SANS NewsBites

Hacker Changed Chemical Concentration at Water Treatment Plant; Ransomware Hits Brazilian Utilities; Google Launches Open Source Vulnerability Website

February 9, 2021  |  Volume XXIII - Issue #11

Top of the News


2021-02-08

Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant

On February 5, a hacker altered the amount of sodium hydroxide (lye) added to the water supply for Oldsmar, Florida, from 100 ppm to 11,100 ppm. "According to the county's sheriff, the hacker gained access via an unnamed remote software program that allows employees to troubleshoot IT problems. The same program also includes some screen-monitoring capabilities. As a result, the operator who first noticed the intrusion initially suspected the remote access belonged to another worker." A plant operator noticed the change and reversed it before the tainted water entered the municipality's water supply. Officials have disabled the remote access system. The FBI and Secret Service are investigating.

Editor's Note

Vendors often offer remote support and monitoring, which helps maintain their systems. That support mechanism needs to be well understood. If you must expose access to monitor and manage an internal service, make sure that it is properly secured, including mandatory multi-factor authentication, regular reviews of which accounts have access, and logs that not only capture activities, but are also forwarded to your SIEM/SOC. Pay particular attention to any accounts which cannot use MFA, and, if possible, don't allow remote access to them. If cellular or other private networks are used, understand what else is on those networks and how the communications are protected.

Lee Neely

Many organisations have remote access solutions in place to enable vendors and staff to work remotely, and in the pandemic this has increased, so now is a good time to review all your remote access solutions to ensure that they are configured in a secure manner and where possible MFA is enabled.

Brian Honan

Utility operator convenience must not be allowed to trump security of the utility.

William Hugh Murray
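The Oldsmar story turns on two things: a setpoint write that was wildly outside any plausible engineering range, and a remote-support session that looked like a colleague's. The script below is an added example, not the newsletter's or the plant's code, of the detection logic a SOC could run over two feeds the editors above ask you to collect: the remote-access tool's session log and the HMI/historian audit log of setpoint writes. Every log line, the 0 to 500 ppm limit, the 200% step threshold, the shared account name and the IP addresses are constructed for illustration.

```python
"""Added example, not from the newsletter or the Oldsmar investigation: flag setpoint
writes that leave engineering limits or jump too far in one step, and correlate each
flagged write with the remote-support sessions active at that moment.
All log lines, limits and addresses below are constructed for illustration."""
from datetime import datetime, timezone

# Assumed engineering limits per tag; the 11,100 ppm write in the story is far outside them.
LIMITS = {"NaOH_dose_ppm": (0.0, 500.0)}
MAX_STEP_FRACTION = 2.0               # flag one write that moves a setpoint by more than 200%
ALLOWED_REMOTE_SRC = {"203.0.113.7"}  # the vendor's known support jump host (assumed)

# Constructed remote-access tool log: session start/end per user, source and tool.
REMOTE_SESSIONS_LOG = """\
2021-02-05T08:02:11Z session_start user=ops_shared src=203.0.113.7 tool=remote-support
2021-02-05T08:20:45Z session_end user=ops_shared src=203.0.113.7 tool=remote-support
2021-02-05T13:15:02Z session_start user=ops_shared src=198.51.100.23 tool=remote-support
2021-02-05T13:21:40Z session_end user=ops_shared src=198.51.100.23 tool=remote-support
"""

# Constructed HMI/historian audit log of setpoint writes.
SETPOINT_LOG = """\
2021-02-05T08:05:30Z write tag=NaOH_dose_ppm old=100 new=105 station=HMI1
2021-02-05T13:18:17Z write tag=NaOH_dose_ppm old=100 new=11100 station=HMI1
2021-02-05T13:23:00Z write tag=NaOH_dose_ppm old=11100 new=100 station=HMI1
"""


def parse_line(line):
    """'<ISO8601>Z <event> k=v k=v ...' -> dict with a tz-aware 'ts' and an 'event'."""
    ts_str, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
           "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def build_sessions(log_text):
    """Pair session_start/session_end events into session records (end=None if still open)."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["user"], rec["src"], rec["tool"])
        if rec["event"] == "session_start":
            open_sessions[key] = {"user": rec["user"], "src": rec["src"], "tool": rec["tool"],
                                  "start": rec["ts"], "end": None}
            sessions.append(open_sessions[key])
        elif rec["event"] == "session_end" and key in open_sessions:
            open_sessions.pop(key)["end"] = rec["ts"]
    return sessions


def active_sessions(sessions, at):
    return [s for s in sessions if s["start"] <= at and (s["end"] is None or at <= s["end"])]


def check_write(rec):
    """Return the reasons a setpoint write is suspicious (empty list if none)."""
    reasons = []
    old, new = float(rec["old"]), float(rec["new"])
    low, high = LIMITS.get(rec["tag"], (float("-inf"), float("inf")))
    if not low <= new <= high:
        reasons.append("out_of_range")
    if old > 0 and abs(new - old) / old > MAX_STEP_FRACTION:
        reasons.append("large_step")
    return reasons


def analyse(setpoint_log, session_log):
    """Return one finding per suspicious write, with the remote sessions active at that time."""
    sessions = build_sessions(session_log)
    findings = []
    for line in setpoint_log.splitlines():
        rec = parse_line(line)
        if rec["event"] != "write":
            continue
        reasons = check_write(rec)
        if not reasons:
            continue
        remote = active_sessions(sessions, rec["ts"])
        findings.append({
            "ts": rec["ts"].isoformat(),
            "tag": rec["tag"],
            "old": float(rec["old"]),
            "new": float(rec["new"]),
            "reasons": reasons,
            "remote_sessions": [s["src"] for s in remote],
            "unexpected_remote_src": [s["src"] for s in remote if s["src"] not in ALLOWED_REMOTE_SRC],
        })
    return findings


if __name__ == "__main__":
    for finding in analyse(SETPOINT_LOG, REMOTE_SESSIONS_LOG):
        print(finding)
```

Only the 11,100 write is flagged (both out of range and a >200% step), and it is tied to a session from a source that is not the vendor's jump host; the routine 100 to 105 adjustment during a legitimate session and the operator's reversal pass. The range check is a plant-side safeguard that does not depend on the remote-access product at all, which is the point: the tool's own logging told the operator nothing except that someone was connected.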

2021-02-05

Ransomware Hits Brazilian Utility Companies

Networks at two Brazilian utility companies have been hit with ransomware attacks. The ransomware operators stole and leaked data from at least one of the companies; that information includes network access credentials and engineering plans. While both Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) have had to temporarily suspend some administrative operations, the attacks had no impact on the companies' ability to provide power.


2021-02-08

Google Launches Open Source Vulnerability Website

Google has launched the Open Source Vulnerabilities website, "a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source." Google is also starting a conversation about open source project security, proposing "a framework for shifting the discussion around vulnerabilities in open source."

Editor's Note

This initiative is very important and the Google blog on the subject informative. Neither open source nor proprietary development is delivering the reliability or quality that are needed. We must dramatically and urgently improve code quality to shore up our crumbling infrastructure. Both transparency and accountability are necessary and current practices are delivering neither.

William Hugh Murray

Solid concepts. Back in 2014 when the Heartbleed OpenSSL vulnerabilities were discovered, Google was one of the founding members of the Core Infrastructure Initiative that had similar goals, including a focus on "open source supply chain security." However, that seemed to go dormant around 2016. There seem to be many of these voluntary efforts that lose steam for lack of a continued forcing function. In the food industry, the loss of revenue after signs on restaurants and notices in newspapers that the restaurant was closed due to discovered vermin infestations or potentially poisonous ingredients found seems to result in higher levels of essential restaurant hygiene than restaurant trade association websites.

John Pescatore

The Rest of the Week's News


2021-02-05

German Authorities Seize Bitcoin Wallet Worth $60M, But Don't Have the Password

Authorities in Germany have seized a bitcoin wallet that contains more than 50 million euros ($60 million) worth of the cryptocurrency, but the owner of the wallet has refused to disclose the password. That individual served more than two years in prison for hijacking other people's computers to mine the bitcoin. If authorities ever manage to gain access to the wallet, the bitcoin will be sold, and the proceeds given to the state treasury.

Editor's Note

Key escrow is critical with encryption, particularly with valuable assets. Make sure that your enterprise can recover the password for corporate information protected by employees. When using a password vault, make sure that you can also recover the password to that vault, or that it is stored in a known secure location and kept updated.

Lee Neely
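The escrow the note above calls for has a standard construction: split the vault's recovery password into shares held by separate custodians, so that no individual (and no single seized device) holds it, but any agreed quorum can reconstruct it. The following is an added example, not from the newsletter or any vault product, of Shamir secret sharing over a prime field in plain Python. The custodian roles, the 3-of-5 policy and the sample password are made up; the 4-byte hash tag folded into the secret is an addition so that a reconstruction from too few or wrong shares is rejected instead of returning garbage.

```python
"""Added example, not from the newsletter: escrow a vault recovery password as
Shamir secret shares, so no single custodian holds it but any `threshold` of
them together can recover it. Custodian names and the sample password are made up."""
import hashlib
import secrets

PRIME = 2**521 - 1  # Mersenne prime; encoded secrets of up to 60 bytes stay below it


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > 60:
        raise ValueError("secret longer than 60 bytes: split it or use a larger field")
    # 0x01 marker preserves length/leading zeros; 4-byte hash tag lets recovery detect garbage.
    tag = hashlib.sha256(secret).digest()[:4]
    s = int.from_bytes(b"\x01" + tag + secret, "big")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]  # random a1..a(k-1)
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate at x=0; returns the secret, or None if the shares don't fit."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    if raw[:1] != b"\x01" or len(raw) < 5:
        return None
    tag, secret = raw[1:5], raw[5:]
    return secret if hashlib.sha256(secret).digest()[:4] == tag else None


if __name__ == "__main__":
    vault_password = b"vault-recovery:Tr0ub4dor&3"  # constructed sample
    custodians = ["ciso", "it-director", "backup-admin", "legal", "auditor"]
    issued = dict(zip(custodians, split_secret(vault_password, threshold=3, shares=5)))
    quorum = [issued["ciso"], issued["legal"], issued["auditor"]]
    print("3 of 5 recover:", recover_secret(quorum) == vault_password)
    print("2 of 5 recover:", recover_secret(quorum[:2]))
```

Two of five shares reveal nothing about the secret (any value is equally consistent with them), which is what makes this safer than a sealed envelope in one drawer. The operational half of the note still applies: record who holds which share and the threshold, and rehearse recovery whenever the vault password rotates, because shares of an old password are worthless.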

2021-02-05

SitePoint Data Breach

Web-development resource website SitePoint has disclosed a 2020 data breach in which the attackers stole a customer database which was eventually leaked online. Compromised information includes names, email addresses, hashed passwords, usernames, and IP addresses. Some SitePoint users say they have received spam that is likely related to the breach.

Editor's Note

The hack coincided with their promotion of "Hacking for Dummies" by Kevin Beaver. The good news is that these were salted password hashes, making compromise more difficult. If you reused your SitePoint password elsewhere, or have an old account you've not used, change those passwords.

Lee Neely
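Why salted hashes make a leaked database harder to exploit is easy to show. The script below is an added example, not SitePoint's code, and the user table and wordlist in it are constructed. It contrasts an unsalted SHA-1 table, where one precomputed wordlist cracks every user who chose the same password at once, with per-user salted PBKDF2-HMAC-SHA256, where every (user, candidate) pair costs the attacker a full key-derivation run. The iteration count and the storage format are this example's choices, not SitePoint's.

```python
"""Added example, not SitePoint's code: why salted, iterated password hashes blunt an
attack on a leaked user database. The user table and wordlist below are constructed."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster


def unsalted_sha1(password):
    """The weak scheme: identical passwords produce identical hashes, site-wide."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash stored as a self-describing string: algo$iters$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations,
                                      base64.b64encode(salt).decode(),
                                      base64.b64encode(dk).decode())


def verify_password(password, stored):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(actual, base64.b64decode(dk_b64))  # constant-time compare


# Constructed sample data: two users who reused the same weak password.
USERS = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "xq7#Lp9!vR2m"}
WORDLIST = ["password", "123456", "Summer2020!", "letmein"]


def unsalted_table():
    return {u: unsalted_sha1(p) for u, p in USERS.items()}


def salted_table(iterations=ITERATIONS):
    return {u: hash_password(p, iterations=iterations) for u, p in USERS.items()}


def crack_with_precomputed_table(leaked):
    """Unsalted: hash the wordlist once, then look up every leaked row for free.
    Returns (user -> password, number of hash computations)."""
    table = {unsalted_sha1(w): w for w in WORDLIST}
    return {u: table[h] for u, h in leaked.items() if h in table}, len(WORDLIST)


def crack_salted(leaked):
    """Salted: no shared table; every (user, candidate) pair costs a full KDF run.
    Returns (user -> password, number of KDF computations)."""
    found, kdf_runs = {}, 0
    for user, stored in leaked.items():
        for word in WORDLIST:
            kdf_runs += 1
            if verify_password(word, stored):
                found[user] = word
                break
    return found, kdf_runs


if __name__ == "__main__":
    print(crack_with_precomputed_table(unsalted_table()))
    print(crack_salted(salted_table()))
```

Both attacks still recover the reused weak password; salting does not rescue a bad password, it only removes the shared lookup table and forces per-user, per-guess work, which is why the note's advice to change any reused password stands. PBKDF2 is used here because it is in the standard library; where available, a memory-hard function such as Argon2id or scrypt is the better choice.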

2021-02-05

Google Patches Chrome Zero-day

Google has fixed a heap overflow memory corruption vulnerability (CVE-2021-21148) in the V8 JavaScript engine. The flaw is being actively exploited. Users are urged to update to Chrome 88.0.4324.150 for Windows, macOS, and Linux, which was released to the stable channel last week.

Editor's Note

Make sure that you're updating Chromium-based browsers, as well: Edge, Brave, etc. Note that the Chromium latest version and the latest browser version may not match, e.g., Edge is 88.0.705.63 while Brave is V1.19.92. As there is a published exploit for CVE-2021-21148 in the wild, assume it is being actively exploited.

Lee Neely

2021-02-08

NextGen Gallery WP Plugin Vulnerabilities Fixed in Update

The publisher of the NextGen Gallery plugin for WordPress has released an updated version that addresses two cross-site request forgery (CSRF) vulnerabilities. The flaws could be exploited to take control of vulnerable websites. NextGen Gallery has more than 800,000 installations. Users should upgrade to version 3.5.0 or newer.

Editor's Note

The patched version of the plugin was released December 17th. Even with automatic updates, make sure that your plugins are updated, and remove the unused ones. While the volume and adoption of plugins for WordPress drives warnings at least weekly, you can mitigate much of the risk by enabling auto-updates for plugins, removing unneeded ones, and installing a WAF. If you do install a WAF, make sure that you understand how frequently it's updated to understand your exposure to newly discovered vulnerabilities.

Lee Neely

The WordPress plugin vulnerability of the week. WordPress plugins are a major source of vulnerability. They come with no representation or assurance of quality. They should be used sparingly, and, where used, actively policed.

William Hugh Murray

2021-02-08

Stolen Healthcare Data Leaked

Ransomware operators have leaked large quantities of data stolen during attacks against Florida-based Leon Medical Centers and Nocona General Hospital in Texas. The attack against Leon Medical Centers took place in November 2020; it is not clear when data were stolen from Nocona General Hospital.

Editor's Note

Back in July 2016, the US Department of Health and Human Services Office for Civil Rights issued HIPAA guidance that said that all successful ransomware attacks should be considered as reportable security incidents, not just as denial of service attacks. If the attackers encrypted patient health information, they (and not the patient) had control of it ("acquired" it in HIPAA terminology) and thus an unauthorized disclosure had occurred.

John Pescatore

2021-02-05

NIST Issues Guidance on Protecting Controlled Unclassified Information

The US National Institute of Standards and Technology (NIST) has released SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication provides "recommendations for enhanced security requirements to provide additional protection for Controlled Unclassified Information (CUI) in nonfederal systems and organizations when such information is associated with critical programs or high value assets."

Editor's Note

NIST SP 800-171 focused on protecting confidentiality; SP 800-172 adds suggested protections for integrity and availability as well as discussion around the value and purpose of each control to aid understanding. These two publications are examples of how to flow down protection requirements for consistent protection of sensitive information. Make sure to leverage a known referenceable standard, as well as a clear definition of your data sensitivity wherever you are having someone else process it, such as cloud, outsourcer, or service bureau. Include this in your contract language. Then verify the controls are in place, not just at inception, but throughout the life of the contract.

Lee Neely

2021-02-08

FERC Proposed Rulemaking: Cybersecurity Incentives for Electric Companies

Proposed rulemaking from the Federal Energy Regulatory Commission (FERC) would offer incentives for electric companies to implement cybersecurity improvements that exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST). FERC is accepting comments on the proposal until April 6, 2021.

Editor's Note

As FERC looks at potential incentives that could be offered to electric entities, they need to consider what the measuring stick will be to determine adequate achievement of "exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST)". It would be far more appropriate to measure entity implementations that exceed the existing CIP Standards applicable at a particular site based on the determined impact rating of the site. Additionally, entities truly need flexibility in recategorizing expenditures associated with cybersecurity initiatives beyond just the initial CapEx spend to include traditional cybersecurity-related O&M spend. This ability to leverage incentive plan elements to pursue cybersecurity tasks associated with programs focused on asset inventory, configuration validations, ICS network collection and response capabilities, and workforce development opportunities would significantly help the industry. This action alone could have a significant positive impact on the cybersecurity of our nation's critical infrastructure. The concepts of incentivizing additional security controls around moving CIP Low to Med and Med to High treatment will encourage and help fund security improvements at interconnected sites that have by definition a Low impact on the electric system, but have trusted communications paths into higher criticality sites, so they represent the weakest link and will benefit greatly from additional security investments. The concepts around hub and spoke incentives need careful architectural and operations-based engineering review to determine if the benefits outweigh the additional risks in each entity's unique system.

Tim Conway

The proposed rules provide for incentives on two types of 'going beyond the minimum.' The first doesn't make much sense: Incentives for applying security controls for high and medium impact systems to low impact systems. This would kind of be like giving auto manufacturers financial incentives for making coffee cup holders more crash-resistant. The second incentive is kind of a variant on the same theme: a "hub and spoke" incentive if all low impact systems' external connectivity is routed through presumably more secure high impact systems. This could make more sense but could also result in exploitable low impact systems becoming pathways into high impact systems. An example might be a small/low-impact hydropower system with external connectivity for remote monitoring. If compromised, minimal impact - but if financial incentives resulted in that small/low-impact facility being networked to a major dam or water supply system, did overall risk go up or down?

John Pescatore

2021-02-08

Android Barcode Scanner App Got a Malicious Update in December

Late last year, Android users began reporting that ads were opening on their default browsers for no detectable reason. Investigation revealed that the source of the ads was a barcode scanning app that had been available in Google Play for years. A December 4, 2020 update to Lavabird Ltd.'s Barcode Scanner appears to have turned the app malicious. Google has removed the app from the store.

Editor's Note

The update to the app included obfuscated malicious code, rather than a change to the SDK which changed advertisement behavior. While Google has raised the bar on Android applications, a lot of applications have not been reviewed for proper security/behavior. In this case, the app was removed from the Play Store, not Play Protect, so it will not be uninstalled on devices automatically. Even so, allowing only applications from the Play Store or your corporate App Store is best practice. On Android, your MDM can also be used to disable or otherwise block banned or otherwise disallowed applications.

Lee Neely

Internet Storm Center Tech Corner

VBA Macro Trying to Alter the Application Menus

https://isc.sans.edu/forums/diary/VBA+Macro+Trying+to+Alter+the+Application+Menus/27068/


Tshark and Malware Analysis

https://isc.sans.edu/forums/diary/Quickie+tshark+Malware+Analysis/27076/


The Great Suspender Going Malicious

https://www.zdnet.com/article/google-kills-the-great-suspender-heres-what-you-should-do-next/

https://github.com/greatsuspender/thegreatsuspender/issues/1263


Barcode Scanner Going Bad

https://blog.malwarebytes.com/android/2021/02/barcode-scanner-app-on-google-play-infects-10-million-users-with-one-update/


Google Chrome Zero Day

https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html


Plex Media SSDP Amplification DDoS

https://www.netscout.com/blog/asert/plex-media-ssdp-pmssdp-reflectionamplification-ddos-attack


Morse Code Obfuscation

https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/


Firefox Update

https://www.mozilla.org/en-US/security/advisories/mfsa2021-06/


Water Treatment Facility Compromised

https://www.reuters.com/article/us-usa-cyber-florida/hackers-broke-into-florida-towns-water-treatment-plant-attempted-to-poison-supply-sheriff-says-idUSKBN2A82FV