Google LLM “Big Sleep” Finds SQLite Zero-Day
(November 1, 3, & 4, 2024)
A November 1 blog post from Google's Project Zero details "possibly the first example of an AI agent finding an exploitable memory safety issue in real-world software," in which their LLM, Project Naptime -- now "Big Sleep," involving both Google and DeepMind -- uncovered a stack-based buffer overflow in the SQLite open source database engine. Rather than open-ended searching, the project has been targeting in-the-wild vulnerabilities by looking for variations on patched flaws. Big Sleep took a known vulnerability as a starting point and investigated recent commits for similar security issues, finding the vulnerability in code yet to be released. Once discovered and disclosed, the flaw was patched by SQLite the same day. Google reports that its AFL fuzzer "has reached a natural saturation point" in its ability to uncover bugs in SQLite; 150 CPU-hours of fuzzing did not detect the same issue. The team still believes a "target-specific fuzzer" would have similar efficacy, but is optimistic about AI's potential for helping defenders gain an "asymmetric advantage."
Editor's Note
[Neely]
SQLite was selected after a null-pointer dereference flaw was discovered by Team Atlanta at the DARPA AixCC event earlier this year. This effort shows how an LLM could be used to augment your SQA processes, with the caveat that it's based on information from fixed flaws to find new flaws. With continued emphasis from CISA and others on secure code and continuous validation (and attestation) of that security/SBOMs/etc., keep an eye on this approach to aid your ability to meet those emerging requirements.
Read more in:
- googleprojectzero.blogspot.com: From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code
- therecord.media: Google uses large language model to discover real-world vulnerability
- www.securityweek.com: Google Says Its AI Found SQLite Vulnerability That Fuzzing Missed
- thehackernews.com: Google's AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine
Microsoft Delays Recall Feature Another Month
(October 31 & November 1, 2024)
Already held back twice since Microsoft's release of the AI-capable Copilot Plus PC in June 2024, the Recall tool has been delayed again until December 2024, "pending further internal review," possibly due to privacy and security risks. The feature is meant to allow search, retrieval, and timeline-based browsing of anything previously displayed on screen, by using AI to continually capture and analyze screenshots. Recall has been described since its announcement as a cybersecurity "disaster" and "privacy nightmare," as it initially stored all its screenshots in an unsecured and unencrypted database (the screenshots were unmoderated, openly storing sensitive data like credentials and bank account information, though not DRM-protected content), and was installed and activated on an opt-out basis. Since the second delay in August, Microsoft has added encryption to the screenshot database and switched to an opt-in model. The company has also confirmed that it will be possible for users to completely uninstall Recall. Microsoft characterizes this latest delay as "refin[ing] the experience;" Casey Ellis of Bugcrowd speculated to Dark Reading that Microsoft is waiting to observe response to the "Computer Use" feature from Anthropic's Claude AI, which shares some functions and risks with Recall.
Editor's Note
[Neely]
Microsoft is using VBS Enclaves with Windows Hello Enhanced Sign-in Security to manage access to the encrypted data, which includes a timeout as well as future session authorization requests from the end-user. That authorization should thwart malware attempting to access or steal the data. With all the pressure to deliver AI-enhanced (or augmented) solutions, it's important to remember to take a pause to ensure the security is right, as well as consider the ROI of adding those functions to a product. It may be that even with user opt-in and enhanced security, the feature remains a bad idea.
Read more in:
- www.darkreading.com: Privacy Anxiety Pushes Microsoft Recall AI Release Again
- www.cnet.com: Microsoft's AI Recall Tool Faces Another Delay Amid Privacy Concerns
- www.theverge.com: Microsoft just delayed Recall again
- www.theverge.com: Windows AI feature that screenshots everything labeled a security ‘disaster’ (June 3, 2024)
- www.theverge.com: Microsoft’s all-knowing Recall AI feature is being delayed (June 13, 2024)
- www.theverge.com: Microsoft’s Recall AI feature won’t be available for Windows testers until October (Aug 21, 2024)
Okta Fixes Long Username Authorization Bypass Vulnerability
(November 2 & 4, 2024)
Okta has published an advisory warning that long usernames (more than 52 characters) could be exploited to allow bypass of Okta AD/LDAP delegated authentication (DelAuth). Additional conditions needed to be met for the exploit to work: the user needs to have previously authenticated, creating an authentication cache. The issue did not affect organizations using multi-factor authentication (MFA). The flaw was introduced in a July 2024 update; Okta discovered the problem and it “was resolved in Okta's production environment on October 30, 2024.”
Editor's Note
[Neely]
Long ago, we had a rule: 1, 2, 3, many. Where you were ready only for short input, or unlimited. Okta switched from the Bcrypt to PBKDF2 cryptographic algorithms to fix the vulnerability. Okta also recommends moving to MFA, particularly phishing-resistant authentication.
[Dukes]
Wow, what a curious bug. Now we’ll have the debate on the use of email addresses as the username, and whether that is or isn’t a good idea. What’s head scratching though, is that Okta, an identity solution provider, doesn’t mandate the use of MFA for all users.
Read more in:
- trust.okta.com: Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory
- www.engadget.com: Okta vulnerability allowed accounts with long usernames to log in without a password
- www.theregister.com: Why the long name? Okta discloses auth bypass bug affecting 52-character usernames
- www.darkreading.com: Okta Fixes Auth Bypass Bug After 3-Month Lull
Microsoft Threat Intelligence Blog: State-Sponsored Threat Actors Using SOHO Botnet
(October 31 & November 1, 2024)
In a blog post, Microsoft Threat Intelligence writes that over the last 14 months, they have “observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks.” The source of the attacks appears to be a covert network made up of compromised small office and home office (SOHO) routers used by Chinese state-sponsored threat actors. Microsoft has notified customers affected by this activity.
Editor's Note
[Neely]
Two things going on here — first, the SOHO devices targeted appear to be TP-Link devices. After compromise, the attackers install Telnet and grab the backdoor binary then create a command shell on TCP Port 7777. Second, they begin password spray attacks to compromise services. We can reduce the effectiveness of the spray attacks via MFA. The compromise vector for the SOHO devices is not known; you can make sure that you've disabled WAN admin access, ensure they are updated, and change default passwords.
Read more in:
- www.microsoft.com: Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network
- arstechnica.com: Thousands of hacked TP-Link routers used in yearslong account takeover attacks
- thehackernews.com: Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft
California County Court Systems Disrupted by Cyber Incident
(November 1, 2024)
The San Joaquin County, California Superior Court became aware of “unusual activity” on some of their systems in late October. They isolated their systems from the Internet, which has disrupted the availability of certain public services, including phones and fax lines, websites that contain reporting instructions for jurors, and “all online services, including e-filing, on-line dispute resolution, support tickets, and online payments are temporarily unavailable.”
Editor's Note
[Neely]
Early detection and prompt action are critical for the current threat environment. While we spend a lot of time talking about MFA, updates and segmentation, monitoring and response are as important if not more so. Talk to your SOC to make sure they have sufficient tooling as well as needed support to take action when an attack is discovered. If you have business with the San Joaquin County courts, read their website for information; it's comprehensive.
[Dukes]
Contrast this with the Irish Technical University cyber-incident, where they were back online within a day or two (story below). Every organization should plan for a ransomware cyberattack and regularly test their incident response plan, adjusting the plan as needed.
Irish Technical University Cancelled Monday Classes Following “Cybersecurity Incident”
(November 1 & 4, 2024)
Ireland’s South East Technological University (SETU) Waterford campus notified students that the institution is “actively dealing with a cybersecurity incident that has targeted [their] IT systems.” SETU cancelled classes scheduled for Monday, November 4th; they expect classes to resume on Tuesday the 5th, but caution that staff and students may still experience disruptions.
Editor's Note
[Neely]
The Waterford campus is operating without Internet, file shares, email, or access to Moodle (their LLM). Classes were cancelled Monday to allow teachers to prepare to deliver without these services, to include printing material from home systems. The incident is still being investigated and it's unlikely they will know the full extent of the damage until next week.
[Dukes]
Although in the early stages of recovery, the University has come back online quickly. Two takeaways: 1) it appears the incident was detected quickly by the IT team; and 2) the recovery plan was rock solid with what appears to be minimal impact on operations. The University should share its lessons learned to the broader education community.
Read more in:
- www.setu.ie: Statement on cybersecurity incident - update
- www.rte.ie: SETU Waterford campuses hit by cyberattack, Monday classes cancelled
- therecord.media: Cyberattack disrupts classes at Irish technology university
Colorado Voting System Passwords Partially Leaked, Changed
(October 29, 30, & 31, 2024)
On October 19, 2024, the Colorado Department of State issued a press release addressing "over 600 BIOS passwords for voting system components in 63 of the state's 64 counties ... not encrypted or otherwise protected," which were accessible for at least two months in a publicly hosted spreadsheet. The release refers to "partial passwords," stating that two separately held passwords must be entered in person for each system component. Jena Griswold, Colorado Secretary of State, gives assurance that "many layers of security," both physical and digital, protect the voting system, including locked rooms secured by ID badge and access log, on-site video surveillance, intelligence clearance by background check, and direct employee supervision. With support from Governor Jared Polis, technicians were sent to reset the passwords, and a team of deputized cybersecurity employees assigned to check for any evidence of tampering. Griswold’s office believes the leak "does not pose an immediate security threat to Colorado's elections," nor its ballot counting process.
Editor's Note
[Neely]
This is a good example of layered defenses. With all that, the state changed the exposed passwords and notified CISA of the event. The passwords were included in a hidden tab of a spreadsheet published on the department's website. As that tab was hidden, it's unlikely normal information review processes would have caught it prior to publication, but even so, make sure you have processes in place to ensure information is checked before being released.
[Dukes]
Split passwords under two-person control – well done Colorado. That, coupled with physical and personnel security controls, is about all you can do to protect voter systems.
Read more in:
- www.sos.state.co.us: Statement from Colorado Department of State on Systems Passwords
- arstechnica.com: Colorado scrambles to change voting-system passwords after accidental leak
- www.cpr.org: Secretary of State Jena Griswold says employee responsible for posting voting equipment passwords is gone
FCC Notice of Proposed Rulemaking Regarding Undersea Cable Security
(October 31 & November 4, 2024)
The US Federal Communications Commission (FCC) will vote later this month on a proposed rulemaking that aims to improve security for undersea cables. Among the proposed changes is a prohibition against the use of services and equipment sold by certain companies in adversarial nations. This is the first time the FCC’s undersea cable licensing rules have been meaningfully reviewed in more than 20 years. “The Notice of Proposed Rulemaking (NPRM) in this proceeding would seek comment on how best to improve and streamline the Commission’s submarine cable rules to facilitate efficient deployment of submarine cables while at the same time ensuring the security, resilience, and protection of this critical infrastructure.”
Editor's Note
[Neely]
NOAA reports that 95% of international voice and data traffic passes through undersea fiber optic cables, with the balance using satellite communications. If passed, existing carriers will have 60 days to disclose whether they use equipment on the covered equipment list. The list includes components already banned in the US for other uses. Additionally, regular certification of the equipment used by the licensees will be required.
[Dukes]
Licensing rules should be reviewed on a periodic basis, that’s just good business practice. One assumes that undersea cable licensees would have already been subject to the requirements of the FCC covered list, but nothing like making it clearer.
Cisco Updates DevHub Event Response
(October 31 & November 4, 2024)
Cisco has notified “a limited set of CX Professional Services customers” that some of their files were among data downloaded by a threat actor from a public-facing DevHub site. The incident was disclosed last month. Cisco notes that “the vast majority of the information on our DevHub site is software artifacts (e.g., software code, templates, and scripts) that we intentionally make publicly available.”
Editor's Note
[Neely]
Cisco is noting the exposed non-public files were stored there as a configuration error, which has been corrected. The attacker claims their access used an exposed API token, which gave them access to source code and configuration files which included database credentials, technical documentation, and SQL files. If you're a CX Professional Services customer, work with Cisco to determine which, if any, non-public files were on their system and what their disposition is.
Meta Notified of Potential CFPA Violation, May Face Litigation
(October 30 & November 1, 2024)
In a 10-Q form filed with the SEC on October 30, containing financial information for the third calendar quarter of 2024, Meta revealed that the Consumer Financial Protection Bureau (CFPB) has been investigating the company's advertising practices and has "initiated a Notice and Opportunity to Respond and Advise (NORA) process," warning that a lawsuit may be imminent. Meta may have violated the Consumer Financial Protection Act by its acquisition and use in "certain advertising tools" of customer data from third parties. Meta deems any legal action "unwarranted," though this is the latest in a years-long series of legal threats to the company over its handling of user data.
Editor's Note
[Neely]
Last year Meta was fined by the EU for moving data to the U.S. from Europe. Now the CFPB is going after them for handling citizens' financial data, as used by advertising. While Meta sorts through this, make sure that you're properly handling user data, not only with an eye to CFPA but also to privacy laws such as the CCPA and GDPR.
Read more in:
- www.sec.gov: Form 10-Q
- therecord.media: Federal agency investigating how Meta uses consumer financial data for advertising