SANS NewsBites

Flaws Exploited by Salt Typhoon Still Unpatched; Update Exchange Servers for Emergency Mitigations; Faulty Zyxel Signature Causes Firewall Issues

January 28, 2025  |  Volume XXVII - Issue #7

Top of the News


2025-01-24

Tenable Analysis: Many Exchange Servers Remain Unpatched Against ProxyLogon

Tenable researchers' analysis of Salt Typhoon's activity indicates that at least one of the vulnerabilities exploited by the state-sponsored threat actors remains largely unpatched. More than 90 percent of publicly-exposed Microsoft Exchange Servers are not patched against a critical remote code execution vulnerability, known as ProxyLogon, that was disclosed nearly four years ago. Tenable researchers contrast that number with other vulnerabilities exploited by Salt Typhoon: analysis of unpatched instances of 'Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) ... found that these devices were fully remediated in over 92% of cases.'

Editor's Note

Well, that's just embarrassing. The Tenable research doesn't factor in attacker stealthiness, just whether the patch was applied. No way that an organization can claim they practiced a 'standard duty of care' should they suffer a cyber breach.

Curtis Dukes

Are Microsoft products difficult to administer?

William Hugh Murray

If you're running an old Exchange and have ProxyLogon vulnerabilities in your system, it's probably no longer just YOUR system.

Moses Frost

With all the targeting of Exchange servers, there should be no reason they are not being updated, publicly-accessible or otherwise. If you don't have the resources to keep them updated, it's time to move to hosted services; the cost of a compromise, and recovery, will easily eclipse the cost of moving to a hosted solution.

Lee Neely

2025-01-27

Older Exchange Servers Cannot Receive Emergency Mitigation Definitions

Microsoft is cautioning users that outdated Exchange servers are unable to receive emergency mitigation definitions because the Office Configuration Service certificate type they rely on has been deprecated. The Exchange Emergency Mitigation Service (EEMS), introduced in September 2021, 'automatically applies interim mitigations for high-risk (and likely actively exploited) security flaws to secure on-premises Exchange servers against attacks. It detects Exchange Servers vulnerable to known threats and applies interim mitigations until security updates are released.' Administrators running Exchange Server versions older than 2023 are urged to update so that their servers can receive emergency mitigations.

Editor's Note

Simply patching Microsoft products is not adequate. Some must also be replaced on a timely basis, either because they cannot be patched or because patches are no longer being provided.

William Hugh Murray

If you're continuing to run your own Exchange servers, update them to newer than the March 2023 Cumulative or Security Update. Next, review when you can move to hosted Exchange servers as it's going to continue to be increasingly challenging to keep your own service sufficiently secure and updated.

Lee Neely

If you're running an outdated Exchange, don't be. If you're running on-premises, keep these things up to date. That's all I have to say.

Moses Frost

2025-01-27

Zyxel Application Signature Update Causes Firewall Boot Loops

A faulty Zyxel application signature update is causing issues for USG FLEX and ATP Series firewalls. Zyxel has disabled the problematic application signature on its servers. According to the Zyxel advisory, the bug 'may cause reboot loops, ZySH daemon failures, or login access problems.' The faulty signature was phased out between January 24 and 25. Fixing the problem requires physical access to the firewall and a Console/RS232 cable.

Editor's Note

Follow the Zyxel instructions to determine if you're affected. Only version "1.0.0.20250123.0" is affected, unless you are using Nebula, USG FLEX X Series, or have no active security licenses on the device. The recovery requires installing a special firmware version, via the console connection. Read the guidance twice, and enlist someone to cross-check you before attempting.

Lee Neely

This is a nasty bug in the Zyxel equipment (which is very popular in Europe and in ISPs). I'm not sure how many systems this impacted, but the fact that you need to plug into the device physically is concerning.

Moses Frost

The Rest of the Week's News


2025-01-27

Microsoft WSUS Driver Synchronization Deprecation

Microsoft has published a reminder that driver synchronization updates via Windows Server Update Services (WSUS) will be deprecated as of April 18, 2025. Microsoft initially announced the deprecation in June 2024, at which time they encouraged users to adopt newer cloud-based driver services. WSUS was introduced in 2005.

Editor's Note

While many organisations have migrated their core email services to cloud-based solutions, many still run on-premises Exchange servers to support legacy systems or enable ongoing migration of accounts to the cloud. However, it is important to remember that just because you have moved your core email services to the cloud, you should not forget your on-premises environments; ensure they remain secure.

Brian Honan

When this was announced last year, Microsoft said no new features or capabilities would be added to WSUS, and they would continue to publish updates through the WSUS channel as well as support existing content in that channel. It is time to look at Windows Autopatch, Azure Update Manager, and Microsoft Intune for your driver updates. Maybe even revisit your Windows patching implementation to make sure you're following current best practices.

Lee Neely

2025-01-28

Apple Updates Include Fix for Actively Exploited Vulnerability

On Monday, January 27, Apple released updates to address vulnerabilities in multiple products, including iOS and iPadOS, macOS, Safari, watchOS, tvOS, and visionOS. One of the vulnerabilities addressed in the patch release is an actively exploited use-after-free issue in the CoreMedia component found in multiple products. Apple says it fixed the problem by improving memory management. Apple has also released instructions for updating AirPods firmware.

Editor's Note

These releases include updates for both current and prior OS versions (e.g., iOS 17 & 18). For Apple Intelligence-capable devices you will be prompted to enable it; at this time you can still turn it off in Settings. You can also manage Apple Intelligence settings in your MDM/MAM. Test before wide deployment and determine what exceptions, if any, you will permit.

Lee Neely

2025-01-27

Researchers Identify 100+ Vulnerabilities in LTE / 5G Network Implementations

Researchers from the University of Florida and North Carolina State University have identified nearly 120 vulnerabilities in the LTE / 5G core infrastructure. The flaws affect seven LTE implementations and three 5G implementations, both open source and commercial, and could be exploited to cause 'persistent denial of cell service to an entire metropolitan area or city and [in some cases] remotely compromise and access the cellular core.' The researchers contacted affected maintainers and allowed a minimum of 90 days for patch development before disclosing the issues. In all, the 119 discovered vulnerabilities resulted in 97 unique CVEs. Their whitepaper, 'RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces,' describes their methods and process.

Editor's Note

They used two threat models: any unauthenticated device, and an adversary with an authenticated device with base-station access to the cellular core. By unauthenticated device, they mean a device which doesn't need a valid SIM; it only needs to be able to send the right malformed packet sequence. By base-station access, they are mostly referencing home "femtocell" devices (signal boosters), which typically act as a base station "under the hood" and which can then be physically manipulated to obtain persistent access. If you have cellular repeaters in your environment, make sure they are not only updated but also running legitimate firmware. Home units are typically updated automatically, but you can check via the management interface from your provider.

Lee Neely

Our reliance on 5G is increasing rapidly. One hopes that these vulnerabilities are remedied promptly and with minimum disruption to service.

William Hugh Murray

2025-01-27

Patch to Shore Up Git Credential Leaks

Researcher RyotaK from GMO Flatt Security has disclosed four vulnerabilities that could leak user credentials from GitHub Desktop and other projects involving Git. CVE-2024-53858, CVSS score 6.5, allows the GitHub command line interface to leak an access token to an arbitrary host through recursive repository cloning; CVE-2025-23040, CVSS score 6.6, could give an attacker access to user credentials via a "maliciously crafted remote URL"; CVE-2024-50338, CVSS score 7.4, allows a malicious repository to leak credentials due to a mismatch in how .NET and Git interpret a carriage return; and CVE-2024-53263, CVSS score 8.5, exploits Git LFS to leak credentials by using a specially crafted HTTP URL. Updating to the latest versions of GitHub Desktop and Git-related projects will patch the flaws. RyotaK concludes by noting that "text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue."

Editor's Note

An interesting bug from the folks at Flatt. They have some great writeups, and this one is no exception. Read through it.

Moses Frost
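The carriage-return mismatch in the item above comes down to line handling in a text protocol. As an added illustration (not code from the advisory, from Git, or from Git Credential Manager), the following contrasts a parser that treats a bare CR as a line break, the way .NET's ReadLine does, with one that follows Git's rule of terminating lines only on LF and rejecting control characters inside a field; the sample input is constructed.

```python
"""Credential-protocol line handling: lenient vs strict.

Git's credential protocol is a sequence of `key=value` lines
terminated by LF and ended by a blank line. A helper that splits
lines on CR as well as LF can see a different `host` than Git
sent, which is the class of mismatch this example demonstrates.
"""
import re


def parse_lenient(raw: str) -> dict:
    """Split on CR, LF or CRLF (the behaviour of .NET's
    StreamReader.ReadLine). A later duplicate key overwrites an
    earlier one, so an embedded CR can smuggle a second field."""
    fields = {}
    for line in re.split(r"\r\n|\r|\n", raw):
        if line == "":
            break  # blank line ends the request
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_strict(raw: str) -> dict:
    """Split on LF only (Git's rule) and refuse any CR or NUL
    inside a line, so a value can never contain a hidden line
    break regardless of how a downstream reader splits text."""
    fields = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line ends the request
        if "\r" in line or "\0" in line:
            raise ValueError("control character in credential field: %r" % line)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed credential line: %r" % line)
        fields[key] = value
    return fields


def strict_rejects(raw: str) -> bool:
    """True if the strict parser refuses the input."""
    try:
        parse_strict(raw)
    except ValueError:
        return True
    return False


# Constructed inputs: one clean request, one whose host value
# carries an embedded CR followed by a second `host=` field.
CLEAN = "protocol=https\nhost=first.example\n\n"
SMUGGLED = "protocol=https\nhost=first.example\rhost=second.example\n\n"

if __name__ == "__main__":
    print("clean, strict  :", parse_strict(CLEAN))
    print("smuggled, lenient:", parse_lenient(SMUGGLED))
    print("smuggled, strict rejects:", strict_rejects(SMUGGLED))
```

The defensive takeaway is the strict rule: validate every field against the protocol's own line terminator before any other component gets to reinterpret it.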

2025-01-27

Change Healthcare Breach Numbers Updated

UnitedHealth has confirmed that the number of individuals affected by the February 2024 Change Healthcare breach is now estimated to be 190 million. An earlier estimate placed that number at 100 million. When the final number of affected people is determined, that information will be reported to the US Department of Health and Human Services Office for Civil Rights. The attackers were able to access the Change Healthcare system using stolen account credentials; the targeted account was not protected with multi-factor authentication (MFA). The compromised data include names, addresses, government identity documents, medical diagnoses, test results, and health insurance information. A January 16 report from UnitedHealth includes information about incurred breach-related costs.

Editor's Note

By comparison, there were just over 210 million registered voters in the US for the 2024 elections; the total population of the US is estimated at 340 million. This is one of the strongest examples of the need for pervasive use of MFA as well as active account management, to include compromised credential monitoring and response. These need to become table stakes. At this point it is reasonable to assume you are included in the breach. Even if you've not been notified, take action to protect your information.

Lee Neely

No real surprise here; the number usually goes up as the investigation winds down. It still doesn't change the fact that the company failed to implement and maintain reasonable cybersecurity in protecting customer data.

Curtis Dukes

Of course the compromise of PII of subscribers is not the measure of severity of this breach, but rather the healthcare providers who were not paid on a timely basis.

William Hugh Murray

2025-01-27

British Museum Temporarily Shut Down Some Exhibits Following Tech Sabotage

The British Museum temporarily closed some exhibits and galleries over the weekend after a disgruntled former contractor shut down some of the museum's IT systems. The contractor was dismissed prior to the incident and was arrested after entering the museum on January 23, accessing an area without authorization, and 'caus[ing] damage to the museum's security and IT systems.'

Editor's Note

A reminder that the L part of your Joiners, Movers and Leavers (JML) process should ensure that physical access to sensitive areas is removed or changed should someone leave the organisation. The British Museum were victims of a ransomware attack in 2022, and this incident reinforces that security is an ongoing journey that constantly needs to be reviewed and improved.

Brian Honan

This one is a timely reminder: there is increasing pressure to bring employees back into the office, which will cause a lot of 'disgruntlement' and increased turnover. Make sure that employee/contractor termination immediately triggers both access revocation and testing that revocation took hold.

John Pescatore

We have talked about removing logical access for terminated employees, and this also needs to apply to physical access. Both need to be applied immediately in the case of involuntary separation, and in a timely fashion otherwise. While things may need to be on hold for potentially returning staff, that access can still be disabled during that interval rather than left 'as-is.'

Lee Neely

The question becomes how did the former employee gain access to the restricted area (access card, keypad on door)? The incident serves as a reminder to IT, HR, and Security teams that all access permissions, physical or electronic, should be reset at the time of employee termination and staff properly notified.

Curtis Dukes

Ensure that all separations are complete and timely, with special attention to those that are less than friendly. In this age, when contractors are often privileged, such separations must include them.

William Hugh Murray

2025-01-24

Starlink Vulnerability Exposed Subaru Remote Functions and Data

Sam Curry and Shubham Shah have released a report demonstrating a now-patched vulnerability in Starlink, Subaru's multipurpose onboard services system, that would have allowed an attacker to remotely manipulate any vehicle and exfiltrate data given the owner's last name and "ZIP code, email address, phone number, or license plate." The researchers accessed an employee admin portal through JavaScript flaws in the login process, and bypassed 2FA on the site by simply removing the UI overlay. Any attacker with this access could perform remote operations on the vehicle, starting or stopping the engine, locking or unlocking the doors, and tracking the vehicle's current location and past 12 months of location history, as well as steal extensive customer PII and data about the vehicle's status and history, all without alerting the owner. Subaru patched the flaw within 24 hours of its report.

Editor's Note

No, not that Starlink, the other STARLINK (sic). Shubham Shah always comes up with something novel, so this is a fun read.

Moses Frost

In 2023, Sam Curry discovered and reported weaknesses in the Kia car owner's website, and with a team of six other researchers discovered weaknesses in the telematics systems of 16 other car manufacturers. It is noteworthy that the vulnerability was fixed within 24 hours of notification and was never maliciously exploited. The 2FA bypass highlights the importance of properly implementing MFA. Like cryptography, rolling your own MFA is risky and needs in-depth testing/validation.

Lee Neely

2025-01-27

Another Baltic Sea Data Cable Damaged

On January 26, Swedish authorities received word from Latvia that an undersea fiber optic cable belonging to the Latvian State Radio and Television Center (LVRTC), had taken "significant" external damage. Within hours Sweden seized and boarded a cargo ship named the Vezhen, sailing under the flag of Malta, suspected of causing the damage; the Swedish Security Service alongside "the National Operations Department of the Police, the Coast Guard and the Swedish Armed Forces" are investigating, but no further information has been released. The cable in question runs in the Baltic Sea from the town of Ventspils in Latvia to Gotland Island in Sweden, and is the third Baltic Sea cable to be damaged in just over a month. On January 22, Finland's lead investigator into the severing of two undersea cables by an oil tanker on December 25, 2024, stated that the National Bureau of Investigation "suspects intent, but is still evaluating it."

Editor's Note

Physical attacks on undersea cables continue, and Sweden is putting would-be perpetrators on notice that there will be consequences, to include active investigation and detainment of suspected parties. This is also resulting in increased NATO actions in the North Sea. In the meantime, if you're dependent on undersea cables, investigate path diversity options. If you haven't investigated in a couple of years, it's time to revisit.

Lee Neely

There are approximately three cable cuts a week. There is even a working group trying to establish standards around these. To underscore how impactful this is, it probably takes a month to fix. The backlog may be growing at this point, but it's hard to tell. Considering the sensitivity of this area, it would be interesting to see if any vessels get confiscated. There is a strange thing going on with insurance and the Russian shadow fleet since the Ukraine war. I'm unsure if this is a Russian shadow fleet ship, but this may be something to watch as it can only go on for so long before something more serious occurs.

Moses Frost

Once can be written off as an accident, twice, bad luck, but three times in the span of a month, umm yes, something untoward is happening to undersea cables. Determining intent will be the tricky part and hard to prove.

Curtis Dukes

Cables are fundamentally vulnerable to breakage, both accidental and malicious. Redundancy is important. They should not be allowed to be single points of failure.

William Hugh Murray

Internet Storm Center Tech Corner

SANS ISC Stormcast, Tuesday, January 28, 2025

This episode shows how attackers are bypassing phishing filters by abusing the "shy" soft-hyphen HTML entity. We have an update from Apple fixing a 0-day vulnerability in addition to a number of other issues. watchTowr shows how to exploit an interesting FortiOS vulnerability, and we have patches for GitHub Desktop and Apache Solr.

https://isc.sans.edu/podcastdetail/9298

An unusual shy z-wasp phish

How the soft hyphen "shy" HTML entity can be abused to bypass e-mail filters

https://isc.sans.edu/diary/An+unusual+shy+zwasp+phishing/31626

Apple Patches

Apple released patches for all of its operating systems, fixing a 0-day vulnerability among many other issues.

https://support.apple.com/en-us/100100

Get Fortirekt I am the Super_admin now

Details about a recent FortiOS Vulnerability

https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-authentication-bypass-cve-2024-55591/

GitHub Desktop Vulnerability

https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html

Apache Solr Vulnerability

https://solr.apache.org/security.html#cve-2024-52012-apache-solr-configset-upload-on-windows-allows-arbitrary-path-write-access

SANS ISC Stormcast, Monday, January 27, 2025

Access Brokers; Llama Stack Vuln; ESXi SSH Tunnels; Zyxel Boot Loops; Subaru StarLeak

https://isc.sans.edu/podcastdetail/9296

Guest Diary: How Access Brokers Maintain Persistence

Explore how cybercriminals utilize access brokers to persist within networks and the impact this has on organizational security.

https://isc.sans.edu/forums/diary/Guest+Diary+How+Access+Brokers+Maintain+Persistence/31600/

Critical Vulnerability in Meta's Llama Stack (CVE-2024-50050)

A deep dive into CVE-2024-50050, a critical vulnerability affecting Meta's Llama Stack, with exploitation details and mitigation strategies.

https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack

ESXi Ransomware and SSH Tunneling Defense Strategies

Learn how to fortify your infrastructure against ransomware targeting ESXi environments, focusing on SSH tunneling and proactive measures.

https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/

Zyxel USG FLEX/ATP Series Application Signature Recovery Steps

Addressing issues with Zyxel's USG FLEX/ATP Series application signatures as of January 24, 2025, with a detailed recovery guide.

https://support.zyxel.eu/hc/en-us/articles/24159250192658-USG-FLEX-ATP-Series-Recovery-Steps-for-Application-Signature-Issue-on-January-24th-2025

Subaru Starlink Vulnerability Exposed Cars to Remote Hacking

Discussing how a vulnerability in Subaru's Starlink system left vehicles susceptible to remote exploitation and the steps taken to resolve it.

https://www.securityweek.com/subaru-starlink-vulnerability-exposed-cars-to-remote-hacking/