Scrape Timestamp (UTC): 2024-04-22 02:00:51.134

Source: https://www.theregister.com/2024/04/22/in_brief_security/

Original Article Text

MITRE admits 'nation state' attackers touched its NERVE R&D operation. PLUS: Akira ransomware resurgent; Telehealth outfit fined for data-sharing; This week's nastiest vulns.

Infosec In Brief

In a cautionary tale that no one is immune from attack, the security org MITRE has admitted that it got pwned. The non-profit reported that its R&D research center – the Networked Experimentation, Research, and Virtualization Environment (NERVE) – was penetrated using zero-day flaws in an Ivanti virtual private network. MITRE reports it was one of many targeted by what it described as "a foreign nation-state threat actor."

"No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cyber security possible," warned Jason Providakes, president and CEO of MITRE. "We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry's current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices."

MITRE explained that its core networks were not compromised, but that the incident should serve as a call to arms for the industry; more details will be published later.

International cyber agencies issue Cisco security warning

CISA, the FBI, Europol's European Cybercrime Centre, and the Netherlands' National Cyber Security Centre have issued a warning that the Akira ransomware remains a threat. Akira ransomware deployed by Russian-linked gangs has been a problem for some time.

As we reported last year, the miscreants controlling it have been targeting a flaw (CVE-2023-20269) in the remote access VPN feature of Cisco's Adaptive Security Appliance and Firepower Threat Defense software. It also turns out the same bad actors have been relying on an issue patched in 2020 (CVE-2020-3259) in the web services interfaces of the same Cisco software products.

Government cyber security groups say they're still at it. They report that recent evidence suggests miscreants are busily abusing those known Cisco vulnerabilities to gain initial access, achieve persistence, steal data and encrypt files. The joint cyber security advisory details indicators of compromise and the tactics, techniques, and procedures that potential victims can use to spot attacks – and we suggest giving the full document a read.

Old vulnerabilities don't just go away because they're outdated. If anything they're hot targets that continually top lists of the most abused flaws. Like a busted window covered with a trash bag and cardboard, an unpatched legacy system – especially one that sits on the edge of a network like a VPN or web interface – is a great indicator of an organization ripe for the picking. Look, we get it – this vulture is intimately familiar with customers who for very sound reasons can't take systems offline for a patch. But we also know this is a choice: be caught with your pants down, or endure the inconvenience to avoid an easily preventable security disaster.

Critical vulnerabilities of the week: Atlassian Bamboopsies

Leading the list of critical vulnerabilities this week are a trio of critical issues in Atlassian's Bamboo Data Center and Server – all of which have been fixed in the latest release. The first (CVE-2024-22257, CVSS 8.2) is a broken access control issue in Spring Security: when AuthenticatedVoter#vote is passed a null authentication parameter, an unauthenticated attacker can expose assets. The other two (CVE-2024-22259, CVSS 8.1, and CVE-2024-22243, CVSS 8.1) involve issues in the Spring Web dependency that can lead to server-side request forgery.

Elsewhere:

Yet another telehealth firm fined for sharing customer data

If it's a day ending in "Y" that means an online healthcare business has done something irresponsible or unethical with customer data. Case in point: last week online mental health care company Cerebral agreed to pay the Federal Trade Commission more than $7 million to settle charges it disclosed health information belonging to nearly 3.2 million customers to sites like LinkedIn, Snapchat and TikTok through the use of tracking tools embedded in its website and apps. Cerebral and its former CEO, Kyle Robertson, were accused of not only sharing customer data for advertising purposes, but also misleading customers about cancellation policies and engaging in deceptive practices with respect to substance use disorder treatment. As was the case with online mental health site BetterHelp and online pharmacy GoodRx, both of which were accused of similar bad behavior, the fine comes along with an agreement not to share customer data. Robertson hasn't agreed to the settlement terms, and his charges "will be decided by the court," the FTC declared.

Daily Brief Summary

NATION STATE ACTIVITY // MITRE Targeted by Nation State in High-Profile Cyberattack

MITRE's R&D center, NERVE, was breached using zero-day flaws in an Ivanti virtual private network.

The attack was attributed to a foreign nation-state threat actor, emphasizing no organization's immunity to such sophisticated threats.

While MITRE's core networks remained secure, the incident underscores the need for industry-wide vigilance and improved cyber defense strategies.

MITRE plans to share insights from this breach to help bolster the cyber defense of other organizations.

The broader report also discusses ongoing threats from the Akira ransomware, linked to Russian-linked gangs exploiting known Cisco vulnerabilities for initial access, persistence, data theft and encryption.

In recent events, Cerebral, an online mental health care provider, was fined over $7 million for sharing customer data with major social platforms, illustrating ongoing data privacy issues in the telehealth sector.

Critical vulnerabilities this week highlighted three issues in Atlassian's Bamboo Data Center and Server, alongside the persistent risk posed by unpatched legacy systems and the importance of timely updates.