SANS NewsBites

Denmark's Critical Infrastructure Targeted; Australian Ports Knocked Out in Cyberattack

November 14, 2023  |  Volume XXV - Issue #90

Top of the News


2023-11-13

Danish Cybersecurity Organization Details Cyberattacks Targeting Critical Infrastructure

In May of this year, more than 20 critical infrastructure organizations in Denmark were targeted with cyberattacks. A report published by SektorCERT, the Danish cybersecurity organization for critical infrastructure sectors, details the attacks, which were carried out through known vulnerabilities in Zyxel firewalls.

Editor's Note

Note the use of two Zyxel firewall vulnerabilities in these attacks. Before you move on to the next comment/story: Add a recurring monthly reminder to your calendar to check if your firewall/perimeter device firmware is up to date. It is notoriously difficult to be notified of available updates for these devices (not just Zyxel) and usually requires some manual care. Of course: If you do not want to be the script, write one to monitor for updates.

Johannes Ullrich

The SektorCERT report shows that security was not considered to be a critical part of Denmark’s critical infrastructure. Lack of knowledge that Zyxel was even in use, or that firewall software needed regular updates, ignoring repeated warnings between patch availability and before attacks all indicate a systemic problem. Good case study for all nations to proactively fix similar problems and a good “essential security hygiene” checklist to use with all critical service providers to your own organization.

John Pescatore

Several lessons here. First, know what you have, get a good inventory, particularly of your boundary control devices. Second, don't assume devices are up-to-date, even if new: assume firmware updates were released after the unit was produced and always include updates as part of the provisioning processes. Third, paying for the needed contract (software, hardware, or labor) so updates can be installed is cheaper than the breach recovery. Fourth, make sure you're monitoring for and responding to incidents 24x7; don't assume you have to do all that yourself in-house, as there are external resources and services you can leverage.

Lee Neely

A lot to unpack in this report. First, it appears to have been a series of targeted attacks, which often speaks to nation state involvement. Second, vulnerabilities that were not patched, which highlights an ineffective patch management process. Third, misunderstanding of the service level agreement between vendor and operators when it comes to maintenance of the Zyxel firewalls. Fourth, and unfortunately all too common, organizations not having complete knowledge of devices operating on their network. The lesson learned is that every organization has to have a relentless focus on cybersecurity basics, what we call essential cyber hygiene.

Curtis Dukes

2023-11-13

Australian Ports Recovering from Cyberattack

A cyberattack that affected the DP World shipping and logistics company disrupted operations at four Australian ports over the weekend. DP World took the ports’ systems offline on Friday, November 10. As of Monday, November 13, the ports in Brisbane, Fremantle, Melbourne, and Sydney were operating normally. DP World Australia said it expected to move 5,000 containers through the ports on Monday; they are facing a backlog of 30,000 containers due to the three days the systems were offline. The four ports account for approximately 40 percent of freight in and out of Australia.

Editor's Note

DP World was able to contain the attacks to their Australian components. They have roughly 10% of the shipping worldwide and operate 82 inland and marine terminals in 40 countries. Further, they executed their response plan, bringing things back online in three days. While the investigation is not completed, they are bringing services online, indicating someone had addressed the risk of further compromise versus mission execution. Make sure to include that decision process in your planning. Beyond walkthroughs, make sure you schedule exercises for staff to practice their recovery techniques.

Lee Neely

While not yet declared a ransomware attack, it has all the hallmarks of an attack by cyber criminals often associated with ransomware gangs. The attack on DP World, and several others over the last few months, highlights the increasing impact to business operations, which translates to lost revenue. The next set of questions by regulators will be whether the organization exhibited a ‘standard of reasonableness’ in defending itself.

Curtis Dukes

The Rest of the Week's News


2023-11-10

State of Maine Discloses it was Affected by MOVEit Breach

The government of the state of Maine has disclosed that its MOVEit server was breached earlier this year: intruders had access to files on the server on May 28 and 29. The incident affects 1.3 million people; the compromised data include names, Social Security numbers (SSNs), dates of birth, driver's license/state ID numbers, taxpayer ID numbers, and some medical and health insurance information.

Editor's Note

The population of Maine, as of 2020, was 1.3 million, meaning it's safe to assume that if you are a resident you're impacted. The state is providing two years of credit monitoring to those directly impacted, and has set up hotlines, discount codes and access processes to facilitate service activation. The only concerning thing is that it took them five months to finish the analysis to disclose the breach. That is a long time for your customer or employee data to be unknowingly released. The state notes they took the needed steps from Progress Software to secure MOVEit, but don't indicate what they are doing to replace it. If you're still using MOVEit, you really need to consider moving to an alternate solution PDQ. It will remain a target.

Lee Neely

Herein lies the conundrum: how much data should an organization maintain and what are their responsibilities to protect it? In this case, the State of Maine provides digital services to its citizens and much of the data collected is for that purpose. The question now comes down to whether their measures to protect the data were reasonable, given the sophistication of the attack.

Curtis Dukes

2023-11-10

Threat Actors are Breaching Healthcare Organizations Through ScreenConnect Remote Access Tool

Researchers at Huntress say that cyberthreat actors are gaining unauthorized access to US healthcare organizations through locally-hosted instances of the ScreenConnect remote access tool, used by Transaction Data Systems. Huntress has provided a list of observed tactics, techniques, and procedures used in the attacks.

Editor's Note

According to ConnectWise, the vendor of ScreenConnect, the attacker gained access via an on-prem instance which hadn't been updated since 2019. The point here is that all remote access tools, not just RDP, are targets, and they need to be configured to, at a minimum, vendor best practices, and kept updated. Don't expose any remote desktop or management interfaces to the Internet: require they be accessed via a VPN. And really assess that emergency access (you know the one, so the on-call person can respond without driving in when things break), noting it can and will be leveraged by your attackers, who also do not want to drive in.

Lee Neely

2023-11-10

Shields Ready Campaign Emphasizes Critical Infrastructure Resilience

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) launched a campaign “to encourage the critical infrastructure community to focus on strengthening resilience.” CISA director Jen Easterly said that Shields Ready “complements” the earlier Shields Up campaign, which encouraged critical infrastructure organizations to take defensive action in response to threat intelligence. In contrast, Shields Ready encourages the organizations to take steps ahead of time to prepare for cyberattacks.

Editor's Note

Speed limit signs “encourage” safe driving. Speed cameras and speed traps enforce safe driving laws. We have many years of experience that we have plenty of US government “encouragement” and not enough enforcement of existing mechanisms (let alone new ones) for making lack of due diligence in cybersecurity look as risky to CEOs and boards as lack of financial due diligence.

John Pescatore

It's easier to implement added protections when you're not busy fighting fires, which is why the recommendation is to get things in place today before they are needed. CISA has supporting services to help review and assess your resiliency as well as help with a tabletop campaign. Leverage their process to assess your resiliency today and identify gaps as well as prioritize fixes, so you're ready to respond when the call comes for budget items.

Lee Neely

Far too often it’s a known vulnerability for which a patch exists that is the leading cause of compromise. Mandating a minimum cybersecurity baseline that all critical infrastructure providers have to adhere to would go a long way to ‘strengthening resilience.’ A good starting point would be the CIS Critical Security Controls, Implementation Group 1.

Curtis Dukes

The prevalence and persistence of ransomware attacks suggests the need for hot (or at least warm) backups.

William Hugh Murray

2023-11-10

CISA, ODNI, and NSA Publish SBOM Consumption Guidance

The US Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) have published software supply chain security guidance for vendors. The document focuses on software bill of materials (SBOM) consumption.

Editor's Note

While you're focused on SCRM, and your SBOM, make sure you have a complete inventory of software you need to check first. If you're not keeping that current and those items updated, you may want to get your arms around those processes before you start looking at their corresponding SBOMs. When you do start considering SBOMs, focus on areas where you're leveraging open-source software.

Lee Neely

SBOM is a solid initiative, but a pre-requisite is accurate software inventory. SBOM for Zyxel firewall software was of no help to those Danish critical infrastructure providers who didn’t even know they were using Zyxel software.

John Pescatore

This is a step in the direction of holding suppliers accountable for distributing malicious code.

William Hugh Murray

2023-11-13

CISA Adds Five Juniper Vulnerabilities to KEV

On Monday, November 13, the US Cybersecurity and Infrastructure Security Agency (CISA) added five vulnerabilities in Juniper Junos OS to its Known Exploited Vulnerabilities catalog. Two of the flaws are external variable modification vulnerabilities, and three are missing authentication for critical function vulnerabilities. Juniper urges users to upgrade to patched versions of affected products.

Editor's Note

The variable manipulation flaws, CVE-2023-36844, CVE-2023-36845 and CVE-2023-36846, have CVSS scores of 5.3, 9.8 and 5.3 respectively. The missing authentication flaws, CVE-2023-36847 and CVE-2023-36851, have CVSS scores of 5.3. All five have a due date of November 17th in the KEV catalog. Beyond expeditiously updating to the latest Junos release, restrict access to or disable your J-Web interface immediately. Adversaries are going to be scanning for the J-Web interface, patched or otherwise, to see what they can do.

Lee Neely
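
The inventory and SBOM comments above and this KEV item share one practical step: cross-checking what you actually run against the catalog and its due dates. The following Python script is an added example, not code from SANS, CISA or Juniper. It assumes only the field names of the public KEV JSON feed (a "vulnerabilities" list whose entries carry cveID, vendorProject, product and dueDate); the feed excerpt, the inventory records and the asset names are constructed for the example. The five Juniper CVE IDs and the November 17 due date are the ones cited above. Beyond the due-date report, it also flags inventory entries whose vendor appears in the catalog but whose product string matches nothing, which is how sloppy inventory naming silently hides a match.

```python
"""Cross-check a device inventory against a CISA KEV feed excerpt.

Added example, not code from SANS, CISA or Juniper. It relies only on the
public KEV feed's field names; the excerpt and inventory are constructed.
"""
import json
import re

# Constructed excerpt in the layout of the KEV JSON feed (real CVE IDs and
# due date from the newsletter item; no other catalog text reproduced).
KEV_FEED_JSON = """
{
  "title": "Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2023-36844", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2023-11-13", "dueDate": "2023-11-17"},
    {"cveID": "CVE-2023-36845", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2023-11-13", "dueDate": "2023-11-17"},
    {"cveID": "CVE-2023-36846", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2023-11-13", "dueDate": "2023-11-17"},
    {"cveID": "CVE-2023-36847", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2023-11-13", "dueDate": "2023-11-17"},
    {"cveID": "CVE-2023-36851", "vendorProject": "Juniper", "product": "Junos OS",
     "dateAdded": "2023-11-13", "dueDate": "2023-11-17"}
  ]
}
"""

# Constructed inventory records (asset names are hypothetical).
INVENTORY = [
    {"asset": "core-srx-01", "vendor": "Juniper", "product": "Junos OS"},
    {"asset": "branch-ex-02", "vendor": "juniper", "product": "JUNOS-OS"},   # same after normalizing
    {"asset": "branch-srx-03", "vendor": "Juniper", "product": "Junos"},     # naming gap: no match
    {"asset": "edge-fw-01", "vendor": "Zyxel", "product": "USG FLEX"},       # vendor not in excerpt
]


def normalize(name: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Junos OS' == 'JUNOS-OS'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def load_kev(feed_text: str) -> list:
    """Return the catalog entries from KEV-shaped JSON text."""
    return json.loads(feed_text)["vulnerabilities"]


def _days_between(later_iso: str, earlier_iso: str) -> int:
    from datetime import date  # local import keeps the public API string-based
    return (date.fromisoformat(later_iso) - date.fromisoformat(earlier_iso)).days


def kev_findings(inventory: list, kev_entries: list, today_iso: str) -> list:
    """One finding per (asset, catalog entry) whose vendor and product match.

    days_remaining is relative to today_iso (ISO date); negative means overdue.
    """
    findings = []
    for asset in inventory:
        v, p = normalize(asset["vendor"]), normalize(asset["product"])
        for entry in kev_entries:
            if v == normalize(entry["vendorProject"]) and p == normalize(entry["product"]):
                days_left = _days_between(entry["dueDate"], today_iso)
                findings.append({
                    "asset": asset["asset"],
                    "cve_id": entry["cveID"],
                    "due_date": entry["dueDate"],
                    "days_remaining": days_left,
                    "overdue": days_left < 0,
                })
    return sorted(findings, key=lambda f: (f["due_date"], f["asset"], f["cve_id"]))


def naming_gaps(inventory: list, kev_entries: list) -> list:
    """Assets whose vendor is in the catalog but whose product string matches
    no catalog product: a likely inventory naming mismatch hiding findings."""
    vendors = {normalize(e["vendorProject"]) for e in kev_entries}
    pairs = {(normalize(e["vendorProject"]), normalize(e["product"])) for e in kev_entries}
    gaps = []
    for asset in inventory:
        v, p = normalize(asset["vendor"]), normalize(asset["product"])
        if v in vendors and (v, p) not in pairs:
            gaps.append(asset["asset"])
    return gaps


if __name__ == "__main__":
    entries = load_kev(KEV_FEED_JSON)
    for f in kev_findings(INVENTORY, entries, "2023-11-14"):  # the issue date
        state = "OVERDUE" if f["overdue"] else f"{f['days_remaining']} day(s) left"
        print(f"{f['asset']:14} {f['cve_id']}  due {f['due_date']}  {state}")
    for name in naming_gaps(INVENTORY, entries):
        print(f"{name:14} vendor is in KEV but product name matched nothing; check inventory naming")
```

Run against the real feed, replace KEV_FEED_JSON with the downloaded catalog and INVENTORY with your asset export; the matching deliberately stays exact after normalization, so a product recorded under a name the catalog does not use shows up in the naming-gap list instead of silently producing no findings.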

2023-11-10

McLaren Health Care Sends Breach Notification Letters

McLaren Health Care, a Michigan-based health care delivery system, has sent breach notification letters to about 2.2 million people. McLaren says the incident was detected on August 22, and that the intruders had access to its network between July 28 and August 23. The breach resulted in the theft of personal data, including but not limited to Social Security numbers, health insurance and medical information, diagnoses, medical record numbers, billing or claims information, Medicare/Medicaid information, and prescription/medication and treatment details.

Editor's Note

The ALPHV/BlackCat ransomware gang is taking credit for the breach and threatening to auction off the data if not paid. Given that McLaren engaged help back in August, it's safe to assume they already have decided how to respond to this threat, and are currently holding their cards close. If you're a member or employee, rather than worrying about what specific data was or was not breached, or if it's going to be auctioned, make sure you're set with credit monitoring and identity restoration services.

Lee Neely

The compromise of health insurance numbers and social security numbers will likely result in healthcare fraud. The lesson for the rest of us is that the most important role of social security numbers is to break collisions among other identifiers (e.g., name and address). This can be done with the last four or five digits of the number and does not require the risk associated with storing the whole number.

William Hugh Murray

2023-11-13

Ohio City Notifies Residents of Ransomware Attack

The government of the City of Huber Heights, Ohio, is recovering from a ransomware attack. The city notified residents of the situation on the morning of Sunday, November 12, noting that “while public safety services are not impacted the following city divisions are affected: Zoning, Engineering, Tax, Finance, Utilities, Human Resources, and Economic Development.”

Editor's Note

Notice that the city is committing to updates at 2PM daily to keep residents informed, and has already shared that the disruption is expected to last a week, what actions are underway, which services are online/unaffected, and who to contact. Those actions should help reduce the interrupt level to allow those responding to the incident to execute rather than having to (repeatedly) stop and explain things.

Lee Neely

2023-11-13

China’s ICBC Bank Hit with Ransomware

A ransomware attack that targeted The Industrial & Commercial Bank of China (ICBC) last week disrupted financial services at institutions around the world. The incident began on Wednesday, November 8. ICBC sent messengers with thumb drives to the US to clear transactions.

Editor's Note

ICBC is China's largest bank, and the largest commercial bank in the world based on revenue. As they cannot connect to DTCC/NSCC they are unable to clear transactions, which is having impacts on US Treasury trades, which is why they are sending messengers to manually do so. Additionally, some other actions are being taken to prevent other types of transactions, which cannot be cleared, from being initiated while the bank recovers. The attackers appear to have leveraged Citrix Bleed to own the bank's unpatched Citrix server. To abuse an old story - but for a patch, the battle was lost. Beyond keeping things patched and secured, be aware of the downstream impacts of isolating systems which conduct external transactions; incorporate the actions business partners may take to protect themselves from your outage, and how to recover from those steps.

Lee Neely

Undoubtedly, this event will increase the clarion call for a prohibition on ransomware payouts as it impacted global financial services. Just for the record, I don’t support paying ransomware gangs. That said, it’s usually a bit more complicated for ransomware victims. They often have to weigh the impact to their business operations, their ability to quickly recover from the attack, and the requirements of their cyber insurance provider in deciding whether to pay or not.

Curtis Dukes

Internet Storm Center Tech Corner

Noticing Command and Control Channels by Reviewing DNS Protocols

https://isc.sans.edu/diary/Noticing+command+and+control+channels+by+reviewing+DNS+protocols/30396

Routers Targeted for Gafgyt Botnet

https://isc.sans.edu/diary/Routers+Targeted+for+Gafgyt+Botnet+Guest+Diary/30390

Passive SSH Key Compromise via Lattices

https://eprint.iacr.org/2023/1711.pdf

Juniper Vulnerabilities Exploited

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

ScreenConnect used to Attack Healthcare

https://www.huntress.com/blog/third-party-pharmaceutical-vendor-linked-to-pharmacy-and-health-clinic-cyberattack

Fake Skills Assessment Portals Associated with Sapphire Sleet

https://twitter.com/MsftSecIntel/status/1722316019920728437

OpenVPN Access Server Vulnerabilities

https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/