SANS NewsBites

Check for Signs of “Infamous Chisel-A” on Android Mobile Devices; Take Proactive Approach to Limit Unnecessary Data Exposure; Replace, Segregate, or Mitigate Vulnerable Windows 7 Legacy Systems

September 5, 2023  |  Volume XXV - Issue #70

Top of the News

2023-09-01

Sandworm is Targeting Ukrainian Soldiers’ Phones with Malware

According to analysis published by intelligence agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US), the Sandworm hacker group is targeting phones used by Ukrainian soldiers. The malware being deployed in the attacks is known as Infamous Chisel-A. It scans files and network data for exfiltration, provides backdoor access on infected devices, and includes network monitoring and scanning, traffic collection, SSH access, and SCP file transfer capabilities.

Editor's Note

The CISA report notes “The Infamous Chisel components are low to medium sophistication and appear to have been developed with little regard to defense evasion or concealment of malicious activity.” Spillover potential may be low, but it is worth warning Android phone users and updating MDM checks.

John Pescatore

Sandworm, we meet again. This time you're wielding Chisel, far less subtle and effective compared to NotPetya. Chisel is not intended to be subtle nor to evade defenses; although the TOR backdoor is hidden, it's still possible to detect and block the activity. The report includes IOCs, and the NIST analysis includes downloadable YARA rules to aid hunting. Odds are you're going to want to do a factory reset or replacement of any impacted devices.

Lee Neely

2023-09-02

MTA Disables Trip History Feature

New York’s Metropolitan Transit Authority (MTA) has disabled a feature in its One Metro New York (OMNY) website that could have been abused to access other people’s travel history. Until recently, the OMNY website would retrieve the travel history associated with the payment card information used to purchase tap-and-go rides. As stolen payment card data are readily available on the Internet, the situation posed a serious privacy threat. The issue was detected by researchers from 404 Media, who alerted the MTA to the problem.

Editor's Note

A minor example of a larger problem where data usage is frequently way more promiscuous than need be. Good to use this as justification for reviewing data exposure to avoid privacy fines or other regulatory actions.

John Pescatore

The feature was created to allow users to track tap-and-go history (entry point) without having to create an OMNY account. That anyone could track history based on just having the correct credit card number may sound like a low-risk scenario, but the availability of stolen card numbers means that it's a lot easier than you may think to do that. Note that the MTA was and continues to tokenize card numbers (clearly the same card number resulted in the same tokenized number) and is evaluating other ways to more securely provide the history functions.

Lee Neely

Privacy laws continue to drive fundamental changes in how data is collected and maintained by organizations. In this case the NY MTA quickly realized disabling the feature was the easiest solution until an identity and access management scheme can be introduced to protect access to the data.

Curtis Dukes

This report is about the potential for the leakage of the data. The more fundamental questions are about its retention and its storage. Is retention necessary and legitimate? If so, is the data stored encrypted and access controlled? Only then does the question of the privileged access of the application arise.

William Hugh Murray

2023-09-04

Hackers Infiltrate High Security Military Fencing Company Through Machine Running Windows 7

Attackers gained access to the network of a company that manufactures high-security perimeter fencing for UK military sites. The company, Zaun, said the intruders possibly exfiltrated 10GB of data. Zaun also disclosed that the intruders may have gained initial access to their network through a PC that was running Windows 7.

Editor's Note

We're all thinking weakest link, right? In this case the Windows 7 system was characterized as rogue. For many OT/ICS systems it is a real possibility that you have legitimate Windows 7 devices which are, effectively, toasters, where patching and updating is achieved via expensive forklift replacement. Security for these is going to be dependent on network and physical security measures to limit access, in and out, as well as monitoring. Make sure you know where these older devices are, why they are there, and that you've got your hands around protecting and monitoring them.

Lee Neely

This attack highlights two key facts: 1) every organization, in every sector, is a potential target for ransomware gangs, and 2) organizations need to plan for end-of-life software. For end-of-life software, the easy solution is to upgrade. That said, it isn’t always that simple for organizations. In that case the organization needs to perform a risk assessment and develop other mitigations to protect the enterprise.

Curtis Dukes

While there are valid reasons for the continued use of archaic and unsupported software, such high risk uses should not be connected to both the public and enterprise networks.

William Hugh Murray

The Rest of the Week's News

2023-09-04

Social Engineering Attacks Targeting Okta Customers

Okta says that threat actors are using social engineering attacks to target high-privilege accounts and gain access to organizations’ networks. The attackers have been calling help desks and convincing staff to reset multi-factor authentication (MFA) for the Okta Super Administrator accounts. Okta has provided a list of the attackers’ tactics, techniques, and procedures (TTPs) as well as recommended measures for protection against the attacks.

Editor's Note

This is not a technical attack exploiting a technical vulnerability; this is a highly advanced social engineering attack led by cyber attackers who are doing their research. There is nothing wrong with the super-user accounts that Okta has created, nor the federated capabilities its products support. There are many real world needs for this. What the cyber threat actors have learned is we have become so good at using technology (like Okta) to secure technology that cyber threat actors are now targeting the one operating system we have failed to secure, “the HumanOS.” Okta published five actionable steps organizations can take to help defend against them. https://sec.okta.com/articles/2023/07/social-engineering-getting-more-extreme-fixes-can-be-simple

Lance Spitzner

Even if you're not an Okta customer, consider how a scenario like this could play out in your enterprise. Don't only think about your MFA protections, but also those "break-glass" emergency accounts - maybe the help desk can't be tricked into producing a hardware token, but if they can surrender those credentials - game over. The threat actors in this scenario already had compromised credentials, waiting only on the MFA token to finish the job. Make sure you're monitoring for compromised credentials, requiring them to be reset when discovered, particularly for privileged accounts, ideally for all accounts.

Lee Neely

Social engineering has become the bread and butter for enabling attacks by cybercriminals. Couple that with most help desks being rated on response time and closing of user request tickets and you understand why Okta issued the warning. The warning also provides an opportunity for organizations to revisit their own response playbook when it comes to requests to change privileged accounts.

Curtis Dukes

Support desk people are trained to be polite and helpful and measured on closing tickets. It should not surprise anyone that that makes them an exploitable vulnerability. Train for security first and measure accordingly.

William Hugh Murray

2023-09-04

New Medical Device Manufacturing Rules Put Focus on Security

Medical device manufacturers are facing new requirements regarding the security of their products. Starting October 1, 2023, the US Food and Drug Administration (FDA) will require manufacturers to submit information about medical devices’ security details. If the medical device premarket submission is incomplete – FDA requires information about device security controls, a plan for coordinated vulnerability disclosure, and a software bill of materials – the FDA will automatically reject the submission. In January 2023, the European Union adopted the Network and Information Systems 2 (NIS2) Directive, which also includes requirements for medical device cybersecurity.

Editor's Note

Remember back in 2004 when the payment card industry first put out the PCI Data Security Standards? First comes resistance and lobbying, then comes claims of mitigation or draconian projections of how security will break everything, then movement to replace inventory that has finally aged out anyway with hopefully more secure products and processes. To shorten that cycle for medical devices, start working now with procurement and operations to let vendors know security will be a key evaluation criterion in all new procurements.

John Pescatore

This ties back to the Consolidated Appropriations Act, 2023 (Omnibus) legislation passed last December, whose Section 3305, "Ensuring Cybersecurity of Medical Devices," went into effect March 29, 2023. Come October 1st, the “refuse to accept” clauses go into play for devices which have not submitted sufficient cybersecurity details. Previously the FDA indicated they were not interested in broad use of the refuse-to-accept option; it will be interesting to see if there is an exemption or extension process. As much as medical and healthcare systems are targeted, I would not hold out for an easy or simple exception process.

Lee Neely

It’s time for device manufacturers to read the ‘tea leaves.’ Government is using regulation to drive manufacturers to enable basic secure by design principles into their products. While some of the requirements don’t have a material effect on the end-user, they are basic building blocks of a secure by design approach. I would suggest that trade associations work with their respective government agencies to understand what an acceptable submission will be, so that it can be standardized within that sector.

Curtis Dukes

One has the right to expect security by design in all applications and appliances. That said, while this is a high visibility application, it is not one that worries this observer more than others. Attacks do not scale.

William Hugh Murray

2023-09-01

NCSC Warning on AI Large Language Model Prompt Injection Threats

The UK’s National Cyber Security Centre (NCSC) has published a blog about the threat prompt injection attacks pose to large language models (LLMs). Prompt injection attacks involve crafting malicious input that causes language models to behave in malicious ways, such as generating offensive content, exposing data, or producing other unexpected consequences.

Editor's Note

In the SANS 2023 Threat Report (https://www.sans.org/white-papers/sans-2023-attack-threat-report/) SANS instructor Stephen Sims details how he was able to get generative AI to do all those bad things, as well as create simple malware.

John Pescatore

You should be building a library of concerns and best practices for Generative AI. This capability isn't going away, and it will continue to evolve and train from provided datasets. Consider spinning up a team to do a deep dive on what it can do for, and against, you. Publish guidelines for staff to not only help them understand the new technology but also protect your information.

Lee Neely

LLMs are powerful natural language user interfaces to the modern computer. They are a natural and expected application of cheap and powerful computers. As with any such interface we should ensure that the application not be contaminated by its use, that persistent changes to the application not be possible from the interface, and that user-to-user isolation is maintained.

William Hugh Murray

2023-09-01

Sourcegraph Data Security Incident

Sourcegraph experienced a data security incident that exposed some user data, including paid customers’ license keys, license key recipient names, and email addresses, and community users’ account email addresses. Sourcegraph detected the incident when it noticed an unexpected spike in API usage on August 30. The intruder used an admin token that had been exposed online in a commit, gaining privileges that allowed them to increase API rate limits for some users.

Editor's Note

Good to ask all code testing tool vendors if their products address the problem Sourcegraph noted: “Our internal control systems, including automated code analysis, failed to catch the access token being committed to the repository.”

John Pescatore

There is excellent transparency in the security notice from Sourcegraph. Only about 20 license keys were exposed, and those have been rotated/updated. The rate-limiting is a temporary measure which only affects community (free) users while the investigation completes. In addition to rotating the identified licenses and implementing temporary rate limits, the hijacked account access has been revoked, and Sourcegraph has implemented new processes and tests to better detect and prevent future activity.

Lee Neely

2023-09-04

Microsoft Issues Reminder that TLS 1.0 and 1.1 Will be Disabled in Future Versions of Windows

Microsoft has reminded users that TLS 1.0 and TLS 1.1 will be disabled by default in future versions of Windows. Users will have the option of enabling the older protocols if necessary, but that option may be removed in the future. TLS 1.0 and TLS 1.1 are already disabled in Microsoft 365 products and WinHTTP and WinINET API surfaces. TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Editor's Note

You should already be focusing on making TLS 1.3 your standard. Now is a good time to make sure you've disabled support for TLS 1.0 (1999) and 1.1 (2006) in your services. Microsoft's Tech Community alert includes a list of applications which are reliant on TLS 1.1 and are expected to be broken, many of which are old versions and should be updated.

Lee Neely

Microsoft’s requirement for backwards compatibility has always been at odds with timely transition to newer, more secure versions of TLS. It’s understandable: customer needs (err, support calls) should always be a key consideration. Let’s hope 2023 is indeed the year that TLS 1.0 and 1.1 are finally excised from all Microsoft products.

Curtis Dukes
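As an added example (not from the newsletter or from Microsoft), the following PowerShell audits the SCHANNEL protocol registry keys on a Windows host and can explicitly disable TLS 1.0 and 1.1 ahead of Microsoft's default change. It assumes the documented SCHANNEL semantics (Enabled = 0 blocks the protocol; DisabledByDefault = 1 stops it being offered unless an application opts in); where a key is absent, the OS default for that Windows version applies, which this script does not try to infer.

```powershell
# Audit SCHANNEL TLS protocol settings (added example, not from the article).
# Assumed semantics from Microsoft's SCHANNEL registry documentation:
#   Enabled = 0           -> protocol cannot be negotiated at all
#   DisabledByDefault = 1 -> protocol is not offered unless an app opts in
# A missing key or value means the OS default for this Windows build applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)
    $path = Join-Path $base "$Protocol\$Role"
    $enabled = '(OS default)'; $disabledByDefault = '(OS default)'
    if (Test-Path $path) {
        $p = Get-ItemProperty -Path $path
        if ($null -ne $p.Enabled)           { $enabled = $p.Enabled }
        if ($null -ne $p.DisabledByDefault) { $disabledByDefault = $p.DisabledByDefault }
    }
    [pscustomobject]@{
        Protocol = $Protocol; Role = $Role
        Enabled = $enabled; DisabledByDefault = $disabledByDefault
    }
}

function Disable-LegacyTls {
    # Explicitly disables TLS 1.0 and 1.1 for both roles. Needs an elevated
    # shell; SCHANNEL reads these values at boot, so reboot afterwards.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Client', 'Server') {
            $path = Join-Path $base "$proto\$role"
            New-Item -Path $path -Force | Out-Null
            New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
            New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report the current state and flag legacy protocols not explicitly disabled.
$report = foreach ($proto in $protocols) {
    foreach ($role in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $proto -Role $role }
}
$report | Format-Table -AutoSize
$legacyOpen = $report | Where-Object { $_.Protocol -in 'TLS 1.0', 'TLS 1.1' -and $_.Enabled -ne 0 }
if ($legacyOpen) {
    $names = ($legacyOpen | ForEach-Object { "$($_.Protocol) $($_.Role)" }) -join ', '
    Write-Warning "TLS 1.0/1.1 not explicitly disabled for: $names (run Disable-LegacyTls to fix)"
}
```

Applications that bypass SCHANNEL (for example those that ship their own TLS stack) are not covered by these keys, so check them separately against Microsoft's list of affected software.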

2023-09-01

Guidance on Protecting Patients After Healthcare Cybersecurity Incidents

The Joint Commission, a healthcare non-profit, has published a Sentinel Event Alert addressing ways to protect patients in the wake of a cyberattack affecting healthcare organizations. The document lists seven suggested actions, including evaluating hazards vulnerability awareness (HVA) findings to prioritize services that need to remain operational and protected; creating a downtime planning committee; developing downtime plans, procedures, and resources; designating response teams; training everyone on downtime operation; establishing situational awareness with effective communication; and regrouping, evaluating, and making necessary changes after an attack. The document also includes some real-life examples of changes implemented due to healthcare organization cyberattacks.

Editor's Note

The seven actions suggested by the Joint Commission are all steps that form the basis for an organization’s incident response plan. While specific to the healthcare sector, the actions can easily be applied to other critical sectors, especially those that have an operational technology (OT) component. Perhaps the most important action to take is to host regular training exercises on key steps of the plan.

Curtis Dukes

These are practices we should all have worked out, regardless of being in the healthcare sector. Take a moment and compare what you have with the activities in the report. Beware, this is a different definition of the term HVA, but that shouldn't impact your analysis.

Lee Neely

Internet Storm Center Tech Corner