SANS NewsBites

Breakthrough in Microsoft Majorana 1 Quantum Processor; Signal QR Code Phishing; OpenSSH Patches DoS & MitM Vulnerabilities

February 21, 2025  |  Volume XXVII - Issue #14

Top of the News


2025-02-19

Microsoft Announces Majorana Quantum Processor Breakthrough

Microsoft has announced a quantum computing breakthrough in the development of its Majorana 1 chip. At issue is making qubits (quantum bits) as reliable as binary bits; qubits are more sensitive to noise and therefore susceptible to errors. Microsoft writes of their development: 'Built with a breakthrough class of materials called a topoconductor, Majorana 1 marks a transformative leap toward practical quantum computing.' Majorana 1 will potentially comprise one million qubits on a single chip slightly larger than CPUs in desktops and servers.

Editor's Note

This new quantum processor design enabled quantum computing to 'escape the research lab' and become a commercially available and affordable computing solution. Current commercial solutions, like D-Wave's systems, address specific aspects of quantum computing and are rather limited in their applicability. Microsoft appears to have found an engineering solution to create scalable quantum computers, overcoming some of the current designs' error rate problems and scalability issues. The 'Quantum Crypto Deadline' of 2035 set by the federal government does appear to be much more realistic. Don't let the ten-year timeline lead to delays and procrastination. The time to come up with a game plan is now. Cryptographic agility is critical. Do not lock yourself into a specific algorithm; find ways to inventory and adjust used algorithms as needed.

Johannes Ullrich

The big challenge with quantum computing is the error rate. Microsoft's Majorana 1 is planned to have an error rate of 1 percent, which then leverages a logical qubit array called tetrons for error correction, making quantum computing practical. Even though this is still under development, it makes reference to behavior at absolute zero temperatures, and is a few years out; keep an eye on this space, this could be very exciting when realized.

Lee Neely

2025-02-19

Signal's Linked Devices Feature Phished by Russian Threat Actors

According to Google Threat Intelligence Group (GTIG), "Russia state-aligned threat actors" have been abusing a legitimate feature in the encrypted messaging app Signal that links devices using a QR code or URL, "allow[ing] one Signal account to be used on multiple devices, like a mobile device, desktop computer, and tablet." The threat actors trick a user into following a QR code or link under false pretenses -- appearing to be a security alert, a group invitation, or even part of a Ukrainian military application -- that actually links the victim's account to an instance controlled by the attacker, meaning "future messages will be delivered synchronously to both the victim and the threat actor in real-time." Signal has released an update designed to protect against this type of phishing attack by requiring authentication when linking devices, and by warning and checking in with users during and after the process. GTIG warns that threats to many messaging applications, including WhatsApp and Telegram, are intensifying, and recommends protective practices: lock mobile device screens using a complex password; ensure devices and apps are updated; enable Google Play Protect on Android devices and consider Lockdown Mode on iPhones; examine the "linked devices" list regularly; be wary of QR codes and links, especially if the context "urge[s] immediate action"; and implement MFA.

Editor's Note

Bad user interface designs are often as dangerous as buffer overflows and SQL injections. In this case, it is difficult for the user to distinguish 'harmless' group chat invites from device pairing requests.

Johannes Ullrich

Be selective if you're linking devices for any encrypted communication, as it increases the number of places which can decode private or sensitive information. Make sure any devices with these services have robust authentication, are kept updated and secure, logically and physically, to include ensuring apps are only loaded from the vendor or company App Store.

Lee Neely

QR codes usually resolve to text, often to a link. They are more obscure than URLs and should always be suspect.

William Hugh Murray

QR Codes are interesting. People can misunderstand the Desktop to Phone Features. Be careful with those features, and always look at what devices are hooked into your account.

Moses Frost

2025-02-18

OpenSSH Patches Flaws Allowing DoS and MitM Attacks

Researchers from the Qualys Threat Research Unit (TRU) have disclosed two vulnerabilities stemming from memory errors in OpenSSH. CVE-2025-26465, CVSS score 6.8, would allow an attacker to perform a Man-in-the-Middle (MitM) attack if the VerifyHostKeyDNS option is set to "yes" or "ask" -- notably, this flaw has been present since December 2014 in OpenSSH 6.8p1, and the vulnerable configuration was enabled by default in FreeBSD until March 2023. CVE-2025-26466, CVSS score 5.9, leaves the OpenSSH client and server vulnerable to pre-authentication Denial-of-Service (DoS) attacks. Both flaws have been patched in OpenSSH 9.9p2. OpenSSH is a critical and widely used tool "which underpins many of the encrypted remote connections across Windows, Linux, and macOS, as well as secure file transfers," and is implemented in high-profile systems including "Facebook, Morgan Stanley, NetApp, Netflix, and Uber."
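An added check for the exposure condition in this item (example code written for this page, not Qualys's or the OpenSSH project's): it parses an "ssh -V" banner and an ssh_config and reports whether a client sits in the affected version range with VerifyHostKeyDNS set to "yes" or "ask". The sample config and banners are constructed, and check_local_client is a hypothetical helper that reads only the user's ~/.ssh/config.

```python
"""Exposure check for the CVE-2025-26465 condition: an OpenSSH client in the
affected range (6.8p1 up to, but not including, 9.9p2) with VerifyHostKeyDNS
set to "yes" or "ask". Example code for this page, not OpenSSH's or Qualys's."""
import re
import subprocess
from fnmatch import fnmatchcase
from pathlib import Path

FIRST_AFFECTED = (6, 8, 1)  # flaw introduced in 6.8p1 (per the advisory)
PATCHED = (9, 9, 2)         # fixed in 9.9p2 (per the advisory)


def parse_openssh_version(banner):
    """Turn an 'ssh -V' banner such as 'OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, ...'
    into a (major, minor, patchlevel) tuple; None if it is not OpenSSH."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, plevel = m.groups()
    return (int(major), int(minor), int(plevel or 0))


def verify_host_key_dns_setting(config_text, host="*"):
    """Effective VerifyHostKeyDNS value for `host` from ssh_config text.

    OpenSSH keeps the first value it obtains for an option, so the first
    matching line wins. Host patterns use shell-style globbing; negated
    patterns and Match blocks are treated as applying to every host, a
    conservative simplification for an exposure check. Returns 'no', the
    OpenSSH default, when the option is never set."""
    patterns = ["*"]  # lines before any Host keyword are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
        elif key == "match":
            patterns = ["*"]
        elif key == "verifyhostkeydns":
            if any(p.startswith("!") or fnmatchcase(host, p) for p in patterns):
                return value.lower()
    return "no"


def exposed_to_mitm(banner, config_text, host="*"):
    """True when both advisory conditions hold: an affected client version and
    VerifyHostKeyDNS yes/ask. Distribution builds may carry a backported fix,
    so a True result means 'confirm with your vendor's patch status'."""
    version = parse_openssh_version(banner)
    if version is None or not (FIRST_AFFECTED <= version < PATCHED):
        return False
    return verify_host_key_dns_setting(config_text, host) in ("yes", "ask")


def check_local_client(config_path="~/.ssh/config"):
    """Hypothetical helper: query the installed client ('ssh -V' prints its
    banner on stderr) and evaluate the user's config file only."""
    proc = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    path = Path(config_path).expanduser()
    config = path.read_text() if path.exists() else ""
    return exposed_to_mitm(proc.stderr + proc.stdout, config)


# Constructed sample config for the demonstration below, not a real file.
SAMPLE_CONFIG = """
# only the bastion host opts in to DNS-based host key verification
Host bastion.example
    VerifyHostKeyDNS ask
Host *
    VerifyHostKeyDNS no
"""

if __name__ == "__main__":
    for banner in ("OpenSSH_9.6p1 Ubuntu-3ubuntu13.5", "OpenSSH_9.9p2"):
        for host in ("bastion.example", "other.example"):
            state = "exposed" if exposed_to_mitm(banner, SAMPLE_CONFIG, host) else "ok"
            print(f"{banner:40} {host:16} {state}")
```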

Editor's Note

The MitM vulnerability is interesting. The VerifyHostKeyDNS option is supposed to help verify server keys, but in this case, it turns out to be counterproductive. Please update if you rely on this option.

Johannes Ullrich

Beyond installing the updates to your SSH services when released, make sure you're not exposing that service beyond what is needed, ideally only to validated/approved clients.

Lee Neely

The Rest of the Week's News


2025-02-18

Juniper Patches Critical Authentication Bypass in SSR

Juniper Networks has released a security advisory notifying users of a critical authentication bypass vulnerability affecting Session Smart Routers (SSR), Session Smart Conductors, and WAN Assurance Routers, which has now been patched. CVE-2025-21589, CVSS score 9.3, "may allow a network-based attacker to bypass authentication and take administrative control of the device" using an alternate path or channel. The flaw is fixed in SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2 and later; devices that operate with WAN Assurance connected to the Mist Cloud will have been patched automatically.

Editor's Note

The flaw can be used to take administrative control of your Juniper Session Smart Router. There are no workarounds, and applying the fix will not impact the data functions of the router, but merely cause a brief outage of the management interface. Even better, no active exploitation has been detected yet, but that is expected to change with the release of the advisory, so get this update deployed.

Lee Neely

2025-02-20

Zero-Day Privilege Elevation Exploited in Microsoft Power Pages

Microsoft has published a security update disclosing the zero-day exploitation and subsequent patching of a high-severity vulnerability in Power Pages, the company's "low-code software as a service (SaaS) platform for creating, hosting, and administering modern external-facing business websites." CVE-2025-24989, CVSS score 8.2, allows unauthorized privilege elevation and possible bypass of user registration control via an improper access control vulnerability. The notice assesses the flaw as "Exploitation Detected," but provides no further details on the exploitation. Microsoft has already patched the service and notified customers who may have been affected, providing "instructions on reviewing their sites for potential exploitation and clean up methods."

Editor's Note

Apparently, this flaw was found by a Microsoft employee; I'd like to think Microsoft's re-commitment will continue to increase the percentage of vulnerabilities found before attackers or external researchers discover them.

John Pescatore

If you are using Power Pages, review your access logs, double-check for permission changes, double-check admin users to make sure all are expected, and enforce MFA across all accounts.

Lee Neely

Are you still using Microsoft software?

William Hugh Murray

2025-02-18

Update Xerox Firmware to Patch Pass-Back Flaws

Deral Heiland from Rapid7 has identified and disclosed two vulnerabilities, now both patched, in the firmware of Xerox Versalink C7025 Multifunction Printers (MFPs) affecting versions 57.69.91 and earlier. Both bugs are pass-back vulnerabilities: CVE-2024-12510 involves an attacker capturing clear text Lightweight Directory Access Protocol (LDAP) credentials given administrative access and access to the LDAP configuration settings; CVE-2024-12511 allows an attacker to capture SMB or FTP credentials by modifying the server's IP in the address book. Rapid7 notes that successful exploitation and access to Windows Active Directory could allow lateral movement within an organization's environment and lead to further compromises. Rapid7 disclosed these flaws to Xerox in March 2024, showing a timeline of ongoing check-ins with the company until they made patches available in January 2025 and opened disclosure in February 2025. Rapid7 recommends patching MFP firmware immediately, and if updating is not possible, to "set a complex password for the admin account ... avoid using Windows authentication accounts that have elevated privileges ... [and] avoid enabling the remote-control console for unauthenticated users."

Editor's Note

It turns out that some of the attacks I was showing in a presentation to some students have a name. Pass Back. Huh. I never knew that. Well. In the meantime, you should check for this; all printers do this, honestly.

Moses Frost

Attacking printers has been around for some time. What's surprising, at least to me, is that it took ten months to issue a patch. Granted, an evildoer would need to have previously gained access to the network but still, a long time when the prize is collecting AD credentials without being detected.

Curtis Dukes

Make sure printer firmware updates are being applied as religiously as your other endpoint updates. If you've outsourced printer management/maintenance, make sure their process aligns with your remediation timelines. SMB is used for scan to file services, so you probably need it, but you shouldn't need FTP printer access. Beyond complex admin accounts, make sure that you have visibility to actions, logins, and configuration changes, and can detect any malicious behavior.

Lee Neely

2025-02-20

Australian Fertility Provider Recovering from Data Breach

Major Australian fertility services provider Genea published a statement on Wednesday, February 19, 2025, confirming that certain systems and servers have been taken offline during investigation of "suspicious activity" including an unauthorized third party's access to the company's data. Genea is still working to understand "the extent to which [the data accessed] contains personal information," and is communicating with any patients whose treatment schedule may be affected by the incident. The Australian Broadcasting Corporation (ABC) reports that Genea is "liaising with the Australian Cyber Security Centre," but that several clinics' phone lines were down five days before the statement was issued, and a number of patients have reported serious disruptions to their treatments as well as unavailability of the MyGenea app, used for tracking cycle and fertility data and viewing test results and forms. "Serious data breaches including leaks of identity, personal or financial information must be reported to the Office of the Australian Information Commissioner (OAIC) within 30 days."

Editor's Note

This is not their first incident, and they are not indicating there is a connection to last week's phone service outage. Genea is attempting to maintain normal service levels while keeping their notification page updated, including providing contact information for patients who are unsure about what to do.

Lee Neely

One has to love lawyers: "suspicious activity," "unauthorized third-party access," "working to understand the extent." Just call it what it is, a ransomware event where data was stolen/encrypted. A court will likely decide whether the provider exercised a 'standard duty of care' in protecting its patients' data. And that rests on whether they had an established cybersecurity program and were reasonable in its implementation.

Curtis Dukes

Perhaps "recovering" but never fully recovered.

William Hugh Murray

2025-02-21

Hard Drives Purchased at Flea Market Contain Medical Data

A Dutch man purchased 15 500GB hard drives at a flea market; when he examined them at home, he found they contained troves of medical data. The man initially purchased just five of the drives, but once he discovered the sensitive nature of the data they held, he returned to the flea market and purchased the rest of the seller's drives from that batch, noting, "luckily they ended up with me and not with criminals." The medical data on the devices are from 2011 through 2019.

Editor's Note

I have seen many doctors' offices and small patient practices that struggle to keep up with patient care. You can see where they have a server or maybe several servers in a small closet, and when those services need to be disposed of, you must wonder how they are handling this. They may have just asked a 3rd party to dispose of the systems, and they may not have adequately done it. There are many ways this thing can happen. The result is that data handling is still a thing.

Moses Frost

Make sure your decommissioning process includes data wipe, with a record, as well as a process for validation of some percentage to make sure it happens. With encryption, a cryptographic wipe has become faster and easier than prior overwriting processes. If you're using a third party, they likely have options, including a solution for when the wipe process fails, such as shredding the device. Make sure all your media is covered by these processes, not just internal disks.

Lee Neely

Just a good reminder to touch base with IT and make sure surplusing/disposing of any IT equipment (not just PCs) involves following well-known processes for sanitizing them.

John Pescatore

Your responsibility for protecting patients doesn't stop once the IT equipment has been disposed of. Make sure you have a policy in place to wipe the hard drives as part of your equipment excessing process.

Curtis Dukes

Valued by the replacement cost for a bit, these drives are not worth the compute power to erase them, much less the human effort to judge the value of any residual data. Best just to use a hammer.

William Hugh Murray

2025-02-20

CISA, FBI, and MS-ISAC Publish Ghost Ransomware Cybersecurity Advisory

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have published a joint cybersecurity advisory to share known indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) for Ghost (Cring) ransomware. The advisory recommends several actions to mitigate Ghost-related cyberthreats: 'Maintain regular system backups stored separately from the source systems which cannot be altered or encrypted by potentially compromised network devices; Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe; Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization; and Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.' The document also lists seven CVEs the Ghost threat actors have been known to exploit: CVE-2018-13379, which affects Fortinet FortiOS appliances; CVE-2010-2861 and CVE-2009-3960, which affect servers running Adobe ColdFusion; CVE-2019-0604, which affects Microsoft SharePoint; and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain, which affects Microsoft Exchange.

Editor's Note

These advisories invariably could be one sentence long: "To keep your stakeholders safe from [insert attack type and name here] adopt the Center for Internet Security Critical Security Controls and prioritize reaching at least the Essential Cyber Hygiene levels." That would save a lot of energy wasted by AI engines ingesting these long advisories...

John Pescatore

I'm starting to wonder if threat analysts are paid by the word. Just cut to the chase and implement Reasonable Cybersecurity, starting with Implementation Group 1 of the CIS Critical Security Controls. That's more defensible in court than wading through a cybersecurity missive.

Curtis Dukes

Get these IoCs to your threat hunters and make certain you're clean here. Next make sure you're updated for your Fortinet, SharePoint, Exchange and ColdFusion services. Now, check that you're implementing the recommended ransomware mitigations above, ensuring none of those efforts are stalled or otherwise needing support to get to done.

Lee Neely

This ransomware group was going after 2018 bugs from Fortinet and 2009/2010 bugs from Adobe ColdFusion. It made me wonder how successful they were, but given how much attention it has gotten, it also makes me wonder how much ColdFusion is still in the wild.

Moses Frost

As a general rule, system backups are a last resort measure. However, they are often cheaper than paying extortion, almost always cheaper than recreating from scratch, but usually more expensive than preventative measures such as strong authentication and network segmentation.

William Hugh Murray

2025-02-18

US House Working Group on Data Privacy

US Congressmen and committee chairmen Brett Guthrie (R-Kan.) and John Joyce (R-Md.) have announced the creation of a working group within the House Committee on Energy and Commerce aimed at discussing and developing legislation for a comprehensive "national data privacy standard." Eight other House Republicans will work with stakeholders in the stated interest of "protect[ing] Americans' rights online and ... [US] leadership in digital technologies, including artificial intelligence." MeriTalk notes that "there is no comprehensive Federal data privacy law, and 20 states have their own individual privacy laws."

Editor's Note

The US has a decades-long history of failing to pass meaningful national data privacy laws, generally because of the commercial world wanting to maintain easy access to and unencumbered use of personal information collected online. This has driven many states to pass their own laws. I hope the goal of this committee will be to set the federal data privacy bar at or near the high water mark established by some of the states, not to set a low bar to appease industry lobbying organizations.

John Pescatore

This is a twofold problem: first, establishing a national standard, akin to CCPA or GDPR, and second, standing down individual state privacy laws, making it easier to implement and measure as well as assure consistency across the country. Hopefully this will be more successful than the 2022 American Data Privacy and Protection Act or 2024 American Privacy Rights Act which failed due to industry/technology pushback, particularly around lack of provisions preventing states from introducing additional privacy legislation, exacerbating the implementation problem.

Lee Neely

Glad to see, but a few years late. Sen. Cantwell (D-WA) has been making the clarion call for a US National Privacy Standard and even introduced legislation in 2023 and 2024 (the American Privacy Rights Act). Perhaps 2025 is finally the year that Congress acts; I just wouldn't hold my breath waiting.

Curtis Dukes

At best the states have passed similar measures using different language, leaving compliance to the user. Having a single law may well make compliance easier. However, when Congress passes laws that pre-empt state laws, they often do so by setting compliance thresholds at the lowest level chosen by any state.

William Hugh Murray

2025-02-19

Military Health Contractor Fined for Misrepresenting Cybersecurity Compliance

Between March 2015 and March 2018, US military healthcare administration contractor Health Net Federal Services (HNFS) allegedly violated its contract with the US Defense Health Agency (DHA) by failing to meet required cybersecurity standards and misrepresenting its compliance on annual reports. The DHA claims HNFS failed to scan for known vulnerabilities and remedy security flaws; ignored third-party cybersecurity auditors' reports covering many risks and policies; and "falsely attested ... compliance with at least seven of the NIST 800-53 security controls." During this time HNFS administered the TRICARE health plan covering military personnel and their families in 22 US states. A settlement agreement signed in the first week of February 2025 requires HNFS and its parent corporation, Centene, to pay the United States $11,253,400, admitting no liability.

Editor's Note

A good evaluation criterion for the management section of RFP evaluations is "Amount and number of fines paid in past 5 years, including ones where no culpability or liability was admitted."

John Pescatore

This goes back to 2015, and is only now resulting in a fine, which compared to $162 billion of revenue in their last fiscal year, seems very slight. It is far better to report noncompliance and deal with the resulting audit finding/remediation than to falsely report compliance hoping to not be caught. If you're struggling with regulatory requirements, have a conversation with your auditors or regulators about ways they can be met, make sure you aren't misinterpreting the requirements, then find a way to meet them.

Lee Neely

Internet Storm Center Tech Corner

SANS Internet StormCast Friday, February 21, 2025

Kibana Queries; Mongoose Injection; U-Boot Flaws; Unifi Protect Camera Vulnerabilities; Protecting Network Devices as Endpoint (Austin Clark @sans_edu)

https://isc.sans.edu/podcastdetail/9334

Using ES|QL In Kibana to Query DShield Honeypot Logs

Using the "Elastic Search Piped Query Language" to query DShield honeypot logs

https://isc.sans.edu/diary/Using+ESQL+in+Kibana+to+Queries+DShield+Honeypot+Logs/31704

Mongoose Flaws Put MongoDB at risk

The Object Document Mapping (ODM) library Mongoose suffers from an injection vulnerability leading to the potential of remote code execution in MongoDB.

https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/

U-Boot Vulnerabilities

The open source boot loader U-Boot suffers from a number of issues allowing the bypass of its integrity checks. This may lead to the execution of malicious code on boot.

https://www.openwall.com/lists/oss-security/2025/02/17/2

Unifi Protect Camera Update

https://community.ui.com/releases/Security-Advisory-Bulletin-046-046/9649ea8f-93db-4713-a875-c3fd7614943f

SANS Internet StormCast Thursday, February 20, 2025

XWorm Cocktail; Quantum Computing Breakthrough; Signal Phishing

https://isc.sans.edu/podcastdetail/9332

XWorm Cocktail: A Mix of PE data with PowerShell Code

Quick analysis of an interesting XWorm sample with PowerShell code embedded inside an executable

https://isc.sans.edu/diary/XWorm+Cocktail+A+Mix+of+PE+data+with+PowerShell+Code/31700

Microsoft's Majorana 1 Chip Carves New Path for Quantum Computing

Microsoft announced a breakthrough in quantum computing. Its new prototype Majorana 1 chip takes advantage of exotic Majorana particles to implement a scalable, low-error-rate approach to building quantum computers.

https://news.microsoft.com/source/features/ai/microsofts-majorana-1-chip-carves-new-path-for-quantum-computing/

Russia Targeting Signal Messenger

Signal is well regarded as a secure end-to-end encrypted messaging platform. However, a user may be tricked into providing access to their account by scanning a QR code masquerading as a group channel invitation.

https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/

SANS Internet StormCast Wednesday, February 19, 2025

ModelScan AI Model Security; OpenSSH Vuln; Juniper Patches; Dell BIOS Vulnerability

https://isc.sans.edu/podcastdetail/9330

ModelScan: Protection Against Model Serialization Attacks

ModelScan is a tool to inspect AI models for deserialization attacks. The tool will detect suspect commands and warn the user.

https://isc.sans.edu/diary/ModelScan+Protection+Against+Model+Serialization+Attacks/31692

OpenSSH MitM and DoS Vulnerabilities

OpenSSH patched two vulnerabilities discovered by Qualys. One may be used for a MitM attack in specific configurations of OpenSSH.

https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt

Juniper Authentication Bypass

Juniper fixed an authentication bypass vulnerability that affects several products. The patch was released outside the normal patch schedule.

https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US

DELL BIOS Patches

Dell released BIOS updates fixing a privilege escalation issue. The update affects a large part of Dell's portfolio.

https://www.dell.com/support/kbdoc/en-en/000258429/dsa-2025-021