Cybersecurity Saturday

From the cybersecurity policy front,

  • Cybersecurity Dive offers “four tech issues to watch in Trump’s second term.”
  • The Wall Street Journal reports,
    • “A federal agency has issued a directive to employees to reduce the use of their phones for work matters because of China’s recent hack of U.S. telecommunications infrastructure, according to people familiar with the matter.
    • “In an email to staff sent Thursday, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms such as Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.
    • “Do NOT conduct CFPB work using mobile voice calls or text messages,” the email said, while referencing a recent government statement acknowledging the telecommunications infrastructure attack. “While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” said the email, which was sent to all CFPB employees and contractors.
    • “The alert is the latest demonstration of concerns within the federal government about the scale and scope of the hack, which investigators are still endeavoring to fully understand and have attributed to a group dubbed Salt Typhoon.” 
  • The Office of National Coordination for Health IT released version 3.5 of its HIPAA Security Risk Assessment tool for small and medium healthcare entities.

From the cybersecurity vulnerabilities front,

  • The Cybersecurity and Infrastructure Security Agency (CISA) added six known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer adds,
    • “Today, CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS.
    • “This security flaw, tracked as CVE-2024-5910, was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.
    • “Palo Alto Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration secrets, credentials, and other data,” CISA says.
    • “While the cybersecurity agency has yet to provide more details on these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit in October that can help chain this admin reset flaw with a CVE-2024-9464 command injection vulnerability (patched last month) to gain “unauthenticated” arbitrary command execution on vulnerable Expedition servers.”
  • Also from Bleeping Computer,
    • “A malicious Python package named ‘fabrice’ has been present in the Python Package Index (PyPI) since 2021, stealing Amazon Web Services credentials from unsuspecting developers.
    • “According to application security company Socket, the package has been downloaded more than 37,000 times and executes platform-specific scripts for Windows and Linux.
    • “The large number of downloads is accounted for by fabrice typosquatting the legitimate SSH remote server management package “fabric,” a very popular library with more than 200 million downloads.
    • “An expert explained to Bleeping Computer that fabrice remained undetected for so long because advanced scanning tools were deployed after its initial submission on PyPI, and very few solutions conducted retroactive scans.”
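The typosquatting described above can be checked for before an install, not only retroactively on the index. The script below is an added example, not code from the original post, from Socket, or from Bleeping Computer: it parses a requirements.txt-style file, normalises each name the way PyPI does, and flags any name that is within a small edit distance of a well-known package without being that package. The allow-list of popular names and the sample requirements file are constructed for illustration.

```python
"""Flag dependency names that are suspiciously close to popular packages.

Added example (not from the original post or from Socket/Bleeping Computer):
a small typosquat check to run over a requirements.txt before installing.
The allow-list of "popular" names and the sample requirements below are
constructed for illustration; extend the allow-list with your own set.
"""
import re

# Constructed allow-list of well-known package names (not exhaustive).
POPULAR_PACKAGES = {"fabric", "requests", "numpy", "boto3", "urllib3", "django"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to a dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return the bare project names from requirements.txt style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or line.startswith(("-", "git+", "http")):
            continue                               # options and URL requirements
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def find_suspects(names, popular=POPULAR_PACKAGES, max_distance: int = 2) -> dict:
    """Map each name that is near (but not equal) to a popular name onto that name."""
    popular_norm = {normalize(p) for p in popular}
    suspects = {}
    for name in names:
        n = normalize(name)
        if n in popular_norm:
            continue                               # the legitimate package itself
        for p in sorted(popular_norm):
            if levenshtein(n, p) <= max_distance:
                suspects[name] = p
                break
    return suspects


# Constructed sample requirements file for the demo.
SAMPLE_REQUIREMENTS = """\
fabric==3.2.2
fabrice           # one extra letter away from "fabric"
requests>=2.31
reqeusts          # transposed letters
boto3
"""

if __name__ == "__main__":
    for bad, good in find_suspects(parse_requirements(SAMPLE_REQUIREMENTS)).items():
        print(f"suspicious: {bad!r} looks like {good!r}")
```

An edit distance of 2 catches one-letter additions such as fabrice and letter transpositions; raise it and you will start flagging legitimately short, dissimilar names, so treat the output as a review queue rather than a block list.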

From the ransomware front,

  • Per Bleeping Computer,
    • “After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.
    • “Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.
    • “watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4.”
    • “Code White also delayed sharing more details when it disclosed the flaw because it “might instantly be abused by ransomware gangs.”
  • and
    • “A new phishing campaign dubbed ‘CRON#TRAP’ infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
    • “Using virtual machines to conduct attacks is nothing new, with ransomware gangs and cryptominers using them to stealthily perform malicious activity. However, threat actors commonly install these manually after they breach a network.
    • “A new campaign spotted by Securonix researchers is instead using phishing emails to perform unattended installs of Linux virtual machines to breach and gain persistence on corporate networks.
  • and
    • “UK’s National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named “Pigmy Goat” created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors.
    • “Last week, Sophos published a series of reports dubbed “Pacific Rim” that detailed five-year attacks by Chinese threat actors on edge networking devices.
    • “One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions.
    • “The malware, which is designed for compromising network devices, features advanced persistence, evasion, and remote access mechanisms and has a rather complex code structure and execution paths.
    • “Although the NCSC report does not attribute the observed activity to known threat actors, it underlines similar techniques, tactics, and procedures (TTPs) to the “Castletap” malware, which Mandiant has associated with a Chinese nation-state actor.”

From the cybersecurity defenses front,

  • Cybersecurity Dive tells us,
    • “Google Cloud is mandating multifactor authentication for all users, the company said in a Monday blog post. It will roll out MFA in phases through the end of 2025.
    • “The hyperscaler said it will start encouraging users to enroll in MFA this month. More than 70% of Google accounts owned by people who regularly use its products already use MFA, the company said. 
    • “In early 2025, Google Cloud said it will require MFA for all users who sign into their account with a password. By the end of next year, the MFA requirement will extend to all users who federate authentication into Google Cloud via identity providers.” 
  • A Dark Reading commentator discusses “[t]he Power of Process in Creating a Successful Security Posture. Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.”
  • Here is a link to Dark Reading’s CISO Corner.