SANS NewsBites

ICANN Won’t Revoke Russian Domains; Ukraine Asks Cryptocurrency Exchanges to Block Russian Users; SWIFT Data Center Under Guard After Russian Banks Excluded

March 4, 2022  |  Volume XXIV - Issue #18

Top of the News


2022-03-03

ICANN Says it Will Not Revoke Russian Domains

The Internet Corporation for Assigned Names and Numbers (ICANN) has rejected a request from Ukraine to revoke top-level Russian domains and associated SSL certificates. In a publicly released reply, ICANN President and CEO Göran Marby wrote, “In our role as the technical coordinator of unique identifiers for the Internet, we take actions to ensure that the workings of the Internet are not politicized, and we have no sanction-levying authority. Essentially, ICANN has been built to ensure that the Internet works, not for its coordination role to be used to stop it from working.”

Editor's Note

“Disconnecting” Russia is the wrong move IMHO. The Internet is one way Russians are still receiving outside news and it is making a difference. More targeted removal of particular domains may be more appropriate, but ICANN wouldn't be the right way to accomplish this.

Johannes Ullrich

Ukraine’s request to ICANN sought technical actions ICANN could execute; however, executing those actions would arguably violate ICANN’s own bylaws. If ICANN were to pick sides in this conflict, it would be pressured to pick sides in countless future conflicts where the public opinion could be more divided. The future political ramifications would likely decrease the world’s confidence in the security and stability of the Internet as a whole. ICANN wisely held true to its stated mission, which is “to ensure the stable and secure operation of the Internet's unique identifier systems.”

Jon Gorenflo

In short, ask the right organization to take actions and know their constraints. While I can appreciate the desire for the Ukraine to delist the .ru top level domain, revoke certificates and shut down root servers as a sanction for Russia’s actions against them, ICANN can’t technically do all those things. Its role is the assignment of unique Internet identifiers aligned with global policies. Those same policies don’t allow for ICANN to take the actions requested; in fact, no single entity has the power to take those actions. It’s worth noting the root DNS servers are independently operated and geographically distributed for the same reasons. Yes, SSL certificates can be revoked by the issuers, but only for reasons outlined in their certificate handling agreements.

Lee Neely

Information warfare is a two-way street. While severing ties with an enemy reduces propaganda going out, it also keeps the West's messages from reaching Russian citizens. This reality is likely what's driving the Russian government to disconnect itself from the wider internet later this week.

Christopher Elgee

2022-03-02

Ukrainian Government Asks Tech Companies, Crypto Exchanges for Support

The Ukrainian government has asked Oracle and SAP to halt their business relationships with Russian entities. The government has also requested cryptocurrency exchanges to “block addresses of Russian users.” Earlier this week, Oracle tweeted that they have “suspended all operations in the Russian Federation.”

Editor's Note

It may not be technically possible in all cases, but for sanctions to work, cryptocurrencies have to be included. It will however be difficult (and may take some time) to properly identify sanctioned entities exchanging payments via cryptocurrencies.

Johannes Ullrich

Crypto exchanges and cryptocurrency fall outside normal regulatory reach. As such, participation by the exchanges is going to be an individual choice. This is further complicated by having to have an accurate mapping of wallet to user and location, as crypto facilitates obfuscation and indirection. It is not clear how effective these blocks will be.

Lee Neely

2022-03-03

Data Center Under Guard After SWIFT Excludes Russian Banks

A SWIFT data center in Switzerland is being physically guarded by law enforcement after the international financial messaging system excluded several large Russian banks from its network to comply with instructions from the European Council. SWIFT also has data centers in the Netherlands and the US.

Editor's Note

SWIFT's Swiss data center is a well-protected defensible space with five of seven floors under ground as well as being surrounded by high walls, barbed wire, and security cameras in preparation for such a situation. Verify the physical security at your data center is not only commensurate with your anticipated threat scenarios, but also that those protections are tested regularly.

Lee Neely

The Rest of the Week's News


2022-03-03

Senate Passes Bill Requiring Critical Infrastructure Operators to Report Cyberattacks, Ransomware Payments

The US Senate has passed the Strengthening American Cybersecurity Act, which requires critical infrastructure operators to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The legislation also requires critical infrastructure operators to report ransomware payments within 24 hours. The Department of Justice (DoJ) says the bill has “serious flaws,” noting that it does not include reporting incidents to the FBI.

Editor's Note

The tools being deployed against the Ukraine critical infrastructure will work in the US as well. The architecture of US critical infrastructure, including the thousands of independent operators, makes attacks much more complicated, particularly if you’re looking to remain undetected or coordinate across operators. CISA is tasked with having visibility to critical infrastructure; having these notifications will help that insight. One hopes that as CISA resolves the issues in the GAO study above, the issues noted by DoJ can also be remedied.

Lee Neely

Legislation cannot do magic. The Verizon Data Breach Incident Report continues to show that, with the possible exception of ransomware attacks, the time from breach to discovery continues to be measured in weeks, not hours. While one might well argue that that is far too long, law alone will not change it.

William Hugh Murray

2022-03-02

GAO: CISA’s National Critical Infrastructure Prioritization Plan Needs to Improve

According to a Government Accountability Office (GAO) audit report, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) National Critical Infrastructure Prioritization Plan is not living up to its potential. According to the report, “Nine of 12 CISA officials and all 10 of the infrastructure stakeholders GAO interviewed questioned the relevance and usefulness of the program.”

Editor's Note

The central issue driving most of the negative comments is that the bulk of the US infrastructure looked at (energy, water, manufacturing, IT) is owned and operated by some combination of private industry and state/local government. The CISA started out in 2018 and largely took a top-down approach as if the federal government drove how those systems worked and were governed. So, better involvement in early stages with “stakeholders” is a good recommendation. I’d add taking advantage of the ISACs that have been effective, especially the Multi-State ISAC. The Federal Government cannot move at the speed of threats and technology changes with a top-down approach; we learned that in the old “Orange Book” computer security days and it still holds true.

John Pescatore

The distributed nature of critical infrastructure operators makes comprehensive communication and cooperation challenging. One hopes leveraging local ISACs which are more closely connected to those operators can facilitate the relationship and get stakeholders in the conversation. If you are an operator, a.k.a. stakeholder, make sure that you’re connected not only to your local ISAC, but also your local CISA office for resources and support.

Lee Neely

2022-03-03

Palo Alto Networks Unit 42 Looks at Medical Infusion Pump Vulnerabilities

Researchers at Palo Alto Networks’ Unit 42 examined data gathered from “more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations.” More than half of the devices were vulnerable to two flaws that have been known since 2019.

Editor's Note

Unit 42 not only calls out the flaws, but also points out that mitigations are well-known and not applied. Their report includes a list of capabilities healthcare organizations need to embody to protect and secure Internet of Medical Things (IoMT) devices. At a high level, know what you have, know where it is, reduce risks (segmentation, monitoring and updates) and prevent threats. Look beyond the devices themselves and make sure your entire network ecosystem is secured.

Lee Neely

2022-03-03

CISA Medical Device Advisories for Vulnerabilities in BD Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued two medical device advisories regarding hard-coded credential vulnerabilities in certain BD Pyxis and Viper LT products. The flaws could be exploited to access or in some cases modify sensitive information. BD Pyxis is an automated medication dispensing system; BD Viper LT is an automated molecular testing system.

Editor's Note

There are two vulnerabilities: CVE-2022-22765, hard-coded credentials, which has a low attack complexity, is not remotely exploitable and has no known public exploits; and CVE-2022-22766, which allows access to the underlying file system if the BD managed credentials were discovered. While fixes haven’t been released yet, mitigate the risks by limiting physical access to the devices, as well as ensuring the devices are properly segmented and traffic is monitored for inappropriate interaction. Make sure that the right staff are being alerted to updates from BD.

Lee Neely

2022-03-02

Logan Health Breach Compromised Patient and Employee Data

Logan Health Medical Center in Montana has notified more than 200,000 patients, employees, and business associates that their personal information was compromised following a file server breach. Logan Health became aware of suspicious activity in November 2021.

Editor's Note

Notifications from this breach and other similar incidents have been delayed by using manual processes to verify information was accessed or otherwise released, in contrast to declaring the entire dataset was compromised. Act now to capture exactly which systems have sensitive data to facilitate identification of affected information as well as fine tune your recovery process. With the continued focus by attackers on healthcare systems, consider proactively obtaining identity monitoring services instead of waiting for notification that your information was previously compromised.

Lee Neely

2022-03-03

Nvidia Data Stolen

Nvidia has acknowledged that its network was breached and data were stolen. The chipmaker said that the hackers stole proprietary data and employee credentials. The data have reportedly been leaked on the internet. The data thieves are demanding that Nvidia allow their graphics cards to mine cryptocurrencies faster; if the demand is not met, the thieves say they will release Nvidia source code.

Editor's Note

We may not have heard the last from Nvidia regarding the breach. There are some leaks surfacing that may include certificate material (even if outdated) and source code. The demand to unlock the graphics card for mining is interesting. Nvidia implemented some restrictions and intentionally slowed some mining related operations as cards were purchased quickly by miners and none were left for Nvidia's traditional customers: online gamers.

Johannes Ullrich

The Lapsus$ gang claims they have 1TB of Nvidia proprietary data and password hashes and leaked a 20GB document archive to support their claim. The attackers are asking Nvidia to change its Lite Hash Rate (LHR) technology, which enables the card to limit its use for crypto mining, making it harder to use compromised systems for this purpose. As the LHR source is claimed to be part of the exfiltrated data, and attackers hope someone will engineer a bypass to the rate restrictions, be vigilant and verify Nvidia firmware updates are genuine.

Lee Neely

Most dangerous here are likely the leaked code-signing certificates. With the weak state of certificate revocation lists, even these older certs are sure to be handy for attackers, making their malware appear legitimate.

Christopher Elgee
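The editor's notes above raise two defender tasks: spotting binaries signed with a leaked code-signing certificate when revocation checking cannot be relied on, and confirming that vendor updates carry a genuine signature. The PowerShell script below is an added illustration, not code from SANS, Nvidia or the Lapsus$ reporting; it uses the built-in Get-AuthenticodeSignature cmdlet, and the thumbprint in the blocklist is a placeholder, since the newsletter does not publish the leaked certificates' fingerprints.

```powershell
# Hunt for PE files signed by a known-compromised code-signing certificate,
# or whose signature does not validate. Added example; the thumbprint below
# is a PLACEHOLDER, not a real value from any advisory. Populate it from an
# authoritative source before use.
$CompromisedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_0000000000000000000000000000000000000000'
)

function Find-SuspiciousSignedFiles {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $BlockedThumbprints = $CompromisedThumbprints
    )
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }          # unsigned files: out of scope for this hunt
            $reasons = @()
            # A blocklist hit is the strongest signal: revocation may never be
            # consulted by the host, so a leaked cert can still chain as "Valid".
            if ($BlockedThumbprints -contains $cert.Thumbprint) {
                $reasons += 'signer thumbprint on compromised list'
            }
            # Anything other than Valid (NotTrusted, HashMismatch, ...) needs review.
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    # Expiry is context only: timestamped signatures from legitimate
                    # vendors also outlive their certificate's NotAfter date.
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
}

# Example run over a program directory; scope the path to your own environment.
Find-SuspiciousSignedFiles -Path 'C:\Program Files' | Format-Table -AutoSize
```

Adding a leaked certificate to the Untrusted Certificates store on managed hosts complements this hunt by making future signatures from that certificate fail validation regardless of CRL availability.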

Internet Storm Center Tech Corner

Ukraine Updates

https://www.golem.de/news/ausfall-angriff-auf-ka-sat-satellit-ueber-gatewaystation-in-ukraine-2203-163614.html

https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/

https://www.bleepingcomputer.com/news/security/ukraine-says-local-govt-sites-hacked-to-push-fake-capitulation-news/


IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine

https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/


Geoblocking when you can't Geoblock

https://isc.sans.edu/forums/diary/Geoblocking+when+you+cant+Geoblock/28392/


Attackers Search For Exposed "LuCI" Folders

https://isc.sans.edu/diary/28400


The More Often Something is Repeated, the More True it Becomes

https://isc.sans.edu/forums/diary/The+More+Often+Something+is+Repeated+the+More+True+It+Becomes+Dealing+with+Social+Media/28396/


Alexa Versus Alexa

https://arxiv.org/abs/2202.08619


Bypassing Google Cloud Armor

https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-waf


Memory Corruption Vulnerabilities in PJSIP

https://jfrog.com/blog/jfrog-discloses-5-memory-corruption-vulnerabilities-in-pjsip-a-popular-multimedia-library/


Okta Patch for Advanced Server Access Client

https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-24295


ViaSat Outage

https://www.reuters.com/business/aerospace-defense/satellite-firm-viasat-probes-suspected-cyberattack-ukraine-elsewhere-2022-02-28/


Fortinet Bug

https://www.fortiguard.com/psirt/FG-IR-21-028


IBM Updates

https://www.ibm.com/blogs/psirt/


Google Updates

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html


Conti Ransomware Leak

https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/


Middle Box DDoS Attacks

https://www.akamai.com/blog/security/tcp-middlebox-reflection