Telefónica Discloses Breach
(January 10, 13, & 14, 2025)
Spanish multinational telecommunications firm Telefónica has disclosed a breach of their internal ticketing system. The disclosure was made following the appearance of information from Telefónica’s Jira database on a hacking forum. The system was reportedly breached using stolen employee credentials; Telefónica has reset passwords on affected accounts.
Editor's Note
[Honan]
In today's threat environment, implementing Multi-Factor Authentication (MFA) is now table stakes for all systems, but in particular sensitive systems, whether they are internal or external-facing. MFA should now be viewed in the same regard as seat belts in a car, and those that don't use MFA viewed in the same way as those who don't wear seat belts.
[Murray]
Strong authentication, multi-factor and resistant to fraudulent reuse, is both essential and efficient. Well-chosen and implemented, it is more convenient than so-called strong passwords, whose convenience goes down as their strength goes up.
[Neely]
The breach resulted in exfiltration of about 2.3GB of documents, tickets and data. Make sure you're tied into credential breach notification for proactive password changing, or better still, move away from reusable passwords. As this internal Jira system was breached with compromised credentials, I would ask what other controls should have been in place to prevent external access to an internal system.
[Dukes]
Credential harvesting has been on the rise over the last couple of years. It is perhaps the easiest means for an evildoer to access an organization and compromise it. Multi-factor authentication (MFA) has proven to be effective in mitigating loss of passwords. It's a best practice as part of Implementation Group 1 of the CIS Critical Security Controls.
UN Aviation Agency Data Breach
(January 8, 10, & 13, 2025)
The United Nations’ (UN’s) International Civil Aviation Organization (ICAO) has acknowledged that a data breach compromised more than 42,000 recruitment-related documents. ICAO has determined that the incident affects 11,929 people who applied to the agency between April 2016 and July 2024; compromised data include names, dates of birth, email addresses, and employment history.
Editor's Note
[Ullrich]
The ICAO statement that the breach does not affect the security of air traffic is solely based on the compromised system not being connected to any aviation systems. However, this does not consider whether the stolen data could be used to disrupt air traffic in the future. It is also unclear if this was a targeted attack or if ICAO just got caught in a threat actor vacuuming up data spilled by careless employment application systems, regardless of where the data originated.
[Dukes]
While the compromise is unfortunate, it would be helpful to understand what “…additional security measures [were implemented] to protect its systems from future attacks.” This way we all learn and can offer better protection against cyber-attacks.
[Murray]
Deciding whether one is a likely target of choice is fundamental to choosing one's risk tolerance and security policy. Most large enterprises should assume that they are targets of choice for so-called APTs and that they must be prepared to resist resourceful and persistent attacks.
[Neely]
This appears to be the work of the Natohub threat actor, who is claiming to have released the information. ICAO is reaching out to the affected individuals directly. While it is common to have resume/CV data online, during an application or background check additional sensitive data is combined with that information, and as an individual you should be prepared in case that data gets compromised. As an employer, make sure you have contingency plans for the compromise of these systems, which are often outsourced these days, to include notification, ID monitoring/restoration for individuals as well as having your responsibilities and liabilities clearly defined. Include your legal team.
Read more in:
- www.icao.int: Update-2: ICAO statement on reported security incident
- therecord.media: UN aviation agency ICAO confirms its recruitment database was hacked
- www.techmonitor.ai: UN aviation agency confirms nearly 12,000 affected by data breach
- www.bleepingcomputer.com: UN aviation agency confirms recruitment database security breach
Slovakian Land Registry Suffers Cyberattack
(January 10, 2025)
The Office of Geodesy, Cartography and Cadastre of the Slovak Republic (UGKK), the country’s land registry, suffered a cyberattack last week. The agency’s system has been temporarily removed from the internet while restoration is underway; it is not clear how long the recovery will take. Some reports indicate that a ransom demand has been made; government officials say the agency’s data are backed up. According to Pavlina Pavlova, a cyber policy expert from Slovakia and New America Fellow, “the real estate and mortgage markets are paralyzed, property transactions are stalled, purchases delayed, and some connected public services, such as issuing parking permits in Bratislava, are rendered inaccessible.”
Editor's Note
[Murray]
One question executive management might well ask is "what is the expected mean time to recovery from a ransomware attack." The answer to the question would be useful in choosing between prevention and recovery.
[Neely]
This appears to be another politically motivated attack; in this case indications are it came from Ukraine. The bigger concern is how long it will take to restore systems. Make sure that you have a clear understanding of your RTO and RPO, and that both your backups and team are sufficient (training, experience and equipment) to meet these. Be sure you've executed restorations, not just tabletops, which included running dummy transactions. You don't want to figure this out when the chips are down.
Hackers Who Breached US Treasury Systems Accessed Committee on Foreign Investment in the US Office
(January 10 & 13, 2025)
When Chinese state-sponsored cyberthreat actors breached the US Treasury Department's network in December, their targets included the network of the Committee on Foreign Investment in the US (CFIUS). CFIUS routinely investigates foreign investments in businesses and real estate transactions to determine whether they pose national security risks. Late last year, a new rule "significantly expand[ed CFIUS's] ability to review certain real estate transactions by foreign persons near more than 60 military bases and installations across 30 states."
Editor's Note
[Murray]
The security of any government systems, even those not essential to national security, may be essential to public trust and confidence and should be managed accordingly.
[Neely]
There is no shortage of political wrangling around foreign investment and control of US companies and assets, which will drive a lot of high-level conversations about what is behind the attack. There was also a similarly motivated attack targeting the Office of Foreign Assets Control (OFAC). The trick will be focusing on remediation and prevention of recurrence. The Treasury compromise leveraged an API key for the BeyondTrust remote support agent as well as a corresponding zero-day. Have you considered the risks of any remote support/assistance agents you have on systems, to include factoring in not only working from home but also changes relating to a zero-trust environment? Check in on that ubiquitous MFA implementation as well as your monitoring and response capabilities. Compare what information you're capturing against OMB's M-21-31 logging levels for possible gaps.
Read more in:
- www.cnn.com: Chinese hackers breached US government office that assesses foreign investments for national security risks
- www.theregister.com: Chinese cyber-spies peek over shoulder of officials probing real-estate deals near American military bases
- www.scworld.com: Chinese hackers breach office that reviews foreign investments in US
- www.securityweek.com: China Targeted Foreign Investment, Sanctions Offices in Treasury Hack: Reports
- www.bleepingcomputer.com: Treasury hackers also breached US foreign investments review office
- home.treasury.gov: Treasury Issues Final Rule Expanding CFIUS Coverage of Real Estate Transactions Around More Than 60 Military Installations
Microsoft Files Complaint Alleging Defendants Are Operating an Azure Abuse Network
(January 10, 2025)
Microsoft has filed a complaint in US District Court in Virginia, seeking "to disrupt cybercriminals who intentionally develop tools specifically designed to bypass the safety guardrails of generative AI services, including Microsoft's, to create offensive and harmful content." The December 19, 2024, complaint alleges that the unnamed individuals violated the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, the Lanham Act, and the Racketeer Influenced and Corrupt Organizations Act, as well as Virginia state laws.
Editor's Note
[Murray]
Given the focus on the potential for misuse and abuse of AI, one is left to wonder if the potential increase in productivity will be sufficient to justify its use.
[Neely]
The actors appear to have used API keys obtained from code repositories to access the Microsoft AI services. Microsoft provides guidance to not include these in code repositories, and states that advice is regularly ignored. Make sure that you're not including these in your code repositories. When discovered, have required procedures to not only purge them but also update these keys.
Read more in:
- blogs.microsoft.com: Taking legal action to protect the public from abusive AI-generated content
- cyberscoop.com: Microsoft moves to disrupt hacking-as-a-service scheme that’s bypassing AI safety measures
- arstechnica.com: Microsoft sues service for creating illicit content with its AI platform
- www.csoonline.com: Microsoft sues overseas threat actor group over abuse of OpenAI service
- storage.courtlistener.com: Complaint (PDF)
Phony LDAP Proof-of-Concept is Being Used to Deploy Infostealer
(January 10, 2025)
Researchers from TrendMicro have detected a fake proof-of-concept (PoC) exploit for a known vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that is being used to install an infostealer. The code is being hosted on GitHub. The high-severity out-of-bounds read vulnerability (CVE-2024-49113) could be exploited to create denial-of-service conditions. Microsoft addressed the vulnerability in their December Patch Tuesday security release.
Editor's Note
[Neely]
There are two issues. First, CVE-2024-49113, an LDAP denial of service flaw with a CVSS score of 7.5, which needs to be patched. Second, the fake PoC exploit for CVE-2024-49113, dubbed LDAPNightmare, which installs an infostealer on your system. Address the LDAP flaw by rolling the December 2024 patch bundle, which also addresses CVE-2024-49112, a remote code execution flaw. Next, get the IOCs from the TrendMicro blog post to check for LDAPNightmare activity. Make sure your exploit PoC researchers are using reputable/validated sources as well as sufficiently isolated environments. Consider not only reviewing the PoC code but also uploading binaries to VirusTotal before executing.
Aviatrix Controller Vulnerability
(January 11 & 13, 2025)
A critical OS command injection vulnerability in Aviatrix Controller is being actively exploited, according to researchers at Wiz. The vulnerability (CVE-2024-50603) “allows unauthenticated attackers to execute arbitrary commands on the system remotely.” Aviatrix recommends that users “install security patch CVE-2024-50603 - Critical Vulnerability Security Patch or update the Controller to either 7.1.4191 or 7.2.4996. Additionally, Aviatrix recommends following the Controller IP Access guidance and ensuring that the controller does not have port 443 exposed to the Internet.”
Editor's Note
[Neely]
CVE-2024-50603, improper handling of user parameters, has a CVSS score of 10.0. When the Aviatrix Controller is deployed to AWS, it allows privilege escalation by default. You need to take three steps here. First, upgrade to the latest version; second, restrict access to the controller regardless of how implemented; and lastly, forensicate your environment looking for the IOCs in the Wiz blog.
[Dukes]
Given that exploit code has existed for a week and that the controller operates with elevated privileges, this is a must-patch-immediately.
Read more in:
- www.wiz.io: Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)
- docs.aviatrix.com: Remote Code Execution Vulnerability in Aviatrix Controllers
- thehackernews.com: Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners
- www.theregister.com: Cryptojacking, backdoors abound as fiends abuse Aviatrix Controller bug
- www.bleepingcomputer.com: Hackers exploit critical Aviatrix Controller RCE flaw in attacks
- www.scworld.com: Critical 10.0 Aviatrix Controller flaw exploited in the wild
- www.darkreading.com: Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw
- nvd.nist.gov: CVE-2024-50603 Detail
Card Skimmer Malware Targets WordPress Sites
(January 9 & 13, 2025)
Researchers at Sucuri have identified payment card skimming malware that is being used to target WordPress websites by injecting JavaScript code into database tables. Sucuri writes that “the malicious code was embedded in the WordPress database under the wp_options table,” which allows it to evade detection by file-scanning tools and to maintain persistence on compromised sites.
Editor's Note
[Neely]
This is a database compromise, where malicious code is injected into the wp_options table, which isn't where you're normally looking for issues. Beyond looking for the IoC in the table, make sure you've got an active/enabled WAF, are actively keeping plugins updated, enforcing MFA on your WordPress accounts, and lastly (this is the hard one), remove and replace deprecated/abandoned/no-longer-supported plugins.
[Murray]
It is time to ask whether the vulnerability of WordPress is simply implementation-induced or fundamental, and whether the risk of its use can be managed to an acceptable level or whether it is a bad choice.
Read more in:
- blog.sucuri.net: Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection
- www.scworld.com: Malicious WordPress database entry, widget steals credit card info
- thehackernews.com: WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables
- www.techradar.com: WordPress users targeted by devious new credit card skimmer malware
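Because the skimmer described above lives in wp_options rather than on disk, a file scanner never sees it; the check below is an added example (not Sucuri's or WordPress's code) that queries the options table directly and flags option values carrying inline script tags, runtime decoding/evaluation calls, or long base64 blobs. It uses an in-memory SQLite table as a constructed stand-in for the MySQL wp_options table, and the flagged widget row is a made-up payload shape, not a real sample.

```python
import re
import sqlite3

# JavaScript constructs that have no business living in a WordPress option value:
# inline script tags, runtime decoding/evaluation, and long base64-looking blobs.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<script\b", re.IGNORECASE),
    "eval_call": re.compile(r"\beval\s*\("),
    "atob_call": re.compile(r"\batob\s*\("),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.IGNORECASE),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
}


def scan_options(conn):
    """Return [(option_name, [reasons])] for every wp_options row whose
    option_value matches at least one heuristic; reasons are sorted for
    stable output. Works against any DB-API connection exposing wp_options."""
    findings = []
    cur = conn.execute("SELECT option_name, option_value FROM wp_options")
    for name, value in cur:
        reasons = sorted(label for label, rx in SUSPICIOUS_PATTERNS.items()
                         if rx.search(value or ""))
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_db():
    """Constructed stand-in for a WordPress wp_options table (SQLite instead of
    MySQL) with three benign rows and one injected widget_block row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
                 "option_name TEXT, option_value TEXT, autoload TEXT)")
    rows = [
        ("siteurl", "https://shop.example", "yes"),
        ("blogname", "Example Shop", "yes"),
        ("widget_text", '{"title":"Hours","text":"Mon-Fri 9-5"}', "yes"),
        # Constructed malicious widget: an inline script that decodes itself at
        # runtime; the base64 body is filler, not a real skimmer payload.
        ("widget_block", '<script>eval(atob("' + "Q" * 96 + '"))</script>', "yes"),
    ]
    conn.executemany("INSERT INTO wp_options (option_name, option_value, autoload) "
                     "VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for option_name, reasons in scan_options(build_sample_db()):
        print(f"{option_name}: {', '.join(reasons)}")
```

Against a live site, point the same query at the real database (with the table prefix your install uses) and treat every hit as something to read by hand; widget and block options legitimately hold HTML, so the heuristics are a triage filter, not a verdict.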
CISA Adds Another BeyondTrust Vulnerability to KEV
(January 13 & 14, 2025)
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a second BeyondTrust vulnerability to their Known Exploited Vulnerabilities (KEV) catalog. The medium-severity OS command injection vulnerability (CVE-2024-12686), which affects BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products, was initially disclosed in December 2024. US Federal Civilian Executive Branch (FCEB) agencies have until February 3, 2025 to mitigate the issue. CISA added another BeyondTrust vulnerability to the KEV catalog in mid-December.
Editor's Note
[Neely]
BeyondTrust applied a patch to all their cloud hosted RS/PRA customers on December 16th. On-premises RS/PRA environments need to apply the patch, which fixes all versions 22.1.x and higher. If you're running versions older than 22.1, you'll need to upgrade before you'll be able to apply the patch.
SANS ISC Stormcast, Jan 14, 2025
This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets.
https://isc.sans.edu/podcastdetail/9278
SANS ISC Stormcast, Jan 13, 2025