SANS NewsBites

Supply Chain Attack Theorized in Hezbollah Device Explosions; Human Rights Complaint Over Pegasus; Podcast: Pen Test Arrests, Five Years Later

September 20, 2024  |  Volume XXVI - Issue #72

Top of the News

2024-09-19

Supply Chain Attack Theorized in Hezbollah Device Explosions

At 3:30pm on September 17, thousands of pagers exploded simultaneously in Lebanon and Syria, killing 12 and injuring over 2800. The following day, 20 more deaths and over 450 injuries resulted from a second wave of explosions, this time from walkie-talkies. Lebanese officials attribute the attacks to Israeli military intelligence; experts have theorized that the devices - purchased by Hezbollah in a recent initiative to protect communications by using older technology - were intercepted in the supply chain and modified. Analysis suggests the explosions were not consistent with induced battery malfunction, but more likely involved detonation of embedded explosives.

Editor's Note

Obviously, launching a physical supply compromise like this one takes a very sophisticated threat actor and long planning. Mailing explosive devices or poisoned/compromised USB sticks (or having them delivered) to key employees at your company does not. Use the publicity around this one to make sure mailroom security still exists and extends to how supplies are delivered to remote employees and board members - USPS Pub 166 (https://about.usps.com/publications/pub166.pdf) is a good starting point.

John Pescatore

Supply chain attacks are difficult to detect and defeat. Although this one had a kinetic component, the same principle applies for software supply chain attacks - deny use or compromise communication of the device. As with most everything, supply chain attacks have a shelf-life before they are discovered or used.

Curtis Dukes

It's not clear if the hardware was manipulated at the third-party manufacturer, or in transit to a distribution center. What we can do is make sure that we've verified the integrity of our devices when received, to include the distribution channel, and make sure that our issuance process is secure, particularly when sending devices to remote workers or locations. When purchasing through a third-party, or low-bidder, VAR/DSB/etc., make sure you've had a conversation with them about supply chain security, and you understand and accept the risk of their processes. Even so, trust but verify. This is also a lesson in contingency planning. They moved from cell phones to pagers/walkie-talkies due to risk of compromise; what's plan C? RFC 1149 (IP over Avian Carriers)? Messengers with notes? Always have a plan C, D, E ready to go.

Lee Neely

This attack exploited the target population's need for secure communication among its members and the attacker's total disregard for collateral damage. The conditions for its success are rare and the lessons so stark that it is not likely to be copied. The lessons include that the supply chain is long, opaque, and vulnerable.

William Hugh Murray

There are many questions about how the interception happened, how the targeting happened, and why exactly this date was chosen. Now, what about fallout? Well, there will be heightened thoughts and scrutiny over physical devices. It is unclear how this would be done, given how many physical devices we all have, but the actual use case shows others how effective this can be.

Moses Frost

2024-09-19

Human Rights Activists File Complaint Over Pegasus Spyware

Four human rights activists have filed a complaint with the London (UK) Metropolitan Police alleging that their mobile phones were targeted with Pegasus spyware by people working on behalf of certain nation states. The individuals filing the complaint hope that it will lead to charges being filed against NSO Group, which developed Pegasus. The complaint is detailed in a blog post from the Global Legal Action Network (GLAN).

Editor's Note

One of the messages from Apple withdrawing their lawsuit against NSO/Pegasus was they are no longer the only game in town, and even with the increased security options for devices, we need to remember others have developed capabilities. I hope lawsuits like this serve to emphasize there are consequences for these attacks, and we still need to prepare our users travelling in areas where they can be targeted; e.g., current (hardware and software), fully updated burner devices with minimal data, in lockdown mode, checked for malware regularly.

Lee Neely

The NSO business model is based upon the pretense that all their customers are legitimate and that software will not be copied. Government officials, journalists, and social activists are at particular risk and should take special precautions.

William Hugh Murray

2024-09-10

Dark Reading Confidential Podcast: Pen Test Arrests, Five Years Later

Five years ago this month, cybersecurity professionals Gary De Mercurio and Justin Wynn working for Coalfire were arrested while they were conducting a pen test at the Dallas County, Iowa courthouse. De Mercurio, Wynn, and Coalfire CEO Tom McAndrew join Dark Reading editor-in-chief Kelly Jackson Higgins and editor Becky Bracken to talk about 'how the arrest and fallout has shaped their lives and careers as well as how it has transformed physical penetration tests for the cybersecurity industry as a whole.'

Editor's Note

Fascinating discussion, highly recommend listening to the podcast. The law and its administration are a sight to behold. Bottom line, ensure contracts are in place before engaging in any work.

Curtis Dukes

The Dark Reading interview brings out a lot of details which couldn't be shared five years ago, not only highlighting the importance of in-depth validation of permission for security testing, but the importance of support from all levels as well as the importance of politics and fully understanding not only who your stakeholders are but also who thinks (and will act like) they are.

Lee Neely

The Rest of the Week's News

2024-09-18

Hackers are Accessing Construction Company Systems Through Accounting Software Default Credentials

Researchers from Huntress have discovered an attack campaign targeting construction companies. The threat actors have been using default credentials to access instances of FOUNDATION Accounting Software. According to Huntress, the 'software includes a Microsoft SQL Server (MSSQL) instance to handle its database operations' which is accessible via a mobile app.

Editor's Note

If a building collapsed because a supplier sold a construction company scaffolding made of balsa wood but painted grey to look like metal, financial liability would easily flow to the offending supplier. Knowingly selling businesses software with balsa-wood-strength authentication should incur that same level of liability.

John Pescatore

Two wrongs here. First, the use of default credentials (administrator); and second, not limiting password attempts by timed lockout. For the first, the application should not ship with default passwords but rather require the user to create a password during setup. For the second, the software vendor should include a disabled feature for its application after a defined number of password attempts. Both techniques are well established secure design practices.

Curtis Dukes

We should all get a wee bit disturbed when we see default credentials. FOUNDATION uses an Internet accessible MSSQL server, with default SA and DBA passwords. Rotate these passwords, make sure xp_cmdshell is disabled, and limit internet access to Foundation. While the mobile app requires access to the MSSQL server, consider requiring a per-app VPN rather than exposing the service to anyone.

Lee Neely
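The checks called for above (rotate the default administrative passwords, confirm xp_cmdshell is off, keep sysadmin to the accounts that need it) as T-SQL a DBA can run against the instance. This is an added example, not code from Huntress or from the FOUNDATION vendor; it assumes sysadmin rights on the instance, and the replacement password value is a placeholder.

```sql
-- Added example (not from Huntress or the FOUNDATION vendor): T-SQL checks a DBA
-- can run as sysadmin against an MSSQL instance to find the weaknesses named
-- above and correct them. The password value below is a placeholder.

-- 1. SQL logins whose password is blank or equal to the login name.
--    PWDCOMPARE tests a candidate against the stored hash without revealing it.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 2. Is the built-in sa account still enabled, and when was its password last set?
--    principal_id 1 is always sa, even if the login has been renamed.
SELECT name, is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.sql_logins
WHERE principal_id = 1;

-- Rotate sa to a long random value and disable it; administer through a named
-- sysadmin login instead so that actions are attributable to a person.
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-LONG-RANDOM-PASSWORD';
ALTER LOGIN sa DISABLE;

-- 3. Is xp_cmdshell enabled? value_in_use = 1 means anyone who reaches the
--    database with sufficient rights can run OS commands as the service account.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Turn it off. 'show advanced options' has to be on to change it, then is restored.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Who holds sysadmin? The application's own login should appear here only if
--    the vendor documents why it needs server-wide rights.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

Before disabling sa, confirm the application's connection string already uses a separate, least-privileged login; otherwise the mobile app stops working the moment the statement runs. The network side of the note (per-app VPN or firewall rules instead of an Internet-exposed listener) is enforced outside the database and is not visible from these queries.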

The software comes with default settings intended to make installation as easy and smooth as possible. This is particularly true for software likely to be installed by those who do not do it often. Once the application is up and running, it is easy to forget or forego changing those settings. Developers can do a better job of ensuring that the application is secure when the installation process is complete.

William Hugh Murray

In particular, less "tech savvy" industries have a hard time securing their IT services. But it is important for them to realize that every industry is to some extent in the "IT Business" and relies on these systems to do their work effectively.

Johannes Ullrich

This one is interesting. Construction and home building are high-cost industries, and there is lots of money in this industry. The way this reads is that the mobile app connects directly to the MSSQL Database. I'm not sure if that is the case, but if it is, the app needs an architecture.

Moses Frost

2024-09-17

Patches Available for Vulnerabilities in VMware vCenter

Broadcom has released updates to address two security issues in VMware vCenter, which affect VMware vSphere and VMware Cloud Foundation. The vulnerabilities are a critical heap overflow issue (CVE-2024-38812) and a high-severity privilege elevation issue (CVE-2024-38813). Users are urged to update to VMware vCenter Server 8.0 U3b or VMware vCenter Server 7.0 U3s.

Editor's Note

These vulnerabilities are both addressed with the same update. Make sure that you can login to your Broadcom support account to download the updates. If you haven't logged in since the acquisition, allow extra time. If you're still on vCenter 7 or Cloud Foundation 4.5, it's time to upgrade.

Lee Neely

This is a nightmare. I have not heard of a glowing review of the acquisition, and one of the items that seems to have broken is the ability to download and gain access to software. If you use vCenter and the patches are fully available over vCenter, could you do so? Instead, you may have to call Broadcom, which has been less than great. One person told me that after hours on the phone trying to download a purchased copy of Fusion, the support person just emailed them a box link. Things are not going well, but don't let that dissuade you from patching. The good news is that we have patches to fix; the bad news is that this may have been in the works for months, and I'm not exactly sure how many other patches we may be missing.

Moses Frost

2024-09-19

FTC Report on Social Media and Video Streaming Data Privacy Practices

In December 2020, the US Federal Trade Commission (FTC) ordered nine social media and video streaming services to disclose how they collect, use, and present information. The report represents the synthesis of the information these companies provided. Among the FTC's findings: 'Many companies collected and could indefinitely retain troves of data from and about users and non-users, and they did so in ways consumers might not expect; ... they relied on selling advertising services to other businesses based largely on using the personal information of their users; there was a widespread application of algorithms, data analytics, or artificial intelligence ("AI"), to users' and non-users' personal information; and the trend was that [the companies] failed to adequately protect children and teens.'

Editor's Note

Just remember, free is not always free. At the end of the day, these social media companies are businesses, and they need a revenue model to satisfy their investors. The question becomes what 'rights' did users sign away as part of the account activation process. Bottom line, people like free services even with 'strings' attached.

Curtis Dukes

The information on their practices was collected back in 2020 and is being released now as Congress is considering the Kids Online Safety Act (KOSA) and Children and Teens' Privacy and Protection Act (COPPA 2.0) to better regulate companies. The reality is that collecting, selling and leveraging this data is big business, and legislation plus user action is necessary to change these practices. It's not clear if consumers are willing to pay for a service which is free of both tracking and advertising, which will drive alternative means of monetizing user information for free services.

Lee Neely

2024-09-19

GitLab Critical Patch Release

GitLab's most recent critical patch release addresses a critical SAML authentication bypass vulnerability that affects both GitLab Community Edition and Enterprise Edition. The issue exists because of improper verification of cryptographic signatures. Users are urged to update to versions 1.17.0 or 1.12.3.

Editor's Note

The patch updates libraries used to implement SAML.

Johannes Ullrich

Can we just all stop using SAML? It's like the NTLMv1/v2 of IdPs. Basic Auth would be the LANMAN of IdPs.

Moses Frost

CVE-2024-45409, CVSS score 10.0, in the ruby-saml library could allow login as any arbitrary user. If you're using omniauth-saml, this flaw is fixed in 2.2.1. The GitLab fix updates the dependencies for omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0. Beyond updating your GitLab installation, consider GitLab's recommended mitigation to enable 2FA for all accounts and disallow the SAML two-factor bypass option.

Lee Neely

2024-09-19

Another Ivanti Cloud Services Appliance Vulnerability Added to KEV Catalog

A critical path traversal vulnerability (CVE-2024-8963) affecting Ivanti's Cloud Services Appliance (CSA) version 4.6 is being actively exploited. The flaw 'allow[s] a remote unauthenticated attacker to access restricted functionality.' The flaw is being chained with another Ivanti CSA vulnerability that was disclosed earlier this month. Both vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities Catalog.

Editor's Note

Luckily, this flaw was patched "incidentally" with the September 10th update that patched other flaws. But remember that this was the last patch to be released for CSA 4.6. Upgrade to CSA 5 and please restrict access to CSA as much as possible to reduce your attack surface. There are likely more vulnerabilities to come given the history of the product.

Johannes Ullrich

Ivanti CSA remains in the vulnerability crosshairs. While this latest issue (CVE-2024-8963) was addressed in 4.6 patch 519, it's still best to move to 5.0 as 4.6 is unsupported at this time. Unlike prior versions which were delivered as an appliance with an older OS, 5.0 can be built on your standard/current Linux, to include your EDR and hardening settings. Even so, don't forget to limit access to the management console.

Lee Neely

2024-09-19

Atlassian Security Updates

Atlassian's September 2024 Security Bulletin includes fixes for four high-severity vulnerabilities. The flaws affect Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, and Crowd Data Center and Server. Two of the flaws affect multiple products. All of the vulnerabilities could be exploited to achieve remote code execution.

Editor's Note

Atlassian continues to release security bulletins about once a month. All four DoS CVEs have a CVSS score of 7.5 (high) and were reported via their bug bounty program. Atlassian has provided guidance on version updates; take note of the recommended paths. Make sure you're on distribution for their bulletins and watching their vulnerability disclosure portal.

Lee Neely

Internet Storm Center Tech Corner

23:59, Time to Exfiltrate!

https://isc.sans.edu/diary/2359+Time+to+Exfiltrate/31272

Python Infostealer Patching Windows Exodus App

https://isc.sans.edu/diary/Python+Infostealer+Patching+Windows+Exodus+App/31276

Fake GitHub Site Targeting Developers

https://isc.sans.edu/diary/Fake+GitHub+Site+Targeting+Developers/31282

Ivanti CSA 4.6 Advisory

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-4-6-Cloud-Services-Appliance-CVE-2024-8963?language=en_US

Ever wonder how crooks get the credentials to unlock stolen phones?

https://arstechnica.com/security/2024/09/cops-bust-website-crooks-used-to-unlock-1-2-million-stolen-mobile-phones/

Google Adds Latest Post Quantum Encryption Standard to Chrome

https://security.googleblog.com/2024/09/a-new-path-for-kyber-on-web.html

Service Now Knowledge Bases Data Exposures

https://appomni.com/ao-labs/servicenow-knowledge-bases-data-exposures-uncovered/

Gitlab Patch

https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/

Aruba Patch

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04709en_us&docLocale=en_US

Critical VMware vCenter Vulnerability

https://blogs.vmware.com/cloud-foundation/2024/09/17/vmsa-2024-0019-questions-answers/

Zero-Click Calendar invite - Critical zero-click vulnerability chain in macOS

https://mikko-kenttala.medium.com/zero-click-calendar-invite-critical-zero-click-vulnerability-chain-in-macos-a7a434fc887b

German Police Deanonymizes Tor User

https://blog.torproject.org/tor-is-still-safe/