SANS NewsBites

Infrastructure Breaches: State-Sponsored Threat Actors Target US Broadband Providers' Court-Authorized Wiretap Interfaces; Wayne County, Michigan Government Websites Down; American Water Works SEC Filing Indicates Unauthorized Network Activity

October 8, 2024  |  Volume XXVI - Issue #77

Top of the News


2024-10-07

Chinese Salt Typhoon Threat Actors Breached US Broadband Providers' Networks

According to a report in The Wall Street Journal, a threat actor group with ties to China's government has broken into the networks of several US broadband providers. Known as Salt Typhoon, the group may have accessed systems used for court-authorized wiretaps. The breached companies include Verizon, AT&T, and Lumen/CenturyLink. The incident is being investigated by the FBI, U.S. intelligence agencies, and the Department of Homeland Security.

Editor's Note

If you build it, they will come. The court-authorized wiretap interfaces at telco providers are too juicy of a target for attackers to overlook. Note to also closely monitor any infrastructure like this in your own environment. You may not deal with court ordered wiretaps, but your security team likely still has extensive systems to reach out to and monitor endpoints.

Johannes Ullrich

Large ISPs are attractive targets for nation state intelligence agencies and present an equally large attack surface. While they could do more for the security of their users, they cannot be relied upon to do so. Targeted users should take appropriate precautions, to include end-to-end encryption and proprietary DNS service.

William Hugh Murray

The attack vector used by Salt Typhoon/GhostEmperor in this case is unknown. In the past they have been known to obtain initial access through flaws like the Exchange ProxyLogon vulnerability to leverage a custom backdoor, SparrowDoor, customized Mimikatz, and a rootkit known as Demodex. Make sure that any remaining on-premises Exchange servers are fully patched, and reach back to your team to make sure that MFA is required on your Internet facing services.

Lee Neely

Details are lacking, but two immediate thoughts: 1) there has to be an exploit in common for all three communication service providers (CSPs); and 2) over time CSPs automate CALEA implementation, which creates a pathway to those protected systems. Nation states understand that, as they implemented them in their own countries.

Curtis Dukes

2024-10-03

Wayne County, Michigan is Dealing with a Cybersecurity Incident

Wayne County, Michigan, which includes the city of Detroit, is dealing with the aftermath of a cyberattack that shut down government websites and disrupted operations of several offices. The incident reportedly began on Wednesday, October 2. Sources say that the county is experiencing disruptions in collecting taxes and processing prison inmates. A county spokesperson said they expected to be 'fully operational' by Friday, October 4.

Editor's Note

Wayne County was putting updates on their Facebook page while their website was offline; these are reflected on the home page of the now restored county website. Wayne County is the largest county in Michigan with 1.75 million residents. This is the latest blow to Michigan, which included hits on Flint and Traverse City, as well as impacts from the Ascension and McLaren hospital ransomware incidents. Don't assume you're not a target and leave things be. Be proactive: start with the basics (MFA, patching and monitoring) and grow from there.

Lee Neely

Municipalities rank right up there with healthcare as targets for ransomware attacks. Take appropriate care to include strong user authentication, isolating mission critical applications from e-mail and browsing, and having hot backup and recovery.

William Hugh Murray

2024-10-07

American Water Works Company

In an 8-K form filed with the SEC on October 7, 2024, the American Water Works Company disclosed a cyberattack described as "unauthorized activity within its computer networks." The company - whose services cover approximately 14 million people - states that no drinking water or wastewater plants have been affected, but the customer account system, bill payment portal, and call center are offline. Reported mitigation efforts include "disconnecting or deactivating" systems, and consulting "third-party cybersecurity experts." At just over two weeks after a cyberattack on a Kansas water treatment facility, this is the latest in a series of attacks on US water plants, coinciding with EPA and legislative efforts to shore up "critical cybersecurity vulnerabilities" in the largely non-compliant industry.

Editor's Note

A lot of focus has been on nation states potentially targeting critical infrastructure and efforts to protect said infrastructure. That is a concern, but this also could have been a simple ransomware event, targeting the internet accessible IT systems of critical infrastructure providers. There exist good solid cybersecurity frameworks (e.g., NIST CSF, ISO 27001, CIS Controls) that work, if implemented. Efforts should be made to ease the implementation and monitoring against one of those frameworks.

Curtis Dukes

American Water has published a FAQ on impacted services (amwater.com/corp/security-faq) and promises to update their home page as things change. It's not easy to find those updates; they are on their essential services page with a link back to the FAQ. On a positive note, while the billing system is offline, customers will not be assessed late fees or have service disconnected. One hopes customers will be notified when the system is online. When you're doing notification, consider making things more easily found.

Lee Neely

'Largely non-compliant' means failure to employ basic hygiene. However, the industry is also plagued with ad hoc connections to the public networks placed not by management but by operators for their own convenience. In the absence of basic security measures this is all too easy to do. Management should provide operators with necessary, even useful, connections using VPNs that terminate on the intended control, not on the perimeter.

William Hugh Murray

The Rest of the Week's News


2024-10-07

MITRE Launches Collaborative AI Incident Sharing Initiative

MITRE's Center for Threat-Informed Defense has collaborated with 15 private-sector organizations to develop the AI Incident Sharing Initiative. The project is part of MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) framework and operates 'as a mechanism for a community of trusted contributors to both receive and share protected and anonymized data on real world AI incidents that are occurring across operational AI-enabled systems.'

Editor's Note

Invariably, more industry collaboration is better than less, but self-inflicted wounds are as much, if not more, of a threat than adversaries. The wisdom of the Critical Security Controls and OWASP Top 20 apply to all large software systems, which includes AI.

John Pescatore

As AI continues to find its way into our environments, having a feed of AI incidents and defenses becomes a critical layer of defense. You should be reading up on ATLAS and seeing how you can leverage the data in your environment. Start with the beta set of AI mitigations which are designed to prevent techniques or sub-techniques from being executed. ATLAS mitigations can be found here: atlas.mitre.org/mitigations/

Lee Neely

There are two hard problems in intelligence. The first is enlisting reliable, but not necessarily trusted, sources. The second is identifying those who can use the intelligence to your advantage without compromising it. Ideally these are both small populations, as MITRE is using in this application.

William Hugh Murray

2024-10-07

Ireland's Data Protection Commission is Investigating Ryanair's Customer Verification Process GDPR Compliance

Ireland's Data Protection Commission (DPC) is investigating Ryanair's processing of customer personal data. Specifically, the DPC has received complaints from people that Ryanair is demanding extra data from customers who book flights through travel agencies or third-party websites. In some cases, the extra information demanded includes biometric data. The investigation is focusing on whether Ryanair's methods of gathering and holding the data comply with the General Data Protection Regulation (GDPR).

Editor's Note

Protection and storage of collected data will continue to be an issue for companies. The question for the DPC will boil down to this: is the data collected the same as what Ryanair would collect from its own website?

Curtis Dukes

Biometric data is not as vulnerable to disclosure or use as one might intuitively infer. It does not rely upon the secrecy of the stored reference for security (as do passwords and private keys) but upon the difficulty of counterfeiting the instant data. Biometric instant data is vulnerable to replay and therefore is most often employed, for convenience, as additional factors in MFA where protection from replay is provided by a different factor.

William Hugh Murray

Ryanair, famous for their low-cost, no-frills, everything-extra flights, has historically resisted efforts by third parties to sell their flights. They implemented the added ID validation as a deterrent and protection to consumers from unauthorized online travel agents who may be overcharging or scamming customers. The process has had numerous complaints. The issue here isn't addressing those concerns; rather, the focus is on how Ryanair is protecting and disclosing the gathered ID/biometric data, particularly in cross-border scenarios, in this process. If you're processing data covered by the GDPR, double down on making sure you're following all of the requirements to avoid undue scrutiny by the DPC.

Lee Neely

2024-10-07

FBCS Breach Compromised Comcast and Truist Bank Customer Data

In a supplemental filing with the Office of the Maine Attorney General, Comcast says that the Financial Business and Consumer Solutions (FBCS) breach in February of this year compromised data belonging to more than 237,000 Comcast customers. Initially, FBCS said that Comcast customer data were not affected, but in July, FBCS notified Comcast that their customer data were compromised. Truist Bank recently notified customers that their data may also have been compromised in the FBCS breach. The total number of individuals affected by the FBCS breach is estimated to exceed four million.

Editor's Note

FBCS is a debt collector, initially reporting a compromise in March. At that time, FBCS said the incident did not affect Comcast data. However, in July they notified Comcast that their customer data were compromised in the breach. Comcast stopped using the service in 2020; however, they didn't take steps to ensure their data was removed from FBCS systems. FBCS is claiming they are financially unable to bear the cost of identity monitoring/credit restoration services, so it falls to their customers, Comcast, CF Medical, etc. to pay for this. Make sure that you have procedures for clearing (and verifying) data on third-party service providers as well as an understanding of where liability falls should they have a breach with limited financial solvency.

Lee Neely

2024-10-07

Okta Addresses Sign-on Policy Bypass Vulnerability

Okta has identified and resolved a vulnerability in Okta Classic that could have been exploited to bypass sign-on policies and gain unauthorized access to applications. The vulnerability was introduced in the July 17, 2024 release of Okta Classic, and has been resolved in the Okta production environment since October 4, 2024. Okta recommends that users 'review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as 'unknown' between July 17, 2024 and October 4, 2024.' Okta provides details about how to perform the review in their advisory.

Editor's Note

The vulnerability only existed in certain configurations of Okta Classic; even so, you should check your logs using the following query: outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso" for possible exploits, particularly authentication from unusual locations, IPs or times of day. While the vulnerability was introduced on July 17, it wasn't identified until September 27, and rapidly addressed with a tested patch in production eight days later.

Lee Neely
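The System Log query in the note above is what you paste into the Okta console; the script below, an added example for this issue and not Okta's code or part of its advisory, applies the same conditions offline to an exported System Log and then does the triage the note suggests, flagging matching logins that came from a country the user has never signed in from elsewhere in the export. Field paths (eventType, outcome.result, client.device, client.geographicalContext.country, actor.alternateId, published, uuid) follow Okta's published System Log schema; every event in it is constructed for the example and was not exported from a real tenant.

```python
"""Triage an Okta System Log export for the Okta Classic sign-on policy
bypass window (2024-07-17 through 2024-10-04).

Added example, not Okta's code. Applies the advisory's query conditions
(successful user.authentication.sso events whose client.device evaluated to
"unknown"), restricted to the vulnerable window, then flags users whose
matching logins came from a country absent from their other successful
logins. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)


def _event(uuid, published, user, event_type, result, device, country):
    """Build a minimal event in the System Log JSON shape (constructed data)."""
    return {
        "uuid": uuid,
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"alternateId": user},
        "client": {"device": device, "geographicalContext": {"country": country}},
    }


# Constructed sample export: two hits inside the window, one of them from a
# country that user has never logged in from before.
SAMPLE_EVENTS = [
    _event("evt-1", "2024-08-02T14:03:11.000Z", "alice@example.com",
           "user.authentication.sso", "SUCCESS", "Unknown", "United States"),
    _event("evt-2", "2024-06-01T09:15:00.000Z", "alice@example.com",
           "user.authentication.sso", "SUCCESS", "Computer", "United States"),
    _event("evt-3", "2024-09-10T03:42:57.000Z", "bob@example.com",
           "user.authentication.sso", "SUCCESS", "unknown", "Romania"),
    _event("evt-4", "2024-09-01T08:00:00.000Z", "bob@example.com",
           "user.authentication.sso", "SUCCESS", "Mobile", "Germany"),
    # Outside the window: device "Unknown" but after the fix shipped.
    _event("evt-5", "2024-10-06T11:00:00.000Z", "carol@example.com",
           "user.authentication.sso", "SUCCESS", "Unknown", "Brazil"),
    # Wrong event type and a failed attempt: neither should match.
    _event("evt-6", "2024-08-20T10:00:00.000Z", "dave@example.com",
           "user.session.start", "SUCCESS", "Unknown", "Canada"),
    _event("evt-7", "2024-08-21T10:00:00.000Z", "erin@example.com",
           "user.authentication.sso", "FAILURE", "Unknown", "Canada"),
]


def _published(event):
    # Okta emits RFC 3339 timestamps with a trailing "Z".
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def matches_advisory_query(event):
    """Python equivalent of: outcome.result eq "SUCCESS" and
    (client.device eq "Unknown" OR client.device eq "unknown") and
    eventType eq "user.authentication.sso", bounded to the vulnerable window."""
    return (
        event.get("eventType") == "user.authentication.sso"
        and event.get("outcome", {}).get("result") == "SUCCESS"
        and str(event.get("client", {}).get("device", "")).lower() == "unknown"
        and WINDOW_START <= _published(event) <= WINDOW_END
    )


def suspicious_events(events):
    """All events in the export that satisfy the advisory query."""
    return [e for e in events if matches_advisory_query(e)]


def baseline_countries(events):
    """Countries each user logged in from on successful events that did NOT
    match the query; a crude 'usual location' baseline per user."""
    baseline = defaultdict(set)
    for e in events:
        if e["outcome"]["result"] == "SUCCESS" and not matches_advisory_query(e):
            baseline[e["actor"]["alternateId"]].add(
                e["client"]["geographicalContext"]["country"])
    return baseline


def flag_anomalous_users(events):
    """Map user -> uuids of matching events whose country is absent from that
    user's baseline. These are the hits to triage first."""
    baseline = baseline_countries(events)
    flagged = defaultdict(list)
    for e in suspicious_events(events):
        user = e["actor"]["alternateId"]
        country = e["client"]["geographicalContext"]["country"]
        if country not in baseline.get(user, set()):
            flagged[user].append(e["uuid"])
    return dict(flagged)


if __name__ == "__main__":
    for hit in suspicious_events(SAMPLE_EVENTS):
        print("matches advisory query:", hit["uuid"], hit["actor"]["alternateId"])
    print("triage first:", flag_anomalous_users(SAMPLE_EVENTS))
```

On the constructed data, evt-1 and evt-3 match the query, but only bob's login (evt-3, from Romania) is outside his baseline and lands in the triage list; alice's Unknown-device login from her usual country is still a hit worth reviewing, just lower priority. Against a real export, replace SAMPLE_EVENTS with the parsed JSON from the System Log API and widen the baseline to more than one export if your retention allows.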

2024-10-07

Update Now: Cross-Site Scripting Flaw in LiteSpeed Cache WordPress Plugin

A high-severity cross-site scripting vulnerability in the LiteSpeed Cache plugin for WordPress could be exploited to gain elevated privileges and potentially load malware onto unpatched websites. The issue affects LiteSpeed Cache up through version 6.5.0.2; users are urged to update to the most recent version of the plugin, which has more than six million active installations.

Editor's Note

The vulnerability, CVSS score 7.1, is due to improper input neutralization and could be used to inject malicious scripts, advertising, redirects, and other payloads into your site. Auto-update should have already fixed your plugin, but you should double check. Uninstall any unused plugins or themes. Ask the hard questions on any plugins without updates, and minimize the number of plugins to keep the attack surface small and your site stable.

Lee Neely

Cross-site scripting vulnerabilities have been around for decades and are totally preventable. Seems as though the developers need some remedial training in secure software development practices like input validation and output encoding. Developers, take a look at the OWASP Cheat Sheet Series.

Curtis Dukes

The value of WordPress plugins must be balanced against their historic quality. They should be employed sparingly and managed carefully.

William Hugh Murray

2024-10-05

iOS 18.0.1

A "logic issue" in the VoiceOver screen reader (CVE-2024-44204) and a bug in the Media Session component (CVE-2024-44207) were both patched by Apple's release of iOS and iPadOS 18.0.1. The VoiceOver flaw allowed the accessibility feature to read aloud a user's saved passwords; the Media Session issue allowed the Messages app to record "a few seconds of audio before the microphone indicator is activated" when creating an audio message. Both CVSS base scores are rated medium.

Editor's Note

We may have caught a break in that Apple is not indicating these flaws are being actively exploited. The Media Session flaw is specific to the iPhone 16, while the VoiceOver flaw affects all devices running iOS 18; it has a CVSS 3.1 score of 5.5. It's a good idea to push iOS/iPadOS 18.0.1 to all your devices running version 18.0.

Lee Neely

Most Apple iOS users should enable automatic updates.

William Hugh Murray

2024-10-04

Cloudflare Handles Record-Breaking DDoS Attack

A blog post from Cloudflare reports that during September 2024, their protection systems mitigated a campaign of over 100 hyper-volumetric L3/4 DDoS attacks, the largest of which reached an unprecedented 3.8 terabits per second (Tbps) and 2.14 billion packets per second (pps). Cloudflare indicates that the attack targeted their customers in the "financial services, Internet, and telecommunication industries." The attack was likely carried out by a botnet comprising "MikroTik devices, DVRs, and Web servers," as well as ASUS home routers exploited through a critical authentication bypass vulnerability (CVE-2024-3080, CVSS 9.8).

Editor's Note

Those flaws on SOHO routers continue to be exploited to build botnets with amazing impact. Make sure that you're not exposing management interfaces and are keeping the firmware updated and replacing EOL devices proactively. These things can be hard for home users, and while plans for certified devices which are born secure and default to automatic updates continue to evolve, the hard part will likely remain the challenge of getting folks to replace a device which "works perfectly." A challenge for us to convey to our friends and family when they call for help.

Lee Neely

Botnets include many devices that cannot protect themselves from traffic on the public network and are loosely managed.

William Hugh Murray

Internet Storm Center Tech Corner

macOS Sequoia: System/Network Admins, Hold On!

https://isc.sans.edu/diary/macOS+Sequoia+SystemNetwork+Admins+Hold+On/31330

Survey of CUPS exploit URLs

https://isc.sans.edu/diary/Survey+of+CUPS+exploit+attempts/31326

Free API Security Workshop

https://www.sans.org/webcasts/aviata-solo-flight-challenge-cloud-security-workshop-chapter-7/

Cisco Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv34x-privesc-rce-qE33TCms

Apple iTunes PoC

https://github.com/mbog14/CVE-2024-44193

Attackers used ISP's Wiretap System to Spy on Users

https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835 (paywall)

https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/

Exposed LDAP Servers

https://www.usenix.org/conference/usenixsecurity24/presentation/kaspereit

Exploiting Visual Studio via Dump Files

https://ynwarcs.github.io/exploiting-vs-dump-files

Apple Security Updates

https://support.apple.com/en-us/100100