SANS NewsBites

iOS 16 Lockdown Mode and Safety Check; Cisco Won't Release Patches for EoL Routers; Microsoft (and Others) to Require Token-Based Authentication

September 13, 2022  |  Volume XXIV - Issue #71

Top of the News


2022-09-12

New Security Features in iOS 16

Apple has released iOS 16, which includes two new security features: Lockdown Mode and Safety Check. Lockdown Mode is meant to be used by individuals with especially high concerns about being targeted by commercial spyware, like NSO Group’s Pegasus. It “strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.” Lockdown Mode significantly limits the functionality of the device. Safety Check is meant to be used by people who are in immediate danger of domestic abuse. It gives users access to several controls in one place, allowing them to revoke permissions to location data and other information.

Editor's Note

Apple's updates yesterday (see story below) fixed a number of security vulnerabilities, one of which was already exploited in the wild. Apple made updates available for iOS 15 as well as 16, so you are not forced to update to take advantage of the bug fixes. Features like Lockdown may provide substantial security benefits, but realize they come at the cost of limiting functionality.

Johannes Ullrich

Lockdown mode, available in iOS 16, iPadOS 16, and macOS 13 (Ventura), is intended for VIPs who would be targets of a nation state attack traveling in risky areas. The controls would likely be unacceptable full time. They could be part of your baseline configuration for a loaner pool of devices used on foreign travel, but don’t overlook those demanding to take their regular device and not use a loaner. The Safety Check (under Settings, Privacy & Security) allows you to manage sharing and access. Take a few minutes to review (and possibly update) what you’re sharing with others, the services you’ve granted applications access to, and the devices logged into your Apple ID. The learn more option on the Safety Check main screen provides information on using the service and what it does, which you should familiarize yourself with prior to being in a situation where you need to make changes.

Lee Neely

I’m a huge fan of both of these features. Lockdown is one of the very first vendor solutions that trades security for functionality, a trade-off I think more people will be interested in than Apple might perceive. Safety Check is one I did not even know was coming, and applaud Apple. There is actually a 3rd BIG security feature called by Apple Passkeys, which turns your Apple devices into a FIDO device, enabling phishing resistant, biometric based MFA. In other words, you may not even need passwords anymore as your device is your authentication.

Lance Spitzner

I expect the use of both of these features to be sparse. However, the existence of these two features illustrates how important to our daily lives the mobile computer has become.

William Hugh Murray

2022-09-07

Cisco Releases Fixes for Three Flaws, Won’t Patch Vulnerability in Older Routers

While Cisco released updates to fix three vulnerabilities in its products, the company says it will not be patching a VPN-hijacking vulnerability that affects four of its small business routers because they have reached End of Life (EoL). Cisco urges customers still using the older routers to upgrade; there are no workarounds for the vulnerability in the affected devices.

Editor's Note

It is very important to track the end of life/end of support of hardware and software you are using. Cisco at least still releases notices alerting users of new vulnerabilities. Other vendors may just go silent after their products reach end of support.

Johannes Ullrich

If you're using the RV100W, RV130, RV130W or RV215W router/firewalls, it’s time to forklift them out of there. Even if you’re not using the IPSec VPN network on these (and therefore not vulnerable to these issues), they are end-of-life and other security updates will not be forthcoming.

Lee Neely

The smaller the number of appliances that one manages, the less efficient it is to patch one. For small numbers of old devices, the cost of maintenance is likely to exceed the cost of replacement.

William Hugh Murray

2022-09-09

Microsoft Will Soon Require Token-Based Authentication for Exchange Online

In less than one month, Microsoft will turn off basic authentication, in which a client sends a username and password with every request rather than a token, for the Exchange Online service. As of October 1, 2022, users will be required to employ token-based authentication to access their accounts. Other cloud providers are making similar changes: Google has already moved 150 million users to two-factor authentication, and Rackspace will stop allowing cleartext email protocols by the end of the calendar year.

Editor's Note

Microsoft has provided diagnostic tools to help analyze specific issues with disabling basic authentication. You can have a specific service re-enabled by opening a support ticket, but that only buys you until January 2023, when the change becomes permanent. Even if Microsoft moves that date, don’t let off the gas on preparing to use MFA for your EXO access; you want to be prepared and tested before the ability to revert changes is removed. Enabling MFA for EXO includes configuring a window of how frequently you wish to re-verify users (e.g., every 30 or 60 days), which reduces the impact of this change. If you’re using MS365 with a separate IDP, make sure that you understand the change to that IDP behavior.

Lee Neely

Better late than never. I am of the opinion that all software vendors should ship products with secure configurations by default and allow the customer to make changes if they must/really need to.

Jorge Orchilles

These are very welcome moves by all the providers covered in this article. However, security should be the default setting for many of the cloud services and one that is included in all subscription levels, not just at premium subscriptions.

Brian Honan
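Before October 1 the practical question is which accounts still have a working basic-auth client. The script below, added here as an example and not code from the SANS page or from Microsoft, triages a sign-in log export for exactly that. It assumes entries shaped like the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, status.errorCode); the JSON-lines entries and the contoso.example accounts are constructed, and the rule that only "Browser" and "Mobile Apps and Desktop clients" count as modern-auth clients is the one Microsoft's legacy authentication sign-ins workbook applies.

```python
"""Find accounts still signing in to Exchange Online with basic (legacy) auth.

Added example for the story above; not code from the SANS page or from
Microsoft. Field names follow the Microsoft Graph `signIn` resource
(userPrincipalName, appDisplayName, clientAppUsed, status.errorCode);
the JSON-lines entries in SAMPLE_SIGNINS are constructed.
"""
import json
from collections import defaultdict

# Assumption: every clientAppUsed value other than these two is a legacy
# protocol that only works with basic auth (IMAP4, POP3, ActiveSync,
# Authenticated SMTP, EWS, ...). This is the rule Microsoft's legacy
# authentication sign-ins workbook applies.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (one JSON object per line).
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "ipAddress": "198.51.100.22", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "OfficeHome", "clientAppUsed": "Browser", "ipAddress": "198.51.100.23", "status": {"errorCode": 0}}
{"userPrincipalName": "scanner@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "ipAddress": "192.0.2.5", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3", "ipAddress": "203.0.113.44", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "ipAddress": "198.51.100.22", "status": {"errorCode": 0}}
"""


def parse_signins(jsonl):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_legacy_auth(entry):
    """True when the sign-in came through a client that cannot use modern auth."""
    return entry.get("clientAppUsed", "Unknown") not in MODERN_AUTH_CLIENTS


def legacy_auth_report(entries, include_failures=False):
    """Map each account to {clientAppUsed: count} for its legacy sign-ins.

    Successful sign-ins (errorCode 0) are the ones that will break on
    October 1. Failed ones are included only on request: they are usually
    password-spraying noise rather than a working client.
    """
    report = defaultdict(lambda: defaultdict(int))
    for entry in entries:
        if not is_legacy_auth(entry):
            continue
        failed = entry.get("status", {}).get("errorCode", 0) != 0
        if failed and not include_failures:
            continue
        report[entry["userPrincipalName"]][entry["clientAppUsed"]] += 1
    return {upn: dict(clients) for upn, clients in report.items()}


def accounts_needing_remediation(entries):
    """Sorted list of UPNs with at least one successful legacy sign-in."""
    return sorted(legacy_auth_report(entries))


if __name__ == "__main__":
    entries = parse_signins(SAMPLE_SIGNINS)
    for upn, clients in legacy_auth_report(entries).items():
        print(upn, clients)
```

Alice shows up even though she also uses a modern client, because her IMAP4 sign-in means some mail program of hers will stop working; the service account using Authenticated SMTP is the kind of dependency that is easy to miss until a relay breaks.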

The Rest of the Week's News


2022-09-12

Study: Breakthrough Factors for Women Working in Technology

A study from Girls Who Code and Logitech surveyed 400 tech and IT workers about what factors are most important in women deciding to pursue a computer science career. The study identified the five most influential breakthrough factors: having a mentor early on; having passion for the work; a job that makes meaningful contributions to society; access to communities of women in the field; and support from male colleagues.

Editor's Note

Read the PDF to understand what they mean by these five breakthrough factors. This is not just treating everyone the same, it also means understanding how they differ to help them achieve greatness. Engaging and supporting future workers early on, e.g., high school or earlier, is important. Share your passion and enthusiasm, don’t be patronizing, and provide support and opportunities irrespective of gender. If you think you’re doing these, ask your younger workers for brutal feedback, and make adjustments as needed.

Lee Neely

2022-09-12

Apple Releases Updates for Zero-Day Flaws

On Monday, September 12, Apple released updates to address vulnerabilities in Safari, macOS, iOS, iPadOS, tvOS, and watchOS. Apple notes that it “is aware of a report that this issue may have been actively exploited.” The vulnerability, which affects iOS and iPadOS, could be exploited to execute arbitrary code with kernel privileges.

Editor's Note

The 11 CVEs are addressed both in iOS/iPadOS 15.7 and iOS 16. iOS 16 is only available for the iPhone 8 or newer at this time, so you may want to push out 15.7 until you’re certain your fleet of devices can all run 16. If you still have devices hanging out on iOS 14, it's time to move them to at least 15 as iOS 14 support is expected to end with the release of iOS 16. Don’t overlook the updates to watchOS, Safari and macOS. Note that Apple Watch series 4 or later is required for watchOS 9.

Lee Neely

2022-09-12

CISA RFI on Cyber Incident Reporting Requirements for Critical Infrastructure

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a request for information (RFI) seeking input on proposed cyber incident reporting regulations for critical infrastructure. CISA is soliciting input as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which “directs CISA to develop and oversee implementation of regulations requiring covered entities to submit to CISA reports detailing covered cyber incidents and ransom payments.” CISA has also scheduled a series of public listening sessions across the country. CISA will accept comments through November 14, 2022.

Editor's Note

Don’t think of this as a one-way street. While rapid reporting to CISA can help provide them overall situational awareness, CISA also has resources you, as taxpayers, can leverage when you need them. Read the proposed legislation and consider your barriers to participation, then let CISA know how those could be addressed. Don’t sit on your feedback; November 14th will arrive faster than you may think. The links from the Federal Register below include both information on how to provide feedback as well as where you can find the public listening sessions.

Lee Neely

2022-09-09

NHTSA Notice of Final Version of Cybersecurity Best Practices for the Safety of Modern Vehicles

The US National Highway Traffic Safety Administration (NHTSA) has published the final version of its Cybersecurity Best Practices for the Safety of Modern Vehicles in the Federal Register. The guidelines offer recommendations for industry in the areas of cybersecurity best practices, education, aftermarket/user-owned devices, serviceability, and technical vehicle cybersecurity best practices. They incorporate comments made in response to the draft version of the guidance that was released in January 2021.

Editor's Note

Now vehicle, OEM, and after-market accessory manufacturers need to incorporate these best practices which will take time. It will be interesting to see if further steps to add consequences for failing to incorporate adequate cybersecurity practices are taken.

Lee Neely

2022-09-12

Zero-Day Vulnerability in BackupBuddy WordPress Plugin

iThemes, the developer of the BackupBuddy plugin for WordPress, has released an updated version of the plugin that fixes an actively exploited directory traversal vulnerability. The flaw allows unauthenticated users to download arbitrary files from vulnerable sites. The issue affects BackupBuddy versions 8.5.8.0 to 8.7.4.1. iThemes has made BackupBuddy version 8.7.5 available to all site owners “regardless of licensing status.” BackupBuddy has been installed an estimated 140,000 times.

Editor's Note

You already checked to make sure that you're running the current version of BackupBuddy (8.7.5) or removed it because it’s no longer needed. It's OK, I’ll wait. Now, double check your WAF protections for directory traversal and file inclusion rules are in place. Incorporate the IOCs from the Wordfence blog into your IP blocklist. What was that? You don’t have a WAF in front of your WordPress site? The easy button is to pick up one designed for WordPress (like Wordfence), then subscribe to updates for immediate access to protections against current threats. Note you’re going to quickly eclipse that subscription cost cleaning up from one successful exploit.

Lee Neely
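Two things worth seeing in code for this story: why a download handler that concatenates a user-supplied filename onto a directory is exploitable and what the containment check looks like, and what the traversal probes Lee mentions look like in an access log, including the URL-encoded forms that a naive `../` string match misses. The block below is an added example, not BackupBuddy's code and not the fix iThemes shipped; the plugin path, the `file` query parameter and the Apache-format log lines are constructed for illustration.

```python
"""Directory traversal in a file-download endpoint: naive path handling
beside a hardened resolver, and a detector for traversal attempts in
web server access logs.

Added example for the story above. It is not BackupBuddy's code and not
the fix iThemes shipped; the plugin path, the `file` query parameter and
the access-log lines are constructed for illustration.
"""
import os
import re
from pathlib import Path
from urllib.parse import unquote


def naive_download_path(backup_dir, requested):
    """Vulnerable: '..' segments and absolute paths escape backup_dir."""
    return os.path.join(backup_dir, requested)


def safe_download_path(backup_dir, requested):
    """Return the resolved path if it stays inside backup_dir, else None.

    resolve() canonicalises '..' and follows symlinks, so a symlink inside
    backup_dir that points outside is rejected too. Existence and is_file
    checks belong after this containment check, not instead of it.
    """
    if "\x00" in requested:  # a null byte would truncate the path in C code
        return None
    base = Path(backup_dir).resolve()
    candidate = (base / requested).resolve()  # an absolute `requested` replaces base
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # escaped the backup directory
    return candidate


# '..' followed by a separator, checked after single and double URL decoding.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/?&=])\.\.[\\/]")
# Apache combined log: client IP, then the quoted "METHOD target HTTP/x" field.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def is_traversal_attempt(raw_target):
    """True for ../, ..%2f, %2e%2e/ and double-encoded %252e%252e%252f forms."""
    decoded = unquote(unquote(raw_target))
    return TRAVERSAL_RE.search(decoded) is not None


def flag_traversal_requests(access_log):
    """Return (ip, request target) for each log line that looks like traversal."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed log lines: 203.0.113.5 probes a hypothetical plugin endpoint,
# 198.51.100.7 is ordinary traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Sep/2022:10:01:02 +0000] "GET /wp-content/plugins/example-backup/download.php?file=../../../../wp-config.php HTTP/1.1" 200 2210 "-" "curl/7.68.0"
198.51.100.7 - - [12/Sep/2022:10:01:05 +0000] "GET /wp-content/uploads/2022/09/report.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2022:10:01:09 +0000] "GET /wp-content/plugins/example-backup/download.php?file=..%2f..%2f..%2f..%2f.htaccess HTTP/1.1" 200 410 "-" "curl/7.68.0"
198.51.100.7 - - [12/Sep/2022:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Sep/2022:10:01:15 +0000] "GET /wp-content/plugins/example-backup/download.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    print(naive_download_path("/srv/wp/backups", "../../../etc/passwd"))
    print(safe_download_path("/srv/wp/backups", "../../../etc/passwd"))
    for ip, target in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(ip, target)
```

The containment check is done on the resolved path rather than by stripping `..` from the input, because stripping is what attackers bypass with encodings and mixed separators; the detector decodes twice for the same reason, so the `%252e` probe on the last log line is caught even though the server returned 403 for it. Hits from the same IP against a file it has no business requesting are what go into the blocklist.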

2022-09-12

HC3 Brief on Emerging Technology Implications for Healthcare Cybersecurity

The US Department of Health and Human Services (HHS) Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) have published a brief about emerging technology’s security implications for the health sector. The document addresses artificial intelligence, 5G cellular technology, nanomedicine, smart hospitals, and quantum computing.

Editor's Note

As technology becomes more useful in supporting decisions, particularly autonomous ones, the data which drives those decisions as well as the access to that data needs to be adequately protected. Consider that devices are able to effectively be on-line continuously, e.g. 5G, and those external developments, like Quantum computing, will continue to raise the bar on data protection. The basics will still apply: information should, ideally, be encrypted at rest with (MFA) access to only devices and users authorized to access that data. Keep data only as long as is necessary, and consider offline archive copies. Know which data is where and why. Make sure you are properly de-identifying data when sharing.

Lee Neely

Healthcare is struggling with current technology. Special care must be exercised in adopting the novel.

William Hugh Murray

2022-09-12

Texas Hospital Recovering From Ransomware Attack

OakBend Medical Center in Richmond, Texas is operating under electronic health record (EHR) downtime in the wake of a September 1 ransomware attack. The facility is bringing their “clinical systems back online in a controlled, systematic environment,” and has continuing phone and email issues.

Editor's Note

Be prepared for collateral damage, such as your phone or email being offline, when recovering from a ransomware attack. Make sure that your business continuity plans are updated and regularly tested. Double check that your recovery times are both achievable and acceptable by senior management. Double check that you’re limiting lateral movement, both by segmentation and access controls, to reduce the need to proactively take everything offline after an attack. Make sure your rolodex includes verified contacts for not only helping with recovery but also investigation and reporting before you need them.

Lee Neely

Healthcare continues to be plagued by ransomware. It is hard to know whether this is because they are being specifically targeted or because they are vulnerable. However, the impact on EHR is because these systems are not sufficiently isolated from the public networks. Where such systems do use the public networks, they must be protected by end-to-end encryption and application aware firewalls.

William Hugh Murray

Internet Storm Center Tech Corner

VirusTotal Result Comparisons for Honeypot Malware

https://isc.sans.edu/diary/VirusTotal+Result+Comparisons+for+Honeypot+Malware/29040


Malware Abusing File Exchange Site

https://isc.sans.edu/diary/Phishing+Word+Documents+with+Suspicious+URL/29034


Apple Patches

https://support.apple.com/en-us/HT201222


Let's Encrypt Reviving Certificate Revocation Lists

https://letsencrypt.org/2022/09/07/new-life-for-crls.html


Bypassing GitHub Required Reviewers to Submit Malicious Code

https://www.legitsecurity.com/blog/bypassing-github-required-reviewers-to-submit-malicious-code


Crimeware Trends: Ransomware Developers Turn to Intermittent Encryption

https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/


Lorenz Ransomware Group Cracks MiVoice and Calls Back For Free

https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/