SANS NewsBites

Check Backup Processes If Outsourced/Cloud Services Are Compromised; A New Command-and-Control Framework Detected; Physicians Can Be Prosecuted for HIPAA Violations

October 14, 2022  |  Volume XXIV - Issue #80

Top of the News


2022-10-13

CommonSpirit Acknowledges Cyber Incident as Ransomware

US hospital network CommonSpirit Health is still struggling to get its IT systems up and running more than a week after they became infected with ransomware. Hospitals are still experiencing IT outages and disruptions to appointments. The attack began around October 3.

Editor's Note

Years ago, all businesses learned that if the power went out in the data center, business stopped. Backup power or facilities were required and became common. Once those were in place, the first power outage pointed out another important requirement: regular testing of switching over to backup mechanisms. These days outsourced (mostly cloud) services are the “new electricity” and those backup processes *and* testing of those processes are needed to reduce the impact that CommonSpirit’s customers are reporting.

John Pescatore

Are you prepared to selectively take affected systems offline after an attack to rebuild them? Do you know the interdependencies of such actions? Can you reconcile transactions on connected systems? Dependency mapping, particularly in mature environments can be incredibly difficult, and may necessitate a response posture of taking large numbers of components offline rather than surgically addressing one at a time. Take a lead from actions taken during maintenance windows, typically based on lessons learned, for planning your approach.

Lee Neely

2022-10-13

Alchimist Command-and-Control Framework

Researchers at Cisco Talos Intelligence have detected a new command-and-control framework, Alchimist [sic], which is designed to target machines running Windows, Linux, and macOS. Talos researchers also discovered an associated remote-access trojan (RAT) called Insekt. “Cisco Talos assesses with moderate-high confidence that this framework is being used in the wild.”

Editor's Note

Kudos to Talos as this is the second C2 they have identified in the wild. We have added them to the C2 Matrix, which is now tracking 110 C2s: https://www.thec2matrix.com/

Jorge Orchilles

The Alchimist C2 servers pass instructions to the Insekt implant to execute them on Windows and Linux systems. macOS systems must have a previously installed Mach-O file that contains the exploit for CVE-2021-4034 (Polkit's pkexec utility); note that the flawed version must pre-exist for the exploit to work. Alchimist is intended as an all-in-one attack framework which avoids detection, is high-quality, rich in features, and is good for dropping implants on targets. These frameworks also make it easier for attackers to hide by blending in with other malicious traffic, avoiding specific attribution.

Lee Neely

2022-10-12

Former Doctor Pleads Guilty to HIPAA Violation

A former physician has pleaded guilty to violating the US Health Insurance Portability and Accountability Act (HIPAA). Frank Alario pleaded guilty “to conspiring to wrongfully disclose patients’ individually identifiable health information to pharmaceutical sales representative Keith Ritson in violation of the criminal provisions of the Health Insurance Portability and Accountability Act (HIPAA).” Ritson is scheduled to face trial in late November.

Editor's Note

Two issues of note with this one: (1) This was essentially undetected insider fraud – the physician allowed the sales rep to use his account for a long time to access sensitive information in a way that was probably well outside the normal behavior profile of physician access. This should have been a low false positive detection for any user behavior analysis. (2) Direct criminal prosecution of HIPAA violations has not happened often but can and does. Making sure management is aware of (2) can help justify the need for being able to do (1) in healthcare systems.

John Pescatore

The information was leveraged to determine which patients had insurance that would cover the non-FDA approved compound medications sold by Ritson’s company, and when authorized, Alario received commissions and other benefits. Alario granted access to patient records beyond the levels allowed to staff, and introduced Ritson to patients as an affiliate or employee of the practice. While it’s not clear if Ritson was simply allowed to use the computer with Alario’s credentials, it is clear that he was permitted free access to digital and physical records beyond regular office hours. While it’s tough to stop someone surrendering their credentials, or just handing over control once logged in, it is possible to monitor access for anomalous patterns. Track access to sensitive information, particularly outside business hours. Make sure that you have sufficient separation of duties, limiting who can grant permission to information, and consider multi-person rules. Closely monitor changes to access controls on sensitive information.

Lee Neely
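
The monitoring suggested in the note above (after-hours record access, unusual volume per user, and changes to access grants), worked through as an added illustration that is not part of the newsletter: the log format, user names, business-hours window and thresholds are all constructed assumptions, not any real EHR product's audit schema.

```python
"""After-hours, volume and access-grant checks over constructed EHR audit lines.
Field layout, user names and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2022-09-12T09:14:00,physician_a,P1001,VIEW
2022-09-12T10:02:00,physician_a,P1002,VIEW
2022-09-12T21:40:00,physician_a,P1003,VIEW
2022-09-12T21:41:00,physician_a,P1004,VIEW
2022-09-12T21:43:00,physician_a,P1005,VIEW
2022-09-12T21:45:00,physician_a,P1006,EXPORT
2022-09-12T11:05:00,nurse_b,P1001,VIEW
2022-09-12T22:10:00,admin_c,P1007,GRANT_ACCESS
"""

BUSINESS_HOURS = (7, 19)        # assumed: 07:00-19:00 local time, Mon-Fri
DAILY_PATIENT_BASELINE = 3      # assumed: distinct patients/day before alerting
SENSITIVE_ACTIONS = {"EXPORT", "GRANT_ACCESS"}   # always worth a review

def parse_log(text):
    """Turn the CSV-style lines into (datetime, user, patient, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events

def is_after_hours(ts):
    """Weekend, or a weekday hour outside the assumed business window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def find_anomalies(events):
    """Return a sorted list of (rule, user, detail) findings for review."""
    findings = []
    per_day = defaultdict(set)   # (user, date) -> distinct patients touched
    for ts, user, patient, action in events:
        per_day[(user, ts.date())].add(patient)
        if is_after_hours(ts):
            findings.append(("after_hours", user, f"{action} {patient} at {ts.isoformat()}"))
        if action in SENSITIVE_ACTIONS:
            findings.append(("sensitive_action", user, f"{action} {patient}"))
    for (user, day), patients in per_day.items():
        if len(patients) > DAILY_PATIENT_BASELINE:
            findings.append(("volume", user, f"{len(patients)} distinct patients on {day}"))
    return sorted(findings)
```

Each rule is deliberately simple so that the findings can be explained to a manager; in practice the baseline would be learned per role rather than fixed.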

The Rest of the Week's News


2022-10-11

Microsoft’s October Patch Tuesday Does Not Include Fix for ProxyNotShell Vulnerability

Microsoft’s October Patch Tuesday updates include fixes for two zero-day vulnerabilities and a critical privilege elevation and remote code execution flaw in Azure that received a CVSS rating of 10.0. One of the zero-days, a privilege elevation vulnerability in the Windows COM+ Event System Service, is being actively exploited. Notably, the release does not include fixes for the pair of Exchange Server vulnerabilities known as ProxyNotShell. In all, the October update includes fixes for 85 CVEs.

Editor's Note

One would hope that the Exchange patch would have been included. At least Microsoft has added an RSS feed to their Security Update Guide to facilitate tracking this particular issue (see story below). As to the monthly update, most of the flaws there are elevation of privilege bugs. Don’t forget to look to your Adobe security feeds as well. They just released updates to address 29 vulnerabilities in Acrobat and Reader, Commerce, Magento, and ColdFusion.

Lee Neely

Not a routine fix. Likely to be distributed out of cycle when ready.

William Hugh Murray

2022-10-12

Microsoft Adds New RSS Feed to Security Update Guide

Microsoft has added a new RSS feed to its Security Update Guide (SUG) to keep users apprised of security update notifications as they arise. RSS will notify when Microsoft adds a new CVE to the Security Update Guide. Microsoft has also moved to a new system for sending email notifications; users must now “create profiles in the SUG and to sign up for the new Azure-based service.”

Editor's Note

The RSS feed for the SUG is https://api.msrc.microsoft.com/update-guide/rss (which is also on the SUG web page) and is available now. The move to the new SUG from the old email advisory system finished in September; follow the instructions to create your profile to join the new system. Incorporate the RSS feed into systems where you want real-time information. You'll need an RSS feed reader, either a desktop app, mobile app, or browser plugin. No account is needed to follow the RSS feed.

Lee Neely

2022-10-12

White House Looks to Improve Cybersecurity on Several Fronts, Including IoT Labeling Effort

Later this month, the Biden administration “will bring together companies, associations and government partners to discuss the development of a label for Internet of Things (IoT) devices so that Americans can easily recognize which devices meet the highest cybersecurity standards to protect against hacking and other cyber vulnerabilities.” The effort is listed in an October 11 White House fact sheet on the administration’s focus on strengthening the country’s cybersecurity. The White House will also be meeting with “international partners” at the end of this month “to accelerate and broaden this joint work” of the International Counter-Ransomware Initiative.

Editor's Note

Many good initiatives listed, but of course press releases are like sailboats – progress takes powerful wind to see actual progress. Two good things in there: (1) I would really like to see this statement lived up to by the US government: “Strengthening the Federal Government’s cybersecurity requirements, and raising the bar through the purchasing power of government.” The government demanding higher levels of security in the products and services they procure is the single most powerful way they can drive a major reduction in vulnerabilities; and (2) There is a long history around fire resistant material standards where independent organizations like UL Labs worked with government agencies like NIST and industry associations to make sure that a wide variety of flammable “things” were much safer. This all succeeded because the government didn’t try to dictate standards; it worked with private industry to make sure that procurements and use of flammable “things” had to include compliance with the industry standards. Today, in the Internet of Things, there are already some meaningful standards efforts, like Connectivity Standards Alliance-IoT, which have some big names on board: Amazon, Apple, Google, Samsung, etc. If the US government put its buying power behind some consensus standards, the bar for IoT security would be raised.

John Pescatore

My concern with the IoT label is that it may not remain compliant continuously; what’s needed is a code users can scan to verify current status online, as other countries have done.

Lee Neely

Labeling will be a great help. One of the things that a label should include is the environment in which the device is intended to be used, and specifically whether it is intended to be attached to the public networks. Devices like cameras and some medical devices that are intended to attach directly to the public networks have different requirements than those like baby monitors or smart TVs that are intended to be connected only to local area networks.

William Hugh Murray

2022-10-14

Australian Medical Insurer Medibank Discloses Cyberattack

Australian private medical insurer Medibank has acknowledged that it was the victim of a cyber intrusion and data compromise. In an update, Medibank writes, “we … have successfully taken offline the ahm and international student policy systems and its data, and we are in the process of methodically and safely restarting the systems.”

Editor's Note

Medibank has set up a status page with information and updates for customers (first link below) and has sent over 2.8 million email and text messages (where preferred) to Medibank and ahm customers. They have engaged the Australian Cyber Security Centre, regulators, and others to assist with the agency and comms. Keep an eye on the status page as things progress and services are restored.

Lee Neely

2022-10-12

CISA Adds Fortinet Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Fortinet authentication bypass vulnerability (CVE-2022-40684) to its Known Exploited Vulnerabilities catalog. CISA has also added a Microsoft Windows COM+ Event System Service privilege elevation vulnerability (CVE-2022-41033) to the catalog; Microsoft released a fix for the flaw earlier this week. Both vulnerabilities have mitigation due dates of November 1.

Editor's Note

While not a lot about the Fortigate flaw is disclosed, note that not only should you apply their provided update, but also limit access to administration interfaces. Make sure that you’re not exposing any management interfaces directly to the Internet. If you don’t find them, Shodan will.

Lee Neely

2022-10-13

Symantec: Cyberespionage Actors with Ties to China Exploited Log4j Vulnerabilities to Gain Access to Networks

Researchers at Symantec have published a report detailing a cyber espionage campaign that has targeted the government of a Middle Eastern country, a multinational electronics manufacturer, and a US State Legislature. The hacking group, which Symantec calls Budworm, is believed to have ties to China’s government. Symantec notes that “In recent attacks, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) to compromise the Apache Tomcat service on servers in order to install web shells. The attackers used Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C&C) servers.”

Editor's Note

The Symantec blog includes IoCs you can incorporate into your systems to find components of this attack, preferably before any damage is done. Review the CISA aa22-277a bulletin (https://www.cisa.gov/uscert/ncas/alerts/aa22-277a) for MITRE ATT&CK techniques. CISA’s mitigations are not new ideas; they include network segmentation based on function, managing vulnerabilities and configurations, leveraging segmentation, anomalous behavior detection, and restricting use of remote administration tools.

Lee Neely

2022-10-13

Booz Allen Hamilton Report Provides Analysis of China-Related Hacks

Booz Allen Hamilton’s threat intelligence team has published a report based on their analysis of “more than a dozen case studies from the past decade [and] analyzes these attacks to reveal their logic. Finally, they created tools to help organizations prepare for this threat.” The report, Same Cloak, More Dagger: Decoding How the People's Republic of China Uses Cyberattacks, is designed to help organizations be better prepared for such attacks.

Editor's Note

As China continues to hone their skills, raising the bar, we need to also keep an eye on our prevention, detection and response capability. Prevention requires your CISO to review your supply chain resilience, strengthen information sharing with other (federal) agencies who can help in the event of a breach, conduct executive-level exercise training for response, and continuously audit for threat actor activities.

Lee Neely

Internet Storm Center Tech Corner

Microsoft October 2022 Patches

https://isc.sans.edu/diary/October+2022+Microsoft+Patch+Tuesday/29138/


Adobe October Patch Tuesday

https://helpx.adobe.com/sa_en/security/security-bulletin.html


Fortinet Guidance

https://www.horizon3.ai/fortinet-iocs-cve-2022-40684/

https://isc.sans.edu/forums/diary/Scans+for+old+Fortigate+Vulnerability+Building+Target+Lists/29142


Alchimist Offensive Framework

https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html


VM2 Sandbox Vulnerability

https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067


Private npm package disclosure

https://blog.aquasec.com/private-packages-disclosed-via-timing-attack-on-npm


Zimbra Updates

https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27#Security_Fixes


Android VPN Issues

https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic/


iOS VPN Issues

https://9to5mac.com/2022/10/12/ios-vpn-apps-2/


Aruba Patches

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt


SAP Patch Day

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors

https://www.cisa.gov/uscert/ncas/alerts/aa22-279a