SANS NewsBites

US Treasury Breached Using Stolen BeyondTrust Key; Feeling Aftershocks of Salt Typhoon Intrusion; Security Update to HIPAA Proposed

January 3, 2025  |  Volume XXVII - Issue #1

Top of the News


2024-12-31

State-Sponsored Threat Actors Used Compromised BeyondTrust Key to Access US Treasury Workstations

The US Department of the Treasury informed legislators that 'on December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service's security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.' The BeyondTrust incident was reported in December (covered in NB 26.97 on December 20, 2024). While BeyondTrust revoked the compromised key upon learning of the incident, 'potentially anomalous behavior' had been detected several days earlier. Current analysis attributes the attack to a state-sponsored threat actor with ties to China.

Editor's Note

Another example of a supply chain attack as we end one year and start a new one. Seems like every software vendor is now offering a SaaS solution as part of the product roadmap. Organizations must now plan and measure third parties as part of their cybersecurity program. A good starting point is CIS Critical Security Control 15, Service Provider Management, that includes seven safeguards to ensure providers are protecting those platforms and data appropriately. https://www.cisecurity.org/controls/service-provider-management

Curtis Dukes

BeyondTrust identified CVE-2024-12356, CVSS score 9.8, and CVE-2024-12686, CVSS score 6.6, command injection vulnerabilities, in their cloud and self-hosted services. The cloud services have been patched. If you're self-hosting BeyondTrust Privileged Remote Access (PRA) and/or Remote Support (RS), you need to update to versions newer than 24.3.1. Take this as an example to consider when using cloud/outsourced services for remote access to endpoints. Make sure you have visibility to those accesses, are able to shut down unauthorized attempts, have secured the RS API, and fully understand how that access is managed/secured.

Lee Neely

It's unclear in many of these articles which cloud or key was used. Interestingly, the IOCs in the 'known IOC' list are all DigitalOcean IP addresses. This particular intrusion is interesting, and I'm waiting for more details about what happened. Is BeyondTrust at fault, or was there a lapse in security, etc.? We will have to wait for more information.

Moses Frost

Private cryptographic keys should be stored only in Hardware Security Modules (HSMs) that permit their use but cannot disclose them.

William Hugh Murray

2024-12-30

More Salt Typhoon Intrusions

The White House has confirmed that a ninth telecommunications company was affected by Salt Typhoon; the firm has not been identified. Deputy National Security Advisor for Cyber Anne Neuberger told reporters that the Salt Typhoon intrusions allowed the threat actors to geolocate millions of people and record phone conversations. According to Nextgov's overview of the situation, at least 80 organizations are believed to be affected by the malicious cyber activity attributed to China's state-sponsored Salt Typhoon threat actor group, and over the past few months, several hundred organizations have been notified that they could be at risk of compromise. Salt Typhoon has been concentrating largely on telecommunications companies, but the hundreds notified of potential risk include organizations in other sectors as well. Some of the flaws the group exploits have been known since 2018; while fixes are available, some of the notified organizations have not applied the patches.

Editor's Note

The resulting new security requirements from the FCC are expected to be ruled on January 15th. Until the telecom services implement the expected minimum security improvements, consider the guidance for secure communications from NIST published last month.

Lee Neely

Do you have "leaked personal phone calls, SMS messages, and cell phone location" in your personnel threat models? Yikes...

Christopher Elgee

2024-12-31

HHS OCR Proposes HIPAA Updates to Improve Data Security

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will publish a Notice of Proposed Rulemaking to Strengthen Cybersecurity for Electronic Protected Health Information in the Federal Register on Monday, January 6, 2025. The proposed rule comes in response to a 'significant increase in cyberattacks and common compliance deficiencies' and will be the first update to HIPAA in more than a decade.

Editor's Note

HIPAA continues to be in the ditch. Not only are covered entities targets of choice, but the responsibilities imposed by the law have had the perverse effect of slowing the implementation of electronic health records by twenty years. All of this is the result of placing the responsibility for risk assessment on the covered entities. The intent was to avoid "prescription," but the covered entities were not equipped to do the assessment. The right strategy is to require that set of measures, such as strong authentication, least privilege access control, encryption, and network segmentation, that are known to be both essential and efficient.

William Hugh Murray

Adding cybersecurity requirements to HIPAA, given the number of attacks on the medical sector of late, comes as no surprise. The trick is to make sure that your cybersecurity team is aware of the requirements added to HIPAA, as these requirements appear to include financial penalties for non-compliance. Make sure your teams are in agreement with your current protections and requirements, and have each other covered both for audits and all applications dealing with that data.

Lee Neely

Here's an opportunity for the government to consolidate cybersecurity requirements for critical infrastructure. Why not create a minimum baseline that every critical infrastructure sector will be measured against? Looking at the NPRM, all the technical safeguards are already part of existing security frameworks. Either choose one or enable framework reciprocity.

Curtis Dukes

The Rest of the Week's News


2024-12-26

Law Requires US Federal Agencies to Share Custom Source Code

On December 23, US President Joe Biden signed into law a bill that requires federal agencies to share custom source code with each other. The Source Code Harmonization And Reuse in Information Technology or SHARE IT Act aims to reduce redundant spending on custom code that can serve functions at multiple agencies. Exemptions include classified code, code used in national security systems, and code that would present privacy risks if it were shared.

Editor's Note

I'm not sure how this impacts more sensitive pieces of software, but if the government is building software, I imagine sharing standard source codes would make a ton of sense.

Moses Frost

The law is based on the belief that multiple agencies are paying to develop the same code, and having a code repository where this code could be shared would avoid those redundant costs. It's not clear how this affects contractors who develop and deploy custom code across multiple agencies. Many agencies are already sharing open source and are familiar with needed security/best practices for Git and other services. Agencies have 180 days to implement, which should consist of formalizing and broadening existing practices and policies.

Lee Neely

2024-12-31

Finnish Authorities Seize Ship, Question Crew in Connection with Severed Undersea Cables

Authorities in Finland have seized a Russian ship suspected of dragging its anchor for 60 miles and severing submarine cables in the Baltic Sea on December 25. The damaged equipment includes the Estlink 2 power cable and four telecommunications cables. Finland's National Bureau of Investigation has also begun questioning crew members. Authorities are also examining equipment found onboard the ship.

Editor's Note

The seizure effectively puts a travel ban on the ship and allows the investigation to continue with the ship "captive." Following other undersea cable damage in November, Sweden, Germany, and Lithuania have launched criminal investigations against a Chinese ship exhibiting similar behavior.

Lee Neely

2024-12-26

DDoS Disrupts Japan Airlines Operations

An apparent distributed denial-of-service (DDoS) attack disrupted operations at Japan Airlines (JAL) on December 26. When JAL became aware of the situation, they shut down a router that was causing problems, temporarily suspending same-day ticket sales. The incident delayed some domestic and international flights; normal services resumed later the same day.

Editor's Note

Know in advance who you will call in the event of a denial of service attack. It should not take you longer to identify that person than it will take to fix the problem. The illustrative case was GRC where it took 12 hours to identify the guy who fixed the problem in ten minutes.

William Hugh Murray

The airline industry continues to be targeted. American Airlines was impacted for an hour late last week; in September Germany's state air traffic control was attacked; in October, 13 of Mexico's airports were targeted. Rather than wait for regulator guidance, look to cyber hygiene best practices, including DDoS prevention, MFA, isolation/segmentation, monitoring, and judicious application of updates. Be sure to document what you're doing.

Lee Neely

As we begin the new year, organizations should revisit SLAs they have with Internet Service Providers. Additionally, organizations should look to further segment parts of their network to limit the impact of a DDoS attack.

Curtis Dukes

2024-12-30

Update PAN-OS to Fix Denial-of-Service Flaw

Palo Alto Networks has released updates to address a high-severity denial-of-service vulnerability in their PAN-OS firewall software. According to the company, the flaw 'allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.' The vulnerability has been actively exploited. Users are urged to update to PAN-OS 10.1.15, PAN-OS 10.2.14, PAN-OS 11.1.5, PAN-OS 11.2.3; Palo Alto Networks is not releasing an update for PAN-OS 11.0 as it reached end-of-life in November 2024.

Editor's Note

Never a good time to ask for a patch to be applied, but the holidays are tough. Keep your systems patched; patch them often. There is a workaround for the DoS condition that could be implemented, but that should be a quick band-aid rather than a long-term solution.

Moses Frost

CVE-2024-3393, Firewall DoS in DNS Security, CVSS 4 score 8.7, is activated by sending a malicious packet through the firewall, and can be mitigated by either applying the PAN-OS update or by updating your security profiles, both custom and out-of-the-box, as directed in their bulletin. Note that you'll be making local copies of the OOB policies. Applying the OS update may be far simpler than vetting the changes to the firewall, which you will want to roll back if using OOB policies after the update is applied.

Lee Neely

2024-12-30

Four-Faith Routers OS Command Injection Vulnerability

A high-severity OS command injection vulnerability affecting certain models of Four-Faith industrial routers is being actively exploited. The issue affects Four-Faith router models F3x24 and F3x36. Successful exploitation requires that the attacker is able to authenticate; the danger lies in unchanged default credentials. The issue was detected by researchers at VulnCheck, who notified Four-Faith and their own customers of their findings on December 20. According to data gathered by Censys, there are more than 15,000 vulnerable internet-facing Four-Faith devices.

Editor's Note

Whether Chinese-made or US-made doesn't really matter, as software vulnerabilities sometimes get through QA checks. What's troubling is that evildoers are simply taking advantage of default credentials to exploit the router. The vulnerability simply accelerates the attack. Let's start the new year with the question, should the vendor be held liable for hard-coding default credentials in their product?

Curtis Dukes

If you're running an affected router, make sure that you've not only updated to the most recent firmware, but also changed all default credentials to something strong and unique.

Lee Neely

2024-12-26

Critical SQL Injection Flaw in Apache Traffic Control

The Apache Software Foundation has released updates to address a critical SQL injection vulnerability in Apache Traffic Control. The flaw lies in the Traffic Ops component of Apache Traffic Control versions 8.0.0 and 8.0.1; versions from 7.0.0 up to, but not including, 8.0.0 are not affected. The vulnerability can be exploited by a privileged user with the "admin", "federation", "operations", "portal", or "steering" role. Users are urged to update to Apache Traffic Control version 8.0.2.

Editor's Note

CVE-2024-45387, Traffic Ops SQL Injection flaw, CVSS score 9.9, affects Apache's Open Source Traffic Control Content Delivery Network (CDN) project. If you're running the older 7.0.0, before 8.0 version of Apache Traffic Control, you really need to update to the current build, minimum 8.0.2. If you're running version 8, make sure you're on 8.0.2 or higher, as no workarounds are mentioned.

Lee Neely
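The Traffic Ops item above describes an SQL injection flaw reachable by an already-privileged user, which is a reminder that role checks alone do not make a query safe. The following is an added illustration, not Apache Traffic Control code and not a reproduction of CVE-2024-45387: it uses Python's standard sqlite3 module and a constructed in-memory "deliveryservice" table (hypothetical names and tenants) to show, side by side, how a filter built by string interpolation changes meaning under crafted input while a bound parameter does not, and how the one place parameters cannot help (a caller-chosen ORDER BY column) is handled with an allow-list.

```python
import sqlite3

# Constructed sample data for the demo; these names and tenants are invented
# and do not come from Apache Traffic Control or any real deployment.
SAMPLE_ROWS = [
    ("cdn-alpha", "tenant-a"),
    ("cdn-beta", "tenant-a"),
    ("cdn-gamma", "tenant-b"),
]

# Columns a caller is permitted to sort by. Identifiers cannot be bound as
# parameters, so they are validated against a fixed set instead.
ALLOWED_SORT_COLUMNS = {"name", "tenant"}


def _connect():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deliveryservice (name TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO deliveryservice VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def find_vulnerable(conn, tenant):
    """Vulnerable pattern: the caller's value is spliced into the SQL text,
    so quote characters in the value become part of the query grammar."""
    sql = f"SELECT name FROM deliveryservice WHERE tenant = '{tenant}'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, tenant):
    """Hardened pattern: the value travels separately from the SQL text and
    is only ever compared as data, whatever characters it contains."""
    sql = "SELECT name FROM deliveryservice WHERE tenant = ?"
    return [row[0] for row in conn.execute(sql, (tenant,))]


def list_sorted(conn, column):
    """Sort by a caller-chosen column using an allow-list rather than a
    parameter, because placeholders cannot stand in for identifiers."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not permitted: {column!r}")
    sql = f"SELECT name FROM deliveryservice ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run both lookups with an honest value and a crafted value and return
    the four result sets so the difference can be inspected or asserted."""
    conn = _connect()
    honest = "tenant-a"
    # A value an authenticated but untrustworthy caller could put in a filter
    # field; the trailing quote is what lets it escape the string literal.
    crafted = "tenant-a' OR '1'='1"
    results = {
        "vuln_honest": find_vulnerable(conn, honest),
        "vuln_crafted": find_vulnerable(conn, crafted),
        "param_honest": find_parameterized(conn, honest),
        "param_crafted": find_parameterized(conn, crafted),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:14s} -> {names}")
```

With the crafted value, the interpolated query returns every row in the table because the WHERE clause has become `tenant = 'tenant-a' OR '1'='1'`, while the parameterized query returns nothing because no tenant is literally named `tenant-a' OR '1'='1`. The ORDER BY helper shows the complementary rule: where a caller chooses a column name, validate it against a fixed set, since no amount of parameter binding applies there.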

2024-12-30

Phishing Campaign Uses Phony Zoom Invites to Steal Cryptocurrency

The SlowMist security team investigated reports of a phishing campaign that used phony Zoom invitations as bait. In one case, when the message recipient clicked on the maliciously-crafted meeting link, malware was downloaded which resulted in the theft of millions of dollars' worth of cryptocurrency. SlowMist analysis revealed that the attackers are likely based in Russia and that 'they have been targeting victims and using the Telegram API to monitor whether anyone clicked the download button on the phishing page.'

Editor's Note

Beware of malicious meeting links, as well as invites from unexpected sources. Consider disabling auto-acceptance of meeting invites. Beyond valid links, make sure that your EDR is configured to block installation of malicious updates, and sweeten the deal by blocking access to known bad sites. Lastly, if you're using cryptocurrency, be sure to understand and follow current security best practices, as well as knowing the risks when stolen. While some exchanges offer insurance, it's not always extended to individuals managing their own keys.

Lee Neely

The evildoers are simply taking advantage of human nature. Standard practice is to stop and think for a minute on whether the message with the invite was expected and from a known address. If not, simply discard and report as spam/junk to your provider/security team.

Curtis Dukes

Internet Storm Center Tech Corner

SwaetRAT Delivery Through Python

https://isc.sans.edu/diary/SwaetRAT+Delivery+Through+Python/31554/

Goodware Hash Sets

https://isc.sans.edu/diary/Goodware+Hash+Sets/31556/

No Holiday Season for Attackers

https://isc.sans.edu/diary/No+Holiday+Season+for+Attackers/31552/

Changes in SSL and TLS support in 2024

https://isc.sans.edu/diary/Changes+in+SSL+and+TLS+support+in+2024/31550/

Phishing for Banking Information

https://isc.sans.edu/diary/Phishing+for+Banking+Information/31548/

Capturing Honeypot Data Beyond the Logs

https://isc.sans.edu/diary/Capturing+Honeypot+Data+Beyond+the+Logs/31546/

Compiling Decompyle++ For Windows

https://isc.sans.edu/diary/Compiling+Decompyle+For+Windows/31544/

More SSH Fun!

https://isc.sans.edu/diary/More+SSH+Fun/31542/

Modiloader From Obfuscated Batch File

https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540/

Christmas "Gift" Delivered Through SSH

https://isc.sans.edu/diary/Christmas+Gift+Delivered+Through+SSH/31538/