SANS NewsBites

US Government and Energy Sector Collaborate on Cybersecurity; US DoJ Disrupts Cyclops Blink Botnet; WatchGuard Delayed Disclosure of Vulnerability

April 8, 2022  |  Volume XXIV - Issue #28

Top of the News


2022-04-06

US Government and Energy Companies are Stepping Up Cybersecurity Collaboration

Shortly before Russia invaded Ukraine, officials from the US departments of Energy and Homeland Security worked closely with executives from Berkshire Hathaway Energy (BHE) to draft a playbook and help the energy sector take steps to protect their systems from potential Russian cyberattacks. Over the past eight years, BHE has implemented stringent cybersecurity measures to protect its systems from attacks.

Editor's Note

This effort supports three important activities we should all implement. First, having a playbook for what to do to protect systems. Second, setting up communication, including addressing any non-disclosure issues, with regulators, law enforcement (FBI), CISA, and other support services both for awareness and incident response. Third, implementing and verifying the plan. Plans, no matter how comprehensive, are of no value sitting on the shelf. They need to be living documents which are followed.

Lee Neely

Collaboration is the word of the day. Happy to see this and more of it across sectors and even within your own organizations. Push for collaboration and check out the SANS Purple Team page to get started: https://www.sans.org/purple-team/

Jorge Orchilles

2022-04-06

US Justice Dept. Disrupts Cyclops Blink Botnet

In March, the US Justice Department (DoJ) disrupted Cyclops Blink, a botnet operated by the Sandworm threat actors, by taking down its command-and-control network. Sandworm has been linked to Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). Armed with a court order, the FBI accessed devices in the US that were infected with the Cyclops Blink malware and removed it. Most of the infected devices were firewall appliances from WatchGuard; others were network devices from Asus.

Editor's Note

Great work by DoJ/FBI in disrupting this botnet. But remember you will still need to patch your firewalls (WatchGuard and ASUS) to prevent immediate re-infection. WatchGuard published a great step-by-step guide walking you through what to do. https://detection.watchguard.com/

Johannes Ullrich

After the instructions to remove Cyclops Blink were released, the number of infected devices dropped by just 39%, so the FBI stepped up and cleaned up for us all, including disabling remote management. Don’t rely on law enforcement to step in like that; proactively manage your perimeter devices. If you don’t have the resources, hire a reputable company to make sure they are patched, properly configured, and lifecycle replacements are performed. Even then, verify these actions are done.

Lee Neely

I have to admit I feel uncomfortable that law enforcement were granted a court order to hack into people’s systems to remediate the botnet. This type of action could serve as a precedent for future intrusions, which may not have the same good intentions.

Brian Honan

2022-04-06

WatchGuard Delayed Disclosure Of Flaw Exploited by Cyclops Blink Operators

WatchGuard fixed a critical vulnerability in its firewalls last year, but didn’t disclose the vulnerability until this week, after Russian state-sponsored hackers exploited it to build the Cyclops Blink botnet. When UK and US law enforcement agencies warned that hackers were infecting WatchGuard firewalls with botnet malware, the company released a tool and directions for identifying and “locking down” infected devices. That information did not specifically mention the vulnerability, although it did urge users to make sure they were running the latest version of the appliances’ OS.

Editor's Note

By delaying the disclosure, WatchGuard may have made it more difficult for customers to accurately define how urgent last year's upgrade was. But the vulnerability was patched about a year ago. And remember that without disabling remote access to the firewall, it is just a matter of time for the next vulnerability to be abused.

Johannes Ullrich

When releasing a fix-it tool or patch together with the associated vulnerability resolution information, particularly if targeting non-IT professionals who won’t research fixes for applicability, relevance and risk/urgency must be conveyed to ensure the fixes are applied.

Lee Neely

The Rest of the Week's News


2022-04-06

German Authorities Seize Dark-Web Marketplace Servers and Cryptocurrency

German law enforcement authorities have seized servers and cryptocurrency wallets belonging to the dark-web marketplace Hydra. The seizure was the culmination of a coordinated effort that included US authorities from the FBI, the DEA, IRS Criminal Investigations, and Homeland Security Investigations. The US Department of Justice (DoJ) has also announced criminal charges against an alleged Hydra operator and sysadmin.

Editor's Note

Coordinated efforts across multiple countries and authorities. We need more of this.

Jorge Orchilles

A big well done to all involved in this operation. While this takedown won’t lead to an end to cybercrime, what it will do is send a strong message to criminals that they are becoming less and less immune to actions from law enforcement. Hopefully, the seized servers will contain some good intel that will assist law enforcement in identifying and arresting more criminals.

Brian Honan

While crypto is not regulated from a safety and soundness perspective, bypassing OFAC restrictions comes with significant fines. Be clear on the exchanges and currencies you are using.

Lee Neely

2022-04-06

ICS Medical Advisory for LifePoint Informatics Patient Portal

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS Medical Advisory warning of a remotely exploitable authentication bypass vulnerability in the LifePoint Informatics Patient Portal, a website that contains patient data. The flaw could be exploited to expose sensitive data. LifePoint Informatics released and deployed Patient Portal Version LPI 3.5.15 in February. Because this is a hosted application, users do not need to take any action.

Editor's Note

While this is a fix to the hosted portal, make sure that you’re utilizing a defense in depth approach for your healthcare ICS components. Minimize network connectivity, don’t allow direct VPN access to their network, and monitor all interaction.

Lee Neely

Note the security advantage of “applications as a service.” Patching is still necessary, but the cost need not be multiplied by the number of users.

William Hugh Murray

2022-04-07

FDA Draft Medical Device Cybersecurity Guidance

The US Food and Drug Administration (FDA) has published draft guidance for medical device cybersecurity. The “guidance is intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk.” The FDA first released guidance for pre-market medical device cybersecurity in 2014; that guidance was updated in 2018. The FDA is accepting comments on the new draft guidance through July 7, 2022.

Editor's Note

The intent is to raise the security baked into medical devices. Unfortunately, the draft document utilizes non-binding guidelines and recommendations rather than requirements, making them both unlikely to be implemented and harder to measure. Even with guidance converted to implemented requirements, you still need to create a verified secure ecosystem to host these devices.

Lee Neely

2022-04-06

US Dept. of Health and Human Services Seeks Comment on HIPAA and HITECH Issues

The US Department of Health and Human Services (HHS) has published a request for information (RFI) in the Federal Register seeking “public comment on how covered entities and business associates are voluntarily implementing recognized security practices as identified in Public Law 116-321 (the HITECH Act) and public input on potential information or clarifications OCR (HHS’s Office for Civil Rights) could provide on its implementation of the statute in future guidance or rulemaking.”

Editor's Note

Comments can be provided by mail (written) or via the Federal Rulemaking Portal (https://www.regulations.gov) by searching for Docket ID OCR-0945-AA04.

Lee Neely

2022-04-06

Apple Updated macOS Selectively

When Apple released fixes last week to address two critical, actively exploited flaws in macOS, it did so only for macOS Monterey; Big Sur and Catalina did not receive patches. Catalina is affected by one of the vulnerabilities; Big Sur is affected by both. The two older versions of macOS account for 35-40 percent of Macs currently in use. The flaws in question reportedly affect iOS and iPadOS as well.

Editor's Note

Apple needs to release stand-alone security updates for older OS versions, in particular as Apple does alter functionality (like recently removing Python 2), making it impossible for some to upgrade. In this case, a stand-alone security update for macOS 12.2 will be almost more important than updates for macOS 10/11. macOS 10/11 are affected by only one of the two flaws fixed in the latest update.

Johannes Ullrich

Apple holds their update/EOL process close. While they have historically supported current plus two versions back, they have a caveat about severity driving the back porting of updates. Vendors consistently apply the best and most comprehensive updates to current versions. For commodity systems, qualify the latest versions and deploy them in a timely fashion. For older versions, make sure that you mitigate risks with added endpoint or network protections and monitoring, as well as looking to a defined lifecycle expectation with appropriate risk acceptance for those devices.

Lee Neely

2022-04-06

Some Palo Alto Networks Products Vulnerable to High-Severity OpenSSL Flaw

Palo Alto Networks says that some of its firewall, VPN, and XDR products are vulnerable to an OpenSSL flaw (CVE-2022-0778) that was disclosed several weeks ago. The infinite loop vulnerability can be exploited to create denial-of-service conditions and crash devices that are not running patched software. While the OpenSSL project released fixed versions when it disclosed the flaw in mid-March, Palo Alto Networks plans to release updates that address the flaw the week of April 18.
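The practical question this item raises for anyone who runs OpenSSL-linked software is which builds still lack the fix. As an added example (not from the newsletter, Palo Alto Networks, or the OpenSSL project), the Python below parses the banner that "openssl version" or Python's ssl module reports and checks it against the fixed releases the OpenSSL project published on 15 March 2022 (1.0.2zd, 1.1.1n and 3.0.2). The host names and banners in SAMPLE_INVENTORY are constructed for illustration, and the function names are this example's own. Note the caveat for vendor appliances such as the PAN-OS devices discussed above: vendors often ship their own or backported builds, so the banner test applies to hosts you can query directly, while appliances should be judged by the vendor advisory.

```python
import re
import ssl

# Fixed releases published by the OpenSSL project on 15 March 2022 for CVE-2022-0778.
FIXED_LETTER = {
    (1, 0, 2): "zd",   # 1.0.2zd (premium-support branch)
    (1, 1, 1): "n",    # 1.1.1n
}
FIXED_3_0_PATCH = 2    # 3.0.2

_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_key(suffix):
    # OpenSSL 1.x letter suffixes sort a, b, ..., z, za, zb, zc, zd, ...
    # so a longer suffix is always newer; equal lengths compare as text.
    return (len(suffix), suffix)


def parse_openssl_banner(banner):
    """Turn 'OpenSSL 1.1.1k  25 Mar 2021' into (1, 1, 1, 'k'); None if not OpenSSL."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def vulnerable_to_cve_2022_0778(banner):
    """True if the build predates the fix, False if it carries it, and None if the
    banner is not OpenSSL at all (LibreSSL, BoringSSL) and cannot be judged here."""
    parsed = parse_openssl_banner(banner)
    if parsed is None:
        return None
    major, minor, patch, suffix = parsed
    if major > 3 or (major == 3 and minor > 0):
        return False          # 3.1 and later were released after the fix
    if major == 3:
        return patch < FIXED_3_0_PATCH
    series = (major, minor, patch)
    if series in FIXED_LETTER:
        return _letter_key(suffix) < _letter_key(FIXED_LETTER[series])
    return True               # 1.1.0, 1.0.1 and older: out of support, never fixed


# Constructed sample inventory (hypothetical hosts and banners, not real data), in the
# shape an inventory tool would collect from 'openssl version' over SSH.
SAMPLE_INVENTORY = {
    "fw-edge-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "fw-edge-02": "OpenSSL 1.1.1n  15 Mar 2022",
    "vpn-gw-01": "OpenSSL 1.0.2zc",
    "vpn-gw-02": "OpenSSL 1.0.2zd  15 Mar 2022",
    "xdr-agent-host": "OpenSSL 3.0.1 14 Dec 2021",
    "build-box": "LibreSSL 3.3.6",
}


def triage(inventory):
    """Map host -> 'PATCH' / 'ok' / 'unknown' so the result can feed a ticket queue."""
    labels = {True: "PATCH", False: "ok", None: "unknown"}
    return {host: labels[vulnerable_to_cve_2022_0778(b)] for host, b in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
    # The library this interpreter is linked against; it says nothing about other
    # software on the same box, let alone a network appliance.
    print("this python:", ssl.OPENSSL_VERSION, "->",
          vulnerable_to_cve_2022_0778(ssl.OPENSSL_VERSION))
```

Run it as-is to see the constructed inventory triaged; in practice replace SAMPLE_INVENTORY with banners gathered from your own hosts. The letter-suffix comparison matters: a naive string compare would rank 1.0.2zd below 1.0.2z and report patched systems as vulnerable.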


2022-04-07

Microsoft Takes Down Domains Used in Cyberattacks Against Ukrainian Targets

Microsoft has taken down seven domains that were being used to conduct cyberattacks against Ukrainian targets. The attacks were being launched by the APT28 hacking group, also known as Strontium, which has been linked to Russia’s GRU military intelligence service. Microsoft “obtained a court order authorizing [them] to take control of seven internet domains Strontium was using to conduct these attacks.” They redirected the domains to a Microsoft-controlled sinkhole. The domains were also being used to launch attacks against US and EU government entities and think tanks.

Editor's Note

Redirecting domains like this requires not only infrastructure capable of resisting any retaliatory actions, but also a solid legal basis to keep it from backfiring. One hopes the research done to identify and target these domains can be leveraged to discover the replacements quickly.

Lee Neely

Internet Storm Center Tech Corner

Windows MetaStealer Malware

https://isc.sans.edu/forums/diary/Windows+MetaStealer+Malware/28522/


WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools

https://isc.sans.edu/forums/diary/WebLogic+Crypto+Miner+Malware+Disabling+Alibaba+Cloud+Monitoring+Tools/28520/


What is BIMI

https://isc.sans.edu/forums/diary/What+is+BIMI+and+how+is+it+supposed+to+help+with+Phishing/28528/


Ashley Taylor: Doppelgangers: Finding Job Scammers Who Steal Brand Identities

https://www.sans.edu/cyber-research/doppelgangers-finding-job-scammers-who-steal-brand-identities/


WatchGuard Vulnerability Behind Cyclops Blink

https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SOCGSA4&lang=en_US


Malware Targeting Amazon Lambdas

https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/


VMware Bugs

https://www.vmware.com/security/advisories.html


US Justice Department Takes Down Cyclops Blink Botnet

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation


Palo Alto CVE-2022-0778

https://security.paloaltonetworks.com/CVE-2022-0778


Unpatched Apple Bug

https://www.intego.com/mac-security-blog/apple-neglects-to-patch-zero-day-wild-vulnerabilities-for-macos-big-sur-catalina/


Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks


New Security Features for Windows 11

https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/


Fin7 Power Hour: Adversary Archaeology and Evolution of FIN7

https://www.mandiant.com/resources/evolution-of-fin7