Change Healthcare Clearinghouse Services are Functional
(November 20, 2024)
Nine months after suffering a catastrophic ransomware attack, Change Healthcare says that its healthcare-related transactions clearinghouse services have been restored. Change Healthcare normally handles 15 billion financial transactions annually. The American Hospital Association reported that the February attack disrupted services at 94 percent of US hospitals.
Editor's Note
[Neely]
Nine. Months. Later. Their clearinghouse service is not the last thing needing service restoration. I'm pretty sure none of us have put nine months as a recovery time objective without considerable management buy-in. I'm sure there were many conversations about the restored service stability, ability to handle the prior workload plus any catch-up work, and the zinger, promises that the compromise would never happen again, all of which result in delays. Work these out, including what evidence is expected, in your tabletop exercises. Don't forget to include exercises where you actually rebuild/recover and operate a system.
[Frost]
What fallout will we see from Change Healthcare? I am not sure the blowback has been strong enough yet in the Medical Sector. Does that say more about Healthcare IT or just Healthcare in general?
[Murray]
This may well have been one of the most expensive breaches in history with much of the cost being borne by customers.
CISA Insights from Red Team Assessment of Critical Infrastructure Organization
(November 21, 2024)
The US Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment of a critical infrastructure organization at the organization’s request. CISA has published a cybersecurity advisory detailing the tactics, techniques, and procedures the red team used. The report also includes lessons learned in the areas of insufficient technical controls; continuous training, support, and resources; and business risk, as well as noted strengths demonstrated by the critical infrastructure provider.
Editor's Note
[Elgee]
The western world has a serious problem with critical infrastructure. Don't forget Volt Typhoon! Adversaries have persistence TODAY in water, power, healthcare, etc. and can break our first world bubble at any time. If you aren't a critical infrastructure provider, please consider volunteering with Infragard or local cyber civilian reserves (where available). Note: the red team here did not gain access to OT/ICS systems. That's great news!
[Frost]
Red Team, Blue Team, Purple Team, Architect, in the sector, not in the industry, it doesn’t matter. I highly recommend reading this report. It doesn’t matter if you are early in your career, late in your career, director, or CIO, this is a valuable report. I recommend reading this report if you do nothing else today or next week.
[Neely]
Three takeaways here: First is the importance of defense in depth. Not just EDR but also network layer detection and response. Second is to keep the staff trained and supported with the resources to detect, understand and respond to current threats. Third is management support and understanding of threats for proper risk-based decision making, not supporting updates of known vulnerable software, instead accepting the risk. Where a WAF had been deployed in response to a discovered vulnerability in the new VDP program, it was never toggled from monitor/learning mode to blocking mode; management should have verified that procedures were in place to ensure issues were fully addressed and verified. Take a hard look at your shop in this context, then take steps to avoid a me-too scenario.
Read more in:
- www.cisa.gov: Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization
- www.theregister.com: Here's what happens if you don't layer network security – or remove unused web shells
D-Link Tells Users to Replace End-of-Life / End-of-Service Devices
(November 18, 20, & 21, 2024)
In a Security Announcement published this week, D-Link “recommends that D-Link devices that have reached EOL/EOS be retired and replaced.” Specifically, the advice applies to these D-Link routers: DSR-150 (EOL May 2024), DSR-150N (EOL May 2024), DSR-250 (EOL May 2024), DSR-250N (EOL May 2024), DSR-500N (EOL September 2015), and DSR-1000N (EOL October 2015). The announcement follows the disclosure of a serious buffer overflow vulnerability in the devices that could lead to remote code execution.
Editor's Note
[Frost]
These devices are typically installed in the houses of non-IT individuals. I suspect when you're in the US and going to your parents'/relatives' houses, maybe take a look and see if they are running these older devices. If so, Christmas is around the corner.
[Murray]
These are not expensive devices and most users have gotten good value from them. The replacements will offer improvements in value, performance, features, and functions. Much of the cost of replacing them will be in the setup, configuration, and network downtime. (Hopefully the replacements will not have default passwords.)
[Neely]
It's totally legitimate to set EOL dates and not provide updates beyond that point. And it's on us, as consumers, to plan for that. Having a scored CVE for the vulnerability helps make the case for prompt action, even if these devices are under $200 each.
[Ullrich]
D-Link is at least offering a discount for people who need to switch devices. On the other hand, open source solutions like OpenWRT will often extend the life of these devices by years.
Read more in:
- supportannouncement.us.dlink.com: DSR-150/DSR-150N/DSR-250/DSR-250N/DSR-500N/DSR-1000N: All H/W Revisions / All F/W Versions - End-of-Life / End-of-Service - Please Retire and Replace - Reported Security Vulnerabilities
- www.theregister.com: D-Link tells users to trash old VPN routers over bug too dangerous to identify
Decade-Old Vulnerabilities in Ubuntu needrestart
(November 19, 20, & 21, 2024)
The Qualys Threat Research Unit (TRU) has published a report on five local privilege escalation vulnerabilities in "needrestart," a Linux utility that helps automatically keep services current by flagging them for restart after updates. The utility has had all five flaws since version 0.8, released in April 2014; it has been installed by default in Ubuntu Server since version 21.04, may be manually installed on many older Ubuntu releases, and is in the package repositories of other distributions. CVE-2024-48990, CVE-2024-48991, and CVE-2024-48992 allow arbitrary code execution by running interpreters with malicious environment variables or by installing malicious interpreters; CVE-2024-11003 and CVE-2024-10224 allow execution of arbitrary shell commands via unsanitized input data. Updating to version 3.8 or later patches the flaws; as an interim mitigation, the utility's configuration file can be modified to "disable the interpreter scanning feature ... [to] stop needrestart from executing interpreters with potentially attacker-controlled environment variables."
Editor's Note
[Frost]
Qualys team continues to find classic amazing bugs in Legacy Software. It not only feels retro, but in this case, it is retro.
[Neely]
Needrestart can be compelled to execute arbitrary scripts, which can be mitigated by changing /etc/needrestart/needrestart.conf to disable interpreter scanners by setting $nrconf{interpscan} to 0 until you deploy the updated packages. In CVE-2024-48990 and CVE-2024-48992 an attacker can run a script which uses environment variables to execute arbitrary code, while CVE-2024-48991 requires exploiting a time-of-use time-of-check race condition. In CVE-2024-11003 attacker-controlled input is fed to Module::ScanDeps, triggering CVE-2024-10224. Tip: it took you longer to read that paragraph than it would to deploy the updated needrestart and libmodule-scandeps-perl.
[Ullrich]
Qualys did not provide a proof of concept exploit, but there is enough detail in their report to assume that an exploit will be released before you read this. This is only a privilege escalation issue, but should still be addressed quickly.
Read more in:
- blog.qualys.com: Qualys TRU Uncovers Five Local Privilege Escalation Vulnerabilities in needrestart
- www.bleepingcomputer.com: Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root
- www.scworld.com: Ubuntu affected by 10-year-old flaws in needrestart package
- www.theregister.com: 'Alarming' security bugs lay low in Linux's needrestart server utility for 10 years
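The two remediation paths in this item (upgrade to upstream 3.8 or later, or set $nrconf{interpscan} = 0 in /etc/needrestart/needrestart.conf until the packages are deployed) are easy to verify at scale. The script below is an added example, not code from Qualys, SANS or the needrestart project: it classifies a host as patched, mitigated or vulnerable from the installed version string and the config file. The function names, the constructed sample config, and the assumption that distribution packages backport the fix without changing the upstream version string (so the version check is an upstream-only check and your distribution's advisory is authoritative) are this example's, not the page's.

```shell
#!/bin/sh
# Added example (not from Qualys, SANS or the needrestart project).
# Classify a host for the needrestart interpreter-scan flaws:
#   patched     - upstream version is 3.8 or later (per the report)
#   mitigated   - config carries an active "$nrconf{interpscan} = 0;" line
#   vulnerable  - neither
# Function names and the sample config are constructed for this example.

# Exit 0 when the config contains an uncommented line setting
# $nrconf{interpscan} to 0. A commented "#$nrconf{interpscan} = 0;" does
# not count, which is a common mistake when editing the stock file.
interpscan_disabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*\$nrconf[{]interpscan[}][[:space:]]*=[[:space:]]*0[[:space:]]*;' "$conf"
}

# Exit 0 when installed version $1 sorts at or above fixed version $2
# (GNU sort -V handles Debian-style strings such as 3.6-7ubuntu4.3).
# Assumption: distro security updates keep the old upstream version, so
# this is an upstream-only check; use the distro advisory for the real
# fixed package version.
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print one word: patched, mitigated or vulnerable.
assess_needrestart() {
    installed="$1"
    conf="$2"
    if version_at_least "$installed" "3.8"; then
        echo patched
    elif interpscan_disabled "$conf"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Stand-alone demo on a constructed config file; no real host is touched.
demo_conf=$(mktemp)
printf '%s\n' \
    '# constructed sample needrestart.conf' \
    '#$nrconf{interpscan} = 1;' \
    '$nrconf{interpscan} = 0;' > "$demo_conf"
echo "3.6, workaround applied:    $(assess_needrestart 3.6 "$demo_conf")"
printf '%s\n' '#$nrconf{interpscan} = 0;' > "$demo_conf"
echo "3.6, workaround commented:  $(assess_needrestart 3.6 "$demo_conf")"
echo "3.8 upstream:               $(assess_needrestart 3.8 "$demo_conf")"
rm -f "$demo_conf"
```

On a live Debian or Ubuntu host the installed version comes from `dpkg-query -W -f='${Version}' needrestart`, and the config path is the one from the editor's note, /etc/needrestart/needrestart.conf. Because the version comparison ignores distribution backports, a host reported as "vulnerable" here may already carry the distro's patched package; treat that result as "check the advisory", not as a confirmed exposure.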
Google OSS-Fuzz Finds Dozens of Open-Source Vulnerabilities
(November 20 & 21, 2024)
Google’s OSS-Fuzz tool, which now includes AI capabilities, recently detected 26 vulnerabilities in open-source projects. Google announced that it was bringing large language model (LLM) capabilities to bear on the tool, which has been in use since 2016. Google says the vulnerabilities would not have been detected without the targets generated by the LLM component.
Editor's Note
[Pescatore]
Everything we do in security is bounded by resources (people, time, money), and prioritizing those resources towards maximum RRROI (Risk Reduction Return on Investment) is critical. Since by definition fuzzing starts with an infinite number of possible inputs, creating fuzzing targets to increase the odds of finding vulnerabilities, or in particular to maximize code coverage and reduce, is needed. Using AI techniques seems promising, but my worry is what “blind spots” are or will be built into the LLM models being used for this? There have been great demonstrations about how AI-based image recognition models can be easily defeated. Increased code coverage should be a good thing, unless the remaining code area is the real vulnerability swamp.
[Neely]
The AI LLMs are both reducing the time to detection and finding flaws not discovered by "human-written" fuzzing tests. While the ultimate goal is to have the LLM generate a suggested patch for flaws found, consider how leveraging the OSS-Fuzz open-source tool in your SQA processes would help you with discovery with nominal impact on the release process, assuming no issues are found.
Apple Patches Two Exploited Zero-Day Vulnerabilities
(November 19 & 20, 2024)
On Tuesday, November 19, Apple released patches for two zero-day vulnerabilities in macOS and iOS systems; the company "is aware of a report" that these bugs have been exploited in the wild on Intel-based Mac systems, but does not specify details nor indicators of compromise (IoC). Both vulnerabilities stem from "processing maliciously crafted web content": CVE-2024-44308 allows arbitrary code execution through JavaScriptCore, and CVE-2024-44309 allows a cross-site scripting attack through WebKit. To apply the patches, update to macOS Sequoia 15.1.1, iOS/iPadOS 17.7.2 or 18.1.1, and visionOS 2.1.1.
Editor's Note
[Neely]
CVE-2024-44309 is a cookie management flaw, while CVE-2024-44308 impacts the JavaScript core. Note these apply to both iOS 17 & 18. Make sure that you're working to be on devices which can all run iOS 18, it's a lot easier when your fleet is all on the same version. Your Mac users are likely already getting prompts to install 15.1.1 - make sure the updates are actually applied.
[Murray]
Just a reminder that most Apple users should have automatic updates enabled.
Censys: Nearly 150,000 Industrial Control Systems are Internet-Exposed
(November 21, 2024)
According to Censys’s 2024 State of the Internet Report, there are more than 145,000 internet-exposed industrial control systems (ICS) worldwide. Censys detected exposed systems in 175 countries. Thirty-eight percent of the exposed systems are in North America, 35% in Europe, and 22% in Asia. The report indicates that the exposed systems are accessible through certain protocols, including Modbus, Fox, BACnet, WDBRPC (Wind River), EIP, S7 (Siemens), and IEC 60870-5-104.
Editor's Note
[Neely]
The days of nobody caring about ICS, or otherwise discounting the risks of compromise, are past. It's going to take a joint effort to secure exposed interfaces without jeopardizing effectiveness or real-time data collection. Where LTE/5G connections are used, talk to your provider about private networks and other security options available. Latency is a nasty four-letter word in this context, and availability rules the roost, but still have a discussion after they read the report.
Read more in:
- go.censys.com: The 2024 State of the Internet Report | Internet-Connected Industrial Control Systems (PDF)
- www.securityweek.com: ICS Security: 145,000 Systems Exposed to Web, Many Industrial Firms Hit by Attacks
Oracle Patches Actively Exploited Flaw in Agile Product Lifecycle Management
(November 20 & 21, 2024)
Oracle has released fixes for an actively exploited, high-severity unauthenticated information disclosure vulnerability in their Agile Product Lifecycle Management (PLM). The flaw has been exploited to download files. The issue affects PLM version 9.3.6. Admins are urged to update to a fixed version as soon as possible.
Editor's Note
[Neely]
CVE-2024-21287, PLM information disclosure flaw, CVSS score 7.5, is easily exploited by an unauthenticated user with network access to the PLM system, and can be used to access critical data or even all data in your Oracle PLM framework. Beyond applying the patch, revisit the security configuration of your PLM system to make sure you're applying current best practices.
MITRE’s List of Most Dangerous Software Weaknesses
(November 21, 2024)
MITRE has published its 2024 CWE Top 25 Most Dangerous Software Weaknesses list. Topping the list is improper neutralization of input during web page generation, or cross-site scripting; followed by out-of-bounds write; improper neutralization of special elements used in an SQL command, or SQL injection; cross-site request forgery; improper limitation of a pathname to a restricted directory, or path traversal; and out-of-bounds read.
Editor's Note
[Pescatore]
While their placement has moved around from a “Most Dangerous” perspective, all of the vulnerabilities were listed last year in the top 40 – none of them are new. If you required all code to get a clean run from most modern app vulnerability testing tools before promoting to production systems, you would have known of these in advance of exposure.
[Frost]
What have we learned? In my lifetime thus far, these bugs haven’t changed in how dangerous they are; they appear to be static in that sense. Take this into account when you consider we are not making any less software as a species, only more software is being made.
[Neely]
Input sanitization (neutralization) has been a challenge and a successful attack vector for a while. The other vulnerabilities aren't new either, so your security testing (static and dynamic) should already be revealing these weaknesses. The focus has to be on secure coding, taking the time to ensure weaknesses are addressed as early as possible in the SDLC. Use this report to bolster the case that secure development is as important as delivery.
Read more in:
- cwe.mitre.org: 2024 CWE Top 25 Most Dangerous Software Weaknesses
- www.securityweek.com: MITRE Updates List of 25 Most Dangerous Software Vulnerabilities
Major Financial Data Handler Finastra Suffers Breach
(November 13, 19, & 20, 2024)
In a statement to customers updated on November 13, Finastra, "which provides software and services to 45 of the world’s top 50 banks," disclosed a data breach in an internal secure file transfer platform (SFTP), mentioning but neither verifying nor disavowing claims that a threat actor allegedly stole and sold the data on the dark web. Finastra's business spans over 8000 clients in 42 countries, often "processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients." The company's Security Operations Center (SOC) believes that malware was not deployed, and that no files were accessed, viewed, or tampered with apart from those exfiltrated. The compromised SFTP was not the default platform, and certain products and customers were not affected. Finastra has emphasized "accuracy and transparency" in communication with customers, employing a third-party cybersecurity firm as well as "implement[ing] an alternative secure file sharing platform" while their investigation of the breach continues.
Editor's Note
[Neely]
The threat actor, or at least their persona abyss0, seems to have vanished, abandoning some transactions mid-stream. Given the success of recent law enforcement takedowns, one hopes there is a connection. Regardless, file interchange systems continue to be a target. Fully understand the risks of those used, and offered — Finastra's system was in-house — and make sure you have proactive monitoring. Check those incident response parts of your contracts, making sure all contacts are current and are part of the cyber provisions your procurement team incorporates into contract language. Having a good relationship with that team, as well as your OGC, goes a long way to stacking the deck in your favor.