SANS NewsBites

SolarWinds Even More Victims; $2 Million In Scholarships for talented students interested in cyber

January 8, 2021  |  Volume XXIII - Issue #2

Top of the News


2021-01-07

SolarWinds: Federal Judiciary Electronic Records Possibly Breached

The Administrative Offices of the US Courts is "adding new security procedures to protect highly sensitive confidential documents filed with the courts" following a possible compromise of its Case Management/Electronic Case Files (CM/ECF) system. The Judiciary is auditing the system along with the Department of Homeland Security (DHS).


2021-01-06

SolarWinds: DoJ eMail Accounts Breached

The US Department of Justice (DoJ) says that the hackers behind the SolarWinds supply chain attack breached the department's Office 365 environment and compromised more than 3,000 email accounts. The DoJ Office of the Chief Information Officer (OCIO) detected malicious activity in late December 2020.


2021-01-06

SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia

In a joint statement, the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and The National Security Agency (NSA) wrote, "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks."

Editor's Note

It is highly likely that at least one hostile nation state has gained persistent access to our infrastructure. While much of the access may never be exploited, its existence constitutes an existential threat to our national security. It is time to stop admiring the problem.

William Hugh Murray

Good cybersecurity tools can find the persistent presence of those nation states only when they are deeply and continuously adapted to local conditions by people with elite cyber talent like the folks who found the SolarWinds infection at Mandiant/FireEye. Tools don't find these problems without those hunters and tool adapters, and no nation will be able to withstand sustained cyber attacks without a cadre of world-class hunters. Hunters will be as important in future conflicts as fighter pilots were in World War II. The National Cyber Scholarship Foundation launched a $2 million scholarship program to identify and support the next generation of hunters; more than 25,000 high school students are participating this winter and spring. A parallel collegiate program will be announced in late January.

Alan Paller

2021-01-07

SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its SolarWinds guidance. The January 6, 2021, "supplemental guidance v3 requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2021."

Editor's Note

CISA has three categories of network/systems for response guidance as well as whether or not you were running an impacted version of SolarWinds. If you don't have the required forensic capabilities, CISA will help you locate a qualified provider. CISA also warns that there may be other vulnerabilities in SolarWinds Orion the threat actors have yet to exploit. The best plan for reintroduction of Orion into your environment is to build on freshly provisioned servers from the most current version. Before implementing CISA measures, make sure your organization is not taking a more conservative approach.

Lee Neely

The Rest of the Week's News


2021-01-07

Hackney Data Stolen, Leaked in Ransomware Attack

The ransomware operators responsible for an attack against the network of the Hackney council in London, UK have leaked stolen data. The ransomware attack occurred in October 2020. The council's services are still "significantly disrupted." The stolen information has reportedly been posted on the dark web.

Editor's Note

Given the number of successful attacks against healthcare institutions, it is fair to infer that far too many such institutions are accepting the risk of such attacks. While this may be justified, it simply cannot be acceptable to take that risk while also failing to have a plan for timely remediation.

William Hugh Murray

2021-01-07

Ransomware Hits Minnesota Lake Region Healthcare Network

Lake Region Healthcare (LRHC) in Minnesota was the victim of a ransomware attack in late December 2020. The attack prompted LRHC to initiate EHR downtime procedures. In a public statement, LRHC said they "are providing most of [their] services as usual by operating largely off alternative systems."


2021-01-06

House Passes FedRAMP Bill

The US House of Representatives has passed a bill that codifies the Federal Risk and Authorization Management Program, or FedRAMP. The FedRAMP Authorization Act also establishes an advisory committee "to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities."

Editor's Note

FedRAMP provides a level playing field for assessing the security of cloud services to a known standard, including ongoing monitoring and visibility to issues and responses, known as POA&Ms. Assessing the security of a FedRAMP authorized service is much easier than trying to exercise your "right to audit" and mapping their practices to your security standards. FedRAMP also adds the requirements to support strong authentication, e.g. PIV/SmartCard. Even so, it's up to the agency to either implement the use of smart cards or obtain approval not to from their authorizing official; all FedRAMP customer responsibilities must be addressed in order to obtain an approval to operate (ATO).

Lee Neely

In many areas of information security the federal government lags behind private industry. But FedRAMP and DMARC and DNSSEC are areas where the federal government used its buying power to drive higher levels of security in the broader commercial markets and led the way in adopting more secure use of the Internet and Internet-based services. I'd like to see application security and strong authentication get added to that list for future government adoption to drive markets.

John Pescatore

One agrees with John Pescatore on strong authentication. It resists the fraudulent reuse of compromised credentials, a pervasive risk. It is, at least arguably, our most efficient security measure. One also agrees that application security, especially applications common across enterprises, is essential, though much more difficult to specify or legislate. However, particularly on the desktop, applications are a small part of the attack surface. Most desktops have ten to a hundred times the amount of system code than is actually required by the applications. The vulnerabilities in this code are common and exploited across enterprises. Consider reducing your attack surface by eliminating gratuitous functions.

William Hugh Murray

2021-01-07

Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution

A former employee of Georgia-based Stradis Healthcare has pleaded guilty to computer intrusion for tampering with the company's computer systems. Christopher Dobbins used a secret account he had created to gain access to the Stradis network where he altered and deleted data, hobbling the company's efforts to distribute personal protective equipment (PPE) in spring 2020. Dobbins has been sentenced to one year in prison.

Editor's Note

Stradis terminated Dobbins's regular accounts after he was terminated but missed the secret account he created. Accounts should be validated regularly, not only after creation but on a recurring basis, to ensure only legitimate and active accounts are enabled. Account creation, particularly when assigned privileges, should create an alert or trigger an action.

Lee Neely

Hard to do anything but cheer the sentencing. But, the question of how a "secret account" existed should be a spur to making sure privileged accounts are limited and routinely audited - if not regularly revoked to require regular re-justification for access.

John Pescatore

Transparency and accountability are the primary controls over privileged users. In enterprises with more than one or two such users, consideration should be given to Privileged Access Management software.

William Hugh Murray

2021-01-06

Nissan Source Code Possibly Exposed

Source code for Nissan North America mobile apps and diagnostic tools may have been exposed due to an improperly configured Git server. Nissan says it has secured the server.

Editor's Note

The server had default (admin/admin) credentials. As much has been done of late to make services available to remote workers, verifying the security, including the presence of default credentials, has to be part of service delivery. Security also should be re-verified after installing patches, upgrades, or significant changes.

Lee Neely

2021-01-06

NSA Guidance Urges Updating Outdated TLS Protocols

The US National Security Agency (NSA) has issued guidance urging system administrators to replace obsolete Transport Layer Security (TLS) protocols with updated versions. The guidance offers strategies for detecting obsolete TLS instances (TLS 1.0 and 1.1 as well as SSL 2.0 and 3.0) and for replacing them with newer versions with strong encryption and authentication (TLS 1.2 and 1.3).

Editor's Note

NSA Cyber also set up a valuable GitHub repo with tools (https://github.com/nsacyber/Mitigating-Obsolete-TLS). A tool that should probably be added is Zeek which is ideally suited to detect the use of outdated TLS configurations. It can also be used to verify that certain outdated versions and ciphers are no longer in use, and that it is safe to disable them.

Johannes Ullrich

When implementing strong encryption, be sure to disable weak algorithms as well. The weak algorithms in TLS 1.2 are NULL, RC2, RC4, DES, IDEA, and TDES/3DES. While TLS 1.3 removes these, if you're also supporting TLS 1.2, use an external scanner to verify they are disabled.

Lee Neely
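As an added example (not code from the newsletter, the NSA repository, or Zeek itself), the check the two editor's notes above describe, written as a short Python script over a constructed Zeek ssl.log excerpt: it flags connections that negotiated an obsolete protocol version (SSL 2.0/3.0, TLS 1.0/1.1) or one of the weak TLS 1.2 algorithms listed in the note, and turns the hits into a list of servers to remediate. The log lines, hosts and connection UIDs are sample data; Zeek's version strings (SSLv3, TLSv10, ...) and IANA cipher-suite names are the real spellings.

```python
import re

# Constructed Zeek ssl.log excerpt (sample data, not real traffic) in Zeek's default
# tab-separated ASCII format: the '#fields' line names the columns, '-' means unset.
SAMPLE_SSL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\n"
    "1609977600.1\tCabc1\t10.0.0.5\t51234\t10.0.1.20\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tintranet.example\n"
    "1609977601.2\tCabc2\t10.0.0.7\t51235\t10.0.1.21\t443\tTLSv10\tTLS_RSA_WITH_AES_128_CBC_SHA\tlegacy.example\n"
    "1609977602.3\tCabc3\t10.0.0.9\t51236\t10.0.1.22\t443\tTLSv12\tTLS_RSA_WITH_RC4_128_SHA\told-app.example\n"
    "1609977603.4\tCabc4\t10.0.0.11\t51237\t10.0.1.23\t443\tTLSv13\tTLS_AES_256_GCM_SHA384\tnew.example\n"
    "1609977604.5\tCabc5\t10.0.0.13\t51238\t10.0.1.24\t8443\tSSLv3\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\t-\n"
)

# Protocol versions the NSA guidance calls obsolete, spelled as Zeek logs them
OBSOLETE_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}
# Weak TLS 1.2 algorithms from the note above, matched as whole '_'-delimited tokens
# of the IANA cipher-suite name, so "DES" never matches "AES"
WEAK_CIPHER_RE = re.compile(r"_(NULL|RC2|RC4|DES|3DES|IDEA)_")

def parse_zeek_log(text):
    """Yield one dict per record of a Zeek ASCII log, keyed by the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue  # '#types', '#open', '#close' and other metadata lines
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))

def find_obsolete_tls(text):
    """Return the connections that negotiated an obsolete version or a weak cipher."""
    findings = []
    for rec in parse_zeek_log(text):
        reasons = []
        if rec.get("version") in OBSOLETE_VERSIONS:
            reasons.append("obsolete version " + rec["version"])
        m = WEAK_CIPHER_RE.search(rec.get("cipher", ""))
        if m:
            reasons.append("weak cipher " + m.group(1))
        if reasons:
            server = rec["id.resp_h"] + ":" + rec["id.resp_p"]
            findings.append({"uid": rec["uid"], "server": server,
                             "sni": rec.get("server_name", "-"), "reasons": reasons})
    return findings

def servers_to_remediate(text):
    """Distinct host:port pairs still accepting obsolete TLS, sorted into a work list."""
    return sorted({f["server"] for f in find_obsolete_tls(text)})
```

Run against a real ssl.log, the same two functions give the "is it safe to disable yet" answer the note mentions: an empty list from servers_to_remediate over a representative capture window means no client on the wire still depends on the obsolete versions or ciphers.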

2021-01-07

Legislators' Computers Left Unattended When They Were Evacuated

When people stormed the US Capitol building on Wednesday, legislators' computers were left unattended. One senator has reported that a laptop was stolen from his office. It has not been determined what information the computer contains.

Editor's Note

In emergency situations, in particular, it is important to have automated tools to secure systems. During an evacuation, people should focus on leaving the area, not securing their screen. This has happened at hotels when thieves used fire alarms to evacuate buildings before stealing laptops.

Johannes Ullrich

Can't fault people fleeing violent mobs or burning airplanes for leaving the laptops on behind them, but this is a good news item for reminding decision makers why screenlock and timeout timers are beneficial to the health of the business in any instance where a computing device may be left unattended even in normal circumstances.

John Pescatore

The first priority during a crisis is preservation of life and limb. Typically drill/test scenarios don't include facility breach, so unlocked or unattended systems are not at risk. Even so, implementing idle timers which lock the screen have to be SOP. NIST SP 800-53 controls require this on federal information systems. Similar requirements stem from NIST SP 800-171 which apply to non-federal systems processing sensitive USG information.

Lee Neely

Internet Storm Center Tech Corner

Netfox Detective: An Alternative Open-Source Packet Analysis Tool

https://isc.sans.edu/forums/di...


Using the NIST Database and API to Keep Up with Vulnerabilities

https://isc.sans.edu/forums/di...


Zyxel Exploitation Under Way

https://isc.sans.edu/forums/di...


Brian Nishida: Ubuntu Artifacts Generated by Gnome Desktop Environment (PDF)

https://www.sans.org/reading-r...


ElectroRAT Drains Cryptocurrency Accounts

https://www.intezer.com/blog/r...


Chrome Will Prefer HTTPS over HTTP By Default

https://chromium-review.google...


Android January Patch Day

https://source.android.com/sec...


Telegram Publishes Users' Locations Online

https://blog.ahmed.nyc/2021/01...


Fortinet Patches

https://www.fortiguard.com/psi...


Foxit PhantomPDF Patches

https://www.foxitsoftware.com/...


Firefox Android Updates

https://www.mozilla.org/en-US/...


Titan Security Key (PDF)

https://ninjalab.io/wp-content...


The Great Suspender Google Chrome Extension

https://www.theregister.com/20...