SANS NewsBites

Biden Administration Moves Forward on IoT Device Security Labeling; October Patch Needed to Keep Azure Service Fabric Explorer Secure; Modern Detection Techniques Needed for Windows PowerShell Backdoor

October 21, 2022  |  Volume XXIV - Issue #82

Top of the News


2022-10-21

2022 SANS Difference Makers Awards

Nominations for the 2022 SANS Difference Makers Awards will close next week. This annual SANS initiative honors individuals and teams in the cyber security community who have made measurable and significant differences in security. Through their implementation of security processes or technology, or their own volunteer efforts, each person has raised the bar in enabling secure business operations and reducing risk. Help SANS celebrate these achievements by making a nomination. Full information can be found at https://www.sans.org/about/awards/difference-makers/

2022-10-20

White House Convenes Meeting to Discuss IoT Security Standards

Earlier this week, the White House held a “workshop” to discuss how to move forward with establishing cybersecurity standards for Internet of Things (IoT) devices. The meeting included representatives from the tech industry, government leaders, policy experts, and Consumer Reports, the non-profit consumer advocacy organization. White House officials say they expect to release the first set of standards in spring 2023.

Editor's Note

Since the direction so far is in line with my comments in Newsbites 81, I have to say this is good to see. Similar past efforts (like in fire retardant materials) succeeded where the government worked with private industry standards efforts and then used its buying power to make those standards meaningful to producers.

John Pescatore

Work is progressing to ensure the consumer product labelling is both current and relevant. For example, the label will include a barcode which allows the user to see the vendor's security practices and current state, so you can ensure the label is current. The label also includes a rating or score. The rating is derived from components such as how easy the device is to patch, encryption, and interoperability. Initially, complying with the standards will be voluntary. Note that even with a rating, sufficient information has to be provided to ensure products are deployed securely.

Lee Neely

2022-10-20

Azure Service Fabric Explorer Spoofing Vulnerability

A spoofing vulnerability affecting Azure Fabric Explorer versions 8.1.316 and earlier could be exploited to gain full admin privileges. The flaw was detected by researchers from Orca Security and was addressed earlier this month as part of Microsoft’s Patch Tuesday release.

Editor's Note

You applied the October 2022 security update already, right? Service Fabric is a platform for delivering applications, both yours and some familiar Microsoft products such as Intune, Dynamics 365, Skype for Business, Cortana, MS Power BI, etc. Service Fabric Explorer is used by Azure admins to manage and inspect nodes and cloud applications in Service Fabric. Verify you’re running the latest version of the Service Fabric Explorer (SFXv2) - the Microsoft update-guide link below has instructions. Next, review your permissions and make sure that you know who has the rights to do things such as create new applications and reset cluster nodes. Note that future updates to Service Fabric will remove the v1 SFX as well as the ability to revert to it.

Lee Neely

2022-10-19

Windows PowerShell Backdoor

Researchers from SafeBreach Labs have found a PowerShell backdoor that masquerades as part of the Windows Update process. The backdoor is being actively exploited to exfiltrate data. SafeBreach’s advisory includes a list of indicators of compromise.

Editor's Note

An interesting find, and certainly new and different, which makes it difficult to detect using legacy approaches. More modern approaches looking for unusual behaviors like connections to IPs without prior DNS activity (and connections to port 80 sending more data than they receive) should be able to spot this type of backdoor.

Johannes Ullrich
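The two behavioral heuristics in the note above (connections to IPs with no prior DNS answer, and port 80 sessions that upload more than they download), applied to constructed log records as an added example; this is not code from the newsletter or from SafeBreach, and the log format, field names and sample addresses are assumptions made for the illustration:

```python
# Added example (not from the newsletter or the SafeBreach report): apply the
# editor's two heuristics to constructed log records. The log format and the
# sample records are assumptions made for this illustration.

# Constructed: DNS answers seen by the resolver/sensor, oldest first.
DNS_LOG = [
    "2022-10-19T09:00:01 dns query=update.example.test answer=203.0.113.10",
    "2022-10-19T09:05:00 dns query=cdn.example.test answer=198.51.100.7",
]
# Constructed: outbound TCP connections from one host (bytes out / in).
CONN_LOG = [
    "2022-10-19T09:00:02 conn dst=203.0.113.10 dport=443 out=1200 in=48000",
    "2022-10-19T09:06:00 conn dst=198.51.100.7 dport=80 out=900 in=35000",
    "2022-10-19T09:07:30 conn dst=192.0.2.55 dport=80 out=52000 in=700",
    "2022-10-19T09:08:00 conn dst=192.0.2.55 dport=80 out=51000 in=650",
]

def parse_kv(line):
    """Split '<ts> <type> k=v k=v ...' into (ts, type, {k: v})."""
    ts, kind, *fields = line.split()
    return ts, kind, dict(f.split("=", 1) for f in fields)

def first_seen_in_dns(dns_lines):
    """Map each answered IP to the timestamp it was first returned by DNS."""
    seen = {}
    for line in dns_lines:
        ts, _, kv = parse_kv(line)
        seen.setdefault(kv["answer"], ts)
    return seen

def suspicious_connections(dns_lines, conn_lines):
    """Return [(ts, dst, dport, reasons)] for connections matching a heuristic."""
    dns_seen = first_seen_in_dns(dns_lines)
    hits = []
    for line in conn_lines:
        ts, _, kv = parse_kv(line)
        dst, dport = kv["dst"], int(kv["dport"])
        out_b, in_b = int(kv["out"]), int(kv["in"])
        reasons = []
        # 1. No DNS answer returned this IP before the connection.
        #    (ISO-8601 timestamps compare correctly as plain strings.)
        if dst not in dns_seen or dns_seen[dst] > ts:
            reasons.append("no prior DNS resolution")
        # 2. Plain HTTP that uploads more than it downloads (exfil-shaped).
        if dport == 80 and out_b > in_b:
            reasons.append("port 80 upload-heavy")
        if reasons:
            hits.append((ts, dst, dport, reasons))
    return hits
```

On the sample data only the two sessions to 192.0.2.55 are flagged, each on both heuristics; in production the DNS lookback window and the byte ratio need tuning against your own baseline.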

Beware of Word documents bearing gifts. In this case a Word document (Apply Form<dot>docm) with a macro launches a PowerShell script. The document properties include information intended to make users believe it’s from a legitimate LinkedIn job application. Make sure that macros are enabled only from trusted sources, if they are enabled at all. The SafeBreach report includes not only IOCs but also the content of the PowerShell scripts. Take note when reading the SafeBreach report that the acronym FUD means fully undetectable, which is why you want the IOCs added to your defenses.

Lee Neely

The Rest of the Week's News


2022-10-19

CISA Urges FIDO Adoption

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging all users to adopt multi-factor authentication (MFA) and for CEOs to adopt FIDO as part of their MFA implementation. CISA Director Jen Easterly told an audience at the FIDO Alliance conference that it is time to “forcefully nudge” users into MFA adoption by making it the default setting rather than an option.

Editor's Note

Good to see this position, but a two-pronged caution: “Forceful nudging” should only occur after internal testing to make sure both that the authentication approach and apps/devices are all configured to work together successfully and that backup processes are made resistant to the MFA bypass attacks that we’ve seen. These two things are achievable but non-trivial – we will see many early MFA failure stories from deployments that don’t address them up front.

John Pescatore

While we’ve been talking about MFA for a bit, the push to FIDO, an enabling component of passwordless authentication, represents raising the bar to MFA components which are not so easily spoofed or phished. Don’t try to eat the whole elephant at once; start with your externally exposed applications and entry points and leverage your IdP's capability to conditionally raise the bar on authentication based on risk. Remember to consider collaborators and business partners when rolling out these solutions.

Lee Neely

When the US government states it is pushing for Phishing Resistant MFA, FIDO is an example of that. The problem is many websites do not yet support it, and FIDO often requires a dedicated software or hardware token. Apple, Microsoft, Google, and others’ push to Passkeys greatly simplifies the FIDO implementation for end users, but it’s not yet fully baked and deployed. So while this all sounds great, we are several years out from when FIDO is both simple and widely adopted. More on FIDO / Phishing Resistant MFA at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

Most of the public applications seem to offer at least an option. The problem continues to be within the enterprise, where fraudulently reusable credentials are implicated in breaches.

William Hugh Murray

2022-10-20

US Transportation Security Administration Publishes Rail Cybersecurity Guidance

The US Transportation Security Administration (TSA) has published cybersecurity guidelines for freight and passenger rail systems. The directive was developed to comply with the White House’s effort to strengthen the cybersecurity of the country’s infrastructure. Among the requirements: develop network segmentation policies and controls; create access control measures; build continuous monitoring and detection policies and procedures; and keep operating systems, applications, firmware, and drivers patched in a timely manner.

Editor's Note

This continues the movement to raise the bar across critical sector areas. This guideline extends the earlier 1580-21-01 security directive which went into effect December 31, 2021. Requirements not only include implementing enhanced security measures but also establish an annual assessment plan as well as regular and proactive assessment activities. Rail system operators are expected to share data with TSA, who will likely share it with DHS/CISA to identify vulnerabilities and track trends and cyber security incidents.

Lee Neely

2022-10-20

Singapore and Germany Reach IoT Labeling Agreement

Singapore and Germany have signed an agreement to recognize each other’s Internet of Things (IoT) security labels. Singapore’s Cyber Security Agency (CSA) reached a similar agreement with Finland last autumn. CSA has recently expanded its labeling scheme to include medical devices.

Editor's Note

As we know from nutritional labels and UL labels on electrical cords, such labels don’t by themselves make things safer, but more information to consumers, backed by government buying power requiring compliance in government procurements, does work to raise the bar.

John Pescatore

As more countries implement rating/labelling requirements for consumer devices, the question of competing requirements and repeated testing for each market entered arises. Agreements such as these hold the promise of reducing duplicative testing. Over time, expect more categories of devices to be added to the agreement. Note that Singapore has a four-tier rating system and is only recognizing Germany’s labels as meeting the first two tiers.

Lee Neely

2022-10-20

Medibank Says Patient Data Were Compromised

Australian health insurance company Medibank now says that patient data were stolen in a breach that was disclosed earlier this month. The exfiltrated information includes Medicare and policy numbers, treatment location data, and codes related to diagnoses and procedures. The breach is being investigated by the Australian Federal Police.

Editor's Note

Medibank is being very transparent here. Take note of some of the recovery actions which include creating and redirecting staff to answer their cyber response hotline, halting trading of Medibank shares, as well as publishing what data elements they have verified versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.

Lee Neely

2022-10-20

CISA ICS Advisories on Advantech and Hitachi Products

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems (ICS) advisories regarding severe vulnerabilities in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The Hitachi advisory is an updated version of an advisory originally released in December 2021.

Editor's Note

Both advisories contain the phrase “Low attack complexity.” Additionally, the R-SeeNet vulnerability is remotely exploitable. In both cases, not only should you apply the update, but also make sure that you’re only allowing access from authorized devices and users, not directly exposing these devices to the Internet or Intranet, scanning media prior to introduction and monitoring for unexpected activity.

Lee Neely

2022-10-19

EyeMed Will Pay $4.5M Penalty for 2020 Data Breach

EyeMed Vision Care LLC will pay $4.5 million as a penalty for violating the New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500). A DFS investigation found that EyeMed’s “failure to conduct periodic risk assessments, together with failure to implement multi-factor authentication and secure access controls, resulted in cyber breach that exposed New York consumer data.”

Editor's Note

Breaches in the medical vertical are starting to result in multiple fines and settlements – it isn’t just CMS and the US federal government anymore. One thing to note in the wording: “EyeMed had violated its Cybersecurity Regulation by failing to implement multifactor authentication (MFA) throughout its email environment, which was required by the regulation.”

John Pescatore

In addition to failing to implement MFA, they also failed to limit sharing of credentials, to implement data retention and disposal policies, and to conduct adequate risk assessments which would have identified shortfalls in meeting regulatory requirements. The takeaway is to make sure that you are not only meeting requirements in your adopted security framework, to include regulatory requirements, but also looking for risks beyond those requirements specific to your environment. Remember to look for updates in both those frameworks. Additionally, monitor for unexpected user behavior. For example, shared credentials could indicate a need for a more appropriate data sharing/collaboration platform.

Lee Neely

2022-10-19

“GPS Anomalies” Caused Air Traffic Controllers in Texas to Reroute Some Flights

The US Federal Aviation Administration (FAA) is investigating what disrupted GPS and caused some flights in Texas to be rerouted. On Monday, October 17, the FAA released an alert over its Automatic Terminal Information Service (ATIS) that “GPS reported unreliable within 40 NM of DFW.” Over the next day, the disturbance spread to Waco, and then, on the evening of Tuesday, October 18, it stopped.

Editor's Note

While 5G traffic has been known to impact GPS signaling due to interference with older, legacy devices, typically that cause can be pinpointed fairly quickly. In this case no such link can be established. While GPS interference isn’t life-threatening, and planes can revert to older navigation options, it still causes delays, cancellations, etc.

Lee Neely

Internet Storm Center Tech Corner

Forensic Value of Prefetch

https://isc.sans.edu/forums/diary/Forensic%20Value%20of%20Prefetch/29168/


Are Internet Scanning Services Good or Bad for You?

https://isc.sans.edu/forums/diary/Are+Internet+Scanning+Services+Good+or+Bad+for+You/29164


Python Obfuscation for Dummies

https://isc.sans.edu/forums/diary/Python%20Obfuscation%20for%20Dummies/29160/


Microsoft TLS Fix

https://support.microsoft.com/en-us/topic/october-17-2022-kb5020435-os-builds-19042-2132-19043-2132-and-19044-2132-out-of-band-243f34de-2f44-4015-a224-1b68a4132ca5


CISA Releases ScubaGear to Audit M365

https://github.com/cisagov/ScubaGear


HTTP/3 Connection Contamination

https://portswigger.net/research/http-3-connection-contamination


FBI Warns of Student Loan Forgiveness Scams

https://www.ic3.gov/Media/Y2022/PSA221018


Fully Undetectable PowerShell Backdoor

https://www.safebreach.com/resources/blog/safebreach-labs-researchers-uncover-new-fully-undetectable-powershell-backdoor/


Oracle October 2022 Critical Patch Update

https://www.oracle.com/security-alerts/cpuoct2022.html


Weak Encryption in Microsoft Office 365

https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation


Tesla 3 Hack

https://www.synacktiv.com/sites/default/files/2022-10/tesla_hexacon.pdf