SANS NewsBites

French Telecom and Train Service Sabotaged; VMware ESXi Hypervisor Vulnerability; Patch ServiceNow Now

July 30, 2024  |  Volume XXVI - Issue #58

Top of the News


2024-07-29

Telecom and High-Speed Train Services in France Were Sabotaged

Vandals severed fiber optic cables used by several French telecommunications companies. Police say that the incident has disrupted both fixed and mobile services in six areas of France; Paris is not affected. The malicious activity follows close on the heels of sabotage that disrupted the SNCF high-speed train service shortly before the Olympics opening ceremonies.

Editor's Note

Distributed infrastructure like trains, power lines and communication lines is very susceptible to physical attack. As it is impossible to prevent these attacks, detection becomes even more important to prevent accidents. Luckily, it appears that the detection part worked, and nobody was injured due to the sabotage events.

Johannes Ullrich

Sometimes the weakest link in the IT security chain is a low-tech physical attack. It's hard to defend against, as you have buried cables, junction boxes, and buildings that house the IT equipment. In this case it appears to have been a coordinated attack for reasons yet to be disclosed.

Curtis Dukes

Sabotage in the form of demonstration. Was this part of your risk assessment?

Moses Frost

These fibers were not easily reached; the vandals did their homework on the location and impact of the cuts. Regardless of the motivation, make sure you don't still rely on security by obscurity, and that even hard-to-find locations are as secure as those which aren't. Then assess your ability to effect service restoration in these areas to make sure you can still meet RTO.

Lee Neely

This attack was intended to disrupt the opening of the Paris 2024 Olympics. Speculation is that it took place outside of Paris because of the security measures in place in Paris. In the modern world, one cannot rely exclusively on perimeter security. The further out one pushes the perimeter, the more porous it becomes. Think layered security.

William Hugh Murray

2024-07-29

Microsoft: VMware ESXi Hypervisor Vulnerability is Being Actively Exploited

Microsoft warns that ransomware groups are actively exploiting a known flaw in the VMware ESXi hypervisor to gain full administrative access to vulnerable hosts. The authentication bypass vulnerability (CVE-2024-37085) was fixed by Broadcom in late June (VMSA-2024-0013); Microsoft published its analysis of the in-the-wild exploitation on July 29. Exploitation requires the ESXi host to be joined to an Active Directory domain and the attacker to already hold AD privileges sufficient to create or rename a group, which is why the flaw is being used after an initial foothold rather than as an entry point.
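The abuse path is an Active Directory change (create a group named "ESX Admins", or rename an existing one to that name, then add a member), so it can be watched from the domain side. The following is an added example written for this item, not code from SANS, Microsoft, or Broadcom: it runs a simple detector over constructed Windows Security event records (the flat-dict shape of each record, and the `SamAccountName` field used for renames, are assumptions of this example) and audits the two ESXi advanced settings that govern the behaviour, whose names are taken from VMware's AD-integration documentation.

```python
"""Detect the AD changes an attacker makes to abuse the default ESXi
"ESX Admins" group, and audit the ESXi settings involved.

Added example for this NewsBites item; not code from SANS, Microsoft,
or Broadcom. Event records below are constructed, and their shape (one
flat dict per Windows Security event, keyed by the event's named
fields) is an assumption; in practice the same fields arrive via
Windows Event Forwarding or a SIEM.
"""

# Windows Security event IDs for security-enabled groups, listed as
# (global, domain-local, universal).
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4737, 4735, 4755}   # a rename is logged as a "changed" event
MEMBER_ADDED = {4728, 4732, 4756}

# Group name ESXi looks for by default once the host is joined to AD.
DEFAULT_ESX_GROUP = "ESX Admins"

# ESXi advanced settings controlling the behaviour (shipped defaults shown
# in audit_esxi_settings below).
SETTING_GROUP = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
SETTING_AUTO_ADD = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"


def normalize(name):
    """Loose comparison (case, surrounding and repeated whitespace). This is
    a defensive choice for the detector, not a statement about how ESXi
    itself compares the name."""
    return " ".join((name or "").split()).casefold()


def detect_esx_admins_abuse(events, group_name=DEFAULT_ESX_GROUP):
    """Return (kind, actor, detail) for every event that creates a group
    with the watched name, renames a group to it, or adds a member to it."""
    wanted = normalize(group_name)
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        current = normalize(ev.get("TargetUserName"))   # group the event is about
        # For "changed" events the new SAM account name sits in the
        # changed-attributes section; this field name is an assumption here.
        new_name = normalize(ev.get("SamAccountName"))
        if eid in GROUP_CREATED and current == wanted:
            findings.append(("group_created", actor, ev.get("TargetUserName")))
        elif eid in GROUP_CHANGED and new_name == wanted and current != wanted:
            findings.append(("group_renamed", actor, ev.get("TargetUserName")))
        elif eid in MEMBER_ADDED and current == wanted:
            findings.append(("member_added", actor, ev.get("MemberName", "?")))
    return findings


def audit_esxi_settings(settings):
    """Flag a domain-joined host still running with the shipped defaults:
    auto-add enabled and the well-known group name."""
    findings = []
    if settings.get(SETTING_AUTO_ADD, True):
        findings.append("esxAdminsGroupAutoAdd is enabled: members of the AD "
                        "group are granted ESXi admin rights automatically")
    if normalize(settings.get(SETTING_GROUP, DEFAULT_ESX_GROUP)) == normalize(DEFAULT_ESX_GROUP):
        findings.append("esxAdminsGroup is still the well-known default name")
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "hr.admin", "TargetUserName": "Finance Analysts"},
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4737, "SubjectUserName": "svc_backup", "TargetUserName": "Helpdesk Tier1",
     "SamAccountName": "esx  admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr.admin", "TargetUserName": "Finance Analysts",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
]

SAMPLE_ESXI_SETTINGS = {
    SETTING_GROUP: "ESX Admins",
    SETTING_AUTO_ADD: True,
}

if __name__ == "__main__":
    for kind, actor, detail in detect_esx_admins_abuse(SAMPLE_EVENTS):
        print(f"AD  : {kind:<14} by {actor:<10} -> {detail}")
    for finding in audit_esxi_settings(SAMPLE_ESXI_SETTINGS):
        print(f"ESXi: {finding}")
```

Two points worth noting from the design: the rename branch matters as much as the create branch, because renaming an existing group produces no "group created" event at all; and if you change the ESXi group-name setting, pass the new name to `detect_esx_admins_abuse` so the alert follows the setting rather than the string "ESX Admins".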

Editor's Note

It turns out that if you take your control plane (or Tier 0) infrastructure and hook it into your Active Directory (in most cases Tier 1), you could have problems. In this case, according to documentation dating back to 2012, all you need to do is create an AD group called ESX Admins; anyone in this group is automatically an ESXi admin. Being an ESXi admin effectively means your infrastructure can be completely taken over. Your EDR? It isn't going to help you here.

Moses Frost

There are three flaws being addressed, CVE-2024-37085, CVE-2024-37086 and CVE-2024-37087, and they affect ESXi 7 & 8 as well as Cloud Foundation 4 and 5 and vCenter 7 & 8. If you're not on the current versions (ESXi 8, vCenter 8, Cloud Foundation 5), you're not going to have fixes for all three flaws. Note there are only workarounds for CVE-2024-37085, which are applied after your ESXi host is joined to the AD domain. Deploy the updates.

Lee Neely

2024-07-26

ServiceNow Vulnerabilities Under Exploitation

According to researchers from Resecurity, threat actors have been exploiting three vulnerabilities in ServiceNow to execute code remotely. Two input validation flaws (CVE-2024-4879 and CVE-2024-5217) are rated critical. The third, a sensitive file read issue (CVE-2024-5178), is rated medium severity. ServiceNow released updates and hotfixes to address the flaws on July 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

Editor's Note

The updates were applied to the hosted instances of ServiceNow (Utah, Vancouver and Washington DC) and released for self-hosted instances to apply. Verify which category you're in and that the patches are applied; then you may be done. If you're on a SN version older than Utah, you need to update. The KEV due date for the updates is August 19th.

Lee Neely

AssetNote conducted some interesting research and disclosed vulnerabilities in ServiceNow. Threat actors are taking no time to exploit these issues or find new ones. https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data

Moses Frost

The lessons learned from the SolarWinds compromise five years ago still apply - highly privileged apps (like system management, directories, etc.) will always be targets and will always need expedited patching and anomaly monitoring.

John Pescatore

The Rest of the Week's News


2024-07-29

Apple Backports Fix for Critical Zero-day

Apple has released a fix for an older version of macOS to address a critical vulnerability that is being actively exploited. The flaw was initially addressed in March 2024; at that time, patches were released for more recent versions of macOS, and the flaw was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The patch released on Monday, July 29 brings the fix to macOS Monterey 12.7.6. Per Apple's advisory, the memory corruption flaw lets an attacker who already has arbitrary kernel read and write capability bypass kernel memory protections, removing the last obstacle to complete compromise of a vulnerable device.

Editor's Note

It's Apple update Tuesday; they released visionOS 1.3, tvOS 17.6, macOS 12.7.6, 13.6.8 & 14.6, watchOS 10.6, iOS/iPadOS 16.7.9 & 17.6, and Safari 17.6. The fixes are being back-ported to all the supported versions. You should be moving the macOS 12 systems forward, as support ends when macOS 15 releases this fall.

Lee Neely

Apple rarely makes patches available for older devices, creating a culture amongst users to upgrade as new OS versions become available. It's also worth noting that the table stakes must be sufficiently high for Apple to patch its third oldest OS version.

Curtis Dukes

There is a natural conflict between backward compatibility and security. For this reason, Apple does not commit to backward compatibility. If you get it, it's a gift. On the other hand, Apple encourages users to stay current. (I am going to upgrade to iOS 17.6 as soon as I press send on these comments.)

William Hugh Murray

2024-07-29

Acronis Cyber Infrastructure Vulnerability

A critical vulnerability in certain versions of Acronis Cyber Infrastructure (ACI) is being actively exploited. The flaw is an authentication bypass caused by the product shipping with a default password; Acronis released updates to address it last fall. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Editor's Note

Acronis is critical infrastructure. Monitor it closely, just like ESXi.

Moses Frost

Hardcoded and default passwords are the gift that keeps on giving. We need to change the culture to cease using them. Add asking about their use to your vendor qualification process, ensuring they can be changed or avoided. Also, make sure your team is changing/setting these for any install, including a demo or POC. Per the KEV, you need to apply the updates by August 19th.

Lee Neely

Ugh, a vendor that still uses default passwords, a clear violation of Secure by Design principles. Users should change the default password, as they look to update the product. Separately, the company should move to instance-unique set-up passwords for all future versions of the product.

Curtis Dukes

2024-07-26

Telerik Releases Updates for Progress Telerik Reporting and Report Server

Telerik has released updates to address critical vulnerabilities in their Progress Telerik Reporting and Report Server products. In Telerik Reporting versions 2024 Q2 (18.1.24.514) and earlier, an insecure type resolution vulnerability could be exploited to launch an object injection attack. In Telerik Report Server versions 2024 Q2 (10.1.24.514) and earlier, a deserialization of untrusted data vulnerability could be exploited to achieve remote code execution. Users are urged to update to Telerik Reporting version 2024 Q2 (18.1.24.709) or later and Telerik Report Server version 2024 Q2 (10.1.24.709) or later.

Editor's Note

It looks like after a few Progress Software vulnerabilities, we are starting to see a deluge of these from the company. Progress Software is a conglomerate similar to companies like CA. Expect more issues like this from the company. Maybe it does make a case for MORE product security testing. Most companies that do it are in the top 10%, but those companies may not necessarily run mid-market software like this.

Moses Frost

2024-07-29

Google Workspace Password Manager Incident

Google has acknowledged that for about 18 hours on July 24 and 25, a significant number of users were unable to find or save passwords in the Chrome browser's built-in password manager. The issue affected users of the M127 version of Chrome. Google provided an interim workaround during the incident; once it was resolved, Google recommended that users restart their browsers to ensure the fix is applied.

Editor's Note

With the regular updates to Chrome, many users are already restarting browsers weekly. Make sure that you've set enterprise controls to ensure the updates are applied and a restart happens in a reasonable timeframe, say 48 hours.

Lee Neely

2024-07-29

HealthEquity Discloses Breach

HealthEquity, a financial services company that serves the healthcare sector, has disclosed a breach of a third-party vendor's systems that compromised data belonging to 4.3 million people who signed up for health savings accounts. HealthEquity said they received an alert of a 'systems anomaly' in March that triggered an investigation that revealed, at the end of June, an intrusion. The compromised data include name, address, phone number, Social Security number, employee ID, employer, dependent information, and payment card information.

Editor's Note

Not a lot of detail is out to explain the more than three-month time to detect, but it sounds like the vendor may never have detected being compromised. Contracts with vendors handling sensitive/regulated information need to include terms of service around key security performance indicators.

John Pescatore

It appears to be a simple 'smash and grab' using compromised logon credentials. What's troubling is that it took almost 90 days to determine that PHI/PII data was taken and another month for the data breach notice to be filed. It's also disconcerting that the data taken was stored outside our core systems, a failure of the company's data protection control.

Curtis Dukes

In the light of SolarWinds, CrowdStrike, this and other recent events, many organizations need to rethink their management culture, philosophy, policies, methods, and procedures. Give special attention to where multi-party controls may be essential and efficient. Do single individuals have authority to execute transactions or make changes that put the mission, health, or life of the enterprise at risk?

William Hugh Murray

2024-07-29

NVD Backlog Catch-up Estimates

According to estimates from Fortress Information Security, the US National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) will not clear its backlog of CVEs until early next year. In February, the number of vulnerabilities being analyzed by NVD dropped significantly. In May, NIST announced that Analygence would be helping clear the backlog of vulnerabilities and predicted that they would be caught up by the end of September. Fortress, which has been monitoring the situation, predicts that the backlog will not be cleared until early 2025.

Editor's Note

While the backlog is being addressed at about 30 CVEs/day, new CVEs are arriving at about 111/day, so the contractor has a challenge to get through the existing backlog of about 17,000. While they are scaling up, it is estimated they need to process about 220/day to get ahead. While it's easy to sit back and say things like automated analysis or even AI will help, at core Analygence needs staff to get this done, and they are as challenged as the rest of us to find quality staff.

Lee Neely

Internet Storm Center Tech Corner