SANS NewsBites

CISA Publishes List of Useful and Free Security Tools, and Info for Small Critical Infrastructure Providers to Convince Management of the Misinformation Risk; Yet Another House Committee Hearing on Data Privacy Does Not Mean Legislation is Near

February 22, 2022  |  Volume XXIV - Issue #15

Top of the News


2022-02-18

CISA Free Cybersecurity Services and Tools

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a catalog of free public and private sector cybersecurity services. The Free Cybersecurity Services and Tools webpage “includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.” CISA plans to include additional tools and services in the future.

Editor's Note

Sadly, some organizations, in particular in the government, have a hard time using free/open-source tools for political reasons, not due to the quality of the tool. I hope that CISA's list will put a spotlight on some of these tools and make it easier to overcome "Layer 8" issues in implementing them. Currently, the list is a bit dominated by a few vendors and I hope over time more tools will be added. Great start and high-quality resources.

Johannes Ullrich

This is an amazing list of tools but remember you need people and processes to take advantage of them in the most efficient way possible.

Jorge Orchilles

This is a great resource for businesses, particularly small businesses, to refer to when looking for tools. However, while this helps deal with the challenge of the technology part of cybersecurity, I do hope there will be additional resources made available around the other areas such as processes and people.

Brian Honan

The site includes foundational security measures you should be incorporating, links to tools you can deploy locally, as well as information on free services CISA can provide to help your cyber hygiene. Leverage these services and tools to both augment current capabilities and verify your assessed posture, possibly discovering issues previously overlooked.

Lee Neely

In light of recent Russian activity, security professionals and leaders are asking, “What should I be doing?” In most cases, nothing different than what you are already doing now from a security perspective. This CISA publication and release of tools emphasizes the same key lessons: focus on the fundamentals. Neither the attack methods nor the defense methods have changed; it is the sense of urgency that has changed.

Lance Spitzner

2022-02-19

CISA Insights: Foreign Influence Operations

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a CISA Insights document, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure. The document “is intended to ensure that critical infrastructure owners and operators are aware of the risks of influence operations leveraging social media and online platforms.” CISA recommends that critical infrastructure organizations assess the information environment; identify vulnerabilities; fortify communication channels; engage in proactive communication; and develop an incident response plan.

Editor's Note

This short three-pager doesn’t contain any news for large critical infrastructure providers. However, it may be useful for state/local players across water and power and smaller private firms in manufacturing, transportation, etc. to get across to management the need to monitor and minimize the risk of misinformation campaigns across social media.

John Pescatore

This is an easy read, and lists both company and employee actions needed to shore up your defenses for misinformation, disinformation and malinformation (MDM) campaigns. Note the different definition of MDM here.

Lee Neely

2022-02-18

House Committee Holds Hearing on Data Privacy Risks and Reforms

On February 16, 2022, the US House Committee on Administration held a hearing titled Big Data: Privacy Risks and Needed Reforms in the Public and Private Sectors. Legislators attending the hearing spoke in support of a national data privacy law, but there is disagreement about what that law would look like.

Editor's Note

For companies that need to deal with multiple state privacy laws and regulations, plan on continuing to do so for the foreseeable future. I think we just passed the 20th anniversary of the first draft US national privacy legislation – while we may see some limited controls on what are now being called social media “platforms,” the obstacles to any meaningful US national privacy legislation have not changed.

John Pescatore

While there is increasing consensus that a national privacy law is needed, there is still disagreement on where enforcement should lie, which federal agency should oversee the law, what the privacy standards should be, and whether this is a framework to support state laws or intended to replace them. While this is still movement in the right direction, the federal efforts may be overtaken by states unwilling to wait, enacting their own legislation, which may make it very interesting for service providers to meet a complex landscape of requirements.

Lee Neely

The Rest of the Week's News


2022-02-22

NIST is Seeking Comments on Updating Cybersecurity Resources

The National Institute of Standards and Technology (NIST) is seeking public input to help evaluate and improve its Framework for Improving Critical Infrastructure Cybersecurity and other cybersecurity resources. The Cybersecurity Framework has not been updated since April 2018. NIST will accept comments through April 25, 2022.

Editor's Note

With all the activity over the last two years, particularly with ransomware and supply-chain issues, it’s a good time to incorporate that experience into the NIST CSF. Don’t wait to submit comments; you only have until April 25th. Comments need to be submitted to the Federal e-Rulemaking portal (www.regulations.gov) or via email to the NIST RFI (CSF-SCRM-RFI@nist.gov) with attachments in text, RTF, Word, PDF, or HTML format.

Lee Neely

2022-02-18

Dept. of Health and Human Services EHR Guidance

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has released guidance for protecting electronic health records (EHRs). The document enumerates the most serious threats to EHR systems – phishing; malware/ransomware; encryption blind spots; cloud threats; and insider threats – and “recommend[s] that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan.”

Editor's Note

Having had electronic and paper health records lost during a natural disaster, I am missing any mention of backups in the document. The presentation appears a bit disconnected and repeats common knowledge without deriving a lot of new insight from it. I do not believe that this presentation will convince any healthcare leaders to do anything that they are not already doing.

Johannes Ullrich

If you have an EHR system, make sure you understand what data is included, where the system is, and how it is protected. This primer is intended to organize and simplify protection strategies from VPN and encryption in transit to email security. Use the recommendations to reduce your risks and drive the conversation with the EHR system provider, whether internal or externally hosted, to make sure your data is protected and all parties are prepared in the event of an incident.

Lee Neely

The biggest takeaway is that everyone should shift their focus from prevention to detection. As we say in SEC504, prevention is a goal, detection is a requirement.

Jorge Orchilles

2022-02-18

WordPress UpdraftPlus Plug-in Forced Update

Developers of the UpdraftPlus WordPress backup plugin have forced an update to protect websites from a critical vulnerability. The flaw allows anyone with an account on a vulnerable site, regardless of privilege level, to download the site’s backups, which include its private database. UpdraftPlus reportedly has more than 3 million installations.

Editor's Note

Not to sound like a broken record: WordPress is THE largest threat to the Internet's stability and national security. If there ever should be a mass power outage due to compromised industrial PLCs, I am pretty sure the root cause will be a spear phishing site hosted on a compromised WordPress site. A mass DNS outage or BGP melt down? The cause was likely malware downloaded from a compromised WordPress site.

Johannes Ullrich

It is rare for WordPress to force a plugin update (regardless of the plugin's auto-update setting). This decision relates to the ease of exploit for this flaw by any authenticated user. Even so, make sure your copy is updated to at least 1.22.3 (free version) or 2.22.3 (paid version).

Lee Neely

2022-02-21

Logistics Company Hit with Cyberattack

Expeditors International, a logistics and freight company based in Seattle, has shut down most of its operations due to a cyberattack. The company says it has “limited ability to conduct operations.”

Editor's Note

Keep an eye on Expeditors’ Downtime Notification site for status updates (link below) as they are updating it daily. They are currently planning to restore systems from backups, which can be a time intensive activity. No announcements have yet been made regarding manual or other alternate processes. Consider this incident, recovery plan, communication to date, comparing with your DR/COOP plans, then look at it from your customers' perspective to verify your assumptions and expectations.

Lee Neely

Another NewsBites and another ransomware attack. The numbers are not going down and we must continue to collaborate to detect and respond to these threats before boom (boom being exfiltration and/or encryption).

Jorge Orchilles

2022-02-21

IRS: Facial Recognition No Longer Required for Online Account Access

The US Internal Revenue Service (IRS) is no longer requiring facial recognition for online account registration. The agency faced pushback when it announced that all users would have to use it by summer 2022. Taxpayers can still use the facial recognition authentication option; they can also choose to have a live, virtual interview.

Editor's Note

If you wish to use the ID.me process, the PII provided for identity verification will now be deleted as part of that process. If you had previously used this process, the biometric data will be deleted over the next few weeks. The challenge the IRS and GSA are trying to solve is to implement strong identity verification at scale. The virtual interview option is intended for this tax year only, with improved options beyond 2022.

Lee Neely

Internet Storm Center Tech Corner

Remcos RAT Delivered Through Double Compressed Archive

https://isc.sans.edu/forums/diary/Remcos+RAT+Delivered+Through+Double+Compressed+Archive/28354/


Sending an Email to an IPv4 Address?

https://isc.sans.edu/forums/diary/Sending+an+Email+to+an+IPv4+Address/28362/


SMS Phone-Verified Account Services

https://www.trendmicro.com/en_us/research/22/b/sms-pva-services-use-of-infected-android-phones-reveals-flaws-in-sms-verification.html


Xenomorph Android Banking Trojan

https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html


Clarification for Adobe Magento Vulnerabilities

https://helpx.adobe.com/security/products/magento/apsb22-12.html


Cassandra User-Defined Functions Remote Code Execution

https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/


Modified CryptBot Infostealer Going After Crypto Wallets

https://asec.ahnlab.com/en/31802/


Apple T2 Weakness

https://www.forensicfocus.com/news/passware-kit-forensic-t2-add-on-the-first-password-recovery-tool-for-macs-with-t2-chips/


Snap Privilege Escalation

https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt