U.S. President Joe Biden has issued an Executive Order that prohibits the mass transfer of citizens’ personal data to countries of concern.

The Executive Order also “provides safeguards around other activities that can give those countries access to Americans’ sensitive data,” the White House said in a statement.

This includes sensitive information such as genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information (PII).

The U.S. government said threat actors could weaponize this information to track their citizens and pass that information to data brokers and foreign intelligence services, which can then be used for intrusive surveillance, scams, blackmail, and other violations of privacy.

“Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments,” the government said.

In November 2023, researchers at Duke University revealed that it’s trivial to “obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices” from data brokers for as low as $0.12 per record.

Stating that the sale of such data poses privacy, counterintelligence, blackmail, and national security risks, it added hostile nations could collect personal information on activists, journalists, dissidents, and marginalized communities with the goal of restricting freedom of expression and curbing dissent.

The government said the countries of concern have a “track record of collecting and misusing data on Americans.” According to the U.S. Justice Department, the countries that fall under this category include China, Russia, Iran, North Korea, Cuba, and Venezuela.

The Executive Order directs the federal agencies to issue regulations that establish clear protections for sensitive personal and government-related data from access and exploitation, as well as set high-security standards to limit data access via commercial agreements.

Additionally, the order requires the Departments of Health and Human Services, Defense, and Veterans Affairs to ensure that Federal grants, contracts, and awards are not misused to facilitate access to sensitive data.

“The Administration’s decision to limit personal data flows only to a handful of countries of concern, like China, is a mistake,” Senator Ron Wyden said in a statement, and that the argument that the U.S. government cannot be banned from buying Americans’ data is no longer valid.

“Authoritarian dictatorships like Saudi Arabia and U.A.E. cannot be trusted with Americans’ personal data, both because they will likely use it to undermine U.S. national security and target U.S. based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China.”

The latest attempt to regulate the data broker industry comes as the U.S. added China’s Chengdu Beizhan Electronics and Canadian network intelligence firm Sandvine to its Entity List after the latter’s middleboxes were found to be used to deliver spyware targeting a former Egyptian member of parliament last year.

A report from Bloomberg in September 2023 also found that Sandvine’s equipment had been used by governments in Egypt and Belarus to censor content on the internet.

Access Now said Sandvine’s internet-blocking technologies facilitated human rights violations by repressive governments around the world, including in Azerbaijan, Jordan, Russia, Turkey, and the U.A.E., noting it played a “direct role” in shutting down the internet in Belarus in 2020.

“Sandvine supplies deep packet inspection tools, which have been used in mass web-monitoring and censorship to block news as well as in targeting political actors and human rights activists,” the U.S. Department of State said, explaining its rationale behind adding the company to the trade restriction list. “This technology has been misused to inject commercial spyware into the devices of perceived critics and dissidents.”

Feb 06, 2024NewsroomCybersecurity / Vulnerability

A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation.

The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others.

The attacks exploit CVE-2024-21893 (CVSS score: 8.2), an SSRF flaw in the SAML component of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA that allows an attacker to access otherwise restricted resources without authentication.

Ivanti had previously divulged that the vulnerability had been exploited in targeted attacks aimed at a “limited number of customers,” but cautioned the status quo could change post public disclosure.

That’s exactly what appears to have happened, especially following the release of a proof-of-concept (PoC) exploit by cybersecurity firm Rapid7 last week.

The PoC involves fashioning an exploit chain that combines CVE-2024-21893 with CVE-2024-21887, a previously patched command injection flaw, to achieve unauthenticated remote code execution.

It’s worth noting here that CVE-2024-21893 is an alias for CVE-2023-36661 (CVSS score: 7.5), an SSRF vulnerability present in the open-source Shibboleth XMLTooling library. It was fixed by the maintainers in June 2023 with the release of version 3.2.4.

Security researcher Will Dormann further pointed out other out-of-date open-source components used by Ivanti VPN appliances, such as curl 7.19.7, openssl 1.0.2n-fips, perl 5.6.1, psql 9.6.14, cabextract 0.5, ssh 5.3p1, and unzip 6.00, thus opening the door for more attacks.

The development comes as threat actors have found a way to bypass Ivanti’s initial mitigation, prompting the Utah-based company to release a second mitigation file. As of February 1, 2024, it has begun releasing official patches to address all the vulnerabilities.

Last week, Google-owned Mandiant revealed that several threat actors are leveraging CVE-2023-46805 and CVE-2024-21887 to deploy an array of custom web shells tracked as BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.

Palo Alto Networks Unit 42 said it observed 28,474 exposed instances of Ivanti Connect Secure and Policy Secure in 145 countries between January 26 and 30, 2024, with 610 compromised instances detected in 44 countries as of January 23, 2024.