Google and Chrome proposed split, CISA insights, AI OSS-Fuzz, Roundup
Hello! ArvinF is your editor for this edition of the F5 SIRT This Week in Security, covering 17 to 23 November 2024. We have news this week on a proposed split of the Chrome browser from Google, insights from a CISA red team assessment, the recovery of Change Healthcare services, Google's AI-assisted fuzzing work in OSS-Fuzz, and a roundup on "swatting", end-of-support devices and critical CVEs, "digital end of life planning" and "future proofing". I hope you find the selection educational and that it helps sharpen your security mindset.
Credit to the original authors of the articles.
If this is your first TWIS, you can always read past editions. The F5 SIRT also encourages you to check out all of the content from the F5 SIRT.
Let's get to it!
Google and Chrome proposed split
The US DoJ is proposing that Google be required to divest the Chrome web browser. The stated aim is to end Google's monopoly on search. Google derives most of its profits from advertising, and shipping Chrome with Google Search as the default search engine leaves competitors with a steep hill to climb. Because Chrome has a very large user base, Google dominates search results, the use of that search activity for the advertisements returned to users, and the scraping of content for training AI models. If the proposal goes through, Chrome would have a new owner with access to its code and responsibility for maintaining its security. Another consequence is that the split could break Google services that users rely on for their daily activities. On the business side, the revenue of companies such as Apple and Mozilla would be affected, as Google pays to have Google Search set as the default search engine in Safari and Firefox. We will have to see how this plays out.
DoJ wants Google to sell Chrome and ban it from paying to be search default
- https://www.theregister.com/2024/11/21/usa_vs_google_full_filing/
- https://www.justice.gov/atr/case-document/file/1577991/dl
- https://www.channelnewsasia.com/commentary/google-chrome-us-department-justice-antitrust-advertising-internet-monopoly-4761976
- https://www.theregister.com/2024/10/09/usa_vs_google_proposed_remedies/
CISA Red Team exercise insights
CISA conducted a red team assessment and documented it in their article "Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization".
Figure 1: Timeline of Red Team Cyber Threat Activity
The figure "Timeline of Red Team Cyber Threat Activity" shows that initial access to the target organization was gained through "an old and unpatched service with a known XML External Entity (XXE) vulnerability" that had a public PoC, running on the target's web server. A pre-existing web shell on the Linux-based web server allowed the red team to execute commands. After the initial foothold, the red team escalated privileges because the service account on the web server had excessive privileges available via sudo. They then moved laterally: insufficient network segmentation between the Linux and Windows environments, combined with unconstrained delegation being enabled on some Windows hosts, eventually allowed them to capture a Kerberos TGT from the Windows domain controller. When unconstrained delegation is enabled, the Kerberos TGTs of any user that authenticates to that host are stored on it; "With sufficient privileges, an actor can obtain those tickets and impersonate associated users."
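To make the initial-access vector concrete, here is an added example (not code from the CISA report or from the assessed organization) of the XXE bug class in Python's standard-library parsers, assuming a hypothetical XML-accepting service: parse_permissive() turns on external general entity resolution, which is what an XXE-vulnerable parser effectively does, and reads a server-side file into the response; parse_hardened() rejects any DOCTYPE inside expat itself, so no entity can be declared at all. The secret file, the payload and the function names are constructed for the example.

```python
# Added example (not from the CISA report or the assessed organization's code):
# the XXE class of bug in a Python XML front end, and a parser that refuses it.
import io
import os
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Collects every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_permissive(xml_bytes: bytes) -> str:
    """Vulnerable: external entities are resolved, so a SYSTEM entity that points
    at a local file (a bare path here; file:///etc/passwd in a real payload) is
    read from disk and returned as ordinary element text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous switch
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


class DTDRejected(ValueError):
    """Raised when a document carries a DOCTYPE and so could declare entities."""


def parse_hardened(xml_bytes: bytes) -> str:
    """Refuses DTDs inside expat itself. Entities can only be declared in a DTD,
    so rejecting the DOCTYPE closes XXE and entity-expansion attacks; doing it
    in the parser rather than by grepping the request body means encoding tricks
    (UTF-16 bodies, comments, odd whitespace) cannot slip one past."""
    parts = []
    parser = expat.ParserCreate()

    def reject_doctype(*_args):
        raise DTDRejected("DOCTYPE declarations are not accepted by this service")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def xxe_payload(path: str) -> bytes:
    """The classic XXE document: declare an external entity that resolves to a
    server-side file, then reference it where the service expects user data."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "' + path.encode() + b'"> ]>\n'
        b"<order><customer>&xxe;</customer></order>"
    )


def demo() -> dict:
    """Runs both parsers against the same payload; returns what each produced."""
    # Constructed stand-in for a secret on the web server (e.g. an app config file).
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2\n")
        secret_path = f.name
    try:
        leaked = parse_permissive(xxe_payload(secret_path)).strip()
        try:
            parse_hardened(xxe_payload(secret_path))
            blocked = False
        except DTDRejected:
            blocked = True
        benign = parse_hardened(b"<order><customer>alice</customer></order>")
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    print(demo())  # {'leaked': 'db_password=hunter2', 'blocked': True, 'benign': 'alice'}
```

A WAF signature for XXE looks for the same thing the hardened parser refuses, a DOCTYPE with an ENTITY declaration in the request body; the parser-level check is the one that still holds when the body is encoded or wrapped in a way the signature was not written for, so both layers are worth having.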
From a mitigation perspective, I hope that organizations add layers of protection to their networks, applications and sensitive business systems. A Web Application Firewall such as F5 BIG-IP ASM/Advanced WAF, NGINX App Protect or F5 Distributed Cloud could have mitigated the initial XML External Entity (XXE) vulnerability on the target web server through attack signatures and security policy configuration. If BIG-IP AFM had been deployed, it could have provided network segmentation through its network firewall policy configuration and IPS/IDS functionality through Protocol Inspection. BIG-IP SSL Orchestrator can integrate with other security products, as it gives them visibility into encrypted traffic passing through it and can act on the verdicts of the chained security services.
The CISA article has extensive details of the red team exercise's findings and recommendations. Do read the "Noted Strengths" section: while the target organization had shortcomings, it also had strengths, such as a properly deployed EDR and incident response capabilities. The mitigations section is also insightful for network defenders and software manufacturers, and includes a recommendation to "continually test your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified". Organizations should grant service accounts only the minimum privileges they need, configure business systems securely (removing unused and potentially vulnerable software), enable logging, and keep operating systems up to date.
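The escalation step above came from a service account that could do too much via sudo. Below is an added example, not from the CISA report, of the check a defender would run over /etc/sudoers (and the files under /etc/sudoers.d) to catch that before an assessment does: it parses the common "user HOST=(runas) [TAG:] cmd, cmd" rule form, then flags accounts that may run ALL, that may run a binary with a known shell escape, or whose command line contains a wildcard. The sample sudoers text and the list of shell-escape binaries are constructed for the example (the latter is a small hand-picked subset; extend it from a maintained list), and alias, Defaults and include lines are skipped rather than resolved.

```python
# Added example, not from the CISA report: a small audit of sudoers rules that
# flags the kind of over-privileged service account the red team abused.
import os
import re
from dataclasses import dataclass

# Commands that let the caller drop to a shell or read/write arbitrary files when
# run via sudo. Hand-picked subset for the example; extend from a maintained list.
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "dash", "zsh", "env", "find", "awk", "gawk", "perl", "python",
    "python3", "vi", "vim", "nano", "less", "more", "tar", "tee", "cp", "mv",
}

TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL")
TAG_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(TAGS))
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Lines this example does not resolve (aliases would need a second pass).
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


@dataclass
class SudoRule:
    user: str          # user, %group or +netgroup
    hosts: str
    runas: str         # "root" if the rule does not say (sudo's default)
    nopasswd: bool     # True if any command in the list carries NOPASSWD (simplified:
                       # in real sudoers a tag applies to the rest of the list)
    commands: list


def parse_sudoers(text: str) -> list:
    """Parses user-specification lines; comments, Defaults, aliases and includes are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops comments and #include lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        commands = []
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (t := TAG_RE.match(item)):      # strip leading TAG: prefixes
                nopasswd = nopasswd or t.group(1) == "NOPASSWD"
                item = t.group(2).strip()
            if item:
                commands.append(item)
        rules.append(SudoRule(m.group("user"), m.group("hosts"),
                              m.group("runas") or "root", nopasswd, commands))
    return rules


def audit(rules: list) -> list:
    """Returns (user, severity, reason) findings for rules that grant more than a
    service account should have. root is skipped: it already has everything."""
    findings = []
    for r in rules:
        if r.user == "root":
            continue
        pw = " without a password" if r.nopasswd else ""
        for cmd in r.commands:
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((r.user, "HIGH", f"may run any command as ({r.runas}){pw}"))
            elif binary in SHELL_ESCAPE_BINARIES:
                findings.append((r.user, "HIGH",
                                 f"{cmd!r} as ({r.runas}) can be escaped to a shell or arbitrary file access{pw}"))
            elif "*" in cmd:
                findings.append((r.user, "MEDIUM",
                                 f"{cmd!r} uses a wildcard; extra arguments can change what it does"))
    return findings


# Constructed sample, not the assessed organization's file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias      SERVICES = /usr/sbin/service
root            ALL=(ALL:ALL) ALL
www-data        ALL=(root) NOPASSWD: ALL
tomcat          ALL=(root) NOPASSWD: /usr/bin/vim /etc/nginx/nginx.conf
backup          ALL=(root) /usr/bin/rsync -a /srv/* /mnt/backup/
monitor         ALL=(root) /usr/bin/systemctl status nginx, /usr/bin/systemctl status sshd
"""


if __name__ == "__main__":
    for user, severity, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{severity:6} {user:10} {reason}")
```

In the sample, www-data (any command, no password) and tomcat (vim, which has a shell escape) are the rules an attacker with a web shell turns into root; the monitor account, limited to two exact systemctl invocations, is what a least-privilege service account looks like.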
Here's what happens if you don't layer network security – or remove unused web shells
- https://www.theregister.com/2024/11/22/cisa_red_team_exercise/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a
- https://www.cisa.gov/sites/default/files/2024-11/aa24-326a-enhancing-cyber-resilience-insights-from-cisa-red-team-assessment_0.pdf
- https://www.cisa.gov/securebydesign
- https://techdocs.f5.com/en-us/bigip-17-1-0/ssl-orchestrator-setup/topologies-in-sslo/configuring-service-chain.html
Change Healthcare services restored
Change Healthcare has recovered from the ransomware attack it experienced nine months ago. The ALPHV/BlackCat threat group took its systems offline, affecting 94 percent of payment transactions between hospitals and practitioners across the US healthcare system. The CEO of UnitedHealth Group, Change Healthcare's parent company, testified before the US Congress that the breach resulted from the threat group using stolen credentials to log into a Citrix portal that did not have multi-factor authentication (MFA) enabled. The organization also paid the ransom: UnitedHealth paid $22 million to the attackers.
Change Healthcare's ransomware attack was covered in earlier 2024 editions of the F5 SIRT TWIS (linked below). It was unfortunate, as the healthcare system and its payments were disrupted, with financial consequences for both organizations and the public.
K08200035: Use cases | BIG-IP APM operations guide describes the authentication and authorization configurations available in BIG-IP APM. Organizations looking to secure their services should implement standard protocols such as OpenID Connect and OAuth 2.0. A BIG-IP APM access policy can also perform client checks and integrate with an MFA solution, so that stolen credentials alone are not enough to gain access.
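As an added illustration of the point above (example code, not F5's, Citrix's or Change Healthcare's): the same stolen username and password tried against a portal that accepts a password alone and against one that also demands a TOTP code. hotp() and totp() follow RFC 4226 and RFC 6238 (HMAC-SHA1, six digits, 30-second steps); the enrollment secret is the RFC 6238 test key, and the user, password and Portal class are constructed for the example.

```python
# Added example, not F5's or Change Healthcare's code: a minimal portal login that
# shows why a password-only portal falls to stolen credentials and a TOTP-protected
# one does not.
import hashlib
import hmac
import os
import struct

STEP = 30                 # TOTP time step in seconds
PBKDF2_ROUNDS = 200_000   # password hashing work factor for the stored credential


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, at: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from Unix time."""
    return hotp(key, at // step, digits)


def match_totp(key: bytes, code: str, at: int, skew: int = 1):
    """Returns the time-step counter the code matches (current step +/- skew, to
    tolerate clock drift) or None. The comparison is constant-time."""
    for delta in range(-skew, skew + 1):
        counter = at // STEP + delta
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


class Portal:
    """A remote-access front end. require_mfa=False models a portal that accepts a
    username and password alone, as in the breach described above."""

    def __init__(self, require_mfa: bool):
        self.require_mfa = require_mfa
        self.users = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp": totp_secret,
            "last_counter": -1,   # highest time step already used, to stop code replay
        }

    def login(self, username: str, password: str, code, at: int) -> bool:
        u = self.users.get(username)
        if u is None:
            return False
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(attempt, u["hash"]):
            return False
        if not self.require_mfa:
            return True          # a stolen password is all an attacker needs here
        if not (isinstance(code, str) and code.isascii() and code.isdigit()):
            return False
        counter = match_totp(u["totp"], code, at)
        if counter is None or counter <= u["last_counter"]:
            return False         # wrong or expired code, or a code already spent
        u["last_counter"] = counter
        return True


def demo() -> dict:
    """The same stolen password against both portal configurations."""
    secret = b"12345678901234567890"   # constructed enrollment secret (the RFC 6238 test key)
    now = 1234567890
    weak, strong = Portal(require_mfa=False), Portal(require_mfa=True)
    for portal in (weak, strong):
        portal.enroll("alice", "correct horse battery", secret)
    fresh = totp(secret, now)          # what alice's authenticator app shows right now
    stale = totp(secret, now - 3600)   # a code captured an hour earlier
    return {
        "weak_stolen_password": weak.login("alice", "correct horse battery", None, now),
        "strong_stolen_password": strong.login("alice", "correct horse battery", None, now),
        "strong_with_token": strong.login("alice", "correct horse battery", fresh, now),
        "strong_replayed_token": strong.login("alice", "correct horse battery", fresh, now + 5),
        "strong_old_token": strong.login("alice", "correct horse battery", stale, now + 40),
    }
```

The strong portal also refuses a code that was already accepted in the same time step and a code from outside the one-step drift window, which is what keeps a captured code from being replayed. In a real deployment the second factor is enforced by the access policy in front of the application rather than inside it, but the outcome the attacker sees with only a stolen password is the same: no session.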
Security training, such as recognizing phishing and following IT security processes for incident response, should be conducted regularly: the organization's "human firewall" needs to stay up to date and continuously watch for potentially malicious activity that may lead to a breach.
Mega US healthcare payments network restores system 9 months after ransomware attack
- https://www.theregister.com/2024/11/20/change_healthcares_clearinghouse_services/
- https://community.f5.com/kb/security-insights/inspectre-rustpanos-cves-x-url-blunder-and-more-april-8-14-2024-f5-sirt-this-wee/329120
- https://community.f5.com/kb/security-insights/lockbit-resurface-after-takeover--lazarus-are-hitting-feb-25th-%E2%80%93-march-2nd—thi/328326
K08200035: Use cases | BIG-IP APM operations guide
Google OSS-Fuzz AI powered vulnerability finder
OSS-Fuzz is Google's continuous fuzzing service for open source projects; its AI-assisted component uses large language models (LLMs) to write fuzz targets for code that was not previously covered by fuzzing. These AI-generated targets have found 26 vulnerabilities so far, including a long-standing bug in OpenSSL. Per my read, OpenSSL scored the CVE as Low while Google scored it as Critical, as OpenSSL is widely used software.
Leveraging AI-driven tools in software development and testing will help organizations deliver more secure software, now and increasingly as these solutions mature.
As defenders, we still have to address vulnerabilities in applications and systems as they are found: keep systems up to date with patches and ensure secure management and application access controls are in place.
Google's AI bug hunters sniff out two dozen-plus code gremlins that humans missed
- https://www.theregister.com/2024/11/20/google_ossfuzz/
- https://security.googleblog.com/2024/11/leveling-up-fuzzing-finding-more.html
"swatting", EoS and Critical CVEs, "Digital end of life planning", "Future proofing"
“Swatting” refers to calling emergency services to report a fake emergency serious enough that it may result in the deployment of Special Weapons and Tactics (SWAT) teams. A teenage serial "swatter for hire" pleaded guilty to four counts covering 375 swatting calls to law enforcement and now faces jail time. Cyber threat groups also use swatting to extort and intimidate ransomware victims, as in the case of Fred Hutchinson Cancer Center back in January.
Older D-Link VPN routers, the DSR-150, DSR-150N, DSR-250 and DSR-250N (all hardware and firmware versions), reached end of life/end of service on 05/01/2024 and are now in trouble following the disclosure of a serious remote code execution (RCE) vulnerability: a buffer overflow that leads to unauthenticated RCE. D-Link will not provide patches and instead offers a 20 percent discount on a newer service router (the DSR-250v2) to help customers refresh this out-of-support, vulnerable hardware. D-Link advises regularly changing each device's unique web-management password and ensuring Wi-Fi encryption is enabled. D-Link also announced that EoL/EoS NAS models are affected by CVE-2024-10914, a command injection vulnerability.
Palo Alto Networks has critical CVEs under active exploitation: CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.2), both affecting the Expedition migration tool. Both can be exploited by an unauthenticated attacker.
The governments of Japan and Sweden have provided future-proofing advice to their citizens.
Japan's National Consumer Affairs Center suggested citizens start "digital end of life planning" and it includes:
Ensure family members can unlock your smartphone or computer in case of emergency;
Maintain a list of your subscriptions, user IDs and passwords;
Consider putting those details in a document intended to be made available when your life ends;
Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.
Sweden's government guide "If crisis or war comes" received its first update in six years and is being distributed to every Swedish household. It cites war, terrorism, cyberattacks and increasingly extreme weather events, and calls for unity to secure the country's independence.
Snippet from the document:
Digital security
Digitalisation can make us vulnerable to cyber attacks that knock out critical IT systems. You play a part in strengthening Sweden’s resilience by handling information in a safe and secure way, both at home and at work. Tips to get started:
Create strong passwords that use a combination of letters, numbers and symbols.
Don’t click on links in emails, or open attachments from unknown senders.
Install security updates immediately.
Perform regular backups of important information to an external hard drive, USB drive or cloud service.
As seen in previous security news and announcements, running systems with unauthenticated critical CVEs exposes the organization to the risk of a breach of those systems, followed by malware deployment, data exfiltration and loss of availability of systems and services. Organizations should address these vulnerabilities on supported vendor products promptly. For devices that have already reached end of support, a technology refresh to newer, supported platforms will let the organization run up-to-date vendor software. Organizations should also secure access to the management interfaces of their systems by not exposing these interfaces or APIs to the public internet and allowing access only from trusted users and networks.
Swatting diverts resources and misleads authorities into acting on fraudulent emergency calls made with malicious intent, and it will surely land someone in jail: don't do it, and don't offer it as a service. Wikipedia's summary of swatting countermeasures includes "educating 911 dispatchers to identify fraudulent calls; ensuring that responding officers were aware of the potential for a hoax; and creating an opt-in registry for people who feared that they might become victims of swatting, such as journalists, celebrities, and live streamers. Using the registry, these people can provide cautionary information to the police, to inform officers responding to potential swatting attempts that target the victim's address".
Japan and Sweden have given their citizens guidance in preparation for significant events, with a focus on digital footprints. These are good practices, and they help whoever will have to manage this information and these assets in the future.
Teen serial swatter-for-hire busted, pleads guilty, could face 20 years
- https://www.theregister.com/2024/11/18/teenage_serial_swatterforhire_busted/
- https://en.wikipedia.org/wiki/Swatting
- https://www.theregister.com/2024/01/05/swatting_extorion_tactics/
- https://www.theregister.com/2024/11/20/dlink_rip_replace_router/
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10413
Put your usernames and passwords in your will, advises Japan's government
Sweden's 'Doomsday Prep for Dummies' guide hits mailboxes today
- https://www.theregister.com/2024/11/18/sweden_updates_war_guide/
- https://rib.msb.se/filer/pdf/30874.pdf