SANS NewsBites

Protect Linux endpoints from Shikitega Malware; IHG Breached Again, Disrupting Business; Update, Segment, or Properly Dispose of Baxter Spectrum Infusion Pumps

September 9, 2022  |  Volume XXIV - Issue #70

Top of the News


2022-09-07

Shikitega Malware Targets Linux Devices

Researchers from AT&T’s Alien Labs have detected malware that targets endpoints and Internet of Things (IoT) devices running Linux. The malware, which is being called Shikitega, “is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one.” Shikitega can be used to take control of vulnerable devices and to install a persistent cryptominer on them.

Editor's Note

These more subtle attacks easily hide in the noise created by all the Mirai and similar bots flooding Linux devices. Remember that the important attacks are the one-offs, not the top 10 attacks shown by your console.

Johannes Ullrich

When you read Linux, don’t just think of your servers or desktops; remember that many IoT devices are running Linux, with very limited built-in security measures to deploy. Shikitega is delivered in a very stealthy way and leverages legitimate hosting services for C2 functions. Incorporate the IOCs from the Alien Labs report. The best mitigations are to keep your devices updated, deploy EDR, and have backups. While you can’t deploy EDR to most IoT devices, you can isolate them as much as possible, make sure they are getting updated and, where possible, export the configuration to make service restoration simpler.

Lee Neely
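Ullrich's point above, that the one-off download attempt matters more than the top-10 bots on the console, is easy to operationalize. The script below is an added example (not code from the NewsBites editors or from Alien Labs): it parses a constructed sample of download-attempt log lines in an assumed key=value format (timestamps, source addresses and payload URLs are made up, using documentation address ranges), counts payload URLs, and separates the high-volume Mirai-style noise from the rarely seen payloads that deserve analyst time first.

```python
import re
from collections import Counter

# Constructed sample log lines (not real honeypot data). The key=value
# format is an assumption; adapt LINE_RE to your sensor's real format.
SAMPLE_LOG = """\
2022-09-07T10:01:02Z src=203.0.113.5 url=http://192.0.2.10/bins/bot.arm7
2022-09-07T10:01:09Z src=203.0.113.7 url=http://192.0.2.10/bins/bot.arm7
2022-09-07T10:02:11Z src=198.51.100.9 url=http://192.0.2.10/bins/bot.mips
2022-09-07T10:02:40Z src=203.0.113.5 url=http://192.0.2.10/bins/bot.arm7
2022-09-07T10:03:15Z src=198.51.100.22 url=http://192.0.2.10/bins/bot.mips
2022-09-07T10:04:58Z src=203.0.113.44 url=http://192.0.2.10/bins/bot.arm7
2022-09-07T10:05:03Z src=198.51.100.61 url=http://192.0.2.77/s/stage1
2022-09-07T10:06:21Z src=203.0.113.8 url=http://192.0.2.10/bins/bot.x86
2022-09-07T10:07:00Z src=203.0.113.9 url=http://192.0.2.10/bins/bot.x86
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+)$")


def parse_lines(text):
    """Parse key=value lines into dicts; malformed lines are skipped, not raised."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def payload_frequencies(events):
    """How many times each payload URL was requested."""
    return Counter(e["url"] for e in events)


def top_payloads(events, n=3):
    """The noisy bulk: the n most requested payloads (what the console shows)."""
    return payload_frequencies(events).most_common(n)


def rare_payloads(events, max_hits=1):
    """The one-offs: payload URLs seen at most max_hits times, sorted for stable output."""
    freq = payload_frequencies(events)
    return sorted(url for url, n in freq.items() if n <= max_hits)


def triage_report(text, max_hits=1):
    """Summarize a log excerpt: volume, the loud top-N, the rare payloads, and who fetched them."""
    events = parse_lines(text)
    rare = set(rare_payloads(events, max_hits))
    return {
        "total": len(events),
        "top": top_payloads(events),
        "rare": sorted(rare),
        # sources that requested a rare payload: the first hosts to pull full pcaps for
        "rare_sources": sorted({e["src"] for e in events if e["url"] in rare}),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_LOG)
    print("events:", report["total"])
    print("top payloads (noise):", report["top"])
    print("rare payloads (triage first):", report["rare"])
    print("sources of rare payloads:", report["rare_sources"])
```

Run it against a day of sensor logs instead of the embedded sample and the `rare` list is the worklist; the `top` list is what the dashboard already tells you. Raise `max_hits` as your sensor volume grows so a payload fetched by a handful of hosts still surfaces.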

2022-09-07

InterContinental Hotels Group Discloses Breach

The InterContinental Hotels Group (IHG), which operates more than 6,000 hotels under 17 brands, disclosed a breach of its IT systems. The incident began on September 5 and was disclosed in a statement to the London Stock Exchange. The incident disrupted IHG booking systems and other applications. This is the third breach IHG has disclosed since 2017.

Editor's Note

IHG had $1.39B of revenue in 2021, or about $3.8M per day. If bookings of IHG’s nearly 900,000 rooms are impacted by the disruption, a 10% hit would mean the breach could be costing them almost $400k per day just in delayed, if not lost, revenue. IHG also paid over $1.5M in a legal settlement over one of its previous breaches, which have been happening frequently at IHG. If you’ve been having trouble convincing management to back needed changes to reduce vulnerabilities, this will be the latest data point for proactive spending invariably being cheaper than incurring a meaningful breach.

John Pescatore

Remember IHG operates 17 hospitality brands including Holiday Inn, Crowne Plaza, and Candlewood Suites, meaning you may be impacted even though you've not booked an InterContinental Hotel stay. While centralized systems are offline, local hotel operators are able to process reservations on their local systems. While this is the third attack since 2017, it is unlikely they are connected; think more of kicking someone while they are down. Which means if you’re compromised, you need to not only restore services, and remediate the weaknesses used against you, but also raise the bar overall. The IHG attackers appear to be seeking the personal data associated with reservations, which can then be resold.

Lee Neely

2022-09-08

Vulnerabilities in Baxter Spectrum Infusion Pumps

Researchers from Rapid7 found multiple vulnerabilities in Baxter SIGMA Spectrum Infusion Pumps and the SIGMA Wi-Fi battery, TCP/IP-enabled medical devices. The flaws could be exploited to access sensitive data and alter system configurations. Rapid7 alerted Baxter to the vulnerabilities in April. Baxter recommends ensuring all data and settings are wiped from devices before decommissioning them, placing devices behind hospital firewalls or on their own network VLAN, using strong wireless network security protocols, and, as a last resort, disabling wireless operation.

Editor's Note

Wiping all WiFi devices before decommissioning is vital because too many of them, including Baxter’s pumps, store WiFi credentials in non-volatile memory. The usual segmentation advice is true for any OT type technology, and even vulnerable IT devices and guest logins.

John Pescatore

These devices have FTP and Telnet services enabled, and the firmware update is needed to disable them. Make sure that you’ve isolated them, using firewalls, separate VLANs, etc. If you’re using Wi-Fi, ensure that you’re using current wireless security. Hint: an open access point or a captive portal isn’t sufficient. As a last resort you can operate these without a network; note that this impacts the ability to deliver formulary (drug library) updates to them.

Lee Neely
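Neely notes that the firmware update is what turns off the FTP and Telnet services on these pumps, and that the devices should sit on their own VLAN. Both claims are cheap to verify from a host on that VLAN. The script below is an added example (not Baxter, Rapid7 or NewsBites code): it attempts a plain TCP connect to ports 21 and 23 on each address you give it and reports any device that still answers. The address `192.0.2.10` is an assumed placeholder; the `start_stand_in_listener` helper is a constructed loopback listener standing in for an un-updated device so the example can be exercised offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Clear-text services the vendor firmware update is expected to disable.
LEGACY_SERVICES = {21: "ftp", 23: "telnet"}


def port_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within timeout (no banner needed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_host(host, services=LEGACY_SERVICES, timeout=1.0):
    """Map service name -> still reachable? for one device."""
    return {name: port_open(host, port, timeout) for port, name in services.items()}


def audit_segment(hosts, services=LEGACY_SERVICES, timeout=1.0, workers=32):
    """Audit many devices concurrently; return only the hosts with an exposed legacy service."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, audit_host(h, services, timeout)), hosts))
    return {h: findings for h, findings in results if any(findings.values())}


def start_stand_in_listener(port=0):
    """Constructed stand-in for a device that still answers on a legacy port.

    Binds loopback only and never accepts; the kernel completes the handshake,
    which is all port_open needs. Returns (server_socket, bound_port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys

    # Pass the pump VLAN addresses on the command line; the default is a placeholder.
    hosts = sys.argv[1:] or ["192.0.2.10"]
    exposed = audit_segment(hosts)
    if not exposed:
        print("no legacy FTP/Telnet listeners reachable from this host")
    for h, findings in exposed.items():
        names = ", ".join(n for n, up in findings.items() if up)
        print(f"{h}: still answers on {names}; firmware not updated or segment not isolated")
```

Run it twice: once from inside the pump VLAN (anything reported means the firmware update has not landed) and once from a general-purpose user segment, where any hit at all means the isolation Neely describes is not actually in place, regardless of firmware level.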

The Rest of the Week's News


2022-09-07

CISA and FBI Advisory Warns Ransomware Actors are Targeting Education Sector as Los Angeles Unified School District Recovers From an Attack

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have published a joint advisory warning that a ransomware threat actor known as Vice Society is targeting the education sector. The warning comes on the heels of a ransomware attack that hit the Los Angeles (California) Unified School District (LAUSD) over the Labor Day weekend; LAUSD schools opened as planned on Tuesday, September 6. An anonymous source said that in the months preceding the attack, LAUSD network account credentials had been offered on the Dark Web.

Editor's Note

If you look at multi-year attack data, you see that attackers target every sector that has vulnerabilities – which means they target all sectors. Denial-of-service attacks, which include ransomware, often do target specific times when targets may feel a sense of urgency – holiday shopping, start of school year, tax filing days, etc. But, most ransomware attacks are also data exfiltration type attacks which create their own urgency. Bottom line: use data over headlines and focus on increasing basic security hygiene as “4-seasons” protection.

John Pescatore

No matter what your sector, you should be prepared for attacks. You should have a plan in place for recovery that you’ve tested, verified your backups and ensured you’re keeping systems updated, particularly boundary control devices. Make sure that all your internet accessible entry points use MFA, for everyone. Treat that VIP or Administrator account as just as likely to be compromised, no matter how careful they are or how strong the password. A level playing field also helps buy-in. If you’re looking to expose more services to the Internet, ensure security posture assessment, and remediation, is required in the process.

Lee Neely

2022-09-08

Healthcare Sector Cyberattacks Have Impacted Patient Safety

A survey conducted by Ponemon and sponsored by Proofpoint found that ransomware attacks have the most adverse effects on patient care when compared with business email compromise (BEC) attacks, cloud compromises, and supply chain attacks. The survey comprises responses from 641 IT experts working in the healthcare sector. Nearly 90 percent say that their organizations have experienced a cyberattack within the past year; two-thirds of the organizations that reported being targeted by ransomware said that the incidents disrupted patient care.

Editor's Note

Healthcare has tremendous pressure to implement the latest technology to aid patient care. And when that technology, or supporting systems are offline, the patients are directly impacted. It is easier to start with security practices than retrofit running production systems, and this is the challenge many of us face, not only in healthcare. If you’re having trouble building management support to retrofit or otherwise raise the bar, make sure that you’re sharing how compromise directly impacts customers. While death may not be a consequence, having your business transferred to your competition or worse a loss of reputation, should resonate.

Lee Neely

2022-09-07

CISA’s New Strategic Plan and an RFI on Cyber Incident Reporting

Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA), previewed CISA’s new strategic plan and said that the agency would soon publish a request for information (RFI) regarding cyber incident reporting requirements. CISA’s strategic plan will have four pillars: cyber defense; risk reduction and resilience; operational collaboration; and agency unification. In addition to the RFI about cybersecurity incident reporting rulemaking, CISA plans to hold “listening sessions” to gather feedback from industry.

Editor's Note

When talking about reporting, the conversation needs to include a good understanding about how the information is protected and who has access to it. But don’t forget to make sure you understand what information is required, and that you can actually provide it in the format needed. The schedule for the listening sessions as well as links to the proposed regulation are on the CISA Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) site (https://www.cisa.gov/circia).

Lee Neely

2022-09-08

NSA: Commercial National Security Algorithm Suite 2.0

The US National Security Agency (NSA) has released guidance regarding the Commercial National Security Algorithm Suite 2.0. The “advisory notifies National Security Systems (NSS) owners, operators, and vendors of future requirements for quantum-resistant (QR) algorithms for NSS.” NSA expects owners and operators of NSS to have completed the transition to QR algorithms by 2035, with software and firmware signing among the first use cases to migrate.

Editor's Note

The trick here is not to jump the gun, only deploying algorithms which have been vetted and approved by NSA, NIAP, etc. Read the caveats for each of the approved algorithms as they apply to the data you're protecting. Note the timeline recommends software and firmware signing to start migrating immediately. Expect to be required to include language for support of CNSA 2.0 algorithms in procurement contracts very soon.

Lee Neely
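The algorithms CNSA 2.0 names for software and firmware signing are hash-based, and the caveat Neely points to is that they are one-time or stateful: a signing key (or leaf) that is used twice leaks private material. The block below is an added teaching example, not code from NSA, NIAP or NewsBites, and it is not LMS or XMSS; it is a Lamport one-time signature over SHA-256, the simplest construction of the same family, written to show why the signer must track state. Do not deploy it; use a vetted implementation of an approved algorithm, exactly as Neely says. Function names and the `OneTimeSigner` wrapper are this example's own.

```python
import hashlib
import secrets

HASH = hashlib.sha256
N = 256  # digest bits; one (secret, secret) pair per bit of the message digest


def keygen():
    """Private key: N pairs of random 32-byte secrets. Public key: the hash of each secret."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _digest_bits(msg):
    """Bits of SHA-256(msg), most significant first, as a list of 0/1."""
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg):
    """Reveal, for each digest bit, the secret of the matching half of that pair."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def verify(pk, msg, sig):
    """Hash each revealed secret and compare with the public half selected by the digest bit."""
    if len(sig) != N:
        return False
    bits = _digest_bits(msg)
    return all(HASH(s).digest() == pk[i][bits[i]] for i, s in enumerate(sig))


def revealed_pairs(msg1, msg2):
    """Positions whose digest bits differ between two messages.

    Signing both with the same key reveals BOTH secrets at these positions,
    so an attacker can forge any message whose digest matches the leaked
    halves. This is the cost of losing signer state.
    """
    b1, b2 = _digest_bits(msg1), _digest_bits(msg2)
    return [i for i in range(N) if b1[i] != b2[i]]


class OneTimeSigner:
    """Enforces the one-time rule: a second sign() call is refused rather than honoured."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg):
        if self.used:
            raise RuntimeError("one-time key already used; reuse would leak private key halves")
        self.used = True
        return sign(self.sk, msg)


if __name__ == "__main__":
    signer = OneTimeSigner()
    image = b"firmware-v1.bin contents"  # constructed stand-in for a firmware image
    sig = signer.sign(image)
    print("valid:", verify(signer.pk, image, sig))
    print("tampered valid:", verify(signer.pk, image + b"x", sig))
    print("pairs leaked if the key signed a second image:",
          len(revealed_pairs(image, b"firmware-v2.bin contents")))
```

Real stateful hash-based schemes (LMS, XMSS) use a tree of such one-time keys so one public key covers many signatures, but the signer still has to persist "which leaf have I used" across reboots, backups and HSM failover; that operational requirement is the caveat to read before choosing them for a signing service.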

2022-09-08

Lazarus Hacking Group Targeting Energy Companies in US, Canada, and Japan

The North Korean state-sponsored hacking group known as Lazarus has launched a campaign to steal sensitive information from computer networks of energy providers in the US, Canada, and Japan. Researchers from Cisco Talos say the hackers are exploiting Log4j vulnerabilities in VMware Horizon servers to access the targeted networks.

Editor's Note

What is new is that a new implant “MagicRAT” is being deployed three days before the deployment of their previously known VSingle malware. The entry point remains vulnerable services, such as unpatched VMware Horizon servers vulnerable to Log4Shell, which have, in this case, patches for the flaw. Yes, it’s a bummer getting downtime to patch these services, but it’s far better than the dust-up if you’re compromised. Yes, your internal network is safer than Internet exposed services, and it’s too risky to assume hackers can’t penetrate your perimeter. Core capabilities in the Lazarus toolkit include disabling endpoint protection and other mitigations you’ve deployed to detect and prevent compromise.

Lee Neely

2022-09-07

HP Support Assistant Vulnerability Fixed for 9.x

HP has made available an updated version of its Support Assistant tool to address a high severity flaw that could be exploited to gain elevated privileges on vulnerable systems. Support Assistant comes pre-installed on HP laptop and desktop computers, as well as on Omen devices. The flaw is a DLL hijacking issue that occurs when Support Assistant launches Performance Tune-up. HP recommends that users upgrade to the latest 9.x release of Support Assistant; HP will not be making a fix available for version 8.x.

Editor's Note

Make sure that you are keeping any OEM provided software updated if your imaging processes don’t remove it. Also scan for re-introduction. The HP Support Assistant CVE-2022-38395 has a CVSS 3.0 score of 8.2, in part as the tool is already running with system privileges. The attack, while simple to exploit, requires a foothold on a system prior to exploitation, which provides some cushion; don’t sit on forcing the update.

Lee Neely

2022-09-08

CISA Adds 12 More Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a dozen security flaws to its Known Exploited Vulnerabilities (KEV) catalog. The issues affect products from Google, D-Link, QNAP, Apple, MikroTik, Oracle, Fortinet, Netgear, and Android. All 12 vulnerabilities have mitigation deadlines of September 29, 2022.

Editor's Note

We've talked about some of these previously, but don’t overlook the others. Note that the D-Link and Netgear updates relate to end-of-life products. Make sure you’re actively replacing and excessing them. While they still work, the flaws also still work, which does nobody a favor if pressed back into service. Make sure that you wipe the firmware prior to recycling/disposal.

Lee Neely
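Twelve additions with a single due date is the routine case; the work is turning the catalog into a dated worklist scoped to the vendors you actually run, and, as Neely notes, spotting the entries whose required action is "retire the product" rather than "patch it". The script below is an added example, not CISA tooling: it reads the KEV feed's JSON structure (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate` are those of the real feed) from an embedded, constructed sample whose CVE identifiers are dummy placeholders, not real CVE numbers, and whose dates and wording are made up for the example. The end-of-life detection is a text heuristic of this example's own, not a field the feed provides.

```python
import json
from collections import defaultdict
from datetime import date, timedelta

# Constructed stand-in for the CISA KEV JSON feed. Real field names, but the
# CVE IDs are dummy placeholders and the entries are not actual catalog items.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Sample catalog (constructed for this example)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "D-Link", "product": "Router (example)",
         "dateAdded": "2022-09-08", "dueDate": "2022-09-29",
         "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use."},
        {"cveID": "CVE-0000-0002", "vendorProject": "Netgear", "product": "Router (example)",
         "dateAdded": "2022-09-08", "dueDate": "2022-09-29",
         "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use."},
        {"cveID": "CVE-0000-0003", "vendorProject": "QNAP", "product": "NAS (example)",
         "dateAdded": "2022-09-08", "dueDate": "2022-09-29",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0004", "vendorProject": "Microsoft", "product": "Windows (example)",
         "dateAdded": "2022-08-15", "dueDate": "2022-09-05",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0005", "vendorProject": "Apple", "product": "iOS (example)",
         "dateAdded": "2022-09-08", "dueDate": "2022-10-20",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

EOL_MARKERS = ("end-of-life", "end of life", "disconnected if still in use")


def load_kev(text):
    """Parse the feed and attach a real date object to each entry for comparisons."""
    entries = json.loads(text)["vulnerabilities"]
    for e in entries:
        e["due"] = date.fromisoformat(e["dueDate"])
    return entries


def due_within(entries, today, days):
    """Entries due on or before today+days, including anything already overdue."""
    horizon = today + timedelta(days=days)
    return [e for e in entries if e["due"] <= horizon]


def overdue(entries, today):
    return [e for e in entries if e["due"] < today]


def for_vendors(entries, inventory_vendors):
    """Keep only vendors present in your asset inventory (case-insensitive match)."""
    wanted = {v.lower() for v in inventory_vendors}
    return [e for e in entries if e["vendorProject"].lower() in wanted]


def mentions_eol(entry):
    """Heuristic: the required action says to retire the device rather than patch it."""
    text = entry["requiredAction"].lower()
    return any(marker in text for marker in EOL_MARKERS)


def by_vendor(entries):
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["vendorProject"]].append(e["cveID"])
    return dict(grouped)


def worklist(text, today, days, inventory_vendors):
    """Dated, vendor-scoped worklist: what is due soon, what is late, what must be retired."""
    mine = for_vendors(load_kev(text), inventory_vendors)
    soon = due_within(mine, today, days)
    return {
        "due_soon": by_vendor(soon),
        "overdue": [e["cveID"] for e in overdue(mine, today)],
        "retire": [e["cveID"] for e in soon if mentions_eol(e)],
    }


if __name__ == "__main__":
    today = date(2022, 9, 9)  # the issue date of this newsletter, used as the reference day
    inventory = ["D-Link", "Netgear", "QNAP", "Microsoft"]  # assumed vendor list
    print(json.dumps(worklist(SAMPLE_KEV_JSON, today, 21, inventory), indent=2))
```

Point `load_kev` at the downloaded catalog file instead of the embedded sample and feed it your real vendor list; the `retire` list is the set Neely is talking about, where "apply the update" is not an available action and the only fix is to pull the device and wipe it before disposal.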

Internet Storm Center Tech Corner

Analyzing Obfuscated VBS with CyberChef

https://isc.sans.edu/diary/Analyzing+Obfuscated+VBS+with+CyberChef/29028


PHP Deserialization Exploit Attempt

https://isc.sans.edu/diary/PHP+Deserialization+Exploit+attempt/29024


Analysis of an Encoded Cobalt Strike Beacon

https://isc.sans.edu/diary/Analysis+of+an+Encoded+Cobalt+Strike+Beacon/29014


pfBlockerNG Unauthenticated RCE

https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/


GIFShell attack creates reverse shell using Microsoft Teams GIFs

https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/


TA505 Group's TeslaGun In-Depth Analysis

https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-analysis


Cisco Publishes Unpatched Small Business Router Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-vpnbypass-Cpheup9O


Shikitega - New stealthy malware targeting Linux

https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html


EvilProxy Phishing-As-A-Service with MFA Bypass

https://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web


Zyxel Patches RCE Vulnerability

https://www.zyxel.com/support/Zyxel-security-advisory-for-format-string-vulnerability-in-NAS.shtml


Moobot Going after D-Link Devices

https://unit42.paloaltonetworks.com/moobot-d-link-devices/