SANS NewsBites

Red Team Tools Stolen From FireEye; EU COVID-19 Cyberattack and more Healthcare Breaches

December 11, 2020  |  Volume XXII - Issue #97

Top of the News


2020-12-09

FireEye Discloses Theft of Red Team Tools

FireEye has acknowledged that it was attacked by "a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack." The attacker appears to have accessed FireEye Red Team tools, which the company uses to assess the security of customers' systems. FireEye is investigating the incident in cooperation with the FBI, Microsoft, and other key partners.

Editor's Note

FireEye's CEO's blog post and press release focus on the sophistication of the threat actors and point to great information for detecting the use of the stolen tools, but offer no lessons learned on what vulnerabilities were exploited or what mistakes FireEye made that enabled the attacks to succeed. Putting that out for public consumption obviously carries risk; I hope FireEye is providing those lessons learned via trusted channels.

John Pescatore

Security organizations are under constant attack. Once in a while the attacker wins. This happened twice to us at SANS, 23 years ago and in 2020. As John Pescatore notes, (in addition to finding ways to block the specific intrusion vector and to correct systemic flaw(s) it uncovered) security organizations have a unique and important obligation to share the lessons learned, broadly and quickly.

Alan Paller

Read more in

FireEye: FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community

Vice: One of The Biggest Cybersecurity Companies In The World Just Got Hacked

Dark Reading: Nation-State Hackers Breached FireEye, Stole Its Red Team Tools

ZDNet: FireEye, one of the world's largest security firms, discloses security breach

The Register: Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools

Wired: Russia's FireEye Hack Is a Statement, but Not a Catastrophe

SC Magazine: FireEye hacked, red team tools stolen

Ars Technica: Premiere security firm FireEye says it was breached by nation-state hackers

Threatpost: FireEye Cyberattack Compromises Red-Team Security Tools

Bleeping Computer: FireEye reveals that it was hacked by a nation state APT group


2020-12-10

EU Medicines Agency Hit with COVID-19-related Cyberattack

The European Medicines Agency (EMA) is investigating a cyberattack against its network. The agency is in the process of reviewing two COVID-19 vaccines for use in the EU. According to a joint statement from Pfizer and BioNTech, "documents relating to the regulatory submission for Pfizer and BioNTech's COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, [have] been unlawfully accessed."

Editor's Note

If you're in healthcare, you're already a big target this year, even more so if you're even peripherally associated with COVID-19 vaccine production, authorization or distribution. Companies like Johnson & Johnson, Gilead, Moderna, AstraZeneca, Genexine, Celltrion and Novavax have been targeted. If you haven't verified your security measures, now is a good time to engage a third-party review.

Lee Neely

The entire vaccine supply chain is or will be under attack. Many proactive efforts to harden the cyber side of operations have been launched, but there are too many links in that complex supply chain. One 2020 SANS Difference Makers award winner (volunteer organization CTI League) has been very active in supporting smaller organizations that may not have sufficient skilled resources to reduce risk. https://www.sans.org/cyber-innovation-awards

John Pescatore

2020-12-10

Healthcare Breach Roundup: GBMC, Georgia Dentistry Practice, Tufts Health Plan

As of Wednesday, December 9, GBMC Health was still operating under electronic health record (EHR) downtime procedures following a ransomware attack over the weekend. A Georgia dentistry practice suffered a ransomware attack earlier this year and has recently notified patients. Tufts Health Plan notified more than 60,000 members that their personal information had been compromised in a security incident at a third-party entity that provides vision benefits.

The Rest of the Week's News


2020-12-08

Foxconn Discloses Ransomware Attack

Electronics manufacturer Foxconn has acknowledged that the network at a facility in Mexico was hit with ransomware in late November. The ransomware operators also stole data.


2020-12-10

Payment Processor TSYS Suffers Ransomware Attack

Data stolen from payment processor TSYS has been posted online. The files were stolen during a ransomware attack that affected TSYS's systems earlier this month. TSYS said that the attack affected systems that support "certain corporate back office functions of a legacy TSYS merchant business."

Editor's Note

The systems compromised are part of Cayan, an in-store physical payment processor, acquired in 2018, which highlights the criticality of securing and merging acquired business systems. Conti operators, who are hosting the stolen data, claim card data was present, while TSYS denies any card data loss. Make sure your cards are set up to alert you for unexpected transactions, particularly card-not-present use.

Lee Neely

2020-12-08

Microsoft December Patch Tuesday

Microsoft's final Patch Tuesday release for 2020 includes fixes for 58 security issues in a variety of products, including Windows, Edge, Office, Exchange Server, and Visual Studio. Nine of the vulnerabilities are rated critical.

Editor's Note

While there are only 58 issues this month, other flaws announced this week will require attention. The trick with these updates will be consistent application to remote systems in spite of the December and January holidays. It may be prudent to remind users to leave systems up and reachable by your update service during this patch window.

Lee Neely

2020-12-08

Amnesia:33 Vulnerabilities Affect Multiple TCP/IP Libraries

Researchers at Forescout have disclosed Amnesia:33, a group of 33 vulnerabilities in open source TCP/IP stacks that are used in the firmware of products sold by more than 150 vendors. The flaws affect the uIP, FNET, picoTCP, and Nut/Net TCP/IP stacks and could be exploited for remote code execution, denial of service, information leakage, and DNS cache poisoning.

Editor's Note

The good news is that these are specific to embedded/IoT devices, not smartphones, computers, servers, etc. The primary mitigation is segmentation. Limit access to and from these devices to only services they need to communicate with. At home, put them on your guest wireless segment, and if possible, turn on device isolation.

Lee Neely
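The Amnesia:33 flaw classes listed above (out-of-bounds reads that end in code execution or information leaks, parser loops that cause denial of service, and acceptance of spoofed DNS answers) all come down to missing checks in packet parsers. What follows is an added example written for this item, not code from Forescout's report or from uIP, FNET, picoTCP or Nut/Net, and it does not reproduce any specific Amnesia:33 bug: a DNS name reader and response filter written with the checks an embedded stack needs. The sample packets are constructed for the demo, and the transaction-ID and question matching follows general anti-spoofing guidance (RFC 5452) rather than any vendor fix.

```c
/* Added example; not code from Forescout's report or from any affected stack.
 * Bounds-checked DNS name reader and response-acceptance check: every byte
 * read is checked against the message length, label and name sizes are
 * capped (RFC 1035), compression pointers must point backwards and are
 * hop-limited so a crafted packet cannot loop the parser, and a response is
 * accepted only if its ID and question echo the query (RFC 5452). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define DNS_MAX_LABEL 63
#define DNS_MAX_NAME  255
#define DNS_MAX_JUMPS 16   /* legitimate names need one or two; cap generously */

/* Reads a possibly compressed name at *offset into out as dotted text.
 * Returns 0 and advances *offset past the name's wire bytes on success;
 * returns -1 on malformed input without reading outside msg[0..msg_len). */
int dns_read_name(const uint8_t *msg, size_t msg_len, size_t *offset,
                  char *out, size_t out_len)
{
    size_t pos = *offset, end = 0, out_pos = 0, name_len = 0;
    int jumps = 0;

    if (out_len == 0) return -1;
    out[0] = '\0';
    for (;;) {
        if (pos >= msg_len) return -1;               /* length byte off the end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= msg_len) return -1;       /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;            /* must refer to an earlier offset */
            if (++jumps > DNS_MAX_JUMPS) return -1;  /* bound the chase regardless */
            if (jumps == 1) end = pos + 2;           /* caller resumes after the pointer */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* 0x40/0x80 label types unsupported */
        if (len == 0) { pos++; break; }              /* root label ends the name */
        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > msg_len) return -1;      /* label body truncated */
        if ((name_len += len + 1) > DNS_MAX_NAME) return -1;
        if (out_pos) {                               /* separator before 2nd+ label */
            if (out_pos + 1 >= out_len) return -1;
            out[out_pos++] = '.';
        }
        if (out_pos + len >= out_len) return -1;     /* keep room for the NUL */
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        out[out_pos] = '\0';
        pos += 1 + len;
    }
    *offset = jumps ? end : pos;
    return 0;
}

/* DNS names compare case-insensitively (ASCII). */
static int dns_name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Accepts a response only if it is well-formed, carries our transaction ID
 * and echoes the question we asked; anything else is dropped. Returns 0/-1. */
int dns_check_response(const uint8_t *msg, size_t msg_len,
                       uint16_t expected_id, const char *expected_qname)
{
    char qname[DNS_MAX_NAME + 1];
    size_t off = DNS_HDR_LEN;
    if (msg_len < DNS_HDR_LEN) return -1;
    if ((uint16_t)((msg[0] << 8) | msg[1]) != expected_id) return -1;
    if (!(msg[2] & 0x80)) return -1;                 /* QR bit: must be a response */
    if (((msg[4] << 8) | msg[5]) != 1) return -1;    /* exactly one question */
    if (dns_read_name(msg, msg_len, &off, qname, sizeof qname) != 0) return -1;
    if (off + 4 > msg_len) return -1;                /* QTYPE/QCLASS truncated */
    return dns_name_eq(qname, expected_qname) ? 0 : -1;
}

/* Constructed samples (not captured traffic). SAMPLE_OK answers "example.com A"
 * with 192.0.2.1; the answer name is a pointer (0xC0 0x0C) to the question. */
static const uint8_t SAMPLE_OK[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x04, 192,0,2,1
};
/* Question name "a" followed by a pointer back to itself: a parser loop. */
static const uint8_t SAMPLE_LOOP[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    1,'a', 0xC0,0x0C, 0x00,0x01, 0x00,0x01
};
/* Label claims 7 bytes but the message ends after 3: an over-read if unchecked. */
static const uint8_t SAMPLE_TRUNC[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    7,'e','x','a'
};

int main(void)
{
    char name[DNS_MAX_NAME + 1];
    size_t off = DNS_HDR_LEN + 17;                   /* start of the answer record */
    printf("valid %d, wrong id %d, loop %d, truncated %d\n",
           dns_check_response(SAMPLE_OK, sizeof SAMPLE_OK, 0x1234, "example.com"),
           dns_check_response(SAMPLE_OK, sizeof SAMPLE_OK, 0x1235, "example.com"),
           dns_check_response(SAMPLE_LOOP, sizeof SAMPLE_LOOP, 0x1234, "a"),
           dns_check_response(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 0x1234, "example.com"));
    if (dns_read_name(SAMPLE_OK, sizeof SAMPLE_OK, &off, name, sizeof name) == 0)
        printf("answer name via pointer: %s (resume at %zu)\n", name, off);
    return 0;
}
```

Any C99 compiler builds it stand-alone. The point to take away is that each rejection path returns before the offending byte is read: the truncated label is refused by the `pos + 1 + len > msg_len` check, the self-referencing pointer is refused by the backwards-only rule and the hop limit, and a spoofed answer with the wrong ID or question never reaches the cache. Every read in the loop is preceded by a comparison against `msg_len`, which is exactly the discipline a stack running on a device that cannot be patched quickly has to have.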

2020-12-09

Adobe's December Patch Tuesday Includes Last Update for Flash

Adobe's scheduled patch release for December includes the last ever scheduled update for Flash Player. As of January 12, 2021, Adobe will block Flash content from running in Flash Player. Adobe has also released security updates for Lightroom, Prelude, Experience Manager, and Acrobat and Reader.

Editor's Note

The January 21st kill switch for Flash was embedded in prior releases; this update simply adds language to remind users that it will no longer run and suggests uninstalling. You should be ready, or in final QA, to pull the trigger on your plan to remove Flash from the enterprise. Major browsers have already shifted to a default-disabled delivery for Flash content and are scheduled to remove support for Flash from their codebases throughout December and January. If you must provide a Flash-enabled environment, you will need to support both older browsers and older Flash versions, and make certain they are tightly controlled to limit exposure and access to exploitation of unpatched weaknesses.

Lee Neely

2020-12-09

CISA Warns of Vulnerabilities in Certain GE Healthcare Devices

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of vulnerabilities in GE Healthcare imaging and ultrasound products. The devices have hardcoded default passwords that are used for maintenance access. The passwords are not easily changed and are available on the Internet. Customers are advised to contact GE to change the passwords.

Editor's Note

In addition to applying updates and changing the default passwords, mitigate the risks by segmenting networks to include specific rules regarding TELNET, REXEC, FTP, and SSH traffic. Require remote access over VPN and permit traffic only for authorized users.

Lee Neely

2020-12-10

Vulnerabilities in PageLayer WP Plugin

An update for the PageLayer WordPress plugin addresses two reflected cross-site scripting (XSS) vulnerabilities that could be exploited to run malicious JavaScript in an administrator's browser, leading to site takeover. The PageLayer plugin is installed on more than 200,000 websites.

Editor's Note

While exploiting the XSS flaw still involves a WP Admin clicking the malicious link, updating the plugin is the right approach as the injected JavaScript is running in the context of the WP Admin's browser. The fix was released on November 9th. Update to at least version 1.3.8 if you're using this plugin. The paid and free versions of Wordfence include XSS protection that helps prevent exploitation.

Lee Neely

WordPress plugins continue to introduce vulnerabilities in websites. Use them only by design and intent; monitor and patch zealously.

William Hugh Murray

2020-12-10

South Korea Ends Government Digital Certificate Authority That Relied on ActiveX

South Korea's government has made good on its promise to get rid of a government-run digital certificate service that depends on Microsoft's ActiveX technology. The change is included in South Korea's new Digital Signature Act, which was passed earlier this year. The majority of the act's provisions took effect on Thursday, December 10, 2020.


2020-12-10

Another Mirai Suspect Pleads Guilty

A fourth individual has pleaded guilty to charges stemming from their role in the operation of the Mirai botnet, which caused major Internet disruptions in autumn 2016. The attack at the center of this case targeted the Sony PlayStation Network platform; it also affected the Dyn Domain Name System (DNS) provider. Sentencing is scheduled for January 7, 2021. Three other individuals have already pleaded guilty in the case.

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/December+2020+Microsoft+Patch+Tuesday+Exchange+Sharepoint+Dynamics+and+DNS+Spoofing/26860/


Adobe Patch Tuesday

https://helpx.adobe.com/security.html


OpenSSL Patch (Tuesday)

https://www.openssl.org/news/secadv/20201208.txt


Python Backdoor Talking to a C2 Through Ngrok

https://isc.sans.edu/forums/diary/Python+Backdoor+Talking+to+a+C2+Through+Ngrok/26866/


SANS Holiday Hack Challenge

https://holidayhackchallenge.com/2020/


Oblivious DoH

https://blog.cloudflare.com/oblivious-dns/


HTTP Archive Almanac

https://almanac.httparchive.org/en/2020/security


Open Source IoT TCP/IP Stack Vulnerabilities

https://www.forescout.com/company/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/


FireEye Red Team Tool Signatures

https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html


Cisco Releases Improved Patch for Jabber Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO

https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/


Karim Lalji: Fear of the Unknown: A Metanalysis of Insecure Object Deserialization Vulnerabilities

https://www.sans.org/reading-room/whitepapers/testing/fear-unknown-metanalysis-insecure-object-deserialization-vulnerabilities-39920