SANS NewsBites

Optus Breach Traced to API Coding Error; Zyxel EoL NAS Devices Under Attack; CDK Warns Customers to be on the Lookout for Social Engineering Attacks Following Ransomware Attack

June 25, 2024  |  Volume XXVI - Issue #49

Top of the News


2024-06-21

2022 Breach of Australian Telecom Optus Blamed on API Coding Error

The Australian Communications and Media Authority (ACMA) has determined that a September 2022 breach affecting telecommunications firm Optus was due to an API coding error. The issue had been present for four years before the breach. ACMA says Optus failed to protect customer data of millions of individuals.

Editor's Note

The API had two entry points, each of which was secured in 2017. In 2021, a coding error broke one of the ACLs, but the defect was only detected in one of the entry points, despite both being impacted by the same flaw. While the obvious move was to make sure that the same fixes were applied to all entry points, the better move for your future self is to only have one entry point, one set of security controls and one instance to support, secure, document and implement.

Lee Neely
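
The failure Lee describes, a separate access check on each entry point where one copy quietly broke, is the textbook argument for a single enforcement point. The following Python is an added illustration, not Optus's or ACMA's code: one handler is served on two paths, the access check lives in one wrapper, and an audit function lists any route registered without it. The route names, request shape and token value are constructed.

```python
"""Single authorization choke point for an API reachable on several paths.
Added illustration (not Optus's code): one handler on two entry points, one
wrapper holding the access check, and an audit that lists any route that was
registered without it, so the check cannot quietly vanish from one path."""
from functools import wraps

ROUTES = {}                     # path -> handler, filled by register()
AUTHZ_FLAG = "_authz_enforced"  # marker set on every guarded handler
VALID_TOKENS = {"tok-constructed-ok"}   # constructed sample credential

class Forbidden(Exception):
    """Raised when the caller's token is missing or unknown."""

def require_token(handler):
    """The one place access control lives; every route must pass through it."""
    @wraps(handler)
    def guarded(request):
        # Assumed request shape: a dict whose 'auth' key holds the caller's token.
        if request.get("auth") not in VALID_TOKENS:
            raise Forbidden(handler.__name__)
        return handler(request)
    setattr(guarded, AUTHZ_FLAG, True)
    return guarded

def register(*paths):
    """Bind one (already guarded) handler to several paths without copying the check."""
    def bind(handler):
        for path in paths:
            ROUTES[path] = handler
        return handler
    return bind

@register("/api/v1/customer", "/api/v2/customer")
@require_token
def customer_lookup(request):
    return {"customer": request["customer_id"], "status": "ok"}

def unguarded_routes(routes=None):
    """Audit: paths whose handler does not carry the guard; must be empty at startup."""
    routes = ROUTES if routes is None else routes
    return sorted(p for p, h in routes.items() if not getattr(h, AUTHZ_FLAG, False))

def is_allowed(path, request):
    """Dispatch to the registered handler and report whether the call was permitted."""
    try:
        ROUTES[path](request)
        return True
    except Forbidden:
        return False
```

Running `unguarded_routes()` as a startup check (or in CI) turns "the ACL is missing on one entry point" from a four-year latent defect into a failed deployment.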

APIs are still untested; we see such common flaws. It's web hacking like the 2000s all over again. If you haven't dug into APIs, start. If you think they are not vulnerable to the more traditional attacks, they probably are.

Moses Frost

This is the second such determination in recent weeks by an Australian government authority that a commercial business failed in implementing reasonable cybersecurity. While CIS's guide to defining reasonable cybersecurity is specific to the United States, defining reasonable cybersecurity applies globally. Reasonable cybersecurity is becoming the bar businesses will be measured against.

Curtis Dukes

2024-06-24

Shadowserver: EoL Zyxel NAS Devices are Being Attacked

Just a few weeks after critical vulnerabilities in Zyxel network-attached storage (NAS) devices were disclosed, data gathered by the Shadowserver Foundation indicates that end-of-life (EoL) Zyxel NAS devices are coming under attack. Shadowserver has reported observing instances of attempted compromise of a command injection vulnerability (CVE-2024-29973) by a Mirai-like botnet. Timothy Hjort, Student Intern in Vulnerability Research, Outpost24, detected the vulnerabilities and noted in a write-up that 'Despite the fact that the device has reached End-of-Life by the end of last year, they still released patches for the three critical vulnerabilities,' including CVE-2024-29973.

Editor's Note

There is a non-zero chance that the EOL devices will remain unpatched for the same reason they are still operating. CVE-2024-29973 has a CVSS score of 9.8. Even with the patches, the best move is to replace these with supported devices. Scan your environment for them, then take action to patch and decommission them; don't let them go into the rainy-day pile. Make sure you're not exposing NAS to the Internet.

Lee Neely

It's interesting to see what types of systems are being attacked, as we have such an American view into the state of things. Zyxel may not be the most 'relevant' company in the US, but overseas it's used quite frequently. Interesting to see how this was targeted. You must imagine that someone sat on these bugs.

Moses Frost

This disclosure should serve as a reminder that NAS devices should not be visible to the public networks, that any device vulnerabilities are likely to become more visible as time passes, and that all devices must be managed and maintained for as long as they are in use.

William Hugh Murray

2024-06-24

CDK Warns of Social Engineering Attacks Targeting Affected SaaS Customers

Automobile dealership software-as-a-service (SaaS) provider CDK Global has set up interactive voice-response lines for customers to obtain information about the ransomware attack that has disrupted operations at its customers' organizations. A message on that system from CDK says that threat actors are contacting automobile dealerships, claiming to be from CDK and trying to gain deeper access to the dealerships' systems.

Editor's Note

Seeing blood in the water, attackers are cranking up their social engineering playbook. If you and your team haven't participated in a social engineering village, you need to, even if on video, to see just how effective these techniques are. Don't forget it's not that hard to create legitimate-looking correspondence or other communication; encourage staff to verify if they have any doubts about a request for access or information. Remember to call your known-good contact, not the information in the email/document/etc.

Lee Neely

Another area of the market no one thinks about. The automotive service industry is now at the core of your mechanics and dealerships. CDK is important in that space, but we probably don't know how far this will go because it's not widely known or understood.

Moses Frost

The Rest of the Week's News


2024-06-24

LA County Health Dept. Breach Traced to Push Notification Spamming

According to a breach notification letter the Los Angeles (California) Department of Public Health sent to individuals whose data were compromised in a February 2024 cyberattack, the attackers gained access to the system through push notification spamming. The perpetrators inundated an employee with fraudulently-generated multi-factor authentication (MFA) approval requests from their Microsoft 365 account, one of which the recipient approved.
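
As an added illustration of the technique described above (not code from the LA County notification or from Microsoft), the following Python flags the pattern in a constructed authentication log: a burst of push prompts to one account inside a short window, with an approval at the end of the burst treated as the critical case. The log format, account names and thresholds are assumptions.

```python
"""Detect MFA push-notification spamming in authentication logs.
Added example, not from the LA County notice or any vendor; the log format
is constructed. Rule: alert when a user receives more than PUSH_THRESHOLD
prompts within WINDOW_SECONDS, and mark it critical if one was approved."""
from collections import defaultdict, deque
from datetime import datetime, timezone

PUSH_THRESHOLD = 5      # prompts inside the window before alerting
WINDOW_SECONDS = 600    # ten-minute sliding window

# Constructed sample lines: "<UTC timestamp> user=<upn> event=mfa_push result=<denied|timeout|approved>"
SAMPLE_LOG = """\
2024-02-14T02:01:05Z user=analyst@example.org event=mfa_push result=denied
2024-02-14T02:01:40Z user=analyst@example.org event=mfa_push result=denied
2024-02-14T02:02:10Z user=analyst@example.org event=mfa_push result=timeout
2024-02-14T02:03:00Z user=analyst@example.org event=mfa_push result=denied
2024-02-14T02:03:55Z user=analyst@example.org event=mfa_push result=denied
2024-02-14T02:04:30Z user=analyst@example.org event=mfa_push result=approved
2024-02-14T09:15:00Z user=clerk@example.org event=mfa_push result=approved
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, kv["user"], kv["event"], kv["result"]

def find_push_fatigue(log_text):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for users over threshold."""
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    alerts = {}
    for line in filter(str.strip, log_text.splitlines()):
        when, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append(when)
        # drop prompts older than the window (log is assumed to be time-ordered)
        while (when - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > PUSH_THRESHOLD:
            entry = alerts.setdefault(user, {"prompts": 0, "approved_after_burst": False})
            entry["prompts"] = max(entry["prompts"], len(q))
            if result == "approved":
                entry["approved_after_burst"] = True   # the case that became this breach
    return alerts
```

The second account never crosses the threshold, so only the burst with the trailing approval is reported.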

Editor's Note

Push Notification Fatigue is not theoretical; it's a thing, which is why you're getting pushed towards phishing-resistant MFA. Don't throw your existing MFA under the bus: it's better than mere passwords; it's that attack techniques have evolved to circumvent many of the less robust MFA options. The good news is you probably already have staff chomping at the bit to roll out passkeys, FIDO2, Certificate Based Authentication, or other robust options. Let them loose on a POC or two, then pick one to deploy this year.

Lee Neely

Social engineering, the acquisition of special knowledge or privileges, by means of fraud or deceit, remains the most efficient form of attack.

William Hugh Murray

2024-06-20

Radiology Practice Tells Patients Their Data Were Stolen in Cyberattack

Minnesota-based Consulting Radiologists is notifying more than 500,000 patients that their personal information was compromised in a breach earlier this year. The firm detected anomalous activity in February and brought in outside cybersecurity experts. Their investigation concluded in mid-April that the breach compromised sensitive personal data, including patients' names, addresses, dates of birth, Social Security numbers, health insurance information and medical records, all belonging to 511,947 people.

Editor's Note

Another ransomware event targeting the healthcare sector - check, the sector has been a frequent target for years. Here's the dilemma: when to inform patients that their PII and/or PHI data was compromised. HHS rules say within 60 days following the discovery of the breach. That puts notification at mid-April. Or is it 60 days after the investigation concludes? That's mid-June. The rules are loose enough that the only thing at risk is the patient's private data.

Curtis Dukes

Both LockBit and Qilin are taking credit for the attack. Russia-based Qilin claims to have made off with more than 70GB of Consulting Radiologists' data. This is the same group behind the politically motivated Synnovis healthcare attack in London, which was intended to cause a crisis, which is consistent with the Russian gangs' modus operandi of causing disruption. Consulting Radiologists is focused on raise-the-bar activities to prevent recurrence and is also offering a year of credit monitoring, credit report and credit score services to affected individuals.

Lee Neely

The original purpose of Social Security Numbers was to remedy inevitable name collisions among all the workers in America across time. When used to resolve name collisions in small populations, the last four digits are sufficient. Collection and retention, much less disclosure, of the whole number is reckless. Do not put your organization at risk.

William Hugh Murray

Having worked in IT, I've seen some strange setups. What makes these health issues worse is that they ask for your social security number, which exposes your identity, and then whether you pay up, they may go after your patients. Many are susceptible to thinking they owe money for their medical bills.

Moses Frost

2024-06-21

Change Healthcare Discloses Types of Data Compromised in February Breach

Change Healthcare has begun notifying organizations that their patients' data were compromised in the February cyberattack. The notifications include more specifics about what type of data were compromised. They include information about health insurance policies, medical records, diagnoses, prescriptions, test results, billing and claims information, financial account information, and ID info, including passport numbers, driver's license numbers, and Social Security numbers.

Editor's Note

Change Healthcare is still sifting through data to determine who was or was not affected by the breach, telling us this is going to take a bit. I don't fault them for caution to accurately identify affected individuals: in today's environment, of both highly connected information sharing and concentrated attacks, especially on healthcare providers, you really need to be proactive about having credit monitoring and restoration services. Don't wait for the breach notification. When was the last time you checked that your credit was locked/frozen? Trust but verify here; your peace of mind is worth it.

Lee Neely

Note that much of the PII data disclosed, while useful for resolving identity collisions at application or enrollment time, should never have been retained. The lesson for the rest of us is that retaining data longer than necessary creates a liability and a risk.

William Hugh Murray

2024-06-24

LivaNova Notifying Customers of October 2023 Breach

UK-based medical device company LivaNova is notifying nearly 130,000 individuals that their personally identifiable information was compromised in a cyberattack in late October 2023. LivaNova became aware of the incident in mid-November 2023, and a subsequent investigation determined that the intruders stole names, addresses, Social Security numbers, medical information, health insurance information, and other data. LivaNova disclosed the incident in late April, shortly after the extent of the breach was determined.

Editor's Note

Medical device manufacturer LivaNova was still refining the extent of the breach, during which 2.2 terabytes of data was exfiltrated. LockBit claimed responsibility for the attack in December. LivaNova was notifying US-based individuals in April, and started notifying non-US-based individuals in May; they are not offering credit monitoring, but rather pointing folks to free credit monitoring services. While the timeline is tricky to follow, they fixed the vulnerable systems and services right away, but the identification of affected individuals took a lot longer than expected. Make sure you are aware of where your sensitive data is, so you can rapidly identify what is affected in an incident.

Lee Neely

Another example of the gap in victim notification. While these two incidents are specific to the healthcare sector, victim notification also lags in most sectors. There are legitimate arguments for the time it takes to investigate, but that's time the criminal can use to their advantage. More often than not, the investigation concludes that data was stolen as it has for LivaNova.

Curtis Dukes

2024-06-24

Indonesia's National Data Center Hit with Ransomware

Indonesia's National Data Center has been hit with a ransomware attack. The incident has disrupted multiple services, including immigration document management as well as school and university enrollment services. Indonesia's Communications Ministry says the data center's systems were infected with a variant of LockBit and that the attackers have demanded a ransom payment of USD 8 million.

Editor's Note

Indonesia is emphatic they are not paying the ransom. This attack is the Brain Cipher, which is a new variant of the LockBit ransomware; it's not certain they are behind it, as many other threat actors are running with the leaked LockBit 3.0 builder; also, this attack is not listed on the resurrected LockBit leak site. Entry to systems was due to disabling the Windows Defender security, which allowed malware to be installed. While more information is still forthcoming, it'd be a good idea to verify an alert would trigger, and be responded to, when security services are disabled.

Lee Neely

Ransomware gangs pretty much target every sector to include national government. While it is doubtful they will get a payout, the information has value as part of the criminal supply chain.

Curtis Dukes

2024-06-24

Japan's Space Agency Says Cyber Incidents Have Not Compromised Sensitive Data

The Japan Aerospace Exploration Agency (JAXA) has experienced several cyberattacks over the past year. Officials say that the incidents have not compromised sensitive rocket and satellite data. Japan's Chief Cabinet Secretary, Yoshimasa Hayashi, says security officials are taking steps to protect JAXA systems from future attacks.

Editor's Note

Space exploration and research is known for extensive collaboration between the public and private sectors. As such, having reachable servers and services is common. The hard part for all of us supporting wide collaboration is to not only ensure the components involved are patched and secured, but to also move to more secure practices. Beyond moving to modern technology (I know that FTP server still works, but...), this also means embracing modern security practices, such as MFA, endpoint signaling before allowing connections, and comprehensive logging/monitoring with automated responses. Look for untapped capabilities in existing services which could be good candidates to raise the bar in a non-disruptive fashion.

Lee Neely

2024-06-24

US Sanctions (Most) Kaspersky Executives and Leaders

Following the US Department of Commerce's announcement of an upcoming ban on Kaspersky products and services due to national security concerns, the Treasury Department imposed sanctions on a dozen people who hold leadership positions at Kaspersky. The company's CEO and founder, Eugene Kaspersky, has not been sanctioned. The sanctions prohibit US individuals and entities from conducting business with those named. Important Kaspersky ban dates: as of July 20, 2024, Kaspersky may not sell its products or services in the US; as of September 29, 2024, Kaspersky Security Network must cease operating in the US, which means no more Kaspersky software updates and antivirus signatures will be provided as of that date.

Editor's Note

This reminds me of a question my buddy John and I were discussing about which is better: a silent or USG-only ban, which leaves the private sector unprotected, or a public one like this which can be contested/debated. The research and threat profile for both are the same. The sanctions are based on Executive Order 14024, from April 2021, which allows sanctioning against individuals and entities furthering specified harmful foreign activities of the Russian Federation.

Lee Neely

Internet Storm Center Tech Corner

Sysinternals Process Monitor Version 4 Released

https://isc.sans.edu/diary/Sysinternals+Process+Monitor+Version+4+Released/31026

Configuration Scans Expand

https://isc.sans.edu/diary/Configuration+Scanners+Adding+Java+Specific+Configuration+Files/31032

SQL Server Emergency Fix

https://support.microsoft.com/en-us/topic/june-20-2024-kb5041054-os-build-20348-2529-out-of-band-b746ffbd-934e-42ac-9c66-ed0636edf7f1

Juniper Security Analytics Update

https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP8-IF03?language=en_US

Kaspersky Sanctions

https://home.treasury.gov/news/press-releases/jy2420

MacOS/iOS XNU Buffer Overflow Exploit CVE-2024-27815

https://jprx.io/cve-2024-27815/

Phoenix UEFI Buffer Overflow Affects Wide Range of Systems

https://eclypsium.com/blog/ueficanhazbufferoverflow-widespread-impact-from-vulnerability-in-popular-pc-and-server-firmware/

Ghostscript Update

https://ghostscript.readthedocs.io/en/gs10.03.1/News.html

js2py vulnerability

https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape