SANS NewsBites

Healthcare Compromise Still Affecting Pharmacy Billing, LockBit Won’t Stay Down, SolarWinds Cyberthreat Actors Using New TTPs

February 27, 2024  |  Volume XXVI - Issue #16

Top of the News

2024-02-26

Change Healthcare/Optum Compromise Still Affecting Pharmacy Billing

Last week, Change Healthcare, part of Optum, detected a compromise in its network. In response, it disabled a number of services. The most prominent effect has been the continuing unavailability of some billing services for pharmacies. Early reports indicate that the incident may have been enabled by last week's ConnectWise ScreenConnect vulnerability, which allowed the ALPHV/BlackCat ransomware group to access internal systems.

Editor's Note

The ScreenConnect vulnerabilities, CVE-2024-1709 (authentication bypass, CVSS score 10) and CVE-2024-1708 (path-traversal flaw, CVSS score 8.4), can be mitigated by updating to version 23.9.8. Monitor the ScreenConnect App_Extensions folder for suspicious .aspx and .ashx files. Note CVE-2024-1709 has been added to the CISA KEV catalog with a due date of 2/29. ConnectWise has also revoked licenses for unpatched servers, which may help reduce the attack vector. In the meantime, Change Healthcare is still working to restore services; they have published a dashboard providing incredible transparency on the status of all their application components, which should help IT staff working to bring services back online. They also provide a mechanism for filing a support ticket for issues with services not identified.

Lee Neely
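One way to operationalize the App_Extensions check in the note above, as an added example that is neither the newsletter's nor ConnectWise's code: it lists every .aspx/.ashx file under the folder whose hash is not on an allow-list of verified files, newest first, so an analyst sees recent drops before anything else. The install path is an assumption, and the tree that demo() builds is a constructed fixture.

```python
"""Triage .aspx/.ashx files under a ScreenConnect App_Extensions folder (added example)."""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Assumed default install location on a Windows ScreenConnect server; adjust to yours.
DEFAULT_APP_EXTENSIONS = Path(r"C:\Program Files (x86)\ScreenConnect\App_Extensions")
TARGET_SUFFIXES = {".aspx", ".ashx"}

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_app_extensions(root: Path, known_good: set[str] = frozenset()) -> list[dict]:
    """Every .aspx/.ashx under root whose SHA-256 is not in known_good, newest first.
    Build known_good from files you have verified, e.g. a clean install of the same version."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_SUFFIXES:
            continue
        digest = sha256_of(path)
        if digest in known_good:
            continue  # verified vendor file, not worth an analyst's time
        st = path.stat()
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": digest,
            "size": st.st_size,
            "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(timespec="seconds"),
        })
    findings.sort(key=lambda f: f["modified"], reverse=True)  # newest drops first
    return findings

def demo() -> list[dict]:
    """Constructed fixture: one allow-listed handler, two unknown files, one non-target file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vetted = root / "ExampleExtension" / "Handler.ashx"          # hypothetical vendor-shipped file
        dropped = root / "x.aspx"                                     # unknown file at the folder root
        nested = root / "ExampleExtension" / "img" / "unknown.ashx"  # unknown file tucked in a subfolder
        samples = {vetted: b"<%@ WebHandler %>", dropped: b"<%@ Page %>",
                   nested: b"<%@ WebHandler Language='C#' %>"}
        for p, body in samples.items():
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        (root / "ExampleExtension" / "Manifest.xml").write_bytes(b"<manifest/>")  # ignored: not a target suffix
        now = time.time()
        os.utime(vetted, (now - 30 * 86400,) * 2)   # installed a month ago
        os.utime(nested, (now - 3600,) * 2)         # appeared an hour ago
        os.utime(dropped, (now,) * 2)               # appeared just now
        return scan_app_extensions(root, known_good={sha256_of(vetted)})
```

On a real server, call scan_app_extensions(DEFAULT_APP_EXTENSIONS, known_good) with hashes taken from a clean install of the same version; demo() only exercises the constructed fixture.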

2024-02-26

LockBit Won’t Stay Down

Although law enforcement agents took control of the LockBit ransomware gang’s infrastructure last week, LockBit has resurfaced, launching a new leak site and spreading malware. The group says that while it lost control of servers running PHP, those not running PHP remained under its control.

Editor's Note

Taking down distributed criminal enterprises tends to be notoriously hard. The distributed nature, and the ability for others to quickly re-implement the tools and techniques used by a particular group will often result in limited impact of takedown actions. However, the bust of LockBit was still a welcome relief for many past victims who are now able to decrypt some of the files affected by LockBit.

Johannes Ullrich

After a couple of days, LockBit is firing back at the taunts from the FBI; watch from a distance, don't engage. LockBit says they still have customer data and are posturing about releasing/extorting the data. While that may or may not happen, don't lose sight of the protections you're implementing for ransomware, and know that LockBit decryption keys are available. Expect LockBit look-alike or derivative attacks.

Lee Neely

This will continue to be a cat-and-mouse game between law enforcement and cybercriminals until either: 1) the bad guys are all locked up; or 2) it is no longer monetarily advantageous to the criminals. Increased focus should be on crypto-currency transactions and removing them as a way for cybercriminals to hide.

Curtis Dukes

Taking down criminals' online infrastructure can appear to be like a game of whack-a-mole: as soon as one site is taken down another re-appears. The important takeaway from these takedowns is not that the infrastructure is back up and running but that law enforcement have seized and are analysing data that results in other intelligence-led takedowns and arrests. These takedowns also disrupt the activities of these gangs, seize valuable assets such as crypto-wallets, and send a message to them that they are not untouchable. As a community, let's keep our eyes on the goal of putting those criminals behind bars and not be distracted by their recovery operations.

Brian Honan

2024-02-26

Cyberthreat Actors Behind SolarWinds Attack are Using New Tactics

An alert published jointly by intelligence and cyber agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) warns that the cyberthreat actors responsible for the SolarWinds attack are developing tactics to target assets held in cloud infrastructure. The alert includes updated tactics, techniques, and procedures the group is using.

Editor's Note

Two techniques warrant consideration. First, after a post-incident password change, SVR actors are going after unused accounts following the password reset instructions. Second, they are capturing Cloud Authorization tokens. In the first case, make sure that idle accounts are not just disabled but deleted after a defined period. In the second, common techniques here are password spraying, MFA bombing (or fatigue) or even circumventing device registration processes. Make sure you're using phishing-resistant MFA for cloud accounts, and train users on MFA attacks. Review cloud authentication token lifetime, dialing it back based on risk.

Lee Neely

SVR is no different than other threat actors; they are going after where the data are. Today, that is increasingly the cloud. The other interesting thing to note here, and I’ve mentioned in the past, and even in the cloud pen testing class, is the use of residential proxies and other “cheap” technologies to get around Conditional Access policies. Using location to bypass further interrogation, such as MFA, violates zero trust.

Moses Frost

The key line in the report is: “…Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target.” The use of credential harvesting for initial access has increased over the past year for both cloud and on-prem environments. The best defense continues to be use of multi-factor authentication and removal of dormant accounts.

Curtis Dukes

Not sure just how radically new these TTPs are. What the article implies is that the cyberthreat actors are focusing on the Cloud, and getting in via compromised accounts and access credentials. I forgot where I saw this quote but I loved it: “Cyber threat actors are no longer hacking into end points, they are simply logging into end points”. This is why I feel phishing-resistant MFA is becoming so important, to include the Cloud.

Lance Spitzner

The Rest of the Week's News

2024-02-23

Microsoft Expands Free Logging for FCEB Agencies

Last summer, state-sponsored threat actors obtained a private encryption key that allowed them to access email accounts at a number of organizations, including the US Departments of State and Commerce. The breaches came to light because of the logging services that were part of a high-tier license. Microsoft has begun providing expanded free logging services to all US Federal Civilian Executive Branch (FCEB) agencies regardless of the license they hold. Until now, the service was provided to Purview Audit level customers, and available to other levels at additional cost.

Editor's Note

It’s taken six months from initial commitment but is now a reality at least for US federal entities. Some of the delay can be chalked up to government inertia, some to Microsoft for increased storage requirements. The timing just happens to line up with the upcoming release of the CSRB report on Microsoft security lapses. Regardless, defenders need adequate logging services to defend their environment.

Curtis Dukes

Having increased logging for non-FCEB tenants would help, particularly small businesses who can't afford license levels which include the in-depth logging. Make sure you know what level (depth and timeframe) of logging you're getting from your cloud services and dig deep on forwarding those logs to a service where you can control the retention.

Lee Neely

It’s funny, shouldn’t logging just come with the service? We will see how this plays out, just like in the “firewall” market. Some firewalls come with built-in logging tools; others you bring your own.

Moses Frost

2024-02-23

AT&T Outage Was the Result of Problematic Update

AT&T says that last week’s network “outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyberattack.” The outage began on Friday morning, February 23, and was resolved later that afternoon.

Editor's Note

Infrastructure providers are uniquely enabled to shut down their own networks in creative ways never available to an outside adversary. Don't attribute to malice what can be explained by a simple misconfiguration.

Johannes Ullrich

The good news is it wasn't a cyberattack. The bad news is the configuration team had a really bad day. I have anecdotally been told it was an error of under 10 lines of code. AT&T customers are being provided with a $5 credit on their next bill to compensate for the outage. Among all the recovery and communication efforts, consider what you'd do with the responsible team were you in this position. Is this valuable experience which can be leveraged to prevent recurrence, or are they an example of a career-limiting move? Consider those scenarios where you'll "just use our cell phones": did you consider diversity in base carriers?

Lee Neely

Is AT&T Wireless critical infrastructure? If so, will this bring up hearings in Congress? I would imagine there is some concern when the fire departments tell people they need to find someone on the street with cell service for 911.

Moses Frost

The lesson for the rest of us is "if it ran today, do not do anything tonight that will keep it from running tomorrow." When making a major change, have a plan for returning to a running state.

William Hugh Murray

2024-02-23

Malawi Passport Services Suspended After Cyber Incident

The Malawian government has stopped issuing passports following what appears to be a ransomware attack on the country’s immigration service’s network. The attackers are demanding a ransom payment, but the country’s president says they have no intention of paying it. The immigration department has been given three weeks to resume processing passports.

Editor's Note

The Malawi passport system has had challenges since they changed providers in 2021 after citing irregularities. The country is silent on what data has been breached, and those in Malawi with expired or no passports are unable to get them and therefore unable to leave the country, and citizens are demanding resumption of services. This is a scenario to consider: evaluate transparency and communication as well as resiliency. Make sure that you've properly considered the business impact of your service and adjust accordingly.

Lee Neely

2024-02-26

White House Report Urges Devs to Get Rid of Memory Safety Vulnerabilities

A report from the White House Office of the National Cyber Director (ONCD) urges tech developers to adopt memory-safe programming languages, like Rust. The languages can help reduce the presence of buffer overflow, use-after-free, and use of uninitialized memory issues. The report also “explores hardware architecture and formal methods as complementary approaches to achieve similar outcomes.”

Editor's Note

The report is encouraging Americans to work together to adopt memory-safe programming languages supported by an improved software measurability (SQA) process. The trick is not only selecting these languages, like Rust, for a project but also migrating existing, working projects to them, as well as augmenting the development process to include the modernized measurement. The age-old challenge of cost and time to market may undo this plan without pervasive support in the organization and industry.

Lee Neely

Most of the major operating system vendors have already announced plans to move software development to the memory safe programming language Rust. Unfortunately, it takes time to code existing software products with a new programming language.

Curtis Dukes

This administration is taking on the software quality issue. This is just one measure.

William Hugh Murray

2024-02-26

ThyssenKrupp Discloses Breach

Steel producer ThyssenKrupp disclosed a breach of systems in its Automotive Body Solutions division, prompting the company to shut down other IT systems as a precaution. The incident occurred at a ThyssenKrupp factory in Saarland, Germany.

Editor's Note

Attackers continue to target ThyssenKrupp with goals of either disrupting production or industrial espionage. Previous attacks occurred in 2013, 2016, 2020 and 2022, by groups like the Mount Locker and NetWalker ransomware gangs. While no group has stepped up to take credit for this attack, and ThyssenKrupp reports they are in the process of gradually returning to normal operations, this is also an ideal opportunity to pursue means to prevent future attacks.

Lee Neely

2024-02-26

RCMP Investigating Cyberattack on its Network

The Royal Canadian Mounted Police (RCMP) is investigating a ”cyber event” that targeted its network. A spokesperson for the RCMP said the incident does not affect its operations, nor does it pose a threat to citizens.

Editor's Note

While comments are being made about the magnitude of the breach, and indications of infections tied to python package install scripts, the exact nature of the event is being held close at this time. RCMP has sufficient mitigations to allow operations to continue even with affected systems offline. I'm hoping I'd come off as unfazed and operational if I were in their shoes; how about you?

Lee Neely

2024-02-26

U-Haul Customer Data Compromised

U-Haul has disclosed a breach that compromised information belonging to about 67,000 customers in the US and Canada. U-Haul detected the breach in early December and began notifying affected individuals this week.

Editor's Note

Back in September 2022, U-Haul had another breach which took five months to detect; this breach was discovered on December 5th and the attackers were in the system from July 20th to October 2nd, 2023. Both attacks used compromised credentials. Affected accounts are required to change their passwords and additional security measures have been implemented. The data breached included names, dates of birth and driver's license numbers. The payment processing system was not affected. If you've got a U-Haul account, you may want to change the password proactively, particularly if you're not sure that it is a strong password unique to U-Haul. Affected users are being offered one year of Experian identity protection, monitoring and restoration. Here is a chance to dig into ways to improve detection and response time.

Lee Neely

This one is interesting. This attack group is opportunistic and not a targeted attack. How many criminals could use this data to determine who is moving and when to target them? I just now considered the threat model here.

Moses Frost

2024-02-26

Zyxel Fixes Multiple Vulnerabilities in Firewalls and Access Points

Zyxel has released patches for four vulnerabilities affecting multiple products. Three of the vulnerabilities – a null pointer dereference vulnerability (CVE-2023-6397), a post-authentication injection vulnerability (CVE-2023-6398), and a format string vulnerability (CVE-2023-6399) – affect multiple Zyxel firewalls. The fourth vulnerability – a format string vulnerability (CVE-2023-6764) – affects multiple Zyxel access points.

Editor's Note

There are no workarounds for these flaws. CVE-2023-6397, CVE-2023-6399 and CVE-2023-6764 only apply to their Firewall products while CVE-2023-6398 applies to both Firewalls and APs. Zyxel published a matrix of CVEs and affected products; generally, for their firewalls, apply ZLD V5.37 Patch 2. For APs, apply the model-appropriate version of 6.29 or 6.70. Note some devices have a hotfix which must be obtained directly from Zyxel.

Lee Neely

I can’t believe that I am saying this, but for ISPs and places outside the U.S., Zyxel has a very sizable market. That’s a scary thought.

Moses Frost

2024-02-26

Ultimate Member WordPress Plugin Vulnerability

A critical SQL injection vulnerability in the Ultimate Member WordPress plugin can be exploited to extract information from databases. The flaw lies in an insecure implementation of the users query functionality. The issue has been fixed in Ultimate Member v2.8.3. The vulnerability was discovered through Wordfence Intelligence’s Bug Bounty Program.

Editor's Note

The bounty on this bug was $2,063. The query didn't prevent SQL injection, which can be used to steal information from the database. The flaw only affects configurations which have enabled the custom table for usermeta option in this plugin. The fully patched version of Ultimate Member was released on February 19th; make sure that you've got the updated version. Wordfence firewall rules were released January 30th and again February 29th for the paid and free versions respectively.

Lee Neely

Bug bounty programs continue to pay huge dividends in finding vulnerabilities in software products. Now comes the hard part: getting users to download and install the necessary security patch before evildoers weaponize the vulnerability.

Curtis Dukes

2024-02-26

NIST Releases Final Version of Cybersecurity Framework 2.0

The US National Institute of Standards and Technology (NIST) has published the final version of its Cybersecurity Framework (CSF) 2.0. The new version of the document aims to provide guidance and resources for all organizations rather than focusing only on those in critical infrastructure. It also addresses governance and supply chain issues.

Editor's Note

One of the trends here, also seen with 800-171, is that CISA is making these frameworks apply to all sizes and types of businesses, not just federal agencies or big business. Too often the question, particularly for a SMB, is how to get started with security and while they may wish to hire help to implement, the framework and supporting documents are themselves free. Note that these are coordinated with organizations such as ISO/IEC to support crosswalk for both understanding and leveraging existing practices.

Lee Neely

The purpose of the Framework is to help (encourage) management to manage and reduce risk. The intent of this update is to make it more broadly applicable and effective.

William Hugh Murray

It’s been ten years; even an outstanding tool like CSF needs a refresh. With this update NIST is connecting governance and supply chain as important parts of one’s cybersecurity program. Well done, and here’s hoping for another good ten-year run!

Curtis Dukes

Internet Storm Center Tech Corner

Update MGLNDD * Scans

https://isc.sans.edu/diary/Update+MGLNDD+Scans/30686

Simple Anti-Sandbox Technique: Where's the Mouse

https://isc.sans.edu/diary/Simple+AntiSandbox+Technique+Wheres+The+Mouse/30684

Utilizing the VirusTotal API to Query Files Uploaded to the DShield Honeypot

https://isc.sans.edu/diary/Utilizing+the+VirusTotal+API+to+Query+Files+Uploaded+to+DShield+Honeypot+Guest+Diary/30688

New WiFi Authentication Vulnerabilities Discovered

https://www.top10vpn.com/research/wifi-vulnerabilities/

Subdomain Takeover Spam

https://labs.guard.io/subdomailing-thousands-of-hijacked-major-brand-subdomains-found-bombarding-users-with-millions-a5e5fb892935

Security Vulnerabilities in Apex Code Could Leak Salesforce Data

https://www.varonis.com/blog/apex-code-vulnerabilities

IBM Operation Decision Manager Exploit CVE-2024-22319 CVE-2024-22320

https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/

Linux Kernel TLS Vulnerability CVE-2024-26582

https://lore.kernel.org/linux-cve-announce/2024022139-spruce-prelude-c358@gregkh/