SANS NewsBites

SANS Russian Cyber Attack Escalation in Ukraine Webcast and Resource Center; Russian Uses of Malware as Part of Invading Ukraine Will Spillover, Check and Upgrade Defenses; Coalition Will Act as a Force Multiplier for Nonprofit Security Organizations; Irish Ransomware Incident Costs Exceed €100m, Much More Than Cost to Avoid

February 25, 2022  |  Volume XXIV - Issue #16

Top of the News


2022-02-25

SANS Webcast: Russian Cyber Attack Escalation in Ukraine - What You Need To Know and Do!

This webcast features cybersecurity experts Rob Lee, Kevin Holvoet, Jake Williams, and Tim Conway, who come together to give an overview of current Russian threat actor capabilities, discuss critical infrastructure attacks on Ukraine, and possible cyber-attack spillover into the EU and US. The webcast focuses on actions you can take today to bolster your organization's security.

The webcast and additional guidance are available at the SANS Ukraine Russia Conflict Cyber Resource Center.


2022-02-24

Ukrainian Computers Infected with Wiper Malware

Hundreds of computers in Ukraine have been infected with Windows wiper malware. The malware appears to be signed with a legitimate developer certificate. The appearance of the wiper malware follows close on the heels of a series of distributed denial-of-service attacks and SMS spam attacks against Ukrainian devices. In some cases, the wiper malware was accompanied by ransomware, which may have been used as a decoy or red herring.

Editor's Note

Currently, these attacks appear to be targeting systems in the Ukraine. But don't feel too safe if you are not connected to the Ukraine. As NotPetya and other events have shown, malware like this easily spills over.

Johannes Ullrich

It is not a huge surprise that both kinetic and cyber-attacks are being leveraged against the Ukraine. The wiper has been dubbed “HermeticWiper” because the certificate which signs it was issued to “Hermetica Digital Ltd.” Note that it has also been found in Lithuania and Latvia, seemingly targeting financial institutions and government contractors. The ransomware feint is reminiscent of the WhisperGate wiper previously targeting the Ukraine. Even so, user awareness, content filtering, and other ransomware defenses are still relevant to reducing the likelihood of a successful compromise.

Lee Neely

2022-02-23

Nonprofit Cyber Coalition Established

The Nonprofit Cyber Coalition will bring together more than 20 organizations “to collaboratively align [their] individual strengths into a collective force for good, taking positive action for the entire cyber ecosystem.” Founding members include the Center for Internet Security (CIS), the Anti-Phishing Working Group, the Cloud Security Alliance, and Consumer Reports.

Editor's Note

SANS gave one of the founders of one of the organizations, #ShareTheMicInCyber, a SANS Difference Makers award in 2021 and has long been a supporter of the Center for Internet Security. There is a lot of good and meaningful progress in cybersecurity being driven by non-profits; this coalition can act as a force multiplier for future efforts.

John Pescatore

This is an incredible gathering of expertise and resources. This is a collection of free services you can leverage, and it augments resources provided by others such as CISA. The initial focus is on raising awareness of the services offered and how you can leverage them. If you’re curious about the composition of the coalition, the last three pages of the press release below describe each of the members and what they bring to the table.

Lee Neely

2022-02-23

Irish Healthcare Ransomware Attack Recovery Costs Could Reach €100m

The cost of response to and recovery from last May’s ransomware attack against Ireland’s Health Service Executive (HSE) is currently €43 million (USD 48 million) and could end up being as high as €100 million (USD 112 million), according to a letter from the HSE’s interim CIO. That figure does not include the costs of implementing security measures recommended by a PWC report on the incident.

Editor's Note

It should be very clear by now that the cost of a ransomware attack is not limited to the ransom payment itself (if you decide to pay in the first place). The response and recovery from a ransomware attack includes many other variables that will increase the cost exponentially. I hope that by now all the NewsBites readers have bought in to investing in testing, measuring, and improving their security controls (people, process, and technology) before the inevitable breach. We call this culture “operating under assumed breach.”

Jorge Orchilles

Read that number and remember it doesn’t include security improvements or other costs to patients, including any loss of life which resulted from the downtime. Now make sure your recovery plans include obtaining funding for security improvements, as well as lack of, or reduction to, customer business during the recovery.

Lee Neely

Folks, remember HSE never paid a ransom; they obtained the decryption key for free. The biggest costs of ransomware are not the ransom, but the costs of no longer being able to function, costs to reputation, costs to recover, legal fees, etc. Anytime someone is paying a ransom, you can exponentially increase that number to determine the real costs. And those costs are just financial. What about costs to people’s health, jobs, family life, and emotional state?

Lance Spitzner

The Rest of the Week's News


2022-02-23

Cyclops Blink

The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) have released alerts warning of new network device malware that is being used by the Russian Sandworm hacking group. Known as Cyclops Blink, the malware is a Linux ELF executable.

Editor's Note

People keep asking, “What can I do?” While there is little you can do to help people in Ukraine right now, you should be able to find the time today to double check your router/firewall (not just Watchguard). Make sure it is up to date, uses strong authentication and that its admin interface is not exposed to the public. Compromised routers are a valuable commodity even for state actors not just to launch DoS attacks, but also to use as proxies for targeted attacks.

Johannes Ullrich

Yes, this is the same Sandworm group that released the NotPetya malware. Cyclops Blink leverages a firmware update weakness which allows it to persist across firmware updates on WatchGuard devices. WatchGuard has published updates to Fireware that address the vulnerability. It is expected that other manufacturers' devices will also be targeted. The best mitigation is to disable remote management of your router/firewall and keep the firmware updated.

Lee Neely

2022-02-24

American Hospital Association Cybersecurity Advisory

The American Hospital Association (AHA) has published a cybersecurity advisory, noting that it “is closely monitoring the potential for increased cyber risks to the U.S. health system stemming from the ongoing military operations in the Russia/Ukraine region.” The AHA lists three main concerns for hospitals and health systems: they could be directly targeted by Russian-sponsored cyber actors; they could experience collateral damage from malware; and their services could be disrupted by a cyberattack. The advisory also provides resources and recommendations for protecting networks.

Editor's Note

Expect threat actors to target health and government systems for members of the NATO alliance in response to the sanctions issued. Heightened awareness is called for; panic is not. Make sure that you are taking steps to ensure your cyber posture is strengthened. Leverage active monitoring, immutable backups, strong authentication and DDoS protections. Update and verify contact information for responders and key management staff. Finish up those BC/DR plans you’ve been updating to include new services or functions implemented in the last two years.

Lee Neely

2022-02-23

Cisco Field Notice: Upgrade Firepower Software

Cisco has published a field notice urging users of their Firepower firewalls to upgrade their software; if they do not, security updates may fail after March 5, 2022. The issue is due to an upcoming Secure Sockets Layer (SSL) certificate change.

Editor's Note

The threat intelligence feeds consumed by the Firepower platform depend on the SSL certificate. The certificate authority is being decommissioned March 6th, so postponing can make Monday March 7th a really bad day. The Firepower Management Center is what needs the update, not the Firepower Threat Defense device. Note that the fix may require updates to a newer supported software version, so you want to leverage the time between now and March 5th for regression testing.

Lee Neely

2022-02-24

Cisco FXOS and NX-OS Software Security Advisory Bundled Publication

Cisco has released fixes for four vulnerabilities in its FXOS and NX-OS network operating systems. Three of the security issues are rated high severity; the fourth is rated medium. Cisco was alerted to one of the vulnerabilities – a fabric services over IP denial-of-service issue – by the National Security Agency (NSA). The fixes are part of Cisco’s semi-annual FXOS and NX-OS Software Security Advisory Bundled Publication.

Editor's Note

If you’re running Cisco Nexus or UCS series switches/appliances or virtual edge services, check the advisories for applicability. The fixes include addressing CVE-2022-20650, which can be remotely exploited and allow command injection. The flaw identified by the NSA is CVE-2022-20624, resulting from insufficient validation of network packets, allowing specially crafted packets to exploit it. While some of the flaws are mitigated by not enabling vulnerable features, such as CFSoIP, it’s best to apply the update to protect future possibilities of you enabling those functions.

Lee Neely

2022-02-24

NCCoE Releases Final Telehealth and Remote Patient Monitoring Ecosystem Guidance

The National Cybersecurity Center of Excellence (NCCoE) has released the final version of its guidance on remote patient monitoring and telehealth security. In the publication, NCCoE notes that it “built a laboratory environment to demonstrate how healthcare delivery organizations can implement cybersecurity and privacy controls to enhance telehealth RPM resiliency;” the document includes how-to guides. NCCoE is part of the National Institute of Standards and Technology (NIST).

Editor's Note

Volume C: How-to Guides make this publication much more useful than the typical NIST Special Publication. Working with private industry, a reference architecture was used to build out real world systems using real world products to develop and implement a candidate security solution. Other volumes provide the usual high level security guidance, and the how-to volume is not a “just build this” solution but definitely brings everything closer to reality.

John Pescatore

With the pandemic, HIPAA restrictions relating to telehealth were loosened. It’s time to make sure that systems implemented to provide remote services to patients are properly secured, with validation. These guides are intended to help with that process. Check that services you may have exposed to ease access are only allowing the access intended, are monitored and patched/updated, and are not themselves pivot points into your other IT systems. Make sure that you have an appropriate agreement with the services, such as a BAA, for protecting that information.

Lee Neely

2022-02-23

UK Police Seize £16 Million in Stolen Cryptocurrency

In July 2021, the Greater Manchester (UK) Police seized more than £16 million (USD 22.2 million) in stolen cryptocurrency from USB sticks and an online safe. As of February 18, 2022, more than £4 million (USD 5.4 million) of the cryptocurrency has been returned to victims of the theft.

Editor's Note

While becoming more mainstream, crypto is still less regulated with fewer consumer protections than traditional currency. Keep track of your crypto, including the details, reporting losses if stolen. Funds can only be returned if sufficient details are available; in this case the wallet address, savings and trading services it was invested in as well as the law enforcement agency the loss was reported to must match.

Lee Neely

2022-02-22

IRS Will Switch to Login.Gov After Current Tax Season

The US Internal Revenue Service (IRS) plans to roll out the Login.Gov authentication tool after the April 2022 tax filing deadline. The agency will stick with ID.me for the remainder of the current tax season. The IRS has already walked back plans to require taxpayers who want to access their IRS accounts online to use facial recognition technology, following pushback from legislators and digital rights advocates.

Editor's Note

For whatever reason, the IRS initially tried the “let’s throw the frog into a pot of boiling water” approach to moving away from reusable passwords – and the frog leapt out. Login.gov supports 2FA and strong identity proofing at enrollment – the identity frog is in the pot and the temperature can gradually be increased.

John Pescatore

Throwing a frog into a boiling pot, as John says, is too rapid of a change and never effective, particularly with a large user group. In short, look before you leap. Login.gov is engineered for providing accounts for the public to authenticate to US Government systems which include both strong authentication and identity verification. This move should help smooth any rough edges in the current Login.gov account activation process.

Lee Neely

It is, and probably ought to be, difficult to enroll in login.gov or ID.me. I have so far been unsuccessful. The IRS has committed to both facial recognition and an interview as options for people like me.

William Hugh Murray

Internet Storm Center Tech Corner

Ukraine Update: Webcast

https://www.sans.org/webcasts/russian-cyber-attack-escalation-in-ukraine/


Other Ukraine Related Stories

https://isc.sans.edu/forums/diary/Ukraine+Russia+Situation+From+a+Domain+Names+Perspective/28376/

https://detection.watchguard.com


Wiper Malware Seen Deployed Against Targets in the Ukraine

https://twitter.com/juanandres_gs/status/1496581710368358400

https://twitter.com/ESETresearch/status/1496581903205511181


New Sandworm Malware Cyclops Blink Replaces VPNFilter

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter


The Rise and Fall of log4shell

https://isc.sans.edu/forums/diary/The+Rise+and+Fall+of+log4shell/28372/


A Good Old Equation Editor Vulnerability Delivering Malware

https://isc.sans.edu/diary/rss/28368


Asustor Victim of Deadbolt Ransomware

https://forum.asustor.com/viewtopic.php?f=45&t=12630


Firepower Rule Update Failure After March 5th 2022

https://www.cisco.com/c/en/us/support/docs/field-notices/723/fn72332.html?emailclick=CNSemail


Social Media Takeover Malware Distributed Via Microsoft App Store

https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/


Horde Webmail 5.2.22 - Account Takeover via Email

https://blog.sonarsource.com/horde-webmail-account-takeover-via-email


Zabbix Vulnerability Exploited

https://www.cisa.gov/uscert/ncas/current-activity/2022/02/22/cisa-adds-two-known-exploited-vulnerabilities-catalog

https://support.zabbix.com/browse/ZBX-20350


NoVNC Phishing

https://mrd0x.com/bypass-2fa-using-novnc/


pfsense authenticated RCE

https://www.shielder.it/advisories/pfsense-remote-command-execution/