SANS NewsBites

SolarWinds Hack Code Includes the Work of Hundreds of Developers; Expansion of the Ransom/Ransomware Pandemic

February 16, 2021  |  Volume XXIII - Issue #13

Top of the News


2021-02-15

Microsoft: SolarWinds Hack Code Includes the Work of Hundreds of Developers

Microsoft’s analysis of the code used in the SolarWinds supply chain attack suggests it includes the work of more than 1,000 developers. Microsoft president Brad Smith told TV news program 60 Minutes that “from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”


2021-02-15

FS-ISAC: Single Threat Actor Hit Organizations with DDoS Ransom Attacks

The Financial Services Information Sharing and Analysis Center (FS-ISAC) says that in 2020, more than 100 financial services organizations were targeted with distributed denial-of-service (DDoS) extortion attacks. All the attacks were launched by the same threat actor.

Editor's Note

This highlights the value of sharing cyber intelligence within your industry. To do that you need secure communication mechanisms. FS-ISAC was created to provide and facilitate that in the financial sector as well as provide intelligence and insight needed to make good decisions.

Lee Neely

2021-02-14

Canadian Vehicle Rental Company Hit with Ransomware

Discount Car and Truck Rentals, a Canadian division of US-based Enterprise Holdings, has disclosed that it is recovering from a ransomware attack. The ransomware operators have also reportedly stolen data. The attack affected systems at the Discount Car and Truck Rentals headquarters office. As of Sunday morning, February 14, customers were not able to book or manage rentals online.

Editor's Note

I was just contacted by a colleague working with a client recovering from a ransomware attack. On Day 0, they were confident they had backups and could fully restore. By Day 3, they discovered a configuration error in their backup system, rendering most of their backups largely unusable, as well as leaving the task of re-imaging hundreds of workstations, one by one. I have had to be the bearer of bad news that the backups were only marginally effective; that is one of the hardest conversations to have with management, particularly if you had previously assured them otherwise. Key takeaways are: verify your backups, including your ability to restore them; have a gold image for building systems before you need it; identify resources, including contract and funding requirements, needed to rebuild at scale.

Lee Neely
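The "verify your backups, including your ability to restore them" takeaway above is usually left as advice. The following is an added example (not code from the newsletter) of what that verification looks like when automated: at backup time a manifest of relative path to SHA-256 is recorded for everything that must survive; after a test restore the restored tree is rehashed and diffed against the manifest. It reproduces the failure described in the note with a constructed backup job whose exclude setting accidentally covers a live data directory; the files, directory names and the `backup_job` function are all constructed for the example.

```python
"""Backup restore verification against a content manifest.

Added example prompted by the editor's note; it is not code from the newsletter.
It models the failure described there: a backup job that reports success but,
through a configuration error, silently omits part of the data. Approach: at
backup time record relative path -> SHA-256 for everything that must survive;
after a test restore, rehash the restored tree and diff it against the manifest.
All files and the misconfigured backup job are constructed in a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def file_sha256(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root ('/'-separated relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> Dict[str, object]:
    """Compare a restored tree with the manifest taken from the live system."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"missing": missing, "corrupted": corrupted, "extra": extra,
            "ok": not missing and not corrupted}


def backup_job(src: Path, dst: Path, excluded_top_dir: Optional[str] = None) -> None:
    """Constructed stand-in for a backup job. With excluded_top_dir set it
    reproduces the misconfiguration: an exclude pattern that covers live data."""
    for p in src.rglob("*"):
        rel = p.relative_to(src)
        if excluded_top_dir and rel.parts[0] == excluded_top_dir:
            continue
        if p.is_file():
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)


# Constructed sample data set (paths and contents are made up for the example).
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,account,amount\n2021-02-01,1001,42.00\n",
    "finance/2020/q4.xlsx": b"\x50\x4b\x03\x04 constructed spreadsheet bytes",
    "hr/staff.db": b"SQLite format 3\x00 constructed db bytes",
    "config/app.ini": b"[app]\nmode=prod\n",
}


def run_scenario(excluded_top_dir: Optional[str] = None,
                 corrupt_path: Optional[str] = None) -> Dict[str, object]:
    """Create the live tree, take the manifest, run the backup job, optionally
    damage one restored file, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        for rel, data in SAMPLE_FILES.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(live)       # taken when the backup is made
        backup_job(live, backup, excluded_top_dir)
        if corrupt_path:
            (backup / corrupt_path).write_bytes(b"truncated or bit-rotted copy")
        return verify_restore(manifest, backup)


if __name__ == "__main__":
    print("healthy backup:", run_scenario())
    print("misconfigured :", run_scenario(excluded_top_dir="finance",
                                          corrupt_path="hr/staff.db"))
```

The point of the restore-side check is that a backup log saying "completed" proves nothing about what was captured; only rehashing a restored copy against a manifest taken from the live system does. Run against a scheduled test restore, the report's `missing` list is exactly the Day 3 discovery the note describes, found on Day 0 instead.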

Ransomware attacks are not just cybersecurity attacks. They are also business interruption events and can have significant impact on an organization’s ability to continue doing business. You should include ransomware attacks as part of your Business Continuity Planning and run several exercises to determine how best your organization can continue operating should they become a victim of such an attack.

Brian Honan

2021-02-15

French Hospital Suffers Ransomware Attack

The Centre Hospitalier de Dax-Côte d’Argent, in southwest France, is recovering from a ransomware attack that occurred earlier this month. The incident has affected the hospital’s ability to offer patient care and has impacted its switchboard.

The Rest of the Week's News


2021-02-14

Book Excerpt

An excerpt from Nicole Perlroth’s recently published book, This Is How They Tell Me the World Ends, which examines the zero-day vulnerability market.


2021-02-12

Florida Water Treatment Plant Incident

Several sets of access credentials for the Oldsmar, Florida, water treatment plant system were found in a batch of data posted online shortly before the breach. A joint alert issued by the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency, and the Multi-State Information Sharing and Analysis Center provides an overview of the incident and suggests mitigations.

Editor's Note

The mitigation advice is straightforward essential security hygiene. The What-Not-to-Dos and the What-to-Dos are as well-known as “to lose weight, don’t eat as much and do exercise more” but the ways to overcome the obstacles to change are not focused on. One successful strategy that translates from weight control to security hygiene: focus on one major thing to get started. In weight control, stop drinking soda! In security hygiene, stop allowing remote access with reusable passwords. Make that happen – then try to replace fried foods (Windows 7 or older) with broiled (Windows 10) and buy a scale (firewall) and use it (positive firewall policy) etc. But, first conquer that sugary soda (reusable passwords) habit!

John Pescatore

Where you still have to have reusable passwords, look to NIST 800-63 for guidance on long passphrases which are only changed when breached. This necessitates incorporating breach detection in your password management processes. There are tools that can integrate with AD and other password management systems to prevent selection of breached passwords, as well as continuous auditing to notify when a chosen password is breached. Understand how these work: they often use a partial hash to get candidates, with the actual hash comparison done on your systems.

Lee Neely
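The "partial hash to get candidates, with actual hash comparison on your systems" mechanism in the note above is the k-anonymity range query used by public breached-password services (Have I Been Pwned's Pwned Passwords range API is the best-known instance). The following is an added example, not code from the newsletter or from any vendor tool, showing the scheme end to end: the client discloses only the first 5 hex characters of the candidate's SHA-1, receives every breached suffix in that range with a breach count, and compares the full suffix locally, so the complete hash never leaves the system. The range service, the breach corpus and the `MIN_PASSPHRASE_LEN` policy value are constructed for the example.

```python
"""Breached-password screening with a hash-prefix (k-anonymity) range query.

Added example for the editor's note; not code from the newsletter or from any
vendor product. It assumes the scheme used by public breached-password services:
the client sends only the first 5 hex characters of the candidate's SHA-1, gets
back every known-breached suffix in that range with a breach count, and does the
full comparison locally. The range data below is constructed for the example.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5           # hex characters disclosed to the range service
MIN_PASSPHRASE_LEN = 15  # local policy choice for this example, not a NIST figure


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the service, suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def build_fake_range_service(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the remote service: prefix -> 'SUFFIX:COUNT' lines.

    Only suffixes of the constructed sample passwords plus deterministic filler
    are present; a real service returns hundreds of suffixes per prefix.
    """
    ranges: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    for prefix in list(ranges):
        for i in range(3):  # filler so a response never singles out one candidate
            filler = hashlib.sha1(f"filler-{prefix}-{i}".encode()).hexdigest().upper()
            ranges[prefix].append(f"{filler[PREFIX_LEN:]}:1")

    def query(prefix: str) -> str:
        return "\r\n".join(ranges.get(prefix.upper(), []))

    return query


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, query_range: Callable[[str], str]) -> int:
    """Number of breaches the password appears in (0 if unknown to the corpus)."""
    prefix, suffix = split_hash(password)
    # Only the prefix crosses the wire; the suffix match happens here.
    return parse_range_response(query_range(prefix)).get(suffix, 0)


def password_allowed(password: str, query_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Policy check: long enough and absent from the breach corpus."""
    if len(password) < MIN_PASSPHRASE_LEN:
        return False, f"shorter than {MIN_PASSPHRASE_LEN} characters"
    hits = breach_count(password, query_range)
    if hits:
        return False, f"appears in {hits} known breaches"
    return True, "accepted"


# Constructed sample corpus (passwords and counts are made up for the example).
SAMPLE_BREACHED = {
    "password123": 123456,
    "Spring2021!": 842,
    "correct horse battery staple": 17,
}
SERVICE = build_fake_range_service(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple",
                      "quiet harbor lantern 7 mosaic"]:
        print(candidate, "->", password_allowed(candidate, SERVICE))
```

The same `breach_count` can back both uses the note mentions: a check at password-set time, and a periodic re-audit of stored hashes (the prefix lookup needs only the hash, never the plaintext). If the range service is unreachable, decide explicitly whether the check fails open or closed; silently treating an empty response as "not breached" is the mistake to avoid.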

Strong authentication ("at least two kinds of evidence, at least one of which is resistant to replay") is the single most efficient security mechanism that we have. It is essential in all but the most trivial applications.

William Hugh Murray

2021-02-13

Phone Company Employee Charged in SIM Swapping Case

A Florida man who worked for a phone company is facing charges for allegedly taking advantage of his access to customer data to take control of 19 phone numbers. A co-conspirator allegedly paid Stephen Daniel DeFiore $2,325 to switch out SIM cards belonging to customers.

Editor's Note

Privileged insiders continue to be a concern. The best mitigation is multi-person controls for sensitive operations, with monitoring and change management where appropriate. Even so, that has to be coupled with risk management processes to determine and reassess which actions are defined as sensitive operations.

Lee Neely

2021-02-11

Washington State Bill Would Centralize Government Cybersecurity

Following a breach that exposed citizens’ personal information, the US state of Washington is seeking to consolidate state cybersecurity operations in one office. Washington Governor Jay Inslee has called for the state’s Office of Cybersecurity to shift from an advisory body to agencies to an entity that oversees IT security for all state government agencies.

Editor's Note

This one is a long time coming and, hopefully, more states will follow. Every state has a State CISO, but not every State CISO has the authorities and responsibilities for all of the state agencies, departments, boards, councils, commissions, etc., that fall under the executive branch. This puts the governor at a serious disadvantage of not completely understanding the cybersecurity risk their state faces, since the responsibilities are so distributed and there is no single organization driving comprehensive enterprise security.

Mark Weatherford

2021-02-15

Dutch Research Council Network Hit with Cyberattack

The network of the Dutch Research Council (NWO) is temporarily unavailable due to a cyberattack. NWO funds scientific research at universities and institutes. While the organization’s website has not been affected, the system that processes grant applications is currently unavailable.


2021-02-12

Two More Organizations Affected by Accellion Breaches

The University of Colorado and telecommunications company Singtel have both been impacted by data breaches that were conducted through a vulnerability in Accellion’s File Transfer Appliance (FTA). The company recently announced that it is ending support for FTA.

Editor's Note

It’s hard to entertain replacing a service like this FTA, which was stable and working for twenty years. Include service lifecycle timelines when implementing solutions rather than scrambling after a catastrophic failure. When transferring data with mandatory protections, such as privacy data, look to either additionally encrypt those files or, at a minimum, add a password to prevent access in the event of a transfer service compromise.

Lee Neely

Internet Storm Center Tech Corner

AgentTesla Dropped Through Automatic Click in Microsoft Help File

https://isc.sans.edu/forums/diary/AgentTesla+Dropped+Through+Automatic+Click+in+Microsoft+Help+File/27092/

Securing and Optimizing Networks Using pfSense Traffic Shaper to Combat Bufferbloat

https://isc.sans.edu/forums/diary/Securing+and+Optimizing+Networks+Using+pfSense+Traffic+Shaper+Limiters+to+Combat+Bufferbloat/27102/

Bloomberg Supermicro Story

https://www.bloomberg.com/features/2021-supermicro/

https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/

Power Outages and Some Network Outages as a Result

https://downdetector.com

Telegram Used to Defraud Delivery Services

https://thefintechtimes.com/sift-finds-new-telegram-fraud-exploiting-increasing-use-of-food-delivery-services/

Singtel Suffers Zero-Day Cyberattack

https://threatpost.com/singtel-zero-day-cyberattack/163938/

Vulnerabilities in Mobile Health Apps (PDF)

https://approov.io/download/all-that-we-let-in_hacking-mhealth-apps-and-apis.pdf

Apple to Proxy Safe Browsing Requests

https://twitter.com/othermaciej/status/1359736220809531393

Phone Scam Success Rates

https://www.helpnetsecurity.com/2021/02/15/lost-money-to-phone-scams/

https://nakedsecurity.sophos.com/2021/02/12/sms-tax-scam-unmasked-bogus-but-believable-dont-fall-for-it/