Source: www.darkreading.com – Author: Nate Nelson, Contributing Writer At 2024’s RSA Conference this week, brand names like Microsoft, Amazon Web Service (AWS), International Business Machines (IBM), Fortinet, and more agreed to take steps toward meeting a set of seven objectives defined by the US’s premier cyber authority. The agreement is voluntary, not legally binding, anodyne, […]

La entrada Is CISA’s Secure by Design Pledge Toothless? – Source: www.darkreading.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

In a new blog post, Ivanti says that it has found another vulnerability and urges customers to “immediately take action to ensure you are fully protected”.

This vulnerability only affects a limited number of supported versions–Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

Please read between the lines that there could be unsupported versions which will never see a patch for this vulnerability.

A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7).

Customers can access the patch via the standard download portal (login required). The instructions are somewhat complicated, to say the least. Due to all the different versions that are available, it is imperative to carefully read the instructions.

Customers can read this KB article for detailed instructions on how to apply the mitigation and apply the patch as each version becomes available. Please ensure you are following the KB article to receive updates. If you have questions or require further support, please log a case and/or request a call in the Success Portal.

Important to note:

• Customers who applied the patch released on January 31 or February 1, and completed a factory reset of their appliance, do not need to factory reset their appliances again.
• And once customers applied this newly released patch, they do not need to apply the mitigation or the patches released on January 31 and February 1. 

The vulnerability

The vulnerability, listed as CVE-2024-22024 with a CVSS score of 8.3 out of 10, allows an attacker to access certain restricted resources without authentication.

An XML external entity injection (XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and/or to interact with any back-end or external systems that the application itself can access.

Ivanti found the XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways.

Since Ivanti claims that the vulnerability came up during internal code reviews, it is unlikely that an exploit already exists, but this type of vulnerability is usually easy to exploit, so chances are, this will not take long.

Although we have seen a pretty convincing claim that they did not find it themselves:

According to Ivanti they are unaware of any evidence of customers being exploited by CVE-2024-22024.

Only a week ago all, FCEB agencies received intructions to disconnect vulnerable Ivanti products before the weekend. This because besides the Ivanti vulnerabilities actively exploited in massive numbers we wrote about on January 11, 2024, alerts went off about two new high severity flaws on January 31, 2024.

All in all, since January 10, five vulnerabilities have been reported in Ivanti products. And at least three of them are subject to active exploitation.

---

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Prosecutors in Finland this week commenced their criminal trial against Julius Kivimäki, a 26-year-old Finnish man charged with extorting a once popular and now-bankrupt online psychotherapy practice and thousands of its patients. In a 2,200-page report, Finnish authorities laid out how they connected the extortion spree to Kivimäki, a notorious hacker who was convicted in 2015 of perpetrating tens of thousands of cybercrimes, including data breaches, payment fraud, operating a botnet and calling in bomb threats.

In November 2022, Kivimäki was charged with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom. When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

Security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. By that time, Kivimäki was no longer in Finland, but the Finnish government nevertheless charged Kivimäki in absentia with the Vastaamo hack. The 2,200-page evidence document against Kivimäki suggests he enjoyed a lavish lifestyle while on the lam, frequenting luxury resorts and renting fabulously expensive cars and living quarters.

But in February 2023, Kivimäki was arrested in France after authorities there responded to a domestic disturbance call and found the defendant sleeping off a hangover on the couch of a woman he’d met the night before. The French police grew suspicious when the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

Finnish prosecutors showed that Kivimäki’s credit card had been used to pay for the virtual server that hosted the stolen Vastaamo patient notes. What’s more, the home folder included in the Vastaamo patient data archive also allowed investigators to peer into other cybercrime projects of the accused, including domains that Ransom Man had access to as well as a lengthy history of commands he’d executed on the rented virtual server.

Some of those domains allegedly administered by Kivimäki were set up to smear the reputations of different companies and individuals. One of those was a website that claimed to have been authored by a person who headed up IT infrastructure for a major bank in Norway which discussed the idea of legalizing child sexual abuse.

Another domain hosted a fake blog that besmirched the reputation of a Tulsa, Okla. man whose name was attached to blog posts about supporting the “white pride” movement and calling for a pardon of the Oklahoma City bomber Timothy McVeigh.

Kivimäki appears to have sought to sully the name of this reporter as well. The 2,200-page document shows that Kivimäki owned and operated the domain krebsonsecurity[.]org, which hosted various hacking tools that Kivimäki allegedly used, including programs for mass-scanning the Internet for systems vulnerable to known security flaws, as well as scripts for cracking database server usernames and passwords, and downloading databases.

Mikko Hyppönen, chief research officer at WithSecure (formerly F-Secure), said the Finnish authorities have done “amazing work,” and that “it’s rare to have this much evidence for a cybercrime case.”

Petteri Järvinen is a respected IT expert and author who has been following the trial, and he said the prosecution’s case so far has been strong.

“The National Bureau of Investigation has done a good job and Mr Kivimäki for his part some elementary mistakes,” Järvinen wrote on LinkedIn. “This sends an important message: online crime does not pay. Traces are left in the digital world too, even if it is very tedious for the police to collect them from servers all around the world.”

Antti Kurittu is an information security specialist and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP). Kurittu said it remains to be seen if the prosecution can make their case, and if the defense has any answers to all of the evidence presented.

“Based on the public pretrial investigation report, it looks like the case has a lot of details that seem very improbable to be coincidental,” Kurittu told KrebsOnSecurity. “For example, a full copy of the Vastaamo patient database was found on a server that belonged to Scanifi, a company with no reasonable business that Kivimäki was affiliated with. The leaked home folder contents were also connected to Kivimäki and were found on servers that were under his control.”

The Finnish daily yle.fi reports that Kivimäki’s lawyers sought to have their client released from confinement for the remainder of his trial, noting that the defendant has already been detained for eight months.

The court denied that request, saying the defendant was still a flight risk. Kivimäki’s trial is expected to continue until February 2024, in part to accommodate testimony from a large number of victims. Prosecutors are seeking a seven-year sentence for Kivimäki.