MITRE admits 'nation state' attackers touched its NERVE R&D operation

PLUS: Akira ransomware resurgent; Telehealth outfit fined for data-sharing; This week's nastiest vulns

Infosec In Brief In a cautionary tale that no one is immune from attack, the security org MITRE has admitted that it got pwned.

The non-profit reported that its R&D research center – the Networked Experimentation, Research, and Virtualization Environment (NERVE) – was penetrated using zero-day flaws in an Ivanti virtual private network. MITRE reports it was one of many targeted by what it described as "a foreign nation-state threat actor."

"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cyber security possible," warned Jason Providakes, president and CEO of MITRE.

"We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices."

MITRE explained that its core networks were not compromised, but that the incident should serve as a call to arms for the industry, and that more details will be published later.

Alert for Windows PuTTY users: As per the homepage of the terminal tool, PuTTY 0.81 "fixes a critical vulnerability CVE-2024-31497 in the use of 521-bit ECDSA keys. If you have used a 521-bit ECDSA private key with any previous version of PuTTY, consider the private key compromised: remove the public key from authorized_keys files, and generate a new key pair.

"However, this only affects that one algorithm and key size. No other size of ECDSA key is affected, and no other key type is affected."

It turns out it is possible to recover someone's 521-bit ECDSA private key from signatures made with the affected PuTTY versions, so if you have such a key, now's the time to rotate it.
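The rotation advice above presumes you can find every affected key. As an added example (not code from the PuTTY project or the article), this Python check scans authorized_keys content for 521-bit ECDSA keys by parsing each key blob's SSH wire format rather than trusting the declared type alone; the sample file and its key blobs are constructed, not real keys.

```python
import base64
import struct
AFFECTED = "ecdsa-sha2-nistp521"  # the only key type and size CVE-2024-31497 affects
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", AFFECTED}

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_strings(blob: bytes) -> list:
    """Split a decoded public-key blob into its wire-format strings."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if truncated
        if pos + 4 + n > len(blob):
            raise ValueError("truncated string body")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def is_affected_key(line: str) -> bool:
    """True if an authorized_keys line carries a 521-bit ECDSA key (options allowed)."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return False
    while fields and fields[0] not in KEY_TYPES:  # skip leading option fields
        fields = fields[1:]
    if len(fields) < 2:
        return False
    try:
        parts = read_ssh_strings(base64.b64decode(fields[1], validate=True))
    except (ValueError, struct.error):
        return False  # malformed blob: not a usable key, so nothing to rotate
    # Check the curve name inside the blob, not only the declared key-type field.
    return fields[0] == AFFECTED or (len(parts) > 1 and parts[1] == b"nistp521")

def affected_lines(text: str) -> list:  # 1-based line numbers of keys to rotate
    return [i for i, l in enumerate(text.splitlines(), 1) if is_affected_key(l)]

def make_blob(key_type: str, curve: str) -> str:
    """Constructed key blob for the sample below; the point bytes are not a real key."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(curve.encode())
                            + ssh_string(b"\x04" + b"\x11" * 132)).decode()

SAMPLE = "\n".join([  # constructed sample authorized_keys content, not real keys
    "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)).decode(),
    "ecdsa-sha2-nistp256 " + make_blob("ecdsa-sha2-nistp256", "nistp256") + " bob@build",
    'no-pty,command="/usr/bin/backup" ' + AFFECTED + " " + make_blob(AFFECTED, "nistp521") + " backup",
    "ecdsa-sha2-nistp521 not-base64!!",
])
```

Option fields containing quoted spaces are not handled by the whitespace split; on a real file, feed it the contents and act on the returned line numbers.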

International cyber agencies issue Cisco security warning

CISA, the FBI, Europol's European Cybercrime Center, and the Netherlands' National Cyber Security Centre have issued a warning that the Akira ransomware remains a threat.

Akira ransomware deployed by Russian-linked gangs has been a problem for some time. As we reported last year, the miscreants controlling it have been targeting a flaw (CVE-2023-20269) in the remote access VPN feature of Cisco's Adaptive Security Appliance and Firepower Threat Defense software.

It also turns out the same bad actors have been relying on an issue patched in 2020 (CVE-2020-3259) in the web services interfaces of the same Cisco software products.

Government cyber security groups say they're still at it. They report that recent evidence suggests miscreants are busily abusing those known Cisco vulnerabilities to gain initial access, achieve persistence, steal data and encrypt files.

The joint cyber security advisory details indicators of compromise and tactics, techniques, and procedures that potential victims can use to spot attacks – and we suggest giving the full document a read.

Old vulnerabilities don't just go away because they're outdated. If anything they're hot targets that continually top lists of the most abused flaws.

Like a busted window covered with a trash bag and cardboard, an unpatched legacy system – especially one that sits on the edge of a network like a VPN or web interface – is a great indicator of an organization ripe for the picking.

Look, we get it – this vulture is intimately familiar with customers who for very sound reasons can't take systems offline for a patch. But we also know this is a choice: be caught with your pants down, or endure the inconvenience to avoid an easily preventable security disaster.

Critical vulnerabilities of the week: Atlassian Bamboopsies

Leading the list of critical vulnerabilities this week are a trio of issues in Atlassian's Bamboo Data Center and Server – all of which have been fixed in the latest release.

The first (CVE-2024-22257, CVSS 8.2) is a broken access control issue in Spring Security: when application code passes a null authentication parameter to AuthenticatedVoter#vote, the check does not reliably deny access, allowing an unauthenticated attacker to expose assets. The other two (CVE-2024-22259, CVSS 8.1, and CVE-2024-22243, CVSS 8.1) involve issues in the Spring Web dependency that can lead to server-side request forgery.

Elsewhere:

  • CVSS 9.2 – CVE-2024-3493: Several Rockwell Automation PLCs are improperly validating input, allowing attackers to cause nonrecoverable faults.
  • CVSS 9.1 – CVE-2021-20599: Multiple versions of Mitsubishi Electric's MELSEC iQ-R series CPU modules are transmitting sensitive data in cleartext, allowing an attacker to hijack credentials.
  • CVSS 8.8 – Multiple CVEs: Electrolink FM/DAB/TV transmitters contain a number of vulnerabilities enabling attackers to obtain full system access and execute arbitrary code.
  • CVSS 8.8 – CVE-2024-20295: Cisco Integrated Management Controller is insufficiently validating user input, allowing an unauthenticated local attacker to inject commands and elevate privileges.
  • CVSS 8.7 – CVE-2024-20356: The same Cisco vulnerability in IMC listed above also exists in the web management interface.
  • CVSS 8.7 – CVE-2024-1480: Several models of Unitronics' Vision series PLCs are storing passwords in a recoverable format, allowing an attacker to steal credentials and hijack devices.

Yet another telehealth firm fined for sharing customer data

If it's a day ending in "Y" that means an online healthcare business has done something irresponsible or unethical with customer data.

Case in point: last week online mental health care company Cerebral agreed to pay the Federal Trade Commission more than $7 million to settle charges it disclosed health information belonging to nearly 3.2 million customers to sites like LinkedIn, Snapchat and TikTok through the use of tracking tools embedded in its website and apps.

Cerebral and its former CEO, Kyle Robertson, were accused of not only sharing customer data for advertising purposes, but also misleading customers about cancellation policies and engaging in deceptive practices with respect to substance use disorder treatment.

As was the case with online mental health site BetterHelp and online pharmacy GoodRx, both of which were accused of similar bad behavior, the fine comes along with an agreement not to share customer data.

Robertson hasn't agreed to the settlement terms, and his charges "will be decided by the court," the FTC declared. ®
