SANS NewsBites

SolarWinds - Much More to Know

December 18, 2020  |  Volume XXII - Issue #99

Top of the News


2020-12-16

SolarWinds: Domain Seized and Used as Kill Switch

Microsoft and a group of other tech companies have seized and sinkholed a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases, it acts as a kill switch, preventing the SUNBURST malware that was distributed through the compromised SolarWinds software update system from operating.

Editor's Note

While this shuts down the C&C server, making it more difficult to leverage the existing SUNBURST malware distributions, the malware is still in place and still needs to be contained and eradicated. Also look for indicators of malicious activity such as credential changes and anomalous network traffic.

Lee Neely

2020-12-17

SolarWinds: More Victims Emerge

FireEye and the US Treasury Department were among the first organizations to acknowledge that their networks were infiltrated by hackers through the SolarWinds supply chain breach. More companies and government agencies have now come forward to disclose that their networks were also affected by the breach. Additional victims now include the US Energy Department and National Nuclear Security Administration, the Federal Energy Regulatory Commission (FERC), the US State Department, Microsoft, Cisco, and Intel.

Editor's Note

SolarWinds was widely deployed in the US government and as such, more instances of SUNBURST will be discovered. While the C&C domain has been sinkholed, existing vulnerable versions need to be isolated and shut down. If you have the capability, collect a forensic image of the system, including memory, prior to shutdown to aid analysis.

Lee Neely

All SolarWinds customers must be presumed compromised. Rigorous content control (think TripWire) is indicated for all enterprise software. "Read only" and "execute only" must replace default "read/write." This will represent a major change in essential enterprise "cybersecurity" going forward but will represent a significant reduction in the risk of breaches. This gives a whole new meaning to "zero trust." (One can take some small comfort in the fact that the Russians will be overwhelmed by the data from 18000 simultaneous breaches.)

William Hugh Murray

2020-12-16

SolarWinds: National Security Council Invokes Cybersecurity Emergency Process

The SolarWinds supply chain breach has prompted the US National Security Council (NSC) to invoke a cybersecurity emergency process established under the Obama administration. PPD-41 established a Unified Coordination Group to serve as "the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate."


2020-12-17

SolarWinds: APT Actors May Have Used Multiple Attack Vectors

The attackers behind the SolarWinds supply chain attack may have used other attack vectors to infiltrate targeted networks. The US Cybersecurity and Infrastructure Security Agency (CISA) is investigating "evidence of additional access vectors, other than the SolarWinds Orion platform."

Editor's Note

The CISA bulletin describes additional indicators related to the other attack vectors, such as SAML tokens with unusually long lifetimes (24 versus 1 hour); as well as fake valid SAML signing certificates; and sequential user access from geographically dispersed locations. Monitor accounts and authentication services closely for unexpected behavior and/or trust relationships.

Lee Neely
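A triage script for the three SAML-related indicators in the note above, added here as an example and not taken from the CISA alert or any SANS tooling; the assertion, the certificate value and the sign-in records are constructed. It flags an assertion whose validity window exceeds one hour, a signing certificate that is not in the IdP allowlist, and a user whose consecutive sign-ins come from different countries within a short window.

```python
"""Checks for the SAML indicators: long token lifetime, unknown signing cert, dispersed logins."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed assertion: 24-hour validity window and a placeholder (not real) certificate value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
 <saml:Issuer>https://idp.example.test</saml:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
 UExBQ0VIT0xERVJDRVJU</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml:Conditions NotBefore="2020-12-14T10:00:00Z" NotOnOrAfter="2020-12-15T10:00:00Z"/>
</saml:Assertion>"""

def parse_ts(s):
    # SAML timestamps are ISO 8601 in UTC, e.g. 2020-12-14T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_certs, max_hours=1.0):
    """Return findings: validity window over max_hours, or signing cert not in the allowlist."""
    root = ET.fromstring(xml_text)
    cond = root.find(".//saml:Conditions", NS)
    start, end = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    hours = (end - start).total_seconds() / 3600
    findings = [] if hours <= max_hours else [f"lifetime {hours:g}h exceeds {max_hours:g}h"]
    cert = root.find(".//ds:X509Certificate", NS)
    # Allowlist entries are the base64 DER certificate strings of the known IdP signing keys.
    cert_b64 = "".join(cert.text.split()) if cert is not None and cert.text else ""
    if cert_b64 not in trusted_certs:
        findings.append("signing certificate not in IdP allowlist")
    return findings

def dispersed_logins(events, window_minutes=60):
    """Flag users whose consecutive sign-ins come from different countries within the window."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        if (prev and prev["country"] != ev["country"]
                and (ev["ts"] - prev["ts"]).total_seconds() <= window_minutes * 60):
            findings.append((ev["user"], prev["country"], ev["country"]))
        last[ev["user"]] = ev
    return findings

# Constructed sign-in records; no real accounts or locations.
SAMPLE_LOGINS = [
    {"user": "jdoe", "ts": parse_ts("2020-12-14T10:05:00Z"), "country": "US"},
    {"user": "jdoe", "ts": parse_ts("2020-12-14T10:20:00Z"), "country": "DE"},
    {"user": "asmith", "ts": parse_ts("2020-12-14T11:00:00Z"), "country": "US"},
]
```

Feed real assertions from your IdP or federation logs and the allowlist of your IdP's actual signing certificates; the one-hour threshold matches the normal lifetime cited in the note.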

The US-CERT CISA alert referenced below has a simple "triage" list of 3 risk categories the 18,000 or so affected SolarWinds users fall into, useful for justifying immediate disruptive action if you are in Category 3 and justifying needed resources to be sure if you think you are in Category 2.

John Pescatore

The use of software distribution as an attack vector demonstrates a major vulnerability in our infrastructure. It suggests that vendors must exercise rigorous content control over their distributions. Distributions must be digitally signed and customers must reconcile the signatures before use. Vendors will likely be seen as liable for contaminated distributions and shipping one may well be an existential event.

William Hugh Murray

2020-12-17

SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed

Two major SolarWinds investors sold $280 million worth of stock just days before the breach of the company's software update system was disclosed. SolarWinds stock price dropped more than 20 percent in the days following the disclosure. The large transaction shortly before the announcement of the breach is likely to prompt an investigation from the Securities and Exchange Commission (SEC). The investors have issued a joint statement saying they were not aware of the breach when they sold the stock.

The Rest of the Week's News


2020-12-17

GitHub to Move Away from Passwords for Git Operations Authentication

GitHub is planning to switch from password-based to token-based authentication for Git operations. The change will not apply to logging into accounts. The scheme will be tested in Summer 2021, and as of August 13, 2021, GitHub "will no longer accept account passwords when authenticating Git operations on GitHub.com."

Editor's Note

If you have 2FA for your GitHub account, you're already using token-based authentication. The primary impact is to command line and apps/services which access Git Repos directly using your password. Two "brownouts" scheduled for June 30 and July 28 will provide testing windows before the hard cutoff in August. If you want to be more proactive, you can convert your account to 2FA today, which will require configuration of tokens for authenticated operations and third-party integrations immediately.

Lee Neely

This doesn't take effect until August 13, 2021, but should serve as a model for all such repositories and services. All admin operations should move beyond reusable passwords. If nothing else, this will eliminate the hardcoded default password risk. In their daily real lives, human beings are getting quite used to two-factor authentication - the assumed barriers to more 2FA being used online are largely just excuses for inaction.

John Pescatore

The use of passwords for authentication makes one vulnerable to credential replay attacks as well as so-called "password stuffing" attacks, short dictionary attacks, and brute force attacks. Strong authentication is essential for all but the most trivial applications. GitHub does not qualify as "trivial."

William Hugh Murray

2020-12-16

Flaws Discovered in Maritime Communications Suite

Researchers from Pen Test Partners found numerous vulnerabilities in the Dualog Connection Suite, which ships use for communications - including email, file transfers, and Internet access - while at sea. The flaws include undocumented admin accounts with hardcoded passwords, SQL injection, and two-factor authentication implemented in a Flash-based, client-side app.


2020-12-17

Fix Available for WordPress Contact Form 7 Plugin Vulnerability

The developers of the Contact Form 7 WordPress plugin have released a fix to address a critical unrestricted file upload vulnerability. The plugin is installed on more than 5 million WordPress sites. Users are urged to update to Contact Form 7 version 5.3.2.

Editor's Note

If you don't have the file upload capability of Contact Form 7 enabled, you're not vulnerable; even so, you need to update if you're using this plugin. While there is no published exploit code, and there are some mitigations which raise the difficulty of exploitation, including a .htaccess file with restrictions, randomized file names, and restrictions on the extensions accepted for file uploads, exploitation is not easy. Even so, given the frequency of WordPress issues, rapid response is still prudent. Wordfence provides additional information on the Contact Form 7 vulnerability: https://www.wordfence.com/blog/2020/12/a-challenging-exploit-the-contact-form-7-file-upload-vulnerability/

Lee Neely

2021-02-17

FBI Issues DoppelPaymer Warning

The FBI has issued a Private Industry Notification (PIN - TLP: White) warning of DoppelPaymer ransomware attacks against organizations operating critical infrastructure, such as healthcare, emergency services, and education. The PIN warns that the DoppelPaymer ransomware operators have called victims to coerce them into paying the demands, and have also threatened to release stolen data if they were not paid.


2020-12-17

Trend Micro Releases Fixes for Flaws in Web Gateway

Trend Micro has released an update to address six vulnerabilities in its InterScan Web Security Virtual Appliance. Some of the flaws could be exploited to take control of vulnerable appliances. The flaws were first reported to Trend Micro in the summer of 2019, but they were not all patched until late November 2020.


2020-12-17

Prison Sentence for Healthcare.gov Data Theft and Abuse

A US District Judge in Louisiana has sentenced Colbi Trent Defiore to three-and-a-half years in prison for stealing and abusing patient data from Healthcare.gov. Defiore previously pleaded guilty to "intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain, and in furtherance of the commission of a felony." Defiore worked as a seasonal employee for a company that supported the Centers for Medicare & Medicaid Services (CMS). He used the stolen data to apply for credit cards and loans, resulting in nearly $600,000 in damages.


2020-12-17

Critical Cross-site Scripting Vulnerability in F5 BIG-IP

F5 has warned of several security issues, including a critical cross-site scripting vulnerability, that affect its BIG-IP products. Users are urged to upgrade to versions 13.1.3.5, 14.1.2.8, 15.1.1, or 16.0.1.

Editor's Note

It's really easy to overlook updating your load balancers; they are often a component in your perimeter security, as they often also provide WAF and NAT/SNAT services for business applications and supporting servers; they need to be rigorously updated, monitored and secured.

Lee Neely

Internet Storm Center Tech Corner

Analyzing a FireEye Maldoc

https://isc.sans.edu/forums/diary/Analyzing+FireEye+Maldocs/26882/

2020 Difference Makers

https://www.sans.org/webcasts/2020-difference-makers-awards-ceremony-117154

Cloud DNS Logs

https://isc.sans.edu/forums/diary/DNS+Logs+in+Public+Clouds/26892/

F5 Big IP Vulnerabilities

https://support.f5.com/csp/article/K20984059

https://support.f5.com/csp/article/K42696541

https://support.f5.com/csp/article/K37960100

Google Outage

https://status.cloud.google.com/incident/zall/20013

GoLang XML Parser Vulnerabilities

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

SAP HANA SAML Validation Weakness

https://www.secureauth.com/blog/secureauth-uncovers-saml-validation-weakness-in-sap-hana/

SolarWinds Update

https://www.heise.de/news/l-f-SolarWinds-Backdoor-Hersteller-sorgte-fuer-Ausnahmen-von-AV-Ueberwachung-4990910.html (German)

https://krebsonsecurity.com/2020/12/malicious-domain-in-solarwinds-hack-turned-into-killswitch/

Hewlett Packard Enterprise Systems Insight Manager (SIM) Vulnerability

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04068en_us

Token Authentication Requirements for Git Operations

https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/

Google Attempting to Speed Up OS Update Adoption

https://android-developers.googleblog.com/2020/12/treble-plus-one-equals-four.html

Trend Micro InterScan Web Security Virtual Appliance Vulnerability

https://success.trendmicro.com/solution/000283077

Malicious Browser Extensions

https://blog.avast.com/malicious-browser-extensions-avast