SANS NewsBites

Change Healthcare Says Clearinghouse Services are Functional; CISA Red Team Assessment Report; D-Link Tells Users to Replace End-of-Life Routers

November 22, 2024  |  Volume XXVI - Issue #90

Top of the News


2024-11-20

Change Healthcare Clearinghouse Services are Functional

Nine months after suffering a catastrophic ransomware attack, Change Healthcare says that its healthcare-related transactions clearinghouse services have been restored. Change Healthcare normally handles 15 billion financial transactions annually. The American Hospital Association reported that the February attack disrupted services at 94 percent of US hospitals.

Editor's Note

Nine. Months. Later. Their clearinghouse service is not the last thing needing service restoration. I'm pretty sure none of us have put nine months as a recovery time objective without considerable management buy-in. I'm sure there were many conversations about the restored service stability, ability to handle the prior workload plus any catch-up work, and the zinger, promises that the compromise would never happen again, all of which result in delays. Work these out, including what evidence is expected, in your tabletop exercises. Don't forget to include exercises where you actually rebuild/recover and operate a system.

Lee Neely

What fallout will we see from Change Healthcare? I am not sure the blowback has been strong enough yet in the Medical Sector. Does that say more about Healthcare IT or just Healthcare in general?

Moses Frost

This may well have been one of the most expensive breaches in history with much of the cost being borne by customers.

William Hugh Murray

2024-11-21

CISA Insights from Red Team Assessment of Critical Infrastructure Organization

The US Cybersecurity and Infrastructure Security Agency (CISA) conducted a red team assessment of a critical infrastructure organization at the organization's request. CISA has published a cybersecurity advisory detailing the tactics, techniques, and procedures they used. The report also includes lessons learned in the areas of insufficient technical controls; continuous training, support, and resources; and business risk, as well as noted strengths demonstrated by the critical infrastructure provider.

Editor's Note

The western world has a serious problem with critical infrastructure. Don't forget Volt Typhoon! Adversaries have persistence TODAY in water, power, healthcare, etc. and can break our first world bubble at any time. If you aren't a critical infrastructure provider, please consider volunteering with Infragard or local cyber civilian reserves (where available). Note: the red team here did not gain access to OT/ICS systems. That's great news!

Christopher Elgee

Red Team, Blue Team, Purple Team, Architect, in the sector, not in the industry, it doesn't matter. I highly recommend reading this report. It doesn't matter if you are early in your career, late in your career, director, or CIO, this is a valuable report. I recommend reading this report if you do nothing else today or next week.

Moses Frost

Three takeaways here: First is the importance of defense in depth. Not just EDR but also network layer detection and response. Second is to keep the staff trained and supported with the resources to detect, understand and respond to current threats. Third is management support and understanding of threats for proper risk-based decision making, not supporting updates of known vulnerable software, instead accepting the risk. Where a WAF had been deployed in response to a discovered vulnerability in the new VDP program, it was never toggled from monitor/learning mode to blocking mode; management should have verified procedures were in place to ensure issues were fully addressed and verified. Take a hard look at your shop in this context, then take steps to avoid a me-too scenario.

Lee Neely

2024-11-21

D-Link Tells Users to Replace End-of-Life / End-of-Service Devices

In a Security Announcement published this week, D-Link 'recommends that D-Link devices that have reached EOL/EOS be retired and replaced.' Specifically, the advice applies to these D-Link routers: DSR-150 (EOL May 2024), DSR-150N (EOL May 2024), DSR-250 (EOL May 2024), DSR-250N (EOL May 2024), DSR-500N (EOL September 2015), and DSR-1000N (EOL October 2015). The announcement follows the disclosure of a serious buffer overflow vulnerability in the devices that could lead to remote code execution.

Editor's Note

These devices are typically installed in the houses of non-IT individuals. I suspect when you're in the US and going to your parents'/relatives' houses, maybe take a look and see if they are running these older devices. If so, Christmas is around the corner.

Moses Frost

These are not expensive devices and most users have gotten good value from them. The replacements will offer improvements in value, performance, features, and functions. Much of the cost of replacing them will be in the setup, configuration, and network downtime. (Hopefully the replacements will not have default passwords.)

William Hugh Murray

It's totally legitimate to set EOL dates and not provide updates beyond that point. And it's on us, as consumers, to plan for that. Having a scored CVE for the vulnerability helps make the case for prompt action, even if these devices are under $200 each.

Lee Neely

D-Link is at least offering a discount for people who need to switch devices. On the other hand, open source solutions like OpenWRT will often extend the life of these devices by years.

Johannes Ullrich

The Rest of the Week's News


2024-11-21

Decade-Old Vulnerabilities in Ubuntu needrestart

The Qualys Threat Research Unit (TRU) has published a report on five local privilege escalation vulnerabilities in "needrestart," a Linux utility that helps automatically keep service versions current by flagging them for restart after updates. The utility has had all five flaws since version 0.8, released April 2014; it has been installed by default in Ubuntu Server since version 21.04, may be manually installed on many older Ubuntu releases, and is in the package repositories of other distributions. CVE-2024-48990, CVE-2024-48991, and CVE-2024-48992 allow arbitrary code execution by running interpreters with malicious variables or by installing malicious interpreters; CVE-2024-11003 and CVE-2024-10224 allow execution of arbitrary shell commands via unsanitized input data. Updating to 3.8 or later patches the flaws; where updating is not immediately possible, a modification to the utility's configuration file can "disable the interpreter scanning feature ... [to] stop needrestart from executing interpreters with potentially attacker-controlled environment variables."

Editor's Note

Qualys team continues to find classic amazing bugs in Legacy Software. It not only feels retro, but in this case, it is retro.

Moses Frost

Needrestart can be compelled to execute arbitrary scripts, which can be mitigated by changing /etc/needrestart/needrestart.conf to disable interpreter scanners by setting $nrconf{interpscan} to 0 until you deploy the updated packages. In CVE-2024-48990 and CVE-2024-48922 an attacker can run a script which uses environmental variables to execute arbitrary code, while CVE-2024-48991 requires exploiting a time-of-use time-of-check race condition. In CVE-2024-11003 attacker-controlled input is fed to Module::ScanDeps triggering CVE-2024-10224. Tip: it took you longer to read that paragraph than it would to deploy the updated needrestart and libmodule-scandeps-perl.

Lee Neely

Qualys did not provide a proof of concept exploit, but there is enough detail in their report to assume that an exploit will be released before you read this. This is only a privilege escalation issue, but should still be addressed quickly.

Johannes Ullrich
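
As an added example (not code from Qualys, Ubuntu or SANS), the following POSIX shell script checks a Debian/Ubuntu host for either the fixed needrestart release (3.8 or later) or the interim configuration mitigation described in the item and the note above; the package version strings it is exercised with are constructed, and the /etc/needrestart/needrestart.conf path is the one the note names.

```shell
#!/bin/sh
# Added example: audit a host for the needrestart fix or the interpscan mitigation.
# Assumes Debian-style package versions such as "3.6-7ubuntu4.3" (constructed).

# Return 0 when a Debian-style version string is 3.8 or later (the fixed release).
needrestart_fixed() {
    v=$(printf '%s' "$1" | sed -E 's/^[0-9]+://')          # drop any epoch prefix
    major=$(printf '%s' "$v" | cut -d. -f1 | sed -E 's/[^0-9].*//')
    minor=$(printf '%s' "$v" | cut -d. -s -f2 | sed -E 's/[^0-9].*//')
    if [ "${major:-0}" -gt 3 ]; then return 0; fi
    if [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 8 ]; then return 0; fi
    return 1
}

# Return 0 when the given needrestart.conf disables interpreter scanning.
# The file is Perl, so the last uncommented assignment is the effective one.
interpscan_disabled() {
    conf="$1"
    if [ ! -r "$conf" ]; then return 1; fi
    val=$(grep -E '^[[:space:]]*\$nrconf[{]interpscan[}][[:space:]]*=' "$conf" \
          | tail -n 1 | sed -E 's/.*=[[:space:]]*([0-9]+).*/\1/')
    if [ "$val" = "0" ]; then return 0; fi
    return 1
}

# Combined verdict: 0 = patched or mitigated, 1 = still exposed.
needrestart_status() {
    if needrestart_fixed "$1"; then
        echo "needrestart $1: fixed release, interpreter scanning may stay enabled"
        return 0
    fi
    if interpscan_disabled "$2"; then
        echo "needrestart $1: unpatched, but interpreter scanning is disabled"
        return 0
    fi
    echo "needrestart $1: unpatched and interpreter scanning still enabled"
    return 1
}

# Run against the live host when the Debian packaging tools are present.
if command -v dpkg-query >/dev/null 2>&1; then
    ver=$(dpkg-query -W -f='${Version}' needrestart 2>/dev/null || true)
    if [ -n "$ver" ]; then
        needrestart_status "$ver" /etc/needrestart/needrestart.conf \
            || echo 'ACTION: update needrestart and libmodule-scandeps-perl, or set $nrconf{interpscan} = 0;'
    fi
fi
```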

2024-11-21

Google OSS-Fuzz Finds Dozens of Open-Source Vulnerabilities

Google's OSS-Fuzz tool, which now includes AI capabilities, recently detected 26 vulnerabilities in open-source projects. Google announced that it was bringing large language model (LLM) capabilities to bear on the tool, which has been in use since 2016. Google says the vulnerabilities would not have been detected without the targets generated by the LLM component.

Editor's Note

Everything we do in security is bounded by resources (people, time, money), and prioritizing those resources towards maximum RRROI (Risk Reduction Return on Investment) is critical. Since by definition fuzzing starts with an infinite number of possible inputs, creating fuzzing targets to increase the odds of finding vulnerabilities, or in particular to maximize code coverage and reduce, is needed. Using AI techniques seems promising, but my worry is what 'blind spots' are or will be built into the LLM models being used for this? There have been great demonstrations about how AI-based image recognition models can be easily defeated. Increased code coverage should be a good thing, unless the remaining code area is the real vulnerability swamp.

John Pescatore

The AI LLMs are both reducing the time to detection and finding flaws not discovered by "human-written" fuzzing tests. While the ultimate goal is to have the LLM generate a suggested patch for flaws found, consider how leveraging the OSS-Fuzz open-source tool in your SQA processes would help you with discovery with nominal impact on the release process, assuming no issues are found.

Lee Neely

2024-11-20

Apple Patches Two Exploited Zero-Day Vulnerabilities

On Tuesday, November 19, Apple released patches for two zero-day vulnerabilities in macOS and iOS systems; the company "is aware of a report" that these bugs have been exploited in the wild on Intel-based Mac systems, but specifies neither details nor indicators of compromise (IoCs). Both vulnerabilities stem from "processing maliciously crafted web content": CVE-2024-44308 allows arbitrary code execution through JavaScriptCore, and CVE-2024-44309 allows a cross-site scripting attack through WebKit. To apply the patches, update to macOS Sequoia 15.1.1, iOS/iPadOS 17.7.2 or 18.1.1, and visionOS 2.1.1.

Editor's Note

CVE-2024-44309 is a cookie management flaw, while CVE-2024-44308 impacts the JavaScript core. Note these apply to both iOS 17 & 18. Make sure that you're working to be on devices which can all run iOS 18, it's a lot easier when your fleet is all on the same version. Your Mac users are likely already getting prompts to install 15.1.1 - make sure the updates are actually applied.

Lee Neely

Just a reminder that most Apple users should have automatic updates enabled.

William Hugh Murray

2024-11-21

Censys: Nearly 150,000 Industrial Control Systems are Internet-Exposed

According to Censys's 2024 State of the Internet Report, there are more than 145,000 internet-exposed industrial control systems (ICS) worldwide. Censys detected exposed systems in 175 countries. Thirty-eight percent of the exposed systems are in North America, 35% in Europe, and 22% in Asia. The report indicates that the exposed systems are accessible through certain protocols, including Modbus, Fox, BACnet, WDBRPC (Wind River), EIP, S7 (Siemens), and IEC 60870-5-104.

Editor's Note

The days of nobody caring about ICS, or otherwise discounting the risks of compromise, are past. It's going to take a joint effort to secure exposed interfaces without jeopardizing effectiveness or real-time data collection. Where LTE/5G connections are used, talk to your provider about private networks and other security options available. Latency is a nasty four-letter word in this context, and availability rules the roost; still, have a discussion after they read the report.

Lee Neely

2024-11-21

Oracle Patches Actively Exploited Flaw in Agile Product Lifecycle Management

Oracle has released fixes for an actively exploited, high-severity unauthenticated information disclosure vulnerability in their Agile Product Lifecycle Management (PLM). The flaw has been exploited to download files. The issue affects PLM version 9.3.6. Admins are urged to update to a fixed version as soon as possible.

Editor's Note

CVE-2024-21287, a PLM information disclosure flaw with a CVSS score of 7.5, is easily exploited by an unauthenticated user with network access to the PLM system, and can be used to access critical data or even all data in your Oracle PLM framework. Beyond applying the patch, revisit the security configuration of your PLM system to make sure you're applying current best practices.

Lee Neely

2024-11-21

MITRE's List of Most Dangerous Software Weaknesses

MITRE has published their list of 25 Most Dangerous Software Vulnerabilities for 2024. Topping the list is improper neutralization of input during web page generation, or cross-site scripting; followed by out-of-bounds write, improper neutralization of special elements used in an SQL command, or SQL injection; cross-site request forgery; improper limitation of a pathname to a restricted directory, or path traversal; and out-of-bounds read.

Editor's Note

While their placement has moved around from a "Most Dangerous" perspective, all of the vulnerabilities were listed last year in the top 40; none of them are new. If you required all code to get a clean run from most modern app vulnerability testing tools before promoting to production systems, you would have known of these in advance of exposure.

John Pescatore

What have we learned? In my lifetime thus far, these bugs haven't changed in how dangerous they are, they appear to be static in that sense. Take this into account when you consider we are not making any less software as a species, only more software is being made.

Moses Frost

Input sanitization (neutralization) has been a challenge and a successful attack vector for a while. The other vulnerabilities aren't new either, so your security testing (static and dynamic) should already be revealing these weaknesses. The focus has to be on secure coding, taking the time to ensure weaknesses are addressed as early as possible in the SDLC. Use this report to bolster the case that secure development is as important as delivery.

Lee Neely

2024-11-20

Major Financial Data Handler Finastra Suffers Breach

In a statement to customers updated on November 13, Finastra, "which provides software and services to 45 of the world's top 50 banks," disclosed a data breach in an internal secure file transfer platform (SFTP), mentioning but neither verifying nor disavowing claims that a threat actor allegedly stole and sold the data on the dark web. Finastra's business spans over 8000 clients in 42 countries, often "processing huge volumes of digital files containing instructions for wire and bank transfers on behalf of its clients." The company's Security Operations Center (SOC) believes that malware was not deployed, and that no files were accessed, viewed, or tampered with apart from those exfiltrated. The compromised SFTP was not the default platform, and certain products and customers were not affected. Finastra has emphasized "accuracy and transparency" in communication with customers, employing a third-party cybersecurity firm as well as "implement[ing] an alternative secure file sharing platform" while their investigation of the breach continues.

Editor's Note

The threat actor, or at least their persona abyss0, seems to have vanished, abandoning some transactions mid-stream. Given the success of recent law enforcement takedowns, one hopes there is a connection. Regardless, file interchange systems continue to be a target. Fully understand the risks of those used, and offered (Finastra's system was in-house), and make sure you have proactive monitoring. Check those incident response parts of your contracts, making sure all contacts are current and are part of the cyber provisions your procurement team incorporates into contract language. Having a good relationship with that team, as well as your OGC, goes a long way to stacking the deck in your favor.

Lee Neely

Internet Storm Center Tech Corner

Increase In Phishing SVG Attachments

https://isc.sans.edu/diary/Increase+In+Phishing+SVG+Attachments/31456

Apple Patches Two Exploited Vulnerabilities

https://isc.sans.edu/diary/Apple+Fixes+Two+Exploited+Vulnerabilities/31452

Detecting the Presence of a Debugger in Linux

https://isc.sans.edu/diary/Detecting+the+Presence+of+a+Debugger+in+Linux/31450

Logging blind spot revealed in FortiClient VPN

https://pentera.io/blog/FortiClient-VPN_logging-blind-spot-revealed/

Needrestart Vulnerability

https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

Oracle Patch for Agile Product Lifecycle Management CVE-2024-21287

https://www.oracle.com/security-alerts/alert-cve-2024-21287.html

OFBiz Patches CVE-2024-47208 CVE-2024-48962

https://nvd.nist.gov/vuln/detail/CVE-2024-47208

https://seclists.org/oss-sec/2024/q4/95

D-Link Warns of Vulnerability in EOL Devices

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415

Palo Alto Patches

https://security.paloaltonetworks.com/CVE-2024-0012

https://security.paloaltonetworks.com/CVE-2024-9474

VMware vCenter Server Attacks

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968e

Veritas Enterprise Vault Vulnerability

https://www.veritas.com/support/en_US/security/VTS24-014