Headline
What to do with that fancy new internet-connected device you got as a holiday gift
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues.
Thursday, January 18, 2024 14:00
Welcome to 2024!
The Threat Source newsletter is back after our winter break.
When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck.
This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network.
Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home.
And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey.
- Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.
- Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop.
- Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol.
- Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up.
- Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
- Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns.
**The one big thing **
Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant.
**Why do I care? **
Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.
**So now what? **
The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware.
**Top security headlines of the week **
Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek)
Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year. The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times)
Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country. AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government’s justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users’ phone numbers and email addresses. (Ars Technica, CBS)
**Can’t get enough Talos? **
- Beers with Talos Ep. #142: Talos Speed Dating (the episode we never set out to make but did anyway)
- Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware
- Microsoft starts off new year with relatively light Patch Tuesday, no zero-days
- Video series discussing the major threat actor trends from 2023
- Year in Malware 2023: Recapping the major cybersecurity stories of the past year
**Most prevalent malware files from Talos telemetry over the past week **
SHA 256: b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31
MD5: 2fb86be791b4bb4389e55df0fec04eb7
Typical Filename: KMSAuto Net.exe
Claimed Product: KMSAuto Net
Detection Name: W32.File.MalParent
SHA 256: 36efad0617db0d45de00cc4f3cf49af7c2d6b5b15ca456d13703b5d366c58431
MD5: 147c7241371d840787f388e202f4fdc1
Typical Filename: EKSPLORASI.EXE
Claimed Product: N/A
Detection Name: Win32.Generic.497796
SHA 256: 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab
MD5: 4c648967aeac81b18b53a3cb357120f4
Typical Filename: yypnexwqivdpvdeakbmmd.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Scar::1201
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 39b0d4bad98713924775595834f1e07598a12c2622977578739222e09766066c
MD5: a543017b4fa809e9f6b7251e7c14a5b0
Typical Filename: a543017b4fa809e9f6b7251e7c14a5b0
Claimed Product: N/A
Detection Name: Auto.39B0D4BAD9.232061.in07.Talos
Related news
A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed. The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions - From 2023.0.0 before 2023.0.11 From 2023.1.0 before 2023.1.6, and&
An unknown adversary compromised a CISA app containing the data via a vulnerability in the Ivanti Connect Secure appliance this January.
By Deeba Ahmed Patch Now! One-Day Vulnerabilities Exploited by Magnet Goblin to Deliver Linux Malware! This is a post from HackRead.com Read the original post: Magnet Goblin Hackers Using Ivanti Flaws to Deploy Linux Malware
This Metasploit module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions 8.x and below are also vulnerable.
By Deeba Ahmed Ivanti has released patches for vulnerabilities found in its enterprise VPN appliances, including two flagged as exploited zero-days… This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited by DSLog Backdoor and Crypto Miners
Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication. The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system. "An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti
By Deeba Ahmed Zero-Day Nightmare: CVE-2024-21893 Exploits Surge in Attacks on Ivanti Products. This is a post from HackRead.com Read the original post: Chained Exploits, Stolen VPN Access: Hackers Target Ivanti Users Despite Patches
A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS
CISA has ordered all FCEB agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products.
Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is
By Deeba Ahmed The Ivanti VPN vulnerabilities have plunged into a black hole. This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware
Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows
A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused
This Metasploit module chains an authentication bypass vulnerability and a command injection vulnerability to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and 22.x prior to the vendor mitigation are vulnerable. It is unknown if unsupported versions 8.x and below are also vulnerable.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
By Deeba Ahmed Another day, another zero-day flaw driving the cybersecurity world crazy. This is a post from HackRead.com Read the original post: Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178
A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178