SANS NewsBites

Maryland's Bug Bounty Program; UN Cybercrime Convention; Microsoft Patch Tuesday

November 15, 2024  |  Volume XXVI - Issue #88

Top of the News

2024-11-14

StateScoop Priorities Podcast: Maryland's Successful Bug Bounty

"There's no other state that's done a bug bounty with a scope this large," says Lance Cleghorn, Senior Director of State Cybersecurity for the state of Maryland. In an interview with StateScoop's Keely Quinlan, Cleghorn posits that the capability of bug bounty programs is unique, allowing them to find vulnerabilities that otherwise might go unnoticed. Tracing the development of Maryland's program out of his experiences with the Defense Digital Service and "Hack the Pentagon" program, he emphasizes "diversity of thought" and the human element in the program's success. He and Katie Savage, Maryland's chief information officer, look forward to applying lessons learned in the process, and may look into fostering a state vulnerability disclosure program.

Editor's Note

Well-managed bug bounty programs that are run by organizations have a good track record. But 'well-managed' also includes making sure your software inventory, update and configuration management processes are accurate, rapid and thorough. One of the common failings is updating all managed devices when vulnerabilities are found but a full network scan results in only 80% (or less!) of devices found showing up in Active Directory, etc. Another key point: have a plan in place about what to do when a vulnerability is discovered that cannot be fixed.

John Pescatore

'Well-managed' in this case should include a requirement that such activity be conducted under management and supervision and with the permission of the target. The line between research and hacking is thin and obscure. Those incenting such activity have a special responsibility to those that they encourage.

William Hugh Murray

Kudos to Maryland for finding a force multiplier. Note that if you're operating a bug bounty program, you need to be prepared to not only run the program, which can be outsourced, but also to remediate findings, including validation the issue is indeed fixed, which is trickier to outsource.

Lee Neely

Bug bounty programs have proven their worth over the past decade. It's also reassuring to see the concept applied at the State level. My only quibble is to ensure that you've done the basics well (patching, secure configuration, monitoring) before spending precious cybersecurity dollars on finding implementation bugs.

Curtis Dukes

2024-11-14

UN Cybercrime Convention Still Draws Concern Ahead of Vote

In December 2019, the United Nations resolved "to elaborate a comprehensive international convention on countering the use of information and communications technologies for criminal purposes." The draft of the UN Convention Against Cybercrime was approved on Monday, Nov 11, and will be up for a General Assembly vote in December. Eleven articles enumerate actions that would be criminalized when taken "without right," including: access to computer systems or parts of systems; interception of "non-public" electronic data transmission; interference with data, such as deletion, damage, or alteration; and interference with a computer system's function. Because these actions also represent elements of good-faith cybersecurity work, the treaty may criminalize legitimate research, ethical hacking, protective interception of signals, penetration testing, and red-team activities, and may discourage vulnerability disclosure programs. Acknowledgement of these cases is not explicit in the treaty, and any protection for researchers would therefore rely on national laws. The Cybersecurity Tech Accord, comprising over 100 major tech companies "including Microsoft, Meta, Oracle, Cisco, SalesForce, Dell, GitHub, HP and more" has voiced objection to the treaty, citing potential threats to cybersecurity research, specifically AI system safety research. Ilona Cohen with CyberScoop argues for proactive steps from US agencies to "develop and disseminate best practices for implementing the treaty," laying a cooperative and globally visible foundation for the protection of good-faith researchers. Human rights groups and the Electronic Frontier Foundation have also expressed alarm over potential abuses of the treaty as a "tool of repression." Six US Senators have formally submitted their disapproval of the treaty over its possible risks to "privacy rights, freedom of expression, [and] cybersecurity and artificial intelligence safety." The Tech Accord's representative noted that a feature of the treaty codifying inter-governmental transfer of personal information "virtually guarantees the Convention's provisions will be used abusively."

Editor's Note

This was prompted after Russia took issue with the existing Budapest Convention, demanding the addition of a framework to address cybercrime. The trick will be the balancing act between processing actual crimes versus criminalizing security research, potentially torpedoing the effectiveness of bug bounty programs such as the success story from Maryland above.

Lee Neely

Drafting legislation that accomplishes its intent while avoiding unintended consequences is difficult. It should be approached with both humility and caution. That is particularly true with Copyright, a law that is arbitrary in both intent and application.

William Hugh Murray

2024-11-13

Microsoft Patch Tuesday

On Tuesday, November 12, Microsoft released updates to address more than 80 security issues in their products. Of those, three are rated critical, two have been actively exploited in the wild, and two were previously disclosed. The actively exploited vulnerabilities are an NTLM hash disclosure spoofing issue in Windows NT LAN Manager (CVE-2024-43451) and a privilege elevation vulnerability in Windows Task Scheduler (CVE-2024-49039).

Editor's Note

Microsoft vulnerabilities constitute a pervasive and attractive attack surface. The success of Microsoft products makes their quality essential to the security of the world's infrastructure. While patching is an inefficient way to achieve quality, in this case it is also essential.

William Hugh Murray

Can you say 89 fixes? I knew you could. Now make sure that you already sent the notice that you'll be patching and rebooting endpoints this weekend. There are only two zero-day issues identified in this set, but there are three critical flaws, two of which are being exploited in the wild. Of note: CVE-2024-46039, Kerberos RCE flaw, CVSS score 9.8, which is being actively exploited; CVE-2024-49039, Task Scheduler privilege escalation flaw, CVSS score 8.8; CVE-2024-43625, VMSwitch privilege escalation flaw, CVSS score 8.1; and CVE-2024-49019, AD Certificate Services privilege escalation flaw, CVSS score 7.8, all need to be addressed smartly; with the release, the list of what's being exploited is going to evolve quickly.

Lee Neely

The Rest of the Week's News

2024-11-14

US Agencies Confirm Telecom Breach by Chinese Threat Actors

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) issued a joint statement on November 13, 2024, reporting breaches and compromised data in the networks of US telecommunications companies by threat actors associated with the People's Republic of China (PRC). The unauthorized access, which was first disclosed in another joint statement in October 2024, is now confirmed to involve "theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders." The agencies state they are working on defense and support of those affected, and they ask any potential victims to contact their local FBI field office or CISA.

Editor's Note

Recall the reports of Salt Typhoon breaching systems at AT&T, Verizon and Lumen, specifically targeting the systems U.S. law enforcement agencies use for wiretaps. A focus on proper isolation, multi-factor, and validation of connection requests when paired with updates and a secure configuration goes a long way to make this sort of attack hard to duplicate.

Lee Neely

2024-11-14

NIST Clears KEV Backlog, But CVEs Remain

Since early 2024, the National Institute of Standards and Technology (NIST) has communicated delays in their analysis and metadata enrichment of vulnerability catalog entries due to a critical lack of resources. As of November 13, 2024, NIST has processed their full backlog of Known Exploited Vulnerabilities (KEVs), though their previous estimate for completing work on outstanding Common Vulnerabilities and Exposures (CVEs) by the end of the year was "optimistic" and will not be met, they stated in a news update. NIST stated "This is due to the fact that the data on backlogged CVEs that we are receiving from Authorized Data Providers (ADPs) are in a format that we are not currently able to efficiently import and enhance." The agency is working on new systems for processing these data, and has "a full team of analysts on board."

Editor's Note

As of November 13th they claim to be fully staffed to work the incoming CVEs. Hopefully the updated data feeds will facilitate the analysis; it's not clear what it'll take to process the backlog. Their November 15th announcement describes how the incoming data from CNAs and ADPs will need to be enhanced for effective processing, and includes removal of some tags requiring more information. These changes start November 18th and will be reflected immediately in the 2.0 API. The 1.1 legacy feed changes will be staggered over a few days.

Lee Neely
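For anyone consuming NVD data while the enrichment backlog persists, the practical question is which entries in a pull are still unenriched and which of those are already in CISA's KEV catalog. The following is an added example, not code from NIST, SANS or the NewsBites editors. It triages a payload shaped like the NVD 2.0 API's `/rest/json/cves/2.0` response (the field names `vulnStatus`, `cisaExploitAdd` and `metrics.cvssMetricV31` are the real ones); the sample payload embedded below is constructed for the example, reusing the four CVE IDs from this issue's Patch Tuesday item with illustrative statuses and scores rather than live NVD data. When NVD has not yet published its own ("Primary") score, the code falls back to the CNA- or ADP-supplied ("Secondary") score so an unenriched entry still gets a severity for prioritization.

```python
"""Triage an NVD API 2.0 response: which CVEs are still unenriched, which are in KEV.

Added example, not NIST's or SANS's code. SAMPLE_RESPONSE is a constructed
payload mirroring the NVD 2.0 response shape; its statuses, dates and scores
are illustrative, not live NVD data.
"""
import json
from dataclasses import dataclass
from typing import Optional

# vulnStatus values NVD uses for entries that have not yet received full enrichment.
UNENRICHED_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed sample (shape of GET /rest/json/cves/2.0). CVE IDs are the four
# discussed in this issue; everything else is illustrative.
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 4, "startIndex": 0, "totalResults": 4,
    "format": "NVD_CVE", "version": "2.0",
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-43451", "vulnStatus": "Analyzed",
                 "cisaExploitAdd": "2024-11-12", "cisaActionDue": "2024-12-03",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}]}}},
        {"cve": {"id": "CVE-2024-49039", "vulnStatus": "Awaiting Analysis",
                 "cisaExploitAdd": "2024-11-12", "cisaActionDue": "2024-12-03",
                 # Only the CNA's score is present: NVD has not enriched this one yet.
                 "metrics": {"cvssMetricV31": [
                     {"source": "secure@microsoft.com", "type": "Secondary",
                      "cvssData": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2024-43625", "vulnStatus": "Received", "metrics": {}}},
        {"cve": {"id": "CVE-2024-49019", "vulnStatus": "Undergoing Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "secure@microsoft.com", "type": "Secondary",
                      "cvssData": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH"}}]}}},
    ],
})


@dataclass
class Triage:
    cve_id: str
    status: str
    in_kev: bool                 # True when NVD carries CISA's cisaExploitAdd date
    base_score: Optional[float]  # best available CVSS base score, or None
    score_source: Optional[str]  # "Primary" (NVD's own) or "Secondary" (CNA/ADP)


def _best_score(cve: dict) -> tuple[Optional[float], Optional[str]]:
    """Prefer NVD's Primary score; fall back to a Secondary (CNA/ADP) score; newest CVSS first."""
    metrics = cve.get("metrics") or {}
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key) or []
        if not entries:
            continue
        # Stable sort: Primary entries first, original order otherwise.
        entries = sorted(entries, key=lambda e: e.get("type") != "Primary")
        return entries[0]["cvssData"]["baseScore"], entries[0].get("type")
    return None, None


def triage(payload: str) -> list[Triage]:
    """Flatten an NVD 2.0 response into one Triage row per CVE."""
    data = json.loads(payload)
    rows = []
    for item in data["vulnerabilities"]:
        cve = item["cve"]
        score, source = _best_score(cve)
        rows.append(Triage(cve["id"], cve["vulnStatus"], "cisaExploitAdd" in cve, score, source))
    return rows


def unenriched_kev(rows: list[Triage]) -> list[str]:
    """KEV entries NVD has not finished enriching: the backlog that matters most."""
    return [r.cve_id for r in rows if r.in_kev and r.status in UNENRICHED_STATUSES]


def summarize(rows: list[Triage]) -> dict[str, int]:
    """Count CVEs per vulnStatus, e.g. to track the backlog across daily pulls."""
    counts: dict[str, int] = {}
    for r in rows:
        counts[r.cve_id and r.status] = counts.get(r.status, 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_RESPONSE)
    print("status counts:", summarize(rows))
    print("KEV still unenriched:", unenriched_kev(rows))
    for r in rows:
        print(f"{r.cve_id:15} {r.status:20} kev={r.in_kev!s:5} score={r.base_score} ({r.score_source})")
```

Against a real pull, replace `SAMPLE_RESPONSE` with the body returned by the 2.0 endpoint (paging with `startIndex`); the `score_source` column tells you which prioritizations rest on an NVD analysis and which on a vendor-supplied score only.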

2024-11-14

Malware in Snail Mail

Switzerland's National Cyber Security Centre, Federal Office of Meteorology and Climatology MeteoSwiss, and Federal Office for Civil Protection (FOCP) have been receiving reports of people receiving letters containing malicious QR codes. The letters claim the code leads to a Severe Weather Warning app. In fact, when people scan the code, it downloads infostealing malware to their phones.

Editor's Note

A new twist on what's become referred to as a 'quishing' attack. This one takes a bit more effort as the miscreant must print, place in envelope, and mail (at a cost). Just remember: stop, and think before acting, lest you become a victim.

Curtis Dukes

The QR code leads to a download for the Coper and Octo2 malware, which targets stealing credentials from as many as 383 banking and other mobile apps. Currently the attack only works on Android devices. Remediation included a recommended factory reset of the device. With the prevalence of QR codes and the install being doctored up to mimic the Alertswiss app developed by their Office of Civil Protection, users have to be particularly wary of being fooled. Even so, making sure to only install apps from known vetted app stores is a good first step.

Lee Neely

QR tags have proved their worth, but they constitute the same risk as any other link. Knowledge and trust are crucial.

William Hugh Murray

2024-11-13

Canada Passes Right to Repair Bills

Canada has passed a pair of right to repair bills that amend the country's Copyright Act to allow circumvention of technological protection measures (TPMs) in the service of 'maintaining or repairing a product, including any related diagnosing,' and 'mak[ing] the program or a device in which it is embedded interoperable with any other computer program, device or component.' While the amendments allow the circumvention of TPMs in these cases, they do not provide access to the tools needed for the circumvention.

Editor's Note

As a consumer, having options for repair services, including self-service, is a bonus. The trick now will be how to find trained/certified repair technicians with legal copies of the needed tools and supplies. Even so, that won't prevent motivated folks from either going without the proper tools or misrepresenting the tools and parts used. Trust but verify while this gets sorted.

Lee Neely

Umm, ok, now what? Hire a cryptographer to circumvent the technological protection measures? Not sure I would call this a win for the right to repair lobby.

Curtis Dukes

2024-11-13

Prison Sentence for Former National Guardsman Who Leaked Sensitive Data

A federal judge in Massachusetts has sentenced former National Guardsman Jack Teixeira to 15 years in prison for leaking 'hundreds of pages of classified National Defense Information (NDI), including many documents designated top secret.' Earlier this year, Teixeira pleaded guilty to multiple counts of 'willful retention and transmission of classified information relating to the national defense.' Teixeira served as a cyber defense operations journeyman in the National Guard from 2019 until he was arrested last year.

Editor's Note

Teixeira is accused of leaking Top-Secret Information. The consequence of loss for Top Secret information is categorized as causing exceptionally grave damage to national security and carries a much more severe consequence than losing Secret information, and your clearance briefing includes terms like Leavenworth and throwing away the key to incentivize proper handling of this type of data. By admitting his guilt his maximum sentence was reduced from 60 to 15 years; his goal had been the lightest possible sentence of 11 years. While most of you don't deal with classified data, have you considered the consequence of loss and consequences for your most sensitive data? (Not just privacy or health data.) Do you have data handling training in your onboarding? How about when staff are granted access to more sensitive data? Verify those briefings are kept current, required and repeated.

Lee Neely

This was a classic case of failure to supervise. While failure to supervise is not a crime, it is subject to discipline. It should be instructive to our audience to know that 15 enlisted personnel (NCOs) and officers faced disciplinary action in this case. Both this case and the Snowden case demonstrated that supervision was not appropriate to the privileges of the perpetrators. Consider the use of Privilege Management software to improve control and accountability.

William Hugh Murray

The unauthorized disclosure of Top Secret information is considered to cause exceptionally grave damage to the national security. Reality Winner got five years. Chelsea Manning got 35 years (commuted after 7). The words 'exceptionally grave damage' don't seem to mean as much as they used to.

Curtis Dukes

2024-11-14

10-Year Sentence for Computer Fraud and Abuse

A judge in the US state of Georgia has sentenced Robert Purbeck to 10 years in prison for gaining unlawful access to computers and stealing personal data. Purbeck's targets included a medical clinic and a Georgia municipality; he purchased access to these organizations on a darkweb marketplace. He also tried to extort bitcoin from a dentist in exchange for not leaking patient records. Purbeck was convicted of computer fraud and abuse earlier this year and has been ordered to pay more than $1 million in restitution.

Editor's Note

The attack pattern consisted of purchasing purloined credentials then accessing the systems to steal documents, reports, and personal information. While he was smart enough to not attack businesses in his vicinity (Meridian ID), the extortion attempts unwound his attempts at anonymity. Sadly, this sort of attack could have been mitigated by the use of MFA. Reusable credentials need to become a thing of the past.

Lee Neely

2024-11-13

Swatting Guilty Plea

A California teenager has pleaded guilty to multiple charges of 'making interstate threats to injure the person of another.' Eighteen-year-old Alan W. Filion targeted schools, religious institutions, government officials, and others; he also offered swatting-as-a-service. According to the plea agreement, Filion made approximately 375 swatting/threatening calls between August 2022 and January 2024, when he was arrested.

Editor's Note

While not strictly a cybersecurity problem, swatting is a life and limb risk. So called "swat" teams should act with due caution and the crime should be punished like attempted murder.

William Hugh Murray

Filion now faces a maximum of five years in prison for each of four counts of making interstate threats to injure the person of another state. Expect the state to make an example of Filion to discourage others attempting similar shenanigans.

Lee Neely

Internet Storm Center Tech Corner