SANS NewsBites

Colonial Pipeline Gets $1M Fine for Security Failures; Malicious USB Drives Being Used to Download Worms; Install Latest F5 Big IP Patches ASAP, Check for Compromise

May 10, 2022  |  Volume XXIV - Issue #37

Top of the News


2022-05-09

One Year Later, US Regulator Proposes Colonial Pipeline Fine

The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA) has proposed fining Colonial Pipeline nearly $1 million for control room management failures that contributed to the severity of the May 2021 cyberattack. One year ago, Colonial Pipeline shut down operations in the wake of a ransomware attack. According to a PHMSA press release, the Notice of Probable Violation (NOPV) and Proposed Compliance Order “alleges that failures to adequately plan and prepare for a manual restart and shutdown operation contributed to the national impacts when the pipeline remained out of service after the May 2021 cyber-attack.”

Editor's Note

While PHMSA is still under the US Department of Transportation, the Transportation Security Administration (TSA) which is under DHS has overall responsibility for pipeline security. Until the Colonial Pipeline incident, TSA largely focused on voluntary compliance and interviews on security issues, mostly focused on operational technology and physical security, with no real audits. Since the incident, TSA has put out 2 Pipeline Cybersecurity Directives (one requiring a “Cybersecurity Coordinator” for the first time) and established a cybersecurity operations branch. This is a good example to use to drive a proactive review of (a) cross OT/IT cybersecurity visibility into and security testing of OT cybersecurity and (b) development of playbooks for response to a cyber incident that impacts OT operations directly or indirectly.

John Pescatore

If you had not considered regulatory fines for breaches and ransomware, here is an example you can use. The direct cost is more obvious: negotiator, incident response, recovery, etc. I go deeper into these costs in my blog: https://www.scythe.io/library/the-real-costs-of-ransomware-direct-costs

Jorge Orchilles

This emphasizes the importance of a viable COOP plan. If you're in a regulated industry, you need to make sure that your regulators are on board with your service resumption goals. Even so, you need to make sure you can meet those goals, to include any assumptions about acquisition. Revisit plans about backup communication paths as well as changes to perimeter security to facilitate resumption of operations. The last two years have taught us that exposed services are rapidly targeted; remember, security by obscurity isn't. Stand things up securely from the get-go.

Lee Neely

In addition to fines, accountability for these failures should include changes in both governance, directors, and management. Fines alone are not sufficient to change an organization's behavior.

William Hugh Murray

2022-05-06

Raspberry Robin Spreads Via External Drives

Analysts from Red Canary have detected a worm that spreads via external USB drives. Dubbed Raspberry Robin, the malware uses Microsoft Standard Installer to communicate with its command-and-control infrastructure, which is largely made up of compromised QNAP devices.

Editor's Note

Even if you aren't interested in this particular malware, read it for a nice example of how to provide actionable information about detecting this type of malware; the particular techniques being used will likely be found in other malware as well.

Johannes Ullrich

Am I the only one who thought this was a Raspberry Pi issue? Not so much. This is the loaded media problem; once again your QNAP devices are in the crosshairs. This reminds us to not allow autoplay on removable media, only use trusted media, and ideally, scan it before inserting it into system components. Note that NGAV systems tend to not perform disk scanning; they scan when files are opened, so you need a separate process for that.

Lee Neely

2022-05-09

Big-IP Flaw is Being Actively Exploited: Patch Now

A critical vulnerability in F5’s Big-IP appliances is being actively exploited. F5 released fixes for the flaw last week. The flaw affects the Big-IP iControl REST authentication component. It can be exploited to execute commands with root privileges and could potentially allow attackers to take complete control of vulnerable devices.

Editor's Note

This is a serious vulnerability and represents a foundational misunderstanding of threat modeling. Regardless of authentication bypass issues, F5 essentially built a webshell into its product. The only saving grace is that the management interface of the F5 should not be accessible from the Internet. Still, we're already observing threat actors exploiting the vulnerability. I wrote a blog post on the post-exploitation activity observed and recorded a video dissecting the vulnerability, including recommendations for organizations. Blog post: https://www.scythe.io/library/f5-big-ip-cve-2022-1388 Video: https://www.youtube.com/watch?v=1IChiQZM7EY

Jake Williams

Our honeypots started seeing numerous exploit attempts Sunday-Monday night. Exploit attempts include simple recon, backdoors (including webshells), data exfiltration and even two attempts to destroy the devices. Please see this as yet another “last warning” to remove admin/control interfaces from public networks and carefully restrict traffic to these interfaces. This particular vulnerability is about as bad as they come, but F5 isn't the only one having patched an unauthenticated remote code execution flaw recently. The number of exposed systems is small, but if your system is vulnerable and exposed, it was likely exploited by now.

Johannes Ullrich

Readers of this newsletter probably know to turn off external management interfaces, but when's the last time you ran < ssh user@your.vpc.here nmap $(curl icanhazip.com) > on your home network? On your friends' and relatives'?

Christopher Elgee

If you're still procrastinating because the flaw wasn't well known, or being exercised, time's up. Make sure that you've got your roll-back process well defined then get that maintenance window lined up. Repeat until done.

Lee Neely

The Rest of the Week's News


2022-05-09

Agricultural Equipment Company Systems Hit with Ransomware

Agricultural machinery maker AGCO says its systems were hit with a ransomware attack. The incident affects some of its production facilities. AGCO says it “is still investigating the extent of the attack, but it is anticipated that its business operations will be adversely affected for several days and potentially longer to fully resume all services.”

Editor's Note

This is the time of year when agricultural machinery is in high demand as crops are planted, making the attack even more disruptive. While you may not have heard of AGCO, its brands include Challenger®, Fendt®, GSI®, Massey Ferguson® and Valtra®, and their biggest rivals are Caterpillar, Komatsu and John Deere & Company. We've been talking about supply chain risks for a bit, but have you considered the availability of large system components and your realistic ability to pivot to alternatives? How about when those components are pre-paid? How about a supplier which provides services that manage operations?

Lee Neely

2022-05-09

Microsoft Fixes Azure Data Factory and Azure Synapse Pipelines Vulnerability

Microsoft has released updates to address a vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. The issue could be exploited to execute remote commands across Integration Runtimes. Microsoft does not expect that customers will need to take any action, but in the event that action is necessary, customers will receive notifications through Azure Service Health Alerts.

Editor's Note

If you're running Azure Integration Runtime, or on-premises Self-Hosted Integration Runtime, with auto-updates enabled, you're good to go. If you're not so big on auto-update, keep an eye on your Azure Service Health notifications and have a frank conversation about enabling auto-updates; things are moving pretty fast these days, and leveraging auto-updates from your providers can save you all sorts of long-term issues.

Lee Neely

2022-05-09

RubyGems Fixes Critical Unauthorized Gem Takeover Flaw

RubyGems has fixed a critical vulnerability that could be exploited to unpublish Ruby packages from the repository and put altered and/or malicious versions in their places. The flaw affected RubyGems.org, which hosts more than 170,000 gems.

Editor's Note

This was a simple oversight and there is no evidence it's been exploited. While authentication and most rights were indeed checked, the check that the gem you were accessing was indeed the one you're permitted access to was missed; this is fixed. RubyGems also now sends an email to the gem owner when a gem is yanked or published. As a package owner, you should audit your gems for signs of potential tampering as well as make sure that you're following the best practices outlined in the mitigation section of the RubyGems GitHub page below.

Lee Neely
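To make the missed check concrete, here is an added, simplified Ruby model of this class of bug (constructed example code, not RubyGems.org's implementation); the gem names, owners and the dash-collision scenario are assumptions chosen so the difference between the two flows is observable.

```ruby
# Added, simplified model of the class of check described in the note above;
# constructed example code, not RubyGems.org's implementation.
Version = Struct.new(:gem_name, :number) do
  def full_name; "#{gem_name}-#{number}"; end
end
class Registry
  def initialize
    @owners   = Hash.new { |h, k| h[k] = [] } # gem name => owner handles
    @versions = []                            # published Version records
  end

  def add_gem(name, owner);      @owners[name] << owner;                    end
  def publish(gem_name, number); @versions << Version.new(gem_name, number); end
  def owner?(user, gem_name);    @owners[gem_name].include?(user);         end
  def published?(gem_name, number)
    @versions.any? { |v| v.gem_name == gem_name && v.number == number }
  end

  # Weak flow: authentication and ownership of the *requested* gem name are
  # checked, but the version is then resolved by full name alone, so the
  # record acted on is never confirmed to belong to the authorized gem.
  def yank_unchecked(user, gem_name, number)
    return :forbidden unless owner?(user, gem_name)
    version = @versions.find { |v| v.full_name == "#{gem_name}-#{number}" }
    return :not_found unless version
    @versions.delete(version)
    :yanked
  end

  # Hardened flow: the lookup is scoped to the gem the caller is authorized
  # for, so a version of any other gem can never be returned here.
  def yank_checked(user, gem_name, number)
    return :forbidden unless owner?(user, gem_name)
    version = @versions.find { |v| v.gem_name == gem_name && v.number == number }
    return :not_found unless version
    @versions.delete(version)
    :yanked
  end
end

# Constructed scenario (an assumption used to make the missed check visible):
# "alice" owns gem "foo", "bob" owns gem "foo-bar"; full names collide on "-".
def demo(yank_method)
  r = Registry.new
  r.add_gem("foo", "alice");   r.publish("foo", "2.0")
  r.add_gem("foo-bar", "bob"); r.publish("foo-bar", "1.0")
  result = r.public_send(yank_method, "alice", "foo", "bar-1.0")
  [result, r.published?("foo-bar", "1.0")] # unchecked: [:yanked, false]; checked: [:not_found, true]
end
```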

2022-05-06

Better Cybercrime Metrics Act Becomes US Law

Last week, US President Joe Biden signed the Better Cybercrime Metrics Act into law. The legislation requires the Department of Justice and the FBI to maintain cybercrime statistics and requires the DoJ to work with the National Academy of Sciences to develop a taxonomy to help make sense of the information.

Editor's Note

Reliable, repeatable data on cybercrime incidents is badly needed, but don’t look for output from this Act for at least two years. The taxonomy effort alone is planned to take 1 year.

John Pescatore

Until the taxonomy is completed, the benefits cannot begin to be realized. With luck this will lead to standardized metrics which will allow us to consistently assess the current landscape.

Lee Neely

This effort might be bootstrapped by starting with the VERIS framework used by the many contributors, including the FBI and Secret Service, to the Verizon Data Breach Incident Report (DBIR).

William Hugh Murray

2022-05-09

US State Department Offers Reward for Info About Conti Ransomware Operators

In an attempt to hobble the Conti Ransomware operation, the US State Department is offering “a reward up to $10,000,000 for information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group [and] a reward of up to $5,000,000 for information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

Editor's Note

This is another measure to deter malicious actors but will probably only gain businesses more time to prepare as other actors will fill in Conti’s place. The best time is now folks. Test, measure, train and improve your people, process, and technology. We have a ton of resources at SANS: https://sans.org/purple-team

Jorge Orchilles

Given the alignment of the Conti Ransomware operators with the Russian government, it'll be interesting to see if anyone takes the State Department up on this offer. Also, as they are a RaaS provider, it's not clear how much legal action will flow down to their affiliates using their platform. This should be interesting to watch.

Lee Neely

2022-05-09

Costa Rica Declares Cybersecurity Emergency

Costa Rica’s new president Rodrigo Chaves has declared a state of cybersecurity emergency several weeks after a Conti ransomware attack significantly impaired multiple government computer networks. The country’s treasury has not had access to digital services since mid-April.

Editor's Note

The attacks on Costa Rica commenced April 18th, and they are still recovering, and their government has decided they are not going to pay the ransom. The attack is impacting their Ministry of Finance, Ministry of Science, Innovation, Technology and Communications, National Meteorological Institute, Radiographic Costarricense, Costa Rica Social Security Fund, and others. The reward offered by the US State Department hopes to result in a take-down before others can be harmed. In the meantime, this declaration will enable the support needed to apply resources to recovery, remediation, and prevention of recurrence, just as an emergency declaration after a natural disaster does.

Lee Neely

Internet Storm Center Tech Corner

F5 BIG-IP Unauthenticated RCE Vulnerability (CVE-2022-1388)

https://isc.sans.edu/forums/diary/F5+BIGIP+Unauthenticated+RCE+Vulnerability+CVE20221388/28624/


What is the simplest malware in the world?

https://isc.sans.edu/forums/diary/What+is+the+simplest+malware+in+the+world/28620/


Octopus Backdoor is Back with a New Embedded Obfuscated Bat File

https://isc.sans.edu/forums/diary/Octopus+Backdoor+is+Back+with+a+New+Embedded+Obfuscated+Bat+File/28628/


QNAP QVR Update

https://www.qnap.com/de-de/security-advisory/qsa-22-07


Trend Micro False Positive Aftermath

https://success.trendmicro.com/dcx/s/solution/000290966?language=en_US


Microsoft Azure

https://orca.security/resources/blog/azure-synapse-analytics-security-advisory/

https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972/


CVE-2022-1388 (BIG-IP) Exploits

https://twitter.com/sans_isc/status/1523741896707043328

https://github.com/horizon3ai/CVE-2022-1388


Raspberry Robin Worm

https://redcanary.com/blog/raspberry-robin/


rubygems CVE-2022-29176 explained

https://greg.molnar.io/blog/rubygems-cve-2022-29176/