SANS NewsBites

Segment Storage Appliances from Internet Connectivity; Check All Python Packages for Auto-Execute; Third Party Breaches Are A Risk to You

September 6, 2022  |  Volume XXIV - Issue #69

Top of the News


2022-09-05

Deadbolt Ransomware Campaign Targeting QNAP Devices

QNAP has released an advisory warning that it has become aware of a Deadbolt ransomware campaign targeting some of its products. Specifically, “the campaign appears to target QNAP NAS devices running Photo Station with internet exposure.” QNAP has released updates to address the issue, and reminds users that “QNAP NAS should not be directly connected to the Internet.”

Editor's Note

Deadbolt has been an ongoing issue for exposed storage devices. It is important to note that this and similar ransomware has affected not just QNAP devices, but QNAP has been more open in warning users and implementing specific protections to fight this ransomware. The ransomware typically does not exploit specific vulnerabilities in the storage device’s firmware, but instead exploits configuration issues like weak passwords. And please do not expose these devices to the Internet!

Johannes Ullrich

Don’t expose NAS directly to the Internet, or indirectly via port forwarding. Religiously update the firmware and any applications installed, make sure there are no unknown accounts, accounts have strong passwords, and make sure that you have backups.

Lee Neely

2022-09-02

One-third of PyPI Packages Trigger Code Execution on Download

Close to one-third of packages in the Python Package Index (PyPI) automatically execute code after download. Checkmarx research engineer Yehuda Gelb writes, “When a python package is installed, pip, python’s package manager, tries to collect and process the metadata of this package, such as its version and the dependencies it needs to work properly. This process occurs automatically in the background by pip running the main setup.py script that comes as part of the package structure.” Attackers could potentially place malicious code in the setup.py file.

Editor's Note

While we expect scripts to run as part of a pip install, it turns out pip download also executes the setup.py script, intended to resolve dependencies, provided the package doesn't include a .whl (wheel) file which takes precedence over downloading the .tar.gz version of a package. The tricky part is if the .whl file is missing, the .tar.gz file is automatically downloaded (which has an embedded setup.py) and then the contents of setup.py are executed. As a mitigation, check your repositories for .whl files and if they are missing, don’t download using pip; use an alternate process to download the tar.gz file and investigate without executing.

Lee Neely

Another Pypi and / or Python supply chain story. The interesting part here is that we can already see the increased scrutiny in Python specifically in Pypi with MFA stories and other issues. We have also seen npm in the news. But does this mean other languages are somehow not also in the same boat? It's a daunting problem to solve and we have only started looking.

Moses Frost
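The mitigation in the note above (check whether a release ships a wheel, and inspect the sdist's setup.py without executing it) can be scripted. This is an added example, not code from the newsletter or from Checkmarx; it assumes the shape of PyPI's JSON API release data (a "urls" list whose entries carry a "packagetype" of "bdist_wheel" or "sdist") and uses constructed in-memory sample archives so it runs offline.

```python
import ast
import io
import tarfile

# Added example: static checks for the pip download / setup.py issue.
# Nothing here executes setup.py; the sample inputs below are constructed.

def has_wheel(release_json):
    # release_json mirrors PyPI's JSON API "urls" list; pip prefers a wheel,
    # so when one exists the sdist's setup.py is not run at download time
    return any(u.get("packagetype") == "bdist_wheel" for u in release_json.get("urls", []))

RISKY_MODULES = {"subprocess", "os", "socket", "urllib", "base64", "ctypes"}
RISKY_CALLS = {"exec", "eval", "compile", "__import__"}

def inspect_setup_py(source):
    """Parse setup.py with the ast module and list risky imports and calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for name in names:
                if name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"import of {name}")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in RISKY_CALLS:
            findings.append(f"call to {node.func.id}()")
    return findings

def inspect_sdist(tar_gz_bytes):
    """Open an sdist (.tar.gz) in memory and scan its setup.py without running it."""
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                return inspect_setup_py(tar.extractfile(member).read().decode("utf-8"))
    return ["no setup.py in archive"]

def make_sdist(setup_py_source):
    """Build a minimal constructed sdist archive in memory (for offline testing)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py_source.encode("utf-8")
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed setup.py samples: a normal one and one with a side effect on import
CLEAN_SETUP = "from setuptools import setup\nsetup(name='pkg', version='1.0')\n"
SUSPICIOUS_SETUP = ("import subprocess\nfrom setuptools import setup\n"
                    "subprocess.run(['echo', 'side effect'])\nsetup(name='pkg', version='1.0')\n")
```

Findings from inspect_sdist are a triage signal for manual review, not proof of malice; legitimate packages sometimes import os in setup.py.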

2022-09-02

Healthcare Security Breaches Increasingly Involve Third-Party Vendors

The majority of the 10 largest healthcare sector data breaches reported to the Department of Health and Human Services Office for Civil Rights (HHS OCR) so far this year occurred on third-party vendor systems. The three largest breaches each affected more than two million individuals.

Editor's Note

Like KeyBank (see story below), security of outsourced services can be your weakest link. Prepare to spend more time validating their security than you would expect. Don’t expect you're going to get realtime logs from them; more likely they are going to contact you. Make sure you understand what that means, and keep that information current.

Lee Neely

I worked in this space in the 2000’s and I can tell you many major medical centers have to rely on third-party vendors. Almost every department may have their own unique vendor set to support their medical devices. There is barely a consideration for actual security best practices in many of these systems. Mostly because at most they feel ransomware would be the biggest threat. Most of these vendors will have direct connections into the facility and they will probably have the ability to laterally move anywhere as many of these networks are not security segmented by firewalls. I would even suspect many of them are just networks with all manner of devices connected to them freely. This doesn't surprise me: I had to fix a vendor issue in the early days where the actual large medical manufacturer kept imaging machines that had a worm (pre-Conficker) loaded into the build on accident.

Moses Frost

The Rest of the Week's News


2022-09-05

Draft Amendments to New York State Cybersecurity Rules for Financial Organizations

Financial institutions whose headquarters are in the state of New York may soon be compelled to abide by additional cybersecurity standards. The New York Department of Financial Services (NYDFS) has submitted draft amendments to its Cybersecurity Requirements for Financial Services Companies. The proposed new requirements include an expanded list of events subject to the 72-hour incident notification requirement, a 24-hour reporting window for ransomware payments, and “a 30-day requirement to provide a written description of why the payment was necessary, alternatives to payment that were considered, and all sanctions diligence conducted.”

Editor's Note

There are a few areas where the proposed changes dictate particular solutions, like “password vaulting” and “endpoint detection and response,” which is never a good idea. But, while many of the proposed changes will be complained about, most of them are just common sense essential security hygiene controls that need to be in place for any hope of a reasonable level of risk.

John Pescatore

While some of the suggested mitigations seem mundane, it’s not a bad idea to review your existing solutions, such as EDR, to make sure they incorporate current threat and response scenarios. It’s easy to get complacent; establish a lifecycle process for your defenses.

Lee Neely

2022-09-03

KeyBank Says Third-Party Breach Led to Theft of Customer Data

A third-party vendor breach led to the theft of KeyBank mortgage customer data. The attackers stole the data in early July from an insurance service provider, Overby-Seawell Company. KeyBank says it learned of the breach in early August. The stolen information includes Social Security numbers, addresses, and account numbers.

Editor's Note

This piece, and the item (above) on healthcare breaches, just point out that most business processes involve third-party service providers and those third parties may often be the weak link in your supply chain. The flip side is your company may be the weak link in larger players’ supply chains. Both scenarios carry high risk – use these news items in a small tabletop exercise if you need to get management support for addressing.

John Pescatore

Third party security is as important as your insourcing. And it can be much harder to verify. Don’t just put the right to audit in the contract, have a real conversation about how you would verify as well as what incident data can be shared. If you aren’t comfortable with the working relationship, and you can’t change solutions, you’ll need to articulate that and seek resolution or documented risk acceptance prior to go-live. Remember that no matter how good your reputation is – KeyBank has an awesome community support reputation – it's not the third party's image but *your* image on the line.

Lee Neely

2022-09-02

Open Source Security Foundation’s npm Best Practices Guide

The Open Source Security Foundation (OpenSSF) has released an npm Best Practices guide that focuses on dependency management and npm supply chain security. The “document provides 1) an overview of security features of npm in the context of supply-chain, 2) explicit recommendations and 3) details or links to the official documentation to achieve these recommendations.”

Editor's Note

Every Best Practices guide should come with a list of “How others overcame obstacles to implement…” examples. In many cases, the best security practice is common sense, but operational reasons drive shortcut approaches that are not secure. However, many companies (the ones *not* in the news for a breach) have found ways to justify how doing the right things in security up front actually can reduce cost of apps and time to market.

John Pescatore

Best practices are sometimes a euphemism for “This worked and we didn't get fired.” Don't discount your own experience about what worked. Instead, read the guide to make sure that you've not overlooked anything. Leverage it as support for raising the bar on your own practices.

Lee Neely

2022-09-02

Fog Data Science’s App Offers Location Data

An investigation conducted by the Electronic Frontier Foundation (EFF) and the Associated Press (AP) found that Fog Data Science, a private data broker, has been selling location data to US law enforcement agencies at the federal, state, and local levels. The company’s web app, Fog Reveal, allows its customers to access detailed information about people’s work and personal lives. Records obtained in the course of the investigation indicate that Fog has or has had contracts to provide data to at least 18 clients.

Editor's Note

Fog Data advertises having a network of 250 million devices providing realtime geolocation data. The issue is the service can be used for legitimate purposes, say who was around a violent crime, or to locate those going to a targeted organization, violating their privacy. This data is gathered from apps to which you have granted location services, which means you can revoke those permissions, or disable location services entirely. Globally disabling location services is too disruptive and not a viable approach. The best approach is to limit location services to applications you trust and only when needed.

Lee Neely

This type of data sales to Law Enforcement is not something necessarily new. Is the fact that their presence on the Internet is also very small? No, many of these data brokers also fly under the radar. The really interesting item to note here is the fact that searches and data could be gathered without warrants. The questionable part then becomes who is able to access the data and who is watching or following that data access. Can this be abused to facilitate potentially criminal activity such as stalking or other acts? The reason we have some of these laws is not just privacy but also as a protection to citizens. Location data can very well be misused. Now will something happen in this case? Something to watch.

Moses Frost

2022-09-05

Another Chrome Update Addresses Zero-Day

Google has updated the Chrome browser stable channel to version 105.0.5195.102 for Windows, Mac, and Linux to address a vulnerability that is being actively exploited. The flaw is described only as a high severity insufficient data validation issue in Mojo.

Editor's Note

This is the sixth zero-day patch for Chrome in 2022; CVE-2022-3075 is being exploited in the wild. It follows CVE-2022-0609 (2/14), CVE-2022-1096 (3/25), CVE-2022-1364 (4/14), CVE-2022-2294 (7/4) and CVE-2022-2856 (8/17). While Google is not sharing the details relating to exploit/attack vectors, prior zero-day exploit patterns warrant taking this seriously and pushing the update.

Lee Neely

2022-09-02

ICS Medical Advisory: Multiple Vulnerabilities in Contec Health CMS8000

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an ICS Security Advisory warning of multiple vulnerabilities in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor. The flaws – uncontrolled resource consumption, hard-coded credentials, active debug code, and two improper access control issues – could be exploited “to cause a denial-of-service condition, modify firmware with physical access to the device, access a root shell, or employ hard-coded credentials to make configuration changes.” Contec Health has not yet responded to CISA requests to mitigate the issues.

Editor's Note

The flaws are relatively simple to exploit, and include the ability to load new firmware from an inserted USB drive or crash these devices en masse with a UDP packet flood. As such, mitigations include limiting physical access and network isolation, only allowing devices which absolutely need to connect.

Lee Neely

2022-08-31

Microsoft Detects One-Click Vulnerability in TikTok

TikTok has fixed a security issue in its Android app that could have been exploited to hijack vulnerable accounts with a single click. The vulnerability allowed attackers to bypass the app’s deeplink verification, and affected both versions of the TikTok for Android app. The flaw was found by Microsoft’s 365 Defender Research Team.

Editor's Note

The flaw was found in both versions of the TikTok Android app. Update to the current version or remove it if you're not actively using TikTok.

Lee Neely

Internet Storm Center Tech Corner