SANS NewsBites

Check for Plex and XStream on PCs; Are You at Risk From Using Third Party Invisible Pixel Trackers?; Make Sure CISA Is Not On Your Email Spam List

March 14, 2023  |  Volume XXV - Issue #21

Top of the News


2023-03-11

CISA Adds Plex and XStream Vulnerabilities to KEV List

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: a remote code execution flaw in Plex Media Server and a remote code execution flaw in XStream. Both have remediation due dates of March 31, 2023. Some reports have indicated that the breach of a LastPass engineer’s computer may have been conducted through a Plex vulnerability.

Editor's Note

Most organizations will not have Plex, a popular video player, on their radar. But it played an important role in the LastPass breach. A developer's workstation had Plex installed. A vulnerability in Plex was used to compromise the workstation and that workstation was used in the large breach of encrypted LastPass credential files. Software running on developers’ personal systems is often overlooked. Organizations should provide incentives to developers to keep software on personal workstations up to date by reimbursing patching tools or offering assistance in managing the updates.

Johannes Ullrich

Along with making sure that installed copies of these products get fixed, riddle me this: should they be installed on work computers? Part of any hardening exercise is removing unnecessary components. If you’re ok with the risk, make sure it is documented.

Lee Neely
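
The "check for XStream" half of this item is harder than it sounds: XStream is a Java library bundled inside other applications, so it never shows up in an installed-programs list. The script below is an added example (not SANS or CISA tooling) that walks a directory tree, finds xstream jars, reads the version from the jar manifest with the filename as a fallback, and flags anything below a version floor you pass in. The floor is deliberately a parameter rather than a hard-coded number; take it from the CISA KEV entry or the XStream advisory. The sample tree it builds for the demo is constructed, and the demo floor of 1.4.15 is illustrative only.

```python
"""Find bundled XStream jars and flag versions below a given floor.

Added example, not from SANS or CISA. XStream ships inside other
applications, so the reliable inventory check is to look for the jar on
disk rather than in an installed-programs list. The minimum acceptable
version is a parameter (take it from the KEV entry or vendor advisory).
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import Iterator, Optional

# Matches xstream-1.4.18.jar, xstream-1.4.18-sources.jar, and similar.
JAR_NAME = re.compile(r"^xstream-(\d+(?:\.\d+)*)(?:[-.][^/]*)?\.jar$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'1.4.18' -> (1, 4, 18); suffixes such as '-SNAPSHOT' are ignored.
    An unparsable version yields () which sorts lowest, so it is flagged
    for manual review rather than silently passed."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def manifest_version(jar_path: str) -> Optional[str]:
    """Version from META-INF/MANIFEST.MF, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    # Manifest values may wrap onto a continuation line starting with a space.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def find_xstream_jars(root: str) -> Iterator[tuple[str, str]]:
    """Yield (path, version) for each xstream jar under root.
    The manifest is trusted over the filename; the filename is only a
    fallback because a repackaged jar may carry no version in its manifest."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if m:
                path = os.path.join(dirpath, name)
                yield path, manifest_version(path) or m.group(1)


def vulnerable_jars(root: str, min_version: str) -> list[tuple[str, str]]:
    """Jars whose version sorts below min_version (the first fixed release)."""
    floor = parse_version(min_version)
    return sorted((p, v) for p, v in find_xstream_jars(root) if parse_version(v) < floor)


def build_sample_tree(base: str) -> None:
    """Construct a fake application tree with two xstream jars (sample data,
    not real artifacts): one with a manifest version, one without."""
    lib = os.path.join(base, "app", "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "xstream-1.4.10.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: 1.4.10\r\n")
    with zipfile.ZipFile(os.path.join(lib, "xstream-1.4.20.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")  # no version


def demo(min_version: str = "1.4.15") -> list[str]:
    """Scan the constructed tree; the default floor is illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(p) for p, _ in vulnerable_jars(tmp, min_version)]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python xstream_check.py <root> <min-version>
        for path, version in vulnerable_jars(sys.argv[1], sys.argv[2]):
            print(f"{version:<12} {path}")
    else:
        print("demo:", demo())
```

Run it against the directories where your Java applications live (and any developer tool installs); a hit with an old version means the bundling application, not XStream itself, is what needs updating or removing. Plex Media Server is an application rather than a library, so for it the simpler route is the installed-programs list, the package manager, or the version shown in its own settings page.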

2023-03-10

Cerebral Notifies Millions of Data Breach

Cerebral, a mental health services healthcare platform, has begun notifying more than 3 million people that their personal information was compromised. A Notice of HIPAA (Health Insurance Portability and Accountability Act) Privacy Breach recently posted on the Cerebral website says that the company has been using invisible pixel trackers and other tracking technologies from several third parties since late 2019.


2023-03-13

CISA Ransomware Vulnerability Warning Pilot

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the creation of its new Ransomware Vulnerability Warning Pilot (RVWP). RVWP was established to comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and has been in operation since the end of January. RVWP involves “leverage[ing] existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks.”

The Rest of the Week's News


2023-03-13

Blackbaud Agrees to Pay $3M to Settle Misleading Disclosure Charges

The US Securities and Exchange Commission announced that Blackbaud has “agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack.” Blackbaud provides donor data management software to non-profit organizations. When Blackbaud disclosed the incident in July 2020, the company said that donor bank data and Social Security numbers (SSNs) had not been compromised. However, a September 2020 SEC filing indicated that the attackers had accessed and stolen those data.

Editor's Note

Good one to use to drive a tabletop exercise walking through your breach disclosure processes. Call it “Take an Hour to Help Ourcorp Avoid a $3M Fine.”

John Pescatore

Consistency and transparency are crucial in a breach. It is more important to fully disclose customer impacts than to downplay them to avoid negative consequences. Make sure customer and regulatory reporting match. If one is found to be in error, take immediate steps to rectify and communicate.

Lee Neely

The details of this ransomware attack make for a good case study and should be captured in a tabletop exercise by the Board. Communications to employees, customers, and suppliers are important components of any incident response plan and should be regularly exercised by the leadership team. The final piece of the case study should capture total costs of the attack as IT and security budgets are reviewed.

Curtis Dukes

2023-03-10

CISA Shares Red Team Incident Assessment Findings

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory “detailing activity and key findings from a recent CISA red team assessment … of a large critical infrastructure organization with multiple geographically separated sites.” The advisory recommends establishing a baseline of normal network activity; conducting regular assessments; and enforcing phishing-resistant multi-factor authentication.


2023-03-10

Authorities Seize NetWire RAT Domain, Infrastructure Server

Law enforcement agencies in multiple countries have taken action to hobble operations of the NetWire remote access trojan (RAT). The FBI seized a domain associated with NetWire. In Switzerland, authorities seized a server that hosted NetWire infrastructure. And law enforcement authorities in Croatia have arrested an individual in connection with the alleged operation of NetWire.


2023-03-08

CISA and Women in CyberSecurity Announce Partnership

The US Cybersecurity and Infrastructure Security Agency (CISA) and Women in CyberSecurity (WiCyS) have signed a Memorandum of Understanding, “which outlines opportunities for the two organizations to formally partner on bringing awareness to the incredible careers in the industry and building a pipeline for the next generation of women in cybersecurity.”


2023-03-13

Los Angeles Housing Authority Discloses Data Breach

The Housing Authority of the City of Los Angeles (HACLA) has disclosed a data breach that affects personal information, including driver’s license, payment card, passport, and financial account numbers and health insurance data. HACLA detected encrypted files on its network on December 31, 2022. An investigation revealed that intruders had had access to HACLA’s network since mid-January 2022.


2023-03-13

Belgian Hospital’s Servers Hit with Cyberattack

The Centre Hospitalier Universitaire (CHU) Saint-Pierre in Brussels, Belgium, was the target of a cyberattack over the weekend. The incident caused the organization to divert ambulances to other hospitals. By Saturday evening, the affected servers were disconnected and restarted; they remain disconnected from the Internet. CHU Saint-Pierre’s chief executive said that the hospital “launched the emergency plan specifically established for this type of situation.”


2023-03-13

Akuvox E11 Smart Intercom Vulnerabilities Remain Unpatched

More than a dozen vulnerabilities have been detected in Akuvox E11 smart intercoms. The flaws were reported to the US Cybersecurity and Infrastructure Security Agency (CISA) by researchers from Claroty’s Team 82. Both Claroty and CISA have attempted to notify the Chinese vendor and coordinate the vulnerabilities’ disclosure since January 2022. The vulnerabilities remain unfixed; CISA recommends disconnecting Akuvox E11 devices from the Internet until fixes are made available.


2023-03-13

Failure of Silicon Valley Bank May Lead to Phishing/BEC-like Scams

The failure of Silicon Valley Bank (SVB) and Signature Bank this weekend left many of the banks' customers unsure how to communicate with their bank or how to access their money. Scams thrive on exactly this kind of uncertainty, and there are already early signs of scammers preparing to act. The Internet Storm Center has spotted suspicious SVB-related domain registrations, and has observed companies using plain email to ask partners to update bank account details, which is the very request a business email compromise (BEC) scam makes and which conditions recipients to accept it.
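
One practical response to the domain-registration angle is to watch a newly-registered-domain feed for brand lookalikes. The script below is an added example, not the Internet Storm Center's own tooling: it normalizes digit-for-letter substitutions, matches brand tokens, catches single-character typosquats with edit distance, and raises the priority of hits that also carry a payment-redirection lure word. The brand list and lure keywords are assumptions chosen for this incident, the public-suffix handling is simplified, and the feed is constructed for the demo rather than real registration data.

```python
"""Triage a newly-registered-domain feed for SVB/Signature lookalikes.

Added example, not Internet Storm Center tooling. BRANDS and LURE are
assumptions for this incident; SAMPLE_FEED is constructed, not real data.
"""
import re

BRANDS = ("siliconvalleybank", "signaturebank", "svb")
# Words that typically accompany a brand name in a payment-redirection lure.
LURE = ("fdic", "claim", "deposit", "refund", "recover", "login", "support", "wire", "payroll")
# Digits commonly swapped for letters in lookalike labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Constructed sample feed (not real registrations).
SAMPLE_FEED = [
    "svb-claims-portal.com",
    "siliconvalleybank-fdic.net",
    "si1iconvalleybank.com",
    "siliconvaleybank.com",
    "svbank-deposit-recovery.com",
    "signaturebank-login.info",
    "svbgroup.com",
    "rsvp-events.org",
    "svensonbakery.com",
    "example.com",
]


def registrable_label(domain: str) -> str:
    """Lowercased label left of the public suffix (simplified: no PSL lookup)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    two_part = len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in {"co", "com", "org", "net", "ac"}
    return parts[-3] if two_part else (parts[-2] if len(parts) >= 2 else parts[0])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(domain: str) -> list[str]:
    """Reasons a domain looks like a brand lookalike; empty list if none."""
    label = registrable_label(domain)
    norm = label.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]+", norm) if t]
    compact = "".join(tokens)
    reasons = []
    for brand in BRANDS:
        if len(brand) >= 8 and brand in compact:
            reasons.append(f"contains '{brand}'")
        elif len(brand) < 8 and any(brand in t for t in tokens):
            # Short brands only match inside one hyphen-delimited token, so a
            # label like 'bikes-vbar' does not trip on 'svb' spanning the hyphen.
            reasons.append(f"token contains '{brand}'")
        elif (d := levenshtein(compact, brand)) <= 2:
            reasons.append(f"within {d} edit(s) of '{brand}'")
    if not reasons:
        return []
    if norm != label:
        reasons.append("digit-for-letter substitution")
    lures = [k for k in LURE if k in compact]
    if lures:
        reasons.append("lure keyword(s): " + ", ".join(lures))
    return reasons


def triage(feed: list[str]) -> dict[str, list[str]]:
    """Map each flagged domain to its reasons; unflagged domains are omitted."""
    flagged = {}
    for domain in feed:
        reasons = assess(domain)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_FEED).items():
        print(f"{domain:<32} {'; '.join(reasons)}")
```

The output is a review queue, not a blocklist: short brand tokens such as "svb" will produce some noise, and that is deliberate, since a lookalike that also carries a lure word ("claim", "deposit", "fdic") is the one to get in front of your finance team before the email arrives.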

Internet Storm Center Tech Corner

SVB Scams and New Domain Registrations

https://isc.sans.edu/diary/Incoming+Silicon+Valley+Bank+Related+Scams/29630

AsynRAT Trojan - Bill Payment (Pago de la factura)

https://isc.sans.edu/diary/AsynRAT+Trojan+Bill+Payment+Pago+de+la+factura/29626

Mirai Payload Generator

https://isc.sans.edu/diary/Overview+of+a+Mirai+Payload+Generator/29624

Multi-Technology Script Leading to Browser Hijacking

https://isc.sans.edu/diary/MultiTechnology+Script+Leading+to+Browser+Hijacking/29620

CISA Adds Older Plex and VMware Vulnerabilities to Known-Exploited List

https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-plex-bug-after-lastpass-breach/

FortiOS Vulnerability Exploited

https://www.fortiguard.com/psirt/FG-IR-22-369

OneNote will warn users of embedded content

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=OneNote%2CIn%20development&searchterms=122277

Google Removing Chrome Cleanup Tool

https://security.googleblog.com/2023/03/thank-you-and-goodbye-to-chrome-cleanup.html