SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #90
November 13, 2020Surge of Critical Healthcare Attacks; Too Many High Priority Patches
******************************************************************************
SANS NewsBites November 13, 2020 Vol. 22, Num. 090
******************************************************************************
THE TOP OF THE NEWS
Critical Healthcare Cybersecurity Incidents Abound
Australias Government Warns of SDBBot Activity Targeting Healthcare Sector
*************************** Sponsored By AWS Marketplace ************************************
How to Enhance SOC Efficiency for the AWS Cloud | November 19 @ 2:00 PM ET | We invite you to join SANS analyst Dave Shackleford and AWS Specialist Solutions Architect Nam Le as they host an informative webcast designed to teach you how to limit alert fatigue, while enhancing SOC productivity through automating actionable insights and removing respective manual tasks, through the exploration of real-world examples and offering practical guidance to help equip you with the needed visibility and efficiencies to scale.
| http://www.sans.org/info/218165
******************************************************************************
REST OF THE WEEKS NEWS
Microsoft: Use MFA That Doesnt Use Publicly Switched Phone Networks
Microsoft Patch Tuesday, and A New Format for the Security Update Guide
Adobe November Patch Tuesday Fixes Three Flaws
Google Fixes More Chrome Zero-days
Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator
Cisco Fixes Vulnerability in IOS XR Software
Intel Fixes 95 Security Issues
Schneider Electric PLC Vulnerabilities
INTERNET STORM CENTER TECH CORNER
******************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.
- www.sans.org/specials/north-america/
New & Updated Courses
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment
- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
View all courses
- https://www.sans.org/cyber-security-courses/
Upcoming Live Online Events
SANS Cyber Defense Initiative 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america/
Free Resources
Tools, Posters, and more.
******************************************************************************
TOP OF THE NEWS
--Critical Healthcare Cybersecurity Incidents Abound
(November 11, 2020)
According to Health IT Security, Hendrick Health in Texas detected a threat that prompted it to shut down IT networks; the organization is operating under EHR (electronic health record) downtime procedures. Among other news in the article: Sonoma (California) Valley Hospital is operating under EHR downtime procedures a month after its network was hit with ransomware; Floridas Advanced Urgent Care is notifying patients that their personal information may have been compromised during a ransomware attack in March; and Minnesotas People Incorporated Mental Health Services notified 27,500 patients that their personal data were compromised following a phishing incident earlier this year.
[Editor Comments]
[Murray] Healthcare remains a target of both opportunity and choice. Increasing the cost, and reducing the surface, of attack in this industry is urgent.
Read more in:
Health IT Security: Security Threat Forces Hendrick Health to EHR Downtime Procedures
https://healthitsecurity.com/news/security-threat-forces-hendrick-health-to-ehr-downtime-procedures
--Australias Government Warns of SDBBot Activity Targeting Healthcare Sector
(November 13, 2020)
The Australian Cyber Security Centre (ACSC) has issued an alert warning that it observed increased targeting activity against the Australian Health sector. The threat actors have been using the SDBBot remote Access Tool (RAT) to move through networks and exfiltrate data. The ACSC notes that SDBBot is a known precursor of the Clop ransomware, and urges that all network owners review their controls against ransomware as per ACSCs publication Ransomware in Australia.
[Editor Comments]
[Murray] Patient care systems and applications should not be connected to the public networks.
Read more in:
cyber.gov.au: SDBBot Targeting Health Sector
https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector
cyber.gov.au: Ransomware in Australia
https://www.cyber.gov.au/acsc/view-all-content/publications/ransomware-australia
ZDNet: Australian government warns of possible ransomware attacks on health sector
******************************************************************************
THE REST OF THE WEEKS NEWS
--Microsoft: Use MFA That Doesnt Use Publicly Switched Phone Networks
(November 10 & 11 & 12, 2020)
Microsoft is urging organizations to use multi-factor authentication (MFA) that does not rely on publicly switched telephone networks. SMS and voice protocols were designed without encryption; one-time passcodes sent via SMS or voice can be intercepted. Encrypted authentication apps, like Microsoft Authenticator, Google Authenticator, and Cisco Duo Mobile provide better security.
[Editor Comments]
[Pescatore] The most important quote from the Microsoft blog post is the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population. Using the widely offered SMS-based 2FA options means a user is 1000 times less likely to have their credentials compromised. Before we start talking about more secure, but often single vendor-controlled alternatives, lets get that 1000x improvement in protection from phishing. If the apps (which are software written by vendors who are often issuing dozens of, often more than 100, applications patches per month) really do prove to be more secure, then the world can migrate to something more secure. I cant emphasize enough: the most important step is getting users away from reusable passwords.
[Neely] Implementing any form of MFA is a major improvement over a reusable password. Since you are able to forward SMS messages to your computer or other devices, using tools like Apple iMessage and Google Messages, interception is possible. Also, in the current environment, PSTN calls are also forwarded or otherwise re-routed, potentially exposing their data as well, as they are not encrypted end-to-end. Choose stronger authentication options such as the Microsoft Authenticator, Google Authenticator, prior to enabling SMS or voice verification options. Use a risk-based approach when selecting the authenticator strength for enterprise applications, which may lead you to require hard tokens for more sensitive data access, particularly when Internet accessible. NIST SP 800-63 provides guidance for selecting authenticator strength.
https://www.nist.gov/itl/tig/projects/special-publication-800-63
[Honan] MFA without doubt is a key layer of protection against accounts being hijacked. While the use of Authenticator Apps is the preferred method as recommended by Microsoft it is important to consider the challenge of rolling out such Apps across your user base, in particular for those users who dont have corporate devices and may be resistant to installing a corporate app onto their personal device. You should look not just at MFA to defend your systems but also include other elements in a zero trust model.
[Murray] Courtneys First Law: "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."
Read more in:
ZDNet: Microsoft urges users to stop using phone-based multi-factor authentication
The Register: Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped
https://www.theregister.com/2020/11/11/microsoft_mfa_warning/
Tech Community: It's Time to Hang Up on Phone Transports for Authentication
--Microsoft Patch Tuesday, and A New Format for the Security Update Guide
(November 10 & 11, 2020)
On Tuesday, November 10, Microsoft released fixes to address 112 vulnerabilities; one of the flaws is being actively exploited. The Windows Kernel Cryptography Driver vulnerability has been actively exploited in conjunction with a Chrome JavaScript engine RCE flaw to compromise vulnerable devices. With this monthly release, Microsoft has changed the format of its advisories. While the new format brings Microsofts advisories in line with those of other software vendors, it also eliminates some details that users have found useful.
[Editor Comments]
[Pescatore] Glad to see Microsoft finally joining the rest of the industry in standardizing on CVSS-based scoring. Next, they need to attack the issues around why enterprises seem to face obstacles to shortening Windows time to patch, even for the most critical vulnerabilities.
[Neely] While the change brings the notices in alignment with industry standards, evaluation information such as the scope, exploit path and consequences of exploit are no longer present, making it difficult to assess impact. Microsofts model is to apply all updates to end-user systems, such as Windows 10, and commodity servers; even so, have a good backup prior to updating, and regression test prior to deployment in production environments.
Read more in:
KrebsOnSecurity: Patch Tuesday, November 2020 Edition
https://krebsonsecurity.com/2020/11/patch-tuesday-november-2020-edition/
Threatpost: Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
https://threatpost.com/microsoft-patch-tuesday-critical-bugs/161098/
The Register: Microsoft emits 112 security hole fixesincluding the cure for a Google-disclosed kernel vuln exploited in the wild
https://www.theregister.com/2020/11/11/patch_tuesday_updates/
SC Magazine: Microsoft pushes 112 patches, which may cause management tools to buckle under pressure
SC Magazine: Bad move, plain and simple: Microsofts new bug reporting format draws criticism
MSRC: November 2020 Security Updates
https://msrc.microsoft.com/update-guide/releaseNote/2020-Nov
--Adobe November Patch Tuesday Fixes Three Flaws
(November 11, 2020)
Adobe has released fixes for three vulnerabilities affecting Adobe Connect and Adobe Reader Mobile. A pair of reflected cross-site scripting flaws in Adobe Connect could be exploited to allow arbitrary JavaScript execution in the browser. An improper access control vulnerability in Adobe Reader Mobile could be exploited to disclose information.
[Editor Comments]
[Neely] The Adobe Connect fix is categorized as priority 3, meaning you can patch it with your normal patching process as its neither a traditional target nor under active exploit. Even so, if youre leveraging Adobe Connect for collaboration, application of the patch with your November activities is a good idea. The Reader Mobile vulnerability is Android specific and also a priority 3, which normal app store application updates should be able to support.
Read more in:
ZDNet: Adobe releases new security fixes for Connect, Reader Mobile
https://www.zdnet.com/article/adobe-releases-new-security-fixes-for-connect-reader-mobile/
Bleeping Computer: Adobe releases security update for Adobe Reader for Android
Adobe: Security updates available for Adobe Connect | APSB20-69
https://helpx.adobe.com/security/products/connect/apsb20-69.html
Adobe: Security update available for Adobe Reader Mobile | APSB20-71
https://helpx.adobe.com/security/products/reader-mobile/apsb20-71.html
--Google Fixes More Chrome Zero-days
(November 11 & 12, 2020)
Google has fixed two more zero-day flaws in Chrome. One of the flaws is an inappropriate implementation in V8; the other is a use after free issue in Chrome Site Isolation. The vulnerabilities, which are being actively exploited, are resolved in Chrome 86.0.4240.198 for Windows, macOS, and Linux.
[Editor Comments]
[Neely] These are the fourth and fifth updates for Chrome in the last three weeks. Unlike the prior three flaws, these were externally discovered and reported. And like prior updates, they are accompanied by claims of active exploit which drives the need for expeditious deployment. Dont forget to make sure that your mobile users are updating as well.
Read more in:
Threatpost: 2 More Google Chrome Zero-Days Under Active Exploitation
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
ZDNet: Google patches two more Chrome zero-days
https://www.zdnet.com/article/google-patches-two-more-chrome-zero-days/
Security Week: Google Patches Two More Chrome Zero-Days Exploited in Attacks
https://www.securityweek.com/google-patches-two-more-chrome-zero-days-exploited-attacks
Bleeping Computer: Google fixes more Chrome zero-days exploited in the wild
--Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator
(November 11, 2020)
A trio of flaws affecting Silver Peaks Unity Orchestrator SD-WAN management platform could be combined to allow unauthenticated attackers to take over vulnerable networks. The flaws, an authentication bypass issue, a file delete path traversal issue, and an arbitrary SQL query execution issue, are resolved in Silver Peak Unity Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+.
Read more in:
Threatpost: Silver Peak SD-WAN Bugs Allow for Network Takeover
https://threatpost.com/silver-peak-sd-wan-bugs-network-takeover/161142/
Portswigger: Silver Peak addresses three-pronged RCE exploit in Unity Orchestrator
Silver Peak: Security Advisories
https://www.silver-peak.com/support/user-documentation/security-advisories
--Cisco Fixes Vulnerability in IOS XR Software
(November 11, 2020)
Cisco has released an update to address a vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers. The flaw could be exploited to cause a denial-of-service condition. The issue affects Cisco ASR 900 Series Aggregation Service Routers running IOS XR software earlier than versions 6.7.2 and 7.1.2.
Read more in:
Threatpost: High-Severity Cisco DoS Flaw Can Immobilize ASR Routers
https://threatpost.com/high-severity-cisco-dos-flaw-asr-routers/161115/
Cisco: Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xr-cp-dos-ej8VB9QY
--Intel Fixes 95 Security Issues
(November 10 & 11, 2020)
Intel released 40 security advisories on Tuesday, November 10. The advisories address a total of 95 vulnerabilities in a variety of its products. Critical flaws affect Intel Wireless Bluetooth products and Intel Active Management Technology.
Read more in:
Threatpost: Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs
https://threatpost.com/intel-update-critical-privilege-escalation-bugs/161087/
Bleeping Computer: Intel fixes 95 vulnerabilities in November 2020 Platform Update
Intel: Intel Product Security Center Advisories
https://www.intel.com/content/www/us/en/security-center/default.html
--Schneider Electric PLC Vulnerabilities
(November 12, 2020)
Two flaws in Schneider Electric Programmable Logic Controllers (PLCs) could be exploited to compromise vulnerable PLCs and from there, move through the network. The flaws affect Schneider EcoStruxure Machine Expert v1.0 PLC management software and firmware for Schneider M221 PLC, version 1.10.2.2.
[Editor Comments]
[Neely] The best mitigation is to protect PLCs by segregating them from unauthorized network access as they are not always engineered to handle general network traffic or probing.
Read more in:
Threatpost: Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks
https://threatpost.com/bugs-critical-infrastructure-gear-attacks/161164/
Security Week: Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs
se: Security Notification - Modicon M221 Programmable Logic Controller
https://www.se.com/ww/en/download/document/SEVD-2020-315-05/
******************************************************************************
1) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps" to gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the election and deployment of ExtraHop's Reveal(x) platform. | November 24 @ 1:00 PM EST
| http://www.sans.org/info/218170
2) Webcast | Join SANS Instructor, Matt Bromiley and Infoblox cybersecurity expert, Bob Hansmann for our upcoming webcast, "Supercharge IR with DDI Visibility" to learn how to enhance and supercharge your incident response process with tips you can implement right away | November 18 @ 12:00 PM EST
| http://www.sans.org/info/218175
3) Webcast | We invite you to join our upcoming Ask the Expert Session hosted by Axonius Director of Security, Daniel Trauner during our webcast titled, "What's This Thing? Solving Asset Management for Security Ops" | November 17 @ 2:00 PM EST
| http://www.sans.org/info/218180
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+November+2020+Patch+Tuesday/26778/
Traffic Analysis Quiz
https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+DESKTOPFX23IK5/26780/
Preventing Exposed Azure Blob Storage
https://isc.sans.edu/forums/diary/Preventing+Exposed+Azure+Blob+Storage/26786/
"Platypus" Attack against Intel SGX
Adobe Updates
https://helpx.adobe.com/security.html
Firefox Updates
https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/#CVE-2020-26950
Fingerprinting ADS-B Signals
Open Source Security Scorecards
https://github.com/ossf/scorecard
Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions
https://landave.io/2020/11/bitdefender-upx-unpacking-featuring-ten-memory-corruptions/
Ubuntu 20.04 Privilege Escalation
https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE
Apple Security Updates
https://support.apple.com/en-us/HT201222
DNS Cache Poisoning Attack Reloaded
https://dl.acm.org/doi/pdf/10.1145/3372297.3417280
Rebel Powell: Poisoned Postman; Detecting Manipulation of Compliance Features in a Microsoft Exchange Online Environment
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
