SANS NewsBites

Who Will Notify Change Healthcare Victims?; Fix Ivanti EPM Again; OpenSSF Threat Intel Sharing

May 24, 2024  |  Volume XXVI - Issue #41

Top of the News


2024-05-22

Who is Responsible for Change Healthcare Ransomware Notification?

More than 100 medical associations have asked the US Department of Health and Human Services (HHS) to clarify who is responsible for notifying affected individuals about the Change Healthcare ransomware attack. The letter asks that HHS require UnitedHealth Group to notify people whose information was compromised in the ransomware attack. The letter also asks that the HHS investigation focus on Change Healthcare, not the offices that were affected by the incident.

Editor's Note

Because what is really important after a breach is to find a way to abscond from your responsibility to customers. If you lost the data, you need to notify. The entity suffering the breach should also have the best information identifying what data was exactly lost.

Johannes Ullrich

On the face of it, the 100+ medical associations have the relationship with the affected individuals, not the out-sourced billing provider. That said, Change Healthcare should make those medical associations whole for all costs associated with this security incident. That includes the costs associated with victim notification and any credit monitoring services offered.

Curtis Dukes

In our interconnected world, this question is likely to arise again and again. We must await more experience to arrive at a general rule. That said, Change Healthcare continues to have other priorities for the moment. One hopes that this question does not distract them.

William Hugh Murray

2024-05-23

Ivanti Fixes Flaws in Endpoint Manager

Ivanti has released fixes to address 10 vulnerabilities in its Endpoint Manager. Six of the flaws are rated critical and four are rated high severity. All are SQL injection vulnerabilities. The critical flaws can be exploited without authentication; the other flaws require that the attacker be authenticated.
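For readers who want to see the class of flaw behind this advisory rather than just the count, here is an added illustration (example code written for this issue, not Ivanti's code; the table, column names and payloads are constructed). The same lookup is written twice: once with the input concatenated into the statement, once with a bound parameter. The concatenated version lets a single quote in the input change the query's structure, which is how an unauthenticated request can end up reading rows it was never meant to see.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix.
Generic example using an in-memory SQLite database; nothing here is Ivanti code.
"""
import sqlite3


def _db() -> sqlite3.Connection:
    # Constructed sample data standing in for an endpoint-management inventory table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE agents (id INTEGER, hostname TEXT, owner TEXT)")
    con.executemany(
        "INSERT INTO agents VALUES (?, ?, ?)",
        [(1, "ws-001", "alice"), (2, "ws-002", "bob"), (3, "srv-db1", "dba")],
    )
    con.commit()
    return con


def lookup_vulnerable(con: sqlite3.Connection, hostname: str) -> list:
    # VULNERABLE: untrusted input is spliced into the SQL text. A quote in
    # `hostname` terminates the literal and the rest becomes SQL.
    sql = f"SELECT id, hostname FROM agents WHERE hostname = '{hostname}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con: sqlite3.Connection, hostname: str) -> list:
    # HARDENED: the value is bound as a parameter, so it is only ever data.
    sql = "SELECT id, hostname FROM agents WHERE hostname = ?"
    return con.execute(sql, (hostname,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign value and two constructed payloads."""
    con = _db()
    benign = "ws-001"
    tautology = "' OR '1'='1"                                  # returns every row
    union = "' UNION SELECT id, owner FROM agents --"          # pulls another column
    return {
        "vuln_benign": lookup_vulnerable(con, benign),
        "vuln_tautology": lookup_vulnerable(con, tautology),
        "vuln_union": lookup_vulnerable(con, union),
        "hard_benign": lookup_hardened(con, benign),
        "hard_tautology": lookup_hardened(con, tautology),
        "hard_union": lookup_hardened(con, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

The hardened lookup returns nothing for either payload because no host is literally named `' OR '1'='1`; the vulnerable one returns the whole table for the first payload and the `owner` column for the second. Parameterization fixes the query; it does not remove the need for authentication on the endpoint, which is the other half of what made the critical Ivanti flaws critical.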

Editor's Note

Yes, this is a different flaw than the one disclosed and exploited last week. I am afraid these devices will need a flamethrower patch to properly secure them at least until July.

Johannes Ullrich

At this point, Ivanti has released a hotfix for 2022SU5 which replaces four DLLs. You need to unblock the installed DLLs, back them up, replace them with the new ones, then reboot your server. Alternately you can close the EPM console and run IISRESET if you can't reboot. Either step is critical to ensuring the new DLLs are loaded.

Lee Neely

2024-05-20

OpenSSF Announces Threat Intelligence Sharing Initiative

The Open Source Security Foundation (OpenSSF) has introduced OpenSSF Siren, an open source threat intelligence sharing mailing list. OpenSSF Siren offers a place to share tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IoCs) related to recent attacks. The mailing list, hosted by OpenSSF, will be publicly available; registration will be required to post to the list.

Editor's Note

The best threat intelligence comes from peers in your areas of interest, not from commercial threat intel sources. I hope this list will succeed.

Johannes Ullrich

The Rest of the Week's News


2024-05-21

Zoom Adds Post-Quantum Encryption to Meetings

Zoom says it has deployed post-quantum end-to-end encryption (E2EE) for Zoom Meetings. The feature will be rolled out to Zoom Phone and Zoom Rooms soon. Zoom Meetings and Zoom Phone have had E2EE available since 2020 and 2022, respectively; the addition of post-quantum encryption will help protect customers from harvest now, decrypt later attacks, in which recorded ciphertext is stored until a quantum computer can break the key exchange that protected it.

Editor's Note

Expect vendors to pick up the pace in announcing PQE protocols in their tool suites. This follows announcements by both Signal and Apple earlier this year. Organizations should still determine the level of protection their data requires before implementing, as older equipment may not operate or have limited functionality with the increased key size.

Curtis Dukes

Zoom is adding Kyber 768 to their E2EE, where the encryption keys are only provided to participants, as is the case for standard E2EE, claiming their servers don't have these keys and therefore content is indecipherable. As with other PQC offerings, it's a good idea to test it out and keep an eye on it as it matures. Before you click, check the product and version support as well as limitations in their KB article "Using end-to-end encryption (E2EE) in Zoom meetings" (https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0065408).

Lee Neely

Good move. While holding a meeting, one should not have to worry about whether the content of the meeting might still be sensitive when quantum cryptanalysis becomes efficient.

William Hugh Murray

2024-05-22

Rockwell Automation Urges Customers to Disconnect ICS Devices from the Internet

Rockwell Automation has published an advisory urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity.

Editor's Note

Searching shodan.io for rockwell, siemens, schneider, etc. yields many thousands of operational technology (OT) devices. Connectivity options for OT should be, in order: none/true air gap, data diode, MFA-protected VPN/private network. Sadly, the people who really need to hear this almost certainly don't read NewsBites.

Christopher Elgee

This is practical advice and should be a part of your cybersecurity program. Don't give the adversary more attack surface than necessary to manage business operations. While you're at it, take the opportunity to ensure that any vendor supplied default passwords have been changed.

Curtis Dukes

It's not safe out there; make sure the only devices you're exposing directly to the Internet are those that are designed for it. Even so, you want to isolate your IOT/OT devices to restrict unwelcome advances, or leverage of unmitigated weaknesses. Remember to review how devices and sensors deployed "in the field" are accessed and protected. Review protections based on older threat models which may no longer be accurate.

Lee Neely

While Rockwell issued this advisory to and for its customers, it really applies to everyone. Not only do these devices increase the attack surface gratuitously but they are the components from which bot-nets are built. Take advantage of the guidance that Rockwell has developed for its customers.

William Hugh Murray

2024-05-23

ARPA-H to Hold Virtual Proposers Day for Hospital Cybersecurity Projects

The Advanced Research Projects Agency for Health (ARPA-H) has pledged $50 million to fund the development of technology to automate security for hospital IT systems. ARPA-H is holding a Virtual Proposers Day for the Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, program on June 20. Registration is open through June 18.

Editor's Note

Taking an approach of developing automated defenses in healthcare environments may be just what we need to turn the tide on security incidents in this sector. UPGRADE has four technical areas: first, creation of a vulnerability mitigation platform; second, creating high-fidelity digital twins of equipment in hospital environments; third and fourth are about developing methods to detect software vulnerabilities then develop defenses for each. Proposals are needed for all four areas, so if you've got ideas you may want to jump in.

Lee Neely

2024-05-23

GitHub Fixes Critical Enterprise Server Vulnerability

GitHub has updated its Enterprise Server (GHES) to address a critical authentication bypass vulnerability. The issue affects GHES instances that use SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, and is fixed in GHES versions 3.9.15, 3.10.12, 3.11.10 and 3.12.4.

Editor's Note

This addresses CVE-2024-4985, an authentication bypass vulnerability with a CVSS-B score of 10.0 and CWE-303 (Incorrect Implementation of Authentication Algorithm), which impacts all versions of GHES prior to 3.13.0. Even if you're not using SAML SSO, or SAML SSO without encrypted assertions today, you're going to update to the fixed version. Read the release notes; there are other improvements in 3.13 which also improve performance, logging and security such that you may want to target going all the way to that version.

Lee Neely

Many organizations have moved to SSO for user convenience and likely also use it to access GitHub resources. They also have likely implemented the optional encrypted assertions feature to protect communications with the SAML server. As this vulnerability is rated a 10 on the CVSS severity score, prioritize patching in hours not days or weeks.

Curtis Dukes

2024-05-23

Fix Available for GitLab Cross-Site Scripting Vulnerability

GitLab has fixed a high-severity cross-site scripting vulnerability in the VS code editor. The flaw could be exploited to steal information with maliciously crafted pages. The exploit requires user interaction. GitLab recommends that all installations be upgraded to versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). The updates address six additional, medium-severity flaws.

Editor's Note

XSS flaws are often underestimated. I think this particular vulnerability is a great example of how bad a relatively "simple" XSS flaw can become. XSS exploitability is often limited by the imagination and creativity of the attacker. Defenders tend to underestimate both.

Johannes Ullrich

CVE-2024-4835, a 1-click XSS account takeover flaw, has a CVSS 3 score of 8.0. The prior GitLab account takeover flaw, CVE-2023-7028, is under active attack, so you really need to make sure you've applied updates to mitigate these flaws being taken advantage of.

Lee Neely

2024-05-23

CentroMed Discloses Cybersecurity Incident

Texas-based El Centro Del Barrio, which does business as CentroMed, has disclosed that it suffered a cybersecurity incident earlier this year. They are notifying approximately 400,000 individuals that their personally identifiable information (PII) and protected health information (PHI) was compromised. The affected data include medical and health information and financial account information. The incident was discovered on May 1; CentroMed experienced another attack last year.

Editor's Note

As this is the second security incident CentroMed has experienced in the past year, an independent review of their cybersecurity program is warranted. Better to get ahead of this before multiple lawsuits are filed.

Curtis Dukes

This is their second incident in a year after falling victim to the Karakurt extortion group in June 2023. That incident impacted 350,000 individuals and claimed 42 GB of data, which wasn't leaked publicly. While security isn't perfect, none of us want to be in that "not again" conversation. Conduct a tabletop of how you would respond in a similar situation. Identify scenarios where improved cyber defenses could still fail and take steps to minimize that.

Lee Neely

2024-05-23

CISA Adds Apache Flink Vulnerability to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an improper access control vulnerability in Apache Flink to its Known Exploited Vulnerabilities (KEV) catalog. The flaw was introduced in Apache Flink 1.11.0; users should upgrade to Flink versions 1.11.3 or 1.12.0. The fixes have been available since January 2021. Federal Civilian Executive Branch (FCEB) agencies have until June 13 to mitigate the vulnerability or discontinue their use of Flink.

Editor's Note

CVE-2020-17519, which allows for an unauthenticated user to read any file on the local JobManager file system through its REST interface, was identified as under attack by Palo Alto's Unit 42 back in November 2020 and January 2021. At this point hunt down your copies of Apache Flink, if any, and update them post-haste.

Lee Neely
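If you are hunting for Flink instances, it is also worth looking back through web server or proxy logs for traversal attempts against the JobManager REST interface. Below is an added detection example written for this issue (not Flink project code; the access-log lines are constructed for the demo). The public write-ups of this bug describe requests to the `/jobmanager/logs/` endpoint carrying double URL-encoded traversal sequences (`..%252f`), so the check decodes the request path repeatedly before looking for `..` segments; a detector that decodes only once, or matches on the literal string `../`, misses the encoded form. The log format and the `/jobmanager/logs/` prefix are assumptions you should adjust to your own environment.

```python
"""Detect path-traversal attempts against the Flink JobManager REST interface
(the CVE-2020-17519 class) in combined-format access logs.
Example code for this newsletter, not Apache Flink code. Sample log lines below
are constructed; IPs are from RFC 5737 documentation ranges.
"""
import re
from urllib.parse import unquote

# Combined/common log format: client, ident, user, [time], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one double-encoded traversal that succeeded, one benign
# log fetch, one plain traversal that was refused, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2024:10:01:02 +0000] "GET /jobmanager/logs/..%252f..%252f..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1843
198.51.100.3 - - [23/May/2024:10:01:05 +0000] "GET /jobmanager/logs/flink-jobmanager.log HTTP/1.1" 200 52311
203.0.113.7 - - [23/May/2024:10:01:09 +0000] "GET /jobmanager/logs/../../../../etc/shadow HTTP/1.1" 404 0
192.0.2.9 - - [23/May/2024:10:02:00 +0000] "GET /taskmanagers HTTP/1.1" 200 412
"""


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """URL-decode until the string stops changing (bounded to avoid looping)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True if any path segment is '..' after full decoding (backslashes normalized)."""
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(log_text: str, prefix: str = "/jobmanager/logs/") -> list:
    """Return one finding per request under `prefix` whose path traverses upward."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognizable access-log line
        path = m.group("path")
        if not path.startswith(prefix) or not is_traversal(path):
            continue
        findings.append({
            "src": m.group("src"),
            "raw_path": path,
            "decoded_path": fully_decode(path),
            "status": int(m.group("status")),
            # A 200 on a traversal path means the server served the file.
            "likely_success": m.group("status") == "200",
        })
    return findings


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        flag = "SERVED" if f["likely_success"] else "refused"
        print(f"{f['src']:15} {f['status']} {flag:8} {f['decoded_path']}")
```

Run against the constructed sample this reports two attempts from the same source, one of which returned 200, and ignores the legitimate log fetch. Any hit with a 200 on an unpatched Flink build should be treated as a confirmed file read, not just an attempt.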

KEVs are urgent priority patches. The fix date that CISA dictates for Federal agencies should not be taken as license to delay.

William Hugh Murray

Internet Storm Center Tech Corner

Scanning without Scanning with nmap

https://isc.sans.edu/diary/Scanning+without+Scanning+with+NMAP+APIs+FTW/30944

NMAP Scanning Without Scanning - The ipinfo API

https://isc.sans.edu/diary/NMAP+Scanning+without+Scanning+Part+2+The+ipinfo+API/30948

Analysis of 'redtail' file uploads to ISC Honeypot

https://isc.sans.edu/diary/Analysis+of+redtail+File+Uploads+to+ICS+Honeypot+a+MultiArchitecture+Coin+Miner+Guest+Diary/30950

C-Root Server Lost Touch With Peers

https://arstechnica.com/security/2024/05/dns-glitch-that-threatened-internet-stability-fixed-cause-remains-unclear/

Veeam Vulnerability

https://www.veeam.com/kb4581

Why Your WiFi Router Doubles As An Apple Airtag

https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/

https://account.microsoft.com/privacy/location-services-opt-out

https://answers.microsoft.com/en-us/windows/forum/all/wifi-sense-my-ssid-includes-optout-why-do-windows/1453142a-755a-476f-aa48-56d05b89e33c

https://www.computerworld.com/article/1484722/here-s-how-to-opt-out-of-google-s-wi-fi-snooping.html

https://www.privacy.org.nz/publications/commissioner-inquiries/google-s-collection-of-wifi-information-during-street-view-filming/

Ivanti Vulnerabilities

https://forums.ivanti.com/s/article/Avalanche-6-4-3-602-additional-security-hardening-and-CVE-fixed?language=en_US

Justice AV Solutions Software Backdoor

https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/

iTerm2 Vulnerabilities

https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html

GitHub Enterprise Vulnerability CVE-2024-4985

https://nvd.nist.gov/vuln/detail/CVE-2024-4985

BitBucket Pipelines Leaking Secrets

https://cloud.google.com/blog/topics/threat-intelligence/bitbucket-pipeline-leaking-secrets

Microsoft Recall Privacy

https://www.microsoft.com/en-us/windows/copilot-plus-pcs?r=1#faq1