Forescout Cyber Weekly Roundup
February 1, 2019

Colby Proffitt | February 1, 2019

Twitter: @proffitt_colby

The Forescout Cyber Roundup is a weekly blog series highlighting some of the previous week’s cyber headlines and explaining why they matter. Each article includes a closer look at the potential implications of the news or event, predictions about what might happen next and suggestions for all readers, from the C-suite to end users. Articles are ordered by date, not necessarily priority.

  1. Data of 14,200 Diagnosed with HIV in Singapore Leaked Online (January 28, 2019)
     https://www.zdnet.com/article/data-of-14200-diagnosed-with-hiv-in-singapore-leaked-online/

    Summary: An American living in Singapore has allegedly accessed and leaked the health records and personal data of more than 14,000 individuals diagnosed with HIV.

    Why it matters: The theft and disclosure of electronic health records (EHR) is a cyber scenario that often keeps CIOs, CROs, and CISOs in the healthcare industry awake at night. There have been multiple cases in recent years involving the accidental compromise of HIV data in the United States. In 2017, a health insurer mailed HIV information to 12,000 patients, but sensitive data was visible through the envelope windows. The incident resulted in class action lawsuit settlements and state attorneys general enforcement actions totaling at least $17 million to date. In 2011, records containing HIV information for 192 patients were left on a train by a Massachusetts General Hospital worker, resulting in a $1 million HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights. In 2018, an unsecured database containing information about thousands of HIV/AIDS patients in Nashville, Tennessee’s Metro Public Health Department was determined to be inappropriately accessible to all staff. In this most recent case, in which sensitive data was collected by the partner of an insider, it’s clear that in many cases the healthcare industry still lacks the necessary, basic procedures to limit, control and protect sensitive patient data—from a mandatory multi-person approval process for accessing data, to a ban on USB drives and other portable devices, to encryption that renders stolen or leaked data unintelligible. At the end of 2018, we predicted that major Public Health Information (PHI) breaches will continue, but that the attacks will get more personal and creative. Although right now it’s unclear whether the data thief has released the patient data, it’s likely that such data will be put up for sale on the dark web and eventually surface as a trove of information used in ransomware attacks or public extortion attempts, much like we recently saw in the Collection #1 data leak and the Collections 2-5 data leaks.

  2. Shutdown Might have Helped Government Cyber in Some Ways (January 30, 2019)
     https://www.politico.com/newsletters/morning-cybersecurity/2019/01/30/shutdown-might-have-helped-government-cyber-in-some-ways-494645

    Summary: While many have feared a negative impact and increased cybersecurity risks, recent research suggests that the government’s cyber posture actually improved on account of the shutdown.

    Why it matters: Last Friday, President Trump agreed to reopen the federal government for three weeks while negotiations continue. Although a sigh of relief for many, the shutdown had a massive impact—from furloughed employees who were forced to find alternative employment to Stop-Work orders that cost federal contractors as much as $200 million per day. Of the roughly 40,000 small government contractors, nearly one third lack the cash reserves to sustain business operations during the shutdown. Clearly, we’ll be feeling the shutdown ripples for the foreseeable future. There’s also been considerable concern about the government’s ability to maintain a strong cybersecurity posture during the shutdown. The Cybersecurity and Infrastructure Security Agency (CISA), which leads efforts to defend U.S. critical infrastructure, had almost 40% of its staff furloughed as a result of the shutdown. The impact at the Department of Defense (DoD) was not as severe because the department already had its 2019 budget in place, but many have worried that cyber adversaries would capitalize on the lack of cyber personnel and double their efforts to penetrate federal networks and systems. However, this recent research indicates that despite the shutdown, the government’s security posture actually improved. In two areas, patching and endpoint security, scores improved; the one area that worsened, network security, was likely due to normal variance over time. Quite simply, these improvements can be attributed—at least to a large degree—to the lack of personnel on the network. If employees aren’t connected, it’s far easier to protect your network. It’s hard to phish someone, for example, if they aren’t checking their email. While this story tries to find a silver lining in the shutdown—and perhaps in the short term security improved—the reality is that the shutdown is going to have much more severe consequences for the cyber posture of the federal government in the long term.

    TSA employees aren’t the only ones seeking new employment. Many federal cybersecurity staff are also looking for employment outside of the public sector, putting an additional strain on an already understaffed cyber workforce. At a recent congressional hearing, U.S. Director of National Intelligence Dan Coats warned that the cyber efforts of foreign actors are “likely to further intensify this year.” Given that, it’s imperative that the U.S. government make every effort to avoid shutdowns in the future. Some have gone so far as to suggest laws that would effectively ban government shutdowns.

  3. Hackers are Going after Cisco RV320/RV325 Routers Using a New Exploit (January 27, 2019)
     https://www.zdnet.com/article/hackers-are-going-after-cisco-rv320rv325-routers-using-a-new-exploit/

    Summary: Internet scans and exploitation attempts started last Friday after a proof-of-concept exploit for two Cisco router models was published.

    Why it matters: Admins of Cisco network infrastructure responded this week to a pair of new router vulnerabilities being exploited in the wild. The first, CVE-2019-1653, allows a remote attacker to retrieve sensitive device configuration details without a password. The second, CVE-2019-1652, allows a remote attacker to inject and run admin commands on the device without a password. Used together, they allow attackers to remotely take full control of the vulnerable devices. Cisco initially issued a workaround, which required an admin to change the access privilege level to 15/15 and replace the old password with a new, complex one. But, as always, it’s best to update the router firmware with the latest patches from Cisco. In 2018, we saw other Cisco zero days exploited by bad actors, such as CVE-2018-15454 (also see Forescout’s Security Policy Template (SPT) version 18.0.4). It’s only a matter of time before this latest exploit is leveraged by multiple bad actors, so it’s critical that security teams patch their impacted Cisco networking gear as quickly as possible.

  4. Japan to Survey 200 million Devices in Cybersecurity Push ahead of Tokyo 2020 Olympics (January 29, 2019)
     https://www.japantimes.co.jp/news/2019/01/29/business/japan-survey-200-million-gadgets-cybersecurity-push-ahead-tokyo-2020-olympics/#.XFMqE_ZFw2w

    Summary: The Japanese government is preparing a national sweep of some 200 million network-connected devices for cybersecurity lapses ahead of the 2020 Tokyo Olympic Games.

    Why it matters: The Japanese government is taking proactive measures to limit the possibility of a cyberattack, but for the efforts to truly be effective, the owners of the devices—mostly Internet Service Providers (ISPs)—will need to take additional action to purge the connected devices of malware and patch any vulnerabilities. Those additional actions, however, may require a considerable amount of time and extra resources, so it will be interesting to see how the ISPs respond. Previously, some ISPs have taken swift action to coordinate with government requests. Last year, the Nippon Telegraph and Telephone Corp. (NTT) rapidly agreed to block access to sites that provide unauthorized access to copyrighted content. Not surprisingly, NTT is a monopoly government-owned corporation, although the government did significantly reduce its volume of shares just last year. Other Japanese ISPs have traditionally taken a more measured approach and consulted with experts before taking action. Regardless, what we can hope is that the Japanese ISPs will capitalize on the government investment and take action to create a more secure cyber ecosystem in time for the 2020 Olympics.

  5. Splunk Enterprise Version 7.2.3 Authenticated Remote Reverse Shell Code Execution Exploit (January 24, 2019)
     https://packetstormsecurity.com/files/151328/splunkenterprise723-exec.txt

     Nagios XI Version 5.5.6 Suffers from Remote Code Execution and Privilege Escalation Vulnerabilities (January 23, 2019)
     https://packetstormsecurity.com/files/151296/nagiosxi556-execescalate.txt

    Summary: Security Operations Center (SOC) screens and information radiators needed a refresh last week, with two major remote code execution (RCE) vulnerabilities affecting Nagios XI and Splunk Enterprise.

    Why it matters: Countless SOCs leverage the two resources together to manage and secure enterprises with thousands of users and endpoints, and terabytes of sensitive or mission-critical data. Nagios XI is an enterprise server and network monitoring product used to monitor mission-critical infrastructure, applications, services, network protocols, operating systems—even in-house applications and systems. Similarly, Splunk Enterprise is a tool often used in tandem with Nagios XI to turn the data collected into meaningful, actionable intelligence and visualizations. These kinds of vulnerabilities, if exploited, might allow an attacker not only to access Splunk Enterprise and Nagios XI, but also to map the data, systems, applications and networks being monitored. Attacks on SIEM logging and analytics systems are interesting because of the context of the targeted end user (in this case, SOC analysts). The vulnerabilities recur because, like all parsers, systems designed to parse logs into structured data can become susceptible to command injection whenever a value from the input stream breaks out of its data context and is treated as code: the attacker does not need to reach the SIEM directly, only to get a crafted string into a log it ingests. As a result, attackers could ultimately see the weaknesses that the security team is trying to resolve, and either exploit them directly or document them for future attacks. We saw a similar proof-of-concept exploit last month with Elasticsearch, which, when combined with Logstash and Kibana, is used in a similar manner as Splunk for data processing and visualization assistance. Further, the last week brought us major vulnerabilities in Exchange and the Thunderbird email client, plus the Firefox and Chrome browsers, all of which serve as reminders that even the most defended SOC workstreams are exposed wherever they’re connected. Patching is a critical exercise not just for end users, but for SOC owners and operators as well.
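The data-to-code break-out described above, as an added example that is not part of the original post and is not code from Splunk, Nagios or Forescout: a small Python log-processing hook (the `key=value` line format, the function names and the two sample log lines are all constructed) that shows the vulnerable pattern, a log value spliced into a command string destined for a shell, beside the hardened form, which allowlists the value and hands the shell-free argv list to `subprocess`. It also carries the detection check a SOC would want, flagging any parsed field that contains shell metacharacters before the event goes anywhere near a command.

```python
import re
import shlex
import subprocess

# Constructed sample log lines (not from any real product); the second one
# carries a shell metacharacter in the host field, the classic break-out
# from data context into command context.
SAMPLE_LOGS = [
    "host=web01 status=down",
    "host=web02;id status=down",
]

# Allowlist: only characters that can legitimately appear in a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253})$")

# Characters that change meaning once a string reaches /bin/sh.
SHELL_METACHARS = set(";|&`$()<>\n\\\"'")


def parse_line(line):
    """Split a 'key=value key=value' line into a dict; tokens without '=' are dropped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def suspicious_fields(event):
    """Detection: names of fields whose values contain shell metacharacters."""
    return sorted(k for k, v in event.items() if set(v) & SHELL_METACHARS)


def build_command_unsafe(event):
    """Vulnerable pattern: the raw log value is interpolated into a command
    string that a caller would run with shell=True. The value 'web02;id'
    becomes two commands. The string is only built here, never executed."""
    return f"ping -c 1 {event['host']}"


def build_command_safe(event):
    """Hardened pattern: reject anything outside the allowlist and build an
    argv list, so no shell ever parses the value."""
    host = event["host"]
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host field: {host!r}")
    return ["ping", "-c", "1", host]


def run_check(argv):
    """Execute an argv list without a shell; metacharacters stay literal bytes."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        event = parse_line(line)
        flagged = suspicious_fields(event)
        if flagged:
            print(f"ALERT: shell metacharacters in fields {flagged}: {line!r}")
        print("unsafe command string:", build_command_unsafe(event))
        try:
            print("safe argv            :", shlex.join(build_command_safe(event)))
        except ValueError as exc:
            print("safe argv            :", exc)
```

`run_check` is the only place a process is spawned, and it is not called on the sample data so the script runs offline; the point is that it accepts an argv list rather than a string, which removes the shell from the path entirely. The allowlist check and the metacharacter detector are deliberately separate: the first belongs at the boundary where a value is about to become an argument, the second belongs in the ingestion pipeline, where a hit is itself a signal worth alerting on even if nothing downstream would have executed it.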