2022-10-21
Top of the News
2022-10-20
White House Convenes Meeting to Discuss IoT Security Standards
At a meeting earlier this week, the White House held a “workshop” to discuss how to move forward with establishing cybersecurity standards for Internet of Things (IoT) devices. The meeting included representatives from the tech industry, government leaders, policy experts, and Consumer Reports, the non-profit consumer advocacy organization. White House officials say they expect to release the first set of standards in spring 2023.
Editor's Note
Since the direction so far is in line with my comments in Newsbites 81, I have to say this is good to see. Similar past efforts (like in fire retardant materials) succeeded where the government worked with private industry standards efforts and then used its buying power to make those standards meaningful to producers.

John Pescatore
Work is progressing to ensure the consumer product labelling is both current and relevant. For example, the label will include a barcode which allows the user to see the vendor's security practices and current state, so you can ensure the label is current. The label also includes a rating or score. The rating is derived from components such as how easy the device is to patch, encryption, and interoperability. Initially, complying with the standards will be voluntary. Note that even with a rating, sufficient information has to be provided to ensure products are deployed securely.

Lee Neely
2022-10-20
Azure Service Fabric Explorer Spoofing Vulnerability
A spoofing vulnerability affecting Azure Fabric Explorer versions 8.1.316 and earlier could be exploited to gain full admin privileges. The flaw was detected by researchers from Orca Security and was addressed earlier this month as part of Microsoft’s Patch Tuesday release.
Editor's Note
You applied the October 2022 security update already, right? Service Fabric is a platform for delivering applications, both yours and some familiar Microsoft products such as Intune, Dynamics 365, Skype for Business, Cortana, MS Power BI, etc. Service Fabric Explorer is used by Azure admins to manage and inspect nodes and cloud applications in Service Fabric. Verify you’re running the latest version of the Service Fabric Explorer (SFXv2) - the Microsoft update-guide link below has instructions. Next, review your permissions and make sure that you know who has the rights to do things such as create new applications and reset cluster nodes. Note that future updates to Service Fabric will remove the v1 SFX as well as the ability to revert to it.

Lee Neely
Read more in
Microsoft: Service Fabric Explorer Spoofing Vulnerability
The Register: Tear in Microsoft Azure Service Fabric can give attackers full admin privileges
Bleeping Computer: Microsoft Azure SFX bug let hackers hijack Service Fabric clusters
Security Week: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters
The Hacker News: Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access
2022-10-19
Windows PowerShell Backdoor
Researchers from SafeBreach Labs have found a PowerShell backdoor that masquerades as part of the Windows Update process. The backdoor is being actively exploited to exfiltrate data. SafeBreach’s advisory includes a list of indicators of compromise.
Editor's Note
An interesting find, and certainly new and different, which makes it difficult to detect using legacy approaches. More modern approaches looking for unusual behaviors like connections to IPs without prior DNS activity (and connections to port 80 sending more data than they receive) should be able to spot this type of backdoor.

Johannes Ullrich
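The two behavioral heuristics mentioned in the note above, worked into a small detector as an added example (not code from the NewsBites issue or from SafeBreach's report): it runs over constructed DNS and connection records, and the 30-minute DNS look-back window, host names and TEST-NET addresses are assumptions.

```python
# Added example: flag connections with no prior DNS resolution for the destination,
# and port-80 connections that upload more than they download.
from collections import namedtuple
from datetime import datetime, timedelta

DnsEvent = namedtuple("DnsEvent", "ts host answer")  # a DNS answer seen by `host`
ConnEvent = namedtuple("ConnEvent", "ts host dst_ip dst_port bytes_out bytes_in")

DNS_WINDOW = timedelta(minutes=30)  # assumption: how far back a resolution still "counts"


def find_suspicious(dns_events, conn_events):
    """Return (reason, conn) pairs for connections matching either heuristic:
    1. the destination IP was not returned by any DNS answer seen by the same host
       within DNS_WINDOW before the connection ("no-prior-dns"), or
    2. the connection is to port 80 and the host sent more bytes than it received
       ("port80-upload-heavy")."""
    findings = []
    for conn in conn_events:
        # answers this host received before the connection, inside the window
        resolved = {
            d.answer for d in dns_events
            if d.host == conn.host and conn.ts - DNS_WINDOW <= d.ts <= conn.ts
        }
        if conn.dst_ip not in resolved:
            findings.append(("no-prior-dns", conn))
        if conn.dst_port == 80 and conn.bytes_out > conn.bytes_in:
            findings.append(("port80-upload-heavy", conn))
    return findings


def _t(minute):
    # constructed timestamps on one arbitrary day
    return datetime(2022, 10, 19, 9, minute)


# Constructed sample records (documentation-range IPs, not real IoCs): ws1 resolves a
# name before connecting; ws2 connects to a bare IP and pushes a large upload over port 80.
SAMPLE_DNS = [DnsEvent(_t(0), "ws1", "203.0.113.10")]
SAMPLE_CONNS = [
    ConnEvent(_t(1), "ws1", "203.0.113.10", 443, 2_000, 50_000),  # normal browsing
    ConnEvent(_t(2), "ws2", "198.51.100.7", 80, 900_000, 1_200),  # both heuristics fire
    ConnEvent(_t(3), "ws1", "203.0.113.10", 80, 300, 40_000),     # resolved, download-heavy
]


def demo():
    """Run the detector over the constructed sample and return compact findings."""
    return [(reason, c.host, c.dst_ip) for reason, c in find_suspicious(SAMPLE_DNS, SAMPLE_CONNS)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```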
Beware of Word documents bearing gifts. In this case a Word document (Apply Form<dot>docm) with a macro launches a PowerShell script. The document properties include information intended to make users believe it’s from a legitimate LinkedIn job application. Make sure that macros are enabled only from trusted sources, if they are enabled at all. The SafeBreach report includes not only IOCs but also the content of the PowerShell scripts. Take note when reading the SafeBreach report that the acronym FUD means fully undetectable, which is why you want the IOCs added to your defenses.

Lee Neely
Read more in
SafeBreach: SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor
The Register: 'Fully undetectable' Windows backdoor gets detected
Bleeping Computer: Hackers use new stealthy PowerShell backdoor to target 60+ victims
Gov Infosecurity: Undetectable Backdoor Disguises as Windows Update
The Rest of the Week's News
2022-10-19
CISA Urges FIDO Adoption
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging all users to adopt multi-factor authentication (MFA) and for CEOs to adopt FIDO as part of their MFA implementation. CISA Director Jen Easterly told an audience at the FIDO Alliance conference that it is time to “forcefully nudge” users into MFA adoption by making it the default setting rather than an option.
Editor's Note
Good to see this position, but a two-pronged caution: “Forceful nudging” should only occur after internal testing to make sure both that the authentication approach and apps/devices are all configured to work together successfully and that backup processes are made resistant to the MFA bypass attacks that we’ve seen. These two things are achievable but non-trivial – we will see many early MFA failure stories from deployments that don’t address them up front.

John Pescatore
While we’ve been talking about MFA for a bit, the push to FIDO, an enabling component of passwordless authentication, represents raising the bar to MFA components which are not so easily spoofed or phished. Don’t try to eat the whole elephant at once; start with your externally exposed applications and entry points and leverage your IdP’s capability to conditionally raise the bar on authentication based on risk. Remember to consider collaborators and business partners when rolling out these solutions.

Lee Neely
When the US government states it is pushing for Phishing Resistant MFA, FIDO is an example of that. The problem is many websites do not yet support it, and FIDO often requires a dedicated software or hardware token. Apple, Microsoft, Google, and others’ push to Passkeys greatly simplifies the FIDO implementation for end users, but it’s not yet fully baked and deployed. So while this all sounds great, we are several years out from when FIDO is both simple and widely adopted. More on FIDO / Phishing Resistant MFA at https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner
Most of the public applications seem to offer at least an option. The problem continues to be within the enterprise, where fraudulently reusable credentials are implicated in breaches.

William Hugh Murray
Read more in
CISA: NEXT LEVEL MFA: FIDO AUTHENTICATION
Health IT Security: CISA Encourages Orgs To Go Further Than MFA, Adopt FIDO Authentication
Gov Infosecurity: US CISA Official: 'Forcefully Nudge' Users to Adopt MFA
2022-10-20
US Transportation Security Administration Publishes Rail Cybersecurity Guidance
The US Transportation Security Administration (TSA) has published cybersecurity guidelines for freight and passenger rail systems. The directive was developed to comply with the White House’s effort to strengthen the cybersecurity of the country’s infrastructure. Among the requirements: develop network segmentation policies and controls; create access control measures; build continuous monitoring and detection policies and procedures; and keep operating systems, applications, firmware, and drivers patched in a timely manner.
Editor's Note
This continues the movement to raise the bar across critical sector areas. This guideline extends the earlier 1580-21-01 security directive, which went into effect December 31, 2021. Requirements include not only implementing enhanced security measures but also establishing an annual assessment plan as well as regular and proactive assessment activities. Rail system operators are expected to share data with TSA, who will likely share it with DHS/CISA to identify vulnerabilities and track trends and cybersecurity incidents.

Lee Neely
Read more in
TSA: Rail Cybersecurity Mitigation Actions and Testing (PDF)
TSA: TSA issues new cybersecurity requirements for passenger and freight railroad carriers (Press Release)
Security Week: New TSA Directive Aims to Further Enhance Railway Cybersecurity
Cybersecurity Dive: TSA rolls out long-anticipated cyber directive for freight, passenger rail systems
2022-10-20
Singapore and Germany Reach IoT Labeling Agreement
Singapore and Germany have signed an agreement to recognize each other’s Internet of Things (IoT) security labels. Singapore’s Cyber Security Agency (CSA) reached a similar agreement with Finland last autumn. CSA has recently expanded its labeling scheme to include medical devices.
Editor's Note
As we know from nutritional labels and UL labels on electrical cords, such labels don’t by themselves make things safer but more information to consumers backed by government buying power requiring compliance in government procurements does work to raise the bar.

John Pescatore
As more countries implement rating/labelling requirements for consumer devices, the question of competing requirements and repeated testing for each market entered arises. Agreements such as these hold the promise of reducing duplicative testing. Over time, expect more categories of devices to be added to the agreement. Note that Singapore has a four-tier rating system and is only recognizing Germany’s labels as meeting the first two tiers.

Lee Neely
2022-10-20
MediBank Says Patient Data Were Compromised
Australian health insurance company MediBank now says that patient data were stolen in a breach that was disclosed earlier this month. The exfiltrated information includes Medicare and policy numbers, treatment location data, and codes related to diagnoses and procedures. The breach is being investigated by the Australian Federal Police.
Editor's Note
Medibank is being very transparent here. Take note of some of the recovery actions which include creating and redirecting staff to answer their cyber response hotline, halting trading of Medibank shares, as well as publishing what data elements they have verified versus which elements the attackers claim to have. Consider adding similar actions to your incident response plan.

Lee Neely
Read more in
Yourir: Medibank cyber incident response (PDF)
The Register: Health insurer's infosec incident diagnosis goes from 'take a chill pill' to emergency ward
Security Week: Australian Health Insurer Medibank Admits Customer Data Stolen in Ransomware Attack
Gov Infosecurity: Australia's Data Breach Debacle Expands
2022-10-20
CISA ICS Advisories on Advantech and Hitachi Products
Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) released two Industrial Control Systems (ICS) advisories regarding severe vulnerabilities in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. The Hitachi advisory is an updated version of an advisory originally released in December 2021.
Editor's Note
Both advisories contain the phrase “Low attack complexity.” Additionally, the R-SeeNet vulnerability is remotely exploitable. In both cases, not only should you apply the update, but also make sure that you’re only allowing access from authorized devices and users, not directly exposing these devices to the Internet or Intranet, scanning media prior to introduction and monitoring for unexpected activity.

Lee Neely
Read more in
CISA: ICS Advisory (ICSA-22-291-01) Advantech R-SeeNet
CISA: ICS Advisory (ICSA-21-336-06) Hitachi Energy APM Edge (Update A)
The Register: CISA warns of security holes in industrial Advantech, Hitachi kit
The Hacker News: CISA Warns of Critical Flaws Affecting Industrial Appliances from Advantech and Hitachi
2022-10-19
EyeMed Will Pay $4.5M Penalty for 2020 Data Breach
EyeMed Vision Care LLC will pay $4.5 million as a penalty for violating the New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500). A DFS investigation found that EyeMed’s “failure to conduct periodic risk assessments, together with failure to implement multi-factor authentication and secure access controls, resulted in cyber breach that exposed New York consumer data.”
Editor's Note
Breaches in the medical vertical are starting to result in multiple fines and settlements – it isn’t just CMS and the US federal government anymore. One thing to note in the wording: “EyeMed had violated its Cybersecurity Regulation by failing to implement multifactor authentication (MFA) throughout its email environment, which was required by the regulation.”

John Pescatore
In addition to failing to implement MFA, they also failed to limit sharing of credentials, to implement data retention and disposal policies, and to conduct adequate risk assessments which would have identified shortfalls in meeting regulatory requirements. The takeaway is to make sure that you are not only meeting the requirements in your adopted security framework, including regulatory requirements, but also looking for risks beyond those requirements that are specific to your environment. Remember to look for updates in both those frameworks. Additionally, monitor for unexpected user behavior. For example, shared credentials could indicate a need for a more appropriate data sharing/collaboration platform.

Lee Neely
2022-10-19
“GPS Anomalies” Caused Air Traffic Controllers in Texas to Reroute Some Flights
The US Federal Aviation Administration (FAA) is investigating what disrupted GPS and caused some flights in Texas to be rerouted. On Monday, October 17, the FAA released an alert over its Automatic Terminal Information Service (ATIS) that “GPS reported unreliable within 40 NM of DFW.” Over the next day, the disturbance spread to Waco, and then, on the evening of Tuesday, October 18, it stopped.
Editor's Note
While 5G traffic has been known to impact GPS signaling due to interference with older, legacy devices, typically that cause can be pinpointed fairly quickly. In this case no such link can be established. While GPS interference isn’t life-threatening, and planes can revert to older navigation options, it still causes delays, cancellations, etc.

Lee Neely
Internet Storm Center Tech Corner
Forensic Value of Prefetch
https://isc.sans.edu/forums/diary/Forensic%20Value%20of%20Prefetch/29168/
Are Internet Scanning Services Good or Bad for You?
https://isc.sans.edu/forums/diary/Are+Internet+Scanning+Services+Good+or+Bad+for+You/29164
Python Obfuscation for Dummies
https://isc.sans.edu/forums/diary/Python%20Obfuscation%20for%20Dummies/29160/
Microsoft TLS Fix
CISA Releases ScubaGear to Audit M365
https://github.com/cisagov/ScubaGear
HTTP/3 Connection Contamination
https://portswigger.net/research/http-3-connection-contamination
FBI Warns of Student Loan Forgiveness Scams
https://www.ic3.gov/Media/Y2022/PSA221018
Fully Undetectable PowerShell Backdoor
Oracle October 2022 Critical Patch Update
https://www.oracle.com/security-alerts/cpuoct2022.html
Weak Encryption in Microsoft Office 365
Tesla 3 Hack
https://www.synacktiv.com/sites/default/files/2022-10/tesla_hexacon.pdf