SANS NewsBites

Don’t Delay in Notifying Customers of an Incident; Check Late December PyTorch Versions In Use for Compromise; Obtain Security Improvement Assurances from Okta, LastPass and Other Password Manager/SSO Vendors

January 3, 2023  |  Volume XXV - Issue #01

Top of the News


2022-12-29

Louisiana Healthcare System Delayed Reporting Breach to HHS OCR

An October 2022 ransomware attack that affected IT systems at Louisiana’s Lake Charles Memorial Health System compromised sensitive data belonging to about 270,000 patients. The organization disclosed the incident in late October, but did not notify the US Department of Health and Human Services Office for Civil Rights (HHS OCR) until December 22, and began sending patients notification letters on December 23.

Editor's Note

In this case, the reporting requirement seems to be 60 days so Lake Charles is compliant, but waiting that amount of time to notify impacted customers is the issue. Reports say Lake Charles refused to pay the ransom demand, so allow some time for negotiations. But customers should have been notified faster. Lesson to learn is to have the breach response process in place and tested long before an event.

John Pescatore

That is a long time for customer notification. While it's tempting to hold off making notifications until you're 100% certain, you need to put a cap of (at most) a couple of weeks to keep your customers comfortable. More transparency is expected. Make sure that you're able to provide information and updates as you move along, not holding back until you have absolutely every detail nailed down.

Lee Neely

Many criticize mandatory reporting requirements introduced by regulations such as the EU General Data Protection Regulation (GDPR). However, delayed reporting can have serious impacts on the affected individuals such as exposing them to the risk of fraud.

Brian Honan

While earlier might have been better, I tend to be forgiving of hard choices made by other professionals.

William Hugh Murray

2023-01-02

PyTorch-nightly Dependency Chain Compromised

Machine learning framework PyTorch has disclosed that the PyTorch-nightly dependency chain was compromised in late December. Users who installed PyTorch-nightly Linux packages with pip between December 25 and 30 should uninstall those nightly builds and use the most recent nightly binaries. The dependency in question, torchtriton, was compromised on the Python Package Index (PyPI) code repository.

Editor's Note

Luckily, this only affected the "nightly" builds and only a specific set of features of this very popular machine learning framework. But the event yet again shows the problematic state of the Python supply chain if even major and actively maintained packages can be affected by the compromise of a "random" Python package.

Johannes Ullrich

Note this only impacts the nightly-build (vs stable) versions of these packages. Make sure you uninstall all four packages (torch, torchvision, torchaudio & torchtriton) as well as purge your cache for these before loading the updated binaries. The bad version of torchtriton was uploaded with the same package name as the nightly-build version, and due to the PyPI index taking precedence, the bad version was loaded versus the official version. The PyTorch team has renamed the torchtriton dependency to pytorch-triton as well as reserving a dummy package to prevent future attacks.

Lee Neely

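A small inventory check for the torchtriton incident described in the summary and in the editor's note above, added here as an illustration; it is not code from the PyTorch project or from the editors. It scans the distributions visible to the running interpreter for the four packages named, flags nightly builds whose embedded build date falls in the 25 to 30 December window, flags any leftover torchtriton distribution (the dependency was renamed upstream), and prints the clean-up the note describes. The nightly version layout it keys on ("2.0.0.dev20221227+cu117", build date after ".dev") and the sample inventory in the block are assumptions constructed for this example.

```python
"""Inventory check for the late-December 2022 PyTorch nightly / torchtriton compromise.

Example code added to this newsletter issue; not from the PyTorch project.
"""
import re
import sys
from dataclasses import dataclass
from importlib import metadata
from typing import Dict, List, Optional

# The four packages the editor's note says to uninstall together before
# reinstalling fresh nightly binaries.
AFFECTED_PACKAGES = ("torch", "torchvision", "torchaudio", "torchtriton")

# Install window named in the advisory (nightly Linux builds via pip), as YYYYMMDD.
WINDOW_START, WINDOW_END = 20221225, 20221230

# Assumed nightly version layout, e.g. "2.0.0.dev20221227+cu117": the eight
# digits after ".dev" are the build date we key on.
NIGHTLY_RE = re.compile(r"\.dev(\d{8})")


@dataclass
class Finding:
    package: str
    version: str
    reason: str


def nightly_build_date(version: str) -> Optional[int]:
    """Return the YYYYMMDD build date embedded in a nightly version, else None."""
    match = NIGHTLY_RE.search(version)
    return int(match.group(1)) if match else None


def assess(installed: Dict[str, str]) -> List[Finding]:
    """Flag distributions inside the compromise window or carrying the old dependency name.

    `installed` maps distribution name to version string, as pip reports them.
    """
    findings: List[Finding] = []
    for name, version in installed.items():
        key = name.lower()
        if key == "torchtriton":
            # Upstream renamed this dependency to pytorch-triton after the
            # incident, so any lingering torchtriton distribution should go.
            findings.append(Finding(name, version, "torchtriton present; dependency was renamed to pytorch-triton"))
        elif key in AFFECTED_PACKAGES:
            build = nightly_build_date(version)
            if build is not None and WINDOW_START <= build <= WINDOW_END:
                findings.append(Finding(name, version, f"nightly build dated {build} is inside the 2022-12-25..30 window"))
    return findings


def installed_distributions() -> Dict[str, str]:
    """Read name/version for every distribution visible to this interpreter."""
    return {dist.metadata["Name"]: dist.version
            for dist in metadata.distributions() if dist.metadata["Name"]}


def remediation_commands() -> List[str]:
    """The clean-up the editor's note describes: remove all four, purge pip's cache."""
    return ["pip3 uninstall -y " + " ".join(AFFECTED_PACKAGES), "pip3 cache purge"]


# Constructed sample inventory (not a real environment) so the check runs offline.
SAMPLE_INVENTORY = {
    "torch": "2.0.0.dev20221227+cu117",
    "torchvision": "0.15.0.dev20221227+cu117",
    "torchaudio": "2.0.0.dev20221224+cu117",  # built before the window: not flagged
    "torchtriton": "2.0.0",                    # constructed version; flagged by name alone
    "numpy": "1.24.1",
}

if __name__ == "__main__":
    inventory = SAMPLE_INVENTORY if "--sample" in sys.argv else installed_distributions()
    hits = assess(inventory)
    for hit in hits:
        print(f"{hit.package} {hit.version}: {hit.reason}")
    if hits:
        print("Suggested clean-up:")
        print("\n".join(remediation_commands()))
```

Run it with `--sample` to see the constructed inventory; without the flag it reads the current interpreter's packages. A hit only tells you that a build from the window is present, not whether the malicious torchtriton actually ran, so treat it as a reason to reinstall and to review outbound activity from that host. More generally, installing from a single trusted index (`--index-url`) rather than stacking `--extra-index-url` entries removes the name-collision ambiguity this incident depended on.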
2022-12-23

Okta GitHub Repositories Breached

Single sign-on management company Okta says that intruders accessed their GitHub repositories and copied source code for Okta Workforce Identity Cloud service. Okta learned of the incident from GitHub, which notified Okta of “suspicious access” to its repositories in December. Okta officials said, “there was no unauthorized access to the Okta service, and no unauthorized access to customer data.”

Editor's Note

This should be a non-event. Attackers in possession of the source code will not be able to do anything a responsible vendor has not already done as part of their software quality assurance process. Manual and automatic code reviews, dynamic testing assisted by full insight into the source code should be easier for the vendor creating the code than for a third party attacker. On the other hand, we are talking about a vendor producing critical security software.

Johannes Ullrich

There is an old saying “If you put all your eggs in one basket, watch that basket really, really carefully.” Password managers and SSO platforms are essential big baskets of eggs full of passwords and are obvious high leverage targets for attackers. Both LastPass and Okta have had serious breaches (even if no customer data was exfiltrated) recently – they haven’t been watching their (your) baskets carefully enough. At renewal time for all such services, require information on security changes and testing and consider competitive procurements.

John Pescatore

When first discovered, Okta shut down access to their GitHub repositories, and after analyzing access, has since restored that access. The exposure was specific to their new Workforce Identity Cloud service which provides access management, governance and privileged access controls in one package. The attackers are claiming they had sufficient access to reset passwords and MFA credentials data for Okta customers while Okta claims they were not. This follows the August breach of Twilio (used for SMS validation) and September breach of recently acquired Auth0. While the issue of who has which data is being sorted out, you may want to consider what options you have, including changing credentials, use of SMS validation and moving to another solution, just in case.

Lee Neely

Single sign-on and password managers are the old solution to part of the password problem. While better than nothing, they are still limited. Passkeys are the modern solution. They offer both safety and convenience. Be sure to offer this option to your users. Three months might be a reasonable schedule.

William Hugh Murray

It appears that cyber criminals [or nation states] are ‘upping’ their game by attacking companies that centralize critical information. In this case company proprietary information was lost that could be used to find and exploit vulnerabilities in the Workforce Identity Cloud service. Companies that offer consolidation/centralization services should revisit their security processes and make it a regular discussion item as part of board level risk management.

Curtis Dukes

The Rest of the Week's News


2023-01-01

LockBit Ransomware Gang Gives Decryptor to Toronto Children’s Hospital

Operators of LockBit ransomware have given Toronto’s Hospital for Sick Children a free decryptor after the facility became the victim of a ransomware attack in mid-December. The cyber incident resulted in delayed lab and imaging results and longer wait times for patients. LockBit operates as ransomware-as-a-service.

Editor's Note

The attack violated LockBit's code of ethics, and they removed the affiliate who executed the attack from their network. But they still took long enough to release the decryptor that the hospital was able to restore over 50% of systems to operational status. The motivation here is likely to paint a positive picture to influence future victims to trust them and pay their fees.

Lee Neely

While this is good news and shows that even criminal elements have a code of conduct, the fact remains that the IT enterprise had not implemented basic cyber hygiene practices. The recently published ‘Blueprint for Ransomware Defense’ can serve as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.

Curtis Dukes

Let’s not let this story cloud our judgement about the criminal intent and damage ransomware operators cause. Even with the decryption key, the hospital will still need to keep systems offline until they can be sure those systems are not compromised in any way. Getting the decryptor key does not magically reverse the damage and disruption caused by ransomware attacks.

Brian Honan

LockBit gets little credit for this in my book. I can count; by my reckoning healthcare remains the favorite target for extortion attacks. This is only in part because it is a soft target. In part it is because we will pay to restore care to sick kids.

William Hugh Murray

2022-12-30

Canadian Mining Company Hit with Ransomware

Canada’s Copper Mountain Mining Corporation (CMMC) suffered a ransomware attack in late December. CMMC isolated affected systems and took other systems down as a precaution. The company’s mill was shut down so engineers could determine whether its control systems were affected.

Editor's Note

Copper Mountain had predefined plans which they followed, shutting down systems and reverting to manual controls while conducting their assessment, as well as enlisting the support of external partners. That is how DR plans are supposed to work. It was reported that compromised credentials for a CMMC employee were available for sale in a hacker marketplace on December 13th. While watching for compromised credentials, and taking action to change them is important, making sure that external entry points don't allow access with reusable credentials is critical. Don't forget to review, making sure that accounts which can bypass MFA are not added.

Lee Neely

Three observations from yet another ransomware attack:
1) Every sector, public and private, is a target of cybercriminals.
2) You need to be prepared for the eventuality of compromise; the importance of regularly testing recovery plans cannot be understated.
3) Use the ‘Blueprint for Ransomware Defense’ as a guide to protect against future attacks.

Curtis Dukes

2022-12-29

Port of Lisbon Hit with Cyberattack

The Port of Lisbon (Portugal) has confirmed that its IT systems were affected by a cyberattack on December 25. The port, which is one of the busiest in Europe, stated that its operations have not been disrupted by the incident. The attack reportedly took down the port’s website and internal computer systems.

Editor's Note

A busy reporting cycle on ransomware events to start the new year. It is reassuring to read that “All security protocols and response measures planned for this type of occurrence were quickly activated.” Still, lessons can be learned about the state of security employed at the port to further reduce ransomware attacks.

Curtis Dukes

LockBit ransomware operators are taking credit for this attack. Again, predefined security protocols were activated, minimizing the disruption and expediting the response/remediation. The Port is already working with both authorities and staff to ensure the security of the data and systems. The attackers claim to have stolen financial reports, audits, budgets, contracts, ship logs and other information about cargo and crews.

Lee Neely

The report suggests that at least some mission critical applications were safely isolated from public network facing ones.

William Hugh Murray

2022-12-30

CISA Adds JasperReports Flaws from 2018 to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports vulnerabilities to its known exploited vulnerabilities catalog. The flaws were disclosed in 2018; fixes are available for both flaws. CISA says it has become aware that the vulnerabilities – an information disclosure flaw in JasperReports Server and a directory traversal flaw in JasperReports Library – are being actively exploited. Federal civilian agencies have until January 19 to mitigate the flaws on their systems.

Editor's Note

The two flaws, CVE-2018-5430 and CVE-2018-18809 have patches from TIBCO, also released in 2018. Make sure that you're running the updated JasperReports server, library, and reporting engines.

Lee Neely

The most obvious use of this database is to prioritize patching. However, consider consulting it as an indicator of quality before buying a product.

William Hugh Murray

2023-01-02

Linux Malware Exploits Flaws in Multiple WordPress Plug-ins

An as-yet unidentified Linux malware is exploiting known vulnerabilities in dozens of WordPress plug-ins and themes to compromise unpatched systems. Once they have gained a foothold, the attackers inject web pages with malicious JavaScript. The malware targets both 32-bit and 64-bit Linux systems.

Editor's Note

Irrespective of what malware is targeting which plugins, make sure that you're running updated plugins on your WordPress site, that you've uninstalled inactive plugins and themes, and implemented MFA for your administrator accounts. There are two exploits, the first: Linux.BackDoor.WordPressExploit.1 has remote C&C, targets 32-bit Linux, but will run on 64-bit variants as well; the second: Linux.BackDoor.WordPressExploit.2 appears to be an updated version, with different C&C servers, and has exploits for additional plugins. The Doctor Web blog lists the plugins each targets and has links to IOCs you can ingest.

Lee Neely

2022-12-27

WordPress YITH WooCommerce Gift Cards Premium Plug-in Vulnerability

A critical arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium WordPress plug-in is being actively exploited. The plug-in has more than 50,000 installations. The flaw affects versions of the plug-in up through 3.19.0 and has been addressed in version 3.20.0. Users are urged to install the most recent version of the plug-in.

Editor's Note

The exploit leverages a flaw in the import_actions_from_settings_from_panel which runs admin_init hook meaning the flaw is running as admin, without authentication, so you can pretty much impact anything in the /wp-admin/ directory. The function was lacking a CSRF and capacity/type check. The updated version of the plugin was released December 6th (3.20.0) and has been updated since; you should be on at least version 3.21.0. Note that while your WAF can help prevent this type of attack by blocking uploads of files with known dangerous extensions, embedded executable PHP code, or known malicious files.

Lee Neely

Note that "premium" does not modify "plug-in." While some plug-ins may be of higher quality than others, history suggests that, at least collectively, their quality is a problem. Please use them with appropriate caution.

William Hugh Murray

2023-01-02

New York Governor Hochul Signs Watered-Down Right-to-Repair Bill

On December 28, 2022, New York Governor Kathy Hochul signed a right-to-repair bill into law. The Digital Fair Repair Act had passed both chambers of the state’s legislature months earlier. While some have hailed the bill as landmark legislation, others are disappointed that many of the bill’s original provisions have been watered down or removed completely. The bill will apply only to devices sold on or after July 1, 2023.

Editor's Note

The phrase "baby steps" comes to mind. Even so, this is a step in the right direction. This is the first such bill passed in the US: future bills will build upon this to achieve more comprehensive provisions to better support third-party repair of devices. The bill was weakened through efforts to ensure that safety and security were not compromised with these efforts. Regardless of the provisions, you still need to include due diligence when qualifying repair services, as well as determine where the repair vs replace lines are for your equipment.

Lee Neely

For most end-users, exercising their right to repair will be at the expense of their security.

William Hugh Murray

Internet Storm Center Tech Corner

SPF and DMARC use on GOV domains in different ccTLDs

https://isc.sans.edu/forums/diary/SPF+and+DMARC+use+on+GOV+domains+in+different+ccTLDs/29384/


Kyverno's container image signature verification bypass

https://www.armosec.io/blog/cve-2022-47633-kyvernos-container-image-signature-verification/


Google Smart Speaker Vulnerability

https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html


Verizon Decommissions 3G CDMA Network

https://www.fiercewireless.com/wireless/verizon-tells-3g-customers-upgrade-they-lose-service


EarSpy: Spying Caller Speech and Identity Through Speaker Vibrations

https://arxiv.org/pdf/2212.12151.pdf


CVE-2022-47939 ksmbd Vulnerability

https://ubuntu.com/security/CVE-2022-47939


Netgear Vulnerabilities

https://kb.netgear.com/000065495/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Some-Routers-PSV-2019-0208


PyTorch Malicious Dependency

https://pytorch.org/blog/compromised-nightly-dependency/