SANS NewsBites

Medtronic Recalls Insulin Pump Remote Controllers with Life Threatening Vulnerability; TSA to Raise Security Requirements for Railway and Aviation Operators; Prioritize Patching Apache HTTP Servers

October 8, 2021  |  Volume XXIII - Issue #79

Top of the News


2021-10-06

Medtronic Recalls Insulin Pump Remote Controllers Due to Cybersecurity Risks

Medtronic has recalled remote controllers for its MiniMed 508 and MiniMed Paradigm insulin pumps. The affected devices were distributed between August 1999 and July 2018. The remote controller devices are vulnerable to a capture-replay attack, which could be used to alter the level of insulin the pump dispenses.

Editor's Note

This vulnerability was discovered, and the initial limited recall announced, back in 2018. I hope the Medtronic Board of Directors, especially the members of the Medtronic Board’s Quality Committee, read the opening line of the FDA medical device recall announcement: “The FDA has identified this as a Class I recall, the most serious type of recall. Use of these devices may cause serious injuries or death.” While the attack path is not simple, avoiding life threatening vulnerabilities and the cost of product recalls should be pretty high on the Product Quality priority list but does not seem to have been.

John Pescatore

It is estimated that 31,000 devices need to be replaced. The balance between life-safety and security always comes down on the life-safety side. In the past, we’ve seen security flaws in medical devices which didn’t warrant this level of response; as exploitation of medical devices can be fatal, it is hoped that the threat of recalls like this will push suppliers to implement higher levels of security.

Lee Neely

My biggest fear with medical devices is not cyber attackers targeting and exploiting these vulnerabilities, but some random malware accidentally infecting and spreading through medical devices, causing unintended havoc and harm. In the military we called this “collateral damage.”

Lance Spitzner
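The Medtronic item above turns on a capture-replay weakness: a command that was legitimately sent once can be recorded and sent again. The following Python toy protocol is an added illustration written for this issue; it is not Medtronic's protocol or code, and the shared key, message layout and command strings are constructed assumptions. It contrasts a receiver that checks only message integrity with one that also demands freshness through a strictly increasing counter, which is the property a replayed capture cannot satisfy.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output length

# Constructed shared key for this toy protocol. A real device would provision a
# per-pairing secret; that is an assumption here, not the vendor's design.
SHARED_KEY = b"constructed-example-key-do-not-reuse"


def make_message(key: bytes, command: str, counter: int) -> bytes:
    """Controller side: command || 64-bit counter || HMAC over both."""
    body = command.encode("utf-8") + struct.pack(">Q", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def _verify(key: bytes, msg: bytes):
    """Return (command, counter) if the MAC is valid, else None."""
    if len(msg) < TAG_LEN + 8:
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    command = body[:-8].decode("utf-8")
    (counter,) = struct.unpack(">Q", body[-8:])
    return command, counter


class NaivePump:
    """Checks integrity only: a captured message stays valid forever."""

    def __init__(self, key: bytes):
        self.key = key
        self.accepted = []  # commands this receiver acted on

    def receive(self, msg: bytes) -> bool:
        parsed = _verify(self.key, msg)
        if parsed is None:
            return False
        self.accepted.append(parsed[0])
        return True


class FreshnessPump(NaivePump):
    """Also requires a strictly increasing counter, so a replay is rejected."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.last_counter = 0  # must survive power cycles in a real device

    def receive(self, msg: bytes) -> bool:
        parsed = _verify(self.key, msg)
        if parsed is None:
            return False
        command, counter = parsed
        if counter <= self.last_counter:
            return False  # already seen, or older than what we accepted: replay
        self.last_counter = counter
        self.accepted.append(command)
        return True


def simulate() -> dict:
    """One genuine command, recorded by a passive listener and replayed twice."""
    legit = make_message(SHARED_KEY, "BOLUS 2.0", counter=1)
    captured = bytes(legit)

    naive, fresh = NaivePump(SHARED_KEY), FreshnessPump(SHARED_KEY)
    for pump in (naive, fresh):
        pump.receive(legit)      # genuine send
        pump.receive(captured)   # replay 1
        pump.receive(captured)   # replay 2

    # A modified message fails the MAC on both receivers.
    tampered = captured[:-TAG_LEN] + bytes(TAG_LEN)
    return {
        "naive_doses": len(naive.accepted),
        "protected_doses": len(fresh.accepted),
        "tampered_accepted": naive.receive(tampered) or fresh.receive(tampered),
    }


if __name__ == "__main__":
    print(simulate())
```

A counter is the simplest freshness mechanism; a challenge-response nonce from the pump would remove the need to persist state but costs an extra radio round trip, which is the usual trade-off for battery-powered controllers.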

2021-10-07

DHS Says TSA Will Impose New Cybersecurity Requirements for “High-Risk” Railway and Aviation Operators

On Wednesday, October 6, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that the Transportation Security Administration (TSA) will introduce regulations aimed at improving the cybersecurity of critical railway and aviation operators. The regulations will require that the organizations name a chief cyber official, establish cyberattack recovery plans, and report cyber incidents to the government. The regulations are expected to take effect by the end of this calendar year.

Editor's Note

The plan requires three actions: (1) improve their cybersecurity processes, (2) identify a chief cyber official, and (3) inform the government when their network has been breached and have a draft cyber recovery plan on-hand to recover from the incident. While not obvious, incident reporting allows CISA/DHS to keep overall tabs on security across the nation, and setting that up will help foster the needed relationship if you need to call upon them for their resources or expertise.

Lee Neely

This is just an initial step – any railway and aviation operator that didn’t have a named CSO and an incident recovery plan in this day and age should fire their CEO and replace their Board of Directors. Regulatory push to make essential security hygiene a mandatory cost of doing business is needed across most of the critical infrastructure sectors.

John Pescatore

I really hope TSA takes the approach NIST does and works hard to (and provides the time for) community input, feedback and involvement.

Lance Spitzner

2021-10-06

Fixes Available for Apache HTTP Server Zero-Day

Apache has released a second update for its HTTP Web Server after an initial fix was deemed incomplete. Apache’s first fix for the path traversal vulnerability (CVE-2021-41773) was released in version 2.4.50 on Tuesday, October 5. Apache released version 2.4.51 on Thursday, October 7.

Editor's Note

In version 2.4.49, Apache re-wrote a large part of the code that validates URLs. The goal was to improve the speed of this code. Sadly, the rewrite missed some common URL issues like URL encoding. Luckily, the error was discovered quickly. I don't think this version of Apache made it into any Linux distributions. Note that the initial fix, Apache 2.4.50, was incomplete and you should now be running Apache 2.4.51. But do not worry if you are running an earlier version. Many Linux distributions will stick to a particular version and only back-port security fixes. 2.4.49 and 2.4.50 are the only vulnerable versions, and they were only "current" from September 15th to October 7th.

Johannes Ullrich

Be aware of the Apache server version your distribution supports when looking at the update. For example, RHEL 7 is based on Apache version 2.4.6 while RHEL 8 uses 2.4.37, and patches will be applied to those versions rather than providing version 2.4.51; this is documented in the distribution backporting policy. Use this information to verify that your vulnerability scanners aren’t providing a false positive on the patched version.

Lee Neely

This year seems to be the year of constant critical vulnerabilities and highlights that patching alone is insufficient for defenders to rely on for protection. A comprehensive vulnerability management program should be developed to determine how an organization can mitigate the impact of vulnerabilities while awaiting the application of patches or upgrades.

Brian Honan
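Two of the notes above lend themselves to a concrete check: the upstream-only exposure of 2.4.49 and 2.4.50 versus distributions that back-port the fix into an older version string, and the URL-encoding gap in the 2.4.49 path normalization that made CVE-2021-41773 a path traversal. The Python below is an added example for this issue, not code from Apache, SANS or any distribution. It decides whether a reported httpd version is one of the two upstream-vulnerable releases, checks a package changelog for the CVE identifier as the back-port signal Lee Neely describes, and scans access-log lines by percent-decoding the request path once and walking its dot segments to see whether it would leave the document root. The log lines and the changelog entry are constructed samples.

```python
import re
from urllib.parse import unquote

# Versions named in the editor's note as the only vulnerable upstream releases.
UPSTREAM_VULNERABLE = {(2, 4, 49), (2, 4, 50)}
CVE_ID = "CVE-2021-41773"  # identifier from the newsletter item


def parse_version(version: str) -> tuple:
    """'2.4.51' or 'Apache/2.4.37-39.el8 (Unix)' -> (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised httpd version: {version!r}")
    return tuple(int(x) for x in m.groups())


def upstream_vulnerable(version: str) -> bool:
    """True only for the two upstream releases that shipped the flawed code."""
    return parse_version(version) in UPSTREAM_VULNERABLE


def backport_fixed(changelog: str) -> bool:
    """Distros patch old versions in place; the package changelog records it.
    On RPM systems the text comes from `rpm -q --changelog httpd`."""
    return CVE_ID in changelog


def escapes_docroot(raw_path: str) -> bool:
    """Decode the path once (a single layer, as the server does) and resolve
    '..' segments; report True if the path climbs above the document root."""
    decoded = unquote(raw_path.split("?", 1)[0])
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def scan_access_log(lines) -> list:
    """Return the request paths in combined-format log lines that escape the root."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and escapes_docroot(m.group("path")):
            hits.append(m.group("path"))
    return hits


# Constructed access-log lines for illustration (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [06/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 403 199',
    '203.0.113.9 - - [06/Oct/2021:10:00:03 +0000] "GET /images/%2e%2e/styles/main.css HTTP/1.1" 200 42',
]

# Constructed changelog entry showing the shape of a back-port record; the
# packager, date and release string are placeholders, not a real package's history.
SAMPLE_CHANGELOG = """\
* Thu Oct 07 2021 Example Packager <packager@example.invalid> - 2.4.NN-EXAMPLE
- Resolves: CVE-2021-41773 (constructed entry for illustration)
"""


if __name__ == "__main__":
    for v in ("2.4.49", "2.4.51", "Apache/2.4.37-39.el8 (Unix)"):
        print(v, "upstream vulnerable:", upstream_vulnerable(v))
    print("backport recorded:", backport_fixed(SAMPLE_CHANGELOG))
    print("traversal attempts:", scan_access_log(SAMPLE_LOG))
```

The third sample line is the deliberate negative case: an encoded `..` that resolves to a path still inside the root, which a naive substring match on `%2e` would flag as a false positive while the depth walk correctly ignores it.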

The Rest of the Week's News


2021-10-07

New DOJ Initiative: US Government Contractors Can be Sued for Failing to Report Breaches

On Wednesday, October 6, US Deputy Attorney General Lisa Monaco announced the Justice Department’s Civil Cyber Fraud Initiative. Using the existing False Claims Act, the new initiative will allow the DoJ to sue federal contractors if they fail to report breaches or cyberattacks or if “they fail to follow required cybersecurity standards.” The False Claims Act includes a whistleblower provision.

Editor's Note

We have several decades of data that says lawsuits rarely result in enduring increases in security. I’d much rather see contractors and suppliers that commit fraud by not following required cybersecurity standards be suspended or barred from doing business with the federal government. The Federal Accounting Regulations already support doing so.

John Pescatore

Disclosure of breaches or incidents hits many companies square in the reputation risk soft spot. Part of disclosure must include an acceptable level of protection of that information. All of us with outsource, service or cloud contracts should verify they already include cyber provisions which include incident response and notification requirements as well as consequences for failure to report or meet information protection requirements. Verification that a provider is meeting required security standards is critical to ensuring your information is properly protected. That verification is not “one and done.” It needs to be updated regularly.

Lee Neely

2021-10-03

Pipeline Cybersecurity Rules Raise Concerns

In July 2021, the Transportation Security Administration (TSA) issued emergency pipeline cybersecurity rules. The cyberattack that shut down Colonial Pipeline for six days in May showed that voluntary cybersecurity guidelines for energy pipelines were insufficient. The new TSA rules were not released publicly. Through a Freedom of Information Act (FOIA) request, the Washington Post obtained a redacted copy of the rules issued and shared them with industrial cybersecurity experts. While some of the requirements, such as developing and testing incident response plans, met with positive reviews, some analysts expressed concern that the rules could actually hinder security. Implementation directions are vague in some areas and overly prescriptive in others. SANS Technical Director of ICS and SCADA programs Tim Conway noted that “There are a ton of lessons learned from almost two decades of experience in other critical infrastructure sectors,” and said the industry should be involved in developing requirements.

Editor's Note

Cyber guidelines are exactly that, guidelines, a baseline or minimum. Take the opportunity to use them to find gaps. If there are controls that don’t make sense or are unachievable, document that, and be prepared to defend that conclusion to your regulator or auditor. Leverage your relationships with peers facing the same standards to find workable mechanisms to not only meet the requirements, but also increase security as well as make the overall process easier.

Lee Neely

This appears heavily rushed with very little industry input. There is a wealth of knowledge in our community. By taking more time to gather that community feedback, not only does TSA create a far stronger framework, but it is also more likely to gain industry buy-in. NIST does a fantastic job doing this with their CFC process (Call For Comments) for NIST related frameworks and guidelines.

Lance Spitzner

2021-10-04

The Atlantic Council’s Maritime Cybersecurity Report

During 2020, cyberattacks against the Maritime Transportation System (MTS) increased by 400 percent in a matter of months. The US government released the National Maritime Cybersecurity Plan in December 2020 – more of a road map than an implementation guide. A report from the Atlantic Council offers 12 recommendations grouped into categories of First, Next, and Later.

Editor's Note

While fascinating, these types of increases in cyberattacks could probably apply to pretty much any industry that is heavily connected to and dependent on technology.

Lance Spitzner

Cybersecurity is essential to any network connected infrastructure. Yet such cautions and prescriptions continue to be necessary. Join and support the Surface Transportation ISAC.

William Hugh Murray

2021-10-07

FDA Issues Medical Device Vulnerability Notification Best Practices

The US Food and Drug Administration (FDA) has published best practices for notifying patients of cyber vulnerabilities in medical devices. The document “provides helpful information and elements for industry stakeholders, federal partners, and other interested stakeholders ... to consider when developing a cybersecurity communication strategy.” The elements include making the communication simple, timely, and relevant; acknowledging what is not known; and ensuring it is easy to find.

Editor's Note

We have repeatedly seen the need for concise, clear, understandable communication in the event of an incident. The guidance is intended to help develop a message non-technical users can understand and then take the needed action properly. Even with the best plan, users may still not read or understand what is expected; back up the message with a responsive contact center armed with simple guidance they can walk the users through.

Lee Neely

2021-10-05

SMS Routing Company Syniverse Discloses Breach in SEC Filing

Syniverse, a company that manages SMS routing for major US carriers, has disclosed that attackers had access to its databases for five years. In a filing with the US Securities and Exchange Commission (SEC), Syniverse wrote that “in May 2021, [they] became aware of unauthorized access to [their] operational and information technology systems by an unknown individual or organization.” An investigation revealed that the unauthorized access began in 2016.

Editor's Note

Syniverse, which processes messages for 300 carriers with a volume of about 740 billion messages/year, says they have fixed the identified vulnerabilities and are continuing to investigate the breach to determine if additional access paths exist. As their primary customer is the carriers rather than the customer whose messages are delivered, you will have to rely on your carrier for any notifications of impact or required follow-up actions.

Lee Neely

Yet another nail in the coffin of the use of SMS for security. Sadly, SMS replacement standards like RCS that would avoid relying on a "secure" forwarding network have never quite taken off.

Johannes Ullrich

This is a major breach that could have long term implications given the sheer volume of data and messages that could have been accessed in that time. It also highlights the importance of ensuring any sensitive communications should be done via end-to-end encrypted solutions and not rely solely on the security of the messaging infrastructure.

Brian Honan

2021-10-06

Disgruntled Former Employee Strikes Twice in a Row

A UK man sabotaged networks of two former employers in less than two months. After Adam Georgeson was fired from his position as an IT technician at a UK secondary school, he accessed the school’s network, wiped data and changed staff members’ passwords. Georgeson was arrested while working at a new job at an IT company. Shortly thereafter, Georgeson was fired from that job as well. He accessed the company’s network, changed passwords and modified the customer contact phone system. Georgeson has pleaded guilty to two cyber hacking offenses.

Editor's Note

Having an expedited access termination process for employees involuntarily separated is critical to preventing retaliatory actions like this. Verify that the process is comprehensive, particularly with outsourced or cloud services which may have external entry points. Also expire or lock any MFA tokens. If accounts are disabled rather than removed, make sure any access or attempted reactivation is closely monitored.

Lee Neely

School systems often have very small IT staffs, resulting in a concentration of privilege and independence from knowledgeable supervision. Business enterprises are more likely to have sufficient staff that new hires need not be given administrative privileges and be subject to knowledgeable supervision.

William Hugh Murray
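Lee Neely's note on this item recommends that accounts which are disabled rather than deleted at separation be watched for any access or attempted reactivation. The Python below is an added example for this issue, not code from the newsletter or from any identity product. It correlates a roster of involuntarily separated users (with the time their access should have ended) against a stream of audit events and raises an alert for every logon, re-enable, MFA enrolment or password reset that touches one of those accounts after the cut-off. The roster, the simplified JSON-lines event schema and the events themselves are constructed for the illustration.

```python
import json
from datetime import datetime

# Constructed roster: account -> moment access should have been terminated.
TERMINATED = {
    "jdoe": "2021-10-01T09:00:00+00:00",
}

# Event types that mean someone is using, or restoring, the account.
WATCHED_EVENTS = {"logon", "account_enabled", "mfa_device_registered", "password_reset"}

# Constructed audit events in a simplified JSON-lines form (assumed schema, not a
# real product's). Addresses are RFC 1918 / RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    '{"ts":"2021-10-01T08:55:00+00:00","event":"logon","user":"jdoe","outcome":"success","src":"10.0.0.5"}',
    '{"ts":"2021-10-01T09:30:00+00:00","event":"logon","user":"jdoe","outcome":"failure","src":"198.51.100.7"}',
    '{"ts":"2021-10-02T01:12:00+00:00","event":"account_enabled","user":"jdoe","actor":"svc-helpdesk"}',
    '{"ts":"2021-10-02T01:13:00+00:00","event":"logon","user":"jdoe","outcome":"success","src":"198.51.100.7"}',
    '{"ts":"2021-10-02T01:14:00+00:00","event":"mfa_device_registered","user":"jdoe"}',
    '{"ts":"2021-10-02T10:00:00+00:00","event":"logon","user":"asmith","outcome":"success","src":"10.0.0.9"}',
]


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps used by the sample events."""
    return datetime.fromisoformat(value)


def severity(event: dict) -> str:
    """A failed logon is a probe; a successful one, a re-enable, a new MFA
    device or a password reset means access is being restored or used."""
    if event["event"] == "logon":
        return "high" if event.get("outcome") == "success" else "medium"
    return "high"


def alerts_for(events, terminated) -> list:
    """Return one alert per watched event on a separated account after its cut-off."""
    alerts = []
    for line in events:
        ev = json.loads(line)
        user = ev.get("user")
        if user not in terminated or ev.get("event") not in WATCHED_EVENTS:
            continue
        if _ts(ev["ts"]) < _ts(terminated[user]):
            continue  # activity before separation is ordinary use, not retaliation
        alerts.append({
            "ts": ev["ts"],
            "user": user,
            "event": ev["event"],
            "severity": severity(ev),
            "detail": {k: v for k, v in ev.items() if k not in ("ts", "user", "event")},
        })
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS, TERMINATED):
        print(alert["severity"].upper(), alert["ts"], alert["user"], alert["event"], alert["detail"])
```

The `account_enabled` event carries the actor that re-enabled the account; in a real deployment that field is the first pivot for the responder, since a help-desk or service identity reactivating a separated user is itself a finding whether or not the logon that follows succeeds.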

2021-10-06

Critical Vulnerabilities in Honeywell Experion PKS and ACE Controllers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of three vulnerabilities affecting Honeywell Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE Controllers. The flaws include a critical unrestricted file upload vulnerability that has a CVSS score of 10.0; an improper neutralization of special elements in output vulnerability; and a relative path traversal vulnerability. The flaws could be exploited to remotely execute code, cause denial-of-service conditions, and allow attackers to access files and directories. Users are urged to patch as soon as possible.

Editor's Note

These are large industrial process controllers and as such access should be limited to authorized devices and services only. Make sure access is closely monitored to detect attempts to exploit the weakness. Start planning the outage to update the firmware now.

Lee Neely

Internet Storm Center Tech Corner

Looking Glass Sites

https://isc.sans.edu/forums/diary/Looking+Glasses+Debugging+Network+Connectivity+Issues/27904/


Who is Hunting For Your IPTV Set-Top Box?

https://isc.sans.edu/forums/diary/Who+Is+Hunting+For+Your+IPTV+SetTop+Box/27912/


Apache 2.4.49 Directory Traversal Vulnerability

https://isc.sans.edu/forums/diary/Apache+2449+Directory+Traversal+Vulnerability+CVE202141773/27908/

https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching


Another Update For Apache

https://httpd.apache.org


Facebook Postmortem

https://engineering.fb.com/2021/10/05/networking-traffic/outage-details/


Python Ransomware Targeting ESXi Server

https://www.sophos.com/en-us/press-office/press-releases/2021/10/sophos-researchers-uncover-new-python-ransomware-targeting-an-esxi-server-and-virtual-machines.aspx


Windows 11 Released

https://www.microsoft.com/security/blog/2021/10/04/windows-11-offers-chip-to-cloud-protection-to-meet-the-new-security-challenges-of-hybrid-work/

https://www.microsoft.com/en-us/download/details.aspx?id=55319


AT&T SIM Forensics

https://medium.com/telecom-expert/what-is-at-t-doing-at-1111340002-c418876c212c


Google Making Additional 2FA Push

https://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/


FontOnLake Rootkit

https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/


osquery 5 with macOS Endpoint Security

https://www.trailofbits.com/post/announcing-osquery-5-now-with-endpointsecurity-on-macos