SANS NewsBites

Patch Available to Fix Microsoft Date Coding Flaw; Large Scale Data Arrays Need Special Attention to Assure Backup; Chinese Social Media Surveillance Drives Need for Open Source Intelligence

January 4, 2022  |  Volume XXIV - Issue #01

Top of the News


2022-01-02

Microsoft Releases Fix for Exchange Server Flaw that Disrupted eMail Delivery

Microsoft has released temporary fixes for a bug in Exchange Server that trapped email in transport queues. The issue, jokingly dubbed Y2K22, is due to a date check failure in the FIP-FS anti-malware scanning engine; the flaw affects on-premises Exchange Server 2016 and 2019.

Editor's Note

Representing dates properly remains a common problem. There are a number of standard solutions (e.g. ISO time formats or Unix timestamps), which are not foolproof but will beat any one-off implementation.

Johannes Ullrich

An obvious failure in Microsoft’s software development lifecycle and pre-release testing. Hopefully, Microsoft’s testing in the future will now routinely include setting clocks forward during test…

John Pescatore

January 1st 2022 is when a signed 32-bit integer can no longer hold the date value, sometimes called a Y2K22 bug. There is a manual fix available from Microsoft which stops the FIP-FS scanning engine, removes old AV files, installs a new AV engine, and restarts services. A fully automatic fix is still being developed. You can download the Reset-ScanEngineVersion.ps1 script from https://aka.ms/ResetScanEngineVersion.

Lee Neely
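The clock-forward release test suggested above, as an added example that is not from the newsletter or from Microsoft. It assumes the engine-version layout yyMMddHHmm packed into a signed 32-bit integer (the newsletter only says a signed 32-bit integer can no longer hold the date value), and also shows why a Unix timestamp is not foolproof either.

```python
"""Pre-release check for a Y2K22-style date-encoding overflow (added example).
ASSUMPTION: versions are encoded as the decimal layout yyMMddHHmm and stored in
a signed 32-bit integer; the newsletter does not spell this layout out."""
from datetime import datetime, timedelta, timezone
from typing import Optional

INT32_MAX = 2**31 - 1  # 2147483647
INT32_MIN = -2**31


def packed_version(when: datetime) -> int:
    """Encode a timestamp in the assumed yyMMddHHmm decimal layout."""
    return int(when.strftime("%y%m%d%H%M"))


def fits_int32(value: int) -> bool:
    """True if the value can be stored in a signed 32-bit integer."""
    return INT32_MIN <= value <= INT32_MAX


def first_overflow(start: datetime, horizon_days: int) -> Optional[datetime]:
    """Clock-forward test: step one day at a time from `start` and return the
    first timestamp whose packed version no longer fits, or None if it always
    fits within the horizon.  This is the kind of check a release gate could run."""
    when = start
    for _ in range(horizon_days):
        if not fits_int32(packed_version(when)):
            return when
        when += timedelta(days=1)
    return None


def unix_seconds(when: datetime) -> int:
    """Alternative from the editor's note: a Unix timestamp (UTC).  It also
    stops fitting in a signed 32-bit integer, just later (19 January 2038)."""
    return int(when.replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    # Constructed run: scanning from 1 December 2021 finds the rollover.
    print("packed overflow at:", first_overflow(datetime(2021, 12, 1), 60))
    print("unix overflow at  :", first_overflow(datetime(2038, 1, 18), 5))
```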

2021-12-30

Kyoto University Research Data Lost in Supercomputer Backup Bug

In mid-December 2021, Japan’s Kyoto University lost 77TB of data when its supercomputer backup system deleted nearly all files that were more than 10 days old. The problem was due to a buggy software update from HPE. The incident deleted millions of files belonging to 14 research groups. The university says that data from four of the research groups cannot be restored.

Editor's Note

Doing backups well is hard and boring. Which means it doesn't get done properly. Remember the old rule that data that doesn't exist at least three times in three different physical locations (and at least one of them offline) should be considered already lost.

Johannes Ullrich

The old trope of testing patches probably doesn't apply since most organizations won't have multiple large-scale storage arrays on which to test patches. Even then, the “test” likely can impact production data. Second, although the article suggests the impact was backup data, that seems a bit misleading. In some scientific research contexts, data stored on a device other than where it was generated is noted as “backup” data. While the 77TB lost was characterized as having been generated over a three-day period, that doesn't mean it can be reconstituted in three days. It was generated over a specific three-day period. I've been involved in a few research situations where this three-day loss could destroy months or years of work. In a typical situation, the data is generated and then processed from a high-redundancy storage cluster (such as the one that had the errant software update). Aggregate data of a much smaller size is then stored longer term. It is simply infeasible to say “keep multiple copies with offline backups” when you're generating this much data on a daily basis; that's why the org invested in such a high-performance (and obscenely expensive) storage system in the first place.

Jake Williams

HPC has graded storage, where data is migrated to slower and slower storage as the local on-line storage comes at a premium. The software which manages the migration of data, and ultimately deletion, is a critical component as it not only tracks data migration, but also maintains the working space needed for the system to continue to operate. The new script was deployed without quiescing the running scripts or fully testing the modified logic. The intention was to only remove log files more than ten days old. Recreating the lost data by re-running the experiments, in this case, may not be practical due to system availability coupled with the time and expense needed to prepare them to run.

Lee Neely

2021-12-31

China Is Targeting Western Social Media with Surveillance Technology

According to a Washington Post report, China is mining Western social media for data about “well known Western media journalists [and] … key personnel from political, business and media circles.” China has been using surveillance technology domestically, but an examination of bidding documents, contracts, and company filings shows that China has expanded its purview beyond its borders.

Editor's Note

Consider regular internal or contracted OSINT hunts. These should be deep dives for corporate officers and at least sweeps for all employees/corporate identities. Use some of the tools on https://osintframework.com/ for a self-checkup!

Christopher Elgee

China is not the only country doing this, and indeed your competitors may also be monitoring the social media activity of your key staff members. Start 2022 by running an awareness campaign for staff on how to secure their online social media accounts and how to better protect themselves and your business online.

Brian Honan

Don’t count on the data collection terms published by social media sites to protect your data. If you don’t want it viewed publicly, don’t post it on social media. Also, review your profile with an eye to how that information could be used to target you, your employer, or co-workers.

Lee Neely

The Rest of the Week's News


2021-12-30

Rhode Island AG Investigating Transit Authority Breach

Rhode Island’s Attorney General (AG) is opening an investigation into a data breach that affected the state’s Public Transit Authority (RIPTA). RIPTA disclosed the August 2021 breach last month, telling victims that intruders had exfiltrated data related to RIPTA health plans. The AG’s office began receiving complaints from people who received a breach notice from RIPTA but who had no connection to the agency. It appears that the state’s former employee health plan administrator, UnitedHealthcare, was sending all state employee health claims bills to RIPTA, leaving the agency to pick through them to find the pertinent data. The Rhode Island AG is “reviewing this incident to determine whether the entities involved have complied with state laws regarding notification and safeguarding of personal information in their custody.”

Editor's Note

On the surface, sending all the state’s data to an agency and letting them figure out what was theirs sounds like an easy fix which avoids omitting needed records. This also exposes data to an agency that has no need to know it (regardless of regulation) and adds liability to the receiving party to properly protect that data. Make sure that when you are sharing data, you only share the records which are in scope, and that both parties are appropriately protecting that data.

Lee Neely

2021-12-29

CISA: Manufacturing Sector Facing Increased Cyberthreats

In an Insights report, the US Cybersecurity and Infrastructure Security Agency (CISA) says “the Critical Manufacturing Sector is at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” Factors responsible for expanding the attack surface include increased remote work and the use of robotics. CISA suggests mitigations such as “developing cybersecurity and operational knowledge within the shop floor environment is essential, given reduced crew density. Additionally, cybersecurity teams within firms must invest in training for security analysts to be capable of remote monitoring of manufacturing environments.”

Editor's Note

Well, pretty much every sector is “… at risk from increased cyber-attack surface areas and limited cybersecurity workforces related to the COVID-19 pandemic.” And, the report is pretty lightweight – mostly pointing out possible risks of moves to robotic process automation bringing increased Internet exposure. But, good to use as ammunition if your company is planning on migrating to RPA technology soon.

John Pescatore

When we entered the pandemic, we rapidly created remote management/monitoring capabilities for many systems, including some which may not be suited for it. We also stepped up automation and other processes which allowed for operation with fewer humans. Take a pause and assess the security of those systems, making sure that only authorized devices and users can access those networks, and be sure you can detect anomalous traffic and behavior. Assess for cases where you no longer need that access and remove it.

Lee Neely

2022-01-03

BlackBerry EoL

As of January 4, 2022, legacy services for BlackBerry 7.1 OS and earlier, BlackBerry 10 software, and BlackBerry PlayBook OS 2.1 and earlier are discontinued. BlackBerry devices running these legacy services over WiFi or cellular networks will no longer be able to receive or send text messages or place calls, including 911 emergency calls.

Editor's Note

BlackBerry hardware running the Android OS is not impacted. In 2017 BlackBerry announced they would only support these legacy operating systems for two more years. The good news for the enterprise is if you have users who refused to upgrade because things were not broken, this is no longer the case; you can migrate them to a current supported device. The bad news is they likely want a replacement device ASAP; make sure you have some spare/loaner devices on hand.

Lee Neely

BlackBerry was once the industry leader for secure mobile communications. It is sad to see them come to EoL, but it is a reminder from a cybersecurity perspective that reliance on a single technology to be your main security provider is not a wise long-term strategy and that you should regularly review the technological solutions you rely on.

Brian Honan

2022-01-03

Healthcare Supply Chain Association Releases Security Guidance Documents

The Healthcare Supply Chain Association (HSCA) has published two documents for medical device manufacturers, healthcare delivery organizations, and service providers. HSCA notes that “Maintaining device and information security is a shared responsibility of the manufacturers and suppliers of connected devices and services as well as the healthcare delivery organizations (HDOs) that use them.”

Editor's Note

This document contains 50 requirements statements (search for “should”), 18 of which (the ones in the last two sections) are very good requirements to convince procurement to include in all RFPs and contracts for medical devices and services.

John Pescatore

The guidance includes important notifications, such as warranty and lifecycle information, partnerships to resolve security incidents in a timely fashion, as well as breach/incident sharing with the appropriate ISAOs without non-disclosure provisions. The problem is the guidance needs to be implemented. Healthcare providers will need to push on their suppliers to ensure they are complying with appropriate security practices prior to signing contracts. Suppliers need to make sure the providers understand the needed security when deploying their products and services. Then healthcare providers need to actively assess their protections regularly.

Lee Neely

2022-01-03

Broward Health Discloses Breach

Florida-based Broward Health has acknowledged that it experienced a data security breach that affects information of more than 1.3 million people. The incident occurred in October 2021. The breach appears to have been made through a third-party provider who had access to the Broward Health network.

Editor's Note

Indications are that the third-party provider’s access was used to access another account which could access the exfiltrated data. In addition to resetting all passwords, Broward Health is implementing multi-factor authentication for all users as well as adding minimum security posture requirements for devices they don’t manage connecting to their network. When providing remote services, consider requiring not only MFA, but also VDI or similar protections to insulate your system from weaknesses in the connecting system. Only permit access to needed services, at all layers.

Lee Neely

2022-01-03

iOS HomeKit DoS Vulnerability

A denial of service vulnerability in Apple’s HomeKit software framework affects iOS versions 14.7 through 15.2. Dubbed DoorLock, the vulnerability was discovered by researcher Trevor Spinolas and reported to Apple in August 2021. HomeKit allows users to control their smart home devices through iPhones and iPads.

Editor's Note

An interesting vulnerability, but it isn't clear if it is exploitable in “real life.” To exploit this issue, the victim would need to install a rogue application and give it permission to access the HomeKit configuration.

Johannes Ullrich

The flaw is triggered by changing the name of a HomeKit device to a string of over 500,000 characters. A partial fix is included in iOS 15 which limits the length of a name in a HomeKit device, which only works if all devices with access to that HomeKit are running iOS 15. When exploited, recovery requires restoring iOS devices and disabling Home Data until all HomeKit devices are renamed or removed from your iCloud account.

Lee Neely

Internet Storm Center Tech Corner

Exchange Server Year 2022 Bug

https://isc.sans.edu/forums/diary/Exchange+Server+Email+Trapped+in+Transport+Queues/28204/

https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transport-queues/ba-p/3049447


Agent Tesla Updates

https://isc.sans.edu/forums/diary/Agent+Tesla+Updates+SMTP+Data+Exfiltration+Technique/28190/

https://isc.sans.edu/forums/diary/Do+you+want+your+Agent+Tesla+in+the+300+MB+or+8+kB+package/28202/


LotL Classifiers

https://isc.sans.edu/forums/diary/LotL+Classifier+tests+for+shells+exfil+and+miners/28184/


McAfee Phishing Campaign with a Nice Fake Scan

https://isc.sans.edu/forums/diary/McAfee+Phishing+Campaign+with+a+Nice+Fake+Scan/28208/


Log4j 2 Security Vulnerabilities Update Guide

https://isc.sans.edu/forums/diary/Log4j+2+Security+Vulnerabilities+Update+Guide/28188/


Log4j Vulnerability CVE-2021-44832

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832


Microsoft Defender Log4j False Positives

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-scanner-triggers-false-positive-alerts/


Forensics Issues and Techniques to Improve Security in SSD with Flex Capacity Feature

https://arxiv.org/ftp/arxiv/papers/2112/2112.13923.pdf


iLO Bleed Attack

https://thehackernews.com/2021/12/new-ilobleed-rootkit-targeting-hp.html


LastPass Credential Stuffing

https://www.bleepingcomputer.com/news/security/lastpass-users-warned-their-master-passwords-are-compromised/


T-Mobile SIM Swapping Alerts

https://www.bleepingcomputer.com/news/security/t-mobile-says-new-data-breach-caused-by-sim-swap-attacks/


Fisher Price Bluetooth Phone Privacy Flaw

https://www.pentestpartners.com/security-blog/audio-bugging-with-the-fisher-price-chatter-bluetooth-telephone/


Trend Micro Apex One Patch

https://success.trendmicro.com/solution/000289996


E-commerce Bots Using Cheap Domain Registration Services

https://threatpost.com/ecommerce-bots-domain-registration-account-fraud/177305