CISA Adds Five Flaws to KEV Catalog, Including Three-Month-Old Microsoft SharePoint Deserialization Vulnerability
(October 21, 22, 23, & 24, 2024)
The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Microsoft SharePoint deserialization flaw (CVE-2024-38094) that was initially disclosed in July. The other flaws added to KEV are an unspecified vulnerability in ScienceLogic SL1; a missing-authentication vulnerability in Fortinet FortiManager (see story below); a cross-site scripting (XSS) vulnerability in RoundCube Webmail; and a denial-of-service vulnerability in Cisco ASA and FTD (see story below).
Editor's Note
[Neely]
The fix for SharePoint has been out for three months, it should already be in place. The KEV due date is November 12. Ask why you’re still running SharePoint on premises, and, if viable, insist on a plan to move to the hosted version.
[Dukes]
With these additions, CISA is up to 150 KEV entries for 2024. In comparison, VulnCheck had over 390 in the first 6 months. Why the disparity in numbers? Bottom line: defenders are best served by updating their software as patches become available; don’t wait for it to be catalogued in a known exploited vulnerability database.
Read more in:
- www.theregister.com: Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch
- thehackernews.com: CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)
- nvd.nist.gov: CVE-2024-38094 Detail
- www.cisa.gov: Known Exploited Vulnerabilities Catalog
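The editors' notes above turn on KEV due dates (November 12, 13 and 14) and on the gap between exploitation and cataloguing. The script below is an added example, not code from this issue or from CISA: it reads a feed in the shape of CISA's KEV JSON, keeps only entries for products in a local inventory, and orders them by days remaining to the due date. KEV_SAMPLE is a constructed excerpt (the CVE ids, products and due dates are the ones reported above; the dateAdded values are approximate) and INVENTORY is hypothetical.

```python
"""Cross-check a CISA KEV catalog feed against a local software inventory.

Added example; this is not code from the SANS NewsBites issue or from CISA.
KEV_SAMPLE is a constructed excerpt in the shape of CISA's KEV JSON feed:
the CVE ids, products and due dates are the ones reported in the issue,
the dateAdded values are approximate, and INVENTORY is hypothetical.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-38094", "vendorProject": "Microsoft", "product": "SharePoint",
         "vulnerabilityName": "Microsoft SharePoint Deserialization Vulnerability",
         "dateAdded": "2024-10-22", "dueDate": "2024-11-12"},
        {"cveID": "CVE-2024-47575", "vendorProject": "Fortinet", "product": "FortiManager",
         "vulnerabilityName": "Fortinet FortiManager Missing Authentication Vulnerability",
         "dateAdded": "2024-10-23", "dueDate": "2024-11-13"},
        {"cveID": "CVE-2024-20481", "vendorProject": "Cisco", "product": "ASA and FTD",
         "vulnerabilityName": "Cisco ASA and FTD Denial-of-Service Vulnerability",
         "dateAdded": "2024-10-24", "dueDate": "2024-11-14"},
    ],
})

# Hypothetical inventory: vendorProject -> products actually deployed.
INVENTORY = {
    "Microsoft": {"SharePoint", "Exchange"},
    "Fortinet": {"FortiManager"},
}


def load_kev(feed_text):
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def triage(entries, inventory, today):
    """Return the KEV entries that match the inventory, most urgent first.

    Each row carries the days left until CISA's due date and an overdue
    flag; entries for products not in the inventory are dropped.
    """
    rows = []
    for entry in entries:
        deployed = inventory.get(entry["vendorProject"], set())
        if entry["product"] not in deployed:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "name": entry["vulnerabilityName"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in triage(load_kev(KEV_SAMPLE), INVENTORY, date(2024, 10, 25)):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]:3d} days left'
        print(f'{row["cve"]}  {row["product"]:22}  due {row["due"]}  {flag}')
```

The due date is a compliance deadline, not a measure of exposure: the SharePoint fix predates its KEV entry by three months and the FortiManager exploitation by four, so `days_left` tells you how late you are with CISA, while the vendor patch date tells you how long you have been exposed.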
RCE Flaw in FortiManager Actively Exploited Since June 2024
(October 22, 23, & 24, 2024)
Fortinet privately informed customers about a remote code execution flaw in FortiManager, and is receiving criticism for waiting days to publish a public advisory. CVE-2024-47575 is rated critical (CVSS 9.8), and allows remote code execution due to "missing authentication for critical function ... in FortiManager fgfmd daemon." While some specifics remain unclear, independent researcher Kevin Beaumont posits the issue is "a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization’s FortiManager dashboard." The US Cybersecurity and Infrastructure Security Agency (CISA) says this vulnerability is actively being exploited in the wild, and has added it to the Known Exploited Vulnerability database. Analysts at Mandiant consider this a "mass exploit situation," which they believe to be ongoing since June 27, 2024, tracked as threat cluster UNC5820. Fortinet urges users of FortiManager 7.6 and below to update, detailing version-specific workarounds.
Editor's Note
[Pescatore]
Fortinet recently released an analysis of exploitation of zero-day flaws in Ivanti’s products but seems to be much more closemouthed on actively exploited vulnerabilities in their own products. This is not good for Fortinet’s customers or anyone else. Fortinet management should issue a statement on how they plan to change whatever corporate policies are driving this behavior.
[Neely]
Fortinet has historically remained opaque about vulnerabilities and their details. Target updating to the latest version of 7.6 rather than remaining on a patched but older version. CVE-2024-47575 has a CVSS score of 9.8, and doesn’t look that hard to exploit. The KEV due date is November 13; I suggest you deploy before Halloween.
[Dukes]
An interesting debate: should the vendor privately inform its users of a critical vulnerability first before going public, or simply default to public announcement? Both have advantages and disadvantages. Regardless, Fortinet product users should update their software now.
Cisco Patches Actively Exploited Flaw in ASA and FTD Software
(October 23 & 24, 2024)
Cisco has released updates to address an actively exploited denial-of-service vulnerability affecting the Remote Access VPN service in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The issue is due to resource exhaustion. While the vulnerability is rated medium severity, it is being actively exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Cisco’s advisory includes a list of affected products as well as a list of indicators of compromise.
Editor's Note
[Neely]
This is being categorized as an emergency patch release. That should be an indication to you about the seriousness of the flaw and associated exploit activity. KEV due date is November 14.
Read more in:
- sec.cloudapps.cisco.com: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability
- www.securityweek.com: Cisco Patches Vulnerability Exploited in Large-Scale Brute-Force Campaign
- thehackernews.com: Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack
- www.theregister.com: Emergency patch: Cisco fixes bug under exploit in brute-force attacks
- nvd.nist.gov: CVE-2024-20481 Detail
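The exploitation described above is a large-scale brute-force campaign against the Remote Access VPN service, which shows up on the firewall as a stream of AAA authentication rejections. The detector below is an added example, not code from this issue or from Cisco: it parses ASA-style syslog, keeps a sliding window of rejections per source address, and raises an alert when one source exceeds a failure count or cycles through too many usernames. SAMPLE_LOG is constructed; its lines follow the layout of ASA message 113005 (AAA user authentication Rejected), and the exact field spacing of that message is an assumption here.

```python
"""Flag remote-access VPN password-guessing from Cisco ASA syslog.

Added example; not code from the SANS NewsBites issue or from Cisco.
SAMPLE_LOG is constructed; its lines follow the layout of ASA message
113005 (AAA user authentication Rejected), and the exact field spacing
of that message is an assumption here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

_REJECT = ("%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password"
           " : server = 10.0.0.5 : user = {user} : user IP = {src}")

# Constructed sample: one source cycling through eight accounts in 21 seconds,
# one legitimate user mistyping a password twice, and one unrelated message.
SAMPLE_LOG = "\n".join(
    [f"Oct 24 2024 10:15:{sec:02d} fw01 " + _REJECT.format(user=user, src="203.0.113.7")
     for sec, user in zip(range(1, 25, 3),
                          ["alice", "bob", "carol", "dave", "admin", "eve", "frank", "grace"])]
    + ["Oct 24 2024 10:16:00 fw01 " + _REJECT.format(user="alice", src="198.51.100.4"),
       "Oct 24 2024 10:16:10 fw01 " + _REJECT.format(user="alice", src="198.51.100.4"),
       "Oct 24 2024 10:16:12 fw01 %ASA-6-113004: AAA user authentication Successful"
       " : server = 10.0.0.5 : user = alice"]
)

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r".*?user = (?P<user>\S+) : user IP = (?P<src>\S+)"
)


def parse_rejections(text):
    """Return (timestamp, source_ip, username) for every 113005 line."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # other message ids are not authentication failures
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        events.append((ts, m["src"], m["user"]))
    return events


def detect_bruteforce(events, window_s=60, max_failures=5, max_users=3):
    """Sliding-window detector keyed on source IP.

    A source is reported when, within window_s seconds, it produced at
    least max_failures rejections or tried at least max_users distinct
    usernames (password spraying). Returns {src: {"failures", "users"}}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, user in sorted(events):
        window = recent[src]
        window.append((ts, user))
        while window and (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()  # drop rejections older than the window
        users = {u for _, u in window}
        if len(window) >= max_failures or len(users) >= max_users:
            hit = alerts.setdefault(src, {"failures": 0, "users": set()})
            hit["failures"] = max(hit["failures"], len(window))
            hit["users"] |= users
    return {src: {"failures": h["failures"], "users": sorted(h["users"])}
            for src, h in alerts.items()}


if __name__ == "__main__":
    for src, hit in detect_bruteforce(parse_rejections(SAMPLE_LOG)).items():
        print(f"{src}: {hit['failures']} failures in window, users tried: {hit['users']}")
```

Thresholds are deliberately low so the constructed sample trips them; on a real VPN concentrator tune `window_s` and `max_failures` against the normal rejection rate, and treat the distinct-username condition as the stronger signal, since a legitimate user rarely fails against more than one account.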
Microsoft Report on Ransomware and Healthcare
(October 22 & 24, 2024)
Microsoft’s report, "US Healthcare at risk: Strengthening resiliency against ransomware attacks," is packed with facts and data about how cybersecurity incidents in the healthcare sector affect patient care, including the ripple effect at healthcare facilities closest to those affected by breaches. In a video Threat Intelligence Briefing, Sherrod DeGrippo, Director of Threat Intelligence Strategy for Microsoft Threat Intelligence first leads a roundtable discussion with Microsoft senior security researchers and the Health-ISAC’s CSO. She then visits the University of California San Diego’s (UCSD’s) Center for Healthcare Cybersecurity where she speaks with doctors about how ransomware attacks affect patients and healthcare providers and how they envision helping healthcare providers improve outcomes in these dangerous and frustrating situations.
Editor's Note
[Pescatore]
If you work in healthcare, you can find plenty of numbers in this report to help you fight for budget but really nothing new or all that impactful in this report. Summary: like all other sectors, healthcare has been slow to move away from reusable passwords which has resulted in many expensive damaging ransomware incidents that cost way more to deal with than would have been spent to prevent them.
[Neely]
Microsoft joins others helping the healthcare industry understand the ransomware landscape and how it targets them. The trick is finding the resources and time to implement security enhancements in a 24x7x365 environment with few downtime windows.
Mobile Ad Data Industry Endangers Privacy, Violates Laws
(October 23, 2024)
"Anyone can now access [surveillance] capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites," reports Brian Krebs. His article details an ongoing privacy crisis created by an industry of data brokers selling invasively trackable ad data. Investigation by Atlas Data Privacy Corp. led to a lawsuit against Babel Street, a company whose technology "allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated ... time-lapse history of the mobile devices seen coming in and out of the specified area." Atlas Corp's private investigator was given a trial of Babel Street with no verification that he was authorized to use it as a "contractor of the government." The investigator was able to demonstrate Babel Street's capability to effectively identify visitors to "mosques, synagogues, [and] courtrooms," as well as patients and employees of abortion clinics, and to track those individuals' movements and identify their home addresses and workplaces, even merely by association with family members' devices. The basis for the lawsuit is violation of "Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges and their families to have their information completely removed from commercial data brokers." Personally identifiable details including name, email address, social media profile, GPS coordinates, and "consumer category" associated with a device's Mobile Advertising ID (MAID) -- referred to in Google devices as "Android Advertising ID" (AAID), and in Apple devices as "Identifier for Advertisers" (IDFA) -- may be sold to brokers by any number of apps, or widely broadcast unsecured when being served a "realtime bid" online advertisement. 
The article notes that "Android users can delete their ad ID permanently," and Apple users can turn off apps' ability to request tracking, and disable Apple's own "personalized ads" feature. Zach Edwards, senior threat analyst at SilentPush comments: "The privacy risks here will remain until Apple and Google permanently turn off their mobile advertising ID schemes and admit to the American public that this is the technology that has been supporting the global data broker ecosystem."
Editor's Note
[Neely]
The Krebs article is worth a read to understand the issues of how your advertising and tracking data are used, as well as the fight between data brokers and privacy advocates like Atlas. While that sorts itself out, disable tracking services on your devices, delete the advertising ID if on Android, disable personalized ads on iOS, and in general deny applications location access except when they truly need it. While many of these settings are default secure, you need to check and make sure they still are set that way, including checking the location service settings for your applications.
Read more in:
- krebsonsecurity.com: The Global Surveillance Free-for-All in Mobile Ad Data
- arstechnica.com: Location tracking of phones is out of control. Here’s how to fight back.
VMware Releases New Patches for Critical Flaws in vCenter Server
(October 21 & 22, 2024)
VMware has released patches to address two vulnerabilities in vCenter Server that were inadequately addressed by patches released last month. The issues affect VMware vCenter Server and Cloud Foundation products. One of the vulnerabilities is a critical heap overflow issue (CVE-2024-38812); the flaw lies in the implementation of the DCERPC protocol. The second vulnerability is a high-severity privilege elevation issue (CVE-2024-38813).
Editor's Note
[Neely]
CVE-2024-38812, out of bound write/heap overflow, CVSS score 9.8, has no workarounds. The fix is to update to the patched version of vCenter. If you’re on version 4, 5, or 5.1, update to version 8, there is no other patch. Also make sure that you isolate your management interface.
Read more in:
- support.broadcom.com: VMSA-2024-0019:VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities (CVE-2024-38812, CVE-2024-38813)
- www.theregister.com: VMware fixes critical RCE, make-me-root bugs in vCenter - for the second time
- nvd.nist.gov: CVE-2024-38812 Detail
Samsung Exploits, One Wild, One Domesticated
(October 7, 23, & 24, 2024)
On October 7, 2024, Samsung disclosed and patched a high severity use-after-free vulnerability (CVE-2024-44068) affecting "Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920." Google Threat Analysis Group (TAG) researchers have since asserted that this vulnerability has already been used as a component of an exploit enabling remote code execution "in a privileged cameraserver process." Another exploit, not "in the wild," but in the Pwn2Own Ireland hacking challenge on October 24, 2024, allowed competitor Ken Gannon to successfully "get a shell and install an app" by chaining five flaws "including path traversal" on the Samsung Galaxy S24 smartphone.
Editor's Note
[Neely]
CVE-2024-44068 has a CVSS score of 8.1. Samsung released security updates to address the flaw; make sure that you’re applying them.
US Insurance Third-Party Administrator Reports Data Breach
(October 24, 2024)
Landmark, a Texas-based third-party insurance administrator, has disclosed a data breach that affects more than 800,000 individuals. The incident was detected in May; the compromised data include names, Social Security numbers, tax ID numbers, drivers’ license and state-issued identification card numbers, passport numbers, bank account and routing numbers, medical information, health insurance policy information, dates of birth, and/or life and annuity policy information. A forensic investigation determined that “data [were] encrypted and exfiltrated from Landmark’s system,” according to the Supplemental Notice of Data Breach Involving Landmark Admin, LLC (link available on the Maine AG data breach notification page for Landmark).
Editor's Note
[Neely]
This is another third-party service provider compromise, and should be a motivator to make sure that you’re assessing third-party security, not just as part of the contract award, but regularly while you’re in business. Dig deep on breach notification and response; make sure you understand roles and responsibilities before the chips are down.
[Dukes]
Five months after the data breach, notification letters are finally sent. The good news is they are offering 12 months of credit monitoring service and an insurance reimbursement policy. The bad news is it does nothing for the past five months when key attributes that make up one’s digital identity could have been used for criminal use.
Read more in:
- therecord.media: Landmark, an administrator for insurance firms, says 800,000 affected by data breach
- www.maine.gov: Data Breach Notifications | Landmark Admin
Companies Agree to Pay Civil Penalties to Settle SEC Charges Related to “Materially Misleading Disclosures”
(October 22, 2024)
Four companies have agreed to monetary penalties to settle charges of “materially misleading disclosures” brought by the US Securities and Exchange Commission. The charges against the four companies – Unisys, Avaya, Check Point, and Mimecast – arose from an investigation that involved public companies possibly affected by the SolarWinds compromise. In total, the four companies will pay civil penalties of nearly $7 million.
Editor's Note
[Pescatore]
While Unisys is also paying fines for control violations, all four essentially are paying fines for applying wordmanship to required disclosures that are supposed to provide investors with meaningful information about events that would impact stock market value. “Downplaying” breach impact is just lying to investors, never a good business practice. This is a good topic for a tabletop session with the management team and corporate communications.
[Neely]
The SEC is taking steps to ensure publicly traded companies take cybersecurity seriously, adding penalties to their reporting requirements. While the funds to pay the fines aren’t supposed to come from the shareholders, it’s not clear they won’t. Make sure you’re prepared to not only be fully transparent when reporting but also have a robust cybersecurity program which is actively monitored.
[Dukes]
An interesting twist, where SEC is enforcing its interpretation of a cybersecurity material disclosure requirement. What’s difficult for companies to determine in whether to provide a disclosure is the definition of material. In other words, did the incident have a significant impact on the company's financial condition, operations, or market valuation? Yes, the SolarWinds incident had a widespread impact on the cybersecurity community, but what was the material effect on these four companies individually? The companies said that it had little impact — is that misleading the investor?
Read more in:
- www.sec.gov: SEC Charges Four Companies With Misleading Cyber Disclosures
- www.theregister.com: Tech firms to pay millions in SEC penalties for misleading SolarWinds disclosures
Irish Data Protection Commission Fines LinkedIn Ireland for User Data Misuse
(October 24, 2024)
Ireland’s Data Protection Commission (DPC) has fined LinkedIn Ireland €310 million (US $336 million) for using LinkedIn user data for targeted advertising and behavioral analysis without obtaining user consent. DPC found that LinkedIn violated several provisions of the EU’s General Data Protection Regulation (GDPR).
Editor's Note
[Neely]
LinkedIn believes they were fully following GDPR requirements, and is preparing a response to DPC accordingly. DPC is actively pursuing tech companies to ensure user privacy is protected. As other privacy acts are passed, one hopes a similar active stance will be taken to ensure they are followed. Make sure you’re having conversations with your legal and privacy officers about your adherence to relevant regulations. Don’t wait to adjust if you’re not.
Read more in:
- www.dataprotection.ie: Irish Data Protection Commission fines LinkedIn Ireland €310 million
- www.irishtimes.com: Microsoft-owned LinkedIn fined €310m by Irish Data Protection Commission
- therecord.media: LinkedIn hit with $335 million fine for using member data for ad targeting without consent