SANS NewsBites

India CERT to Require 6-Hour Incident Reporting; Microsoft Fixes Privilege Escalation Flaw in Azure PostgreSQL DB; US Banks Now Have 36 Hour Incident Response Reporting Deadline

May 3, 2022  |  Volume XXIV - Issue #35

Top of the News


2022-05-02

India’s CERT Requires Fast Reporting of Cyber Incidents

New guidelines from India’s Computer Emergency Response Team (CERT-In) require companies, data centers, service providers, and government agencies to report cyber incidents within six hours of detection. The covered organizations will also be required to maintain ICT system logs for a rolling period of 180 days and be prepared to submit them to CERT-In if requested. The new requirements take effect in late June.

Editor's Note

There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.

John Pescatore

This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.

Johannes Ullrich

The timeline is short: 60 days. Twenty incident types are listed with a six-hour reporting window, along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you're using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small; GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.

Lee Neely

It seems like a very grand plan, with very few specific details set to be rolled out within the next 60 days. I don’t think this is realistic and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low priority events. How would the CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?

Moses Frost

2022-04-29

Microsoft Patches Flaws in Azure PostgreSQL Database

Microsoft has fixed two vulnerabilities in the Azure Database for PostgreSQL Flexible Server. The flaws could be exploited to obtain elevated privileges and access other customers’ databases. Wiz researchers reported the issues to Microsoft in January. Microsoft has addressed the issues; no action is needed by customers.

Editor's Note

Privilege escalation flaws are very difficult to prevent and dangerous for on-premises systems. But for cloud providers, a simple privilege escalation flaw is deadly as it destroys the illusion of cross-tenant isolation of data.

Johannes Ullrich

Microsoft patched the databases on February 25th, so you're covered. They recommend setting up private network access to flexible servers to minimize further exposure. Fundamentally, make sure that you're not needlessly exposing access to services, and leverage security services and options to also monitor access to ensure protections are what you think they are. Read the Wiz research blog (https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/) for more details on the ExtraReplica flaw.

Lee Neely

While, on the surface, this seems to be tragic, I guess the real question is how prevalent the PostgreSQL Flexible Server deployment is going to be. Having a system with a disclosed vulnerability in your cloud service provider is a double-edged sword. While there was a privilege escalation flaw in PostgreSQL, because this is a cloud provider, each PostgreSQL instance can be patched and remediated without the user necessarily worrying about it. With on-premises software, we often see that it is the case that servers go unpatched. The question is a tricky one to weigh in on. Cloud-hosted and shared infrastructure vs. on-premises and private. Which one is safer, less risky, or more secure? Is it better or worse than it is cloud-hosted? Only time will tell.

Moses Frost

2022-04-29

Breach Reporting Rules for US Banks Now in Effect

As of May 1, US banks are required to notify regulators of computer security incidents within 36 hours of detection. “A collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency” passed the rule in November 2021.

Editor's Note

The FDIC currently requires incident reporting within 72 hours of detection, so this is a significant move forward. But the FDIC, along with the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency, took input from industry and narrowed the definition of what constitutes a “notification incident” to those that actually caused some harm – probing/scanning would not qualify. A 36-hour response will be tough for many, but the financial sector certainly needs the toughest requirements.

John Pescatore

Essentially, if you're a federally insured or regulated financial institution, this applies. Make sure that you review your agency-specific guidance for reporting, and note the examples of incidents that were released to clarify the initially overly vague 'Computer-Security Incident' in the initial legislation. Expect your examiners to verify that you have both the notification process and the definition of what you need to report. As other organizations (CISA, DHS, etc.) are looking for incident reporting, it'd be a good idea to make sure you know what that would mean if you're required to comply, including what information you would rather not share and establishing the relationships required for reporting or assistance.

Lee Neely

The Rest of the Week's News


2022-05-02

Google Expands Types of Data Users Can Have Removed from Search Results

Google now allows people to remove more personally identifiable information (PII) from search results. Google has previously allowed people to request that their financial information be removed from search results; now they can have their contact information removed as well.

Editor's Note

This has been a right, known as the “right to erasure” or more commonly referred to as the “right to be forgotten,” to those based in the EU and covered by the EU General Data Protection Regulation (GDPR). A key point to note is that while the personal data is removed from the search results, the data is still available on the sites hosting that data. Under GDPR, individuals also need to exercise their right to erasure with the sites hosting their personal data.

Brian Honan

With more privacy legislation including the "right to be forgotten," knowing how to exercise that right is important, and the process varies by service. Be sure you understand the process and limitations available. Google outlines the process and limits of what they will do on their "Remove select personally identifiable info (PII) or doxxing content from Google Search" help page: https://support.google.com/websearch/answer/9673730

Lee Neely

2022-04-29

Netatalk Vulnerabilities Affect Synology and QNAP NAS Devices

Critical vulnerabilities in Netatalk, the open-source implementation of the Apple Filing Protocol (AFP) file server, affect certain QNAP and Synology network attached storage (NAS) devices. The flaws could be exploited to access sensitive data and potentially execute arbitrary code.

Editor's Note

Not a terribly big deal. Disable Netatalk (it is no longer needed) and apply patches as they become available. This affects many Linux-based network storage systems. Synology and QNAP are just the two of them responsible enough to release an advisory.

Johannes Ullrich

Patch your NAS and make sure it's not exposed to the Internet. Remove unneeded apps and user accounts, and watch for unexpected additions. Ideally, don’t allow SMB or AFP through your boundary; require a VPN for access. If you must allow the direct connection, only allow it from trusted devices.

Lee Neely

2022-05-02

Espionage Threat Actor Targets Corporate Emails

Researchers from Mandiant have identified a new espionage threat actor that they have dubbed UNC3524. The group “targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions.” The threat actors have been observed maintaining dwell time of up to 18 months.

Editor's Note

This interesting attack group leverages typically unmonitored systems for its ingress and egress point. Smart move. Most companies do not realize how vulnerable these systems are and how easy it is to leverage them for C2. There are three things to look for in the article: the command channel for the attacker group, how they leverage EWS on-premises, and the mention of the Mandiant M365 Hardening Guides. My advice for those considering keeping on-premises servers. Don't.

Moses Frost

2022-05-02

US Legislators Introduce Satellite Cybersecurity Companion Bill

Companion legislation introduced in the US House of Representatives would direct agencies to help improve network cybersecurity for the commercial satellite sector. The Satellite Cybersecurity Act would “require a report on Federal support to the cybersecurity of commercial satellite systems [and] establish a commercial satellite system cybersecurity clearinghouse in the Cybersecurity and Infrastructure Security Agency.”

Editor's Note

Having standards should help suppliers design for an appropriate level of security. Making them voluntary may be a double-edged sword if the goal is to raise the bar consistently across the board. The trick will be adding security to existing satellites, which are often not sized or otherwise equipped to add that workload. One hopes that industry input can be gathered during an RFC comment period for the new standards to make them both relevant and achievable.

Lee Neely

Internet Storm Center Tech Corner

Using Passive DNS Sources for Reconnaissance and Enumeration

https://isc.sans.edu/forums/diary/Using+Passive+DNS+sources+for+Reconnaissance+and+Enumeration/28596/


Detecting VSTO Office Files with ExifTool

https://isc.sans.edu/forums/diary/Detecting+VSTO+Office+Files+With+ExifTool/28604/


The Gmail SMTP Relay Service Exploit

https://www.avanan.com/blog/the-gmail-smtp-relay-service-exploit


SonicWall Global VPN Client DLL Search Order Hijacking

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036


OpenSSF Package Analysis

https://openssf.org/blog/2022/04/28/introducing-package-analysis-scanning-open-source-packages-for-malicious-behavior/


M1 Prefetcher Data Leak

https://www.prefetchers.info


Microsoft Edge Secure Network

https://support.microsoft.com/en-gb/topic/use-the-microsoft-edge-secure-network-to-protect-your-browsing-885472e2-7847-4d89-befb-c80d3dda6318


Sina Weibo Making Users IPs and Location Public

https://www.theregister.com/2022/04/29/weibo_location_services_default/


Zoom Updated

https://explore.zoom.us/en/trust/security/security-bulletin/