SANS NewsBites

Stolen COVID Data Were Altered Before Leak; FBI Vishing Warning; Apache Vulnerability

January 19, 2021  |  Volume XXIII - Issue #5

Top of the News


2021-01-18

Stolen COVID Data Were Altered Before They Were Leaked

The hackers who stole COVID-19-related data from the European Medicines Agency (EMA) altered it before posting it on the dark web. The data pertain to the BNT162b2 vaccine, which was jointly developed by Pfizer and BioNTech. According to EMA's most recent update on the cyberattack, "some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines." Amsterdam-based EMA evaluates applications for medicines to be marketed in the European Union.

Editor's Note

The integrity of data has always been the most overlooked element of the Confidentiality Integrity Availability triad, but there have been many attacks over the years (most aimed at stock price manipulation) that modified critical data. At a Cybersecurity Moonshot Initiative stakeholders' workshop back in 2019, we highlighted fighting "deep fakes" and disinformation as top of the priority list - more focus on hardening the information is needed.

John Pescatore

Think digital signatures, hashes (TripWire), and blockchain.

William Hugh Murray

Beyond encrypting data at rest and in transit, data integrity, particularly for official records, needs to be verifiable to detect tampering. Consider digitally signing official correspondence and records. Just as you check the digital signatures for software updates, the same capabilities need to exist for official information.

Lee Neely
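The two notes above recommend hashes and signatures so that altered records can be detected. As an added example (not part of the newsletter or any EMA system), the following Python uses only the standard library to build a keyed integrity manifest over a set of archived records and then checks a tampered copy against it. The records, the record ids and the key are all constructed for the demonstration; HMAC-SHA256 stands in for a proper asymmetric signature, which would additionally let outside parties verify records without holding the key.

```python
import hashlib
import hmac

# Constructed sample records (not real EMA correspondence): a record id
# mapped to the bytes of the document as it was originally archived.
RECORDS = {
    "memo-001": b"Review of submission batch 12: no concerns raised.",
    "memo-002": b"Stability data accepted; follow-up requested on lot 7.",
    "memo-003": b"Meeting notes: timeline unchanged.",
}

# Demonstration key only. In practice the key is kept separate from the
# systems that store the records (HSM or secrets manager), so that someone
# who can edit a record cannot also recompute its tag.
DEMO_KEY = b"example-key-do-not-use"


def record_tag(key: bytes, record_id: str, content: bytes) -> str:
    """HMAC-SHA256 over the record id and its content.

    Binding the id into the tag stops a valid tag for one record from
    being reused to vouch for a different record.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(record_id.encode("utf-8"))
    mac.update(b"\x00")  # separator so id and content cannot run together
    mac.update(content)
    return mac.hexdigest()


def build_manifest(key: bytes, records: dict) -> dict:
    """Compute a tag for every record at archive time."""
    return {rid: record_tag(key, rid, body) for rid, body in records.items()}


def verify_records(key: bytes, records: dict, manifest: dict) -> dict:
    """Compare a later copy of the records against the stored manifest.

    Returns which records are unchanged, altered, missing, or were not
    present when the manifest was built.
    """
    result = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for rid, expected in manifest.items():
        if rid not in records:
            result["missing"].append(rid)
            continue
        actual = record_tag(key, rid, records[rid])
        # Constant-time comparison; avoids leaking how many bytes matched.
        if hmac.compare_digest(actual, expected):
            result["ok"].append(rid)
        else:
            result["altered"].append(rid)
    result["unexpected"] = sorted(set(records) - set(manifest))
    return result


def demo() -> dict:
    """Build the manifest, then check a copy that has been tampered with."""
    manifest = build_manifest(DEMO_KEY, RECORDS)
    leaked = dict(RECORDS)
    # Constructed tampering: one record reworded, one dropped, one forged.
    leaked["memo-001"] = b"Review of submission batch 12: serious concerns raised."
    del leaked["memo-003"]
    leaked["memo-004"] = b"Forged addendum."
    return verify_records(DEMO_KEY, leaked, manifest)


if __name__ == "__main__":
    for status, ids in demo().items():
        print(f"{status}: {ids}")
```

The manifest is only useful if it is stored and protected independently of the records it covers; the check reports exactly which records differ, which is the evidence needed to show that a leaked copy was manipulated rather than arguing about it after the fact.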

2021-01-18

FBI Warns About Vishing

The FBI has issued a TLP:WHITE Private Industry Notification (PIN) warning that cyber threat actors are using Voice over Internet Protocol (VoIP) platforms to contact employees at companies around the world and try to trick them into visiting a webpage that harvests their personal data. The threat actors have used the account credentials they collect to access companies' networks. The FBI's recommended mitigations include implementing multi-factor authentication, a least-privilege policy, network segmentation, and providing admins with two accounts: one for system changes and another for email, generating reports, and deploying updates.

Editor's Note

Over the last year, more services were made Internet-accessible to promote frictionless remote work. Often those services were secured only with AD credentials, which allows new attack vectors when accounts are compromised. Add multi-factor authentication to all internet accessible services, and make sure they are monitored for unexpected activity, particularly services used to convey sensitive information such as eMail, Phone, VTC and Chat.

Lee Neely

That these measures are effective against, not only this attack vector, but many others, is what makes them efficient.

William Hugh Murray

2021-01-15

Apache Velocity XSS Vulnerability

Apache was notified of a cross-site scripting vulnerability in its Velocity Java-based template engine in October 2020; a publicly visible fix was posted to GitHub in early November, but Apache Velocity Tools has not yet formally disclosed the issue.

Editor's Note

This is being tracked as CVE-2020-13959. Don't wait for the disclosure to apply updates to your Apache Velocity tools. Review the ongoing use of Java for application delivery.

Lee Neely

The Rest of the Week's News


2021-01-18

Scottish Environment Protection Agency Suffers Ransomware Attack

The Scottish Environment Protection Agency (SEPA) has acknowledged that its network was infected with ransomware; the agency says it does not intend to pay the ransomware operators' demand. The attack began in late December 2020. The attackers have reportedly stolen more than 1GB of data. The attack has affected SEPA's "contact centre, internal systems, processes and internal communications." SEPA's critical services, including monitoring and flood forecasting and warning, are operational.


2021-01-18

Singapore's Financial Institutions Get Updated Cyber Defense Guidelines

The Monetary Authority of Singapore (MAS) has revised its Technology Risk Management Guidelines to include directing financial institutions to ensure that third-party service providers are adequately securing data. The guidelines also call for increased security controls and strong risk mitigation for cloud technologies and APIs.

Editor's Note

Flowing down cybersecurity requirements to third-party service providers includes not only contract language but also validation that they are indeed doing what is required. When reviewing assessment reports, make sure they are relevant to protecting your data, particularly for cloud-based solutions where the CSP audit report provides a foundation but doesn't address the implementation of your service.

Lee Neely

2021-01-18

Multiple Vulnerabilities in FiberHome Routers' Firmware

Numerous vulnerabilities, including at least 28 backdoor accounts, have been found in the firmware of FiberHome FTTH ONT routers. The routers are used mainly in South America and Southeast Asia. The researcher who detected the vulnerabilities also noted that the devices' firewall is active on the IPv4 interface, but not on the IPv6 interface.

Editor's Note

When using a device like this which terminates your ISP service with an Ethernet connection, be sure to have your own firewall/router as routers from ISPs are typically externally managed, and you cannot control the updates or security features.

Lee Neely

2021-01-18

Feedback Prompts Bugtraq to Reverse Decision to Shut Down

On January 15, the Bugtraq mailing list announced it would be shutting down on January 31, 2021. Bugtraq was established in November 1993. A day later, Bugtraq wrote, "based on the feedback we've received both from the community-at-large and internally, we've decided to keep the Bugtraq list running."


2021-01-18

Microsoft Zerologon Flaw Enforcement Phase Begins February 9

Organizations that have not yet patched the Microsoft Zerologon vulnerability are being urged to do so before February 9, 2021. As of that date, Microsoft "will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices." Microsoft released a fix for the Zerologon vulnerability in its August 2020 security update. In September 2020, the US Department of Homeland Security (DHS) issued an emergency directive instructing agencies to patch systems against the flaw.

Editor's Note

Review your systems to make sure the patch has been fully deployed. Check behavior on non-Windows systems. If you're enabling the non-secure net login for specific accounts, set time limits to resolve the issue and remove the exception. Review the Microsoft bulletin below to make sure you are ready. Validate you're able to detect attempted abuse.

Lee Neely
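The note above asks you to confirm that the patch is fully deployed, that any exceptions are tracked, and that attempted abuse is detectable. The August 2020 update added Netlogon events 5827 through 5831 to the System log on domain controllers for exactly this purpose. The following Python is an added example, not Microsoft's tooling or the newsletter's: it triages a batch of such events (constructed sample records, as a collector such as Get-WinEvent or a SIEM export would hand them over) into the three lists an administrator needs before February 9. The field names in the sample records are an assumption of this example.

```python
from collections import Counter

# Netlogon event IDs added by the August 2020 (CVE-2020-1472) update.
# Meanings follow Microsoft's documentation for the update.
DENIED = {5827, 5828}       # vulnerable secure-channel connection was refused
ALLOWED_PHASE = {5829}      # allowed only because enforcement is not yet on
ALLOWED_EXCEPTION = {5830, 5831}  # allowed by the Group Policy exception

# Constructed sample events; real ones come from the System log of each
# domain controller. Fields: event id, account that attempted the channel,
# and the client address as the event reports it.
SAMPLE_EVENTS = [
    {"EventID": 5829, "Account": "NAS01$", "Client": "10.0.5.20"},
    {"EventID": 5829, "Account": "NAS01$", "Client": "10.0.5.20"},
    {"EventID": 5830, "Account": "PRINTSRV$", "Client": "10.0.7.3"},
    {"EventID": 5827, "Account": "WS-OLD-17$", "Client": "10.0.9.41"},
    {"EventID": 5828, "Account": "LEGACYDOM$", "Client": "192.0.2.9"},
    {"EventID": 5831, "Account": "LEGACYDOM$", "Client": "192.0.2.9"},
    {"EventID": 4624, "Account": "jdoe", "Client": "10.0.3.2"},  # unrelated
]


def triage(events):
    """Sort Netlogon events into what needs fixing, reviewing, or alerting.

    Returns a dict with:
      will_break   - accounts still using vulnerable channels; they will be
                     refused once enforcement mode is on (event 5829)
      exceptions   - accounts covered by the GPO exception, which should be
                     time-limited and removed (events 5830/5831)
      denied       - accounts already being refused; persistent repeats are
                     worth an alert as attempted abuse or a missed device
      counts       - how often each account appeared per category
    """
    will_break, exceptions, denied = set(), set(), set()
    counts = Counter()
    for ev in events:
        eid = ev.get("EventID")
        acct = ev.get("Account", "?")
        if eid in ALLOWED_PHASE:
            will_break.add(acct)
            counts[("will_break", acct)] += 1
        elif eid in ALLOWED_EXCEPTION:
            exceptions.add(acct)
            counts[("exceptions", acct)] += 1
        elif eid in DENIED:
            denied.add(acct)
            counts[("denied", acct)] += 1
        # any other event id is not a Netlogon enforcement event; ignore
    return {
        "will_break": sorted(will_break),
        "exceptions": sorted(exceptions),
        "denied": sorted(denied),
        "counts": dict(counts),
    }


def enforcement_ready(events) -> bool:
    """True when no device still depends on the pre-enforcement allowance."""
    return not triage(events)["will_break"]


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for key in ("will_break", "exceptions", "denied"):
        print(f"{key}: {report[key]}")
    print("ready for enforcement:", enforcement_ready(SAMPLE_EVENTS))
```

Run this over every domain controller's System log, not just one: a device only shows up on the controller it happened to talk to. An empty `will_break` list across all of them is the evidence that enforcement mode will not take anything down, and anything in `exceptions` is the set of accounts the note says to put an expiry date on.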

2021-01-18

OpenWRT Breach

A hacker breached an admin account on the OpenWRT forum. The account was protected by a password, but did not have two-factor authentication implemented. According to an OpenWRT security notice, "the intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum." All forum passwords have been reset and API keys have been flushed. The breach occurred on Saturday, January 16.

Editor's Note

Take a moment to verify you're implementing multi-factor authentication (MFA) on all admin and privileged accounts. Make sure any "break glass" accounts (admin accounts with a reusable password) are both minimized and used only in emergencies. Monitor for the use of reusable passwords on privileged accounts. Have an approval, review, and validation process for accounts that cannot be made MFA.

Lee Neely

The year of Strong Authentication was 2018. By now, all admin accounts should be using it. No exceptions, no excuses.

William Hugh Murray

2021-01-18

$5.1M Fine for HIPAA Violation

Excellus Health Plan has agreed to pay a $5.1 million fine to the US Department of Health and Human Services (HHS) Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA). The hackers breached the Excellus network in December 2013 and maintained access until at least mid-May 2015. The breach exposed personally identifiable information of more than 9.3 million patients. The exposed data included names, bank account information, and clinical treatment information. Excellus filed a breach report in September 2015.

Editor's Note

HIPAA fines have been infrequent: in the 17 years since compliance started, OCR has levied fines in only 92 cases out of about 70,000 investigated. On the other hand, the average fine has been about $1.4M - good to highlight to CXOs and boards if you are in the healthcare vertical.

John Pescatore

In light of the "ransomware" attacks in the healthcare industry, the time-to-detection of a breach must shrink from months to hours. Providers must have an objective and strategy and tactics for achieving it.

William Hugh Murray

Internet Storm Center Tech Corner

Scans for DNS over HTTPS

https://isc.sans.edu/forums/diary/Obfuscated+DNS+Queries/26992/

https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guidance-encrypted-dns-enterprise-environments


Doc And RTF Malicious Document

https://isc.sans.edu/forums/diary/Doc+RTF+Malicious+Document/26996/


Exploit for Shazam Geolocation Vulnerability

https://ash-king.co.uk/blog/Shazlocate-abusing-CVE-2019-8791-CVE-2019-8792


Apple Removing ContentFilterExclusionList

https://www.patreon.com/posts/46179028


Center for Internet Security Cisco NX-OS Benchmark

https://www.cisecurity.org/cis-benchmarks/


Netlogon Domain Controller Enforcement Mode Starting February 9th

https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/


Voice Phishing and Internal Messaging Systems Used to Escalate Privileges

https://www.ic3.gov/Media/News/2021/210115.pdf