SANS NewsBites

Cyberattacks Target Two Chicago Hospitals; Synergia: Interpol Operation Takes on Cybercrime; AnyDesk Forces Password Resets After Data Leak

February 6, 2024  |  Volume XXVI - Issue #10

Top of the News


2024-02-06

ISACs

The water and wastewater sector has made several recent appearances in NewsBites; we want to make sure you know that there is indeed a Water Information Sharing and Analysis Center (ISAC): https://www.waterisac.org/

ISACs provide two-way information sharing of sector-specific threat intelligence. We encourage you to find an ISAC that meets your needs at the National Council of ISACs: https://www.nationalisacs.org/member-isacs-3


2024-02-05

Cyberattacks Target Two Chicago-Area Hospitals

Chicago’s Lurie Children’s Hospital has proactively taken its systems offline following a cybersecurity incident. The outage affects phone and email services as well as electronic health records (EHR). Lurie disclosed the incident on February 1. Another Chicago-area hospital, Saint Anthony, recently disclosed a cybersecurity incident in which patient data were accessed. That incident occurred in December.

Editor's Note

Lurie Children’s doesn’t currently have an ETA for service restoration. They have implemented contingency plans to provide maximum service to patients, having set up a call center to handle questions and arrange services. Getting a call center online quickly to handle customers should be a priority activity in your BC/DR process; make sure you've got that process nailed down, and don't assume any existing phone service will be operating. Keep in mind that despite guidelines from ransomware operators to not target hospitals, ransomware gangs are ignoring those and targeting healthcare organizations, the takeaway being to not depend on usage restrictions from attack service providers to stop the gangs from attacking anyway.

Lee Neely

With the decade-old shift to electronic health records and interconnected systems, hospital administrators now must prioritize cybersecurity. If not, they will continue to be targeted by cybercriminals and, separately, held accountable for the data loss. In upcoming budgets, HHS likely will offer financial assistance to smaller hospitals that implement cybersecurity performance goals.

Curtis Dukes

High-risk, public-network-facing applications like phone and email should be isolated from mission-critical systems like healthcare records.

William Hugh Murray

2024-02-02

Synergia: Interpol Operation Takes on Cybercrime

A global Interpol operation last fall “was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.” The operation involved law enforcement agencies from more than 50 countries. More than 1,300 suspicious IP addresses were identified; more than 70 percent of those have been taken down. Thirty-one people have been arrested and 70 additional suspects have been identified.

Editor's Note

The operation ran from September through November, which is pretty quick for this broad of a takedown and shows what can be done with broad cooperation. The international cooperation included 60 law enforcement agencies as well as Interpol's gateway partner private sector groups such as Kaspersky, TrendMicro, Shadowserver, Team Cymru and Singapore-based Group-IB. The 30% of servers that weren't taken offline are still under active investigation for their involvement in cybercrime operations. The dismantled infrastructure was used for phishing, banking malware and ransomware attacks.

Lee Neely

Well done to all involved in this operation. Cyber criminals need to realise that the days of operating at low risk on the Internet are no longer around. As this operation demonstrates, law enforcement agencies are becoming more and more proficient at detecting, disrupting, and detaining criminals.

Brian Honan

It will always be a ‘cat-n-mouse’ game between law enforcement and cybercriminals. Expect cybercriminals to modify their TTPs because of the joint law enforcement action. Thankfully, law enforcement is being supported by members of the tech sector to better the odds of success.

Curtis Dukes

Cyber criminals continue to believe that cybercrime has a low risk of investigation, identification, and punishment. It may take many efforts like this over time to change this belief.

William Hugh Murray

2024-02-05

AnyDesk Forces Password Resets After Data Leak

AnyDesk forced a password reset for all users of its remote access solution after learning that user credentials were leaked. In a public statement, AnyDesk writes, “We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

Editor's Note

AnyDesk could have provided some additional details in their notification, for example a list of the compromised certificates. Attackers may use these certificates later to sign malware. AnyDesk has also failed to provide additional details about which weaknesses the attacker exploited. This is always useful for others to learn. Maybe they will follow up with a better postmortem after their investigation concludes.

Johannes Ullrich

If your cybersecurity program is mature, it may be time to include lost certificates in your threat model. Include signed, malicious code in your offensive operations engagements.

Christopher Elgee

AnyDesk released their statement about this breach on Friday night (European time)/Friday afternoon US time. Communicating to your clients that you have suffered a security breach on a Friday afternoon/evening does not align with the phrase "The integrity and trust in our products is of paramount importance to us and we are taking this situation very seriously." I often say, "you won't be judged for being the victim of a cyber attack, but you will be judged on how you respond to it."

Brian Honan

AnyDesk is a popular target for threat actors as it provides remote control, VPN and file transfer capabilities, often leveraged in the fake Microsoft Support scam which offers to "clean" malware or other bugs off your system, even if you're on macOS. All users of my.anydesk.com need to change their passwords. Both the AnyDesk client and the portal support 2FA via TOTP; while you're rotating your portal password, make sure that you've enabled and configured 2FA. Then see if you can also enable it for your AnyDesk clients.

Lee Neely

The optimum time to reset a password is not after a breach but automatically after its first use. We call this a one-time password, OTP. It is a component of many systems of strong authentication. Strong authentication is an essential and efficient security mechanism. Many such systems, e.g., Passkeys, are more convenient than passwords and do not rely upon the user to change them.

William Hugh Murray

The Rest of the Week's News


2024-02-02

Cloudflare Provides More Info on November Breach

In a recent blog post, Cloudflare provides details about the November 2023 cybersecurity incident affecting its Atlassian server. The post is based on information from CrowdStrike’s Forensic team, which Cloudflare brought in to investigate the incident. A threat actor, believed to be state-sponsored, used credentials stolen in the October Okta breach to access Cloudflare’s Atlassian Confluence internal wiki and its Atlassian Jira bug database.

Editor's Note

If you're wondering how to approach a similar situation in your shop, the blog post lays out all the things you should consider: identifying the root cause (failure to rotate a compromised credential), understanding the possible access with those credentials as well as any accounts created, containment, eradication, and post-event hardening and improvement. Consider your network architecture and how resistant it is to lateral movement. Consider how to reduce trust based on network location, ensuring that systems validate that both the user and the system are appropriate for the requested connection.

Lee Neely

2024-02-05

Mitsubishi Electric Factory Automation Vulnerabilities

Mitsubishi Electric has published an advisory detailing two vulnerabilities in several of its Factory Automation (FA) products: a high-severity missing authentication for critical function vulnerability (CVE-2023-6942) and a critical-severity unsafe reflection vulnerability (CVE-2023-6943). Patches for the flaws are not yet available.

Editor's Note

CVE-2023-6941 has a CVSS score of 7.5; CVE-2023-6943 has a CVSS score of 9.8. While there are no patches, the Mitsubishi bulletin provides guidance on affected products and mitigations. In short, make sure these systems are properly isolated, don't expose them to the Internet, and make sure the system you're using to access them is itself secure (patched, EDR, etc.). Exploiting the flaw would allow the attacker to reprogram your PLCs as well as install new utilities on your engineering workstations.

Lee Neely

2024-02-05

Rust Foundation Receives $1M Grant From Google

Google has given the Rust Foundation a $1 million grant “to support efforts that will improve the ability of Rust code to interoperate with existing legacy C++ codebases.” Google Vice President of Engineering, Android Security & Privacy Dave Kleidermacher noted that “Based on historical vulnerability density statistics, Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem. This investment aims to expand the adoption of Rust across various components of the platform.”

Editor's Note

Rust has been making great inroads in the Android space as one of the strongest tools to address memory safety and security issues. This funding should help increase the interoperability with legacy C++ codebases, resulting in both easier and wider use in non-Android scenarios.

Lee Neely

2024-02-05

Pennsylvania Courts System Suffers Denial-of-Service Attack

The Pennsylvania Courts system says its website has been disrupted by a denial-of-service attack. The incident has affected the availability of PACFile (the online court document filing system), online docket sheets, PAePay, and the Guardianship Tracking system. Pennsylvania Courts remain open and accessible to the public.

Editor's Note

Current claims are that this is a DoS attack, and they are busy restoring services and performing forensics on the environment. If the DoS attack is a smoke screen, this approach will reveal any additional attacks. As the capabilities to launch very disruptive DDoS attacks seem to be perpetually increasing, you may want to set up a regular check/update from your service providers on their protections/capabilities to make sure they are adapting to the evolving threat environment. Also, check in with any services which didn't offer DDoS protections previously to see if that has changed. Don't forget to check your third-party and outsourced service providers.

Lee Neely

DDoS attacks are mostly a nuisance for organizations and not sustainable. What is concerning is the increase in attacks over the past year. It indicates that large numbers of devices aren’t practicing basic cyber hygiene and have been herded into botnets. Is it time to consider a cyber health check before allowing access to the Internet?

Curtis Dukes

Keep in mind that DoS attacks are used to distract from other more subtle attacks.

William Hugh Murray

2024-02-02

US Sanctions Iranian Officials Over Critical Infrastructure Cyberattacks

The US Treasury Department has sanctioned six Iranian government officials over their part in a cyberattack targeting critical infrastructure in the US and other countries. The individuals breached water utilities in the US through Unitronics programmable logic controllers (PLCs). Affected organizations include a water utility in Aliquippa, Pennsylvania.

Editor's Note

The sanctions mean that all property and interests in property of these Iranian officials in the U.S., or that are in the control of U.S. persons, are blocked and must be reported to the Office of Foreign Assets Control (OFAC). Additionally, any entities with over 50 percent ownership by these officials are also blocked. In essence, all transactions within the U.S. with these assets or entities are prohibited. While this may make things difficult for the Iranian officials, the impact on the threat actors isn't clear; as such, you still need to take steps to protect your critical infrastructure. Leverage the Water ISAC for threat intelligence as well as guidance on expertise you can leverage. Consider hiring a friendly assessor, rather than reacting to issues revealed by those threat actors.

Lee Neely

While important to demonstrate American resolve, it is highly unlikely that any of the individuals will be visiting the US or extradition-friendly countries any time soon. What is more important is that vendors, where possible, apply ‘secure by design’ principles in future releases of their products.

Curtis Dukes

2024-02-02

40-Year Sentence for Leaking CIA Secrets

Joshua Adam Schulte has been sentenced to 40 years in prison for espionage, computer hacking, making false statements to the FBI, and other offenses. Schulte leaked classified CIA information to WikiLeaks in 2016. Schulte was employed as a software developer at the CIA’s Center for Cyber Intelligence.

Editor's Note

There really are consequences for unauthorized disclosure of classified information; it's nice to have a current example to reinforce this point. Schulte was able to perform his actions by obtaining admin privileges, as well as granting himself added access. While the role-granting should trigger an alert, this is where regular account and access control reviews are important in case those alerts are missed. Also verify you have active/rapid processes to restrict access when an account holder is sanctioned or otherwise in a questionable state.

Lee Neely
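As an added example, not part of the newsletter or of any editor's note, here is a small Python check for the two controls the note above calls for: alerting when an account grants a role to itself, and producing a privileged-role listing for the periodic access review that catches anything alerting missed. The audit events, field names and role names are constructed for illustration and do not reflect any real product's log schema.

```python
import json
from collections import defaultdict

# Constructed sample audit events (JSON lines); field names and role names
# are assumptions for this example, not any product's real log schema.
SAMPLE_AUDIT_LOG = """
{"ts":"2024-02-01T09:12:00Z","actor":"jdoe","action":"role_grant","target":"asmith","role":"developer"}
{"ts":"2024-02-01T09:15:00Z","actor":"jdoe","action":"role_grant","target":"jdoe","role":"domain_admin"}
{"ts":"2024-02-01T10:02:00Z","actor":"svc-iam","action":"role_grant","target":"bking","role":"backup_operator"}
{"ts":"2024-02-02T11:40:00Z","actor":"bking","action":"role_grant","target":"bking","role":"auditor"}
{"ts":"2024-02-02T12:00:00Z","actor":"jdoe","action":"login","target":"jdoe","role":null}
"""

# Roles whose holders belong in every periodic access review (assumed names).
PRIVILEGED_ROLES = {"domain_admin", "backup_operator", "global_admin"}


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def self_grant_alerts(events):
    """Flag role grants where the granting account is also the recipient.

    A self-grant of a privileged role is 'high'; any other self-grant is
    'medium', since it still bypasses a second person's approval.
    """
    alerts = []
    for e in events:
        if e["action"] == "role_grant" and e["actor"] == e["target"]:
            severity = "high" if e["role"] in PRIVILEGED_ROLES else "medium"
            alerts.append({"ts": e["ts"], "user": e["actor"],
                           "role": e["role"], "severity": severity})
    return alerts


def access_review(events):
    """Privileged roles per account, with who granted each one.

    This is the listing a periodic access review walks through, so that a
    self-grant missed by alerting is still caught on the next review.
    """
    holders = defaultdict(dict)
    for e in events:
        if e["action"] == "role_grant" and e["role"] in PRIVILEGED_ROLES:
            holders[e["target"]][e["role"]] = e["actor"]
    return dict(holders)
```

Run `self_grant_alerts(parse_events(SAMPLE_AUDIT_LOG))` to see the two self-grants flagged; the review listing shows that one of the privileged roles was granted by its own holder.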

Internet Storm Center Tech Corner

Public Information and Email Spam

https://isc.sans.edu/diary/Public+Information+and+Email+Spam/30620/

DShield Sensor Log Collection with Elasticsearch

https://isc.sans.edu/diary/DShield+Sensor+Log+Collection+with+Elasticsearch/30616

AnyDesk Breach

https://anydesk.com/en/public-statement

https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-213655-1032.pdf

Ivanti POC For CVE-2024-21893

https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis

Deepfake Exploits

https://www.scmp.com/news/hong-kong/law-and-crime/article/3250851/everyone-looked-real-multinational-firms-hong-kong-office-loses-hk200-million-after-scammers-stage

https://www.404media.co/inside-the-underground-site-where-ai-neural-networks-churns-out-fake-ids-onlyfake/

Leaky Vessels

https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/