US Federal Agencies Urge Encryption after Telecom Breaches; Decade-Old Cisco Vulnerability Exploited in the Wild; OT & IoT Still Need Foundational Cybersecurity

Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, and the US have jointly published Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The document serves to underscore the threat posed by Chinese state-sponsored threat actors who have compromised telecommunications networks. The guidance notes that “although [it is] tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment.” The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have also advised US citizens to avoid using plain text communication channels, recommending encrypted phone and messaging apps "prevent[ing] anyone -- including the app makers -- from accessing the communications of its users."

In a security advisory created in 2014 and updated on December 2, 2024, Cisco reports that their Product Security Incident Response Team (PSIRT) has now discovered "attempted exploitation" of a vulnerability in the Cisco Adaptive Security Appliance (ASA), potentially allowing a cross-site scripting attack. The severity of the flaw is rated medium, and "allows remote attackers to inject arbitrary web script or HTML" due to "insufficient input validation of a parameter." Meny Har, co-founder and CEO of Opus Security, emphasizes that the severity is not indicative of the importance: "If you are a target of advanced threat actors, you need to care about the medium-severity issues, especially in critical infrastructure ... this is an XSS in a web VPN, meaning bad actors can hijack a user session and can impersonate them and use their privileges inside the organization. This issue, combined with a targeted email attack to trick someone with elevated privileges to click a link, makes this medium-severity XSS become a powerful chain attack.” There is no workaround for the vulnerability, and Cisco recommends mitigating by updating to a fixed release.

"It’s not novel, but we want to underscore that as something that really helps," said Katherine Rawls about cybersecurity practices for operational technology systems at a December 3 conference on OT hosted by General Dynamics Information Technology (GDIT). From airports to oil pipelines to component supply chains, the criticality of transport infrastructure makes cybersecurity a priority and a challenge. Rawls states that the US Department of Transportation is collaborating with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the US Coast Guard, the Transportation Security Administration, and the Department of Energy to implement "baseline cybersecurity requirements." Recommendations include self-assessments, cybersecurity posture, risk assessment, and proper triage in mitigation. CISA Deputy Director Nitin Natarajan spoke at GDIT's conference to highlight workforce gaps and uncertain transition of knowledge as obstacles to OT security in legacy systems, with high risk to cyber-poor, yet high-value environments such as rural schools and hospitals. Meanwhile, a December 4 report by the US Government Accountability Office (GAO) found federal agencies failing to comply with cybersecurity requirements for taking inventory of Internet of Things (IoT) devices. The GAO determined that five of the six agencies requesting waivers for certain requirements did not merit the waivers. "Three agencies said they wouldn’t be able to finish their IoT inventories by Sept. 30, six did not share their time frames for doing so, and one — the Small Business Administration — said it does not use any IoT and therefore would not be compiling an inventory."

Two data brokers, Gravy Analytics (including subsidiary Venntel) and Mobilewalla, have been confronted by the FTC and barred from collecting and selling sensitive identifiable location data without consumer consent. Gravy and Venntel "collected and used consumers’ [non-anonymized] location data for commercial and government uses without obtaining consent from the individuals," and continued to do so with awareness of the lack of consent. "Venntel’s data, either on its own or through how it powers Babel Street, is widely used by law enforcement," with or without a warrant, including by US Customs and Border Protection, Immigration and Customs Enforcement (ICE), and the FBI. Sensitive locations include "medical facilities, such as those relating to substance abuse, reproductive care and psychiatry; religious organizations; correctional facilities; labor union offices; homeless shelters; groups providing services based on race and ethnicity; and military sites." Gravy and Venntel must delete or de-identify "historic location data" going back three years, as well as ensure customer consent for data collection and use through a "supplier assessment program." Any misleading statements about compliance and consent, collection and use of data, and de-identification of data are also prohibited. Mobilewalla unfairly collected data from real-time bidding and third-party data aggregators; data were not anonymized, with no procedure for doing so. "From 2018 to 2020, Mobilewalla collected in excess of 500 million unique consumer advertising identifiers matched to their precise location data," and used the information for targeted advertising profiles, including locations of political protesters, and women who visited health clinics. "The FTC alleges that Mobilewalla’s actions not only compromised consumers’ personal privacy but exposed them to potential discrimination, physical violence, emotional distress, and other harms — risks consumers could not avoid given that most were unaware of the company’s activities." Mobilewalla is held to similar misrepresentation and consent standards as Gravy and Venntel, and is barred from "using, transferring, selling and disclosing sensitive location data." 

Veeam has published an advisory disclosing two vulnerabilities in Veeam Service Provider Console affecting version 8.1.0.21377, as well as all previous 8 and 7 builds. Both flaws were discovered during internal testing. CVE-2024-42448, CVSS score 9.9, allows remote code execution on the VSPC server machine by an authorized agent on the VSPC management agent machine. CVE-2024-42449, CVSS score 7.1, allows an attacker "to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine" under the same authorized management agent condition. The only solution provided by Veeam is to update to Veeam Service Provider Console 8.1.0.21999. 

I-O Data has confirmed that three unpatched critical flaws in their routers are being actively exploited. A firmware update for an inclusion of undocumented features issue (CVE-2024-52564) that could be exploited to disable firewalls has been shipped; patches for the other two vulnerabilities – an information disclosure issue (CVE-2024-45841) and a remote arbitrary code execution flaw (CVE-2024-47133) – are not expected to be available until December 18.

Chemonics International, a contractor for the United States Agency for International Development (USAID), suffered a data breach earlier this year that exposed personal information of more than 263,000 people. Chemonics disclosed the breach on December 3, 2024. The company “became aware of suspicious activity related to certain user accounts” in mid-December 2023; an investigation revealed that intruders had access to Chemonics systems starting in May 2023. Affected data include “name, address, email address, date of birth, social security number, driver’s license or state ID information, passport information, US military ID information, tribal ID information, financial information, health and related information, usernames and passwords, biometric information, gender/sexual orientation information, and signatures.”

In May 2024, iVerify launched their Mobile Threat Hunting feature. On December 4, they published a report of finding from the use of the feature. From the 2,500 device scans that users submitted to iVerify, seven found instances of Pegasus spyware, some dating as far back as 2021. iVerify writes that their “investigation detected 2.5 infected devices per 1,000 scans – a rate significantly higher than any previously published reports.”

Stoli Group USA and Kentucky Owl (KO) recently filed for bankruptcy. Both organizations are subsidiaries of Stoli Group, which suffered a ransomware attack in August of this year. According to the bankruptcy filing, “The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group’s enterprise resource planning (ERP) system being disabled and most of the Stoli Group’s internal processes (including accounting functions) being forced into a manual entry mode. These systems will be fully restored no earlier than in the first quarter of 2025.”