SANS NewsBites

Compromised SolarWinds Update Found at 37 US Defense Suppliers; Microsoft Exchange and RDP Vulnerabilities are Prime Attacker Targets; Cyberinsurance Provider CNA Hit by Ransomware and Pays $40M Ransom

May 21, 2021  |  Volume XXIII - Issue #40

Top of the News


2021-05-19

SolarWinds Supply Chain Attack Affected 37 Companies in US Defense Industrial Base

In testimony before the US Senate Armed Services cyber subcommittee, Rear Adm. William Chase III told legislators that 37 companies within the defense industrial base were affected by the SolarWinds supply chain attack. Chase also noted that the Department of Defense (DOD) was not affected by SolarWinds or by Hafnium.

Editor's Note

Key quote here: “… the Cybersecurity Maturity Model Certification, DOD’s nascent program for improving the cybersecurity of the defense industrial base, would not necessarily have prevented the intrusions.” Maturity models are great for identifying and communicating the most dangerous gaps in security processes but do NOT focus on actual testing and continual monitoring. Simple example: many software vendors that achieved the highest levels on the software Capability Maturity Model continued to deliver code with well-known vulnerabilities. Active monitoring and testing are needed to deal with software supply chain attacks.

John Pescatore

2021-05-19

Hackers Scanning for Exchange Server Vulnerabilities Within Minutes of Disclosure

Researchers from Palo Alto Networks say that hackers were scanning for vulnerable Exchange Servers within minutes after Microsoft disclosed the four zero-day vulnerabilities. The report also says that Remote Desktop Protocol accounted for 32 percent of security issues.

Editor's Note

To support work from home, many organizations hurriedly pushed out RDP-based approaches and attackers have been taking advantage of that (also see the Sophos news item below). As we return to the “new normal,” more secure ways of supporting remote access should be top priority as part of the plan for employees returning to some amount of working from the office.

John Pescatore

While Exchange vulnerabilities are the newest shiny thing to exploit, don’t lose sight of other less sexy vulnerabilities. Your email IT team should already be on a rapid cadence of patching Exchange, even though you’ve already asked them to start migrating to your chosen cloud email solution, so the rest of your team can focus on the regular bouts of OS and application patches. In case you missed it, Wind River released updates to VxWorks which may impact many of your OT systems.

Lee Neely

2021-05-20

CNA Paid $40M Ransom After March Attack

CNA Financial Corporation, the Chicago-based insurance company, reportedly paid a $40 million ransom demand after its network was hit with a ransomware attack earlier this year. CNA paid the sum two weeks after the attack, which locked employees out of the network and compromised customer data. A company spokesperson said that “CNA is not commenting on the ransom.”

Editor's Note

This incident pre-dates the recent ransomware attack that hit AXA, another large cyber insurance carrier that had issued coverage to Colonial Pipeline, who also paid ransom. AXA recently announced it would stop issuing policies that would cover ransom payments – more carriers are likely to do the same. CNA Financial has over $10B in annual revenue and is in the top ten of cyberinsurance policy issuers and offered a “CyberPrep” service to policy holders, a “ … proactive program of cyber risk services designed to help identify, mitigate and respond to persistent and emerging threats.” I’d like to hear if they were using their own service and what went wrong.

John Pescatore

Before making the payment, CNA checked guidance and informed their regulators, including the Office of Foreign Assets Control, which enforces economic and trade sanctions against targeted foreign countries and regimes, terrorists and drug traffickers; and the FBI. While payment is not desired, being aligned with legal and regulatory guidance will minimize future blowback. Transparency about the event and related actions has shown itself to be the best option, as you need a consistent message not only for customers but also for employees, board members, shareholders and regulators if appropriate. With the current volume of ransomware payback, regulators are focusing on how to slow it down; make sure the relevant guidance hasn’t changed prior to making a decision.

Lee Neely

WOW, that is a big number! Please remember though, ransomware is nothing more than a type of malware. It’s not a new attack method, it’s a new monetization method, albeit a very profitable one, and thus the reason we are seeing exponential growth. Also remember there are other attacks just as costly but not nearly as public, such as CEO fraud. This attack method costs billions of dollars a year, but it’s hardly in the news as companies rarely go public when it happens.

Lance Spitzner

The Rest of the Week's News


2021-05-20

Dragos: Water Utility Watering Hole Found During Oldsmar Investigation

While investigating the Oldsmar Water Treatment facility cyberattack, Dragos found a “watering hole”: malicious code hosted on a Florida water utility contractor’s website. Although a city of Oldsmar browser had visited the WordPress-based site earlier in the day of the attack, it does not appear that the watering hole figured into the Oldsmar attack. “Dragos’s best assessment is that an actor deployed the watering hole on the water infrastructure construction company site to collect legitimate browser data for the purpose of improving the botnet malware’s ability to impersonate legitimate web browser activity.”

Editor's Note

This blog is an exploration of how sometimes intrusions don't align no matter the coincidence. It's a great learning style blog for intrusion/cyber threat intelligence analysts.

Robert Lee

Do not worry too much about the attacks that you identify. Worry about the ones you do not see. In this case, the highly visible initial attack may have been a "good thing" as it started an investigation that revealed more stealthy unrelated attacks happening at the same time.

Johannes Ullrich

2021-05-19

Ransomware Hits New Zealand’s Waikato District Health Board

A ransomware attack hit the network of Waikato District Health Board in New Zealand on Tuesday, May 18. Most of the organization’s IT systems are down and hospitals are taking only urgent cases. Some elective surgeries are being postponed.

Editor's Note

Even though we’ve seen announcements that ransomware operators are not going to target healthcare organizations, or other critical sectors, you cannot assume that you’re no longer a target. Per DHB Chief Executive Kevin Snee, this attack originated from a malicious email attachment. This emphasizes the need to validate that both technical controls and UAT are where they need to be. Also make sure that your DR plans address routing customers to alternate providers while services are offline versus having them wait. Talk to those providers ahead of time if you’re going to use that option, and offer reciprocal support to sweeten the pot.

Lee Neely

2021-05-20

Colonial Pipeline CEO Defends Paying Ransom

Colonial Pipeline CEO Joseph Blount acknowledged paying the $4.4 million ransom, saying it “was the right thing to do for the country.” The attack was detected on May 7 and the ransom was paid later that same day. (Please note that the WSJ story is behind a paywall.)

Editor's Note

The choice to pay is harder than ever. Double Encryption (multiple ransomware strains, with two payouts), extortion for exfiltrated information, or threats of cyber-attack for non-payment, let alone the desire to return to operation, make things complex. Hold a tabletop exercise to analyze the landscape and determine at which point, if any, you’d make a payment and why. Include key stakeholders in the process and obtain management support. If applicable, share with your regulator to determine what their response will be and adjust accordingly.

Lee Neely

It appears from the limited reports that Colonial Pipeline was not prepared for such an attack and did not have a plan for how to deal with it. While the decision to meet extortion demands is a business, rather than a security, decision, it should be done only in accordance with a plan made before the attack. This decision appears to have been made in the absence of any plan. Chainalysis reported last week that “Known payments to ransomware attackers rose 337% from 2019 to 2020, when they reached over $400 million worth of cryptocurrency. Attackers show no signs of slowing down in 2021, and have already taken in more than $81 million from victims so far.”

William Hugh Murray

2021-05-20

Ireland Healthcare System Ransomware Attack

The ransomware operators responsible for the attack against Ireland’s Health Service Executive have released a free decryption key, but say they intend to expose patient data. The attackers also targeted Ireland’s Department of Health, which managed to prevent the ransomware from executing. Officials say it will be “many weeks” before systems are fully restored.

Editor's Note

The ransomware gang made a decryptor available for free after the HSE refused to pay. It isn't clear if the decryptor worked. But the data was leaked, and is now being used in scams. Scammers are calling individuals, pretending to be associated with healthcare providers, and are using personal data about recent medical procedures to trick victims into providing bank account access data. It is not clear if these scams are conducted by the ransomware gang or scavengers taking advantage of the data leaks. In addition to recovering from the technical impact of the breach, the Irish healthcare providers will have difficulties restoring trust with clients and recovering from these additional effects of the attacks.

Johannes Ullrich

Many weeks to restore services probably exceeds most of our RTO projections. The question is: are you prepared for large scale system recovery? Do you have contracts in place to bring in help? Do you have documentation on how to rebuild components and what the interdependencies are? Is your recovery priority and order still accurate? Did you incorporate all those cloud services you’ve been migrating to? Conducting a formal exercise to recreate a system from the backup, to include running a parallel business process, is essential and a valuable learning experience.

Lee Neely

2021-05-11

ID Theft Resource Center: Notable April Breaches

The Identity Theft Resource Center’s notable data breaches in April 2021 include the theft of personally identifiable information belonging to 132,000 GEICO customers, the exposure of private information belonging to 72,000 people participating in a Pennsylvania Department of Health contact tracing program, and the compromise of personally identifiable information held by the ParkMobile parking app.

Editor's Note

I’ve used the ITRC data for many years – it is “breach-centric” but has been using a consistent methodology over the years. The takeaway here: just because ransomware is getting all the press coverage, the most important issue is NOT pay ransom/don’t pay, it is that the same weaknesses being exploited in ransomware attacks are continuing to enable breaches and many other forms of damaging attacks.

John Pescatore

While health departments have been quietly doing contact tracing for generations, privacy concerns about its use have been raised in the light of the pandemic. A breach of this kind gives some credence to those concerns.

William Hugh Murray

2021-05-19

CISA Announces Firmware Mitigation Plan

In a presentation at the RSA Conference, officials from the Cybersecurity and Infrastructure Security Agency (CISA) announced a campaign to mitigate firmware vulnerabilities. The campaign’s goals include software bills of material that include the firmware level, vendors explaining the intent of system components, and code analysis.

Editor's Note

Unlike the ingredients in food, when something goes bad on the SBOM it can be patched rather than recalled or disposed of. The trick is not only the continuous monitoring but also application of fixes in the field. Not just commodity desktops and servers but also IoT devices need to be actively monitored and updated. The consumer will need an “easy button” to succeed. I’m still trying to decide if I liked write-protected firmware better, as updates are a lot easier, yet malicious code can also be written there.

Lee Neely

Knowing what is supposed to be there improves one's ability to recognize what is not supposed to be there.

William Hugh Murray

2021-05-20

RSA Execs May Now Talk About the 2011 Hack

The 2011 theft of SecurID seeds from RSA “was the original massive supply chain attack,” writes Andy Greenberg. The 10-year non-disclosure agreements have expired, allowing RSA employees to tell their stories of the attack.

Editor's Note

The RSA hack was enabled by a phishing attack against an employee who was running an outdated version of Windows and Microsoft Office, with no application control or privilege restrictions on external downloaded apps. The employee clicked on what looked like an internal spreadsheet and an Adobe Flash vulnerability was exploited and the game was over – sound familiar? Ten years later, the majority of attacks are enabled by these same failures in a small number of essential hygiene steps. Use any of the recent headline grabbers to get support from above to drive the well-known changes needed.

John Pescatore

The question is, would this attack work today in your organization? Are your detection and response capabilities up to tracking malicious actors on your network? While the desired responses are obvious, make sure that your assumption is founded on real input and testing. Detection and response to attack needs to replace missing these entirely or finding out from someone else.

Lee Neely

2021-05-19

Sophos Report: Cyberattackers’ Dwell Time is Less Than Two Weeks

Sophos has published its Active Adversary Playbook 2021, a report that “details attacker behavior and impact as well as the tactics, techniques and procedures (TTPs) seen in the wild by Sophos’ frontline threat hunters and incident responders.” Among the findings: 30 percent of attacks involved Remote Desktop Protocol at the start, and attackers’ median dwell time prior to detection was 11 days.

Editor's Note

Some very good news! One of the key lessons I learned from Richard Bejtlich is that “attacker dwell time” should be a strategic security metric for almost every organization. As we all know, fool-proof prevention is not possible; cybersecurity is about resilience. Dwell time is a great way to measure that. Several years ago we were measuring dwell time in months, now it appears to be weeks.

Lance Spitzner

This suggests that our goal should be to detect breaches in hours to days. Few enterprises have such a goal and fewer still are measuring and reporting results.

William Hugh Murray

2021-05-19

International Student Health Insurance Data Breach

Guard.me, a Canadian company that provides health insurance to students traveling and studying abroad, has suffered a data breach that exposed personally identifiable information. Guard.me took down its website after detecting suspicious activity on May 12. The company has begun notifying affected students by email. The company’s reporting and notification obligations will vary based on where each affected individual resides.

Internet Storm Center Tech Corner

From RunDLL32 to JavaScript then PowerShell

https://isc.sans.edu/forums/diary/From+RunDLL32+to+JavaScript+then+PowerShell/27428/


May 2021 Forensic Contest: Answers and Analysis

https://isc.sans.edu/forums/diary/May+2021+Forensic+Contest+Answers+and+Analysis/27430/


New YouTube Video Series: Everything you ever wanted to know about DNS and more

https://isc.sans.edu/forums/diary/New+YouTube+Video+Series+Everything+you+ever+wanted+to+know+about+DNS+and+more/27440/


And Ransomware Just Got a Bit Meaner

https://isc.sans.edu/forums/diary/And+Ransomware+Just+Got+a+Bit+Meaner+yes+it+is+possible/27438/


CIS Controls V8

https://www.cisecurity.org/controls/v8/


QNAP Pre-Auth Remote Code Execution in MusicStation/MalwareRemover

https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/


New Pulse Secure VPN Advisory

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44800/


Android Stalkerware Vulnerabilities

https://www.welivesecurity.com/2021/05/17/android-stalkerware-threatens-victims-further-exposes-snoopers-themselves/


Double Encrypting Ransomware

https://www.wired.com/story/ransomware-double-encryption/


Dell iDRAC 9 Security Update

https://www.dell.com/support/kbdoc/en-us/000186420/dsa-2021-082-dell-emc-idrac-9-security-update-for-improper-authentication-vulnerability


Attackers Scanned for Exchange Servers Five Minutes after Patch Release

https://www.ehackingnews.com/2021/05/microsoft-exchange-bug-report-allowed.html


GPS For Authentication: Is the Juice Worth the Squeeze @sans_edu

https://www.sans.org/reading-room/whitepapers/authentication/gps-authentication-juice-worth-squeeze-40270