SANS NewsBites

Another BreachForums Takedown; Microsoft Patch Tuesday; Google Chrome Patches Three 0-Days in a Week

May 17, 2024  |  Volume XXVI - Issue #39

Top of the News


2024-05-16

International Law Enforcement Effort Takes Down BreachForums Website Again

A cooperative effort by international law enforcement agencies has taken down BreachForums, a website that sold malware and data stolen in breaches. Data from recently reported breaches at Dell and Europol were being offered for sale on the site. A previous incarnation of the site was taken down in June 2023.

Editor's Note

The BreachForums site operated from June 2023 until May 2024, replacing the RaidForums site. Now that law enforcement has taken over the site, it's hoped that they have sufficient data to identify and prosecute the operators.

Lee Neely

These law enforcement takedowns are important, but until you remove the incentive, cyber-crime will continue to be a problem. At the end of the day, it's all about the payout. Law enforcement can have more impact by making it difficult to pay. That means denying payment or the means of transfer to the attacker.

Curtis Dukes

2024-05-15

Microsoft Patch Tuesday

Microsoft's Patch Tuesday release for May 2024 includes fixes for nearly 60 CVEs, including two that are being actively exploited: CVE-2024-30051, a Windows DWM core library elevation of privilege vulnerability and CVE-2024-30040, a Windows MSHTML Platform security feature bypass vulnerability.

Editor's Note

While you're getting your head around the three important vulnerabilities in the MS patch set, don't overlook the updates from Apple and Adobe released this week. Attackers are leveraging CVE-2024-30051, privilege escalation, CVSS score 7.8, in phishing campaigns to bypass OLE mitigations and escalate privileges. CVE-2024-30040, an input validation flaw in MSHTML, has a CVSS score of 8.8. CVE-2024-30044, remote code execution, CVSS score 7.2, is a deserialization flaw. Deserialization is the gift that keeps on giving: prioritize fixes for these flaws.

Lee Neely

2024-05-16

Google Fixes Chrome Zero-day (Yes, Another One)

On Wednesday, May 15, Google released Chrome 125 to the stable channel. The update addresses nine security issues, including yet another actively exploited zero-day vulnerability in the browser, the third fixed in a single week. Chromium rates the flaw, a type confusion vulnerability in the V8 JavaScript engine (CVE-2024-4947), as high severity.

Editor's Note

Three zero-days in one week is likely a new record. The best way to stay up to date: Restart Google Chrome once a day, and visit the "About" page once a week to make sure you are up to date.

Johannes Ullrich

As we're running to keep up with Chrome updates, keep an eye out for issues caused by the default enablement of the PQC (Kyber) algorithm. You may have to push out the PostQuantumKeyAgreementEnabled enterprise policy to disable that, as not all TLS implementations properly handle the increased size of the TLS ClientHello. (Kyber adds about 1KB to the ClientHello.)

Lee Neely
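The ClientHello growth described in the note above can be checked directly against your own VPN gateways, load balancers and TLS-inspecting middleboxes before Chrome's default reaches them. The following is an added example written for this issue, not code from Google, Chromium or SANS: it builds a TLS 1.3 ClientHello carrying a 1216-byte X25519Kyber768Draft00 key share (code point 0x6399; the share itself is random filler, so this is a size probe, not a working post-quantum handshake), optionally pads the record to a chosen size with an RFC 7685 padding extension, and reports whether the server answers. Hostnames, ports and padding sizes are assumptions you supply on the command line.

```python
"""Size probe for the larger ClientHello that Chrome's X25519Kyber768 key share produces.

Added example, not Google's, Chromium's or SANS' code. The hybrid key share is random
filler of the correct length (1216 bytes): a ServerHello means the bytes reached the
server, not that a post-quantum handshake would complete.
"""
import os
import socket
import struct
import sys

X25519 = 0x001D
X25519_KYBER768_DRAFT00 = 0x6399     # hybrid group code point offered by Chrome 124+
KYBER_SHARE_LEN = 32 + 1184          # X25519 public key + Kyber768 public key


def _ext(ext_type, body):
    """TLS extension: type(2) | length(2) | body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(host, include_pq=True, pad_to=0):
    """Return one TLS record holding a TLS 1.3 ClientHello for `host`.

    include_pq adds the 1216-byte hybrid key share (and its group). pad_to, when larger
    than the natural size, appends an RFC 7685 padding extension so the record is exactly
    pad_to bytes, which lets you bisect the size at which a path starts dropping hellos."""
    groups = ([X25519_KYBER768_DRAFT00] if include_pq else []) + [X25519]
    shares = b""
    if include_pq:
        shares += struct.pack("!HH", X25519_KYBER768_DRAFT00, KYBER_SHARE_LEN) + os.urandom(KYBER_SHARE_LEN)
    shares += struct.pack("!HH", X25519, 32) + os.urandom(32)
    sni = host.encode()
    extensions = (
        _ext(0x0000, struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni)   # server_name
        + _ext(0x002B, b"\x02\x03\x04")                                       # supported_versions: TLS 1.3
        + _ext(0x000A, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
        + _ext(0x000D, b"\x00\x06\x04\x03\x08\x04\x04\x01")                   # signature_algorithms
        + _ext(0x002D, b"\x01\x01")                                           # psk_key_exchange_modes
        + _ext(0x0010, b"\x00\x0c\x02h2\x08http/1.1")                         # ALPN: h2, http/1.1
        + _ext(0x0033, struct.pack("!H", len(shares)) + shares)               # key_share
    )
    body = (b"\x03\x03" + os.urandom(32)                 # legacy_version, random
            + b"\x20" + os.urandom(32)                    # legacy_session_id (middlebox compat)
            + b"\x00\x06\x13\x01\x13\x02\x13\x03"         # AES-128-GCM, AES-256-GCM, CHACHA20
            + b"\x01\x00")                                # legacy_compression_methods: null
    natural = 5 + 4 + len(body) + 2 + len(extensions)     # record size without padding
    if pad_to > natural + 4:
        extensions += _ext(0x0015, b"\x00" * (pad_to - natural - 4))
    handshake = (b"\x01" + (len(body) + 2 + len(extensions)).to_bytes(3, "big")
                 + body + struct.pack("!H", len(extensions)) + extensions)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_key_shares(record):
    """Walk the ClientHello extensions and return {group: key_exchange length}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                        # past record hdr, hs hdr, version, random
    p += 1 + record[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end, shares = p + ext_len, {}
    while p < end:
        et, el = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if et == 0x0033:
            q = p + 2                                     # skip client_shares length
            while q < p + el:
                g, kl = struct.unpack("!HH", record[q:q + 4])
                shares[g] = kl
                q += 4 + kl
        p += el
    return shares


def probe(host, port=443, include_pq=True, pad_to=0, timeout=5.0):
    """Send the ClientHello and classify the first record the server sends back."""
    hello = build_client_hello(host, include_pq, pad_to)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            head = s.recv(6)
        except socket.timeout:
            return "timeout (no reply: a middlebox may have dropped the large ClientHello)"
    if len(head) < 6:
        return "connection closed before any record"
    if head[0] == 0x16 and head[5] == 0x02:
        return "ServerHello"
    if head[0] == 0x15:
        return "TLS alert"
    return "unexpected record type 0x%02x" % head[0]


if __name__ == "__main__":
    if len(sys.argv) < 2:                                 # offline self-check, no network
        for pq in (False, True):
            rec = build_client_hello("example.com", include_pq=pq)
            print("pq=%s: %d-byte ClientHello, key shares %s" % (pq, len(rec), parse_key_shares(rec)))
    else:
        for pq in (False, True):
            for size in (0, 1600, 3000):
                rec_len = len(build_client_hello(sys.argv[1], pq, size))
                print("pq=%s size=%d -> %s" % (pq, rec_len, probe(sys.argv[1], include_pq=pq, pad_to=size)))
```

Run it with a hostname of your own (`python3 pq_hello_probe.py vpn.example.com`, a constructed name) and compare the pq=False and pq=True rows: a ServerHello for the small hello but a timeout or reset for the larger or padded ones points at a device on the path that cannot handle a ClientHello spanning more than one TCP segment, and that is the population to fix, or to shield with the PostQuantumKeyAgreementEnabled policy in the meantime. A server that does not support the hybrid group simply selects X25519, so a ServerHello only proves the bytes arrived.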

The Rest of the Week's News


2024-05-16

GE HealthCare Ultrasound Vulnerabilities

Researchers at Nozomi Networks discovered 11 vulnerabilities in GE HealthCare Vivid Ultrasound products and two related pieces of software. The flaws could be exploited to install malware and access and manipulate stored data. The most serious exploits require physical access to the vulnerable devices and systems. GE's fixes are available on their Product Security Portal.

Editor's Note

I just had a major medical equipment vendor in healthcare tell me that their system that is hooked up to patients can't be scanned with Qualys or Nessus because it fills up the memory of the server and will cause the application to fail: just exclude it.

Moses Frost

This report reinforces the need for cybersecurity education for engineers. Yes, each is a distinct discipline but today everything uses software and is internet accessible. Every sector needs more cybersecurity professionals but there are simply not enough to go around. In the meantime, schedule the devices for an off-cycle patch as the integrity of the data can be called into question.

Curtis Dukes

The concern here is that these appliances are used, not managed; many will never be patched.

William Hugh Murray

2024-05-16

Nigeria Suspends Cybersecurity Tax

Nigeria has decided to suspend a planned 0.5 percent cybersecurity levy that was to be imposed on domestic electronic transactions. The decision to suspend the levy was made in response to public outcry in a country where annual inflation has exceeded 30 percent. Nigeria's Information Minister Mohammed Idris said that the new levy was planned as authorities clamp down on cryptocurrency.

Editor's Note

Nigeria is one of the largest economies in Africa, next to South Africa and Egypt. Nigeria is facing keen struggles with inflation and a soaring cost of living; the tax would have hit those working to survive in that environment the hardest. The tax was intended to fund their current efforts to increase cybersecurity, predicted to raise about $1.9 billion annually. Regrettably, there is no tie between the amount of money needed for the initiative and the tax amount; transparency is critical here, particularly when times are tough.

Lee Neely

2024-05-16

Wi-Fi Standard Vulnerability Can Lead to SSID Confusion Attacks

Researchers at Top10VPN, along with researcher and KU Leuven (Belgium) computer science professor Mathy Vanhoef, have identified a vulnerability in the IEEE 802.11 Wi-Fi standard (CVE-2023-52424) that could be exploited to launch SSID confusion attacks: a victim's client is tricked into connecting to a different network than the one it intended, one that may be less trusted or less secure, because the network name is not authenticated during connection. According to the report, the issue affects all Wi-Fi clients on all operating systems.

Editor's Note

The takeaway from this vulnerability: Do not operate different networks (SSID) using the same passphrase.

Johannes Ullrich

Long term mitigations require changes to the Wi-Fi standard to include the SSID in the 4-way handshake as well as increased beacon protection to ensure it belongs to the desired SSID. As the attack is leveraging known passwords, consider whether posting Wi-Fi passwords is wise, and how frequently they should be changed.

Lee Neely
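Both notes above come down to where the SSID is bound into the Wi-Fi key schedule. The following is an added example written for this issue, not code from the SSID Confusion paper, from Top10VPN or from the SANS editors: it implements the WPA2 derivations (PBKDF2 for the WPA2-Personal PMK, the 802.11 PRF for the 4-way-handshake PTK, and the EAPOL-Key MIC) and shows that the SSID enters WPA2-PSK only as the PBKDF2 salt, while the 4-way handshake itself never sees it, so a client holding a PMK that was not derived from the SSID (for example one taken from an 802.1X/EAP session, as when the same enterprise credential is valid on several SSIDs) will complete the handshake against an access point serving a different network name. The `ptk_bound_to_ssid` variant is an illustration of the fix described above (mixing the SSID into the handshake), not a standard derivation. MAC addresses, nonces, passphrase and the EAPOL frame are constructed test values.

```python
"""WPA2 key schedule written out to show where the SSID is bound and where it is not.

Added example for this newsletter; not code from the SSID Confusion paper or from SANS.
MAC addresses, nonces, passphrase and the EAPOL frame are constructed test values, and
ptk_bound_to_ssid illustrates the proposed fix, not an IEEE-standard derivation.
"""
import hashlib
import hmac

AA = bytes.fromhex("001122334455")        # constructed: AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")       # constructed: client (supplicant) MAC
ANONCE = bytes(range(32))                 # constructed nonces
SNONCE = bytes(range(32, 64))
# Constructed stand-in for EAPOL-Key message 3 with its MIC field zeroed.
EAPOL_MSG3 = bytes.fromhex("0203005f02") + b"\x13\xca\x00\x10" + bytes(8) + ANONCE + bytes(16)


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the only point in WPA2-PSK where the SSID enters the key schedule."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, length):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | counter)."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((length + 19) // 20))
    return b"".join(blocks)[:length]


def ptk_standard(pmk, aa, spa, anonce, snonce, ssid=None):
    """4-way handshake PTK as standardised: inputs are the PMK, both MACs and both nonces.
    The SSID is not an input; the parameter exists only so both derivations share a signature."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)   # KCK(16) | KEK(16) | TK(32) for CCMP


def ptk_bound_to_ssid(pmk, aa, spa, anonce, snonce, ssid):
    """Illustrative fix only (NOT 802.11): mix the SSID into the PTK so two parties that
    disagree on the network name derive different keys and the MIC check fails."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce) + ssid.encode()
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck, frame):
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 over the EAPOL-Key frame, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def mic_verifies(derive, pmk, client_ssid, ap_ssid):
    """An AP serving ap_ssid signs message 3; a client that believes it joined client_ssid
    verifies it. Both hold the same PMK, i.e. the credential is shared across SSIDs."""
    ap_kck = derive(pmk, AA, SPA, ANONCE, SNONCE, ap_ssid)[:16]
    mic = eapol_mic(ap_kck, EAPOL_MSG3)
    client_kck = derive(pmk, AA, SPA, ANONCE, SNONCE, client_ssid)[:16]
    return hmac.compare_digest(mic, eapol_mic(client_kck, EAPOL_MSG3))


def demo(passphrase="CorpWifi2024", believed="Corp", actual="Corp-Guest"):
    """Summarise the two bindings for a constructed scenario."""
    psk_bound = pmk_from_passphrase(passphrase, believed) != pmk_from_passphrase(passphrase, actual)
    # Constructed stand-in for a PMK that did not come from the SSID (e.g. an EAP MSK).
    shared_pmk = hashlib.sha256(b"constructed MSK from a credential valid on both SSIDs").digest()
    return {
        "wpa2_psk_pmk_differs_per_ssid": psk_bound,
        "handshake_accepts_wrong_ssid_with_shared_pmk": mic_verifies(ptk_standard, shared_pmk, believed, actual),
        "handshake_rejects_wrong_ssid_if_ssid_is_mixed_in": not mic_verifies(ptk_bound_to_ssid, shared_pmk, believed, actual),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%s: %s" % (name, value))
```

The practical reading for the notes above: with WPA2-PSK the passphrase-to-PMK step already keys on the SSID, so reusing one passphrase across SSIDs is what collapses that distinction into "same credential, any network"; with any PMK that is not derived from the SSID, nothing in the handshake checks the network name at all, which is why the fix has to change the handshake rather than the client.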

2024-05-13

Apple Patches Everything

On Monday, May 13, Apple released updates to address nearly 30 security issues in multiple products, including iOS, iPadOS, macOS, watchOS and tvOS. Apple patched an actively exploited vulnerability, CVE-2024-23296, in older versions of macOS and iOS; they fixed the flaw for more recent versions of the operating system in March.

Editor's Note

This update includes patches for exploited vulnerabilities in older Apple operating systems. If you still use an older device, make sure you apply these updates.

Johannes Ullrich

The patches for the newer operating systems include more CVEs: iOS/iPadOS 17.5 included 14 and macOS 14.5 included 21, while the older OSs got fewer, iOS/iPadOS 16.7.8 two and macOS 13.6.7 three. Don't let those low numbers fool you: those are back-ported fixes and, due to their larger applicability, are going to be more highly targeted.

Lee Neely

2024-05-14

Adobe Patch Tuesday

On Tuesday, May 14, Adobe released updates to address 35 vulnerabilities in a range of their products. Of particular concern are patches for critical flaws in Adobe Acrobat and Reader on both Windows and macOS; and critical vulnerabilities affecting Adobe Illustrator for both Windows and macOS. Adobe has also released updates to address vulnerabilities in Substance 3D Painter, Substance 3D Designer, Aero, Animate, FrameMaker, and Dreamweaver.

Editor's Note

Make sure you're tracking updates for both Acrobat Reader and Acrobat, both the DC and Classic 2020 versions. If you have users resistant to updating due to Adobe's new menu/look, remind them they can disable new Acrobat mode post-install and it will remain disabled for subsequent updates.

Lee Neely

Adobe Acrobat Reader is on par with Google Chrome when it comes to having a large install base. That makes reverse engineering of the patch and discovery of the underlying vulnerability a high priority in the exploit marketplace. Bottom line: check for the update, and let it update automatically.

Curtis Dukes

2024-05-16

Norway's National Cyber Security Centre Urges Organizations to Replace SSLVPN/WebVPN with IPsec with IKEv2

Norway's National Cyber Security Centre (NCSC) recommends that organizations replace SSLVPN/WebVPN with more secure alternatives due to repeated exploitation of vulnerabilities in those products. NCSC urges organizations to transition to Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2) by the end of 2025. For organizations subject to Norway's Safety Act, the deadline is the end of this calendar year.

Editor's Note

Over the years, we've seen many SSLVPN flaws (most recently Cisco, Fortinet and SonicWall). At core, the IPsec VPN is an open standard while SSLVPN is not, so manufacturers are creating their own implementations. This means that you need to double down on security best practices and applying fixes/updates if you're using an SSLVPN.

Lee Neely

I'm not sure if moving from SSLVPNs to IKEv2 or IKEv1 standards will by itself solve all problems. What I will say is that IKE was designed for this type of traffic. Maybe it is time to consider alternatives.

Moses Frost

2024-05-16

CISA Publishes Encrypted DNS Implementation Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on encrypted DNS implementation for Federal Civilian Executive Branch (FCEB) agencies. The guidance is intended to help FCEB agencies meet federal requirements related to encryption of Domain Name System (DNS) traffic and enhance the cybersecurity posture of their IT networks, as set forth in Office of Management and Budget (OMB) Memorandum M-22-09.

Editor's Note

If your team is trying to get their arms around DoH/DoT, this should help. Even if you're not bound by M-22-09, this provides guidance on creating a more secure DNS environment for your shop, to include how to handle clients bypassing enterprise DNS with built-in DoH/DoT.

Lee Neely

This is an interesting article. Although it applies to CISA and Agencies, it can be used to build a more secure DNS infrastructure in your environment.

Moses Frost
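The "clients bypassing enterprise DNS with built-in DoH/DoT" problem mentioned in the first note above is the part most shops can start on today, because it shows up in flow and TLS logs you already have. The following is an added example written for this issue, not code from CISA or the SANS editors: it runs three checks over constructed flow records (DoT on port 853 to anything but the sanctioned resolver, DoH to a well-known public resolver hostname seen in the TLS SNI, and hosts that open TLS sessions without ever talking to the enterprise resolver). The resolver address 10.1.0.53, the client addresses and the log lines are constructed; the public DoH hostnames are real endpoints.

```python
"""Spot clients that bypass the enterprise resolver with DoH/DoT, from flow records.

Added example for this newsletter, not CISA's or SANS' code. The log lines below are
constructed; 10.1.0.53 as the only sanctioned resolver is an assumption. The public
resolver hostnames are real DoH endpoints that browsers and OSes auto-upgrade to.
"""
import json
from collections import defaultdict

ENTERPRISE_RESOLVERS = {"10.1.0.53"}        # assumption: the sanctioned DNS / DoT server
KNOWN_PUBLIC_DOH = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                    "dns.quad9.net", "doh.opendns.com"}

# Constructed flow records (one JSON object per line, Zeek conn/ssl style fields).
SAMPLE_FLOWS = """\
{"ts":1715800000,"src":"10.1.2.3","dst":"10.1.0.53","dport":53,"proto":"udp"}
{"ts":1715800001,"src":"10.1.2.3","dst":"142.250.80.46","dport":443,"sni":"www.google.com"}
{"ts":1715800002,"src":"10.1.2.4","dst":"1.1.1.1","dport":853,"sni":"cloudflare-dns.com"}
{"ts":1715800003,"src":"10.1.2.5","dst":"8.8.8.8","dport":443,"sni":"dns.google"}
{"ts":1715800004,"src":"10.1.2.5","dst":"104.16.248.249","dport":443,"sni":"example.org"}
{"ts":1715800005,"src":"10.1.2.6","dst":"10.1.0.53","dport":853,"sni":"dot.corp.example"}
{"ts":1715800006,"src":"10.1.2.7","dst":"203.0.113.9","dport":443,"sni":"cdn.example.net"}
"""


def parse_flows(text):
    """Parse JSON-lines flow records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_dns_bypass(flows):
    """Return {client: sorted reasons} for clients whose name resolution is not going
    through the enterprise resolver."""
    findings = defaultdict(set)
    tls_clients, served_by_enterprise = set(), set()
    for f in flows:
        src, dst, dport, sni = f["src"], f["dst"], f["dport"], f.get("sni")
        if dport in (53, 853) and dst in ENTERPRISE_RESOLVERS:
            served_by_enterprise.add(src)            # classic DNS or DoT to our resolver: fine
        if dport == 853 and dst not in ENTERPRISE_RESOLVERS:
            findings[src].add("DoT to non-enterprise resolver %s" % dst)
        if dport == 443 and sni in KNOWN_PUBLIC_DOH:
            findings[src].add("DoH to public resolver %s" % sni)
        if dport == 443 and sni:
            tls_clients.add(src)
    # A client that reaches TLS servers by name but never queried our resolver is
    # resolving names somewhere else, most likely a DoH server we do not recognise.
    for src in tls_clients - served_by_enterprise:
        findings[src].add("TLS sessions with no lookups to the enterprise resolver")
    return {src: sorted(reasons) for src, reasons in findings.items()}


if __name__ == "__main__":
    for client, reasons in sorted(find_dns_bypass(parse_flows(SAMPLE_FLOWS)).items()):
        print(client, "->", "; ".join(reasons))
```

The third rule is the one that matters once you block the well-known resolvers, since the next stop is a DoH server nobody has listed yet; it needs a window long enough for a normal client to have made at least one enterprise lookup, and exemptions for hosts that legitimately use a local caching resolver. Pair the detection with the controls the guidance recommends on the client side: return NXDOMAIN for use-application-dns.net from the enterprise resolver so Firefox's automatic DoH stays off, and set the browser policies (DnsOverHttpsMode for Chrome) so managed clients use only your resolver.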

Internet Storm Center Tech Corner

Microsoft Patches

https://isc.sans.edu/diary/Microsoft+May+2024+Patch+Tuesday/309200

Got MFA? If not, now is the time!

https://isc.sans.edu/diary/Got+MFA+If+not+Now+is+the+Time/30926

Why yq? Adventures in XML

https://isc.sans.edu/diary/Why+yq+Adventures+in+XML/30930

Black Basta Uses Quick Assist

https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/

Various Chrome 0-Day Vulnerabilities

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html

Android Theft Protection Improvement

https://blog.google/products/android/android-theft-protection/

Critical Git Update

https://github.blog/2024-05-14-securing-git-addressing-5-new-vulnerabilities/

SSID Confusion: Making Wi-Fi Clients Connect to the Wrong Network CVE-2023-52424

https://www.top10vpn.com/assets/2024/05/Top10VPN-x-Vanhoef-SSID-Confusion.pdf

FIDO2 MitM Session Hijacking

https://www.silverfort.com/blog/using-mitm-to-bypass-fido2/?web_view=true#but-first-some-background

Detecting Bluetooth Trackers

https://security.googleblog.com/2024/05/google-and-apple-deliver-support-for.html

Adobe Patches

https://helpx.adobe.com/security/products/acrobat/apsb24-29.html

VMWare Updates

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24280

Revoking Vulnerable Windows Boot Managers

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/revoking-vulnerable-windows-boot-managers/ba-p/4121735