SANS NewsBites

NSA OT Cybersecurity Guidance; Researchers Find Flaws Affecting OT and IoT Devices; Pulse Secure Fixes Critical Flaw; Apple Updates iOS to Fix Critical Zero-Day Flaw

May 4, 2021  |  Volume XXIII - Issue #35

Top of the News


2021-04-29

NSA Guidance on Improving Operational Technology Cybersecurity

The US National Security Agency (NSA) has released a cybersecurity advisory urging owners and operators of operational technology (OT) to take steps to improve security. The advisory notes, “As OT components continue being connected to information technology (IT), IT exploitation increasingly can serve as a pivot to OT destructive effects.” NSA recommends that administrators carefully consider the need for each IT-OT connection and then harden those connections.

Editor's Note

The NSA advisory below is only four pages and focuses on evaluating the risks around connectivity from IT to OT as well as guidance for improving the security of your OT systems. Understand, monitor, and document your OT access to those components, as well as have gold images and configurations to enable restoration if needed. Segmentation and otherwise only allowing authorized access to OT is an achievable goal. Use the guidance to verify protections are in place as well as provide a plan to improve your cyber hygiene, then track that plan, updating as needed. Remember to adjust your lifecycle expectation from years to decades when evaluating OT.

Lee Neely

This short advisory is really just an update and summation of previous guidance from DoD, FBI, Canadian authorities and industry/academia experts that came out of analysis of the 2015 Ukrainian power grid attack. The first paragraph of the executive summary is good material for a push out to CXOs and boards of directors.

John Pescatore

2021-04-30

Microsoft Researchers Find Memory Allocation Vulnerabilities in IoT and OT Devices

Researchers from Microsoft have detected 25 memory allocation vulnerabilities that affect Internet of Things (IoT) and Operational Technology (OT) devices. The remote code execution flaws are the result of improper input validation. The researchers have shared their findings with affected vendors.

Editor's Note

The blog from MSRC explains how these exploits work and provides suggested mitigations. Couple those suggestions with the guidance from NSA above on improving OT cybersecurity to develop a holistic approach to securing OT. As with any vulnerabilities, patch when available, monitor activity, segment, and verify the allowed connections are what you think they are.

Lee Neely

The CISA ICS CERT advisory lists over twenty real-time operating system versions that have the flaw (https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04). The list includes well-known names like Amazon, Apache, ARM, Google, Redhat, Samsung, and Windriver/VXWorks, along with many niche RTOS versions. Too often well-known safe coding practices are ignored for memory- and processor-constrained products, which is like auto manufacturers making the decision to not put oil and fuel filters in cars with small engines.

John Pescatore
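An added illustration of the flaw class in this item (constructed for this newsletter, not code from MSRC, CISA, or any affected RTOS): an allocation size computed from an untrusted record count wraps around, so a later copy overruns the heap block, beside a parser that validates the count against a protocol bound, against size_t overflow, and against the bytes actually received. MAX_RECORDS, RECORD_SIZE and the 4-byte little-endian count header are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RECORDS 4096u   /* assumed protocol limit (constructed for this example) */
#define RECORD_SIZE 64u     /* assumed fixed record length (constructed) */

typedef struct {
    uint32_t count;
    unsigned char *records;
} record_set;

/* Unsafe pattern: the multiplication is done in 32-bit unsigned arithmetic
 * and silently wraps. A count of 0x04000001 yields 0x100000040 mod 2^32 = 64,
 * so malloc() returns a 64-byte block that a copy of 'count' records overruns. */
size_t unchecked_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Hardened parser: every bound is checked before any memory is allocated.
 * Message layout (constructed): 4-byte little-endian count, then count*64 bytes. */
int parse_records(const unsigned char *msg, size_t msg_len, record_set *out)
{
    out->count = 0;
    out->records = NULL;
    if (msg_len < 4)
        return -1;                          /* header incomplete */
    uint32_t count = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
                     ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (count == 0 || count > MAX_RECORDS)
        return -1;                          /* outside the protocol's allowed range */
    if (count > SIZE_MAX / RECORD_SIZE)
        return -1;                          /* would overflow size_t (belt and braces) */
    size_t need = (size_t)count * RECORD_SIZE;
    if (msg_len - 4 < need)
        return -1;                          /* declared length exceeds received bytes */
    out->records = malloc(need);
    if (out->records == NULL)
        return -1;
    memcpy(out->records, msg + 4, need);    /* copy is now bounded by both checks */
    out->count = count;
    return 0;
}
```

The rejected case in the test below is exactly the input for which the unchecked version would have allocated 64 bytes and then copied megabytes into them.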

2021-05-03

Pulse Secure Releases Fix for Critical Flaw That is Being Actively Exploited

Pulse Secure has issued fixes for several vulnerabilities, including a critical zero-day in the Pulse Secure VPN appliance that has been exploited to gain access to sensitive networks, including those at defense contractors and government agencies around the world. Several weeks ago, Pulse Secure released the Pulse Connect Secure Integrity Tool that customers can use to check for evidence of malicious activity.

Editor's Note

This vulnerability was disclosed last week, and had already been actively exploited at the time. As usual: Assume compromise, don’t just patch and move on. A tool to verify the integrity of your Pulse Secure firmware was made available last week.

Johannes Ullrich

If you haven’t yet patched the older vulnerabilities, now that the patch for these more recent ones is available it is time to shut down VPN services until all patching is complete. The US federal government deadline for doing so was April 23.

John Pescatore

If you’re running Pulse Connect Secure 9.0RX or 9.1RX, immediately update to version 9.1R11.4 after getting a clean bill of health from the Pulse Secure Integrity Tool. Don’t forget that running the Integrity Tool will reboot your device. Be sure to follow the guidance relating to expired certificates if you’re updating from versions prior to 9.1R8.x.

Lee Neely

2021-05-03

Apple Releases iOS 14.5.1 to Fix Zero-Day Flaws

Apple has released multiple updates to address two critical remote code execution vulnerabilities in the WebKit engine that are being actively exploited. The updated versions include iOS 14.5.1, iOS 12.5.3, macOS Big Sur 11.3.1, and watchOS 7.4.1.

Editor's Note

Even though you started the iOS 14.5 and macOS 11.3 updates last week, CVE-2021-30665 and CVE-2021-30663 apply to iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS 11.3. And because they are actively being exploited, you need to push the update to users who may have already updated to 14.5 or 11.3. Users updating now will be able to do so in a single step. If you have older devices on iOS 12, there is also an update for them. Better still, replace these old devices; while Apple has released security updates, application vendors have been dropping support for iOS 12.

Lee Neely

Apple doesn’t release a patch within days of a recent point release unless they have to. Update!

Johannes Ullrich

It is now past the stage where Apple should release patches in a manner similar to Microsoft’s Patch Tuesday schedule. Apple’s devices have grown from being niche devices within many organisations to being used extensively in tablet, smartphone, and laptop format.

Brian Honan

The Rest of the Week's News


2021-04-30

SAP Will Pay Millions in Penalties After Voluntarily Disclosing Software Export Violations

German software company SAP SE and the US Department of Justice (DoJ) have reached a non-prosecution agreement after SAP voluntarily disclosed export violations. “SAP acknowledged violations of the Export Administration Regulations and the Iranian Transactions and Sanctions Regulations.” SAP will pay more than $8 million in penalties.

Editor's Note

Export control is a big deal. It has implications not only when operating internationally but also when you employ foreign nationals, who are treated differently from US persons. Be aware of embargoed countries, such as Iran, and make sure that your legal team is current on export control laws. Provide guidance to employees as part of their annual training.

Lee Neely

2021-04-30

At Least Five US Federal Agencies Possibly Breached Through Pulse Secure Vulnerability

In April, the US Cybersecurity and Infrastructure Security Agency (CISA) directed federal agencies to run the Pulse Connect Secure Integrity Tool and report their findings. CISA says that it is now aware of “at least five federal civilian agencies who have run the Pulse Connect Secure Integrity Tool and identified indications of potential unauthorized access.”

Editor's Note

This is an unauthenticated attack vector and allows the bypass of 2FA. As such, you should be running the integrity checker as well as looking for evidence of unauthorized access to your network, whether public or private sector. Make sure that all accounts are active and authorized. Having a forensic image of your device prior to patching will aid analysis.

Lee Neely

2021-05-03

Chinese Hackers Infiltrate Russian Submarine Defense Contractor

Threat actors believed to be working on behalf of the Chinese government have used new back door malware to breach systems at a company that engineers Russian Navy nuclear submarines. The attack gained initial purchase through a spear phishing email.

Editor's Note

The attack leveraged the “Royal Road” RTF tool to deliver the PortDoor backdoor. While prior attacks leveraging Royal Road delivered a payload with the name “8.t”, this variant includes a document which, when opened, drops the encoded file “e.o”, which fetches the PortDoor implant. Make sure that your IOCs are updated.

Lee Neely

2021-04-30

Codecov Notifying Customers Affected by Supply-Chain Attack

Codecov has begun contacting customers affected by the supply chain attack on the company’s Bash Uploader. The breach went undetected for two months. Notifications that threat actors have downloaded repositories are being made through email and through the Codecov application interface.


2021-05-03

Hewlett Packard Enterprise Releases Fix for Critical Vulnerability in Edgeline Infrastructure Manager

Researchers at Tenable found a critical flaw in Hewlett Packard Enterprise (HPE) Edgeline Infrastructure Manager (EIM) that can be exploited remotely to bypass authentication. The issue lies in the way administrator account password resets are handled. Users are urged to update to HPE EIM version 1.22 or newer.

Editor's Note

Exploitation of this vulnerability is trivial, and sadly, it is yet another example of an API not requiring authentication. Developers often ask for security advice regarding current frameworks and tools they are working with. In the end, it comes back to old stupid flaws we have been making for decades. Do not “chase the squirrel” but realize that, in the end, you are still dealing with HTTP requests that need to be validated, authenticated, and access controlled. Your output also still needs to be appropriately encoded. Newer frameworks may make this easier IF you read the respective guidance on how to take advantage of your framework.

Johannes Ullrich

2021-05-03

Scripps Health Suffers Cyberattack

The Scripps Health hospital network was the target of a cyberattack over the weekend, forcing the southern California-based organization to divert some patients requiring critical care to other hospitals. The hospitals also postponed appointments scheduled for Monday, May 3, and patients were unable to access the Scripps Health online portal.


2021-05-02

Swiss Cloud Hosting Provider Hit with Ransomware Attack

On Tuesday, April 27, Swiss cloud hosting provider Swiss Cloud was the target of a ransomware attack. While the incident has not affected all Swiss Cloud data centers, more than 6,500 customers experienced disrupted server availability.

Editor's Note

Restoration from these sorts of attacks has been weeks versus days. Think about what you’ve deployed to hosting providers and what would happen if they were offline for a week or two. Ask if you have the ability to recreate those services without dependency on the offline hosting provider. Make sure you are leveraging location and path diversity and redundant services to minimize the risks of a single data center outage. Document your decisions; make sure senior management agrees.

Lee Neely

This is an expected evolution in the modus operandi of the criminals behind ransomware attacks. They are motivated by money and will focus their efforts on organisations that are more likely to pay. Cloud service providers are therefore a ripe target given the amount of data and services they manage on behalf of their clients. I recommend doing some desktop exercises on what your organization would do in the scenario where one of your cloud service providers gets hit by ransomware and your data is impacted.

Brian Honan

Internet Storm Center Tech Corner

Qiling: A true instrumentable binary emulation framework

https://isc.sans.edu/forums/diary/Qiling+A+true+instrumentable+binary+emulation+framework/27372/


FiveHands Ransomware Installed via SonicWall Flaw

https://thehackernews.com/2021/04/hackers-exploit-sonicwall-zero-day-bug.html


Apple Patches 2 0-Day Flaws in WebKit affecting iOS/MacOS/WatchOS

https://support.apple.com/en-us/HT201222


PoC Exploit for CVE-2021-28482 (Microsoft Exchange)

https://gist.github.com/testanull/9ebbd6830f7a501e35e67f2fcaa57bda

https://testbnull.medium.com/microsoft-exchange-from-deserialization-to-post-auth-rce-cve-2021-28482-e713001d915f


Python "ipaddress" improper input validation

https://sick.codes/sick-2021-014/


EXIF Tool Vulnerabilities

https://twitter.com/wcbowling/status/1385803927321415687


ABUS Secvest Internet Connected Alarm Systems

https://eye.security/nl/blog/breaking-abus-secvest-internet-connected-alarm-systems-cve-2020-28973


Yet Another Processor Side-Channel: Micro-Ops Caches

https://www.cs.virginia.edu/venkat/papers/isca2021a.pdf


Pulse Secure Update

https://blog.pulsesecure.net/pulse-connect-secure-patch-availability-sa44784/