SANS NewsBites
Annotated News Update from the Leader in Information Security Training, Certification and Research
October 4, 2024 Vol. 26, Num. 76
Top of The News
* Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
* Patch Now: Critical Zimbra Flaw in postjournal is Being Actively Exploited
* Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks
The Rest of the Week's News
* Multiple Flaws Found in DrayTek Vigor Routers
* Fixes Available for Multiple Jenkins Vulnerabilities
* Aqua Nautilus Dissects Parasitic “perfctl” Cryptomining Malware
* Update Available to Address Flaw in Avast Antivirus for Windows
* T-Mobile to Pay $15.75 Million Fine and Spend the Same on Security
* UK Nuclear Safety Regulator Fines Nuclear Facility Overseer for Cybersecurity Failings
* Stronger OT Security: International Guidance and MITRE EMB3D
* NVD Enrichment Backlog Update
* Taking Down State-Sponsored Threat Actor Domains
Internet Storm Center Tech Corner
Cybersecurity Training Update
SANS Rocky Mountain Fall 2024 | October 21-26
Denver, CO or Live Online (MT)
10 courses
SANS HackFest
Summit: Oct 28-29 | Training: Oct 29 - Nov 4
Hollywood, CA & Live Online
SANS Cyber Defense Initiative(R) 2024 | December 13-18
Washington, DC or Live Online (ET)
40+ courses | 1 Cyber Range
Special offers on OnDemand training available now through October 13
Popular, New & Updated Courses
FOR518: Mac and iOS Forensic Analysis and Incident Response (GIME)
SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
SEC510: Cloud Security Controls and Mitigations (GPCS)
View all Courses
Cybersecurity Awareness Month – Claim Your Free AI Toolkit
Embrace AI’s potential while staying secure. The SANS AI Toolkit helps your workforce capitalize on AI while defending against its
risks.
Free technical content sponsored by SANS
Webcast: SANS 2024 ICS/OT Survey: The State of ICS/OT Cybersecurity | Wednesday, October 9, 10:30 AM ET | SANS Certified
Instructor, Jason Christopher, explores the growing trends in cyber threats, vulnerabilities, and risks across industrial
environments, including actionable recommendations for how organizations can improve their security posture.
Top of the News
Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
(October 2 & 3, 2024)
Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being
actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US
Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog;
Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.
Editor's Note
[Ullrich]
Of course it is exploited. Ivanti vulnerabilities have become common enough that attackers have playbooks for how to
effectively exploit them. If attackers have playbooks to exploit a product, you had better have a playbook to keep it up to date
and to deal with the resulting incidents if you are not up to date.
[Dukes]
One’s strategy shouldn’t be to manage updates depending on whether the vulnerability is being actively exploited. It should be
based on the criticality of the vulnerability (Arbitrary Code Execution). The hot patch should have been applied back in May. For
those that haven’t yet patched, now you may be in a race with a determined adversary – don’t lose.
[Neely]
CVE-2024-29824, an SQL injection vulnerability, has a CVSS score of 9.6 and is due to improper input sanitization of special elements
in a SQL command. The flaw affects Ivanti Endpoint Manager (EPM) up to 2022 SU5. Address the issue by updating your Ivanti EPM to
the latest version.
Read more in:
- forums.ivanti.com: Security Advisory May 2024 (Updated October 2, 2024)
- www.helpnetsecurity.com: Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)
- www.securityweek.com: Ivanti EPM Vulnerability Exploited in the Wild
- thehackernews.com: Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch
- www.cisa.gov: Known Exploited Vulnerabilities Catalog
- nvd.nist.gov: CVE-2024-29824 Detail
Patch Now: Critical Zimbra Flaw in postjournal Is Being Actively Exploited
(September 27 & October 2, 2024)
Zimbra has released an update to address a critical inadequate user input sanitization vulnerability in its postjournal service. The
flaw could be exploited by unauthenticated attackers to execute arbitrary commands on vulnerable installations. The flaw is being
actively exploited and has prompted warnings from Computer Emergency Response Teams (CERTs) in Italy and Latvia, as well as from
multiple threat researchers. Users are urged to install the latest Zimbra update or disable postjournal.
Editor's Note
[Neely]
CVE-2024-45519, an RCE flaw, has a CVSS 3 score of 10.0 and has been added to the NIST KEV catalog with a due date of 10/24/24. The
fix is either to disable postjournal if it is not used, or to update it to the latest version, ensure mynetworks is properly configured to
prevent unauthorized access, and apply all Zimbra updates.
Read more in:
- blog.projectdiscovery.io: Zimbra - Remote Command Execution (CVE-2024-45519)
- x.com: Threat Insight
- wiki.zimbra.com: Zimbra Security Advisories
- www.theregister.com: 'Patch yesterday': Zimbra mail servers under siege through RCE vuln
- therecord.media: Zimbra bug causes alarm among researchers, CERTs after exploitation attempts
- www.scworld.com: Zimbra email platform under active attack, RCE possible
- arstechnica.com: Attackers exploit critical Zimbra vulnerability using cc’d email addresses
- www.helpnetsecurity.com: Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)
- nvd.nist.gov: CVE-2024-45519 Detail
Akamai Researchers Find that CUPS Vulnerabilities Can be Exploited to Launch DDoS Attacks
(October 1, 2, & 3, 2024)
Researchers at Akamai have determined that several of the recently-disclosed vulnerabilities in the Common UNIX Printing System
(CUPS) could be chained to launch distributed denial-of-service (DDoS) attacks. According to Akamai, “Research shows that, to
begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet
connectivity, [and] …it would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the
internet and cost the attacker less than a single US cent on modern hyperscaler platforms.”
Editor's Note
[Ullrich]
This is an interesting exploit vector and longer term, it may have a larger impact than the remote code execution issues.
[Neely]
If you're not using CUPS, don't just disable it, uninstall it so the vulnerable code is removed. If you are using it, apply the
updated fixes to cups-lib. Consider carefully how you're exposing TCP and UDP Port 631 (Internet Printing Protocol).
[Murray]
Simone Margaritelli has been trying for months to get the CUPS developers to acknowledge this vulnerability. Block port 631.
Read more in:
- www.akamai.com: When CUPS Runneth Over: The Threat of DDoS
- therecord.media: Experts warn of DDoS attacks using linux printing vulnerability
- www.helpnetsecurity.com: CUPS vulnerabilities could be abused for DDoS attacks
Sponsored Links
Webcast: General Quarters! The Impact of Cybersecurity on the Maritime Industry | Thursday, October 17, 11:30 ET | In this
webcast, SANS experts will explore the critical role of cybersecurity in safeguarding maritime operations. Save your seat today!
Virtual Event: AI Summit Solutions Track on October 29th | Join us for our upcoming free virtual event to learn how industry
leading technologies and techniques can enhance your ability to examine and analyze incidents like never before using AI. Save
your seat today!
Virtual Event: Fall Cyber Solutions Fest 2024 | Wednesday, November 6 – Friday, November 8 | This free virtual event features 5
tracks ranging from emerging technologies available today to zero trust and threat hunting. Whether you're just starting out in
the world of cyber or are a seasoned pro, these tracks will take your cybersecurity skills to the next level. Save your seat
today!
The Rest of the Week's News
Multiple Flaws Found in DrayTek Vigor Routers
(October 2, 2024)
Researchers at Forescout’s Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated
maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high-severity (between CVSS 7.0 and 8.9),
and three are rated medium-severity. The flaws can be exploited to take control of vulnerable routers and from there steal data,
deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers’ web-based user interface.
While DrayTek warns that the routers’ control panels should be accessible only from local networks, the researchers at Forescout
found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek
Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life
included.
Editor's Note
[Ullrich]
Never ever expose these admin interfaces to the internet. They are all vulnerable. For some of them, the vulnerability just hasn't
been published yet.
[Dukes]
Two things that should drive patch prioritization: 1) the large number of vulnerabilities; and 2) the criticality of the
vulnerabilities. For the first, it gives the evildoer a lot to work with in developing an exploit. For the second, a criticality
of 10.0 effectively means that the router is remotely vulnerable with low complexity. Although we can chastise DrayTek for having
so many vulnerabilities, they at least did the right thing by including patches for end-of-life products.
[Neely]
The DrayTek routers are primarily used by commercial customers; it's important to get these patched to protect their business,
as they provide VPN, firewall, content filtering, VoIP and bandwidth management. Of the 24 impacted models, 11 are EOL. Aside from
updating the firmware, protect the management interface from unauthorized devices and replace EOL devices (the update for EOL devices
only addresses CVE-2024-41592, a buffer overflow in the GetCGI() function, CVSS score 10).
Read more in:
- www.forescout.com: DRAY:BREAK | Breaking Into DrayTek Routers before Threat Actors Do It Again (PDF)
- www.draytek.com: Firmware / Software
- www.theregister.com: 700K+ DrayTek routers are sitting ducks on the internet, open to remote hijacking
- www.scworld.com: 14 DrayTek vulnerabilities patched, including max-severity RCE flaw
- www.securityweek.com: New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking
Fixes Available for Multiple Jenkins Vulnerabilities
(October 2 & 3, 2024)
Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and
CVE-2024-47807) in the OpenID Connect Authentication Plugin are considered high-severity; they involve audience and issuer claim
validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium-severity.
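The issuer and audience checks those plugin fixes concern, shown as an added example rather than the plugin's own code: a relying-party validator for an OIDC ID token that enforces the iss, aud, azp and exp rules of OIDC Core section 3.1.3.7, rejecting tokens minted for a different client or by a different issuer. The issuer URL, client_id and HS256 shared secret are constructed demo values; a production relying party verifies an RS256/ES256 signature against the provider's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not from the Jenkins advisory: the issuer this
# relying party trusts, its own client_id, and a stand-in signing key.
EXPECTED_ISSUER = "https://idp.example.test"
CLIENT_ID = "jenkins-ci"
SHARED_SECRET = b"demo-only-hs256-secret"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT for the demo (a real IdP signs with RS256/ES256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_id_token(token: str, now=None) -> dict:
    """Verify the signature, then iss/aud/azp/exp per OIDC Core 3.1.3.7.
    Returns the claims, or raises ValueError naming the check that failed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose (alg=none, key confusion).
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # Issuer must be exactly the one this client was configured for.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    # Audience may be a string or a list; this client_id must be in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        raise ValueError("audience mismatch")
    # With several audiences (or whenever azp is present) azp must name us.
    azp = claims.get("azp")
    if (len(audiences) > 1 or azp is not None) and azp != CLIENT_ID:
        raise ValueError("azp mismatch")
    # Expiry (no clock-skew allowance in this demo).
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, now=None):
    """None when the token is accepted, otherwise the name of the failed check."""
    try:
        validate_id_token(token, now)
        return None
    except ValueError as err:
        return str(err)
```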
Editor's Note
[Neely]
The three medium-severity flaws could be used to access and decode encrypted credential values, API keys, certificates and secret
files. Check your component product versions, update Jenkins Weekly to 2.479, Jenkins LTS to 2.462.3, Credentials plugin
to 1381.v2c3a_12074da_b_ and OpenID Connect Authentication Plugin to 4.355.v3a_fb_fca_b_96d4. Jenkins advises updating
immediately.
Read more in:
- www.securityweek.com: Jenkins Patches High-Impact Vulnerabilities in Server and Plugins
- securityonline.info: Security Vulnerabilities Uncovered in Jenkins: Immediate Updates Recommended
- www.jenkins.io: Jenkins Security Advisory 2024-10-02
- nvd.nist.gov: CVE-2024-47806 Detail
- nvd.nist.gov: CVE-2024-47807 Detail
Aqua Nautilus Dissects Parasitic “perfctl” Cryptomining Malware
(October 2 & 3, 2024)
On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server,
and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through
"misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache
RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be
idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is
terminated and the original file deleted. Copies of the malware and its elements are named to camouflage as legitimate Linux files
and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once
established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends
"system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching,
restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.
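A process-integrity check that encodes the camouflage behaviour described above (payload run from a temporary directory, original file deleted after launch, names borrowed from legitimate Linux processes), added here as an illustration and not taken from the Aqua Nautilus report. The sample process records and the name lists are constructed; the collect_live() helper reads the same fields from a real Linux /proc.

```python
import os
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    comm: str          # contents of /proc/<pid>/comm, e.g. "sshd" or "kworker/0:1"
    exe: str           # readlink("/proc/<pid>/exe"); "" for kernel threads


# Constructed lists for the demo; a real deployment derives the daemon names
# from the packages installed on the host rather than hard-coding them.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
               "/usr/libexec/", "/usr/local/")
KERNEL_THREAD_NAMES = {"kthreadd", "kworker", "ksoftirqd", "migration"}
SYSTEM_DAEMON_NAMES = {"sshd", "cron", "crond", "systemd", "udevd", "dbus-daemon"}
DELETED_SUFFIX = " (deleted)"


def assess(proc: ProcRecord) -> list:
    """Return the reasons a process looks like a camouflaged payload (empty if none)."""
    findings = []
    unlinked = proc.exe.endswith(DELETED_SUFFIX)
    path = proc.exe[:-len(DELETED_SUFFIX)] if unlinked else proc.exe
    if unlinked:                      # binary removed after launch, still running
        findings.append("executable unlinked after start")
    if path.startswith(TEMP_DIRS):    # payload copied to and run from a temp dir
        findings.append("executing from a temporary directory")
    # Real kernel threads have no exe link at all; a userland binary using
    # a kernel-thread name is borrowing it.
    if proc.comm.split("/")[0] in KERNEL_THREAD_NAMES and proc.exe:
        findings.append("kernel-thread name on a userland process")
    if proc.comm in SYSTEM_DAEMON_NAMES and path and not path.startswith(SYSTEM_DIRS):
        findings.append("system daemon name outside system directories")
    return findings


def scan(records) -> dict:
    """Map pid -> findings for every record that triggered at least one heuristic."""
    return {r.pid: f for r in records if (f := assess(r))}


def collect_live() -> list:
    """Read the same three fields from a live Linux /proc (root sees every exe link)."""
    records = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
        except OSError:               # process exited while we were reading
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:               # kernel thread, or no permission
            exe = ""
        records.append(ProcRecord(int(entry), comm, exe))
    return records


# Constructed sample records (not indicators from the report).
SAMPLE = [
    ProcRecord(412, "sshd", "/usr/sbin/sshd"),                 # legitimate
    ProcRecord(17, "kworker/0:1", ""),                         # real kernel thread
    ProcRecord(2231, "sshd", "/tmp/.x/sshd"),                  # borrowed name, temp dir
    ProcRecord(2240, "perf", "/tmp/.perf.c/perf (deleted)"),   # unlinked, temp dir
    ProcRecord(2250, "kworker/u8:3", "/var/tmp/.k/kworker"),   # fake kernel thread
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

Run as root on a live host, replace SAMPLE with collect_live() to review the current process table; an unlinked executable on its own can also be a legitimately upgraded daemon, so treat that finding as a prompt to check package state rather than as a verdict.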
Read more in:
- www.aquasec.com: perfctl: A Stealthy Malware Targeting Millions of Linux Servers
- thehackernews.com: New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking
- www.bleepingcomputer.com: Linux malware “perfctl” behind years-long cryptomining campaign
- www.darkreading.com: Near-'perfctl' Fileless Malware Targets Millions of Linux Servers
Update Available to Address Flaw in Avast Antivirus for Windows
(October 3, 2024)
A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The
high-severity race-condition flaw (CVE-2024-5102) exists in the “Repair” feature of Avast Antivirus for Windows versions older
than 24.2. Users are urged to ensure they are running the most recent version of the product.
Editor's Note
[Neely]
Flaws in your endpoint protection solution should be rapidly addressed regardless of score. The flaw stems from how the repair
function handles symbolic links; an attacker can manipulate those links to have it delete or recreate arbitrary files as well as
execute code with system privileges. The root cause is improper link resolution before file access and improper validation of
input.
Read more in:
- securityonline.info: CVE-2024-5102: Avast Antivirus Flaw Could Allow Hackers to Delete Files and Run Code as SYSTEM
- support.norton.com: Norton Security Advisories
- nvd.nist.gov: CVE-2024-5102 Detail
T-Mobile to Pay $15.75 Million Fine and Spend the Same on Security
(October 2 & 3, 2024)
A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal
Communications Commission. The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to
determine the company's culpability per the Communications Act of 1934; the act "expects telecommunications carriers to take
'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft
and release of millions of customers’ "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and
service plan details. Half of the $31.5 million settlement will be paid as civil penalty to the US Treasury, and the other half
must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building
zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.
Editor's Note
[Neely]
While T-Mobile has had as many as 7 breaches over the last five years, this settlement covers the last four (since 2021). You may
recall in 2021 things kicked off with an attacker stealing personal and device related information, including PINs, for 76.6
million current, former, and prospective T-Mobile customers. The good news is that the FCC is actively raising the bar, requiring
breach notifications, stating "Consumers’ data is too important and much too sensitive to receive anything less than the best
cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that
they need to beef up their systems or there will be consequences." The hard part, if you're a T-Mobile customer, is deciding if
you can survive until the changes are made or if you should switch to AT&T, Sprint or Verizon who have had other issues of late.
[Dukes]
The FCC is increasingly holding organizations accountable for not exhibiting a standard of reasonableness when it comes to
protecting consumer information. This is the latest installment. For companies wishing to stay out of the FCC's or the judicial
branch's crosshairs, the Center for Internet Security recently published a ‘Guide to Defining Reasonable Cybersecurity’ that specifies what
must be done to meet the standard of reasonable cybersecurity.
Read more in:
- www.theregister.com: T-Mobile US to cough up $31.5M after that long string of security SNAFUs
- docs.fcc.gov: DA 24-860 (PDF)
- docs.fcc.gov: FCC Reaches Multi-Million Dollar Settlement of Investigations Into T-Mobile Data Breaches With Significant
Improvements to Company’s Cybersecurity (PDF)
- : T-Mobile pays $16 million fine for three years’ worth of data breaches
UK Nuclear Safety Regulator Fines Nuclear Facility Overseer for Cybersecurity Failings
(October 3, 2024)
The UK’s Office for Nuclear Regulation (ONR) has fined nuclear waste processing firm Sellafield Ltd £332,500 (436,439 USD) for
issues with “management of the security around its information technology systems between 2019 to 2023 and its breaches of the
Nuclear Industries Security Regulations 2003.” An investigation determined that Sellafield’s IT systems could have allowed
unauthorized access and data loss. The Chief Magistrate presiding in court earlier this week also fined Sellafield £53,253 (69,900
USD) to cover costs associated with the prosecution.
Editor's Note
[Dukes]
Another example of the standard ‘duty of care’ being applied by the judicial system to an organization. Besides the monetary fine,
the settlement typically requires the organization to apply additional security controls and submit annual risk management reports
on the state of its cybersecurity program. You can get ahead of this by implementing and measuring yourself against one of several
well-known cybersecurity frameworks: NIST CSF, ISO 27001, and the CIS Critical Security Controls.
Read more in:
- onr.org.uk: Sellafield Ltd fined £332,500 for cyber security shortfalls
- : Sellafield Fines by Regulator of Cybersecurity Policy Failings
- www.theguardian.com: Sellafield ordered to pay nearly £400,000 over cybersecurity failings
- www.bbc.com: Sellafield fined for cyber security breaches
- therecord.media: Sellafield, UK’s largest nuclear site, fined £330,000 for cybersecurity failings
- www.reuters.com: UK's nuclear waste unit Sellafield fined for cybersecurity failings
Stronger OT Security: International Guidance and MITRE EMB3D
(October 2, 2024)
A new publication of joint guidance from security organizations in Australia, Canada, Germany, Japan, Korea, New Zealand, the US,
and the UK outlines core principles for maintaining security in Operational Technology (OT). OT systems are “vital services;” they
are also complex, diverse, and difficult to change, making security difficult to assess. The document emphasizes checking
decisions against six principles: 1. “Safety is paramount,” specifically physical safety of human beings; 2. “Knowledge of the
business is crucial ... Top-down thinking has historically led many organisations to seek to separate OT from IT;" 3. “OT data is
extremely valuable and needs to be protected;” 4. “Segment and segregate OT from all other networks;” 5. “The supply chain must be
secure;” and 6. “People are essential for OT cyber security.” Within days of this guidance, MITRE fully published EMB3D: a “living
framework” for linking device properties to threats and mitigations in OT as well as IoT, automotive, healthcare, and other
applications. The framework is informed by major vulnerability enumerations, and the mitigations are "mapped to the security
controls" from the International Society of Automation and International Electrotechnical Commission's ISA/IEC 62443 Series of
Standards.
Editor's Note
[Murray]
Flat networks continue to be problematic everywhere but exposing OT to the public networks is reckless.
Read more in:
- www.securityweek.com: US, Allies Release Guidance on Securing OT Environments
- www.cyber.gov.au: Principles of operational technology cyber security
- www.securityweek.com: MITRE Adds Mitigations to EMB3D Threat Model
- emb3d.mitre.org: The MITRE EMB3D Threat Model
- emb3d.mitre.org: Whitepaper: The EMB3D Threat Model for Embedded Devices (PDF)
NVD Enrichment Backlog Update
(September 30 & October 2, 2024)
The US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) is still showing a
significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal
information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in
February 2024. In May, NIST hired a third-party consultant to help with the backlog.
Editor's Note
[Neely]
The trend is moving in the right direction: as of September 21, 72.4% of CVEs were not analyzed compared to 93.4% in May. NIST
missed their self-imposed deadline of September 30th to clear the backlog; it's not clear what it'll take to clear it, as well as
to thwart efforts to create alternates to the NIST vulnerability repositories.
[Murray]
One can only love the characterization of "significant enrichment backlog." They have had a broken system for months.
Read more in:
- nvd.nist.gov: NVD Dashboard
- vulncheck.com: Danger is Still Lurking in the NVD Backlog
- nvd.nist.gov: CVEs and the NVD Process
- www.theregister.com: NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great
Taking Down State-Sponsored Threat Actor Domains
(October 3, 2024)
The US Justice Department (DoJ) has unsealed a warrant that authorized the seizure of more than 100 domains associated with
cyberthreat actors with ties to Russia’s government. The domains have been used to conduct computer fraud and other abuses in the
US. A civil lawsuit filed by Microsoft and the NGO Information Sharing and Analysis Center (NGO-ISAC) sought the seizure of 66
domains; the DoJ seized an additional 41 domains.
Editor's Note
[Dukes]
While the work of government and the private sector is applauded, two areas need additional focus: 1) the speed in moving from
detection of criminal domains to their seizure; and 2) detection of new criminal domains. For the first, it appears it took
upwards of a year to seize the domains identified as supporting criminal activity. For the second, global collaboration and
information sharing is needed. Let’s celebrate the win and continue the fight against cyber criminals.
Read more in:
- blogs.microsoft.com: Protecting Democratic Institutions from Cyber Threats
- www.justice.gov: Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts
- www.nextgov.com: DOJ, Microsoft disrupt Russian hackers targeting civil society orgs
- cyberscoop.com: DOJ, Microsoft seize more than 100 domains used by the FSB
- www.securityweek.com: Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group
Internet Storm Center Tech Corner
Hurricane Helene Aftermath - Cyber Security Awareness Month
Security Related Docker Containers
Kickstart Your DShield Honeypot
SANS Munich (free Community Night Tuesday October 15th)
CeranaKeeper Use of Cloud Services
Optigo Spectra Vulnerabilities
Pixel Addressing Vulnerabilities in Cellular Modems
CUPS DDoS Attack
Draytek Vulnerabilities
Zimbra - Remote Command Execution (CVE-2024-45519)
Enhancing the security of Microsoft Edge extensions with the new Publish API
CVE-2024-36435 Deep-Dive: The Year’s Most Critical BMC Security Flaw
The Editorial Board of SANS NewsBites
Brian Honan
Curt Dukes
Chris Elgee
David Hoelzer
Ed Skoudis
Gal Shpantzer
Jake Williams
Dr. Johannes Ullrich
John Pescatore
Josh Wright
Kathy Bradford
Lance Spitzner
Lee Neely
Mark Weatherford
Moses Frost
Suzanne Vautrinot
William Hugh Murray
SANS Institute
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852