Google Cloud Will Require MFA by the End of Next Year
(November 4 & 6, 2024)
Google Cloud plans to establish mandatory multi-factor authentication by the end of 2025. This month (November 2024), Google Cloud will begin encouraging the 30 percent of users who have not yet adopted MFA to do so. In early 2025, Google Cloud will start “requiring MFA for all new and existing Google Cloud users who sign in with a password.” By the end of 2025, Google Cloud expects to “extend the MFA requirement to all users who federate authentication into Google Cloud.” They will offer flexible options for MFA adoption.
Editor's Note
[Honan]
This is a welcome move by Google, and to be frank, mandatory MFA should be considered as table stakes for any cloud service provider.
[Dukes]
The time for passwords as the single method of authentication has come to an end. Kudos to Google and other tech companies for ‘forcing’ transition to multi-factor authentication. This will make credential harvesting much more difficult for the adversary. Well done in setting an end date.
[Murray]
Google has been a leader in promoting strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Its solutions have offered users options that minimize any inconvenience. For example, passkeys are both more secure and more convenient than passwords. In part to avoid alienating users and customers, Google has offered, not mandated, strong authentication. It is now clear that in most applications, clearly so in infrastructure applications, relying on fraudulently reusable passwords is reckless. While the end date that they have set, end 2025, seems inconsistent with the urgency of the situation, it is probably proportionate to the size of the effort. Let us hope for early progress.
[Neely]
I may sound like a broken record, but MFA needs to be ubiquitous. Google is taking a three-phase approach, with notification and reminders, and you don't have to wait to implement MFA. Given the publicity, assume attackers will work to take advantage of remaining password-only accounts. Google will integrate with existing MFA in your IdP or you can use their MFA, meaning there is no reason to not succeed here.
Interpol Global Crackdown on Phishing, Ransomware, and Info Stealers Nets 40+ Arrests
(November 5 & 6, 2024)
An INTERPOL operation involving law enforcement agencies and private sector partners in multiple countries has resulted in more than 40 arrests and the disruption of dozens of servers allegedly used to conduct criminal activity. Operation Synergia II targeted criminal operations involved in phishing, ransomware, and information stealers. More than 22,000 suspicious IP addresses were taken down and nearly 60 servers seized.
Editor's Note
[Neely]
Talk about international cooperation: over 95 INTERPOL member countries participated in the takedown, as well as INTERPOL partners Group-IB, Trend Micro, Kaspersky, and Team Cymru. While I am certain replacement services will appear, so we need to remain vigilant, I am also confident that INTERPOL (and others) will continue these takedowns, removing any appearance of these being consequence-free attacks.
[Honan]
Well done to all involved in this operation. It is welcoming to see so many arrested for their alleged participation in crime, but it is more welcoming to see the number of servers and data seized. This should provide a treasure trove of intelligence which law enforcement will put to good use in the future.
[Dukes]
This is the money line: “The global nature of cyber crime requires a global response…” My only quibble: increase the frequency of such takedowns; it was nine months between Synergia I and II.
Read more in:
- www.interpol.int: INTERPOL cyber operation takes down 22,000 malicious IP addresses
- www.securityweek.com: 22,000 IPs Taken Down in Global Cybercrime Crackdown
- www.theregister.com: Operation Synergia II sees Interpol swoop on global cyber crims
- www.bleepingcomputer.com: Interpol disrupts cybercrime activity on 22,000 IP addresses, arrests 41
- thehackernews.com: INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime
- therecord.media: Interpol operation nets 41 arrests, takedown of 22,000 malicious IPs
German Legislators Propose Amendment to Protect Researchers Who Look for Vulnerabilities
(November 4, 6, & 7, 2024)
Germany’s Federal Ministry of Justice is proposing an amendment to computer criminal law “to clearly distinguish legally between actions in IT security research that are not to be disapproved of and behavior that is punishable. The bill is intended to eliminate the existing legal uncertainty and also to increase the scope of punishment for serious offenses that endanger or impair critical infrastructure.”
Editor's Note
[Neely]
The categorization of common tools as criminal creates a perception challenge and a need to have a definition whereby their use is legal. The increased occurrence of living-off-the-land attacks demonstrates that the activities, not the tools, need to be categorized, which otherwise puts ethical hackers in the crosshairs. As I recall repeated guidance from Ed Skoudis about having a get-out-of-jail memo (permission) before doing any testing, I suggest adding a check of the local laws/regulations to that list, to avoid running afoul of less forward-looking jurisdictions.
[Dukes]
This has been a legal gray area for years in most national cybersecurity crime statutes, although there has been some movement in past years to define cybersecurity research. By creating a clear use case for ethical hackers/cybersecurity researchers, you strengthen efforts to root out vulnerabilities in vendor products. Let’s hope the amendment passes the German legislature and that other countries follow suit.
[Murray]
The line between so-called "researchers" and rogue hackers has always been thin, with individuals crossing back and forth between roles. This proposal is intended to clarify the roles and to make the line more clear.
Read more in:
- www.bmj.de: Legal certainty for the investigation of IT security gaps: Federal Ministry of Justice publishes draft law on computer criminal law (press release)
- www.bmj.de: Law Amending the Criminal Code - Modernization of Computer Criminal Law
- thecyberexpress.com: Germany Drafts Law to Shield Ethical Hackers, Tighten Penalties for Cybercrime
- www.bleepingcomputer.com: Germany drafts law to protect researchers who find security flaws
- www.darkreading.com: German Law Could Protect Researchers Reporting Vulns
Canada Arrests Hacker Suspected in Snowflake Breaches and Extortions
(November 5, 2024)
On October 30, 2024, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka, who is accused of extorting companies after stealing hundreds of millions of customer records from Snowflake cloud data storage accounts. The 26-year-old was taken into custody under a provisional US arrest warrant, and appeared in court on November 5, 2024 "as part of extradition proceedings." Mandiant has been tracking threat cluster UNC5537 and its compromise and sale of Snowflake-stored data since April 2024, and believes that the cloud storage accounts were breached using credentials previously stolen and leaked in infostealer attacks; the accounts in question were not protected by MFA. Among the 165 compromised accounts were Live Nation Entertainment (Ticketmaster), Advance Auto Parts, LendingTree, Neiman Marcus, Santander Bank, State Farm, and AT&T, which reportedly paid $370,000 (US) for deletion of stolen phone records. KrebsOnSecurity identifies aliases and actors associated with UNC5537 including John Erin Binns, who was arrested in Turkey in May 2024 for involvement in a 2021 T-Mobile breach, and two nicknames believed to be used by Moucka, associated with SIM-swapping attacks, data breaches, and violent online harassment, swatting, doxxing, and extortion from extremist "harm groups." Allison Nixon, Chief Research Officer at Unit 221B, is aware that other closely associated threat actors are still at large, but calls Moucka's arrest "a good start," as he is "one of that tiny minority that causes disproportionate harm."
Editor's Note
[Neely]
UNC5537, aka Alexander 'Connor' Moucka, has been declared by Mandiant to be one of the most consequential threat actors of 2024, which highlights the impacts of using off-the-shelf tools for attacks. The current trial is to have him extradited to the US, at which point the competing jurisdictions will have to decide where to prosecute which crimes. There appear to be at least two other threat actors associated with UNC5537 based in North America and Turkey. Interesting wrinkle: the Turkish constitution prohibits citizens being extradited to a foreign state.
Read more in:
- krebsonsecurity.com: Canadian Man Arrested in Snowflake Data Extortions
- arstechnica.com: Suspect arrested in Snowflake data-theft attacks affecting millions
- www.wired.com: Man Arrested for Snowflake Hacking Spree Faces US Extradition
- www.scworld.com: Snowflake data theft suspect arrested in Canada
- www.darkreading.com: Canadian Authorities Arrest Attacker Who Stole Snowflake Data
- cloud.google.com: UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion (June 10, 2024)
Cisco Releases Updates to Fix Critical Command Injection Vulnerability in Unified Industrial Wireless Software
(November 6 & 7, 2024)
On Wednesday, November 6, Cisco released updates to address a critical command injection vulnerability in the web-based management interface of its Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points. The improper input validation issue could be exploited to execute arbitrary commands with root privileges on vulnerable systems. Users running Cisco Unified Industrial Wireless Software Release version 17.15 are urged to update to version 17.15.1. Users running Cisco Unified Industrial Wireless Software Release versions 17.14 and earlier are urged to migrate to a fixed release. Cisco also released updates to address more than a dozen additional vulnerabilities in its products.
Editor's Note
[Neely]
Update your Cisco devices, then make sure none of your management interfaces are exposed. Comprehensive input validation has to become a survival skill. Make sure you're fully testing EVERY input, no matter how difficult you think it would be to supply bogus data.
Georgia Hospital Ransomware Attack
(November 5 & 6, 2024)
Memorial Hospital and Manor in the US state of Georgia is experiencing IT outages related to a ransomware attack. Specifically, hospital staff are unable to access their electronic health record (EHR) system. The attack has also disrupted the availability of Memorial Hospital and Manor’s email system and website. The hospital posted a notification on their Facebook page on Sunday, November 3, noting that they had detected a ransomware attack the previous day.
Editor's Note
[Neely]
The Embargo ransomware gang is taking credit for the attack and claims to have 1.15 terabytes of data they will leak on November 8th if not paid. Embargo's claim to fame is that they have a tool which appears to be able to disable EDR, as well as using the double extortion play to get paid. They have attacked other hospitals including Idaho's Weiser Memorial Hospital and California's NorthBay Vacaville Hospital. Things to think about here include what to do when your electronic records are not available, and the frequency of updates to your breach notification; five days seems a bit long.
Read more in:
- therecord.media: Georgia hospital unable to access record system after ransomware attack
- www.securityweek.com: Ransomware Attack Disrupts Georgia Hospital’s Access to Health Records
- www.hipaajournal.com: Memorial Hospital and Manor Recovering from Ransomware Attack
Washington State Court System is Experiencing IT Outages Following “Unauthorized Activity”
(November 5 & 6, 2024)
Court systems in the northwestern US state of Washington are experiencing outages after the Washington State Administrative Office of the Courts (AOC) detected “unauthorized activity on the Washington courts network.” AOC “proactively took down [their] systems to secure them.” Some Washington state court systems have reported that their electronic filing systems and phones were unavailable; others have rescheduled certain hearings. The suspicious activity was identified over the weekend; the systems have been offline since Sunday, November 3.
Editor's Note
[Dukes]
It’s been a very busy year for ransomware gangs, on par with if not exceeding last year. By now we all know about ransomware attacks, and we know how to protect ourselves from attack. So, the question becomes, why aren’t we?
[Neely]
The outage is impacting courts in the counties of Thurston, Monroe, Renton, Puyallup, Bainbridge, King, Pierce, Whatcom and Lewis as well as several city municipal courts. Check the website for your local court before attempting any planned business with them.
Read more in:
- therecord.media: Outages impact Washington state courts after ‘unauthorized activity’ detected on network
- www.securityweek.com: Cyberattack Blamed for Statewide Washington Courts Outage
- www.bleepingcomputer.com: Washington courts' systems offline following weekend cyberattack
- www.theregister.com: Washington courts grapple with statewide outage after 'unauthorized activity'
AI Civil Rights Bill Enters House
(November 6, 2024)
“From housing to health care to national security, algorithms are making consequential decisions, diagnoses, recommendations, and predictions that can significantly alter our lives,” says Senator Ed Markey (D-MA), who introduced the Eliminating Bias in Algorithmic Systems (BIAS) Act in the US Senate in December 2023. The same bill was introduced in the House of Representatives on November 1, 2024, and is co-sponsored by a total of eighteen Democrats in the House and Senate. Sen. Markey emphasizes that the impact of AI and "Big Tech" compounds the risks, requiring the federal government to "protect [marginalized] communities and ... address algorithmic harms." The law would direct "all Federal agencies that use AI technology to create an office of civil rights." These offices would investigate and enact measures to mitigate algorithmic discrimination through their agencies' relationships with "industry, representatives, businesses, [and] civil rights advocates;" their reports would then be passed to congressional committees to generate additional legislative and administrative recommendations.
Editor's Note
[Neely]
The Eliminating BIAS Act was introduced to mitigate the impacts of algorithmic decision making, and the widespread adoption of AI increases the potential impacts. Recent conversations with (qualified) applicants about how they have to game the screening systems to get an interview indicate we need to be looking at what is rejected (and passed) to assess, monitor and tweak our algorithms, AI-driven or otherwise, regardless of legislative action.
[Dukes]
While I applaud the civil rights bill, the best solution is enriching data sets used to train the large language models. Until we have accessible data sets that represent marginalized communities, you unfortunately will have increased chances of algorithmic bias.
South Korean Privacy Commission Fines Meta $15.6 million
(November 5, 6, & 7, 2024)
The South Korean government's Personal Information Protection Commission (PIPC) has stated that Meta violated the Personal Information Protection Act (PIPA) by illegally collecting data from approximately 980,000 users and sharing those data with advertisers, and has fined the company 21.6 billion won ($15.6 million US). Meta disregarded legal safeguards for personal data, "reject[ed] access to personal data without legitimate rationale," and was negligent in identity verification during account recovery, leading to data breaches for at least 10 users. The PIPC press release issued on November 7, 2024, states that "Put simply, Meta analyzed users’ behavioral data, including the pages they hit the ‘Like’ button, ads they clicked on Facebook, etc., to create and operate advertising topics associated with sensitive data (specific religious affiliations, homosexuality, whether a user is a transgender or North Korean defector) collected from the users." Both Meta and Google have repeatedly incurred tens of millions in fines from the PIPC for similar violations.
Editor's Note
[Neely]
Privacy is a big deal, not just in the EU, and you need to make sure you're not inadvertently crossing the lines. Consider the use of an external assessor to counter any internal bias. No matter your company size, you really don't want to see if you can weather this sort of storm.
Read more in:
- www.pipc.go.kr: PIPC Sanctions against Meta for Collection and Use of Sensitive Data without Lawful Basis of Processing
- therecord.media: South Korean authorities fine Meta $15.6 million for sharing user data with advertisers
- www.securityweek.com: South Korea Fines Meta $15 Million for Illegally Collecting Information on Facebook Users