CyberWeekly 19' Oct | Issue #10
Apple and Google propose shorter SSL/TLS certificate lifecycles, CISA warns of SolarWinds vulnerabilities, Iranian cyber threats targeting critical infrastructure, and post-quantum cryptography.

Apple and Google Want Shorter Certificate Lifecycles
(October 15, 2024)
Apple has proposed a significant reduction in the validity period of SSL/TLS certificates, currently set at 398 days. The proposal outlines a phased approach to decrease this lifespan, ultimately aiming for a mere 45-day validity period by 2027. Concurrently, Google is considering a reduction in domain validation reuse periods to 90 days or less. This shift has sparked dissatisfaction among system administrators, who express concerns about the operational challenges posed by such frequent renewals.
The push for shorter lifecycles is largely motivated by security considerations. Shorter certificate lifetimes minimize the window of opportunity for compromised certificates to be exploited, thereby enhancing overall security. However, this necessitates robust automation processes for certificate renewals, especially as organizations increasingly deploy certificates across various endpoints and services. The implementation of standard protocols like ACME could facilitate this transition, allowing for more seamless updates and reducing the burden on IT teams.
CISA: SolarWinds Hardcoded Credential Bug is Being Actively Exploited
(October 15 & 16, 2024)
The Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in SolarWinds Web Help Desk, characterized by hardcoded credentials that could permit unauthenticated remote access to internal functionalities. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog and poses significant risks as it allows potential attackers to modify sensitive data. SolarWinds has issued a hotfix to address this issue.
The specific vulnerabilities include CVE-2024-28986, which involves a Java deserialization flaw with a CVSS score of 9.8, and CVE-2024-28987, the hardcoded credential issue with a score of 9.1. Users are advised to upgrade directly to WHD version 12.8.3 Hotfix 3 to mitigate these risks effectively. The urgency of remediation is underscored by CISA's deadline of November 5th for addressing this vulnerability.
Security Agencies from US, Canada, and Australia Warn Iranian State-Sponsored Cyberthreat Actors are Targeting Critical Infrastructure
(October 16 & 17, 2024)
In a collaborative advisory, the FBI, CISA, NSA, along with Canadian and Australian cybersecurity agencies, have alerted organizations about Iranian state-sponsored cyber actors targeting critical infrastructure sectors. The advisory highlights tactics such as password spraying and MFA push bombing, which are employed to gain unauthorized access to accounts.
Organizations are urged to bolster their defenses against these tactics by implementing phishing-resistant multi-factor authentication (MFA) solutions and ensuring that all internet-facing services are adequately protected. Training users to recognize suspicious login attempts and promptly deny unauthorized MFA requests is essential in mitigating these threats. Security practices should also include stringent password policies aligned with NIST guidelines and timely account management procedures.
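A defender-side detection sketch for the two tactics the advisory names, added here as an illustration and not part of the advisory or the newsletter: it flags a source that fails logins against many distinct accounts (password spraying) and an account that receives a burst of MFA push prompts (push bombing). The event names, thresholds and sample events are constructed assumptions, not any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the advisory): (time, event, account, source IP)
SAMPLE_EVENTS = [
    ("2024-10-16T08:00:01", "LOGIN_FAIL", "alice", "203.0.113.7"),
    ("2024-10-16T08:00:04", "LOGIN_FAIL", "bob", "203.0.113.7"),
    ("2024-10-16T08:00:07", "LOGIN_FAIL", "carol", "203.0.113.7"),
    ("2024-10-16T08:00:11", "LOGIN_FAIL", "dave", "203.0.113.7"),
    ("2024-10-16T08:00:16", "LOGIN_FAIL", "frank", "198.51.100.4"),  # one user mistyping
    ("2024-10-16T08:05:00", "MFA_PUSH_SENT", "carol", "203.0.113.9"),
    ("2024-10-16T08:05:30", "MFA_PUSH_SENT", "carol", "203.0.113.9"),
    ("2024-10-16T08:06:00", "MFA_PUSH_SENT", "carol", "203.0.113.9"),
    ("2024-10-16T08:07:20", "MFA_PUSH_SENT", "carol", "203.0.113.9"),
    ("2024-10-16T08:09:00", "MFA_PUSH_SENT", "alice", "192.0.2.10"),  # one legitimate prompt
]
SPRAY_MIN_USERS, SPRAY_WINDOW = 4, timedelta(minutes=10)  # assumed: distinct accounts per source
PUSH_MIN_PROMPTS, PUSH_WINDOW = 4, timedelta(minutes=5)   # assumed: MFA prompts per account

def _parse(events):
    return sorted((datetime.fromisoformat(t), ev, u, ip) for t, ev, u, ip in events)

def detect_password_spraying(events, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """Source IP -> accounts, for sources whose failures hit many distinct accounts in one window."""
    by_ip = defaultdict(list)
    for ts, ev, user, ip in _parse(events):
        if ev == "LOGIN_FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):          # sliding window over sorted failures
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def detect_mfa_push_bombing(events, min_prompts=PUSH_MIN_PROMPTS, window=PUSH_WINDOW):
    """Account -> peak number of MFA prompts received in one window, when at/above threshold."""
    by_user = defaultdict(list)
    for ts, ev, user, _ in _parse(events):
        if ev == "MFA_PUSH_SENT":
            by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        peak = max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
        if peak >= min_prompts:
            flagged[user] = peak
    return flagged
```

Both detectors return an empty mapping for the benign events (a single user mistyping a password, one legitimate prompt), so only the sprayed accounts and the bombed account surface as alerts.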
Readiness for Post-Quantum Cryptography Means Renovation and Innovation
(October 15 & 16, 2024)
A recent survey conducted by General Dynamics Information Technology (GDIT) reveals that nearly 50% of US federal cybersecurity decision-makers view legacy systems as a primary barrier to adopting post-quantum cryptography (PQC). While many agencies are developing strategies for PQC readiness, resource constraints leave some without defined plans or priorities.
The survey emphasizes the need for ongoing monitoring and updating of cryptographic systems as new standards emerge. In response to these challenges, CISA has published guidance aimed at aiding agencies in their transition towards PQC. Additionally, NIST has finalized several algorithms designed to withstand quantum computing threats. The formation of the Fully Homomorphic Encryption Technical Consortium (FHETCH) aims to promote standards for quantum-resilient cryptography solutions, further facilitating this transition.
CISA/FBI “Bad Practices” Guidance Open to Feedback
(October 16 & 17, 2024)
CISA and the FBI have released a joint document titled "Product Security Bad Practices," inviting public comment until December 2, 2024. This guidance outlines risky software design practices that manufacturers should avoid to reduce customer risk. It categorizes bad practices into three main areas: product properties (e.g., reliance on memory-unsafe languages), security features (e.g., lack of multi-factor authentication), and organizational processes (e.g., failure to publish timely vulnerability disclosures).
This initiative reflects an ongoing effort to improve software security standards through public engagement and feedback. By highlighting poor coding practices under their Secure by Design initiative, CISA aims to encourage manufacturers to adopt better security measures in their products.
US Defense Department Publishes Cybersecurity Maturity Model Certification Rule
(October 11, 14, 15, & 17, 2024)
The US Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) Program Rule aimed at safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Set to take effect in mid-December, this rule establishes standardized security measures that contractors must implement.
Over the past decade, requirements surrounding the protection of FCI and CUI have become increasingly stringent. The introduction of CMMC serves as a critical framework for ensuring compliance with these requirements in federal contracts. Organizations seeking contracts will need to demonstrate adherence to these security measures as part of their bidding process.
Sponsored
Here are the top 5 IDA Pro plugins that will help you in your malware analysis endeavours. These are the best plugins for automating the reverse engineering process.
TL;DR: Top 5 Best IDA Pro Plugins
HexRaysCodeXplorer, Flare IDA Repo, HashDB, Diaphora, Ret Sync
https://guidedhacking.com/threads/top-5-best-ida-pro-plugins-for-malware-analysis.20107/
Without our sponsors and partners, hacklido wouldn't be where it is now, so we would like to thank them.
Sponsors:
Community Partners:
Would you like to sponsor or partner with hacklido and benefit from it? Reach out to us via email@hacklido.com to discuss!