Top of The News
Cyber Security Leadership Resources: New ranges, scorecard poster, and more.
#Open Network Detection and Response (NDR) for Dummies. Open NDR can collect evidence from
your network to quickly resolve incidents or to embark on proactive threat-hunting missions.
Download your free copy here and improve how you understand your network, respond to attacks
and proactively protect your organization. | https://www.sans.org/info/221450
Attackers are actively exploiting an inadequately patched flaw in Microsoft Windows Installer to
gain admin rights on vulnerable systems. Microsoft released a fix for the medium-severity privilege
elevation flaw in November’s Patch Tuesday release, but the researcher who initially detected the
flaw has detected a more serious variant. The vulnerability affects all versions of Windows.
Editor's Note
[Ullrich]
Not much you can do about this right now. But remember that this is “just” a privilege escalation
flaw. Sadly, privilege escalation flaws are common enough to always assume that there are a few
being exploited for which no patch is available.
[Williams]
This is a great example of where vulnerability management and purple teams will provide value
added to the organization. The VM team should be on top of situations like this where a patch
doesn't completely remediate the vulnerability. The purple team should be ready to assist in
crafting detections that align with the organization's telemetry. For those with neither team, know
that this is a Local Privilege Escalation (LPE) vulnerability and can only be triggered by a threat
actor who already has gained execution on the system. It also poses increased risks for insider
threats who might seek to elevate their privileges.
[Neely]
The flaw allows for privilege escalation using an existing account. While the long-term fix is
another update from Microsoft, in the short term you can leverage the Snort rule SIDs 5865 and
58636 to block exploitation. Note these are in the Snort Subscriber Ruleset, not the free
Community Ruleset.
[Elgee]
Pen testers: it's good to exploit these types of flaws, but do consider what your recommendation
is beyond, “Implement patch when available.” What detections can you recommend? What
possible follow-on actions might defenders look for? Are there other compensating controls
(specific to their environment) that can lessen the frequency or severity of privilege escalation
vulnerabilities like this one?
- www.zdnet.com: Hackers are targeting this Microsoft Windows Installer flaw, say security researchers
Editor's Note
[Neely]
Exposing these systems directly to patients requires strong identity management practices, as
outlined in the guidance. While MFA is optional, there are risks to not implementing it: think
HIPAA violations and associated penalties. Prepare to federate authentication by leveraging OAuth
and OpenID Connect, monitor your API use, and respond to anomalous activity.
[Elgee]
Back in the early 2000's, the firewall was a mark of the rise of infosec. Firewalls separated friends
from enemies – and weak defenders from strong. Now that “identity is the new perimeter,”
secure, easy-to-use identity solutions are becoming a new mark. As traditional
username:password continues to disappoint, what technology will fit your organization well?
[Murray]
In an attempt to avoid being overly prescriptive, HIPAA required covered entities to do risk
assessments that they were poorly equipped to do. One effect was to retard the adoption of
electronic health records by a generation.
- h-isac.org: Identity, Interoperability, Patient Access, and the 21st Century Cures Act: A Health-ISAC Guide for CISOs (PDF)
Editor's Note
[Williams]
It's easy to joke about the limited impact of eliminating universal default passwords, but the
impact is substantial. Just last week NewsBites reported on a DNS rebinding vulnerability in Sky
routers that allowed full device takeover. But this was only possible because of universal default
passwords. I'm also excited about the prospect of increasing transparency, but that's much harder
to measure and only time will tell how this is implemented.
[Ullrich]
A number of governments have put forward initiatives to make it easier for consumers to
recognize secure devices. This is the first one I am aware of that spells out mandatory
requirements to be allowed to sell devices. I like the idea to put the responsibility at the
manufacturer instead of the consumer. It is no longer the consumer failing to change default
passwords, but it calls manufacturers out for delivering devices with common default passwords.
My wishlist for IoT security also includes well-defined "end of support" dates.
[Neely]
While the legislation is likely to be modified before final passage, imposing fines for
non-compliance with security standards should help motivate vendors to meet the required minimums.
What is needed is equivalent standards in multiple countries to raise the bar across the board.
[Pescatore]
This is a small but important step forward. These few requirements will not make IoT fully secure
but they establish an important floor, kind of like restaurants being required to at least have
working refrigerators and rodent control systems or they can be shut down. Doesn’t mean the
food can’t still be poisonous but people are still safer for it.
Read more in:
Sponsored Links
NEW SURVEY | Take a Custom Survey - OT/ICS Security Survey: Securing Data vs. Critical
Infrastructure, written by Dean Parsons for your chance to win a $250 Amazon gift card! | Survey
closes December 13th | https://www.sans.org/info/221455
Attend SOCReload21 on December 1st to hear from speakers including SANS’ Chris Crowley &
David Bianco. Register to attend! | https://www.sans.org/info/221460
Upcoming Webcast: Applying AI & Automation to Protect Your (the) Internet Attack Surface |
December 2nd at 10:30AM ET | https://www.sans.org/info/221465
A buggy patch has caused problems for Microsoft Defender for Endpoint on some Windows Server
devices. Users running Windows Server 2019 devices with update KB5007206 or later and
Windows Server 2022 devices with update KB5007205 or later installed have reported that
Microsoft Defender for Endpoint will not launch.
Editor's Note
[Neely]
Good News/Bad News: The Good News is this doesn’t impact desktop or other non-server
Windows distributions; the Bad News is the problematic patch only affects Windows Server
systems running the Windows Defender service. If you’re using a different endpoint protection
service, you’re not impacted. Note that if you are using Windows Server versions for desktop
virtualization, such as AWS Workspaces, you should make sure you’ve got another endpoint
protection service running.
The UK’s Ministry of Justice has disabled several Wi-Fi access points that were inadequately
secured. The access points could have been used to gain access to industrial control systems (ICS)
that manage boiler pumps in the Royal Courts of Justice. The access points did not require
passwords and led to an ICS login page. The Ministry of Justice was alerted to the problem by
British tech news website The Register.
Editor's Note
[Williams]
I want to be surprised, but I can't be. This sounds like it is really part of a building management
network, a specific type of ICS. Unfortunately, in most cases building management networks are
installed and configured by vendors and maintained by staff that are more comfortable with a
wrench than a command prompt. It is not at all uncommon to discover building management
networks very poorly secured. Work with your organization to determine how your connected
building management systems fall under the purview of the cybersecurity team. If not, make a
strong case to secure them. When the proverbial poop hits the fan (or a threat actor just turns the
fans off), it *will* be considered a cybersecurity problem.
[Neely]
These interfaces were intended to allow for remote management and optimization of the system.
While wireless control is often a provided component, it must be secured during deployment. The
added problem is many ICS/IoT systems have default credentials, which are published in
documentation which is generally accessible online. In short, make sure that your wireless
interfaces are securely configured, and that you change default credentials. Verify these
credentials and configuration remain set after a reboot or power cycle.
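The post-deployment check Neely describes (confirm the vendor defaults are rejected, confirm the site's own credentials still work, repeat after every reboot or power cycle) can be scripted. The block below is an added example, not code from NewsBites or from any editor; the device URL, the default-credential list, the site account "ops" and its passphrase, and the HTTP Basic-auth login are all assumptions, and a tiny in-process HTTP server stands in for a real building-management controller so the check runs offline.

```python
"""Added example: verify an ICS/BMS web login still rejects vendor default
credentials and still accepts the site's own credentials. A constructed
in-process HTTP server stands in for the device so this runs offline."""
import base64
import threading
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed: vendor-documented defaults for the hypothetical controller.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "1234"), ("root", "root")]
# Assumed: the account and passphrase set at commissioning time.
SITE_USER, SITE_PASSWORD = "ops", "L0ng-site-passphrase"


def _basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def login_accepted(url, user, password, timeout=5):
    """True if the device accepts user:password over HTTP Basic auth."""
    req = Request(url, headers=_basic_header(user, password))
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise  # anything else (500, etc.) is a real problem, not a result


def check_device(url, site_user, site_password):
    """Findings for one device: which defaults still work, and whether the
    site credentials still work (i.e. the config survived a power cycle)."""
    still_accepted = [(u, p) for u, p in DEFAULT_CREDENTIALS if login_accepted(url, u, p)]
    return {
        "defaults_still_accepted": still_accepted,
        "site_credentials_work": login_accepted(url, site_user, site_password),
    }


# --- constructed stand-in for a BMS login page (not a real product) ---
class _FakeController(BaseHTTPRequestHandler):
    def __init__(self, *args, accepted, **kwargs):
        self.accepted = accepted  # set before super().__init__ handles the request
        super().__init__(*args, **kwargs)

    def do_GET(self):
        if self.headers.get("Authorization") in self.accepted:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"boiler pump status: ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="bms"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_controller(accepted_pairs):
    accepted = {_basic_header(u, p)["Authorization"] for u, p in accepted_pairs}
    server = HTTPServer(("127.0.0.1", 0), partial(_FakeController, accepted=accepted))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def demo():
    """Run the check against a hardened device and against one that came
    back from a power cycle in factory state (site account gone)."""
    scenarios = {
        "hardened": [(SITE_USER, SITE_PASSWORD)],
        "reverted_after_power_cycle": [("admin", "admin")],
    }
    findings = {}
    for label, accepted in scenarios.items():
        server, url = start_fake_controller(accepted)
        try:
            findings[label] = check_device(url, SITE_USER, SITE_PASSWORD)
        finally:
            server.shutdown()
            server.server_close()
    return findings


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In practice, replace the stand-in server with the real controller's login URL and adapt `login_accepted` to the device's actual login mechanism (many use a form post rather than Basic auth); schedule the check so that a device which silently reverts to factory credentials after a power cycle is caught before anyone else finds it.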
Danish wind turbine manufacturer Vestas has confirmed that a November 19 cyberattack was in
fact ransomware. The company says that most of its IT systems are now operational.
Editor's Note
[Neely]
Vestas is still recovering from the incident, so don’t expect a full recounting until that completes
and the incident investigation completes. Research by Coveware shows the average downtime
from ransomware to be 16.2 days and the average payment to be $140,000 in Bitcoin.
- www.theregister.com: Wind turbine maker Vestas confirms recent security incident was ransomware
Singapore’s DBS Bank experienced outages last week that prevented customers from accessing
their online accounts. The Monetary Authority of Singapore “expects DBS to conduct a thorough
investigation to identify the root causes and implement the necessary remedial measures,” and
will determine what “supervisory actions” to take after that assessment is complete.