SANS NewsBites

CISA Funded Institute Published Good Starting Point for Securing CI/CD Pipelines; Deadline for Government Agencies Securing Management Interfaces Was Not Met

June 30, 2023  |  Volume XXV - Issue #52

Top of the News


2023-06-29

Guidelines for Securing Continuous Integration/Continuous Delivery Environments

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published guidelines for securing Continuous Integration/Continuous Delivery (CI/CD) environments. The document describes the attack surface, offers three potential threat scenarios, and makes recommendations for threat mitigation and hardening CI/CD cloud deployments.

Editor's Note

The threat scenarios in this document are good starting points for tabletop exercises. CI/CD pipelines and DevOps processes are often tightly coupled with business processes and very different between organizations. A really good playbook to protect CI/CD for Business/Agency A might not work at all for Business/Agency B.

John Pescatore

The report explains the conditions, threats, and issues in language that is easy to understand, and can help you build understanding of the issues without mentioning Log4j or SolarWinds. The recommendations, including validation of code signatures, using accounts with limited lifespan, MFA, and keeping systems and services patched/updated, are a conversation you can have with your teams to see where you can raise the bar as well as better understand your developers’ needs.

Lee Neely

If adversaries gain access to a software developer’s environment, then undoubtedly bad things can happen. The same is true if they gain access to any organization’s enterprise. The guidance published by CISA and NSA is useful, but first, adopt and implement an established cybersecurity framework (e.g., NIST CSF, NIST 800-53, CIS) for the entire enterprise.

Curtis Dukes

2023-06-28

US Federal Agency Systems Failing Binding Operational Directive Compliance Deadline

On June 13, 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD) compelling federal civilian executive-branch (FCEB) agencies to mitigate the risk from Internet-exposed management interfaces. The BOD required that the agencies either remove the relevant devices from the Internet or implement stringent access controls by June 27. Researchers from Censys recently found “hundreds of publicly exposed devices within the scope outlined in the directive.”

The Rest of the Week's News


2023-06-29

Medtronic Paceart Optima System Vulnerability

A vulnerability in a messaging feature of Medtronic’s Paceart Optima System, a cardiac device data workflow system, could be exploited to achieve remote code execution or create denial-of-service conditions. The feature is not enabled by default. The issue, deserialization of untrusted data, affects Paceart Optima versions 1.11 and older. Organizations are urged to update Paceart Optima to version 1.12 or newer.

Editor's Note

The good news is that Medtronic is able to publicly state that “During routine monitoring, Medtronic identified a vulnerability in the optional Paceart Messaging Service…” before any attackers were able to exploit that vulnerability. Even better would have been if that routine monitoring and flaw detection had occurred during the pre-shipment testing of the software.

John Pescatore

The best fix is to update to the newer version. An alternate mitigation is to disable the messaging feature on both the server and the workstation. Review the business impact before disabling the service; it could be that just applying the update will be far less disruptive.

Lee Neely

Typically, most users install devices using the default configuration; it’s human nature. In this case, that’s a good thing, as this vulnerability is in a feature that is not enabled by default. Given that, the likely number of users of this device that are vulnerable should be quite low. Regardless, they should heed the vendor’s risk mitigation guidance as an additional precaution.

Curtis Dukes

2023-06-28

Cause of June 28 Microsoft Teams Outage Detected, Addressed

Users of Microsoft Teams reported being unable to access the platform on Wednesday, June 28. Microsoft investigated the issue and determined that the problem was due to a configuration change. That change has been rolled back and Microsoft reported seeing availability improving around the world.


2023-06-29

MITRE 25 Most Dangerous Software Weaknesses 2023

The Homeland Security Systems Engineering and Development Institute (HSSEDI), managed by MITRE, has published the 2023 CWE (Common Weakness Enumeration) Top 25 Most Dangerous Software Weaknesses. Topping the list are out-of-bounds write, improper neutralization of input during web page generation (cross-site scripting), improper neutralization of special elements used in an SQL command (SQL injection), use after free, and improper neutralization of special elements used in an OS command (OS command injection). The US Cybersecurity and Infrastructure Security Agency (CISA) notes that “the CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years.”
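As an added illustration of the third-ranked weakness (this example is not part of the MITRE/CISA list or of this newsletter), the same user lookup written two ways: built by string concatenation, where a tautology payload turns the WHERE clause into "always true", and with a bound parameter, where the driver never lets the input become SQL syntax. The users table, its rows and the payload are constructed here for the demonstration.

```python
"""CWE-89 (SQL injection), #3 on the 2023 CWE Top 25: vulnerable vs. hardened.
Added example; the users table and the payload below are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by concatenation: the input is parsed as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Binds the value as a parameter: it can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against the payload and a legitimate name."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, PAYLOAD)),  # every row leaks
        "hardened_rows": len(find_user_hardened(conn, PAYLOAD)),      # no such user
        "legit_lookup": find_user_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated statement becomes `... WHERE username = 'x' OR '1'='1'`, which matches all three rows; the parameterized version searches for a user literally named `x' OR '1'='1` and finds none. The same pattern (bind, don't splice) is the fix for the OS command injection entry further down the list: pass arguments as a list to the process API rather than building a shell string.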


2023-06-28

Microsoft Sysmon 15: New Features

Microsoft has released Sysmon 15, which includes two new features. First, Sysmon now runs as a protected process, which means that “Windows uses code integrity to only allow trusted code to load into the protected service… and also protects these processes from code injection and other attacks from admin processes.” Second, Sysmon 15 can detect and log newly created executable files, reported as a new event type, FileExecutableDetected (Event ID 29).
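As an added example (not from the Microsoft release notes or the linked posts), a minimal Sysmon configuration that turns on the new executable-file detection and suppresses one noisy source. The schema version is the one shipped with Sysmon 15.0; the excluded path is an assumption chosen for this example, and you would replace it with whatever your own baseline shows as legitimate volume.

```xml
<!-- Added example config, not Microsoft's. Sysmon 15.0 introduced schema 4.90 and the
     FileExecutableDetected rule (Event ID 29). Rules here are "exclude" filters, so every
     executable written by a process that does not match is logged. -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <FileExecutableDetected onmatch="exclude">
        <!-- Assumed noisy source for the example: Windows Update download cache. -->
        <TargetFilename condition="begin with">C:\Windows\SoftwareDistribution\Download\</TargetFilename>
      </FileExecutableDetected>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64 -accepteula -i sysmon.xml` on a fresh install or `sysmon64 -c sysmon.xml` to update a running instance, then watch for Event ID 29 in the Microsoft-Windows-Sysmon/Operational log. The event records the writing process (Image) alongside the file path (TargetFilename) and hashes, which is the pivot you want when triaging a dropped payload; keep the exclusion list short, because every path you exclude is a path an attacker can also write to.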


2023-06-27

CISA: Supply Chain Risk Management Resources

The US Cybersecurity and Infrastructure Security Agency (CISA) plans to launch an initiative later this year that will help federal agencies understand and implement cyber supply chain risk management (C-SCRM). Speaking at FCW’s Supply Chain Workshop earlier this week, CISA’s C-SCRM Project Management Office Lead Shon Lyublanovits said that the initiative will include a hub for resources as well as a training program.


2023-06-27

CISA: Cloud Security Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA) has published two updated documents through its Secure Cloud Business Applications (SCuBA) project. The SCuBA Technical Reference Architecture is designed for agencies to “use to adopt technology for cloud deployment, adaptable solutions, secure architecture and zero trust frameworks.” The extensible Visibility Reference Framework “enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.”


2023-06-28

JAMA Study on Ripple Effects of Healthcare Sector Ransomware Attacks on Area Healthcare Facilities

According to a study published in the Journal of the American Medical Association (JAMA), ransomware attacks targeting health care facilities could have indirect effects on other health care facilities in the area. The study found that hospitals near those suffering a ransomware attack may experience an increase in the number of patients seen as well as insufficient resources to care for time-sensitive emergency conditions. The “study suggests that health care cyberattacks such as ransomware are associated with greater disruptions to regional hospitals and should be treated as disasters, necessitating coordinated planning and response efforts.”


2023-06-29

UCLA, Siemens Energy, Schneider Electric Among MOVEit Victims

The number of organizations affected by MOVEit-related cyberattacks keeps growing; one estimate puts the figure at more than 130. Among the more recently confirmed victims are the University of California Los Angeles (UCLA) and Siemens Energy. Schneider Electric is investigating reports that it was the victim of a MOVEit-related cyberattack.

Internet Storm Center Tech Corner

The Importance of Malware Triage

https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984/

Kazakhstan: The world's last SSLv2 Super Power

https://isc.sans.edu/diary/Kazakhstan+the+worlds+last+SSLv2+superpower+and+a+country+with+potentially+vulnerable+lastmile+internet+infrastructure/29988

GuLoader or DBatLoader/ModiLoader infection for Remcos RAT

https://isc.sans.edu/diary/GuLoader+or+DBatLoaderModiLoaderstyle+infection+for+Remcos+RAT/29990

Drone Security and Fault Injection Attacks

https://labs.ioactive.com/2023/06/applying-fault-injection-to-firmware.html

npm manifest issues

https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem

Dell BIOS Updates

https://www.dell.com/support/kbdoc/de-de/000214778/dsa-2023-174-dell-client-bios-security-update-for-an-out-of-bounds-write-vulnerability

CVE-2023-26258 Remote Code Execution in ArcServe UDP Backup

https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/

Sysmon Update

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36

Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution

https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution

RowPress: Amplifying Read Disturbance in Modern DRAM Chips

https://dl.acm.org/doi/abs/10.1145/3579371.3589063

Google Chrome Update

https://chromereleases.googleblog.com/2023/06/stable-channel-update-for-desktop_26.html