SANS NewsBites

Surge of Critical Healthcare Attacks; Too Many High Priority Patches

November 13, 2020  |  Volume XXII - Issue #90

Top of the News


2020-11-11

Critical Healthcare Cybersecurity Incidents Abound

According to Health IT Security, Hendrick Health in Texas detected a threat that prompted it to shut down IT networks; the organization is operating under EHR (electronic health record) downtime procedures. Among other news in the article: Sonoma (California) Valley Hospital is operating under EHR downtime procedures a month after its network was hit with ransomware; Florida's Advanced Urgent Care is notifying patients that their personal information may have been compromised during a ransomware attack in March; and Minnesota's People Incorporated Mental Health Services notified 27,500 patients that their personal data were compromised following a phishing incident earlier this year.

Editor's Note

Healthcare remains a target of both opportunity and choice. Increasing the cost, and reducing the surface, of attack in this industry is urgent.

William Hugh Murray

2020-11-13

Australia's Government Warns of SDBBot Activity Targeting Healthcare Sector

The Australian Cyber Security Centre (ACSC) has issued an alert warning that it observed increased targeting activity against the Australian Health sector. The threat actors have been using the SDBBot Remote Access Tool (RAT) to move through networks and exfiltrate data. The ACSC notes that SDBBot is a known precursor of the Clop ransomware, and urges that all network owners review their controls against ransomware as per ACSC's publication Ransomware in Australia.

Editor's Note

Patient care systems and applications should not be connected to the public networks.

William Hugh Murray

The Rest of the Week's News


2020-11-12

Microsoft: Use MFA That Doesn't Use Publicly Switched Phone Networks

Microsoft is urging organizations to use multi-factor authentication (MFA) that does not rely on publicly switched telephone networks. SMS and voice protocols were designed without encryption; one-time passcodes sent via SMS or voice can be intercepted. Encrypted authentication apps, like Microsoft Authenticator, Google Authenticator, and Cisco Duo Mobile provide better security.

Editor's Note

The most important quote from the Microsoft blog post is the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population. Using the widely offered SMS-based 2FA options means a user is 1000 times less likely to have their credentials compromised. Before we start talking about more secure, but often single vendor-controlled alternatives, let's get that 1000x improvement in protection from phishing. If the apps (which are software written by vendors who are often issuing dozens of, often more than 100, application patches per month) really do prove to be more secure, then the world can migrate to something more secure. I can't emphasize enough: the most important step is getting users away from reusable passwords.

John Pescatore

Implementing any form of MFA is a major improvement over a reusable password. Since you are able to forward SMS messages to your computer or other devices, using tools like Apple iMessage and Google Messages, interception is possible. In the current environment, PSTN calls are also forwarded or otherwise re-routed, potentially exposing their data as well, as they are not encrypted end-to-end. Choose stronger authentication options such as Microsoft Authenticator or Google Authenticator prior to enabling SMS or voice verification options. Use a risk-based approach when selecting the authenticator strength for enterprise applications, which may lead you to require hard tokens for more sensitive data access, particularly when Internet accessible. NIST SP 800-63 provides guidance for selecting authenticator strength. https://www.nist.gov/itl/tig/projects/special-publication-800-63

Lee Neely

MFA without doubt is a key layer of protection against accounts being hijacked. While the use of authenticator apps is the preferred method as recommended by Microsoft, it is important to consider the challenge of rolling out such apps across your user base, in particular for those users who don't have corporate devices and may be resistant to installing a corporate app onto their personal device. You should look not just at MFA to defend your systems but also include other elements in a zero trust model.

Brian Honan

Courtney's First Law: "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."

William Hugh Murray

2020-11-11

Microsoft Patch Tuesday, and a New Format for the Security Update Guide

On Tuesday, November 10, Microsoft released fixes to address 112 vulnerabilities; one of the flaws is being actively exploited. The Windows Kernel Cryptography Driver vulnerability has been actively exploited in conjunction with a Chrome JavaScript engine RCE flaw to compromise vulnerable devices. With this monthly release, Microsoft has changed the format of its advisories. While the new format brings Microsoft's advisories in line with those of other software vendors, it also eliminates some details that users have found useful.

Editor's Note

Glad to see Microsoft finally joining the rest of the industry in standardizing on CVSS-based scoring. Next, they need to attack the issues around why enterprises seem to face obstacles to shortening Windows time to patch, even for the most critical vulnerabilities.

John Pescatore

While the change brings the notices in alignment with industry standards, evaluation information such as the scope, exploit path and consequences of exploit are no longer present, making it difficult to assess impact. Microsoft's model is to apply all updates to end-user systems, such as Windows 10, and commodity servers; even so, have a good backup prior to updating, and regression test prior to deployment in production environments.

Lee Neely

2020-11-11

Adobe November Patch Tuesday Fixes Three Flaws

Adobe has released fixes for three vulnerabilities affecting Adobe Connect and Adobe Reader Mobile. A pair of reflected cross-site scripting flaws in Adobe Connect could be exploited to allow arbitrary JavaScript execution in the browser. An improper access control vulnerability in Adobe Reader Mobile could be exploited to disclose information.

Editor's Note

The Adobe Connect fix is categorized as priority 3, meaning you can patch it with your normal patching process as it's neither a traditional target nor under active exploit. Even so, if you're leveraging Adobe Connect for collaboration, application of the patch with your November activities is a good idea. The Reader Mobile vulnerability is Android specific and also a priority 3, which normal app store application updates should be able to support.

Lee Neely

2020-11-12

Google Fixes More Chrome Zero-days

Google has fixed two more zero-day flaws in Chrome. One of the flaws is an inappropriate implementation in V8; the other is a use after free issue in Chrome Site Isolation. The vulnerabilities, which are being actively exploited, are resolved in Chrome 86.0.4240.198 for Windows, macOS, and Linux.

Editor's Note

These are the fourth and fifth updates for Chrome in the last three weeks. Unlike the prior three flaws, these were externally discovered and reported. And like prior updates, they are accompanied by claims of active exploit which drives the need for expeditious deployment. Don't forget to make sure that your mobile users are updating as well.

Lee Neely

2020-11-11

Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator

A trio of flaws affecting Silver Peak's Unity Orchestrator SD-WAN management platform could be combined to allow unauthenticated attackers to take over vulnerable networks. The flaws, an authentication bypass issue, a file delete path traversal issue, and an arbitrary SQL query execution issue, are resolved in Silver Peak Unity Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+.


2020-11-11

Cisco Fixes Vulnerability in IOS XR Software

Cisco has released an update to address a vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers. The flaw could be exploited to cause a denial-of-service condition. The issue affects Cisco ASR 900 Series Aggregation Service Routers running IOS XR software earlier than versions 6.7.2 and 7.1.2.


2020-11-11

Intel Fixes 95 Security Issues

Intel released 40 security advisories on Tuesday, November 10. The advisories address a total of 95 vulnerabilities in a variety of its products. Critical flaws affect Intel Wireless Bluetooth products and Intel Active Management Technology.


2020-11-12

Schneider Electric PLC Vulnerabilities

Two flaws in Schneider Electric Programmable Logic Controllers (PLCs) could be exploited to compromise vulnerable PLCs and from there, move through the network. The flaws affect Schneider EcoStruxure Machine Expert v1.0 PLC management software and firmware for Schneider M221 PLC, version 1.10.2.2.

Editor's Note

The best mitigation is to protect PLCs by segregating them from unauthorized network access as they are not always engineered to handle general network traffic or probing.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+November+2020+Patch+Tuesday/26778/


Traffic Analysis Quiz

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+DESKTOPFX23IK5/26780/


Preventing Exposed Azure Blob Storage

https://isc.sans.edu/forums/diary/Preventing+Exposed+Azure+Blob+Storage/26786/


"Platypus" Attack against Intel SGX

https://platypusattack.com/


Adobe Updates

https://helpx.adobe.com/security.html


Firefox Updates

https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/#CVE-2020-26950


Fingerprinting ADS-B Signals

https://icnp20.cs.ucr.edu/proceedings/aimcom2/Real-World%20ADS-B%20signal%20recognition%20based%20on%20Radio%20Frequency%20Fingerprinting.pdf


Open Source Security Scorecards

https://github.com/ossf/scorecard


Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions

https://landave.io/2020/11/bitdefender-upx-unpacking-featuring-ten-memory-corruptions/


Ubuntu 20.04 Privilege Escalation

https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE


Apple Security Updates

https://support.apple.com/en-us/HT201222


DNS Cache Poisoning Attack Reloaded

https://dl.acm.org/doi/pdf/10.1145/3372297.3417280


Rebel Powell: Poisoned Postman; Detecting Manipulation of Compliance Features in a Microsoft Exchange Online Environment

https://www.sans.org/reading-room/whitepapers/cloud/poisoned-postman-detecting-manipulation-compliance-features-microsoft-exchange-online-environment-39850