TETRA:BURST, MOVEit, and More - July 17th - 23rd, 2023 - F5 SIRT - This Week in Security

Editor's introduction 

Welcome back my friends, to the show that never ends.  The editor carousel turns and it's me, MegaZone, again this week.  Things are fairly busy currently, as we're coming up on our August 2nd QSN and we're doing all of our preparations for that.  But there is still some time to look back at last week's news and pull out a few items that caught my attention.

TWIS isn't necessarily the biggest issues of the week, of those with the greatest impact, or largest implications, etc.  Just the issues that caught the eye of that week's editor, so each each reflects the personality of the editor to some degree as well.  This time a fairly random mix of issues caught my fancy. 

TETRA involves a favorite subject of mine - rolling your own crypto.  That's just a recurring bad idea.  But I'm also interesting in seeing the technical details once they're released and just how broad the impact really is on today's users.

MOVEit is this week's issue with the greatest potential impact, IMHO.  Hundreds of organizations already identified as victims, over 20 million individual records suspected to be compromised - and that's likely just the tip of the iceberg given the organizations involved and the nature of their businesses.  MOVEit could be one of the larger events of 2023, but we still have half the year left - it can always get worse.

I used to be a regular Twitter user, but I really got tired of Elon's antics with it last fall and all but completely pulled stakes for the Fediverse.  I've kept my account only to keep up with a couple of friends with private accounts who remain active there, and every time I check in it seems like things have gotten worse.  So I admit to a bit of schadenfreude when I saw the article, and the data, on the massive decline in infosec Twitter activity earlier this year.  Honestly, I'm glad to see more people leaving.  But that's just me.

I didn't always agree with Kevin Mitnick professionally, but I respected what he achieved.  I was sorry to see the news last week of his passing from cancer at 59.  I've lost friends and family to cancer, and my thoughts are with his family and those who were close to him.

On that somber note, let's take a look back at the week that was.

TETRA:BURSTs On the Scene

As a teaser for an upcoming Black Hat presentation, some preliminary details on vulnerabilities in TETRA have been released.  TETRA (TErrestrial Trunked RAdio) "is a digital trunked mobile radio standard developed to meet the needs of traditional Professional Mobile Radio (PMR) user organizations" - including public safety, utilities, transportation, and government and military operations.  In use in over 100 countries, TETRA was developed nearly two decades ago and, wait for it, utilizes proprietary, closes cryptographic systems.  cue montage of hands slapping foreheads That's invariably a ticking time bomb, and it seems TETRA is no exception.

Never roll your own crypto.

Five CVEs have been teased, though details have not yet been published:

• CVE-2022-24401- Critical:  The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. 
• CVE-2022-24402 - Critical: The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
• CVE-2022-24404 - High: Lack of ciphertext authentication on AIE allows for malleability attacks.
• CVE-2022-24403 - High: The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.
• CVE-2022-24400 - Low: A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.

Collectively, these vulnerabilities have been dubbed TETRA:BURST by the researchers at Midnight Blue.  Stay tuned - they'll be presenting at Black Hat August 9th, with rapid follow-ups at Usenix Security on the 11th, and DEF CON on the 13th.

• https://tetraburst.com/
• https://www.etsi.org/technologies/tetra
• https://www.vice.com/en/article/4a3n3j/backdoor-in-police-radios-tetra-burst
• https://www.theregister.com/2023/07/24/tetra_radio_security_flaws/

I Like to MOVEit!

That's right, if my brain is going to earworm me every time I read this, I'm sharing it.  With that out of the way, the MOVEit breach is turning into one of the largest cybersecurity incidents of the year.  We've been seeing a lot of interest from our customers, so I know there is a lot of concern out there in the community.  With reports continuing to surface it seems clear we'll have more than 500 victim organizations.  It seems likely that it will be a while before the true scope of the impact is known; just how many organizations were hit, and how many millions of individuals have likely had their records breached.

• https://www.theregister.com/2023/07/20/moveit_victim_count/
• https://www.cybersecuritydive.com/news/moveit-breach-timeline/687417/
• https://therecord.media/more-companies-confirm-moveit-related-data-incidents-shutterfly-tjmaxx-tomtom

InfoSec Twitter Is Dead

Confirming what everyone who is actually part of the community already knew, the infosec community largely abandoned Twitter earlier this year - late-April to early-May, more precisely.  I was actually an early departer - I'd had enough of Twitter's antics in late-2022 and headed over to the Fediverse, Infosec.Exchange in particular.  But the data shows subsequent changes at Twitter have been quite effective at killing most of the remaining community.

Over the last 3 weeks of our data (June 21 to July 12, 2023), we saw a weekday daily tweet count drop from the 1,272 pre-Elon average to just 333 tweets a day, which is about a 74% drop in weekday tweets. The 2-week rolling average (including weekends) dropped down to 272 tweets over the final 2 weeks. When I attempt to remove automated CVE announcements (bots), the drop is even more significant, dropping from over 500 a day down to 66 over the last two weeks, an 87% decrease in CVE-related tweets.

This does explain an apparent uptick I noticed in infosec activity in the Fediverse in recent months.  I suppose more people made the jump.

• https://www.cyentia.com/the-death-of-infosec-twitter/
• https://www.scmagazine.com/news/researcher-flags-post-elon-data-showing-infosec-twitter-is-dead

RIP, Kevin Mitnick

I graduated from college in 1994 and got my first 'Internet' job with a long-since gone access server vendor, Xylogics, not long after.  I'd already developed an interest in networks and security in school, and I was active on USENet back then, so of course I saw the news in early 1995 when Kevin Mitnick was arrested.  The 'Free Kevin' movement was an early example of hacktivism, with corporate sites being defaced with the message, etc.  His name kept popping up over the years during his trial and while serving his sentence, and then again with his release and new life in the infosec community. 

In my subsequent career I've seen him keynote and present multiple times over the years, I've run into him at tradeshows, etc.  I think it is fair to say that he's been a controversial figure both within the infosec community with without, but he certainly was a prominent figure in the industry for the past couple of decades.  Whether or not you agreed with his views, they had an impact simply because there were many who listened to what he had to say, and he had the voice of authority.  Kevin had an outsized impact on our industry, in what is now a time cut short.  

Kevin Mitnick died Sunday, July 16th, 2023 aged 59, of pancreatic cancer,

• https://www.dignitymemorial.com/obituaries/las-vegas-nv/kevin-mitnick-11371668
• https://blog.knowbe4.com/kevin-david-mitnick-aug-6-1963-july-16-2023
• https://apnews.com/article/mitnick-hacker-ghost-wires-cybersecurity-social-engineering-5648301b615635cb4c781f0c220681d9
• https://www.washingtonpost.com/obituaries/2023/07/20/kevin-mitnick-hacker-dies/
• https://boingboing.net/2023/07/19/kevin-mitnick-1963-2023.html

Until Next Time

You can always check out past issues of This Week In Security.  I also encourage you to explore the wider library of content published by the F5 SIRT.

See you again in seven weeks, give or take.