SANS NewsBites

Change Healthcare Shows Signs of Life; Microsoft Discloses Additional Information About Breach; CISA Systems Compromised Through Ivanti Vulnerabilities

March 12, 2024  |  Volume XXVI - Issue #20

Top of the News


2024-03-08

Change Healthcare Shows Signs of Life

Change Healthcare is beginning to recover from a February ransomware attack that disrupted the submission and processing of insurance claims and prescriptions across the US. Change Healthcare’s parent company, UnitedHealth Group, says that electronic prescription services, including claim submission and payment transmission, have been restored, and the company is taking steps to restore other services.

Editor's Note

"Signs of life" are welcomed by all the small businesses like pharmacies and doctor's offices depending on Change Healthcare. To Change Healthcare's parent, United Healthcare, paying $20 million in ransom was likely a bit more than a minor inconvenience and is not going to substantially affect financial results. However, many of the businesses depending on Change Healthcare for payment processing have a much harder time dealing with the delayed income.

Johannes Ullrich

Having heard from friends about the impact of the service outage, restoration of service, for those who didn't switch to alternative Optum services, is both anticipated and welcome. This is a good time to consider where you have weaknesses in common targets such as your RDP, VDI and VPN services. Make sure these are only available to authorized users and systems, and that you're both patched and implementing security best practices. Have you scheduled a security posture assessment to validate that?

Lee Neely

Change Healthcare continues to be under the microscope and offers many lessons that we will relearn. For example, yes, it was a malicious attack, but it also demonstrated a lack of implementation of basic cybersecurity controls for a Fortune 50 company. For the healthcare industry, and every industry vertical for that matter, it demonstrated that vendor consolidation can easily lead to supply chain disruption. I suspect many hearings will be held and many reports will be written in the coming months, but these are lessons we are already familiar with.

Curtis Dukes

2024-03-08

Microsoft Discloses Additional Information About January Breach

Microsoft says that the cyberthreat actors who breached the company’s corporate network earlier this year not only accessed company email systems, but also accessed internal systems and source code repositories. Microsoft characterizes the incident as “ongoing.” The intrusions have been attributed to Russian state-sponsored threat actors.

Editor's Note

People often talk about "assume compromise" when it comes to initiatives like "zero-trust." There is another side to this that is mentioned less frequently: "assume incomplete remediation." Evicting a skilled attacker from your network is hard. Once they have gained a foothold and were able to access significant parts of your infrastructure, evicting an attacker can become difficult, and it is even more difficult to impossible to prove that the attacker no longer has access to any systems.

Johannes Ullrich

Threat actors continue to use the secrets/tokens exfiltrated to attempt to access systems. Some of those secrets were traded with customers in email. Microsoft has been reaching out to those customers to assist them with mitigations. Microsoft is continuing to take steps to harden their systems. If you're a Microsoft Office customer, you should make sure you're following current best practices, including MFA, then check for updates to those practices which support an increased security posture.

Lee Neely

Being the world’s largest software vendor has both advantages and disadvantages, the disadvantage being you have a rather large bullseye painted on your back. Unfortunately for Microsoft, 2024 is continuing where 2023 ended: continued scrutiny of the company and its application of cybersecurity practices.

Curtis Dukes

2024-03-08

CISA Systems Compromised Through Ivanti Vulnerability

A cyberattack prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to take two systems offline last month. The affected systems were running older technology that was due to be replaced and were reportedly breached through vulnerabilities in Ivanti VPN products. The systems that were breached and taken offline are CISA’s Infrastructure Protection Gateway and their Chemical Security Assessment Tool.

Editor's Note

With all respect to CISA, this is a reminder that none of us is immune from an attack. Even so, learn from examples like this to help make your case to prioritize and implement updates. This was a perfect storm of both a weakness of their VPN and the two back-end systems that hadn't been updated to be more secure. When reviewing your systems, consider the two systems allegedly breached, the CSAT system, which houses private sector chemical security plans, and the IP Gateway, which contains critical information about the interdependency of U.S. infrastructure, as examples of systems which should have higher assurance access control mechanisms, even when protected by firewalls and VPNs.

Lee Neely

The Rest of the Week's News


2024-03-11

British Library Ransomware Recovery Impeded by Legacy Systems

The British Library is struggling to recover from an October ransomware attack due in no small part to its dependence on legacy systems. Ransomware operators invaded the Library’s network in October and stole 600GB of data. A recent report on the incident says that some systems cannot be restored because they are too old to operate on current infrastructure and/or have aged out of support. The report also cites an absence of multi-factor authentication as a likely cause.

Editor's Note

Well done to the British Library on sharing the report on this breach so that others can learn from it. Open and transparent sharing of incident reports will enable us all to improve our defences.

Brian Honan

The Library was not able to bring back EOL IT systems, and had approved funding for their replacements. Even with funding it can be tempting to postpone implementing a replacement, keeping in mind the old system has to be viable until the cutover happens. In the past we've justified keeping an old system online, assuming we can restore it from the intended backup mechanism. Unless you test that restoration, to include verifying operation of the restored system, don't check it off as recoverable. Now the really icky part: you need to have not only your system inventory but also interdependencies, so you know how to wire things back up.

Lee Neely

Legacy systems are a double-edged sword. The longer you’re able to maintain systems, the lower the CAPEX, and the longer you maintain legacy systems the higher the risk of something bad happening from software EOL. Too often, organizations trade IT modernization budget for other competing priorities, failing in their standard duty of care to provide appropriate, credible, and defensible protection.

Curtis Dukes

2024-03-11

QNAP Releases Fixes for Three Flaws in NAS Devices

QNAP has released updates to fix three vulnerabilities in their network-attached storage (NAS) devices. One of the vulnerabilities is a critical improper authentication issue that could be exploited to compromise the security of affected systems. The other two issues, code injection and SQL injection vulnerabilities, are rated medium severity.

Editor's Note

CVE-2024-21899, improper authentication, CVSS score 9.8, can be exploited remotely. The other two, CVE-2024-21900, arbitrary command execution, CVSS score 4.3, and CVE-2024-21901, SQL injection, CVSS score 4.7, are both exploitable over the local network. Beyond making sure that your NAS is not Internet accessible, and only contains known accounts and applications, you need to be making sure the OS and applications are kept updated to help mitigate local threats. QNAP released updates for QTS 5.1.x; QTS 4.5.x; QuTS hero h5.1.x; QuTS hero h4.5.x; QuTScloud c5.x; and myQNAPcloud 1.0.x.

Lee Neely

2024-03-11

Open-Source Anti-Fraud Software to Help Protect Financial Systems in Africa and Asia

The Tazama project is open-source financial transaction monitoring software for financial systems. Launched by Linux Foundation Charities and the Bill and Melinda Gates Foundation, Tazama aims to provide real-time fraud protection for financial services to organizations in Africa, Asia, and the Middle East. In a separate story, an INTERPOL assessment on global financial fraud found that evolving technologies enable increasingly sophisticated fraud campaigns without requiring significant technological expertise.

Editor's Note

While big payment processors like Visa and Mastercard have fraud services, smaller FIs, particularly in Asian or African regions, don't have the wherewithal to implement such systems. This is intended to bridge that gap and increase trust of those institutions. Tazama analyzes transactions against 270 rules for about 30 types of fraud checks, at a rate of about 2300 transactions per second, effectively real-time detection. It is expected that organizations such as the Central Bank of West African States are going to mandate the use of an anti-fraud service, which should result in a large uptake of the service.

Lee Neely

2024-03-11

Shadowserver: Nearly 150,000 Systems Still Vulnerable to Fortinet Security Flaw

The Shadowserver Foundation has detected nearly 150,000 Fortinet products that remain unpatched against a known critical vulnerability. Fortinet disclosed the out-of-bounds write vulnerability (CVE-2024-21762) a month ago. The flaw affects FortiOS and FortiProxy. Users are urged to upgrade or update to fixed versions of the products.

Editor's Note

Fortinet devices are often used by small businesses without the resources and processes to update devices regularly. It must become easier to keep SMB devices up to date. The short downtime caused by automatic updates usually poses much less of a risk than the extended downtime caused by a possible compromise.

Johannes Ullrich

It's been a month, have you patched your Fortinet devices? Did you check to see if your device shows as vulnerable in Shodan? Yes, there isn't evidence of widespread exploitation, but as boundary control devices these should be top of your list to update.

Lee Neely

If they can be counted, they can be warned. If they can be counted, the bad guys can exploit them.

William Hugh Murray

2024-03-11

US Intelligence Agency Publishes Cloud Security Mitigation Strategies

The US National Security Agency (NSA) has published a document listing its top 10 cloud security mitigation strategies, which include using secure cloud identity and access management practices, implementing network segmentation and encryption in cloud environments, and managing cloud logs for effective threat hunting. Each of the strategies has an accompanying information sheet with additional details.

Editor's Note

While cloud migration may feel like old news, what's needed is to make sure the security is covered uniformly. Use these ten guides to make sure you're mitigating cloud risks consistently, building your cloud service adoption playbook accordingly. Review your existing cloud services, particularly ones you've had for a while, to make sure your bases are covered.

Lee Neely

A good compendium of cloud mitigation strategies. While specific to cloud environments, most, if not all, of the mitigation strategies are applicable to on-prem implementations as well. Other useful best practice guidance can be found at both the Cloud Security Alliance and the Center for Internet Security.

Curtis Dukes

Understand what controls your provider has provided and that you are expected to use them.

William Hugh Murray

2024-03-11

French Government Agencies Hit with Cyberattacks

France’s prime minister says that the country’s government agencies are experiencing cyberattacks of “unprecedented intensity.” Descriptions of the incidents suggest they are distributed denial-of-service (DDoS) attacks. The French government has established a crisis unit to deal with the situation.

Editor's Note

While I feel immediate sympathy for any organization these attacks are directed towards, my first response when I read about DDoS attacks is to make sure I've got protections in place to ensure I have a chance of surviving such an attack. Talk to your providers (ISP, cloud and outsource) and verify they have protections in place. Chat with your network team for their input, not only on what's in place but also where they see gaps. Don't forget to visit your CSOC to make sure they are prepared and properly equipped.

Lee Neely

You will need help from an upstream provider to help you deal with a DoS attack. The time to identify who to call is before the attack.

William Hugh Murray

2024-03-11

ODNI’s Open-Source Intelligence Strategy

The US Office of the Director of National Intelligence (ODNI) has published the Intelligence Community (IC) Open Source Intelligence (OSINT) Strategy for 2024-2026. The strategy’s mission is that “IC professionals collect, create, and deliver timely, relevant, and insightful open source intelligence to inform national security decisions and protect our Nation and its interests.”

Editor's Note

If you're wondering what can be done with OSINT, this short doc is something you need to read. Part of the strategy is moving forward with industry partners, including academia, private sector and foreign counterparts to keep pace with technology advances and develop best practices. Watch for an OSINT Strategy Action Plan to see the specific activities planned for the future.

Lee Neely

As government-produced strategies go, this one is decidedly short, only six pages. Perhaps a reflection of the importance it garners within the IC compared against other robustly funded intelligence disciplines.

Curtis Dukes

Internet Storm Center Tech Corner

What happens when you accidentally leak your AWS API Keys

https://isc.sans.edu/diary/What+happens+when+you+accidentally+leak+your+AWS+API+keys+Guest+Diary/30730

How Crypto Imposters are using Calendly to infect Macs with Malware

https://cyberguy.com/news/how-crypto-imposters-are-using-calendly-to-infect-macs-with-malware/

https://krebsonsecurity.com/2024/02/calendar-meeting-links-used-to-spread-mac-malware/

Misconfiguration Manager: Overlooked and Overprivileged

https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d

Cisco VPN Client Vuln

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7

Attack Wrangles Thousands of Web Users into a Password Cracking Botnet

https://arstechnica.com/security/2024/03/attack-wrangles-thousands-of-web-users-into-a-password-cracking-botnet

Fortinet Vulnerability Exploited

https://bishopfox.com/blog/cve-2024-21762-vulnerability-scanner-for-fortigate-firewalls

pgAdmin Path Traversal

https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/

Font Vulnerabilities

https://www.canva.dev/blog/engineering/fonts-are-still-a-helvetica-of-a-problem/

QNAP Flaws

https://securityonline.info/cve-2024-21899-cvss-9-8-critical-qnap-flaw-opens-door-to-hackers/