A fresh wave of attacks on APAC government entities involves both self-propagating malware spreading via removable drives and a spear-phishing campaign.

Source: Chris Willson via Alamy Stock Photo

One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.

**Mustang Panda's Quick Attacks, Custom Malware**

This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.

Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.

"Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region," Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.

**Evolution of Previous APT Tactics**

The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.

In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.

"This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same," the researchers noted in the post.

The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, and PTSOCKET, a which is used as an alternative exfiltration option.

**Spear-Phishing Delivers Multistage Attack**

Separately, a "fast-paced" spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.

Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader for downloading a decoy document and shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.

The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.

"The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16\[.\]162\[.\]188\[.\]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region," they wrote.

The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise "continuous vigilance" and "updated defensive measures" in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. "Earth Preta has remained highly active in APAC," they wrote, "and will likely remain active in the foreseeable future."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Mustang Panda Feeds Worm-Driven USB Attack Strategy

For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems.

Michelle Ensey, Senior Manager of Product Management, NGINX

September 10, 2024

4 Min Read

Source: Brian Jackson via Alamy Stock Photo

Platform engineering is the rising star of the operations firmament. But squint hard and you'll quickly see that the foundation of any serious platform engineering program is operational and application security. By designing a platform through a "security-first" lens, platform engineering leaders can set up their DevOps and AppDev teams for success and make them more efficient by minimizing the toil and cognitive load required to properly execute security policies and practices.

**Designing Platform Assets From "Least Privilege": A Lockdown Mindset**

Every component within your platform — be it a virtual machine, a container, or even a service account — should operate with the bare minimum number of permissions. This is native to security and secure by design, but it should also be a core part of platform design, too. This limits the blast radius if an attacker does compromise a part of your system. Platform engineering teams should design their tools and services for application developers and DevOps practitioners accordingly. Doing this well requires attention to detail and a deep understanding of developer workflows. It also means that platform designs should, if possible, accommodate just-in-time access that elevates permissions only when necessary and revokes them after the required action. Sounds hard, but everything is moving faster in application development, so permissioning systems should meet the challenge, too. This means keeping developers in their workflows and making sure they get what they need when they need it, while also maintaining proper security. 

**Secure Defaults in Configuration Management: No Room for Sloppiness**

When your infrastructure is defined as code (IaC), the default settings for critical components (load balancers, database access, API gateways) become the foundation of your security posture. Developers want to spend as little time as possible on configurations. Yet a shockingly high percentage of security incidents are attributed to misconfigurations of security controls or access policies. Configuration management isn't sexy, but platform engineering for security means putting real muscle-building default configs and scanning behind it to ensure those configs are enforced in testing and deployment. Closely related to security configuration management is hardening IaC templates (Terraform, CloudFormation, etc.). These templates define your infrastructure deployments. Attackers know this and are paying more and more attention to IaC as an avenue of attack. Regular security reviews and IaC scanning can help uncover potential weaknesses. For their part, developers just want to grab a template and run with it. Inline suggestions where developers deploy infrastructure are becoming essential. New AI systems are particularly helpful in analyzing configurations and suggesting changes to harden or improve them.

**Automated Security Testing in CI/CD Pipelines: Fail Fast, Fail Safe**

Platform engineering must integrate security checks directly into your continuous integration and continuous delivery (CI/CD) pipelines so they run automatically whenever developers test code (and often before it is pushed to the main branch). This spots vulnerabilities early in the development cycle. Running static application security testing (SAST) and software composition analysis (SCA) to detect code vulnerabilities and risky open source components is the bare minimum.

More comprehensive practices entail container image scanning for known vulnerabilities and IaC scanning for misconfigurations. Better yet, deploying runtime scanners can detect problems that might appear only when processes are running. Properly done, security automation increases policy enforcement and reduces human error. However, heavy-handed automation can become problematic. For example, enforcing broad, automated code scanning of an entire application before every commit may result in scanners calling out known but irrelevant issues and slowing down CI/CD pipelines for no good reason. Scanning should be integrated with the developer experience using in-line tooling and scanners that never move the dev out of their comfort zone. Scanning can also focus on code that changes to reduce alert fatigue.

**GitOps for Version and Control**

Adopting GitOps for managing infrastructure and container images can help platform engineering better manage fast-changing configurations and create more transparent and accountable infrastructure engineering. Version control, deployment of configurations as code, and the use of a central repository are simple paths to improving application and infrastructure security by removing human errors, streamlining workflows, and eliminating unfamiliar additional IT orchestration systems. SecOps teams can even share Git access to GitOps workflows so that during a security incident everyone is in the same repo and able to root-cause together. For developers and DevOps, GitOps feels more native than trying to learn new environments like Ansible or other IT deployment and configuration engines.

**Conclusion: Platform Security is Job No. 1**

These are just some of the ways smart platform engineering can actually boost security while still improving developer experience, code velocity, and DevOps performance. Any assumption that enhancing platform security will necessarily slow down and hinder application development is a false trade-off. In fact, the two can be highly complementary, and platform engineers are probably better suited to delivering security while improving developer experience than security engineers themselves. For modern applications built on Kubernetes and microservices, platform engineering is not just about building functional systems but also about embedding security into the fabric of those systems, making it an integral part of security engineering.

**About the Author**

Senior Manager of Product Management, NGINX

Michelle Ensey is an accomplished product management professional with extensive experience across diverse industries. She currently serves at NGINX, where she plays a pivotal role in developing and delivering cutting-edge solutions to enhance application delivery and security. Known for her unwavering dedication to continuous learning and innovation, Michelle stays ahead of technological trends and is always enthusiastic about tackling new challenges and seizing opportunities to drive progress. Her commitment to excellence and her passion for technology make her a standout in her field.

Platform Engineering Is Security Engineering

Episode 3: On September 11, 2019, two cybersecurity professionals were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their jobs. Gary De Mercurio and Justin Wynn. Despite the criminal charges against them eventually being dropped, the saga that night five years ago continues to haunt De Mercurio and Wynn personally and professionally. In this episode, the pair and Coalfire's CEO Tom McAndrew share how the arrest and fallout has shaped their lives and careers as well as how it has transformed physical penetration tests for the cybersecurity industry as a whole.

Dark Reading Confidential: Pen Test Arrests, Five Years Later

Researchers flagged a pair of Gallup site XSS vulnerabilities.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

Editor's Note: Dark Reading has become aware that a portion of the original Checkmarx research on these vulnerabilities is in dispute, prompting us to retract sections of our reporting below.

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to misuse by malicious actors.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

The flaws do not impact any of Gallup’s internal data or polling.

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

A third update was made at 1:03PM ET on Sept. 12, 2024, to remove sections of the article that were based on now-disputed portions of the original Checkmarx blog.

Gallup Addresses XSS Bugs in Website

Researchers flagged a pair of Gallup polling site XSS vulnerabilities that could have allowed malicious actors to execute arbitrary code, access sensitive data, or take over a victim account.

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company's website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users.

These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

Cross-scripting flaws allow an attacker to use the URL address bar to insert unauthorized script into a page. For this attack, a target would be sent a malicious URL that looks exactly like a Gallup.com page. Once the victim clicks on the link, they are taken to a page indiscernible from the real thing֫—except in this instance the attacker controls the content displayed.

While these flaws do not impact any of Gallup’s internal data or polling, the bugs could be used by bad actors to spoof convincing looking Gallup.com site pages with misleading information. At scale, a convincing Gallup-branded page could be used spread misinformation to millions of people at once. Of particular concern to the Checkmarx team is that with a trusted name like Gallup behind the bad information, the campaign could appear incredibly convincing—a particularly dangerous risk during election season.

"In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles," the Checkmarx team wrote. "Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users."

**Gallup's Cross-Site Scripting Vulnerabilities**

In the case of the first reflected XSS flaw, the researchers found that "the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page."

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user's navigation session to perform various actions on their behalf, the researchers added.

"It's important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation," the Checkmarx team wrote. "This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions."

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target users and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

"The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s 'Global Risks Report 2024,'" Checkmarx vice president of security research Erex Yalon says. "\[It's important to\] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.

Gallup.com Bugs Open Door to Election Misinformation

A PRC threat cluster known as "Crimson Palace" is demonstrating the benefits of having specialized units carry out distinct stages of a wider attack chain.

Source: Pictorial Press Ltd via Alamy Stock Photo

A trio of threat clusters working in service of the People's Republic of China (PRC) have compromised at least a dozen new targets, including one Southeast Asian government organization.

Operation Crimson Palace has been around since March 2023, but been particularly active in 2024, as the threat actors fight against cybersecurity analysts to stay alive. In fact, despite being outed and actively hunted, Crimson Palace's three arms have managed to continue breaching public and private organizations in Asia, and stealing potentially sensitive strategic data and materials from what Sophos described in a new report as "a prominent agency within the government of a Southeast Asian nation."

**The Ocean's 11 of the Cyber-Threat World**

Every heist movie has a team, where each team member has a unique specialty. You've got your getaway driver, your hacker or safecracker, the weapons expert, the muscle, the silver-tongued vixen.

Operation Crimson Palace uses this team-based approach for cyber heists. Instead of operating as a monolithic advanced persistent threat (APT), three independent teams — tracked by Sophos as Alpha, Bravo, and Charlie — each have a unique, though partly overlapping role in the wider attack chain. This setup allows each cluster to hyperfocus on specific tasks, and allows different clusters to work on different compromises simultaneously.

Cluster Alpha typically handles initial access: performing network reconnaissance and mapping, moving laterally and establishing persistence in a targeted system, deploying backdoors, interrupting security software, and so on.

Broadly speaking, Cluster Bravo is the infrastructure specialist. It further entrenches and spreads in target networks, prepares the field for malware deployment, and establishes command-and-control (C2) communications channels, often by using one Crimson Palace victim as a relay point through which to attack another. From January to June, Sophos identified a number of organizations — including one government agency — whose infrastructure Bravo borrowed for purposes of malware staging.

"It's obscuring the command-and-control in places where you might already be expecting to see traffic," explains Chester Wisniewski, global field chief technology officer (CTO) at Sophos. "If you see HTTPS traffic directly with one of your primary telecommunications providers — or perhaps with another government agency or business entity in the country that's commonly engaging with people in your environment — it's going to be a lot harder to determine if that's \[coming from a malicious\] C2, or if it's just normal business operations."

Though Bravo hasn't always featured heavily in Crimson Palace attacks, it has come to life in more recent cases. Sophos newly identified Bravo activity in at least 11 Asian organizations and agencies, including government contractors.

"It's very possible Cluster Alpha \[and Bravo\] doesn't even know what they're after, other than that this is the target environment that they must keep the door open to, to allow someone else in who's aware of what the goal is," Wisniewski notes.

That someone else is Cluster Charlie.

**Cluster Charlie: An Unstoppable Threat**

Cluster Charlie is the cleanup hitter, responsible for whatever is necessary to maintain system access and exfiltrate sensitive data. Befitting its role, it appears to be the most active and sophisticated of the three clusters.

Its story took shape following its first run-in with researchers in August 2023. After Sophos blocked its custom C2 tool, PocoProxy, the Charlie cluster went quiet for a few weeks. Then, beginning that September and continuing ever since, it has constantly bounced back with a new tactic, technique, or procedure (TTP) for every one its adversaries have blocked.

In response to having its custom malware blocked, Charlie turned to the open source community, making use of at least 11 tools for C2 (e.g. Cobalt Strike), shellcode loading (e.g. Donut), evasion of EDR software (e.g. RealBindingEDR), and more. "When they had custom C2 access to the environment and we successfully blocked it, they pivoted to some open source tools," Wisniewski recalls. "And then when that didn't work, they came back with new custom tooling."

Charlie's creativity came through the most in its means of malware delivery. In the period between last November and this past May, Charlie deployed C2 implants using no less than 28 unique combinations of sideloading chains, execution methods, and shellcode loaders. On multiple occasions during the month of February, the group even conducted a kind of A/B testing, deploying its malicious files using slightly varying means to test which method would work best.

As Wisniewski warns, "If you have something they want — even if you're successful in figuring out their current approach to how they're attacking the network — they're not going to stop. They will continue to innovate and iterate."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese Tag Team APTs Keep Stealing Asian Gov't Secrets

It takes more than technical knowledge to write about cybersecurity in a way people want to read. It takes creativity, discipline, and other key skills.

Source: Inga via Alamy Stock Photo

COMMENTARY

In a recent piece, I explained why I do all my own writing and steadfastly refuse to use AI or ghostwriters. I thought it would make sense to follow up that piece by discussing my writing process.

There are so many quality cybersecurity experts in this field, but aspiring writers among them might not be getting published as often as they'd like. To help security professionals expand their impact, I'd like to offer 10 tips on how to write pieces that will get published on a regular basis.

**1\. Put in the Effort**

Simply put, writing takes work, and writing well takes a lot of work. Writing well on a regular basis takes even more work. There is no shortcut. Someone who wants to publish regularly needs to set aside time to put in the effort required to do so.

**2\. Write Regularly**

Security professionals aren't interested in seeing the same stale content linger for weeks and weeks. Publishing regularly requires coming up with fresh, new material on a regular basis. This is easier said than done, of course. So how can an aspiring writer write quality pieces on a regular basis? See the next few points for ideas.

**3\. Exercise Your Creativity**

Creativity is a gift everyone gets at various levels, but we often don't adequately leverage the creativity that we do have. Digging down deep to find creative angles to approach and discuss security topics is sorely needed. Readers are eager for this type of material, and the writer who brings creative perspectives will not disappoint their audience.

**4\. Find Inspiration Around You**

Don't be afraid to take inspiration from a variety of things. When we open our eyes to the whole of the world around us, we can find inspiration in many places.

**5\. Stock a Warehouse of Stories**

Readers enjoy stories from the trenches. This is likely because there is really no substitute for insight gained through real-world experience. In my opinion, it is helpful to have material you can draw on, like a warehouse. Of course, this material needs to change and evolve over time to suit what audiences are interested in hearing or reading. Perhaps it is helpful to think of it like a comedian having their "tight 10" — a ready and relevant 10 minutes of material that they can go to at a moment's notice.

**6\. Know Your Audience**

I can't stress enough the importance of knowing your audience. When writing for a security audience, the entire nature and demeanor of your piece will be vastly different than if you were writing for the general public, a business audience, an IT audience, or whoever. Tailoring and targeting what you write to the audience that will receive it is an ever-evolving art. It is a skill that serves a writer well, though, and it is well worth the investment in time and energy for you to work on your audience understanding.

**7\. Speak the Language of Your Readers**

A big part of knowing your audience is understanding what issues are relevant to them and how they best understand and internalize discussions around those issues. This requires understanding and speaking the language of the reader. This is an extremely important skill for a writer, and one that takes conscious effort to hone and develop.

**8\. Be Practical**

Too often, I see people writing about, suggesting, discussing, and/or presenting topics that are not particularly practical. There are a lot of interesting ideas out there, but you need to understand what is practical and actionable for the audience. When writing, it is important to ask ourselves the question, "What actionable items will the audience take away from this?"

**9\. Stay Focused**

Not surprisingly, writing takes a tremendous amount of discipline. As I write this piece, I am having to block out several distractions around me. This is a constant theme — life and work are full of distractions. I cannot stress enough the importance of staying focused when working on a piece.

**10\. Follow Through**

Lots of people come up with all kinds of ideas but follow through on few or none of them. While writing takes a number of skills, including focus and discipline, following through is no less important. Starting 10 articles and finishing none of them benefits no one. Suggesting 10 project ideas and seeing none of them through is a fool's errand. Throwing out 10 presentation topics but creating the content for none of them produces no value. It's better to pick your battles carefully, methodically, and strategically. That gives a writer the best chance of producing a finished product that people will want to read.

**And Finally...**

When it comes to writing, there is no secret recipe. Like many things in both our personal and professional lives, it takes creativity, hard work, focus, discipline, and follow-through, among other things. If writing to be published is something you would like to do, go for it. But be strategic and deliberate about it for the best chance at positive results. Happy writing!

**About the Author**

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

10 Writing Tips for Cybersecurity Professionals

CISA has added CVE-2024-40766 to its Known Exploited Vulnerabilities catalog.

Source: Michael Vi via Shutterstock

Threat actors, including Akira ransomware affiliates, have begun exploiting a critical remote code execution (RCE) vulnerability that SonicWall disclosed — and patched — in its Gen 5, Gen 6, and some versions of its Gen 7 firewall products last month.

The attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, identified as CVE-2024-40766, to its Known Exploited Vulnerabilities (KEV) database. The vulnerability is one of the three that CISA added to its KEV catalog this week and wants federal civilian executive branch (FCEB) agencies to address by Sept. 30.

**Improper Access Control Bug**

CVE-2024-40766 is an improper access control bug in the management access component of SonicWall SonicOS running on the company’s SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older. It lets attackers gain complete control of affected devices and in some cases cause the firewall to crash entirely.

SonicWall first disclosed the bug on Aug. 22 and assigned it a severity rating of 9.3 out a possible maximum of 10 on the CVSS scale. On Sept. 6, the network security vendor updated the advisory to include the local SSLVPN accounts as being vulnerable to CVE-2024-40766 as well. The advisory also warned customers about attack activity targeting the vulnerability and urged organizations to immediately apply the company's recommended mitigations for it.

Artic Wolf on Friday said it had observed Akira ransomware affiliates abusing the vulnerability to compromise SSLVPN accounts on SonicWall devices. "In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory," Arctic Wolf said.  "Additionally, MFA was disabled for all compromised accounts."

SonicWall wants customers of affected appliances to update to fixed versions of the technology as soon as possible. The company also recommends that organizations limit firewall management functions to trusted sources and to disable WAN management via the Internet. "Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet," SonicWall advised.

The company is also "strongly" advocating that administrators of the company's Gen 5 and Gen6 firewalls ensure that SSLVPN users with locally managed accounts change their passwords immediately to protect against unauthorized access. Additionally, SonicWall has recommended that organizations enable multifactor authentication (MFA) for all SSLVPN users.

**SonicWall: A Popular Target**

SonicWall's firewall products, like routers, VPNs and other network security technologies are an attractive attack target because of the elevated privileges threat actors can gain on a target network by compromising one of these products. Many network security products give attackers access to all traffic flowing in and out of a network and also to the valuable assets and data that are behind the devices. In recent years, security vendors such as Cisco and entities like CISA and the UK's National Cyber Security Center (NCSC) have warned repeatedly about attackers targeting vulnerabilities in network devices as a means to gain an initial foothold on target devices.

Earlier this year, CISA, for instance, identified China's notorious Volt Typhoon group as routinely targeting networking appliances from vendors such as Fortinet, Ivanti, NetGear, Cisco, and Citrix to obtain initial access. In a 2023 report, Cisco said it had observed continuous malicious activity, including traffic manipulation and copying, infrastructure reconnaissance, and active attempts to weaken network defenses, by state sponsored actors and intelligence agencies around the world. The company assessed that attackers like targeting network technologies such as routers and switches because of the deep visibility they enable on a victim network and because organizations often fail to keep the devices properly secured and patched.

Concerns over heightening government exposure to such attacks prompted CISA to issue a binding operational directive in late June that required FCEB agencies to implement strong measures to protect management interfaces for specific network devices such as firewalls, routers, switches, VPN concentrators, load balancers, and proxies.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Akira Ransomware Actors Exploit SonicWall Bug for RCE

Though the company reports that data was exfiltrated in the breach, it has been remained tightlipped regarding the kind of data that was exposed.

Source: Kumar Sriskandan via Alamy Stock Photo

Avis Car Rental is notifying nearly 300,000 individuals of a data breach it fell victim to in early August.

According to the letter it is sending out to those who have been affected, a threat actor gained unauthorized access to its business applications. The company took steps to end the access and launched an investigation alongside third-party experts, as well as alerted the authorities and notified the Maine Attorney General's Office.

The investigation has led the company to believe that the access was gained between Aug. 3 and Aug. 6, and that some personal identifiable information (PII) was exfiltrated, though the scope of the breach remains unclear.

"While details of the recent Avis intrusion are scant and we're not privy to how disruptive this attack was to Avis corporate employees and the nearly 300,000 customers apparently impacted, I am encouraged by the company's quick response and its implementation of additional safeguards to its systems and customer data," Sean Deuby, principal technologist at Semperis, wrote in an emailed statement to Dark Reading.

Avis is providing complimentary one-year memberships to those who were affected, but they must enroll by Dec. 31. Still, the company recommends that its customers remain vigilant against fraud and identity theft and review their financial statements often, as it works to bolster its cybersecurity protections.

**About the Author**

300K Victims' Data Compromised in Avis Car Rental Breach

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Source: Dzmitry Skazau via Alamy Stock Photo

Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.

To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.

**Baseline Security**

Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:

*   Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.
    
*   Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications' security capabilities.
    
*   Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.
    

While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.

**Endpoint Detection and Response**

Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.

EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.

EDR tools can be likened to a data recorder, or "black box," for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.

**Automated Moving Target Defense**

Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.

Endpoint defense with AMTD can include:

*   Enhancing memory defense through morphing or enhanced randomization
    
*   Augmenting confidential computing enclaves with AMTD proactive defense
    
*   Enhancing runtime software hardening (polymorphism of code or inputs)
    
*   Automatic endpoint self-healing from known good files storage
    
*   Applying AMTD to file storage or storage access channels (command and storage polymorphing)
    

AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.

**Mobile Threat Defense**

The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.

The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:

*   Behavioral anomaly and configuration detection
    

*   Protection against device attacks, network attacks, and malicious and leaky apps
    
*   Mobile anti-phishing protection
    
*   OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance
    
*   Crowdsourced threat intelligence
    

Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints' resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.

**About the Author**

Director Analyst, Gartner

Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.

Source

DARKReading