SANS NewsBites

India says China Not Responsible for Power Sector Cyber Attacks; Oxford COVID Lab Targeted; NCSC Free Cybersecurity Tool for Small Businesses; United Health Services Says Ransomware Cost $67M

March 2, 2021  |  Volume XXIII - Issue #17

Top of the News


2021-03-01

Indian Government Refutes Reports that China is Responsible for Power Sector Cyber Attacks

According to a report from cybersecurity company Recorded Future, hackers with ties to China’s government are behind a series of cyberattacks targeting power generation and distribution facilities in India. Ten Indian power organizations have been targeted since mid-2020. The report posits that the campaign may be responsible for an October 2020 power outage in Mumbai. India’s Ministry of Power responded to the allegations, saying, "There is no impact on any of the functionalities carried out by POSOCO (Power System Operation Corporation) due to the referred threat." (An executive summary of the Recorded Future report is below; access to the full white paper requires registration.)


2021-02-26

Oxford Univ. COVID Research Lab Targeted by Hackers

Hackers gained access to computers at the Division of Structural Biology lab at Oxford University (UK). The lab is conducting COVID-19-related research. The compromised machines are “used to purify and prepare biochemical samples.” The National Cyber Security Centre (NCSC) has been notified and will conduct an investigation.

Editor's Note

Lab equipment needs proper segmentation to protect it from hacking and to ensure the integrity of the experiments and the corresponding data. With the current crisis, many services were set up quickly to accommodate adjustments in work locations. Those configurations may also include providing remote access to systems like this. Don’t wait for someone else to find gaps in your hurried implementations; review the configuration, making sure that security best practices are followed, particularly strong authentication. If remote access is no longer needed, remove it.

Lee Neely

2021-03-01

NCSC Free Cybersecurity Tool for Small Businesses

The UK’s National Cyber Security Centre (NCSC) has established a free online service to help small businesses develop a customized cyber security action plan. The “Cyber Action Plan” tool is currently available to sole traders and small businesses; availability for individuals and families is forthcoming.

Editor's Note

Small businesses have difficulty knowing where to start. This tool helps; it provides specific recommendations to get going. One thing to pay attention to is an asset lifecycle. I have often visited businesses with equipment that is ten or more years old, where the bar for compromise has become quite low. Equipment sold to small businesses is not always at the same level of sophistication as enterprise offerings and necessitates a shorter lifecycle as well as regular verification that they are updated and still secure.

Lee Neely

Small businesses are targets, not because the value of a successful attack is high, but because the cost of attack is low.

William Hugh Murray

This will help companies navigate their way through the maze they see around cybersecurity. The UK’s NCSC has been proactive in providing businesses with free and independent guidance on how to keep their systems secure – a model I hope many other governments will adopt.

Brian Honan

2021-02-26

United Health Services Estimates 2020 Ransomware Attack Cost Them $67M

Universal Health Services, which experienced a ransomware attack in the fall of 2020, now says that the incident cost the organization $67 million in losses due to patients being diverted to other facilities, delayed billing, and the cost of restoring connectivity. The information was disclosed in an earnings statement released late last month. (Please note that the WSJ story is behind a paywall.)

Editor's Note

While cyber may feel like insurance with little to no ROI in the boardroom, recovery costs and shareholder impact change the equation. Prevention is cheaper than response and recovery. Prioritize fixes with large returns such as differential backups and ubiquitous use of multi-factor authentication. Review security best practices for both remote access and newly provisioned cloud services to make sure nothing is missed. Lastly, make sure that your incident response plan is up to date and tested, rather than a letter to your successor.

Lee Neely

The Rest of the Week's News


2021-02-26

US House SolarWinds Hearing

On Friday, February 26, the US House of Representatives Homeland Security and Oversight and Reform Committees held a joint hearing on the SolarWinds supply chain attack. Executives from SolarWinds, FireEye, and Microsoft testified. Current and former SolarWinds CEOs Sudhakar Ramakrishna and Kevin Thompson faced pointed questioning regarding the company’s security culture. Homeland Security Committee chair Bennie G. Thompson said that laws needed to be updated to address the issues raised by the SolarWinds attack. Representatives Michael McCaul (R-Texas) and Jim Langevin (D-Rhode Island) plan to introduce a breach disclosure bill that would require companies to notify the government in the event of breaches.

Editor's Note

Monitoring, detection, and incident response capabilities must be in place before reporting is possible. Reducing dwell time by discovery of malicious or unusual behavior is key and requires sufficient visibility into the enterprise services, whether legacy or cloud based, before you become a headline. An intern choosing and publishing a bad password is not a failing of the intern; it is a failing of the company processes to properly train and support them.

Lee Neely

While useful, and perhaps even necessary, "breach disclosure" operates late. Prevention operates early but is more difficult to legislate. It might well start with legislation that requires transparency and accountability for all distributions.

William Hugh Murray

2021-02-26

Microsoft Open-Sourcing CodeQL Queries

Microsoft is releasing the CodeQL queries it used to analyze source code during its investigation of the SolarWinds supply chain attack. Other organizations can use the tool to help them determine if their systems were infected by the attack.


2021-02-26

Logix PLC Hard-Coded Vulnerability

A severe vulnerability in Rockwell Automation’s Logix programmable logic controllers (PLCs) can be remotely exploited to alter the devices’ application code and configuration. The issue lies in a hard-coded encryption key. Affected devices include Studio 5000 Logix Designer, RSLogix 5000, and numerous Logix Controllers. Rockwell has suggested mitigations and user actions to protect vulnerable systems.

Editor's Note

Nowhere in the CERT Alert or in the Rockwell Automation site’s mitigation guidance did I see “deploy patched version of the badly designed, vulnerable software that contains a hardcoded encryption key.” There does not seem to be a patch available or any reference to a planned patch. The mitigation guidance is pretty much “it will hurt if you do that, so don’t do that.” The reality is that deploying patches to PLCs is hard, disruptive, and expensive – really good reasons that vendors that sell to that market should be taking security seriously from the start.

John Pescatore

PLCs need isolation, as they don’t respond well to unwelcome advances. There is no patch here, only mitigations. Segmentation, which means permitting connections only from authorized devices, is key. Do not enable direct Internet access. Additionally review Rockwell’s System Security Design Guidelines for defense-in-depth configuration of automation systems. https://literature.rockwellautomation.com/idc/groups/literature/documents/rm/secure-rm001_-en-p.pdf

Lee Neely

2021-02-27

NSA Publishes Zero-Trust Guidance

The US National Security Agency (NSA) has published guidance for organizations wanting to implement the Zero Trust security model, noting that Zero Trust “requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.” The document describes the basic principles of Zero Trust, outlines the benefits and challenges of its implementation, and offers recommendations for organizations that want to adopt the model.

Editor's Note

Implementing Zero Trust requires supporting underlying practices to monitor the available services for maleficence. The endpoint becomes the security boundary, necessitating strong configuration management, monitoring and updating along with good business practices and a mature security model. You also need layer 7 visibility and monitoring, and an understanding of how services are authorized to communicate. Operational Technology, SCADA and ICS systems may not be good candidates for Zero Trust.

Lee Neely

Zero Trust is an 11-year-old buzzword that basically means “Implement all of the Critical Security Controls” and then go further. You cannot start at the Zero Trust level; you have to have a secure foundation.

John Pescatore

The steps in "zero trust" should be taken in the order of efficiency. One starts with strong authentication, and then moves on to end-to-end application layer encryption. These two things are highly efficient. The next two steps are first horizontal process to process authentication and then vertical.

William Hugh Murray

2021-02-26

T-Mobile Discloses Customer Data Breach

Telecommunications provider T-Mobile has disclosed that a data breach compromised customer information, including names, Social Security numbers, account numbers and associated PINs, and account security questions and answers. Some of the data appear to have been used in SIM-swapping attacks. T-Mobile notified affected customers in February.

Editor's Note

If you’ve enabled a PIN to protect your T-Mobile account from SIM-swapping attacks, change it now. Also change your account password as well as your security questions and answers. Set a PIN on your account if you don’t have one. T-Mobile is offering two free years of credit-monitoring and identity theft protection to affected users. If you don’t already have it, now is a good time to get credit monitoring started.

Lee Neely

T-Mobile customers who rely upon their mobiles for authentication should be sensitive to evidence of compromise such as not receiving calls or one-time passwords that they expect. T-Mobile must increase customer authentication for requests for remedies for this breach; attacks will look like requests for remediation. This authentication may have to include having the customer present credentials like driver’s licenses or passports. This breach demonstrates a limitation on the use of SMS for the distribution of one-time passwords.

William Hugh Murray

2021-03-01

Chinese Businessman Charged in Attempted Theft of General Electric Intellectual Property

Federal authorities have indicted Chi Lung Winsman Ng for conspiring to steal trade secrets from General Electric (GE). The US Department of Justice said that Ng and unnamed co-conspirators allegedly conspired to steal sensitive data relating to GE’s silicon carbide metal-oxide semiconductor field-effect transistors (MOSFETs). One of the alleged co-conspirators was an engineer at GE for more than seven years.

Editor's Note

A timely reminder that the insider threat is alive and well and adversaries will look to coerce or bribe insiders as part of their attacks.

Brian Honan

Internet Storm Center Tech Corner

Pretending to be an Outlook Version Update

https://isc.sans.edu/forums/diary/Pretending+to+be+an+Outlook+Version+Update/27144/


Geolocating Satori Botnet Scanning Port 26

https://isc.sans.edu/forums/diary/So+where+did+those+Satori+attacks+come+from/27140/


Fun with DNS over TLS

https://isc.sans.edu/forums/diary/Fun+with+DNS+over+TLS+DoT/27150/


Alexa Skill Security (PDF)

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_5A-1_23111_paper.pdf


T-Mobile Data Breach / SIM Swapping

https://beta.documentcloud.org/documents/20492859-t-mobile-feb-2021-bc-data-breach


Gootloader Update

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/


AOL Phishing

https://www.bleepingcomputer.com/news/security/beware-aol-phishing-email-states-your-account-will-be-closed/


Spectre Exploit in the Wild

https://dustri.org/b/spectre-exploits-in-the-wild.html