SANS NewsBites

VMware, Apple, Roundcube Patches and Exploits; Free Help from CISA and HHS for Healthcare Sector

October 27, 2023  |  Volume XXV - Issue #85

Top of the News


2023-10-25

VMware Patches Critical vCenter Vulnerability

VMware has released patches to address a critical out-of-bounds write vulnerability affecting its vCenter Server and VMware Cloud Foundation products. The flaw could be exploited to achieve remote code execution. The issue is severe enough that VMware has released fixes for end-of-life products, including vCenter Server 6.7U3, 6.5U3, VCF 3.x, and vCenter Server 8.0U1. VMware has also released updates for a moderate severity vulnerability that could lead to partial information disclosure.

Editor's Note

vCenter has been in the crosshairs of ransomware gangs for a while. Patch this before the next issue of NewsBites talks about how they are taking advantage of this flaw to extort organizations. As a first step: Please ensure any IPs allowing direct access to vCenter are not reachable from the internet.

Johannes Ullrich

Use this quote from VMware to drive immediate patching: “In-product workarounds were investigated, but were determined to not be viable.”

John Pescatore

If you're running one of the older, unsupported vCenter Server products, you caught a break here and have an update. Apply the patch, then move to the latest supported/patched version. POC exploit code is available on the Internet; there are no workarounds.

Lee Neely

The vendor is sending a clear signal when it chooses to provide an update for end-of-life products: the install base is high. Users of vCenter Server and its Cloud Foundation products should download the update and patch immediately.

Curtis Dukes

2023-10-25

Apple Updates

Apple has released updates to address security issues in multiple versions of iOS, iPadOS, and macOS, as well as tvOS, watchOS, and Safari. In all, the updates fix more than 50 security issues, including an actively exploited integer overflow vulnerability in the Kernel that affects older versions of iOS.

Editor's Note

This update is most important for users of older devices. Apple is providing a patch for an already exploited vulnerability to devices unable to run more recent versions of iOS.

Johannes Ullrich

Apple released updates for pretty much all their operating systems, including iOS/iPadOS 15 and macOS 12 (Monterey). Don't overlook that older hardware is still running those versions: patch them, then initiate plans to move to devices that can run the current versions. It's time to bring that newer hardware up to the current release as well. Even with the updates applied, take a look at running mobile devices in lockdown mode for users in risky areas.

Lee Neely

2023-10-26

CISA and HHS Publish Cybersecurity Toolkit for Healthcare and Public Health Sector

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have published a cybersecurity toolkit for the Healthcare and Public Health sector. The toolkit consolidates pertinent cybersecurity resources, including guidance on cyber hygiene, suggestions for strengthening defenses and maturing cybersecurity efforts, and advice on addressing resource constraints.

Editor's Note

Here are a lot of resources you're going to want all in one place. Not only guidance on actions to take, but also aids to explain the threat landscape to management as you garner support to implement selected security improvements. Don't overlook that CISA is a free resource, and you can leverage that to not only assess your current state but help you plan improvements. Having a second set of eyes, while it may result in issues which need addressing, is far better than having your adversaries exploit those shortfalls.

Lee Neely

This 82-page document definitely “consolidates” a lot of other documents, but really does not bring any value to overcoming the obstacles to actually doing all those things mentioned across those 82 pages.

John Pescatore

Kudos to HHS and CISA in leveraging existing cybersecurity best practices into a single repository. The guidance has been available for quite some time, just a Chrome or Bing search away. So, perhaps this will spur implementation by healthcare organizations.

Curtis Dukes

This initiative is timely. It will be helpful only to the extent that healthcare management makes it a priority.

William Hugh Murray

The Rest of the Week's News


2023-10-27

NGINX and Ingress Controller Issues Put Kubernetes at Risk

Kubernetes security company ARMO identified two new vulnerabilities in the NGINX Ingress Controller for Kubernetes (ingress-nginx), which affect the use of NGINX as a reverse proxy in front of Kubernetes. The two vulnerabilities (CVE-2023-5043 and CVE-2023-5044) allow attackers to inject arbitrary code into the Kubernetes ingress controller process, putting the service account tokens used by that process at risk. Both are mitigated in NGINX 1.19. A third vulnerability, CVE-2023-4886, affects Kubernetes itself: it enables an attacker with control over the ingress object to steal Kubernetes API credentials. Version 1.8 of Kubernetes mitigates this vulnerability.

Editor's Note

One of those things we cover in SEC588, so let me describe what’s happening here. TL;DR: there is a good-news set of angles. First, you need to be able to control the nginx YAML, so you do need some level of authentication. Second, if you’ve architected your CI/CD pipelines correctly, you can replace this container quickly. The problem may be that most people do not consider updating tags as often, so this is one of those hair-on-fire bugs, but only to the attackers and defenders who understand Kubernetes. Unlike all systems, Kubernetes heavily relies on authentication tokens and permissions. This container service, which is required to have certain permissions in Kubernetes, is vulnerable to that key material being read. Just make sure you know who is able to apply PodSpecs, guard your API Server, and make sure it’s not on the internet, like most of them seem to be.

Moses Frost

Ingress in Kubernetes is an API object that provides HTTP and HTTPS routing to services based on a set of rules, including hostnames or URL paths. NGINX Ingress Controller is a solution that manages this routing mechanism using the widely known NGINX reverse proxy server. Update to Kubernetes 1.8, update to NGINX version 1.19 and add the "--enable-annotation-validation" command line configuration.

Lee Neely
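
As an added example (not code from ARMO, the ingress-nginx project or this newsletter), the following Python script audits objects exported with kubectl get ingress,deployments -A -o json for the two points raised above: Ingress annotations whose values could be spliced into the generated nginx configuration, and controller Deployments started without --enable-annotation-validation. The annotation names and the controller image path are taken from ingress-nginx documentation and are assumptions, not values from the page; the SAMPLE objects are constructed.

```python
import re

# Annotations whose values ingress-nginx copies into the generated nginx.conf.
# Names are from the ingress-nginx docs (assumption: they are not on the page).
RISKY_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/permanent-redirect",
)
# A ';', '{', '}' or newline inside such a value can end the directive nginx
# expects and start another, so treat them as injection markers.
INJECTION_CHARS = re.compile(r"[;{}\r\n]")
HARDENING_FLAG = "--enable-annotation-validation"
CONTROLLER_IMAGE = "ingress-nginx/controller"  # assumed image path


def _ident(meta):
    return f"{meta.get('namespace', 'default')}/{meta['name']}"


def risky_ingresses(objects):
    """(namespace/name, annotation, value) for each Ingress whose risky
    annotation value carries nginx.conf metacharacters."""
    findings = []
    for obj in (o for o in objects if o.get("kind") == "Ingress"):
        meta = obj["metadata"]
        for key, value in meta.get("annotations", {}).items():
            if key in RISKY_ANNOTATIONS and INJECTION_CHARS.search(value):
                findings.append((_ident(meta), key, value))
    return findings


def controllers_missing_validation(objects):
    """namespace/name of each ingress-nginx controller Deployment whose
    container args lack --enable-annotation-validation."""
    missing = []
    for obj in (o for o in objects if o.get("kind") == "Deployment"):
        for c in obj["spec"]["template"]["spec"]["containers"]:
            if CONTROLLER_IMAGE in c.get("image", "") and HARDENING_FLAG not in c.get("args", []):
                missing.append(_ident(obj["metadata"]))
    return missing


# Constructed sample standing in for the kubectl JSON output: a clean Ingress,
# one with a suspicious redirect value, and a controller lacking the flag.
SAMPLE = [
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://shop.example/"}}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "legacy", "annotations": {
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://shop.example/;\n"}}},
    {"kind": "Deployment", "metadata": {"namespace": "ingress-nginx", "name": "controller"},
     "spec": {"template": {"spec": {"containers": [{
         "image": "registry.k8s.io/ingress-nginx/controller:vX.Y.Z",  # placeholder tag
         "args": ["/nginx-ingress-controller"]}]}}}},
]
```

Against real cluster output, pass the "items" list from the kubectl JSON to both functions; an empty result from each is the expected state after the upgrade and flag described above.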

2023-10-24

Irish Police Vehicle Seizure Data Exposed

Irish National Police (Garda) data regarding seized vehicles was found online in an unprotected database. More than 500,000 records were exposed; the data include identity documents, vehicle registrations, names, and other identifying information of drivers, witnesses, and Garda officers.

Editor's Note

Many issues exposed in this one: (1) Need to Share always has to be satisfied with “Need to Protect.” (2) “Need to Protect” includes requirement for “Need to Notice.” (3) All those Needs are more complex when a supply chain is involved. (4) Finger-pointing down the supply chain rarely reduces liability and never reduces damage to the information owner. Many organizations probably have this same potential exposure – use this item to get approval for action now.

John Pescatore

Encrypting data at rest, limiting access to those with need-to-know, let alone annually verifying those settings are in place, may sound like regulatory and bureaucratic overhead/PITA until you find you've got exposed data and need to explain to management, staff, regulators and possibly the press why. In this case, the weakness was at a third party, and the contract included data protection provisions, but validation of appropriate access controls seems to have been missing. The third party is the data steward; you're still the data owner, and protection remains your responsibility.

Lee Neely

Unfortunately, a basic configuration setting was not applied, leading to the data exposure. The Center for Internet Security has foundation security benchmarks for the major cloud service providers as well as configuration recommendations for individual products (i.e., databases). Going forward, the Garda can make configuration to the benchmarks a requirement of the SLA.

Curtis Dukes

2023-10-25

Canadian Hospitals Affected by IT Outage

A cyberattack against shared services provider TransForm has caused outages affecting email systems and patient records at five Canadian hospitals: Windsor Regional, Hotel Dieu, Bluewater Health, Erie Shores HealthCare and the Chatham-Kent Health Alliance. The hospitals have had to delay or cancel some patient appointments.

Editor's Note

TransForm is a non-profit organization created by the five hospitals to manage their IT, accounts payable and supply chain, sending about 1 million patient messages a month while managing about 40,000 devices. The arrangement has achieved economy of scale wins for the hospitals and that comes with risks of wider impact for issues. Replace TransForm with your cloud service provider in the conversation and dive deep into what you can do to mitigate outage impacts, to include the ROI and expected risk of occurrence. Keep that report updated.

Lee Neely

2023-10-25

Philadelphia Discloses Cyberattack

The city of Philadelphia disclosed that its IT systems were hit with a cyberattack in May and that the incident compromised personal information. The city detected suspicious activity in its email system in late May; it was later determined that intruders may have had access to email accounts between May 26 and July 28. In August, the city learned that some of the email accounts held protected health information.

Editor's Note

While the breach appeared to end in July, the PHI reporting didn't happen until October, just about the end of the allowed 90-day window for HIPAA reporting. While the delay is likely due to forensic and other analysis to ensure the reporting was accurate, which is something we would all want, make sure that your incident reporting plans are on as short a timeline as possible, not only for transparency, but also to keep the information authoritative, neutralizing third-party speculative releases.

Lee Neely

I hate to be a grumpy Gus in my comments today, but any time I see an “Incident of Notice” that includes the phrase “In an abundance of caution…” I stop reading. If an organization even just had slightly more than a modicum of caution, most incidents would have been avoided. Even just a scintilla of caution should result in less than two months of dwell time for active attacks.

John Pescatore

The biggest takeaway from this disclosure is the apparent lack of incident response planning by the city. After containing the breach, communicating the possible loss of PII (including protected health information) to its residents has to be at the top of the list of actions to take.

Curtis Dukes

2023-10-25

NCC Group Observes Uptick in Ransomware Attacks

According to a September 2023 report from NCC Group, ransomware groups launched 514 attacks in September, a year-over-year increase of more than 150 percent. There was also a 76 percent increase in double ransomware attacks. The majority (50 percent) of the attacks were against organizations in North America; 30 percent targeted European organizations.

Editor's Note

Interesting stats, some not surprising: 50% of the attacks targeted North America, 30% Europe and then Asia with 9%. The most prolific attacker was LockBit 3.0, followed by LostTrust, BlackCat and RansomedVC. Surprising was that Clop, the group behind the MOVEit attacks, didn't appear in the September list. Newcomer RansomedVC has a twist to their extortion plan, claiming any flaws found on victims' networks would be reported under the GDPR, which could trigger hefty fines for data breaches which may include compensation to affected individuals. Make sure you haven't relaxed your anti-ransomware protections and awareness.

Lee Neely

Notwithstanding international law enforcement efforts, ransomware attacks are still on the rise in 2023. More needs to be done to take away the main advantage evil-doers have: ransomware payment via crypto-currency.

Curtis Dukes

2023-10-26

UK Parliament Inquiry on Critical National Infrastructure Cyber Resilience

The UK Parliament’s Science and Technology Committee is calling for information that can help protect the country’s Critical National Infrastructure (CNI) from cyberattacks. The committee notes that the UK is the third-most targeted country in the world for cyberattacks, following the US and Ukraine.

Editor's Note

I suspect that what the UK Parliament will find as a result of the call is that sufficient cybersecurity guidance already exists to protect critical infrastructure. The next step will be to enforce a minimum cybersecurity standard for each critical infrastructure sector. Additionally, one must look at the potential insider threat, and include both physical and procedural security controls in the minimum standard.

Curtis Dukes

The committee acknowledges the challenges caused by a mixture of government and private sector owned systems comprising their CNI, which heightens the need for comment from those operators who don't operate in the government sector. Responses need to be submitted by November 10th using the “Cyber resilience of the UK's critical national infrastructure” portal. Documents up to 25MB can be submitted; be sure to follow the guidance to ensure acceptance.

Lee Neely

2023-10-26

Update Available to Fix Zero-day Vulnerability in Roundcube Webmail Servers

Researchers from ESET say the Winter Vivern cyberespionage group has been exploiting a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server. Since October 11, the Winter Vivern group has been targeting Roundcube Webmail servers at several European government organizations and a think tank. Roundcube has released updates to address the vulnerability; users are urged to update to versions 1.6.4, 1.5.5, and 1.4.15 or later.

Editor's Note

Threat actors are targeting products like Roundcube and Zimbra as they are often used in situations where the victim has a lower IT budget and a correspondingly lower level of sophistication of security measures, making it easier to compromise their organization. The messages sent in this attack leveraged JavaScript embedded in the message such that the act of viewing the message in a browser was sufficient to launch the attack, which sent a list of folders and emails in the victim's Roundcube account to the attackers. Beyond updating to the latest version of Roundcube, consider migrating to a solution which is a harder target. It's 2023; there is no need to run email in-house, and service providers have a much bigger budget to provide secure environments. Remember, you need to activate the security functions in that solution, to include appropriate monitoring.

Lee Neely

2023-10-25

Ransomware Attack on Chilean Telecom GTD Disrupts IaaS

Chile’s Computer Security Incident Response Team (CSIRT) has disclosed that the Grupo GTD telecommunications company suffered a ransomware attack that has disrupted its Infrastructure as a Service (IaaS) platform. The attack began on Monday, October 23. GTD has taken down its IaaS platforms for analysis. GTD recommends that organizations that use its IaaS services consider taking certain measures to determine if they were affected by the attack.

Editor's Note

If you're a GTD IaaS customer, follow the suggested mitigations to scan for anomalous traffic, accounts, processes, and malware, to include hunting for the Rorschach ransomware using the provided IOCs.

Lee Neely

Internet Storm Center Tech Corner

Apple Updates

https://isc.sans.edu/diary/Apple+Patches+Everything+Releases+iOS+171+MacOS+141+and+updates+for+older+versions+fixing+exploited+vulnerability/30344

Confluence Server Scans CVE-2023-22515

https://isc.sans.edu/diary/Sporadic+scans+for+serverinfoaction+possibly+looking+for+Confluence+Server+and+Data+Center+Vulnerability+CVE202322515/30342

Adventures in Validating IPv4 Addresses

https://isc.sans.edu/diary/Adventures+in+Validating+IPv4+Addresses/30348

BIG-IP Configuration Utility Unauthenticated Remote Code Execution

https://my.f5.com/manage/s/article/K000137353

https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/

iLeakage Vulnerability

https://ileakage.com/

Critical VMware vCenter Patch CVE-2023-34048

https://www.vmware.com/security/advisories/VMSA-2023-0023.html

Samsung Messages and Samsung Wallet briefly marked as 'harmful' by Google

https://9to5google.com/2023/10/23/samsung-messages-wallet-harmful-app-google/

OAuth Hijacking

https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

Microsoft Exchange Server CVE-2023-36745 PoC

https://n1k0la-t.github.io/2023/10/24/Microsoft-Exchange-Server-CVE-2023-36745/

Citrix Bleed PoC CVE-2023-4966

https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

VMware vRealize Exploit CVE-2023-34051 CVE-2023-34052

https://www.vmware.com/security/advisories/VMSA-2023-0021.html