FCC and US Legislators Urge Better Telecom Security after Wiretap Breaches
(December 5 & 6, 2024)
Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced in a press release on December 5 that the FCC is taking decisive steps to hold telecommunications companies accountable for cybersecurity in the wake of the 2024 breach of US wiretap systems. The proposed regulations constitute "urgent action to safeguard the nation's communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People's Republic of China." The commission's draft Declaratory Ruling states that communications companies are responsible for securing their networks "from unlawful access or interruption" to comply with the Communications Assistance for Law Enforcement Act (CALEA), the same legislation that originally mandated the creation of the wiretap system. Communications providers would be directed to undergo a yearly certification process "attesting that they have created, updated, and implemented a cybersecurity risk management plan." Headline purposes for the proposed measures include strengthening national security, adapting to future threats, and building public trust in the safety of critical communications infrastructure. On December 6, House Homeland Security chair Mark Green (R-TN) expressed "bipartisan frustration" on behalf of Congress over the breach, urging that companies cooperate with an upcoming investigation of the breach by the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Safety Review Board.
Editor's Note
[Neely]
Note that the telecom security plans need to also address submarine cable security. In effect this updates the 30-year-old legislation (notably section 105) which requires telecom providers to be able to comply with wiretap requests while also making certain that any interception of communications can only be carried out with lawful authorization. The trick is to make sure these annual security reports don't turn into check-the-box exercises, but actually reflect risk-based decisions to secure these services.
[Dukes]
Certainly the increased oversight by the FCC is warranted, but just now coming to the opinion that telco providers must secure their networks is a bit underwhelming. With today’s use of information technology in every sector isn’t that a ‘standard duty of care’ expectation for all companies?
[Murray]
It seems unlikely that law enforcement in general, and the FBI in particular, not to mention the NSA, will be supportive of this guidance. CALEA cuts both ways.
Read more in:
- docs.fcc.gov: Chairwoman Rosenworcel Announces Agency Action to Require Telecom Carriers to Secure their Networks (PDF)
- www.theregister.com: Salt Typhoon forces FCC's hand on making telcos secure their networks
- www.scworld.com: Secure your networks from hacks like China’s Salt Typhoon
- therecord.media: Cooperate with Salt Typhoon probe, House chairman tells telecoms
- cdn.meritalk.com: FCC Pushing Telcos to Certify Security Amid Salt Typhoon Hacks
Romanian Election Annulled after Cyberattacks and Interference Campaign
(December 5 & 6, 2024)
Romania's election infrastructure suffered ongoing cyberattacks in the month leading up to the first round of voting in the country's presidential election on November 24, 2024. The estimated 85,000 attacks included the compromise of a Permanent Electoral Authority (AEP) map data server connected to the public web; the leaking of official election and voter registration site credentials; and attempted breaches of voting systems via "SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries." The attacks were concurrent with an "influence campaign" possibly conducted via payments to Romanian TikTok influencers in exchange for distributing promotional content for the "outsider" candidate who nominally won the first round. The country's intelligence service (SRI) and Ministry of Internal Affairs (MAI) suspect the cyberattacks and social media interference to be associated with "foreign state interests" aligned with Russia. On December 6, the Romanian Constitutional Court (CCR) annulled the results of the first round of voting.
Editor's Note
[Pescatore]
There is a critical issue here: In order to trust government, citizens must be able to trust the election process. But in order to trust the election process when software is involved, there has to be transparency and verification that is done outside of government agencies – or else selective release of previously classified information can be used to skew courts and legislators. We learned this lesson in commercial software, and election system use of software needs the same transparency and external validation. Another key issue: if online credentials are shareable, they are not sufficiently strong for use in online voting in elections, at any level.
[Neely]
While the decision to annul the first election is, itself, a tough call, what is not clear is what is being done to prevent recurrence. Ignoring the claims of social media influence, election system isolation, credential strengthening, and vulnerability management need to be addressed immediately so the integrity of the results can be ensured.
Read more in:
- www.ccr.ro: PRESS RELEASE, 6 December 2024
- www.bleepingcomputer.com: Romania's election systems targeted in over 85,000 cyberattacks
- therecord.media: Romania annuls presidential election over alleged Russian interference
- apnews.com: Romania's top court annuls first round of presidential vote won by far-right candidate
Romanian Power Company Suffers Cyberattack
(December 9, 2024)
In a December 9 press release shared by the London Stock Exchange, Electrica Group CEO Alexandru Aurelian Chirita disclosed an ongoing cyberattack. Electrica Group is a major supplier of power throughout Romania, providing electricity and energy system maintenance to approximately one fifth of the country's population. The statement assures customers that "critical systems have not been affected, and any disruptions in interaction with our consumers are the result of protective measures for internal infrastructure." While "response protocols" are being implemented, Chirita commits to communicating any developments and continuing to prioritize "continuity in the distribution and supply of electricity" and the protection of personal and company data. Chirita recommends that customers carefully vet any suspicious messages appearing to come from Electrica and "avoid providing personal data through unsecured channels." Romania's Ministry of Energy believes that Electrica suffered a ransomware attack, but that the company's industrial Supervisory Control and Data Acquisition (SCADA) systems were not affected.
Editor's Note
[Neely]
Critical infrastructure attacks are happening globally, and defenses need to be addressed. Regardless of the threat actor, basic measures such as segmentation and strong authentication need to be implemented and measured. Use a framework to organize your approach. It is likely the Romanian SCADA systems were not impacted simply because they are isolated.
[Dukes]
Another attack on critical infrastructure. While details are scant, Russia has in the past launched cyber-attacks on neighboring countries' electrical grids. The timing of the attack also coincides with the recent presidential election in Romania and claims of Russian election interference.
Neuberger Says Chinese State-Sponsored Threat Actors Recorded US Officials’ Phone Calls
(December 7 & 9, 2024)
Speaking at a security conference in Bahrain, US deputy national security advisor for cyber and emerging technology Anne Neuberger said that Chinese state-sponsored threat actors recorded phone calls made by senior US officials. Last week, “Neuberger confirmed eight US telecom providers had been compromised by Salt Typhoon along with organizations” in many other countries.
Editor's Note
[Neely]
Increased attention needs to be paid to critical infrastructure security. Salt Typhoon reminded us our telecom security wasn't where it needed to be, and we have had similar reminders in the healthcare, water and power sectors. If you're in the critical infrastructure business, don't wait for regulators to require increased security. While the proposed updated legislation from the FCC seeks to address the security of the networks which allow these attacks, telcos are going to need time to implement countermeasures to prevent recurrence. It remains a good idea to use end-to-end encrypted mechanisms for sensitive conversations. Even so, make sure you understand where the connection is protected and how.
[Murray]
It is not as though the authorities had not been warned that the mechanisms that they insisted upon in CALEA would be abused, misused, and attacked. It is a little late to take note of all the warnings and cautions.
Read more in:
- www.theregister.com: China's Salt Typhoon recorded top American officials' calls, says White House
- www.reuters.com: US alleges China hacked calls of 'very senior' political figures, official says
Water Utilities Cyber Readiness Program Enters Phase 2
(December 4, 2024)
The Cyber Readiness Institute (CRI), Foundation for Defense of Democracies (FDD), and Microsoft have published an interim report detailing feedback and strategy adjustments after Phase 1 of implementing a pilot Cyber Readiness Program for small and medium-sized US water utilities. The program aims to train a "Cyber Ready" culture, providing an identified Cyber Leader with guidance on "policies and incident response procedures," including learning modules, a playbook, training resources, and expert coaching. The report notes that 35 utilities have completed the program, and "there appears to be no statistically significant correlation between utility size and completion rates, nor between utility size and the impact of the Cyber Readiness Program." Feedback highlights the importance of the Cyber Coach, the impact of time limitations as an obstacle, and overall satisfaction with the impact of the program. In Phase 2, "CRI projects to recruit about three hundred utilities in Phase 2 to reach the goal of supporting one hundred and fifty utilities," with additional focus on coaches, improvements to the playbook, and revisions to streamline module completion.
Editor's Note
[Evans]
Most participants said the program was easy to follow and comprehend when compared to educational resources they encountered elsewhere. Even those participants with strong cyber backgrounds noted the program provided tools to help educate their colleagues. Multiple participants commented that the support they received from their cyber coach was invaluable in helping them implement the cybersecurity best practices the program articulates. Based on feedback, CRI is also remodeling the Cyber Readiness Playbook to make it even more intuitive and easy to use.
[Neely]
The CRI includes a CyberCoach which has proven successful in aiding the identification and adoption of appropriate security improvements. The trick is maintaining, to include updates as the threat landscape changes, an appropriate cyber security posture. I wonder if a similar approach would help other critical infrastructure providers.
Third-Party Micropatch for Windows NTLM Zero-Day
(December 5 & 6, 2024)
Researchers from ACROS security have discovered a flaw affecting "all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022," which could expose a user's NTLM credentials "by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page." Microsoft has been informed, but so far only the unofficial patch exists: ACROS maintains a service called 0patch which has released a free "micropatch" for this vulnerability. Micropatches are binary patches designed to apply to processes without restarting them or rebooting the system. Bleeping Computer raises a manual alternative, which is to reconfigure network security in Windows security settings to disable NTLM authentication, though the publication recommends testing this on non-critical machines first, understanding it can disrupt an environment's NTLM networking. Microsoft has responded to both The Register and Bleeping Computer with word that "We are investigating," and has previously stated plans to work on decommissioning the NTLM authentication protocol in favor of Kerberos.
Editor's Note
[Murray]
NTLM continues to be a source of vulnerabilities after only three decades. While it is to be hoped that none of our readers still use it, its continued use puts us all at risk.
[Neely]
The long-term fix is moving from NTLM to Kerberos. The short-term dilemma is whether to wait for Microsoft to publish a fix for Windows 10, 11, Server 2012, 2016, 2019 and 2022, disable NTLM, or apply the micropatch from ACROS's 0patch service. NTLM can be disabled via GPO (Security Settings > Local Policies > Security Options, Network Security: Restrict NTLM), but test first. The 0patch fix, which doesn't require a reboot, does require an account and running their agent, which you can do by creating a free trial. Have a discussion on the risks of deploying unofficial patches as well as licensing a service selected for this purpose.
Read more in:
- blog.0patch.com: URL File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it
- www.bleepingcomputer.com: New Windows zero-day exposes NTLM credentials, gets unofficial patch
- www.theregister.com: Micropatchers share 1-instruction fix for NTLM hash leak flaw in Windows 7+
OpenWrt Attended Sysupgrade Vulnerability
(December 9, 2024)
OpenWrt users are being urged to upgrade their images to ensure that a critical command injection and hash truncation flaw in OpenWrt Attended Sysupgrade is fixed. The vulnerability could have been exploited to distribute malicious firmware packages. Once the vulnerability was disclosed to OpenWrt developers, they fixed the issue within hours.
Editor's Note
[Neely]
Exploiting the flaw, CVE-2024-54143, CVSS 4 score 9.3, relies on hash collisions due to SHA-256 hashes being truncated to 48 bits (12 characters) rather than the full 256. The Attended SysUpgrade (ASU) function allows updating to new firmware while preserving previously manually installed/configured packages and settings, facilitating keeping OpenWrt devices updated. Update to the latest commits to address the flaw.
[Dukes]
Another supply chain attack to end the year on. What’s particularly interesting is the truncating of the hash to 48 bits, which speaks to a possible nation-state operation. Open-source software will continue to be targeted as it's become a key part of the software development cycle. Follow the developer’s guidance and update immediately.
Read more in:
- lists.openwrt.org: Security Advisory 2024-12-06-1 - OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection (CVE-2024-54143)
- www.securityweek.com: Critical OpenWrt Flaw Exposes Firmware Update Server to Exploitation
- www.theregister.com: OpenWrt orders router firmware updates after supply chain attack scare
- www.bleepingcomputer.com: OpenWrt Sysupgrade flaw let hackers push malicious firmware images
- nvd.nist.gov: CVE-2024-54143 Detail
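As an added illustration (not code from the OpenWrt advisory or the ASU server) of why the 48-bit truncation matters: a constructed cache key is compared both on its 12-character prefix and on the full digest, and the birthday bound shows that 48-bit collisions need on the order of 2^24 trials while 256 bits are out of reach. The key format and the inputs are assumptions made for the example; a smaller truncation (16 bits) is used to measure collisions empirically because the 48-bit case would take tens of millions of hashes.

```python
import hashlib
import hmac
import json
import math

def build_key(packages: list[str]) -> str:
    """Canonical request key: sorted package list as compact JSON, full SHA-256 hex.
    Constructed stand-in for an artifact cache key; not the ASU server's real format."""
    canonical = json.dumps(sorted(packages), separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def keys_match_truncated(a: str, b: str, hex_chars: int = 12) -> bool:
    """Weak comparison: only the first 12 hex characters (48 bits) are compared,
    which is the behaviour described in the advisory."""
    return a[:hex_chars] == b[:hex_chars]

def keys_match_full(a: str, b: str) -> bool:
    """Hardened comparison: the full 64-hex-character digest, in constant time."""
    return hmac.compare_digest(a, b)

def birthday_bound(bits: int) -> float:
    """Approximate number of random digests needed for a 50% chance that two collide:
    sqrt(pi/2 * 2^bits), i.e. about 1.25 * 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def count_collisions(bits: int, samples: int) -> int:
    """Count how many of `samples` distinct constructed inputs collide on a
    `bits`-bit digest prefix. A small `bits` value stands in for the 48-bit case."""
    prefix_chars = bits // 4          # 4 bits per hex character
    seen: set[str] = set()
    collisions = 0
    for i in range(samples):
        digest = hashlib.sha256(f"constructed-input-{i}".encode()).hexdigest()
        prefix = digest[:prefix_chars]
        if prefix in seen:
            collisions += 1
        seen.add(prefix)
    return collisions

if __name__ == "__main__":
    # 2,000 inputs on a 16-bit prefix (65,536 values) collide roughly 30 times;
    # the same inputs on the full 256-bit digest never collide.
    print("16-bit collisions:", count_collisions(16, 2000))
    print("256-bit collisions:", count_collisions(256, 2000))
    print("48-bit birthday bound:", int(birthday_bound(48)))
```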
Medical Device Manufacturer Suffers Data Breach
(December 9, 2024)
Artivion, Inc. has filed an 8-K form with the Securities and Exchange Commission (SEC) disclosing a "cybersecurity incident" and subsequent response measures beginning November 21. The company is a manufacturer and worldwide supplier of "implantable tissues for cardiac and vascular transplant applications." The form describes the attack as "the acquisition and encryption of files," and informs shareholders that though the effects of the attack are largely mitigated, ordering, shipping, and some corporate operations were disrupted, potentially leading to "additional costs that will not be covered by insurance." Artivion does not believe their "overall financial condition" will be materially impacted, but disclaims that this is not a guarantee.
Editor's Note
[Neely]
It looks like Artivion, formerly CryoLife, is recovering from a ransomware attack and is not certain what the long-term impacts will be, so they are hedging their bets on the material impact statement. What appears missing is communication, other than the 8-K, on the outage and recovery/system status. If an incident warrants an SEC filing, it warrants transparent communication.
[Dukes]
The use of terms like 'acquisition and encryption' tells us this was a ransomware attack. Also, that no ransomware gang has claimed responsibility tells us that a ransom was likely paid. We can look forward to more ransomware events in 2025.
Read more in:
- techcrunch.com: US medical device giant Artivion says hackers stole files during cybersecurity incident
- www.securityweek.com: Medical Device Maker Artivion Scrambling to Restore Systems After Ransomware Attack
- www.sec.gov: Form 8-K, Artivion Inc.
Another Scattered Spider Suspect Charged
(December 6, 2024)
US federal prosecutors have charged a California resident with wire fraud and aggravated identity theft for allegedly conducting phishing attacks that targeted telecommunications companies and a financial institution. Remington Ogletree is believed to be at least the sixth alleged member of a hacking group known as Scattered Spider.
Editor's Note
[Neely]
Ogletree used a combination of techniques, including social engineering, to obtain the credentials needed to access target networks, then leveraged stolen API keys to access customer accounts and tried to send about 8.5 million phishing texts intended to steal cryptocurrency; that activity allowed investigators to track back to the iCloud account being used to test the account, and ultimately to Ogletree himself. Make sure to leverage available message filtering options, and ensure your users are aware of attempts to engineer unauthorized access, backed up by broad use of MFA, segmentation, and monitoring for inappropriate or unexpected interactions.