SANS NewsBites

Microsoft Makes Password Failure Lockout a Default in RDP; HHS Threat Briefing Focuses on Web App Security; Patch Your FileWave MDM Software

July 26, 2022  |  Volume XXIV - Issue #57

Top of the News


2022-07-25

New Windows 11 Default Policy to Help Prevent RDP Brute-Force Attacks

Microsoft has enabled a default policy in Windows 11 builds that is designed to help thwart brute-force Remote Desktop Protocol (RDP) attacks. Accounts will be locked for 10 minutes after 10 incorrect login attempts. The account lock setting is available in Windows 10 but is not enabled by default.

Editor's Note

Nice move by Microsoft. RDP has been called "Ransomware Deployment Protocol" for a reason. Sadly, it is still widely deployed without sufficient controls and Microsoft's move will make it slightly less likely for a carelessly deployed system to be compromised.

Johannes Ullrich

Two security policies that have been common requirements that have been too often ignored or bypassed are lockout after failed attempts and requiring MFA on all remote access. Microsoft turning on lockout by default for RDP is a good thing, but turning on MFA for RDP obviates the need for lockout and stops more than just brute force attacks.

John Pescatore

Account lockout is excellent, and you should enable it on all platforms which support it. Now go make sure that any internet facing RDP requires MFA, and is sufficiently monitored and otherwise secured to withstand malfeasance.

Lee Neely

It is good to see a vendor like Microsoft making security by default the standard setting in its newer products. It has been a long time coming and I hope we see this initiative spread to many other settings and products, not just those offered by Microsoft but for other vendors too.

Brian Honan

This control is not disruptive and might well be enabled by default.

William Hugh Murray
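The Windows 11 default described above (10 failed attempts, 10-minute lockout) only protects hosts that have it. Added example, not code from the NewsBites item or from Microsoft: a small Python detector that applies the same two numbers to Windows Security-log failed-logon records (event ID 4625 with LogonType 10, the RemoteInteractive/RDP type), so that a Windows 10 host on which the lockout policy is still off, or a monitoring pipeline in front of internet-facing RDP, can alert at the point where the policy would have locked the account. The text record layout, the field names used and the sample events are constructed for this example; a real pipeline would feed it from the event log or a SIEM.

```python
"""Flag RDP password guessing from Windows Security-log records.

Added example (not code from the NewsBites item or from Microsoft). It applies
the same numbers as the Windows 11 default policy, 10 failed logons within a
10-minute window, to a stream of Security-log records, so a Windows 10 host on
which the lockout policy is still off can at least raise an alert. The record
layout and the sample records below are constructed for this example, and the
records are assumed to arrive in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                    # failed attempts before alerting (Windows 11 default)
WINDOW = timedelta(minutes=10)    # observation window (Windows 11 default)
FAILED_LOGON = "4625"             # Security event ID: an account failed to log on
RDP_LOGON_TYPE = "10"             # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample, "<timestamp> <event id> key=value ...". bob is being
# guessed at from one address every 30 seconds; carol fails once every five
# minutes (an unlucky typist, not an attack); dave's failures are SMB, not RDP.
SAMPLE_LOG = """\
2022-07-25T08:00:00Z 4624 TargetUserName=alice IpAddress=10.0.0.8 LogonType=10
2022-07-25T08:00:10Z 4625 TargetUserName=carol IpAddress=10.0.0.9 LogonType=10
2022-07-25T08:01:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:01:30Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:02:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:02:30Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:03:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:03:30Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:04:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:04:30Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:05:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:05:10Z 4625 TargetUserName=carol IpAddress=10.0.0.9 LogonType=10
2022-07-25T08:05:20Z 4625 TargetUserName=dave IpAddress=10.0.0.12 LogonType=3
2022-07-25T08:05:30Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:06:00Z 4625 TargetUserName=bob IpAddress=198.51.100.7 LogonType=10
2022-07-25T08:10:10Z 4625 TargetUserName=carol IpAddress=10.0.0.9 LogonType=10
"""


def parse_record(line):
    """Split one record into (timestamp, event id, {field: value})."""
    ts, event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, kv


def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per account that reaches `threshold` RDP logon failures
    inside any span of length `window`. Failures are counted per target account,
    as the lockout policy does; the source addresses are kept for the responder."""
    recent = defaultdict(deque)   # account -> failure timestamps still inside the window
    sources = defaultdict(set)    # account -> addresses seen on those failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, kv = parse_record(line)
        if event_id != FAILED_LOGON or kv.get("LogonType") != RDP_LOGON_TYPE:
            continue
        user = kv["TargetUserName"]
        hits = recent[user]
        hits.append(ts)
        sources[user].add(kv.get("IpAddress", "?"))
        while ts - hits[0] > window:   # age out failures that fell outside the window
            hits.popleft()
        if len(hits) >= threshold and user not in alerted:
            alerted.add(user)          # one alert per account, not one per further failure
            alerts.append({
                "user": user,
                "failures": len(hits),
                "sources": sorted(sources[user]),
                "first": hits[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {alert['failures']} RDP logon failures from "
              f"{', '.join(alert['sources'])} between {alert['first']} and {alert['last']}")
```

On the sample, only bob trips the detector (ten failures between 08:01:00 and 08:05:30); carol's slow trickle and dave's non-RDP failures do not. Keying on the target account rather than the source address matches how the lockout policy itself counts and is what catches distributed guessing against one account; the source set is kept only for triage.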

2022-07-25

HHS HC3 Urges Healthcare Sector Organizations to Consider Web App Security

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has released web application security guidance for the health sector. The publication defines web applications in healthcare, describes types of web app attacks, suggests mitigations, and provides additional cybersecurity resources.

Editor's Note

Teaching web application security for a few years now, I am always surprised by the lack of awareness around common web application security threats. This isn't just a healthcare problem, and we have to stop looking at it as a software/developer issue. Security teams not understanding web logs and how to recognize common attacks are as much part of the problem as missing SBOMs and developers not understanding the risks of DOM-based XSS.

Johannes Ullrich

Even if you're not in the healthcare sector, read the HHS PDF below. The mitigations and protections should not come as a surprise; what may surprise you is where you're not doing them. Make sure your WAF is not in learning mode but actively blocking attacks; login services should employ MFA, with monitoring as well as impossible-access scenario detection and prevention. Make sure that your development testing requires issues found to be addressed, not merely noted.

Lee Neely

This isn’t really guidance, it is a threat briefing from the HHS HC3 – a good basic presentation about web app security threats and controls but unfortunately no raising of the regulatory bar to force movement. It does include a nice list of web app security requirements from the HHS Cybersecurity Practices program that map to about 40 NIST Framework controls. If you are trying to justify increasing app security in 2023, use that as a checklist to point out compliance gaps.

John Pescatore

2022-07-25

FileWave MDM Vulnerabilities

Researchers from Claroty’s Team 82 have discovered and disclosed two critical vulnerabilities in FileWave’s mobile device management (MDM) system. The flaws, an authentication bypass issue and a hard-coded cryptographic key, can be remotely exploited to take control of vulnerable platforms. The flaws have been addressed in FileWave version 14.7.2.

Editor's Note

Web apps. Again. A good old web application vulnerability in a piece of "security" software. No cloud involved here, just a good old web application vulnerability that is so boring that we'd rather have it than spend the time learning how to do authorization properly.

Johannes Ullrich

Don't think MDM only impacts my smartphone fleet. MDMs are managing Windows & Mac laptops, as well as your iPhones/iPads/Android tablets and smartphones. The exploit provides privileged access to a FileWave MDM, allowing for modifications across your fleet-managed devices. As such, you want to roll out the fixed version. You're going to need to update all your components - servers, boosters, imaging, admin and client platform. The good news is it's a series of simple package updates.

Lee Neely

The Rest of the Week's News


2022-07-22

Update Questions for Confluence App Now

Last week, Atlassian disclosed several vulnerabilities, including a hard-coded password issue affecting the Questions for Confluence app. Atlassian has since reported that the password has been leaked online, which makes patching the app even more urgent.

Editor's Note

Too late. It’s probably already compromised if you had it exposed to the world. But that was probably just a honeypot anyway (at least it is now).

Johannes Ullrich

The hard-coded password for the "disabledsystemuser" account has been published. Make sure you've deleted that account, and you monitor for it being recreated. This is a system account, so even if you remove the Atlassian product, the account remains. And yeah, apply the patches to your Atlassian products immediately.

Lee Neely

2022-07-25

CosmicStrand UEFI Firmware Rootkit

Researchers at Kaspersky have detailed their findings about a Unified Extensible Firmware Interface (UEFI) firmware rootkit they are calling CosmicStrand. In 2017, researchers from Qihoo360 published a blog about an earlier variant of the rootkit, which they called Spy Shadow Trojan.

Editor's Note

Long gone are the days of moving the jumper or dip switch to permit firmware updates. As such you were making sure the updates were pushed from verified sources. This malware appears to be an update performed on an already otherwise compromised system. Once installed the firmware includes the CSMCORE DXE driver which enables a legacy boot process, adding accounts to the OS along the way. The killer is that you cannot just re-install/replace the drive to eliminate UEFI firmware implants. If you're lucky you can install known good firmware, but odds are you're in a physical hardware replacement scenario.

Lee Neely

2022-07-22

SonicWall Releases Fixes for SQL Injection Vulnerability

SonicWall is urging users to upgrade Global Management System (GMS) and Analytic On-Prem products to address a critical SQL injection vulnerability. The issue is due to “improper neutralization of special elements used in an SQL command.” Users should upgrade to GMS 9.3.1-SP2-Hotfix-2 or later and Analytics 2.5.0.3-2520-Hotfix-1 or later.

Editor's Note

The likelihood of exploit can be reduced by deploying a WAF, but the right way to fix this is to deploy the update. Then look at how a WAF could help with this and other applications.

Lee Neely

It is disappointing in the extreme that in 2022 we see a security vendor having to address a SQL Injection vulnerability in their product suite.

Brian Honan

See my comment about the FileWave issue.

Johannes Ullrich
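The SonicWall issue is described only by its weakness class, “improper neutralization of special elements used in an SQL command” (the title of CWE-89). Added example, not SonicWall's code and not the code from the advisory: a toy device lookup in Python using the standard-library sqlite3 module, written the vulnerable way beside the parameterized fix, with an allow-list check as a second, independent layer. The devices table, its rows and the serial-number format are constructed for the example; sqlite3 stands in for whatever database engine a real product uses.

```python
"""SQL injection, the weakness class named in the SonicWall advisory, shown on
a toy table with the fix beside it.

Added example, not SonicWall's code. The `devices` table, its rows and the
serial-number format are constructed for this example; sqlite3 from the
standard library stands in for the real database engine.
"""
import re
import sqlite3

SERIAL_FORMAT = re.compile(r"^SN-\d{4}$")   # allow-list for the one value we accept


def setup_db():
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, serial TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices (serial, owner) VALUES (?, ?)",
                     [("SN-1001", "alice"), ("SN-1002", "bob"), ("SN-1003", "carol")])
    return conn


def find_device_vulnerable(conn, serial):
    """The CWE-89 pattern: the caller's value is spliced into the SQL text, so a
    quote character inside it is a 'special element' that changes the meaning of
    the statement instead of being compared as data."""
    sql = "SELECT serial, owner FROM devices WHERE serial = '" + serial + "'"
    return conn.execute(sql).fetchall()


def find_device_parameterized(conn, serial):
    """The fix: bind the value as a parameter. The statement's structure is fixed
    before the value is supplied, so the value can only ever be compared, never
    parsed as SQL. This holds for any input, not just inputs someone thought of."""
    return conn.execute("SELECT serial, owner FROM devices WHERE serial = ?", (serial,)).fetchall()


def validate_serial(serial):
    """Defence in depth, not the fix itself: reject anything that is not shaped
    like a serial number before it reaches the query at all."""
    return bool(SERIAL_FORMAT.match(serial))


if __name__ == "__main__":
    conn = setup_db()
    probe = "x' OR '1'='1"   # a quote character plus an always-true clause
    print("vulnerable   :", find_device_vulnerable(conn, probe))      # every row comes back
    print("parameterized:", find_device_parameterized(conn, probe))   # no row matches
    print("allow-listed :", validate_serial(probe))                   # False
```

The same probe that returns every row from the vulnerable query returns nothing from the parameterized one, because the driver never lets the value alter the statement. The allow-list is cheap and worth keeping in front of the query, but it is the parameter binding, not the regular expression, that removes the weakness; this is the distinction behind the editor's comment that a WAF reduces likelihood while the update is the actual fix.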

2022-07-25

TSA Revises Pipeline Cybersecurity Requirements

The US Department of Homeland Security’s (DHS’s) Transportation Safety Administration (TSA) has issued revised cybersecurity requirements for pipeline operators. The revisions were made in response to industry requests for “more flexibility to meet the intended security outcomes.” The new pipeline cybersecurity directive takes effect on July 27 and expires on the same date in 2023.

Editor's Note

Two comments: (1) The “flexibility” added is largely by TSA changing to a “tell us what you will do and then we will audit to make sure you do what you say” approach which usually sets a very low bar for security. Good news is TSA has mandatory requirements for what must be included that cover the important basic hygiene elements. (2) There is a deadline for operators to submit plans, but there did not appear to be a deadline around TSA review and approval. Does TSA have the staff or contractor to do meaningful review with timely turn-around?

John Pescatore

The initial version of the requirements, from July 2021, resulted in a flurry of 380 exception requests, an indication that this needed to be revisited. This is intended to be a more flexible framework to incorporate variances in environment and implementation. Operators have 21 days to submit a plan to implement the new requirements. Once approved, they are expected to actually implement them. Requirements include segmentation, MFA, incident response plans, auditing, and logging capabilities.

Lee Neely

2022-07-25

T-Mobile Will Pay $500M Over Data Breach

T-Mobile has agreed to pay at least $500 million to settle legal action over a 2021 data breach that compromised information belonging to nearly 77 million customers. $350 million will go toward a settlement fund for members of a class action lawsuit and associated legal fees. T-Mobile has also agreed to spend at least $150 million to improve its security practices.

Editor's Note

These fines have been ramping up on a $/impacted user basis. Uber’s $148M fine in 2016 was $2.6/user, Equifax in 2017 was $4.29/user and T-Mobile’s fine for the 2021 breach is $6.49/user. The costs the breached companies paid outside of the fines is hard to define but typically in these mega breaches it is in the $10 – 25/record exposed range – always more than the fine. The fines are useful to show CXOs and boards – in the vast majority of breaches, the cost of fines alone is much higher than what it would have cost to avoid or minimize the incident.

John Pescatore

If the settlement is split equally among the 77 million customers, they get about $5 each. T-Mobile is partnering with Mandiant, Accenture and KPMG to improve their cybersecurity posture and conducting about 900,000 training courses for employees and partners. As this 2021 incident is the fifth publicly acknowledged security breach in four years, it'll be interesting to see how effective these measures are.

Lee Neely

2022-07-25

Uber Will Not Face Federal Prosecution Over 2016 Data Breach

Uber has publicly acknowledged that it attempted to cover up a 2016 data breach. The admission was made as part of a non-prosecution agreement with the US Department of Justice (DoJ). According to the agreement, the incident was investigated and disclosed by an executive leadership team that took the reins of the company the year after the breach. In addition, Uber “has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.”

Editor's Note

The breach was due to attackers obtaining an access key which allowed them access to Uber's databases of users and drivers. The information for 50 million users and 7 million drivers was exposed. Uber not only paid a ransom, but also around $148 million in settlements of civil litigation. The lesson here is to report incidents as required.

Lee Neely

All CSOs should watch this case very carefully to see what legal liability their role could be exposed to by decisions made when dealing with a breach.

Brian Honan

Internet Storm Center Tech Corner