Known PHP Vulnerability is Being Exploited in Targeted Attacks
(March 6, 7, & 10, 2025)
There is a critical OS command injection vulnerability (CVE-2024-4577) in PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8 that can be exploited to achieve remote code execution. Researchers from Cisco Talos have detected a campaign exploiting this vulnerability, ongoing since at least January of this year, targeting organizations in Japan. The Talos researchers note that “the attacker utilizes plugins of the publicly available Cobalt Strike kit ‘TaoWu’ for post-exploitation activities.” Researchers from GreyNoise now “confirm that exploitation of CVE-2024-4577 extends far beyond initial reports.” There are nearly 80 known exploits for the vulnerability; a patch was made available last year.
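As an added example (not from the NewsBites text or from any of the cited vendors), a small Python inventory check against the fixed releases listed above; the `os_name` and `sapi` inputs are assumed to come from your own asset inventory, and the system-locale condition raised in the editor's note is not modelled:

```python
import re

# Fixed releases named in the summary: each listed 8.x branch is affected by
# CVE-2024-4577 before the release given here. Branches the summary does not
# list (for example end-of-life 8.0 or 7.x) are reported as "unlisted" rather
# than assumed safe.
FIXED_RELEASES = {
    (8, 1): (8, 1, 29),
    (8, 2): (8, 2, 20),
    (8, 3): (8, 3, 8),
}


def parse_php_version(version_string):
    """Turn '8.3.7', '8.2.20-1ubuntu2' or 'PHP 8.1.28 (cli)' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no x.y.z version found in {version_string!r}")
    return tuple(int(part) for part in m.groups())


def version_status(version_string):
    """Return 'vulnerable', 'fixed' or 'unlisted' for the given PHP version."""
    major, minor, patch = parse_php_version(version_string)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "vulnerable" if (major, minor, patch) < fixed else "fixed"


def assess_exposure(version_string, os_name, sapi):
    """Combine the version check with the platform conditions from the note:
    the affected code path is reached on Windows through the CGI SAPI.

    Assumed inputs: os_name is the platform label from your inventory
    ('Windows', 'Linux', ...) and sapi is the 'Server API' value reported by
    phpinfo() or `php -i` (e.g. 'CGI/FastCGI', 'apache2handler').
    """
    status = version_status(version_string)
    if status != "vulnerable":
        return status
    on_windows = os_name.lower().startswith("win")
    via_cgi = sapi.lower().startswith("cgi")
    if on_windows and via_cgi:
        return "exposed: patch immediately"
    return "vulnerable version, path not reachable on this host; patch anyway"
```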
Editor's Note
[Ullrich]
We have seen this exploited at least since last June in our ISC honeypots. Attackers exploiting it now are a bit late to the party, mopping up systems that the simpler automated attacks may have missed.
[Frost]
This is a doozy because it requires some history. First, the exploit was originally patched in 2012; CVE-2012-1823. Secondly, this was found by Orange Tsai of the Devcore team in 2024. The vulnerability is very “edge case,” which is why we see the attacks in specific countries. There is a feature of Windows that I knew about in Linux but was unaware of its name, which Windows refers to as “Best-Fit.” The idea is that UTF characters can be upgraded or downgraded to fit different UTF versions. Because of “Best-Fit” in Windows, there is a workaround to the 2012 patch by using different language sets, of which Traditional Chinese, Simplified Chinese, and Japanese are known to be vulnerable. If you have systems implemented in these languages, are running Windows as the OS, have a vulnerable version of PHP, and are running PHP-CGI, then you are vulnerable. What is surprising is that in Japan specifically, many systems have been impacted. Who knew?
Read more in:
- www.greynoise.io: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
- blog.talosintelligence.com: Unmasking the new persistent attacks on Japan
- labs.watchtowr.com: No Way, PHP Strikes Again! (CVE-2024-4577)
- www.securityweek.com: Mass Exploitation of Critical PHP Vulnerability Begins
- www.scworld.com: Critical 9.8 PHP flaw exploited in US, Japan and Singapore
- therecord.media: Bug affecting PHP scripts demands ‘immediate action from defenders globally’
- thehackernews.com: PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors
- devco.re: Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability
- nvd.nist.gov: CVE-2024-4577 Detail (June and December 2024)
Unauthorized Instances of Cobalt Strike Down 80 Percent Over Two Years
(March 7 & 10, 2025)
Cobalt Strike is a legitimate offensive security tool that has been used by threat actors to conduct malicious activity. Fortra, which purchased Cobalt Strike in 2020, notes in a recent blog post that “over the past two years, the number of unauthorized copies of Cobalt Strike observed in the wild has decreased by 80%.” The decline is being attributed to a collaborative effort between Fortra, Microsoft’s Digital Crimes Unit (DCU), and the Health Information Sharing and Analysis Center (Health-ISAC). In March 2023, the three entities obtained a court order allowing them to take down the “malicious infrastructure” used by threat actors exploiting Cobalt Strike for malicious purposes.
Editor's Note
[Ullrich]
At least part of the decline should be attributed to the emergence of different tools that offer an alternative to Cobalt Strike.
[Frost]
On the surface, this would seem like a win. I will, however, state a few things lost in the article here. First, it doesn’t analyze whether the attacker groups have moved to a different C2 infrastructure since the EDRs are tuned to shut down Cobalt Strike. The attacker groups could have moved to an alternative C2, of which there are many now, or their tooling. Second, this is just “known pirated CS.” What about unknown pirated CS? The other interesting thing to note is the three groups involved: Fortra (the makers of Cobalt Strike), Microsoft, and the HS-ISAC. I would suppose it is because of all the ransomware being deployed. What about the other ISACs? A win is always a win; however, I’m not sure what to make of this and how big of a win this is.
[Shpantzer]
This could be a feel-good news story for the community, but it won't save you as a target. Preventing, detecting, and responding to the use of Cobalt Strike and other tools like it should be the priority; between endpoint and network telemetry and detections, it's non-trivial but can be done.
[Dukes]
Kudos to everyone involved. The key is obtaining a court order and working with ISPs to take the infrastructure offline. Microsoft’s DCU is increasingly acting as a Cyber Health Organization. Keep up the good work!
Swiss Critical Infrastructure Operators Will Have 24 Hours to Report Cyberattacks
(March 7 & 10, 2025)
Critical infrastructure operators in Switzerland will soon be required to report cyberattacks within 24 hours. The mandate, which comes in the form of an amendment to the country’s Information Security Act, will take effect on April 1, 2025. Covered organizations will be required to report cyberattacks to Switzerland’s National Cybersecurity Centre (NCSC) when “the functionality of the affected critical infrastructure is endangered; [the incident] has resulted in manipulation or leakage of information; remained undetected for a long period of time, especially if there are indications that it was carried out in preparation for further cyberattacks; or involves blackmail, threats or coercion.” Following a six-month grace period, organizations failing to comply with the requirement will face fines of up to CHF 100,000 ($113,500).
Editor's Note
[Frost]
This type of reporting makes sense. If implemented correctly, upon being alerted of an incident in which critical infrastructure is affected, let someone know. Unlike the SEC form, there is arguably less “financial risk” and more of a “people could die risk.” That type of risk seems to be more in line with faster reporting than "we lost another 500,000 identities." Please add to the 2.3 trillion identities we have failed for the 6 billion people who live on this planet. I’m not minimizing the horribleness of either one, but immediate death seems to be prioritized in my head.
[Neely]
24 hours seems a bit short. Recall the response when India put in a similar restrictive timeframe. 48 or 72 hours allows for more analysis and a more organized report.
[Murray]
Given that time to detection of breaches (except for extortion attacks) is measured in weeks to months, the urgency should be on detection rather than reporting.
[Honan]
Re the Swiss reporting requirements, they are similar to those under the EU NIS2 (Network and Information Security Directive). Under NIS2, regulated entities must notify their regulator within 24 hours of becoming aware of a significant incident. Note this is a notification and not a full report. An additional report with more details is required within 72 hours. A full report should be given one month after the incident (note this can be extended if required and agreed with the regulator). The regulator can also request updates as required.
High Severity Vulnerabilities in ICONICS and Mitsubishi SCADA Systems
(March 7 & 10, 2025)
Last year, researchers from Palo Alto Networks Unit 42 identified five high-severity vulnerabilities affecting Mitsubishi Electric and ICONICS Suite Supervisory Control and Data Acquisition (SCADA) systems. The flaws could be exploited to gain elevated privileges, create denial-of-service (DoS) conditions, and, in certain cases, completely compromise unpatched systems. Unit 42 notified ICONICS of its findings, and ICONICS released patches, advisories, and workarounds to address the issues.
Editor's Note
[Dukes]
A good news story on how responsible vulnerability disclosure can work. The only missing piece is monitoring for exploitation whilst the patch is being developed, distributed, and implemented by affected organizations.
FBI Warning: Ransomware by Snail Mail
(March 6 & 7, 2025)
The US Federal Bureau of Investigation’s (FBI’s) Internet Crime Complaint Center (IC3) has published an alert warning that threat actors have been sending letters to C-suite executives, claiming that the targeted organization’s network has been infiltrated by ransomware actors. The letters claim the threat actors have stolen data and threaten to publish the information unless a ransom is paid.
Editor's Note
[Shpantzer]
Snail mail, USB/CD, email, browser, phone (SMS/call) are all vectors through which social engineering can happen. Be skeptical about any gifts, winnings, punishments and deadlines creating urgency and fear of loss.
[Neely]
This harkens back to chain letters of old. To be honest, as organizations' anti-scam guidance reminds you, they won’t call. This plays into leveraging an official-looking printed communication. Beyond educating users to be wary of this old school approach, also investigate ensuring your EDR and perimeter protections include blocking suspect or bogus sites, including mobile users.
[Dukes]
Cyber criminals going old school using postal mail. Seems horribly inefficient and prone to being ignored. What’s most disconcerting is the delivery to senior executives' homes as a form of intimidation. Just remember, cyber criminals are only after one thing, the payout.
[Frost]
Do people still read physical mail? I just wanted to get this straight: a ransom note for ransomware is being sent out. Does it have the letters cut out like in the movies?
[Murray]
Fast or slow, it is the content of the message that counts.
Read more in:
- www.ic3.gov: Mail Scam Targeting Corporate Executives Claims Ties to Ransomware
- cyberscoop.com: Ransomware poseurs are trying to extort businesses through physical letters
- www.securityweek.com: Fake Ransomware Attack Claims Sent to US Executives via Snail Mail
- www.scworld.com: Cybercriminals go old school with snail mail ransomware scheme
Recently Reported Healthcare Breaches Affect More Than Half a Million People
(March 10, 2025)
Four recently disclosed breaches at healthcare organizations affect more than 560,000 individuals in total. Kansas-based Sunflower Medical Group became aware of anomalous activity on its network in early January; an investigation revealed that intruders had had access to Sunflower’s systems since mid-December 2024. According to a filing with Maine’s Attorney General, the breach affects nearly 221,000 people. Gastroenterology Associates of Central Florida reported a breach affecting more than 122,000 people; Community Care Alliance in Rhode Island reported a breach affecting nearly 115,000 people; and Hillcrest Convalescent Center in North Carolina reported a breach affecting just over 106,000 people.
Editor's Note
[Neely]
Another week, another healthcare breach. Not hating on that industry; it’s going to take a lot of concentrated, well-resourced effort to stem this tide. Until the state of healthcare security improves, we need to assume breach of our data and take appropriate actions to protect our identities/etc.
[Dukes]
While unfortunate, the breaches serve as a reminder for organizations to regularly review their data retention policies. If you don’t have a business requirement to maintain social security numbers and driver's license numbers, then don’t.
[Frost]
How does a company that technically cannot have a bank account purchase IT equipment and secure systems? Do security vendors take suitcases full of cash? How does all this work?
Read more in:
- www.securityweek.com: 560,000 People Impacted Across Four Healthcare Data Breaches
- therecord.media: Kansas healthcare provider says more than 220,000 impacted by cyberattack
- sunflowermed.com: Notice of a Data Security Incident
- www.maine.gov: Data Breach Notifications (Sunflower)
- www.maine.gov: Data Breach Notifications (Gastroenterology Associates of Central Florida)
- www.maine.gov: Data Breach Notifications (Community Care Alliance)
- www.maine.gov: Data Breach Notifications (Hillcrest Convalescent Center, Inc.)
Microsoft Detected Malvertising Campaign Affecting 1M Windows Devices
(March 6, 7, & 10, 2025)
Late last year, researchers from Microsoft Threat Intelligence detected a malvertising campaign that targeted nearly one million Windows-based devices and attempted to exfiltrate sensitive data. In a detailed blog post, Microsoft Threat Intelligence writes, “The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms.” The blog offers their analysis of the malvertising campaign and details findings about the payloads used in the attack.
Former Employee Sabotaged Company Systems
(March 7, 8, & 10, 2025)
A US federal jury has convicted Davis Lu on the charge of causing intentional damage to protected computers, for sabotaging systems at his former place of employment. Lu worked as a software developer for an Ohio company from November 2007 until October 2019. “Following a 2018 corporate realignment that reduced his responsibilities and system access, Lu began sabotaging his employer’s systems … creat[ing] ‘infinite loops’ (in this case, code designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs), deleted coworker profile files, and implemented a ‘kill switch’ that would lock out all users if his credentials in the company’s active directory were disabled.” The charge carries a maximum prison sentence of 10 years.
Editor's Note
[Pescatore]
Eaton is a big company ($20+B revenue in 2024) and apparently has big problems with managing permissions and testing software for vulnerabilities and errors before pushing out to production. Good to see the perpetrator punished, but if I was an Eaton board member I’d want to see a long list of changes to prevent this from happening again. Something more like Eaton’s Zero Incident Safety Program for physical safety.
[Dukes]
Unfortunately this sort of attack continues to be a thing. It can take two forms: the first, a person being removed from the company and access not immediately revoked; the second, the person still employed becoming embittered and lashing out. The first is solvable via process; the second requires focusing on the signs of mental health and is far harder to prevent. This is even more difficult as leaders are increasingly managing a remote workforce.
[Murray]
Happy, well-adjusted employees do not come in and take the place apart. Disaffection grows over time. When the damage comes to light, few are surprised by who did it. Note the signs and take timely action.
Read more in:
- www.justice.gov: Texas Man Convicted of Sabotaging his Employer’s Computer Systems and Deleting Data
- www.securityweek.com: Developer Convicted for Hacking Former Employer’s Systems
- www.theregister.com: Developer sabotaged ex-employer with kill switch activated when he was let go
- www.bleepingcomputer.com: Developer guilty of using kill switch to sabotage employer's systems
City of Mission, Texas Cyberattack Results in State of Emergency
(March 4 & 7, 2025)
The city of Mission, Texas has asked the governor to declare a state of emergency following a cyberattack that compromised city government computer systems. According to a letter from Mission Mayor Norie Gonzalez Garza to Texas Governor Greg Abbott, the incident “could release protected personal information, protected health information, civil and criminal records, and/or any and all other data held by the City of Mission and all departments within the City.” Mission city systems have been taken offline, but emergency services are reportedly operational.
Editor's Note
[Dukes]
Seems like the State of Texas has borne the brunt of cyber-attacks, mostly ransomware, over the last 18 months. It’s probably time for the State to establish a minimum cybersecurity baseline and have all Texas municipalities be measured against it. While I know that municipalities want to keep their independence, they simply don’t have the resources available to protect themselves. I would look to Implementation Group 1 of the CIS Critical Security Controls for that minimum baseline.
SANS Internet StormCast Tuesday, March 11, 2025
Shellcode as UUIDs; Moxa Switch Vuln Updates; Opentext Vuln; Livewire Volt Vuln
https://isc.sans.edu/podcastdetail/9358
Shellcode Encoded in UUIDs
Attackers are using UUIDs to encode shellcode. The 128 bits (16 bytes) encoded in each UUID are converted back to shellcode to implement a Cobalt Strike beacon.
https://isc.sans.edu
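As an added example, not from the StormCast or ISC, a Python triage helper that pulls UUID literals out of a suspicious script and reassembles them into bytes so an analyst can see what was encoded; the sample script and its ASCII payload are constructed, and the Windows field layout (first three UUID fields little-endian) is an assumption to confirm against the real loader:

```python
import re
import uuid

UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)

# Constructed sample (not a real capture): a script fragment carrying its
# payload as a list of UUID literals. The payload is 32 bytes of plain ASCII,
# not shellcode, so the decoded result can be checked by eye.
SAMPLE_SCRIPT = """
$chunks = @(
    "706d6173-656c-7020-6179-6c6f61642c20",
    "62203233-7479-7365-206c-6f6e67212121"
)
"""


def extract_uuids(text):
    """Return every UUID-shaped literal in source order."""
    return UUID_RE.findall(text)


def uuids_to_bytes(uuids, windows_layout=True):
    """Reassemble 16 bytes per UUID.

    windows_layout=True reproduces the in-memory layout Windows' UuidFromString
    produces (first three fields little-endian, i.e. uuid.UUID.bytes_le);
    False uses the RFC 4122 string order (uuid.UUID.bytes). Which one a given
    loader relies on must be confirmed against the sample; the Windows layout
    is the assumption here.
    """
    out = bytearray()
    for u in uuids:
        parsed = uuid.UUID(u)
        out += parsed.bytes_le if windows_layout else parsed.bytes
    return bytes(out)


def triage(text, min_uuids=2):
    """Flag a text blob carrying a run of UUID literals and return the bytes
    decoded under both layouts for inspection. min_uuids is a tunable
    threshold; legitimate code also contains GUIDs, so raise it in practice."""
    found = extract_uuids(text)
    if len(found) < min_uuids:
        return None
    return {
        "count": len(found),
        "windows": uuids_to_bytes(found, windows_layout=True),
        "rfc4122": uuids_to_bytes(found, windows_layout=False),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT)
    print(result["count"], "UUID literals found")
    print("Windows layout :", result["windows"])
    print("RFC 4122 layout:", result["rfc4122"])
```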
Moxa CVE-2024-12297 Expanded to PT Switches
In January, Moxa first released an update to address a frontend authorization logic disclosure vulnerability. It has now updated the advisory to include the PT series switches as vulnerable.
https://www.moxa.com
Opentext Insufficiently Protected Credentials
https://portal.microfocus.com
Livewire Volt API vulnerability
https://github.com
SANS Internet StormCast Monday, March 10, 2025
Webshells; Undocumented ESP32 Commands; Camera Used For Ransomware Distribution
https://isc.sans.edu/podcastdetail/9356
Commonly Probed Webshell URLs
Many attackers deploy web shells to gain a foothold on vulnerable web servers. These web shells can also be taken over by parasitic exploits.
https://isc.sans.edu
Undocumented ESP32 Commands
A recent conference presentation by Tarlogic revealed several "backdoors" or undocumented features in the commonly used ESP32 Chipsets. Tarlogic also released a toolkit to make it easier to audit chipsets and find these hidden commands.
https://www.techspot.com
Camera Off: Akira deploys ransomware via Webcam
The Akira ransomware group was recently observed infecting a network with ransomware by taking advantage of a webcam.
https://www.s-rminform.com