SANS NewsBites

US, UK, Australian Governments Warn of Attacks Targeting Healthcare and Transportation; Patch Those Netgear Products; GitHub Moves to 2FA for Maintainers and Admins in 2022

November 19, 2021  |  Volume XXIII - Issue #91

Top of the News


2021-11-17

US, UK, and Australia Warning About APT Activity

In a joint alert, law enforcement and cybersecurity agencies in the US, the UK, and Australia warn that cyberthreat actors with ties to Iran are targeting organizations in the healthcare and transportation sectors. The advanced persistent threat (APT) group is exploiting the ProxyShell vulnerabilities in Microsoft Exchange and vulnerabilities in Fortinet products.

Editor's Note

Review the mitigations in the bulletin irrespective of whether you see yourself as a target. Make sure that you’re keeping systems patched and updated. Take another look at allow/deny lists, particularly on servers which are purpose built to block the execution of unknown software. Make sure that you are always using MFA on privileged accounts and on any remotely accessible services.

Lee Neely

2021-11-18

Netgear Releases Updates to Fix RCE Flaw in Multiple Products

Netgear has released firmware updates to address a pre-authentication buffer overflow vulnerability that affects multiple products, including extenders, routers, DSL modem routers, AirCards, and cable modems. The flaw is in the Universal Plug and Play (UPnP) daemon, which accepts unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests.
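The item above is the whole of what the page says about the bug, so the following is an added example rather than code from Netgear, GRIMM or the advisory: a small checker that parses a raw UPnP GENA request and flags the two things a defender can act on, a SUBSCRIBE or UNSUBSCRIBE arriving from outside the LAN, and a GENA header value far longer than any legitimate client would send. The 256-byte ceiling, the 192.168.1.0/24 LAN prefix and the sample requests are all assumptions constructed for the example; the real limits inside Netgear's upnpd are not given on this page.

```python
"""Flag UPnP GENA SUBSCRIBE/UNSUBSCRIBE requests that warrant a closer look.

Added example, not from Netgear, GRIMM or the advisory. MAX_HEADER_VALUE and
LAN are assumed values; the sample requests below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_HEADER_VALUE = 256                          # assumed threshold, not from the advisory
GENA_METHODS = {"SUBSCRIBE", "UNSUBSCRIBE"}
GENA_HEADERS = ("CALLBACK", "NT", "SID", "TIMEOUT")
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed local subnet


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str]                     # header names upper-cased


def parse_request(raw: bytes) -> Optional[Request]:
    """Split an HTTP/1.1 request head into method, target and headers.

    Returns None when the request line does not have three space-separated parts.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")  # first colon only; URLs keep theirs
        if sep:
            headers[name.decode("latin-1").strip().upper()] = value.decode("latin-1").strip()
    return Request(parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers)


def inspect_gena(raw: bytes, src_ip: str, lan: ipaddress.IPv4Network = LAN) -> List[str]:
    """Return findings for one request; an empty list means nothing worth alerting on."""
    req = parse_request(raw)
    if req is None:
        return ["malformed request line"]
    if req.method not in GENA_METHODS:
        return []
    findings: List[str] = []
    # UPnP has no authentication of its own, so the only sensible control is
    # where the request came from: the daemon should never be reachable from the WAN.
    if ipaddress.ip_address(src_ip) not in lan:
        findings.append(f"{req.method} from {src_ip} outside LAN {lan}")
    # A header value far beyond any legitimate client's is the shape of an overflow attempt.
    for name in GENA_HEADERS:
        value = req.headers.get(name)
        if value is not None and len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name} header is {len(value)} bytes (limit {MAX_HEADER_VALUE})")
    return findings


# Constructed sample traffic: a normal LAN subscription and a WAN-sourced request
# whose CALLBACK header is padded far past any sane length.
BENIGN = b"".join([
    b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n",
    b"HOST: 192.168.1.1:5000\r\n",
    b"CALLBACK: <http://192.168.1.20:4000/notify>\r\n",
    b"NT: upnp:event\r\n",
    b"TIMEOUT: Second-1800\r\n",
    b"\r\n",
])
OVERSIZED = b"".join([
    b"SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\n",
    b"HOST: 192.168.1.1:5000\r\n",
    b"CALLBACK: <http://203.0.113.5/" + b"A" * 2000 + b">\r\n",
    b"NT: upnp:event\r\n",
    b"TIMEOUT: Second-1800\r\n",
    b"\r\n",
])

if __name__ == "__main__":
    for label, raw, src in (("benign", BENIGN, "192.168.1.20"),
                            ("oversized", OVERSIZED, "203.0.113.5")):
        print(label, inspect_gena(raw, src) or ["ok"])
```

The source-address check matters more than the length check: a router that answers SUBSCRIBE on its WAN interface is exposed to this class of bug regardless of the exact overflow, which is why the editors' advice is to disable UPnP where it is not needed.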

Editor's Note

As usual: Please update. Even if your router is not affected by this vulnerability: Double check if there is new firmware for it. It is so easy to miss an update. The UPNP protocol has had various issues over the years, and it should be disabled in your router if possible. It could be used to remove firewall rules, even if it works as designed.

Johannes Ullrich

UPnP allows applications to set up forwarding automatically, rather than manually configuring these on your router. Even so, consider disabling it if you don’t need it. If you don’t have an option to automatically update your firmware, make sure that your processes include monitoring for security updates and verification of their timely installation. Disable unneeded services. Verify you’re on the distribution lists for your vendor’s security notifications. Check with your vendor to verify you remain eligible for updates, which may include service contracts or active lifecycle management.

Lee Neely

2021-11-17

GitHub’s Commitment to npm Security

In a blog post, GitHub details two incidents involving the npm registry and its subsequent investigations. GitHub also writes that it will begin requiring two-factor authentication (2FA) for maintainers and admins of popular npm packages. The requirement will start rolling out in early 2022.

Editor's Note

Good steps by GitHub to mitigate some of the larger issues around npm. At this point, there have been just too many compromised npm packages. I like GitHub proactively scanning for malicious code. Now we will have to see if the scans are sufficient to make a difference.

Johannes Ullrich

Every movement away from reusable passwords is a good thing. Do your IT admins and other privileged user accounts still rely on reusable passwords for authentication?

John Pescatore

Active enforcement of mitigations, such as requiring strong authentication, versus providing it and waiting for users to maybe implement it, is a much stronger position to be in. Even if you’re not npm, you should ensure that 2FA is enabled for accounts updating your content.

Lee Neely

Opt-in to strong authentication leaves the balance between security and convenience to the end user. That is an appropriate default for many applications. As noted when this problem was first reported, this is not one of them.

William Hugh Murray

The Rest of the Week's News


2021-11-17

UK Government Guidance on Security Rules for Tech Mergers and Acquisitions

Section 3 of the UK’s National Security and Investment Act 2021 will give ministers the authority (and responsibility) to impose conditions on or even block technology mergers and acquisitions if there are national security issues involved. Technologies deemed relevant to national security include Artificial Intelligence, Computing Hardware, Cryptographic Authentication, and Data Infrastructure. The National Security and Investment Act takes effect in January 2022.

Editor's Note

Having controls on technology which impacts critical or sensitive processes and systems is important. When a product you’re using is merged or acquired, it’s a good idea to assess the new company to see if they remain in a supportive position. In government this is even more important. The intent of this legislation is good. The included categories are very broad, which could allow for challenges relating to applicability.

Lee Neely

2021-11-17

CISA Cybersecurity Playbooks for Federal Agencies

The US Cybersecurity and Infrastructure Security Agency (CISA) has published incident and vulnerability response handbooks for Federal Civilian Executive Branch (FCEB) agencies. CISA writes that the “playbooks provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks.”

Editor's Note

There is also a promise that future versions of these playbooks will be used outside FCEB agencies. The practices currently captured already have broad applicability beyond the intended audience and include areas such as incident response, detection & analysis to containment, eradication, and recovery. The playbooks do include CISA/DHS reporting requirements, which are less applicable to the private sector; you’ll want to map those to your regulators. Lastly, leverage CISA resources and consulting to help you verify you’re good to go. These services are covered by tax dollars and are free to businesses within the US.

Lee Neely

Having a playbook is a good first step. Like everything else, it requires practice. Ensure the correct people are briefed and trained as much as possible. The more you test and measure people and process, the more opportunities to improve before the real test.

Jorge Orchilles

2021-11-18

Microsoft Fixes Information Disclosure Vulnerability in Azure Active Directory

Microsoft has mitigated an information disclosure vulnerability in Azure Active Directory. The flaw was due to a misconfiguration issue that allowed private key data to be stored in clear text. Microsoft’s guidance lists its mitigations and suggested customer remediations for affected products and services.

Editor's Note

Check the notice for the specific technologies affected. If you’re using any of them, you need to follow the advice from MS to secure these credentials.

Lee Neely

2021-11-16

DHS Cybersecurity Talent Management System

The US Department of Homeland Security (DHS) has launched the Cybersecurity Talent Management System (CTMS), which was created to help the department “more effectively recruit, develop, and retain cybersecurity professionals.” People hired through CTMS will be part of the DHS Cybersecurity Service, which will protect critical infrastructure from cyber threats.

Editor's Note

A key success factor will be using market-based pay rather than the old government GS scale wage. DHS has around 1,500 cyber security vacancies, 1,000 of which fit into CTMS, and it is looking to hire 150 people in 2022.

Lee Neely

As a part-time government employee, infosec professional, and MBA, I've been amazed at how little the US Government (and much of industry, frankly) has done to try and attract top talent. The DoD figured this out years ago for medical professionals by instituting significant incentives above and beyond standard pay rates. Kudos to DHS for offering the same in infosec.

Christopher Elgee

2021-11-16

CISA Working Group on Space Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has formed a cross-sector working group to assess risks to federal and private space infrastructure. CISA’s main focus will be “mitigating cyber risks to position, navigation and timing (PNT) services and GPS.”

Editor's Note

The trick is there are not spare cycles on these systems to implement encryption or other hardening steps, and like OT, their lifecycle is measured in decades not years. It will likely take a phased approach, where replacement services are secure enough; the trick is funding that model as you can’t practically just land and re-launch existing infrastructure after modifications.

Lee Neely

Our acceptance, use of, and reliance on these services has exceeded our wildest expectations when they were introduced. They are so much a part of our daily lives that we are likely to notice them mostly in the breach. It should be obvious that the risks can only increase, perhaps exponentially, in proportion to our use and reliance; the issue is mitigating them.

William Hugh Murray

2021-11-16

Oversight Committee Finds ‘Small Lapses’ Led to Ransomware Attacks

A memo from the US House Oversight and Reform Committee summarizes findings gained from investigations into the ransomware attacks against Colonial Pipeline, JBS USA, and the CNA Financial Corporation. Each of the three companies paid a ransom, and in each case the attackers gained initial access to the company’s network through “minor security lapses,” such as a user account with a weak password or an employee downloading a phony browser update. The committee also says that “some companies lacked clear initial points of contact with the federal government,” impeding responses to the attacks.

Editor's Note

Rather than say "minor security lapses" I'd say "initial penetration was successful due to lapses in basic security hygiene which are easily preventable." Not to mention that "weak password" is an oxymoron.

John Pescatore

Don’t forget to verify the small things are also done, such as account disablement, active monitoring and response, clear incident POC information, not just on your web site and DR plans, but also with your regulator, or security sector. Leverage security.txt files to provide contact information. Consider a security@yourdomain email list, which you are parsing with your SIEM, not directly reading.

Lee Neely
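The security.txt file mentioned in the note above is the format standardized by RFC 9116, served at /.well-known/security.txt. As an added example (not code from the newsletter or its editors), the script below renders one and then checks the points that most often go wrong in practice: Contact and Expires are both required, Expires must be a single future ISO 8601 timestamp, the RFC recommends it be less than a year out, and Contact values should be mailto:, https:// or tel: URIs. The domain, addresses and dates are constructed for the example.

```python
"""Render and sanity-check a /.well-known/security.txt (RFC 9116).

Added example, not from the newsletter or its editors. The example.com
addresses, policy URL and dates are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def build_security_txt(contacts: List[str], expires: datetime,
                       extra: Optional[Dict[str, str]] = None) -> str:
    """Render security.txt text; extra holds optional fields such as Policy or Encryption."""
    lines = [f"Contact: {c}" for c in contacts]
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines.append(f"Expires: {stamp}")
    for name, value in (extra or {}).items():
        lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Collect field values by name; comments (#) and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    problems: List[str] = []
    fields = parse_security_txt(text)
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing {name}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires[:1]:
        try:
            # RFC 3339 allows a trailing Z; fromisoformat wants an explicit offset.
            exp = datetime.fromisoformat(value.replace("Z", "+00:00").replace("z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 datetime: {value}")
            continue
        if exp <= now:
            problems.append("file has expired")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact should be a mailto:, https:// or tel: URI: {value}")
    return problems


if __name__ == "__main__":
    # Constructed example: a valid file and one that has lapsed.
    now = datetime.now(timezone.utc)
    good = build_security_txt(["mailto:security@example.com"], now + timedelta(days=180),
                              {"Policy": "https://example.com/security-policy"})
    print(good)
    print("problems:", check_security_txt(good, now) or "none")
    stale = build_security_txt(["mailto:security@example.com"], now - timedelta(days=1))
    print("problems:", check_security_txt(stale, now))
```

An expired security.txt is worse than none, since a researcher who finds a stale file has no way to know whether the contact still works; running the check from a scheduled job and alerting well before the Expires date keeps the file from quietly lapsing.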

2021-11-16

Middle East Eye News Site Compromised in Watering Hole Attack

Researchers at ESET have detected a watering hole attack that targeted several websites, including the Middle East Eye news site. The campaign was active between March 2020 and August 2021. The attacks targeted specific site visitors. The campaign also targeted government websites in Yemen, Syria, and Iran, and an Italian aerospace company.

Internet Storm Center Tech Corner

Emotet Returns

https://isc.sans.edu/forums/diary/Emotet+Returns/28044/


JavaScript Downloader Delivers Agent Tesla Trojan

https://isc.sans.edu/forums/diary/JavaScript+Downloader+Delivers+Agent+Tesla+Trojan/28050/


GitHub Improves npm Security

https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/


Exposed Firefox cookies.sqlite Databases

https://www.theregister.com/2021/11/18/firefox_cookies_github/


Intel CPU Debug Vulnerability

https://www.ptsecurity.com/ww-en/about/news/positive-technologies-discovers-vulnerability-in-intel-processors-used-in-laptops-cars-and-other-devices/

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html


FBI Warns of Fatpipe VPN Exploits

https://www.ic3.gov/Media/News/2021/211117-2.pdf


Home Router Vulnerability Listing

https://modemly.com/m1/pulse


DDS Protocol Implementation Vulnerabilities

https://us-cert.cisa.gov/ics/advisories/icsa-21-315-02


Siemens TCP/IP Flaws

https://www.forescout.com/blog/new-critical-vulnerabilities-found-on-nucleus-tcp-ip-stack/


Netgear UPNP Stack Based Buffer Overflow

https://blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html