SANS NewsBites

NIST Revised Identity Guidelines Address Human Element in Authentication; Linux CUPS Vulnerability; Attackers are Targeting Critical Infrastructure Systems

September 27, 2024  |  Volume XXVI - Issue #74

Top of the News


2024-09-25

NIST Revises Identity Guidelines, Including Password Requirements

Special Publication 800-63-4 is the second public draft of guidelines on "the authentication of subjects who interact with government information systems over networks" published by the National Institute of Standards and Technology (NIST). The document is both "informative" and "normative" on many dimensions of authentication, including MFA, user privacy, phishing-resistant measures, and biometrics, as well as the usability and equity of authentication policies. Notably, the draft redefines what Credential Service Providers (CSPs) may and may not require in password composition. Hard rules include an 8-character minimum (15 minimum and 64 maximum recommended); no special character rules; no arbitrary scheduled password changes; no publicly visible password hint; and no knowledge-based credentials or security questions.
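As an added illustration (not code from NIST or from the newsletter), the draft's length-plus-blocklist approach beside a legacy composition policy, with a constructed compromised-password list standing in for a breach-exposure feed:

```python
"""Password checks modelled on the NIST SP 800-63-4 draft rules summarised
above, beside a legacy composition policy. Constructed example, not code
from NIST or from the newsletter."""
import hashlib
from dataclasses import dataclass, field

MIN_LEN, RECOMMENDED_MIN, MAX_LEN = 8, 15, 64  # values listed in the summary
LEGACY_ROTATION_DAYS = 90                      # the scheduled reset the draft drops

# Constructed stand-in for a compromised-password exposure feed, kept as SHA-1
# digests so the blocklist never stores plaintext. A real deployment would
# consult a real feed; the entries below are invented for this example.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password123!", "Summer2024!", "qwerty123456")
}


def _digest(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


@dataclass
class Verdict:
    accepted: bool = True
    reasons: list = field(default_factory=list)   # hard failures
    warnings: list = field(default_factory=list)  # advisory only


def composition_policy(pw: str) -> Verdict:
    """Legacy rule set: 12+ characters with upper, lower, digit and symbol."""
    v = Verdict()
    if len(pw) < 12:
        v.accepted = False
        v.reasons.append("shorter than 12 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() and not c.isspace() for c in pw),
    }
    for name, present in classes.items():
        if not present:
            v.accepted = False
            v.reasons.append(f"missing {name}")
    return v


def nist_draft_policy(pw: str, compromised=COMPROMISED_SHA1) -> Verdict:
    """Draft 800-63-4 style: length and a compromised-password check only.
    Spaces and any printable character are allowed; no class rules apply.
    The summary lists 64 as the recommended maximum; this example enforces it."""
    v = Verdict()
    if len(pw) < MIN_LEN:
        v.accepted = False
        v.reasons.append(f"shorter than the {MIN_LEN}-character minimum")
    elif len(pw) < RECOMMENDED_MIN:
        v.warnings.append(f"shorter than the recommended {RECOMMENDED_MIN} characters")
    if len(pw) > MAX_LEN:
        v.accepted = False
        v.reasons.append(f"longer than the {MAX_LEN}-character maximum")
    if _digest(pw) in compromised:
        v.accepted = False
        v.reasons.append("appears on the compromised-password list")
    return v


def legacy_reset_required(days_since_change: int) -> bool:
    """Scheduled rotation: reset purely because the calendar says so."""
    return days_since_change >= LEGACY_ROTATION_DAYS


def nist_reset_required(pw: str, compromised=COMPROMISED_SHA1) -> bool:
    """No scheduled rotation; reset immediately only on evidence of compromise."""
    return _digest(pw) in compromised


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password123!", "Tr0ub4!"):
        print(candidate, composition_policy(candidate), nist_draft_policy(candidate))
```

A long lowercase passphrase fails the legacy policy on every class rule while passing the draft rules; a short "complex" password that sits on the breach list does the reverse.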

Editor's Note

In this document, Authentication Assurance Level 1 still says reusable passwords provide 'basic confidence that the claimant controls an authenticator bound to the subscriber account being authenticated.' Note: this is NOT confidence about identity, it is confidence that the account name entered and password match - every successful phishing attacker gains this 'basic confidence' level. AAL 2 requires phishing-resistant authentication be in use and should be the starting point. Also note: the guidelines remove requirements for regular password reset but require immediate reset when a password is compromised. That requires monitoring one of the many (often free) password compromise exposure feeds and will very likely result in resets needed more frequently! Moving away from reusable passwords avoids that increased cost.

John Pescatore

This change has been a long time coming. What NIST has done (and congrats for it) is start addressing the human element in authentication. Requiring extremely complex, time-consuming, and unrealistic behaviors only frustrates people to the point that we drive them to the wrong behaviors. These new password requirements dramatically simplify passwords for people, enabling them to exhibit the behaviors we do want. Now, what I would love to see is the discussion shift to how can we make MFA as simple as possible for people. The simpler a behavior, the more likely people will exhibit it.

Lance Spitzner

These updated requirements are a great refresh to move us forward to more sensible authentication policies. Must read for anybody defining authentication requirements.

Johannes Ullrich

To my old co-worker Jason: we tried for years back in 2009-2010 to tell PCI auditors that having us change our 20+ character passwords every 90 days was a silly idea. IT ONLY TOOK 15+ YEARS!

Moses Frost

NIST has slowly been evolving its thinking on password creation and management. This revised draft guidance continues that trend. Bottom line, a set of practical rules that consider the threat, changing identity and access management technology, and dare I say it, common sense. Hurry up and go final before the cybersecurity 'borg' consumes you!

Curtis Dukes

It's been repeatedly proven that frequent password changes result in a lowering of security, as do special character requirements (as opposed to long complex passphrases), as composition requirements can, again, lead to weaker passwords. Beyond getting sane about password requirements, MFA, particularly phishing-resistant MFA, needs to be SOP. The window for comments on this draft closes at 11:59 Eastern on October 7th. PCI's DSS 4.0 will need to catch up as it still requires a 12-character password with upper/lower/numbers and a unique symbol. DSS 4.0 does include MFA requirements.

Lee Neely

Bits are bits and it is true that length is a more convenient way to get them than awkward complexity rules (introduced to get bits when password length was restricted for efficiency). However, one should NOT infer from this discussion that strong but replayable passwords are useful, secure, or appropriate for any but the most trivial applications. While strong passwords do protect against brute force, "fuzzing," spraying, and dictionary attacks, we are not seeing these attacks. They do not protect against the fraudulent reuse of compromised credentials, implicated in so many breaches. They are not even more convenient than such strong authentication mechanisms as Passkeys.

William Hugh Murray

2024-09-26

Patch for CUPS Vulnerability Less Critical Than Anticipated

On Thursday, September 26, the Linux OpenPrinting project released updates fixing four vulnerabilities in components of CUPS, the Linux printing framework. The underlying vulnerabilities turned out to be less severe than anticipated.

Editor's Note

Bug hunters need some soft skills in reporting vulnerabilities. In particular for a volunteer-run project like CUPS, a little bit of empathy and recognition for their work goes a long way. The now public GitHub exchange between Margaritelli and CUPS developers shows that while Margaritelli had great technical skills, they were lacking professionalism in communicating these issues.

Johannes Ullrich

The person who discovered this bug alludes to a few things. First, they verified 200-300K machines that responded to malicious IPP requests and were vulnerable. It's hard to know; default Ubuntu 24.0.4.2 systems have this service running, while something like Kali Linux does not. There is a lot of drama here; the author also mentioned that they baked the exploit into Bettercap, their adversary in the middle tool. This is getting exploited right now. It appears to be trivial to do. Second, and maybe more interesting, this is one of many blog posts, and the Apple logo keeps showing up.

Moses Frost

Initially, around September 23rd, a disclosure of an unauthenticated RCE flaw with a CVSS score of 9.9 which affected multiple Linux distributions was made. When the dust settled, this became vulnerabilities which affect CUPS. Four vulnerabilities were released for CUPS, with CVSS scores ranging from 8.4 to 9.1. The exploit consists of sending a carefully crafted packet to UDP port 631. Odds are you don't need to allow UDP 631 inbound through your firewall, doubly so until fixes can be made. Also, you're going to want to disable cups-browsed until patches are available.

Lee Neely

2024-09-26

Spearphishing Campaign Targets US Transportation and Logistics

A report from researchers at Proofpoint outlines three months of malware attacks designed to steal information from a handful of US transport and logistics companies. The payloads, which Proofpoint enumerates as at least five varieties of 'commodity malware' - Lumma Stealer, StealC, NetSupport, DanaBot, and Arechclient2 - were sent from compromised employee email accounts, and delivered by lures engineered with industry-specific software and workflow information. The researchers recommend extra anti-phishing caution; they situate this attack in a trend toward more complex and well-researched infiltration strategies rather than 'unique malware.'

Editor's Note

One thing you can always count on, the adversary changing TTPs as defenses stiffen. Generative AI will only hasten changes in TTPs. What's common though is the use of stolen credentials. And while we point to anti-phishing training as a means to mitigate, lures do get through, especially if they are using legitimate credentials. The best defense remains patch (update), configure, and actively monitor your network for signs of compromise.

Curtis Dukes

These attacks are very sophisticated as they start with BEC (Business Email Compromise) attacks - cyber threat actors taking over individuals' email accounts and then interjecting themselves in existing email threads. At this point it's very difficult to train and unrealistic to expect people to detect these attacks. This is where we need to start at the source, securing these accounts with MFA making it that much harder to take over them.

Lance Spitzner

BEC largely relies on social engineering and compromised credentials. Help users help themselves by making sure you've got your MFA enabled on your email accounts, and that you've enabled your email security tools. Not just DMARC/SPF/DKIM, but also tagging and quarantine capabilities. Consider a one-button widget for user reporting. Consider that these attacks will not remain focused on one sector or another, they are not just "someone else's problem."

Lee Neely

2024-09-25

Kansas Water Treatment Facility Suffers Cyber Incident Amid Warnings from EPA, WaterISAC, and CISA

Over the weekend of September 21/22, a water treatment facility in Arkansas City, Kansas suffered a cybersecurity incident that forced them to roll over to manual operations. Within the days preceding the event, the US Environmental Protection Agency (EPA) published Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems, and the Water Information Sharing and Analysis Center (WaterISAC) issued a TLP:AMBER threat advisory warning that the water sector is being targeted by threat actors (access to the advisory is restricted to WaterISAC members). The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory warning that threat actors are targeting operational technology (OT) and industrial control systems (ICS) through 'unsophisticated means.'

Editor's Note

CISA is reporting that compromises of OT/ICS systems continue via unsophisticated means. In other words, these systems are still Internet accessible (often via VNC port 5900) or exposed to the business' Intranet without proper isolation and protection. Do you know what's externally available over RDP and VNC port ranges in your shop? Are there ad-hoc relay services, e.g., LogMeIn, VNC cloud connection, etc.? Make sure such remote access services are vetted and secured. The cost and friction from a VPN is far lower than recovery from a compromise.

Lee Neely

One cautions against equating power and water. The grid may make multiple power systems vulnerable to a successful attack on one. Said another way, the grid is one big attack surface. A successful attack on one water system may reduce the cost of attack against others only to the extent that they use similar software and controls.

William Hugh Murray

Power and Water should be at the top of everything we should be worried about. Maybe this is a sign that we should, you know, invest in these areas.

Moses Frost

2024-09-24

Automated Tank Gauge Vulnerabilities

Researchers at Bitsight have detected 10 security issues affecting Automated Tank Gauge (ATG) systems from multiple vendors. The technology is used to monitor and manage fuel storage tanks at gas stations, hospitals, airports, power plants, and other critical infrastructure facilities. Seven of the CVEs are rated critical, and all 10 could be exploited to gain full admin privileges. Fixes are available for seven of the vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) has published related Industrial Control Systems (ICS) advisories.

Editor's Note

Critical infrastructure vulnerabilities have been a growing concern over the last twelve months. What's been common is the use of hardcoded credentials by vendors and remote accessibility by users. While the first requires a secure design change by the vendor, the second is controlled by the user and is easily mitigated by isolating the OT network or restricting remote access. This is yet another wake-up call to protect critical infrastructure components.

Curtis Dukes

A good reminder that almost all 'automated monitor/manage' vendor connections (and not just to OT systems) are vulnerable out of the box even today. Good idea to have an annual inventory and pen test/vulnerability assessment of all such connections.

John Pescatore

The vulnerability CVSS scores range from 5.1 to 10.0, and most are over 8. The fix is to apply the vendor provided updates as well as minimize access to these systems over the network, behind firewalls; don't expose them to the Internet and isolate control systems from the business network. To which I would add monitoring. Make sure that you've got eyes on traffic associated with your control system to detect anomalous behavior expeditiously.

Lee Neely

The Rest of the Week's News


2024-09-27

Elusive Global SOHO/IoT Botnet Linked to China

A botnet comprising a 'constantly fluctuating' multi-tiered infrastructure of Small Office/Home Office (SOHO) and Internet of Things (IoT) devices may have been active since 2020, according to researchers, and as of June 2024 included over a quarter of a million devices on six continents. Lumen's Black Lotus Labs found that devices are compromised both by known and zero-day exploits, and are in use for an average of 17 days before being rotated out. The botnet's base tier malware is Nosedive, a difficult-to-detect variety of Mirai that operates entirely in system memory, with a front-end control interface enabling 'remote command execution, file transfers, vulnerability management, and distributed denial-of-service (DDoS) attack capabilities.' A joint cybersecurity advisory on September 18, 2024 (FBI, Cyber National Mission Force, and NSA) identified Integrity Technology Group as the botnet's operators and indicated use of network addresses openly associated with PRC-backed cyberattacks. Both Lumen and the joint advisory recommend users monitor traffic closely; shore up services and ports; segment networks; patch, update, and reboot regularly; change any default credentials; and replace any devices no longer supported by vendors.

Editor's Note

There has always been significant overlap in botnets between those used "for fun" and botnets used by nation state or organized crime actors to build attack infrastructure. The differences in code are often minor and it is frequently impossible to tell them apart. There is no need for sophisticated attackers to step out of the noise if these simple tactics work.

Johannes Ullrich

Botnet herders, purportedly China in this case, are simply taking advantage of poor cyber hygiene practices by consumers. By simply patching, updating, and regularly rebooting your device, you solve a world of potential cybersecurity problems. The question becomes, what is your liability for not following standard duty of care practices when one of your devices gets used as part of a wider cyber-attack?

Curtis Dukes

IOCs for RaptorTrain are in Black Lotus Labs' full report: Derailing the Raptor Train (https://assets.lumen.com/is/content/Lumen/raptor-train-handbook-copy) along with enumeration of campaigns which stretch back to May 2020. The good news is that mitigations are straightforward and center around updates, lifecycle management, using strong credentials and not allowing unauthorized devices access to management capabilities, which is not terrible for a business, but harder for many "set it and forget it" home users. Which is where we hope to see inroads made with secure-by-default configurations and device certification efforts.

Lee Neely

Hot Take. Things like this make me consider telling family and friends to use a VPN full-time. The one place I cannot do proper telemetry is my ISP router/modem. If it's compromised, I will be slightly at a loss to figure this out correctly, at least not from inside my network. We need to do better in this regard.

Moses Frost

2024-09-26

Joint Guidance on Detecting and Mitigating Active Directory Compromises

Cybersecurity agencies from Australia, Canada, New Zealand, the UK, and the US have published joint guidance for detecting and mitigating Active Directory compromises. The document describes 17 common techniques threat actors have used to compromise Active Directory, and suggests mitigation strategies for each technique. The guidance notes that 'every user in Active Directory has sufficient permission to enable them to both identify and exploit weaknesses. These permissions make Active Directory's attack surface exceptionally large and difficult to defend against.'

Editor's Note

Microsoft's good intentions notwithstanding, the popularity of their products makes them prime targets.

William Hugh Murray

This should become required reading for our AD admins, as well as the cyber team so they are on the same page. Beyond the attacks, guidance is provided on tools to aid our team getting their arms around our AD implementation and its security. The 17 techniques include Tim Medin's Kerberoasting, password spraying, Golden/Silver tickets, SAML, and even Entra Connect; each comes with not only a description of the attack but also how to detect it, including event IDs, and how to mitigate it.

Lee Neely

2024-09-26

Talos Researchers Find Multiple Vulnerabilities in OpenPLC

Researchers from Cisco's Talos research and intelligence group have provided details about five vulnerabilities in the OpenPLC open-source programmable logic controller. One of the flaws, a critical stack-based buffer overflow vulnerability (CVE-2024-34026) in the EtherNet/IP parser functionality of the OpenPLC Runtime, can be exploited with a specially crafted EtherNet/IP request to achieve remote code execution. The other four vulnerabilities are also exploitable through specially crafted EtherNet/IP requests, but result in denial-of-service conditions. All the vulnerabilities were patched on September 17.

Editor's Note

The DoS flaws are tracked as CVE-2024-36980, CVE-2024-36981, CVE-2024-39589 and CVE-2024-39590. Aside from deploying the updated OpenPLC, make sure that you're properly isolating your PLCs. DoS conditions in an ICS system can have dramatic effect, where it is not so easy to put that genie back in the bottle.

Lee Neely

2024-09-26

Critical Flaws in NVIDIA Container Toolkit and GPU Operator

On September 26, NVIDIA released updates to address two vulnerabilities in NVIDIA Container Toolkit and GPU Operator. The issues were detected by Wiz Research. Both flaws are Time-of-Check Time-of-Use (TOCTOU) race condition vulnerabilities. One of the flaws, CVE-2024-0132, is rated Critical and could be exploited to achieve code execution, denial-of-service conditions, privilege elevation, information disclosure, and data tampering. The second, CVE-2024-0133, is rated medium severity and could be exploited to achieve data tampering.

Editor's Note

This doesn't just impact cloud environments, but it does affect many cloud systems.

Moses Frost

TOCTOU vulnerabilities are pervasive though rarely exploited. They are pervasive because developers are not taught that they must bind conditions that they will later rely upon. Nonetheless, they are difficult to exploit.

William Hugh Murray

Both vulnerabilities affect Container Toolkit versions 1.16.1 and below as well as GPU Operator versions 24.6.1. The fix is to update to version 1.16.2 and 24.6.2 respectively.

Lee Neely

2024-09-26

Cisco's Semiannual IOS and IOS XE Software Security Advisory

Cisco's Semiannual IOS and IOS XE Software Security Advisory includes fixes for 11 CVEs, including seven high-severity vulnerabilities. Of those, six are denial-of-service issues that affect Cisco Catalyst SD-WAN routers; Cisco IOS and IOS XE Software Resource Reservation Protocol; Cisco IOS XE Software HTTP Server Telephony Services; Cisco IOS XE Software IPv4 Fragmentation Reassembly; Cisco IOS XE Software Protocol Independent Multicast; and Cisco IOS XE Software SD-Access Fabric Edge Node. The seventh high-severity flaw is a cross-site request forgery vulnerability affecting the Cisco IOS XE Software Web UI.

Editor's Note

My network engineers, please patch. While you're at it, turn off Smart Install; we keep finding it.

Moses Frost

Take note that the six DoS flaws can be remotely exploited without authentication. Cisco also warns that CVE-2024-20381 (improper authorization checks) which could allow an attacker to create a new account or elevate privileges, affects multiple products including the RV340 VPN, and won't be getting an update as it is EOL. You need to not only check all your Cisco devices for updates and apply them, but also review your Cisco inventory for EOL products which need forklift replacements. Don't forget to clear EOL items out of your storage/just-in-case closet, as well as update supported devices; you're not going to have time for that when you press these into service.

Lee Neely

2024-09-25

CrowdStrike is Making Changes to Address Problems Behind July Outage

On July 19, a problematic CrowdStrike rapid response content update disabled more than 8.5 million Windows devices, causing outages for airport, airline, government, and business operations around the world. In testimony before US legislators on Tuesday, September 24, CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers said the company has 'taken steps to help ensure that this issue cannot recur.' Among the changes: customers will have the option of choosing whether they receive updates as soon as they are available or schedule them for a later date, and the content updates will now be treated as code.

Editor's Note

I'm not 100% sure this is a good thing. We permanently 'lose' something when fundamental changes are made. What we are losing here is the fact that many customers may delay needed updates. What we do in policy and what happens in practice are typically not the same thing, so we will see if this ends up being a new vulnerability to individuals.

Moses Frost

CrowdStrike's testimony before the Congressional committee is available on YouTube. I found it very disappointing. Instead of improving the management controls over the release of updates, CrowdStrike is transferring the responsibility to their customers to control the application of the updates. CrowdStrike is also attempting to limit its responsibility to "make its victims whole" to helping them recover.

William Hugh Murray

*Not* treating 'content as code' is what has enabled buffer overflow attacks to succeed for many years and why fuzzing is an important element in thorough code testing. Query all your security vendors about their practices in this area.

John Pescatore

While CrowdStrike is getting pushback for having kernel level access, EDR products need kernel access as malware and threat actors are gaining kernel access, so kernel access is needed to detect and stop their activity. Until such time as we're all out of the kernel, take a look at your settings for deploying content updates, and consider staggering it for servers or critical systems which are not Internet-facing. This is not one of those cases where, like we did in the old AV days, having multiple EDR products would have prevented the impact, which is why you need to tune your settings to mitigate a future event. It's estimated that the flawed update cost Fortune 500 companies more than $5.4 billion, not to mention impact on shareholders when the share prices took a dive, so expect the litigation attempts to continue.

Lee Neely

2024-09-26

Flaw in Kia Web Portal Can be Exploited to Control Some Automobile Functions Remotely

Researchers have found a vulnerability in a Kia web portal that can be exploited to take control of multiple Internet-connected features of Kia automobiles. With the use of the vulnerability and a custom app, the researchers were able to scan the license plates of connected Kia cars and track the vehicle's location, unlock the car, honk the horn, and start the ignition. The researchers reported the issue to Kia in June and the vulnerability appears to have been fixed.

Editor's Note

This vulnerability and similar ones in the past demonstrate a lack of cyber-informed engineering. This will only continue as the world continues to connect devices to the Internet. Two possible remedies: 1) Start teaching cybersecurity as part of the engineering discipline; and 2) Embed cybersecurity engineers as part of the product design team. The first will take time. The second will take resources and added costs.

Curtis Dukes

This affects most Kia vehicles made after 2013 and doesn't require an active Kia Connect subscription. Attackers would generate a dealer token, fetch the victim phone/email associated with the VIN, demote the owner, add the attacker as primary owner, then use that account to execute commands via VIN. There was no indication to the user that their vehicle had been accessed or their permissions changed. With increased connectivity for vehicles, appliances and other traditionally stand-alone devices, comes a requirement for increased security testing and validation to minimize opportunities for abuse.

Lee Neely

Here comes our next installment of the CT Kia Boyz on TikTok. If you don't know about this, watch some videos and be shocked.

Moses Frost

Internet Storm Center Tech Corner

Patch for Critical CUPS vulnerability: Don't Panic

https://isc.sans.edu/diary/Patch+for+Critical+CUPS+vulnerability+Dont+Panic/31302

DNS Reflection Update and Corrupted DNS Requests

https://isc.sans.edu/diary/DNS+Reflection+Update+and+Odd+Corrupted+DNS+Requests/31296

Exploitation of RAISECOM Gateway Devices CVE-2024-7120

https://isc.sans.edu/diary/Exploitation+of+RAISECOM+Gateway+Devices+Vulnerability+CVE20247120/31292

CVE-2024-28987 Solarwinds Web Help Desk Hardcoded Credentials Vulnerability

https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/

Infostealers Overcome Chrome's App-Bound Encryption

https://securityonline.info/infostealers-overcome-chromes-app-bound-encryption-threatening-user-data-security/

WatchGuard Unauthenticated and Unencrypted SSO Protocol

https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-006/

https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00014

Cellopoint Vulnerability CVE-2024-9043

https://www.twcert.org.tw/en/cp-139-8103-b0568-2.html

Cisco Smart Licensing Vulnerability Details

https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html

Ivanti Virtual Traffic Manager Exploited

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

GNU Linux Systems Possible Critical Vulnerability

https://securityonline.info/severe-unauthenticated-rce-flaw-cvss-9-9-in-gnu-linux-systems-awaiting-full-disclosure/