SANS NewsBites

macOS Malware Snuck Through Apple's Vetting; Cisco Zero-day Actively Exploited; New Zealand Stock Exchange DDoS Attacks

September 1, 2020  |  Volume XXII - Issue #69

Top of the News


2020-08-31

Shlayer Snuck Through Apple's Software Vetting Process

Malware known as Shlayer managed to slip past Apple's software vetting process. Apple established an automated notarization process in February 2020; developers submit software to be notarized. If the software passes the checks, macOS Gatekeeper allows it to run.

Editor's Note

Apple has been clear from the start that notarization does not equal application testing. Pretty much like in the real world where notary publics don't actually quiz you to make sure you really are you, they just check a few documents and notarize that the documents you showed them match the identity you are claiming. Apps do get tested for inclusion in the app store - you can limit Macs to only allowing apps to be downloaded from the App Store. That app testing has been pretty good but not perfect either. The MacOS layers of protection do lower the malware risk significantly, but Macs used for business purposes should also have malware protection installed.

John Pescatore

Shawn Geddis, Security and Certifications Engineer at Apple, briefed me on application notarization last year. He explained that notarized applications are checked for malicious components and that the developer ID is confirmed; what is provided back to the developer is the Notarization for that App. Notarization is not App Review, nor is source code shared with Apple. The Application is then distributed by the developer through whatever means necessary to all of its users. Notarized Applications are verified and allowed to run on macOS because it can be attested that they do not contain identifiable malicious components. This is an extension of what has been taking place with gatekeeper data within macOS for some time. Even so, as John states, it is still a good idea to have additional anti-malware protections for defense in depth.

Lee Neely

Notarization speaks to attribution, not quality, not motive or intent.

William Hugh Murray
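The editors' distinction between notarization and App Review is visible in the verdict Gatekeeper itself reports. The following is an added example, not code from the newsletter, SANS, or Apple: it parses the output of `spctl --assess --verbose=2 <App.app>` and maps the verdict to what the check actually establishes. The line formats it matches (`source=Notarized Developer ID`, `source=Mac App Store`, `source=no usable signature`) are an assumption based on current macOS output, and the two sample outputs are constructed rather than captured from a real system.

```python
# Added example (not from the NewsBites item, SANS, or Apple): parse the
# verdict that `spctl --assess --verbose=2 <App.app>` prints and map it to
# what the check actually establishes. The line formats matched below
# ("source=Notarized Developer ID", "source=Mac App Store", ...) are an
# assumption based on current macOS output; adjust if your version differs.
import re
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    path: str
    accepted: bool      # Gatekeeper would allow the bundle to launch
    source: str         # the "source=" line, e.g. "Notarized Developer ID"
    origin: str         # the "origin=" line (signing identity), if present

    @property
    def notarized(self) -> bool:
        return self.source.startswith("Notarized")


def parse_spctl(text: str) -> Assessment:
    """Parse spctl assessment output (stdout and stderr combined)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty spctl output")
    m = re.match(r"^(.+?): (accepted|rejected)(?: \(.*\))?$", lines[0])
    if not m:
        raise ValueError(f"unexpected first line: {lines[0]!r}")
    fields = dict(ln.split("=", 1) for ln in lines[1:] if "=" in ln)
    return Assessment(path=m.group(1),
                      accepted=(m.group(2) == "accepted"),
                      source=fields.get("source", ""),
                      origin=fields.get("origin", ""))


def gatekeeper_summary(a: Assessment) -> str:
    """Spell out what an 'accepted' verdict does and does not tell you."""
    if not a.accepted:
        return "blocked: Gatekeeper rejects this bundle"
    if a.source == "Mac App Store":
        return "accepted: App Store distribution (went through App Review)"
    if a.notarized:
        return ("accepted: notarized Developer ID only - automated malware scan "
                "and signer identity, no App Review; keep endpoint AV in the loop")
    return f"accepted via '{a.source}': check local policy exceptions"


def assess(app_path: str) -> Assessment:
    """Run spctl on a real bundle (macOS only; spctl writes its report to stderr)."""
    proc = subprocess.run(["spctl", "--assess", "--verbose=2", app_path],
                          capture_output=True, text=True)
    return parse_spctl(proc.stdout + proc.stderr)


# Constructed sample outputs for offline use (not captured from a real system).
SAMPLE_NOTARIZED = """/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)
"""
SAMPLE_REJECTED = """/Users/me/Downloads/Installer.app: rejected
source=no usable signature
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NOTARIZED, SAMPLE_REJECTED):
        a = parse_spctl(sample)
        print(a.path, "->", gatekeeper_summary(a))
```

On a Mac, `assess("/Applications/Example.app")` runs the real check; the point of `gatekeeper_summary` is that "accepted" with a notarized Developer ID source means only that Apple's automated scan found nothing at submission time, which is exactly the gap Shlayer slipped through.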

2020-08-31

Cisco Zero-day is Being Actively Exploited

Cisco has issued an advisory warning of a vulnerability in its IOS XR software that is being actively exploited. Cisco has not yet released a fix for the flaw, which "is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets." The vulnerability can be exploited "to cause memory exhaustion, resulting in instability of other processes."


2020-08-31

New Zealand Stock Exchange Hit With More DDoS Attacks

The New Zealand Stock Exchange (NZX), which suspended trading last week due to a distributed denial-of-service (DDoS) attack, was hit with a new round of attacks on Monday, August 31. NZX was able to resume trading after moving to a contingency plan.

Editor's Note

Network architecture and application reachability are key to survival of DDOS attacks. NYSE and other major exchanges are believed to be able to withstand a similar attack because of network segmentation and lack of internet facing trading applications. See https://www.scmagazine.com/home/security-news/nyse-not-susceptible-to-takedown-like-new-zealand-exchange/

Lee Neely

We are seeing a return by criminals to extortion-based DDoS attacks. If you are running business critical systems online you need to ensure you have appropriate DDoS protections in place the same way that you ensure you have redundant power to your Data Centre.

Brian Honan

The Rest of the Week's News


2020-08-28

Former Cisco Employee Pleads Guilty to Damaging Company's Network

A former Cisco employee has pleaded guilty to intentionally accessing a protected computer without authorization and recklessly causing damage. Sudhish Kasaba Ramesh resigned his position at Cisco in April 2018; five months later, he accessed Cisco's AWS-hosted cloud infrastructure and "deployed code" that resulted in the deletion of more than 450 virtual machines for Cisco's WebEx Teams application.

Editor's Note

Separation processes must include verified disablement of accounts. Monitor those accounts for unauthorized access, and delete them when the data and functions have been reassigned; give yourself a hard time limit to ensure this happens. Audit/review your accounts against your active user list regularly.

Lee Neely

The key question, of course, is why the employee could still access his privileged account five months after he left Cisco. Cloud accounts often evade the direct connection from the HR app to Active Directory that would remove access upon termination. A good audit should always show percentage of "ghost" accounts left active - good idea to do some targeted auditing of cloud service admin accounts.

John Pescatore

This incident exemplifies why in an era of companies employing on-premise and cloud-based platforms it is critical to have a coherent Identity and Access Management strategy in place with appropriate access management systems to support that strategy. In light of the current pandemic and the many changes made to systems to enable businesses to support, a thorough review of how the "new normal" impacts on the Joiner, Mover, and Leavers processes is indicated.

Brian Honan

Control of privileged users is difficult. One should not grant a privilege that one cannot withdraw. Prefer strong authentication using a hardware token that one can disable or reclaim upon separation. However, resisting backdoors will require supervision, layered security, multi-party controls, and Privileged Access Management software. It remains a problem that for privileged users, where accountability is the ultimate control, we are most likely to tolerate sharing of IDs and credentials.

William Hugh Murray
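The audit the editors describe (cloud accounts reconciled against the active user list, leavers' accounts verified disabled, privileged accounts checked first) is straightforward to script. The following is an added example, not code from the newsletter, SANS, or Cisco: it joins a cloud IAM user listing against an HR roster and reports ghost accounts. The record layouts and the sample roster and accounts are constructed for this illustration; the dates only loosely echo the timeline in the news item.

```python
# Added example (not from the NewsBites item or any of the editors): a
# separation audit that joins a cloud IAM user list against the HR roster and
# flags accounts that should have been disabled. Record layouts and the
# sample data are constructed for this illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str                 # "active" or "terminated"
    separation: Optional[date]  # last day, for terminated staff


@dataclass(frozen=True)
class CloudAccount:
    user: str
    enabled: bool
    privileged: bool            # admin / deployment rights
    last_login: Optional[date]


Finding = Tuple[str, str, str]  # (user, severity, reason)


def audit_accounts(roster: List[HrRecord], accounts: List[CloudAccount],
                   today: date, grace_days: int = 1) -> List[Finding]:
    """Return ghost-account findings, most severe first."""
    by_user = {r.user: r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        sev = "high" if acct.privileged else "medium"
        rec = by_user.get(acct.user)
        if rec is None:
            # Nobody in HR owns this identity: orphan, shared, or service account.
            findings.append((acct.user, sev,
                             "no HR record: orphan, shared, or service account needing an owner"))
            continue
        if rec.status != "terminated" or rec.separation is None:
            continue
        days_since = (today - rec.separation).days
        if acct.enabled and days_since > grace_days:
            findings.append((acct.user, sev,
                             f"still enabled {days_since} days after separation"))
        if acct.last_login and acct.last_login > rec.separation:
            # Post-separation activity is an incident, not a hygiene finding.
            findings.append((acct.user, "critical",
                             f"signed in on {acct.last_login}, after separation on {rec.separation}"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed sample data (not real accounts).
ROSTER = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2018, 4, 30)),
    HrRecord("carol", "terminated", date(2020, 8, 25)),
]
ACCOUNTS = [
    CloudAccount("alice", True, False, date(2020, 8, 28)),
    CloudAccount("bob", True, True, date(2018, 9, 24)),      # leaver, still enabled, signed in later
    CloudAccount("carol", False, False, date(2020, 8, 20)),  # disabled on time
    CloudAccount("deploy-svc", True, True, None),            # no HR owner
]


def run_sample() -> List[Finding]:
    return audit_accounts(ROSTER, ACCOUNTS, today=date(2020, 8, 28))


if __name__ == "__main__":
    for user, sev, reason in run_sample():
        print(f"[{sev}] {user}: {reason}")
```

In practice the roster comes from the HR system export and the account list from the cloud provider's IAM API; the point is the join, the post-separation login check, and that privileged and ownerless identities are reviewed first.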

2020-08-28

Chinese Citizen Arrested, Charged with Theft of Trade Secrets

US federal authorities have arrested a Chinese citizen on charges of "accessing a computer without authorization, or exceeding authorization to obtain information from a protected computer and theft of trade secrets." Haizhou Hu has been conducting research at the University of Virginia. Hu allegedly stole research simulation code.


2020-08-31

Slack Fixes RCE Flaw in Older Versions of Desktop App

Slack has fixed an HTML code injection vulnerability affecting older desktop versions of the collaboration app. The flaw could be exploited to take control of the app, allowing access to private channels, passwords, and other sensitive information. A bug-hunter found the vulnerability and reported it to Slack in January 2020. The issue, which affected versions 4.2 and 4.32 of the desktop app for Linux, macOS, and Windows, was fixed in March.

Editor's Note

Lee Neely

2020-08-28

DoJ is Attempting to Seize Hackers' Cryptocurrency Accounts

The US Department of Justice has filed a civil forfeiture complaint seeking to obtain control of 280 cryptocurrency accounts it alleges are being used by North Korean hackers to launder stolen funds. The complaint describes two 2019 attacks in which North Korean hackers allegedly targeted cryptocurrency exchanges.

Editor's Note

It is in the nature of the blockchain that the evidence never goes away. The use of digital currency does not necessarily confer the anonymity that one might expect. However, it is in the nature of digital currency that attribution may be difficult and the activity may be convoluted and obscure. There are software and services for analysis that improve transparency and accountability.

William Hugh Murray

2020-08-31

Hackers Exploiting Old Firmware Flaw in Unpatched QNAP NAS Devices

Researchers at Qihoo say that hackers are scanning for QNAP network attached storage (NAS) devices that are running outdated versions of QNAP firmware. When the hackers find QNAP NAS devices running vulnerable versions of the firmware, they exploit a flaw to install a backdoor on the device. The vulnerability was addressed in a QNAP firmware update in July 2017.

Editor's Note

It bears repeating that storage should not be directly attached to the public networks. Think LOCAL Area Networks (LANs) and VLANS.

William Hugh Murray

2020-08-30

New TLS/SSL Certificates Now Limited to 13-Month Validity Period

As of Tuesday, September 1, 2020, all new TLS/SSL certificates issued will be valid for no more than 397 days (roughly 13 months). The new rule does not affect existing certificates with longer validity periods.

Editor's Note

Where possible, use automation to keep your certificates updated so the update interval is not critical. Consider scanning and alerting for certificates nearing expiration to support manual updates as well as verify automation.

Lee Neely

Internet Storm Center Tech Corner