SANS NewsBites

Companies Report Progress in Implementing CISA Secure by Design Pledge Goals; FBI Warns of Compromised Government eMails Used to Request Information; Phishing Campaign Accuses Recipients of Copyright Infringement

November 12, 2024  |  Volume XXVI - Issue #87

Top of the News


2024-11-08

How Organizations are Fulfilling CISA's Secure by Design Pledge

Over the past six months, nearly 250 organizations have signed the US Cybersecurity and Infrastructure Security Agency's (CISA's) Secure by Design Pledge. The Pledge comprises seven goals: increasing the use of multi-factor authentication (MFA); reducing default passwords; reducing entire classes of vulnerabilities, such as memory-safety, cross-site scripting, and SQL injection flaws; increasing customers' installation of security patches; publishing a vulnerability disclosure policy; increasing transparency in vulnerability reporting by publishing CWE and CPE fields in every CVE record; and 'providing artifacts and capabilities to gather evidence of intrusions.' Multiple companies, including Amazon Web Services, Fortinet, Microsoft, Okta, and Sophos, have reported steps taken to fulfill the pledge.

Editor's Note

There are seven goals here, and the signatories are often touting success focused on one or two of them, or nominal progress across all seven. With CISA threatening to increase the number of goals, it's going to be tricky making sure that all are fully met, not just progress made. When assessing a provider's progress against secure by design, make sure you look at the whole picture with your own measure of acceptable progress/residual risk.

Lee Neely

Oh good, nothing makes me feel more secure than more vendors giving a pinkie promise to do better at security. We need stronger regulation to enforce responsibility, accountability, and liability on vendors for the security flaws in their products.

Brian Honan

2024-11-11

FBI Warns of 'Uptick' in Compromised Government eMail Addresses Being Used to Request Information

The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification that warns of an 'uptick' in compromised US and foreign government email addresses being used to make 'fraudulent emergency data requests to US-based companies, exposing personally identifying information (PII).' Suggested mitigations to help prevent exposure of sensitive data include vetting third-party vendors' security posture, and stepping back to examine elements - including images and referenced legal codes - of requests for sensitive information, particularly when the requests have been fabricated to instill a sense of urgency.

Editor's Note

The public sector is as much of a target as the private sector, and both have employees under stress who click the wrong link. Beyond the basics of MFA and technical controls to block malicious sites and attachments, make sure you have required procedures in place for common BEC scenarios, which can help break the momentum and hopefully prevent the planned compromise.

Lee Neely

2024-11-07

Check Point Researchers Detect Malicious 'Copyright Infringement' Phishing Campaign

Researchers at Check Point have identified a phishing campaign that attempts to scare people into downloading malware by impersonating media and technology companies and accusing the email recipient of copyright infringement. Each phishing email is sent from a different Gmail account; the messages urge recipients to download an archive file whose contents use DLL side-loading to deploy an information stealer known as Rhadamanthys.

Editor's Note

The email accounts are used to impersonate the legal department of the supposed copyright complainants and contain a password-protected Zip file. While the AI here is more in the form of machine learning and OCR, it's still prone to errors, notably language errors, so our traditional mitigations help, for now. It'd be a good idea to brief your legal team to be on the lookout for these as users are likely to forward to them for proper handling and response. Then check your (EDR, email, etc.) protections for new features which raise the bar, AI based or otherwise, which you may not have noticed.

Lee Neely

The Rest of the Week's News


2024-11-08

Anthropic and Meta AI Employed for US Defense Contractors

On November 7, Anthropic announced a partnership with Amazon Web Services (AWS) and US intelligence and defense contractor Palantir. The deal leverages AWS to integrate the Claude 3 and 3.5 model families into the Palantir AI Platform, accredited at DOD Impact Level 6 (IL6), which "handles data critical to national security up to the 'secret' classification level." Claude is expected to automate the processing and analysis of large volumes of documents and data, and in the words of Palantir CTO Shyam Sankar, to bring "decision advantage to [U.S. defense and intelligence communities'] most critical missions." Authority to make those decisions will still rest with human beings. Ars Technica notes that Anthropic is drawing criticism online for what is perceived as a compromise of its "ethics- and safety-focused approach to AI development." Anthropic's announcement arrives in good company: In the words of Scott Rosenberg with Axios, "The public sector AI gold rush is on." While Meta's license explicitly prohibits use of its Llama models in military and espionage applications, a November 4 announcement disclosed that the platform is now open to "U.S. government agencies, including those that are working on defense and national security applications, and private sector partners supporting their work," including Palantir, Anduril, Booz Allen, and Lockheed Martin. The same day as Meta's press release, Scale AI separately debuted "Defense Llama," a variation on Meta's Llama 3 purpose-built for warfare. Scale AI's Dan Tadross states that protections built into commercial LLMs are too restrictive for military applications: "We needed to figure out a way to get around those refusals in order to act. Because if you're a military officer and you're trying to do something, even in an exercise, and it responds with 'You should seek a diplomatic solution,' you will get very upset. You slam the laptop closed."

Editor's Note

This is going to be an LLM with very specific training, and an IL6 environment is very restricted, only operated by a CSP under contract to DoD or another federal agency in a DoD private community or Federal government community cloud. They are configured to both NIST SP 800-53 and CNSS 1253 requirements and can only operate at the NSS CIA Moderate-Moderate-Low level. This is a visible step along the EO 14028 directive, which includes increased cloud adoption, and the order was extended to classified systems by National Security Memorandum (NSM) 8, 1/19/22.

Lee Neely

Not surprising given the large amount of money available within the defense budget and the need for companies to book revenue to justify capital investments in AI. It also helps that Anthropic does not have to endure the cost of FedRAMP certification. Expect to see more of this sort of partnership.

Curtis Dukes

Given the state the world is currently in, "You should seek a diplomatic solution," seems like a reasonable option to me.

Brian Honan

2024-11-08

US Federal Agencies Continue to Embrace OpenAI

Several US government entities have partnered or continued developing a relationship with OpenAI technology, including the National Gallery of Art, NASA, the Internal Revenue Service, Los Alamos National Laboratory, the Air Force Research Laboratory, and the Defense Advanced Research Projects Agency (DARPA). Many have purchased ChatGPT licenses for a variety of purposes, often to "reduce administrative burdens and increase efficiency." First among ChatGPT's Enterprise customers was the US Agency for International Development (USAID). The Federal Aviation Administration (FAA) has also published documents indicating interest in "machine learning and artificial intelligence to identify safety risks."

Editor's Note

Licensing and standing up your own LLM, trained on a data set you're managing, provides a safe way to dive into that world without worry about your data being used to enhance another customer's prompt responses. Even so, you're still bound by any restrictions in the LLM's license, such as the prohibition on using the technology to harm people, destroy property, or develop weapons.

Lee Neely

2024-11-11

Law Firm Data Breach Compromised Protected Health Information

In a data security incident notice, Missouri-based law firm Thompson Coburn LLP says that information belonging to patients of one of its clients, New Mexico-based Presbyterian Healthcare Services (PHS), was compromised. Thompson Coburn 'became aware of suspicious activity within [its] network' in late May. A subsequent investigation revealed that files viewed and/or taken by the intruders included some PHS patients' protected health information. The law firm has notified the US Department of Health and Human Services Office for Civil Rights; the number of individuals affected by the breach is estimated to be more than 305,000.

Editor's Note

Thompson Coburn is sending breach notices to folks who they have an address for; otherwise, the message on the TC Notification website covers anyone they missed or don't have addresses for, a nice move which indicates they have good information on where their sensitive data is as well as sufficient information for a forensic analysis. As they haven't determined there is any use of the data, they are providing guidance rather than credit restoration. The PHI came from New Mexico's PHS. If you're a customer, make sure that you're covered for ID theft/credit monitoring & restoration. Consider how well you know where your sensitive data is and what you could do to not only verify it's secured, but also to aid a forensic investigation if needed.

Lee Neely

A timely reminder to ensure that any third party suppliers you deal with have appropriate security controls in place to protect the data you entrust to them. Remember you can outsource the process but not the responsibility for that process.

Brian Honan

Law firms are increasingly becoming targets for miscreants, as they often don't have adequate cybersecurity controls in place. Every organization should implement an essential set of security controls. A good place to start is the CIS Critical Security Controls, Implementation Group 1.

Curtis Dukes

2024-11-08

Vulnerabilities in Mazda In-Vehicle Infotainment System

Researchers from Trend Micro's Zero Day Initiative (ZDI) disclosed six vulnerabilities in the Mazda Connect Connectivity Master Unit (CMU), the in-vehicle infotainment system used in multiple Mazda models. All of the flaws stem from insufficient sanitization of attacker-supplied input and require physical access to the vehicle, for example by connecting a specially crafted USB device to the unit. Some of the flaws could be exploited to execute arbitrary code with root privileges on the CMU. The vulnerabilities are currently unpatched.

Editor's Note

Input sanitization and patching aren't new ideas, and the Mazda system assessed does have a history of security updates. Even so, these systems need to be categorized as OT systems with long service lives, so while you could move newer versions to more secure coding practices, you'll still have old systems to maintain, which makes for a challenging support decision, particularly if you move to new languages. Short term, there appears to be an opportunity for researchers to partner with manufacturers to help identify weaknesses they are unable to uncover.

Lee Neely

2024-11-08

TSA Proposes New Cybersecurity Rules for Pipeline, Rail, and Over-the-Road Bus Operators

The US Transportation Security Administration (TSA) has published a notice of proposed rulemaking that would 'impose cyber risk management (CRM) requirements on certain pipeline and rail owner/operators, and a more limited requirement on certain over-the-road bus (OTRB) owner/operators, to report cybersecurity incidents.' TSA is accepting public comment on the proposed rulemaking through February 5, 2025.

Editor's Note

This is not unlike DoD requiring NIST 800-171 for contractors protecting their data. The rules include annual cybersecurity evaluations, independent (non-biased) assessment plans that identify unaddressed vulnerabilities, a cybersecurity implementation plan which includes systems and how they are protected, detection measures, and incident response plans. The trick is using a risk-based approach to scale the requirements for relevance, as well as securing funding for implementation and oversight.

Lee Neely

The proposal is simply an extension of a trend by the executive branch to require an annual risk assessment and reporting on cybersecurity incidents. Likely those affected by the proposed rulemaking already complete an annual risk assessment. What may be problematic for the operators is meeting CISA secure by design principles via third-party software providers, when it is voluntary for those vendors.

Curtis Dukes

2024-11-11

Amazon: Employee Information was Compromised in MOVEit Breach

Amazon has confirmed that a security breach at a third-party vendor resulted in the compromise of some Amazon employee data. The breach was part of the May 2023 mass exploitation of MOVEit Transfer; the compromised information includes work contact details, such as work-related email addresses, phone numbers, and building locations.

Editor's Note

Third-party security remains a challenge, as they can and will make decisions around solutions, as well as mitigation of vulnerabilities, without your involvement. Make sure you have contract language that not only requires your controls to flow down valid and current security contacts, but also includes provisions for the validated removal of your data. Make sure these terms are validated regularly. Find out when the security of third-party service providers is assessed and who accepts the risk. Make sure it is sufficiently formalized and at an appropriate level; often risk acceptance involves someone out of the C-suite.

Lee Neely

2024-11-11

Halliburton Says Costs of August Breach are $35 Million So Far

Halliburton's most recent financial report says a cybersecurity incident disclosed earlier this year has cost the company $35 million so far. In August filings with the US Securities and Exchange Commission (SEC), Halliburton noted that the incident forced the energy services company to temporarily shut down IT systems and disconnect customers, and that the threat actors stole information.

Editor's Note

The August attack, based on the IOCs, was most likely the work of the RansomHub gang. As neither RansomHub nor any other gang has taken credit for the attack, it's likely that Halliburton paid the ransom. The attack, in combination with the storms in the Gulf of Mexico, has cost Halliburton $0.02/share in adjusted earnings. As most of us aren't able to absorb a $35 million loss, make sure you've got your ransomware playbook dialed in, remembering not only to verify your position on payment but also where you stand related to any OFAC issues which correspond with making such a payment, if you choose to do so.

Lee Neely

While the Q3 costs seem high to most folks, Halliburton's revenue in 2023 was $23B. So, it's unlikely that it will have a material effect on the company. It's also likely that Halliburton paid a ransom given that no gang has taken credit, and no data has been leaked. Bottom line, ransomware gangs will continue to attack if they get paid.

Curtis Dukes

Internet Storm Center Tech Corner

PDF Object Streams

https://isc.sans.edu/diary/PDF+Object+Streams/31430

zipdump and pkzip records

https://isc.sans.edu/diary/zipdump+PKZIP+Records/31428

Mazda Infotainment Vulnerabilities

https://www.zerodayinitiative.com/blog/2024/11/7/multiple-vulnerabilities-in-the-mazda-in-vehicle-infotainment-ivi-system

Ruby SAML CVE-2024-45409: As bad as it gets and hiding in plain sight

https://workos.com/blog/ruby-saml-cve-2024-45409

Veeam Backup Enterprise Manager Vulnerability

https://www.veeam.com/kb4682

Security Update for Dell Enterprise SONiC Distribution Vulnerabilities

https://www.dell.com/support/kbdoc/en-us/000245655/dsa-2024-449-security-update-for-dell-enterprise-sonic-distribution-vulnerabilities

Am I Isolated

https://github.com/edera-dev/am-i-isolated

Locked iPhones Reboot

https://www.bleepingcomputer.com/news/security/iphones-now-auto-restart-to-block-access-to-encrypted-data-after-long-idle-times/

https://x.com/naehrdine/status/1854896392797360484

Palo Alto Networks Bulletin

https://security.paloaltonetworks.com/PAN-SA-2024-0015

D-Link Vulnerability

https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07

Easy Access to Information for Conducting Fraudulent Emergency Data Requests Impacts US-Based Companies and Law Enforcement Agencies

https://www.ic3.gov/CSA/2024/241104.pdf