SANS NewsBites

Shortening Certificate Lifecycles; SolarWinds Hardcoded Credential Vulnerability; State-Sponsored Hackers are Targeting Critical Infrastructure

October 18, 2024  |  Volume XXVI - Issue #80

Top of the News


2024-10-15

Apple and Google Want Shorter Certificate Lifecycles

Apple has proposed significantly reducing the length of time that SSL/TLS certificates remain valid. Currently, the certificates are valid for 398 days; Apple's proposal describes a gradual reduction in the length of certificate lifecycles, ending with a 45-day validity period by 2027. Similarly, Google plans 'to study the impact of reducing domain validation reuse periods to 90 days or less.' Sysadmins have made known their unhappiness with the plans.
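As an added example (not from the newsletter or from Apple's proposal), the check below shows what a shorter cap means for an existing certificate inventory: it measures each certificate's lifetime against a policy cap (398 days today, 45 days under the proposal) and flags the ones that have entered their renewal window. The inventory rows, host names and dates are constructed; the renewal window is assumed to be the last third of the lifetime, the convention Let's Encrypt recommends for its 90-day certificates (renew after 60 days).

```python
from dataclasses import dataclass
from datetime import date

# Constructed inventory rows (common name, notBefore, notAfter) in the shape a
# CA portal or TLS scanner export would give them. All values are made up.
INVENTORY = [
    ("www.example.test",  "2024-09-01", "2025-10-04"),  # a full 398-day certificate
    ("api.example.test",  "2024-08-01", "2024-10-30"),  # a 90-day certificate
    ("mail.example.test", "2024-10-01", "2024-11-15"),  # a 45-day certificate
]


@dataclass
class Finding:
    name: str
    lifetime_days: int
    days_left: int
    exceeds_policy: bool   # lifetime longer than the cap being assessed
    renew_now: bool        # inside the renewal window, or already expired


def assess(inventory, today, max_lifetime_days, renew_fraction=1 / 3):
    """Compare each certificate against a lifetime cap and flag the ones that
    have entered their renewal window.

    The renewal window is assumed to be the last `renew_fraction` of the
    lifetime (Let's Encrypt's advice for 90-day certificates: renew at 60 days).
    `today` and the inventory dates are ISO strings so callers need no datetime.
    """
    today = date.fromisoformat(today)
    findings = []
    for name, not_before, not_after in inventory:
        start, end = date.fromisoformat(not_before), date.fromisoformat(not_after)
        lifetime = (end - start).days
        days_left = (end - today).days
        window = max(1, int(lifetime * renew_fraction))
        findings.append(Finding(
            name=name,
            lifetime_days=lifetime,
            days_left=days_left,
            exceeds_policy=lifetime > max_lifetime_days,
            renew_now=days_left <= window,
        ))
    return findings


def report(inventory, today, max_lifetime_days):
    """Human-readable summary; returns the lines so callers can log them."""
    lines = [f"policy cap: {max_lifetime_days} days, assessed on {today}"]
    for f in assess(inventory, today, max_lifetime_days):
        flags = []
        if f.exceeds_policy:
            flags.append("LIFETIME EXCEEDS CAP")
        if f.renew_now:
            flags.append("RENEW NOW")
        lines.append(f"{f.name:<20} lifetime={f.lifetime_days:>3}d "
                     f"left={f.days_left:>4}d {' '.join(flags)}".rstrip())
    return lines


if __name__ == "__main__":
    for cap in (398, 45):
        print("\n".join(report(INVENTORY, "2024-10-18", cap)))
        print()
```

Run against a real export, the "LIFETIME EXCEEDS CAP" rows under a 45-day cap are the certificates whose issuance and deployment will need automation (ACME or a CA's equivalent) before the cap arrives; a 45-day certificate renewed by hand gives a two-week margin for error.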

Editor's Note

This change has been discussed for about a year now. It is important to automate certificate renewals, if possible with standard protocols like ACME. Some certificate authorities may also offer their own solutions, but be careful before you lock yourself into a proprietary solution.

Johannes Ullrich

The CA Browser Forum has now been around for almost 20 years and has always been slow to make needed progress in making an SSL trust chain actually trustable. In 2011, compromise of a Comodo affiliate Registration Authority resulted in bogus certificates being issued for domains at Yahoo, Google, Skype, Mozilla and others. This pointed out how weak the strength of registration validation was, and in 2014 the Heartbleed OpenSSL vulnerability was discovered and we saw how badly certificate revocation was handled. The changes recommended are long overdue. Imagine if we said 'Let's only patch Windows once every 398 days because sys admins are complaining.' CIOs like to talk about rapid development and CI/CD pipelines - if IT operations can really do that they should be able to patch operating systems every 2 weeks and renew certificates every 45 days by 2027.

John Pescatore

With the advent of Let's Encrypt, I would say this is an excellent idea for a large set of websites on the internet. Where this is problematic are protocols that live outside of the web. Some certificates are used internally between services in various places. One example is 802.1X/NAC with EAP and EAP-TLS. Another example is Smart Cards. There are just some places where renewing certificates is more problematic and impactful. Let's do this where we can and consider something longer-term where we cannot.

Moses Frost

There will have to be agreement on duration: 90, 45, etc. Shorter lifetime reduces the amount of time a compromised certificate can be used, reducing risk and improving security. This will also require automation as we're busy putting certificates on endpoints, mobile devices, and about any service which supports it, and there is no good way to continue manual updates. Let's Encrypt already only issues 90-day certificates. Even with 398-day expirations, start automating certificate updates; your future self, who isn't getting the expired certificate ticket, will thank you.

Lee Neely

2024-10-16

CISA: SolarWinds Hardcoded Credential Bug is Being Actively Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) says that there is a hardcoded credential vulnerability in SolarWinds Web Help Desk; CISA has added this to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability 'could allow a remote, unauthenticated user to access internal functionality and modify data.' SolarWinds has released a hotfix to address the flaw.

Editor's Note

I hope Solarwinds does not blame the intern this time. The password isn't Solarwinds123 … is it?

Moses Frost

CVE-2024-28986, Java Deserialization RCE flaw, CVSS score 9.8, and CVE-2024-28987, hardcoded credential flaw, CVSS score 9.1, are fixed in SolarWinds Web Help Desk (WHD) 12.8.3 Hotfix 2 or 3. As WHD 12.8.3 Hotfix 3 is now available, if you've not already applied HF 2, go straight to HF3. Per the NIST KEV, you have until November 5th to remediate this vulnerability.

Lee Neely

This was expected as soon as the credentials became public.

Johannes Ullrich

Ugh, hardcoded credential baked into the product. That's bad enough, but to have to announce another hot fix in the span of six months after the last bugaboo that gained so much notoriety. Not a good look for the company after it tried to calm jittery customers with an independent third-party audit and security-focused marketing blitz.

Curtis Dukes

2024-10-17

Security Agencies from US, Canada, and Australia Warn Iranian State-Sponsored Cyberthreat Actors are Targeting Critical Infrastructure

In a joint cybersecurity advisory, the US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA); the Communications Security Establishment Canada (CSE); the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) warn that Iranian state-sponsored cyberthreat actors are targeting critical infrastructure organizations in multiple sectors. The attackers' techniques include password spraying and MFA push bombing to gain access to targeted accounts. The advisory includes a list of tactics, techniques, and procedures used by the threat actors, as well as indicators of compromise.
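The two techniques named in the advisory leave distinct shapes in sign-in telemetry: password spraying shows up as one source failing against many different accounts in a short window, and push bombing as a burst of MFA prompts to one user, usually right after a correct password. The detector below is an added example, not part of the advisory; the log lines are constructed in a generic "timestamp event user source" shape (your IdP's export will differ), and the event names, window sizes and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events in a generic "timestamp event user source" shape;
# the accounts, addresses and timings are made up for this example.
SAMPLE_LOG = """\
2024-10-17T08:00:01Z LOGIN_FAIL alice 203.0.113.7
2024-10-17T08:00:04Z LOGIN_FAIL bob 203.0.113.7
2024-10-17T08:00:09Z LOGIN_FAIL carol 203.0.113.7
2024-10-17T08:00:15Z LOGIN_FAIL dave 203.0.113.7
2024-10-17T08:00:22Z LOGIN_FAIL erin 203.0.113.7
2024-10-17T08:00:30Z LOGIN_FAIL frank 203.0.113.7
2024-10-17T08:00:41Z LOGIN_OK carol 203.0.113.7
2024-10-17T08:00:42Z MFA_PUSH_SENT carol 203.0.113.7
2024-10-17T08:00:55Z MFA_PUSH_DENIED carol 203.0.113.7
2024-10-17T08:01:00Z MFA_PUSH_SENT carol 203.0.113.7
2024-10-17T08:01:20Z MFA_PUSH_SENT carol 203.0.113.7
2024-10-17T08:01:45Z MFA_PUSH_SENT carol 203.0.113.7
2024-10-17T08:02:10Z MFA_PUSH_SENT carol 203.0.113.7
2024-10-17T08:02:30Z MFA_PUSH_APPROVED carol 203.0.113.7
2024-10-17T09:15:00Z LOGIN_FAIL alice 198.51.100.9
2024-10-17T09:15:20Z LOGIN_FAIL alice 198.51.100.9
2024-10-17T09:15:40Z LOGIN_OK alice 198.51.100.9
2024-10-17T09:15:41Z MFA_PUSH_SENT alice 198.51.100.9
2024-10-17T09:15:50Z MFA_PUSH_APPROVED alice 198.51.100.9
"""


def parse_events(text):
    """Parse lines into (timestamp, event, user, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, source))
    return sorted(events)


def detect_spraying(events, window=timedelta(minutes=5), min_users=5):
    """Password spraying seen from the defender's side: one source failing
    against many *different* accounts inside `window`.
    Returns {source: most distinct accounts failed in any one window}."""
    failures = defaultdict(list)
    for ts, event, user, source in events:
        if event == "LOGIN_FAIL":
            failures[source].append((ts, user))
    flagged = {}
    for source, fails in failures.items():          # fails are time-sorted
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[source] = max(flagged.get(source, 0), len(users))
    return flagged


def detect_push_bombing(events, window=timedelta(minutes=10), min_pushes=4):
    """MFA push bombing: repeated push prompts to one user inside `window`.
    Returns {user: most prompts seen in any one window}. A user who keeps
    denying prompts (MFA_PUSH_DENIED) and then approves one is the case to
    investigate first."""
    pushes = defaultdict(list)
    for ts, event, user, _ in events:
        if event == "MFA_PUSH_SENT":
            pushes[user].append(ts)
    flagged = {}
    for user, times in pushes.items():
        for i, start in enumerate(times):
            count = sum(1 for ts in times[i:] if ts - start <= window)
            if count >= min_pushes:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def analyse(text):
    """Run both detectors over one log export."""
    events = parse_events(text)
    return {"spraying": detect_spraying(events),
            "push_bombing": detect_push_bombing(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for who, n in hits.items():
            print(f"{kind}: {who} ({n} in window)")
```

In the constructed log the second source (198.51.100.9) fails twice against a single account and sends one prompt, which a normal user mistyping a password produces, so neither detector fires on it; the first source sprays six accounts, lands on carol's password, and pushes five prompts until one is approved, which is the sequence phishing-resistant MFA removes.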

Editor's Note

MFA push bombing attacks are why you should be looking at phishing resistant MFA. If you've rolled out MFA, make sure that you're covering all Internet facing services. Train users to detect unsuccessful login attempts, deny MFA requests they didn't generate, and ensure that MFA, where enabled, is properly configured. Make sure that passwords, where used, are strong and follow the latest NIST 800-63 guidance, and that you're disabling accounts in an expeditious fashion. Make sure that you're tracking password reset requests for attempts to bypass your processes.

Lee Neely

Can't we just get to the point where we say, if you're internet facing, you're being targeted? I mean, nation state, cyber-criminal, hacktivist, they're all using the same tactics listed. If I'm a defender, I already know I'm a target of some organization. The best thing I can do is be religious in the patching, configuring, and monitoring of my enterprise. Have we 'over-rotated' on the value of threat intelligence?

Curtis Dukes

Even the most obvious bears repeating.

William Hugh Murray

The Rest of the Week's News


2024-10-16

Readiness for Post-Quantum Cryptography Means Renovation and Innovation

Nearly fifty percent of US federal cybersecurity "experts and decision-makers" surveyed by General Dynamics Information Technology (GDIT) identified legacy systems as a major obstacle to implementing post-quantum cryptography (PQC) in "defense, civilian, and intelligence agencies." About the same proportion of respondents are "actively developing strategies for PQC readiness," but resource limitations may account for the 17 percent with "no defined plans" or priorities for the transition. The study asserts that "the ability to consistently monitor and update cryptographic systems will be crucial as new algorithms and standards are adopted." In August 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published guidance for strategizing and tracking US agencies' adoption of PQC, and the National Institute of Standards and Technology (NIST) released the finalized ML-KEM, ML-DSA, and SLH-DSA algorithms "designed to withstand the attack of a quantum computer." Days prior to GDIT's survey results, a consortium was announced comprising three companies, all developers of powerful encryption-focused hardware: the Fully Homomorphic Encryption Technical Consortium (FHETCH). "Fully homomorphic encryption is a quantum-resilient cryptography method that allows encrypted data to be processed without first decrypting it," and the consortium's goal is "to collaborate on technical standards necessary to develop commercial fully homomorphic encryption solutions and lower adoption barriers."

Editor's Note

While we tend to think of NSA in its SIGINT mission, they also have responsibility for COMSEC. They will get it right in time.

William Hugh Murray

We can barely get companies on TLS 1.3 or just on TLS 1.2, released in 2008. Some work is already being done out of various universities claiming to have 'broken' RSA and possibly AES. Broken is probably the wrong way of thinking about it. They have proven prime number factorization to decrypt RSA in a reasonably fast amount of time using Quantum computing. This means that there may not be a reasonably good enough cryptographic set of algorithms that would be truly secure for some time. This is the current thinking, which probably means that we need to be much more agile in quickly changing ciphers.

Moses Frost

With luck, the FHETCH efforts will speed and enhance releasing of PQC hardware and software solutions. While Q-Day remains in the future, upgrading your encryption is anything but a finger snap, so careful planning and testing, particularly interoperability, is called for. Government agency or otherwise, you need to be getting smart on PQC. Start with the CISA strategy for migration, which includes identifying where you have encryption. Then work with your suppliers to develop test and implementation plans which you can then use to develop a realistic plan.

Lee Neely

2024-10-17

CISA/FBI 'Bad Practices' Guidance Open to Feedback

"Product Security Bad Practices," a joint guidance document from the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI, is open to public comment until December 2, 2024. The guidance is not a set of requirements but rather recommendations "urg[ing] software manufacturers to reduce customer risk," outlining "exceptionally risky" software design practices and how best to avoid them. Three categories define the list: 1. "Product properties," including development in memory-unsafe languages, user input in SQL queries and OS command strings, use of default passwords, and inclusion of known KEVs; 2. "Security features," including lack of MFA and lack of available logs in the baseline product for providing evidence of intrusion; and 3. "Organizational processes and policies," including failure to publish "timely CVEs with CWEs," and failure to publish a vulnerability disclosure policy.
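The first category's "user input in SQL queries" item is the easiest of the bad practices to show side by side with its fix. The snippet below is an added example, not code from the CISA/FBI document: it builds a constructed in-memory SQLite table (names and roles are made up), runs the same lookup once with the input spliced into the SQL text and once as a parameterized query, and compares what each returns for an ordinary name, a name containing an apostrophe, and a classic tautology input.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (names and roles are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    """The bad practice CISA lists: user input spliced into the SQL text itself.
    The database cannot tell where the query ends and the data begins."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so whatever the input contains it is only ever compared as a
    username. This also makes legitimate names with quotes work."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def unsafe_query_breaks(conn, username):
    """True when the concatenated query does not even parse for this input,
    which is how such code usually first reveals itself: as a crash on a
    real customer's name."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def compare(conn, username):
    """Row counts both variants return for one input (None = query failed)."""
    unsafe = None if unsafe_query_breaks(conn, username) else len(find_user_unsafe(conn, username))
    return {"unsafe": unsafe, "safe": len(find_user_safe(conn, username))}


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(f"{value!r:>18}: {compare(db, value)}")
```

The three inputs tell the whole story: both variants agree on "alice"; the concatenated query fails outright on "o'brien" while the parameterized one finds the row; and the tautology input returns every row from the concatenated query and nothing from the parameterized one. The same separation of code from data is the remedy for the "OS command strings" item in the same list (argument vectors instead of shell strings).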

Editor's Note

CISA continues to shine the light on bad coding practices in support of their Secure by Design, Secure by Default, and Secure Operations initiatives. Those old shortcuts and bad practices need to become a thing of the past. Regrettably, some systems may need a forklift replacement rather than the end-to-end revamping of the security. The best plan is to work with your suppliers on what their plans are, and make sure that your internal SQA practices are set up to catch these bad practices.

Lee Neely

Trying to teach good practice is not working. Calling out bad practice is worth a try.

William Hugh Murray

2024-10-17

US Defense Department Publishes Cybersecurity Maturity Model Certification Rule

The US Department of Defense (DoD) has published the final version of the Cybersecurity Maturity Model Certification Program Rule in the Federal Register. The rule, which aims to help 'verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI),' takes effect in mid-December.

Editor's Note

Requirements for protecting CUI and FCI have been solidifying for about 10 years now. CMMC is designed to enforce these requirements, and this ruling now creates a standardized measurement to ensure this information is properly protected. This will be a part of awarding contracts. The DCMA DIBCAC website (https://www.dcma.mil/DIBCAC/) includes pre-assessment documents, a publicly releasable version of the assessment database, FAQs, and other reference material you'll need.

Lee Neely

What's it been, like seven or eight years in the making? So, over all that time, it's still essentially NIST 800-171, broken into groups, with a bit of acquisition guidance sprinkled in. Just imagine if the department had only held companies accountable to meeting 800-171 from the beginning, which they were. Yep, there's that nasty word, accountable, being used.

Curtis Dukes

2024-10-17

Pilots Flying With Spotty GPS in Parts of Norway Due to Jamming Attacks

GPS jamming is so prevalent in parts of Norway that the country's communication authority (NKOM) has stopped logging the events, accepting the situation as a 'new normal.' A captain and senior safety advisor with the Norwegian airline Widerøe said the jamming incidents last around seven minutes, and that they are experienced 'every day.' The jamming causes the GPS to stop working; pilots are able to navigate by communicating with ground stations. In recent years, some smaller airports have begun using GPS exclusively in place of ground-based equipment.

Editor's Note

Good practice in navigation, land, sea, and air, is to use more than one method. It is equally good practice in security.

William Hugh Murray

Pilots compare flying during the jamming, which lasts 6-8 minutes at a time, to being transported back 30 years in time. The ground-based systems are becoming less common due to their increased cost versus GPS. Currently, these attacks are largely in the vicinity of the Russia/Ukraine conflict and now also include jamming of the GNSS satellite and ground communications bands. Even devices like iPads, which use multiple GPS satellites for accuracy and resiliency, are impacted by the jamming.

Lee Neely

2024-10-17

Microsoft's Digital Defense Report 2024

Microsoft's Digital Defense Report 2024 addresses a range of topics, including nation-state threat actors, ransomware, identity and social engineering, strategic approaches to cybersecurity, the emerging threat landscape, AI for defense, and advancing global AI security. The main report summary page includes links to a general executive summary, as well as executive summaries tailored to CISOs and to Government and Policy Makers.

Editor's Note

Except for the Actionable Insights sections, this should really be called the Microsoft Digital Threat Report 2024. I tried to get the Chat GPT AI bot to just pull those sections - most of them started with 'Move to Multi-Factor Authentication' - but could not get it to do it. To save you a lot of reading, 70 pages in I found this summary for OT security that really is the same for IT: 'Based on this work we've identified three core actions that, if taken by the operations technology industry, would significantly improve the security of systems across the industry: 1 Adopt modern authentication for users and devices. 2 Enable centralized device configuration management and secure apps and devices by default. 3 Implement a Secure Development Lifecycle (SDLC) program for product development that is certified by independent security experts.'

John Pescatore

The top targeted sectors worldwide are IT (24%), Education and Research (21%), Government (12%), Think tanks and NGOs (5%), Transportation (5%), Consumer Retail (5%), Finance (5%), Manufacturing (4%), Communications (4%), and other (16%). From 2023 to 2024 there is an increase of over 13 trillion security signals per day with over 1500 unique threat groups tracked. While many of the recommended mitigations are familiar, note that OT is even more firmly on the radar as trends show an increasing focus on attacking these components. The report is 114 pages, while the summaries are about 14, so you want to start there first.

Lee Neely

The report weighs in at a beefy 114 pages. As always, chock full of interesting tidbits on the evolving threat and security, including AI. Here's the bottom line by Tom Burt: "We all can, and must, do better, hardening our digital domains to protect people at all levels." That quote was applicable in 2023, in 2022, in 2021, … you get the picture.

Curtis Dukes

2024-10-17

US DoJ Indicts Sudanese Brothers for Alleged Roles in Multiple Damaging DDoS Attacks

The US Justice Department (DoJ) unsealed a June 2024 indictment against two Sudanese brothers for allegedly operating Anonymous Sudan, a hacktivist group that has claimed responsibility for numerous significant distributed denial-of-service (DDoS) attacks. The group's targets include ChatGPT, Microsoft, Telegram, X, and the Associated Press, as well as government websites in several countries, an alert system warning of incoming missiles, and hospitals in multiple countries. The indictment charges Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer with conspiracy and impairing computers. The brothers were arrested in March and are being held in an undisclosed location.

Editor's Note

The brothers' tens of thousands of attacks, targeting visible targets, government, hospitals, and large companies earned them a reputation for being callous and brazen. Their primary attack was DDoS. The good news is that protecting against those attacks is a known quantity. While you've been talking to your network team and service providers about their protections for a bit, make sure you double back to cover any new services which weren't in business when you last ran this cycle, particularly anything Internet facing.

Lee Neely

Score one for the good guys. That said, too many servers are left misconfigured and unpatched that enable DDoS attacks. What accountability, if any, should those organizations bear for not exhibiting a standard 'duty of care' in properly maintaining the devices?

Curtis Dukes

Read more in

Europol: Charges unveiled in ongoing effort to de-anonymise DDoS group Anonymous Sudan

Justice: Two Sudanese Nationals Indicted for Alleged Role in Anonymous Sudan Cyberattacks on Hospitals, Government Facilities, and Other Critical Infrastructure in Los Angeles and Around the World

Justice: Indictment

Wired: Hacker Charged With Seeking to Kill Using Cyberattacks on Hospitals

Washington Post: U.S. charges Sudanese men with running powerful cyberattack-for-hire gang

The Record: Sudanese brothers charged for 'Anonymous Sudan' attacks targeting critical infrastructure, government agencies and hospitals

The Register: Anonymous Sudan isn't any more: Two alleged operators named, charged

Security Week: Anonymous Sudan DDoS Service Disrupted, Members Charged by US

Krebs on Security: Sudanese Brothers Arrested in 'AnonSudan' Takedown


2024-10-16

Critical Vulnerability in VM Images Built with Kubernetes and Proxmox

Virtual machines (VMs) running an image built with Kubernetes Image Builder 0.1.37, or any previous versions, are vulnerable to unauthorized SSH connection leading to access with root privileges, with especially high risk to images made with the Proxmox provider. The SSH connection would allow a threat actor to use default credentials which were "enabled during the image-building process and not disabled afterward." The Kubernetes/Proxmox flaw (CVE-2024-9486) carries a critical 9.8 CVSS rating; images built with other providers are still vulnerable, but not as severely (CVE-2024-9594, CVSS 6.3). A security advisory on the Kubernetes forum recommends mitigation by rebuilding and redeploying affected images, disabling the builder account on affected VMs, and upgrading to Image Builder 0.1.38 or later.
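Since the advisory's interim mitigation for already-deployed VMs is to disable the builder account, a defender wants a way to confirm, across a fleet, which images still carry a login-capable build-time account. The audit below is an added example, not code from the Kubernetes advisory or from Image Builder: it reads /etc/passwd and /etc/shadow content and classifies every account the way `passwd -S` would, treating a usable or empty password on an interactive shell as login-capable. The file excerpts, hashes and dates are constructed; the account name "builder" is the one the advisory names, and the lock format ("!" prefixed to the hash) is what `passwd -l` writes.

```python
# Constructed /etc/passwd and /etc/shadow excerpts from a VM image that still
# carries the build-time account; user names, hashes and dates are made up.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
builder:x:1000:1000::/home/builder:/bin/bash
ubuntu:x:1001:1001::/home/ubuntu:/bin/bash
svc:x:1002:1002::/var/lib/svc:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """\
root:*:19900:0:99999:7:::
daemon:*:19900:0:99999:7:::
builder:$6$constructedsalt$constructedhashvalue:19900:0:99999:7:::
ubuntu:!:19900:0:99999:7:::
svc::19900:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def _fields(text):
    """Yield the colon-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def parse_passwd(text):
    """{user: login shell} from /etc/passwd content."""
    return {f[0]: f[6] for f in _fields(text)}


def parse_shadow(text):
    """{user: password field} from /etc/shadow content."""
    return {f[0]: f[1] for f in _fields(text)}


def password_state(hash_field):
    """Classify the shadow password field the way `passwd -S` reports it."""
    if hash_field == "":
        return "empty"            # no password at all: anyone can log in
    if hash_field.startswith(("!", "*")):
        return "locked"           # passwd -l / usermod -L, or never set
    return "usable"


def audit_accounts(passwd_text, shadow_text):
    """Return {user: status}: "login-capable" when the password is usable or
    empty AND the shell is interactive; "locked" or "nologin" otherwise."""
    shells = parse_passwd(passwd_text)
    status = {}
    for user, field in parse_shadow(shadow_text).items():
        if shells.get(user, "") in NOLOGIN_SHELLS:
            status[user] = "nologin"
        elif password_state(field) == "locked":
            status[user] = "locked"
        else:
            status[user] = "login-capable"
    return status


def flagged(passwd_text, shadow_text, watch=("builder",)):
    """Watched build-time accounts that can still log in on this image."""
    status = audit_accounts(passwd_text, shadow_text)
    return sorted(u for u in watch if status.get(u) == "login-capable")


def lock_entry(shadow_line):
    """The shadow line `passwd -l` would write: '!' prefixed to the hash.
    Shown for the data transformation only; on a live host use the tool."""
    fields = shadow_line.split(":")
    if not fields[1].startswith("!"):
        fields[1] = "!" + fields[1]
    return ":".join(fields)


if __name__ == "__main__":
    for user, state in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{user:<8} {state}")
    print("needs action:", flagged(PASSWD_SAMPLE, SHADOW_SAMPLE))
```

On the constructed image only "builder" comes back as login-capable, which is the condition the advisory's interim mitigation removes; after locking, the same audit reports nothing, and the rebuilt images from Image Builder 0.1.38 or later should show the account already locked. Note that the audit only covers password authentication: a build-time authorized_keys file or an SSH configuration that permits a locked account would need separate checks.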

Editor's Note

A pox on default passwords. We need to get beyond them, like yesterday. The updated rebuild process sets a randomly generated password for the builder account during the build and then disables the account when finished.

Lee Neely

2024-10-15

Jetpack Updates 100+ Versions of Plugin to Fix Critical Flaw

Jetpack has released updated versions of its WordPress plugin to address a critical flaw in the Jetpack Content Form feature. The vulnerability was reportedly discovered during a security audit. Jetpack has updated versions of the plugin as far back as version 3.9.10; in all, they released updates for 101 versions. So far, there is no assigned CVE for the vulnerability.

Editor's Note

Make sure that you've got automated updates of your plugins enabled and your copy of Jetpack is up to date. It's a bit crazy that Jetpack released updates for 101 versions of their plugins; most vendors would have a smaller subset, outside of which you need to install a supported version. Even with this model, it'd be a good idea to make a deliberate plan to move to version 13.9.1 or later. While you're in your WordPress plugin list, uninstall unused or disabled plugins. Not only do they leave potentially insecure code on your server, but also, they can contribute to instability of your WordPress site.

Lee Neely

Internet Storm Center Tech Corner

Scanning Activity from Subnet 15.184.0.0/16.

https://isc.sans.edu/diary/Scanning+Activity+from+Subnet+151840016/31362

The Top 10 Not So Common SSH Usernames and Passwords

https://isc.sans.edu/diary/The+Top+10+Not+So+Common+SSH+Usernames+and+Passwords/31360

Angular-base64-upload Demo Script Exploited

https://isc.sans.edu/diary/Angularbase64update+Demo+Script+Exploited+CVE202442640/31354

Gatekeeper Bypass

https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/

Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpuoct2024.html

Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ata19x-multi-RDTEqRsy

SAP Vulnerability

https://redrays.io/blog/poc-sap-note-3433192-code-injection-vulnerability-in-sap-netweaver-as-java/

Dept. of Commerce Sites Advertising Medication

https://x.com/tliston/status/1833542884047654984

CISA Product Security Bad Practices

https://www.cisa.gov/resources-tools/resources/product-security-bad-practices

Kubernetes Image Builder Vulnerability CVE-2024-9486 CVE-2024-9594

https://discuss.kubernetes.io/t/security-advisory-cve-2024-9486-and-cve-2024-9594-vm-images-built-with-kubernetes-image-builder-use-default-credentials/30119

SolarWinds Hardcoded Password Exploited CVE-2024-28987

https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/

Bypassing noexec and executing arbitrary binaries

https://iq.thc.org/bypassing-noexec-and-executing-arbitrary-binaries

Quantum Annealing Public Key Cryptographic Attack Algorithm Based on D-Wave Advantage

https://www.theregister.com/2024/10/14/china_quantum_attack/

EDRSilencer

https://github.com/netero1010/EDRSilencer

Synchronizing Passkeys

https://fidoalliance.org/specifications-credential-exchange-specifications/