Free technical content sponsored by Dragos, Inc.
November 7 | Exclusive OT Cybersecurity Event for Asset Owners & Operators
The Dragos Industrial Security Conference (DISC) 2024 is a free in-person event, hosted for the OT defenders working to keep our critical infrastructure safe against emerging cyber threats. Happening this year on November 7 in Hanover, Maryland, you’ll get the latest research and insights on industrial threats, malware, incidents, and vulnerabilities presented by our OT threat intelligence and field services teams, as well as the opportunity to network with OT experts and industry-leading practitioners. Get the information you need to better protect your OT systems against cyber vulnerabilities.
Register Your Interest Today: https://www.sans.org/info/230315
Supply Chain Attack Theorized in Hezbollah Device Explosions
(September 17, 18 & 19, 2024)
At 3:30pm on September 17, thousands of pagers exploded simultaneously in Lebanon and Syria, killing 12 and injuring over 2800. The following day, 20 more deaths and over 450 injuries resulted from a second wave of explosions, this time from walkie-talkies. Lebanese officials attribute the attacks to Israeli military intelligence; experts have theorized that the devices – purchased by Hezbollah in a recent initiative to protect communications by using older technology – were intercepted in the supply chain and modified. Analysis suggests the explosions were not consistent with induced battery malfunction, but more likely involved detonation of embedded explosives.
Editor's Note
[Pescatore]
Obviously, launching a physical supply compromise like this one takes a very sophisticated threat actor and long planning. Mailing explosive devices or poisoned/compromised USB sticks (or having them delivered) to key employees at your company does not. Use the publicity around this one to make sure mailroom security still exists and extends to how supplies are delivered to remote employees and board members – USPS Pub 166 (about.usps.com) is a good starting point.
[Dukes]
Supply chain attacks are difficult to detect and defeat. Although this one had a kinetic component, the same principle applies for software supply chain attacks – deny use or compromise communication of the device. As with most everything, supply chain attacks have a shelf-life before they are discovered or used.
[Neely]
It's not clear if the hardware was manipulated at the third-party manufacturer, or in transit to the distribution center. What we can do is make sure that we've verified the integrity of our devices when received, to include the distribution channel, and make sure that our issuance process is secure, particularly when sending devices to remote workers or locations. When purchasing through a third party or low-bidder VAR/DSB/etc., make sure you've had a conversation with them about supply chain security, and you understand and accept the risk of their processes. Even so, trust but verify. This is also a lesson in contingency planning. They moved from cell phones to pagers/walkie-talkies due to risk of compromise; what's plan C? RFC 1149 (IP over Avian Carriers)? Messengers with notes? Always have a plan C, D, E ready to go.
[Murray]
This attack exploited the target population's need for secure communication among its members and the attacker's total disregard for collateral damage. The conditions for its success are rare and the lessons so stark that it is not likely to be copied. The lessons include that the supply chain is long, opaque, and vulnerable.
[Frost]
There are many questions about how the interception happened, how the targeting happened, and why exactly this date was chosen. Now, what about fallout? Well, there will be heightened thoughts and scrutiny over physical devices. It is unclear how this would be done, given how many physical devices we all have, but the actual use case shows others how effective this can be.
Read more in:
- www.wired.com: Walkie-Talkies Explode in New Attack on Hezbollah
- www.wired.com: First Israel’s Exploding Pagers Maimed and Killed. Now Comes the Paranoia
- www.nextgov.com: Device detonations reveal ‘incredible’ intelligence abilities: ex-NSA chief
- www.theregister.com: Lebanon: At least nine dead, thousands hurt after Hezbollah pagers explode
- www.theregister.com: Lebanon now hit with deadly walkie-talkie blasts as Israel declares ‘new phase’ of war
- www.cnn.com: Walkie-talkies explode in Lebanon day after deadly pager attack
Human Rights Activists File Complaint Over Pegasus Spyware
(September 19, 2024)
Four human rights activists have filed a complaint with London's Metropolitan Police alleging that their mobile phones were targeted with Pegasus spyware by people working on behalf of certain nation states. The individuals filing the complaint hope that it will lead to charges being filed against NSO Group, which developed Pegasus. The complaint is detailed in a blog post from the Global Legal Action Network (GLAN).
Editor's Note
[Neely]
One of the messages from Apple withdrawing their lawsuit against NSO/Pegasus was that they are no longer the only game in town, and even with the increased security options for devices, we need to remember others have developed capabilities. I hope lawsuits like this serve to emphasize there are consequences for these attacks, and we still need to prepare our users travelling in areas where they can be targeted; e.g., current (hardware and software), fully updated burner devices with minimal data, in lockdown mode, checked for malware regularly.
[Murray]
The NSO business model is based upon the pretense that all their customers are legitimate and that software will not be copied. Government officials, journalists, and social activists are at particular risk and should take special precautions.
Read more in:
- www.glanlaw.org: New Criminal Complaint Over Pegasus Spyware Hacking of journalists and activists in the UK
- therecord.media: UK spyware victims file criminal complaint against NSO Group
- www.theregister.com: UK activists targeted with Pegasus spyware ask police to charge NSO Group
Dark Reading Confidential Podcast: Pen Test Arrests, Five Years Later
(September 10, 2024)
Five years ago this month, cybersecurity professionals Gary De Mercurio and Justin Wynn working for Coalfire were arrested while they were conducting a pen test at the Dallas County, Iowa courthouse. De Mercurio, Wynn, and Coalfire CEO Tom McAndrew join Dark Reading editor-in-chief Kelly Jackson Higgins and editor Becky Bracken to talk about “how the arrest and fallout has shaped their lives and careers as well as how it has transformed physical penetration tests for the cybersecurity industry as a whole.”
Editor's Note
[Dukes]
Fascinating discussion, highly recommend listening to the podcast. The law and its administration are a sight to behold. Bottom line, ensure contracts are in place before engaging in any work.
[Neely]
The Dark Reading interview brings out a lot of details which couldn't be shared five years ago, not only highlighting the importance of in-depth validation of permission for security testing, but the importance of support from all levels as well as the importance of politics and fully understanding not only who your stakeholders are but also who thinks (and will act like) they are.
Read more in:
- www.darkreading.com: Dark Reading Confidential: Pen Test Arrests, Five Years Later
Sponsored Links
Webcast: SANS 2024 ICS/OT Survey: The State of ICS/OT Cybersecurity | Wednesday, October 9, 10:30 AM ET | SANS Certified Instructor, Jason Christopher, explores the growing trends in cyber threats, vulnerabilities, and risks across industrial environments, including actionable recommendations for how organizations can improve their security posture. https://www.sans.org/info/230270
Webcast: General Quarters! The Impact of Cybersecurity on the Maritime Industry | Thursday, October 17, 11:30 ET | In this webcast, SANS experts will explore the critical role of cybersecurity in safeguarding maritime operations. Save your seat today! https://www.sans.org/info/230275
CloudSecNext Summit 2024 | October 1, 11:00 am ET | Explore cutting-edge solutions in cloud security with insights from seasoned experts. This track offers actionable strategies, case studies, and practical advice to help you secure your cloud infrastructure and stay ahead of evolving threats. Don't miss this opportunity! https://www.sans.org/info/230280
Hackers are Accessing Construction Company Systems Through Accounting Software Default Credentials
(September 17 & 18, 2024)
Researchers from Huntress have discovered an attack campaign targeting construction companies. The threat actors have been using default credentials to access instances of FOUNDATION Accounting Software. According to Huntress, the “software includes a Microsoft SQL Server (MSSQL) instance to handle its database operations,” and that instance is exposed to the internet so the product's mobile app can reach it. The attackers log in with the default passwords of the high-privilege MSSQL accounts that ship with the software; once authenticated, the xp_cmdshell extended stored procedure lets them run operating system commands on the host.
Editor's Note
[Pescatore]
If a building collapsed because a supplier sold a construction company scaffolding made of balsa wood but painted grey to look like metal, financial liability would easily flow to the offending supplier. Knowingly selling businesses software with balsawood-strength authentication should incur that same level of liability.
[Dukes]
Two wrongs here. First the use of default credentials (administrator); and second, not limiting password attempts by timed lockout. For the first, the application should not ship with default passwords but rather require the user to create a password during setup. For the second, the software vendor should include a disabled feature for its application after a defined number of password attempts. Both techniques are well established secure design practices.
[Neely]
We should all get a wee bit disturbed when we see default credentials. FOUNDATION uses an Internet accessible MSSQL server, with default SA and DBA passwords. Rotate these passwords, make sure xp_cmdshell is disabled, and limit internet access to Foundation. While the mobile app requires access to the MSSQL server, consider requiring a per-app VPN rather than exposing the service to anyone.
[Murray]
The software comes with default settings intended to make installation as easy and smooth as possible. This is particularly true for software likely to be installed by those who do not do it often. Once the application is up and running, it is easy to forget or forego changing those settings. Developers can do a better job of ensuring that the application is secure when the installation process is complete.
[Ullrich]
In particular, less "tech savvy" industries have a hard time securing their IT services. But it is important for them to realize that every industry is to some extent in the "IT Business" and relies on these systems to do their work effectively.
[Frost]
This one is interesting. Construction and home building are high-cost industries, and there is lots of money in this industry. The way this reads is that the mobile app connects directly to the MSSQL Database. I’m not sure if that is the case, but if it is, the app needs an architecture.
Read more in:
- www.huntress.com: Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software
- www.helpnetsecurity.com: Hackers breaching construction firms via specialized accounting software
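As an added example (this is not Huntress's or the FOUNDATION vendor's code), the following Python script makes a pass over SQL Server ERRORLOG lines and flags the two things Dukes and Neely call out above: a burst of failed logins for one account from one client (a product with no lockout leaves you to detect the guessing yourself) and a successful login to a default high-privilege account ('sa', 'dba') from outside your internal address ranges. The log lines are constructed in SQL Server's login-audit format, not captured from a real incident; the account names, threshold, window and internal ranges are assumptions to adjust for your install; and the success check only works if the instance's login auditing is set to record successful as well as failed logins (failed-only is the default).

```python
"""Detect password guessing and default-account logins in a SQL Server ERRORLOG.

Added example for the FOUNDATION item, not code from Huntress or the vendor.
Assumes SQL Server's ERRORLOG login-event format and that login auditing is set
to "Both failed and successful logins". Account names, threshold, window,
internal ranges and the sample lines are assumptions; the lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that ship with default passwords per the item above (assumed list).
DEFAULT_ACCOUNTS = {"sa", "dba"}
THRESHOLD = 5                   # failed logins from one client before alerting
WINDOW = timedelta(minutes=10)  # sliding window for counting failures
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# "<timestamp> Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) +Logon +"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_login_event(line):
    """Return a dict for a login line, or None for any other ERRORLOG line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "result": m["result"],
        "user": m["user"],
        "client": m["client"],
    }


def is_internal(client):
    """True for the assumed internal ranges and for non-IP clients such as '<local machine>'."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True  # shared-memory / named-pipe logins carry no IP
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return alert strings for (1) THRESHOLD failures for one user from one client
    inside WINDOW and (2) a successful login to a default account from outside
    INTERNAL_NETS, noting whether it followed a burst of failures."""
    alerts = []
    failures = defaultdict(list)  # (client, user) -> timestamps of recent failures
    reported = set()
    for line in lines:
        ev = parse_login_event(line)
        if ev is None:
            continue
        key = (ev["client"], ev["user"])
        recent = failures[key]
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > WINDOW:
                recent.pop(0)  # drop failures that fell out of the window
            if len(recent) >= THRESHOLD and key not in reported:
                reported.add(key)
                alerts.append(f"brute-force: {len(recent)} failed logins for "
                              f"'{ev['user']}' from {ev['client']} within {WINDOW}")
        elif ev["user"] in DEFAULT_ACCOUNTS and not is_internal(ev["client"]):
            tail = f" after {len(recent)} recent failures" if recent else ""
            alerts.append(f"default account '{ev['user']}' logged in from external "
                          f"client {ev['client']}{tail}")
    return alerts


# Constructed sample (203.0.113.5 is a documentation address standing in for an
# attacker): five bad passwords for 'sa', then a success, then a routine internal
# login by an application account. The "Error: 18456" line is ignored by the parser.
SAMPLE_ERRORLOG = """\
2024-09-17 03:30:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-17 03:30:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-17 03:30:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-17 03:30:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-17 03:30:05.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-17 03:30:06.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-17 03:30:08.19 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-17 08:15:22.01 Logon       Login succeeded for user 'foundation_app'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.23]
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG.splitlines()):
        print(alert)
```

Point it at a copy of the instance's ERRORLOG (or the output of xp_readerrorlog) rather than the sample. An alert is the prompt to act on Neely's mitigations above: rotate the default passwords, confirm xp_cmdshell is disabled, and take the MSSQL listener off the internet in favour of a per-app VPN for the mobile client.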
Patches Available for Vulnerabilities in VMware vCenter
(September 17, 2024)
Broadcom has released updates to address two security issues in VMware vCenter Server, which also affect VMware vSphere and VMware Cloud Foundation. The vulnerabilities are a critical heap-overflow issue in vCenter's DCERPC protocol implementation (CVE-2024-38812), which an attacker with network access to vCenter could trigger with a specially crafted packet to execute code, and a high-severity privilege escalation issue (CVE-2024-38813), which an attacker with network access could use to gain root. Users are urged to update to VMware vCenter Server 8.0 U3b or VMware vCenter Server 7.0 U3s.
Editor's Note
[Pescatore]
Important to both prioritize this update and check on all cloud/application service providers' update progress.
[Neely]
These vulnerabilities are both addressed with the same update. Make sure that you can login to your Broadcom support account to download the updates. If you haven't logged in since the acquisition, allow extra time. If you're still on vCenter 7 or Cloud Foundation 4.5, it's time to upgrade.
[Frost]
This is a nightmare. I have not heard of a glowing review of the acquisition, and one of the items that seems to have broken is the ability to download and gain access to software. If you use vCenter and the patches are fully available over vCenter, could you do so? Instead, you may have to call Broadcom, which has been less than great. One person told me that after hours on the phone trying to download a purchased copy of Fusion, the support person just emailed them a box link. Things are not going well, but don’t let that dissuade you from patching. The good news is that we have patches to fix; the bad news is that this may have been in the works for months, and I’m not exactly sure how many other patches we may be missing.
Read more in:
- blogs.vmware.com: VMSA-2024-0019: Questions & Answers
- support.broadcom.com: VMSA-2024-0019:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
- www.theregister.com: VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation
- nvd.nist.gov: CVE-2024-38812 Detail
- nvd.nist.gov: CVE-2024-38813 Detail
FTC Report on Social Media and Video Streaming Data Privacy Practices
(September 19, 2024)
In December 2020, the US Federal Trade Commission (FTC) ordered nine social media and video streaming services to disclose how they collect, use, and present information. The report released this week synthesizes the information those companies provided. Among the FTC’s findings: “Many companies collected and could indefinitely retain troves of data from and about users and non-users, and they did so in ways consumers might not expect; … they relied on selling advertising services to other businesses based largely on using the personal information of their users; there was a widespread application of algorithms, data analytics, or artificial intelligence (“AI”), to users’ and non-users’ personal information; and the trend … was that [the companies] failed to adequately protect children and teens.”
Editor's Note
[Dukes]
Just remember, free is not always free. At the end of the day, these social media companies are businesses, and they need a revenue model to satisfy their investors. The question becomes what ‘rights’ did users sign away as part of the account activation process. Bottom line, people like free services even with ‘strings’ attached.
[Neely]
The information on their practices was collected back in 2020 and is being released now as Congress is considering the Kids Online Safety Act (KOSA) and Children and Teens' Privacy and Protection Act (COPPA 2.0) to better regulate companies. The reality is that collecting, selling and leveraging this data is big business, and legislation plus user action is necessary to change these practices. It's not clear if consumers are willing to pay for a service which is free of both tracking and advertising, which will drive alternative means of monetizing user information for free services.
Read more in:
- www.ftc.gov: A Look Behind the Screens | Examining the Data Practices of Social Media and Video Streaming Services (PDF)
- www.ftc.gov: FTC Issues Orders to Nine Social Media and Video Streaming Services Seeking Data About How They Collect, Use, and Present Information (December 2020)
- therecord.media: FTC: Social media and video streaming companies violate user privacy on 'vast' scale
- www.bleepingcomputer.com: FTC exposes massive surveillance of kids, teens by social media giants
GitLab Critical Patch Release
(September 17 & 19, 2024)
GitLab’s most recent critical patch release addresses a critical SAML authentication bypass vulnerability (CVE-2024-45409) that affects both GitLab Community Edition and Enterprise Edition. The issue lies in the ruby-saml library, which did not properly verify the XML signature on SAML responses; an unauthenticated attacker holding any document signed by the identity provider could forge a SAML response and log in as an arbitrary user. Users are urged to update to GitLab 17.3.3, 17.2.7, 17.1.8, 17.0.8, or 16.11.10, which pull in the fixed ruby-saml versions 1.17.0 and 1.12.3.
Editor's Note
[Ullrich]
The patch updates libraries used to implement SAML.
[Frost]
Can we just all stop using SAML? It’s like the NTLMv1/v2 of IdPs. Basic Auth would be the LANMAN of IdPs.
[Neely]
CVE-2024-45409, CVSS score 10.0, in the ruby-saml library could allow login as any arbitrary user. If you're using omniauth-saml, this flaw is fixed in 2.2.1. The GitLab fix updates the dependencies for omniauth-saml to version 2.2.1 and ruby-saml to 1.17.0. Beyond updating your GitLab installation, consider GitLab's recommended mitigation to enable 2FA for all accounts and disallow the SAML two-factor bypass option.
Read more in:
- about.gitlab.com: GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10
- thehackernews.com: GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
- nvd.nist.gov: CVE-2024-45409 Detail
Another Ivanti Cloud Services Appliance Vulnerability Added to KEV Catalog
(September 19, 2024)
CVE-2024-8963 is a critical path traversal vulnerability affecting Ivanti’s Cloud Services Appliance (CSA) version 4.6 that is being actively exploited. The flaw “allow[s] a remote unauthenticated attacker to access restricted functionality.” Attackers are chaining it with CVE-2024-8190, an OS command injection vulnerability in CSA 4.6 that Ivanti disclosed earlier this month; together the two let an unauthenticated attacker bypass admin authentication and execute arbitrary commands on the appliance. Both vulnerabilities have been added to the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities Catalog.
Editor's Note
[Ullrich]
Luckily, this flaw was patched "incidentally" with the September 10th update that patched other flaws. But remember that this was the last patch to be released for CSA 4.6. Upgrade to CSA 5 and please restrict access to CSA as much as possible to reduce your attack surface. There are likely more vulnerabilities to come given the history of the product.
[Neely]
Ivanti CSA remains in the vulnerability crosshairs. While this latest issue (CVE-2024-8963) was addressed in 4.6 patch 519, it's still best to move to 5.0 as 4.6 is unsupported at this time. Unlike prior versions which were delivered as an appliance with an older OS, 5.0 can be built on your standard/current Linux, to include your EDR and hardening settings. Even so, don't forget to limit access to the management console.
Atlassian Security Updates
(September 19, 2024)
Atlassian’s September 2024 Security Bulletin includes fixes for four high-severity vulnerabilities. The flaws affect Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, and Crowd Data Center and Server. Two of the flaws affect multiple products. All four could be exploited to cause a denial of service.
Editor's Note
[Neely]
Atlassian continues to release security bulletins about once a month. All four DoS CVEs have a CVSS score of 7.5 (high) and were reported via their bug bounty program. Atlassian has provided guidance on version updates; take note of the recommended paths. Make sure you're on distribution for their bulletins and watching their vulnerability disclosure portal.