Here is our cyber security news round-up of the week:
The SolarWinds ‘Sunburst’ critical supply chain compromise
On 13 December, the security firm FireEye released the details of a sophisticated manual supply chain attack that affects SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 (with no hotfix installed) or 2020.2 HF 1. The Washington Post reported that APT29 – aka Russian hacking group Cozy Bear – is the main suspect behind the incident, though this has not yet been validated by FireEye.
Read more here: Massive cyber attack on US government and companies underway
The threat actors were able to incorporate a malicious “SolarWinds.Orion.Core.BusinessLayer.dll”, dubbed Sunburst, into the SolarWinds Orion software distribution, and the trojanised component carried a legitimate SolarWinds digital signature. The malicious .dll remains dormant for up to two weeks, after which it connects to one of several command-and-control servers, from which it can receive “jobs” covering activities such as file transfer, file execution, system enumeration and more.
After initial compromise, the threat actors use the remote access tools and valid credentials already available within the environment so that their activity blends in with legitimate traffic. Additional tooling has also been deployed: Teardrop, an in-memory-only dropper, was used in this campaign to pull a custom build of Cobalt Strike onto affected systems. SolarWinds recommends updating to Orion version 2020.2.2, which was made available on Tuesday 15 December.
Cisco Talos has summarised the vulnerabilities most likely to be exploited by the red-team tools stolen from FireEye, and has published them alongside the products they affect: CVE-2019-11510 (Pulse Secure), CVE-2020-1472 (Windows Netlogon), CVE-2018-13379 (Fortinet FortiOS), CVE-2018-15961 (Adobe ColdFusion), CVE-2019-0604 (Microsoft SharePoint), CVE-2019-0708 (Microsoft Remote Desktop Services), CVE-2019-11580 (Atlassian Crowd and Crowd Data Center), CVE-2019-19781 (Citrix Application Delivery Controller and Citrix Gateway), CVE-2020-10189 (Zoho ManageEngine Desktop Central), CVE-2014-1812 (Group Policy implementation in Microsoft Windows), CVE-2019-3398 (Confluence Server and Data Center), CVE-2020-0688 (Microsoft Exchange), CVE-2016-0167 (Microsoft Windows), CVE-2017-11774 (Microsoft Outlook), CVE-2018-8581 (Microsoft Exchange Server), and CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus).
Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive directing all US federal agencies to review their networks for signs of compromise and disconnect all SolarWinds products immediately. The NCSC issued a statement and guidance on immediate actions for organisations using SolarWinds.
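The two facts a defender can act on immediately from the advisory above are the three affected Orion builds and the name of the trojanised DLL. The script below is an added triage example (not code from SolarWinds, FireEye, CISA or QA) that takes a constructed asset inventory of Orion hosts, normalises version strings such as "2020.2 HF 1" and flags any host that runs an affected build or carries a file named SolarWinds.Orion.Core.BusinessLayer.dll. The page publishes no file hashes, so the script deliberately does not pretend to identify the malicious DLL: a file with that name is expected in an Orion install, and the finding is only a prompt to verify its hash and signature against the vendor's published indicators. The inventory, host names and paths are all made up for the example.

```python
"""Triage helper for the SolarWinds Orion 'Sunburst' advisory (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Builds named as affected in the advisory: (base version, hotfix number).
# "2020.2 with no hotfix" is represented as hotfix 0.
AFFECTED_BUILDS = {("2019.4", 5), ("2020.2", 0), ("2020.2", 1)}
FIXED_VERSION = "2020.2.2"
SUNBURST_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Accepts "2020.2", "2020.2 HF 1", "2019.4 HF5", "2020.2.2" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d(?:\.\d)?)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> tuple[str, int]:
    """Normalise a reported Orion version string to (base, hotfix)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def is_affected_build(text: str) -> bool:
    """True when the version string is one of the three builds the advisory names."""
    return parse_orion_version(text) in AFFECTED_BUILDS


@dataclass
class Host:
    name: str
    orion_version: str
    dlls: list[str] = field(default_factory=list)  # full paths found on disk


@dataclass
class Finding:
    host: str
    reasons: list[str]


def _basename(path: str) -> str:
    # Split on either separator so Windows paths work when run on Linux.
    return re.split(r"[\\/]", path)[-1]


def triage(hosts: list[Host]) -> list[Finding]:
    """Return one Finding per host that needs attention, with the reasons why."""
    findings: list[Finding] = []
    for h in hosts:
        reasons: list[str] = []
        try:
            affected = is_affected_build(h.orion_version)
        except ValueError as exc:
            reasons.append(f"version unparsable ({exc}); inspect manually")
            affected = False
        if affected:
            reasons.append(f"runs affected build {h.orion_version.strip()}; upgrade to {FIXED_VERSION}")
        if any(_basename(d).lower() == SUNBURST_DLL.lower() for d in h.dlls):
            # Name match only: verify hash and Authenticode signature against vendor IoCs.
            reasons.append(f"{SUNBURST_DLL} present; verify hash/signature against published indicators")
        if reasons:
            findings.append(Finding(h.name, reasons))
    return findings


# Constructed sample inventory (hypothetical hosts, versions and paths).
SAMPLE_HOSTS = [
    Host("orion-prod-01", "2020.2 HF 1",
         [r"C:\Program Files\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"]),
    Host("orion-lab-02", "2019.4 HF 5", []),
    Host("orion-patched-03", FIXED_VERSION,
         [r"C:\Program Files\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"]),
    Host("orion-old-04", "2019.2 HF 3", []),
]


def run_sample() -> list[Finding]:
    """Run triage over the constructed inventory."""
    return triage(SAMPLE_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.host)
        for r in f.reasons:
            print("  -", r)
```

Feeding it a real inventory means replacing SAMPLE_HOSTS with whatever your CMDB or endpoint agent exports; the version parser is the part most likely to need adjustment, since Orion version strings differ between the installer, the web console and registry entries.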
TCP/IP stack vulnerabilities dubbed AMNESIA:33
Forescout uncovered 33 vulnerabilities across four open-source TCP/IP stacks (uIP, FNET, PicoTCP, and Nut/Net), affecting IoT, OT, and IT devices from at least 150 vendors. Like the Ripple20 vulnerabilities disclosed by JSOF in June, the full scope of AMNESIA:33 is difficult to quantify, since the stacks are widely distributed and are integrated and modified by individual vendors themselves. Many devices will likely remain unpatched for this reason.
26 of the flaws could trigger a denial-of-service condition, five could leak potentially sensitive information, two could lead to DNS cache poisoning, and four can be used to achieve remote code execution. Four of the flaws are deemed critical, although the researchers note that the consequences of the vulnerabilities vary widely depending on the circumstances. (A denial-of-service flaw, for example, can be much more serious in an OT environment.) CISA published an advisory to raise awareness around the existence of these vulnerabilities and identify mitigations meant to reduce the risks associated with them.
D-Link routers vulnerable to attack
Multiple wireless routers manufactured by networking hardware supplier D-Link, which has acknowledged the risk, have been found vulnerable to a remotely exploitable root command injection flaw, according to researchers at vulnerability management and threat assessment firm Digital Defense. The company's research team (VRT) found the previously undisclosed bug in four D-Link products: the DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers running firmware versions 3.14 and 3.17.
Although pitched at small and medium-sized enterprises (SMEs) first and foremost, the affected devices are commonly sold on consumer websites and e-commerce sites. Given the rise in remote working during the pandemic, it is possible that many people are connecting into a corporate network using one of the affected devices. The vulnerable component in the devices can be accessed without authentication and is exploitable over the internet from both WAN and LAN interfaces. As such, the researchers said, a remote, unauthenticated attacker who had access to the router’s web interface could execute arbitrary commands as root, giving them control of the router.
Poor security exposes millions of medical images online
In a new research report released today, the analyst team at CybelAngel, a global leader in digital risk protection, reports that more than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers. The Full Body Exposure report is the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data. The analysts discovered that millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.
The tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK and Germany. The analysts found that openly available medical images, including up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored to business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. He is responsible for the QA cyber portfolio, products, proposition and cyber partner community, and has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation that underpins 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM and CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, and is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor of cyber insights and to industry collaboration, including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security, providing a unique perspective on the world of cyber security to teachers and encouraging young people to consider a career in the field.