SANS NewsBites

NSA Says VMware Flaw Actively Exploited; Healthcare Org to Pay $4.2M in Breach Settlement; U.S. National Cybersecurity Director

December 8, 2020  |  Volume XXII - Issue #96

Top of the News


2020-12-07

NSA Warns that VMware Flaw is Being Actively Exploited, Fixes Available

The US National Security Agency (NSA) has issued a cybersecurity advisory warning that Russian hackers are exploiting a command injection flaw in VMware Workspace ONE Access and VMware Identity Manager. The exploit allows attackers to install malware, access data, and maintain a persistent presence on vulnerable systems. VMware issued fixes for the flaw on Thursday, December 3.

Editor's Note

The attack relies on compromising the management interface, which runs on port 8443. The workaround disables configurator-managed settings changes. Apply the package updates now rather than the workaround, and make the management interface available only to trusted systems; don't expose it to the internet.

Lee Neely

Read more in

Defense: Russian State-Sponsored Actors Exploiting Vulnerability in VMware(R) Workspace ONE Access Using Compromised Credentials (PDF)

VMware: HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754)

VMware: Advisory | VMSA-2020-0027.2

Ars Technica: NSA says Russian state hackers are using a VMware flaw to ransack networks

Cyberscoop: NSA warns of Russian government-backed hackers aiming at US defense sector targets

Wired: The NSA Warns That Russia Is Attacking Remote Work Platforms

ZDNet: NSA warns of Russian state-sponsored hackers exploiting VMWare vulnerability

Security Week: VMware Patches Workspace ONE Access Vulnerability Reported by NSA

Threatpost: VMware Rolls a Fix for Formerly Critical Zero-Day Bug

Bleeping Computer: VMware fixes zero-day vulnerability reported by the NSA


2020-12-07

Kalispell Regional Healthcare Agrees to Pay $4.2M in Breach Settlement

Kalispell (Montana) Regional Healthcare (KRH) has reached a settlement with plaintiffs in a lawsuit filed after a data security breach. KRH will pay $4.2 million. The lawsuit was filed in December 2019; the incident occurred earlier that year. The attack began through phishing emails; the attackers gained access to employee accounts and retained that access until the breach was detected several months later.

Editor's Note

This is an expensive settlement, worth highlighting to management: up to $15,000 in direct breach-related losses per claimant, in addition to the usual credit theft/identity theft assistance type services. There were only 250 social security numbers reported compromised from the 130,000 records exposed, so it may be unlikely that the maximum is reached. But the cost of avoiding the deficiencies cited (not following industry standard levels of security, not adequately training employees, etc.) for KRH's roughly 1,000 employees would not only have been less than the total costs incurred but is also now going to be incurred anyway.

John Pescatore

Kalispell had been identified as being in the top 9% of organizations in the healthcare industry for cybersecurity compliance. Even so, they were undone by phishing attacks. Adequate user training, protection of sensitive data, monitoring, and response to unauthorized activities and actions are key to not only resisting an attack but also detecting and stopping these sorts of attacks. Leverage external assessors and testers to make sure the controls implemented work as expected before your adversaries find weaknesses for you.

Lee Neely

2020-12-04

NDAA Would Create Position of National Cybersecurity Director

The proposed 2021 US National Defense Authorization Act (a must-pass bill) would establish a new Senate-confirmed, executive branch position of National Cyber Director. The bill would also give the Cybersecurity and Infrastructure Security Agency (CISA) subpoena authority to keep tabs on critical infrastructure cybersecurity and require CISA to hire cybersecurity coordinators for every state.

Editor's Note

This bill, if passed, formalizes the role the National Guard cyber units play in responding to cyber incidents. It also allows for collaboration with civilian agencies and provides a framework for collaboration and cross-training with other agencies such as the FBI, DHS CISA, state and local governments, law enforcement, and non-federal agencies.

Lee Neely

The Rest of the Week's News


2020-12-07

Greater Baltimore Medical Center Suffers Ransomware Attack

The Greater Baltimore Medical Center (GBMC) has acknowledged that its network was hit with ransomware over the weekend. GBMC Health Care says that the attack has forced them to cancel some procedures that were scheduled for Monday, December 7.


2020-12-07

Embraer Data Leaked After Ransomware Attack

Ransomware operators behind a November ransomware attack on Brazilian aerospace company Embraer have published files that were allegedly taken from the company's network. Embraer has refused to pay the demanded ransom and has restored its systems from backups.

Editor's Note

Embraer believed they understood the scope and value of data exfiltrated and subsequently released, and had sufficient resources to rebuild affected systems. Before an incident occurs, assess sensitive data and have the hard conversations about what damage can occur if data are released. Include conversations about the location and protections of that data, make adjustments and improvements where needed. Document your decisions; review them annually; and stand by them when or if the time comes.

Lee Neely

2020-12-07

Randstad Discloses Ransomware Attack

Randstad, a human resources company based in the Netherlands, has disclosed that its network was hit with ransomware known as Egregor. The ransomware operators have also targeted systems at Barnes and Noble and at TransLink, the transportation agency for Vancouver, BC.


2020-12-04

Kmart Network Reportedly Hit with Ransomware

US retailer Kmart has reportedly been targeted in a ransomware attack. The incident affected the company's back-end servers. Kmart has not confirmed the report; a ransom note was shared with Bleeping Computer.


2020-12-08

UK Engineering Services Firm Acknowledges Cyberattack

RMD Kwikform, a UK engineering services firm, was the target of a cyberattack in November. The company has notified the Information Commissioner's Office (ICO) and is cooperating with the National Cyber Security Centre (NCSC) and other authorities. Kwikform's parent company, Interserve, was the target of a cyberattack in May 2020.


2020-12-06

Kazakhstan Government Wants to Intercept Citizens' HTTPS Traffic Again

The government of Kazakhstan is once again requiring that citizens living in the country's capital install a government-issued digital certificate on their devices if they want to access Internet services outside the country. The certificate allows the government to intercept all HTTPS traffic from those devices. If Kazakh citizens want to access sites like Facebook, YouTube, Instagram, Twitter, or Netflix, they will need the certificate. This has happened twice before - in December 2015 and in July 2019. In those previous instances, browser makers blacklisted the Kazakh government certificate. The requirement is being touted as a security initiative; the country plans to hold a parliamentary election in January 2021.

Editor's Note

While done a bit more clumsily, this is pretty much the same type of encryption backdoor that is proposed by the "EARN-IT" or "LEAD" bills proposed in the United States. Kazakhstan just doesn't have the clout to force the tech industry into compliance, so they rely on pressuring citizens to install the backdoors necessary for interception.

Johannes Ullrich

The certificate will enable MitM inspection/interception and possible modification of traffic flowing through their perimeter, and as the certificate is trusted, the user will not be alerted or aware. This monitoring also provides mechanisms for credential capture. The prior attempt failed after browser manufacturers blacklisted the Kazakhstan Government's certificates. As traffic is being routed through centralized control points, bypassing the security perimeter by the use of a VPN or other service to wrap/embed users' traffic is unlikely to succeed for long.

Lee Neely

2020-12-07

Package Delivery Lockers Hacked

Someone hacked into a system that allowed them to unlock thousands of package delivery lockers in Moscow, Russia. The PickPoint delivery service allows people to order items and have them delivered to lockers, where they retrieve their packages using a mobile app.


2020-12-07

Italian Police Make Arrests in Leonardo Data Theft

Authorities in Italy have arrested two people in connection with the theft of data from defense contractor Leonardo SpA. The suspects introduced malware into the company's computers through a USB drive; they allegedly stole 10GB of data from Leonardo over a two-year period. One of the suspects was an IT manager at the company.


2020-12-07

QNAP Releases Fixes for Vulnerabilities in NAS Devices

QNAP has published a security advisory urging users to update to the most recent versions of QTS and QuTS to address four vulnerabilities in its Network Attached Storage (NAS) products. One of the flaws could be exploited to take control of vulnerable NAS devices.

Editor's Note

It has been a couple of weeks, so here is the regular reminder: Do not expose network storage devices to the Internet, QNAP or any other brand. QNAP is actually pretty good at patching these flaws, which is why you may see them mentioned more frequently.

Johannes Ullrich

Make sure your QNAP devices are updated now. Don't expose your NAS devices to the Internet. If you're using them to share content, follow security guidelines. Consider using separate devices for sharing content and backups, and minimize the services enabled. Note that some versions of the QTS operating system are also vulnerable to the Windows Zerologon flaw when configured as a domain controller.

Lee Neely

Internet Storm Center Tech Corner

Proxy Scanner Attempting to Connect to Specific Hostname

https://isc.sans.edu/forums/diary/Is+IP+91199118137+testing+Access+to+aahwwx52hostxyz/26852/


Corrupt BASE64 Strings: Detection and Decoding

https://isc.sans.edu/forums/diary/Corrupt+BASE64+Strings+Detection+and+Decoding/26616/


Recovering Passwords From Pixelized Screenshots

https://www.linkedin.com/pulse/recovering-passwords-from-pixelized-screenshots-sipke-mellema/


Tomcat Information Leak

https://nvd.nist.gov/vuln/detail/CVE-2020-17527


Google Updates

https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html


Microsoft Teams Remote Code Execution Vulnerability (Patched)

https://github.com/oskarsve/ms-teams-rce


PlayStation Now RCE

https://hackerone.com/reports/873614


Cisco Security Manager Java Deserialization Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-java-rce-mWJEedcD