by Les Bell - Tuesday, 6 December 2022, 9:44 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Remember Ping of Death? You Are Not Alone

Many years ago, systems which used code from the BSD TCP/IP stack - which was most OSes of the era, including Windows - were plagued by a buffer overflow in the IP fragment reassembly code which would instantly crash the targeted system. This exploit was nicknamed the 'Ping of Death'. Now FreeBSD users are having a sense of déjà vu, as they come to grips with a buffer overflow in the ping utility.

In order to process the ICMP echo reply (or error) responses it receives, ping has to reconstruct the received IP header, its ICMP payload and - if there is one - the IP and ICMP headers of the error-generating datagram, which is carried as the payload of the ICMP error message itself. To do this, it calls a pr_pack() function which - and here's the vulnerability - fails to allow for any IP header options in either of the two IP headers. If options are present, the result is that the destination buffer is overflowed by up to 40 bytes - and those bytes could be carrying shellcode. Can you spell RCE? I knew you could!
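As an added illustration (this is not FreeBSD's pr_pack() code), a minimal C sketch of the sizing defect the advisory describes beside its defensive counterpart: the IHL nibble, not the 20-byte fixed header, decides how much a copy must hold, and both the outer header and the quoted inner header need the check. The sample packet is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HDR_MIN   20  /* header with no options (sizeof(struct ip)) */
#define IP_HDR_MAX   60  /* IHL is 4 bits, so at most 15 * 4 bytes     */
#define ICMP_HDR_LEN 8   /* type, code, checksum, id/sequence           */
/* Header length announced by the IHL nibble (low 4 bits of byte 0). */
size_t ip_hlen(const uint8_t *ip) { return (size_t)(ip[0] & 0x0f) * 4; }
/* The defect pattern: copying ip_hlen() bytes into a buffer sized for the
 * 20-byte fixed header. Returns how far that copy would run past its end. */
size_t unchecked_overrun(const uint8_t *ip)
{
    size_t h = ip_hlen(ip);
    return h > IP_HDR_MIN ? h - IP_HDR_MIN : 0;
}
/* Hardened extraction: validates the IHL against the spec minimum and the
 * bytes actually received, copies only the fixed part into the fixed-size
 * buffer and reports the option length separately. 0 on success, else -1. */
int extract_ip_header(uint8_t fixed[IP_HDR_MIN], size_t *optlen,
                      const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < IP_HDR_MIN) return -1;
    size_t h = ip_hlen(pkt);
    if (h < IP_HDR_MIN || h > pktlen) return -1;  /* IHL < 5 is invalid */
    memcpy(fixed, pkt, IP_HDR_MIN);
    *optlen = h - IP_HDR_MIN;
    return 0;
}

/* Walk an ICMP error: outer IP header, ICMP header, quoted inner IP header.
 * Returns the larger option length (the worst-case overrun of the unchecked
 * copy, never more than 40), or -1 if any length check fails. */
int check_icmp_error(const uint8_t *pkt, size_t pktlen)
{
    uint8_t fixed[IP_HDR_MIN];
    size_t outer_opt, inner_opt, off;
    if (extract_ip_header(fixed, &outer_opt, pkt, pktlen) < 0) return -1;
    off = IP_HDR_MIN + outer_opt + ICMP_HDR_LEN;
    if (off > pktlen) return -1;                  /* no room for ICMP header */
    if (extract_ip_header(fixed, &inner_opt, pkt + off, pktlen - off) < 0) return -1;
    return (int)(outer_opt > inner_opt ? outer_opt : inner_opt);
}

/* Constructed sample (not a captured packet): outer header carrying 40 bytes
 * of options, ICMP Time Exceeded, quoted inner header with no options. */
const uint8_t sample_pkt[IP_HDR_MAX + ICMP_HDR_LEN + IP_HDR_MIN] = {
    [0] = 0x4f, [60] = 11, [68] = 0x45 };
const uint8_t bad_ihl_pkt[IP_HDR_MIN] = { [0] = 0x43 };  /* IHL 3: invalid */
```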

But it gets better: because ping uses ICMP, it has to make use of a raw socket to work, and this requires root privileges - so it runs as a SetUID executable; in other words, as root. The saving grace is that the ping process runs in a capability mode sandbox on the affected versions of FreeBSD, and is thus very constrained in how it can interact with the rest of the system. But it's surprising what an ingenious attacker can achieve from such a tenuous toehold on a targeted system.

There is no workaround, and all supported versions of FreeBSD are affected. The fix is to upgrade to a supported version dated after 2022-11-29 23:00 UTC, approximately - see the security advisory for full details.

Uncredited, Stack overflow in ping(8), security advisory, 29 November 2022. Available online at https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc.

Chinese Hackers Stole Tens of Millions of Dollars of US COVID Relief Funding

According to the US Secret Service, hackers associated with the Chinese government stole at least $US20 million in US COVID relief benefits, including Small Business Administration loans and unemployment insurance funds. The theft was performed by APT41, aka Winnti, a threat actor that splits its efforts between financially motivated cybercrime on its own behalf and cyber-espionage for the Chinese government.

Several members of APT41 were indicted by the Department of Justice for espionage operations, with Deputy Attorney General Jeffrey Rosen commenting at the time, "Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China".

Bing, Christopher, Chinese hackers stole millions worth of U.S. COVID relief money, Secret Service says, Reuters, 6 December 2022. Available online at https://www.reuters.com/technology/chinese-hackers-stole-millions-worth-us-covid-relief-money-secret-service-says-2022-12-05/.

Healthcare Ransomware Attacks Escalating

Ransomware attacks on hospitals, health insurers and other parts of the healthcare sector are steadily increasing and it seems likely that this will become one of the major security trends of 2023.

Last week, it was the turn of New Zealand health insurance company Accuro, which announced that it had lost access to its systems - which seems to be code for ransomware - and while it had no evidence of personal health information being exfiltrated, it could not rule it out. The previous month, patient data stolen from NZ GP network Pinnacle Health was posted on the web. And, of course, I need not mention Medibank.

Most recently, a hospital complex in Versailles, in the suburbs of Paris, had to cancel operations and transfer some patients because of a cyberattack, according to the French health ministry. The Hospital Centre of Versailles, which consists of Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, had to shut down its computer systems, internet access and phone systems due to what appears to be a ransomware attack.

Extra staff had to be called in to the intensive care unit because, although the equipment there was still working, it was not connected to the network, and doctors had to rely on people watching the screens. Six patients in total had to be transferred - three from intensive care and three from the neonatal unit - said the Minister, François Braun, during a visit to the hospital.

Many other French hospitals have been attacked. The same hospital had successfully defended itself against previous attacks, but back in August the Corbeil-Essonnes hospital, also on the outskirts of Paris, was disrupted for several weeks by a ransomware attack. Although a $US10 million ransom was demanded in that case, it would not be paid, since the French government has legislated to make ransom payments illegal.

AFP, French hospital suspends operations after cyber attacks, France 24, 5 December 2022. Available online at https://www.france24.com/en/france/20221205-french-hospital-suspends-operations-after-cyber-attacks.

Palo Alto Introduces Medical IoT Security

In the cases above, the key equipment was not affected - only the networks and computers. But network-connected medical equipment such as infusion pumps, imaging devices (X-ray, MRI and CT scanners) and even more basic ECG monitors are increasingly based on embedded microcontrollers or computers - in many cases, even running COTS operating systems.

In fact, according to Palo Alto Networks' Unit 42 Threat Research, 75% of infusion pumps they studied had at least one vulnerability or threw up a security alert, while 51% of X-ray machines had a high-severity vulnerability (CVE-2019-11687). 44% of CT scanners and 31% of MRI machines had high-severity exposures and - not really a surprise - 20% of common imaging devices were running an unsupported version of Windows.

Seeing an obvious market opportunity - not to mention a need - Palo Alto has introduced a new Medical IoT Security product which will assess all devices and guide network segmentation to enforce the principle of least privilege, using machine learning. There's lots of other functionality, including ensuring data residency requirements in various countries are met, regulatory compliance, device vulnerability management and automated response to anomalies.

It will be interesting to see how this pans out. According to medical professionals I have spoken to, they often need privileges in excess of their normal roles in order to respond to patient emergencies, and so attempts to tightly lock down medical information systems can be terribly counter-productive. But, as the previous story shows, the opposite approach doesn't work either. Finding the 'sweet spot' is going to be a difficult process.

Xu Zou, The Medical IoT Security To Depend on When Lives Depend on You, blog post, 5 December 2022. Available online at https://www.paloaltonetworks.com/blog/2022/12/medical-iot-security-to-depend-on/.

Koppel, R., Smith, S., Blythe, J., & Kothari, V., Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?, in Driving Quality in Informatics: Fulfilling the Promise, 2015, vol. 208, pp. 215–220.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.