
Top of The News

Windows Installer Flaw is Being Actively Exploited

Health-ISAC Guidance on Identity-Centric Approach to Cybersecurity

Proposed UK Legislation Aims to Improve IoT Device Security

The Rest of the Week's News

Problematic Patch Impacts Microsoft Defender for Endpoint

UK Ministry of Justice Disables Poorly Protected ICS Wi-Fi Access Points

Vestas Says Cyberattack Was Ransomware

DBS Bank Suffers Intermittent Outages

Maritime Services Company Suffers Cyberattack

CISA Publishes Mobile Device Cybersecurity Checklist for Organizations

GAO: CISA Needs to Assess Effectiveness of Communications Sector Programs

Internet Storm Center Tech Corner

Cybersecurity Training Update

New & Updated Courses

SEC401: Security Essentials – Network, Endpoint, and Cloud (Cert: GSEC)

SEC488: Cloud Security Essentials (GCLD)

MGT521: Security Leadership Essentials for Managers (Cert: GSLC)

View all Courses

Upcoming Live Training Events

SANS Security East 2022 | Jan 17-22

Live Online | US Eastern Time

Cyber Defense, ICS Security, Leadership & More


Cyber Threat Intelligence Summit & Training 2022

Summit: Jan 27-28 | Courses: Jan 31 - Feb 5

Register Now | Free Virtual Summit

Register Now | Bethesda, MD

SANS San Diego 2022 | Feb 7-12

Live Online or in San Diego, CA

Cloud Security, DFIR, Offensive Ops & More

Cyber Security Leadership Resources: New ranges, scorecard poster, and more.

Free technical content sponsored by Corelight

Open Network Detection and Response (NDR) for Dummies. Open NDR can collect evidence from your network to quickly resolve incidents or to embark on proactive threat-hunting missions. Download your free copy here and improve how you understand your network, respond to attacks and proactively protect your organization. | https://www.sans.org/info/221450

Top of the News

Windows Installer Flaw is Being Actively Exploited

(November 23, 24, & 26, 2021)

Attackers are actively exploiting an incompletely patched privilege-escalation flaw in Microsoft Windows Installer to gain administrator rights on vulnerable systems. Microsoft shipped a fix for the medium-severity elevation-of-privilege flaw in its November Patch Tuesday release, but the researcher who originally reported it found that the patch can be bypassed and has demonstrated a more serious variant. The vulnerability affects all versions of Windows.

Editor's Note

[Ullrich]
Not much you can do about this right now. But remember that this is “just” a privilege escalation flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few being exploited for which no patch is available.

[Williams]

This is a great example of where vulnerability management and purple teams will provide value
added to the organization. The VM team should be on top of situations like this where a patch
doesn't completely remediate the vulnerability. The purple team should be ready to assist in
crafting detections that align with the organization's telemetry. For those with neither team, know
that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat
actor who already has gained execution on the system. It also poses increased risks for insider
threats who might seek to elevate their privileges.

[Neely]

The flaw allows for privilege escalation using an existing account. While the long-term fix is another update from Microsoft, in the short term you can leverage the Snort rule SIDs 5865 and 58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free Community Ruleset.

[Elgee]

Pen testers: it's good to exploit these types of flaws, but do consider what your recommendation
is beyond, “Implement patch when available.” What detections can you recommend? What
possible follow-on actions might defenders look for? Are there other compensating controls
(specific to their environment) that can lessen the frequency or severity of privilege escalation
vulnerabilities like this one?

Read more in:

- blog.talosintelligence.com: Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage

- threatpost.com: Attackers Actively Target Windows Installer Zero-Day

- www.zdnet.com: Hackers are targeting this Microsoft Windows Installer flaw, say security
researchers

Health-ISAC Guidance on Identity-Centric Approach to Cybersecurity

(November 23 & 29, 2021)


New guidance from the Health Information Sharing and Analysis Center (Health-ISAC) describes an identity-centric approach to cybersecurity that helps health care organizations comply with 21st Century Cures Act requirements without introducing new vulnerabilities. The 21st Century Cures Act requires healthcare organizations to expose new APIs built on the Fast Healthcare Interoperability Resources (FHIR) standard so that electronic health data can be exchanged between systems. Recent research has raised security concerns about the FHIR API ecosystem.

Editor's Note

[Neely]

Exposing these systems directly to patients requires strong identity management practices, as outlined in the guidance. While MFA is optional, there are risks to not implementing it: think HIPAA violations and associated penalties. Prepare to federate authentication by leveraging OAuth and OpenID Connect, monitor your API use, and respond to anomalous activity.

[Elgee]

Back in the early 2000s, the firewall was a mark of the rise of infosec. Firewalls separated friends from enemies – and weak defenders from strong. Now that “identity is the new perimeter,” secure, easy-to-use identity solutions are becoming a new mark. As traditional username:password continues to disappoint, what technology will fit your organization well?

[Murray]

In an attempt to avoid being overly prescriptive, HIPAA required covered entities to do risk
assessments that they were poorly equipped to do. One effect was to retard the adoption of
electronic health records by a generation.

Read more in:

- h-isac.org: Identity, Interoperability, Patient Access, and the 21st Century Cures Act: A Health-ISAC Guide for CISOs (PDF)

- healthitsecurity.com: H-ISAC Releases CISO Guide for Identity-Centric Data Sharing

- www.scmagazine.com: H-ISAC shares guide for identity-centric data sharing approach
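The guidance and the editors' notes above point at OAuth/OpenID Connect bearer tokens as the gate in front of a FHIR API. The following is an added example, written for this newsletter and not taken from the Health-ISAC guide or from any FHIR server, of what that gate has to check on every request: signature with a pinned algorithm, issuer, audience, validity window, and then least privilege (a SMART-style scope such as "patient/Observation.read" plus the patient context the token was issued for, so a valid token for one patient cannot read another patient's records). The issuer URL, audience, shared secret, claim names and scope format are assumptions for the example; a federated deployment would verify an RS256/ES256 signature against the issuer's published JWKS instead of an HS256 shared secret, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed deployment values (constructed for this example, not from the guidance).
ISSUER = "https://auth.example-hospital.test"
AUDIENCE = "https://fhir.example-hospital.test/r4"
SECRET = b"constructed-demo-secret-not-for-production"


class TokenError(Exception):
    """Any reason a bearer token, or the request it carries, must be refused."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint a JWT; stands in for the authorization server. alg="none" exists only
    so the verifier below can be shown rejecting an unsigned, forged token."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts).encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_token(token: str, now: Optional[float] = None, secret: bytes = SECRET) -> dict:
    """Check the signature first, then issuer, audience and validity window."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64url, or bad JSON
        raise TokenError("malformed token")
    # Pin the algorithm server-side: honouring the header's alg is how
    # "alg":"none" and key-confusion forgeries slip past verifiers.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % (header.get("alg"),))
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:
        raise TokenError("malformed claims")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or has no expiry")
    if claims.get("nbf", 0) > now:
        raise TokenError("token not yet valid")
    return claims


def scope_permits(claims: dict, resource_type: str, action: str, patient_id: str) -> bool:
    """Least privilege per request: the token's patient context must match the
    record requested, and a scope like "patient/Observation.read" or
    "patient/*.read" must cover the resource type and action (assumed format)."""
    if claims.get("patient") != patient_id:
        return False
    for scope in str(claims.get("scope", "")).split():
        if "/" not in scope or "." not in scope:
            continue  # e.g. "openid", "launch/patient": not resource scopes
        context, rest = scope.split("/", 1)
        resource, act = rest.rsplit(".", 1)
        if context == "patient" and resource in ("*", resource_type) and act in ("*", action):
            return True
    return False


def decision(token: str, resource_type: str, action: str, patient_id: str,
             now: Optional[float] = None) -> str:
    """Gate for one FHIR request: "allow", or "deny: <reason>" for the audit log."""
    try:
        claims = verify_token(token, now=now)
        if not scope_permits(claims, resource_type, action, patient_id):
            raise TokenError("scope does not cover %s %s for %s"
                             % (action, resource_type, patient_id))
    except TokenError as e:
        return "deny: %s" % e
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value so the run is reproducible
    token = issue_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-42",
                         "patient": "pat-123", "scope": "patient/Observation.read",
                         "iat": t0, "exp": t0 + 300})
    print(decision(token, "Observation", "read", "pat-123", now=t0 + 10))   # -> allow
    print(decision(token, "Observation", "read", "pat-999", now=t0 + 10))   # -> deny: scope does not cover read Observation for pat-999
    print(decision(token, "Observation", "read", "pat-123", now=t0 + 600))  # -> deny: token expired or has no expiry
```

The deny reasons are deliberately specific because they are what you feed to the monitoring the guidance calls for: a burst of "wrong issuer" or "bad signature" decisions, or one client repeatedly denied for other patients' records, is the anomalous API activity worth responding to.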

Proposed UK Legislation Aims to Improve IoT Device Security

(November 25, 2021)


Proposed legislation in the UK would establish mandatory security standards for Internet of Things
(IoT) devices. The Product Security and Telecommunications Infrastructure Bill would apply to IoT
manufacturers, importers, and distributors. The bill would let “the government … ban universal
default passwords, force firms to be transparent to customers about what they are doing to fix
security flaws in connectable products, and create a better public reporting system for
vulnerabilities found in those products.”

Editor's Note

[Williams]

It's easy to joke about the limited impact of eliminating universal default passwords, but the
impact is substantial. Just last week NewsBites reported on a DNS rebinding vulnerability in Sky
routers that allowed full device takeover. But this was only possible because of universal default
passwords. I'm also excited about the prospect of increasing transparency, but that's much harder
to measure and only time will tell how this is implemented.

[Ullrich]

A number of governments have put forward initiatives to make it easier for consumers to recognize secure devices. This is the first one I am aware of that spells out mandatory requirements to be allowed to sell devices. I like the idea of putting the responsibility on the manufacturer instead of the consumer. It no longer blames the consumer for failing to change default passwords, but calls manufacturers out for delivering devices with common default passwords. My wishlist for IoT security also includes well-defined "end of support" dates.

[Neely]

While the legislation is likely to be modified before final passage, imposing fines for non-compliance with security standards should help motivate vendors to meet the required minimums. What is needed are equivalent standards in multiple countries to raise the bar across the board.

[Pescatore]

This is a small but important step forward. These few requirements will not make IoT fully secure
but they establish an important floor, kind of like restaurants being required to at least have
working refrigerators and rodent control systems or they can be shut down. Doesn’t mean the
food can’t still be poisonous but people are still safer for it.

Read more in:

- www.govinfosecurity.com: UK Legislation Seeks Mandatory Security Standards for IoT

Sponsored Links

NEW SURVEY | Take a Custom Survey - OT/ICS Security Survey: Securing Data vs. Critical
Infrastructure, written by Dean Parsons for your chance to win a $250 Amazon gift card! | Survey
closes December 13th | https://www.sans.org/info/221455

Attend SOCReload21 on December 1st to hear from speakers including SANS’ Chris Crowley &
David Bianco. Register to attend! | https://www.sans.org/info/221460

Upcoming Webcast: Applying AI & Automation to Protect Your (the) Internet Attack Surface |
December 2nd at 10:30AM ET | https://www.sans.org/info/221465

The Rest of the Week's News

Problematic Patch Impacts Microsoft Defender for Endpoint

(November 25 & 26, 2021)

A problematic update has broken Microsoft Defender for Endpoint on some Windows Server systems. Administrators report that on Windows Server 2019 with update KB5007206 or later, and on Windows Server 2022 with update KB5007205 or later, Microsoft Defender for Endpoint fails to start.

Editor's Note

[Neely]

Good News/Bad News: The Good News is this doesn’t impact desktop or other non-server
Windows distributions; the Bad News is the problematic patch only affects Windows Server
systems running the Windows Defender service. If you’re using a different endpoint protection
service, you’re not impacted. Note that if you are using Windows Server versions for desktop
virtualization, such as AWS Workspaces, you should make sure you’ve got another endpoint
protection service running.

Read more in:

- www.theregister.com: Microsoft Defender for Endpoint laid low. Not by malware, but by another buggy Windows patch

- www.bleepingcomputer.com: Microsoft Defender for Endpoint fails to start on Windows Server

UK Ministry of Justice Disables Poorly Protected ICS Wi-Fi Access Points

(November 23, 2021)

The UK’s Ministry of Justice has disabled several Wi-Fi access points that were inadequately
secured. The access points could have been used to gain access to industrial control systems (ICS)
that manage boiler pumps in the Royal Courts of Justice. The access points did not require
passwords and led to an ICS login page. The Ministry of Justice was alerted to the problem by
British tech news website The Register.

Editor's Note

[Williams]

I want to be surprised, but I can't be. This sounds like it is really part of a building management
network, a specific type of ICS. Unfortunately, in most cases building management networks are
installed and configured by vendors and maintained by staff that are more comfortable with a
wrench than a command prompt. It is not at all uncommon to discover building management
networks very poorly secured. Work with your organization to determine how your connected
building management systems fall under the purview of the cybersecurity team. If not, make a
strong case to secure them. When the proverbial poop hits the fan (or a threat actor just turns the
fans off), it *will* be considered a cybersecurity problem.

[Neely]

These interfaces were intended to allow for remote management and optimization of the system. While wireless control is often a provided component, it must be secured during deployment. The added problem is that many ICS/IoT systems have default credentials, which are published in documentation that is generally accessible online. In short, make sure that your wireless interfaces are securely configured and that you change default credentials. Verify that these credentials and configuration remain set after a reboot or power cycle.

Read more in:

- www.theregister.com: UK Ministry of Justice secures HVAC systems 'protected' by passwordless Wi-Fi after Register tipoff

Vestas Says Cyberattack Was Ransomware

(November 29, 2021)

Danish wind turbine manufacturer Vestas has confirmed that a November 19 cyberattack was in
fact ransomware. The company says that most of its IT systems are now operational.

Editor's Note

[Neely]

Vestas is still recovering from the incident, so don’t expect a full recounting until that completes and the incident investigation completes. Research by Coveware shows the average downtime from ransomware to be 16.2 days and the average payment to be $140,000 in Bitcoin.

Read more in:

- www.vestas.com: Second update on cyber incident

- www.theregister.com: Wind turbine maker Vestas confirms recent security incident was
ransomware

DBS Bank Suffers Intermittent Outages

(November 24 & 26, 2021)

Singapore’s DBS Bank experienced outages last week that prevented customers from accessing
their online accounts. The Monetary Authority of Singapore “expects DBS to conduct a thorough
investigation to identify the root causes and implement the necessary remedial measures,” and
will determine what “supervisory actions” to take after that assessment is complete.
