SANS NewsBites

Apache Tomcat Servers - Act Now; WordPress Plugins Actively Exploited; FBI Talks Ransomware at RSA

March 3, 2020  |  Volume XXII – Issue #18

Top of the News


2020-03-02

GhostCat Vulnerability Affects Apache Tomcat Servers (Important to Act Now)

A vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because it has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.

Editor's Note

This vulnerability got a bit "lost" between RSA and Coronavirus. It should have received much more attention as exploitation is under way. Multiple proof of concept exploits are available.

Johannes Ullrich

The exploit requires the AJP connector to be enabled and its port, often 8009, accessible. Apply updates to Tomcat where explicitly installed. Where Tomcat is bundled with applications, you'll need to wait for the supplier to provide an update. Mitigations include disabling AJP if you're not using the service, or restrict access to port 8009. If you are using it, enable the required Secret attribute to require authenticated connections.

Lee Neely
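
As an added example (not part of the newsletter, and not code from Apache Tomcat), a Python audit of the settings the item above turns on: it flags AJP connectors that listen beyond loopback or have no shared secret, and rewrites server.xml either to the hardened form (loopback-only, secretRequired with a secret) or with the AJP connector removed when the service is not used. The attribute names address, secretRequired and secret are the ones supported by the fixed releases (9.0.31, 8.5.51, 7.0.100); the server.xml content below is constructed for the example.

```python
"""Audit a Tomcat server.xml for the AJP exposure behind GhostCat and
produce the hardened equivalent. Added example, not Apache Tomcat code.
Assumes the connector attributes present in Tomcat 9.0.31 / 8.5.51 /
7.0.100 (address, secretRequired, secret); the sample server.xml is
constructed for this example."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: one AJP connector the way older releases shipped it
# (all interfaces, no secret) and one that is already hardened.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="constructed-example-secret"
               redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _is_ajp(conn):
    # Tomcat's default protocol is HTTP/1.1; AJP connectors say AJP/1.3
    return conn.get("protocol", "HTTP/1.1").upper().startswith("AJP")


def audit_ajp_connectors(server_xml):
    """Return a list of (port, findings) pairs, one per AJP connector.
    An empty findings list means the connector passed every check."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if not _is_ajp(conn):
            continue
        port = int(conn.get("port", "8009"))
        findings = []
        address = conn.get("address")  # None means every interface
        if address not in LOOPBACK:
            findings.append("bound to %s; bind to loopback or firewall the port"
                            % (address or "all interfaces"))
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append("secretRequired=false: any client may connect")
        if not conn.get("secret"):
            findings.append("no shared secret configured")
        results.append((port, findings))
    return results


def harden_ajp_connectors(server_xml, secret=None):
    """Return a rewritten server.xml. With a secret, every AJP connector is
    bound to loopback and requires that secret (the same value must be set
    on the fronting proxy, e.g. mod_jk / mod_proxy_ajp). With secret=None,
    AJP is treated as unused and the connectors are removed entirely."""
    root = ET.fromstring(server_xml)
    for parent in root.iter():
        for conn in list(parent):  # snapshot so removal is safe
            if conn.tag != "Connector" or not _is_ajp(conn):
                continue
            if secret is None:
                parent.remove(conn)
            else:
                conn.set("address", "127.0.0.1")
                conn.set("secretRequired", "true")
                conn.set("secret", secret)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(port, findings or "ok")
    print(harden_ajp_connectors(SAMPLE_SERVER_XML, secrets.token_urlsafe(32)))
```

Run it against a real server.xml by reading the file into the audit function; the hardened text it returns still has to be deployed together with the matching secret on the proxy side, and an appliance that bundles Tomcat needs the vendor's update rather than a hand-edited file.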

2020-03-02

WordPress Plugin Flaws Are Being Actively Exploited

Hackers have been exploiting vulnerabilities in several WordPress plugins. Updates are available to address flaws in the Duplicator, Profile Builder, ThemeGrill Demo Importer, Flexible Checkout Fields for WooCommerce, Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plugins. Attackers have also been exploiting a vulnerability in ThemeREX Addons; there is currently no update available to address this flaw, and users are urged to remove the plugin from their sites.

Editor's Note

If you absolutely need to run WordPress: Let Wordpress.com run it for you. It appears to be the WordPress business model to make the software impossible to run securely on your own unless you spend a lot of effort or run a very limited, stripped-down version.

Johannes Ullrich

Don't just disable unused plugins, remove them so the vulnerable code is deleted from your server. Check your site for new admin accounts, and unexpected content, particularly .php and .zip files in /wp-content/uploads/. Also, make sure you have regular backups of both your site and its database so you can roll back if needed.

Lee Neely

Application managers and developers are responsible for the quality of all included code, without regard to its source. "Plugins" rarely come with any representation or measure of quality.

William Hugh Murray
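
As an added example (not from the newsletter, and not WordPress code), the file-system half of the checks described in the notes above in Python: it lists executable and archive files sitting under wp-content/uploads, which should hold media only, and plugin directories that are still on disk even though they are not active, so that disabled plugins get removed rather than left in place. It assumes the standard wp-content layout and that the caller has read the active_plugins option from the database; the sample site is constructed in a temporary directory. Admin-account and database checks are out of scope here.

```python
"""WordPress clean-up checks: unexpected executable/archive files in the
uploads tree and plugin code that is disabled but still on disk. Added
example; assumes the standard wp-content layout and a caller-supplied
active plugin list. The site tree is constructed in a temp directory."""
import tempfile
from pathlib import Path

# Suffixes that never belong in a media-only uploads directory.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
ARCHIVE_SUFFIXES = {".zip"}


def build_sample_site():
    """Create a constructed WordPress-like tree: one legitimate image,
    a PHP file and a zip hidden in uploads, and three plugin folders."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    uploads = root / "wp-content" / "uploads" / "2020" / "02"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")          # JPEG header
    (uploads / "image.php").write_text("<?php /* constructed */ ?>")
    (uploads / "backup.zip").write_bytes(b"PK\x03\x04")            # zip header
    plugins = root / "wp-content" / "plugins"
    for name in ("akismet", "themerex-addons", "duplicator"):
        (plugins / name).mkdir(parents=True)
        (plugins / name / (name + ".php")).write_text("<?php /* constructed */ ?>")
    return root


def find_unexpected_uploads(site_root):
    """Return site-relative paths of files under wp-content/uploads whose
    suffixes include an executable or archive extension. Every suffix is
    checked, case-insensitively, so IMAGE.PHP and name.php.jpg are both
    reported."""
    uploads = Path(site_root) / "wp-content" / "uploads"
    hits = []
    for path in sorted(uploads.rglob("*")):
        if not path.is_file():
            continue
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & (EXECUTABLE_SUFFIXES | ARCHIVE_SUFFIXES):
            hits.append(path.relative_to(site_root).as_posix())
    return hits


def inactive_plugin_dirs(site_root, active_plugins):
    """Plugin directories present on disk but absent from the active list.
    WordPress records active plugins as 'dir/main-file.php' entries in the
    active_plugins option; pass that list. Anything returned is code that
    still lives on the server and should be deleted, not merely disabled."""
    plugins = Path(site_root) / "wp-content" / "plugins"
    active_dirs = {entry.split("/")[0] for entry in active_plugins}
    return sorted(p.name for p in plugins.iterdir()
                  if p.is_dir() and p.name not in active_dirs)


if __name__ == "__main__":
    site = build_sample_site()
    print("unexpected uploads:", find_unexpected_uploads(site))
    print("inactive plugin dirs:", inactive_plugin_dirs(site, ["akismet/akismet.php"]))
```

Point the two check functions at the real document root instead of the constructed tree; anything they return is worth comparing against a known-good backup before deleting it.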

2020-03-02

RSA: FBI Special Agent Talks Ransomware

At the RSA Conference in San Francisco last week, Joel DeCapua, FBI special agent in the Global Operations and Targeting Unit, told an audience that victims of ransomware have paid more than $140 million over the past six-and-a-half years. That figure accounts only for ransom demands paid in bitcoin. DeCapua also said that the initial vector of intrusion for about three-quarters of ransomware attacks is Remote Desktop Protocol (RDP).

Editor's Note

Only expose the RDP service to the Internet by exception on systems sufficiently configured for the service, including strong authentication, active monitoring and patching. Better still, require a VPN prior to allowing RDP access.

Lee Neely

Other speakers suggest the main source of ransomware is phishing. Strong authentication schemes are better than any kind of passwords in resisting either RDP or phishing.

William Hugh Murray

The Rest of the Week's News


2020-02-27

Redcar and Cleveland Council Still Recovering from Ransomware

A ransomware attack hit servers in the UK council of Redcar and Cleveland more than three weeks ago; residents are still unable to access online services. One councilor said they were told recovery would take several months and cost between £11 million and £18 million (US $14 million and $23 million).

Editor's Note

Time to recover includes impacts of deciding to rebuild or repair impacted systems, as well as experience with recovery from DR media. When planning for ransomware, don't forget to include active exercises rebuilding systems to assure those processes work in a timely fashion.

Lee Neely

We need to accept that there is no guarantee our preventive controls will detect and prevent a ransomware attack. Having an effective BCP can minimise the impact of many ransomware attacks. This story reinforces that stance and the old adage "Fail to prepare, prepare to fail."

Brian Honan

2020-02-28

RailWorks Ransomware Attack

RailWorks Corp., a railroad track and transit system provider, suffered a ransomware attack in late January 2020. The breach may have compromised personally identifiable information of current and former employees as well as their beneficiaries and dependents; the company has begun notifying affected individuals.


2020-03-01

Hackers Target Visser Precision with Ransomware and Steal Data

A "cybersecurity incident" at Visser Precision, a maker of custom parts for companies in the automotive, aerospace, and other industries, is believed to be a ransomware attack. The attackers also stole data belonging to its business partners, and have reportedly already posted some of the stolen documents.


2020-03-01

Walgreens App Bug Exposed Users' Personal Messages

A privacy issue in the Walgreens mobile app (Android and iOS) secure messaging feature exposed users' information to other users. The bug allowed some users to view others' personal messages, which included some health-related information, for several days last month. Walgreens became aware of the issue on January 15, 2020. It has since been fixed. Walgreens operates more than 9,000 drugstores across the US.


2020-03-02

Network Rail/C3UK Data Leak

A database maintained by Internet service provider C3UK was found to be unprotected, exposing information belonging to roughly 10,000 people who used the company's wi-fi service at railway stations. C3UK is a contractor for Network Rail, which owns and manages the infrastructure of most of the railway network in Great Britain.

Editor's Note

While this was a backup, not the full production database, it still included email addresses, gender, mobile device OS information, as well as travel reason, which was intended to be used for targeted advertising. Think twice about the amount of information requested to use free services.

Lee Neely

2020-02-26

Munson Healthcare Group Data Security Incident

Hackers gained access to email accounts of at least two employees at Munson Healthcare Group in Michigan between July 31 and October 22, 2019. The breach was not detected until January 16, 2020. The compromised accounts had access to patient data, including names, financial account information, Social Security numbers, and insurance, diagnostic, and treatment information. Munson Healthcare operates nine hospitals in Northern Michigan.

Editor's Note

It is this kind of continued fraudulent reuse of compromised credentials that strong authentication is designed to resist.

William Hugh Murray

2020-03-02

ProPublica Examines Security of Election-Related Websites

ProPublica found that at least 50 election-related websites in the US have serious security issues. Some of the sites are running on software that dates back to 2003, some have inadequate encryption, and some contain unnecessary software. The sites provide voters with information about where to vote and how to register, and they publish election results. None of the sites ProPublica examined had reported cyberattacks.

Editor's Note

"Unnecessary software," including operating system code, is a significant source of vulnerability. Such software often increases the attack surface of systems and applications by more than ten times. This code is often included without any thought being given to its provenance or quality.

William Hugh Murray

Internet Storm Center Tech Corner

Show me Your Clipboard Data!

https://isc.sans.edu/forums/diary/Show+me+Your+Clipboard+Data/25846/


Hazelcast IMDG Discover Scan

https://isc.sans.edu/forums/diary/Hazelcast+IMDG+Discover+Scan/25850/


Microsoft Exchange Server Vulnerability Scans

https://twitter.com/GossiTheDog/status/1232369036438233088


Tomcat GhostCat Vulnerability

https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E


SSL Distribution by Country

https://isc.sans.edu/forums/diary/Secure+vs+cleartext+protocols+couple+of+interesting+stats/25854/


Checkpoint Evasion Encyclopedia

https://research.checkpoint.com/2020/cpr-evasion-encyclopedia-the-check-point-evasion-repository/


OWASP Threat Dragon

https://github.com/mike-goodwin/owasp-threat-dragon-desktop


SANS Free Things

https://sans.org/free