SANS NewsBites

FDIC Requires Banks to Report Incidents Within 36 Hours; Sky Broadband Finally Patches UK Routers; Tardigrade Malware Targets Biomanufacturing

November 23, 2021  |  Volume XXIII - Issue #92

Top of the News


2021-11-19

FDIC Rule for Banks to Report Breaches

The US Department of the Treasury's Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) have finalized cybersecurity incident notification requirements for banks. The new rule requires banks to report security incidents to the FDIC within 36 hours after detection. The rule defines a qualifying cybersecurity incident as an event that “results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The rule takes effect April 1, 2022, with full compliance extended until May 1, 2022.

Editor's Note

Some will be excited about this 36-hour disclosure timeline, but as an IR practitioner, I'm pretty sure it's not going to be a net positive. First, while it's obvious that hiding a breach is counter to the public's interest, it's not clear what a 36-hour timeline will do to protect customers that a five-day deadline won't. Second, every time I've seen accelerated disclosure timelines like this, there's a countering force where organizations try to thread the legal needle of what precisely constitutes an incident. The definition in this case is fairly comprehensive - so much so that it's hard to imagine what doesn't constitute a reporting requirement. Overly broad definitions like this don't serve the public interest. Instead, they provide a convenient excuse for organizations to interpret the rules to avoid "reporting every little thing."

Jake Williams

It’s interesting to see regulators outside of the EU adopt GDPR-type regulations, in particular with regard to mandatory reporting. However, I hope the FDIC will learn from some of the issues experienced when GDPR was first introduced by ensuring it has enough resources to deal with the volume of reports it will receive and that it gives clear guidance as to what determines a breach to be reportable. Finally, it is also critical that reported breaches are followed up to ensure the victim organisations investigate and remediate the breach properly and don’t simply treat the reporting requirement as a box-ticking exercise.

Brian Honan

There was a lot of squishy language (like “good faith estimate”) in the original wording that was eliminated in response to comments, a good thing. But the basic definition of a “notification incident” is still pretty broad. For example, outages caused by service provider downtime that would still not violate the service providers’ SLAs could be considered a “notification incident.” The other issue will be whether the Treasury agencies use all this data to proactively alert banking institutions of potential coming attacks or whether it is just a data collection effort.

John Pescatore

Work with your regulator to understand the final order as it gets refined and clarified over the next six months. Develop a clear understanding of what the notification criteria mean for your financial institution and be sure you know exactly with whom, and how, you are supposed to file the notification.

Lee Neely

2021-11-19

Sky Routers Patched 17 Months After Vulnerability Disclosure

Sky Broadband has rolled out a fix for a critical DNS rebinding vulnerability affecting six million Sky routers in the UK. The flaw could be exploited to access the router’s home network, change router configuration, and traverse the network to access other devices. The flaw was first disclosed to Sky in May 2020 and was initially set to be mitigated by November 2020. Sky says that as of October 22, 2021, 99 percent of affected routers have received the update.

Editor's Note

Consumers often have no choice but to wait for ISPs to apply patches to equipment supplied by the ISP. Having ISPs roll out patches *should* make things easier for users, but ISPs do need to perform and not leave users hanging with unpatched equipment.

Johannes Ullrich

This patch took entirely too long to implement, though it was a fairly complex attack not likely to be exploited en masse. That doesn't change the severity of the vulnerability though. Organizations setting clear timelines with researchers and researchers holding organizations to those timelines will keep everyone safer. I know Google Project Zero takes a lot of heat for its mandatory disclosure timelines, but that's what keeps bugs like this from going unpatched for more than a year.

Jake Williams

After you make sure that your router is updated (provided you didn’t replace it while waiting on this critical update), you’re going to want to check your systems for exploitation. Encourage Sky to come out with bug fixes in a more timely fashion.

Lee Neely

2021-11-22

Biomanufacturing ISAC Issues Advisory on Tardigrade Malware

The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has published an advisory describing malware that has been used to target biomanufacturing firms. Dubbed Tardigrade, the malware was first detected in the wake of a ransomware attack. It has the functionality of a trojan and uses sophisticated detection evasion techniques. Tardigrade is “actively spreading” in the biomanufacturing industry.

Editor's Note

This report is definitely interesting, but it should be noted that at the time of publication for this NewsBites there are significant questions about the BioISAC report in the CTI community. I haven't personally reviewed the sample yet, but have reviewed the BioISAC report and am working with people who have directly analyzed the sample. We'll publish more on this in the next NewsBites. If the story hadn't already gained major national media attention, we likely wouldn't have included it here given the questions about the original reporting.

Jake Williams

The Rest of the Week's News


2021-11-20

Server Problems Lock Some Tesla Owners Out of Their Vehicles

On Friday, November 19, Tesla owners around the world reported being unable to communicate with their vehicles using the Tesla app. For some Tesla owners, the app is their only method of unlocking their vehicles. Elon Musk said the problem was due to “accidentally increased verbosity of network traffic.”

Editor's Note

As our world becomes more and more reliant on the Internet and computers, I hope that manufacturers will recognize the need to implement manual backup.

Brian Honan

Musk reported that steps were taken to prevent recurrence. While on-line and electronic access to vehicles is really cool, make sure you have a plan B. If your Tesla has key fob support, make sure that you have a working fob as a backup; otherwise map out what you would do if you can no longer access or drive your vehicle. Be sure to test Plan B at least once.

Lee Neely

Handing your car keys to the "cloud" may not be a great idea when it rains “verbose network traffic.”

Johannes Ullrich

I’m not sure any Tesla models can only be unlocked via a mobile app to Tesla server connection, but if anyone has bought a vehicle that works that way, it’s hard to be sympathetic. I can pretty much guarantee the multiplication of (cell phone availability times Internet connection to server) times (server availability) times (server connection to car) results in an availability number way lower than most people need for getting into their car…

John Pescatore
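The availability arithmetic in the two notes above (a serial chain of dependencies, and the value of a plan B such as a key fob), worked through as an added example that is not part of the original newsletter. The per-link availability figures are constructed for illustration, not Tesla's real numbers.

```python
from math import prod

HOURS_PER_YEAR = 365 * 24


def series_availability(components):
    """Availability of a chain in which every link must be up at once.

    Independent links in series multiply, so the chain is always weaker
    than its weakest link.
    """
    return prod(components)


def parallel_availability(paths):
    """Availability when any one of several independent paths suffices.

    The system is down only if every path is down at the same time.
    """
    return 1 - prod(1 - a for a in paths)


def downtime_hours_per_year(availability):
    """Translate an availability fraction into expected hours down per year."""
    return (1 - availability) * HOURS_PER_YEAR


# Constructed, illustrative availabilities for each link of the app-unlock chain.
APP_CHAIN = {
    "phone has cellular or Wi-Fi": 0.99,
    "Internet path to vendor server": 0.995,
    "vendor server up": 0.999,
    "server-to-car link": 0.99,
}


def app_only():
    """Availability of unlocking when the app chain is the only way in."""
    return series_availability(APP_CHAIN.values())


def app_with_fob(fob_availability=0.999):
    """Availability when a physical fob (assumed 99.9%) is a parallel fallback."""
    return parallel_availability([app_only(), fob_availability])


if __name__ == "__main__":
    print(f"app only:     {app_only():.4%} -> {downtime_hours_per_year(app_only()):.0f} h/yr locked out")
    print(f"app plus fob: {app_with_fob():.4%} -> {downtime_hours_per_year(app_with_fob()):.1f} h/yr locked out")
```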

2021-11-19

FBI Flash Alert: FatPipe 0-Day is Being Actively Exploited

The FBI has issued a Flash Alert warning of an actively exploited 0-day in FatPipe WARP, MPVPN, and IPVPN Software. An unknown threat actor has been exploiting the flaw in FatPipe MPVPN networking devices since May 2021. The vulnerability allows the attacker to obtain a foothold and maintain a persistent presence in targeted systems. According to the TLP:White alert, “The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”

Editor's Note

Patch this before leaving for the long weekend if possible. This vulnerability is being exploited already (for a few months!). I know, this will not be easy for a device like a load balancer, but the alternatives aren't pretty. The vulnerability fits well into the ransomware actor playbook.

Johannes Ullrich

Make sure that you have rolled out the updates to your FatPipe WARP, MPVPN and IPVPN devices; disable UI and SSH access from the WAN interface; deploy the IOCs and verify you’re not seeing any malicious activity. If you find indicators of related activity, reach out to your local FBI office.

Lee Neely

2021-11-19

Some Healthcare Entities Delayed Patient Breach Notification

In the past several weeks, three US healthcare entities have exceeded the Health Insurance Portability and Accountability Act’s (HIPAA’s) 60-day patient breach notification requirement. None of the entities – Sea Mar Community Health Centers in Seattle; Lakeshore Bone and Joint Institute in Chesterton, Indiana; and Putnam County Memorial Hospital in Missouri – provided a reason for the delayed notification.

Editor's Note

While healthcare organizations are at the top of the list of cyber targets these days, the current environment has made it difficult for any company to be adequately staffed for the expected workload, let alone incident response. If reporting is delayed, be sure to document the contributing factors and be prepared to defend that in court.

Lee Neely

2021-11-22

Exchange Servers and Internal Reply-Chain Attacks

Attackers are exploiting Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities to conduct spam campaigns. The attacks hijack email chains and inject the spam messages in existing email threads.

Editor's Note

The first mitigation is to make sure your on-premises Exchange servers are fully patched. Make sure that your endpoint protection server solution is deployed to your servers (as opposed to the desktop version). Make sure the linked IOCs are incorporated into your SIEM. Look to see where moving to hosted Exchange servers is on your roadmap; then move it up the list.

Lee Neely

2021-11-22

Breach Compromised GoDaddy Managed WordPress Customer Data

In a November 22 filing with the Securities and Exchange Commission (SEC), GoDaddy disclosed “unauthorized third-party access to [its] Managed WordPress hosting environment.” The intruder used a compromised password to gain access to GoDaddy systems in early September. GoDaddy detected the problem on November 17. The incident exposed up to 1.2 million users’ email addresses and subscriber numbers; the admin password originally used to provision the subscribers’ WordPress instances; SFTP usernames and passwords; and, in some cases, SSL private keys. The account has been changed, passwords have been reset, SSL keys have been reprovisioned, and impacted users are being notified.

Editor's Note

Privileged accounts, particularly those used to configure multiple systems on behalf of others, need strong authentication which is replay resistant. If you must use a password, use the longest possible password the system supports; if possible, regenerate that password on a frequent basis. Consider configuring these accounts with added access control and active monitoring to provide visibility into unusual actions as well as to stop unauthorized inbound and outbound activities. If you are an impacted GoDaddy user, GoDaddy has changed your Admin, SFTP and DB passwords; you will need to change your admin password twice, once through password recovery and a second time through the admin users’ interface, to reset the ability to manage your site through the GoDaddy dashboard. Suggest having your users also reset their passwords. If your SSL certificate is impacted, a free Domain Validation SSL certificate with a one-year duration will be installed, which can be replaced at your leisure. Lastly, GoDaddy says to make sure you’re checking the health and security of your WordPress site, to consider a firewall, and to make sure your active plugins are auto-updated and unused ones are deleted. Additionally, make sure that you configure multi-factor access on your GoDaddy subscriber account.

Lee Neely

2021-11-22

Wind Turbine Firm Vestas Acknowledges Cyberattack

Danish wind turbine manufacturer Vestas Wind Systems was the victim of a cyberattack on Friday, November 19. The company shut down IT systems in multiple locations to prevent the effects of the attack from spreading. Vestas said that the attackers compromised data.

Editor's Note

Some customer data was exfiltrated, and the IT systems are being verified for integrity prior to restarting services. Despite the Biden Administration publishing guidance to leave critical systems alone, attackers continue to target them. When the details of this attack are published, it’ll be a good use case to compare your current security readiness against.

Lee Neely

2021-11-19

Utah Imaging Associates Discloses Data Security Breach

Cyber intruders had access to the network of Utah Imaging Associates for about a week earlier this year. The radiology center says the incident affected nearly 600,000 people. The compromised data include names, Social Security numbers, health insurance policy numbers, and medical diagnosis, treatment, and prescription information.

Editor's Note

This incident was discovered and remediated September 4th, 2021, the same day! Unfortunately, the initial intrusion started August 29th. Review which systems and services are exposed to the Internet, making sure critical systems are not on that list and that your backups are working and verified; make sure that you’re still conducting phishing exercises.

Lee Neely

Internet Storm Center Tech Corner

Simple YARA Rules for Office Maldocs

https://isc.sans.edu/forums/diary/Simple+YARA+Rules+for+Office+Maldocs/28062/


Hikvision Security Cameras Potentially Exposed to Remote Code Execution

https://isc.sans.edu/forums/diary/Hikvision+Security+Cameras+Potentially+Exposed+to+Remote+Code+Execution/28056/


Detecting PAM Backdoors

https://isc.sans.edu/forums/diary/Backdooring+PAM/28058/


PHP deserialize vulnerability in CloudLinux Imunify360

https://blog.talosintelligence.com/2021/11/vulnerability-spotlight-php-deserialize.html


CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory

https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/


Retailers Urged to Patch Magento

https://www.theregister.com/2021/11/22/ncsc_magento_updates_black_friday_reminder/


PoC of CVE-2021-42321: pop mspaint.exe on the target

https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398


BEC Via Exchange Flaws

https://www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html


Windows Priv. Escalation PoC

https://github.com/klinix5/InstallerFileTakeOver


Rusted Anchors: A National Client-Side View of Hidden Root CAs in the Web PKI Ecosystem

https://dl.acm.org/doi/pdf/10.1145/3460120.3484768