Today’s Tales from the Trenches is brought to you by Bill Burge, Senior Security Solutions Consultant.

When you’re first diving into network modeling with RedSeal, one of the initial tasks is connecting to network devices to gather their configurations. It’s a step that seems simple enough, but that elusive F-word, “Failed” becomes an all-too-familiar sight. But here’s the thing—each network has its own set of requirements, and once you crack the code, things move pretty smoothly.

That is, unless one device (or a whole set of them) decides to be a rebel. Suddenly, you’re stuck with the F-word. But wait—could that “F” word actually stand for something else? Could it be “Finding” instead of “Failed”? Maybe, just maybe, while you’re trying to pull configurations to find potential network issues, you’ve already stumbled upon something valuable about the network itself.

Customer 1: The Vegas Shuffle

Imagine this: a major Las Vegas resort and casino is trying to connect a seemingly simple firewall to a T1 for their “deal of the day” promotions. Sounds straightforward, right? Well, don’t get too excited yet. Despite repeated efforts, all they get is that dreaded “Failed.” The firewall team insists it’s up and running, and they’re logged in. Still, nothing but failure.

A bit of digging reveals the issue—turns out the IP address we’re trying to connect to is on the inside transit network of the firewall. The same subnet is defined as the failover link between the two core routers. When asked, NetOps (with a few “C” titles sprinkled in) were asked what would happen if one core router failed. Their response? The entire internal data traffic would reroute to the T1 link, leading to the “deal of the day” server. Suddenly, “Failed” isn’t just a failure—it’s a crucial finding that was previously unknown to the team.

Customer 2: The European Firewall Fiasco

Now let’s talk about a hardware and software manufacturer with a global presence. They’ve got firewalls scattered worldwide, and I’m given a list of firewalls along with a TACACS credential that’s “good for every firewall in the network.” Sounds too good to be true, doesn’t it?

After creating a couple thousand data collection tasks, everything seems to be humming along—until we hit the dreaded F-word again. But this time, something strange happens: the failed devices share a pattern. Upon investigating, we uncover that all the firewalls in Europe are pointed to the wrong TACACS server. That’s a major design flaw that had slipped under the radar, and it only came to light when RedSeal couldn’t pull the necessary data.

In each of these cases, what appeared initially to be failures, turned out to be incredibly valuable findings. We were able to uncover network design issues that had gone unnoticed until the F-word reared its head.

So, next time you see “Failed,” don’t just assume it’s the end of the world. It might just be the beginning of a crucial network discovery!

Reach out to RedSeal or schedule a demo today today for a personalized walkthrough and discover how RedSeal can revolutionize your approach to cybersecurity.

In this week’s cybersecurity news roundup, we cover a range of critical vulnerabilities and ongoing threats. Highlights include the disclosure of a severe Apache Struts 2 vulnerability with a high CVSS score, a potential shift in U.S. Cyber Command and NSA leadership, and a Microsoft MFA bypass attack named AuthQuake. We’re also seeing a series of high-stakes cyberattacks, including the exploitation of AWS misconfigurations, a ransomware assault on Electrica Group, and a breach at Krispy Kreme. As cyber risks continue to evolve, these incidents serve as a stark reminder of the need for robust security measures.

A critical vulnerability in Apache Struts 2 has been disclosed

A critical vulnerability in Apache Struts 2, CVE-2024-53677, has been disclosed with a near-maximum severity score: 9.5 (CVSSv4) and 9.8 (CVSSv3). This flaw allows remote code execution via malicious file uploads and lacks a workaround, making patching to Struts 6.4.0 or higher essential. Applications not using the deprecated File Upload Interceptor are unaffected. Updating requires rewriting actions for compatibility. Despite alternatives, Struts 2 remains popular, with significant downloads monthly. The vulnerability underscores risks, recalling Struts’ role in the 2017 Equifax breach. (The Register)

Trump advisors explore splitting NSA and CyberCom leadership roles

Advisers to President-elect Donald Trump are revisiting plans to separate U.S. Cyber Command (CyberCom) and the National Security Agency (NSA), currently led under a “dual-hat” structure. This idea, previously explored during Trump’s first term, has resurfaced within the transition team and right-wing think tanks. Proponents argue the roles are too vast for one leader, while critics warn of operational inefficiencies and risks to NSA’s intelligence-gathering integrity.

The arrangement, established in 2010, has sparked debates across administrations, with President Biden’s 2022 review favoring its retention. Legal hurdles exist, but Trump could bypass Congress with executive actions. A split would raise complex restructuring questions and could dilute CyberCom’s and NSA’s effectiveness. Lawmakers remain skeptical, emphasizing the need for clear justification. Critics also highlight the irony of Trump’s anti-bureaucracy stance driving a move that could create new administrative challenges. For now, the dual-hat structure remains intact. (The Record)

Microsoft MFA bypassed in AuthQuake PoC

Researchers at Oasis Security presented details of an attack technique that could have given threat actors access to Outlook emails, OneDrive files, Teams chats, and Azure cloud instances. Needing only an hour to execute, it required no user interaction, and it would not trigger any notification to the victim. The attack is based on exploitation of the authenticator app process, in which a user to obtains a six-digit MFA code on their app. The researchers saw that one session supports up to 10 failed attempts to prevent brute-force attacks, but they then saw that an attacker could execute multiple attempts simultaneously, enabling them to go through possible combinations relatively fast. Oasis named this attack method AuthQuake, and reported it to Microsoft in late June. A temporary fix was deployed a few days later, followed by a permanent fix in October. (Security Week)

Ivanti reports multiple critical vulnerabilities in its Cloud Services Application

Ivanti has issued a security advisory for three critical vulnerabilities in its Cloud Services Application (CSA), including a maximum CVSS 10-rated flaw, CVE-2024-11639, which allows unauthenticated attackers to gain administrative privileges via authentication bypass in the admin web console. Two additional vulnerabilities, both rated 9.1, include a command injection flaw (CVE-2024-11772) enabling remote code execution and an SQL injection bug (CVE-2024-11773) that allows arbitrary SQL commands. These flaws are exploitable in CSA versions 5.0.2 and earlier, with patches available in version 5.0.3. Ivanti stated there is no evidence of exploitation but urges immediate updates to prevent potential attacks. This follows previous high-profile CSA vulnerabilities flagged by CISA due to active exploitation risks. (The Register)

Chinese APT abuses Visual Studio Code Tunnels for C2 purposes

SentinelOne has published a report on a Chinese cyberespionage campaign that targeted “large business-to-business IT service providers in Southern Europe” from late June to mid-July 2024. The threat actor used SQL injection against Internet-facing web and database servers to gain initial access. The campaign was detected and disrupted during its early stages. Notably, the operation abused Visual Studio Code Remote Tunnels for command-and-control purposes. The researchers explain, “Originally designed to enable remote development, this technology provides full endpoint access, including command execution and filesystem manipulation. Additionally, Visual Studio Code tunneling involves executables signed by Microsoft and Microsoft Azure network infrastructure, both of which are often not closely monitored and are typically allowed by application controls and firewall rules. As a result, this technique may be challenging to detect and could evade security defenses. Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an attractive and powerful capability for threat actors to exploit.” (SentinelOne)

Operation PowerOFF hits DDoS sites

Europol announced that a coordinated law enforcement effort across Finland, Australia, Brazil, Canada, the UK, and US led to the shutdown of 27 popular DDoS attack platforms. Dubbed Operation PowerOFF, the effort identified over 300 users of these platforms and the arrests of three administrators. Europol said it timed the takedowns ahead of the December holiday season to prevent the typical spike in DDoS attacks that cause “severe financial loss, reputational damage, and operational chaos for their victims.” (The Record)

AI voice generation likely used in influence operation 

Researchers at Recorded Future cited the use of generative AI voice generation technology in a recent Russian-tied campaign to weaken Europe’s support for Ukraine. The researchers found it “very likely” the campaign used commercial AI voice generation products in their efforts, including tech from ElevenLabs. These voices were used over supposed news clips to present Ukranian politicians as corrupt. The tech allowed the campaign to produce videos quickly in various languages across the EU using native speech patterns and dialects. Recorded Future concluded the actual impact of the campaign on public opinion was minimal. (TechCrunch)

Krispy Kreme hit with cyberattack

In “affront to all that is sacred” news, the US donut chain Krispy Kreme confirmed it suffered a cyberattack in an SEC filing. The attack began on November 29th, with ongoing impacts on online ordering in the US as of this recording. The attack did not impact in-person ordering and retail deliveries. In its Q3 earnings, the company reported digital orders represented 15.5% of sales. Krispy Kreme immediately sought outside expertise after discovering the attack, but no other details have been released. So far, no threat actors have taken credit for the attack. (Bleeping Computer)

Contenders for top cyber roles in the next Trump administration visit Mar-a-Lago

Brian Harrell, a seasoned veteran of the Department of Homeland Security (DHS) under the Trump administration, is reportedly a leading contender for high-ranking cybersecurity roles in the next administration, The Record reports. Sources familiar with the situation reveal that Harrell has been invited to Mar-a-Lago in the coming weeks to interview for roles such as director of the Cybersecurity and Infrastructure Security Agency (CISA) and DHS undersecretary for strategy, policy, and plans. Harrell, who previously served as DHS assistant secretary for infrastructure protection, is well-regarded for his expertise in safeguarding critical infrastructure. Recorded Future News first reported his candidacy for these prominent positions.

He is not the only one under consideration. Matt Hayden, former DHS assistant secretary for cyber, infrastructure, risk, and resilience, and Sean Plankey, a former National Security Council cyber team member and acting assistant secretary at the Department of Energy’s cybersecurity office, are also being discussed for potential leadership at CISA. Two sources confirmed Plankey’s name in the mix for the top CISA role. The forthcoming Mar-a-Lago interviews are part of broader plans to fill key positions within DHS, not only in cybersecurity but also in areas such as immigration enforcement and leadership roles at the Transportation Security Administration (TSA). This diverse hiring strategy reflects the transition team’s focus on securing leadership across various critical sectors. (The Record)

A Dell Power Manager vulnerability lets attackers execute malicious code

A critical vulnerability (CVE-2024-49600) in Dell Power Manager, used to manage power settings on Dell systems, allows attackers with local access and low privileges to execute malicious code and escalate privileges. Affecting versions prior to 3.17, the flaw stems from improper access control, enabling unauthorized access to sensitive system functions and potential full system compromise. Rated with a CVSS score of 7.8 (high severity), the vulnerability requires local access but is low in complexity and does not need user interaction. Dell has released version 3.17 to address the issue, urging users to update immediately. No workarounds exist, emphasizing the need for timely patching and robust endpoint security to mitigate risks. (Cyber Security News)

Hackers exploit AWS misconfigurations in massive data breach

Independent cybersecurity researchers, Noam Rotem and Ran Locar, uncovered a significant cyber operation exploiting vulnerabilities in public websites hosted on Amazon Web Services (AWS). Researchers linked the campaign to the Nemesis and ShinyHunters hacking groups who used tools like Shodan to scan AWS public IP ranges for application vulnerabilities or misconfigurations. They then scanned exposed endpoints for sensitive data, including credentials for popular platforms like GitHub, Twilio and cryptocurrency exchanges. Verified credentials were later marketed on Telegram channels for hundreds of euros per breach. The researchers and AWS advised customers to avoid use of hard-coded credentials by using services like AWS Secrets Manager, periodically rotating keys and secrets, deploying Web Application Firewalls (WAFs), and using CanaryTokens as tripwires for sensitive information. (Infosecurity Magazine and Dark Reading)

Romanian energy giant battles ongoing attack

A cyberattack is in progress—that’s the note investors for the Electrica Group received on Monday. Electrica Group provides energy to more than 3.8 million customers in Romania and is considered one of the most important energy service companies in the country. Providing limited details, a statement from the company’s CEO said they are working to resolve the issue and identify the source of the attack. While not confirmed, the attack is believed to be tied to ransomware. The statement went on to say that critical systems have not been affected, but customers may notice disruptions in service that were purposely implemented to protect internal infrastructure. Some are speculating Russia may have had a hand in the attack after Romania blamed pro-Russian hackers last week for interfering in their presidential election, ultimately forcing the country to annul the results. (The Record)

Ransomware disrupts medical device maker

Medical device maker Artivion reports they are still working to restore systems following a November ransomware attack that encrypted files and disrupted order, shipping, and corporate operations. The medical device company, which makes and distributes aortic-centric cardiac and vascular medical products—think mechanical human heart valves and stent grafts to over 100 countries—said the attack has caused disruptions to some order and shipping processes, though the company has largely mitigated most disruptions. As of this recording, no ransomware group has claimed responsibility for the attack. (Security Week)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.

Cybersecurity continues to be a critical focus in the face of ever-evolving threats. This week, several major incidents and advisories highlight the increasing risks across multiple sectors. From the FBI and CISA urging the use of encrypted messaging apps to protect personal communications, to the revelations of hacking groups targeting U.S. telecom networks and companies facing vulnerabilities, these developments underscore the importance of robust security measures. Notable incidents include Cloudflare’s service disruption, the rise of sophisticated phishing tools bypassing multi-factor authentication, and ongoing concerns over legacy vulnerabilities in widely used devices. In this roundup, we take a closer look at these stories and the implications for both individuals and organizations in securing their digital environments.

FBI and CISA urge Americans to use encrypted apps rather than calling

Further developments from the Salt Typhoon attack on U.S. telecommunications companies, officials from both agencies are recommending that Americans use start using encrypted messaging apps. Speaking to the media on Tuesday, Jeff Greene, executive assistant director for cybersecurity at CISA, along with a senior FBI official who asked not to be named, said they plan to use the same message as they do inside their respective organizations: Encryption is your friend,” whether it’s on messaging or encrypted voice communication. They also suggest people considering using a cellphone that “automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.” (NBC News)

Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours

This story pertains to a bug that appeared on November 14 in the internet security company’s log collection service, one that allows its customers to monitor the traffic on their websites and filter it based on certain criteria. They are also used to investigate security incidents, DDoS attacks, traffic patterns, and to perform site optimizations. This is a big service, amounting to over 50 trillion customer event logs every day, of which around 4.5 are sent to customers. The incident was caused by a misconfiguration in a log forwarder component in Cloudflare’s pipeline. The pause then created a massive spike once the system tried to resolve itself. Cloudflare has now implemented several measures to prevent future occurrences. (BleepingComputer)

Phishing tool Rockstar 2FA targets Microsoft 365 creds

Researchers at Trustwave are warning of a Phishing-as-a-service toolkit named Rockstar 2FA, which apparently targets Microsoft 365 accounts and bypasses multi-factor authentication via adversary-in-the-middle attacks. It is an updated version of the DadSec/Phoenix phishing kit. The attacks involve theft of a victim’s password and session cookie though the creation of a proxy server between a target user and the website the user wishes to visit, which itself is a phishing site. Trustwave points out a unique feature of this current campaign being websites whose common theme is cars. (Cybersecurity News)

FBI advises telecoms to boost security following Chinese hacking campaign

Since October, we’ve been covering ongoing reports that China-backed hacking group, Salt Typhoon, was reportedly in the networks of AT&T, Verizon, and Lumen (formerly CenturyLink), among others. These attacks are thought to be part of a broad Chinese espionage campaign targeting U.S. officials and also wiretap systems that might identify Chinese individuals under U.S. surveillance. On Tuesday, U.S. government officials warned that Salt Typhoon is still inside networks of some phone and internet providers. Additionally on Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance to telecommunication companies to bolster their defenses through deployment of encryption as well as centralized and consistent monitoring. The government’s guidance was issued jointly with security agencies and organizations in New Zealand, Australia, Canada, and Britain. (SecurityWeek and TechCrunch)

Decade-old Cisco vulnerability under active exploit

Cisco is warning customers that an input validation vulnerability (CVE-2014-2120) in its Adaptive Security Appliance (ASA) WebVPN login page is now actively being exploited by threat actors. Cisco documented the bug back in 2014 and exploitation could allow an unauthenticated remote attacker to launch cross-site scripting (XSS) attacks. Cisco discovered exploitation attempts in November 2024 and said customers should upgrade to a fixed software release. The company added that there are no workarounds for this flaw. This issue highlights how implementing legacy security fixes can get lost in the sea of security priorities that organizations are facing. (Dark Reading)

Misconfigured WAFs heighten security risks

According to a report from Zafran, nearly 40% of Fortune 100 companies leveraging their content delivery network (CDN) providers for Web Application Firewall (WAF) services may be exposing back-end servers to attacks. WAFs act as intermediaries between users and Web applications, inspecting traffic for an array of threats and blocking malicious activity. In total, Zafran found 2,028 domains belonging to 135 companies exposing at least one supposedly WAF-protected server. This means attackers could access the servers over the Internet to launch attacks like denial-of-service (DoS) and ransomware. The researchers explained that the issues stem from organizations not following best practices including adequately validating Web requests to back-end origin servers, filtering IP addresses and establishing encrypted TLS connections between the CDN provider and their servers. While some responsibility does lie with customers, the researchers said, “CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place.” (Dark Reading)

Japan warns of I-O Data zero-day router flaws exploited in attacks

Japan’s Computer Emergency Response Team aka CERT, is warning of a zero-day vulnerabilities in I-O Data router devices. These can be exploited to modify device settings, execute commands, or even turn off the firewall. “The vendor has acknowledged the flaws in a security bulletin published on its website.” But, the fixes are only expected to land on December 18, which means users will be exposed to risks until then unless mitigations are enabled. The three flaws, which were identified on November 13, and which all have CVE numbers, relate to information disclosure, remote arbitrary OS command execution, and the ability to disable firewalls. (BleepingComputer)

Microsoft stands firm on TPM requirements for Windows 11

Microsoft is pushing hard on its upgraded security culture by dashing the hopes some may have about lower hardware requirements for Windows 11. Windows 10 end of support is approaching in October 2025, and Microsoft says that its Trusted Platform Module (TPM) 2.0 requirement for Windows 11 is “non-negotiable.” PM 2.0. It’s a hardware-level chip or firmware capability that helps encrypt or decrypt data, confirm digital signatures, and assist with any other cryptographic operations. (The Verge)

Senators fume over response to ‘disturbing and widespread’ Chinese hack of US telecoms

Senators have expressed deep frustration over the Biden administration’s handling of a significant cyberattack by the Chinese government-linked group “Salt Typhoon,” which infiltrated numerous U.S. and global telecommunications systems. This breach, considered the most severe in telecom history, compromised the phones of officials, including President-elect Donald Trump, and potentially exposed the communications of a vast number of Americans. During a Capitol Hill briefing, lawmakers criticized the lack of accountability and demanded more transparency. Senator Rick Scott (R-Fla.) questioned the absence of preventive measures, while Senator Josh Hawley (R-Mo.) described the breach as “breathtaking” and called for declassification of details to inform the public about the potential exposure of their communications.

Senate Intelligence Committee Chair Mark Warner (D-Va.) highlighted the failure of telecom companies to secure critical systems, noting that the hackers remain embedded in these networks.  In response, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are collaborating with telecom providers to address the breach, though the full extent of the infiltration remains uncertain. CISA Director Jen Easterly announced that the Department of Homeland Security’s Cyber Safety Review Board would formally investigate the hack, with recommendations expected next year.

Lawmakers are also considering legislation to enhance cybersecurity in telecommunications, aiming to implement measures before year’s end. Senator Mike Rounds (R-S.D.) emphasized the need for enforceable cybersecurity standards for telecom companies, acknowledging that addressing these security concerns will require time. The bipartisan concern underscores the necessity for stringent cybersecurity protocols and potential retaliatory actions against China, as the administration continues to investigate and seek long-term solutions to this critical national security threat.  (Politico, Reuters, Yahoo)

Russian hackers hack hackers

In No Honor Among Thieves News, a new report from Lumen’s Black Lotus Labs details how the Russian cyber-espionage group Turla used the infrastructure of the Pakistani-linked group Storm-0156 to launch their attacks. Researchers had been observing operations by Storm-0156, finding a C2 server on an Indian government network. This server began interacting with three IP addresses known to be linked to Turla. Further research shows Turla has been using the Pakistani group’s infrastructure since 2022, using the servers to launch various backdoors and other malware. Eventually, Turla became more ambitious, moving laterally into Storm-0156’s workstation and gaining direct access to its data and tooling. Researchers at Microsoft contributing to the report said Turla used this access to target Afghan government agencies. This isn’t a new tactic for Turla. Back in 2019, the NSA put out an advisory that it hijacked infrastructure by the Iran-backed group OilRig to carry out attacks. (Bleeping Computers)

Cisco switches hit with bootloader vulnerability

The flaw impacts over 100 device models across Cisco’s MDS, Nexus, and UCS Fabric Interconnect lines, allowing attackers to bypass the bootloader verification process and load software. The flaw doesn’t require authentication but physical access to the switches. Cisco released several NX-OS updates to patch the flaws and will roll out the updates for all devices by the end of the month, excluding one discontinued Nexus model. It cautioned that no mitigations for this flaw will be provided in the interim other than preventing physical access to the switches. (Security Week)

Have questions? Reach out to RedSeal today to chat with one of our cybersecurity experts or schedule a demo today.