CISA: Secure Cloud Environments Directive and Mobile Communications Guidance; Look Out for Google Calendar Phishing

CISA has issued a Binding Operational Directive (BOD), directing federal agencies and departments to comply with new required actions toward securing cloud environments. BOD 25-01 "requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISAÕs Secure Cloud Business Applications (SCuBA) secure configuration baselines." The directive highlights the role of improperly configured security controls in recent cyberattacks, stressing the need for regular reviews and updates of "security configuration baselines." Currently the SCuBA Secure Configuration Baselines have been finalized only for Microsoft Office 365. After interim deadlines for identifying cloud tenants and deploying assessment tools, all mandatory SCuBA policies must be implemented by June 20, 2025, with support from CISA and its resources.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Mobile Communications Best Practice Guidance in response to state-sponsored cyber espionage by the Chinese government. The guidance includes using only communication apps that have end-to-end encryption; enabling Fast Identity Online (FIDO) phishing-resistant authentication; using a password manager; setting a Telco PIN; and not using personal virtual private networks (VPNs). The guidance also makes platform-specific security recommendations for iPhones and Android devices.

Google Calendar is increasingly a means for phishing attacks, according to researchers from Checkpoint, whose four week period of observation yielded over 4,000 examples of emails abusing Google products to bypass filters. Emails may resemble real Google Calendar invitations, containing Links to Google Forms, Google Drawings, or calendar files that present a counterfeit reCAPTCHA or "support button," and lead the user to a fraudulent "cryptocurrency mining landing page or bitcoin support page" used to steal financial details. This lure abuses legitimate Google services to bypass security scans. The best preventative measures are taking caution with new calendar invitations, using Google's settings to limit who can send you calendar invitations, and implementing MFA to protect all accounts.

Santa's elves arrive back at the North Pole and are working hard to get ready for the holiday gift-giving season. You'll get to help Alabaster Snowball, Wombley Cube, and the rest of the gang clean up to restore operations at the North Pole!

"I highly recommend building your infosec skills using the free and incredibly awesome Holiday Hack Challenge by Ed and his team." - SANS Holiday Hack Player

Play for free: https://www.sans.org/mlp/holiday-hack-challenge-2024/

Apache has released updates to address a critical remote code execution vulnerability in Struts 2. Users are urged to 'upgrade at least to Struts 6.4.0 (or the latest version) and migrate to the new file upload mechanism.' The flaw is being actively exploited.

The US departments of Commerce, Defense, and Justice are all reportedly investigating the manufacturer of TP-Link routers. According to a paywalled article in the Wall Street Journal, the agencies want to determine whether TP-Link routers 'pose a national-security risk and are considering banning the devices.' TP-Link routers account for about 65 percent of home and small business routers in the US. In addition, more than 300 US internet service providers supply new customers with TP-Link routers.

An internal investigation into a security incident earlier this month revealed a compromised API key for BeyondTrust's Remote Support SaaS. The company revoked the key and notified affected customers. The ensuing investigation led to the discovery of two command injection vulnerabilities, one critical (CVE-2024-12356) and one medium-severity (CVE-2024-12686). BeyondTrust has published security advisories for both vulnerabilities, which affect their Remote Support (RS) & Privileged Remote Access (PRA) products. Fixes are Òavailable for all supported releases of RS & PRA 22.1.x and higher.' Patches have been applied to all affected cloud customers as of December 16. On-premises customers who do not subscribe to automatic updates should apply the patch as soon as possible; customers running versions older than 22.1 will need to upgrade to a supported version to apply the patches.

Out of 29 million Facebook accounts affected by a 2018 data breach, 3 million belonged to EU citizens, and the Irish Data Protection Commission (DPC) has now reprimanded and fined Meta Platforms Û251 million (approximately $260 million) for infringements of the General Data Protection Regulation (GDPR). Facebook fell short of disclosure, documentation, data protection, and data processing standards laid out in four articles of the GDPR. Facebook's "View As" feature had contained a flaw allowing user tokens to be used by an unauthorized third party, which was exploited to steal "user's full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children's personal data." The Register notes that "today's bill equates to less than 2 percent of Meta's third quarter profit of $15.7 billion."

India has been suffering cyberattacks at an exponentially increasing rate, "doubling year-over-year" from 600 million in Q3, 2023, to 1.2 billion in Q3, 2024, increasing even as global attacks declined. Denial-of-Service (DoS) attacks have been the most common, but Ashish Tandon, CEO of security provider Indusface, credits LLMs with a recent shift toward attacks on APIs and websites. The Reserve Bank of India concurs that "tools such as ChatGPT ... [have] lowered the barrier to entry for cybercriminals." Financial and insurance institutions have been primary targets, as well as energy infrastructure. "Web applications typically had blind SQL injection, server-side request forgery, and HTML injection issues," and Dark Reading suggests that automated API scanning, better API security configuration, and prompt updates may mitigate the escalating risk.

Texas Tech University Health Sciences Centers (TTUHSCs, HSCs) in Lubbock and El Paso have disclosed information about a cyberattack discovered in September, 2024, revealing that attackers accessed medical environment systems for thirteen days and stole data pertaining to an estimated 1.4 million patients. After noticing a "temporary disruption to some computer systems and applications," HSC investigators discovered that files had been removed and/or accessed, containing "name, date of birth, address, Social Security number, driver's license number, government-issued identification number, financial account information, health insurance information and medical information, including medical records numbers, billing/claims data and diagnosis and treatment information." Affected patients are being notified and offered "complimentary credit monitoring services." The report includes information about freezing or placing a fraud alert on a credit file, and recommends vigilance over account statements, credit reports, and healthcare and insurance billing for signs of identity theft and fraud. The HSCs are "reviewing existing security policies and procedures ... and are implementing additional safeguards to enhance system protection and monitoring."

The National Defense Authorization Act (NDAA) now only needs the President's approval to become law, having passed 85-14 in the US Senate. The Bill proposes almost $9 billion in defense spending, including international efforts such as cyber assets for Taiwan and programs to "enhance internet freedom in Iran." Domestic funds would go to strengthening and replacing vulnerable telecommunications infrastructure. Additional elements would "protect servicemembers and diplomats from being ensnared by commercial spyware programs"; assess the security of military mobile devices; investigate the possibility of a Cyber Force branch of the Pentagon; report on vulnerabilities in the national airspace system; urge a multi-cloud environment security plan from the DOD; and direct the NSA to create an "artificial intelligence security center."