SANS NewsBites

FTC Applies Breach Notification to Health App Vendors; Patch Your Fortinet Appliances; Establish and Test Backups for Web-based Dashboards to Survive DDoS Outages

June 13, 2023  |  Volume XXV - Issue #47

Top of the News


2023-06-09

FTC Proposes Amendment to Health Data Breach Notification Rule

The US Federal Trade Commission (FTC) has published a notice of proposed rulemaking in the Federal Register. The proposed rule would amend the FTC’s Health Breach Notification Rule to add health app developers to the entities that are required to report data breaches. The FTC is accepting public comment through August 8, 2023.

Editor's Note

This also refines the definition of a Personal Health Record (PHR) and reinforces the requirement to report breaches of health records not covered by HIPAA. Having a consolidated reference will help those impacted. Our demand to monitor and track our fitness has resulted in a plethora of applications and devices to meet that demand, often delivered with an eye on time-to-market, not data security and reporting. This rule change puts those meeting the demand on notice they have skin in the game. If you're collecting personal health information, or creating applications which do, you may want to weigh in on reporting requirements.

Lee Neely

Requiring apps that handle/store personal health records to meet breach disclosure requirements was floated for public comment in 2020 with little to no pushback – it makes sense. Especially as we now see Apple and other health app/device vendors starting to meet increased consumer demands for privacy and making claims for higher levels of personal health data protection.

John Pescatore

2023-06-12

Fortinet Releases Patches for Critical RCE Vulnerability

Patches are available to address a critical remote code execution vulnerability in Fortinet’s FortiGate firewalls. The flaw is fixed in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Fortinet says the vulnerability may have been exploited to launch attacks against government, manufacturing, and critical infrastructure organizations.
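One way to turn the fixed-version list above into an asset-inventory check, written here as an added example (not SANS's or Fortinet's code): it assumes that any build below the listed fix on the same release branch is unpatched, and reports branches the item does not list as unknown rather than guessing.

```python
# Added example (not from SANS or Fortinet): branch-aware check of a FortiOS
# version against the fixed builds listed in the item above.
from typing import Dict, List, Tuple

# Fixed FortiOS versions per release branch, as listed in the news item.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 17),
    (6, 2): (6, 2, 15),
    (6, 4): (6, 4, 13),
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 5),
}


def parse_fortios_version(version: str) -> Tuple[int, int, int]:
    """Parse '7.0.11' or 'v7.2.4' into a (major, minor, patch) tuple."""
    parts = version.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patch_status(version: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown-branch' for one version."""
    # Assumption: a build below the listed fix on the same branch is unpatched.
    # Branches the item does not list (for example 7.4) are reported as unknown
    # rather than guessed; check those against the vendor advisory.
    major, minor, patch = parse_fortios_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown-branch"
    return "patched" if (major, minor, patch) >= fixed else "unpatched"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs from an asset inventory by patch status."""
    report: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown-branch": []}
    for host, version in inventory:
        report[patch_status(version)].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("fw-edge-1", "7.0.11"), ("fw-edge-2", "7.2.5"), ("fw-lab", "7.4.0")]
    for status, hosts in triage_inventory(sample).items():
        print(f"{status}: {hosts}")
```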


2023-06-09

June 9 Azure Outage Explained

Microsoft says that an Azure Portal outage last week was caused by an unanticipated spike in traffic. The incident resulted in customers seeing “service unavailable” messages for several hours on Friday, June 9.

The Rest of the Week's News


2023-06-12

OMB Extends Software Self-Attestation Deadline

The US Office of Management and Budget (OMB) has extended the deadline for agencies to obtain software security self-attestation letters from contractors. Originally, agencies had until June 12 to collect self-attestations from providers of critical software and until September 14 to collect the letters from all vendors. The deadline has now been extended to three months after OMB creates a common self-attestation form for critical products, and six months for non-critical products. According to the updated guidance from OMB, agencies will not need to collect self-attestation letters for open-source software.

Editor's Note

This changes the impact of the Supply Chain Risk Management (SCRM) aspect of EO 14028. Yeah, this is the prevent a future SolarWinds plan. Essentially NIST SP 800-218 laid out the requirements with OMB M-22-18 setting the enforcement timeline. M-23-16 adds 3-12 months to the process and removes the attestation requirement for open-source attestation. This alleviates the process at one level but doesn't remove the need to make sure that you're still using the genuine components rather than an "improved" package with "special" features. Note that timing is still tied to the release and approval by OMB of a common form for attestation.

Lee Neely

Extensions to OMB mandate deadlines are pretty much standard practice but Software Bills of Material are not very useful if all the software is packed with vulnerabilities because of shoddy development practices.

John Pescatore

The extension is reasonable given that the self-attestation form is still in draft form with industry comment through 26 June. Further, even if software vendors cannot meet one or more of the reporting requirements, they can simply submit a PO&M to the government and continue to offer their products for purchase. It is a bit puzzling though that web browsers would be excluded from reporting given their importance and the fact the top browsers are all developed by well-established software vendors.

Curtis Dukes

2023-06-12

Apple Adds Privacy and Security Features to Multiple Products

Apple is improving privacy and security protections in a range of its products. Link tracking protection in Messages, Mail, and Safari Private Browsing will remove tracking data from shared links. A new iOS feature will allow users to share specific pictures with apps while keeping others private. Lockdown Mode will get new features and will be supported on watchOS.


2023-06-12

Barracuda ESG Vulnerability Affects Australian Capital Territory Government

The government of the Australian Capital Territory said that it suffered a security breach as the result of a compromised Barracuda Email Security Gateway (ESG). Barracuda disclosed the critical remote command injection vulnerability on May 19 and issued a fix on May 20. More recently, Barracuda urged users whose appliances were compromised to replace them instead of applying patches. The ACT government said that although it had rebuilt its Barracuda system following the vulnerability’s disclosure, an investigation revealed that a data breach had occurred.

Editor's Note

Threat hunting, checking for IOCs, has to be continuous. In the ESG case, there was a red flag for you to not only address the ESG but also check for compromise. The trick is you can't sit back waiting on the next alert that something you have is vulnerable or being exploited; you need to be continuously ingesting IOCs and looking for anomalous behavior.

Lee Neely

2023-06-10

Progress MOVEit Transfer Fix Available for New Vulnerabilities

Progress Software has released a patch to address additional vulnerabilities in its MOVEit Transfer file transfer application. Last week, Progress released a patch to fix a critical SQL injection vulnerability in MOVEit. The newly disclosed vulnerabilities are also SQL injection issues. Progress urges customers to install the June 9 patch.


2023-06-12

Former Samsung Executive Allegedly Intended to Use Stolen Data to Build Chip Plant in China

Authorities in South Korea have arrested and indicted a former Samsung Electronics executive for allegedly stealing technological intellectual property (IP). The individual hired 200 Samsung and SK Hynix employees and allegedly directed them to steal information from those companies. He allegedly intended to use the information to build a chip manufacturing facility in China.


2023-06-12

Swiss Government Affected by DDoS, Ransomware

Swiss government agencies have been affected by a ransomware attack against a third-party technology provider and by distributed denial-of-service (DDoS) attacks. The Swiss government released a statement saying that some operational data may have been stolen as a result of the ransomware attack against Xplain, which provides software to some government agencies.


2023-06-12

ODNI Report: US Government is Purchasing Citizens’ Sensitive Data

A recently declassified report released by the US Office of the Director of National Intelligence (ODNI) reveals that the US government is buying large quantities of data about its citizens. While obtaining phone location data would normally require a warrant, the government has circumvented that requirement by purchasing the information from private companies. The report also notes that deanonymization of data deemed to have been sanitized of personally identifiable information is “trivial.”

Internet Storm Center Tech Corner

Geoserver Attack Details: More Cryptominers Against Unconfigured WebApps

https://isc.sans.edu/diary/Geoserver+Attack+Details+More+Cryptominers+against+Unconfigured+WebApps/29936

Undetected PowerShell Backdoor Disguised as a Profile File

https://isc.sans.edu/diary/Undetected+PowerShell+Backdoor+Disguised+as+a+Profile+File/29930

DShield Honeypot Activity for May 2023

https://isc.sans.edu/diary/DShield+Honeypot+Activity+for+May+2023/29932

Fortinet Update CVE-2023-27997

https://www.fortiguard.com/psirt/FG-IR-23-097

Fortinet Patches CVE-2023-27997

https://twitter.com/cfreal_/status/1667852157536616451

Bitwarden Key Accessible By Low Privileged User

https://hackerone.com/reports/1874155

Western Digital SMART Flag Abuse

https://arstechnica.com/gadgets/2023/06/clearly-predatory-western-digital-sparks-panic-anger-for-age-shaming-hdds/

Second MOVEit Vulnerability

https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability