SANS NewsBites

US Federal Agencies Urge Encryption after Telecom Breaches; Decade-Old Cisco Vulnerability Exploited in the Wild; OT & IoT Still Need Foundational Cybersecurity

December 6, 2024  |  Volume XXVI - Issue #93

Top of the News


2024-12-05

Intelligence and Cybersecurity Agencies Urge Use of Encrypted Communications

Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, and the US have jointly published Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The document serves to underscore the threat posed by Chinese state-sponsored threat actors who have compromised telecommunications networks. The guidance notes that “although [it is] tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment.” The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have also advised US citizens to avoid using plain text communication channels, recommending encrypted phone and messaging apps that "prevent[] anyone -- including the app makers -- from accessing the communications of its users."

Editor's Note

It’s kind of ironic that agencies who lobbied in the past against encrypted communications realize now that the surveillance mechanisms they built into telecom networks are being used against them. This “Volt Typhoon” compromise of multiple telecommunications providers (even outside the US) is the best argument for strong end-to-end encryption.

Johannes Ullrich

Lack of end-to-end encryption of email and attachments still increases overall risk more than this issue. But ideally the publicity around this issue and China’s ease of compromising the major telecom carriers will give politicians the courage to pass badly needed legislation to force major improvements in security at all telecoms and messaging providers – which is needed if email is ever to become safe and trustable. Historical note: logins over the Internet were originally in the clear. In the early 1990s, telecoms providers were routinely compromised with network sniffers that harvested bulk account names and passwords. The growth of the World Wide Web and browsers raised the stakes, and in 1994 Netscape introduced SSL and the US Government released FIPS 140-1 standards for crypto. Finally, in 2001 or so, the US government required all web browsers and servers procured to be FIPS 140 compliant – SSL use for transport security exploded across all industries.

John Pescatore

Transport Layer Security (TLS) has been the most widespread application of encryption. It is essential to the safe use of public networks. Governments, including the so-called "five eyes" nations have historically resisted the more widespread application of encryption because it raises the cost of law enforcement. This guidance represents a change in favor of national security at the expense of law enforcement.

William Hugh Murray

Let this be a case study to those advocating backdoors into encryption protocols for lawful interception purposes: once you introduce a backdoor you have no guarantee that it will not be abused by various actors.

Brian Honan

2024-12-03

Cisco Vulnerability Actively Exploited After a Decade

In a security advisory created in 2014 and updated on December 2, 2024, Cisco reports that their Product Security Incident Response Team (PSIRT) has now discovered "attempted exploitation" of a vulnerability in the Cisco Adaptive Security Appliance (ASA), potentially allowing a cross-site scripting attack. The severity of the flaw is rated medium, and "allows remote attackers to inject arbitrary web script or HTML" due to "insufficient input validation of a parameter." Meny Har, co-founder and CEO of Opus Security, emphasizes that the severity is not indicative of the importance: "If you are a target of advanced threat actors, you need to care about the medium-severity issues, especially in critical infrastructure ... this is an XSS in a web VPN, meaning bad actors can hijack a user session and can impersonate them and use their privileges inside the organization. This issue, combined with a targeted email attack to trick someone with elevated privileges to click a link, makes this medium-severity XSS become a powerful chain attack.” There is no workaround for the vulnerability, and Cisco recommends mitigating by updating to a fixed release.
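The defect class the advisory describes, a request parameter reflected into a web page with insufficient input validation, is easiest to see beside its fix. The following is an added example in Python written for this newsletter item; it is not Cisco's code, does not reproduce the ASA WebVPN issue, and every function name, parameter name and header value in it is hypothetical. It shows the unvalidated reflection, the validated and output-encoded form, and the defence-in-depth headers that limit what a session-hijacking script could do if an encoding gap remained.

```python
"""Added example (not Cisco's code): reflected-parameter XSS beside its hardened form."""
import html
import re

# Allow-list for a post-login redirect target: relative paths only (hypothetical policy).
SAFE_NEXT = re.compile(r"^/[A-Za-z0-9_./-]*$")


def render_login_vulnerable(next_url: str) -> str:
    """Vulnerable pattern: the parameter is concatenated into markup unchanged,
    so a value containing a quote or a tag becomes part of the page."""
    return (
        '<form action="/login">'
        f'<input type="hidden" name="next" value="{next_url}">'
        "</form>"
    )


def encode_attribute(value: str) -> str:
    """HTML-encode a value for use inside a quoted attribute."""
    return html.escape(value, quote=True)


def render_login_hardened(next_url: str) -> str:
    """Hardened pattern: validate the parameter against an allow-list of shapes,
    fall back to a fixed value instead of echoing bad input, and encode on output."""
    target = next_url if SAFE_NEXT.match(next_url) else "/"
    return (
        '<form action="/login">'
        f'<input type="hidden" name="next" value="{encode_attribute(target)}">'
        "</form>"
    )


def security_headers() -> dict:
    """Defence in depth (hypothetical values): CSP refuses inline script, and an
    HttpOnly session cookie is unreadable to script even if injection succeeds."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Set-Cookie": "session=<value>; Secure; HttpOnly; SameSite=Lax",
    }


def reflects_markup(page: str, param: str) -> bool:
    """Regression check: does a parameter carrying markup survive verbatim into the page?"""
    return param in page and ("<" in param or '"' in param)


# Constructed sample inputs: a benign redirect target and one carrying markup.
BENIGN = "/dashboard"
MARKUP = '"><b>injected</b>'

if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_login_vulnerable(MARKUP), MARKUP))
    print("hardened reflects markup:  ", reflects_markup(render_login_hardened(MARKUP), MARKUP))
    print(render_login_hardened(BENIGN))
```

The `reflects_markup` check is the kind of assertion worth keeping in a test suite for any endpoint that echoes request data: it fails loudly on the unencoded path and passes on the encoded one, independent of which browser happens to render the result.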

Editor's Note

Ugh, 10 years and we’re still reminding folks to update to fix a known vulnerability. That said, I must commend Cisco for designing an appliance that still performs 10 years later.

Curtis Dukes

2024-12-05

Collaboration and Regulation in OT & IoT Security

"It’s not novel, but we want to underscore that as something that really helps," said Katherine Rawls about cybersecurity practices for operational technology systems at a December 3 conference on OT hosted by General Dynamics Information Technology (GDIT). From airports to oil pipelines to component supply chains, the criticality of transport infrastructure makes cybersecurity a priority and a challenge. Rawls states that the US Department of Transportation is collaborating with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the US Coast Guard, the Transportation Security Administration, and the Department of Energy to implement "baseline cybersecurity requirements." Recommendations include self-assessments, cybersecurity posture, risk assessment, and proper triage in mitigation. CISA Deputy Director Nitin Natarajan spoke at GDIT's conference to highlight workforce gaps and uncertain transition of knowledge as obstacles to OT security in legacy systems, with high risk to cyber-poor, yet high-value environments such as rural schools and hospitals. Meanwhile, a December 4 report by the US Government Accountability Office (GAO) found federal agencies failing to comply with cybersecurity requirements for taking inventory of Internet of Things (IoT) devices. The GAO determined that five of the six agencies requesting waivers for certain requirements did not merit the waivers. "Three agencies said they wouldn’t be able to finish their IoT inventories by Sept. 30, six did not share their time frames for doing so, and one — the Small Business Administration — said it does not use any IoT and therefore would not be compiling an inventory."

Editor's Note

I’m glad to see a focus on K-12 and Healthcare. Having worked in Healthcare at the start of my career, I never encountered considerations for BioMedical and Medical IoT when it came to security. Outside of “patching,” there is no real consensus on leveraging the Purdue model for OT in the medical space. Maybe instead of patching, we will see a move towards segmenting these devices. I don’t want to be hooked up to life-saving devices wondering if they will go down due to ransomware or other attacks.

Moses Frost

The friction between regulatory requirements and resources. Regardless, make sure you know what OT systems and components you have and how they are protected, particularly any time they are internet accessible. Then keep track.

Lee Neely

Every cybersecurity professional should already be aware of the importance of including internet facing devices within their cybersecurity program. An accurate and up-to-date inventory is a vital first step. That’s why the CIS Critical Security Controls prioritize them as Controls 1, 2, and 3 (Data Protection). It’s a joint responsibility of the IT and security staff.

Curtis Dukes

The Rest of the Week's News


2024-12-04

FTC Disciplines Data Brokers Over Sensitive Location Misuse

Two data brokers, Gravy Analytics (including subsidiary Venntel) and Mobilewalla, have been confronted by the FTC and barred from collecting and selling sensitive identifiable location data without consumer consent. Gravy and Venntel "collected and used consumers’ [non-anonymized] location data for commercial and government uses without obtaining consent from the individuals," and continued to do so with awareness of the lack of consent. "Venntel’s data, either on its own or through how it powers Babel Street, is widely used by law enforcement," with or without a warrant, including by US Customs and Border Protection, Immigration and Customs Enforcement (ICE), and the FBI. Sensitive locations include "medical facilities, such as those relating to substance abuse, reproductive care and psychiatry; religious organizations; correctional facilities; labor union offices; homeless shelters; groups providing services based on race and ethnicity; and military sites." Gravy and Venntel must delete or de-identify "historic location data" going back three years, as well as ensure customer consent for data collection and use through a "supplier assessment program." Any misleading statements about compliance and consent, collection and use of data, and de-identification of data are also prohibited. Mobilewalla unfairly collected data from real-time bidding and third-party data aggregators; data were not anonymized, with no procedure for doing so. "From 2018 to 2020, Mobilewalla collected in excess of 500 million unique consumer advertising identifiers matched to their precise location data," and used the information for targeted advertising profiles, including locations of political protesters, and women who visited health clinics. "The FTC alleges that Mobilewalla’s actions not only compromised consumers’ personal privacy but exposed them to potential discrimination, physical violence, emotional distress, and other harms — risks consumers could not avoid given that most were unaware of the company’s activities." Mobilewalla is held to similar misrepresentation and consent standards as Gravy and Venntel, and is barred from "using, transferring, selling and disclosing sensitive location data."

Editor's Note

The current patchwork of 18 State Data and Health privacy laws is not enough to protect citizens. It’s way past time for the US legislature to create a national data privacy law to guide how data is collected by apps and used by data aggregators.

Curtis Dukes

A law regulating data brokers — requiring that they notify subjects of all PII held on them; requiring that they notify of any sale or other use or dissemination of that data; and making the brokers financially liable for compromises of that data — should be easier to pass than an omnibus privacy law but goes a long way toward accomplishing the objectives of a broader law. California legislature to the rescue?

William Hugh Murray

The laws around this still need to be clarified. Data brokers will collect data until someone refuses to do so. The laws need to catch up to what they are doing.

Moses Frost

Data broker or otherwise, it’s a good time to make sure that you have your content straight for any identifiable data. If you have to tell a story about how you're walking the line, maybe look more closely…

Lee Neely

2024-12-04

Update to Patch Two Veeam Vulnerabilities, Including Critical RCE Flaw

Veeam has published an advisory disclosing two vulnerabilities in Veeam Service Provider Console affecting version 8.1.0.21377, as well as all previous 8 and 7 builds. Both flaws were discovered during internal testing. CVE-2024-42448, CVSS score 9.9, allows remote code execution on the VSPC server machine by an authorized agent on the VSPC management agent machine. CVE-2024-42449, CVSS score 7.1, allows an attacker "to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine" under the same authorized management agent condition. The only solution provided by Veeam is to update to Veeam Service Provider Console 8.1.0.21999. 

Editor's Note

Veeam is a backup and disaster recovery leader. If you’re a Veeam customer, patch. Anyone that can access these systems can compromise your entire environment.

Moses Frost

2024-12-05

I-O Data: Router Zero-days are Being Actively Exploited

I-O Data has confirmed that three unpatched critical flaws in their routers are being actively exploited. A firmware update for an "inclusion of undocumented features" issue (CVE-2024-52564) that could be exploited to disable firewalls has been shipped; patches for the other two vulnerabilities – an information disclosure issue (CVE-2024-45841) and a remote arbitrary code execution flaw (CVE-2024-47133) – are not expected to be available until December 18.

Editor's Note

Routers play a major role in perimeter security. They should be chosen and operated for security. Keeping them current is essential to the fulfillment of their role.

William Hugh Murray

2024-12-05

Chemonics Breach Affects 263,000 Individuals

Chemonics International, a contractor for the United States Agency for International Development (USAID), suffered a data breach earlier this year that exposed personal information of more than 263,000 people. Chemonics disclosed the breach on December 3, 2024. The company “became aware of suspicious activity related to certain user accounts” in mid-December 2023; an investigation revealed that intruders had access to Chemonics systems starting in May 2023. Affected data include “name, address, email address, date of birth, social security number, driver’s license or state ID information, passport information, US military ID information, tribal ID information, financial information, health and related information, usernames and passwords, biometric information, gender/sexual orientation information, and signatures.”

Editor's Note

The question arises as to why this information was even collected, much less retained at risk. Consider your data collection, retention, and protection policies.

William Hugh Murray

Umm, a year to finally notify users of a cyber incident likely affecting their private information. The good news is “that protecting personal information is something that Chemonics takes very seriously.” Perhaps that is what they said back in 2021 when they last suffered a data breach. Seems like cyber criminals have them on a two-year revisit cycle.

Curtis Dukes

2024-12-04

iVerify’s Mobile Threat Hunting Feature Detects Pegasus Instances

In May 2024, iVerify launched their Mobile Threat Hunting feature. On December 4, they published a report of findings from the use of the feature. Of the 2,500 device scans that users submitted to iVerify, seven found instances of Pegasus spyware, some dating as far back as 2021. iVerify writes that their “investigation detected 2.5 infected devices per 1,000 scans – a rate significantly higher than any previously published reports.”


2024-12-03

Ransomware Attack a Factor in Stoli Subsidiaries’ Bankruptcy Filing

Stoli Group USA and Kentucky Owl (KO) recently filed for bankruptcy. Both organizations are subsidiaries of Stoli Group, which suffered a ransomware attack in August of this year. According to the bankruptcy filing, “The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group’s enterprise resource planning (ERP) system being disabled and most of the Stoli Group’s internal processes (including accounting functions) being forced into a manual entry mode. These systems will be fully restored no earlier than in the first quarter of 2025.”

Editor's Note

Enterprise network vulnerability constitutes a risk to the health and continuity of the business. Directors and executive management take heed. Ensure that all essential and efficient measures are in place to ensure a safe and resilient enterprise.

William Hugh Murray

Internet Storm Center Tech Corner

Business E-Mail Compromise

https://isc.sans.edu/diary/Guest+Diary+Business+Email+Compromise/31474

Data Analysis: The Unsung Hero of Cybersecurity Expertise

https://isc.sans.edu/diary/Data+Analysis+The+Unsung+Hero+of+Cybersecurity+Expertise+Guest+Diary/31494

Extracting Files Embedded Inside Word Documents

https://isc.sans.edu/diary/Extracting+Files+Embedded+Inside+Word+Documents/31486

Alan Paller Inducted into the Cybersecurity Hall of Fame

https://cybersecurityhalloffame.org/

HPE Aruba Vulnerabilities

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US

FBI Warns iPhone and Android Users Stop Sending Texts

https://www.forbes.com/sites/zakdoffman/2024/12/03/fbi-warns-iphone-and-android-users-stop-sending-texts/

IdentityIQ Improper Access Control Vulnerability – CVE-2024-10905

https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905

Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day

https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029

Lorex 2K Indoor Wi-Fi Security Camera

https://www.rapid7.com/globalassets/_pdfs/research/pwn2own-iot-2024-lorex-2k-indoor-wi-fi-security-camera-research.pdf

https://www.lorex.com/products/2k-indoor-wi-fi-security-camera

Solana web3.js Backdoor

https://socket.dev/blog/supply-chain-attack-solana-web3-js-library

Korea arrests CEO for adding DDoS feature to satellite receivers

https://www.bleepingcomputer.com/news/security/korea-arrests-ceo-for-adding-ddos-feature-to-satellite-receivers/

Veeam Vulnerabilities

https://www.veeam.com/kb4679

WPTaskScheduler Persistence and CVE-2024-49039 PoC

https://github.com/je5442804/WPTaskScheduler_CVE-2024-49039