URL: https://view.email.sans.org/?qs=b8d7deabcfb4b2df00d66361808831568a5c9ca53ca7f39387a2c2de72ba24686ed0c3c8b3d86029e13d90a790de...
Submission: On April 10 via manual from US — Scanned from DE


Annotated News Update from the Leader in Information Security Training,
Certification and Research

April 9, 2024 | Vol. 26, Num. 28

Top of The News

 * US Legislators Draft Nationwide Data Privacy Act
 * Acuity Confirms Their GitHub Repositories Were Breached
 * D-Link NAS Vulnerability Affects End-of-Life Devices
 * Help Us Improve NewsBites

The Rest of the Week's News

 * Optical Product Manufacturer Discloses Cybersecurity Incident
 * German State Switches from Microsoft Windows to Linux
 * Home Depot Data Breach Impacts Employees
 * HHS Alert Warns of Healthcare Sector IT Help Desk Social Engineering Schemes
 * Google V8 Sandbox Aims to Prevent Memory Corruption Vulnerabilities from
   Spreading
 * NYC Payroll Website Not Available Outside of City Intranet
 * US DoJ Data Exposed in Third-Party Breach

Internet Storm Center Tech Corner

Cybersecurity Training Update



Upcoming Live Training Events

SANS Security West 2024 | May 9-14
San Diego, CA or Live Online (PT)
31 courses | 2 cyber ranges
Save $600 when you register & pay before May 19

SANS Leadership & Cloud Security - Crystal City 2024 | May 20-24
Arlington, VA or Live Online (PT)
14 leadership or cloud-focused courses
Save $600 when you register & pay before May 19

SANS ICS Security Summit & Training
Summit: Jun 17-18 | 8 Courses: Jun 19-24
Orlando, FL & Live Online

Limited-time offers on OnDemand training through April 21. 

Popular, New & Updated Courses
SEC275: Foundations – Computers, Technology, & Security (Cert: GFACT)
SEC401: Security Essentials - Network, Endpoint, and Cloud (Cert: GSEC)
FOR500: Windows Forensic Analysis (Cert: GCFE)
SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat
Detection (Cert: GCTD)
View all Courses

Architecting Confidence in the Cloud
Ensure you and your teams are equipped to build resilient cloud environments.
Explore new training.

 

--------------------------------------------------------------------------------

 
Free technical content sponsored by Dragos, Inc.

Free Webinar | 2023 OT Cybersecurity Vulnerability Briefing
Join Dragos Vulnerability Analysts Logan Carpenter and Nick Cano on April 18 @ 1
PM ET on a live webinar for an overview of the latest OT vulnerability
statistics and trends and helpful advice on which vulnerabilities are the most
critical to prioritize mitigation in your OT environment to be better protected
in 2024. Register now: https://www.sans.org/info/228855

  Top of the News
US Legislators Draft Nationwide Data Privacy Act
(April 7 & 8, 2024)
 
Two US legislators have drafted the American Privacy Rights Act, which
“eliminates the existing patchwork of state comprehensive data privacy laws, and
establishes robust enforcement mechanisms to hold violators accountable,
including a private right of action for individuals.” The legislation would
restrict the types of data companies can collect, retain, and use to only what
is necessary to provide products and services. It would also hold companies
accountable for their data security obligations.
 
Editor's Note

[Elgee]
One of the great things about the US is how our 50 states (plus territories!)
serve as petri dishes of democracy. Many have created and tested their own
privacy laws. Here's hoping the federal government manages to adopt the best
aspects of each.

[Neely]
Having a single privacy law in the U.S. would simplify implementation for all
involved. The draft legislation parallels the existing goals of CCPA, GDPR and
other privacy acts. The question is how it will be transformed as it works its
way through congress and if states will be willing to accept what remains or
continue to enact their own rules.

[Dukes]
A US Data Privacy Act is long overdue. On first blush it appears to be modeled
off the European General Data Protection Regulation (GDPR) giving citizens
rights over their personal data. Its bipartisan sponsorship strengthens the
likelihood that it will be fully considered by the House and Senate.

Read more in:
- energycommerce.house.gov: Committee Chairs Rodgers, Cantwell Unveil Historic
Draft Comprehensive Data Privacy Legislation
- www.nextgov.com: Congress tries again for comprehensive data privacy bill
- therecord.media: Sweeping bipartisan comprehensive data privacy bill to be
introduced by congressional leaders
- www.wired.com: A Breakthrough Online Privacy Proposal Hits Congress
- www.securityweek.com: Key Lawmakers Float New Rules for Personal Data
Protection; Bill Would Make Privacy a Consumer Right
- www.infosecurity-magazine.com: US Federal Data Privacy Law Introduced by
Legislators

Acuity Confirms Their GitHub Repositories Were Breached
(April 4 & 5, 2024)
 
The US Department of State is investigating a potential cyber incident after
information that was purportedly taken from national security agencies was
leaked online. Tech consulting firm Acuity, which is a US government contractor,
has confirmed that intruders breached their GitHub repositories and stole
documents.
 
Editor's Note

[Ullrich]
Maybe the headline should read "Acuity confirms it stored national security data
on GitHub", not that the GitHub repo was breached. But it probably sounded
better in the press release to call this a GitHub repo breach.

[Neely]
Not so sure storing national security information on GitHub is a wise choice
without a lot of due diligence to ensure it’s protected. The takeaway is to
really understand the (external) environment you’re storing sensitive data in
and verify the protection (and detection) mechanisms meet or exceed your
requirements, then ensure they continue to do so.

Read more in:
- www.bleepingcomputer.com: Acuity confirms hackers stole non-sensitive govt
data from GitHub repos
- www.theregister.com: Feds probe alleged classified US govt data theft and leak

D-Link NAS Vulnerability Affects End-of-Life Devices
(April 6 & 7, 2024)
 
A vulnerability affecting more than 92,000 D-Link network-attached storage (NAS)
devices is being actively exploited. The issue was discovered by a researcher
known online as netsecfish, who writes, “The vulnerability lies within the
nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor
facilitated by hardcoded credentials, and a command injection vulnerability via
the system parameter.” The vulnerable devices are no longer supported and thus
will not be patched.
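The item above names the two things a defender can actually watch for on a device that will never receive a patch: traffic to the nas_sharing.cgi endpoint, and that endpoint being reachable from outside the network (Murray's point below). The following detector is an added example, not part of the newsletter or of netsecfish's write-up. It assumes Apache/nginx "combined" access-log format, takes the endpoint and parameter names only from the quote above, treats RFC 1918 and loopback ranges as "internal", and runs over a few constructed log lines whose parameter values are placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint and parameter names as quoted from the netsecfish write-up above.
VULN_ENDPOINT = "nas_sharing.cgi"
VULN_PARAM = "system"

# Assumption: anything outside these ranges is "internet-facing" traffic.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed sample traffic (not real captures). 203.0.113.0/24 is a
# documentation range; the parameter value is a placeholder, not a payload.
SAMPLE_LOGS = [
    '10.0.0.5 - - [07/Apr/2024:09:58:01 +0000] "GET /cgi-bin/info.cgi HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Apr/2024:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?system=PLACEHOLDER HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.9 - - [07/Apr/2024:10:02:40 +0000] "GET /cgi-bin/nas_sharing.cgi?page=1 HTTP/1.1" 200 201 "-" "Mozilla/5.0"',
    "not a log line at all",
]


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    fields["query"] = parse_qs(parts.query, keep_blank_values=True)
    return fields


def is_internal(ip_text):
    """True if the client address falls inside one of the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def assess(fields):
    """Score one parsed request against the D-Link NAS indicators.

    Returns a list of reason strings; an empty list means nothing noteworthy.
    """
    reasons = []
    if not fields["path"].endswith("/" + VULN_ENDPOINT):
        return reasons
    reasons.append("request to end-of-life NAS endpoint " + VULN_ENDPOINT)
    if VULN_PARAM in fields["query"]:
        reasons.append("injection-bearing parameter '%s' present" % VULN_PARAM)
    if not is_internal(fields["ip"]):
        reasons.append("client %s is external: the NAS is reachable from the internet" % fields["ip"])
    return reasons


def scan(lines):
    """Run the assessment over raw log lines; returns (findings, unparsed_count)."""
    findings = []
    unparsed = 0
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            unparsed += 1
            continue
        reasons = assess(fields)
        if reasons:
            findings.append({"ip": fields["ip"], "ts": fields["ts"], "reasons": reasons})
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOGS)
    for f in found:
        print(f["ts"], f["ip"])
        for r in f["reasons"]:
            print("   -", r)
    print("unparsed lines:", skipped)
```

Any hit on the endpoint is worth a ticket on an unsupported device; a hit carrying the named parameter from an external address is the case to treat as active exploitation and to use as evidence for pulling the device off the public network entirely.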
 
Editor's Note

[Ullrich]
Whenever you purchase a device, you need to track its "lifetime" based on the
vendor's end-of-support rules. Vendors that are not open about how long support
should be expected should be avoided. But at one point, the only option will be to
replace the device, which needs to be budgeted for.

[Neely]
We need to be as conscious of lifecycle with home devices as we are in the
workplace. Yeah, they are not broken as they keep working. But they are not
getting updates either. Also it’s easy to forget about them - like that time you
allowed a connection from the internet to help some friends you never shut down?
Now the really hard part is to get rid of the old one so you’re not tempted to
put it back online.

[Murray]
The count makes one suspicious that these devices are visible to the public
networks. Network attached storage should not be visible to the public networks.

Read more in:
- github.com: Command Injection and Backdoor Account in D-Link NAS Devices
- arstechnica.com: Critical takeover vulnerabilities in 92,000 D-Link devices
under active exploitation
- securityaffairs.com: Over 92,000 Internet-Facing D-Link NAS Devices Can be
Easily Hacked
- www.bleepingcomputer.com: Over 92,000 exposed D-Link NAS devices have a
backdoor account
- nvd.nist.gov: CVE-2024-3273 Detail

Help Us Improve NewsBites 
 
Please take 3 minutes to give us your suggestions.

Sponsored Links
SANS 2024 CTI Survey: Managing the Evolving Threat Landscape | May 22 | Join us
to learn How the CTI discipline has evolved in the past year-how CTI analysts
kept up with the ever-changing threat landscape, how they view emerging threats
(adversary use of AI), and how technology enablement improves efficiency.
https://www.sans.org/info/228860

Do You Know Where Your Data Is? | April 25 at 1:00pm ET | Tune in as we dive
into the results and key findings of our Endpoint Data Survey. Our presenters
will provide insight into the strategies that organizations are using to protect
against the loss of such data. https://www.sans.org/info/228865

Unleashing Secure Access with an Identity-Centric Zero Trust Network Access
Solution: Microsoft Entra Private Access | May 1 at 3:30 pm ET | Join us to
explore how you can enable secure access to any app or resource, from anywhere
using Microsoft’s identity-centric Security Service Edge solution.
https://www.sans.org/info/228870

  The Rest of the Week's News
Optical Product Manufacturer Discloses Cybersecurity Incident
(April 4 & 5, 2024)
 
Hoya Corporation has disclosed a cybersecurity incident that the company says
has affected some production facilities and some product ordering systems. Hoya
says that on March 30, they discovered “a discrepancy in system behavior” that
revealed a system failure, and was advised by third-party experts that it was
likely due to unauthorized access. Hoya is a Tokyo-based manufacturer of optical
products, including eyeglasses, contact lenses, endoscopy products, and glass
substrate used in hard disk drives.
 
Editor's Note

[Dukes]
Although Hoya has yet to confirm a ransomware attack, it bears all the hallmarks
of one. Hoya’s revenue last year was just over $5.6B, so it’s safe to assume
they have a reasonable cybersecurity budget. Hopefully, they will be forthcoming
about what happened and what defenses were in place at the time of attack.

Read more in:
- ssl4.eir-parts.net: IT System Incident in Our Group (PDF)
- www.theregister.com: World's second-largest eyeglass lens-maker blinded by
infosec incident
- therecord.media: Japanese optics company Hoya says cyber incident affected
production

German State Switches from Microsoft Windows to Linux
(April 4, 5, & 8, 2024)
 
The German state of Schleswig-Holstein says it plans to move from Microsoft
Windows to Linux. Schleswig-Holstein digitalization minister Dirk Schrödter
noted that “the use of open source software also benefits from improved IT
security, cost-effectiveness, data protection, and seamless collaboration
between different systems.” He also cited “digital sovereignty” as a reason for
the move. The switch to open-source is not a surprise: several years ago, the
state announced its intention to switch from Microsoft Office to LibreOffice,
with a goal of migrating 25,000 computers by 2026.
 
Editor's Note

[Neely]
If you’re evaluating a similar move, make sure you consider the impact on your
support and security services. The total cost of ownership may be higher than
you think. Make sure you understand what infrastructure you’re going to need to
provide and how you’ll achieve equivalent security and user experience. You may
need a lot of training as so much experience is based on how Windows does
things.

Read more in:
- arstechnica.com: German state gov. ditching Windows for Linux, 30K workers
migrating
- www.computing.co.uk: German state Schleswig-Holstein ditches Windows for Linux
- www.zdnet.com: German state ditches Microsoft for Linux and LibreOffice

Home Depot Data Breach Impacts Employees
(April 7 & 8, 2024)
 
Home Depot has acknowledged a recent cybersecurity incident that exposed
employee data. Home Depot told Bleeping Computer that “A third-party
Software-as-a-Service (SaaS) vendor inadvertently made public a small sample of
Home Depot associates' names, work email addresses and User IDs during testing
of their systems.” The number of affected employees is not specified.
 
Editor's Note

[Neely]
Testing with mocked up or dummy data takes a bit longer to generate usable data
but is really important for testing. With outsourced or cloud services you need
data which doesn’t matter while you make sure systems are properly secured
before going live.

[Murray]
Test data is part of the specification. It should be written before the code. It
includes both the inputs and the associated expected outputs. Live data does not
contain the expected outputs and is not adequate for testing. Moreover, proper
separation of functions should deny developers and testers access to live data.

Read more in:
- www.bleepingcomputer.com: Home Depot confirms third-party data breach exposed
employee info
- www.theregister.com: Home Depot confirms worker data leak after miscreant
dumps info online

HHS Alert Warns of Healthcare Sector IT Help Desk Social Engineering Schemes
(April 3, 4, & 8, 2024)
 
The US Department of Health and Human Services (HHS) Health Sector Cybersecurity
Coordination Center (HC3) has published a sector alert warning of an increase in
social engineering attacks targeting IT help desks in the healthcare sector. The
calls in the recent campaigns come from phone numbers spoofed to appear local to
the organization; the callers have managed to convince help desk staffers to
enroll new devices for MFA authentication.
 
Read more in:
- www.hhs.gov: Social Engineering Attacks Targeting IT Help Desks in the Health
Sector (PDF)
- www.securityweek.com: Healthcare IT Help Desk Employees Targeted in
Payment-Hijacking Attacks
- www.scmagazine.com: Health sector help desks duped by social engineering
scams, HHS warns

Google V8 Sandbox Aims to Prevent Memory Corruption Vulnerabilities from
Spreading
(April 4 & 8, 2024)
 
Google is adding a V8 sandbox to their Chrome browser with the goal of
preventing “memory corruption in V8 from spreading within the host process.”
Memory corruption vulnerabilities in V8 are usually not garden variety memory
corruption issues: most cannot be addressed by switching to memory-safe
programming languages or using hardware memory safety features.
 
Editor's Note

[Neely]
This is designed to protect the host system from the browser.

[Murray]
Browsers leak. This announcement says that the JavaScript V8 engine, a component
of many browsers, leaks so badly that the solution is to encapsulate it so as to
contain the leakage. The objectives of the V8 engine, and of most browsers, were
speed and features. Speed, features, and integrity: pick two.

Read more in:
- v8.dev: The V8 Sandbox
- bughunters.google.com: V8 Sandbox Bypass Rewards 
- thehackernews.com: Google Chrome Adds V8 Sandbox - A New Defense Against
Browser Attacks
- www.securityweek.com: Google Adds V8 Sandbox to Chrome

NYC Payroll Website Not Available Outside of City Intranet
(April 2 & 5, 2024)
 
Due to a phishing campaign aimed at obtaining city employee account credentials,
the New York City Automated Personnel System, Employee Self Service (NYCAPS/ESS)
is not currently publicly available. According to Recorded Future, New York
City’s Office of Technology and Innovation said that employees were receiving
“smishing” (phishing via SMS) messages. While the website is not accessible to
the general public, it is still accessible to employees through NYC’s secure
internal network (intranet). The smishing messages, which asked employees to set
up MFA, appear to be a scam based out of Lithuania.
 
Editor's Note

[Ullrich]
Sounds like a sensible precaution. Reducing your attack surface, by not exposing
some applications to the internet, can substantially reduce the risk. Maybe this
application should never have been exposed in the first place?

Read more in:
- therecord.media: Attempted hack on NYC continues wave of cyberattacks against
municipal governments
- www.politico.com: New York City payroll website has been down for a week,
following phishing attack

US DoJ Data Exposed in Third-Party Breach
(April 8, 2024)
 
A data security incident at a US Department of Justice (DoJ) third-party
contractor has resulted in the exposure of DoJ-related information belonging to
more than 340,000 people. The Greylock McKinnon Associates consulting firm said
the incident occurred in May 2023. The compromised data include Medicare
information and Social Security numbers.
 
Editor's Note

[Neely]
It took the third party until February this year to confirm the incident. While
they subsequently deleted the DoJ data, the data were already exposed. This
highlights the need to understand the capabilities of your third-party providers
as well as make sure their response actions are consistent with your
requirements. Propose a joint tabletop to make sure you’re on the same page.

[Dukes]
Law firms and consultant organizations often maintain sensitive information on
behalf of their clients. They are perhaps the weak link in the cybersecurity
chain. What’s disappointing, though, is the timing of victim notification –
almost a year after the data breach.

Read more in:
- therecord.media: DOJ data on 341,000 people leaked in cyberattack on
consulting firm
- techcrunch.com: Hackers stole 340,000 Social Security numbers from government
consulting firm

  Internet Storm Center Tech Corner

A Use Case for Adding Threat Hunting to Your Security Operations Team.
https://isc.sans.edu

Notepad++ Parasite Site
https://notepad-plus-plus.org

Hugging Face Pickle File Vulnerabilities
https://huggingface.co

Heartbleed 10th Anniversary
https://heartbleed.com
 
Possible Libarchive Backdoor Vulnerability
https://github.com
 

Google Considers V8 Sandbox no longer experimental
https://v8.dev

Magento XML Backdoor
https://sansec.io

Google Public DNS's approach to fight against cache poisoning attacks
https://security.googleblog.com

Remote code execution (RCE) vulnerability in Brocade Fabric OS (CVE-2023-3454)
https://support.broadcom.com
 

 


The Editorial Board of SANS NewsBites

Brian Honan
Curt Dukes
Chris Elgee
David Hoelzer
Ed Skoudis
Gal Shpantzer
Jake Williams
Dr. Johannes Ullrich
John Pescatore

Josh Wright
Kathy Bradford
Lance Spitzner
Lee Neely
Mark Weatherford
Moses Frost
Suzanne Vautrinot
William Hugh Murray


 
SANS Institute
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852


This mailbox is not monitored. Please email support@sans.org or call
301-654-7267 for assistance.