SANS NewsBites

Ransomware Payment Recovery Never Covers the Cost of the Incident; PyPi Raises Security with 2FA Requirement; Windows Autopatch Released

July 12, 2022  |  Volume XXIV - Issue #53

Top of the News


2022-07-12

SANSFIRE Keynote Live Stream

Join us this evening for a live stream of the keynote from SANSFIRE. 7pm ET Tuesday June 12th.

For about 20 years, the Internet Storm Center has offered terabytes of data to the community to help you understand attacks you are seeing and assist you in augmenting or, as we often put it, "add color" to your network logs. Security teams globally have been using that added color to reduce time to detect and time to restore.

In this hands-on keynote, you will learn how to effectively and efficiently use the data we offer and how to contribute data to our collection.

https://www.sans.org/webcasts/the-internet-storm-center-how-to-use-and-how-to-contribute-data/

A recording will be available in case you miss the live presentation.


2022-07-10

Ransomware Payment Recovery Does Not Cover Costs of Attack

Maastricht University in the Netherlands has recovered cryptocurrency it paid after a ransomware attack in 2019. The 2019 payment of 30 bitcoin, worth €200,000 at the time, is now worth €500,000. Maastricht University says the net gain of €300,000 does not cover the costs associated with the attack.

Editor's Note

The obvious reaction from most NewsBites readers is, of course, “No Duh” or whatever the 2022 equivalent of that is. But it is important to get across to management that no insurance payment, let alone any recovery of damages through legal means, ever covers the full cost of an incident and, more importantly: the cost of avoiding most incidents is almost always less than the cost of suffering the incident.

John Pescatore

The volatility of cryptocurrency worked in their favor this time. While it's awesome to recover the payment, and I would jump on it if the opportunity presented itself, don't assume recovering the ransom, including any increase in value, will come close to covering costs incurred to recover from an attack, particularly as some decryption programs provided by the attackers don't work, leading to the most resource-intensive recovery option.

Lee Neely

This is an important point that organizations should take into consideration when facing ransomware extortions: the cost of recovery is not just the ransom demand. It can also include the costs of replacing compromised devices, updating systems, dealing with forensic and other investigations, and so on. (Disclaimer: I am a guest lecturer at Maastricht University but had no involvement with this incident.)

Brian Honan

2022-07-11

PyPI Mandates Two-Factor Authentication

The Python Package Index (PyPI) repository has begun rolling out a two-factor authentication (2FA) requirement for critical projects. Google’s Open Source Security Team has provided 4,000 Titan security keys to be given to eligible maintainers.

Editor's Note

The push-back from developers is interesting, and a good lesson for anybody rolling out 2FA in larger organizations. Developers contributing to PyPI are probably less likely to experience technical issues implementing 2FA than most organizations, and these developers are likely more aware than most about some of the issues with password-based authentication. But still, the extra complexity of 2FA was enough for some of them to rebel/refuse to participate.

Johannes Ullrich

It’s 2022. How have the other library management systems survived this long without requiring multi-factor? Having not been extremely into every library management system like this, it does make you question what the other managers are doing. Is this an oversight? Have threat actors been in these systems for years without tipping us off?

Moses Frost

Good to see all the momentum and minimal (but not zero) pushback for stronger authentication in the software supply chain. Now is a good time to do a prototype test of 2FA within your organization, maybe just the security group and some security friendly IT admins. Find the trouble areas (there will be some) and develop, and get approved, plans for some level of 2023 rollout.

John Pescatore

Nice move to incentivize the adoption of 2FA! Before you get too excited, note that the Titan keys are only authorized in Austria, Belgium, Canada, France, Germany, Japan, Spain, Switzerland, United Kingdom, and the United States. Other areas need either a FIDO U2F key or 2FA enabled through a mobile app such as Google Authenticator, MS Authenticator, DUO Mobile, etc. Note that this simply prevents accounts being usurped by others; it doesn't ensure the integrity of the users who have the 2FA tokens.

Lee Neely

2022-07-12

Windows Autopatch is Now Available

Microsoft has made Windows Autopatch available for all users with Windows Enterprise E3 and E5 licenses. Autopatch will automate the updates for Windows 10, Windows 11, Microsoft Edge and Microsoft 365.

Editor's Note

Windows Autopatch is an interesting option for larger organizations to manage the risk of patching. Note that this is an option, and not replacing the patch Tuesday we know and love. But it offers for free what many organizations are already doing in some form.

Johannes Ullrich

Per many previous comments, try it out – most organizations will see minimal breakage and take one more step towards basic security hygiene.

John Pescatore

I would like to say “Yay, this is great,” like Chrome Automatic Updates, but we have seen problematic patches in the past. Will we see an enterprise or two go down because of a botched patch, like we saw when antivirus vendors accidentally quarantined critical system services? Curious to see how this will go.

Moses Frost

Make sure you understand how this applies to your business, as in what packages and license levels you need to enable the feature. It is available both as a service from Microsoft that manages systems on a customer's behalf (Windows Autopatch) and as part of Windows Update for Business and the Windows Update for Business deployment services. Start with a test set of systems to determine the impact versus your prior update mechanisms. Note that this is directed to end-users (commodity systems) rather than server systems, where application of the updates requires a much lower level of regression testing and has become SOP.

Lee Neely

The Rest of the Week's News


2022-07-10

HHS OCR Will Improve Breach Reporting Process

The US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has agreed to improve its communication with entities that report breaches. A recent report from the Government Accountability Office (GAO) recommended that HHS “establish a feedback mechanism to improve the effectiveness of its breach reporting process.”

Editor's Note

This is part of the bill coming due as the health care world has moved (sloowly) to depending on and starting to realize the benefits of electronic health records. The Healthcare Information Portability and Accountability Act (HIPAA) in 1996 resulted in breach notification regulations giving 60 days for notifying impacted parties and HHS, obviously too long – very manual processes evolved from that. Tighter requirements would have driven the need to move away from manual, paper bound breach notification processes at least as fast as electronic health records moved.

John Pescatore

In incident response, one of the most important things you can do is to learn from your own incidents; one of the other important things you can do is to learn from others’ security incidents. Hopefully, the HHS will provide feedback to individual organizations and sanitized feedback to others so that all organizations can improve their security from lessons learnt.

Brian Honan

Whether you're having vulnerabilities or breaches reported to you, timely response is required. Additionally, don't just file the information; make sure it is acted upon by qualified and empowered people. Without an effective response, those reporting are unlikely to continue to do so and may choose other ways of handling the information, which may be far less desirable.

Lee Neely

2022-07-08

Microsoft Temporarily Rolls Back Macro Blocking

Microsoft has temporarily rolled back its decision to block VBA macros in Office documents downloaded from the Internet. Office has been warning users about macros for the past six years, giving users an option to enable them. Earlier this year, Microsoft announced that it would begin automatically blocking VBA macros by default; the feature went live in June.

Editor's Note

The change was likely rolled back due to unintended business process impact. No matter what the source, users need to be trained to think twice, pause, and think again, before enabling macros in an Office document. Organizationally you can roll out the Microsoft Office group policy objects and enable the "Block macros from running in Office files from the Internet" policy setting. Note that a document's properties could then be updated (file, properties, and click unblock in the security section and hit apply) to remove the "mark of the web" and macros would then be enabled. Only do this for trusted content.

Lee Neely
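Added example (not from the NewsBites page, Microsoft, or the editors): a PowerShell audit for the two points raised above, checking whether a downloaded document still carries the Mark of the Web and whether the "Block macros from running in Office files from the Internet" policy is enforced. The sample file path and Office version 16.0 are assumptions.

```powershell
# Added example: audit a downloaded Office document for the Mark of the Web and
# check whether the Internet-macro block policy is enforced for Word, Excel and
# PowerPoint. Assumes Office 16.0 (2016/2019/365); the file path is a placeholder.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\sample.xlsm"   # assumed sample file
)

# 1. The Mark of the Web is stored in the Zone.Identifier alternate data stream.
#    ZoneId=3 means "Internet". If the stream is missing, the file was unblocked
#    (Properties > Unblock) or never had MOTW, so the Internet macro block will
#    not apply to it.
try {
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    $zoneId = $null
    foreach ($line in $zone) {
        if ($line -match '^ZoneId=(\d+)') { $zoneId = $Matches[1] }
    }
    $label = if ($zoneId -eq '3') { 'Internet' } else { 'other zone' }
    Write-Output "MOTW present on ${Path}: ZoneId=$zoneId ($label)"
} catch {
    Write-Warning "No Zone.Identifier stream on ${Path}: MOTW absent, macro block will not apply."
}

# 2. The GPO setting writes blockcontentexecutionfrominternet=1 under the
#    per-application Security key in the Policies hive.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $item = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
    $val = if ($item) { $item.blockcontentexecutionfrominternet } else { $null }
    if ($val -eq 1) {
        Write-Output "${app}: Internet macro block enforced by policy"
    } else {
        Write-Warning "${app}: policy not set (value=$val); relying on Microsoft's default behaviour"
    }
}
```

Run it against a file saved from a browser or mail client; a document with the stream removed shows up in the first check, and an unconfigured machine shows up in the second.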

The amount of chatter on Twitter and other social media over this is rather interesting. Many pen-testers and red team individuals are cheering and jeering at Microsoft’s decision to roll back. Cheering as Macros will still be somewhat available over the Office Ecosystem and Jeering because Microsoft had a chance to remove this vulnerability by default. What this will ultimately mean will be difficult to figure out, other than the “status quo” from here on out for the foreseeable future.

Moses Frost

Had to manage a similar problem in IBM some forty years ago. Changing the default (the right "security" decision) broke applications all around the world. One can only sympathize. Notice and publicity can only marginally mitigate the pain.

William Hugh Murray

2022-07-08

GAO to US Department of Energy: Improve Grid Cybersecurity

In a recent report, the US Government Accountability Office (GAO) listed 26 priority recommendations for the Department of Energy (DoE). The recommendations fall into eight categories, including improving cybersecurity and electricity grid resilience.

Editor's Note

The three cybersecurity recommendations are pretty high level, mostly focusing on risk assessment and management. Missing two key things: giving priority to achieving basic security hygiene in existing energy infrastructure and building security into evolving energy sources that are more distributed than the traditional infrastructure.

John Pescatore

Some of the recommendations, while timely, need funding to have the intended benefits, particularly for specialized areas where finding workers with relevant skills may be difficult without sufficient incentives.

Lee Neely

The hard part of improving grid security is changing the culture of the industry, in which the access of operators to the controls they use to respond in real time to component failures or imbalances between load and supply trumps cybersecurity and grid resilience.

William Hugh Murray

2022-07-07

OMB is Developing Real-Time Zero-Trust Scoring

The US Office of Management and Budget (OMB) is developing a way to generate real-time zero-trust scores for network users. The effort is the agency’s response to the May 2021 Cybersecurity Executive Order, which directs federal agencies to adopt zero-trust cybersecurity principles and make necessary adjustments to their network architectures.

Editor's Note

In order to come close to something like “zero trust” you first need strong authentication in use and IT and security operations meeting basic security hygiene requirements around configuration and vulnerability management, privilege management, etc. So, realistically any scoring system should be showing near zero for several fiscal years, no hurry.

John Pescatore

This appears to be about trusting users rather than systems and architectures, the hard part to see in real-time.

William Hugh Murray

2022-07-11

L3Harris Will Not Pursue Purchase of NSO Group

L3Harris, a US defense contractor, has reportedly dropped its efforts to buy NSO Group, which makes Pegasus spyware and hacking tools. L3Harris began negotiations with NSO in June. The US Department of Commerce placed NSO on its entity blacklist in November 2021; the Biden administration recently raised security concerns about the potential purchase, which reportedly prompted L3Harris to call off its negotiations.

Editor's Note

SANS instructor Heather Mahalik, at the RSA Conference SANS New Threats and Attacks keynote panel, discussed why you need to look at the risks of “stalkerware” with Pegasus as the prime example. There is a need for intelligence community tools to track bad actors, really powerful stalkerware will always be used there and almost as powerful stalkerware will be used commercially, too – but done under the name of “marketing AI.” For really high value users, like CEO, CFO, board, etc. extraordinary protection will be required – see previous NewsBites comments on Apple’s LockDown feature coming for iPhones.

John Pescatore

Counterintelligence concerns and suggestions should be factored in as risks in your decision-making process. This doesn't mean you have to accept their recommendation; it means don't discount it without careful consideration. Additionally, there are financial consequences for disregarding DOC sanctions, such as blacklisting an entity. The point is to make an informed decision rather than being blindsided by unintended consequences.

Lee Neely

2022-07-07

GAO: DoD Needs to Mitigate Risks to Defense Industrial Base

A recent report from the US Government Accountability Office (GAO) recommends that the Department of Defense “develop… a robust strategy and measure… and report… on DOD-wide industrial base risk mitigation efforts.” The risks to Defense Industrial Base companies include weak physical and cybersecurity factors and reliance on foreign suppliers.

Editor's Note

The DoD has over 200,000 suppliers – a rising tide for security in the Defense Industrial Base will raise the security level of all vendors. A great example was when NIST put out encryption standard FIPS 140-1 in 2001 or so; it enabled browser security and the ability to at least do SSL with meaningful encryption. But progress really started to happen a few years later when OMB or GAO required all browser procurements to only use FIPS compliant products – and private industry benefitted enormously.

John Pescatore

Supply chain security, to include single points of failure, and domestic vs foreign sources will continue to be on the radar for quite some time. Even if you're not in the defense space, we've all learned about the potential consequences of remote or non-redundant suppliers over the last two years. Identify where you have similar dependencies and make sure that you have a plan B & C.

Lee Neely

Internet Storm Center Tech Corner

SANSFIRE Keynote Stream

https://www.sans.org/webcasts/the-internet-storm-center-how-to-use-and-how-to-contribute-data/


Extracting URLs from Emotet with Cyberchef

https://isc.sans.edu/forums/diary/Excel%204%20Emotet%20Maldoc%20Analysis%20using%20CyberChef/28830/


Microsoft Rolling Back Macro Policy Change

https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805


Checkmate Ransomware Affected Poorly Configured QNAP NAS

https://www.qnap.com/en/security-advisory/QSA-22-21


PyPi Requires 2FA for critical packages

https://pypi.org/security-key-giveaway/


Rogers Outage

https://about.rogers.com/news-ideas/a-message-from-rogers-president-and-ceo/


Rolling Pwn

https://rollingpwn.github.io/rolling-pwn/


GitHub Runners Mine Cryptocoins

https://www.trendmicro.com/en_us/research/22/g/unpacking-cloud-based-cryptocurrency-miners-that-abuse-github-ac.html