real time, all within system memory. CRIL enumerates MITRE ATT&CK techniques identified in the attack, and suggests risk prevention should include anti-phishing tactics, better monitoring of network traffic and in-memory operations, and management of user privileges.

Editor's Note

In addition to the attacks being fileless/in-memory and hard to detect, they were also using living-off-the-land mechanisms, so scans for installed tools would not have yielded results. This is a good scenario to mention to your EDR provider to see if they can detect and respond/block this behavior.

Lee Neely

2024-09-16

Apple Moves to Dismiss Lawsuit Against NSO Group

Apple has moved to drop their 2021 lawsuit against the creators of the Pegasus spyware. The company no longer believes the case is adequate to impact current threats, nor worth the risk to proprietary anti-spyware information, according to a motion filed in San Francisco court on September 13. While Apple stands by the grounds of the suit, they believe 'proceeding further with this case has the potential to put vital security information at risk,' and NSO and Pegasus no longer represent a 'significant portion of the threat environment.'

Editor's Note

This is a case of the ROI of the lawsuit, vs. the risk of information about their security disclosed in the course of the suit, which the court may or may not be able to adequately protect. Apple is also now claiming their anti-spyware program is the best in the world, and NSO/Pegasus have a corner on this market. Be careful claiming your solution is the best in the world. Remember unbreakable Linux, or LifeLock's CEO's SSN on bulletin boards? Not the target you want to wear.

Lee Neely

Internet Storm Center Tech Corner

Finding Honeypot Clusters Using DBSCAN

https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part+2/31194

Managing PE Files with Overlays

https://isc.sans.edu/forums/diary/Managing%20PE%20Files%20With%20Overlays/31268/

Apple Updates

https://support.apple.com/en-us/100100

Microsoft Revises September Update

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43461

DLink Vulnerabilities

https://www.twcert.org.tw/en/cp-139-8081-3fb39-2.html (CVE-2024-45694)

https://www.twcert.org.tw/en/cp-139-8091-bcd52-2.html (CVE-2024-45698)

https://www.twcert.org.tw/en/cp-139-8089-32df6-2.html (CVE-2024-45697)

Ivanti EOL Cloud Service Appliances

https://www.cisa.gov/news-events/alerts/2024/09/13/ivanti-releases-security-update-cloud-services-appliance

Ivanti Patches

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190?language=en_US

https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-dive-ivanti-endpoint-manager-agentportal-deserialization-of-untrusted-data-remote-code-execution-vulnerability/

Auto IT Credential Flusher

https://research.openanalysis.net/credflusher/kiosk/stealer/stealc/amadey/autoit/2024/09/11/cred-flusher.html

File Sender Vulnerability

https://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta/

Docker Patches

https://docs.docker.com/desktop/release-notes/#4342