SANS NewsBites

If You Haven’t Patched Log4Shell Yet, You’ve Been Compromised; FTX Disclosure Reaffirms “Cryptocurrencies” Have More Risk Than Reward; Look at Engenuity ATT&CK Evaluation If You Are Considering Managed Endpoint Detection and Response Services

November 18, 2022  |  Volume XXIV - Issue #90

Top of the News


2022-11-17

CISA and FBI: If You Haven’t Patched Log4Shell, Assume Your Systems are Compromised

A joint cybersecurity alert from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI details advanced persistent threat activity conducted by Iranian state-sponsored threat actors against the network of an unnamed federal civilian executive branch organization. The attackers gained initial access earlier this year by exploiting the Log4Shell vulnerability. The alert says, “CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities.”

Editor's Note

Log4Shell is a tricky vulnerability in that exploitability depends first of all on how the library is exactly used, and secondly on the creativity of the attacker to reach the vulnerable code. Please do not underestimate the creativity of the attacker as you are assessing how this vulnerability impacts you. Patch.

Johannes Ullrich

Sage advice – assume compromise, apply patches or implement workarounds. It’s been a year since discovery of the Log4j vulnerability. Patches have been produced, workarounds documented and available; yet the government still has to issue an alert. Organizations and their leadership have to be held accountable for not establishing a standard duty of care.

Curtis Dukes

You knew this was coming, even so you couldn't get support to update everything. It’s time to revisit all your systems where you've not deployed the patches and forensicate them to make sure they are still pristine. And patch them. Make sure that you're not exposing unneeded services to the internet, like your VMware management network, use MFA judiciously, particularly on your internet-facing services, and make sure that everything is plumbed into your centralized logging, and then that appropriate alerts are in place both for your SOC and IT staff. Implement a service which checks credentials against breach dumps and require immediate change or account lock when discovered. Now, a tricky one: make sure that you are using access controls to limit credentials to only operate on authorized services/systems to restrict lateral movement.

Lee Neely

Or if you are a customer of SolarWinds. Indeed, assuming that one is compromised can be a prudent and useful assumption. Finding and eliminating covert and dormant compromise is a daunting problem. Consider structuring one's network and implementing least privilege access control so as to resist its spread and exploitation.

William Hugh Murray

2022-11-17

FTX Moved Assets to Cold Wallets as Precautionary Measure

The Nassau, Bahamas-based FTX cryptocurrency exchange, which filed for bankruptcy on Nov. 11, 2022, has revealed it moved all digital assets offline and initiated an investigation to determine whether roughly $400 million USD in crypto assets were stolen. FTX general counsel Ryne Miller asserted that FTX “initiated precautionary steps,” including moving digital assets to cold wallets.

Editor's Note

Even for blockchains, the first rule of IT still applies: Garbage in, garbage out. If you don't have any processes to manage your funds, who knows what is moved to what cold wallet, and who controls the respective keys. In the end, you may just end up with a cryptographically sound record of what funds the administrators decided to allow the "investors" to fight for. Sadly, I doubt that this incident will kill cryptocurrencies.

Johannes Ullrich

Even though assets were secured, $473M was allegedly stolen, and it's postulated this was an insider. From the court filing by John Ray III, "Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented." The takeaways, if you're interested in Cryptocurrency, are both to make sure that there is sufficient separation of duties, and appropriately mitigated risks to include MFA, cold and encrypted (client-side) wallets as well as multi-signature wallets which require multiple keys to perform a transaction. Even if you're not in the Cryptocurrency business, ensure you have sufficient separation of duties, and traceability on transactions.

Lee Neely

Really what this and the numerous other incidents point out is that “crypto” “currencies” are not currencies and often don’t implement cryptography very well. From a business perspective, use of them by legitimate businesses over other forms of electronic payments doesn’t provide any cost savings or revenue gains that would offset the enormous increase in risk.

John Pescatore

2022-11-16

MITRE Engenuity Publishes Managed Security Services Provider Evaluations

MITRE Engenuity has published an evaluation of managed security service providers. The evaluations “highlighted results across 16 providers and assessed provider capabilities in their ability to analyze and describe adversary behavior.” The participants in this first round of evaluations included Atos, Bitdefender, BlackBerry, BlueVoyant, Critical Start, CrowdStrike, Microsoft, NVISO, OpenText, Palo Alto Networks, Rapid7, Red Canary, SentinelOne, Sophos, Trend Micro, and WithSecure.

Editor's Note

I’m a big fan of the ATT&CK-based product evaluations but a few caveats: (1) It takes a skilled/experienced security person to understand the results and compare across the tested products. This is not a simple ranking. (2) This latest test is not really of broad MSSPs, more a test of vendors with Managed Endpoint Detection and Response offerings based on their own products. (3) Each year, Engenuity tests something new: there is no year-to-year continuity, so the next version of these products and services will change as far as which are more effective.

John Pescatore

The MITRE ATT&CK framework is the industry-accepted way to describe cyberattack details. The jury is still out on its applicability in assessing security capabilities of individual products that make up the cybersecurity ecosystem. MSSPs offer a much broader range of cybersecurity tools and capabilities that support managed service providers.

Curtis Dukes

As much as 50% of organizations are using MSSPs these days. The evaluations don't rank, qualify or disqualify any of the assessed vendors, but rather give you the results of a ten-step response to the TTPs of OilRig (an Iranian government-aligned APT). Consider not only how these MSSPs performed, but also if your team, insourced or outsourced, is considering all aspects of these ten steps. Drill down on making adjustments where gaps are found.

Lee Neely

The Rest of the Week's News


2022-11-15

Electric Vehicle Charging Infrastructure Cybersecurity

Scientists from Sandia and other US National Laboratories “recently published a summary of known electric vehicle charger vulnerabilities in the scientific journal Energies.” The vulnerabilities range from payment card skimming to taking control of an EV charger network. The paper includes proposed fixes and changes to the EV charging infrastructure.

Editor's Note

Remember that even the systems controlling good old gas pumps are still vulnerable. Why would anybody expect that companies will learn from old mistakes and do things "right" if they work faster and cheaper done vulnerable?

Johannes Ullrich

This pretty much reads like early studies of the lack of security being built into Internet of Things. The good news is that funding to improve cybersecurity and safety overall of EV charging systems is included in the National Electric Vehicle Infrastructure Formula Program under the US Federal Highway Administration.

John Pescatore

While many of us consider the risk of EV charging from the perspective of load on the grid or power where the owner has the car parked, this report focuses on the technology behind that charging. Skim the paper to get a sense of all the technologies involved in EV charging. As such, the researchers were able to use low-power SDR to interrupt the car charging, use RFID cloning to allow charging on someone else's account, let alone exploiting insecure web interfaces discovered. This feels like the familiar story of time to market and cost to deliver versus security. The fixes aren't surprising, including securing access to physical ports, using proper encryption, removing unneeded services and keeping components updated. It is hoped that standards and best practices emerge from ongoing research between the Sandia, Idaho and Pacific Northwest National Labs. You may want to take a pause and reflect to see if you have projects which could benefit from increased attention to cyber hygiene.

Lee Neely

Cybersecurity has been both a board and executive leadership team focus area for several years. Any new product that is internet connected has to be reviewed for security vulnerabilities prior to release; it’s part of the development cycle and factors into the risk management process. Cybersecurity best practices exist today—use them.

Curtis Dukes

2022-11-16

Methodist Hospital Employees Indicted for HIPAA Violations

A US federal grand jury in Tennessee has indicted five former Methodist Hospital employees for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The five defendants allegedly supplied Roderick Harvey with names and phone numbers of Methodist patients who had been in car accidents. Harvey also faces charges related to the scheme.

Editor's Note

Ambulance chasing is legal; stealing patient records to sell to ambulance chasers is not. If you are subject to HIPAA, another data point to highlight is that violations can result in prosecutions, not just fines. In this case, employees are being charged with misuse of patient data and it is not a big leap for investigators to ask why the hospital didn’t detect this activity.

John Pescatore

Harvey was a fugitive, arrested in August after fleeing to Arizona. He faces seven counts of obtaining patient information for financial gain. In this particular case, he is accused of bribing folks to get that information. In general, make sure that users, when pressured to turn over (sensitive) information, understand what their obligations are to protect the information as well as what the intended use is. When in doubt, defer to the data owner, privacy officer or legal counsel who are better versed in regulatory restrictions on information handling. Also make sure they understand the reporting mechanism for coercion or bribery.

Lee Neely

The new proverb “data is the new currency” rings true in this case. Hospital administrators should integrate this case into the training employees receive on the HIPAA law.

Curtis Dukes

2022-11-17

Industry Group Says Third Party Providers Should be Exempt from CISA’s Incident Reporting Rule

The Information Technology Industry Council (ITIC) has responded to a CISA Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) regarding the scope of CIRCIA incident reporting requirements. In its response ITIC writes, “CISA should develop criteria based on criticality assessment to national and economic security when entities are performing national critical functions. Such an approach should be encouraged to narrow down when entities are truly carrying out national critical functions that matter to national security, such as satellite communications, versus commercial use cases. If a system is not reasonably tied to a critical function at the national level, then it should not be covered.”

Editor's Note

Most of the comments are focused on more definition in the draft language where squishy terms like “covered entity,” “covered incident” and “reasonable belief” were used and that is needed. There are 16 “Critical” Infrastructure sectors defined by CISA but what would be considered a “critical” incident within one of those sectors needs better definition, much the way the SEC had to provide guidance on what constitutes a “material event” that would require financial reporting.

John Pescatore

This comes down to signal to noise ratio. Understanding what is reporting and what matters is key. In our own shops, we already know what is most critical and categorize the types of events which matter. The risk is missing events which may be early indicators or possibly indications of a wider spread problem than anticipated. If you're having trouble getting your arms around how to categorize what's critical, take a look at the PDF to get some ideas for down-selecting and refining your approach.

Lee Neely

Prevention, prevention, prevention. Mandatory reporting starts as admiration of the problem and rapidly turns into expensive boilerplate.

William Hugh Murray

2022-11-17

GAO Urges CISA, Secret Service, and FBI to Help State, Local, Tribal, and Territorial Governments with Ransomware Challenges

In a report, the US Government Accountability Office (GAO) makes recommendations that “could help the federal government improve coordination and assistance” to help protect state, local, tribal, and territorial (SLTT) government organizations from ransomware attacks. Ransomware: Federal Coordination and Assistance Challenges recommends that the Cybersecurity and Infrastructure Security Agency (CISA), Secret Service, and FBI improve interagency coordination on ransomware assistance to SLTTs and evaluate how to best address concerns raised by SLTTs; and that the Department of Education work with CISA to establish an applicable government coordinating council to coordinate cybersecurity efforts between federal agencies and with the K-12 community.

Editor's Note

A natural forcing function for collaboration amongst federal agencies with SLTTs is the Multi-State Information Sharing and Analysis Center (MS-ISAC). As part of its network monitoring service, the MS-ISAC publishes a monthly Situational Awareness Report to the SLTT community that includes the Top 10 malware [including ransomware] events found.

Curtis Dukes

Coordination and collaboration help build our overall situational awareness as well as making it easier to "phone a friend" when things get dicey. An interesting finding is that an incident at a school can cause a loss of between 3 days and 3 weeks of learning. Things are rough enough in the school systems without that added impact. If you're involved in coordinated communication and outreach, step back and make sure that everyone is both included and participating. This is an opportunity to add incredible resources to your Rolodex.

Lee Neely

This is a problem of many targets at least some of which lack the scale to adequately protect themselves, rather than one of "coordination." Coordination among Federal agencies may reduce waste, possibly even improve efficiency, without addressing the problem.

William Hugh Murray

2022-11-17

Hive Ransomware Alert

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services have jointly released an alert warning of an uptick in the spread of Hive ransomware. The threat actors have targeted multiple business and critical infrastructure sectors, with a focus on healthcare and public health. As of this month, Hive ransomware threat actors have received nearly $100 million in payments. The alert includes technical details as well as indicators of compromise (IoCs) and recommended mitigations.

Editor's Note

These threat actors are penetrating networks by taking advantage of single-factor authentication, RDP and VPN, or bypassing MFA like CVE-2020-12812 in FortiOS servers, as well as exploiting Exchange vulnerabilities. We've talked about this before (yes, I'm telling you this is preventable): don't expose RDP to the Internet, use strong MFA on anything Internet facing, and keep those updates flowing. Not to ignore your internal systems, you need to do this internally, as the old castle & moat model is not sufficient with today's threat landscape. Leverage what you learned hardening your external services; you know what to do from here.

Lee Neely

As ransomware attacks get faster, IoCs become irrelevant; the ransomware will announce the compromise. Unless there are mitigations that are specific to the ransomware, prevention is more efficient than mitigation. Strong authentication, structured network, and least privilege access control will resist ransomware of all stripes and also resist other kinds of attacks.

William Hugh Murray

2022-11-17

F5 Fixes RCE Flaws in BIG-IP and BIG-IQ

F5 has released updates to address two high-severity remote code execution vulnerabilities that affect its BIG-IP and BIG-IQ products. While the flaws are not trivial to exploit, they could be used to gain complete control of vulnerable devices. Researchers from Rapid7 found the vulnerabilities – an unauthenticated RCE via cross-site request forgery (CSRF) on iControl SOAP and an authenticated RCE via RPM spec injection, impacting the iControl REST component – as well as “several bypasses of security controls that F5 does not consider vulnerabilities with a reasonable attack surface.”

Editor's Note

These are difficult to exploit, so you can do regression testing and plan your outage. Even so, don't assume these are not exploitable; with the publishing of the fix and vulnerability, that is actively being worked. Implement the recommended mitigations from F5 to restrict access to the management interfaces from both the self IP address and your network until you can apply the updates. Consider leaving long term restrictions on where management connections to your F5's can originate from.

Lee Neely

2022-11-16

GAO: US Department of Defense Needs to Improve Cyber Incident Reporting and Sharing

The US Government Accountability Office (GAO) says that the Department of Defense (DoD) needs to do a better job of reporting and sharing information about cybersecurity incidents. While DoD has taken steps that have reduced the number of cyber incidents it experiences, the agency “hasn't fully implemented its processes for managing cyber incidents, doesn't have complete data on cyber incidents that staff report, and doesn't document whether it notifies individuals whose personal data is compromised in a cyber incident.”

Editor's Note

The trend of DoD incidents in the GAO report indicates things are heading in the right direction overall; this is about completing initiatives designed to properly collect/report and act on that information. When collecting incident information, make sure that you have all the relevant information. Review the collection process to make sure it's still adequate. Then make sure you know what gets reported on what timeline. Verify that those reporting lines are not only functional but also include appropriate data handling to ensure that appropriate confidentiality and integrity is maintained. Make sure that projects needed to support these efforts complete. Some may need reassignment to achieve success.

Lee Neely

Internet Storm Center Tech Corner

Packet Tuesday

https://packettuesday.com


Lessons Learned from Automatic Failover

https://isc.sans.edu/diary/Lessons+Learned+from+Automatic+Failover+When+8888+disappears+IPv6+to+the+Rescue/29260


Evil Maid Attacks - Remediation for the Cheap

https://isc.sans.edu/diary/Evil+Maid+Attacks+Remediation+for+the+Cheap/29256


F5 Big IP CVE-2022-41622 and CVE-2022-41800 Vulnerability Details

https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/


Bitbucket Server and Data Center Vulnerability

https://jira.atlassian.com/browse/BSERV-13522


Amazon RDS Snapshot Leaks

https://www.mitiga.io/blog/how-mitiga-found-pii-in-exposed-amazon-rds-snapshots


Adobe Commerce merchants to be hit with TrojanOrders this season

https://sansec.io/research/trojanorder-magento


SANS EDU Research: Detecting and Mitigating the GateKeeper User Override on macOS in an Enterprise Environment; Antonio Piazza

https://www.sans.edu/cyber-research/detecting-and-mitigating-the-gatekeeper-user-override-on-macos-in-an-enterprise-environment/


Details about iPad/iOS Neural Engine Vulnerability CVE-2022-32899

https://github.com/0x36/weightBufs/


Disneyland Malware Team: It's a Puny World After All

https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/


Stealing Passwords From Infosec Mastodon - Without Bypassing CSP

https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp


SQLi and Access Flaws in Zendesk

https://www.varonis.com/blog/zendesk-sql-injection-and-access-flaws


Electric Vehicle Charging Infrastructure

https://newsreleases.sandia.gov/ev_security/