SANS NewsBites

Global Competition To Take Control Of Your Exchange Servers; Backdoors Abound; Apple's Rare One Target Update

March 12, 2021  |  Volume XXIII - Issue #20

Top of the News


2021-03-11

Some Exchange Server Victims Have Multiple Backdoors Installed

Experts are working to notify and help organizations with systems that have been compromised by groups exploiting the Exchange Server vulnerabilities before the attackers move on to phase two of the campaign, which could have much more dire consequences. Some of the victims have been targeted by multiple groups and as a result, now have multiple backdoors on their systems. Victims of the attacks include Norway’s parliament, and the European Banking Authority.

Editor's Note

With proof-of-concept code circulating, backdoors are to be expected. Attackers are racing to control as many systems as possible before other groups lock them down. The attackers are acting MUCH more quickly than system owners and will make the cleanup job all that much harder for system owners who are slow to respond.

Johannes Ullrich

As feared, the criminals have already moved on to the next phase and are starting to leverage their foothold on compromised systems to launch ransomware attacks known as Ransom:Win32/DoejoCrypt.A, and also as DearCry (https://www.zdnet.com/article/microsoft-watch-out-for-this-new-ransomware-threat-to-unpatched-exchange-email-servers/). If you have not checked your on-premises Exchange servers by now, do so as a matter of urgency using the guidance provided by Microsoft: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/.

Brian Honan

2021-03-11

Multiple Threat Actors are Exploiting Exchange Server Vulnerabilities

According to analysis from ESET, at least 10 APT groups are exploiting the Microsoft Exchange Server vulnerabilities. Many of the groups have ties to China. Six of the groups were actively exploiting the flaws prior to Microsoft’s emergency patch release on Tuesday, March 2.

Editor's Note

The interval between initial exploits by Hafnium and additional APT groups is simply too small for them to have independently discovered the vulnerabilities and developed working exploits. This suggests that after the initial exploits were leveraged by Hafnium in or before January, they then shared them with other groups such as Tick, LuckyMouse, Calypso, Websiic and APT41. Given the scope of added exploits discovered, assume they are shared even more broadly. For this reason, it is best to operate on the model that all Exchange servers are targets and that you not only need to apply the patches, but also check carefully for signs of compromise. Make sure that your real-time endpoint protection includes the Exchange vulnerabilities and IOCs.

Lee Neely

This issue of NewsBites features a wide array of vulnerabilities in IT critical infrastructure elements, like Windows, macOS, Exchange and F5 BIG-IP – without even mentioning SolarWinds Orion. This points out two big issues that are pre-requisites to even considering thinking about talking about buzzwords like “Zero Trust”: (1) to be proactive, risk analysis has to focus as much (really more) on where vulnerabilities would cause the most impact to business as on who might launch attacks; and (2) if you can’t get the critical IT infrastructure elements to the essential security hygiene level (meaningful segmentation, rapid patching, configuration management) then you have no chance in assessing the trustability of anything else.

John Pescatore

I concur with John Pescatore but I want to stress the urgency and seriousness. Our infrastructure now stands naked before a nation state willing to take the risk of being caught in the act of compromising that infrastructure. We must assume that that state will work to maintain its advantage and that in time of crisis would exploit it.

William Hugh Murray

2021-03-09

Microsoft Releases Patches for Older Versions of Exchange Server

On Monday, March 8, Microsoft released patches for older, unsupported versions of Exchange Server to protect entities using those versions from attacks. The decision to release the additional fixes underscores the severity of the situation. In a blog post accompanying the patches’ release, Microsoft cautioned that the cumulative updates address only the four Exchange Server vulnerabilities that are being actively exploited and urged users to upgrade to a supported version of Exchange Server.

Editor's Note

If you are running an older Exchange version, you not only need to apply the patches, but also run detection tools such as the Microsoft Safety Scanner (MSERT) to detect and remove any web shells. Next, start your migration to either supported Exchange or Exchange online services.

Lee Neely

2021-03-09

Apple Updates macOS, iOS, and iPadOS to Fix Code Execution Issue

Apple has released an assortment of updates to fix a vulnerability that could allow arbitrary code execution. Users are urged to update to macOS Big Sur 11.2.3, iOS 14.4.1 and iPadOS 14.4.1.

Editor's Note

Apple’s release of an update fixing one single vulnerability is very unusual and may indicate that this vulnerability is already being exploited.

Johannes Ullrich

This update fixes CVE-2021-1844 in WebKit, necessitating updates to iOS/iPadOS and watchOS as well as Safari and macOS 11 (Big Sur). While iOS and iPadOS 14.5 are expected to drop soon, this update is here now. Minimize the impact by leveraging your device management solution to push the update to Automated Device Enrollment (ADE), formerly DEP, devices.

Lee Neely

The Rest of the Week's News


2021-03-11

Microsoft Patch Tuesday: March 2021

On Tuesday, March 9, Microsoft released updates to address more than 80 vulnerabilities in Windows, Edge, Azure, Office, and other products. Several of the vulnerabilities are being actively exploited, including a memory corruption issue in Internet Explorer that was used in attacks targeting security researchers; the flaw can be exploited to gain privileges equivalent to those of the logged-on user.

Editor's Note

With all the attention to Exchange, don’t lose sight of this month’s Microsoft patches. Ten of the released updates are rated critical. Some of the patches are being refined, so keep an eye out for changes. Note that this is the last patch for the legacy Edge browser, because support ends this month. You should be actively migrating off legacy Edge to alternatives such as Chromium Edge.

Lee Neely

I hope you had the Exchange server issue under control ahead of the release of Tuesday's monthly patches. We should all be patching DNS servers (and AD using DNS). This vulnerability, while not as easily exploitable as some, has also had some PoC exploits released.

Johannes Ullrich

2021-03-09

Adobe Updates Fix Five Critical Flaws in Framemaker, Connect, and Creative Cloud

Adobe has released updates to address critical flaws in Framemaker, Connect, and Creative Cloud. An out-of-bounds read issue in Framemaker, an improper input validation issue in Connect, and an arbitrary file overwrite issue and an OS command injection issue in Creative Cloud could be exploited to allow arbitrary code execution. An improper input validation issue in Creative Cloud could be exploited to gain elevated privileges.

Editor's Note

While these vulnerabilities are rated critical, they are also marked priority 3, which means the product has not historically been a target and the updates can be installed at your discretion. Creative Cloud users should automatically get the updates. Add scanning for the updated versions to your monthly patch verification process, flagging or updating those who fail to apply the update.

Lee Neely

2021-03-11

F5 Issues Updates to Fix Seven BIG-IP Flaws; Four are Critical

F5 has disclosed seven security issues affecting its BIG-IP and BIG-IQ network devices. Four of the flaws are critical remote code execution issues that could be exploited to take control of vulnerable systems. The flaws are fixed in BIG-IP versions 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3. One of the critical flaws also affects BIG-IQ; it is fixed in versions 8.0.0, 7.1.0.3, and 7.0.0.2.

Editor's Note

In addition to patching these systems, verify that the administrative interfaces are not exposed. The #1 precaution you can take, whether it is for a home router or an enterprise gateway, is to avoid exposing your administrative interfaces and APIs to the public.

Johannes Ullrich

If you’re an F5 shop, you’re probably using F5 not only for load balancing Internet-facing services, but also for WAF and SSL termination. These vulnerabilities enable remote code execution, so an exploit can effectively pivot into non-public areas of your corporate network. It’s reasonably easy to discover vulnerable devices with tools like Shodan. There is no effective mitigation other than patching/updating. The F5 overview below has a table of affected to fixed software versions. Use this to plan your attack. Also don’t overlook your non-Internet-facing F5 devices.

Lee Neely

2021-03-10

Verkada Surveillance Cameras Breached

Live feeds from more than 150,000 Verkada surveillance cameras were breached after administrator account credentials were found on the Internet. The intruders were able to access archived footage as well. Verkada has disabled all internal administrator accounts. Affected organizations include hospitals, prisons, schools, police stations, and manufacturing facilities.

Editor's Note

This isn't new: Internet connected cameras accessed via some kind of "support" or "backdoor" password. Cameras often need to be exposed to the Internet for remote monitoring. If you do this: Please do not place cameras in sensitive areas (for example inside your house or office) and avoid systems that store footage in the cloud.

Johannes Ullrich


2021-03-11

European Judicial and Law Enforcement Authorities Make Arrests After Cracking Sky ECC Encryption

Authorities in Belgium, France, and the Netherlands, with the support of Europol and Eurojust, have “unlocked” the Sky ECC encrypted communication network, which allows them to monitor communications of organized crime groups. Earlier this week, authorities conducted raids in which they seized property and made arrests. Sky ECC maintains that its encryption was not broken, but that the information used to make the arrests and seizures was obtained through a phony version of its app.

Editor's Note

Well done to all involved in this operation. In particular I think it is very worth noting that this operation was successful without requiring any backdoors into encryption. This demonstrates that we can have strong encryption and that law enforcement with the right resources and tools do not need to undermine that security to attain their goals.

Brian Honan

2021-03-10

OVHcloud Data Center Fire in France

A fire at OVH data centers in Strasbourg, France, has affected the availability of major websites, including eeNews Europe, VeraCrypt, and Rust. Some threat actor groups have also been affected. The fire broke out in one of the site's four data centers; the entire Strasbourg site has been isolated. OVHcloud is the largest cloud services provider in Europe.

Editor's Note

OVH has a rich history of inaction against malicious sites. Some researchers noted how the data center fire removed about 30% of the infrastructure used by various APT groups. This history of inaction against malicious content may also be an indicator for an underlying issue with how the data centers are run in general.

Johannes Ullrich

Just because you moved to the cloud does not mean your BCP issues have magically gone away. Always revise your BCPs and test them using different scenarios, your cloud provider going offline being one of those scenarios.

Brian Honan

2021-03-11

Schneider Releases Updates to Address Flaws in Certain Smart Meters

Schneider Electric has released updates for two vulnerabilities that affect its PowerLogic ION/PM smart meter product line. The flaws, which were detected by researchers at Claroty, are pre-authentication integer-overflow vulnerabilities; both could be exploited to reboot a vulnerable meter, effectively creating a denial-of-service condition. One of the vulnerabilities could also be exploited to allow remote code execution.

Editor's Note

These are unauthenticated vulnerabilities, which have been widely published on the Internet. Beyond applying the update, make sure that your meters are properly isolated and that only authorized devices can reach them. The Schneider Electric bulletins include general security recommendations. Also use NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf) to validate the security measures taken and identify gaps to resolve.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+March+2021+Patch+Tuesday/27184/


Adobe Updates

https://helpx.adobe.com/security.html


Network Camera Breach

https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams

https://www.bleepingcomputer.com/news/security/hackers-access-surveillance-cameras-at-tesla-cloudflare-banks-more/


git vulnerability

https://github.blog/2021-03-09-git-clone-vulnerability-announced/


SharpRDP - PSExec without PSExec, PSRemoting without PowerShell

https://isc.sans.edu/forums/diary/SharpRDP+PSExec+without+PSExec+PSRemoting+without+PowerShell/27188/


F5 Critical Vulnerabilities

https://support.f5.com/csp/article/K02566623


Netgear Updates

https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/


Linux Foundation sigstore

https://sigstore.dev


Piktochart - Phishing with Infographics

https://isc.sans.edu/forums/diary/Piktochart+Phishing+with+Infographics/27194/


ProxyLogon Public PoC

https://www.praetorian.com/blog/reproducing-proxylogon-exploit/


Windows 10 Crashes After March 10th Updates

https://www.bleepingcomputer.com/news/microsoft/windows-10-crashes-when-printing-due-to-microsoft-march-updates/


DNS Vulnerability Updates

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/seven-windows-wonders-critical-vulnerabilities-in-dns-dynamic-updates/


Rob Upchurch: Preventing Windows 10 SMHNR DNS Leakage

https://www.sans.org/reading-room/whitepapers/dns/preventing-windows-10-smhnr-dns-leakage-40165