US Cyber Trust Mark Will Certify Tech Security; Medical Data Breach Disclosed After a Year; Ivanti Zero-Days Require Action

An initiative voted into action by the US Federal Communications Commission (FCC) in March, 2024, has now finalized and launched the US Cyber Trust Mark Program, which "allows [manufacturers and retailers] to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs, and earn the Cyber Trust Mark label, providing an easy way for American consumers to see the cybersecurity of products they choose to bring into their homes," according to a White House press release. Analogous to the Energy Star certification, the label will indicate IoT products vetted and tested for cybersecurity compliance by a group of eleven companies designated "third-party cybersecurity labeling administrators." Anne Neuberger, US Deputy National Security Director for Cybersecurity and Emerging Technology, anticipates the Cyber Trust Mark will soon become a requirement for government technology purchases, and expects consumers to see the label in use in 2025.

Medical billing company Medusind has informed the Maine Attorney General's office that a data breach discovered more than a year ago compromised personal information of more than 360,000 people. The compromised data include basic personal information such as email addresses, street addresses, and dates of birth; Social Security, passport, and driver's license numbers; payment account information; insurance policy numbers and claim data; and medical histories, medical record numbers, and prescriptions. Medusind is sending notification letters to individuals affected by the breach, which the company says it detected on December 29, 2023.

Two zero-day flaws have been discovered in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, one of which is critical and actively exploited. CVE-2025-0282, CVSS score 9.0, is "a stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code." CVE-2025-0283, CVSS score 7.0, is also a stack-based buffer overflow allowing privilege escalation by a local authenticated attacker. Both vulnerabilities affect Connect Secure versions before 22.7R2.5, Policy Secure before 22.7R1.2, and ZTA Gateways before 22.7R2.3. Mandiant believes exploitation of CVE-2025-0282 began as early as mid-December, 2024, involving both novel malware and malware associated with threat actors linked to China. The affected products are ubiquitous, "used widely across local and federal government agencies in the U.S. as well as internationally;" Connect Secure is "the most widely adopted SSL VPN by organizations of every size, across every major industry." Whether or not Ivanti's Integrity Checker Tool returns evidence of an attack on an appliance, the company recommends a factory reset and urges users to update Connect Secure to 22.7R2.5 or later. Patches for Policy Secure (which Ivanti emphasizes should not be exposed to the public internet) and for ZTA Gateways will be released January 21. watchTowr believes the exploits are part of a possible Advanced Persistent Threat (APT) campaign and recommends any Policy Secure and STA Gateway appliances should be taken offline until patches arrive. Customers with "confirmed impact" will receive Indicators of Compromise (IoCs) from Ivanti, but Mandiant has also shared their own IoCs and YARA rules to aid detection. Benjamin Harris, CEO of watchTowr, comments: "Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not."

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to their Known Exploited Vulnerabilities (KEV) catalog. The Oracle issue (CVE-2020-2883) is a critical vulnerability in Oracle WebLogic Server and was disclosed nearly five years ago. The Mitel vulnerabilities (CVE-2024-41713 and CVE-2024-55550) are both path traversal issues that can be chained to allow a remote, unauthenticated attacker to read files on the server. The Ivanti stack-based buffer overflow vulnerability is addressed in a separate story in this issue of NewsBites (see above).

In a security advisory published on January 8, Palo Alto Networks provides details of five vulnerabilities in their Expedition migration tool, which reached end-of-life on December 31, 2024. Nonetheless. Palo Alto Network released updates to address these vulnerabilities. One of the flaws (CVE-2025-0103) is a high-severity SQL injection vulnerability that 'enables an authenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. This vulnerability also enables attackers to create and read arbitrary files on the Expedition system.' A second vulnerability (CVE-2025-0104) is a medium-severity reflected cross-site scripting issue that 'enables attackers to execute malicious JavaScript code in the context of an authenticated Expedition user's browser if that authenticated user clicks a malicious link that allows phishing attacks and could lead to Expedition browser-session theft.' The other three flaws, all low severity, are an arbitrary file deletion vulnerability, a wildcard expansion vulnerability, and an OS command injection vulnerability. Users are urged to update to fixed versions of Expedition. Palo Alto Network notes, 'We added these fixes prior to the EoL date and we do not plan to make any additional updates or security fixes.' In a June 2024 Expedition E0L announcement, Palo Alto Networks offers transition support and suggests alternatives to the Expedition tool.

In a January 7 security advisory, SonicWall provided details of four vulnerabilities. CVE-2024-53704 is a high-severity improper authentication vulnerability in the SSLVPN authentication mechanism; CVE-2024-53706 is a high-severity improper privilege management issue in the Gen7 SonicOS Cloud platform NSv; CVE-2024-40762 is a high-severity use of cryptographically weak pseudo-random number generator (PRNG) issue in the SonicOS SSLVPN authentication token generator; and CVE-2024-53705 is a medium-severity server-side request forgery vulnerability in the SonicOS SSH management interface. Users are urged to apply patches as soon as possible. SonicWall also advises "To minimize the potential impact of SSLVPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet" and "to minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access."

On January 7, 2025, PowerSchool sent letters informing affected parties of a data breach that was detected ten days before, on December 28, 2024. PowerSchool is the "largest provider of cloud-based education software for K-12 education in the U.S., serving more than 75% of students in North America, ... more than 50 million students." The letter states that attackers accessed PowerSchool's School Information System (SIS) using stolen credentials in the customer support portal, and stole personally identifiable information (PII) belonging to students, teachers, and parents and guardians, including but not limited to names and contact information, "Social Security numbers, grades, and medical information." No persistent malware or operational disruptions have been detected by the cybersecurity vendor analyzing the breach, and PowerSchool believes the stolen information "has been deleted without any further replication or dissemination." The breach does not appear to have been a ransomware attack, but the company did negotiate with the threat actors not to leak the data, engaging "cyber-extortion incident response services" from CyberSteward. In response, PowerSchool has "conducted a full password reset and further tightened password and access control," also offering credit monitoring services to affected adults and identity protection services to affected minors.

Investigation by researcher Matt Brown, followed up by additional research by WIRED Magazine, has shown widespread exposure of unsecured live video feeds and data collected by automated license-plate-recognition (ALPR) cameras across the US. After purchasing and reverse-engineering ALPR cameras, Brown uncovered IP addresses of in-use cameras using text from the device's 404 page. Law enforcement employs ALPR systems to collect images, license plate numbers, and metadata to be viewed and used internally for evidence and investigation, but "more than 150 Motorola ALPR cameras have exposed their video feeds and leaking data in recent months." A Motorola executive emphasized the role of user error in setup, stating that "recommended configurations" would have prevented exposure, but mentioned a future firmware update with "additional security hardening." Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, said: 'Police have not only breached public trust but created a bounty of location data for everyone who drives by which can be abused by stalkers and other criminals ... Police shouldn't be collecting this data at all unless there is an active investigation, and even then, the devices must be strictly scrutinized for security and public safety." Daniel Kahn Gillmor, senior staff technologist at the American Civil Liberties Union sees this as a trend in government negligence when it comes to the impact of technology on civil liberties, and highlights New Hampshire's law requiring ALPR photos to be deleted within 3 minutes of capture and never recorded or transmitted.

A new press release from Casio provides additional details about the breach of their servers on October 11, 2024. Investigation revealed that the ransomware attack arrived via phishing emails sent from overseas; that "internal documents containing personal information" were leaked; and that the customer database and system for handling customer information were not accessed, though 91 customers' data have been leaked. The internal documents contained "personal information about [Casio] employees and also information about ... business partners and customers" totaling around 8,500 people. Casio states that they "[have] not responded to any unreasonable demands from the ransomware group that carried out the unauthorized access." The company plans to strengthen IT security and training, and asks for caution in spreading information about the attack to mitigate and prevent "secondary damage."

Researchers at Eclypsium have published a blog post detailing their identification of nine vulnerabilities (four of which are high severity) in the popular Illumina iSeq 100 DNA sequencer, stemming from "outdated implementation of BIOS firmware using CSM mode and without Secure Boot or standard firmware write protections." The outdated firmware is vulnerable to being overwritten, disabling the device, or could allow attackers to establish persistence in the firmware. Potential harm done by attackers might include "faking presence or absence of hereditary conditions, manipulating medical treatments or new vaccines, faking ancestry DNA research." There is no evidence of exploit in the wild, but Illumina is working to notify any potentially impacted customers and mitigate risk where needed. According to Eclypsium, the vulnerability may apply to many more medical and industrial devices, especially those that include a specific IEI Integration Corp. motherboard. The researchers emphasize that while Illumina estimates the risk to be low, the stakes of a valuable disabled medical device are high and may require "considerable effort" in recovery, noting that "NIST recommends stringent configuration management and integrity checking for [genomic information] devices."