SANS NewsBites

Put Detections in Place Until Microsoft Fully Fixes Windows Installer Flaw; Health-ISAC Says Improve Identity Security; UK Law Would Establish Minimum Essential IoT Security Requirements

November 30, 2021  |  Volume XXIII - Issue #93

Top of the News


2021-11-26

Windows Installer Flaw is Being Actively Exploited

Attackers are actively exploiting an inadequately patched flaw in Microsoft Windows Installer to gain administrative rights on vulnerable systems. Microsoft released a fix for the medium-severity privilege elevation flaw in the November Patch Tuesday release, but the researcher who originally reported it has since found a more serious variant that bypasses that patch. The vulnerability affects all versions of Windows.

Editor's Note

Not much you can do about this right now. But remember that this is “just” a privilege escalation flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few being exploited for which no patch is available.

Johannes Ullrich

This is a great example of where vulnerability management and purple teams will provide value added to the organization. The VM team should be on top of situations like this where a patch doesn't completely remediate the vulnerability. The purple team should be ready to assist in crafting detections that align with the organization's telemetry. For those with neither team, know that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat actor who already has gained execution on the system. It also poses increased risks for insider threats who might seek to elevate their privileges.

Jake Williams

The flaw allows for privilege escalation using an existing account. While the long-term fix is another update from Microsoft, in the short term you can leverage the Snort rule SIDs 5865 and 58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free Community Ruleset.

Lee Neely

Pen testers: it's good to exploit these types of flaws, but do consider what your recommendation is beyond, “Implement patch when available.” What detections can you recommend? What possible follow-on actions might defenders look for? Are there other compensating controls (specific to their environment) that can lessen the frequency or severity of privilege escalation vulnerabilities like this one?

Christopher Elgee
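
One detection shape a purple team could start from, added here as an example that is not part of this issue and not tied to the Installer flaw's internals (which the issue does not describe): a lineage check over process-creation telemetry that flags an elevated process descending from a standard user's process with no trusted elevation broker in between. That is the shape of any successful local privilege escalation, whatever bug produced it. The event records, the broker list and the image names are constructed.

```python
"""Lineage-based privilege-escalation heuristic over process-creation telemetry.

Added example, not code from the NewsBites issue or from the researcher who
found the Windows Installer flaw. Generic LPE detection: flag any process
running as SYSTEM or at High integrity whose ancestry reaches a standard-user
process without passing through a trusted elevation broker. Telemetry and the
broker list are constructed.
"""
from dataclasses import dataclass

SYSTEM = "NT AUTHORITY\\SYSTEM"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str       # executable name only, for brevity
    user: str        # token owner, e.g. "CORP\\alice" or SYSTEM
    integrity: str   # "Low", "Medium", "High", "System"


# Assumption: these images legitimately start elevated children (service
# control manager, logon, UAC consent). Tune the list to your environment.
TRUSTED_BROKERS = {"services.exe", "wininit.exe", "winlogon.exe", "consent.exe"}
ELEVATED_LEVELS = {"High", "System"}


def find_suspicious_elevations(events, admin_users=frozenset()):
    """Return (elevated_proc, first_unprivileged_ancestor) pairs.

    A hit means an elevated process descends from a process owned by a
    non-admin user with no trusted broker in between. Users in admin_users
    are allowed to elevate (their UAC prompts would otherwise fire here too).
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for proc in events:
        if proc.integrity not in ELEVATED_LEVELS and proc.user != SYSTEM:
            continue
        seen = set()                                   # guard against pid reuse loops
        ancestor = by_pid.get(proc.ppid)
        while ancestor is not None and ancestor.pid not in seen:
            seen.add(ancestor.pid)
            if ancestor.image.lower() in TRUSTED_BROKERS:
                break                                  # legitimately brokered
            if ancestor.user != SYSTEM and ancestor.user not in admin_users:
                hits.append((proc, ancestor))          # user chain -> elevated child
                break
            ancestor = by_pid.get(ancestor.ppid)
    return hits


# Constructed telemetry: a normal service chain plus one SYSTEM shell that
# appears under a standard user's installer client.
EVENTS = [
    ProcEvent(4, 0, "System", SYSTEM, "System"),
    ProcEvent(600, 4, "wininit.exe", SYSTEM, "System"),
    ProcEvent(700, 600, "services.exe", SYSTEM, "System"),
    ProcEvent(900, 700, "svchost.exe", SYSTEM, "System"),            # brokered, benign
    ProcEvent(1000, 600, "winlogon.exe", SYSTEM, "System"),
    ProcEvent(2000, 1000, "explorer.exe", "CORP\\alice", "Medium"),
    ProcEvent(2100, 2000, "msiexec.exe", "CORP\\alice", "Medium"),   # user-side client
    ProcEvent(2200, 2100, "cmd.exe", SYSTEM, "System"),              # SYSTEM shell under alice: hit
    ProcEvent(2300, 2000, "powershell.exe", "CORP\\alice", "Medium"),
]


def describe(hits):
    """Human-readable alert lines for the pairs returned above."""
    return [f"pid {p.pid} ({p.image}, {p.user}) descends from pid {a.pid} ({a.image}, {a.user})"
            for p, a in hits]


if __name__ == "__main__":
    for line in describe(find_suspicious_elevations(EVENTS)):
        print("ALERT:", line)
```

Two caveats before wiring this into real telemetry: elevations brokered by a service show up as children of services.exe, not of the user's process, so ancestry alone will miss them and you need to correlate on the initiating user's logon session or on the file writes that precede the elevated start; and the broker and admin lists are the whole false-positive budget, so build them from your own baseline rather than the constructed ones here.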

2021-11-29

Health-ISAC Guidance on Identity-Centric Approach to Cybersecurity

New guidance from the Health Information Sharing and Analysis Center (Health-ISAC) lays out an identity-centric approach to cybersecurity to help health care organizations comply with 21st Century Cures Act requirements without introducing vulnerabilities. The 21st Century Cures Act requires healthcare organizations to expose new APIs built on the Fast Healthcare Interoperability Resources (FHIR) standard to enable interoperability of electronic health data. Recent research has shown that the FHIR API ecosystem raises security concerns of its own.

Editor's Note

Exposing these systems directly to patients requires strong identity management practices, as outlined in the guidance. While MFA is optional, there are risks to not implementing it: think HIPAA violations and associated penalties. Prepare to federate authentication by leveraging OAuth and OpenID Connect, monitor your API use, respond to anomalous activity.

Lee Neely
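
An added example, not code from the Health-ISAC guidance or from any FHIR server, of the controls the note above calls for: verify the OAuth/OIDC-issued bearer token before serving a FHIR resource, enforce a patient-bound scope, and record every decision so API monitoring has something to work from. For self-containment it assumes HS256 JWTs signed with a shared key (a production resource server would instead validate the identity provider's RS256/ES256 signature against its JWKS), the audience string https://fhir.example.org, and SMART-on-FHIR style scope strings such as patient/Observation.read; those, and the sample claims, are assumptions.

```python
"""Token-gated access check for a patient-facing FHIR API.

Added example, not from the Health-ISAC guidance or any FHIR implementation.
Assumptions: HS256-signed JWTs with a shared key, the audience below, and
SMART-style scopes of the form patient/<ResourceType>.<read|write|*>.
"""
import base64
import hashlib
import hmac
import json
import time

AUDIENCE = "https://fhir.example.org"     # assumed resource-server identifier
AUDIT_LOG = []                            # decision records for API monitoring


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the identity provider."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims or raise PermissionError. The algorithm is pinned, so
    an attacker-supplied "alg": "none" header is rejected before anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:                    # a token without exp is rejected
        raise PermissionError("expired")
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong audience")
    return claims


def scope_allows(scopes: str, resource_type: str, method: str) -> bool:
    """Assumed SMART-style scope syntax: patient/<Type>.<read|write|*>."""
    action = "read" if method == "GET" else "write"
    wanted = {f"patient/{resource_type}.{action}", f"patient/{resource_type}.*",
              f"patient/*.{action}", "patient/*.*"}
    return bool(wanted & set(scopes.split()))


def handle_request(token: str, key: bytes, method: str, resource_type: str,
                   patient_id: str, now=None):
    """Return (http_status, reason) for a request on /<resource_type>?patient=<id>."""
    try:
        claims = verify_token(token, key, now)
    except PermissionError as exc:
        AUDIT_LOG.append({"sub": None, "status": 401, "reason": str(exc)})
        return 401, str(exc)
    if not scope_allows(claims.get("scope", ""), resource_type, method):
        reason = "insufficient scope"
    elif claims.get("patient") != patient_id:
        reason = "token not bound to requested patient"   # blocks cross-patient reads
    else:
        reason = "ok"
    status = 200 if reason == "ok" else 403
    AUDIT_LOG.append({"sub": claims.get("sub"), "status": status, "reason": reason,
                      "resource": resource_type, "patient": patient_id})
    return status, reason


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = mint_token({"sub": "alice", "aud": AUDIENCE, "patient": "123",
                      "scope": "patient/Observation.read", "exp": time.time() + 600}, key)
    print(handle_request(tok, key, "GET", "Observation", "123"))
    print(handle_request(tok, key, "GET", "Observation", "999"))
    print(handle_request(tok, key, "POST", "Observation", "123"))
    print(AUDIT_LOG)
```

The patient-binding check is the one that matters most once these APIs face patients directly: a valid token with a valid scope still must not read another patient's record. Feeding AUDIT_LOG to whatever watches API use is what turns "monitor your API use" into something that can actually raise an alert on a burst of 403s from one subject.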

Back in the early 2000's, the firewall was a mark of the rise of infosec. Firewalls separated friends from enemies – and weak defenders from strong. Now that “identity is the new perimeter,” secure, easy-to-use identity solutions are becoming a new mark. As traditional username:password continues to disappoint, what technology will fit your organization well?

Christopher Elgee

In an attempt to avoid being overly prescriptive, HIPAA required covered entities to do risk assessments that they were poorly equipped to do. One effect was to retard the adoption of electronic health records by a generation.

William Hugh Murray

2021-11-25

Proposed UK Legislation Aims to Improve IoT Device Security

Proposed legislation in the UK would establish mandatory security standards for Internet of Things (IoT) devices. The Product Security and Telecommunications Infrastructure Bill would apply to IoT manufacturers, importers, and distributors. The bill would let “the government … ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.”

Editor's Note

It's easy to joke about the limited impact of eliminating universal default passwords, but the impact is substantial. Just last week NewsBites reported on a DNS rebinding vulnerability in Sky routers that allowed full device takeover. But this was only possible because of universal default passwords. I'm also excited about the prospect of increasing transparency, but that's much harder to measure and only time will tell how this is implemented.

Jake Williams

A number of governments have put forward initiatives to make it easier for consumers to recognize secure devices. This is the first one I am aware of that spells out mandatory requirements to be allowed to sell devices. I like the idea to put the responsibility at the manufacturer instead of the consumer. It is no longer the consumer failing to change default passwords, but it calls manufacturers out for delivering devices with common default passwords. My wishlist for IoT security also includes well-defined "end of support" dates.

Johannes Ullrich

While the legislation is likely to be modified before final passage, imposing fines for non-compliance with security standards should help motivate vendors to meet the required minimums. What is needed is equivalent standards in multiple countries to raise the bar across the board.

Lee Neely

This is a small but important step forward. These few requirements will not make IoT fully secure but they establish an important floor, kind of like restaurants being required to at least have working refrigerators and rodent control systems or they can be shut down. Doesn’t mean the food can’t still be poisonous but people are still safer for it.

John Pescatore

The Rest of the Week's News


2021-11-26

Problematic Patch Impacts Microsoft Defender for Endpoint

A buggy patch has caused problems for Microsoft Defender for Endpoint on some Windows Server devices. Users running Windows Server 2019 devices with update KB5007206 or later and Windows Server 2022 devices with update KB5007205 or later installed have reported that Microsoft Defender for Endpoint will not launch.

Editor's Note

Good News/Bad News: The Good News is this doesn’t impact desktop or other non-server Windows distributions; the Bad News is the problematic patch only affects Windows Server systems running the Windows Defender service. If you’re using a different endpoint protection service, you’re not impacted. Note that if you are using Windows Server versions for desktop virtualization, such as AWS Workspaces, you should make sure you’ve got another endpoint protection service running.

Lee Neely

2021-11-23

UK Ministry of Justice Disables Poorly Protected ICS Wi-Fi Access Points

The UK’s Ministry of Justice has disabled several Wi-Fi access points that were inadequately secured. The access points could have been used to gain access to industrial control systems (ICS) that manage boiler pumps in the Royal Courts of Justice. The access points did not require passwords and led to an ICS login page. The Ministry of Justice was alerted to the problem by British tech news website The Register.

Editor's Note

I want to be surprised, but I can't be. This sounds like it is really part of a building management network, a specific type of ICS. Unfortunately, in most cases building management networks are installed and configured by vendors and maintained by staff that are more comfortable with a wrench than a command prompt. It is not at all uncommon to discover building management networks very poorly secured. Work with your organization to determine how your connected building management systems fall under the purview of the cybersecurity team. If not, make a strong case to secure them. When the proverbial poop hits the fan (or a threat actor just turns the fans off), it *will* be considered a cybersecurity problem.

Jake Williams

These interfaces were intended to allow for remote management and optimization of the system. While wireless control is often a provided component, it must be secured during deployment. The added problem is that many ICS/IoT systems have default credentials, which are published in documentation that is generally accessible online. In short, make sure that your wireless interfaces are securely configured, and that you change default credentials. Verify these credentials and configuration remain set after a reboot or power cycle.

Lee Neely

2021-11-29

Vestas Says Cyberattack Was Ransomware

Danish wind turbine manufacturer Vestas has confirmed that a November 19 cyberattack was in fact ransomware. The company says that most of its IT systems are now operational.

Editor's Note

Vestas is still recovering from the incident, so don’t expect a full recounting until that completes and the incident investigation completes. Research by Coveware shows the average downtime from Ransomware to be 16.2 days and average payment is $140,000 in Bitcoin.

Lee Neely

2021-11-26

DBS Bank Suffers Intermittent Outages

Singapore’s DBS Bank experienced outages last week that prevented customers from accessing their online accounts. The Monetary Authority of Singapore “expects DBS to conduct a thorough investigation to identify the root causes and implement the necessary remedial measures,” and will determine what “supervisory actions” to take after that assessment is complete.

Editor's Note

Online services have gotten more complex. That increases the difficulty of protecting them, but also the difficulty of assuring required service level agreements can be met at all reliably. If one service relies on 5 suppliers with .99 SLAs, you can still on average meet a .95 SLA requirement. But, if any supplier is at or below .95, you can’t. Protecting against cyberattacks means keeping availability above the required level – if all margin has been consumed by unreliable service, even a minor incident can result in major financial damage.

John Pescatore
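
The arithmetic in the note above, carried through as an added example that is not from this issue: a small evaluator for dependency trees in series (all must be up, so availabilities multiply) and in parallel (any one suffices, so only the joint failure counts), the per-dependency availability a target implies, and the monthly downtime margin left over. Supplier names and figures are constructed.

```python
"""Composite availability for a service built from dependencies.

Added example, not from the NewsBites issue. Generalises the note's arithmetic:
five 0.99 suppliers in series leave about 0.951, one supplier at 0.95 drags
the composite below a 0.95 SLA, and a redundant (parallel) pair recovers it.
All figures are constructed.
"""
from math import prod

HOURS_PER_MONTH = 30 * 24


def composite(node):
    """Evaluate a dependency tree: a numeric leaf, ("series", [...]) or
    ("parallel", [...]). Series = every child must be up; parallel = any one."""
    if isinstance(node, (int, float)):
        return float(node)
    kind, children = node
    values = [composite(c) for c in children]
    if kind == "series":
        return prod(values)
    if kind == "parallel":
        return 1.0 - prod(1.0 - v for v in values)
    raise ValueError(f"unknown node kind {kind!r}")


def required_per_dependency(target, n_series):
    """Availability each of n identical series dependencies needs to meet target."""
    return target ** (1.0 / n_series)


def margin_hours(target, availability):
    """Downtime budget (hours/month) left after the dependencies consume theirs;
    negative means the SLA is already unmeetable on average, before any incident."""
    return (availability - target) * HOURS_PER_MONTH


def weakest_links(target, deps):
    """Series dependencies at or below the target: any one makes the SLA unmeetable."""
    return sorted(name for name, a in deps.items() if a <= target)


# Constructed supplier figures for a service carrying a 0.95 SLA.
TARGET = 0.95
SUPPLIERS = {"dns": 0.99, "idp": 0.99, "payments": 0.99, "core-db": 0.99, "cdn": 0.95}


if __name__ == "__main__":
    print(f"five 0.99 suppliers in series: {composite(('series', [0.99] * 5)):.4f}")
    print(f"each of five must be >= {required_per_dependency(TARGET, 5):.5f}")
    actual = composite(("series", list(SUPPLIERS.values())))
    print(f"actual composite: {actual:.4f}, margin {margin_hours(TARGET, actual):.1f} h/month")
    print("weakest:", weakest_links(TARGET, SUPPLIERS))
    redundant = composite(("series", [0.99] * 4 + [("parallel", [0.95, 0.95])]))
    print(f"with a second 0.95 cdn in parallel: {redundant:.4f}")
```

The margin figure is the practical output: it is the number of hours of incident response per month the architecture can absorb before the SLA is breached, and a negative value says the remediation is a contract or redundancy change, not a faster on-call rota.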

This comment is for the DBS story and the Vestas story above. Traditionally cybersecurity has focused on confidentiality and integrity of data, as that is where the value is for both cyber criminals and nation state actors. But within the past 18 months it seems we have seen a dramatic rise in availability issues also. By availability I mean the operational capability for an organization to fulfill its mission. In most cases the shutting down of operations is not the end goal of the threat actor, but either merely a means to an end (extortion) or accidental collateral damage (NotPetya like incidents). Most likely these availability impacts will only increase as our world becomes more interconnected and interdependent on each other. Finally, unlike confidentiality and integrity incidents, availability based incidents can have an immediate and physical impact to people at a large scale.

Lance Spitzner

2021-11-26

Maritime Services Company Suffers Cyberattack

Singapore-based maritime services firm Swire Pacific Offshore has disclosed that it was the victim of a cyberattack. The incident “resulted in the loss of some confidential proprietary commercial information and … some personal data.”

Editor's Note

It is interesting to note that Singapore data protection laws require data breaches to be reported to the government; failure to report can result in a fine of about $7,300 or a two-year jail sentence. The full details of this incident may only be revealed in that reporting process.

Lee Neely

2021-11-29

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a mobile device security checklist for organizations. CISA’s recommendations include enabling automatic updates through a Mobile Device Management system; establishing a trusted devices policy; and enabling two-factor authentication. CISA also urges organizations not to allow mobile devices to connect to critical systems.

Editor's Note

This checklist is device agnostic. Consider the points in the checklist, making sure you can detect compliance and non-compliance with your chosen options. For example, how granular is your OS version/update detection, and will that match your patch/update requirement enforcement? Consider what sorts of data persist on your mobile devices and what applications you allow them to access, and how you can isolate enterprise applications and data on the devices. I created a similar checklist which used to be included in the SANS SEC 575 course; the trick is maintaining it to keep it relevant.

Lee Neely

Recommendations should distinguish between enterprise-managed and user-managed devices.

William Hugh Murray

2021-11-29

GAO: CISA Needs to Assess Effectiveness of Communications Sector Programs

According to an audit report from the US Government Accountability Office (GAO), the Cybersecurity and Infrastructure Security Agency (CISA) “has not assessed the effectiveness of its programs and services to support [the communications] sector.” GAO has made three recommendations: Develop metrics and analyze feedback from sector infrastructure owners and operators to determine the programs’ effectiveness; Assess capability for Emergency Support Function #2; and Revise sector specific plan “to include goals, objectives, and priorities that address new and emerging threats and risks to the Communications Sector and that are in alignment with sector risk management agency responsibilities.”

Editor's Note

Where are you getting guidance and support for cyber security? Are you following up-to-date guides, or are you still looking back to information published “a while ago”? Look for updated versions of your current guidance. If they don’t exist, then look to alternate references for alternatives. Make sure that your self-assessments include effectiveness reviews of your cyber security protections, to include your MSP if used.

Lee Neely

Internet Storm Center Tech Corner

Phishing Page Hiding Itself Using Dynamically Adjusted IP Based Allow List

https://isc.sans.edu/forums/diary/Phishing+page+hiding+itself+using+dynamically+adjusted+IPbased+allow+list/28070/


YARA Rule for OOXML Maldocs: Less False Positives

https://isc.sans.edu/forums/diary/YARA+Rule+for+OOXML+Maldocs+Less+False+Positives/28066/


Wireshark 3.6.0 Released

https://isc.sans.edu/forums/diary/Wireshark+360+Released/28076/


Google Cloud Security Report

https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf


Zoom Patch

https://explore.zoom.us/en/trust/security/security-bulletin/


Slack DNSSEC Experience Reports

https://slack.engineering/what-happened-during-slacks-dnssec-rollout/


Trickbot Phishing Checks Screen Resolution to Evade Researchers

https://www.bleepingcomputer.com/news/security/trickbot-phishing-checks-screen-resolution-to-evade-researchers/


QNAP QVR Patch

https://www.qnap.com/de-de/security-advisory/qsa-21-51


CronRAT Malware Hiding in cron

https://sansec.io/research/cronrat


Zero-Day Windows Installer Exploit

https://www.bleepingcomputer.com/news/security/malware-now-trying-to-exploit-new-windows-installer-zero-day/


VMware vCenter Vulnerability and Patch

https://www.vmware.com/security/advisories/VMSA-2021-0027.html