HHS Provides Guidance for Reducing Risk of Unsupportable Systems; Exploits Detailed for Text Encoding Such as Unicode; Large Botnet Launching DDoS Attacks From China

OCR defines a “legacy” system as “an information system with one or more components that have been supplanted by newer technology and for which the manufacturer is no longer offering support.” I think they should just call them “unsupportable” systems to make the issue gain more traction. The OCR advice is solid for trying to reduce the risk of unsupportable systems, but many exist because much longer (often infinite) lifecycles were estimated for devices, software, and systems than is realistic when technology advances are shortening. Budgets and planning should be assuming shorter lifecycles – think cell phone replacement lifecycles, not refrigerator lifecycles.

John Pescatore

This bulletin also requires added mitigations and assessments of legacy systems. The concern is that your legacy system would not be able to protect ePHI at the same level as newer systems as they are not engineered to the current threat landscape. The bulletin includes a good list of mitigations for legacy systems to include upgrading to a newer/supported version where possible, segmentation/isolation, increased authentication strength, removing unneeded software and increased firewall rules with supporting monitoring. Even with those in place, expect pressure to replace legacy systems with newer versions to include cloud-based alternatives.

Lee Neely

“Reasonable and appropriate” is bureaucratic language intended to avoid accountability. Fortunately, healthcare covered entities now have more prescriptive language to guide them in securing their systems. For a targeted sector where breaches risk injury and death, the bar is very high. Recent events suggest that isolating clinical applications from those facing the public networks (e.g., e-mail and browsing) is urgent.

William Hugh Murray

It is often assumed that editors used to create and review code are simple "text editors." But even traditional editors like emacs and vi have support for Unicode. Modern languages like Swift have embraced Unicode to provide developers coding in languages other than English a better experience, and it is for example possible to use Unicode characters as variable names. This trend will make mitigating this vulnerability more difficult. On the other hand, this threat will mainly manifest itself if code is reviewed manually. For automated source code review tools, it should be trivial to detect abuses of this feature. In the end, I would consider this problem not relevant enough to worry much about it.

Johannes Ullrich

In short, the compiler reads code literally as stored, while the viewers for humans respect text-rendering commands such as formatting characters and Unicode Bidi overrides. Pay careful attention to where these characters are used in code, disallow them if unneeded. Compare raw and formatted output of source to discover unexpected differences. POC’s were developed in C, C++, C#, Python, JavaScript, Java, Rust and Go. Changes in compilers and source code repositories can also help to prevent this activity, but those will take a while to manifest themselves.

Lee Neely

Note that this botnet has been active since at least November 2019. Sadly, there are so many variants of different IoT botnets active, it is hard to even distinguish the different "brands." QiHoo 360 made its research public after a takedown attempt for this botnet. This botnet also focused on vulnerable systems inside China. The Pink botnet is also one of the few botnets to take advantage of DNS over HTTPS (DoH).

Johannes Ullrich

Operators were able to observe attempts to secure infected devices and take actions to reacquire them by also applying updates in real-time. Pink also leveraged DNS over HTTPS to obfuscate C2 host/address resolution activities.

Lee Neely

Identified critical infrastructure will be subject to more stringent cybersecurity standards, commensurate with risks associated with a critical rating. Without supporting funding and resources, for implementation and lifecycle, improvements are unlikely.

Lee Neely

It appears that the US government has identified so many industries as critical, and the term critical infrastructure is now so broad, that it is losing its value. CISA, backed by the Homeland Security Committee, are looking to up the game by redefining what is truly critical identified as “primary systemically important entities” so they can focus their most critical resources on those “entities” and ensure they have both the resources to succeed and the necessary motivation to act BEFORE being compromised.

Lance Spitzner

The most obvious examples are finance and the power grid. However, recent events in transportation and distribution suggest that everything is connected to everything else.

William Hugh Murray

Discovery of these vulnerabilities relies on SIPVicious PRO rather than the open source version of that tool. The open source version focuses on SIP while the PRO version targets real-time communication. Web Real-Time Communication (WebRTC) could be used to disconnect calls or otherwise causing a DOS condition. If you’re using FreeSWITCH, update to 1.10.7. If your switch is exposed to the Internet, investigate a SIP router or firewall to further protected it.

Lee Neely

Well done to all involved in this and it's great seeing the frequency of these operations and arrests increasing. A clear indication that law enforcement agencies are becoming more adept and sharing intelligence and cooperating in running operations.

Brian Honan

At core this requires the use of encryption to protect information and allow access to information only to those who need to access it. Be prepared to audit access rights and make sure you have no over-permissioned users as well as appropriate separation-of-duties. This also requires financial institutions to designate a person to oversee their information security program and report regularly to the board or a senior officer in charge of information protection.

Lee Neely