FBI and French Authorities Delete PlugX Malware from US Devices
(January 14 & 15, 2025)
An affidavit unsealed in January 2025 by a Pennsylvania district court authorized and described an FBI operation, carried out in August 2024, in which US agents collaborated with French law enforcement and the cybersecurity firm Sekoia.io to unilaterally remove PlugX malware from thousands of Windows machines in the US. PlugX is a remote access trojan (RAT) that can spread via contaminated USB devices and maintains persistence through registry keys that run the malware at startup. The global malware campaign is associated with a Chinese state-sponsored hacking group tracked under various names including Mustang Panda and Twill Typhoon. French authorities seized the PlugX command and control (C2) IP address in 2023; the FBI then used it to send a self-destruct command that deleted all files created by the malware, deleted the malware's startup registry keys, and stopped and deleted the malware application and its directory. The operation affected any US-based device running a version of PlugX that contacted the C2 server; owners of affected devices will be notified by their internet service providers.
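The startup registry keys mentioned above are the usual place defenders look for this kind of persistence. As an added example (not from the newsletter's sources, and not reproducing any PlugX-specific value names or paths, which the item does not list), the following Python script parses a .reg export of the standard Run/RunOnce keys and flags entries that point into user-writable directories or use an unquoted path containing spaces. The export text is constructed; the user-writable directory list is an assumption to be tuned against your own software allowlist.

```python
"""Triage Windows autorun (Run key) entries exported as .reg text.

Added example, not from the page's sources: it does not reproduce PlugX's
own registry value names or file paths (the page lists none). The .reg
export below is constructed; the key paths are the standard Run/RunOnce
locations, the value names and commands are made up.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Autorun keys processed at logon; WOW6432Node covers 32-bit entries on 64-bit Windows.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Locations a standard user can write to; an autorun here is worth a look
# (assumption: you compare hits against your own software allowlist).
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%TEMP%|%APPDATA%)",
    re.IGNORECASE,
)

# Constructed .reg export (not a real host's export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /silent"
"LegacyAgent"="C:\\Program Files\\Legacy Agent\\agent.exe -start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"UpdaterSvc"="C:\\Users\\alice\\AppData\\Roaming\\UpdaterSvc.exe"
"Sync"="%TEMP%\\sync.exe"
'''

@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: Tuple[str, ...]

def _unescape(value: str) -> str:
    # .reg files write quotes as \" and backslashes as \\ inside string values.
    return value.replace('\\"', '"').replace("\\\\", "\\")

def _executable_path(command: str) -> str:
    """Program part of an autorun command: the quoted token, or up to '.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def triage_run_keys(reg_text: str) -> List[Finding]:
    """Flag autorun values that live in user-writable locations or use an
    unquoted path containing spaces (a classic persistence/hijack spot)."""
    findings: List[Finding] = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # ignore non-autorun keys
            continue
        m = VALUE_RE.match(line) if current_key else None
        if not m:
            continue
        name, command = m.group(1), _unescape(m.group(2))
        exe = _executable_path(command)
        reasons = []
        if USER_WRITABLE_RE.search(exe):
            reasons.append("user-writable location")
        if not command.startswith('"') and " " in exe:
            reasons.append("unquoted path with spaces")
        if reasons:
            findings.append(Finding(current_key, name, command, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG):
        print(f"{f.key}\n  {f.name} -> {f.command}\n  reasons: {', '.join(f.reasons)}")
```

Note that a legitimate per-user installer such as the OneDrive entry is flagged too: the script is a triage filter, and the allowlist review that follows it is where the signal comes from.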
Editor's Note
[Frost]
This is not the first time we have seen governments make this move; however, it does raise the question of what happens when international companies do this. I know this will sound off the wall, but what if you wanted to run PlugX? No one should, but this was forcefully uninstalled. Something rather interesting to consider is the line of delineation. Almost 100% of all users wanted this to occur, yet it is a thought experiment.
[Neely]
The PlugX takedown follows other actions against Volt Typhoon, Flax Typhoon and Fancy Bear, and it provides hints as to the resources and aggressiveness of these state-sponsored adversaries. For now, we've got a mulligan in that PlugX has been destroyed; what we still have to be aware of is the risk of malware spreading via USB drive. I know, that feels very Stuxnet-like. Make sure that your EDR is configured to scan USB drives. If possible, limit to only authorized devices; even better, require them to be encrypted.
Read more in:
- www.theregister.com: FBI wipes Chinese PlugX malware from thousands of Windows PCs in America
- regmedia.co.uk: Affidavit In Support of an Application for a Ninth Search and Seizure Warrant (PDF)
- therecord.media: DOJ deletes China-linked PlugX malware off more than 4,200 US computers
- www.nextgov.com: FBI deleted Chinese malware from 4,200 US computers
Biden Issues Comprehensive Executive Order on Cybersecurity
(January 16, 2025)
US President Joseph Biden has issued a sweeping Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity, which among other directives mandates verification of security standards in government systems and federal software contractors. The Department of Commerce is directed to issue guidance to businesses on cybersecurity best practices, creating a required baseline for any "companies seeking to do business with the government," and vendors who fail validation risk investigation by the Attorney General. All government IoT devices must carry the new Cyber Trust Mark label by January 4, 2027. The order gives CISA more access to agencies' security platforms to centralize defensive information and broaden its impact. Agencies must also shore up cloud platform authentication in the wake of recent attacks by China. President Biden directs the Department of Homeland Security (DHS), the Department of Commerce, and the National Science Foundation to prioritize comprehensive AI research, and directs DHS and the Department of Energy to investigate the application of AI to protect infrastructure. The order promotes agencies' adoption of digital identity documents, and includes "a provision requiring [The Office of Management and Budget] to help agencies reduce risks associated with concentration in the IT market," which WIRED calls "a not-so-veiled shot at Microsoft." Notably, the order also "gives the U.S. more authority to sanction hackers, namely ransomware groups that hold victims’ systems hostage in exchange for ransom payments."
Editor's Note
[Dukes]
Another EO on cybersecurity packed with a lot of "must do’s" for government systems and federal software contractors. While there is a lot to like in this EO, I’d first like to see full implementation by the government on the cybersecurity EOs that were issued four years ago. You know, things like implementing a zero-trust architecture and securing cloud instantiations. And, for the record, there already exists excellent guidance to businesses on cybersecurity best practices (i.e., NIST CSF, ISO 27001, CIS CSC, etc.).
[Neely]
It is not clear if this will get rolled back or modified with the change in administration, so agencies need to move forward as if it's going to be required. Increased pressure for secure-by-design software, and use of AI to increase the effectiveness of threat analysis and response are not unexpected, although the technology may not yet be mature enough to operate without considerable human oversight. The direction to provide CISA direct access to agency security platforms and conduct unannounced threat hunting exercises, if not handled properly, could undermine the existing security teams and decrease their effectiveness. If you're a supplier to US Agencies, you should bone up on new requirements which will affect you.
[Murray]
The Biden administration has taken more interest in infrastructure robustness and resilience than any since Clinton. (Dick Clarke, where are you when we really need you?) The recent success of Salt Typhoon has demonstrated the fragility of our infrastructure. It is to be hoped that the new administration will follow through on these initiatives. The SolarWinds fiasco goes beyond Windows to the von Neumann Architecture. We have known about the monoculture risk since before most computer users were born. We need more fundamentally securable systems (e.g. IBM iSeries) and application-only systems.
[Frost]
I would read through this EO a bit further, specifically around CTM (Cyber Trust Mark); however, bear in mind that this is a government-focused item, and in many portions of the Government, the technology is not always up to date. I see this as an obvious move forward. On the IoT side, remember that IoT also has a very long shelf life, so it could be after the following two presidential terms when you see these devices updated.
Read more in:
- www.whitehouse.gov: Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
- www.wired.com: A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and More
- www.nextgov.com: Biden signs executive order inspired by lessons from recent cyberattacks
Microsoft Patch Tuesday, January 2025
(January 14, 15, & 16, 2025)
Microsoft’s Patch Tuesday for January 2025 includes fixes for more than 200 vulnerabilities, 23 of which have been designated critical. Three of the flaws have been actively exploited, and five were disclosed prior to the security release. The three actively exploited vulnerabilities (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) affect the Hyper-V hypervisor, and are rated important. They can be exploited to attain system privileges. The critical flaws include remote code execution vulnerabilities in Windows Object Linking and Embedding (OLE) and Reliable Multicast Transport Driver (RMCAST).
Editor's Note
[Neely]
Microsoft is kicking off 2025 with a bang, providing the largest number of fixes in a single update since 2017. Microsoft is claiming to be leveraging AI in detecting bugs. A side effect is that the number of fixes may be larger for a bit, and with luck this will eventually decrease the number of newly discovered flaws. With this volume of fixes, you're going to need to choose carefully where you do regression testing to get the updates fully deployed before the next update is released. The fix to BitLocker (CVE-2025-21210) specifically closes a weakness where hibernation images could only be partially encrypted, allowing sensitive information to be retrieved. Hibernation has become preferable to sleep mode as it allows the laptop to power off, eliminating emissions detectable by thieves.
[Murray]
As good as Microsoft is at finding these vulnerabilities, it would be nice if they found and fixed them before distributing the code in the first place. The same methods should be applied to testing and quality assurance. The number of patches is once again in the high tens to low hundreds. As we have seen (SolarWinds), some large enterprises cannot accept the risk to mission-critical applications of applying patches without testing them in their own environments. The cost of such testing may go up with the number of patches. Patching is an inefficient way of making code fit for use, that is to say merchantable.
[Frost]
Speaking of Patch Tuesday, on the 16th of January, Synacktiv published their writeup of an October 2024 patch for SCCM that includes an unauthenticated SQL injection. I highly recommend you read through the entire writeup but, more importantly, patch SCCM as it is a critical piece of infrastructure. It’s been about 20 years; patches should be a regular thing for your environment by now, yet I still see companies running outdated systems.
Read more in:
- www.synacktiv.com: Microsoft Configuration Manager (ConfigMgr) 2403 Unauthenticated SQL injections
Six Vulnerabilities in Rsync; Patches are Available
(January 14 & 15, 2025)
A half-dozen recently disclosed vulnerabilities in the Rsync file synchronization tool include a pair of flaws that, when combined, could allow arbitrary code execution. CVE-2024-12084 is a critical heap-based buffer overflow vulnerability in the rsync daemon “due to improper handling of attacker-controlled checksum lengths (s2length) in the code.” CVE-2024-12085 is a high-severity vulnerability in the rsync daemon that can “be triggered when rsync compares file checksums.” The other four vulnerabilities are medium-severity issues. A Shodan search by BleepingComputer revealed “over 660,000 IP addresses with exposed Rsync servers.”
Editor's Note
[Frost]
Rsync is more heavily used than you think. This is a significant issue for many people and something most people have not considered. I highly encourage patching, specifically old systems.
[Neely]
Combining the heap buffer overflow and information leak flaws would allow a client to execute arbitrary code, requiring unauthenticated (anonymous) access. Step one, install the updated Rsync, not just the OS version, but also embedded copies provided with packages. While this affects version 3.3.0 and below, some of the updates, which address the issues, may not bring you up to version 3.3.1. The CMU site lists 78 different Linux versions and their state, and the majority are marked unknown.
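The two points in this item that bite in practice are the embedded rsync copies shipped inside other packages and the distributions that fix the bugs without moving the version string to 3.3.1. As an added example (not from the newsletter's sources), this Python script finds the rsync on PATH plus any executables named rsync under directories you name, runs `rsync --version`, and reports each as "ok", "verify" or "unknown"; the /opt/vendor/bin path is an assumption, and the "verify" status is deliberately not "vulnerable", because only the vendor advisory can settle a backported fix.

```python
"""Audit rsync binaries for the January 2025 fixes (rsync 3.3.1).

Added example, not from the page's sources. It locates rsync on PATH plus
any copies under directories you name (the embedded copies shipped with
other packages that Neely's note warns about), runs `rsync --version`,
and compares the reported version with 3.3.1. Anything below 3.3.1 is
reported as "verify", not "vulnerable": distributions may backport the
fixes without changing the version string, so the vendor advisory, not
the version alone, decides. The /opt/vendor/bin path is an assumption.
"""
import os
import re
import shutil
import subprocess
from typing import Iterable, List, Optional, Tuple

FIXED_VERSION = (3, 3, 1)  # release that carries the fixes, per the item above
VERSION_RE = re.compile(r"\bversion\s+(\d+)\.(\d+)\.(\d+)")

def parse_rsync_version(output: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from `rsync --version`, whose first line reads
    e.g. 'rsync  version 3.2.7  protocol version 31'."""
    m = VERSION_RE.search(output)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """'ok' at or above the fixed release, 'verify' below it (check the distro
    advisory for a backport), 'unknown' if the version could not be parsed."""
    if version is None:
        return "unknown"
    return "ok" if version >= FIXED_VERSION else "verify"

def find_rsync_binaries(extra_dirs: Iterable[str] = ()) -> List[str]:
    """The rsync on PATH plus every executable named 'rsync' under extra_dirs."""
    found = []
    on_path = shutil.which("rsync")
    if on_path:
        found.append(on_path)
    for top in extra_dirs:
        for root, _dirs, files in os.walk(top):  # silently empty for missing dirs
            if "rsync" in files:
                candidate = os.path.join(root, "rsync")
                if os.access(candidate, os.X_OK):
                    found.append(candidate)
    return sorted({os.path.realpath(p) for p in found})

def audit(extra_dirs: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """(path, version text, status) for each binary found."""
    results = []
    for path in find_rsync_binaries(extra_dirs):
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            out = ""
        ver = parse_rsync_version(out)
        results.append((path, ".".join(map(str, ver)) if ver else "?", classify(ver)))
    return results

if __name__ == "__main__":
    for path, ver, status in audit(["/opt/vendor/bin"]):
        print(f"{status:<8}{ver:<8}{path}")
```

Run it on each host with the directories where vendor software is installed; any "verify" line is then checked against that distribution's advisory for the six CVEs rather than assumed fixed or unfixed.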
Drone Manufacturer Shifts Compliance with FAA No-Fly Zone Rules to Consumers
(January 13, 14, & 15, 2025)
Chinese drone manufacturer DJI has updated its geofencing software in most US-sold products so that it no longer automatically enforces keeping the drones from entering US Federal Aviation Administration (FAA) designated no-fly zones. Drone operators will receive in-app alerts if their drones are approaching no-fly zones, but will bear sole responsibility for ensuring they do not enter areas where they are not permitted. DJI implemented a similar policy in the European Union last year. The announcement about drones sold in the US comes about a week after a DJI drone damaged and grounded a firefighting plane in California.
Editor's Note
[Ullrich]
This change affects, in particular, consumer devices that are predominantly used by hobbyists who may not always be aware of current regulations. Professionals with the respective licenses could always request an override for the geo-fencing feature. This change could be especially problematic for smaller devices that do not automatically broadcast their location.
[Neely]
The change is in part due to changes in regulations which make geofencing a non-essential control. DJI is moving the accountability for a drone operating inappropriately to the pilot, reminding them to always operate safely within local laws and regulations. No more pointing to the manufacturer when a drone is found where it's not supposed to be.
Read more in:
- viewpoints.dji.com: DJI Updates GEO System in U.S. Consumer & Enterprise Drones
- www.theregister.com: DJI loosens flight restrictions, decides to trust operators to follow FAA rules
- www.theverge.com: DJI will no longer stop drones from flying over airports, wildfires, and the White House
- www.pcmag.com: DJI Ditches Geofencing for Drones, Adds FAA Data Instead
FTC Will Require GoDaddy to Implement Data Security Program
(January 15 & 16, 2025)
According to a proposed settlement order, the US Federal Trade Commission (FTC) is requiring GoDaddy to “implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.” The FTC’s complaint alleges that since 2018, GoDaddy has failed to adopt “reasonable and appropriate security measures” and has misled customers regarding security protections provided by their web hosting services. According to the complaint, GoDaddy failed to “inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments.” While the FTC voted to accept the consent agreement, it will remain open to public comment for 30 days, at which time the commissioners will decide whether or not to finalize the agreement.
Editor's Note
[Dukes]
The FTC’s terminology is important here: “…failed to provide reasonable security…” Another example of an organization failing in implementing reasonable cybersecurity on its platform. The Center for Internet Security recently published ‘A Guide to Defining Reasonable Cybersecurity’ to specify what an organization must do to meet the standard of reasonable cybersecurity. Give it a look. www.cisecurity.org
[Neely]
GoDaddy has roughly 5 million hosting clients, and the security failings refer to breaches which occurred between 2019 and 2020. The FTC is hoping other web hosting companies take note of the GoDaddy situation and take action before they are subject to a similar requirement or complaint. Note that an FTC consent order, issued on a final basis, carries the weight of law, so this isn't something GoDaddy or others could casually ignore or sweep under the rug. This would be a good time to review your hosting provider's claims of security, monitoring, and updating, as well as how they are assessed and how often.
[Murray]
It seems insufficient to simply require that they do only what they should have been doing in the first place. Perhaps a fine large enough to impact profitability?
Gravy Analytics Discloses Data Breach
(January 7, 10, & 13, 2025)
A report filed with the Norwegian Data Protection Authority discloses a data breach of Unacast/Gravy Analytics' Amazon Web Services (AWS) cloud storage environment by an "unauthorized person" using a "misappropriated access key." The data broker was not aware of the breach until notified by the hacker on January 4, 2025, and has since taken its main website and associated domains offline and secured its AWS environment. Unacast posits that the stolen data are "associated with users of third-party services that supply this data to Gravy Analytics," which according to 404 Media may include "Tinder, Grindr, Candy Crush and several religious and pregnancy tracking apps." The total duration of unauthorized access and exact scope of data stolen remain under investigation, but this breach has the potential to expose millions of people's sensitive and personally identifiable location information. Norway's Unacast is the parent company of Gravy Analytics and its subsidiary Venntel, a major supplier of location data to US law enforcement. In December 2024, Gravy and Venntel were reprimanded for violations of the FTC Act, and barred from collecting and selling sensitive data without consent.
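A "misappropriated access key" leaves a trail in CloudTrail, and the question a SOC wants answered first is which long-term key touched storage from somewhere it never should have. As an added example (not from the newsletter's sources and not describing Unacast's environment), the Python below groups constructed CloudTrail records by IAM-user access key and reports keys that made sensitive S3 calls from outside a known-egress allowlist. The CloudTrail field names are the real ones; the CIDR allowlist, the sensitive-action list and the placeholder key IDs are assumptions.

```python
"""Hunt for misuse of a long-term AWS access key in CloudTrail records.

Added example for the Gravy Analytics item; the page says only that a
"misappropriated access key" was used against the company's AWS storage.
The events below are constructed (the key IDs are placeholders), and the
known-egress CIDRs and the list of sensitive S3 actions are assumptions
you would replace with your own. The CloudTrail field names used here
(eventTime, eventName, eventSource, sourceIPAddress, userIdentity.type,
userIdentity.accessKeyId) are the real ones.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed corporate egress ranges (documentation TEST-NET prefixes).
KNOWN_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
SENSITIVE_S3 = {"GetObject", "ListObjects", "ListObjectsV2", "ListBuckets", "CopyObject"}

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2025-01-02T14:05:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","userName":"etl-loader","accessKeyId":"AKIA0000000000EXAMPLE"}}
{"eventTime":"2025-01-02T14:06:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.5","userIdentity":{"type":"AssumedRole","accessKeyId":"ASIA0000000000EXAMPLE"}}
{"eventTime":"2025-01-03T02:11:09Z","eventSource":"s3.amazonaws.com","eventName":"ListObjectsV2","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","userName":"etl-loader","accessKeyId":"AKIA0000000000EXAMPLE"}}
{"eventTime":"2025-01-03T02:11:40Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","userName":"etl-loader","accessKeyId":"AKIA0000000000EXAMPLE"}}
{"eventTime":"2025-01-03T03:40:12Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.78","userIdentity":{"type":"IAMUser","userName":"etl-loader","accessKeyId":"AKIA0000000000EXAMPLE"}}
{"eventTime":"2025-01-03T09:00:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","sourceIPAddress":"192.0.2.90","userIdentity":{"type":"IAMUser","userName":"auditor","accessKeyId":"AKIA1111111111EXAMPLE"}}
{"eventTime":"2025-01-03T09:30:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","userName":"etl-loader","accessKeyId":"AKIA0000000000EXAMPLE"}}
"""

def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_long_term_key(record: dict) -> bool:
    """IAM-user keys are long-term credentials and start with 'AKIA';
    temporary STS credentials start with 'ASIA'."""
    ident = record.get("userIdentity", {})
    return ident.get("type") == "IAMUser" and str(ident.get("accessKeyId", "")).startswith("AKIA")

def source_class(ip_text: str) -> str:
    """'known' for allowlisted egress, 'external' for any other IP, and
    'service' when sourceIPAddress holds an AWS service name, not an IP."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "service"
    return "known" if any(addr in net for net in KNOWN_NETWORKS) else "external"

def find_suspicious_key_use(records: Iterable[dict], min_sensitive_calls: int = 1) -> Dict[str, dict]:
    """Per long-term key, count sensitive S3 calls made from outside the known
    networks; return the keys that reach the threshold with a summary."""
    per_key: Dict[str, dict] = defaultdict(
        lambda: {"external_ips": set(), "sensitive_calls": 0, "first": None, "last": None})
    for r in records:
        if not is_long_term_key(r) or source_class(r.get("sourceIPAddress", "")) != "external":
            continue
        s = per_key[r["userIdentity"]["accessKeyId"]]
        s["external_ips"].add(r["sourceIPAddress"])
        if r.get("eventSource") == "s3.amazonaws.com" and r.get("eventName") in SENSITIVE_S3:
            s["sensitive_calls"] += 1
        t = r.get("eventTime", "")  # ISO-8601 UTC, so string order is time order
        s["first"] = t if s["first"] is None or t < s["first"] else s["first"]
        s["last"] = t if s["last"] is None or t > s["last"] else s["last"]
    return {k: v for k, v in per_key.items() if v["sensitive_calls"] >= min_sensitive_calls}

if __name__ == "__main__":
    for key, s in find_suspicious_key_use(load_events(SAMPLE_LOG)).items():
        print(f"{key}: {s['sensitive_calls']} sensitive S3 calls from {sorted(s['external_ips'])} "
              f"between {s['first']} and {s['last']} -> rotate key, review the IAM user")
```

The first and last timestamps per key give the window to scope the investigation, which is the "duration of unauthorized access" question the item says is still open; the same grouping also tells you which key to rotate first.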
Editor's Note
[Dukes]
Yet another cyberattack that has at its core a compromise of identity credentials. Remember, two-factor authentication can help protect identity credentials and is widely considered a requirement for implementing reasonable cybersecurity.
[Neely]
Gravy Analytics is already banned from providing location data on Americans without consumer consent. Much of this data is gleaned from online ads. The best fix is to use ad blockers, or a mobile content blocker, as well as not enabling personalized advertising or tracking; on iOS this is under the Tracking settings and on Android this is under Privacy/Ads. If you don't have such a setting, regularly delete/reset your advertising ID. Lastly, only allow apps (and your browser) to access your location when needed.
[Murray]
It is fundamental and essential that private keys should be stored in high security modules (HSMs) such that they can be used but not read or duplicated.
Read more in:
- www.documentcloud.org: Datatilsynet Unacast Security Incident Notification Redacted
- www.nrk.no: Oppdaget datainnbrudd da hackeren tok kontakt (Discovered the data breach when the hacker made contact)
- techcrunch.com: A breach of Gravy Analytics’ huge trove of location data threatens the privacy of millions
- therecord.media: Major location data broker reports hack to Norwegian authorities
- www.404media.co: Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data (Paywall)
PowerSchool Breach Update: Historical Data Were Included
(January 13 & 15, 2025)
Additional information about the late 2024 data breach of PowerSchool systems has been shared with TechCrunch by school districts affected by the attack. Reports indicate that the attack was not limited to the approximately 18,000 school districts and their current students served by PowerSchool; rather, it also included data belonging to inactive former customers, and in some cases included historical data of alumni, former students, and former personnel going back over a decade, all accessible to the single subcontractor account compromised by the attacker. Mark Racine, co-founder of RootED solutions, notes "PowerSchool has achieved SOC 2 Type 2 certification," but suggests that the details of the attack "raises questions" about the company's compliance and monitoring.
Editor's Note
[Neely]
The short version is that ALL the PowerSchool data was accessed, affecting about 60 million students. The attack used a single compromised credential belonging to a sub-contractor. Beyond making sure a service provider has a SOC 2 Type 2 certification, make sure that you're not only using MFA, and supported monitoring to include timely account removal or lock-out, but also that you're performing permission reviews. Make sure that only current authorized accounts exist, but also that they are in the correct groups and that those groups only have the minimum access needed. Involve data, service, and process owners, who really know who should or should not have access to their data, and perform these reviews at least annually.
[Dukes]
Two points to make here: 1) Stolen credentials enabled the attack, and 2) Lack of basic cyber hygiene by the EdTech company led to loss of data. We’ve seen a dramatic increase in the theft of identity credentials over the last few years. It’s the easiest way for an evildoer to get into an organization's network. Once there, not doing the basics (patching, secure configuration, and monitoring) leads to privilege escalation and complete compromise. Bottom line, the company didn’t implement reasonable cybersecurity on its platform, leading to the loss of PII.
Read more in:
- techcrunch.com: PowerSchool data breach victims say hackers stole ‘all’ historical student and teacher data
- k12techpro.com: One week later and we still have questions about the PowerSchool breach
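Neely's note above asks for periodic permission reviews: only current authorized accounts exist, they sit in the right groups, and no account reaches more than it needs. As an added example (not PowerSchool's data model or tooling, and not from the newsletter's sources), the Python below runs such a review over a constructed account list: it reports excess group membership against a per-role baseline, accounts inactive beyond a window, contractor accounts past their end date, and non-admin accounts scoped to every district. The baseline, the 90-day window and the end-date rule are assumptions the data and service owners would set.

```python
"""Periodic access review: stale accounts, excess groups, over-broad scope.

Added example following Neely's note on the PowerSchool item; it is not
PowerSchool's data model or tooling. The accounts, groups, role baseline
and district scoping below are constructed; the 90-day inactivity window
and the end-date rule for contractor accounts are assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Minimum groups each role needs: the baseline the data owners sign off on.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "district-admin": {"students-read", "students-write", "staff-read"},
    "teacher": {"students-read"},
    "subcontractor-support": {"students-read"},
}
INACTIVE_DAYS = 90
REVIEW_DATE = date(2025, 1, 17)  # the "today" of this review (constructed)

# Constructed account export; a "*" district means access to every district.
SAMPLE_ACCOUNTS = [
    {"user": "jlee", "role": "district-admin", "enabled": True, "districts": ["d-041"],
     "groups": {"students-read", "students-write", "staff-read"}, "last_login": "2025-01-10", "end_date": None},
    {"user": "mkhan", "role": "teacher", "enabled": True, "districts": ["d-041"],
     "groups": {"students-read", "students-write"}, "last_login": "2024-12-20", "end_date": None},
    {"user": "vendor-svc1", "role": "subcontractor-support", "enabled": True, "districts": ["*"],
     "groups": {"students-read"}, "last_login": "2024-06-30", "end_date": "2024-09-30"},
    {"user": "pold", "role": "teacher", "enabled": False, "districts": ["d-041"],
     "groups": {"students-read"}, "last_login": "2023-02-01", "end_date": None},
    {"user": "tmp-import", "role": "etl", "enabled": True, "districts": ["d-041"],
     "groups": {"students-read"}, "last_login": None, "end_date": None},
]

def _parse(d: Optional[str]) -> Optional[date]:
    return date.fromisoformat(d) if d else None

def review_account(acct: dict, today: date = REVIEW_DATE, baseline=ROLE_BASELINE,
                   inactive_days: int = INACTIVE_DAYS) -> List[str]:
    """Issues for one enabled account; disabled accounts are out of scope here
    (deleting disabled accounts is a separate clean-up)."""
    if not acct["enabled"]:
        return []
    issues = []
    allowed = baseline.get(acct["role"])
    if allowed is None:
        issues.append(f"role '{acct['role']}' has no approved baseline")
    else:
        extra = sorted(acct["groups"] - allowed)
        if extra:
            issues.append("excess groups: " + ", ".join(extra))
    last = _parse(acct["last_login"])
    if last is None:
        issues.append("never logged in")
    elif today - last > timedelta(days=inactive_days):
        issues.append(f"inactive for {(today - last).days} days")
    end = _parse(acct["end_date"])
    if end is not None and end < today:
        issues.append(f"engagement ended {end.isoformat()} but account still enabled")
    if "*" in acct["districts"] and acct["role"] != "district-admin":
        issues.append("all-district scope on a non-admin role")
    return issues

def review_accounts(accounts, today: date = REVIEW_DATE) -> List[dict]:
    """Accounts with at least one issue, for the data/service owners to act on."""
    out = []
    for a in accounts:
        issues = review_account(a, today)
        if issues:
            out.append({"user": a["user"], "role": a["role"], "issues": issues})
    return out

if __name__ == "__main__":
    for r in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{r['user']} ({r['role']}):")
        for i in r["issues"]:
            print("  -", i)
```

The vendor-svc1 entry is the case the item describes: a subcontractor account, long idle, past its engagement date, still enabled and scoped to every district. Run against a real export, the output is the list the owners review at least annually.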
UK May Ban Ransomware Payments in Public Sector
(January 13 & 14, 2025)
In the wake of rising ransomware attacks on the UK's public sector, the government is consulting on proposals aimed at discouraging attackers by "banning all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, from making ransomware payments." Government departments are already banned from making such payments. Three main proposals are under consideration: banning ransomware payments by critical national infrastructure and public sector entities; involving the National Crime Agency (NCA) in intelligence gathering, guidance, and blocking payments; and instituting mandatory reporting of ransomware incidents. The announcement of the consultation highlights the threat of Russian attackers, and notes that the National Cyber Security Centre (NCSC) calls ransomware the "most immediate and disruptive threat to the UK's critical national infrastructure." The government's response and any resulting legislation will be introduced after the consultation period ends on April 8, 2025.
Editor's Note
[Neely]
Part of the plan is to force organizations to increase their ability to operate in spite of successful ransomware attacks. Beyond backups, tested plans need to be in place to continue operations, including rebuilding systems from backups.
[Dukes]
While I agree organizations shouldn’t pay ransoms, it can’t be a one-size-fits-all answer. Look at the recent discovery of an attacker using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data. Recovery is impossible without the encryption key, controlled by the evildoer. Granted, the organization failed in other aspects of its cybersecurity program (i.e., credential loss), but now you’re doubling the penalty – loss of business opportunity with loss of data; and liability for not implementing reasonable cybersecurity measures.
[Murray]
The risk is that such measures may have unintended consequences. We really need to be devoting more resources and creativity to identifying and punishing the perpetrators.
Read more in:
- www.gov.uk: World-leading proposals to protect businesses from cybercrime
- techcrunch.com: UK plans to ban public sector organizations from paying ransomware hackers
- therecord.media: UK proposes banning hospitals and schools from making ransomware payments
- www.theregister.com: UK floats ransomware payout ban for public sector
US Department of Health and Human Services Office for Civil Rights (HHS OCR) 2024 Overview
(January 16, 2025)
The US Department of Health and Human Services Office for Civil Rights (HHS OCR) maintains a database of all reported healthcare sector data security incidents that are currently under investigation and affect 500 or more individuals. A SecurityWeek analysis of the 2024 data found that the 585 reported breaches affected nearly 180 million user records. Of those 585 incidents, 440 were at healthcare providers, and nearly 100 were at healthcare business associates. The significant majority of the breaches were classified as hacking or IT incidents.
Editor's Note
[Murray]
The irony is that HIPAA, well-intended to not be prescriptive, has contributed to this situation by leaving too much responsibility to the healthcare providers that they are ill-equipped to meet. We should be prescribing those measures that are known to be both essential and efficient (e.g., strong authentication, network segmentation, encryption, hot backups) and not leaving it to each enterprise to discover and apply them.
[Dukes]
A concise summary of what we’ve known for the past few years: the healthcare sector is under constant attack. Will levying additional security controls on the sector, as proposed by HHS, help, or simply add to the security and cost burden the sector is dealing with?
[Neely]
These healthcare breaches are impacting many providers. Top impacts, out of a list of 873, are: Change Healthcare: 100 million individuals, Kaiser Permanente: 13.4 million, Ascension Health: 5.5 million, HealthEquity: 4.3 million, Concentra Health Services: 3.9 million, Centers for Medicare & Medicaid Services: 3.1 million, Acadian Ambulance Service: 2.8 million, A&A services (Sav-Rx): 2.8 million, and Integris Health: 2.3 million. The hard part is switching to a secure-by-design model for healthcare providers where life-safety is job 1. This is not entirely an IT problem, except that cyber & IT need to be prepared with secure implementations which meet mission objectives so they can execute rapidly.
Internet Storm Center StormCast, Friday, January 17, 2025
In this episode, we explore the efficient storage of honeypot logs in databases, issues with Citrix's Session Recording Agent and Windows Update. Ivanti is having another interesting security event and our SANS.edu graduate student Rich Green talks about his research on Passkeys. https://isc.sans.edu/podcastdetail/9284
Internet Storm Center StormCast, Thursday, January 16, 2025
Today's episode covers an odd 12 year old Netgear vulnerability that only received a proper CVE number last year. Learn about how to properly identify OpenID connect users and avoid domain name reuse. Good old rsync turns out to be in need of patching and Fortinet: Not sure if it needs patching. Probably it does. Go ahead and patch it.
https://isc.sans.edu/podcastdetail/9282
Internet Storm Center StormCast, Wednesday, January 15, 2025
Today, Microsoft Patch Tuesday headlines our news with Microsoft patching 209 vulnerabilities, some of which have already been exploited. Fortinet suspects a so far unpatched Node.js authentication bypass to be behind some recent exploits of FortiOS and FortiProxy devices.
https://isc.sans.edu/podcastdetail/9280
Microsoft January 2025 Patch Tuesday
This month's Microsoft patch update addresses a total of 209 vulnerabilities, including 12 classified as critical. Among these, 3 vulnerabilities have been actively exploited in the wild, and 5 have been disclosed prior to the patch release, marking them as zero-days.
https://isc.sans.edu/diary/rss/31590
Fortinet Security Advisory FG-IR-24-535 CVE-2024-55591
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
PRTG Network Monitor Update:
Update for an already exploited XSS vulnerability in Paessler PRTG Network Monitor CVE-2024-12833
https://www.paessler.com/prtg/history/stable