SANS NewsBites

MFA and Privilege Management Key to Detecting and Thwarting Latest State Sponsored Attacks; More Reasons to Quickly Patch Firewalls; Prioritize GitLab Update

May 26, 2023  |  Volume XXV - Issue #42

Top of the News


2023-05-25

Volt Typhoon State-Sponsored Threat Actors Use Stealth Tactics

Microsoft has detected “stealthy and targeted malicious activity focused on post-compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States” and Guam. The Chinese state-sponsored hackers, known as Volt Typhoon, have been active since at least mid-2021. Volt Typhoon evades detection through “living off the land” tactics, which make their activity difficult to distinguish from regular Windows activity. Cybersecurity and intelligence agencies from the Five Eyes countries (Australia, Canada, New Zealand, the UK, and the US) have published a joint cybersecurity advisory that includes a list of artifacts, mitigations, and indicators of compromise.

Editor's Note

Great write up. The attack was targeted, but remember that the techniques described are used by other actors as well, and tend to "trickle down" to less sophisticated attacks. Try to read the document considering which part of the attack you would have been able to detect, and how you may be able to fill in some blind spots.

Johannes Ullrich

Many lessons to be learned from this one, especially related to the initial attack vector exploiting vulnerabilities in low-end firewalls/routers from Fortinet and others. A key takeaway: the attacks harvested credentials from those devices and then took advantage of admin privileges on those accounts to launch hard-to-detect living-off-the-land attacks. Once again, use of 2FA on all privileged accounts would have thwarted these attacks or made them much easier to detect.

John Pescatore

The core mitigations for this type of attack include being able to monitor for unusual activity, not just unexpected commands, but unusual login hours, activation of services or accounts outside of norms. Yeah, modeling normal is challenging. But you can watch for unexpected PowerShell scripts, login behavior, and enabling of proxy-type services which could enable an end-around your access controls. You can also lock down and instrument critical components like your domain controllers, making unexpected activity easy to spot.

Lee Neely
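As an added example (not part of the newsletter or the advisory it cites), a toy Python detector for the anomalies the note above lists: privileged logons outside normal hours, unexpected PowerShell invocations, and proxy-type forwarding being enabled (netsh portproxy is used as the sample pattern). The event records, the 07:00-19:00 business-hours baseline and the privileged-account prefixes are constructed assumptions.

```python
"""Toy detector for off-hours privileged logons, suspicious PowerShell
launches and port-proxy enablement. All events below are constructed;
the tuple layout is an assumption, not a real log schema."""
from datetime import datetime
import re

# (timestamp, event_id, account, detail); 4624 = logon, 4688 = process creation
EVENTS = [
    ("2023-05-22T09:12:00", 4624, "svc_backup", "LogonType=3"),
    ("2023-05-22T10:03:00", 4688, "svc_backup", r"C:\Windows\System32\robocopy.exe"),
    ("2023-05-23T02:41:00", 4624, "admin_jdoe", "LogonType=10"),
    ("2023-05-23T02:43:00", 4688, "admin_jdoe",
     "powershell.exe -nop -w hidden -EncodedCommand AAAA"),  # placeholder payload
    ("2023-05-23T02:45:00", 4688, "admin_jdoe",
     "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5"),
    ("2023-05-23T14:10:00", 4624, "admin_jdoe", "LogonType=2"),
]

BUSINESS_HOURS = range(7, 19)            # assumed baseline: 07:00-18:59 local
PRIVILEGED_PREFIXES = ("admin_", "svc_")  # assumed naming convention

# Process-creation patterns worth a second look (case-insensitive).
SUSPICIOUS_PROCESS = [
    (re.compile(r"powershell(\.exe)?\b.*(-enc(odedcommand)?|-w(indowstyle)? hidden)", re.I),
     "powershell with hidden window or encoded command"),
    (re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
     "port proxy enabled via netsh"),
]

def is_privileged(account):
    return account.lower().startswith(PRIVILEGED_PREFIXES)

def analyze(events):
    """Return (account, reason) findings in event order."""
    findings = []
    for ts, event_id, account, detail in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4624 and is_privileged(account) and when.hour not in BUSINESS_HOURS:
            findings.append((account, f"privileged logon at {when:%H:%M} outside business hours"))
        elif event_id == 4688:
            for pattern, reason in SUSPICIOUS_PROCESS:
                if pattern.search(detail):
                    findings.append((account, reason))
    return findings

if __name__ == "__main__":
    for account, reason in analyze(EVENTS):
        print(f"{account}: {reason}")
```

Against the constructed events it reports three findings, all for admin_jdoe during the 02:41 session; the daytime svc_backup and admin_jdoe activity passes.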

This is the hallmark of a classic nation state intelligence operation – gain access, elevate privilege [credentials], burrow deep [living off the land], collect and exfiltrate data. By taking advantage of available IT tools, discovery is made all the more difficult. The primary objective would be intelligence collection, but given the network’s importance, denial of service would be a secondary objective. Every organization should use this discovery to review their patch management process, as well as to review access logs [privilege account]. If organizations are slow to patch, adversaries have all the time they need to establish a foothold and elevate privileges.

Curtis Dukes

2023-05-25

Practicefirst Will Pay $550,000 Over Data Breach

Medical management company Practicefirst will pay a fine of $550,000 to the state of New York for failing to adequately protect patient data. The company failed to update their software in a timely manner, resulting in the theft of data affecting 1.2 million individuals, more than 428,000 of whom reside in New York. Practicefirst violated both the Health Insurance Portability and Accountability Act (HIPAA) and New York state laws.


2023-05-25

GitLab Releases Update to Fix Critical Flaw

GitLab has released version 16.0.1 for both GitLab Community Edition (CE) and GitLab Enterprise Edition (EE). The newest version fixes a critical path traversal vulnerability that could be exploited to read arbitrary files without authenticating. The issue affects GitLab CE/EE version 16.0.0; older versions are not affected.

The Rest of the Week's News


2023-05-24

Apria Healthcare is Notifying Patients of Breach They Detected in 2021

Apria Healthcare has begun notifying more than 1.8 million patients that their personal data were compromised during a breach that allowed intruders access to the information for several weeks in both 2019 and 2021. Apria discovered the incidents in September 2021. The US Health Insurance Portability and Accountability Act (HIPAA) “requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from discovery.”

Editor's Note

The law is pretty clear that victim notification is to be made 60 days from discovery. The company doesn’t get a ‘pass’ on the notification requirement simply because they ‘believe’ the attacker’s goal was to obtain funds. Further, Apria has no way of knowing whether personal information was ‘misused’ as a result of this cyber breach. Clearly the board should review the steps taken by the Apria executive leadership team in responding to the breach and hold them accountable.

Curtis Dukes

Apria claims it has taken two years to fully investigate the breach and determine what, if any, data was accessed. Apria is just now offering affected patients a year of credit monitoring and restoration, two years after their data was potentially compromised. While it is important to fully investigate a breach, taking two years to notify affected parties is just too long. Perform a risk assessment and determine what your customers’ tolerance would be, then update your plans to include that goal, so everyone is on the same page.

Lee Neely

2023-05-23

Bridgestone CISO on Lessons Learned from Ransomware Attack

In February 2022, tire manufacturer Bridgestone was the target of a ransomware attack that took its North American operations offline for days. Bridgestone America Chief Information Security Officer (CISO) Tom Corridon said his most important piece of advice is to determine who makes which decisions in a crisis before one occurs. Corridon also noted that breaches can generate an atmosphere of openness to changes that can help avoid another incident.


2023-05-25

CISOs Want Breach Disclosure Rules

SolarWinds Chief Information Security Officer (CISO) Tim Brown told Dark Reading that CISOs want clear rules about breach disclosure. Former Uber CISO Joe Sullivan was sentenced to three years’ probation in addition to a $50,000 fine; the judge in the case made it clear that the next time a similar case comes before him, he will be far less lenient. The US Federal Trade Commission’s (FTC) breach disclosure rules, along with the tangle of regulations, executive orders, state laws, and legal precedent, complicate disclosure decisions. Brown suggests that CISOs would benefit from a law much like the Sarbanes-Oxley Act, which provides a framework for financial reporting regulations for chief financial officers (CFOs).


2023-05-25

CosmicEnergy Malware Designed to Disrupt OT and ICS

Mandiant researchers have identified new malware that targets operational technology (OT) and industrial control systems (ICS). Dubbed CosmicEnergy, “the malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.” CosmicEnergy was detected after it was uploaded to VirusTotal in December 2021 via a Russian IP address.


2023-05-24

Known Flaw in WordPress Beautiful Cookie Consent Banner Plugin is Being Actively Exploited

Hackers are exploiting a known vulnerability in the Beautiful Cookie Consent Banner plugin for WordPress to add malicious JavaScript to unpatched websites. The plugin has more than 40,000 active installs. Beautiful Cookie Consent Banner’s developer released a fix in version 2.10.2 in January 2023. The vulnerability can also be exploited to create admin accounts on vulnerable sites.


2023-05-23

Rheinmetall Acknowledges April Cyberattack was Ransomware

German automotive and arms manufacturer Rheinmetall has confirmed that a cyber incident detected and disclosed in April was a ransomware attack. The company says the attack affected the civilian branch of its business.


2023-05-25

Zyxel: Patches for Critical Firewall Vulnerabilities; Firmware Vulnerability Patched in April is Being Actively Exploited

Zyxel has released fixes for buffer overflow vulnerabilities in its firewalls and VPNs. Both flaws could be exploited to achieve remote code execution. These fixes arrive just a month after Zyxel released fixes for an OS command injection vulnerability; that vulnerability is being actively exploited.

Internet Storm Center Tech Corner

IR Case/Alert Management

https://isc.sans.edu/diary/IR+CaseAlert+Management/29880

More Data Enrichment for Cowrie Logs

https://isc.sans.edu/diary/More+Data+Enrichment+for+Cowrie+Logs/29878

Apache Nifi Scans

https://isc.sans.edu/diary/Help+us+figure+this+out+Scans+for+Apache+Nifi/29874/

Expo Framework OAUTH Vulnerability CVE-2023-28131

https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services

D-Link Vulnerabilities

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332

Volt Typhoon: Living off the Land

https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Android App Breaking Bad

https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/

Zyxel Updates

https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls

Mitel MiVoice Vulnerability CVE-2023-31457 CVE-2023-32748

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-23-0004

Barracuda Email Security Gateway Vulnerability

https://status.barracuda.com/incidents/34kx82j5n4q9

Gitlab Patch

https://about.gitlab.com/releases/2023/05/23/critical-security-release-gitlab-16-0-1-released/

Samsung Updates fix 0-Day

https://security.samsungmobile.com/securityUpdate.smsb

Lenovo All-In One Bricked by Windows Update

https://www.reddit.com/r/Lenovo/comments/136tatm/lenovo_firmware_10055_bricking_thinkcentre_v53024/

Dell VxRail Security Update

https://www.dell.com/support/kbdoc/en-us/000213011/dsa-2023-071-dell-vxrail-security-update-for-multiple-third-party-component-vulnerabilities-7-0-450

BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack

https://arxiv.org/pdf/2305.10791.pdf