SANS NewsBites

Electricity ISAC Sharing Tools; Ghost Remote Access Credentials Enable Water System Attack; Google Silently Pushing out Android COVID Contact Tracing App

June 22, 2021  |  Volume XXIII - Issue #49

Top of the News


2021-06-21

E-ISAC Members Now Have New Tool to Share Information

Neighborhood Keeper, developed by Dragos with the support of the US Department of Energy (DOE), is a “sensor-enabled data collection and information-sharing network.” The collected data are anonymized, so they can be shared with government as well

Editor's Note

Great news. Information sharing is one of the most powerful and underused tools to secure organizations. Finding the right balance between sharing and anonymizing data is tricky. I hope we will hear more about this tool and any lessons learned from it.

Johannes Ullrich

Having indicators from peers helps provide relevant actionable data to be better prepared for an incident. Anonymizing the data will help with reputation risk, but it is important to know what anonymizing means and who is processing your data. In this case passive sensors are providing metadata to Neighborhood Keeper to provide distributed alerts, and requests for assistance from other ISAC members are also encrypted and allow for private communication with temporary identification options to permit assistance without revealing specifics.

Lee Neely

This is a fantastic example of community and government working together. It won’t solve all our problems in the utility space, but it is a good start. Kudos to both DoE and Dragos for leading this initiative.

Lance Spitzner

2021-06-20

Intruder Deleted Programs from San Francisco Area Water Treatment Facility Network

NBC News reports that in January 2021, a hacker accessed the network at a San Francisco-area water treatment plant. The malicious intruder was in possession of the username and password for a TeamViewer remote access account that belonged to a former employee. The intruder allegedly deleted programs that control drinking water treatment. The incident was detected the following day; the passwords have been changed and the programs reinstalled.

Editor's Note

It’s incredibly important to disable departing employees’ accounts immediately, particularly if they can be used for remote access to services. Further, RDP services such as TeamViewer need to require multi-factor access as well as follow the vendor secure configuration guidelines. Verify these settings remain in place, only current users have access and no access is configured which can bypass those settings.

Lee Neely

It is often a manual process for smaller organizations to remove access when an employee leaves. Another advantage of a two-factor authentication approach (which should have been required for TeamViewer remote access) is the ability to revoke the credential in one action and simplify dealing with broad removal of access.

John Pescatore

One more instance in which strong authentication (at least two kinds of evidence, at least one of which is resistant to replay) would have been helpful. Management has always been better at getting terminated employees off the payroll than in revoking online privileges. That problem is complicated by the modern economy where often as many as half of those with privileges are consultants, contractors, temporary, and part-time workers.

William Hugh Murray

2021-06-21

Google is Pushing Out Massachusetts COVID Contact Tracing App

Google appears to be force-installing the Massachusetts MassNotify COVID-19 contact tracing app on residents’ Android devices. Users are reporting that the app has been installed even if they have not activated Android Exposure Notification on their devices. It also appears that the app is not yet active; users have been unable to open it or to uninstall it. In a statement to 9to5Google, Google wrote “This functionality is built into the device settings and is automatically distributed by the Google Play Store, so users don’t have to download a separate app.”

Editor's Note

Exposure notification services are built into Android and iOS devices, and can be enabled, configured or disabled by the end user without the use of an explicit application. Even so, some regions are distributing notification applications to streamline the process. This install is not a full install of the MassNotify application per se; users will see “Settings -> Google -> COVID-19 Exposure Notifications” which can be removed by uninstalling “Massachusetts Department of Health.”

Lee Neely

I am in favor of COVID contact tracing apps, and Google did a good job implementing them. But in the end, this is a question of trust. Google is not a trusted entity when it comes to how they collect and use personal data. Having them push out an application without user consent casts the Google data-collection machine shadow on this project.

Johannes Ullrich

Public health services have been actively engaged in contact tracing for more than one hundred years. It has been effective in all but eliminating some diseases and has ensured timely treatment for millions. This tracing has been so successful in protecting privacy that most people do not even know that it exists. Technology holds the promise to make it even more timely and comprehensive. Let us not become so fearful that we forego this opportunity.

William Hugh Murray

The Rest of the Week's News


2021-06-17

GEA-1 Encryption Algorithm Weakness Was Intentional

A paper from researchers at several European universities and research institutions suggests that the GEA-1 encryption algorithm had a deliberately baked-in weakness. The algorithm was used in cellphones in the 1990s and 2000s. Following the paper’s publication, the European Telecommunications Standards Institute (ETSI), which developed the algorithm, confirmed that the weakness was deliberate, noting that it was introduced to meet encryption export regulations.

Editor's Note

There are many more cases where export controls around cryptography resulted in insecure systems and technology being built – unfortunately during the formative years of the internet/World Wide Web infrastructure. The over-reliance on SSL and the still extremely low implementation levels of persistent data encryption are direct results. Societally (and within enterprises) the overall benefits of strong protections on data overall outweigh the negative impact of law enforcement/security monitoring warrant-free visibility into the data.

John Pescatore

While GEA-1 was used in 2G networks, and the weakness is not present in the current GEA-3 and GEA-4 algorithms, some GPRS networks still have GEA-1 fallback, and phones as recently as 2018 still supported the GEA-1 and GEA-2 algorithms. Risks of fallback can be minimized by using devices which don’t include radios which support GPRS fallback, typically newer than 2019, or if supported, configure for 5G/LTE only.

Lee Neely

Not only do government mandated backdoors not provide much value, they tend to weaken security for future generations of devices that need to stay backward compatible.

Johannes Ullrich

Governments have long resisted air-side encryption. (In the US during WWII it was illegal) This is not the first time that air-side encryption in mobile telephone service has been deliberately compromised. While such encryption may not protect the conversations of targets of choice of nation states, mostly “persons of interest” in criminal investigations, it does offer some protection against large scale surveillance and protects targets of opportunity from organized crime.

William Hugh Murray

2021-06-21

WaterISAC Survey of US Water and Wastewater Utilities

According to a survey of US water and wastewater utilities conducted by the Water Sector Coordinating Council (WSCC) and the Water Information Sharing and Analysis Center (WaterISAC), 38 percent of water utilities have identified all IT-networked assets and 31 percent have identified all OT-networked assets. Just 60 percent of respondents say they include cybersecurity in their risk assessments. Respondents also listed their top needs for support from the federal government: water-sector-specific training and education; technical assistance, assessments, and tools; cyberthreat information; and federal loans and grants.

Editor's Note

Most water utilities are run by small local governments. They have the same disadvantages of small businesses in the commercial sector, compounded by the complexities of local funding issues. The most glaring controls needs are very much in line with the essential security hygiene levels (Implementation Group 1) of the CIS Critical Security Controls, but most respondents indicated a lack of trained cybersecurity staff. Any funding for infrastructure improvements should target some funding for this area.

John Pescatore

2021-06-21

Ransomware Operators Leak Data Stolen from ADATA

Data stolen from Taiwanese memory and storage manufacturer ADATA has reportedly been leaked online. ADATA’s network was the target of a ransomware attack in late May. The ransomware operators appear to have stolen at least 700GB of archived data. The service where the data were being hosted closed the ransomware operators’ account.

Editor's Note

While the MEGA storage service has closed their account, the Ragnar operators still have the data and will find another location to distribute it. This raises the concerns about where your exfiltrated data could be located and who has copies, despite assurances from the operators it will be deleted upon receipt of payment. It may be simpler to operate on a model that exfiltrated data has been released publicly and to build your response plan from there.

Lee Neely

Ransomware is nothing more than malware; what makes it so effective is how criminals monetize the infections. Originally, monetization was via targeting availability, but criminals then added the impact of exposing confidentiality, as they did here. Depending on your industry, one of these two is bound to have a significant impact to your organization, thus the rise in payments.

Lance Spitzner

2021-06-21

Ransomware: Fertility Clinic Says Patient Data were Compromised

Personal information belonging to 38,000 patients of an Atlanta, Georgia, fertility clinic, Reproductive Biology Associates and My Egg Bank North America, was compromised in an April 2021 ransomware attack. The compromised data include names, addresses, Social Security numbers, lab results and other sensitive information.

Editor's Note

While ransomware requires the total compromise of a network, it begins with a breach. A breach is a breach is a breach. If one is breached, then extortion is only one of the bad things that may result. Resist breaches and detect them early, i.e., hours to days. Recovery may be too late and ineffective.

William Hugh Murray

2021-06-18

Wegmans Discloses Data Leak

US supermarket chain Wegmans has notified some customers that their personal information was compromised due to misconfigured cloud-based databases. Wegmans said it learned of the exposed data from a third-party security researcher. Compromised data include names, phone numbers, Shoppers Club numbers, and email addresses and passwords for Wegmans.com accounts.


2021-06-21

South Korean Nuclear Research Agency’s Network Infiltrated

The internal network of South Korea’s Korea Atomic Energy Research Institute (KAERI) was infiltrated on May 14. The perpetrators are believed to be threat actors working on behalf of North Korea. The intruders appear to have exploited a vulnerability in an unnamed VPN.

Editor's Note

There has been a wave of VPN vulnerabilities and attacks, notably impacting Pulse Secure, SonicWall, Fortinet FortiOS and Citrix. Make sure that your VPN has been updated and configured to current security baselines. Ensure no users can bypass multi-factor authentication and that any old VPN services were fully decommissioned, rather than left running “just in case.”

Lee Neely

2021-06-21

Does Malicious Hotspot Break iPhone WiFi Functionality? Not Really

Reports of a malicious Wi-Fi hotspot damaging iPhones’ Wi-Fi functionality are exaggerated. A bug in iOS causes iPhones’ Wi-Fi functionality to be disabled when it joins a network with a certain SSID. Users can restore Wi-Fi functionality by resetting the device’s network settings, which will delete its saved Wi-Fi passwords.

Editor's Note

An interesting old format string vulnerability. Luckily, the risk from this problem is minimal. A victim has to join a very "odd" looking WiFi network. I doubt a lot of people will fall for that. Still, it may be a good idea to look out for pranks involving this SSID. To recover, you will need to reset your network settings which may erase some stored credentials for other networks.

Johannes Ullrich

Use caution joining a wireless network that has a name which looks like a format statement (e.g., %p%s%s%s%s%n). While legal, that SSID may not be a network designed for general use. Recovery involves resetting your device network settings – which means all the stored wireless networks are forgotten and you will need to join them again. It’s not a bad idea to do this from time to time so your device is only searching for currently used preferred networks.

Lee Neely
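As an added illustration for the two notes above (this is not Apple's wifid code and not taken from the linked analysis), the following C program shows the bug class behind an SSID such as %p%s%s%s%s%n and a check that flags SSIDs containing printf-style directives before a device joins a network or a tool logs its name. The function names and the sample SSIDs are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the original page's or Apple's code. The vulnerable
 * pattern is passing attacker-controlled text as the *format* argument:
 *
 *     snprintf(buf, sizeof buf, ssid);   // BUG: ssid is parsed for %-directives
 *
 * "%p" and "%s" then read whatever happens to be on the stack (info leak or
 * crash) and "%n" writes the number of bytes emitted so far through a pointer
 * it also pulls from the stack (memory corruption). The fix is to supply a
 * literal format string and pass the SSID as data.
 */

/* Safe logger: the SSID is an argument to a fixed "%s", never the format. */
int log_ssid_safe(char *out, size_t outlen, const char *ssid) {
    return snprintf(out, outlen, "Joined network \"%s\"", ssid);
}

/*
 * Count printf-style conversion directives in an SSID. "%%" is a literal
 * percent sign and does not count. Sets *has_percent_n when a "%n"
 * (write-to-memory) directive is present. A '%' is legal in an SSID, so a
 * non-zero count is a red flag for review, not proof of an attack.
 */
int count_format_directives(const char *ssid, bool *has_percent_n) {
    static const char flags_width_length[] = "-+ #0123456789.*hlLqjzt";
    int count = 0;
    if (has_percent_n) *has_percent_n = false;

    for (const char *p = ssid; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }           /* escaped percent */
        count++;
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q != '\0' && strchr(flags_width_length, *q) != NULL) q++;
        if (*q == 'n' && has_percent_n) *has_percent_n = true;
        if (*q == '\0') break;                        /* dangling '%' at end of SSID */
        p = q;                                        /* resume after the conversion char */
    }
    return count;
}

int main(void) {
    /* Constructed sample scan results, not real networks. */
    const char *scan[] = { "CoffeeShop-Guest", "100%%cotton", "%p%s%s%s%s%n" };
    char line[128];

    for (size_t i = 0; i < sizeof scan / sizeof scan[0]; i++) {
        bool n = false;
        int directives = count_format_directives(scan[i], &n);
        log_ssid_safe(line, sizeof line, scan[i]);
        printf("%-20s directives=%d %%n=%s -> %s\n", scan[i], directives,
               n ? "yes" : "no", directives ? "DO NOT JOIN" : "ok");
        puts(line);
    }
    return 0;
}
```

The check is deliberately conservative: it only looks at the text of the SSID, so it can be run over a scan list or a captured beacon before any code that formats log lines sees the name. The durable fix is still the one in log_ssid_safe, since filtering input does not help a logger that is already passing untrusted strings as its format.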

Internet Storm Center Tech Corner

Network Forensics on Azure VMs (Part #2)

https://isc.sans.edu/forums/diary/Network+Forensics+on+Azure+VMs+Part+2/27538/


Google Open Redirect Being Abused

https://isc.sans.edu/forums/diary/Open+redirects+and+why+Phishers+love+them/27542/


Easy Access to the NIST RDS Database

https://isc.sans.edu/forums/diary/Easy+Access+to+the+NIST+RDS+Database/27544/


Attack and Defend: Distributed Web Applications (free Webcast)

https://www.sans.org/webcasts/attack-defend-modern-distributed-applications-119610


iOS Wifi Bug

https://blog.chichou.me/2021/06/20/quick-analysis-wifid/


NSA VoIP Security Guide

https://media.defense.gov/2021/Jun/17/2002744054/-1/-1/1/CTR_DEPLOYING%20SECURE%20VVOIP%20SYSTEMS.PDF


Darkside Impersonators

https://www.helpnetsecurity.com/2021/06/21/impersonating-darkside/


Tesla RAT COVID-19 Vaccination Phish

https://threatpost.com/agent-tesla-covid-vax-phish/167082/


Tor Browser Update

https://www.bleepingcomputer.com/news/security/tor-browser-fixes-vulnerability-that-tracks-you-using-installed-apps/


Schneider PowerLogic Vulnerabilities

https://www.ehackingnews.com/2021/06/six-major-flaws-identified-in-schneider.html


AutoCAD Update

https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0004