SANS NewsBites

Snowflake Customer Database Data Theft Due to Compromised Customer Credentials; Microsoft and Google to Help Rural US Hospitals with Cybersecurity; Type-O Blood Shortage Following Synnovis Cyber Incident

June 11, 2024  |  Volume XXVI - Issue #45

Top of the News


2024-06-11

Mandiant Reports on Snowflake Customer Data Theft Investigation

In a June 10 blog post, Mandiant writes that they have “identified a threat campaign targeting Snowflake customer database instances … using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.” Mandiant says that they and Snowflake have notified at least 165 customers that their data may have been compromised. Snowflake says they are developing a plan to require MFA and other “advanced security controls.”

Editor's Note

Apple yesterday released its plan for future AI integration into its products. As part of this announcement, Apple also released an article about how it will address the privacy challenges around off-device computing. I hope strong security and privacy assertions will become the norm going forward, but on the other hand I am well aware that these decisions are often not made by engineers and the lowest bidder/first to market will prevail. Snowflake got to its position right now not because it is the most secure provider of AI compute services. Allowing users to quickly set up accounts with weak passwords probably helped them gain market share.

Johannes Ullrich

With our ever-increasing reliance on third-party vendors and cloud service providers we need to be more aware that this introduces a different set of risks. Customers of these services need to ensure that the security features provided by third parties meet their security and compliance requirements, but they also need to ensure they utilise the security features and functions available from those third parties. As with all outsourcing arrangements, you can outsource the function and/or business process but you cannot outsource the responsibility.

Brian Honan

We deal with a lot of these conversations in the Cloud Penetration Testing course because it has become increasingly apparent that the “shared responsibility model” defines infrastructure incidents well but has no bearing on shared security responsibility. In this case, if you didn’t protect your customer’s data, it’s on you, but the service provider is mostly in the news.

Moses Frost

Don't be lulled into a false sense of security that Snowflake is the only environment where compromised, reusable credentials are being targeted. Verify that you're enabling and enforcing MFA for your outsourced and cloud services, regardless of the service provider's requirements. Then the harder task: requiring MFA for your services. The good news is that with the IdP you had to deploy for cloud authentication, you can leverage that on your services. Start with low-hanging fruit, then move to more challenging use cases.

Lee Neely
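
One way to find the accounts the note above is worried about, as an added example that is not part of the newsletter and not code from Snowflake or Mandiant: a small audit over a login-history export that flags users who logged in successfully with a password and no second factor. The column names are assumed to follow the shape of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, and the rows are constructed sample data.

```python
"""Audit a Snowflake-style login history export for password-only logins.

Assumptions (not from the newsletter): the export has the columns
USER_NAME, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR,
CLIENT_IP and IS_SUCCESS, in the shape of Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY view. The rows below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: ETL_SVC logs in with a password only, from two
# different IPs; ANALYST_1 logs in with password + Duo push; a failed attempt
# and a token-based login are included to show what is ignored.
SAMPLE_EXPORT = """\
EVENT_TIMESTAMP,USER_NAME,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,CLIENT_IP,IS_SUCCESS
2024-06-01 08:00:00,ANALYST_1,PASSWORD,DUO_PUSH,203.0.113.10,YES
2024-06-01 08:05:00,ETL_SVC,PASSWORD,,203.0.113.11,YES
2024-06-02 23:41:00,ETL_SVC,PASSWORD,,198.51.100.7,YES
2024-06-02 23:42:00,ETL_SVC,PASSWORD,,198.51.100.7,NO
2024-06-03 09:12:00,READONLY_USER,OAUTH_ACCESS_TOKEN,,203.0.113.12,YES
"""


def password_only_logins(export_text):
    """Return {user: sorted client IPs} for successful logins that used a
    password with no second factor. Failed attempts are skipped here; a
    spike in failures is worth its own alert (credential stuffing)."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["IS_SUCCESS"] != "YES":
            continue
        if row["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD":
            continue
        if row["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # a second factor was presented, nothing to flag
        hits[row["USER_NAME"]].add(row["CLIENT_IP"])
    return {user: sorted(ips) for user, ips in hits.items()}


def report(export_text):
    """Human-readable findings, one line per user without MFA."""
    lines = []
    for user, ips in sorted(password_only_logins(export_text).items()):
        lines.append(f"{user}: password-only logins from {len(ips)} IP(s): "
                     + ", ".join(ips))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run it against a real export from your own account; every user it lists is a candidate for MFA enforcement or, for service accounts, for key-pair or token authentication instead of a reusable password.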

After more than thirty years, strong authentication can hardly be described as "advanced." It is both essential and effective.

William Hugh Murray

2024-06-10

Microsoft and Google Pledge to Help Rural US Hospitals With Cybersecurity Services

Microsoft and Google have committed to provide free and low-cost cybersecurity services to roughly 2,100 rural US hospitals. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger announced the commitments on Monday, June 10. The announcement comes in the wake of a series of cyberattacks targeting healthcare organizations, including the Change Healthcare breach, which reportedly affected more than one of every three insurance claims in the country.

Editor's Note

Certainly Microsoft and Google are to be applauded for their efforts to help rural hospitals. But what happens when the grants conclude, when the free one-year subscription ends, when the free cybersecurity training ends? A basic lack of resources (human and fiscal) will still exist. Let’s use the year that Microsoft and Google are providing to figure out a sustainable long-term approach to protecting the cyber underserved.

Curtis Dukes

This is fantastic news and something that should be considered for almost any rural critical infrastructure. Cloud SaaS solutions like Microsoft and Google are lifesavers for small companies as they make business functionality simple. Now Microsoft and Google can do the same for security as security is built into their solutions. Rural infrastructure simply does not have the resources to both operate and be secure. We can regulate them to death, but that is not going to solve the problem. Solutions like this will help solve that problem.

Lance Spitzner

Arguably, this is good. I would like to see this implemented in a slightly different fashion. It feels like this move enables you to be locked into that vendor ecosystem. We need to have government backing to help these hospitals fix their systems. This will require a multi-year effort at all levels to fix the problem. The problem cannot be solved with just Windows Defender or just consulting. When your biomedical device is running Windows NT and is sitting next to the IoT Toaster, which is sitting next to the Windows desktops, and all these systems can fall over with just a port scan, Microsoft Windows Defender isn’t going to do much.

Moses Frost

This is huge! Microsoft is going to be offering non-profit pricing, including a year of their security suite, to existing customers while Google is going to be providing endpoint security advice at no cost, and a pool of funding to support software migration. Google is also launching a pilot program to develop a package of security capabilities which fit each hospital's needs. It would be nice to see similar offerings for doctors/dentists/labs/etc. which are often themselves small businesses without the resources to implement in-depth security programs, and suffer as keenly, if not more so, in a cyberattack.

Lee Neely

While on the surface this reads as a good news story, it also highlights the severe lack of funding that many governments around the globe, not just in the US, have given to securing critical services such as healthcare. The services people rely on for the quality of their lives and their security should not rely on charitable donations by private firms.

Brian Honan

2024-06-10

Cyberattack on Pathology Services Organization Leads to Shortage of Type O Blood in London

The UK’s National Health Service (NHS) is calling for donations of Type O blood following a cyberattack that disrupted systems at Synnovis, a company that provides pathology services for hospitals and other healthcare organizations in London. Because Synnovis cannot match blood as quickly as it could prior to the attack, doctors have been giving patients O-type blood, resulting in a shortage of both O-positive and O-negative blood.

Editor's Note

A prime example of criminals not caring about the harm their actions have on the lives of people. Their primary motivation is money. The sooner our legislators and governments understand the true nature of this threat, the sooner we will hopefully see some proper and realistic response to this ever-growing threat. It is not just systems that are being threatened anymore; it is people's lives.

Brian Honan

The toll of this ransomware attack continues. Unfortunately, it also highlights another single point of failure within the healthcare sector. Change Healthcare (part of UnitedHealth Group) is the example in the US, Synnovis the example in the UK. Government would be wise to launch a resilience study of critical infrastructure sectors with a particular focus on the unintended consequences of business consolidation (M&A).

Curtis Dukes

Type O negative blood is the universal blood type needed for emergency transfusions and can be donated to patients regardless of blood types, while O positive can be donated to anyone with positive blood type, about 3 out of 4 patients. With IT systems relating to typing and matching impacted, having a healthy store of both O negative and positive is a really good risk mitigation. Even if you're not in the healthcare industry, this is a call to consider where having a "generic" option for service impacts could help you weather that storm.

Lee Neely

The Rest of the Week's News


2024-06-07

Microsoft: Recall Will Now Be Opt-in

In a bow to outcry over security concerns, Microsoft now says that the Recall feature on Copilot+ Windows PCs will be opt-in. Recall takes screenshots every five seconds for local AI analysis. The idea is that it will make everything you’ve done on the machine searchable. This has some pretty dire privacy implications: seized computers in legal discovery, thieves, hackers. Microsoft also plans to add encryption for the stored data and require authentication to access the stored data.

Editor's Note

Recall seems to (inadvertently) cross the line between continuous differential backups and Orwellian oversight. The snapshots Recall takes will be encrypted using Windows Hello Enhanced Sign-in Security (ESS) so the user has to authenticate before those snapshots are decrypted and available, which also means this is only as good as the strength of user authentication. Note to self: take time implementing new features, particularly those relating to AI; while powerful, they are complex and have implications you need time to assess.

Lee Neely

This whole debacle by Microsoft on the way Recall has been rolled out and this subsequent rushed response to the security and privacy concerns flies in the face of the recent "Prioritizing security above all else" announcement by the Microsoft CEO Satya Nadella. This episode is a prime example of "just because you can do it, doesn't mean you should do it."

Brian Honan

2024-06-10

Cisco Talos Finds Vulnerabilities in AutomationDirect PLCs

Researchers at Cisco Talos have discovered 15 vulnerabilities in AutomationDirect programmable logic controllers (PLCs). The flaws in the AutomationDirect Productivity series PLCs are all rated critical or high severity. They can be exploited to achieve remote code execution or cause denial-of-service conditions. The US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about the vulnerabilities in late May. Updates are available to address the vulnerabilities.

Editor's Note

These vulnerabilities, which include out-of-bounds writes, stack- and heap-based buffer overflows, active debug code and insufficient input validation, have a collective CVSS 4 score of 9.3. Beyond the obvious verification that you don't have PLCs directly exposed to the Internet, make sure you update both the PLC firmware and the Productivity Suite to the newest versions. Also, verify network access is limited to only devices which are supposed to interact with them.

Lee Neely

PLCs are typically not Internet-facing. Any attack would require that the evildoer already have access on the target network to exploit any of the vulnerabilities. That said, given the large number of critical vulnerabilities, implement the vendor supplied security updates as soon as downtime is available.

Curtis Dukes

While many of these PLCs are not being used in sensitive applications, many that are have already been forgotten. We should require and expect both quality and stability.

William Hugh Murray

2024-06-10

Two Arrested for Allegedly Using a Homemade Mobile Cellphone Tower to Send Phishing Messages

Last month, police in the UK arrested two people for allegedly setting up a homemade cellphone tower and using it to bypass mobile phone networks’ systems to block suspicious messages. The homemade mobile antenna was reportedly used to send thousands of malicious SMS messages. The messages pretend to be communications from banks and other organizations.

Editor's Note

I am a bit surprised that the effort was worth it. How to set up a system like this is well-documented and not too difficult with modern software-defined radios. But there is still some cost and effort involved. As someone else suggested, maybe this was a proof of concept for a larger attack?

Johannes Ullrich

Imagine, if you would, the fake AP attack but with a cell tower. The attack leveraged weaknesses in the protocols which require the devices to authenticate to the cell network, but not validate that network. This allowed the hackers to bypass the cell network anti-smishing defenses. The UK has a service which allows users to forward SMS messages to 7726 for analysis. Other carriers are implementing junk SMS reporting. Investigate options provided by your carrier to identify junk SMS messages. Decide if you want a send-all or a send-suspect/on-demand model.

Lee Neely

2024-06-10

NYT Source Code Stolen

The New York Times (NYT) has confirmed that some of its internal source code and data were stolen and leaked on the Internet. The theft occurred in January 2024; the information was leaked on Thursday, June 6. NYT said the breach occurred after GitHub credentials were inadvertently exposed.

Editor's Note

Not to sound like a broken record, but a compromised reusable token was used to access the repositories and exfiltrate data. In this case 273GB of data was pilfered (5 thousand repos, 3.6 million files). In addition to source code (which included the Wordle game), IT documentation and infrastructure tools were taken. So yay for all the work to document and put that information online, but boo for having one credential to rule them all. As easy as it is to branch into a conversation about credential rotation, it's better to pull the MFA thread as well as talk about session timeout/expiration.

Lee Neely

GitHub made the following commitment: "Starting in March 2023 and through the end of 2023, GitHub will gradually begin to require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA)." The difficulty is that setting up strong authentication requires some user involvement. When the users are "customers," persuasion may be indicated.

William Hugh Murray

2024-06-07

LastPass Outage Due to Problematic Chrome Extension Update

The LastPass password manager experienced a 12-hour outage last week. LastPass attributes the problem to a bad update to its Chrome extension placing too much stress on their servers. For 12 hours starting just after noon ET on Thursday, June 6, users trying to access their password vaults or to log into their accounts were greeted with “404 Not Found” error messages. LastPass said they resolved the issue on Thursday evening.

Editor's Note

A bad update for a browser plugin isn't something you can easily roll back, let alone fix, QA, and distribute an updated version. While the pressure to deliver rapidly is incredible, and nothing new to security professionals, it's not a bad idea to understand how a scenario would be handled in your shop.

Lee Neely

LastPass helps users manage the increasing number of accounts they accumulate and is considered a best practice for password protection. Unfortunately, password managers can also be a single point of failure, whether intentional or not. Time to consider moving to Passkeys as an alternative.

Curtis Dukes

2024-06-10

Cleveland (Ohio) Government Suffers Cyber Incident

Some IT systems belonging to the City of Cleveland, Ohio are offline following an (undetermined) cyber incident. Cleveland’s 911 system, along with police, fire, and emergency medical services are functioning. A city spokesperson told Recorded Future News that “All internal systems and software platforms will be shut down until further notice.”

Editor's Note

While 911 was offline, emergency responder radio systems were still operating, allowing emergency services to be delivered. City phone services have been restored as of Monday. Cleveland's 311 daytime calls are being handled by after-hours operators. 311 is the number to call for information about the City's programs and services, as well as to submit a non-emergency service request. What I'm not finding is any sort of outage/incident announcement on the city's web site. Make sure your plans include outage notification/status updates on services where you manage the message.

Lee Neely

One may infer that safety applications were sufficiently isolated from more vulnerable applications. Would that the other applications were similarly isolated from each other.

William Hugh Murray

2024-06-07

SolarWinds Releases Security Updates for SolarWinds Platform and Serv-U

SolarWinds has released SolarWinds Platform version 2024.2, which addresses three vulnerabilities: a high-severity SWQL injection vulnerability, a high-severity stored cross-site scripting (XSS) vulnerability, and a medium-severity race condition vulnerability. SolarWinds has also released an update for SolarWinds Serv-U to address a high-severity directory traversal vulnerability.

Editor's Note

Today's contestants for SolarWinds Platform flaws are: CVE-2024-28996, SWQL injection, CVSS 3 score of 8.1, a high-complexity attack; CVE-2024-28999, a race condition, CVSS 3 score of 8.1; and CVE-2024-29004, stored XSS, CVSS 3 score of 4.8. They impact SolarWinds Platform 2024.1 SR1 and before; the fix is to update to 2024.2. Don't overlook the need to update their Serv-U product: CVE-2024-28995, a directory traversal flaw, CVSS score of 8.6, affects Serv-U FTP Server, Serv-U Gateway, and Serv-U MFT Server. The fix is to deploy Serv-U 15.4.1 hotfix 2. While there is not any indication these are being exploited in the wild, given SolarWinds, and how easy it is to discover vulnerable products exposed to the Internet, expect that not to change.

Lee Neely

Internet Storm Center Tech Corner

Veeam Exploit CVE-2024-29849
https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/

SORBS Shutdown
https://www.theregister.com/2024/06/07/sorbs_closed/

Rogue Cell Tower Shut Down in London
https://www.cityoflondon.police.uk/news/city-of-london/news/2024/june/two-people-arrested-in-connection-with-investigation-into-homemade-mobile-antenna-used-to-send-thousands-of-smishing-text-messages-to-the-public/

PHP Unicode Remote Code Execution Exploit
https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/


PyTorch Distributed RPC Framework Remote Code Execution
https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3
https://www.cve.org/CVERecord?id=CVE-2024-5480


Malicious VSCode Extensions Used by Researchers
https://www.bleepingcomputer.com/news/security/malicious-visual-studio-code-extensions-with-millions-of-installs-discovered/

Malicious ComfyUI Modules
https://www.youtube.com/watch?v=ntwGHjBCbeQ