SANS Institute: NewsBites Vol 24, Num 35

 

SANS NewsBites - Annotated News Update from the Leader in Information Security Training, Certification and Research
May 3, 2022 | Vol. 24, Num. 35
Top of The News
  • India’s CERT Requires Fast Reporting of Cyber Incidents
  • Microsoft Patches Flaws in Azure PostgreSQL Database
  • Breach Reporting Rules for US Banks Now in Effect
The Rest of the Week's News
  • Google Expands Types of Data Users Can Have Removed from Search Results
  • Netatalk Vulnerabilities Affect Synology and QNAP NAS Devices
  • Espionage Threat Actor Targets Corporate Emails
  • US Legislators Introduce Satellite Cybersecurity Companion Bill
  • April Updates
Internet Storm Center Tech Corner
Cybersecurity Training Update

New Courses -- Available Now
SEC401: Security Essentials - Network, Endpoint, and Cloud (Cert: GSEC)
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis (Cert: GOSI)
SEC504: Hacker Tools, Techniques, and Incident Handling (Cert: GCIH)


Upcoming Live Training Events

Register early to save up to $300
 
SANS ICS Security Summit & Training 2022
SANS and Dragos CtF: June 1
Summit: June 2-3 | Training: June 4-9
Orlando, FL & Live Online

SANS Dallas 2022 | June 6-11
Live Online or in Dallas, TX
14 Courses | Cyber Defense NetWars

SANSFIRE 2022 | July 11-16
Live Online or in Washington, DC
25+ Courses | Two NetWars Tournaments


Cyber Defense Resources: Webcasts, papers, and more.

 
 
Free technical content sponsored by Dragos, Inc.
Free Webinar | Dragos Platform – Improving OT Threat Visibility on CHERNOVITE’s PIPEDREAM | The recent CISA Alert (AA22-103A) highlights a new threat to ICS/OT environments, analyzed and presented by Dragos as PIPEDREAM. It serves as a reminder of how stealthy and subtle industrial malware toolkits can be. On the May 17 webinar, we’ll recap PIPEDREAM malware capabilities, and demonstrate how the Dragos Platform identifies impacted assets, tracks vulnerabilities, and detects any potential current PIPEDREAM activity or past signs of malicious behavior. Register now | https://www.sans.org/info/222760
Top of the News
India’s CERT Requires Fast Reporting of Cyber Incidents
(April 29 & May 2, 2022)
 
New guidelines from India’s Computer Emergency Response Team (CERT-In) require companies, data centers, service providers, and government agencies to report cyber incidents within six hours of detection. The covered organizations will also be required to maintain ICT system logs for a rolling period of 180 days and be prepared to submit them to CERT-In if requested. The new requirements take effect in late June.
 
Editor's Note

[Pescatore]
There are a lot of flaws in this one. Simple example: “targeted” scanning/probing of networks is included in the incidents that need to be reported, which means a flood of incident reports of low value. Reporting in six hours is obviously a tough requirement, but the CERT-In reporting form has a lot of free-form text and FAX is OK for submission! So, reams of data flowing in but analysis can’t keep up – no increase in security. Large libraries of unread books do not make us smarter.

[Ullrich]
This regulation appears to be overly ambitious, and the author lacks the basic competence required to draft such a regulation. The broad definition of reportable incidents and the short reporting deadline will lead to a flood of meaningless reports. Requiring long log retention times without specifying what to log will incentivize organizations to enable less verbose logs. You will end up with more but less meaningful logs.

[Neely]
The timeline is short: 60 days. Twenty incident types are listed with a six-hour reporting window, along with requirements to use their specified NTP service. While having a consistent time source is critical for correlation and aggregation, and you should make sure you're using a reliable NTP source, simply requiring use of a known authoritative service would be preferable to limiting the country to a single choice. The big tasks will be getting clarification of all the reporting requirements as well as establishing the communication channels and relationships needed. The reporting window is unusually small; GDPR uses 72 hours and the US is asking for 24 hours. Irrespective of the window size, make sure you know what needs reporting and how.

[Frost]
It seems like a very grand plan, with very few specific details set to be rolled out within the next 60 days. I don’t think this is realistic and to say it’s ambitious is an understatement. Specifically, just attempting to retain 180 days’ worth of logs will be difficult with all the supply chain shortages. Considering that a single firewall in a decent-sized enterprise will create several gigabytes of daily logs, I can’t imagine how many potential terabytes of records will be required to be retained from here on out in one of the most densely populated countries in the world. The other issue is what would constitute both an incident and detection. If companies decide to report to comply, CERT-In could potentially be seeing a large percentage of reported detections of false-positive or low priority events. How would the CERT-In triage a large influx of reports? Instead of systematically bringing up the regulations, CERT-In wants to collect as much data as possible and sort it out later. We know that this doesn’t typically end well. Maybe it would be ideal to buy storage now, ahead of the rush?

Read more in:
- www.theregister.com: India gives local techies 60 days to hit 6-hour deadline for infosec incident reporting
- www.darkreading.com: New Regulations in India Require Orgs to Report Cyber Incidents Within 6 Hours
Microsoft Patches Flaws in Azure PostgreSQL Database
(April 28 & 29, 2022)
 
Microsoft has fixed two vulnerabilities in the Azure Database for PostgreSQL Flexible Server. The flaws could be exploited to obtain elevated privileges and access other customers’ databases. Wiz researchers reported the issues to Microsoft in January. Microsoft has addressed the issues; no action is needed by customers.
 
Editor's Note

[Ullrich]
Privilege escalation flaws are very difficult to prevent and dangerous for on-premises systems. But for cloud providers, a simple privilege escalation flaw is deadly as it destroys the illusion of cross-tenant isolation of data.

[Neely]
Microsoft patched the databases on February 25th, so you're covered. They recommend setting up private network access to flexible servers to minimize further exposure. Fundamentally, make sure that you're not needlessly exposing access to services; leverage security services and options to also monitor access to ensure protections are what you think they are. Read the Wiz research blog (www.wiz.io: Wiz Research discovers "ExtraReplica" — a cross-account database vulnerability in Azure PostgreSQL) for more details on the ExtraReplica flaw.

[Frost]
While, on the surface, this seems to be tragic, I guess the real question is how prevalent the PostgreSQL Flexible Server deployment is going to be. Having a system with a disclosed vulnerability in your cloud service provider is a double-edged sword. While there was a privilege escalation flaw in PostgreSQL, because this is a cloud provider each PostgreSQL instance can be patched and remediated without the user necessarily worrying about it. With on-premises software, we often see that it is the case that servers go unpatched. The question is a tricky one to weigh in on. Cloud-hosted and shared infrastructure vs. on-premises and private. Which one is safer, less risky, or more secure? Is it better or worse than it is cloud-hosted? Only time will tell.

Read more in:
- msrc-blog.microsoft.com: Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution
- www.scmagazine.com: Microsoft fixes vulnerability in Azure Database for PostgreSQL Flexible Server
- thehackernews.com: Microsoft Azure Vulnerability Exposes PostgreSQL Databases to Other Customers
Breach Reporting Rules for US Banks Now in Effect
(April 29, 2022)
 
As of May 1, US banks are required to notify regulators of computer security incidents within 36 hours of detection. “A collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency” passed the rule in November 2021.
 
Editor's Note

[Pescatore]
The FDIC currently requires incident reporting within 72 hours of detection, so this is a significant move forward. But the FDIC, along with the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency, took input from industry and narrowed the definition of what constitutes a “notification incident” to those that actually caused some harm – probing/scanning would not qualify. A 36-hour response will be tough for many, but the financial sector certainly needs the toughest requirements.

[Neely]
Essentially, if you're a federally insured or regulated financial institution, this applies. Make sure that you review your agency-specific guidance for reporting and note the examples of incidents that were released to clarify the initially overly vague 'Computer-Security Incident' in the initial legislation. Expect your examiners to verify that you have both the notification and definition of what you need to report. As other organizations (CISA, DHS, etc.) are looking for incident reporting, it'd be a good idea to make sure you know what that would mean if you're required to comply, to include what information you would rather not share and establishing the relationship required for reporting or assistance.

Read more in:
- www.govinfosecurity.com: New US Breach Reporting Rules for Banks Take Effect May 1
- www.fdic.gov: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
Sponsored Links
Securing Your Cloud Environment with EDR/NDR | EDR and NDRs, everyone’s got a few. But are you using them to protect your AWS footprint? Join SANS Instructor Matt Bromiley on May 18th to get answers to this question and more as he dissects the responsibilities, challenges, and implementation best practices for arming your Amazon EC2 instances with VDR capabilities. Register Now: https://www.sans.org/info/222765

CloudSecNext Bonus Session - The Role of Automation in Amplifying Your Cloud Incident Response Strategy | Today - Tuesday, May 3rd at 3:25PM EDT | https://www.sans.org/info/222770

CloudSecNext Bonus Session - How 2021’s Cloud threats Have Matured Our Security Strategy | Wednesday, May 4th at 3:35PM EDT | https://www.sans.org/info/222775
The Rest of the Week's News
Google Expands Types of Data Users Can Have Removed from Search Results
(May 1 & 2, 2022)
 
Google now allows people to remove more personally identifiable information (PII) from search results. Google has previously allowed people to request that their financial information be removed from search results; now they can have their contact information removed as well.
 
Editor's Note

[Honan]
This has been a right, known as the “right to erasure” or more commonly referred to as the “right to be forgotten,” to those based in the EU and covered by the EU General Data Protection Regulation (GDPR). A key point to note is that while the personal data is removed from the search results, the data is still available on the sites hosting that data. Under GDPR, individuals also need to exercise their right to erasure with the sites hosting their personal data.

[Neely]
With more privacy legislation including the "right to be forgotten," knowing how to exercise that right is important, and the process varies by service. Be sure you understand the process and limitations available. Google outlines the process and limits of what they will do on their help page: support.google.com: Remove select personally identifiable info (PII) or doxxing content from Google Search

Read more in:
- www.bleepingcomputer.com: Google fights doxxing with updated personal info removal policy
- www.cnet.com: How to Stop Google From Showing Your Personal Info in Search Results
- techcrunch.com: How to remove your personal information from Google search results
Netatalk Vulnerabilities Affect Synology and QNAP NAS Devices
(April 28 & 29, 2022)
 
Critical vulnerabilities in Netatalk, the open-source implementation of the Apple Filing Protocol (AFP) file server, affect certain QNAP and Synology network attached storage (NAS) devices. The flaws could be exploited to access sensitive data and potentially execute arbitrary code.
 
Editor's Note

[Ullrich]
Not a terribly big deal. Disable Netatalk (it is no longer needed) and apply patches as they become available. This affects many Linux-based network storage systems. Synology and QNAP are just two of them responsible enough to release an advisory.

[Neely]
Patch your NAS and make sure it's not exposed to the Internet. Remove unneeded apps and user accounts, and watch for unexpected additions. Ideally, don’t allow SMB or AFP through your boundary; require a VPN for access. If you must allow the direct connection, only allow it from trusted devices.

Read more in:
- www.bleepingcomputer.com: Synology warns of critical Netatalk bugs in multiple products
- www.darkreading.com: Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack
- www.synology.com: Synology-SA-22:06 Netatalk
Espionage Threat Actor Targets Corporate Emails
(May 2, 2022)
 
Researchers from Mandiant have identified a new espionage threat actor that they have dubbed UNC3524. The group “targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions.” The threat actors have been observed maintaining dwell time of up to 18 months.
 
Editor's Note

[Frost]
This interesting attack group leverages typically unmonitored systems for their ingress and egress point. Smart move. Most companies do not realize how vulnerable and easy it is to leverage these systems for C2. There are three things to look for in the article: the command channel for the attacker group, how they leverage EWS On-Premises, and the mention of the Mandiant M365 Hardening Guides. My advice for those considering keeping on-premises servers: don't.

Read more in:
- www.mandiant.com: UNC3524: Eye Spy on Your Email
- www.bleepingcomputer.com: Cyberspies use IP cameras to deploy backdoors, steal Exchange emails
US Legislators Introduce Satellite Cybersecurity Companion Bill
(April 29 & May 2, 2022)
 
Companion legislation introduced in the US House of Representatives would direct agencies to help improve network cybersecurity for the commercial satellite sector. The Satellite Cybersecurity Act would “require a report on Federal support to the cybersecurity of commercial satellite systems [and] establish a commercial satellite system cybersecurity clearinghouse in the Cybersecurity and Infrastructure Security Agency.”
 
Editor's Note

[Neely]
Having standards should help suppliers design for an appropriate level of security. Making them voluntary may be a double-edged sword if the goal is to raise the bar consistently across the board. The trick will be adding security to existing satellites, often not sized or otherwise equipped to add that workload. One hopes that industry input can be gathered during an RFC comment period for the new standards to make them both relevant and achievable.

Read more in:
- www.meritalk.com: House Members Debut Satellite Cybersecurity Companion Bill
- www.scmagazine.com: Congress wants to study the cybersecurity of satellites after Viasat hack
April Updates
(April 29, 2022)
 
April 2022 saw a slew of security updates, including fixes for iOS, iPadOS and macOS; patches for Android; several updates for Chrome; Oracle’s quarterly Critical Patch Update; Microsoft’s Patch Tuesday; a fix for Mozilla Firefox and Thunderbird; and an update to address a critical vulnerability in the WordPress Elementor plug-in.
 
Editor's Note

[Neely]
While we've been focused on OS and browser updates, make sure we don't overlook the other update actions needed. While many users can be trusted to keep mobile devices and apps they care about updated, verify they are indeed keeping to a defined timeline and not just kicking the can down the road. If you don't have published timelines, and enforcement for keeping systems updated, get that done post-haste. Also, make sure you aren't missing less publicized updates such as the Android April update and Apple's updates beyond iOS, iPadOS and macOS.

Read more in:
- www.wired.com: You Need to Update iOS, Android, and Chrome Right Now
Internet Storm Center Tech Corner
Using Passive DNS Sources for Reconnaissance and Enumeration
https://isc.sans.edu

Detecting VSTO Office Files with ExifTool
https://isc.sans.edu

The Gmail SMTP Relay Service Exploit
https://www.avanan.com

SonicWall Global VPN Client DLL Search Order Hijacking
https://psirt.global.sonicwall.com

OpenSSF Package Analysis
https://openssf.org

M1 Prefetcher Data Leak
https://www.prefetchers.info

Microsoft Edge Secure Network
https://support.microsoft.com

Sina Weibo Making Users' IPs and Location Public
https://www.theregister.com

Zoom Updated
https://explore.zoom.us

 
 

The Editorial Board of SANS NewsBites

Brian Honan
David Hoelzer
Ed Skoudis
Gal Shpantzer
Jake Williams
Dr. Johannes Ullrich
Lance Spitzner
William Hugh Murray
John Pescatore
Lee Neely
Mark Weatherford
Rob Lee
Shawn Henry
Stephen Northcutt
Suzanne Vautrinot
Tom Liston

 
SANS Institute
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852
