SANS NewsBites

No Surprise: Cyberinsurance is Not Improving Cybersecurity; Microsoft Investigating How Malicious Windows Drivers Got Through; More Google Play Security Around Developer Accounts

June 29, 2021  |  Volume XXIII - Issue #51

Top of the News


2021-06-28

Cyber Insurance Does Not Appear to be Improving Cybersecurity

A paper from Britain’s Royal United Services Institute (RUSI) “explores whether cyber insurance can incentivise better cyber security practices among policyholders, … [and] finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope.”

Editor's Note

The important quote in this report is something I told insurers back in the early 2000s when I was at Gartner: “The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects.” OK, I didn’t use the term “anthropogenic” – I had to look that up: basically, it means “caused by humans.” My version: bad guys exploit vulnerabilities in people and software. There are no tables of material strengths for either people or software, thus human engineering and software engineering are oxymorons – they are not engineering disciplines and broad, rigid standards can’t be driven by insurance companies. The report’s number one recommendation is that “essential security hygiene” be mandated, in this case the UK Cyber Essentials which is similar to the CIS Critical Security Controls Implementation Group 1.

John Pescatore

Cyber insurance is too new to expect it to affect business. At this point, insurance companies are experimenting with the product and collecting data to refine their business. I hope insurance companies will bring the same data-driven approach they use for other insurance products to cyber security in the future.

Johannes Ullrich

Purchasing cyber insurance doesn’t alleviate the responsibility to implement cyber security. The past year, with ransomware payouts by insurers, has been the first time they are operating in the red, so I expect insurers to either stop or modify their coverage for ransomware, or raise the bar by developing a cybersecurity “clean bill of health” (aka minimum standards) before providing coverage, as well as monitoring breach and incident notifications to ensure their insured clients are maintaining a healthy cyber security posture.

Lee Neely

2021-06-28

Microsoft Investigating Malware-Signing Incident

Microsoft is investigating an incident in which its Windows Hardware Compatibility Program (WHCP) certified what turned out to be a malicious driver. The driver, known as Netfilter, has been used in gaming environments; it has the capacity to decrypt Internet traffic and send it to another machine. Microsoft has suspended the account through which the driver was submitted.

Editor's Note

The scary part is that this malicious driver was apparently intended to cheat at online games. This wasn't a sophisticated state-sponsored or organized crime organization; an individual managed to get Microsoft to sign a malicious driver, either to appear to be playing from other countries or to reduce the network speeds of competitors.

Johannes Ullrich

So far, the good news is Microsoft does not believe a signing certificate was compromised. So, looks like an issue with the WHCP testing and certification process. Every software testing process has to continually be improved but app stores/driver testing etc. are highly effective in reducing the volume of malicious software and updates that cause any meaningful damage.

John Pescatore

2021-06-28

Google Play is Increasing Developer Account Security

Google is rolling out stronger security practices for Google Play developer accounts. Google will require a contact name, a physical address, phone and email verification, and declaration of account type. Developer accounts will also have mandatory two-factor authentication.

Editor's Note

The changes are being phased in; starting in August new accounts must specify account type and contact information, and 2FA will be required. Later this year all existing accounts must also set their type, update contact information, and enable 2FA. Google is also providing guidance on keeping your account in good standing. This will help trace applications to known good sources; when coupled with Play Protect, the security and integrity of applications in the Play Store will increase as well.

Lee Neely

Another example of continual improvement around application testing and certification, and 2FA being mandated.

John Pescatore

The Rest of the Week's News


2021-06-28

Microsoft Security Response Team: New Activity from SolarWinds Threat Actors

In a blog post late last week, Microsoft’s Security Response team wrote that it “is tracking new activity from the NOBELIUM threat actor … [that includes] password spray and brute-force attacks.” The threat actor compromised a computer used by a Microsoft customer support employee. From there, the actors launched targeted attacks. (Please note that the WSJ story is behind a paywall.)

Editor's Note

How do you think you’d fare in a password spray attack? (Where a few common passwords are used to try to access a large number of accounts.) Make sure externally facing services use MFA, and where passwords are used integrate the password process with data breach checks to disallow common or compromised passwords. Make sure that you’re getting alerts on these sorts of activities. Then engage a team to attempt password compromise to verify your position.

Lee Neely
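
As an added example (not code from the newsletter, from Microsoft, or from any vendor), the following Python shows the per-source detection logic that separates a password spray (many accounts, one or two attempts each, deliberately under the lockout threshold) from a single-account brute force, run over constructed sample authentication log lines. The log line format, the field names and the thresholds are assumptions standing in for whatever your identity provider or VPN concentrator actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real data). The format
# "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2021-06-28T09:00:01Z auth FAIL user=alice src=203.0.113.7
2021-06-28T09:00:03Z auth FAIL user=bob src=203.0.113.7
2021-06-28T09:00:05Z auth FAIL user=carol src=203.0.113.7
2021-06-28T09:00:07Z auth FAIL user=dave src=203.0.113.7
2021-06-28T09:00:09Z auth FAIL user=erin src=203.0.113.7
2021-06-28T09:00:11Z auth OK user=frank src=203.0.113.7
2021-06-28T09:01:00Z auth FAIL user=grace src=198.51.100.5
2021-06-28T09:01:20Z auth FAIL user=grace src=198.51.100.5
2021-06-28T09:01:40Z auth OK user=grace src=198.51.100.5
"""
# One source hammering a single account: the classic brute force that
# per-account lockout catches and that spraying is designed to avoid.
SAMPLE_LOG += "".join(
    f"2021-06-28T09:02:{i:02d}Z auth FAIL user=admin src=192.0.2.9\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Return (timestamp, succeeded, user, src) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "OK", m["user"], m["src"]))
    return sorted(events)


def _peak_in_window(times, window):
    """Largest number of sorted timestamps that fit inside one window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_fail_per_user=2):
    """Flag a source that fails against many distinct accounts inside one
    window while staying under the per-account lockout threshold (wide and
    shallow). Per-account counters never see this; a per-source view does."""
    by_src = defaultdict(list)
    for ts, ok, user, src in events:
        by_src[src].append((ts, ok, user))
    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, ok, user in evs if not ok]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_fail_per_user):
                findings[src] = {
                    "users": sorted(per_user),
                    # A success from a spraying source is the real incident.
                    "succeeded": sorted({u for _, ok, u in evs if ok}),
                }
                break
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=10):
    """Flag (src, user) pairs with many failures against one account (narrow
    and deep). The value is the peak failure count inside one window."""
    fails = defaultdict(list)
    for ts, ok, user, src in events:
        if not ok:
            fails[(src, user)].append(ts)
    findings = {}
    for key, times in fails.items():
        peak = _peak_in_window(times, window)
        if peak >= min_failures:
            findings[key] = peak
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

On the constructed data the spray detector flags 203.0.113.7 (five accounts, one failure each, followed by a success on a sixth account), and the brute force detector flags the 12 failures against "admin" from 192.0.2.9; the legitimate user who mistyped twice trips neither. The thresholds are the tuning knobs: set max_fail_per_user just below your lockout policy, since that is exactly where a sprayer will sit.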

2021-06-24

Communication Chip Vulnerabilities Can be Exploited with the Wave of a Phone

A researcher and consultant from IOActive has found vulnerabilities in near-field communication (NFC) reader chips used in ATMs and point-of-sale (POS) systems all over the world. NFC readers allow users to tap or wave a payment card over the terminal. Josep Rodriguez created an app that allows an Android phone to mimic NFC communications. The app could be used to crash POS devices, steal payment card data, and alter transactions.

Editor's Note

ALL input has to be validated. We have seen vulnerabilities in other communication protocols, not just NFC, where developers implemented the standard without considering non-standard transmissions. The best example is probably various 802.11 implementations that followed the standard and expected the SSID to be limited to 32 bytes, only to be "surprised" with malicious actors triggering buffer overflows by using longer SSID strings.

Johannes Ullrich
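
As an added example illustrating the point above (not code from the newsletter, from IOActive, or from any vendor), here is a Python parser for 802.11 tagged parameters that checks every length octet against the bytes actually present, and checks the SSID element against its 32-byte maximum, before anything is copied. The element IDs and the 32-byte limit are the real values from the standard; the frames are constructed for the example.

```python
import struct

# IEEE 802.11 element IDs (real values from the standard).
ELEMENT_SSID = 0
ELEMENT_SUPPORTED_RATES = 1
SSID_MAX_LEN = 32  # the SSID element body is 0..32 octets per the standard


class MalformedElement(ValueError):
    """Raised instead of trusting a length field the bytes don't support."""


def parse_elements(data, ssid_max_len=SSID_MAX_LEN):
    """Parse 802.11 tagged parameters: a sequence of (ID, Length, Body).

    Two checks run before any body is touched: the declared length must fit
    in the bytes actually present (otherwise a reader overruns the frame
    buffer), and a spec-bounded element such as SSID must not exceed its
    maximum (a fixed 32-byte destination overflows in C even when all the
    bytes are present). Returns a list of (element_id, body).
    """
    elements = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise MalformedElement(f"truncated element header at offset {offset}")
        elem_id, length = struct.unpack_from("BB", data, offset)
        offset += 2
        remaining = len(data) - offset
        if length > remaining:
            raise MalformedElement(
                f"element {elem_id} declares {length} bytes, only {remaining} remain")
        if elem_id == ELEMENT_SSID and length > ssid_max_len:
            raise MalformedElement(
                f"SSID length {length} exceeds the {ssid_max_len}-byte maximum")
        elements.append((elem_id, data[offset:offset + length]))
        offset += length
    return elements


def build_element(elem_id, body):
    """Encode one element; the single length octet limits a body to 255 bytes."""
    if not 0 <= len(body) <= 255:
        raise ValueError("element body must be 0..255 bytes")
    return struct.pack("BB", elem_id, len(body)) + body


def classify(data):
    """Return ('ok', elements) or ('rejected', reason) for a byte blob."""
    try:
        return "ok", parse_elements(data)
    except MalformedElement as exc:
        return "rejected", str(exc)


# Constructed test frames for this example (not captured traffic).
GOOD_FRAME = (build_element(ELEMENT_SSID, b"CorpWiFi")
              + build_element(ELEMENT_SUPPORTED_RATES, bytes([0x82, 0x84, 0x8B, 0x96])))
# Length octet says 40 and 40 bytes really follow: a parser that only
# follows the standard and copies into char ssid[32] overflows by 8 bytes.
OVERSIZED_SSID = build_element(ELEMENT_SSID, b"A" * 40)
# Length octet says 50 but only 5 bytes follow: an unchecked copy reads
# 45 bytes past the end of the received frame.
TRUNCATED_SSID = bytes([ELEMENT_SSID, 50]) + b"short"

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FRAME), ("oversized", OVERSIZED_SSID),
                       ("truncated", TRUNCATED_SSID)]:
        print(name, classify(blob))
```

The two malformed frames are the two distinct failure modes: a length that lies about how many bytes exist, and a length that is honest about the bytes but exceeds what the receiving structure was sized for. An implementation has to check both; the 802.11 SSID bugs the note refers to came from handling only the first.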

The net effect is that the NFC interface can be used to trigger a buffer overflow, and it indicates caution is needed when adding new interfaces to legacy systems. In this case, the exploit could be used to read mag-stripe data from cards but not an EMV card or chip PIN. As a user, it’s best to use the chip reader over the mag stripe reader when a choice is presented.

Lee Neely

2021-06-28

Zyxel Firewalls and VPNs are Being Attacked

Zyxel has published an advisory warning that they “recently became aware of a sophisticated threat actor targeting Zyxel security appliances with remote management or SSL VPN enabled in the USG/ZyWALL, USG FLEX, ATP, and VPN series.” The attacker tries to access targeted devices through the WAN interface.

Editor's Note

Only allow WAN-based administration of your VPN from trusted devices. Verify the security settings are as they should be. After applying the update from Zyxel, when someone logs in as admin, a security check will pop up on the VPN to alert them of any security misconfigurations. Even without a pop-up, double check things are as you expect.

Lee Neely

2021-06-28

Cisco Adaptive Security Appliance Vulnerability is Being Actively Exploited

Attackers are actively exploiting a known vulnerability in Cisco Adaptive Security Appliance (ASA) after researchers published proof-of-concept exploit code. Cisco released an initial fix for the flaw in October 2020, and issued a second fix in April 2021 after determining that the earlier fix was incomplete.

Editor's Note

This flaw permits unauthenticated XSS attacks against a user of the web services interface on a vulnerable service. There are no published workarounds or mitigations other than updating your firmware here; make sure that you’re actually running an affected product, e.g. vulnerable release of the ASA software plus a vulnerable AnyConnect or WebVPN configuration.

Lee Neely

Patches have been out now for a couple of months. With a PoC available now, exploitation attempts are likely already underway.

Johannes Ullrich

2021-06-28

NIST Defines Critical Software for Executive Order

The US National Institute of Standards and Technology (NIST) has released a definition of “critical software.” The definition is one of the requirements from the cyber executive order signed in May. NIST writes “EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes: is designed to run with elevated privilege or manage privileges; has direct or privileged access to networking or computing resources; is designed to control access to data or operational technology; performs a function critical to trust; or, operates outside of normal trust boundaries with privileged access.”

Editor's Note

It is a pretty broad definition, which is realistic. The Critical Software part of the EO is on a fast track – by July 11 NIST/NSA will publish minimum standards and requirements vendors need to meet in testing their source code. This can be a very good thing: while many major software vendors already will likely meet the requirements, many security software products and lots of open source tools likely do not.

John Pescatore

This definition is very broad, including operating systems and web browsers. Read the table as well as the definition, then turn to the FAQs to understand scope, definitions and applicability; such as embedded, Open Source and GOTS, all of which could be EO-critical. While initial focus is on-premise software, cloud based products and services are also in scope. Expect more information and guidance as we move forward with the EO implementation.

Lee Neely

2021-06-28

Ireland Health Service Executive Still Operating Under EHR Downtime

More than six weeks after a ransomware attack, the Ireland Health Service Executive is still operating under electronic health record (EHR) downtime. Patients have been informed that they could experience significant delays in care; they are also being asked to bring healthcare-related documents to appointments. Recovery costs are expected to be at least $600 million.

Editor's Note

Key lesson here: ransomware attacks cost far more than just the ransom. There are tremendous costs in the downtime and recovery time, having to rebuild both systems and networks to truly ensure the systems can be trusted again. What is frightening here is the potential cost in lives due to delayed care.

Lance Spitzner

2021-06-25

FIN7 Cybercrime Group Member Sentenced to Prison

A Ukrainian individual was sentenced to seven years in prison for his role in the FIN7 cybercrime group, which is also known as Carbanak and Navigator. Andrii Kolpakov was also ordered to pay $2.5 million in restitution.

Internet Storm Center Tech Corner

Increase in UDP Port 389 Scans (LDAP/AD)

https://isc.sans.edu/forums/diary/Is+this+traffic+bAD/27566/


CD/DVD Destruction

https://isc.sans.edu/forums/diary/DIY+CDDVD+Destruction/27572/


CFBF Files Strings Analysis

https://isc.sans.edu/forums/diary/CFBF+Files+Strings+Analysis/27576/


Zyxel Exploits

https://twitter.com/JAMESWT_MHT/status/1407987022170578946

https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018137&lang=EN


Cisco Vulnerability Exploited

https://threatpost.com/cisco-asa-bug-exploited-poc/167274/


Microsoft Signs Netfilter Rootkit

https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit


Details From Microsoft About Netfilter Malware

https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/


Google Compute Engine Platform RCE

https://github.com/irsl/gcp-dhcp-takeover-code-exec