SANS NewsBites

Check That You Really Are Meeting Data Retention Requirements; Patch Fortinet FortiNAC Now; Follow NSA Recommendations to Reduce BlackLotus Bootkit Risk

June 27, 2023  |  Volume XXV - Issue #51

Top of the News


2023-06-26

SEC Fines JP Morgan $4M for Deleting eMails

The US Securities and Exchange Commission has fined JP Morgan Securities $4 million for deleting data related to Chase Bank. Under the Securities Exchange Act, JP Morgan is required to retain emails for three years; the 47 million messages in question, which were dated from January-April 2018, were deleted in 2019. JP Morgan detected the issue and self-reported to the SEC in 2020. JP Morgan says responsibility for deleting the data lies with a third-party vendor they hired to manage their archived data.

Editor's Note

A lot of errors in this one. A third-party vendor service was claiming to be compliant with FINRA rules of enforcing 3 year retention requirements, but neither JP Morgan nor FINRA noticed that it really wasn’t. Good idea to check your processes or services to see if too little or too much deletion is really happening.

John Pescatore

You can outsource the task but you cannot outsource the responsibility. Always make sure that your third-party suppliers are fully aware of the compliance, regulatory, legal, and contractual obligations your organization, and therefore they, have to operate under.

Brian Honan

In a regulated space, archives are a big deal. Know your retention requirements, and what disposition means. In the public sector, that means you’re likely obligated to turn over records, including email, to the national archives.

Lee Neely

This appears to have been a lapse by JP Morgan Securities in validating that the third-party vendor was meeting the compliance controls required for data retention. It’s a financially painful lesson for JP Morgan Securities but one that others can learn from.

Curtis Dukes

2023-06-23

Fortinet Releases Updates to Fix Untrusted Object Deserialization Vulnerability

Fortinet has released updates to address a deserialization of untrusted data vulnerability in its FortiNAC zero-trust access solution. The flaw could be exploited to execute code remotely. Users are urged to upgrade to FortiNAC versions 9.4.3, 9.2.8, 9.1.10, or 7.2.2 or later. Although the vulnerability also affects FortiNAC versions 8.x, there will not be an update for those versions.


2023-06-23

NSA Urges Organizations to Harden Systems Against BlackLotus Bootkit Malware

The US National Security Agency (NSA) has published a mitigation guide for the BlackLotus Unified Extensible Firmware Interface (UEFI) bootkit malware. The NSA says that Microsoft’s efforts to address BlackLotus are insufficient: while “Microsoft issued patches for supported versions of Windows to correct boot loader logic, … patches were not issued to revoke trust in unpatched boot loaders via the Secure Boot Deny List Database (DBX).”
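The NSA's point is that a patched boot loader on disk does not by itself stop an attacker-supplied older loader from booting; that only happens when the old loader's hash is present in the Secure Boot deny list (DBX). The following script is an added example, not code from the NSA guide or from Microsoft: it parses the raw dbx variable payload (a sequence of EFI_SIGNATURE_LIST structures, as laid out in the UEFI specification) and reports whether a given boot loader image hash is actually revoked on the machine. The owner GUID and the hashes in the sample data are constructed placeholders; the efivars path is the standard Linux location for the variable.

```python
import hashlib
import struct
import uuid

# GUID that marks an EFI_SIGNATURE_LIST as a list of SHA-256 hashes (UEFI spec, EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# efivarfs exposes dbx under this name; the first 4 bytes of the file are the variable attributes.
EFIVARS_DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def load_dbx_from_efivars(path=EFIVARS_DBX_PATH):
    """Read the raw dbx payload from efivarfs on Linux (skips the 4-byte attribute prefix)."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures and return
    [(signature_type_guid, [(owner_guid, signature_data), ...]), ...].
    Layout per list: SignatureType (16-byte GUID), then SignatureListSize,
    SignatureHeaderSize and SignatureSize (three little-endian UINT32), an optional
    header, then SignatureSize-byte entries, each starting with a 16-byte owner GUID."""
    lists = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body_start = off + 28 + hdr_size
        body_end = off + list_size
        if sig_size < 16 or body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("inconsistent signature sizes at offset %d" % off)
        entries = []
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
        lists.append((sig_type, entries))
        off += list_size
    return lists


def revoked_sha256_hashes(blob):
    """Set of hex SHA-256 image hashes that the dbx payload revokes."""
    out = set()
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            out.update(data.hex() for _owner, data in entries)
    return out


def is_revoked(blob, image_sha256_hex):
    """True if the given boot loader image hash is on the deny list.
    dbx stores the Authenticode (PE image) hash, not a flat hash of the file bytes."""
    return image_sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes_hex, owner):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct test data."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed sample data: a made-up owner GUID and hashes of placeholder strings,
# standing in for real boot loader image hashes.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_OLD_LOADER = hashlib.sha256(b"placeholder: unpatched boot loader").hexdigest()
REVOKED_OTHER = hashlib.sha256(b"placeholder: another revoked loader").hexdigest()
NOT_REVOKED_LOADER = hashlib.sha256(b"placeholder: current patched boot loader").hexdigest()
SAMPLE_DBX = build_sha256_list([REVOKED_OLD_LOADER, REVOKED_OTHER], SAMPLE_OWNER)

if __name__ == "__main__":
    dbx = SAMPLE_DBX  # replace with load_dbx_from_efivars() on a Linux UEFI host
    print("revoked entries:", len(revoked_sha256_hashes(dbx)))
    print("old loader revoked?", is_revoked(dbx, REVOKED_OLD_LOADER))
    print("patched loader revoked?", is_revoked(dbx, NOT_REVOKED_LOADER))
```

On Windows the same payload is available from PowerShell via the Bytes property of Get-SecureBootUEFI -Name dbx and can be fed to parse_signature_lists unchanged. The hash you compare against must be the Authenticode image hash of the boot loader, which is what firmware computes when it evaluates DBX; a plain SHA-256 of the file will not match.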

The Rest of the Week's News


2023-06-26

SolarWinds CISO and CFO Facing SEC Investigation

In a Form 8-K filing with the US Securities and Exchange Commission, SolarWinds revealed that several current and former employees, including the company’s chief financial officer (CFO) and chief information security officer (CISO), have received notices indicating they may be facing SEC civil enforcement action. In the filing, SolarWinds notes that “the Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.” The company itself has also received a Wells Notice.

Editor's Note

The recently released national cybersecurity strategy emphasized the shifting of liability to product and service companies. This action appears to be another signal to the market that companies will be held responsible. What’s interesting though, is that the SEC recommended an enforcement action against SolarWinds over its public statements on cybersecurity and procedures governing such disclosures. Is this a case where the issue is about statements made, or not, in the context of financial regulations rather than a lack of appropriate application of cybersecurity?

Curtis Dukes

This really just indicates the beginning of the investigation to see if failures that allowed this compromise to happen were known and not acted on, or just not known. From a customer perspective, both are equally bad – a supplier of software that is installed at the heart of IT operations with full access needs to be held to higher standards that require at least essential security hygiene be maintained to assure software product integrity.

John Pescatore

The SolarWinds SEC issues will be interesting to follow as the MOVEit vulnerabilities surface. Is there going to be a correlation between the situations?

Moses Frost

This is currently a case of he-says, she-says. The SEC states that SolarWinds didn't properly disclose their breach in 2020, while SolarWinds contends they performed as required. This is an argument to make careful records of not only your breach disclosures, but the basis or regulations you feel you were following.

Lee Neely

Hopefully this is a step toward holding suppliers accountable for shipping malicious code.

William Hugh Murray

2023-06-26

Microsoft Teams Vulnerability Allows External Sources to Send Files to Employees

A flaw in the Microsoft Teams External Tenants feature allows attackers to bypass phishing safeguards and deliver malware to employees. The vulnerability affects Microsoft Teams in its default configuration. The issue is an insecure direct object reference (IDOR) access control vulnerability. Microsoft has acknowledged that the flaw exists but does not plan to address it right away.


2023-06-26

Suncor Energy Cyber Incident Affecting Petro-Canada Customers

A cyberattack affecting systems at Canada’s Suncor Energy has caused problems for customers at Petro-Canada filling stations. The issues are preventing customers from logging in to accounts, earning rewards points, or paying with payment cards. Suncor has not yet provided details about the cyber security incident.


2023-06-23

CISA Adds Eleven Vulnerabilities to KEV Catalog

On Thursday and Friday of last week (June 22 & 23) the US Cybersecurity and Infrastructure Security Agency (CISA) added 11 security issues to its Known Exploited Vulnerabilities (KEV) catalog. These include three vulnerabilities affecting multiple Apple products; vulnerabilities in VMware Tools and VMware Aria Operations for Networks; a vulnerability in Zyxel Network-Attached Storage (NAS) devices; three vulnerabilities affecting Roundcube Webmail; a vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird; and a vulnerability affecting Microsoft Win32k.


2023-06-26

Third-Party Data Breach Affects American Airlines and Southwest Airlines Pilots

A third-party vendor breach has prompted American Airlines and Southwest Airlines to begin notifying pilots that their personal data have been compromised. The third-party vendor, Pilot Credentials, manages pilot recruitment and applications for multiple airlines. The compromised data include government-issued identification numbers, including those for Social Security, driver’s licenses, Airman Certificates, and passports. The breach occurred in late April; Pilot Credentials notified American and Southwest about the incident on May 3. American and Southwest have both moved pilot applications to internal systems.


2023-06-26

BIND Updates Fix Three Vulnerabilities

The Internet Systems Consortium (ISC) has released updated versions of BIND to address three vulnerabilities in the domain name system (DNS) software. All three issues are remotely exploitable and could be used to create denial-of-service (DoS) conditions. The vulnerabilities are fixed in BIND versions 9.16.42, 9.18.16, and 9.19.14 and BIND Supported Preview Edition versions 9.16.42-S1 and 9.18.16-S1.


2023-06-26

Largest Reported Healthcare Data Breaches YTD

Healthcare sector data security breaches reported to the US Department of Health and Human Services Office for Civil Rights (HHS OCR) so far this year affect more than 39 million people. Among the largest reported breaches: Managed Care of North America, which affected 8.86 million people; Pharmerica Corp., which affected 5.8 million people; and Regal Medical Group, which affected 3.38 million people. (Note: Some of the breaches occurred in 2022 but were not reported to HHS OCR until 2023.)


2023-06-23

HC3: SEO Poisoning is Targeting Healthcare Orgs

The US Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note warning that search engine optimization (SEO) poisoning attacks are increasingly being used against organizations in the US Health Care and Public Health sector. The note’s suggestions for detecting and preventing SEO poisoning attacks include implementing typosquatting detection and using indicators of compromise (IoC) lists.


2023-06-26

More MOVEit Breach Victims

Entities reporting breaches enabled by MOVEit include the New York City Department of Education and third-party service provider PBI Research Services. The PBI breach has affected Genworth Financial, Wilton Reassurance, and the California Public Employees’ Retirement System (CalPERS).

Internet Storm Center Tech Corner

Email Spam With Modiloader Attached

https://isc.sans.edu/diary/Email+Spam+with+Attachment+Modiloader/29978

Word Document with an Online Attached Template

https://isc.sans.edu/diary/Word+Document+with+an+Online+Attached+Template/29976

Qakbot Activity obama271 Distribution Tag

https://isc.sans.edu/diary/Qakbot+Qbot+activity+obama271+distribution+tag/29968

Camaro Dragon Infects USB Drives as well as Network Drives

https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/

BlackLotus Mitigation Guide

https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF

Grafana Security Release

https://grafana.com/blog/2023/06/22/grafana-security-release-for-cve-2023-3128/

Microsoft Teams External Tenant Confusion

https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/

Free Smart Watches

https://www.darkreading.com/threat-intelligence/suspicious-smartwatches-mailed-us-army-personnel