SANS NewsBites

Alan Paller Inducted into Cyber Security Hall of Fame; FCC Calls on Telecoms to be Accountable for Cybersecurity; Romania Annuls Election Following Cyber Interference; Romanian Power Company Discloses Cyber Attack

December 10, 2024  |  Volume XXVI - Issue #94

Top of the News


2024-12-10

Alan Paller Inducted into Cybersecurity Hall of Fame

On Thursday evening, December 5, Alan Paller was inducted into the Global Cyber Security Hall of Fame, joining Hall of Fame members Vint Cerf, Adm. Mike Rogers, Gene Spafford, Howard Schmidt, Peter Neumann, Richard Clarke, Mark Weatherford, and others. https://cybersecurityhalloffame.org/

Alan's daughter, Channing, spoke eloquently about her father's career and passions, including his commitment to building and supporting the country's cyber workforce:

'He thought through and acted upon the entire lifecycle of a cyber security professional: Identify talent, create opportunities, teach them new skills they can use, ensure their employment, provide ongoing education, remove barriers, and connect people. He worked to ensure that his graduates had jobs at the end of their training. Many of our current cyber security industry leaders have dedicated much of their success to meeting Alan.'

What better way to pay tribute to Alan's vision than hearing from people whose lives he touched:

I've always been on the lookout for people in security who want to 'fight the good fight' - focusing on making it harder for the bad guys and easier for the good guys, and to put that before profit or pushing a particular solution. I first met Alan on some congressional advisory committee we were both on years ago, and I immediately knew he was on the same side of the battle. Alan had two core beliefs: more really skilled practitioners were key to increasing security, and finding really, really skilled practitioners who could also teach others was the key. He was generous in supporting anything and anyone aligned with that, and he was really energetic in finding ways around obstacles to advancing those goals!

- John Pescatore

Alan was such an inspiration for so many people throughout the cybersecurity community, including me. We all learned so much from him, and I think about his advice almost every day in solving complex problems with a smile.

- Ed Skoudis

Alan was an incredible inspiration for me and the community; he changed my life in so many ways. I admired him for his focus on mission and doing the right thing, on focusing on quality not quantity, but most importantly how he would take time out for people and talk to and ultimately develop them. He also took a chance on me, not only as an instructor but investing in my Security Awareness company in 2010. My goal is to take Alan's passion and continue channeling it to the community for as long as I work at SANS.

- Lance Spitzner

I first met Alan Paller around 1999 and as we became friends, he also became one of the greatest influences in my professional life. I'm sure many other people in the cybersecurity community feel the same way.

What made Alan extraordinary wasn't just his business, technical, and political skills - though they were considerable - but rather, his remarkable ability to always see the bigger picture. Every piece of advice he ever offered me took into account not only my individual goals, but how that growth could strengthen our entire industry.

When I first moved to DC, Alan and I tried to have breakfast at least one Saturday a month. After I was offered a role in the Obama administration, Alan was the first person I called and the first person to say, 'you can't say no to a job like this.' Month after month, over coffee and conversation, he showed me what true mentorship looks like. We'd discuss everything from family to politics, from immediate career decisions to long-term industry trends, and our time together was much more valuable to me than it was to him. That's what made these times special to me.

In a field often dominated by tech talk, Alan took the time to truly understand both problems and people. His thoughtful approach to mentorship wasn't about providing quick answers, but about helping others find their path while considering their potential impact on the broader cybersecurity community.

Alan's vision and dedication is largely responsible for shaping the cybersecurity profession. His induction into the Global Cyber Security Hall of Fame is a fitting tribute to someone who spent their life building others up. If I was asked though, I'd say that his greatest legacy isn't in the accolades or achievements - it's in the countless lives he touched and the wisdom he shared that continues to ripple through our industry.

We don't have a lot of giants in the cybersecurity community, but Alan Paller was surely one.

- Mark Weatherford


2024-12-06

FCC and US Legislators Urge Better Telecom Security after Wiretap Breaches

Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced in a press release on December 5 that the FCC is taking decisive steps in holding telecommunications companies accountable for cybersecurity in the wake of the 2024 breach of US wiretap systems. The proposed regulations constitute "urgent action to safeguard the nation's communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People's Republic of China." The commission's drafted Declaratory Ruling states that communications companies are responsible for securing their networks "from unlawful access or interruption" to comply with the Communications Assistance for Law Enforcement Act (CALEA), the same piece of legislation which originally mandated the creation of the wiretap system. Communications providers would be directed to undergo a yearly certification process "attesting that they have created, updated, and implemented a cybersecurity risk management plan." Headline purposes for the proposed measures include strengthening national security, adapting to future threats, and building public trust in the safety of critical communications infrastructure. On December 6, House Homeland Security Committee Chair Mark Green (R-TN) expressed 'bipartisan frustration' on behalf of Congress over the breach, urging that companies cooperate with an upcoming investigation of the breach by the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board.

Editor's Note

Note that the telecom security plans need to also address submarine cable security. In effect this updates the 30-year-old legislation (notably section 105) which requires telecom providers to be able to comply with wiretap requests while also making certain that any interception of communications can only be carried out with lawful authorization. The trick is to make sure these annual security reports don't turn into check-the-box exercises, but actually reflect risk-based decisions to secure these services.

Lee Neely

Certainly the increased oversight by the FCC is warranted, but just now coming to the opinion that telco providers must secure their networks is a bit underwhelming. With today's use of information technology in every sector isn't that a 'standard duty of care' expectation for all companies?

Curtis Dukes

It seems unlikely that law enforcement in general, and the FBI in particular, not even to mention the NSA, is likely to be supportive of this guidance. CALEA cuts both ways.

William Hugh Murray

2024-12-06

Romanian Election Annulled after Cyberattacks and Interference Campaign

Romania's election infrastructure suffered ongoing cyberattacks in the month leading up to the first round of voting in the country's presidential election on November 24, 2024. The estimated 85,000 attacks included the compromise of a Permanent Electoral Authority (AEP) map data server connected to the public web; the leaking of official election and voter registration site credentials; and attempted breaches of voting systems via "SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries." The attacks were concurrent with an "influence campaign" possibly conducted via payments to Romanian TikTok influencers in exchange for distributing promotional content for the "outsider" candidate who nominally won the first round. The country's intelligence service (SRI) and Ministry of Internal Affairs (MAI) suspect the cyberattacks and social media interference to be associated with "foreign state interests" aligning with Russia. On December 6, the Romanian Constitutional Court (CCR) annulled the results of the first round of voting.

Editor's Note

There is a critical issue here: In order to trust government, citizens must be able to trust the election process. But in order to trust the election process when software is involved, there has to be transparency and verification that is done outside of government agencies - or else selective release of previously classified information can be used to skew courts and legislators. We learned this lesson in commercial software, and election system use of software needs the same transparency and external validation. Another key issue: if online credentials are shareable, they are not sufficiently strong for use in online voting in elections, at any level.

John Pescatore

While the decision to annul the first election is, itself, a tough call, what is not clear is what is being done to prevent recurrence. Ignoring the claims of social media influence, election system isolation, credential strengthening, and vulnerability management need to be addressed immediately so the integrity of the results can be ensured.

Lee Neely

2024-12-09

Romanian Power Company Suffers Cyberattack

In a December 9 press release shared by the London Stock Exchange, Electrica Group CEO Alexandru Aurelian Chirita disclosed an ongoing cyberattack. Electrica Group is a major supplier of power throughout Romania, providing electricity and energy system maintenance to approximately one fifth of the country's population. The statement assures customers that "critical systems have not been affected, and any disruptions in interaction with our consumers are the result of protective measures for internal infrastructure." While "response protocols" are being implemented, Chirita commits to communicating any developments and continuing to prioritize "continuity in the distribution and supply of electricity" and the protection of personal and company data. Chirita recommends carefully vetting any suspicious messages appearing to come from Electrica, and to "avoid providing personal data through unsecured channels." Romania's Ministry of Energy believes that Electrica suffered a ransomware attack, but that the company's industrial Supervisory Control and Data Acquisition (SCADA) systems were not affected.

Editor's Note

Critical infrastructure attacks are happening globally, and defenses need to be addressed. Regardless of the threat actor, basic measures such as segmentation and strong authentication need to be implemented and measured. Use a framework to organize your approach. It is likely the Romanian SCADA systems were not impacted simply because they are isolated.

Lee Neely

Another attack on critical infrastructure. While details are scant, Russia has in the past launched cyber-attacks on neighboring countries' electrical grids. The timing of the attack also coincides with the recent presidential election in Romania and claims of Russian election interference.

Curtis Dukes

The Rest of the Week's News


2024-12-09

Neuberger Says Chinese State-Sponsored Threat Actors Recorded US Officials' Phone Calls

Speaking at a security conference in Bahrain, US deputy national security advisor for cyber and emerging technology Anne Neuberger said that Chinese state-sponsored threat actors recorded phone calls made by senior US officials. Last week, "Neuberger confirmed eight US telecom providers had been compromised by Salt Typhoon along with organizations" in many other countries.

Editor's Note

It is not as though the authorities had not been warned that the mechanisms that they insisted upon in CALEA would be abused, misused, and attacked. It is a little late to take note of all the warnings and cautions.

William Hugh Murray

2024-12-04

Water Utilities Cyber Readiness Program Enters Phase 2

The Cyber Readiness Institute (CRI), Foundation for Defense of Democracies (FDD), and Microsoft have published an interim report detailing feedback and strategy adjustments after Phase 1 of implementing a pilot Cyber Readiness Program for small and medium-sized US water utilities. The program aims to train a "Cyber Ready" culture, providing an identified Cyber Leader with guidance on "policies and incident response procedures," including learning modules, a playbook, training resources, and expert coaching. The report notes that 35 utilities have completed the program, and "there appears to be no statistically significant correlation between utility size and completion rates, nor between utility size and the impact of the Cyber Readiness Program." Feedback highlights the importance of the Cyber Coach, the impact of time limitations as an obstacle, and overall satisfaction with the impact of the program. In Phase 2, "CRI projects to recruit about three hundred utilities in Phase 2 to reach the goal of supporting one hundred and fifty utilities," with additional focus on coaches, improvements to the playbook, and revisions to streamline module completion.

Editor's Note

Most participants said the program was easy to follow and comprehend when compared to educational resources they encountered elsewhere. Even those participants with strong cyber backgrounds noted the program provided tools to help educate their colleagues. Multiple participants commented that, if not for their coach, they would not have been able to implement the cybersecurity best practices the program articulates. Based on feedback, CRI is also remodeling the Cyber Readiness Playbook to make it even more intuitive and easy to use.

Karen Evans

The CRI includes a CyberCoach which has proven successful in aiding the identification and adoption of appropriate security improvements. The trick is maintaining, to include updates as the threat landscape changes, an appropriate cyber security posture. I wonder if a similar approach would help other critical infrastructure providers.

Lee Neely

2024-12-06

Third-Party Micropatch for Windows NTLM Zero-Day

Researchers from ACROS Security have discovered a flaw affecting "all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022," which could expose a user's NTLM credentials "by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page." Microsoft has been informed, but so far only the unofficial patch exists: ACROS maintains a service called 0patch which has released a free "micropatch" for this vulnerability. Micropatches are binary patches designed to apply to running processes without restarting them or rebooting the system. Bleeping Computer raises a manual alternative, which is to reconfigure network security in Windows security settings to disable NTLM authentication, though the publication recommends testing this on non-critical machines first, understanding it can disrupt an environment's NTLM networking. Microsoft has responded to both The Register and Bleeping Computer with word that "We are investigating," and has previously stated plans to work on decommissioning the NTLM authentication protocol in favor of Kerberos.

Editor's Note

NTLM continues to be a source of vulnerabilities after only three decades. While it is to be hoped that none of our readers still use it, its continued use puts us all at risk.

William Hugh Murray

The long-term fix is moving from NTLM to Kerberos. The short-term dilemma is whether to wait for Microsoft to publish a fix for Windows 10, 11, Server 2012, 2016, 2019 and 2022, disable NTLM, or to apply the micropatch from ACROS's 0patch service. NTLM can be disabled via GPO (Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM), but test first. The 0patch fix, which doesn't require a reboot, does require an account and running their agent, which you can do by creating a free trial. Have a discussion on the risks of deploying unofficial patches as well as licensing a service selected for this purpose.

Lee Neely

2024-12-09

OpenWrt Attended Sysupgrade Vulnerability

OpenWrt users are being urged to upgrade their images to ensure that a critical command injection and hash truncation flaw in OpenWrt Attended Sysupgrade is fixed. The vulnerability could have been exploited to distribute malicious firmware packages. Once the vulnerability was disclosed to OpenWrt developers, they fixed the issue within hours.

Editor's Note

Exploiting the flaw, CVE-2024-54143, CVSS 4 score 9.3, relies on hash collisions, due to SHA-256 hashes being truncated to 48 bits (12 characters) rather than the full 256. The Attended SysUpgrade (ASU) function allows updating to new firmware while preserving previously manually installed/configured packages and settings, facilitating keeping OpenWrt devices updated. Update to the latest commits to address the flaw.

Lee Neely

Another supply chain attack to end the year on. What's particularly interesting is the truncating of the hash to 48 bits, which speaks to a possible nation-state operation. Open-source software will continue to be targeted as it's become a key part of the software development cycle. Follow the developer's guidance and update immediately.

Curtis Dukes
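
To show why the 48-bit truncation discussed in the notes above matters, here is an added example that is not OpenWrt's code: a constructed firmware build cache keyed by a 12-character SHA-256 prefix beside one keyed by the full digest, plus a toy-size collision search (16 bits, not 48) that illustrates the birthday bound. All class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not OpenWrt's code: a firmware build cache keyed by a
# truncated SHA-256 prefix (the flaw's 12 hex characters = 48 bits) beside one
# keyed by the full digest that also re-checks the stored manifest bytes.

def manifest_digest(manifest: bytes) -> str:
    """Full SHA-256 of a build manifest, 64 hex characters."""
    return hashlib.sha256(manifest).hexdigest()

def birthday_trials(bits: int) -> float:
    """Inputs needed before a collision becomes likely, about 2**(bits/2):
    48 bits -> ~1.7e7 trials, 256 bits -> ~3.4e38."""
    return 2.0 ** (bits / 2)

class WeakCache:
    """Keys entries by only the first hex_chars of the digest (12 -> 48 bits)."""
    def __init__(self, hex_chars: int = 12):
        self.hex_chars = hex_chars
        self._entries = {}
    def key(self, manifest: bytes) -> str:
        return manifest_digest(manifest)[: self.hex_chars]
    def put(self, manifest: bytes, artifact: str) -> None:
        self._entries[self.key(manifest)] = artifact
    def get(self, manifest: bytes):
        # Any manifest sharing the prefix is served the cached artifact.
        return self._entries.get(self.key(manifest))

class HardenedCache:
    """Keys entries by the full digest and confirms the manifest bytes match."""
    def __init__(self):
        self._entries = {}
    def put(self, manifest: bytes, artifact: str) -> None:
        self._entries[manifest_digest(manifest)] = (manifest, artifact)
    def get(self, manifest: bytes):
        entry = self._entries.get(manifest_digest(manifest))
        if entry is None:
            return None
        stored, artifact = entry
        # Constant-time comparison of the stored request with the incoming one.
        return artifact if hmac.compare_digest(stored, manifest) else None

def find_prefix_collision(hex_chars: int, max_trials: int = 1 << 20):
    """Draw random manifests until two share a truncated key. Toy sizes only: this
    illustrates the birthday bound, not a practical search. Returns (trials, m1, m2)."""
    seen = {}
    for i in range(1, max_trials + 1):
        m = os.urandom(16)
        k = manifest_digest(m)[:hex_chars]
        if k in seen:
            return i, seen[k], m
        seen[k] = m
    return None

def demo(hex_chars: int = 4):
    """At 4 hex characters (16 bits) a collision appears within a few hundred tries;
    the weak cache serves m1's build for m2, the hardened cache does not."""
    trials, m1, m2 = find_prefix_collision(hex_chars)
    weak, hard = WeakCache(hex_chars), HardenedCache()
    weak.put(m1, "build-for-m1")
    hard.put(m1, "build-for-m1")
    return trials, weak.get(m2), hard.get(m2)
```

Scaling the same birthday estimate to 48 bits gives roughly 16.8 million trials, which is cheap on a single machine, whereas the full 256-bit digest is out of reach.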

2024-12-09

Medical Device Manufacturer Suffers Data Breach

Artivion, Inc. has filed an 8-K form with the Securities and Exchange Commission (SEC) disclosing a "cybersecurity incident" and subsequent response measures beginning November 21. The company is a manufacturer and worldwide supplier of "implantable tissues for cardiac and vascular transplant applications." The form describes the attack as "the acquisition and encryption of files," and informs shareholders that though the effects of the attack are largely mitigated, ordering, shipping, and some corporate operations were disrupted, potentially leading to "additional costs that will not be covered by insurance." Artivion does not believe their "overall financial condition" will be materially impacted, but cautions that this is not a guarantee.

Editor's Note

It looks like Artivion, formerly CryoLife, is recovering from a ransomware attack and is not certain what the long-term impacts will be, so they are hedging their bets on the material impact statement. What appears missing is communication, other than the 8-K, on the outage and recovery/system status. If an incident warrants an SEC filing, it warrants transparent communication.

Lee Neely

The use of terms like 'acquisition and encryption' tell us this was a ransomware attack. Also, that no ransomware gang has claimed responsibility tells us that a ransom was likely paid. We can look forward to more ransomware events in 2025.

Curtis Dukes

2024-12-06

Another Scattered Spider Suspect Charged

US federal prosecutors have charged a California resident with wire fraud and aggravated identity theft for allegedly conducting phishing attacks that targeted telecommunications companies and a financial institution. Remington Ogletree is believed to be at least the sixth alleged member of a hacking group known as Scattered Spider.

Editor's Note

Ogletree used a combination of techniques, including social engineering, to obtain credentials needed to access target networks, then leveraged stolen API keys to access customer accounts and tried to send about 8.5 million phishing texts intended to steal cryptocurrency; this allowed investigators to track back to the iCloud account being used to test the account, and ultimately to Ogletree himself. Make sure to leverage available message filtering options, and ensure your users are aware of attempts to engineer unauthorized access, backed up by broad use of MFA, segmentation, and monitoring for inappropriate or unexpected interactions.

Lee Neely

Internet Storm Center Tech Corner