SANS NewsBites

US Government Agencies Required to Standardize Vulnerability Disclosure Programs; US Prosecutor eMail Accounts Breached via SolarWinds Compromise; Android Malware Uses Virtual Network Computing to Steal Data; Ship Location System Easily Spoofed

August 3, 2021  |  Volume XXIII - Issue #60

Top of the News


2021-07-30

CISA Vulnerability Disclosure Policy Platform

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure policy (VDP) platform that supports its Binding Operational Directive 20-01, which requires federal agencies to establish VDPs.

Editor's Note

Agencies have until September 2, 2022, to have all internet-accessible systems in scope. Policies and contacts had to be published within 180 days, and after 180 days any new internet-accessible systems were automatically in scope. Identification of existing systems in scope was required 270 days from the issuance of BOD 20-01, June 1, 2021, with additional systems required every 90 days until all internet-accessible systems are listed as in scope. The challenge is developing procedures to track, coordinate and resolve reported issues, which may impact federal incident reporting activities. The BOD provides references and resources needed to develop a VDP. Before you go testing an agency’s system, check their web site under /vulnerability-disclosure-policy to see what is permitted/in-scope.

Lee Neely

Back in 2017 the US Department of Justice put out a solid framework for Vulnerability Disclosure Programs – good to see CISA making standard VDPs a requirement across federal systems. They now provide a template complying with this BOD. One nit: while the BOD does require the policy to be published at a standard URL across government systems, it is *not* an easy-to-guess URL. I’d like to see requirements that all federal home pages include a visible link to vulnerability reporting information.

John Pescatore

2021-08-02

SolarWinds Threat Actors Breached US Federal Prosecutors’ eMail Accounts

The US Department of Justice (DoJ) has updated its statement on the SolarWinds incident to disclose that the threat actors behind the SolarWinds supply chain attack also compromised Microsoft Office 365 email accounts in 27 federal prosecutors’ offices. The threat actors had access to the accounts between May 7 and December 27, 2020. The compromised information includes “all sent, received, and stored emails and attachments found within those accounts during that time.”

Editor's Note

We knew the fallout from the SolarWinds compromise was going to be bad, but this points out how really, really bad the damage has been. In the SANS 2021 New Attacks and Threat report, SANS Fellow and instructor Ed Skoudis detailed the key mitigation needs to minimize damage from what he called “Software Integrity Attacks.” Details at https://www.sans.org/webcasts/2021-report-top-attacks-threat-report-118445/

John Pescatore

Review administrator access to your cloud services. Make sure that service administrators use a separate account to manage the service versus accessing it as an end-user. Require multi-factor authentication on all accounts, especially administrators. Additionally, if you have “break-glass” or other administrator accounts which are single factor, secure those passwords, and monitor their use closely to detect abuse.

Lee Neely
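
The checks in the note above (dedicated admin accounts, MFA on everything, close watch on break-glass accounts) can be turned into something that runs against a tenant export. The script below is an added example, not code from the newsletter or from Microsoft: the user inventory, the sign-in records and their field names are constructed for the example and only loosely mirror what a Microsoft 365 / Azure AD user and sign-in export contains.

```python
"""Privileged-account hygiene checks for a cloud tenant.

Added example, not code from the page or from Microsoft. The inventory,
sign-in records and field names are constructed for this example; they
loosely mirror a Microsoft 365 / Azure AD user and sign-in export but are
assumptions, not a documented schema.
"""

ADMIN_ROLES = {"Global Administrator", "Exchange Administrator",
               "Privileged Role Administrator"}
# Workloads an administrator should reach with a normal, separate user account.
END_USER_APPS = {"Office 365 Exchange Online", "Microsoft Teams", "OneDrive"}

# Constructed user inventory.
USERS = [
    {"upn": "alice@example.gov", "roles": set(), "mfa": True, "break_glass": False},
    {"upn": "alice-admin@example.gov", "roles": {"Exchange Administrator"}, "mfa": True, "break_glass": False},
    {"upn": "bob@example.gov", "roles": {"Global Administrator"}, "mfa": False, "break_glass": False},
    {"upn": "emergency-access@example.gov", "roles": {"Global Administrator"}, "mfa": False, "break_glass": True},
]

# Constructed sign-in events (who, which application, MFA satisfied, source IP).
SIGNINS = [
    {"upn": "alice@example.gov", "app": "Office 365 Exchange Online", "mfa": True, "ip": "203.0.113.10"},
    {"upn": "alice-admin@example.gov", "app": "Azure Portal", "mfa": True, "ip": "203.0.113.10"},
    {"upn": "bob@example.gov", "app": "Office 365 Exchange Online", "mfa": False, "ip": "198.51.100.7"},
    {"upn": "emergency-access@example.gov", "app": "Azure Portal", "mfa": False, "ip": "192.0.2.44"},
]


def is_admin(user: dict) -> bool:
    return bool(user["roles"] & ADMIN_ROLES)


def audit_accounts(users: list) -> list:
    """Static checks on the inventory: every account gets MFA; a break-glass
    account is the one tolerated exception and is reported so it stays known."""
    findings = []
    for u in users:
        if u["break_glass"]:
            findings.append(("BREAK_GLASS_ACCOUNT", u["upn"]))
        elif not u["mfa"]:
            kind = "ADMIN_WITHOUT_MFA" if is_admin(u) else "USER_WITHOUT_MFA"
            findings.append((kind, u["upn"]))
    return findings


def audit_signins(users: list, signins: list) -> list:
    """Behavioural checks on sign-in records: admin accounts used for mail or
    collaboration, single-factor sign-ins, and any use of a break-glass account."""
    by_upn = {u["upn"]: u for u in users}
    findings = []
    for e in signins:
        u = by_upn.get(e["upn"])
        if u is None:
            findings.append(("UNKNOWN_ACCOUNT", e["upn"]))
            continue
        if u["break_glass"]:
            # Expected to be rare; every use deserves a human look.
            findings.append(("BREAK_GLASS_USED", f"{e['upn']} from {e['ip']}"))
            continue
        if is_admin(u) and e["app"] in END_USER_APPS:
            findings.append(("ADMIN_USED_AS_END_USER", f"{e['upn']} -> {e['app']}"))
        if not e["mfa"]:
            findings.append(("SIGNIN_WITHOUT_MFA", f"{e['upn']} -> {e['app']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_accounts(USERS) + audit_signins(USERS, SIGNINS):
        print(f"{kind:24} {detail}")
```

On the constructed data, alice (separate user and admin accounts, MFA on both) produces no findings; bob's single Global Administrator account is flagged three times (no MFA, used for mail, single-factor sign-in); the break-glass account is reported once in the inventory and once per sign-in, which is the "monitor its use closely" part of the note.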

2021-07-30

Android VNC Malware

An Android remote access trojan (RAT) dubbed Vultur can steal sensitive information from infected devices. Rather than overlaying fake login pages, the malware uses Virtual Network Computing (VNC) remote screen-sharing technology to record the screen and capture what the user types. The malware spread via the Google Play Store in an app called “Protection Guard,” which was installed more than 5,000 times.

Editor's Note

Malware allowing interactive control over a particular mobile device has been used for more sophisticated social engineering attacks. An attacker, while on the phone with a victim, is able to manipulate the screen to, for example, affect the user’s session as they log into their legitimate online banking website.

Johannes Ullrich

Unlike prior malware which used an HTML overlay to capture credentials, the “Vultur” RAT uses VNC to capture keystrokes and record screens, removing the need to create custom overlays and the effort required to install them. It does leverage an overlay to trick the user into granting permission. The malicious apps have been removed from the Play Store and Play Protect will remove them from affected devices. Even so, use caution when granting app permissions, and only install apps from well-known developers in the legitimate app store (Google Play, or your corporate app catalog).

Lee Neely

The app stores are intended to distribute. They are "suppliers," but of code developed by others. While they have distributed malicious apps, they have done a pretty good job of detecting and eliminating them. Users should limit downloads to code that they are sure they are going to use. In deciding whether to download, they should look beyond the stores to the developers.

William Hugh Murray

2021-08-02

Spoofing Ship Locations

Data analysts from SkyTruth and Global Fishing Watch have found that ships’ locations have been spoofed via the automatic identification system (AIS). International law requires most commercial ships to have AIS transponders. While military ships are exempt from the requirement, many use AIS transponders under an alias while navigating busy areas.

Editor's Note

The maritime AIS system is set up like the ADS-B system used for aviation. The signals are not encrypted as they are intended to be seen by everybody in the vicinity of the vessel. Theoretically, it would be possible to digitally sign the signals, but that would require a global key infrastructure. Spoofed AIS signals have frequently been observed in areas where boats attempt to conceal illegal activity. This can be dangerous if a ship conceals or alters its location.

Johannes Ullrich
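
To make the "not encrypted, not signed" point concrete, here is what a receiver actually gets from an AIS transponder. This is an added example, not code from the newsletter, SkyTruth or Global Fishing Watch: a small decoder and encoder for the AIVDM position report (message types 1 to 3) with the NMEA checksum check. The sample sentence is used as constructed test input; the field offsets follow the ITU-R M.1371 position-report layout. The encoder exists to show that a frame claiming any MMSI and any position passes exactly the same checks as a genuine one, because the only integrity field in the frame is an XOR checksum, and a signature would need a key infrastructure the protocol does not have.

```python
"""AIS position-report encode/decode with the NMEA checksum check.

Added example; not code from the page. Field offsets follow the
ITU-R M.1371 type 1/2/3 position report as carried in AIVDM sentences.
"""

# Sample single-fragment position report, used here as constructed test
# input: a moored vessel (nav status 5) reporting MMSI 477553000 near Seattle.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


def nmea_checksum(body: str) -> str:
    """XOR of every byte between the leading '!' and the '*', as 2 hex digits.
    It detects transmission errors; it says nothing about who sent the frame."""
    x = 0
    for ch in body:
        x ^= ord(ch)
    return f"{x:02X}"


def checksum_ok(sentence: str) -> bool:
    body, _, given = sentence[1:].partition("*")
    return nmea_checksum(body) == given.strip().upper()


def payload_to_bits(payload: str) -> str:
    """Undo AIS 6-bit ASCII armoring: each character carries six bits."""
    out = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        out.append(f"{v:06b}")
    return "".join(out)


def bits_to_payload(bits: str) -> str:
    """Inverse of payload_to_bits: values 0-39 -> '0'..'W', 40-63 -> '`'..'w'."""
    return "".join(
        chr(v + 48 if v < 40 else v + 56)
        for v in (int(bits[i:i + 6], 2) for i in range(0, len(bits), 6))
    )


def field(bits: str, start: int, length: int, signed: bool = False) -> int:
    v = int(bits[start:start + length], 2)
    if signed and bits[start] == "1":
        v -= 1 << length
    return v


def decode_position_report(sentence: str) -> dict:
    """Decode a single-fragment AIVDM/AIVDO type 1/2/3 position report."""
    if not checksum_ok(sentence):
        raise ValueError("NMEA checksum mismatch")
    parts = sentence.split(",")
    if parts[0] not in ("!AIVDM", "!AIVDO") or parts[1] != "1":
        raise ValueError("only single-fragment sentences are handled here")
    bits = payload_to_bits(parts[5])
    msg_type = field(bits, 0, 6)
    if msg_type not in (1, 2, 3):
        raise ValueError(f"not a position report (message type {msg_type})")
    return {
        "type": msg_type,
        "mmsi": field(bits, 8, 30),
        "nav_status": field(bits, 38, 4),
        "sog_knots": field(bits, 50, 10) / 10,
        "lon": field(bits, 61, 28, signed=True) / 600000,  # 1/10000-minute units
        "lat": field(bits, 89, 27, signed=True) / 600000,
        "cog_deg": field(bits, 116, 12) / 10,
        "heading": field(bits, 128, 9),
    }


def encode_position_report(mmsi: int, lat: float, lon: float, nav_status: int = 0,
                           sog_knots: float = 0.0, cog_deg: float = 0.0,
                           heading: int = 511, channel: str = "A") -> str:
    """Build a type 1 report for any MMSI/position. The layout has no field for
    a signature or key, so the result is indistinguishable from a genuine one."""
    def f(value: int, length: int) -> str:
        return f"{value & ((1 << length) - 1):0{length}b}"

    bits = (
        f(1, 6) + f(0, 2) + f(mmsi, 30) + f(nav_status, 4)
        + f(-128, 8)                          # rate of turn: not available
        + f(round(sog_knots * 10), 10) + f(0, 1)
        + f(round(lon * 600000), 28) + f(round(lat * 600000), 27)
        + f(round(cog_deg * 10), 12) + f(heading, 9)
        + f(60, 6)                            # UTC second: not available
        + f(0, 2) + f(0, 3) + f(0, 1) + f(0, 19)
    )
    assert len(bits) == 168
    body = f"AIVDM,1,1,,{channel},{bits_to_payload(bits)},0"
    return f"!{body}*{nmea_checksum(body)}"


if __name__ == "__main__":
    print(decode_position_report(SAMPLE))
    forged = encode_position_report(mmsi=123456789, lat=10.5, lon=-20.25, nav_status=5)
    print(forged, decode_position_report(forged))
```

Decoding the sample yields MMSI 477553000, navigation status 5 (moored), roughly 47.5828 N / 122.3458 W, course 51.0 and heading 181. A frame built by `encode_position_report` for an arbitrary identity decodes just as cleanly, which is why the cross-checks Lee Neely mentions below (satellite imagery, other sensors) are what catches spoofing in practice rather than anything in the signal itself.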

In times of tension or war, military ships would not be using AIS location data. Vessels use on-board systems for safety, such as collision avoidance. Even so, AIS data is aggregated for search and rescue, cargo tracking, environmental crimes and sanction violations; it is for these purposes that inaccurate data is a concern. Some AIS inaccuracies can be mitigated by comparing with satellite imagery.

Lee Neely

Regardless of what marketing says, not every threat can be emulated during a red team or pentest engagement. Tabletop exercises and cyber ranges can be good complements, helping organizations understand their larger risk profile.

Christopher Elgee

The Rest of the Week's News


2021-08-02

Swisslog Issues Updates to Fix Vulnerabilities in Pneumatic Tube Firmware

Swisslog Healthcare has released updates to fix vulnerabilities in the Nexus Control Panel of its TransLogic pneumatic tube system (PTS) stations. Pneumatic tube systems are used to transport medicine and lab samples in more than 3,000 hospitals around the world. Researchers at Armis found nine critical vulnerabilities in the TransLogic PTS system.

Editor's Note

If you have an affected system, until updated firmware can be deployed, follow the mitigations in the Armis PwnedPiper report, including blocking Telnet (port 23) on TransLogic PTS stations, implementing segmentation or other access controls so that PTS components communicate only with the TransLogic central server (SCC), and deploying the provided Snort IDS rules to detect attempted exploits.

Lee Neely

2021-08-03

Hackers Exploited Exchange Flaws to Steal Data from Telecom Companies in Southeast Asia

Researchers from Cybereason have found that hacking groups with ties to China’s government exploited vulnerabilities in Microsoft Exchange to steal information from cellular network providers in southeast Asia.


2021-07-30

EU Regulators Fine Amazon Nearly $900 Million for GDPR Violations

Luxembourg’s National Data Protection Commission (CNPD) has fined Amazon €746 million ($886 million) for violations of the European Union’s General Data Protection Regulation (GDPR). The fine was disclosed in an Amazon filing with the US Securities and Exchange Commission (SEC).

Editor's Note

At core here is the use of personalization practices which tailor advertising related to a web service such as Amazon. If you’re providing a service that is personalized based on user activities, work closely with your legal team to not run afoul of GDPR or similar privacy legislation.

Lee Neely

That is almost a 3% hit on Amazon’s CY 2020 profits – or almost all the profit they made from the sales across the annual “Prime Day” event. To paraphrase an old saying: “A billion here, a billion here adds up to *real* money – protecting users’ privacy rights can meaningfully increase profit margins.”

John Pescatore

In addition to imposing the fine, the regulators mandated procedural changes. It should be noted that Amazon claims that the findings are "without merit" and says that it will appeal. What is significant is that "the game is afoot."

William Hugh Murray

2021-08-03

Police Accessed Western Australia’s COVID-19 Tracing App Data

An audit report regarding Western Australia’s SafeWA COVID-19 contact tracing app reveals that police accessed the app’s data and that the app itself contained security flaws. In the report, the Auditor-General of Western Australia expressed concern that the personal data the app collected were used for purposes other than contact tracing. Western Australia released the SafeWA app in November 2020.

Editor's Note

Understand the legislative controls regarding access to data you safeguard on behalf of others. Ensure that data you’ve collected for an identified purpose is only used as intended, particularly HIPAA and PII data which are provided with specifically identified consent or purpose. If you’re in a bind where a legal mandate is asking for access to your data, make sure that you’ve consulted with both your regulator and legal team before releasing it.

Lee Neely

The temptation for the police to abuse and misuse any data held by government is all but irresistible. In the US we have been doing contact tracing for more than 100 years with few reported cases of abuse. However, the potential for abuse interferes with the legitimate purpose of the data. People do not need much of an excuse not to cooperate.

William Hugh Murray

2021-07-30

Florida Medical Practice Data Breach

The Orlando Family Physicians medical practice has acknowledged a data breach that affects the protected health information (PHI) of nearly 450,000 people. In a notice of security incident, Orlando Family Physicians writes that “a recent phishing email incident … potentially resulted in unauthorized access to personal information of four employees’ email accounts.” The initial breach occurred in April 2021.

Editor's Note

Isolate the vulnerable applications of e-mail and browsing from mission critical applications and sensitive data.

William Hugh Murray

Internet Storm Center Tech Corner

Infected With a .reg File

https://isc.sans.edu/forums/diary/Infected+With+a+reg+File/27692/


Unsolicited DNS Queries

https://isc.sans.edu/forums/diary/Unsolicited+DNS+Queries/27694/


Changing BAT Files on the Fly

https://isc.sans.edu/forums/diary/Changing+BAT+Files+On+The+Fly/27700/


Excessive Exchange Permissions (Patched)

https://bugs.chromium.org/p/project-zero/issues/detail?id=2186


Empty NPM Package has Over 700,000 Downloads

https://www.bleepingcomputer.com/news/software/empty-npm-package-has-over-700-000-downloads-heres-why/


Node.JS July 2021 Security Releases

https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/


Malicious PyPi Packages

https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/


REvil / Darkside May be Back as Blackmatter

https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/


Blocking PetitPotam with netsh RPC Filters

https://twitter.com/gentilkiwi/status/1421949715986403329


Pneumatic Tube Vulnerabilities

https://www.blackhat.com/us-21/briefings/schedule/index.html#a-hole-in-the-tube-uncovering-vulnerabilities-in-critical-infrastructure-of-healthcare-facilities-23546