No Paul? We got this! – PSW #854
In the security news, the crew (minus Paul) get together to discuss hacks causing disruptions in healthcare, donuts and vodka; router and OpenWRT hacks (and the two are not related); Salt/Volt Typhoon meaning no more texting; 10-year-old vulnerabilities; and more!
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Hosts
- 1. FBI tells iPhone and Android users to stop texting each other amid major security breach
Does anybody even text anymore???
- 2. Security Breach: AI Is Making Data Your Most Vulnerable Attack Surface
We used to call data the target of the attacks. Not sure I agree with the re-labeling.
- 3. Krispy Kreme Says Cybersecurity Breach Disrupts Digital Orders
Mmmmmmmmmmm....donuts! Trying to determine if this is a Magecart-type attack, but have not found any detailed discussion yet.
- 4. ABC Legal Services Announces Data Breach Following August 2024 “Data Security Incident”
- 5. Warning issued for 10-year-old vulnerability, security leaders discuss
I feel like we had this conversation recently about dealing with old vulnerabilities/supporting old systems, etc., then you have this reporting. Patch. Update. Replace.
- 6. Security breach at Mass. hospital may have exposed data of hundreds of thousands of patients
Note: This is a developing, year-old story.
- 1. Hackers Weaponize Visual Studio Code Remote Tunnels for Cyber Espionage
- 2. (26) Marcel (Skip) on X: “@PhillipWylie @DHAhole @misstennisha @intigriti @zbraiterman @thejonmccoy @BentleyAudrey @Jhaddix @DanielMiessler @jeff_foley @bishopfox @C0d3Cr4zy @caseyjohnellis @MrJeffMan @SW_Samii @0xTib3rius @OliviaGalluccii @rana__khalil @Infosecpat @J3ssa @luizfernandorg @ethicalhacker @irawinkler @CyberWarriorSt1 @ebelardo73 @NahamSec @HackingDave @MeterPeter4Eva @corewarrior @Masonhck3571 @Gabrielle_BGB @jeffmcjunkin @4n6lady @infinitelogins @runcmd_ @seclilc @securibee @hashi
- 3. Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
- 4. Abusing Git branch names to compromise a PyPI package [LWN.net]
- 5. URL File NTLM Hash Disclosure Vulnerability (0day) – and Free Micropatches for it
- 6. Russia’s Military Found a Surprisingly Simple Way to Buy US Chips
- 7. Thomas E. Kurtz, a Creator of BASIC Computer Language, Dies at 96
- 8. Vodka maker Stoli says August ransomware attack contributed to bankruptcy filing
- 9. Making Sense Of Real-Time Operating Systems In 2024
- 10. Critical flaw in Cleo file-transfer software is under mass exploitation
- 11. Patch Tuesday, December 2024 Edition – Krebs on Security
- 1. Salt Typhoon recorded ‘very senior’ US officials’ calls
Speaking at a security conference in Bahrain, US deputy national security advisor for cyber and emerging technology Anne Neuberger said that Chinese state-sponsored threat actors recorded phone calls made by senior US officials. Last week, Neuberger confirmed eight US telecom providers had been compromised by Salt Typhoon along with organizations in many other countries.
Salt Typhoon reminded us our telecom security wasn't where it needed to be, and we have had similar reminders in healthcare, water and power sectors. If you're in the critical infrastructure business, don't wait for regulators to require increased security. It remains a good idea to use end-to-end encrypted mechanisms for sensitive conversations. Even so, make sure you understand where the connection is protected and how.
- 2. FCC: Chairwoman Rosenworcel Announces Agency Action to Require Telecom Carriers to Secure their Networks
The FCC is taking decisive steps in holding telecommunications companies accountable for cybersecurity in the wake of the 2024 breach of US wiretap systems. The proposed regulations constitute "urgent action to safeguard the nation's communications systems from real and present cybersecurity threats, including from state-sponsored cyber actors from the People's Republic of China." Note that the telecom security plans need to also address submarine cable security. In effect this updates the 30-year-old legislation (notably section 105) which requires telecom providers to be able to comply with wiretap requests while also making certain that any interception of communications can only be carried out with lawful authorization. The trick is to make sure these annual security reports don't turn into check-the-box exercises, but actually reflect risk-based decisions to secure these services.
- 3. Enhanced Visibility and Hardening Guidance for Communications Infrastructure
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, and the US have jointly published Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The document serves to underscore the threat posed by Chinese state-sponsored threat actors who have compromised telecommunications networks. The guidance notes that “although [it is] tailored to network defenders and engineers of communications infrastructure, this guide may also apply to organizations with on-premises enterprise equipment.” The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have also advised people to use encrypted phone and messaging apps.
- 4. iVerify Mobile Threat Investigation Uncovers New Pegasus Samples
In May 2024, iVerify launched their Mobile Threat Hunting feature. On December 4, they published a report of findings from the use of the feature. From the 2,500 device scans that users submitted to iVerify, seven found instances of Pegasus spyware, some dating as far back as 2021. iVerify writes that their “investigation detected 2.5 infected devices per 1,000 scans – a rate significantly higher than any previously published reports.”
- 5. US medical device giant Artivion says hackers stole files during cybersecurity incident
Artivion, Inc. has filed an 8-K form with the Securities and Exchange Commission (SEC) disclosing a "cybersecurity incident" and subsequent response measures beginning November 21. The company is a manufacturer and worldwide supplier of "implantable tissues for cardiac and vascular transplant applications." The form describes the attack as "the acquisition and encryption of files," and informs shareholders that though the effects of the attack are largely mitigated, ordering, shipping, and some corporate operations were disrupted, potentially leading to "additional costs that will not be covered by insurance." It looks like Artivion, formerly CryoLife, is recovering from a ransomware attack and is not certain what the long-term impacts will be, so they are hedging their bets on the material impact statement. What appears missing is communication, other than the 8-K, on the outage and recovery/system status. If an incident warrants an SEC filing, it warrants transparent communication.
- 6. Romania annuls presidential election over alleged Russian interference
Romania's election infrastructure suffered ongoing cyberattacks in the month leading up to the first round of voting in the country's presidential election on November 24, 2024. The estimated 85,000 attacks included the compromise of a Permanent Electoral Authority (AEP) map data server connected to the public web; the leaking of official election and voter registration site credentials; and attempted breaches of voting systems via "SQL injection and cross-site scripting (XSS) vulnerabilities from devices in more than 33 countries." The attacks were concurrent with an "influence campaign" possibly conducted via payments to Romanian TikTok influencers in exchange for distributing promotional content for the "outsider" candidate who nominally won the first round. While the decision to annul the first election is, itself, a tough call, what is not clear is what is being done to prevent recurrence. Ignoring the claims of social media influence, election system isolation, credential strengthening and vulnerability management need to be addressed immediately so the integrity of the results can be ensured. Romanian press release: https://www.ccr.ro/en/press-release-6-dec/
- 7. Key electricity distributor in Romania warns of ‘cyber attack in progress’
In a December 9 press release shared by the London Stock Exchange, Electrica Group CEO Alexandru Aurelian Chirita disclosed an ongoing cyberattack. Electrica Group is a major supplier of power throughout Romania, providing electricity and energy system maintenance to approximately one fifth of the country's population.
Critical infrastructure attacks are happening globally, and defenses need to be addressed. Regardless of the threat actor, basic measures such as segmentation and strong authentication need to be implemented and measured. Use a framework to organize your approach. It is likely the Romanian SCADA systems were not impacted simply because they are isolated.
- 8. Resiliency for Water Utilities Pilot Interim Report – Cyber Readiness Institute
The Cyber Readiness Institute (CRI), Foundation for Defense of Democracies (FDD), and Microsoft have published an interim report detailing feedback and strategy adjustments after Phase 1 of implementing a pilot Cyber Readiness Program for small and medium-sized US water utilities. The CRI includes a CyberCoach which has proven successful in aiding the identification and adoption of appropriate security improvements. The trick is maintaining an appropriate cybersecurity posture, including updates as the threat landscape changes. I wonder if a similar approach would help other critical infrastructure providers.
- 9. URL File NTLM Hash Disclosure Vulnerability (0day) – and Free Micropatches for it
Researchers from ACROS security have discovered a flaw affecting "all systems from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2022," which could expose a user's NTLM credentials "by simply having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page."
The long-term fix is moving from NTLM to Kerberos. The short-term dilemma is whether to wait for Microsoft to publish a fix for Windows 10, 11, Server 2012, 2016, 2019 and 2022, to disable NTLM, or to apply the micropatch from ACROS's 0patch service. NTLM can be disabled via GPO (Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM), but test first. The 0patch fix, which doesn't require a reboot, does require an account and running their agent; you can start with a free trial, but have a discussion about the risks of deploying unofficial patches, as well as about licensing a service selected for this purpose.
- 10. Recently Charged Scattered Spider Suspect Did Poor Job at Covering Tracks
US federal prosecutors have charged a California resident with wire fraud and aggravated identity theft for allegedly conducting phishing attacks that targeted telecommunications companies and a financial institution. Remington Ogletree is believed to be at least the sixth alleged member of a hacking group known as Scattered Spider. Ogletree used a combination of techniques, including social engineering, to obtain the credentials needed to access target networks, then leveraged stolen API keys to access customer accounts and attempted to send about 8.5 million phishing texts intended to steal cryptocurrency. That activity allowed investigators to track back to the iCloud account being used to test the account, and ultimately to Ogletree himself.
- 11. FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites
Two data brokers, Gravy Analytics (including subsidiary Venntel) and Mobilewalla, have been confronted by the FTC and barred from collecting and selling sensitive identifiable location data without consumer consent. Gravy and Venntel "collected and used consumers’ [non-anonymized] location data for commercial and government uses without obtaining consent from the individuals," and continued to do so with awareness of the lack of consent.
Data broker or otherwise, it’s a good time to make sure that you have your consent straight for any identifiable data. If you have to tell a story about how you're walking the line, maybe look more closely.
- 12. Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability
Cisco reports that their Product Security Incident Response Team (PSIRT) has now discovered "attempted exploitation" of a vulnerability in the Cisco Adaptive Security Appliance (ASA) potentially allowing a cross-site scripting attack. The severity of the flaw is rated medium, and it "allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter," due to "insufficient input validation of a parameter."
There is no workaround for the vulnerability, and Cisco recommends mitigating by updating to a fixed release.
- 13. OpenWrt: Security Advisory 2024-12-06-1 – OpenWrt Attended SysUpgrade server: Build artifact poisoning via truncated SHA-256 hash and command injection
OpenWrt users are being urged to upgrade their images to ensure that a critical command injection and hash truncation flaw in OpenWrt Attended Sysupgrade is fixed. The vulnerability could have been exploited to distribute malicious firmware packages.
Once the vulnerability was disclosed to OpenWrt developers, they fixed the issue within hours.
Exploiting the flaw, CVE-2024-54143 (CVSS v4 score of 9.3), relies on hash collisions, because the SHA-256 hashes were truncated to 48 bits (12 hex characters) rather than the full 256 bits. The Attended SysUpgrade (ASU) function allows updating to new firmware while preserving previously manually installed/configured packages and settings, which makes it easier to keep OpenWrt devices updated. Update to the latest commits to address the flaw.
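To make the "48 bits instead of 256" point concrete, here is an added example (not OpenWrt's or the ASU server's code, whose internals the notes don't describe): it computes the birthday bound for a truncated digest, measures how quickly distinct inputs alias on a short prefix, and shows a verifier that only accepts a full-length SHA-256 match. Inputs are constructed; `birthday_attempts`, `prefix_collision_count`, `full_digest_hex` and `verify_artifact` are names chosen for this illustration.

```python
"""Added example: why a truncated SHA-256 prefix is not a safe artifact
identifier, and what a correct full-digest check looks like."""
import hashlib
import hmac
import math

SHA256_HEX_LEN = 64  # a full 256-bit digest rendered as hex


def birthday_attempts(bits: int, probability: float = 0.5) -> float:
    """Expected number of random inputs before two share the same
    `bits`-bit hash value with the given probability (birthday bound):
        n ~= sqrt(2 * 2**bits * ln(1 / (1 - p)))
    For 48 bits and p = 0.5 this is about 2e7 hashes; for 256 bits it is
    on the order of 2**128, which is why truncation matters."""
    space = 2.0 ** bits
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def prefix_collision_count(bits: int, limit: int = 1_000_000) -> int:
    """Hash distinct constructed inputs until two share the same leading
    `bits` bits (bits must be a multiple of 8). Returns how many inputs
    were needed, or -1 if none collided within `limit`. At 16 bits a
    collision appears after a few hundred inputs, so any store keyed by
    such a prefix lets one artifact be served in place of another."""
    seen = {}
    width = bits // 8
    for i in range(limit):
        data = b"constructed-artifact-%d" % i
        prefix = hashlib.sha256(data).digest()[:width]
        if prefix in seen:
            return i + 1
        seen[prefix] = data
    return -1


def full_digest_hex(data: bytes) -> str:
    """Full 64-character hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """Accept an artifact only if its *full* SHA-256 digest matches.
    A truncated expected value (e.g. 12 hex chars) is rejected outright
    instead of being compared as a prefix, and the comparison is
    constant-time so the check leaks nothing about the bytes compared."""
    expected_hex = expected_hex.strip().lower()
    if len(expected_hex) != SHA256_HEX_LEN:
        return False
    try:
        expected = bytes.fromhex(expected_hex)
    except ValueError:
        return False
    actual = hashlib.sha256(data).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("birthday bound, 48-bit prefix: %.3g hashes" % birthday_attempts(48))
    print("birthday bound, 256-bit digest: %.3g hashes" % birthday_attempts(256))
    print("inputs until a 16-bit prefix repeats:", prefix_collision_count(16))
    image = b"constructed firmware image bytes"
    print("full digest accepted:", verify_artifact(image, full_digest_hex(image)))
    print("12-char prefix accepted:", verify_artifact(image, full_digest_hex(image)[:12]))
```

The defender's takeaway is in `verify_artifact`: an identifier that is shorter than the digest it claims to be is treated as invalid, not as a prefix to match, and the full digest is compared with `hmac.compare_digest`.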
- 14. I-O Data Confirms Zero-Day Attacks on Routers, Full Patches Pending
I-O Data has confirmed that three unpatched, critical flaws in their routers are being actively exploited. A firmware update for an inclusion-of-undocumented-features issue (CVE-2024-52564) that could be exploited to disable firewalls has been shipped; patches for the other two vulnerabilities – an information disclosure issue (CVE-2024-45841) and a remote arbitrary code execution flaw (CVE-2024-47133) – are not expected to be available until December 18.
- 1. It turns out that a public phone is also a smart phone
Found through this article https://hackaday.com/2024/12/11/unexpectedly-interesting-payphone-gives-up-its-secrets/
Amazing read on Inbar Raz's effort to reverse engineer a 1997 public payphone from IMI (Israeli Military Industries): sourcing one (5 years ago), lockpicking, help from the hacker fam, motherboard and processor RE, using Ghidra when it was still new, Arduinos, and success in updating the software.