SANS NewsBites

More Exploits of Pulse Secure Vulnerabilities; IBM Funds Schools System Security Improvements; NIST Paper on Biometrics for First Responders

June 4, 2021  |  Volume XXIII - Issue #44

Top of the News


2021-06-03

Threat Actors Exploited Pulse Secure Zero-Day to Break into MTA Systems

Cyberthreat actors believed to be operating with the support of China’s government exploited a Pulse Secure zero-day vulnerability to gain access to New York City’s Metropolitan Transportation Authority (MTA) computer systems earlier this spring. A forensic investigation revealed that the intruders attempted to remove evidence of their forays into the network, which raises the possibility that there have been system breaches that MTA has not discovered.

Editor's Note

Pulse Secure had to patch multiple vulnerabilities this last year, and they have been exploited extensively.

Johannes Ullrich

We are now almost 18 months past the first advisories to patch the initial wave of Pulse Secure VPN vulnerabilities, and several months ago advisories came out about additional Pulse Secure vulnerabilities. Many IT operations have been struggling just to keep remote access for Work From Home running and patching has suffered – more compromise hunting is required to detect malware installs that occurred before patching, as recent DHS/CERT advisories have pointed out.

John Pescatore

With a shift to increased remote work, your boundary protections are critical. Today’s combination of traditional VPN, Zero Trust, CASB, VDI, and EDR requires attention to detail, including security configuration, judicious application of updates, and active monitoring (and response) for malfeasance. Make sure that you have the right skillsets on hand, supported with adequate training, funding and depth of coverage.

Lee Neely

Breaches of infrastructure systems may not be obvious and may not be immediately exploited. Nation state attackers may save them for later use. Think “zero trust” and “least privilege.” Think urgency; the longer these systems remain vulnerable, the greater the risk that they are covertly compromised.

William Hugh Murray

2021-06-02

IBM Announces School Systems Chosen to Receive Cybersecurity Grants

IBM has selected six US school systems to receive grants to help strengthen their cybersecurity. The school systems are Brevard Public Schools (Florida), Denver Public Schools (Colorado), KIPP Metro Atlanta Schools (Georgia), Newhall Independent School District (California), Poughkeepsie Independent School District (New York), and Sheldon Independent School District (Texas). “The grants will sponsor IBM Service Corps teams to help six U.S. K-12 public school districts proactively prepare for and respond to cyber threats.”

Editor's Note

Two of the most critical services governments provide are public education and election services. In the US, the way those two areas are governed and funded is antiquated and resistant to change. Volunteer and private industry support for increased security levels in both of those areas has really been needed and has turned into good investments for business as stability and security in those areas is good for business.

John Pescatore

The need for shoring up security in the education sector has become clear with the past year of successful attacks on school systems. Ransomware preparedness and response is at the top of the list for the IBM team to help with “pain points.” The need is far greater than IBM alone can address; as cyber security professionals we should all be reaching out to our local school systems, leveraging our enterprise community outreach functions if possible, to see if we can help.

Lee Neely

The limited impact of these expenditures illustrates how big this problem is and how difficult it will be to remedy on a district-by-district basis. We need to make the public networks a safer environment for all users. It is time to operate these networks as the infrastructure that they are.

William Hugh Murray

2021-06-03

NIST: Mobile Device Biometric Authentication for First Responders

A report from the US National Institute of Standards and Technology (NIST) “examines how first responders could use mobile device biometrics in authentication and what the unsolved challenges are.” The report is intended to help public safety organizations make choices about first responder authentication options. NIST is accepting comments through July 19, 2021.

Editor's Note

Have first responders read and respond to the draft. Responders I have talked to already leverage biometrics, and remind me to look at scenarios where biometric options fail, e.g., using fingerprint readers while wearing PPE. When creating security profiles for mobile devices, ensure that your device protections don’t interfere with life safety needs of responders. Safety needs to trump security, which means you may have a different configuration on some devices. Have clear support for those decisions at the highest levels.

Lee Neely

This report is more of a tutorial around mobile device biometrics that is strong on the challenges and really weak on “how to implement” guidance. Microsoft’s research showed that 99.9% of phishing attacks would be defeated just by mobile device text messaging, and over 80% of successful ransomware attacks start with successful phishing attacks. While first responders do have unique needs, we are in an emergency situation where reusable passwords have to be considered as dangerous as carcinogens like lead in consumer products or E. coli in meat.

John Pescatore

The Rest of the Week's News


2021-06-03

White House Memo: Advice to Private Sector on Protection from Ransomware

Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, has released an open letter to corporate executives and business leaders urging them to take action to protect their networks from ransomware. The memo strongly recommends implementing the five best practices from the President’s Executive Order: back up data, system images, and configurations, and regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team’s work; and segment networks.

Editor's Note

Ben Wright of SANS and I have done a recent series of talks and a white paper around the ransomware issues. Key point (1) is that no security group or manager makes the pay/don’t pay decision – that will always be a business or legal/regulatory-driven decision. But Key Point (1a) is that security managers can provide critical input into required strategies and changes needed to reduce the risk of ransomware to an acceptable level that will enable the business decision to be “we don’t need to pay the ransom.” Brian Honan makes Key Point (1b) below.

John Pescatore

Private sector companies are primarily driven by profit goals and anything that does not help achieve those goals will always be neglected. Until we start speaking about cybersecurity in terms of business risk, private sector companies will continue to treat security as an IT problem and as a cost. And this cost-based focus is what has led many companies to have such poor cybersecurity protections. It is time we start to move our focus away from technical solutions and speak more about business risks to our boards and colleagues. I think one thing we need to get into the debate about ransomware is that paying the ransom does not make the cost of recovery any cheaper. In the case of Colonial Pipeline, who paid $4m for the decryption tool, they still reverted to their backups to restore their systems. The HSE in Ireland who got the decryption tool for free had to use a third party tool to make it work effectively. In both cases the IR teams are still having to go to each individual machine, verify that it is clean, remediate it, recover data onto it, and then bring it online – this has to happen whether you have the decryption key or not. So paying for the decryption key is not a magic wand that gets all your systems back online overnight. You are still looking at weeks if not months of work to get large estates back up and running.

Brian Honan

When reviewing your response plan, look carefully at your downtime procedures. Are you able to provide some level of service or will you be hard down? Consider the case of the Massachusetts Steamship Authority where they were still able to process cash ticket sales and operate their ferries. Make sure that your situational awareness is as good or better than your adversaries’. Start with the core CIS controls, making sure you know what hardware and software you have, that it is securely configured and your data is protected.

Lee Neely

And do not forget strong authentication (at least two kinds of evidence, at least one of which is resistant to replay). Credential replay is implicated in many ransomware attacks and other breaches. While this measure may not be sufficient for targets of choice, it will get most out of the target of opportunity population.

William Hugh Murray

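The replay-resistance point above is easy to see in code. The following is an added example, not part of the NewsBites issue or any editor's text: a constructed toy authentication server that accepts a static password (the replayable factor) and an HMAC challenge-response over a single-use server nonce (the replay-resistant factor). The shared secret, password, and class/function names are all hypothetical; the point is that a captured password works a second time, while a captured challenge response does not.

```python
import hashlib
import hmac
import secrets

# Constructed material for the demo only; a real deployment would
# provision per-user secrets and store password hashes with a slow KDF.
USER_SECRET = b"constructed-secret-provisioned-to-the-authenticator"
USER_PASSWORD = "correct horse battery staple"


class AuthServer:
    """Hypothetical verifier offering two kinds of evidence."""

    def __init__(self) -> None:
        self._issued_nonces: set[bytes] = set()
        self._pw_hash = hashlib.sha256(USER_PASSWORD.encode()).hexdigest()

    # Factor 1: something you know. The message on the wire is the same
    # every time, so anyone who captures it can resend it and succeed.
    def check_password(self, presented: str) -> bool:
        digest = hashlib.sha256(presented.encode()).hexdigest()
        return hmac.compare_digest(digest, self._pw_hash)

    # Factor 2: possession of a secret, proved by answering a fresh nonce.
    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._issued_nonces.add(nonce)
        return nonce

    def check_response(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted once and then discarded, so a captured
        # response is useless: either the nonce is gone, or a fresh nonce
        # yields a different expected MAC.
        if nonce not in self._issued_nonces:
            return False
        self._issued_nonces.discard(nonce)
        expected = hmac.new(USER_SECRET, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def login(self, password: str, nonce: bytes, response: bytes) -> bool:
        """Both factors must pass; evaluate both to avoid an oracle."""
        pw_ok = self.check_password(password)
        cr_ok = self.check_response(nonce, response)
        return pw_ok and cr_ok


def client_respond(nonce: bytes) -> bytes:
    """What the legitimate authenticator computes for a given nonce."""
    return hmac.new(USER_SECRET, nonce, hashlib.sha256).digest()


def demo_replay() -> dict:
    """Simulate an eavesdropper capturing one login and replaying it."""
    server = AuthServer()

    # Legitimate login: both factors succeed.
    nonce = server.issue_challenge()
    response = client_respond(nonce)
    first = server.login(USER_PASSWORD, nonce, response)

    # Attacker replays the captured password alone: still accepted.
    password_replay = server.check_password(USER_PASSWORD)

    # Attacker replays the captured nonce/response pair: nonce already consumed.
    same_nonce_replay = server.check_response(nonce, response)

    # Attacker obtains a fresh challenge but only has the old response.
    fresh_nonce = server.issue_challenge()
    wrong_nonce_replay = server.check_response(fresh_nonce, response)

    return {
        "legit_login": first,
        "password_replay": password_replay,
        "same_nonce_replay": same_nonce_replay,
        "wrong_nonce_replay": wrong_nonce_replay,
    }


if __name__ == "__main__":
    for name, outcome in demo_replay().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The password factor alone is what credential-stuffing and ransomware operators rely on; the challenge-response factor fails both replay attempts because acceptance is bound to a nonce the server issued once and will never issue again.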
2021-06-03

DoJ Will Treat Ransomware Investigations with High Priority

According to senior officials at the US Department of Justice, DoJ will give ransomware investigations a priority similar to that of terrorism investigations. Earlier this week, US Attorney’s offices across the country received guidance instructing them to share information about ransomware investigations with a Washington, DC-based task force.

Editor's Note

This is much needed and gives me hope. No matter how good any company is at security, if threat actors can operate any way they want without fear of retribution, anyone can and will be compromised. I think it's interesting the government is taking the terrorism angle, as the motives of terrorists and criminals are very different, but as we are seeing, the impact at the human level can, in many ways, be the same. The sense of urgency appears to be great enough now to force the US government to take political and economic actions against other countries.

Lance Spitzner

What this does is add to the list of topics which require expedient information sharing/reporting with Washington. Prioritizing activities also requires providing funds needed to acquire and train staff and equipment needed to support the work.

Lee Neely

2021-06-03

FBI Says REvil Ransomware Group Responsible for JBS Attack; Company Says Facilities are Now Operational

The FBI has “attributed the JBS attack to REvil and Sodinokibi and [is] working diligently to bring the threat actors to justice.” JBS says that all its facilities are once again operational.

Editor's Note

REvil is known for “double extortion” tactics, demanding ransom not only for the decryption key but also for not selling exfiltrated information, leveraging any potentially damaging content if possible. JBS wisely engaged help from the Australian Signals Directorate and the FBI to respond to the criminal aspects of the attack while working with their incident response provider to quickly restore operations.

Lee Neely

2021-06-03

Massachusetts Steamship Authority Hit with Ransomware Attack

A ransomware attack affecting the Massachusetts Steamship Authority’s computer network has affected its operations. Customers were unable to make reservations or purchase tickets online or by phone. (Please note that the WSJ story is behind a paywall.)

Editor's Note

As with other service related attacks, OT systems are able to operate, but supporting systems, in this case online ticketing and reservations, are unavailable. Even so, they are able to process cash transactions.

Lee Neely

The fact that a "Steamship Authority" can be crippled by ransomware shows that everybody can be affected.

Johannes Ullrich

Jeh Johnson commented on TV this morning that the extortion demands are tailored to the ability to pay and lower than the cost of recovery by other means, such that, as in Colonial Pipeline, paying it is an attractive individual business choice while collectively it perpetuates the problem.

William Hugh Murray

2021-06-03

Fujifilm Shuts Down Network in Wake of Ransomware Attack

Fujifilm has shut down parts of its network after becoming aware of a possible ransomware attack. The Tokyo-based company has also “disconnected from external correspondence.”


2021-06-02

Massachusetts Hospital Discloses Ransomware Attack

Sturdy Memorial Hospital in Attleboro, Massachusetts, has disclosed that its network was hit with a ransomware attack in February 2021. Analysis revealed that patient medical and financial data were compromised. The hospital paid a ransom to prevent data from being leaked. The incident also affected healthcare providers that had partnered with Sturdy Memorial for coordination of patient care. The hospital is now notifying affected patients.


2021-06-03

US Supreme Court Ruling Reins in CFAA’s Reach

A ruling from the Supreme Court limits the scope of the Computer Fraud and Abuse Act (CFAA). The case, Van Buren v. United States, involves a former police officer who accepted money for using his access to a law enforcement database to look up license plate information. The written majority opinion notes that the court’s job was to “decide whether Van Buren… violated the Computer Fraud and Abuse Act of 1986 (CFAA), which makes it illegal ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ He did not. This provision covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend. It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.”

Editor's Note

Limiting the scope of the CFAA is a huge win for cyber security research. Having clear permission and defined scope when accessing and researching systems is still critical. Discovery of a device in a search engine, running with default credentials doesn’t by itself constitute permission to access or configure it.

Lee Neely

While not technically a violation of the CFAA, Van Buren was guilty of an abuse of his privilege and should be subject to other discipline. This is simply one more indication, as if any were needed, that the CFAA needs to be rewritten with more emphasis on what is done, i.e., misuse and abuse, and less on the concept of “authorization.”

William Hugh Murray

2021-06-01

Amazon Sidewalk is Going Live Next Week

On June 8, 2021, Amazon smart devices, which include Echo and Ring, will automatically be integrated into the Amazon Sidewalk wireless mesh service. Sidewalk will "share a small portion of your internet bandwidth" to "extend the low-bandwidth working range of devices." Users can opt out of participating through the Alexa and Ring apps.

Editor's Note

This is an opt-out service. If you take no action, you will be opted-in. The idea is to provide better connectivity for your Amazon devices where your network may have gaps, essentially an 80Kbps connection. Amazon cites the case of using their tracking devices to find a lost pet. The success of Sidewalk is dependent on the number of participating devices in any area. The downside is you have no visibility into which devices are connected to your network and what they are doing. The good news is you can opt out at your account level, not just the device level. In the Ring App, Sidewalk is under the Control Center; in the Alexa App it is under Settings -> Account Settings -> Amazon Sidewalk. The option is only present when you’re connected to your Ring or Echo devices.

Lee Neely

By choosing to make this an opt-out service, Amazon is showing why updates to US national privacy laws are badly needed. When I worked on surveillance cases for the US Secret Service in the 1980s, to put a vehicle tracker on a suspect’s car that was connected to the car's 12v system, we needed to get a court order because of the unauthorized use of the car owner’s “services.” What Amazon is doing here seems no different to me.

John Pescatore

2021-06-02

Nobelium Spear Phishing Campaign Domains Seized

US authorities have seized two domains associated with a recent spear phishing campaign. The attackers are believed to be Nobelium, the threat actor likely responsible for the SolarWinds Orion supply chain attack. The spear phishing attacks masqueraded as messages from the US Agency for International Development (USAID) and targeted government agencies, think tanks, and non-governmental organizations (NGOs) around the world.

Editor's Note

If one is not expecting a communication, one should simply throw it away. It is almost always the safest move. If one feels that they cannot do that, pick up the phone. Out-of-band confirmations are cheap and effective; they work in both directions.

William Hugh Murray

2021-06-02

Microsoft Acquires ReFirm Labs

Microsoft has acquired firmware analysis company ReFirm Labs. Microsoft says the acquisition will “enrich our firmware analysis and security capabilities across devices that form the intelligent edge, from servers to IoT.”

Editor's Note

The most successful mergers/acquisitions over the past 5 years or so have been the big cloud platform players, like Salesforce, Amazon AWS, Google, and Microsoft buying small, innovative security vendors to build higher levels of security into their cloud infrastructure. The least successful cybersecurity M&As have been big IT companies buying security product companies just to increase revenue by selling security products. Building security in, versus “spending in depth,” is the key to real and sustainable levels of business protection.

John Pescatore

With the recent rash of firmware-related vulnerabilities, ReFirm (the authors of Binwalk) should give Microsoft a huge leg up in analysis and response to firmware security issues including IoT and embedded device use cases. This acquisition further broadens the scope of protections offered under the Azure Defender umbrella, specifically Azure Defender IoT.

Lee Neely

2021-06-03

US Army Rescinds Workplace IoT Ban

The US Army appears to have rescinded a May 20, 2021, memo banning remote workers from using Internet of Things (IoT) devices in their workspaces. The ban was issued over concerns that IoT devices are constantly collecting data and listening.

Editor's Note

The ban is essentially unenforceable; it is good OPSEC guidance. It’s still a good idea to be aware of the devices in your workspace. Just as you would question a stranger in a meeting, consider what these devices can capture and take action to remove or disable them when appropriate. Higher priority for the enterprise is making sure that you have good visibility into endpoint security and actions so you can respond appropriately.

Lee Neely

Security is a space in which intuition does not serve us well, where “obvious” choices are wrong. Cooler heads have prevailed here. However, since many smart devices inside the SOHO router establish connections to the public networks by default, it will be difficult to give directions that are practical. We need standards, perhaps even regulation, that require smart devices to both encrypt and disclose what connections they make. While most home users will ignore the disclosures, they will empower WFH users.

William Hugh Murray

Internet Storm Center Tech Corner

Guildma is now using Finger and Signed Binary Proxy Execution to Evade Defenses

https://isc.sans.edu/forums/diary/Guildma+is+now+using+Finger+and+Signed+Binary+Proxy+Execution+to+evade+defenses/27482/


Bypassing Protected Folders Protections

https://dl.acm.org/doi/10.1145/3431286


Firefox 89 Released

https://www.mozilla.org/en-US/security/advisories/mfsa2021-23/


Microsoft Edge Will make HTTPS default

https://blogs.windows.com/msedgedev/2021/06/01/available-for-preview-automatic-https-helps-keep-your-browsing-more-secure/


Realtek RTL8170C Vulnerabilities

https://www.vdoo.com/blog/realtek-wifi-vulnerabilities-zero-day


Huawei LTE USB Stick E3372 Vulnerability

https://www.theregister.com/2021/06/02/huawei_lte_usb_stick_vulnerability/


NortonLifeLock Crypto

https://investor.nortonlifelock.com/About/Investors/press-releases/press-release-details/2021/NortonLifeLock-Unveils-Norton-Crypto/default.aspx


OpenPGP RNP Patch

https://www.rnpgp.org/advisories/ri-2021-001/


Script to Test CIS Zoom Benchmark

https://github.com/turbot/steampipe-mod-zoom-compliance


F5 BIG-IP Edge Client for Windows Vulnerability

https://support.f5.com/csp/article/K20346072


Fancy Product Designer Wordpress Plugin Vulnerability

https://www.welivesecurity.com/2021/06/03/zero-day-popular-wordpress-plugin-exploited-take-over-websites/


WordPress Pushes Jetpack Plugin Patch

https://www.bleepingcomputer.com/news/security/wordpress-force-installs-jetpack-security-update-on-5-million-sites/