Intelligence and Cybersecurity Agencies Urge Use of Encrypted Communications
(December 4 & 5, 2024)
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, and the US have jointly published Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The document underscores the threat posed by Chinese state-sponsored threat actors who have compromised telecommunications networks. The guidance notes that “although [it is] tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment.” The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have also advised US citizens to avoid using plain text communication channels, recommending encrypted phone and messaging apps that "prevent[] anyone -- including the app makers -- from accessing the communications of its users."
Editor's Note
[Ullrich]
It’s kind of ironic that agencies who lobbied in the past against encrypted communications realize now that the surveillance mechanisms they built into telecom networks are being used against them. This “Volt Typhoon” compromise of multiple telecommunications providers (even outside the US) is the best argument for strong end-to-end encryption.
[Pescatore]
Lack of end-to-end encryption of email and attachments still increases overall risk more than this issue. But ideally the publicity around this issue and China’s ease of compromising the major telecom carriers will give politicians the courage to pass badly needed legislation to force major improvements in security at all telecoms and messaging providers – which is needed if email is ever to become safe and trustable. Historical note: logins over the Internet were originally in the clear. In the early 1990s, telecoms providers were routinely compromised with network sniffers that harvested bulk account names and passwords. The growth of the World Wide Web and browsers raised the stakes, and in 1994 Netscape introduced SSL and the US Government released FIPS 140-1 standards for crypto. Finally, in 2001 or so, the US government required all web browsers and servers procured to be FIPS 140 compliant – SSL use for transport security exploded across all industries.
[Murray]
Transport Layer Security (TLS) has been the most widespread application of encryption. It is essential to the safe use of public networks. Governments, including the so-called "five eyes" nations have historically resisted the more widespread application of encryption because it raises the cost of law enforcement. This guidance represents a change in favor of national security at the expense of law enforcement.
[Honan]
Let this be a case study to those advocating backdoors into encryption protocols for lawful interception purposes: once you introduce a backdoor you have no guarantee that it will not be abused by various actors.
Read more in:
- www.cisa.gov: Enhanced Visibility and Hardening Guidance for Communications Infrastructure
- www.zdnet.com: FBI, CISA urge Americans to use secure messaging apps in wake of massive cyberattack
- www.forbes.com: FBI Warns iPhone And Android Users—Stop Sending Texts
- www.helpnetsecurity.com: 8 US telcos compromised, FBI advises Americans to use encrypted communications
Cisco Vulnerability Actively Exploited After a Decade
(December 2 & 3, 2024)
In a security advisory created in 2014 and updated on December 2, 2024, Cisco reports that their Product Security Incident Response Team (PSIRT) has now discovered "attempted exploitation" of a vulnerability in the Cisco Adaptive Security Appliance (ASA) that potentially allows a cross-site scripting attack. The flaw is rated medium severity and "allows remote attackers to inject arbitrary web script or HTML" due to "insufficient input validation of a parameter." Meny Har, co-founder and CEO of Opus Security, emphasizes that the severity rating is not indicative of the importance: "If you are a target of advanced threat actors, you need to care about the medium-severity issues, especially in critical infrastructure ... this is an XSS in a web VPN, meaning bad actors can hijack a user session and can impersonate them and use their privileges inside the organization. This issue, combined with a targeted email attack to trick someone with elevated privileges to click a link, makes this medium-severity XSS become a powerful chain attack.” There is no workaround for the vulnerability; Cisco recommends mitigating by updating to a fixed release.
Editor's Note
[Dukes]
Ugh, 10 years and we’re still reminding folks to update to fix a known vulnerability. That said, I must commend Cisco for designing an appliance that still performs 10 years later.
Collaboration and Regulation in OT & IoT Security
(December 3, 4, & 5, 2024)
"It’s not novel, but we want to underscore that as something that really helps," said Katherine Rawls about cybersecurity practices for operational technology systems at a December 3 conference on OT hosted by General Dynamics Information Technology (GDIT). From airports to oil pipelines to component supply chains, the criticality of transport infrastructure makes cybersecurity a priority and a challenge. Rawls states that the US Department of Transportation is collaborating with the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), the US Coast Guard, the Transportation Security Administration, and the Department of Energy to implement "baseline cybersecurity requirements." Recommendations include self-assessments, cybersecurity posture, risk assessment, and proper triage in mitigation. CISA Deputy Director Nitin Natarajan spoke at GDIT's conference to highlight workforce gaps and uncertain transition of knowledge as obstacles to OT security in legacy systems, with high risk to cyber-poor, yet high-value environments such as rural schools and hospitals. Meanwhile, a December 4 report by the US Government Accountability Office (GAO) found federal agencies failing to comply with cybersecurity requirements for taking inventory of Internet of Things (IoT) devices. The GAO determined that five of the six agencies requesting waivers for certain requirements did not merit the waivers. "Three agencies said they wouldn’t be able to finish their IoT inventories by Sept. 30, six did not share their time frames for doing so, and one — the Small Business Administration — said it does not use any IoT and therefore would not be compiling an inventory."
Editor's Note
[Frost]
I’m glad to see a focus on K-12 and Healthcare. Having worked in Healthcare at the start of my career, I never encountered considerations for BioMedical and Medical IoT when it came to security. Outside of “patching,” there is no real consensus on leveraging the Purdue model for OT in the medical space. Maybe instead of patching, we will see a move towards segmenting these devices. I don’t want to be hooked up to life-saving devices wondering if they will go down due to ransomware or other attacks.
[Neely]
The friction between regulatory requirements and resources. Regardless, make sure you know what OT systems and components you have and how they are protected, particularly whenever they are internet accessible. Then keep track.
[Dukes]
Every cybersecurity professional should be already aware of the importance of including internet facing devices within their cybersecurity program. An accurate and up-to-date inventory is a vital first step. That’s why the CIS Critical Security Controls prioritize them as Controls 1, 2, and 3 (Data Protection). It’s a joint responsibility of the IT and security staff.
Holiday Hack Challenge 2024: Snow-maggedon
Can you help the elves avoid Snow-maggedon? With the North Pole on the brink of catastrophe, Santa needs your help in cleaning up after massive cyber damage to save the holiday season!
I love how SANS keeps raising the bar!! If you are a cyber defender, this is well worth the time. As a participant over the years, I have learned something valuable every year (keep adding tools to your toolbox). Defenders must understand how attackers work (ttp). No matter your skill level, it will improve your ability to design and secure networks, systems and applications.
- SANS Holiday Hack Player
www.sans.org/mlp/holiday-hack-challenge-2024/
FTC Disciplines Data Brokers Over Sensitive Location Misuse
(December 3 & 4, 2024)
Two data brokers, Gravy Analytics (including subsidiary Venntel) and Mobilewalla, have been confronted by the FTC and barred from collecting and selling sensitive identifiable location data without consumer consent. Gravy and Venntel "collected and used consumers’ [non-anonymized] location data for commercial and government uses without obtaining consent from the individuals," and continued to do so with awareness of the lack of consent. "Venntel’s data, either on its own or through how it powers Babel Street, is widely used by law enforcement," with or without a warrant, including by US Customs and Border Protection, Immigration and Customs Enforcement (ICE), and the FBI. Sensitive locations include "medical facilities, such as those relating to substance abuse, reproductive care and psychiatry; religious organizations; correctional facilities; labor union offices; homeless shelters; groups providing services based on race and ethnicity; and military sites." Gravy and Venntel must delete or de-identify "historic location data" going back three years, as well as ensure customer consent for data collection and use through a "supplier assessment program." Any misleading statements about compliance and consent, collection and use of data, and de-identification of data are also prohibited. Mobilewalla unfairly collected data from real-time bidding and third-party data aggregators; data were not anonymized, with no procedure for doing so. "From 2018 to 2020, Mobilewalla collected in excess of 500 million unique consumer advertising identifiers matched to their precise location data," and used the information for targeted advertising profiles, including locations of political protesters, and women who visited health clinics.
"The FTC alleges that Mobilewalla’s actions not only compromised consumers’ personal privacy but exposed them to potential discrimination, physical violence, emotional distress, and other harms — risks consumers could not avoid given that most were unaware of the company’s activities." Mobilewalla is held to similar misrepresentation and consent standards as Gravy and Venntel, and is barred from "using, transferring, selling and disclosing sensitive location data."
Editor's Note
[Dukes]
The current patchwork of 18 State Data and Health privacy laws is not enough to protect citizens. It’s way past time for the US legislature to create a national data privacy law to guide how data is collected by apps and used by data aggregators.
[Murray]
A law regulating data brokers — requiring that they notify subjects of all PII held on them; requiring that they notify of any sale or other use or dissemination of that data; and making the brokers financially liable for compromises of that data — should be easier to pass than an omnibus privacy law but goes a long way toward accomplishing the objectives of a broader law. California legislature to the rescue?
[Frost]
The laws around this still need to be clarified. Data brokers will collect data until someone refuses to do so. The laws need to catch up to what they are doing.
[Neely]
Data broker or otherwise, it’s a good time to make sure that you have your content straight for any identifiable data. If you have to tell a story about how you're walking the line, maybe look more closely…
Read more in:
- www.ftc.gov: FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites
- www.ftc.gov: FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data
- www.theregister.com: FTC scolds two data brokers for allegedly selling your location to the meter
- techcrunch.com: FTC bans two data brokers from collecting and selling Americans’ sensitive location data
Update to Patch Two Veeam Vulnerabilities, Including Critical RCE Flaw
(December 3 & 4, 2024)
Veeam has published an advisory disclosing two vulnerabilities in Veeam Service Provider Console affecting version 8.1.0.21377, as well as all previous 8 and 7 builds. Both flaws were discovered during internal testing. CVE-2024-42448, CVSS score 9.9, allows remote code execution on the VSPC server machine by an authorized agent on the VSPC management agent machine. CVE-2024-42449, CVSS score 7.1, allows an attacker "to leak an NTLM hash of the VSPC server service account and delete files on the VSPC server machine" under the same authorized management agent condition. The only solution provided by Veeam is to update to Veeam Service Provider Console 8.1.0.21999.
Editor's Note
[Frost]
Veeam is a backup and disaster recovery leader. If you’re a Veeam customer, patch. Anyone that can access these systems can compromise your entire environment.
I-O Data: Router Zero-days are Being Actively Exploited
(December 4 & 5, 2024)
I-O Data has confirmed that three unpatched critical flaws in their routers are being actively exploited. A firmware update for an undocumented-features issue (CVE-2024-52564) that could be exploited to disable firewalls has been shipped; patches for the other two vulnerabilities, an information disclosure issue (CVE-2024-45841) and a remote arbitrary code execution flaw (CVE-2024-47133), are not expected to be available until December 18.
Editor's Note
[Murray]
Routers play a major role in perimeter security. They should be chosen and operated for security. Keeping them current is essential to the fulfillment of their role.
Chemonics Breach Affects 263,000 Individuals
(December 5, 2024)
Chemonics International, a contractor for the United States Agency for International Development (USAID), suffered a data breach earlier this year that exposed personal information of more than 263,000 people. Chemonics disclosed the breach on December 3, 2024. The company “became aware of suspicious activity related to certain user accounts” in mid-December 2023; an investigation revealed that intruders had access to Chemonics systems starting in May 2023. Affected data include “name, address, email address, date of birth, social security number, driver’s license or state ID information, passport information, US military ID information, tribal ID information, financial information, health and related information, usernames and passwords, biometric information, gender/sexual orientation information, and signatures.”
Editor's Note
[Murray]
The question arises as to why this information was even collected, much less retained at risk. Consider your data collection, retention, and protection policies.
[Dukes]
Umm, a year to finally notify users of a cyber incident likely affecting their private information. The good news is “that protecting personal information is something that Chemonics takes very seriously.” Perhaps that is what they said back in 2021 when they last suffered a data breach. Seems like cyber criminals have them on a two-year revisit cycle.
Read more in:
- therecord.media: Major USAID contractor Chemonics says 263,000 affected by 2023 data breach
- www.scworld.com: Chemonics discloses months-long breach affecting 263K people
- chemonics.com: Notice of Security Incident
iVerify’s Mobile Threat Hunting Feature Detects Pegasus Instances
(December 4, 2024)
In May 2024, iVerify launched their Mobile Threat Hunting feature. On December 4, they published a report of findings from the use of the feature. Of the 2,500 device scans that users submitted to iVerify, seven found instances of Pegasus spyware, some dating as far back as 2021. iVerify writes that their “investigation detected 2.5 infected devices per 1,000 scans – a rate significantly higher than any previously published reports.”
Read more in:
- iverify.io: iVerify Mobile Threat Investigation Uncovers New Pegasus Samples
- www.wired.com: A New Phone Scanner That Detects Spyware Has Already Found 7 Pegasus Infections
- www.darkreading.com: Pegasus Spyware Infections Proliferate Across iOS, Android Devices
- iverify.io: Engineering Threat Hunting for iOS and Android (June 10, 2024)
Ransomware Attack a Factor in Stoli Subsidiaries’ Bankruptcy Filing
(December 3, 2024)
Stoli Group USA and Kentucky Owl (KO) recently filed for bankruptcy. Both organizations are subsidiaries of Stoli Group, which suffered a ransomware attack in August of this year. According to the bankruptcy filing, “The attack caused substantial operational issues throughout all companies within the Stoli Group, including Stoli USA and KO, due to the Stoli Group’s enterprise resource planning (ERP) system being disabled and most of the Stoli Group’s internal processes (including accounting functions) being forced into a manual entry mode. These systems will be fully restored no earlier than in the first quarter of 2025.”
Editor's Note
[Murray]
Enterprise network vulnerability constitutes a risk to the health and continuity of the business. Directors and executive management take heed. Ensure that all essential and efficient measures are in place to ensure a safe and resilient enterprise.