SANS NewsBites

SolarWinds Updates; Mobile Device Emulators in Massive Bank Account Theft; DoJ Seizes Fake COVID Domains

December 22, 2020  |  Volume XXII - Issue #100

Top of the News


2020-12-18

SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse

SolarWinds has updated its US Securities and Exchange Commission (SEC) Form 8-K filing to provide additional information about the supply-chain breach. The Cybersecurity and Infrastructure Security Agency (CISA) revised its alert to include information about additional initial access vectors, an updated list of IOCs, and the National Security Agency's (NSA) advisory about hackers abusing authentication mechanisms.

Editor's Note

The use of SAML to support federated authentication has been a huge enabler for cloud services, and also to allow for alternative authentication mechanisms including SSO, MFA, as well as changing the authentication requirement based on location. Attackers are using forged SAML tokens to access your cloud services, particularly email systems, but also any insourced applications using federated authentication. This is done either by stealing the private key which signs SAML authentication tokens, or by obtaining sufficient privileges to create new trust relationships. Verify the security configuration of federated authentication components and monitor for any malicious behavior. Talk to your cloud service providers about their use of SolarWinds and their response plans, if any.

Lee Neely
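One way to act on the advice above to verify and monitor federated authentication, as an added example that is not from the editor or from any vendor: a triage check over SAML 2.0 assertions that flags a signing-certificate thumbprint outside your IdP's known set and assertion lifetimes beyond policy. It does not verify the XML signature itself (that needs an xmlsec library), and a token forged with the IdP's stolen key passes the thumbprint test, so correlate findings with IdP sign-in logs as well. The trusted thumbprint, the lifetime policy and both sample assertions are constructed for the demo.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Hypothetical allowlist: SHA-256 thumbprints of the certificate(s) your IdP
# really signs with. The value here is constructed for the demo.
TRUSTED_SIGNER_SHA256 = {hashlib.sha256(b"constructed-idp-signing-cert-der").hexdigest()}
MAX_ASSERTION_LIFETIME = timedelta(hours=1)  # hypothetical IdP policy

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def check_assertion(xml_text):
    """Return triage findings for one SAML 2.0 Assertion (empty list = nothing odd)."""
    findings = []
    assertion = ET.fromstring(xml_text)
    cert_el = assertion.find(".//ds:X509Certificate", NS)
    if cert_el is None:
        findings.append("no signing certificate embedded in assertion")
    else:
        der = base64.b64decode("".join(cert_el.text.split()))
        if hashlib.sha256(der).hexdigest() not in TRUSTED_SIGNER_SHA256:
            findings.append("signed by a certificate that is not the IdP's known signer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
        if lifetime > MAX_ASSERTION_LIFETIME:
            findings.append(f"valid for {lifetime}, longer than IdP policy allows")
    return findings

def sample(cert_b64, not_before, not_after):
    # Constructed, minimal assertion; real ones carry a full ds:Signature and Subject.
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer>'
            '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            f'{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
            '</saml:Assertion>')

GOOD_CERT = base64.b64encode(b"constructed-idp-signing-cert-der").decode()
ROGUE_CERT = base64.b64encode(b"constructed-attacker-cert-der").decode()
NORMAL = sample(GOOD_CERT, "2020-12-21T10:00:00Z", "2020-12-21T10:05:00Z")
SUSPECT = sample(ROGUE_CERT, "2020-12-21T10:00:00Z", "2021-12-21T10:00:00Z")
```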

2020-12-21

SolarWinds: Victims Include US Treasury Dept., VMware, Cisco

The SolarWinds supply chain attack was used to compromise email accounts at the US Treasury Department. The hackers were able to gain access to the email accounts after taking control of the Treasury Department's single sign-on cryptographic key. Other victims of the attack include the US Department of Homeland Security, the Department of Energy, VMware, Cisco, and Intel, as well as a hospital, a university, technology and accounting companies, and a "very, very large" as-yet unnamed telecommunications company. (Please note that the WSJ story is behind a paywall.)

Editor's Note

When considering the impact of email account compromise, look beyond BEC to other services, such as file, meeting, and collaboration services protected by the same authentication tokens. Verify trust relationships used with federated authentication are genuine, and that they are also verifying their security.

Lee Neely

A key lesson from this supply chain compromise is that defensive controls by themselves are not enough. No matter how robust they are, you also need good and effective detective and responsive controls in place. Do not think of your defensive controls as ways to stop attackers but as ways to detect an attacker fast enough and delay the attacker long enough for you to respond to them.

Brian Honan

While all SolarWinds customers must be assumed to have been compromised, many are not immediate targets. All should apply updates, assume that there are now backdoors on their networks, and attempt to isolate the backdoors with "zero trust" strategies on a timely basis. These strategies are indicated for most large enterprises in any case.

William Hugh Murray

2020-12-21

SolarWinds: Hackers May Have Conducted a Test Run Last Fall

FireEye's Kevin Mandia says there is evidence the SolarWinds hackers tried a test run last fall. A code change in the Orion platform in October 2019 "was innocuous code. It was not a backdoor."

Editor's Note

As the discovered depth of compromise of SolarWinds systems increases, it becomes prudent to consider all versions of SolarWinds Orion as suspect, including copies deployed on isolated or air-gapped networks; follow CISA guidelines for response and mitigation. https://us-cert.cisa.gov/ncas/alerts/aa20-352a#mitigations

Lee Neely

2020-12-17

Mobile Device Emulator Farms Used in Massive Bank Account Theft

Researchers with IBM Trusteer have "discovered a major mobile banking fraud operation" that drained millions from bank accounts. With "an infrastructure of mobile device emulators to set up thousands of spoofed devices," the thieves used previously compromised online banking account access credentials to steal funds from bank accounts in the US and the EU.

Editor's Note

This attack involved fraudulent credential reuse. Both bankers and their customers should require strong authentication on mobile banking apps. This should include the use of device identifiers that are difficult to mimic.

William Hugh Murray

2020-12-21

DoJ Seizes Fake COVID Domains

The US Department of Justice (DoJ) has seized domains that were being used to impersonate pharmaceutical companies involved in COVID-19 treatments. The domains, which were spoofing Moderna and Regeneron, were being used to harvest personal information of site visitors.

The Rest of the Week's News


2020-12-21

Dell Issues Fixes for Critical Flaws in Wyse ThinOS

Dell has released updates to address a pair of critical vulnerabilities in its Dell Wyse ThinOS. The flaws affect all Dell Wyse Thin Clients running ThinOS versions 8.6 and earlier. The vulnerabilities could be exploited to remotely execute code and access files. Both vulnerabilities received CVSS scores of 10. Researchers at CyberMDX detected the flaws and reported them to Dell in June 2020.

Editor's Note

While customers should expect security representations from vendors, history suggests that they be taken with a grain of salt. Vendors making such claims should specify the limits of the remedy that they will offer when they fail to meet their security goals.

William Hugh Murray

2020-12-21

iOS "Zero-Click" Exploit Used to Infect Journalists' Phones

Earlier this year, state-backed attackers placed spyware on 36 personal phones that belonged to Al Jazeera journalists and other employees of the news channel. According to University of Toronto's Citizen Lab, "[t]he phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage."

Editor's Note

The mitigation is to update to iOS 14. This attack was very targeted, and leveraged zero-click infection vectors, making it both harder to detect, and harder to prevent, as there was no user action required. Even so, enable on-device protection mechanisms to block or filter unknown senders to prevent messages from being processed.

Lee Neely

It appears that this attack was narrowly focused, required a lot of special knowledge, but no special privileges. Current versions of iOS are not vulnerable to this attack, but it seems clear that iOS is a continuing target, at least in part because it is relied upon by so many for so much.

William Hugh Murray

2021-02-05

Browser Makers Ban Kazakhstan's Traffic Interception Certificate

Major browser makers have blocked a root certificate that Kazakhstan's government is requiring users to install. The certificate allows the Kazakh government to intercept HTTPS traffic; without the certificate, users will be unable to access foreign websites, including Facebook, Twitter, Instagram, and YouTube. Kazakhstan's government attempted a similar requirement in August 2019. The Kazakh government maintains that the certificate requirement is part of a public/private cybersecurity training exercise. Apple, Microsoft, Google, and Mozilla have all blocked the certificate.

Editor's Note

Having a certificate like this provides visibility to user action rather than preventing cyber attacks. A different approach is needed to truly provide endpoint protection and should not be limited to only certain sites.

Lee Neely

This is the logical equivalent of a postal service requiring the use of stamps that send a copy of every letter to the government. That is not a recipe for high levels of security.

John Pescatore

2020-12-19

Firefox Will Introduce Anti-Tracking Feature Next Year

When Mozilla releases Firefox 85 in January 2021, the browser will include an anti-tracking feature called Network Partitioning. The feature will allow Firefox to store website data like favicon caches, CSS files, and images in partitioned, per-website storage rather than in one pool. This should make it more difficult for users to be tracked across websites.

Editor's Note

Apple and Google already do limited versions of this in the Safari and Chrome browsers. There is increasing demand from consumers for privacy, as well as increased government scrutiny of intrusive practices (well, not so much in Kazakhstan...). Good to let the product/business side know that privacy and security are increasingly features of top products, not impediments to their adoption and use.

John Pescatore

2020-12-21

Crypto Wallet Data Exposed

Information that was stolen from Ledger, a cryptocurrency wallet website, in June 2020 has been leaked on a hacker forum. The information is reportedly being used in phishing attacks. Ledger has been notifying customers via Twitter. Ledger provided information about the breach in a July 2020 blog post.


2020-12-18

Europol Launches Decryption Platform for Law Enforcement

Europol, along with the European Commission, has launched a new decryption platform to help EU law enforcement "decrypt information lawfully obtained in criminal investigations." The platform is operated by the European Cybercrime Centre (EC3).

Editor's Note

Kudos to Europol and the European Commission for this initiative. This now enables smaller EU member states' police forces access to decryption technologies that normally are the preserve of police forces with much larger budgets. Having a centralized platform also enables better intelligence and data analysis capabilities targeting criminal activities.

Brian Honan

Such efforts are most likely to succeed against device encryption where the key, the method, and the cryptogram are all available, at least at some cost. They are more expensive for message encryption, and so expensive that they cannot be used for widespread surveillance.

William Hugh Murray

2020-12-21

Trucking Company Recovering from Ransomware Attack

US trucking and freight logistics company Forward Air has acknowledged that its network was hit with ransomware earlier this month. Forward Air made the disclosure in a Form 8-K filing with the US Securities and Exchange Commission (SEC). Forward Air detected the attack on December 15, 2020.

Internet Storm Center Tech Corner

A slightly optimistic tale of how patching went for CVE-2019-19781

https://isc.sans.edu/forums/diary/A+slightly+optimistic+tale+of+how+patching+went+for+CVE201919781/26900/


Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working

https://isc.sans.edu/forums/diary/Headsup+VirusTotal+Functionality+in+Sysinternals+Tools+Not+Working/26906/


What's The Deal With Openportstats.com?

https://isc.sans.edu/forums/diary/Whats+the+deal+with+openportstatscom/26912/


Kazakhstan: Browsers Block Government Certificate Authority

https://www.zdnet.com/article/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate/


5G Vulnerabilities

https://positive-tech.com/about/news/vulnerabilities-in-standalone-5g-networks-could-allow-attackers-to-steal-credentials-and-falsify-subscriber-authentication/


Bouncy Castle BCrypt Password Verification Error

https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/


Dell Wyse ThinOS 8.6 Security Update

https://www.dell.com/support/kbdoc/en-hr/000180768/dsa-2020-281


SolarWinds 2nd Backdoor

https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/


SolarWinds Domains

https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/