SANS NewsBites

Ukraine Sheds More Light on Sandworm; SolarWinds Disputes SEC Findings; SysAid is the Next MoveIT

November 10, 2023  |  Volume XXV - Issue #89

Top of the News


2023-11-09

SolarWinds Responds to SEC Action

SolarWinds says that the recent lawsuit filed by the US Securities and Exchange Commission (SEC) “is fundamentally flawed—legally and factually—and we plan to defend vigorously against the charges.” The complaint alleges that SolarWinds and its former CISO defrauded customers and investors by obfuscating the company’s inadequate cybersecurity practices. SolarWinds maintains that the SEC has used “snippets of documents and conversations out of context to patch together a false narrative about our security posture.”

Editor's Note

This is where your legal team will earn their retainer. And they need support from you to succeed. Without taking sides in the SolarWinds lawsuit, there are some lessons here we can leverage. Finalize and review assessment documents. Address deficiencies and document actions taken. Make sure that you're fully following your security standards, including documenting any risk acceptance or deviations. Have frank conversations with your internal auditors (remember, they work for you); follow their guidance, or document why not, and have management sign off either way.

Lee Neely

And, so, the legal posturing begins. Ultimately, it is the CEO who bears responsibility for informing investors on the state (including cybersecurity) of the company. There is also a fine line in how material cybersecurity deficiencies are discussed with investors absent an actual attack. Too much information can provide a roadmap for the attacker. Too little, well, then you might get sued by the government.

Curtis Dukes

This lawsuit is not so much about SolarWinds' security posture as it is about misleading customers and investors. That said, their security posture notwithstanding, they did ship malicious code to their customers for which they have not been held accountable. This may well be the single most expensive security failure ever, with the cost borne not by the failing party but by its customers.

William Hugh Murray

2023-11-09

Mandiant: Sandworm Targeted Ukrainian Energy Plant a Year Ago

Late last year, the threat actor known as Sandworm launched an attack against a Ukrainian energy facility. What sets the attack apart is that it employed techniques that have not been seen before to target the plant’s industrial control systems (ICS) and operational technology (OT). Researchers at Mandiant have written an in-depth technical analysis of the incident.

Editor's Note

Malware that lives off the land in an OT attack, which seems to have been developed in 1-2 months, is a peek at how Sandworm's cyber capabilities have evolved. Note they also deployed CADDYWIPER via GPO from a domain controller using the TANKTRAP PowerShell script (also used for NEARMISS, SDELETE and PARTYTICKET) on the IT systems to distract from the attack on the OT systems. The mitigations remain the same. Focus on securing the attack vector and detection/monitoring. Have the hard discussion about exactly which entry points are exposed and needed. While many OT components don't have security updates, there are other components which do, such as hypervisors, firewalls, routers and monitoring components, that need to be considered. Have an in-depth conversation on how to keep them updated without unacceptable impact to operational objectives.

Lee Neely

Two points stand out in the Mandiant report. First, the attacker applied ‘living off the land’ tactics to compromise the OT environment. We’ve seen this tactic used in information technology (IT) environments, but perhaps this is the first time it has been used against OT. Second, the attacker exploited the physical connection of the two environments, IT and OT, to enable the attack. Yes, there are legitimate business reasons for connecting the two environments, but that just means you had better understand the security consequences and protect accordingly.

Curtis Dukes

Novel attack or otherwise, the risk of mis-operation of critical infrastructure in time of armed conflict should not surprise anyone. What may be concerning in the Mandiant report is the increasing maturity of the Russian attackers.

William Hugh Murray

2023-11-09

SysAid Zero-day

Threat actors are exploiting a zero-day path traversal vulnerability in on-premises versions of SysAid service management software. The flaw was detected by researchers at Microsoft Threat Intelligence, who notified SysAid about the issue. SysAid has released an update to address the vulnerability; users are urged to ensure their systems are running SysAid version 23.3.36 or later.

Editor's Note

CVE-2023-47246, a path traversal flaw, doesn't have a published score; attackers leverage the flaw to upload a WAR file containing a WebShell and other payloads to the root of your SysAid Tomcat server. The threat actors appear to be the same group which exploited the MOVEit flaw, the Clop ransomware gang. SysAid urges taking action; Rapid7 takes it a step further, suggesting applying the update on an emergency basis. Patched or otherwise, use caution with SysAid instances exposed to the Internet, as they are being targeted and are discoverable with Shodan.

Lee Neely

The Rest of the Week's News


2023-11-09

Malicious Python Packages

Researchers from Checkmarx have detected malware they are calling BlazeStealer in malicious Python packages that masquerade as legitimate Python obfuscators. BlazeStealer fetches a malicious script that enables a bot that gives the attacker control over infected systems.

Editor's Note

For these packages, both the setup.py and __init__.py scripts include code, run during package installation, that receives and executes code from an external source. The primary fix is to make sure that you properly vet all your included packages. Leverage services from Git, Google, your CI/CD tools and others as a force multiplier here.

Lee Neely

This malware highlights the fragile nature of open-source software libraries. If done correctly, malware introduced in the supply chain can have disastrous consequences for developers across a large number of vendors. This malware demonstrated that level of skill. What’s baffling though is that the consequence is about the least possible thing that could happen. Strange.

Curtis Dukes

2023-11-09

Wordfence Bug Bounty Program

Wordfence is launching a bug bounty program to find vulnerabilities in WordPress plugins and themes. The rewards offered in the program “are based on active install counts, the criticality of the vulnerability, the ease of exploitation, and the prevalence of the vulnerability type.”

Editor's Note

We're all aware of the seemingly perpetual list of WP vulnerabilities, particularly in the myriad of plugins. Wordfence (aka Defiant Inc) is working to raise the security bar with this program. To participate, register with the Wordfence bug bounty program, carefully read the conditions, paying particular attention to what is and is not in scope. If you've previously submitted vulnerabilities, they can be associated with your account to increase your status/ranking. Note that bounties are not paid for out-of-scope vulnerabilities, and while each submission is checked, you're encouraged to limit out-of-scope submissions as there are limits on how many of your reports will be checked.

Lee Neely

Kudos to Wordfence for implementing such a program. As we’ve discussed in previous SANS NewsBites, WordPress plugins are the security weak link. Bug bounty programs are an efficient way to ferret out vulnerabilities before they can cause harm. It’s proven highly successful in large organizations such as the US Department of Defense.

Curtis Dukes

2023-11-09

US Radiology Specialists Fined $450,000 Over Failure to Protect Patient Data

The New York state attorney general has fined US Radiology Specialists $450,000 for inadequate cybersecurity practices and failure to protect patient data. The breach was part of a ransomware attack. The compromised data include driver’s license and passport numbers as well as medical exam and diagnosis information.

Editor's Note

This breach, and a recent breach of plastic surgeons, show that HIPAA is missing the teeth to prevent these breaches. HIPAA may have a lot of reasonable rules to help clinics protect this data, but without per-breach enforcement and independent auditing, the rules are meaningless.

Johannes Ullrich

US Radiology is a private service provider for partner companies. At its core, they failed to quickly update their firewall to provide adequate protections to both their and partner-connected networks, as well as failing to upgrade other systems in a timely fashion. In addition to the fine, they are also required to update their IT infrastructure, properly secure their network and update data protection policies. This means they need to incur both the cost of the deferred actions and the penalty, as well as any costs associated with the ransomware incident. While it may be easy to defer updates to systems and security practices, consider this scenario, then work to prioritize needed improvements, to include scheduling out-year activities so they are not lost. Make sure that any interconnected networks, such as one to a service provider, are properly constrained and have monitoring you're watching. Think trust but verify.

Lee Neely

The State of New York, both the OAG and the DFS, has been on a tear this year in fining companies for inadequate cybersecurity practices. Per the OAG, US Radiology Specialists did not demonstrate a standard of reasonableness in implementing its cybersecurity program. In addition to the fine, the OAG also required adoption of data security practices. A good starting point for any organization implementing security practices is the CIS Critical Security Controls, Implementation Group 1.

Curtis Dukes

Regulators have been punishing victims for a generation now with no measurable effect on security.

William Hugh Murray

2023-11-09

CISA Adds Service Location Protocol Vulnerability to KEV

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Service Location Protocol (SLP) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability “allows an unauthenticated remote attacker to register arbitrary services,” and can be exploited to launch denial of service attacks with a high factor of amplification. Researchers at Bitsight and Curesec disclosed the vulnerability in April.

Editor's Note

Another protocol that should never have been exposed to the public internet. But if it can be exposed, it will be exposed.

Johannes Ullrich

CVE-2023-29552, CVSS score of 7.5, allows an unauthenticated remote hacker to register arbitrary services, which are then used to conduct an amplified DDoS attack leveraging spoofed UDP traffic. You can apply your vendor-specific mitigations or disable the SLP (RFC 2608) service on UDP port 427. Vulnerable systems share the characteristic of being old and not otherwise using the service. Odds are this is an old service you're not using and can simply block/disable.

Lee Neely
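As an added example that is not from CISA, Bitsight or Curesec, a flow-record triage for internal hosts answering UDP/427 toward the Internet, the reflector behaviour the note describes; the record format, the sample flows and the use of RFC 1918 as the "internal" ranges are assumptions:

```python
import ipaddress
from collections import defaultdict

# Added example: find internal hosts that reply on SLP (UDP/427) to outside
# addresses and measure how much they amplify. Flow record format is assumed:
#   "<ts> <src> <dst> <proto> <sport> <dport> <bytes>"
SLP_PORT = 427
INTERNAL = [ipaddress.ip_network(n) for n in  # RFC 1918 as "our network"; use the site's ranges
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def parse_flow(line):
    ts, src, dst, proto, sport, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(),
            "sport": int(sport), "dport": int(dport), "bytes": int(nbytes)}

def slp_exposure_report(lines, min_ratio=10.0):
    """Per internal host: bytes received on udp/427 from outside, bytes sent
    from udp/427 to outside, distinct outside peers and the out/in ratio. A
    high ratio means the host is amplifying toward whoever the (spoofed) source
    was; firewall or disable SLP on those hosts first."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "udp":
            continue
        if f["dport"] == SLP_PORT and is_internal(f["dst"]) and not is_internal(f["src"]):
            stats[f["dst"]]["in"] += f["bytes"]       # inbound request (src may be spoofed)
            stats[f["dst"]]["peers"].add(f["src"])
        elif f["sport"] == SLP_PORT and is_internal(f["src"]) and not is_internal(f["dst"]):
            stats[f["src"]]["out"] += f["bytes"]      # SLP reply leaving the network
            stats[f["src"]]["peers"].add(f["dst"])
    report = {}
    for host, s in stats.items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        report[host] = {"in": s["in"], "out": s["out"], "peers": len(s["peers"]),
                        "ratio": round(ratio, 2), "flag": ratio >= min_ratio}
    return report

# Constructed sample: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "2023-11-08T12:00:01Z 203.0.113.9 10.0.5.20 udp 40000 427 64",
    "2023-11-08T12:00:01Z 10.0.5.20 203.0.113.9 udp 427 40000 1400",
    "2023-11-08T12:00:02Z 198.51.100.7 10.0.5.20 udp 40001 427 64",
    "2023-11-08T12:00:02Z 10.0.5.20 198.51.100.7 udp 427 40001 1400",
    "2023-11-08T12:00:03Z 10.0.5.21 10.0.5.22 udp 427 5000 200",      # internal only
    "2023-11-08T12:00:04Z 10.0.5.30 203.0.113.9 tcp 443 40002 5000",  # not SLP
]
```

A host that appears in the report at all has SLP reachable from the Internet and belongs on the block/disable list even if its ratio is low.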

2023-11-09

NIST Seeks Comments on Guidance for Protecting Controlled Unclassified Information

The US National Institute of Standards and Technology (NIST) has published a revised draft of SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST will accept comments on the draft through January 12, 2024. This document is the third draft; a final rule is expected to be published early next year.

Editor's Note

The comment period goes through January 12, 2024. While CUI has been on the books for a while, not all agencies have transitioned until recently. The comments have highlighted a need to streamline and simplify CUI guidance in 800-171. CUI is more complicated than prior guidance relating to sensitive unclassified information, allowing for more fine-grained categorization and identification of needed controls. As such don't try to figure that out on your own. If you're going to be processing/handling or generating CUI, work with your federal contacts to learn exactly which categories of CUI they are using and how they expect them to be marked and protected, as they have already developed guidance and training for their users.

Lee Neely

2023-11-07

American Hospital Association Lawsuit Challenges Online Tracker Warning

The American Hospital Association (AHA) and three other healthcare organizations have filed a lawsuit challenging the US Department of Health and Human Services guidance that warned against the use of online trackers. In July, the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent letters to 130 healthcare organizations, warning that tracking technologies like Meta/Facebook pixel and Google Analytics used in a healthcare environment could disclose personal health information to third parties and potentially violate HIPAA and FTC regulations.

Editor's Note

If you are using trackers on your web site, make sure that you are fully aware of the data they have access to and where that is sent/used. Document this and make sure the risk is accepted. If you are not actively using them and the related services, take them off.

Lee Neely

2023-11-09

OpenAI Says ChatGPT Outages Caused by DDoS

OpenAI says that ChatGPT outages earlier this week were due to a distributed denial-of-service (DDoS) attack. Partial outages were reported on Tuesday, November 7, and a significant outage was reported on Wednesday, November 8. As of about 4:30 pm ET, OpenAI was reporting that “the incident has been resolved and status of our services have returned to normal.”

Editor's Note

Verify that your DDoS protections include layer 7 defenses, and make sure that you don't already own services (in house or otherwise) that you haven't leveraged to keep the bar up on this sort of attack.

Lee Neely

2023 has seen a dramatic increase in DDoS attacks. Threat intelligence generally attributes the uptick in DDoS attacks to the military conflict in Ukraine. Organizations should review their SLAs with their upstream provider to limit the effect of DDoS attacks.

Curtis Dukes

Internet Storm Center Tech Corner

Visual Examples of Code Injection

https://isc.sans.edu/diary/Visual+Examples+of+Code+Injection/30388

Example of a Phishing Campaign Project File

https://isc.sans.edu/diary/Example+of+Phishing+Campaign+Project+File/30384

What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR)

https://isc.sans.edu/diary/Whats+Normal+New+uses+of+DNS+Discovery+of+Designated+Resolvers+DDR/30380

SysAid Exploited by Cl0p Ransomware (CVE-2023-47246)

https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

WS_FTP Server Update CVE-2023-42659

https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-November-2023

Malvertiser copies PC news site to deliver infostealer

https://www.malwarebytes.com/blog/threat-intelligence/2023/11/malvertiser-copies-pc-news-site-to-deliver-infostealer

pyArrow/Apache Arrow Vulnerability

https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n

Cryptomining with Microsoft Azure Automation Services

https://www.safebreach.com/blog/cryptocurrency-miner-microsoft-azure

Windows 11 Insider Changing Firewall Behaviour

https://blogs.windows.com/windows-insider/2023/11/08/announcing-windows-11-insider-preview-build-25992-canary-channel/

CISA Adds SLP Vulnerability to Known Exploited Vulnerability List

https://www.cisa.gov/news-events/alerts/2023/11/08/cisa-adds-one-known-exploited-vulnerability-catalog

BlueNoroff macOS Malware

https://www.jamf.com/blog/bluenoroff-strikes-again-with-new-macos-malware/

Emphasizing Security by Default with Advanced Microsoft Authenticator Features

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/emphasizing-security-by-default-with-advanced-microsoft/ba-p/3773130