SANS NewsBites

CISA: Secure Cloud Environments Directive and Mobile Communications Guidance; Look Out for Google Calendar Phishing

December 20, 2024  |  Volume XXVI - Issue #97

Top of the News


2024-12-19

CISA Directs US Gov't. to Secure Cloud Environments

CISA has issued a Binding Operational Directive (BOD), directing federal agencies and departments to comply with new required actions toward securing cloud environments. BOD 25-01 "requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA's Secure Cloud Business Applications (SCuBA) secure configuration baselines." The directive highlights the role of improperly configured security controls in recent cyberattacks, stressing the need for regular reviews and updates of "security configuration baselines." Currently the SCuBA Secure Configuration Baselines have been finalized only for Microsoft Office 365. After interim deadlines for identifying cloud tenants and deploying assessment tools, all mandatory SCuBA policies must be implemented by June 20, 2025, with support from CISA and its resources.

Editor's Note

Secure cloud configurations have been vexing in the past - think open S3 buckets and failed MFA - and while FedRAMP goes a long way to help US Government users, we all need to make sure we're hitting the mark. Whether or not you are required to follow BOD 25-01, review their secure configuration guidelines for Microsoft 365 and Google Workspace to see if there are updated settings you need to deploy. CISA has also published two SCuBA tools, ScubaGoggles for GWS and ScubaGear for MS 365, which will let you get an "as built" check on your environment.

Lee Neely

2024-12-18

CISA Mobile Communications Best Practice Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Mobile Communications Best Practice Guidance in response to state-sponsored cyber espionage by the Chinese government. The guidance includes using only communication apps that have end-to-end encryption; enabling Fast Identity Online (FIDO) phishing-resistant authentication; using a password manager; setting a Telco PIN; and not using personal virtual private networks (VPNs). The guidance also makes platform-specific security recommendations for iPhones and Android devices.

Editor's Note

I just hope documents like this will put to rest any debate about the need for and feasibility of government encryption back doors. At least for the next 5+ years, at which point we will have forgotten this lesson and will start learning it all over again.

Johannes Ullrich

Good advice from CISA. Many of the recommendations are part of existing cybersecurity frameworks and should have already been implemented. It is interesting that CISA is now recommending use of end-to-end encryption. This has been a source of contention within the federal government for over a decade.

Curtis Dukes

One needs to distinguish between VPN services (VPNs) that hide the origin but not the content and true end-to-end VPNs that hide both. For "Fast Identity Online (FIDO) phishing-resistant authentication" think Passkeys. These should be used wherever offered; one should prefer services that offer them.

William Hugh Murray

Make sure your targeted/VIP users are onboard with these security measures. All of us need to move away from SMS-based two-factor as the attacks move beyond SIM swapping to MITM, where those messages are readable.

Lee Neely

2024-12-19

Google Calendar Phishing May Use Legitimate Services

Google Calendar is increasingly a means for phishing attacks, according to researchers from Check Point, whose four-week period of observation yielded over 4,000 examples of emails abusing Google products to bypass filters. Emails may resemble real Google Calendar invitations, containing links to Google Forms, Google Drawings, or calendar files that present a counterfeit reCAPTCHA or "support button," and lead the user to a fraudulent "cryptocurrency mining landing page or bitcoin support page" used to steal financial details. This lure abuses legitimate Google services to bypass security scans. The best preventative measures are taking caution with new calendar invitations, using Google's settings to limit who can send you calendar invitations, and implementing MFA to protect all accounts.
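Triage logic for the invitation pattern described above, added here as an example that is not part of the newsletter or of Check Point's report: it unfolds an .ics attachment, pulls the organizer and any links out of it, and flags invites from an untrusted organizer domain or linking to a Google-hosted form or drawing. The sample invite, its sender domain and the trusted-domain set are constructed for the example.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: an invitation whose description links to a Google Form.
# The long DESCRIPTION line is folded per RFC 5545 (continuation line begins
# with a space), which is how real .ics attachments arrive.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\nUID:constructed-0001@example.invalid\r\n"
    "ORGANIZER;CN=Support Desk:mailto:invite@example-sender.invalid\r\n"
    "DTSTART:20241220T150000Z\r\nSUMMARY:Account verification required\r\n"
    "DESCRIPTION:Please confirm your details: https://docs.google.com/for\r\n"
    " ms/d/e/CONSTRUCTED-ID/viewform\\nThank you.\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

def unfold(ics: str) -> list[str]:
    """RFC 5545 unfolding: a line starting with SPACE or TAB continues the previous one."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_invite(ics: str) -> dict:
    """Extract the organizer address and every URL in the link-bearing properties."""
    organizer, urls = "", []
    for line in unfold(ics):
        name, _, value = line.partition(":")
        prop = name.split(";")[0].upper()          # drop parameters such as ;CN=
        if prop == "ORGANIZER":
            organizer = value.lower().removeprefix("mailto:")
        elif prop in ("DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"):
            # iCalendar escapes newlines as backslash-n; unescape so the URL regex stops there
            urls.extend(URL_RE.findall(value.replace("\\n", "\n")))
    return {"organizer": organizer, "urls": urls}

def is_google_form_or_drawing(url: str) -> bool:
    """True for the link destinations the campaign abuses (Google Forms / Drawings)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host == "forms.gle":
        return True
    return host == "docs.google.com" and parsed.path.startswith(("/forms/", "/drawings/"))

def triage(ics: str, trusted_domains: set[str]) -> list[str]:
    """Return reasons the invite deserves a manual look; an empty list means none found."""
    invite = parse_invite(ics)
    reasons = []
    org_domain = invite["organizer"].rpartition("@")[2]
    if org_domain and org_domain not in trusted_domains:
        reasons.append(f"organizer outside trusted domains: {org_domain}")
    for url in invite["urls"]:
        if is_google_form_or_drawing(url):
            reasons.append(f"links to a Google-hosted form/drawing: {url}")
    return reasons
```

A hit is a reason to hold the invite for review, not proof of phishing: legitimate organizers also send Google Forms links, so tune `trusted_domains` to your own tenants before routing on the result.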

Editor's Note

Attackers love legitimate cloud services. It makes filtering malicious requests so much more difficult. Using calendar invites to spam users is nothing new, but this campaign does lean in on using Google's cloud services by using Google Forms and other services to collect data. Google Forms already displays a warning on any pages created with the tool. But the warning is not always visible enough to users.

Johannes Ullrich

Making sure you've enabled MFA on your Google accounts is the first thing to do, then look into email security solutions to filter out phishing attempts using URL scans, reputation filters, and anomaly detection. If possible, move away from auto-accepting calendar invites. Calendar events often contain more than just the date/time/attendees and meeting link. As such, make sure that you're not sharing your calendar excessively. If you're making your schedule available to others, particularly external parties, maybe just share free/busy information.

Lee Neely

The operative word here is 'caution.' That is, stop and take a few seconds to think before acting on an email by sharing, downloading, or clicking the link. Specific to calendar invitations, you're usually aware of an invitation forthcoming, so stop and think, were you expecting the calendar appointment?

Curtis Dukes

2024-12-20

Snowmageddon: SANS Holiday Hack Challenge 2024

Santa's elves arrive back at the North Pole and are working hard to get ready for the holiday gift-giving season. You'll get to help Alabaster Snowball, Wombley Cube, and the rest of the gang clean up to restore operations at the North Pole!

"I highly recommend building your infosec skills using the free and incredibly awesome Holiday Hack Challenge by Ed and his team." - SANS Holiday Hack Player

Play for free: https://www.sans.org/mlp/holiday-hack-challenge-2024/

The Rest of the Week's News


2024-12-18

Update Available to Address Actively-Exploited, Critical Apache Struts Vulnerability

Apache has released updates to address a critical remote code execution vulnerability in Struts 2. Users are urged to 'upgrade at least to Struts 6.4.0 (or the latest version) and migrate to the new file upload mechanism.' The flaw is being actively exploited.

Editor's Note

Ahem, Equifax anyone? Point being, beyond the usual mantra of addressing/mitigating flaws on externally reachable services, double quick pay attention to a really shiny target like a Struts weakness. You're going to have me-too attackers going after anything even closely resembling a Struts weakness. CVE-2024-53677, file upload weakness, CVSS score 9.5, is fixed in version 6.4.0. Your WAF, IPS, and monitoring should be leveraged to mitigate some risk, but you still need to update to 6.4.0 as well as migrate to the new file upload mechanism.

Lee Neely

2024-12-18

US Government Agencies are Investigating TP-Link Router Manufacturer

The US departments of Commerce, Defense, and Justice are all reportedly investigating the manufacturer of TP-Link routers. According to a paywalled article in the Wall Street Journal, the agencies want to determine whether TP-Link routers 'pose a national-security risk and are considering banning the devices.' TP-Link routers account for about 65 percent of home and small business routers in the US. In addition, more than 300 US internet service providers supply new customers with TP-Link routers.

Editor's Note

Supply chain security is a concern and will only increase in 2025. That said, you also must look at poor user practices that led to compromised SOHO routers. Many, many users simply never change the default password that's shipped with the device. More could also be done by manufacturers to require password reset at installation.

Curtis Dukes

TP-Link routers are positioned at attractive price points with desirable features, making the purchase very compelling. The belief is these prices are due to government subsidy, and that the devices are being shipped with embedded malware. Threat actors are targeting numerous SOHO devices for nefarious purposes, and it still remains best practice to keep the firmware updated and disable WAN based management. Given that we're in a buying season, if you're looking at new or lifecycle replacement network gear, look to another, preferably US, brand.

Lee Neely

Fortunately the replacements for these modems are not expensive and offer improved speed and security.

William Hugh Murray

2024-12-19

BeyondTrust Fixes Pair of Flaws Found During Investigation Into Security Incident

An internal investigation into a security incident earlier this month revealed a compromised API key for BeyondTrust's Remote Support SaaS. The company revoked the key and notified affected customers. The ensuing investigation led to the discovery of two command injection vulnerabilities, one critical (CVE-2024-12356) and one medium-severity (CVE-2024-12686). BeyondTrust has published security advisories for both vulnerabilities, which affect their Remote Support (RS) & Privileged Remote Access (PRA) products. Fixes are 'available for all supported releases of RS & PRA 22.1.x and higher.' Patches have been applied to all affected cloud customers as of December 16. On-premises customers who do not subscribe to automatic updates should apply the patch as soon as possible; customers running versions older than 22.1 will need to upgrade to a supported version to apply the patches.

Editor's Note

Here is another example of an API compromise; make sure API security is on your radar these days. CVE-2024-12356 has a CVSS score of 9.8, while CVE-2024-12686 has a CVSS score of 6.6. As both are affecting the same products, and have the same fix, you're going to kill two birds with one update. Update your BeyondTrust RS/PRA installs to the most current supported version.

Lee Neely

2024-12-18

Meta Faces $260 Million Fine Over 2018 'View As' Breach

Out of 29 million Facebook accounts affected by a 2018 data breach, 3 million belonged to EU citizens, and the Irish Data Protection Commission (DPC) has now reprimanded and fined Meta Platforms €251 million (approximately $260 million) for infringements of the General Data Protection Regulation (GDPR). Facebook fell short of disclosure, documentation, data protection, and data processing standards laid out in four articles of the GDPR. Facebook's "View As" feature had contained a flaw allowing user tokens to be used by an unauthorized third party, which was exploited to steal "user's full name; email address; phone number; location; place of work; date of birth; religion; gender; posts on timelines; groups of which a user was a member; and children's personal data." The Register notes that "today's bill equates to less than 2 percent of Meta's third quarter profit of $15.7 billion."

Editor's Note

The DPC is serious about GDPR privacy violations. Regardless of the final outcome with Meta, as a company it's a good idea to make sure you're square with GDPR/CCPA/etc. privacy requirements. Your legal team should already be familiar with the issues, though you may need to hire an outside analyst and/or assessor. As an end-user make sure that you're enabling security features, particularly on sites, e.g., Meta, LinkedIn, X, and other social media, where you have personal information, to include MFA, login alerts, as well as reviewing what information you're sharing at what permission levels.

Lee Neely

2024-12-18

Cyberattacks on India Doubled Since 2023

India has been suffering cyberattacks at an exponentially increasing rate, "doubling year-over-year" from 600 million in Q3 2023 to 1.2 billion in Q3 2024, increasing even as global attacks declined. Denial-of-Service (DoS) attacks have been the most common, but Ashish Tandon, CEO of security provider Indusface, credits LLMs with a recent shift toward attacks on APIs and websites. The Reserve Bank of India concurs that "tools such as ChatGPT ... [have] lowered the barrier to entry for cybercriminals." Financial and insurance institutions have been primary targets, as well as energy infrastructure. "Web applications typically had blind SQL injection, server-side request forgery, and HTML injection issues," and Dark Reading suggests that automated API scanning, better API security configuration, and prompt updates may mitigate the escalating risk.

Editor's Note

Generative AI tools have certainly made it easier to craft phishing lures. What's not often talked about is the exploit ecosystem that has built up over the past decade that feeds cyber criminals. The best defense continues to be a cybersecurity framework that prioritizes knowing your environment, patch, and configuration management.

Curtis Dukes

Threat actors are now targeting APIs, particularly in Finance and Banking, as API vulnerabilities have a history of being slow to resolve; more than 30% of critical API vulnerabilities remain unpatched for more than six months. Take the concentration of attacks in India as a heads-up to make sure you're scanning your APIs, have deployed the current best-practice security configuration, and are deploying updates in a timely fashion.

Lee Neely

2024-12-19

1.4 Million Patients' Data Stolen From Texas Tech University

Texas Tech University Health Sciences Centers (TTUHSCs, HSCs) in Lubbock and El Paso have disclosed information about a cyberattack discovered in September 2024, revealing that attackers accessed medical environment systems for thirteen days and stole data pertaining to an estimated 1.4 million patients. After noticing a "temporary disruption to some computer systems and applications," HSC investigators discovered that files had been removed and/or accessed, containing "name, date of birth, address, Social Security number, driver's license number, government-issued identification number, financial account information, health insurance information and medical information, including medical records numbers, billing/claims data and diagnosis and treatment information." Affected patients are being notified and offered "complimentary credit monitoring services." The report includes information about freezing or placing a fraud alert on a credit file, and recommends vigilance over account statements, credit reports, and healthcare and insurance billing for signs of identity theft and fraud. The HSCs are "reviewing existing security policies and procedures ... and are implementing additional safeguards to enhance system protection and monitoring."

Editor's Note

The remedy offered, complimentary credit monitoring services, hardly compensates for the damage done. Account application fraud is only one part of the damage that may be done to data subjects with this information. Much of this information was retained long after its use for identifying the patient/insured. Consider your data collection, use, retention, and protection policies.

William Hugh Murray

The Interlock ransomware group is taking credit for this attack, claiming to have pilfered 2.5-3.2 terabytes of data, including patient information, medical research and multiple SQL databases. Back in July the Meow ransomware group was selling SQL databases from the university along with vulnerability information affecting their website. While the university focuses on notification and preventing recurrence, make sure that you've not only got your credit monitoring/ID restoration in place, but also that your college students are covered as well, which is likely something which wasn't on your radar.

Lee Neely

Unfortunately not a lot of details on the actual attack. Texas Tech is following the standard response 'playbook' in offering credit monitoring. The question that will ultimately be decided in a court is whether Texas Tech exercised a standard duty of care in protecting the patient PHI.

Curtis Dukes

2024-12-18

US Senate Passes NDAA

The National Defense Authorization Act (NDAA) now only needs the President's approval to become law, having passed 85-14 in the US Senate. The Bill proposes almost $9 billion in defense spending, including international efforts such as cyber assets for Taiwan and programs to "enhance internet freedom in Iran." Domestic funds would go to strengthening and replacing vulnerable telecommunications infrastructure. Additional elements would "protect servicemembers and diplomats from being ensnared by commercial spyware programs"; assess the security of military mobile devices; investigate the possibility of a Cyber Force branch of the Pentagon; report on vulnerabilities in the national airspace system; urge a multi-cloud environment security plan from the DOD; and direct the NSA to create an "artificial intelligence security center."

Editor's Note

With the government shutdown still looming, don't assume DOD can spend the money before that is resolved. Included in the bill is $3 billion for the FCC to remove and replace Chinese networking equipment deemed unsafe to national security (Huawei, ZTE) as well as making needed improvements after the Salt Typhoon incidents.

Lee Neely

Internet Storm Center Tech Corner

PHPUnit and Androxgh0st

https://isc.sans.edu/diary/Command+Injection+Exploit+For+PHPUnit+before+4828+and+5x+before+563+Guest+Diary/31528

A Deep Dive into TeamTNT and Spinning YARN

https://isc.sans.edu/diary/Guest+Diary+A+Deep+Dive+into+TeamTNT+and+Spinning+YARN/31530

Python Delivering AnyDesk Client as RAT

https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/

Mirai Attacks Session Smart Routers

https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US

FortiWLM Unauthenticated limited file read vulnerability

https://fortiguard.fortinet.com/psirt/FG-IR-23-144

https://securityonline.info/kaspersky-uncovers-active-exploitation-of-fortinet-vulnerability-cve-2023-48788/

Beyond Trust Security Advisory

https://www.beyondtrust.com/trust-center/security-advisories/bt24-10

BadBox Update

https://www.bitsight.com/blog/badbox-botnet-back

SS7 Attacks

https://www.404media.co/email/ac709882-1e4b-42fc-bcca-cf7ce4793716/

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html

Okta Social Engineering Impersonation Report

https://sec.okta.com/articles/2024/okta-social-engineering-report-response-and-recommendation

US considers banning TP-Link routers over cybersecurity risks

https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/

CISA Releases Best Practice Guidance for Mobile Communications

https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-releases-best-practice-guidance-mobile-communications

Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion

https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html

CrushFTP Vulnerability

https://crushftp.com/crush11wiki/Wiki.jsp?page=Update