SANS NewsBites

Tools Available to Help Mitigate Log4j Risk; Update Apache and Minimize Configurations to Avoid Vulnerabilities; Azure App Service for Linux Exposes .git Files

December 28, 2021  |  Volume XXIII - Issue #100

Top of the News


2021-12-22

Joint Log4j Cybersecurity Advisory

Attackers are “actively scanning networks to potentially exploit” Log4j vulnerabilities, according to a joint advisory issued by cybersecurity organizations from the US, the UK, Canada, Australia, and New Zealand. The advisory offers technical details, mitigations, and additional resources.

Editor's Note

At this point, the importance of mitigating the log4j vulnerability should be evident without this advisory. But the advisory is still useful, particularly in that it includes tools to assist in finding vulnerable log4j instances.

Johannes Ullrich

This alert consolidates information you need to know to deal with Log4j. The primary mitigation remains upgrading it where used, which means you need a current application inventory and corresponding monitoring. If you have outsourced or cloud services which haven’t let you know if or how Log4j applies to their environment, actively reach out to them for information. Did you remember to check out your ICS/OT systems for issues? If you are providing services to others, make sure you’re informing them on your actions and any actions they may need to take. Leverage the resources in the bulletin for reporting, IOCs or even if you need help getting your arms around this.

Lee Neely

2021-12-27

Apache HTTPD Server Vulnerabilities

Apache has released Apache HTTP Server 2.4.52 to address two vulnerabilities. The first is a possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier; the second is a possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.

Editor's Note

Of the two vulnerabilities, the one in mod_lua is far more serious since it could in theory result in code execution. But there are two big lessons here. First, in every distro I checked, mod_lua was compiled with security features that make exploitation far harder and less likely. Second, there's an attack surface lesson here. Very few organizations use mod_lua in Apache, yet it is enabled by default in many Linux distributions. Minimizing attack surface is foundational to security but unfortunately many distributions are expanding attack surface for the sake of compatibility. Security professionals shouldn't just "apt install" and presume everything is optimally secure. Instead, review configurations to ensure that package maintainers haven't added extras you don't need.

Jake Williams

Just over 31% of public facing web servers run the Apache HTTP server. If you’re using the default httpd from your Linux distribution, make sure that you’re on a patched version, or manually install/configure the current version. If you want to stay with the built-in version and it’s running behind, you may need to update to a newer distribution.

Lee Neely
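A defender-side check in the spirit of the notes above, added here as an example (it is not code from SANS, Apache or the newsletter's editors): it parses the output of `apachectl -v` and `apachectl -M` to flag a build older than 2.4.52 and a loaded mod_lua that the site may not need. The fixed version and module name come from the item; the sample command output is constructed.

```shell
#!/bin/sh
# Added example: flag an Apache build older than 2.4.52 and a loaded mod_lua.
# Input is the text of `apachectl -v` / `apachectl -M`; the sample below is constructed.
FIXED_VERSION=2.4.52

# Extract "2.4.51" from a line like "Server version: Apache/2.4.51 (Unix)".
apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}
# Return 0 when dotted version $1 is older than $2, comparing major.minor.patch.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s\n' "$1" | cut -d. -f"$i"); f2=$(printf '%s\n' "$2" | cut -d. -f"$i")
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}
# Return 0 when the module dump lists lua_module (enabled by default on several distros).
lua_loaded() {
    printf '%s\n' "$1" | grep -q '^ *lua_module'
}
# $1: version output, $2: module dump. Prints one finding per line, nothing when clean.
assess() {
    ver=$(apache_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse Apache version from input"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "UPDATE: Apache $ver predates $FIXED_VERSION (mod_lua overflow, forward-proxy SSRF fixes)"
    fi
    if lua_loaded "$2"; then
        echo "REVIEW: lua_module is loaded; disable it if unused (Debian/Ubuntu: a2dismod lua)"
    fi
}

# Constructed sample output from an unpatched host with mod_lua loaded.
SAMPLE_VERSION='Server version: Apache/2.4.51 (Unix)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 lua_module (shared)
 proxy_module (shared)'

# Use the real server when apachectl is present, otherwise the constructed sample.
if command -v apachectl >/dev/null 2>&1; then
    assess "$(apachectl -v 2>/dev/null)" "$(apachectl -M 2>/dev/null)"
else
    assess "$SAMPLE_VERSION" "$SAMPLE_MODULES"
fi
```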

2021-12-24

Azure App Service Vulnerability

Microsoft has disclosed a vulnerability in its Azure App Service for Linux. The flaw could be exploited to download files that were not intended to be public. Microsoft learned of the vulnerability from researchers at Wiz. Known as the NotLegit bug, the vulnerability has existed since September 2017. In a blog post, Microsoft writes that they have “updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure.” They have also notified affected customers and updated documentation as appropriate.

Editor's Note

While most cloud services security incidents are enabled by admin error, this is a good reminder that vulnerabilities continue to be found in cloud services like Azure, AWS, GCP and others. File integrity and data movement monitoring is still required for business-critical executables, files and data.

John Pescatore

Exposed .git directories are a common issue and they should show up in web application vulnerability scans. It also remains one of the top vulnerabilities probed in our honeypots. A little bit odd that it took so long to discover this issue.

Johannes Ullrich

If you set up a “Local Git” repository for your content delivered using the Azure App Service, those repositories were public, not private because the config file (web.config) in the .git folder was only processed by their IIS server, not Apache or other technologies used. Microsoft resolved the issue November 17th, and started notifying affected customers via email December 7th. If you were using this service, make sure that your deployed code is as expected, particularly any included authentication information such as API keys which may warrant updates.

Lee Neely

This is not the first high-profile cloud platform vulnerability discovered and reported by Wiz and it certainly won't be the last. If your org uses cloud platforms, you should be following Wiz for early notifications of vulnerabilities.

Jake Williams

The Rest of the Week's News


2021-12-22

Cyberspace Solarium Commission Will Become a Non-Profit

The Cyberspace Solarium Commission has reached the end of its term as designated in the 2019 National Defense Authorization Act (NDAA). Dozens of the commission’s recommendations have become law, including establishing the post of National Cyber Director. Leaders of the commission plan to convert it to a non-profit organization.

Editor's Note

Since 2019, the commission has seen 40 of their suggested measures codified into law. The move to a non-profit “think tank” changes the reporting relationship with lawmakers and they will have to use existing relationships as well as build a new working model to get more legislation on the docket. It is expected they will continue the push to get mandatory incident reporting passed next.

Lee Neely

2021-12-23

Log4j Scanners

The Cybersecurity and Infrastructure Security Agency (CISA) has released Log4j-scanner, “a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by log4j vulnerabilities.” Other organizations and researchers have published Log4j scanners as well.

Editor's Note

If you don’t have a scanner, or cannot afford one, this is what you need. You can also use this to cross-check the results from your current scanner. Note that you need to take additional steps, such as configuring your own DNS server, to check for some of the weaknesses. Make sure you don’t miss your non-internet facing systems. The current drawbridge/moat (aka perimeter firewall) model is not the barrier it once was.

Lee Neely

2021-12-23

More Healthcare Organization Breaches

West Virginia’s Monongalia Health System and Florida’s BioPlus Specialty Pharmacy Services LLC have experienced cybersecurity incidents. A phishing attack in late October compromised the protected health information (PHI) of nearly 400,000 people. BioPlus reported a server hacking incident earlier this month that affected the PHI of 350,000 people. Both incidents have been added to the US Department of Health and Human Services HIPAA Breach Reporting Tool website.

Editor's Note

Make sure that you terminate or otherwise deactivate inactive, defunct, or terminated user accounts, including email. Enable monitoring including “impossible access” detection. (E.g., connecting from the U.S. and abroad within a window shorter than the travel time.) Make sure that you can also detect anomalous behavior on your networks and services to include data exfiltration activities. For outsourced or cloud services have a serious conversation about what is possible. Make sure the incident response information is current and all parties know those contacts/exchanges are legitimate.

Lee Neely

2021-12-27

Ransomware Attacks are Targeting QNAP NAS Devices

Ransomware operators are reportedly targeting QNAP network-attached storage (NAS) devices with the eChoraix malware. The attacks began to intensify in mid-December. It is not clear how the attackers gained access to the devices. Some users admitted that they had not adequately secured their NAS devices; others say that they were breached through a vulnerability in QNAP Photo Station.

Editor's Note

Remember: Never never never expose a network storage device to the internet.

Johannes Ullrich

Yes, it’s really cool to have your home storage available over the Internet; however, home NAS devices have repeatedly been found to be not up to the task. Use cloud file sharing solutions which are engineered to stand up on the Internet with strong authentication. This can also make it much easier to share files/collaborate externally securely. If you’re continuing with your current NAS devices, review the accounts regularly, keep them patched, and remove any unused or unknown applications.

Lee Neely

2021-12-21

Problematic Dell BIOS Update

Recent Dell BIOS updates have reportedly been preventing laptops and desktops from booting. The affected BIOS versions are 1.14.3 for Latitude laptops, 2.8.0 for Inspiron, and 1.0.18 for Aurora R8. Dell has not yet released updated versions; users can downgrade to a previous firmware version until the updates are available.

Editor's Note

The trick here is that you needed not only to regression test this update, but also to test it with connected peripherals to see issues. If you pushed this out, you’ll want to roll back to version 1.13.0, which requires a bit of luck as the laptop has to be stable enough to complete the downgrade. Dell has published guidance on downgrading the BIOS: https://www.dell.com/support/kbdoc/ro-ro/000130652/downgrading-the-system-bios-on-a-dell-system

Lee Neely

2021-12-27

Fresenius Kabi Releases Updates to Address Vulnerabilities in Infusion Systems

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS Medical Advisory warning of multiple vulnerabilities in Fresenius Kabi Agilia Connect Infusion Systems. The flaws could be exploited to access data, modify device settings, or perform arbitrary actions as an authenticated user. Fresenius has released updated versions of the vulnerable components.

Editor's Note

Look through the list of vulnerabilities and ask if you’ve made any of those same mistakes in your software engineering processes, and fix them if you have. Fresenius Kabi has been communicating on this topic; make sure you’ve got the updates installed. Note that if you have an early Link+, you’ll need a hardware update to support the new firmware; contact Fresenius Kabi directly for assistance and follow the mitigations in the CISA bulletin.

Lee Neely

Internet Storm Center Tech Corner

Log4j/Log4Shell and Cloud Internal Meta Data Services

https://isc.sans.edu/forums/diary/log4shell+and+cloud+provider+internal+meta+data+services+IMDS/28168/

https://isc.sans.edu/forums/diary/Defending+Cloud+IMDS+Against+log4shell+and+more/28170/


Log4j/Log4Shell Pushing Crypto Miner

https://isc.sans.edu/forums/diary/Example+of+how+attackers+are+trying+to+push+crypto+miners+via+Log4Shell/28172/


More Undetected PowerShell Droppers

https://isc.sans.edu/forums/diary/More+Undetected+PowerShell+Dropper/28158/


Attackers are Abusing MSBuild to Evade Defenses and Implant Cobalt Strike Beacons

https://isc.sans.edu/forums/diary/Attackers+are+abusing+MSBuild+to+evade+defenses+and+implant+Cobalt+Strike+beacons/28180/


Forensics Challenge Solution

https://isc.sans.edu/forums/diary/December+2021+Forensic+Contest+Answers+and+Analysis/28160/


Apache Patches

https://httpd.apache.org/security/vulnerabilities_24.html


Auerswald COMpact Multiple Backdoors

https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-007/-auerswald-compact-multiple-backdoors


Vulnerabilities in Garrett Metal Detectors

https://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html#more


CAB-less 40444

https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/


Ellume COVID Home Test Weakness

https://github.com/FSecureLABS/Ellume-COVID-Test_Research-Files


Microsoft Vulnerable and Malicious Driver Reporting Center

https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/


Azure Source Code Leak

https://blog.wiz.io/azure-app-service-source-code-leak/


Bypassing File Quarantine, Gatekeeper and Notarization Requirements

https://objective-see.com/blog/blog_0x6A.html


Spider-Miner: Trojanized Version of Spiderman No Way Home

https://blog.reasonlabs.com/2021/12/23/spider-miner-with-great-power-comes-great-problems/