Cyber Security Today, August 18, 2023 – CISA urges action on a Citrix ShareFile vulnerability, and more

The CISA urges action on a Citrix ShareFile vulnerability, and more.

Welcome to Cyber Security Today. It’s Friday, August 18th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

A vulnerability in the storage zones controller of Citrix’s ShareFile file transfer application has caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency. An alert and fix about this vulnerability was issued by Citrix in June. But the cybersecurity agency is now warning federal departments — and all organizations — using this application to install the fix. Vulnerable file transfer applications like Accelion FTA, GoAnywhere MFT and MOVEit have been targets for hackers over the past two years.

UPDATE: According to a statement issued by Citrix after this story was published, a fix for CVE-2023-24489 was released on May 11th with Version 5.11.24, one month before the security bulletin was issued. Customer patching was proactively handled and by June 13th over 83 per cent of them had patched their environments before the incident was made public. Also, by June 13th all unpatched SZC hosts were blocked from connecting to the ShareFile cloud control plane, making unpatched SZC hosts unusable with ShareFile. On August 16th when CISA added the CVE to their known exploited vulnerability catalog there there was a spike to 75 attacks. But, Citrix says this died down immediately given that the issue has been addressed. Our control plane, Citrix says, is no longer connected to any ShareFile StorageZones Controller (SZC) that is not patched. The incident affected less than three per cent of Citrix ShareFile install base, meaning 2,800 customers.

Separately, CNN reports that the White House has ordered federal departments to get cracking on complying with a 2021 executive order to boost their cybersecurity posture. As of the end of June many departments and agencies were behind, says a memo to senior officials. They have until the end of this year to meet their deadlines.

Still with the U.S. government, the Consumer Financial Protection Bureau is promising action to ensure data brokers comply with the U.S. Fair Credit Reporting Act. That act requires data being sold to third parties, such as credit and employment agencies, must be accurate. The bureau might also limit the ability of credit reporting companies to disclose personal information that could be used to contact people who don’t want to be bothered by marketers.

Microsoft still hasn’t closed a significant hole in the naming policies of modules developers can put in PowerShell Gallery. That’s according to researchers at Aqua Security. As a result threat actors can plunk malware in Gallery modules or scripts with similar names to legitimate packages. It’s the same tactic used by threat actors in open source libraries like GitHub, NPM and others. There are over 9 billion packages in PowerShell Gallery. What’s the risk? A Windows or Azure developer could download what they think is a legitimate package and infect their IT system.

UPDATE: After this podcast was recorded Microsoft told The Register that it has made some changes to help identify and remove from the Gallery packages with misleading names.

Last month researchers at vpnMentor completed a 14 month-long experiment. They set up a honeypot with fake data — an unprotected website purporting to be a fraud prevention company — to see what would happen. Within a month it had been found and somone started stealing data. Word must have spread because over the test period there were about 50,000 downloads a month. Lesson one: If your IT environment has data that can easily be stolen, someone will find it fast. The other thing the researchers noticed is no one tried to warn the fake company about its leaky website. Lesson two: Don’t expect Good Samaratins to warn you of security issues.

Here’s an interesting thing about that report: It outlines how hard it is now to misconfigure AWS S3 storage buckets. That’s because there are a number of warnings when setting up bucks. However, AWS application misconfigurations are a big problem. The director of the office of the CISO told Cybersecurity Dive that one big mistake AWS developers make is not limiting an application’s level of access and permissions. Not every operation of a piece of software needs to access every AWS function. Wide access means a successful hacker can also access everything the application can. It’s worth thinking about.

Finally, a service that allowed the sharing of files anonymously has shut because it was being abused by threat actors. Bleeping Computer reports that AnonFiles closed this week because crooks were using it to pass around stolen data and host malware. The service tried banning hundreds of thousands of files. But its hand was forced when the service’s proxy provider — which enabled the anonymity — had had enough.

Later today the Week in Review will be available. Among the topics being discussed is this week’s report by the Cyber Safety Review Board on why the Lapsus$ extortion gang was so successful.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Sponsored By:

Cyber Security Today Podcast