Vulnerability in Check Point Security Gateways Could Allow for Credential Access

A vulnerability has been discovered in Check Point Security Gateway Products that could allow for credential access. A Check Point Security Gateway sits between an organization’s environment and the Internet to enforce policy and block threats and malware. Successful exploitation of this vulnerability could allow for credential access to local accounts due to an arbitrary file read vulnerability. Other sensitive files such as SSH keys and certificates may also be read. Depending on the privileges associated with the accounts, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Local accounts that are configured to have fewer rights on the system could be less impacted than those that operate with administrative rights.
Threat Intelligence
Check Point is aware that an exploit for CVE-2024-24919 exists in the wild and is being actively exploited. Additionally, the Norwegian cybersecurity organization mnemonic has reported observing threat actors extracting ntds.dit, a store of Active Directory hashes on a Domain Controller, from compromised customers within 2-3 hours after logging in with a local user.
Systems Affected
Quantum Security Gateway and CloudGuard Network Security prior to R81.20, R81.10, R81, R80.40
Quantum Maestro and Quantum Scalable Chassis prior to R81.20, R81.10, R80.40, R80.30SP, R80.20SP
Quantum Spark Gateways prior to R81.10.x, R80.20.x, R77.20.x
Risk
Government:
– Large and medium government entities: High
– Small government entities: High
Businesses:
– Large and medium business entities: High
– Small business entities: High
Home Users: Low
Recommendations
Apply the updates provided by Check Point to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References
Check Point:
https://support.checkpoint.com/results/sk/sk182336
https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/
Rapid7:
https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure
mnemonic:
https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-vpn-vulnerability-cve-2024-24919
Bleeping Computer:
https://www.bleepingcomputer.com/news/security/check-point-releases-emergency-fix-for-vpn-zero-day-exploited-in-attacks/
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24919 

Microsoft Security Public Webinars

June 05 – Microsoft Purview | Collecting Copilot Interactions using Purview eDiscovery
June 06 – Microsoft Defender for Cloud | What’s New in Microsoft Defender for Cloud Container Security
June 12 – Azure Network Security | Azure Firewall Integration in Microsoft Copilot for Security
June 13 – Microsoft Defender for Cloud | Shift Left with Microsoft Defender for Cloud
June 20 – Microsoft Defender for Cloud | Elevate Cloud Security Using Permissions Management in Microsoft Defender for Cloud
June 25 – Microsoft Defender for Cloud | New Version for File Integrity Monitoring

Multiple Vulnerabilities in Progress Telerik Report Server Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Progress Telerik Report Server, which could allow for remote code execution. Telerik Report Server provides centralized management for Progress’ business intelligence reporting suite through a web application. Successful chain exploitation of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Services whose accounts are configured to have fewer rights on the system could be less impacted than those who operate with administrative rights.
Threat Intelligence
According to open source reports, a proof-of-concept was posted on GitHub. There are currently no other reports of these vulnerabilities being exploited in the wild.
Systems Affected
Progress Telerik Report Server versions prior to 2024 Q2 (10.1.24.514) 
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
Apply appropriate updates provided by Progress to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
References
Progress:
https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-1800
https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358
Proof-of-Concept:
https://github.com/sinsinology/CVE-2024-4358
https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800
News Outlets:
https://securityaffairs.com/164114/hacking/progress-telerik-report-servers-poc.html
https://www.helpnetsecurity.com/2024/06/04/cve-2024-4358-cve-2024-1800-poc
https://thehackernews.com/2024/06/telerik-report-server-flaw-could-let.html
CVE:
https://nvd.nist.gov/vuln/detail/CVE-2024-1800
https://nvd.nist.gov/vuln/detail/CVE-2024-4358 

First NIST Cybersecurity Framework Community Profiles Workshop

The NIST NCCoE is hosting a Community Profiles Workshop on June 20, 2024, at 2:00 P.M. ET.

Since the NIST Cybersecurity Framework (CSF) was first released in 2014, the CSF has been used by communities with shared interests in cybersecurity risk management. They developed what CSF 2.0 terms “Community Profiles” to describe the ways various organizations have used CSF Profiles to develop cybersecurity risk management guidance that applies to multiple organizations, as well as to differentiate them from Organizational Profiles that are not shared publicly. A Community Profile can be thought of as guidance for a specific community that is organized around the common taxonomy of the CSF.

During this workshop, participants will:

  1. Learn from communities that have successfully developed Community Profiles
  2. Hear what the NCCoE learned from the recent comment period on the Community Profiles Guide
  3. Share input regarding Community Profiles and influence future NIST guidance in this area

If you have any questions about this event, please reach out to our team at framework-profiles@nist.gov.



TunnelVision VPN Vulnerability

A VPN bypass technique dubbed TunnelVision was discovered that allows an unauthenticated user on the same local network to send DHCP messages that manipulate routes and redirect VPN traffic. This vulnerability may allow a threat actor to read, disrupt, or modify network traffic expected to be protected by the VPN. If successfully exploited, the existing VPN tunnel remains intact, and the side channel created by the threat actor is undetectable to the VPN client. This “decloaking” method is identified as CVE-2024-3661. Recommendations and technical details can be found in the Zscaler blog post and the Leviathan Security blog post.
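The route manipulation described above, as an added example that is not code from the bulletin or from the cited blog posts: a decoder for the DHCP classless static route option (option 121, RFC 3442, which the Leviathan write-up identifies as TunnelVision's vector) that flags pushed routes lying outside the local LAN prefix, since those would pull traffic off the VPN interface. The DHCPACK option bytes and the LAN prefix are constructed assumptions for the example.

```python
import ipaddress

OPT_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442
OPT_PAD = 0
OPT_END = 255


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the DHCP option field (the TLV bytes after the 4-byte magic cookie)."""
    out, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out


def decode_option_121(data: bytes) -> list:
    """RFC 3442 encoding per route: 1-byte prefix length, ceil(prefix/8)
    significant destination octets, then the 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        dest = data[i + 1:i + 1 + nbytes] + bytes(4 - nbytes)  # zero-pad to 4 octets
        router = data[i + 1 + nbytes:i + 5 + nbytes]
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, str(ipaddress.IPv4Address(router))))
        i += 5 + nbytes
    return routes


def suspicious_routes(options: bytes, lan_prefix: str) -> list:
    """Report option-121 routes that are not inside the local LAN prefix: on a
    VPN-connected host such routes win over the tunnel's default and are the
    TunnelVision tell-tale worth alerting on."""
    lan = ipaddress.IPv4Network(lan_prefix)
    opts = parse_dhcp_options(options)
    if OPT_CLASSLESS_STATIC_ROUTE not in opts:
        return []
    return [f"{net} via {gw}"
            for net, gw in decode_option_121(opts[OPT_CLASSLESS_STATIC_ROUTE])
            if not net.subnet_of(lan)]


# Constructed DHCPACK options: option 53 (message type 5 = ACK), option 121 carrying
# two /1 routes (0.0.0.0/1 and 128.0.0.0/1) plus a benign 192.168.1.0/24 route, all
# via 192.168.1.1, then END.  The two /1 routes are the pattern a rogue server pushes.
SAMPLE_OPTIONS = bytes([53, 1, 5,
                        121, 20,
                        1, 0x00, 192, 168, 1, 1,
                        1, 0x80, 192, 168, 1, 1,
                        24, 192, 168, 1, 192, 168, 1, 1,
                        255])
```

Running `suspicious_routes(SAMPLE_OPTIONS, "192.168.1.0/24")` on the constructed packet returns only the two /1 routes; a benign lease with no option 121 returns an empty list.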

Security Issues with IoT Devices

As more Internet of Things (IoT) devices become prominent in our daily lives, concerns about their security shortcomings also increase. These devices—such as smart thermostats, smart appliances, and internet-connected security cameras and systems—add a layer of convenience and ease of access to many technologies we use regularly. While they have many advantages, they also have the disadvantage of being more vulnerable to cyberattacks.
Researchers recently identified vulnerabilities in Telit Cinterion cellular modems that leave millions of IoT devices at risk. The most severe vulnerability could allow arbitrary code to be executed remotely on the modem without prior authentication. Telit Cinterion cellular modems are widely used in the automotive, industrial, financial, healthcare, and telecommunication sectors. Researchers recommend disabling nonessential SMS capabilities for vulnerable IoT devices and employing private Access Point Names (APNs) with strict security settings.
Vulnerabilities were also previously discovered in the popular internet-connected treadmill, Peloton. While these vulnerabilities could allow threat actors to gain access to the network, they would also require threat actors to have physical access to the treadmill. Using social engineering, a determined threat actor could compromise the smart home device.
Additionally, smart home security systems are vulnerable to compromise. Earlier this year, Wyze cameras had a security incident in which 13,000 accounts were compromised, and approximately 1,500 users were able to view the feed of other Wyze cameras. Wyze had a similar incident in September 2023.
IoT devices are often used to build botnets, as their usually lax security measures make them ideal targets for threat actors. Many IoT devices still use default login account credentials and often go unpatched. Once compromised, threat actors can remotely control these devices. Botnets are frequently used in distributed denial-of-service (DDoS) attacks, and can also be used for credential stuffing, cryptojacking attacks, phishing, and infecting more devices with botnet malware.
In March, the Connectivity Standards Alliance (CSA) Product Security Working Group released its IoT Device Security Specification 1.0 to upgrade IoT security measures. Highlights of these requirements include:
– Factory resets must return the device to a secure default.
– No hardcoded default passwords.
– Secure storage of sensitive data.
– Data must be stored and transmitted securely.
– Secure software updates to patch security issues.
– Secure development process.
– Known vulnerabilities must be identified, disclosed, and mitigated.
Recommendations
Keep all devices patched with the latest security updates after appropriate testing. Change the default password for accounts and devices. Use strong, complex passwords and multi-factor authentication (MFA) wherever possible, choosing authentication apps or hardware tokens over SMS text-based codes.

Proposal to Revise SP 800-135 Revision 1, “Recommendation for Existing Application-Specific Key Derivation Functions”

In July 2023, NIST’s Crypto Publication Review Board initiated a review of Special Publication (SP) 800-135 Rev. 1, Recommendation for Existing Application-Specific Key Derivation Functions (2011). NIST received five public comments in response.

NIST proposes to revise SP 800-135 Rev. 1 to:  

  • standardize additional application-specific key derivation functions, 
  • maintain consistency with the upcoming revision of SP 800-131A regarding approved hash functions, and  
  • update references to current versions of existing application-specific key derivation functions. 

Submit your comments on this decision proposal by June 14, 2024, to cryptopubreviewboard@nist.gov with “Comments on SP 800-135 Decision Proposal” in the subject line.

Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. See the project site for additional information about the review process.


Vulnerability in Google Chrome

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with administrative user rights.

Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.  

Threat Intelligence
There are reports of this vulnerability being exploited in the wild.
 
Systems Affected
 
Chrome prior to 124.0.6367.201/.202 for Windows and Mac
Chrome prior to 124.0.6367.20 for Linux 
 
Risk
Government:

– Large and medium government entities: High
– Small government entities: Medium
 
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
 
Home Users: Low
 
Recommendations
 
Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
 
References
Google:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_9.html
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4671



#StopRansomware: Black Basta

This Joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) released this Joint Cybersecurity Advisory to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.
This advisory provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May, Black Basta affiliates have impacted over 500 organizations globally.
Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instruct them to contact the ransomware group via a .onion URL (reachable through the TOR browser). Typically, the ransom notes give victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site, Basta News.
Healthcare organizations are attractive targets for cybercrime actors due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.
The authoring organizations urge the HPH Sector and all critical infrastructure organizations to apply the recommendations in the mitigations section of this advisory to reduce the likelihood of compromise from Black Basta and other ransomware attacks.

Cyber Criminals Phishing and SMiShing US Retail Corporations for Gift Card Fraud

The Federal Bureau of Investigation (FBI) released this Private Industry Notification (PIN) to highlight cybercriminals’ activity using phishing and Short Message Service (SMS) phishing (SMiShing) campaigns against employees at US retail corporate offices in order to create fraudulent gift cards resulting in financial loss.
As of January, the FBI noted a cybercriminal group labeled STORM-0539, also known as Atlas Lion, targeting national retail corporations; specifically the gift card departments located in their corporate offices. STORM-0539 used SMiShing campaigns to target employees and gain unauthorized access to employee accounts and corporate systems. Once they gained access, STORM-0539 actors used phishing campaigns to target other employees to elevate network access and target the gift card department in order to create fraudulent gift cards.
This FBI PIN includes some of the tactics, techniques, and procedures (TTPs) observed from STORM-0539 actors and recommended mitigations to reduce the likelihood and impact of similar attack campaigns, and is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.