Robin’s Newsletter #277

This week

NSA, CSIA Top 10 misconfigurations

• The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) have released an advisory (PDF) highlighting the most common cyber security misconfigurations exploited by attackers:

1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multi-factor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution

• CISA says these illustrate “a trend of systemic weaknesses in many large organisations” and encouraged “properly trained, staffed, and funded network security teams” to mitigate these weaknesses.
• The advisory calls for software manufacturers to reduce the prevalence of these misconfigurations in their products, particularly by eliminating default passwords, providing high-quality audit logs to customers “at no extra charge,” and mandating multi-factor authentication.

The Red Cross proposed rules of engagement for hacktivists

• The International Committee of the Red Cross (ICRC) has set out twelve rules of engagement concerning hacktivist involvement in cyber warfare. It follows a “worrying trend” in increasing civilian involvement in conflicts, such as by groups like the IT Army of Ukraine.
• Eight of the rules apply to hacktivists and aim to minimise the potential for overspill that could affect civilians or have an impact on humanitarian responses:

1. Do not direct cyberattacks against civilian objects
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
3. When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians
4. Do not conduct any cyber operation against medical and humanitarian facilities
5. Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces
6. Do not make threats of violence to spread terror among the civilian population
7. Do not incite violations of international humanitarian law
8. Comply with these rules even if the enemy does not

• The remaining four rules are aimed at dissuading nation-states from encouraging hacktivist action:

1. If civilian hackers act under the instruction, direction or control of a State, that State is internationally legally responsible for any conduct of those individuals that is inconsistent with the State’s international legal obligations, including international humanitarian law
2. States must not encourage civilians or groups to act in violation of international humanitarian law
3. States have a due diligence obligation to prevent international humanitarian law violations by civilian hackers on their territory
4. States have an obligation to prosecute war crimes and take measures necessary to suppress other IHL violations

• There has been backlash from several hacktivist groups, with the pro-Ukrainian HDr0 group allegedly defacing the website of the Russian Red Cross branch claiming “There are no rules in war”.
• In November last year (vol. 5, iss. 45) the humanitarian organisation proposed a ‘digital Red Cross’ identifier that could be used to mark systems used for humanitarian purposes.

Interesting stats

70% of organisations encountering human-operated ransomware had fewer than 500 employees, with 80-90% of successful ransomware compromises originate through unmanaged devices and 13% of attacks that reached the ransom phase, including some form of data exfiltration, amongst the many cybercrime stats in Microsoft’s Digital Defence Report 2023.

$20 million offered by a Russian zero-day broker for a chain of bugs in WhatsApp to compromise iOS and Android devices.

Other newsy bits / in brief

• NATO is investigating a breach after hacktivist group SeigedSec claimed to have stolen 3,000 documents from the ‘NATO Lessons Learned Portal’, described by the military coalition as an “unclassified NATO website”.

• Rhysida ransomware gang has claimed attacks on the Portuguese and Dominican Republic governments

• Lyca Mobile has announced that recent network disruption was the result of a “cyber attack”. In a statement on the company’s website (which is prevented from being indexed by search engines) the British telco says that it is “now clear” that attackers accessed personal information and asking customers to “be vigilant”. In a previous statement, Lyca said it is “confident that all our records are fully encrypted”.

• DNA testing firm 23andMe says that cybercriminals claim to have “the most valuable data you’ll ever see” on 13 million of the company’s users appears to have been compiled by credential stuffing against its users’ accounts. Credential stuffing involves trying username and password combinations from other breaches against multiple other websites in the hope that accounts have re-used passwords.

• MGM Resorts says that its September cyberattack is expected to cost the casino and hospitality business $100 million. Less than $10 million was spent on “one-time” expenses, such as bringing in consultants to handle the response efforts, with other consequences relating to a 5% drop in hotel occupancy. The company says “virtually all” of its guest-facing systems have been restored and expects the costs to be recovered from its cyber insurance.

• Blackbaud has agreed to a $49.5 million settlement with 49 US states follow a May 2020 ransomware attack where it had denied (vol. 3, iss. 40 losing sensitive data belonging to over 13,000 customers. In March this year (vol. 3, iss. 11), the company settled a case with the SEC on the matter for $3 million.

• Snapchat has received a preliminary enforcement notice from the UK Information Commission over a “worrying failure” to identify and assess the privacy risks to children before launching its ‘My AI’ feature.

• The EvilProxy phishing-as-a-service platform has been abusing an open redirect vulnerability in recruitment website Indeed.com to bypass mail protections and capture user’s credentials.

• A bug in the Lorenz ransomware group has been leaking data, including names, emails and subject lines, entered into the contact form on the group’s website.

• Cisco Talos says that Qakbot’s botnet may still be operational and being used to send ransomware payloads to Italian victims. In September the FBI’s Operation Duck Hunt (vol. 6, iss. 36) took control of the botnet’s command and control infrastructure and change the encryption key to lock the operators out of the botnet; however, no arrests were made as part of the operation.

• Cisco has released a patch to address hard-coded admin credentials in the networking giant’s Cisco Emergency Responder system (which enables accurate location tracking of IP phones).

• TorchServe, an open-source AI model-serving tool maintained by Meta and Amazon, has three critical vulnerabilities that can lead to remote code execution. One of them is that the management console doesn’t require authentication and binds, by default, to every IP address on the server.

• Seven vulnerabilities in Supermicro baseband management controllers allow takeover of ‘lights out’ server interfaces.

• Vulnerabilities in WS_FTP (CVE-2023-40044; 10/10) and Atlassian Confluence Data Center and Server editions (CVE-2023-22515; 10/10) are being actively exploited by attackers.

• IronNet has filed for Chapter 7 bankruptcy. The firm, founded by former NSA director general Keith Alexander had raised more than $400 million in funding before floating on the stock market in August 2021. Since then, the share price has tumbled as the company struggled to sign up new customers to its ‘collective defense’ network detection and response platform.

• Okta has acquired password manager Uno, amidst plans to fast-track a personal tier, for an undisclosed sum.

• Yubico has announced a FIDO Pre-Reg service, currently in preview with Okta, to pre-register YubiKeys to user accounts.

And finally

• Cryptography researchers are offering a bounty to anyone who can crack the phrases used by the NSA as seed values for NIST’s elliptic curves. The aim is to address “a cryptographic mystery, some conspiracy theories, and an historical password cracking challenge” after the person who picked them, Dr Jerry Solinas, passed away earlier this year having forgotten what the sources were.