CISA Broke Into a US Federal Agency, No One Noticed For a Full 5 Months

A 2023 red team exercise by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) at an unnamed federal agency exposed critical security failings, including unpatched vulnerabilities, inadequate incident response, and weak credential management, leading to a full domain compromise. According to The Register’s Connor Jones, the agency failed to detect or remediate malicious activity for five months. From the report: According to the agency’s account of the exercise, the red team was able to gain initial access by exploiting an unpatched vulnerability (CVE-2022-21587 – 9.8) in the target agency’s Oracle Solaris enclave, leading to what it said was a full compromise. It’s worth noting that CVE-2022-21587, an unauthenticated remote code execution (RCE) bug carrying a near-maximum 9.8 CVSS rating, was added to CISA’s known exploited vulnerability (KEV) catalog in February 2023. The initial intrusion by CISA’s red team was made on January 25, 2023. “After gaining access, the team promptly informed the organization’s trusted agents of the unpatched device, but the organization took over two weeks to apply the available patch,” CISA’s report reads. “Additionally, the organization did not perform a thorough investigation of the affected servers, which would have turned up IOCs and should have led to a full incident response. About two weeks after the team obtained access, exploit code was released publicly into a popular open source exploitation framework. CISA identified that the vulnerability was exploited by an unknown third party. CISA added this CVE to its Known Exploited Vulnerabilities Catalog on February 2, 2023.” […]

After gaining access to the Solaris enclave, the red team discovered they couldn’t pivot into the Windows part of the network because missing credentials blocked their path, despite enjoying months of access to sensitive web apps and databases. Undeterred, CISA managed to make its way into the Windows network after carrying out phishing attacks on unidentified members of the target agency, one of which was successful. It said real adversaries may have instead used prolonged password-praying attacks rather than phishing at this stage, given that several service accounts were identified as having weak passwords. After gaining that access, the red team injected a persistent RAT and later discovered unsecured admin credentials, which essentially meant it was game over for the agency being assessed. “None of the accessed servers had any noticeable additional protections or network access restrictions despite their sensitivity and critical functions in the network,” CISA said.

CISA described this as a “full domain compromise” that gave the attackers access to tier zero assets — the most highly privileged systems. “The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts,” the report reads. “With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain. “They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization’s identity management (IDM).” From here, the red team realized the victim organization had trust relationships with multiple external FCEB organizations, which CISA’s team then pivoted into using the access they already had.

The team “kerberoasted” one partner organization. Kerberoasting is an attack on the Kerberos authentication protocol typically used in Windows networks to authenticate users and devices. However, it wasn’t able to move laterally with the account due to low privileges, so it instead used those credentials to exploit a second trusted partner organization. Kerberoasting yielded a more privileged account at the second external org, the password for which was crackable. CISA said that due to network ownership, legal agreements, and/or vendor opacity, these kinds of cross-organizational attacks are rarely tested during assessments. However, SILENTSHIELD assessments are able to be carried out following new-ish powers afforded to CISA by the FY21 National Defense Authorization Act (NDAA), the same powers that also allow CISA’s Federal Attack Surface Testing (FAST) pentesting program to operate. It’s crucial that these avenues are able to be explored in such exercises because they’re routes into systems adversaries will have no reservations about exploring in a real-world scenario. For the first five months of the assessment, the target FCEB agency failed to detect or remediate any of the SILENTSHIELD activity, raising concerns over its ability to spot genuine malicious activity. CISA said the findings demonstrated the need for agencies to apply defense-in-depth principles. The cybersecurity agency recommended network segmentation and a Secure-by-Design commitment.

Read more of this story at Slashdot.

Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating

A critical vulnerability in the PHP programming language (CVE-2024-4577) has been exploited by ransomware criminals, leading to the infection of up to 1,800 servers primarily in China with the TellYouThePass ransomware. This vulnerability, which affects PHP when run in CGI mode, allows attackers to execute malicious code on web servers. Ars Technica’s Dan Goodin reports: As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site’s file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key. The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale — used to personalize the OS to the local language of the user — must be set to either Chinese or Japanese. The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.

In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email. Since then, the number of infected sites — detected by observing the public-facing HTTP response serving an open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note — has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday. Censys researchers said in an email that they’re not entirely sure what’s causing the changing numbers.

Read more of this story at Slashdot.

Federal Agency Warns (Patched) Critical Linux Vulnerability Being Actively Exploited

“The US Cybersecurity and Infrastructure Security Agency has added a critical security bug in Linux to its list of vulnerabilities known to be actively exploited in the wild,” reported Ars Technica on Friday.

“The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, allows people who have already gained a foothold inside an affected system to escalate their system privileges.”

It’s the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code or privilege escalation. The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in the NF_tables, a kernel component enabling the Netfilter, which in turn facilitates a variety of network operations… It was patched in January, but as the CISA advisory indicates, some production systems have yet to install it. At the time this Ars post went live, there were no known details about the active exploitation.

A deep-dive write-up of the vulnerability reveals that these exploits provide “a very powerful double-free primitive when the correct code paths are hit.” Double-free vulnerabilities are a subclass of use-after-free errors…

Read more of this story at Slashdot.

Instead of ‘Auth,’ We Should Say ‘Permissions’ and ‘Login’

The term “auth” is ambiguous, often meaning either authentication (authn) or authorization (authz), which leads to confusion and poor system design. Instead, Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh, argues that the industry adopt the terms “login” for authentication and “permissions” for authorization, as these are clearer and help maintain distinct, appropriate abstractions for each concept. From their blog post: We should always use the most clear terms we have. Sometimes there’s not a great option, but here, we have wonderfully clear terms. Those are “login” for authentication and “permissions” for authorization. Both are terms that will make sense with little explanation (in contrast to “authn” and “authz”, which are confusing on first encounter) since almost everyone has logged into a system and has run into permissions issues. There are two ways to use “login” here: the noun and the verb form. The noun form is “login”, which refers to the information you enter to gain access to the system. And the verb form is “log in”, which refers to the action of entering your login to use the system. “Permissions” is just the noun form. To use a verb, you would use “check permissions.” While this is long, it’s also just… fine? It hasn’t been an issue in my experience.

Both of these are abundantly clear even to our peers in disciplines outside software engineering. This to me makes it worth using them from a clarity perspective alone. But then we have the big benefit to abstractions, as well. When we call both by the same word, there’s often an urge to combine them into a single module just by dint of the terminology. This isn’t necessarily wrong — there is certainly some merit to put them together, since permissions typically require a login. But it’s not necessary, either, and our designs will be stronger if we don’t make that assumption and instead make a reasoned choice.

Read more of this story at Slashdot.

Memory Sealing ‘mseal’ System Call Merged For Linux 6.10

“Merged this Friday evening into the Linux 6.10 kernel is the new mseal() system call for memory sealing,” reports Phoronix:

The mseal system call was led by Jeff Xu of Google’s Chrome team. The goal with memory sealing is to also protect the memory mapping itself against modification. The new mseal Linux documentation explains:

“Modern CPUs support memory permissions such as RW and NX bits. The memory permission feature improves security stance on memory corruption bugs, i.e. the attacker can’t just write to arbitrary memory and point the code to it, the memory has to be marked with X bit, or else an exception will happen. Memory sealing additionally protects the mapping itself against modifications. This is useful to mitigate memory corruption issues where a corrupted pointer is passed to a memory management system… Memory sealing can automatically be applied by the runtime loader to seal .text and .rodata pages and applications can additionally seal security-critical data at runtime. A similar feature already exists in the XNU kernel with the VM_FLAGS_PERMANENT flag and on OpenBSD with the mimmutable syscall.”
The mseal system call is designed to be used by the likes of the GNU C Library “glibc” while loading ELF executables to seal non-writable memory segments or by the Google Chrome web browser and other browsers for protecting security sensitive data structures.

Read more of this story at Slashdot.

Change Healthcare Finally Admits It Paid Ransomware Hackers

Andy Greenberg reports via Wired: More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin’s blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers’ sensitive medical data. In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the statement reads. The company’s belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would “cover a substantial proportion of people in America.”

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV’s allegedly jilted partners complained that they hadn’t received their cut of Change Healthcare’s payment. However, for weeks following that transaction, which was publicly visible on Bitcoin’s blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare’s confirmation of that extortion payment puts new weight behind the cybersecurity industry’s fears that the attack — and the profit AlphV extracted from it — will lead ransomware gangs to further target health care companies. “It 100 percent encourages other actors to target health care organizations,” Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. “And it’s one of the industries we don’t want ransomware actors to target — especially when it affects hospitals.” Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a second ransomware group claiming to possess Change Healthcare’s stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare’s network, including patient records and a contract with another health care company.

Read more of this story at Slashdot.

Frontier Communications Shuts Down Systems After Cyberattack

U.S. telecom provider Frontier Communications shut down its systems after a cybercrime group breached some of its IT systems in a recent cyberattack. BleepingComputer reports: Frontier is a leading U.S. communications provider that provides gigabit Internet speeds over a fiber-optic network to millions of consumers and businesses across 25 states. After discovering the incident, the company was forced to partially shut down some systems to prevent the threat actors from laterally moving through the network, which also led to some operational disruptions. Despite this, Frontier says the attackers could access some PII data, although it didn’t disclose if it belonged to customers, employees, or both.

“On April 14, 2024, Frontier Communications Parent, Inc. [..] detected that a third party had gained unauthorized access to portions of its information technology environment,” the company revealed in a filing with the U.S. Securities and Exchange Commission on Thursday. “Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” Frontier now believes that it has contained the breach, has since restored its core IT systems affected during the incident, and is working on restoring normal business operations.

Read more of this story at Slashdot.

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs: Report

T-Mobile employees from around the country are reportedly receiving text messages offering them cash in exchange for swapping SIMs. SIM swapping is when cybercriminals trick a cellular service provider into switching a victim’s service to a SIM card that they control, essentially hijacking the victim’s phone number and gaining access to two-factor authentication codes. From the Mobile Report: The texts offer the employee $300 per SIM swap, and asks the worker to contact them on telegram. The texts all come from a variety of different numbers across multiple area codes, making it more difficult to block. The text also claims they acquired the employee’s number “from the T-Mo employee directory.” If true, it could mean T-Mobile’s employee directory, with contact numbers, has somehow been accessed. It’s also possible the bad actor has live/current access to this data, though we consider that less likely due to the fact that some impacted people are former employees who have not worked at the company in months.

Still, the biggest issue here is how this person (or multiple people) obtained the employee phone numbers. We’re not sure yet which employees are impacted, but based on comments online it seems at least a few third-party employees are affected, and we’ve independently confirmed current corporate employees have also received the message. Though we can’t say for certain, this likely means the information is not the same data as what was leaked during the Connectivity Source breach [from September]. We can’t, however, eliminate that possibility. As mentioned, there are reports that some of the contacted people are former employees, and haven’t been employed at T-Mobile for months, so the information being acted upon is likely a few months old at the very least. That being said, we’re pretty confident based on corporate employees being included that this is a different source of data being used.

Read more of this story at Slashdot.