SANS NewsBites

Check and Protect Any Basic Service Domain Service Accounts; Academic Institutions Need to Evaluate Impact of Latest MOVEit Breach; Get Assurances From Cisco on Splunk SIEM Futures

September 26, 2023  |  Volume XXV - Issue #76

Top of the News


2023-09-25

City of Dallas Report on May 2023 Ransomware Incident

The City of Dallas (Texas) has published a report that offers details about a ransomware attack that was detected in May. The report reveals that the initial vector of attack was a stolen account, and that attackers had access to the city’s systems for about a month before they began encrypting files. During that time, the threat actors exfiltrated about 1.17 TB of data. The city has earmarked $8.5 million to help restore systems affected by the incident.

Editor's Note

A detailed report but vague on the actual root cause, only saying “…initial access utilized the basic service domain service account, connecting to a server.” Phishing was never mentioned; it could be a default account left unchanged. The compromise and over 1 TB of data exfiltrated were not noticed until the ransomware demand. The report noted that the IT security budget was about 2.5% of the IT budget, not unusual at the local level, though Dallas is a big city – but that level of spending is usually only sufficient when IT operations (configuration management, patching, upgrading, etc.) is very mature, and that does not seem to be the case. The total cost of the incident was about $8.5M, or about $300 per record. As usual, the cost of avoiding this would have been much less than the cost of the incident.

John Pescatore

Kudos to the City of Dallas for providing an After Action Report (AAR) of the ransomware incident that affected city services. This AAR helps others understand attacker initial access, traversal mechanisms and injection of command-and-control software. The report further validates that attackers use available network management tools to fully map the network and determine location of data repositories. What’s unfortunate is the cost of cleanup (initially 8.5M) when a focus on basic cyber hygiene (patching, secure configuration, monitoring) could have preempted or limited the effects of this cyber incident.

Curtis Dukes

This is consistent with the current model of acquiring access, mapping the system fully, quietly, before exfiltrating and encrypting everything. Gaining access to a legitimate account continues to be a solvable problem. Beyond making sure you deploy MFA, particularly to privileged accounts, you need to ensure SOP includes shutting down inactive accounts judiciously, particularly those for employees who have left or retired. Make sure that maintenance accounts are only active when actually being used for maintenance. Also be sure to regularly scan for breached passwords in use in your environment and actively change them.

Lee Neely

A key part of a mature incident response process is learning from the incident. This report is a great opportunity to learn from someone else’s incident and to identify ways you can better protect your organization. Kudos to the City of Dallas for sharing this information so others can learn and better protect themselves.

Brian Honan

The compromise of a single account, no matter how privileged or reusable, should not be sufficient to compromise an entire enterprise the size of the city government of Dallas. Strong authentication, privileged access management, and network segmentation are essential in all enterprises of that scale. If $8.5M is the cost of the cure, then the proportional cost of prevention should have been adequate to implement those three essential and efficient measures. If those measures are not in place in your enterprise, document the reasons and the decision not to implement them. The authority of the official saying not to implement them must include the discretion to implement them.

William Hugh Murray

2023-09-25

National Student Clearinghouse Data Breach

The US National Student Clearinghouse (NSC) was one of the organizations affected by a breach of a MOVEit managed file transfer server. NSC said that attackers gained access to a third-party server in late May and stole files containing sensitive information. Nearly 900 US secondary schools, colleges, and universities are affected by the incident.

Editor's Note

The best move if you have a MOVEit service is to assume compromise and replace it. That may be easier said than done, so in the interim, make sure that you're hunting for those IoCs and have not only instrumented the service but also have active monitoring and playbooks at the ready.

Lee Neely

With over 2,000 victims of the MOVEit vulnerability, data breach notifications will continue for months. In this case it’s not only the National Student Clearinghouse that is affected, but also other organizations that use its services. No time like the present to avail yourself of the free credit monitoring services offered.

Curtis Dukes

2023-09-26

Cisco Announces Intent to Acquire Splunk

Cisco has agreed to purchase data analysis software company Splunk. This is Cisco's largest ever acquisition. While both companies have approved the deal, it still must face the scrutiny of regulators.

Editor's Note

Almost ancient history, but does anyone remember Cisco MARS? Cisco has been in the SIEM market before through licensing of software from netForensics and then by acquisition of Protego over 15 years ago. If the acquisition goes through (possibly the 5th biggest software acquisition in history), Splunk customers should get assurances and roadmaps from Cisco on how Splunk’s SIEM leadership will be increased and maybe even new pricing approaches.

John Pescatore

The Rest of the Week's News


2023-09-22

DHS Report: Harmonization of Cyber Incident Reporting to the Federal Government

The US Department of Homeland Security (DHS) has published a report, Harmonization of Cyber Incident Reporting to the Federal Government, that offers suggestions for simplifying federal cyber incident reporting rules. There are currently more than 40 different cyber incident reporting requirements within the federal government. The report offers eight recommendations for streamlining that process, including adopting common terminology for incident reporting, developing a model definition of reportable cyber incidents, and developing a model reporting form.

Editor's Note

Standardized reporting requirements increase the likelihood that incidents will be reported, reduce duplicative reporting, and will help those processing those reports to better understand them. The next steps are for continued feasibility studies on the adoption of these recommendations, hopefully resulting in a new standard with an adoption timeline, hopefully in FY24.

Lee Neely

It seems as though the US Government has caught the ‘harmonization’ bug. We have the ONCD RFI on cyber regulatory harmonization and now cyber incident reporting harmonization. Anything we can do to simplify the requirements asked of industry when it comes to cyber incident reporting is a good thing.

Curtis Dukes

2023-09-25

IT-ISAC Hosted Election Security Research Forum

The US Information Technology - Information Sharing and Analysis Center (IT-ISAC) recently hosted an Election Security Research Forum. The event was the culmination of “5 years of planning by the IT-ISAC’s Elections Industry Special Interest Group (EI-SIG) and an independent advisory board composed of security researchers, security companies, nonprofits, and former state and local election officials.” Election equipment manufacturers granted vetted security researchers access to the devices to hunt for vulnerabilities.

Editor's Note

We have seen a lot of positive efforts aiding states and localities in assuring the integrity of the equipment they are using during elections. Many lessons were learned about process issues, as well. Both need to be addressed. Good to see the IT-ISAC and CIS pushing this forward.

John Pescatore

This is the first time that election equipment manufacturers have made their products available for testing outside of the normal EAC-sponsored Voting System Test Laboratories. It allowed select, independent researchers to test outside the confines of the EAC voting equipment certification process. Kudos to IT-ISAC for sponsoring the forum.

Curtis Dukes

Continued progress to secure the IT used to collect and count votes is a step in the right direction, to include embracing secure configurations and pen testing. Once secure configurations are vetted and deployed, processes for keeping them updated and validated will need to be developed. Note that automation includes not only polling places, but also centralized tabulation and processing of absentee ballots. This still leaves election officials with the challenges of getting voters to turn out, and making sure votes are genuinely cast by registered voters.

Lee Neely

The requirements for ballot secrecy, early reporting, and a high level of public trust in the results make the US Presidential election system what we in IT call a hard problem, largely because there are thousands of local solutions. We should not leave their quality wholly to chance. This is an important initiative in solving the hard problem.

William Hugh Murray

2023-09-22

ISC Releases Updates to Fix BIND Vulnerabilities

A pair of vulnerabilities in the BIND named daemon could be exploited to create denial-of-service conditions. The first vulnerability (CVE-2023-3341) is a stack exhaustion flaw in the control channel code. For the second (CVE-2023-4236), ISC says “a flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure.”

Editor's Note

Stack exhaustion or causing the daemon to crash are sub-optimal unless you're the attacker. While neither of these is being actively exploited, with the preponderance of DDoS attacks, you're going to want to update to BIND version 9.18.19 or preview edition 9.18.19-S1 soon.

Lee Neely

2023-09-21

Cities Across the US are Suing Hyundai and Kia Over Inadequate Car Security

Between 2011 and 2021, more than 9 million Kia and Hyundai vehicles were sold without engine immobilizers installed. The devices prevent cars from being hotwired, but their absence from the Kia and Hyundai vehicles has resulted in a significant spike in the theft of those automobiles. Kia and Hyundai are facing multiple lawsuits. In August, a federal judge rejected a proposed settlement of $200 million in one of the cases, finding that the proposed settlement was not fair or adequate.

Editor's Note

It’s unfortunate that Kia and Hyundai didn’t follow industry best practices when it came to ‘basic anti-theft technology.’ The result is a very large number of auto thefts targeting these two brands, owner and government angst, and accompanying lawsuits. The legal argument is simple: by not following industry best practices, Kia and Hyundai failed to exhibit a standard duty of care with their products. By the way, we are starting to see this play out when it comes to cybersecurity as well.

Curtis Dukes

Groups like the Kia Boyz or Kia Boys have turned stealing these cars into sport, which is amusing until it's your car that gets jacked, let alone more than once. Software updates were developed to provide an "ignition kill" capability, as well as free steering wheel locks; even so, there remain a large number of vehicles that don't have the update, and claims persist that the update doesn't solve the problem. If you own an affected Kia or Hyundai, be sure that you're working with your dealership to get the needed updates and mitigations. Also, making sure that your vehicle includes an immobilizer needs to be on your requirements list for a new purchase. If it doesn't have one, you need to consider mitigations such as a steering wheel lock, as well as bypass scenarios.

Lee Neely

2023-09-21

US/UK Data Transfer Agreement

The US and the UK have reached an agreement regarding data transfer between the two countries. The regulations will take effect on October 12, 2023. Referred to as the data bridge, the agreement is in essence piggybacking on a data transfer agreement reached by the US and the European Union in July.

Editor's Note

These agreements were made possible by the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities last October, which brought the U.S. in line with E.U. expectations on data handling in response to a series of EU court rulings finding U.S. surveillance laws provided inadequate privacy and rights protections for Europeans whose data may be transferred to data centers in the U.S. While this is also a factor with the UK, the U.S. and UK also have intelligence-sharing agreements and similar surveillance programs, which helped enable the agreement. These agreements should allow tech companies doing data transfer to continue to do so without impediment, something AI developers will be able to leverage immediately.

Lee Neely

For government, this agreement and the earlier agreement with the EU are good things as they aid the timely search to uncover terrorist, criminal, and cyberattacks. For individuals, it can be a concern if the state uses the information for non-court sanctioned purposes. At the end of the day, if you’re law abiding, you have very little risk.

Curtis Dukes

2023-09-25

Google is Deprecating Gmail Basic HTML View

Starting in January 2024, Google will remove Gmail basic HTML view and redirect users to Standard view. When Standard view was introduced in 2013, users had the option of switching to Basic if they had slow connections; Basic lacked some of the features available in Standard view. The “Set Basic HTML as default view” option is no longer available.

Editor's Note

As the "Set Basic HTML as default view" option is removed, trying out the Standard view and reverting if you don't like it isn't a viable plan. The Standard view has been out ten years, which is a pretty generous time to convert; in that time the average connection and browser has become faster and more performant, so unless you were counting on the difference in how mail readers worked with Basic vs Standard view, you'll be fine.

Lee Neely

Although Google did not provide the reason, I suspect they ‘ran the numbers’ and decided that it was no longer necessary to maintain the basic HTML codebase. From a security perspective, moving to standard view avails users of the latest security features – a good thing.

Curtis Dukes

2023-09-25

Apple Patched Zero Days Used to Deploy Spyware

The patches Apple released last week for zero-day vulnerabilities were prompted by the discovery that they had been used to introduce Predator spyware onto the mobile phone of an Egyptian politician. The vulnerabilities could be chained to infect targeted devices with spyware by redirecting them to websites using HTTP rather than HTTPS.

Editor's Note

The malware is highly targeted and localized to maximize success, making prevention difficult. You can reduce the risk by both rolling out the update and leveraging Lockdown Mode, which is enhanced in iOS 17. This is a good time to start testing Lockdown Mode for folks in risky areas, particularly high-profile users more likely to be a target. At the very least, send users with loaner phones that are wiped after trips to risky locations. The cost of the device is far less than the cost of a compromise.

Lee Neely

Internet Storm Center Tech Corner

Scanning for Laravel - a PHP Framework for Web Artisants

https://isc.sans.edu/diary/Scanning+for+Laravel+a+PHP+Framework+for+Web+Artisants/30242

LuaJIT Malware

https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/

NPM systeminformation flaw

https://systeminformation.io/security.html

TeamCity Authentication Bypass

https://twitter.com/ptswarm/status/1706223917008834748

Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT

https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/

Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests

https://www.akamai.com/blog/security-research/sophisticated-phishing-campaign-targeting-hospitality

BSides JAX October 14th

https://www.bsidesjax.org/

Tickets:

https://www.eventbrite.com/e/bsides-jacksonville-2023-registration-566463807497?aff=oddtdtcreator