Hello and welcome to this edition of This Week In Security! Arvin is your editor for this week and I picked security news I found interesting, so Let's get to it - a couple of Police agencies reported of unintentional data leaks over the past weeks, inadvertently exposing sensitive information of its officers and staff. The incidents were attributed to human error. As a general security best practice, review first the data and information that will be sent, especially, if it involves publishing to public internet, to ensure that only the intended information is released and that it is sanitized and does not contain sensitive information. Discord shut down their services due to a Data breach where the malicious actor published the stolen user data to a forum. Discord is investigating the cause of the breach and will improve their site's code and security practices per their announcement. Citrix disclosed critical CVEs CVE-2023-24489 and CVE-2023-3519. CVEs CVE-2023-24489 was added to CISA Known Exploited Vulnerabilities Catalog and should be patched as it is currently being exploited in the wild. It is good practice to review vendor security announcements and also, regularly update infrastructure systems patches. Secure access to systems by allowing access to trusted users and networks and use WAFs/IDS+IPS - like BIG-IP ASM/Adv WAF and BIG-IP AFM - to provide additional checks to traffic traversing a network. CISA shared their Secure by Design views on Artificial Intelligence (AI). Quote "adversarial inputs that force misclassification can cause cars to misbehave on road courses or hide objects from security camera software. These adversarial inputs that force misclassifications are practically different from standard input validation or security detection bypass, even if they’re conceptually similar.". Another quote "Protecting machine learning models is important, but it is also important that the traditional parts of the system are isolated and secured. Privacy and data exposure concerns are more difficult to assess – given model inversion and data extraction attacks, a risk-neutral security policy would restrict access to any model at the same level as one would restrict access to the training data.". Another BlackCat ransomware, now with tools such as Impacket and Remcom, has been extorting victims in a Ransomware-as-a-Service model. Defense In Depth implemented is always nice to have during these type of ransomware incidents. For example, in previous instance of BlackCat ransomware attacks as analyzed by Microsoft, it was observed to be used after Exchange server vulnerabilities are exploited or with use of already compromised credentials in a target organization. As we can never be sure where the entry point is, it is always good to know that all bases are covered - ensure system patches are up-to-date, systems only have access to resources it needs, 2FA and strong Authentication mechanisms.
I hope you will find the security news I picked educational. Thanks and till the next edition.
Couple of Police agencies reported of unintentional data leaks over the past week.
In a statement, the force told The Register: "Cumbria Constabulary became aware of a data breach on Monday 6th March 2023 where information about the pay and allowances of every police officer and police staff roles as at 31st March 2022 was uploaded to the Constabulary's website, which was a human error."
The incident was referred to the Information Commissioner's Office (ICO - the UK data regulator), the force told us. It claims the ICO determined that no further action was necessary, beyond giving some advice and recommendations. The ICO was satisfied with the actions the Constabulary had taken and the robust steps which were put in place to prevent any further data breaches.
The data leak involved a spreadsheet detailing the surnames and initials of all serving officers in the Police Service of Northern Ireland (PSNI), plus civilian staff members. It listed their rank or grade, plus location and department in which they work, but no other personal information such as private addresses is said to have been included.
In an official statement, the PSNI said the breach resulted from information included in error in response to a Freedom of Information (FoI) request, and was taken down quickly, but the service does not appear to know whether the information in the spreadsheet was accessed while it was online.
Norfolk and Suffolk police have stepped forward to admit that a “technical issue” resulted in raw data pertaining to crime reports accidentally being included in Freedom of Information responses.
The latest blunder follows a litany of recent errors elsewhere in the forces: Police Service in Northern Ireland (PSNI) last week confirmed it unwittingly exposed a spreadsheet containing details of serving police officers; and this week Cumbria constabulary said it mistakenly published the names, salaries and allowances for all officers and staff online.
"A technical issue has led to some raw data belonging to the constabularies being included within the files produced in response to the FoI requests in question. The data was hidden from anyone opening the files, but it should not have been included.
Software should be built with security in mind
CEOs, policymakers, and academics are grappling with how to design safe and fair AI systems, and how to establish guardrails for the most powerful AI systems. Whatever the outcome of these conversations, AI software must be Secure by Design.
AI community risk management
Secure by Design “means that technology products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure.” Secure by Design software is designed securely from inception to end-of-life. System development life cycle risk management and defense in depth certainly applies to AI software. The larger discussions about AI often lose sight of the workaday shortcomings in AI engineering as related to cybersecurity operations and existing cybersecurity policy. For example, systems processing AI model file formats should protect against untrusted code execution attempts and should use memory-safe languages. The AI engineering community must institute vulnerability identifiers like Common Vulnerabilities and Exposures (CVE) IDs. Since AI is software, AI models – and their dependencies, including data – should be capturedinsoftware bills of materials. The AI system should also respect fundamental privacy principles by default.
CISA understands that once these standard engineering, Secure-by-Design and security operations practices are integrated into AI engineering, there are still remaining AI-specific assurance issues. For example, adversarial inputs that force misclassification can cause cars to misbehave on road courses or hide objects from security camera software. These adversarial inputs that force misclassifications are practically different from standard input validation or security detection bypass, even if they’re conceptually similar. The security community maintains a taxonomy of common weaknesses and their mitigations – for example, improper input validation is CWE-20. Security detection bypass through evasion is a common issue for network defenses such as intrusion detection system (IDS) evasion.
AI-specific assurance issues are primarily important if the AI-enabled software system is otherwise secure. Adversaries already have well-established practices to exploit an AI system with exposed known-exploited vulnerabilities in the non-AI software elements. With the example of adversarial inputs that force misclassifications above, the attacker’s goal is to change the model’s outputs. Compromising the underlying system also achieves this goal. Protecting machine learning models is important, but it is also important that the traditional parts of the system are isolated and secured. Privacy and data exposure concerns are more difficult to assess – given model inversion and data extraction attacks, a risk-neutral security policy would restrict access to any model at the same level as one would restrict access to the training data.
About 2,000 NetScaler installations feared compromised as CISA raises alarm over ShareFile
Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday warned that criminals have exploited CVE-2023-24489, a 9.8-of-10-severity improper-access-control bug in Citrix ShareFile.
ShareFile is the vendor's collaboration and file sharing application, and it allows enterprises to store files in the cloud or in an on-premises data center.
Citrix sounded the alarm about that security flaw on June 13, and warned that the vulnerability, if exploited, "could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller."
This flaw affects all supported versions of customer-managed ShareFile storage zones controller before version 5.11.24, and upgrading to the latest version will plug the hole, Citrix said at the time. That version was released in May to squash the bug, a month before the tech outfit went public with details of the flaw.
Now the bug has been added to CISA's Known Exploited Vulnerabilities Catalog of stuff that should be fixed as soon as possible because it's under attack in the wild.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the Feds warned, and set a September 6 deadline by which US federal civilian agencies must patch the flaw.
Backdoored NetScaler boxes
Meanwhile, another critical Citrix bug, this one in NetScaler and tracked as CVE-2023-3519, is also being used to compromise hundreds of servers, according to Fox-IT researchers.
CVE-2023-3519 is a code-injection vulnerability, and it also received a 9.8 CVSS severity score. It can, and has been, exploited for remote code execution.
Citrix issued a security alert about this CVE and two others on July 18. At the time, the vendor warned that "exploits of CVE-2023-3519 on unmitigated appliances have been observed."
According to Mandiant, the likely culprits are China-based cyberspies, though the evidence is murky.
"A patched NetScaler can still contain a backdoor," Fox-IT noted. "It is recommended to perform an indicator-of-compromise check on your NetScalers, regardless of when the patch was applied."
There's a couple of ways to do this. Fox-IT has released a Python script that uses Dissect to perform triage on forensic images of NetScalers.
And also this week, Mandiant provided a Bash-script to check for indicators-of-compromise on live systems.
"Be aware that if this script is run twice, it will yield false positive results as certain searches get written into the NetScaler logs whenever the script is run," Fox-IT warned.
Updated to add
A spokesperson for Citrix ShareFile has been in touch with some facts and figures they wanted you to know. The rep confirmed that its customers had been attacked via the CVE-2023-24489 flaw, though attempted to play it down: "While there was a spike to 75 attacks following this, this died down immediately given that the issue has been addressed."
"The incident affected less than three percent of our install base (2,800 customers)," they claimed. "There is no known data theft from this incident."
The spinner also told us more than 80 percent ShareFile customers had patched their environments using the May update before the vulnerability was made public in June.
Discord.io has shut down "for the foreseeable future," after crooks stole, and then put up for sale, data belonging to all 760,000 of the service's users.
The attack happened on Monday night"resulting in content from our database being leaked to unknown actors," according to a notice on the Discord.io website.
After swiping all of the data, including both "non-sensitive" and "potentially-sensitive" account details, a miscreant who goes by the handle Akhirah dumped the info on a cybercrime forum.
Miscreants also leaked users' salted and hashed passwords, which the service says only affects "a small number of people from before we exclusively offered Discord as a login option." That began in 2018.
Another version of BlackCat ransomware has been spotted extorting victims. This variant embeds two tools, we're told: the network toolkit Impacket for lateral movement within compromised environments, and Remcom for remote code execution.
BlackCat, also known as AlphaV, is a notorious ransomware crew whose affiliates lately have taken to compromising hospitals and medical clinics, stealing medical records, and demanding a ransom to keep that information under wraps. Many of these healthcare orgs would rather pay up than face lawsuits from patients when their protected files are leaked or sold online by the extortionists over non-payment.
The BlackCat malware works on Windows and Linux, and is rented out to criminals, who break into targets and run the data-stealing malware, making it a ransomware-as-a-service operation. Under this business model, the affiliates pay to use the malware developed by operators in their attacks, and then the affiliates earn a cut of the proceeds if the victims pay the ransoms.
For BlackCat affiliates, that reportedly translates to between 80 and 90 percent of the amount paid, we're told.
This particular extortion operation was first seen in the criminal underground in 2021, and it was noteworthy because it was one of the first ransomware strains to be written in Rust. Since then, it's been updated, with operators adding features and improvements.
Impacket + Remcom
The new version, according to Microsoft, uses Impacket, a freely available collection of Python code for working with network protocols.
This tool allows miscreants to move laterally across the network, and "has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the Windows giant said.
Additionally, this BlackCat version also has Remcom, which allows attackers to execute code and copy files on remote systems, embedded in the executable, we're told.
"The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment."
While Microsoft doesn't say what July intrusions used this new version of BlackCat, one of the gang's affiliates did break into Barts Health NHS Trust, one of the UK's largest hospital groups, that month.
That infection followed one in June at California's Beverly Hills Plastic Surgery, during which crooks claimed to steal personal information and healthcare records, "including a lot of pictures of patients that they woud [sic] not want out there."