Everything old is still happening - May 15th - 21st, 2023 - F5 SIRT - This Week in Security

I, MegaZone, am once again your editor this week.  I hope you're doing well.  Sitting comfortably?  Good, let's see what this week brought us.

Some weeks just feel, not slow, but dull.  It is always fun to write (and read) about new and interesting events - at least from a distance; first had experience of 'exciting' events is a mixed blessing, at best.  It can be fun swapping 'war stories' with peers, but I think most of us would rather not have to live those stories in the first place.  Anyway, this week felt dull to me.  There were plenty of events and articles to review, but it all felt like things we've covered before.  The same issues we've all seen countless times - ransomware, breaches, compromised user data, etc.  

Sometimes working in Infosec feels like being stuck in a version of the film Groundhog Day.  It's just the same thing over and over and over.  Or maybe it's like being a modern day Sisyphus, forever trying to lift the level of security while it just keeps sliding back down.

Well, let's jump into it.  Last week Aaron wrote about malware of various sorts, including ransomware.  This week I'm going to express my exasperation with the subject.

Ransomware forever

I'm tired of reading about ransomware.  I'm tired of writing about ransomware.  I'm tired of dealing with ransomware.  I'm just tired of ransomware, period.  If you're reading this you probably have similar feelings.  Every week there are more attacks disclosed, more warnings issued, and often the same underlying causes.  Unpatched systems.  Gaps in anti-malware systems.  A user getting phished.  Next verse same as the first.

 I don't really have any clever insights on the subject.  We can't stop fighting the good fight and just allow attacks to proliferate.  But I don't see any end in sight as long as basic precautions such as timely patching, updated anti-malware systems, better network partitioning, disaster recovery planning, etc., continue to be lacking.  Security initiatives are often underfunded and there never seems to be enough resources to address all needs.  It certainly doesn't help when firms pay the ransom to restore operation, which just provides incentive for further attacks.  But somehow it is easier to justify paying out a ransom than spending the money upfront on prevention.  And so it is left to those in infosec to keep picking up the pieces.  It just gets pretty exasperating, doesn't it?

This is just a partial list of the ransomware related articles that came across my feeds in the past week:

• https://www.group-ib.com/blog/qilin-ransomware/
• https://www.silive.com/news/2023/05/richmond-university-medical-center-suffers-ransomware-attack-unclear-if-patient-info-compromised.html
• https://blog.talosintelligence.com/ra-group-ransomware/
• https://status.aloha.ncr.com/incidents/cnl38krr6n6b
• https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html
• https://www.scmagazine.com/news/ransomware/us-sanctions-russian-ransomware-operator-who-leaked-stolen-dc-police-data
• https://www.scmagazine.com/news/ransomware/fin7-cybergang-tied-to-april-papercut-attacks
• https://www.scmagazine.com/native/ransomware/akira-ransomware-is-bringin-1988-back
• https://www.scmagazine.com/news/ransomware/ransomware-resurgence-after-strange-year-in-2022-insurance-data-shows
• https://www.scmagazine.com/news/privacy/cyberattack-on-norton-health-spurs-long-waits-prescription-and-lab-delays
• https://thehackernews.com/2023/05/clr-sqlshell-malware-targets-ms-sql.html
• https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
• https://thehackernews.com/2023/05/new-ransomware-gang-ra-group-hits-us.html
• https://thehackernews.com/2023/05/inside-qilin-ransomware-affiliates-take.html
• https://thehackernews.com/2023/05/us-offers-10-million-bounty-for-capture.html
• https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.html
• ...and that's more than enough to make the point, I think.

It's a never ending firehose of ransomware.  At least it feels that way.

I have a slight hope, as I wrote in my last stint in the editor's seat, that increasing government regulation will make companies legally and financially responsible for their networks and services, as well as tightening requirements from insurance vendors.  Stop the payment of ransoms, increase the costs of attacks due to poor practices - thereby making the upfront investment a better business decision, etc.  We can't keep doing what we, collectively, have been doing and expect things to get better.  Infosec professionals can't keep jumping from crisis to crisis forever.

Physician, Heal Thyself!

Remember the good old days when threat actors had at least a little honor and would actively avoid the healthcare industry?  And if they accidentally hit a medical target, such as a hospital, they'd apologize and give out the recovery keys or the like?  Those were much more innocent days, and boy have times changed.  These days attackers are going after health care providers seemingly constantly, and patient medical records are fair game too.  This does seem to be in part because the healthcare industry has not kept up with infosec best practices, and it makes them a soft target.

The good news, if you can call it that, is that we are seeing an increase in legal action and regulatory penalties, which may spur increased investment in cybersecurity.  Of course, the penalties assessed still tend to pale compared to the profits made, which diminishes the motivation to improve.  Until penalties have a real impact on the bottom line I'm skeptical that we'll see real change, though some damaging lawsuits might add some encouragement.

• https://www.scmagazine.com/news/ransomware/5-82m-pharmerica-patients-stolen-accessed-cyberattack
• https://www.scmagazine.com/news/identity-and-access/ftc-to-crack-down-on-biometric-tech-health-app-data-privacy-violations
• https://www.scmagazine.com/news/application-security/ftc-says-fertility-app-premom-shared-user-health-data-with-third-parties
• https://www.scmagazine.com/news/compliance/medevolve-pays-ocr-350k-penalty-over-insufficient-hipaa-risk-analysis
• https://www.scmagazine.com/news/privacy/eyemed-fined-2-5m-after-security-deficiencies-spurred-2020-breach
• https://www.scmagazine.com/news/careers/train-rural-hospital-workforce-cybersecurity-needs

KeePass Master Password Risk

We've covered the LastPass breach extensively since last September - no one is still using it, right?  As users fled LastPass, one of the popular alternatives was, and is, KeePass.  Unfortunately, KeePass isn't immune to their own issues - though, thankfully, not on the scale that LastPass suffered.  The issue, documented as CVE-2023-32784, allows a malicious actor with access to the system running KeePass to obtain a user's master password via a memory dump.  It affects KeePass 2.x, and is fixed as of 2.54 - so update now if you haven't already.

This is not as severe an issue as the attacker would already need to have access to the user's machine, in which case they may be able to obtain the password through simpler means - such as a key logger - but it is something to be aware of.

• https://thehackernews.com/2023/05/keepass-exploit-allows-attackers-to.html
• https://www.cve.org/CVERecord?id=CVE-2023-32784
• https://nvd.nist.gov/vuln/detail/CVE-2023-32784
• https://vulcan.io/blog/how-to-fix-cve-2023-32784-in-keepass-password-manager/

CNAs Take Note!

As I covered in my groundbreaking, two-article series - Why We CVE and CVE: Who, What, Where, and When - F5 is a CVE Numbering Authority (CNA) and I'm deeply involved in both F5's vulnerability management activities and several CVE.org working groups.  I very much encourage other vendors, open-source programs, etc., to join the CVE program and even become a CNA.  It's not as hard as it might seem at first, and we're generally a friendly bunch.

Anyway, I'm using this soapbox to amplify a message from the CVE Program Secretariat - as of June 30th, 2023 all CNAs must be using CVE Services to reserve CVE IDs and publish new records.  The old, manual system will be shutting down after that date.  This shouldn't be a surprise to any CNAs who have been paying attention, as it has been in the pipeline for well over a year and mentioned many times, but now the deadline looms.  I know there are some dragging their feet - now is the time to get with it.  I personally recommend checking out Vulnogram (you can also install a local instance) and cvelib as useful tools for interacting with CVE Services.  There is also cveClient, but I don't have personal experience with that tool.

If you need assistance, I'd recommend joining the CNA Coordination Working Group (CNACWG) and getting help from peer CNAs via the mentor program, mailing list, Discord, etc.

• https://www.cve.org/AllResources/CveServices
• https://www.cve.org/ReportRequest/ReserveIDsPublishRecordsForCNAs
• https://vulnogram.github.io/#editor
• https://github.com/Vulnogram/Vulnogram
• https://github.com/RedHatProductSecurity/cvelib
• https://github.com/CERTCC/cveClient
• https://www.cve.org/ProgramOrganization/WorkingGroups#CNACoordinationWorkingGroupCNACWG

Until Next Time

If you're new to This Week In Security you can check out past issues.  You can also view the wider library of content published by the F5 SIRT, which covers a variety of subjects.

I'll see you again in seven weeks or so, as the carousel of editors turns.  Until then, take care.