The Saga Continues – PSW #846
Get ready for a wild ride in this week's podcast episode, where we dive into the latest security shenanigans!
- Default Credentials Gone Wild: We’ll kick things off with a look at how default credential scanners are like that friend who shows up to the party but never brings snacks. They're everywhere, but good luck finding one that actually works!
- Critical Vulnerabilities in Tank Gauges: Next, we’ll discuss how automated tank gauges are now the new playground for hackers. With vulnerabilities that could lead to environmental disasters, it’s like giving a toddler a box of matches—what could possibly go wrong?
- Cisco Routers: The Forgotten Gear: Cisco's small business routers are like that old car in your driveway—still running but definitely not roadworthy. We’ll explore why you should check your network before it becomes a digital junkyard.
- Firmware Updates: A Love Story: Richard Hughes has dropped some juicy updates on fwupd 2.0.0, making firmware updates as easy as ordering takeout. But let’s be real, how many of us actually do it?
- Stealthy Linux Malware: We’ll also uncover Perfctl, the stealthy malware that’s been creeping around Linux systems since 2021. It’s like that one relative who overstays their welcome—hard to get rid of and always looking to borrow money!
- PrintNightmare Continues: And yes, the PrintNightmare saga is still haunting Windows users. It’s like a horror movie that just won’t end—grab your popcorn!
- Cyber Shenanigans at Comcast and Truist: We'll wrap up with a juicy breach involving Comcast and Truist Bank that compromised data for millions. Spoiler alert: they didn’t have a great plan for cleaning up the mess.
Tune in for all this and more as we navigate the wild world of security news with a wink and a nudge!
- 1. GitHub – x90skysn3k/brutespray: Bruteforcing from various scanner output – Automatically attempts default creds on found services.
Default credential scanners are pretty common; some projects are really old, and some are being actively maintained. Commercial scanners test for default credentials, but I find coverage spotty and not kept up-to-date. Some scanners only support basic tasks, such as finding a target and trying ALL default credentials. There are better ways to do this, but I believe that coverage for default credentials is pretty weak in most security programs. Ideally, this is a constantly running process, both internal and external.
- 2. Critical Vulnerabilities Discovered in Automated Tank Gauge Systems
This story sounds familiar. It seems when security researchers take a look at something, there is a statement that reads like this article: "Recent investigation by Bitsight TRACE has discovered multiple critical 0-day vulnerabilities across six ATG systems from five different vendors. These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses. What’s even more concerning is that, besides multiple warnings in the past, thousands of ATGs are still currently online and directly accessible over the Internet, making them prime targets for cyberattacks, especially in sabotage or cyberwarfare scenarios." - Also, this article goes into great detail complete with videos of "magic smoke".
- 3. Privilege Escalation and Remote Code Execution Threaten Cisco Routers: No Updates Available
First, the new vulnerabilities are not all that critical, as an attacker requires at least a guest account to get started. The first vulnerability allows an attacker to escalate from guest-level privileges to admin-level privileges. The second vulnerability allows an admin-level user to execute arbitrary code as root. The combination of the two is exciting. I'm unsure of Cisco's strategy for the small business line of routers and switches. They don't want to push them in the sales cycle as the margins are higher on enterprise gear. They also do not seem to want to support them, as they quickly push the small business line to end-of-support. This means we don't get fixes for the vulnerabilities, as is the case with the recently disclosed vulnerabilities. Do you have this gear on your network? Before you answer that, have you looked? It's easy for large enterprises to state, "We don't have that," but then not even look for it! I bet this gear exists in your network, perhaps from a small branch office or through an acquisition. I advise looking for it and then replacing it immediately, as this line of gear has a long history of vulnerabilities and exploits that never got fixed by a software update because Cisco never released patches.
- 4. fwupd 2.0.0 and new tricks – Technical Blog of Richard Hughes
Tons of new updates for fwupd came out this week. There is support for more hardware and several improvements that allow fwupd to check for and update firmware more efficiently. Lots of details in Richard's post for those who want the deep technical details. Per usual, the distros are slow to add new versions. If you run Linux, this is must-have software. I add the following two lines to my update script:
- fwupdmgr refresh
- fwupdmgr get-updates
I really need to clean up this script and release it. I created it to update Manjaro/Arch systems: it will update the mirror list, update all packages, update firmware via LVFS, and has some other Arch Linux-specific things for updating via pacman and re-building Python packages when the Python version for the platform is updated.
- 5. Reverse Engineering and Dismantling Kekz Headphones
This is an incredibly detailed post on reverse engineering this particular brand of headphones that allows offline listening via NFC-enabled "cookies" that are placed in the headphones. The location tracking was very interesting, as well as the routes taken to decrypt the NFC communications.
- 6. Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone
This is the best tutorial I've seen that documents how to do this. However, I am not particularly fond of controlling a Kali Linux instance via my smartphone. I get the use case, but I find it clunky and weird. I prefer a smaller laptop, perhaps an RPI with a screen, or a separate device that I can use my laptop to interact with to get a proper keyboard and screen. I will build this project at some point to check it out again.
- 7. Thousands of Linux systems infected by stealthy malware since 2021
A stealthy and persistent malware called Perfctl has infected thousands of Linux systems since 2021. It exploits numerous misconfigurations and vulnerabilities, employs advanced evasion techniques, and primarily uses infected machines for cryptocurrency mining and as proxies. The malware's sophistication and ability to persist through reboots and removal attempts make it a significant threat to Linux servers worldwide. This malware uses all sorts of living-off-the-land techniques to hide and persist across reboots, but does not embed itself in the kernel as far as I can tell, nor does it dig into the bootloader/EFI partition to persist. I'm not entirely certain why, since if malware can escalate, the kernel is a great place to hide (though it would have to keep hooking future kernels when the system is updated). While I can think of better ways to do this on Linux, the current strategy seems to be working, showcasing just how little attention folks are paying to Linux systems when it comes to threat detection and EDR. I have seen great companies doing Linux security, though one I researched has gone out of business, and the other was acquired.
- 8. The PrintNightmare is not Over Yet
The article discusses ongoing security vulnerabilities in Windows printing systems, specifically the Print Spooler service. It explains that despite Microsoft's efforts to patch these issues, new vulnerabilities continue to emerge, potentially allowing attackers to gain elevated privileges on Windows systems. Turns out CUPS isn't the only printing subsystem that has vulnerabilities.
- 1. FBCS Breach Compromised Comcast and Truist Bank Customer Data
In a supplemental filing with the Office of the Maine Attorney General, Comcast says that the Financial Business and Consumer Solutions (FBCS) breach in February of this year compromised data belonging to more than 237,000 Comcast customers. Initially, FBCS said that Comcast customer data were not affected, but in July, FBCS notified Comcast that their customer data were compromised. Truist Bank recently notified customers that their data may also have been compromised in the FBCS breach. The total number of individuals affected by the FBCS breach is estimated to exceed four million.
FBCS is a debt collector, initially reporting a compromise in March. In July they recanted, saying that as many as 4 million records were compromised. Comcast stopped using the service in 2020; however, they didn't take steps to ensure their data was removed from FBCS systems. FBCS is claiming they are financially unable to bear the cost of identity monitoring/credit restoration services, so it falls to their customers, Comcast, CF Medical, etc., to pay for this. Make sure that you have procedures for clearing (and verifying) data on third-party service providers, as well as an understanding of where liability falls should they have a breach with limited financial solvency.
- 2. American Water Works Compromise
In an 8-K form filed with the SEC on October 7, 2024, the American Water Works Company disclosed a cyberattack described as "unauthorized activity within its computer networks." The company – whose services cover approximately 14 million people – states that no drinking water or wastewater plants have been affected, but the customer account system, bill payment portal, and call center are offline. Reported mitigation efforts include "disconnecting or deactivating" systems, and consulting "third-party cybersecurity experts." At just over two weeks after a cyberattack on a Kansas water treatment facility, this is the latest in a series of attacks on US water plants, coinciding with EPA and legislative efforts to shore up "critical cybersecurity vulnerabilities" in the largely non-compliant industry.
American Water has published an FAQ on impacted services (https://amwater.com/corp/security-faq) and promises to update their home page as things change. It's not easy to find those updates; they are on their essential services page with a link back to the FAQ. On a positive note, while the billing system is offline, customers will not be assessed late fees or have service disconnected. One hopes customers will be notified when the system is back online. When you're doing notification, consider making things more easily found.
- 3. Data Protection Commission is Investigating Ryanair’s Customer Verification Process GDPR Compliance
Ireland’s Data Protection Commission (DPC) is investigating Ryanair’s processing of customer personal data. Specifically, the DPC has received complaints from people that Ryanair is demanding extra data from customers who book flights through travel agencies or third-party websites. In some cases, the extra information demanded includes biometric data. The investigation is focusing on whether Ryanair’s methods of gathering and holding the data comply with the General Data Protection Regulation (GDPR).
Ryanair, famous for its low-cost, no-frills, everything-extra flights, has historically resisted efforts by third parties to sell its flights, and implemented the added ID validation as a deterrent and as protection for consumers from unauthorized online travel agents who may be overcharging or scamming customers. The process has drawn numerous complaints. The issue here isn't addressing those concerns; rather, the focus is on how Ryanair is protecting and disclosing the gathered ID/biometric data in this process, particularly in cross-border scenarios. If you're processing data covered by the GDPR, double down on making sure you're following all of the requirements to avoid undue scrutiny by the DPC.
- 4. iOS 18.0.1 and iPadOS 18.0.1 address two flaws
A "logic issue" in the VoiceOver screen reader (CVE-2024-44204) and a bug in the Media Session component (CVE-2024-44207) were both patched by Apple's release of iOS and iPadOS 18.0.1. The VoiceOver flaw allowed the accessibility feature to read aloud a user's saved passwords; the Media Session issue allowed the Messages app to record "a few seconds of audio before the microphone indicator is activated" when creating an audio message. Both CVSS base scores are rated medium.
We may have caught a break in that Apple is not indicating these flaws are being actively exploited. The Media Session flaw is specific to the iPhone 16, while CVE-2024-44204, the VoiceOver flaw, affects all devices running iOS 18 and has a CVSS 3.1 score of 5.5. It's a good idea to push iOS/iPadOS 18.0.1 to all your devices running version 18.0.
- 5. How Cloudflare auto-mitigated a world record 3.8 Tbps DDoS attack
A blog post from Cloudflare reports that during September 2024, their protection systems mitigated a campaign of over 100 hyper-volumetric L3/4 DDoS attacks, the largest of which reached an unprecedented 3.8 terabits per second (Tbps) and 2.14 billion packets per second (Pps). Cloudflare indicates that the attack targeted their customers in the "financial services, Internet, and telecommunication industries." The attack was likely carried out by a botnet comprising "MikroTik devices, DVRs, and Web servers," as well as ASUS home routers exploited through a critical authentication bypass vulnerability (CVE-2024-3080, CVSS 9.8).
Those flaws on SOHO routers continue to be exploited to build botnets with amazing impact. Make sure that you're not exposing management interfaces, keep the firmware updated, and replace EOL devices proactively. These things can be hard for home users, and while plans for certified devices which are born secure and default to automatic updates continue to evolve, the hard part will likely remain the challenge of getting folks to replace a device which "works perfectly." That is a challenge for us to convey to our friends and family when they call for help.
- 6. Okta Classic Application Sign-On Policy Bypass
Okta has identified and resolved a vulnerability in Okta Classic that could have been exploited to bypass sign-on policies and gain unauthorized access to applications. The vulnerability was introduced in the July 17, 2024 release of Okta Classic, and has been resolved in the Okta production environment since October 4, 2024. Okta recommends that users “review the Okta System Log for unexpected authentications from user-agents evaluated by Okta as 'unknown' between July 17, 2024 and October 4, 2024.” Okta provides details about how to perform the review in their advisory.
The vulnerability only existed in certain configurations of Okta Classic; even so, you should check your logs for possible exploitation, particularly authentications from unusual locations, IPs or times of day, using the following query: outcome.result eq "SUCCESS" and (client.device eq "Unknown" OR client.device eq "unknown") and eventType eq "user.authentication.sso". While the vulnerability was introduced on July 17th, it wasn't identified until September 27th, and it was rapidly addressed with a tested patch in production 8 days later.
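To make that review repeatable, here is an added example (not Okta's tooling) that applies the advisory's query to an exported System Log, restricts it to the July 17 to October 4 window, and groups the hits per user so odd source IPs, countries and hours of day stand out. The sample events, user names and IP addresses are constructed; only the field names follow the System Log schema.

```python
"""Hunt for the Okta Classic sign-on policy bypass in System Log exports.

Added example, not Okta's tooling: applies the advisory's query
(outcome.result eq "SUCCESS", client.device eq "Unknown"/"unknown",
eventType eq "user.authentication.sso") to exported events, limits them
to the vulnerable window and groups hits per user for review.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_START = datetime(2024, 7, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 4, 23, 59, 59, tzinfo=timezone.utc)
UNKNOWN_DEVICE = ("Unknown", "unknown")  # exactly the two values the query names

# Constructed sample export: field names follow the System Log schema,
# the users, IPs (documentation ranges) and countries are made up.
SAMPLE_EXPORT = json.dumps([
    {"published": "2024-08-02T03:14:07.123Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"device": "Unknown", "ipAddress": "203.0.113.7", "geographicalContext": {"country": "Brazil"}}},
    {"published": "2024-08-02T09:01:44.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"device": "Computer", "ipAddress": "198.51.100.4", "geographicalContext": {"country": "United States"}}},
    {"published": "2024-08-03T11:22:05.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "carol@example.com"},
     "client": {"device": "Unknown", "ipAddress": "192.0.2.9", "geographicalContext": {"country": "Germany"}}},
    {"published": "2024-06-01T08:00:00.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"device": "unknown", "ipAddress": "198.51.100.23", "geographicalContext": {"country": "United States"}}},
    {"published": "2024-09-30T14:02:11.000Z", "eventType": "user.authentication.sso",
     "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"device": "unknown", "ipAddress": "198.51.100.23", "geographicalContext": {"country": "United States"}}},
])


def load_events(export_text):
    """Parse a JSON array of System Log events (the /api/v1/logs shape)."""
    return json.loads(export_text)


def matches_bypass_query(event):
    """Exact translation of the advisory's filter expression."""
    return (event.get("outcome", {}).get("result") == "SUCCESS"
            and event.get("client", {}).get("device") in UNKNOWN_DEVICE
            and event.get("eventType") == "user.authentication.sso")


def published_at(event):
    """System Log timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def hunt(events):
    """Return the matching events that fall inside the vulnerable window."""
    hits = []
    for event in events:
        if not matches_bypass_query(event):
            continue
        when = published_at(event)
        if not WINDOW_START <= when <= WINDOW_END:
            continue  # matches the query but predates the vulnerable release
        client = event.get("client", {})
        hits.append({
            "when": when,
            "actor": event.get("actor", {}).get("alternateId"),
            "ip": client.get("ipAddress"),
            "country": client.get("geographicalContext", {}).get("country"),
        })
    return hits


def summarize_by_actor(hits):
    """Group hits per user as (ip, country, hour-of-day) tuples for review."""
    summary = defaultdict(list)
    for hit in hits:
        summary[hit["actor"]].append((hit["ip"], hit["country"], hit["when"].hour))
    return dict(summary)
```

Feed it a real export by replacing SAMPLE_EXPORT with the JSON returned by your System Log query; the per-user summary is what you then compare against each user's normal locations and working hours.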
- 7. Reports: China hacked Verizon and AT&T, may have accessed US wiretap systems
According to a report in The Wall Street Journal, a threat actor group with ties to China's government has broken into the networks of several US broadband providers. Known as Salt Typhoon, the group may have accessed systems used for court-authorized wiretaps. The breached companies include Verizon, AT&T, and Lumen/CenturyLink. The incident is being investigated by the FBI, U.S. intelligence agencies and the Department of Homeland Security.
The attack vector used by Salt Typhoon/Ghost Emperor in this case is unknown. In the past they have been known to obtain initial access through flaws like the Exchange ProxyLogon vulnerability, then leverage a custom backdoor, SparrowDoor, a customized Mimikatz, and a rootkit known as Demodex. Make sure that any remaining on-premises Exchange servers are fully patched, and reach back to your team to make sure that MFA is required on your Internet-facing services.
- 8. NVD Enrichment Backlog Update
The US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) is still showing a significant enrichment backlog. What this means is that while new CVEs appear in the NVD, some currently offer only minimal information instead of an organized aggregation of publicly available data about the vulnerability. The backlog issue began in February 2024. In May, NIST hired a third-party consultant to help with the backlog.
The trend is moving in the right direction: as of September 21, 72.4% of CVEs were not analyzed, compared to 93.4% in May. While NIST missed their self-imposed deadline of September 30th to clear the backlog, it's not clear what it'll take to clear it, as well as to thwart efforts to create alternatives to the NIST vulnerability repositories.
- 9. perfctl: A Stealthy Malware Targeting Millions of Linux Servers
On October 3, 2024, Aqua Nautilus published analysis of the "perfctl" malware, which researchers discovered on a honeypot server, and whose effects have been observed on Linux servers worldwide for three years. The malware breaches systems through "misconfigurations or exposed secrets," often exploiting two known, patched vulnerabilities: CVE-2023-33246, affecting Apache RocketMQ 5.1.0 and older, and CVE-2021-4034, a flaw in Polkit. The attack is "elusive and persistent," waiting for a server to be idle: an obfuscated payload is downloaded, executed, copied into a directory for temporary files, then the original process is terminated and the original file deleted. Copies of the malware and its elements are named to camouflage as legitimate Linux files and processes, embedding themselves in the target server with rootkits and "trojanized versions" of normal utilities. Once established, the malware begins cryptomining and in some cases proxyjacking to sell unused bandwidth. Aqua Nautilus recommends "system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation" via patching, restricting file execution, disabling unused services, implementing strict privilege management, and segmenting networks.
- 10. Norton Security Advisories
A vulnerability in Avast Antivirus for Windows could be exploited to gain elevated privileges on unpatched systems. The high-severity race-condition flaw (CVE-2024-5102) exists in the “Repair” feature of Avast Antivirus for Windows versions older than 24.2. Users are urged to ensure they are running the most recent version of the product.
CVE-2024-5102 has a CVSS 4 score of 7.3; even so, flaws in your endpoint protection solution should be rapidly addressed regardless of score. The flaw stems from how the repair function handles symbolic links: an attacker can manipulate those links to have it delete or recreate arbitrary files, as well as execute code with system privileges. The root cause is improper link resolution before file access and improper validation of input.
- 11. Jenkins Security Advisory 2024-10-02
Jenkins has released updates to address five vulnerabilities in multiple products. A pair of vulnerabilities (CVE-2024-47806 and CVE-2024-47807) in the OpenId Connect Authentication Plugin are considered high-severity; they involve audience and issuer claim validation and could be exploited to gain elevated privileges. The other three vulnerabilities are considered medium-severity.
CVE-2024-47806 has a CVSS 3 score of 8.2, while CVE-2024-47807 has a CVSS 3 score of 8.1; both are authentication flaws which fail to validate claims in ID tokens. While the other three flaws are medium, they could be used to access and decode encrypted credential values, API keys, certificates and secret files. Check your component product versions, and update Jenkins Weekly to 2.479, Jenkins LTS to 2.462.3, the Credentials plugin to 1381.v2c3a12074dab_ and the OpenID Connect Authentication Plugin to 4.355.v3afbfcab96d4. Jenkins advises updating immediately.
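Since both high-severity flaws come down to unvalidated ID token claims, here is an added example (not the Jenkins plugin's code) of the issuer and audience checks OpenID Connect Core requires of a relying party, written as a stand-alone validator. It assumes the token's signature has already been verified by the OIDC library in use; the issuer URL, client ids and timestamps in the sample claims are constructed.

```python
"""Issuer and audience claim validation for OpenID Connect ID tokens.

Added example, not the Jenkins plugin's code. A signature only proves
which key signed the token; the relying party must still confirm the
token came from the provider it trusts (iss) and was minted for this
client (aud), or a token for another application at the same provider
would log a user in. Signature verification is assumed to be done already.
"""
import time


class IdTokenError(ValueError):
    """Raised when an ID token's claims must not be accepted."""


def validate_id_token_claims(claims, expected_issuer, client_id,
                             expected_nonce=None, now=None, leeway=60):
    """Return the claims if they pass the OpenID Connect Core checks.

    Issuer and audience are compared exactly; a multi-audience token must
    also name this client in azp (authorized party); expiry allows skew.
    """
    now = time.time() if now is None else now

    issuer = claims.get("iss")
    if issuer != expected_issuer:
        raise IdTokenError(f"issuer {issuer!r} is not the trusted provider")

    audience = claims.get("aud")  # a string or a list of strings per the spec
    audiences = [audience] if isinstance(audience, str) else list(audience or [])
    if client_id not in audiences:
        raise IdTokenError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multi-audience token lacks matching azp")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("token is expired or has no exp claim")

    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce does not match this login attempt")

    return claims


# Constructed sample claims: issuer URL, client ids and times are made up.
TRUSTED_ISSUER = "https://idp.example.com/"
THIS_CLIENT = "jenkins-ci"
NOW = 1_728_000_000  # fixed "current time" so the example is deterministic

GOOD_CLAIMS = {"iss": TRUSTED_ISSUER, "aud": THIS_CLIENT, "sub": "alice",
               "exp": NOW + 300, "iat": NOW - 10, "nonce": "n-1"}
# Legitimately signed by the same IdP, but minted for a different application.
OTHER_APP_CLAIMS = dict(GOOD_CLAIMS, aud="wiki")
# Legitimately signed, but by an issuer this Jenkins does not trust.
OTHER_IDP_CLAIMS = dict(GOOD_CLAIMS, iss="https://other-idp.example.net/")


def verdict(claims, expected_nonce="n-1"):
    """Helper returning "ok" or the rejection reason instead of raising."""
    try:
        validate_id_token_claims(claims, TRUSTED_ISSUER, THIS_CLIENT,
                                 expected_nonce=expected_nonce, now=NOW)
        return "ok"
    except IdTokenError as err:
        return str(err)
```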
- 12. Ivanti: Known Endpoint Manager Vulnerability is Being Actively Exploited
Earlier this week, Ivanti updated a May advisory to note that one of the vulnerabilities it addresses (CVE-2024-29824) is being actively exploited. CVE-2024-29824 is a critical SQL-injection vulnerability affecting Ivanti Endpoint Manager. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to their Known Exploited Vulnerabilities (KEV) catalog; Federal Civilian Executive Branch (FCEB) agencies are expected to address the issue by October 23.
CVE-2024-29824, a SQL injection vulnerability, has a CVSS score of 9.6 and is due to improper input sanitization of special elements in a SQL command. The flaw affects Ivanti Endpoint Manager (EPM) up to 2022 SU5. Address the issue by updating your Ivanti EPM to the latest version.
- 13. T-Mobile US agrees to $31.5M settlement after IT breaches
A court order released on September 30, 2024, approves a Consent Decree settling legal action against T-Mobile by the Federal Communications Commission. The FCC had been investigating T-Mobile after four major data breaches between 2021 and 2023, aiming to determine the company's culpability per the Communications Act of 1934; the act "expects telecommunications carriers to take 'every reasonable precaution' to protect their customers' proprietary or personal information." The breaches resulted in the theft and release of millions of customers’ "names, addresses, dates of birth, Social Security numbers, driver's license numbers," and service plan details. Half of the $31.5 million settlement will be paid as civil penalty to the US Treasury, and the other half must be spent to "address foundational security flaws" within two years: applying secure authentication practices, building zero-trust architecture, improving data hygiene, and arranging for third-party assessments, among other measures.
The fine plus the mandated spend on cyber improvements is about $31.5 million. While T-Mobile has had as many as 7 breaches over the last five years, this settlement covers the last four (since 2021). You may recall that in 2021 things kicked off with an attacker stealing personal and device-related information, including PINs, for 76.6 million current, former and prospective T-Mobile customers. The good news is that the FCC is actively raising the bar, requiring breach notifications and stating, "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections. We will continue to send a strong message to providers entrusted with this delicate information that they need to beef up their systems or there will be consequences." The hard part, if you're a T-Mobile customer, is deciding if you can survive until the changes are made or if you should switch to AT&T, Sprint or Verizon, which have had other issues of late.
- 14. Multiple Flaws Found in DrayTek Vigor Routers
Researchers at Forescout's Vedere Labs identified 14 security issues affecting DrayTek Vigor routers. One of the flaws is rated maximum severity (CVSS 10.0) and a second is rated critical (CVSS 9.1). Nine are rated high-severity (between CVSS 7.0 and 8.9), and three are rated medium-severity. The flaws can be exploited to take control of vulnerable routers and from there, steal data, deploy malware, and launch denial-of-service attacks. Most of the vulnerabilities affect the routers' web-based user interface. While DrayTek warns that the routers' control panels should be accessible only from local networks, the Forescout researchers found more than 700,000 devices had their web interfaces exposed to the public Internet. The flaws affect 24 models of DrayTek Vigor routers, some of which are no longer supported. DrayTek has made patches available for all affected models, end-of-life included.
Researchers identified over 700,000 DrayTek routers in 168 countries. These are primarily used by commercial customers, providing VPN, firewall, content filtering, VoIP and bandwidth management, so it's important to get them patched to protect those businesses. Of the 24 impacted models, 11 are EOL. Aside from updating the firmware, protect the management interface from unauthorized devices and replace EOL devices (the update for EOL devices only addresses CVE-2024-41592, a buffer overflow in the GetCGI() function, CVSS score 10).