SANS NewsBites

SolarWinds: Neuberger White House Briefing and Microsoft Source Code; Malware Targeting Apple M1 Processors; Microsoft Replaces Two Windows 10 Servicing Stack Updates

February 19, 2021  |  Volume XXIII - Issue #14

Top of the News


2021-02-18

SolarWinds: Neuberger White House Briefing

At a White House briefing on Wednesday, February 17, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, said that the Biden administration is working on an executive action to help agencies respond to the SolarWinds supply chain attack. Nine federal agencies and 100 private companies are known to have been affected by the attack; that number is likely to grow.


2021-02-19

SolarWinds: Microsoft Says Attackers Accessed Source Code

In a blog published on Thursday, February 18, Microsoft says that the hackers behind the SolarWinds supply chain attack accessed code repositories for “a small subset of Azure components (subsets of service, security, identity), a small subset of Intune components, and a small subset of Exchange components.” In some cases, the attackers downloaded source code.


2021-02-18

Malware Targeting Apple M1 Processors

Researchers have detected two malware strains that target Apple’s new M1 processors. The M1 system-on-a-chip (SoC) was launched late last year and is used in the most recent generations of MacBook Air, MacBook Pro, and Mac mini devices.

Editor's Note

The malware developers are signing their code with legitimate Apple Developer certificates so the software will run on the platform without triggering Gatekeeper. Once reported, Apple revokes those certificates, so the software is no longer trusted and requires intervention to run. We are in a transition as security tools evolve to detect issues with code natively developed for the M1 chip without disabling system functionality. Malware authors are leveraging the lag to release versions which cannot always be detected. Mitigate the risks by installing only known packages and plugins; think twice before enabling a program or plugin which isn’t notarized by Apple.

Lee Neely

It is long past time for "researchers" to finish identifying and highlighting implementation induced vulnerabilities (the fun part) and to start on developing fundamental security tools, mechanisms, and strategies to mitigate them (the hard part). Patrick Wardle who reported this is a developer of tools.

William Hugh Murray
William Hugh Murray

2021-02-18

Microsoft Replaces Two Windows 10 Servicing Stack Updates

Microsoft has pulled two problematic Windows 10 servicing stack updates (SSUs) and replaced them with new ones. KB4601392 has been replaced by KB5001078, and KB4601390 has been replaced with KB5001079.

Editor's Note

The flaw actually prevents updates from installing. Push out KB5001079 SSU prior to distribution of the Feb 9 security updates. KB5001078 applies to Windows 10 version 1607 and Server 2016. If you’re unable to install the SSU update, refer to the Microsoft guides for resetting the Windows Update components manually.

Lee Neely
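As an added example (not part of the NewsBites text or the editor's note), a PowerShell check that reports whether either pulled SSU is present on a host and whether its replacement is installed; the KB numbers are those named in the item above, while the hashtable, the function name and the readiness rule are assumptions made here.

```powershell
# Added example: map each pulled Windows 10 SSU to its replacement (KB numbers
# from the news item; the mapping itself is constructed for this check).
$Replacements = @{
    'KB4601392' = 'KB5001078'   # Windows 10 version 1607 / Server 2016
    'KB4601390' = 'KB5001079'
}

function Get-SsuState {
    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID values look like 'KB5001079'.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    foreach ($old in $Replacements.Keys) {
        $new = $Replacements[$old]
        [PSCustomObject]@{
            PulledSsu      = $old
            PulledPresent  = $installed -contains $old
            ReplacementSsu = $new
            ReplacementOk  = $installed -contains $new
        }
    }
}

$state = Get-SsuState
$state | Format-Table -AutoSize

# Only one replacement SSU applies to a given build, so the host is treated as
# ready when at least one replacement is installed (assumed rule for this check).
$ready = @($state | Where-Object ReplacementOk).Count -gt 0
if (-not $ready) {
    Write-Warning 'No replacement SSU (KB5001078/KB5001079) found; install it before deploying the February 9 security updates.'
    exit 1
}
```

Run it as part of pre-deployment inventory; a non-zero exit marks hosts that still need the replacement SSU before the February security updates are pushed.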

The Rest of the Week's News


2021-02-17

US DoJ Indicts Three Alleged Hackers Linked to North Korean APT Group

The US Department of Justice (DoJ) has unsealed an indictment charging three North Korean individuals in connection with cyberattacks conducted over more than six years. The individuals were allegedly involved in the 2014 attack against Sony Pictures, the deployment of the WannaCry malware in 2017, and stealing $200 million from banks, ATMs, and cryptocurrency organizations. The individuals charged are believed to be part of a hacking group known as Lazarus, Hidden Cobra, or APT38.


2021-02-18

Following Credential-Stuffing Attack, RIPE NCC Internet Registry Urges Users to Adopt 2FA

The RIPE Network Coordination Center (RIPE NCC) is urging users to enable two-factor authentication (2FA). In a notice on its website, RIPE NCC writes, “Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime.” RIPE NCC is a not-for-profit regional Internet registry for Europe, the Middle East, and the former USSR. The organization is headquartered in Amsterdam.

Editor's Note

Don’t wait for announcements like this to enable 2FA. Review your online services and enable 2FA wherever offered. While you’re at it, change those bad or reused passwords you’ve been meaning to fix. If you’re hosting an authenticated service which doesn’t have 2FA, provide it. Most current authentication systems support 2FA out of the box, simplifying the implementation to just communication and transition. Set limits on how long users have to enable 2FA.

Lee Neely

I think the world really needs these types of announcements to say “(name of company/site that was compromised due to reusable passwords) is switching to 2FA for all user logins” vs. more “urging.” Requiring ground fault interrupt circuits in all electrical outlets near water has saved many more lives than continued “urging” of checking for water and frayed wires before you plug in an appliance.

John Pescatore

2021-02-18

Virginia Privacy Law

The Virginia Consumer Data Protection Act received overwhelming support in both the Virginia House and Senate; it is now headed to the governor’s desk. If it is signed into law, the bill would apply to companies that “conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.”

Editor's Note

The new VCDPA goes into effect 1/1/23, the same date as the California Consumer Rights Act, which updated the CCPA. The differences between the VCDPA and CCPA highlight the need for national privacy legislation. In this case if you can meet the CCPA or CCRA, you’re good for the VCDPA, but as we see more state legislation the chance for errors and omissions increases. If you’re doing business online, especially across multiple states, start now making sure you’re aligned with the Virginia and California legislation.

Lee Neely

2021-02-17

Critical Vulnerabilities in Ninja Forms WordPress Plugin

Four critical flaws in the Ninja Forms WordPress plugin could be exploited to intercept email, take control of vulnerable websites, and redirect administrators to malicious sites. The plugin is installed on more than one million WordPress sites. Users are urged to update to Ninja Forms version 3.4.34.1 or newer.

2021-02-18

Health IT Security News Roundup

Incidents covered in Health IT Security’s weekly breach roundup include an 18-month long data leak due to third-party software at Sutter Buttes Imaging in California; a January ransomware attack against Granite Wellness Centers, also in California; an employee email account breach at Grand River Medical Group in Iowa; and a data breach at Texas Spine Consultants.


2021-02-17

WatchDog Cryptojacking Campaign Started in January 2019

Researchers from Palo Alto Network’s Unit 42 have uncovered an ongoing cryptojacking campaign that has been active for more than two years. The WatchDog campaign mines for Monero cryptocurrency; it has compromised nearly 500 Windows and Linux devices.

Editor's Note

The Unit42 blog includes a breakdown of 18 known IP addresses and 125 URLs supporting the WatchDog campaign. The malware is mostly focused on *NIX systems; there are also Go binaries identified for Windows. Leverage the blog’s IOCs, which are also already incorporated into some Palo Alto security solutions, to detect and respond to this activity.

Lee Neely

2021-02-17

Hackers Targeted an Obsolete Version of Centreon Software to Infiltrate IT Providers’ Networks

For the past several years, hackers have been targeting vulnerable instances of Centreon monitoring software to gain access to IT providers’ networks. Centreon says that the attackers exploited “an obsolete open source version (v2.5.2), which has been unsupported for 5 years.” French cybersecurity watchdog ANSSI says the attacks bear similarities to those conducted by the Sandworm APT group.

Internet Storm Center Tech Corner

More Weirdness on TCP Port 26

https://isc.sans.edu/forums/diary/More+weirdness+on+TCP+port+26/27106/

The new "LinkedInSecureMessage" Phish

https://isc.sans.edu/forums/diary/The+new+LinkedInSecureMessage/27110/

Malspam Pushes Trickbot gtag rob13

https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+gtag+rob13/27112/

Microsoft Pulls Servicing Stack Update

https://threatpost.com/microsoft-windows-update-patch-tuesday/163981/

Network Monitoring Company Centreon Compromised (PDF)

https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf

SHAREit Flaw Could Lead to Remote Code Execution

https://www.trendmicro.com/en_us/research/21/b/shareit-flaw-could-lead-to-remote-code-execution.html

Apple M1 Optimized Malware

https://objective-see.com/blog/blog_0x62.html

QNAP Surveillance Station Vulnerability

https://www.qnap.com/en/security-advisory/qsa-21-07

VSCode NPM Extension RCE

https://github.com/jackadamson/CVE-2021-26700

Masslogger Exfiltrates User Credentials

https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html

AppleJeus

https://us-cert.cisa.gov/ncas/alerts/aa21-048a

Python 3 Buffer Overflow

https://bugs.python.org/issue42938

Apple Platform Security Guide

https://support.apple.com/guide/security/welcome/web