Ransomware, OpenSSH, AI and Trust, Google Geofence Dec 10-17, 2023 - F5 SIRT - This Week in Security
I am back to editing the newsletter this week after a long pause. A lot of new incidents and advisories came out this week, highlighting ongoing challenges in cyber security across sectors including telecommunications, retail, energy, and healthcare. The focus on 5G network protection, software vulnerabilities, and evolving attack techniques underscores the dynamic and constantly evolving nature of cyber threats. I would like to briefly highlight the latest stories and then get into the details of a few important ones.
Comcast's Xfinity Data Security Incident: Comcast's Xfinity experienced unauthorized access to its internal systems between October 16 and October 19.
VF Corp Cyber Incident: VF Corp, the owner of Vans, reported unauthorized activity on its computer systems, disrupting operations including e-commerce order fulfillment.
Iran Petrol Stations Cyberattack: Nearly 70% of Iran's approximately 33,000 gas stations were rendered out of service following suspected cyberattacks.
China's Data Security Plan: China issued a draft contingency plan for data security incidents.
US Plans for 5G Protection: The U.S. Embassy in Costa Rica announced plans to organize a regional conference on protecting 5G networks in response to cybersecurity and spying concerns.
Johnson Controls Cyber Incident: Building products provider Johnson Controls identified a weakness in its internal control over financial reporting due to a cyber incident disclosed in September.
Russian Targeting of JetBrains Servers: U.S. officials reported that Russian hackers are targeting servers hosting outdated versions of software made by Czech tech company JetBrains for potential SolarWinds-style espionage operations.
CISA's Advisory to Manufacturers: The Cybersecurity and Infrastructure Security Agency (CISA) urged manufacturers to eliminate default passwords after recent attacks targeting water sector industrial control systems (ICS).
CISA's Healthcare Security Guidance: CISA issued cybersecurity recommendations for the healthcare and public health sector.
NSA's SBOM Guidance: The National Security Agency (NSA) published guidance to help organizations incorporate Software Bill of Materials (SBOM) to mitigate supply chain risks.
SMTP Smuggling Attack Technique: A new attack technique called SMTP Smuggling was identified. It exploits differences in how outbound and inbound mail servers interpret the end-of-data sequence, allowing a malicious actor to send spoofed emails from a legitimate server that pass sender authentication checks such as SPF.
Delta Dental Data Breach: Delta Dental of California reported a data breach impacting over 6.9 million individuals, caused by the MOVEit hack.
Advisory on Play Ransomware
On December 18, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) released a joint Cybersecurity Advisory (CSA) titled #StopRansomware: Play Ransomware. The advisory documents the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the Play ransomware group, based on FBI investigations conducted as recently as October 2023.
The Play ransomware group is known for using a double-extortion model. They first exfiltrate data from their targets and then encrypt the systems. This group has significantly impacted a diverse range of businesses and critical infrastructure organizations across North America, South America, Europe, and Australia.
To combat this threat, the FBI, CISA, and ASD’s ACSC are urging organizations to review and implement the recommendations provided in the joint CSA. These measures are designed to reduce both the likelihood and impact of incidents involving Play and other ransomware attacks. Additional resources and information can be found on CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.
OpenSSH 9.6 released
OpenSSH 9.6, the latest release of the complete SSH 2.0 protocol implementation, is out. It includes sftp client and server support and can be downloaded from the mirrors listed on the OpenSSH website.
Alongside minor features and bug fixes, this release carries three security fixes. The headline item is the "Terrapin attack" (CVE-2023-48795) on the integrity of the SSH transport protocol, discovered by Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk. A man-in-the-middle inserts or deletes packets during the unencrypted phase of the handshake; because packet sequence numbers continue uninterrupted across the switch to encryption, the tampering goes undetected afterwards. The practical impact is limited to downgrades, for example deleting the extension-negotiation message, and it only works when the negotiated cipher is chacha20-poly1305@openssh.com or a CBC cipher paired with an encrypt-then-MAC (-etm@openssh.com) MAC. OpenSSH 9.6 counters this with the "strict KEX" protocol extension: each side advertises a pseudo-algorithm in its KEXINIT (kex-strict-c-v00@openssh.com for clients, kex-strict-s-v00@openssh.com for servers), and when both sides do, sequence numbers are reset once the new keys take effect and any unexpected message during the initial key exchange terminates the connection. The protection only applies when both ends support it, so patching a server alone does not cover its older clients.
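The practical check a practitioner wants is whether a given client/server pair will actually negotiate strict KEX, and whether the algorithms on offer are ones Terrapin can exploit. The following is an added example, not code from OpenSSH or from this newsletter: it parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1), looks for the strict-KEX pseudo-algorithms, and flags the affected cipher/MAC choices. The KEXINIT messages at the bottom are constructed samples (a real cookie is 16 random bytes); to test a live host you would read the server's KEXINIT off the socket after the banner exchange and feed its payload to parse_kexinit.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# Order of the name-list fields in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
NAMELIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _read_namelist(buf, off):
    """Read an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return (raw.split(",") if raw else []), off + n


def _write_namelist(names):
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(cookie, **lists):
    """Serialise a KEXINIT payload; fields not given are sent as empty name-lists."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAMELIST_FIELDS:
        payload += _write_namelist(lists.get(field, []))
    return payload + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse a KEXINIT payload (packet body with length and padding already removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + random cookie
    fields = {}
    for field in NAMELIST_FIELDS:
        fields[field], off = _read_namelist(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def terrapin_exploitable(kexinit):
    """Cipher/MAC choices in this KEXINIT that Terrapin can exploit if negotiated."""
    hits = []
    for direction in ("client_to_server", "server_to_client"):
        ciphers = kexinit["encryption_algorithms_" + direction]
        macs = kexinit["mac_algorithms_" + direction]
        if "chacha20-poly1305@openssh.com" in ciphers:
            hits.append((direction, "chacha20-poly1305@openssh.com", "-"))
        # Any CBC cipher combined with an encrypt-then-MAC MAC is also exploitable.
        for cipher in (c for c in ciphers if c.endswith("-cbc")):
            for mac in (m for m in macs if m.endswith("-etm@openssh.com")):
                hits.append((direction, cipher, mac))
    return hits


def assess(client_kexinit, server_kexinit):
    """Strict KEX protects the session only when BOTH peers advertise their marker."""
    strict = (STRICT_KEX_CLIENT in client_kexinit["kex_algorithms"]
              and STRICT_KEX_SERVER in server_kexinit["kex_algorithms"])
    exposed = terrapin_exploitable(server_kexinit)
    return {"strict_kex": strict, "exploitable": exposed, "at_risk": bool(exposed) and not strict}


# Constructed sample KEXINITs (assumption: a zero cookie, never used on the wire).
_COOKIE = bytes(16)
_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]
_MACS = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
_COMMON = dict(server_host_key_algorithms=["ssh-ed25519"],
               encryption_algorithms_client_to_server=_CIPHERS,
               encryption_algorithms_server_to_client=_CIPHERS,
               mac_algorithms_client_to_server=_MACS, mac_algorithms_server_to_client=_MACS,
               compression_algorithms_client_to_server=["none"],
               compression_algorithms_server_to_client=["none"])
CLIENT_96_KEXINIT = build_kexinit(
    _COOKIE, kex_algorithms=["curve25519-sha256", "ext-info-c", STRICT_KEX_CLIENT], **_COMMON)
OLD_SERVER_KEXINIT = build_kexinit(_COOKIE, kex_algorithms=["curve25519-sha256"], **_COMMON)
NEW_SERVER_KEXINIT = build_kexinit(
    _COOKIE, kex_algorithms=["curve25519-sha256", STRICT_KEX_SERVER], **_COMMON)

if __name__ == "__main__":
    client = parse_kexinit(CLIENT_96_KEXINIT)
    for name, srv in (("unpatched server", OLD_SERVER_KEXINIT), ("9.6 server", NEW_SERVER_KEXINIT)):
        print(name, assess(client, parse_kexinit(srv)))
```

Note that the unpatched server is reported at risk even though it also offers AES-GCM and CTR: which cipher is actually negotiated depends on the client's preference order, so an offered exploitable algorithm is treated as exposure. Disabling chacha20-poly1305@openssh.com and the -etm MACs in sshd_config is the usual mitigation for servers that cannot be upgraded.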
The second fix is in ssh-agent(1) (CVE-2023-51384): when PKCS#11-hosted private keys were added with destination constraints and the token returned more than one key, only the first key had the constraints applied, leaving the others usable without restriction. The third (CVE-2023-51385) closes a command-injection path in ssh(1): when a ProxyCommand, LocalCommand, or Match exec directive references the user or host name through expansion tokens such as %u or %h, and an attacker can supply those names (for example through a malicious repository URL handed to ssh by a version control system), shell metacharacters in them were passed straight into a command run by the shell. OpenSSH 9.6 now refuses user and host names containing most shell metacharacters when they would be expanded into such a command.
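To make the injection path concrete, here is an added example (my own illustration, not OpenSSH's code) of how an ssh_config ProxyCommand template is token-expanded before being handed to the shell, and what an allowlist check on the host and user names does to an attacker-controlled value. The allowlist regexes and the sample template are assumptions of this example and are stricter than OpenSSH's actual rules; the hostname with backticks is a constructed attacker input.

```python
import re

# Assumed allowlists for this example (stricter than OpenSSH's real checks):
# hostnames: letters, digits, '.', '-', '_' and ':' (IPv6 literals), not starting with '-'.
# usernames: letters, digits, '.', '_' and '-', not starting with '-'.
_HOST_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:\-]*$")
_USER_OK = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._\-]*$")

# Characters a POSIX shell treats specially in an unquoted word.
SHELL_META = set("`$|&;<>()*?[]{}~!#'\"\\ \t\n")

# Hypothetical ProxyCommand line, as it might appear in a user's ssh_config.
PROXY_COMMAND = "ssh -W %h:%p jumphost"


def expand_tokens(template, host, user, port):
    """Expand %h (host), %r (user), %p (port) and %% in a ProxyCommand template.

    Like ssh(1), the substituted values are not quoted: the result is run by
    the shell as-is, which is exactly why metacharacters in them are dangerous.
    """
    subs = {"h": host, "r": user, "p": str(port), "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in subs:
            out.append(subs[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def injected_metachars(host, user):
    """Shell metacharacters present in the names, i.e. what would reach the shell."""
    return sorted(SHELL_META & set(host + user))


def names_accepted(host, user):
    """The hardened check: both names must match the allowlists."""
    return bool(_HOST_OK.match(host)) and bool(_USER_OK.match(user))


def expand_tokens_checked(template, host, user, port):
    """Hardened expansion: refuse names that fail the allowlist before expanding."""
    if not names_accepted(host, user):
        raise ValueError(f"refusing to expand shell-unsafe names: host={host!r} user={user!r}")
    return expand_tokens(template, host, user, port)


if __name__ == "__main__":
    benign = ("build.example.com", "git")
    hostile = ("`id`.example.com", "git")  # constructed attacker-supplied hostname
    print("benign :", expand_tokens_checked(PROXY_COMMAND, *benign, 22))
    print("naive  :", expand_tokens(PROXY_COMMAND, *hostile, 22))  # `id` would run under sh -c
    print("meta   :", injected_metachars(*hostile))
    try:
        expand_tokens_checked(PROXY_COMMAND, *hostile, 22)
    except ValueError as exc:
        print("checked:", exc)
```

The naive expansion turns the hostname into part of a shell command line, so the backtick substitution would execute on the client before ssh ever connects anywhere; the checked variant rejects the name up front, which is the approach the 9.6 fix takes rather than trying to quote the substituted values.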
The release also introduces a potentially incompatible change: ssh(1) and sshd(8) now terminate the connection if the peer exceeds the channel window limit by more than a small grace factor, as RFC 4254 requires.
New features include a %j token in ssh(1) for ProxyJump hostname expansion, ChannelTimeout support in ssh(1), support for reading ED25519 private keys in PEM PKCS8 format, and a protocol extension for renegotiating acceptable signature algorithms in sshd(8).
Bug fixes cover various aspects, including keystroke timing obfuscation, signal handling, and handling of specific directives and options. The release also improves portability and regression test reliability, updates OpenSSL dependency in the RPM specification, and makes adjustments for OpenSolaris systems.
Bruce Schneier: AI and Trust
Bruce Schneier recently wrote an essay on AI and Trust in which he explores the concept of trust in AI, arguing that we often confuse two different kinds of trust: interpersonal trust (think friends and family) and social trust (think systems and institutions). This confusion can lead to problems when it comes to AI, such as mistaking AI systems for friends and becoming more vulnerable to manipulation. Schneier argues that we make a category error when we think of AI as our friend: AI systems are not people, and they should not be trusted in the same way. He further argues that the corporations controlling AI are not inherently trustworthy and calls for government regulation to ensure safe and ethical AI use.
He proposes four core principles for establishing responsible AI governance:
Transparency: AI systems should be transparent, allowing for clear understanding of their inner workings and decision-making processes. This transparency fosters accountability and enables informed public discourse about AI's potential impact.
Accountability: Someone or something must be held accountable for the actions and outcomes of AI systems. This accountability mechanism ensures that responsibility for potential harms or biases is clearly attributed, preventing the nebulous notion of "AI did it" from becoming an acceptable excuse.
Safety: AI systems must be designed with safety as a paramount concern. They should not pose threats to human safety or well-being, whether intentionally or unintentionally. Rigorous testing and safeguards are essential to mitigating potential risks.
Fairness: AI systems should be free from bias and discrimination. They should treat all individuals fairly and equitably, regardless of their background, demographics, or any other protected characteristics. Mitigating algorithmic bias is crucial to prevent AI from exacerbating existing societal inequalities.
Schneier concludes by highlighting the immense potential of AI to improve our lives in various aspects. However, he warns against the dangers of unfettered AI development and the potential erosion of trust if we fail to address the ethical and regulatory challenges it presents. By embracing the four principles outlined above, we can navigate the complexities of AI and build trustworthy systems that benefit humanity as a whole.
Google Kills Geofence Warrants
Google has announced a significant change in how it handles users' "Location History" in Google Maps, aiming to enhance privacy and limit its response to geofence warrants. This move is seen as a major victory for privacy advocates and criminal defense attorneys who have criticized geofence warrants for their potential to implicate innocent individuals based on their location proximity to a crime scene.
Geofence warrants, also known as reverse-location searches, compel companies like Google to provide information about all users within a specific location and timeframe. These warrants have been controversial due to their broad scope and the privacy implications for individuals caught in the data dragnet.
Under the new design, Location History is stored on the user's device rather than on Google's servers, any cloud backup is encrypted so that Google cannot read it, and the default retention period is shortened. Because Google no longer holds a readable copy of the data, it has nothing to hand over in response to such warrants. A Google employee and privacy experts such as Jennifer Granick of the American Civil Liberties Union confirmed that ending dragnet location searches is the deliberate intent of the change.
The change does not completely prevent the government from accessing information on specific users by demanding full account details. However, it significantly limits the ability of investigators to obtain data or metadata on all users within certain parameters.
This policy shift comes amidst ongoing legal debates over the fundamental legality of geofence warrants. The U.S. Court of Appeals for the Fourth Circuit is currently evaluating a case, United States v. Chatrie, which questions the legality of these warrants.
Google's move is a proactive step in addressing privacy concerns related to geofence warrants, which have been used in high-profile cases like the Capitol Hill storming and the Kenosha riots. It reflects a growing awareness and response to the complex balance between law enforcement needs and individual privacy rights in the digital age.
The Electronic Frontier Foundation (eff.org) considers this a good move and acknowledges the remaining challenge:
"However, we are not yet prepared to declare total victory. Google’s collection of users’ location data isn’t limited to just the “Location History” data searched in response to geofence warrants; Google collects additional location information as well. It remains to be seen whether law enforcement will find a way to access these other stores of location data on a mass basis in the future. Also, none of Google’s changes will prevent law enforcement from issuing targeted warrants for individual users’ location data—outside of Location History—if police have probable cause to support such a search."