SANS NewsBites

HHS Provides Guidance for Reducing Risk of Unsupportable Systems; Exploits Detailed for Text Encoding Such as Unicode; Large Botnet Launching DDoS Attacks From China

November 2, 2021  |  Volume XXIII - Issue #86

Top of the News


2021-11-01

HHS OCR Bulletin: Address Security for Legacy Systems

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published a bulletin that urges healthcare organizations to manage the security risk of legacy systems. The Health Insurance Portability and Accountability Act (HIPAA) “requires covered entities and their business associates to implement safeguards that reasonably and appropriately secure the electronic protected health information (ePHI) that these organizations create, receive, maintain, or transmit.”

Editor's Note

OCR defines a “legacy” system as “an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support.” I think they should just call them “unsupportable” systems to make the issue gain more traction. The OCR advice is solid for trying to reduce the risk of unsupportable systems, but many exist because much longer (often infinite) lifecycles were estimated for devices, software, and systems than is realistic when technology advances are shortening. Budgets and planning should be assuming shorter lifecycles – think cell phone replacement lifecycles, not refrigerator lifecycles.

John Pescatore

This bulletin also requires added mitigations and assessments of legacy systems. The concern is that your legacy system would not be able to protect ePHI at the same level as newer systems as they are not engineered to the current threat landscape. The bulletin includes a good list of mitigations for legacy systems to include upgrading to a newer/supported version where possible, segmentation/isolation, increased authentication strength, removing unneeded software and increased firewall rules with supporting monitoring. Even with those in place, expect pressure to replace legacy systems with newer versions to include cloud-based alternatives.

Lee Neely

“Reasonable and appropriate” is bureaucratic language intended to avoid accountability. Fortunately, healthcare covered entities now have more prescriptive language to guide them in securing their systems. For a targeted sector where breaches risk injury and death, the bar is very high. Recent events suggest that isolating clinical applications from those facing the public networks (e.g., e-mail and browsing) is urgent.

William Hugh Murray

2021-11-01

Trojan Source Attack Exploits

Researchers from the University of Cambridge “have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.” Dubbed Trojan Source, the “attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers.”

Editor's Note

It is often assumed that editors used to create and review code are simple "text editors." But even traditional editors like emacs and vi have support for Unicode. Modern languages like Swift have embraced Unicode to provide developers coding in languages other than English a better experience, and it is for example possible to use Unicode characters as variable names. This trend will make mitigating this vulnerability more difficult. On the other hand, this threat will mainly manifest itself if code is reviewed manually. For automated source code review tools, it should be trivial to detect abuses of this feature. In the end, I would consider this problem not relevant enough to worry much about it.

Johannes Ullrich

In short, the compiler reads code literally as stored, while the viewers for humans respect text-rendering commands such as formatting characters and Unicode Bidi overrides. Pay careful attention to where these characters are used in code; disallow them if they are not needed. Compare raw and formatted output of source to discover unexpected differences. POCs were developed in C, C++, C#, Python, JavaScript, Java, Rust and Go. Changes in compilers and source code repositories can also help to prevent this activity, but those will take a while to manifest themselves.

Lee Neely
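The checks recommended above, disallowing Bidi control characters where they are not needed and comparing raw with formatted source, can be automated. The following is an added example, not code from the newsletter or from the Trojan Source paper; the code point table, the function names and the constructed sample inputs are assumptions of this example. It reports the Unicode Bidi override, embedding and isolate controls by line and column, offers a broader check for any invisible format (Cf) character, and strips the controls so the logical order the compiler tokenises can be diffed against what an editor displays.

```python
"""Scan source text for Unicode Bidi override characters (Trojan Source check).

Added example, not code from the SANS newsletter or the Trojan Source paper.
It reports the Bidi formatting code points that can make rendered source
differ from the token order a compiler sees, and strips them so the raw
logical order can be compared with what an editor displays.
"""
import unicodedata

# Unicode bidirectional embedding, override and isolate controls plus their
# terminators. All are general category Cf (format) and render invisibly.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# U+FEFF at the very start of a file is a byte-order mark, not a concern.
BOM = "\ufeff"


def find_bidi_controls(text):
    """Return a list of (line_no, column, name) for every Bidi control in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((line_no, col, BIDI_CONTROLS[ch]))
    return findings


def find_format_chars(text):
    """Broader check: every character whose Unicode category is Cf (format).

    This also catches zero-width spaces/joiners and similar invisible code
    points that are not Bidi controls but can still hide inside identifiers
    or string literals. A leading BOM is ignored.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if line_no == 1 and col == 1 and ch == BOM:
                continue
            if unicodedata.category(ch) == "Cf":
                findings.append((line_no, col, "U+%04X" % ord(ch)))
    return findings


def strip_bidi_controls(text):
    """Return text with all Bidi controls removed.

    Diffing the result against the original is the "compare raw and formatted
    output" step: any line that changes is one whose displayed order could
    have differed from its logical order.
    """
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def scan_file(path):
    """Scan one source file on disk and return its Bidi findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample input: a short function with a single RLO override placed
# inside a comment so the detector has something to find. The sample's own
# logic is unaffected by it.
SAMPLE = (
    "def check(level):\n"
    "    # constructed sample: an RLO character follows here \u202e\n"
    "    return level > 3\n"
)

# Constructed sample containing only a zero-width space (U+200B), which the
# narrow Bidi check ignores but the broader Cf check reports.
SAMPLE_ZWSP = "total = 1\u200b0\n"


if __name__ == "__main__":
    for line_no, col, name in find_bidi_controls(SAMPLE):
        print("line %d col %d: %s" % (line_no, col, name))
    removed = len(SAMPLE) - len(strip_bidi_controls(SAMPLE))
    print("Bidi controls removed:", removed)
```

To use it across a code base, call scan_file on each source file (for example from a pre-commit hook or a CI step) and fail the check when any finding is returned; comments and string literals deserve the same scrutiny as code, since that is where invisible characters are least likely to break the build.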

2021-11-01

Pink Botnet

Researchers from Qihoo 360’s Netlab have released information about what they are calling the largest botnet to be discovered in the wild in the past six years. Pink, as the researchers have dubbed it, comprises more than 1.6 million infected devices, most of which are in China. Pink’s main activity is launching distributed denial-of-service (DDoS) attacks and injecting ads into websites.

Editor's Note

Note that this botnet has been active since at least November 2019. Sadly, there are so many variants of different IoT botnets active, it is hard to even distinguish the different "brands." Qihoo 360 made its research public after a takedown attempt for this botnet. This botnet also focused on vulnerable systems inside China. The Pink botnet is also one of the few botnets to take advantage of DNS over HTTPS (DoH).

Johannes Ullrich

Operators were able to observe attempts to secure infected devices and take actions to reacquire them by also applying updates in real-time. Pink also leveraged DNS over HTTPS to obfuscate C2 host/address resolution activities.

Lee Neely

The Rest of the Week's News


2021-11-01

CISA Identifying Crucial Critical Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has begun identifying elements of the country’s critical infrastructure that could cause cascading failures if they experience cyberattacks. The idea is to bolster protection for these “primary systemically important entities” to protect them from cyberattacks and other disruptions.

Editor's Note

Identified critical infrastructure will be subject to more stringent cybersecurity standards, commensurate with the risks associated with a critical rating. Without supporting funding and resources for implementation and lifecycle, improvements are unlikely.

Lee Neely

It appears that the US government has identified so many industries as critical, and the term critical infrastructure is now so broad, that it is losing its value. CISA, backed by the Homeland Security Committee, is looking to up the game by redefining what is truly critical, identified as “primary systemically important entities,” so they can focus their most critical resources on those “entities” and ensure they have both the resources to succeed and the necessary motivation to act BEFORE being compromised.

Lance Spitzner

The most obvious examples are finance and the power grid. However, recent events in transportation and distribution suggest that everything is connected to everything else.

William Hugh Murray

2021-11-01

FreeSWITCH Vulnerabilities

Researchers have detected five vulnerabilities in the FreeSWITCH telecommunications stack software. The flaws include authentication issues, information leakage, and susceptibility to denial-of-service. The issues have been addressed in FreeSWITCH 1.10.7, which was released on October 25.

Editor's Note

Discovery of these vulnerabilities relies on SIPVicious PRO rather than the open source version of that tool. The open source version focuses on SIP while the PRO version targets real-time communication. Web Real-Time Communication (WebRTC) could be used to disconnect calls or otherwise cause a DoS condition. If you’re using FreeSWITCH, update to 1.10.7. If your switch is exposed to the Internet, investigate a SIP router or firewall to further protect it.

Lee Neely

2021-10-30

12 Arrested in Connection with Ransomware Attacks

Law enforcement officials in Ukraine and Switzerland have arrested 12 individuals believed to be involved in ransomware attacks that targeted critical infrastructure and large organizations. The arrests are the result of a cooperative effort involving law enforcement agents from eight countries as well as Europol and Eurojust.

Editor's Note

Well done to all involved in this; it's great seeing the frequency of these operations and arrests increasing. This is a clear indication that law enforcement agencies are becoming more adept at sharing intelligence and cooperating in running operations.

Brian Honan

2021-10-28

FTC Consumer Financial Data Protection Rules

The US Federal Trade Commission is proposing to update rules requiring financial institutions to report security incidents affecting customer data within 30 days of detection. The FTC is accepting comments on its proposal for amending the Standards for Safeguarding Customer Information rule. The FTC has also “updated [a] rule that strengthens the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.”

Editor's Note

At its core, this requires the use of encryption to protect information and allowing access to information only to those who need it. Be prepared to audit access rights and make sure you have no over-permissioned users as well as appropriate separation of duties. This also requires financial institutions to designate a person to oversee their information security program and report regularly to the board or a senior officer in charge of information protection.

Lee Neely

2021-11-01

Toronto Transit System Hit with Ransomware Attack

A ransomware attack disrupted the Toronto Transit Commission’s network late last week. The incident was detected on Friday, October 29. The attack escalated over the weekend; it affected online systems used for vehicle operator communications, online booking, internal email and other services. The Ann Arbor (Michigan) Area Transportation Authority reported a system disruption last week.


2021-11-01

Cyberattack Affects Some Healthcare Networks in Canadian Province

A cyberattack on October 30 shut down the networks of health systems in the Canadian province of Newfoundland and Labrador. The incident also affected communications; residents reported being unable to place phone calls to health centers or 911.

Internet Storm Center Tech Corner

Remote Desktop Protocol RDP Discovery

https://isc.sans.edu/forums/diary/Remote+Desktop+Protocol+RDP+Discovery/27984/


Sysmon Update

https://isc.sans.edu/forums/diary/Sysinternals+Autoruns+and+Sysmon+updates/27986/


Trojan Source: Invisible Vulnerabilities

https://www.trojansource.codes/trojan-source.pdf


Kaspersky Lost Amazon Simple Email Service Token

https://support.kaspersky.com/general/vulnerability.aspx?el=12430#01112021_phishing


Detecting HTTP Header Smuggling Vulnerabilities

https://www.darkreading.com/application-security/free-tool-scans-web-servers-for-vulnerability-to-http-header-smuggling-attacks


Google Chrome Updates

https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html


AbstractEmu Malware Roots Android

https://blog.lookout.com/lookout-discovers-global-rooting-malware-campaign


Microsoft Defender For Endpoint Web Content Filtering

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/web-content-filtering-now-generally-available-on-windows/ba-p/2893357