SANS NewsBites

SSL.com DCV Issues Unvalidated Certificates; Blue Shield of California Leaks 4.7M Members' Data; Verizon 2025 Data Breach Investigations Report

April 25, 2025  |  Volume XXVII - Issue #32

Top of the News


2025-04-22

Flawed SSL.com DCV Issues Unvalidated Certificates

Certificate authority SSL.com has revoked 11 certificates after a researcher reported a bug in one of its domain control validation (DCV) methods that let an applicant erroneously validate control of the domain of their own verification email address. SSL.com supports DCV by email challenge-response, including the variant in which the applicant publishes a contact email address in a DNS TXT record for the domain being validated and then answers a challenge sent to that address. SSL.com's implementation of this method mistakenly also added the domain name of the contact email address to the applicant's list of verified domains, allowing the applicant to then request certificates for that domain (for example, the domain of a public webmail provider). Fraudulently obtained TLS certificates could be abused to create convincing phishing sites, to intercept HTTPS traffic in man-in-the-middle attacks, and more. There is no evidence the now-revoked certificates issued through this bug were obtained maliciously; SSL.com has temporarily disabled this DCV method until the flaw is fixed, and will issue an incident report by May 2, 2025.

Editor's Note

SSL.com revoked the misidentified certificates within 24 hours of discovery. Strong validation of the FQDN/email address is in their certificate practices statement, so these actions are consistent with that and should avoid any motions to make their CA untrusted. With shortened certificate lifecycles, automation is key to survival, which includes automated DCV, which needs to remain both scalable and fraud resistant, which can be opposing forces. Expect providers to be working on these to improve security. Double check your validation mechanism to be sure it's active and consistent with your provider's requirements.

Lee Neely

Issues in implementing the domain ownership verification correctly keep coming up. This should be functionality that is thoroughly tested and reviewed. A lot of effort has been spent in the past to improve the CA ecosystem in recent years, but basic code and implementation quality issues still appear to be a big problem.

Johannes Ullrich

The DCV seems still in flux. I am somewhat surprised, as we do have a working reference protocol for this with ACME, but these things do tend to happen. It's software. Interesting that it's even being looked at and caught. That is the most fascinating part of the story.

Moses Frost

2025-04-24

Blue Shield of California Shared 4.7M Members' Data With Google Ads

Health insurance provider Blue Shield of California has posted a notice of a data breach discovered on February 11, 2025, and disclosed in a legally required report to the US Department of Health and Human Services (HHS) that approximately 4.7 million people will be notified their data may have been exposed. No attacker or threat actor was involved: Blue Shield had been using Google Analytics "to internally track website usage of members who entered certain Blue Shield sites," and discovered that between April 2021 and January 2024 the service "was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information," making this a possible HIPAA violation. The member data that may have been shared, and subsequently used in targeted ad campaigns aimed at those members, include: "Insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members' online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and 'Find a Doctor' search criteria and results (location, plan name and type, provider name and type)." Social Security numbers, driver's license numbers, and banking and credit card information were not involved. Blue Shield disconnected Google Analytics from Google Ads on its sites in January 2024, and is reviewing its sites "to ensure that no other analytics tracking software is impermissibly sharing members' protected health information." The notice encourages members to be vigilant in reviewing and protecting their accounts and credit reports.
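The review Blue Shield describes, checking every sensitive page for analytics and advertising tags, can be automated against saved copies of those pages. The following is an added example, not code from Blue Shield, Google or this newsletter: the tracker host list is a set of well-known Google tag endpoints chosen for the demo, the function names are the example's own, and the sample page is constructed.

```python
"""Inventory analytics and advertising tags embedded in a page.

Added example for this newsletter item; not code from Blue Shield, Google or
SANS. TRACKER_HOSTS lists well-known Google tag endpoints (an assumption about
what to flag); the sample page at the bottom is constructed for the demo.
"""
import re
from html.parser import HTMLParser

# Script, image or frame sources on these hosts send page activity off-site.
TRACKER_HOSTS = (
    "googletagmanager.com",
    "google-analytics.com",
    "googleadservices.com",
    "googlesyndication.com",
    "doubleclick.net",
)

# gtag('config', '<ID>'): G- is a GA4 property, AW- a Google Ads conversion
# account, UA- legacy Universal Analytics. An AW- ID next to a G- ID on a
# page that renders member data is exactly the Analytics-to-Ads link at issue.
GTAG_CONFIG = re.compile(
    r"""gtag\(\s*['"]config['"]\s*,\s*['"]([A-Z]{1,3}-[A-Z0-9-]+)['"]"""
)
ID_KINDS = {"G": "GA4 property", "AW": "Google Ads conversion",
            "UA": "Universal Analytics"}


class TagCollector(HTMLParser):
    """Collects external script/img/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.sources.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def host_of(url):
    m = re.match(r"^(?:https?:)?//([^/?#]+)", url.strip())
    return m.group(1).lower() if m else ""


def scan_html(html):
    """Return sorted findings for one page; an empty list means no known tag."""
    p = TagCollector()
    p.feed(html)
    findings = set()
    for url in p.sources:
        host = host_of(url)
        for t in TRACKER_HOSTS:
            if host == t or host.endswith("." + t):
                findings.add(f"loads {t}")
    for js in p.inline_scripts:
        for tag_id in GTAG_CONFIG.findall(js):
            kind = ID_KINDS.get(tag_id.split("-")[0], "unknown tag type")
            findings.add(f"gtag config {tag_id} ({kind})")
    return sorted(findings)


# Constructed sample: a 'Find a Doctor' results page wired to GA4 and Google Ads.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123');
  gtag('config', 'AW-987654');
</script></head>
<body><h1>Find a Doctor results: cardiology, 94105, Gold PPO</h1></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run it over a crawl of authenticated pages (claims, provider search, plan details) and treat any finding on a page that renders member data as a risk register entry; a page that needs usage metrics can keep a GA4 property without the AW- conversion configuration that links it to Google Ads.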

Editor's Note

Sensitive websites must not use Google Ads or Google Analytics. These and similar tools are designed to record browsing data that often includes PII and other sensitive data.

Johannes Ullrich

This is not the first data leak attributed to usage tracking. Be careful with trackers and analytics on pages with sensitive information. A free service needs to be paid for somehow; find out how and where your information fits into the equation. If you're not actively using the analytics, remove the trackers.

Lee Neely

This was preventable, but then, that is often the case with cybersecurity incidents. Use of website analytics or any software app that 'touches' user data should be a risk register entry and regularly reviewed as part of one's risk management program. At a minimum, notice should be given that online tracking technology is employed on the website.

Curtis Dukes

2025-04-24

Verizon 2025 Data Breach Investigations Report

Among the highlights of Verizon's 2025 Data Breach Investigations Report (DBIR): thirty percent of breaches involved third-party entities, double the figure from the previous year; forty-four percent of breaches involved ransomware, but the share of victim organizations that refused to pay the ransom demand was 64 percent, up from 50 percent two years ago, and the average ransomware payment was $115,000, down from last year's average of $150,000. The report data are drawn from incidents that took place between November 1, 2023 and October 31, 2024.

Editor's Note

The DBIR began the current era of open source intelligence and continues to be valuable. Avail yourself of it.

William Hugh Murray

As always, a huge shout out to the folks at Verizon for publishing the investigations report. Two things, among many, stand out to me: 1) the increase in attacks via a third-party provider; and 2) time to remediate a vulnerability. For the first, bring third-party providers into your risk management review, and that means more than simply sending them a questionnaire. For the second, if we don't find a way to automate patching, the adversary will always win.

Curtis Dukes

It's getting safe to assume a breach will, de facto, include ransomware. At the same time, the need to pay is not required to recover, indicating people have taken mitigation and advance planning to heart. If you don't know what your response plan and mitigations are, find out now. If nobody knows, assume that needs to be addressed and get on it.

Lee Neely

The Rest of the Week's News


2025-04-24

FBI Internet Crime Report 2024

In 2024, the FBI's Internet Crime Complaint Center (IC3) received reports of cybercrime losses totaling $16.6 billion, mostly from fraud and ransomware, a 33 percent increase over the losses reported for 2023. Deputy Assistant Director of the FBI's Cyber Division Cynthia Kaiser told reporters that the figure understates total losses to cybercrime, as not all victims report to law enforcement. Ransomware was the largest threat to critical infrastructure organizations. In all, IC3 received nearly 860,000 complaints in 2024.

Editor's Note

While not all cybercrime is reported to IC3, the numbers are significant, not only in the type and volume of attacks, but also in prevention. It is estimated that since 2022, over 800 million USD have been saved by their services, which include providing free decryption keys. If IC3 is not in your resource list, they need to be: establish contact before you need them.

Lee Neely

IC3 is the latest addition to the FBI's storied history of crime measurement and reporting. When looking at the loss number, keep in mind that direct loss is only a portion of the cost. Some of the other components, for example reputation or lost business, are difficult to quantify but real nonetheless.

William Hugh Murray

2025-04-23

CISA Industrial Control Systems Advisories for Siemens, Schneider, and ABB

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Industrial Control System (ICS) advisories regarding vulnerabilities affecting products from Siemens, Schneider Electric, and ABB. The Siemens advisories address multiple SQL injection vulnerabilities and an improper handling of length parameter inconsistency issue in Siemens TeleControl Server Basic. The Schneider advisories address an information exposure vulnerability in Schneider Electric Wiser Home Controller WHC-5918A and an incorrect calculation of buffer size issue in Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC. The ABB advisory addresses multiple improper input validation vulnerabilities, an improper restriction of operations within the bounds of a memory buffer vulnerability, and an out-of-bounds write vulnerability in ABB MV Drives.

Editor's Note

A recurring theme here is these are remotely exploitable with low complexity. Beyond applying relevant updates, you need to validate access is limited to authorized systems, and don't expose control systems to the internet. Next, verify your monitoring can detect unwelcome advances, just in case.

Lee Neely

As our infrastructure becomes more and more automated, the distinction between IT and OT will disappear. Indeed, the distinction between cyber and infrastructure may well disappear.

William Hugh Murray

2025-04-24

Spanish Water Supplier Target of Cyberattack

The computer systems and website of Spanish water supplier Aigües de Mataró experienced a cyberattack; the company, which operates both the drinking water and sewage systems for the town of Mataró, says that while billing and other administrative services have been disrupted, its water quality control systems were unaffected by the incident. It has notified customers that their personal information may have been compromised in the attack.

Editor's Note

While it doesn't appear to be the case in this attack, connecting IT and OT systems can have a deleterious effect on critical infrastructure. Organizations should use this as a risk management tabletop exercise and actively discuss the threats posed to critical infrastructure.

Curtis Dukes

2025-04-23

State Bar of California Discloses Some Bar Exam Questions Were Composed with AI Help

Earlier this week, the State Bar of California disclosed that AI was used to construct some of the multiple-choice questions on the bar exam that was administered in February. The State Bar of California writes that the "questions were developed with the assistance of AI and subsequently reviewed by content validation panels and a subject matter expert in advance of the exam." The admission follows weeks of complaints about the February exam, including reports of test-takers being thrown off online testing platforms, screen lag times, error messages, typos, and confusing questions. The Committee of Bar Examiners (CBE) has recommended that score adjustments be made for the February exam.

Editor's Note

Two big lessons to learn from this item: (1) Invariably, successfully using AI software requires involvement of domain experts in design and verification/validation, and (2) Independent verification and validation (IVV) means independent from the creator/developer/consultancy that was paid to create the system/software. Failure in these areas guarantees Garbage In, Garbage Out (GIGO).

John Pescatore

The process of generating certification exam questions is expensive (been there, done that, have the T-shirt). Like almost all composition processes, it will become increasingly reliant upon LLMs and generative AI. Those who use a computer for such processes - not the computer, not the process - are responsible for all the properties of the result.

William Hugh Murray

That the third-party-contracted questions were developed by AI rather than lawyers, while still being subject to the same review process, seems like a distractor from issues with California's new state bar exam system, implemented last year, which is having technical challenges that need to be resolved. Make sure you understand how third parties meet deliverables, including the use of AI, and make sure you have sufficient QA in place to ensure your standards are met. Consider your actions if, even so, these don't meet customer expectations.

Lee Neely

Is the concern really about the fact that AI generated the questions or that the platform used to administer the test was faulty? Seems like the California Bar, and its surrogate, did the right thing by having the AI generated questions reviewed prior to their inclusion in the test. Whether we like it or not, AI is going to displace some jobs that were typically done by humans.

Curtis Dukes

I imagine we will see AI writing more items; this shouldn't surprise us. The interesting part is the invalidation of the questions,

Moses Frost

https://www.calbar.ca.gov/About-Us/News/News-Releases/CBE-Recommends-Scoring-Adjustments-for-February-Bar-Exam

2025-04-24

Marks and Spencer Discloses "Cyber Incident"

Marks and Spencer Group plc (M&S), a UK-based multinational retailer, filed a notice with the London Stock Exchange (LSE) on April 22, 2025, disclosing a "cyber incident." M&S has reported the incident to relevant authorities and the National Cyber Security Centre, and is working with third-party experts to investigate, noting that stores remain open and the website and app are operational despite "minor, temporary changes to [their] store operations." A further update the following day on the company's website specifies that M&S has proactively taken some "processes" offline; contactless payments and "Click & Collect" orders are currently suspended, and online order deliveries may be delayed. A spokesperson has since told TechCrunch that contactless payments are working again. Details of the nature and scope of the incident have not been disclosed.

Editor's Note

Given the rapid change in which services are available, from no credit card, to no contactless, to fully working, M&S customers need to keep an eye on the website; clearly customer-facing service restoration is their priority.

Lee Neely

Point of sale systems continue to be a major target and dependency. Contactless payments are increasing as a percentage of revenue. For those of us who no longer carry physical cards, the backup for contactless is to key in the account data, a very inefficient process.

William Hugh Murray

2025-04-22

Abilene, TX, Disrupted by Cyber Incident

The city of Abilene, Texas, published a notice on April 18, 2025, informing residents of IT disruptions and an ongoing investigation in the wake of a cyber incident. After officials "received reports of unresponsive servers within [their] internal network," the city disconnected affected systems as part of its incident response plan, notified relevant authorities, and engaged third-party cybersecurity experts to analyze the incident. Certain systems remain offline, such as credit card payment systems at government offices; emergency services and online water utility payments are fully functional, and past-due accounts will not have service shut off. Computer systems and telephones are still being restored, and response to service requests may be slow. The notice anticipates weekly updates with additional details.

Editor's Note

Residents can still pay bills in person by check or cash, or online via debit/credit or e-check. While they aren't acting on past due accounts, don't assume this won't change. Keep an eye on the city-provided page for updates and contact information.

Lee Neely

It's been a rough year for municipalities in the State of Texas. It's time for the State to establish a minimum cybersecurity baseline and have all Texas municipalities be measured against it. While I know that municipalities want to keep their independence, they simply don't have the resources available to protect themselves. I would look to Implementation Group 1 of the CIS Critical Security Controls for that minimum baseline.

Curtis Dukes

"Anything worthy of being called a plan says who will do what and when they will do it." Maintain liaison with those on whom you will call in the event of an attack or breach. This includes, just for example, legal, insurance claims, law enforcement, and computer forensics.

William Hugh Murray

2025-04-24

Healthcare Brief: PIH Health to Pay $600,000 for HIPAA Violations; Breaches at Yale New Haven Health, Frederick Health Medical Group, Bell Ambulance, and Alabama Ophthalmology Associates Affect Millions of People

California-based PIH Health will pay $600,000 for multiple Health Insurance Portability and Accountability Act (HIPAA) violations stemming from a US Department of Health and Human Services Office for Civil Rights (HHS OCR) investigation into a 2019 phishing incident. Breaches recently reported to HHS OCR include Yale New Haven Health System (more than 5.5 million individuals affected), Frederick Health Medical Group in Maryland (934,000+ individuals affected), Milwaukee-based Bell Ambulance (114,000 individuals affected), and Alabama Ophthalmology Associates (131,000+ individuals affected).

Editor's Note

Fines are not only related to data breach, but also for delays in reporting. Make sure you not only know your reporting interval to regulators, but also have the reporting process, including assigned responsibility and templates, defined. Include reporting in your tabletop exercises.

Lee Neely

HIPAA Violations are so rare still in the grand scheme of things, I wonder what caused this one.

Moses Frost

Internet Storm Center Tech Corner

SANS Internet Storm Center StormCast Friday, April 25, 2025

SMS Gateway Scans; Commvault Exploit; Patch Window Shrinkage; More inetpub issues

https://isc.sans.edu/podcastdetail/9424

Attacks against Teltonika Networks SMS Gateways

Attackers are actively scanning for SMS Gateways. These attacks take advantage of default passwords and other commonly used passwords.

https://isc.sans.edu/diary/Attacks+against+Teltonika+Networks+SMS+Gateways/31888

Commvault Vulnerability CVE-2025-34028

Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr has now released a detailed writeup and exploit for the vulnerability.

https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/

Exploitation Trends Q1 2025

VulnCheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited within a day of a patch being made available.

https://vulncheck.com/blog/exploitation-trends-q1-2025

inetpub directory issues

The inetpub directory that Microsoft's April patch creates on the system drive can be turned into a denial of service against future patching: if an attacker can create a junction at that location pointing to an existing system binary such as Notepad, later Windows updates may fail to apply.

https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

SANS Internet Storm Center StormCast Thursday, April 24, 2025

Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco

https://isc.sans.edu/podcastdetail/9422

Honeypot Iptables Maintenance and DShield-SIEM Logging

In this diary, Jesse talks about some of the tasks needed to maintain a honeypot, such as keeping Filebeat up to date and adjusting configurations when your dynamic IP address changes.

https://isc.sans.edu/diary/Honeypot+Iptables+Maintenance+and+DShieldSIEM+Logging/31876

XRPL.js Compromised

An unknown actor was able to push malicious versions of the XRPL.js library to NPM. The library is officially recommended for writing code that interacts with the Ripple (XRP) ledger. The malicious versions exfiltrated secret keys to the attacker.

https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor

https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx

Cisco Equipment Affected by Erlang/OTP SSH Vulnerability

Cisco published an advisory listing which of its products are affected by the critical Erlang/OTP SSH library vulnerability.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

SANS Internet Storm Center StormCast Wednesday, April 23, 2025

More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

https://isc.sans.edu/podcastdetail/9420

xorsearch.py: Ad Hoc YARA Rules

Ad hoc YARA rules allow easy searches using command-line arguments, without having to write complete YARA rules for simple use cases like string and regex searches.

https://isc.sans.edu/diary/xorsearchpy+Ad+Hoc+YARA+Rules/31856

Google Spoofed via DKIM Replay Attack

DKIM replay attacks are a known issue: the attacker re-sends a message with its original DKIM signature intact. The signature continues to verify as long as the signed headers and the body are unchanged; the new envelope recipients are not covered by it. Recently, this attack has been used successfully to spoof Google.

https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/
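The mechanism above, and the two signer-side controls that limit it, as an added example written for this issue rather than code from Google, EasyDMARC or the Internet Storm Center. It assumes a simplified DKIM: the RSA signature is replaced by an HMAC with a fixed key so it runs offline, canonicalization is 'simple' with values trimmed, and the message is constructed. Header selection follows RFC 6376 section 5.4.2 (names in h= are matched bottom-up, each header is used once, a missing header signs as an empty value), which is what makes oversigning work.

```python
"""DKIM replay, simulated: an intact message verifies wherever it is resent,
plus the two signer-side mitigations, header oversigning and the x= expiry.

Added example for this newsletter item; not code from Google, EasyDMARC or
SANS. Assumptions: real DKIM uses an RSA signature, replaced here by an HMAC
with a fixed key so it runs offline; canonicalization is 'simple' with values
trimmed; the message is constructed.
"""
import hashlib
import hmac

SIGNING_KEY = b"stand-in for the selector's private key"  # assumption


def body_hash(body):
    # 'simple' body canonicalization: exactly one trailing CRLF.
    return hashlib.sha256(body.rstrip("\r\n").encode() + b"\r\n").hexdigest()


def select_headers(headers, h_tags):
    """headers: [(name, value)] top to bottom. Returns canonical lines for
    each h= entry, matched bottom-up, each header used once. Listing 'to'
    twice when one To exists pins the second slot to 'to:' (empty), so a To
    header prepended later changes the signed data."""
    used = [False] * len(headers)
    lines = []
    for name in (n.lower() for n in h_tags):
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if headers[i][0].lower() == name and not used[i]), None)
        if idx is None:
            lines.append(f"{name}:")
        else:
            used[idx] = True
            lines.append(f"{name}:{headers[idx][1].strip()}")
    return lines


def signature_value(selected, tags_without_b):
    data = "\r\n".join(selected) + "\r\ndkim-signature:" + tags_without_b
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def sign(headers, body, h_tags, t, x):
    """Return the DKIM-Signature value for `headers`, valid from t until x."""
    tags = (f"v=1; a=hmac-sha256; d=example.test; s=sel; h={':'.join(h_tags)}; "
            f"t={t}; x={x}; bh={body_hash(body)}; b=")
    return tags + signature_value(select_headers(headers, h_tags), tags)


def verify(headers, body, now):
    """headers includes the DKIM-Signature field. Returns (ok, reason)."""
    sigs = [v for n, v in headers if n.lower() == "dkim-signature"]
    if not sigs:
        return False, "no signature"
    sig = sigs[0]
    tags = dict(p.strip().split("=", 1) for p in sig.split(";") if p.strip())
    if now > int(tags["x"]):
        return False, "signature expired"
    if tags["bh"] != body_hash(body):
        return False, "body hash mismatch"
    rest = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    selected = select_headers(rest, tags["h"].split(":"))
    expected = signature_value(selected, sig[: sig.rfind("b=") + 2])
    if not hmac.compare_digest(expected, tags["b"]):
        return False, "header hash mismatch"
    return True, "ok"


# Constructed message from a legitimate sender, captured by the attacker.
ORIGINAL_HEADERS = [
    ("From", "security@example.test"),
    ("To", "alice@example.test"),
    ("Subject", "Action required on your account"),
    ("Date", "Mon, 21 Apr 2025 09:00:00 +0000"),
]
BODY = "Please review the attached notice.\r\n"
SENT_AT = 1745226000
DAY = 86400


def signed_message(h_tags, lifetime=7 * DAY):
    """Sender side: sign and prepend the DKIM-Signature header."""
    sig = sign(ORIGINAL_HEADERS, BODY, h_tags, SENT_AT, SENT_AT + lifetime)
    return [("DKIM-Signature", sig)] + ORIGINAL_HEADERS


def replay(message, new_to):
    """Attacker side: resend the captured message unchanged except for a To
    header prepended so the displayed recipient looks right. The envelope
    recipients are not signed, so nothing else needs to change."""
    return [("To", new_to)] + message


if __name__ == "__main__":
    weak = signed_message(["from", "to", "subject", "date"])
    strong = signed_message(["from", "to", "to", "subject", "date"])
    now = SENT_AT + 3600
    print("replay, plain h=   :", verify(replay(weak, "victim@other.test"), BODY, now))
    print("replay, oversigned :", verify(replay(strong, "victim@other.test"), BODY, now))
    print("replay after x=    :", verify(weak, BODY, SENT_AT + 30 * DAY))
```

The plain signature still verifies on the replayed copy because the original To is found bottom-up and the attacker's copy sits above it unsigned; the oversigned signature fails because its second 'to' slot now resolves to the added header. A short x= lifetime bounds how long a captured message stays useful, and neither control stops a replay to recipients who see the original headers unchanged, which is why senders also rate-limit and track signed messages.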

SSL.com E-Mail Validation Bug

SSL.com did not properly verify which domain an email address used during domain validation actually demonstrates control over: the domain of the email address itself was marked as validated. This could have been exploited against webmail providers.

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406
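The logic error described in this item and in the Top of the News story on SSL.com, as an added example that is not SSL.com's code. It models the 'Email to DNS TXT Contact' method (CA/Browser Forum Baseline Requirements 3.2.2.4.14): the CA reads a contact address from the _validation-contactemail.<domain> TXT record, mails a random token there and expects it back. The DNS zone, mailboxes, session class and issuance gate are constructed in-memory stand-ins with names of the example's own; the flawed function reproduces the reported behaviour beside the corrected check.

```python
"""'Email to DNS TXT Contact' domain validation with the reported SSL.com
logic error beside the corrected check.

Added example for the SSL.com items in this issue; not SSL.com's code. The
DNS zone, mailboxes and issuance gate below are constructed stand-ins.
"""
import secrets

# Constructed zone: the applicant controls example.com and lists a contact
# mailbox hosted at a public webmail provider.
DNS_TXT = {"_validation-contactemail.example.com": ["alice@bigmail.test"]}
# Constructed set of mailboxes the applicant can actually read.
MAILBOXES_OWNED = {"alice@bigmail.test"}


def contact_email_for(fqdn):
    recs = DNS_TXT.get(f"_validation-contactemail.{fqdn}", [])
    return recs[0] if recs else None


class DcvSession:
    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.contact = contact_email_for(fqdn)
        self.token = secrets.token_urlsafe(16) if self.contact else None

    def deliver(self):
        """Simulated send: the token reaches only the listed mailbox."""
        return {self.contact: self.token} if self.contact else {}


def _token_ok(session, token):
    return session.token is not None and secrets.compare_digest(token, session.token)


def complete_dcv_flawed(session, token, verified):
    """Reproduces the reported bug: after a correct challenge response the
    domain part of the contact address is also marked as verified, although
    the applicant only proved they can read one mailbox there."""
    if not _token_ok(session, token):
        return False
    verified.add(session.fqdn)
    verified.add(session.contact.split("@", 1)[1])  # the bug
    return True


def complete_dcv_fixed(session, token, verified):
    """Corrected: only the FQDN whose TXT record named the contact is verified."""
    if not _token_ok(session, token):
        return False
    verified.add(session.fqdn)
    return True


def request_certificate(sans, verified):
    """Issuance gate: each SAN must be a verified domain or a subdomain of one."""
    return all(any(n == v or n.endswith("." + v) for v in verified) for n in sans)


def run(complete_dcv):
    """Validate example.com, then request certificates for it and for the
    webmail provider's domain. Returns what the issuance gate decided."""
    verified = set()
    session = DcvSession("example.com")
    inbox = session.deliver()
    token = next(t for addr, t in inbox.items() if addr in MAILBOXES_OWNED)
    if not complete_dcv(session, token, verified):
        raise RuntimeError("challenge response rejected")
    return {
        "own_domain": request_certificate(["example.com", "www.example.com"], verified),
        "mail_provider": request_certificate(["bigmail.test", "www.bigmail.test"], verified),
        "verified": sorted(verified),
    }


if __name__ == "__main__":
    print("flawed:", run(complete_dcv_flawed))
    print("fixed: ", run(complete_dcv_fixed))
```

The only difference between the two completion functions is one line, which is the point of the Editor's Note that DCV code deserves dedicated tests: a test that validates a domain with a contact address at a third-party mail provider and then asserts that a certificate for the provider's domain is refused would have caught this.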