SANS NewsBites

FIDO Alliance Announced New Passkey Initiatives; Old Fortinet and Log4J Vulnerabilities are Still Lurking

October 15, 2024  |  Volume XXVI - Issue #79

Top of the News


2024-10-14

FIDO Alliance Making Passkeys More Portable

The FIDO Alliance has announced two supplementary projects meant to address current challenges putting its passkey authentication method into widespread practice. The first is a set of technical standards drafted collaboratively with researchers from major tech firms and password manager companies: The Credential Exchange Protocol (CXP). CXP "aims to standardize the technical process for securely transferring [passkeys] between platforms," avoiding the risk of "user lock-in" and the unsecure migration process of exporting credentials from a conventional password manager. The second project is Passkey Central, a website offering an implementation guide and set of informational resources and tools for supporting and facilitating passkey adoption. Among other materials, the site contains basic introductory guides and use cases, business metrics, and technical documentation for developers.

Editor's Note

Passkeys are meant to be a more useful form of the FIDO2 protocols. Defining a standard export/import format will hopefully make it easier to adopt this important authentication technology.

Johannes Ullrich

A secure and standard Credential Exchange Protocol is badly needed, but a vulnerable protocol needs to be avoided; there should be a lot of pounding and external penetration testing before any release. The focus should for now be on narrow but secure support for supplanting reusable passwords vs. some broad approach to exchanging generic 'secrets.'

John Pescatore

If you're feeling the pressure to adopt passkeys, read the information on the FIDO Alliance Passkey Central site, from the introduction to rollout, resources, and developer documentation; you need this information for a successful implementation. With sync capabilities and reduced lock-in, user acceptance will be easier, and you can continue to move forward towards password-less authentication, and a smoother user experience across strongly authenticated applications.

Lee Neely

Passkeys have indeed come a long way in a relatively short time. These announcements may be the final components needed to realize the tipping point away from passwords. On portability, it is important, but I think the OS vendors realized that most people tend to stay with one ecosystem, whether it be Microsoft, Linux, Apple, or Android. Hence their support in creating the exchange protocol.

Curtis Dukes

I am glad to see this. Adopt passkeys and get out of the password game. It's about time.

Moses Frost

2024-10-14

Shadowserver: 86,000+ Fortinet Instances are Still Vulnerable to Known Format String Flaw

According to data gathered by Shadowserver, more than 86,000 Fortinet instances remain vulnerable to a known format string flaw in the FortiOS fgfmd daemon. The critical vulnerability (CVE-2024-23113) was disclosed in February 2024, more than eight months ago. The majority of unpatched instances (38,778) are in Asia, followed by North America (21,262) and Europe (16,381). The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog last week; Federal Civilian Executive Branch (FCEB) agencies have until October 30 to mitigate the issue.

Editor's Note

86,000. This isn't a firewall manufacturer's problem right now. This is a problem on the general internet, where 'critical' security devices that are meant to keep customers safe have been unpatched for a lengthy amount of time. This reminds me of how we 'solved' error-based SQL injection. It was basically Lulzsec going around and 'owning' everyone because it was for the "LULZ." It only takes one very motivated group to take this from 'we didn't patch our firewalls all that often' to 'a group has owned us because they thought it was funny.' Regardless of who makes the product, this is the equivalent of having unpatched Windows on the internet and hoping no one takes over your device.

Moses Frost

CVE-2024-23113, an externally controlled format string vulnerability with a CVSS score of 9.8, can be used to allow a remote attacker to execute arbitrary commands. The flaw was discovered in February, but apparently attackers were busy going after other Fortinet flaws and are now actively exploiting the flaw. The fix is to update your installation of FortiWeb, FortiProxy, FortiPAM or FortiOS to the latest version. You can mitigate the flaw by disabling fgfm access to portX, which prevents FortiGate discovery from FortiManager, but even so this workaround isn't a complete fix.

Lee Neely

This format string vulnerability isn't all that straightforward to exploit. Exploitation may be blocked if the Fortinet SSLVPN verified the certificate authority of the certificate used by the client, something the patch enforces. Refer to the Watchtowr writeup to understand the impact. Fortinet's bulletin is a bit short on the details.

Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024: https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/

Johannes Ullrich

2024-10-10

Sonatype Report: 13 Percent of Log4J Installations are Still Vulnerable

According to Sonatype's 10th Annual State of the Software Supply Chain report, 13 percent of Log4J open-source logging utility installations are unpatched nearly three years after the Log4Shell vulnerability was disclosed. In 2022, Sonatype found that 40 percent of Log4J downloads were vulnerable. Ken Dunham, Director of Threat Research at Qualys' Threat Research Unit, noted that 'Some vulnerabilities are easy to patch and to mitigate and remove, and others are more integrated and multilayered and various dependencies.'

Editor's Note

Pour one out for Log4J. It is still affecting systems.

Moses Frost

Sonatype is introducing the concept of "Persistent Risk": a combination of unfixed and corrosive vulnerabilities which erode the security integrity of software over time. The first example given is "Log4J." While there are updated versions of Log4J packages, the fix isn't as simple as just replacing your jar file. You need to redo the code which uses it, which may necessitate a culture change in how you react to changes in third-party components used in your applications. With the increased demand for SBOMs, the choice to accept the risk and move on will become problematic.

Lee Neely

It's not surprising. As a point of reference, the EternalBlue exploit was leaked 7+ years ago and remains active today. Like Log4j, a patch for EternalBlue is available, but for various reasons, some operational, some lackadaisical, vulnerable installations exist. The question becomes, should those organizations be held liable if the vulnerable device is used to further a cyber incident?

Curtis Dukes

The Rest of the Week's News


2024-10-14

The Internet Archive is Back Online

As of the evening of Sunday, October 13, the Internet Archive's Wayback Machine is back online, albeit 'in a provisional, read-only manner,' according to a social media post from Internet Archive founder Brewster Kahle. The site was offline last week after suffering a spate of distributed denial-of-service (DDoS) attacks. They also experienced a data breach in September, which affected 31 million user records.

Editor's Note

Attacking the Internet Archive is pointless and the equivalent of throwing stones to break the window of a food bank. The Internet Archive's Wayback Machine provides a unique and useful service. Consider donating to help them recover from the incident.

Johannes Ullrich

Consider the volume here: the Wayback Machine, which started in 1996, has 916 billion saved web pages, even after being required to remove 500,000 books after losing a court case. The service is back with a caveat that they may have to do further maintenance, which would add more downtime. They also ask users to be gentle. Note the "Save Page Now" button is still disabled.

Lee Neely

Hackers took out the Internet Archive. That's a sad state of affairs, but hasn't it become critical infrastructure?

Moses Frost

2024-10-11

Thousands of Dutch Traffic Lights Susceptible to Remote Manipulation

A researcher in the Netherlands discovered that thousands of traffic lights in that country are vulnerable to remote hijacking. The researcher was able to access the network emergency services use to connect to traffic lights to change lights on their route to green to expedite their arrival at emergencies or hospitals. By manipulating a mechanism used in older traffic signals, they were able to remotely change the lights to green. The Dutch government plans to replace the affected traffic signals, a task which will likely not be completed until 2030.

Editor's Note

The affected traffic lights can be controlled by a radio signal, known as KAR, which was developed and deployed when the threat landscape and the practicality of this type of exploit were negligible. The risk with long-lived purpose-built equipment such as this is that the current threat landscape will eclipse the security they were designed with; the fix is a forklift upgrade. Make sure that you're tracking the current security settings/best practices for these systems. Make sure you understand the complexity and impact of a full replacement before championing that path.

Lee Neely

We've all seen movies where bad (sometimes good) characters manipulate the traffic system to hasten the getaway. Now we know it's rather simple and was built as a feature supporting first responders. What will be interesting is how the national government protects the integrity of the traffic system over the next five years as they look to replace all the traffic lights. Miscreants read the news just like we do.

Curtis Dukes

If anyone actually pulls this attack off, they better be rollerblading and yelling hack the planet. It's only fair.

Moses Frost

"Updates via Landfill" will sadly become more and more common for various "smart technologies" in the future.

Johannes Ullrich

2024-10-10

Massachusetts State Payroll Taken Down After Phishing Attack

The Massachusetts state "HR/CMS Employee Self-Service Time and Attendance (SSTA) system" was offline from October 8 to October 9, 2024 following a breach which the Office of the Comptroller described as "credential harvesting." While it is unclear how the phishing attack was delivered, an announcement on October 9 reported that a number of employees entered credentials into a counterfeit login page, exposing their account and direct deposit information. The system was temporarily taken down for further investigation, but apart from certain affected employees receiving paper checks, payroll will proceed unaffected. The announcement recommends employees vet and bookmark any portal links, change their passwords, and take basic anti-phishing precautions.

Editor's Note

It's hard to prevent users from falling for credential harvesting sites. Requiring phishing-resistant MFA makes a significant impact on the value of these sites. Couple that with services such as protective DNS and layer seven filtering, and you'll be a lot less reliant on the strength of your training program alone.

Lee Neely

The human element is the most difficult to defend against. No matter the amount of anti-phishing training one receives, stuff happens. The best thing a defender can do is limit the exposure with rigorous patching, configuration, and active monitoring. It appears that the MA state IT department did just that.

Curtis Dukes

2024-10-11

India's Star Health Acknowledges Data Breach

India's Star Health insurance provider has acknowledged that cyber threat actors gained 'unauthorized and illegal access to certain data' earlier this year but maintains that the incident has not affected business operations. The breach made news in September when threat actors claimed to have posted data belonging to more than 30 million individuals. The data were being leaked through two Telegram chatbots. After being notified of the situation, Telegram removed the bots, and moderators are monitoring activity to ensure they are not recreated.

Editor's Note

The attacker, who goes by the name of xenZen, claims to have obtained the data from the Star Health CISO Amarjeet Khanuja. Meanwhile, Star Health claims their CISO was not involved and threats against him are to create panic. Since the breach of 31 million policy holders plus over 5.8 million insurance claims, totaling about 7.24 terabytes, Star Health's shares have dropped 11% and they are suffering reputation damage. On top of all that, Star Health has a ransom demand of $68,000. Star Health is suing Telegram (bots that leaked the data), Cloudflare (hosting the data), and xenZen. Put this scenario into your tabletop playbook and see what happens when you have to restore company and C-Level reputations as well as share values. This becomes much more than a cyber/IT scenario.

Lee Neely

2024-10-14

Colorado's Axis Health Care Cyber Incident

Axis Health System, which operates 13 healthcare facilities in western and southwestern Colorado, has acknowledged that it 'experienced a cyber incident.' The incident has disrupted the portal that patients use to communicate with healthcare providers. A ransomware group known for targeting healthcare organizations claimed responsibility for the attack on Thursday, October 10.

Editor's Note

Researchers have discovered a significant number of healthcare devices, holding medical information, which are exposed to the internet: 36% of these process medical images while 28% are EHR systems. While many of these are tied to small practices and positioned to share information with other medical professionals and hospital networks in their areas, steps need to be taken to limit access to only authorized partners. While it's simplest to open services to "all" to avoid the steps needed to incorporate new users/partners, the threat is significant enough to warrant stronger controls such as MFA and device signaling to raise the bar.

The Global State of Internet of Healthcare Things (IoHT) Exposures on Public-Facing Networks: https://censys.com/state-of-internet-of-healthcare-things/

Lee Neely

2024-10-14

Two More Healthcare Breaches

Two separate US healthcare entities recently began notifying affected patients that their personal information was compromised. In information provided to the Maine Attorney General's office, Texas-based Gryphon Healthcare indicated that the breach of their systems affected more than 390,000 patients; California-based Tri-City Healthcare District indicated that a breach of their systems compromised information of more than 108,000 patients. In a patient notification letter, Gryphon wrote that they 'became aware of a data security incident involving a partner that Gryphon provides medical billing services for, which resulted in unauthorized access to certain personal and/or protected health information maintained by Gryphon.'

Editor's Note

The Gryphon breach compromised names, addresses, DOBs, SSNs, dates of service, diagnosis and health insurance information, treatment and prescription details, provider details and medical record numbers; they are offering 12 months of identity protection/credit restoration. Tri-City was breached in November of 2023, but the investigation took until late September 2024 to determine that personal information such as names and other identifiers was released. Like dwell time, breach content discovery/investigation time needs to be reduced dramatically; affected individuals need to know their information is at risk as rapidly as possible.

Lee Neely

2024-10-14

Tor Browser Update Addresses Firefox Vulnerability

The Tor Project has updated Tor Browser to version 14.0a9 to include a fix for a critical use-after-free vulnerability in Firefox (Tor Browser is based on Firefox ESR). The vulnerability could be exploited 'to achieve code execution in the content process by exploiting a use-after-free in Animation timelines.' Mozilla released updates to address the flaw last week.

Editor's Note

Tor Browser still uses Mozilla Firefox, arguably one of the most significant installations.

Moses Frost

Internet Storm Center Tech Corner

Phishing Page Delivered Through a Blob URL

https://isc.sans.edu/diary/Phishing+Page+Delivered+Through+a+Blob+URL/31350

Fortinet Fortigate CVE 2024-23113 deep dive

https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/

This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands

https://checkmarx.com/blog/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands/

Windows PPTP and L2TP Deprecation

https://techcommunity.microsoft.com/t5/windows-server-news-and-best/pptp-and-l2tp-deprecation-a-new-era-of-secure-connectivity/ba-p/4263956

BIG-IP LTM Systems Unencrypted Cookie Exploitation

https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure-big-ip-ltm-systems-encrypt-http-persistence-cookies

Telekopye Toolkit Used in Hotel Booking Scams

https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/