SANS NewsBites

Exchange Server: The Attack That Keeps On Giving (Pain); and Big Cyber Flaws in Power Management from GE

March 23, 2021  |  Volume XXIII - Issue #23

Top of the News


2021-03-22

Exchange Server: Some Patched Systems Were Already Breached

Brandon Wales, acting executive director of the Cybersecurity and Infrastructure Security Agency (CISA) said that thousands of Exchange Servers that have been patched had already been breached. He urged companies to check their systems for indicators of compromise and malicious activity, noting that compromised systems could be used to introduce ransomware or to attack other organizations. Updates for the critical flaws were released on March 2, but many systems have not yet been patched. Researchers at F-Secure said that Exchange Servers are being attacked “faster than we can count.”

Editor's Note

Make sure that you’ve checked for IOCs after you patch. The vulnerabilities are being actively exploited, and even if you applied the patches the day they were released, you still need to verify that your system is clean. Both Microsoft and CISA have published free tools to scan your system. The Microsoft EOMT tool has been updated to be easier and more effective than the prior version and will download and install the MS Security Scanner. https://github.com/microsoft/CSS-Exchange/tree/main/Security

Lee Neely

Internet-wide scans preceded the patch. Assume breach if your Exchange server was exposed to the internet before you applied the patch.

Johannes Ullrich

2021-03-22

Exchange Server: Ransomware Operators are Moving In

Vulnerable Microsoft Exchange Servers are now being actively targeted by ransomware operators. Ransomware known as DearCry began attacking Exchange Servers as early as March 9. BlackKingdom ransomware began exploiting the vulnerabilities more recently.

Editor's Note

DearCry appears to be a quickly developed package which encrypts not only data, but also executables and DLLs, rendering the system unusable. BlackKingdom is a more mature traditional ransomware, and security firms can provide help with file recovery if needed. Mitigate the risk by applying patches, scanning for IOCs and making sure that you have real-time detection of attempted exploitation.

Lee Neely

2021-03-19

Exchange Server: Microsoft Defender Antivirus Mitigates One of the Vulnerabilities

Microsoft has updated two antivirus tools so that they mitigate one of the Exchange Server vulnerabilities in on-premises servers. Microsoft Defender Antivirus and System Center Endpoint Protection mitigate one of the four Exchange Server vulnerabilities for which Microsoft released patches earlier this month. By mitigating this particular vulnerability (CVE-2021-26855), the tools thwart attackers’ current mode of operation.

Editor's Note

The Defender mitigation addresses the ProxyLogon vulnerability. Even with the Defender mitigation, you still need to apply the patches for a comprehensive fix as well as scan to make sure your system has not been compromised. The Microsoft EOMT tool is designed to make this easy and can remediate issues found.

Lee Neely

2021-03-22

CISA Warns of Multiple Vulnerabilities in GE Power Management Devices

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of multiple vulnerabilities in GE’s Universal Relay power management devices. The flaws could be exploited to access sensitive information, obtain privileged access, create a denial-of-service condition, or reboot the device. GE urges users to update affected devices’ firmware to UR firmware version 8.10 or later.

Editor's Note

The list of vulnerabilities found in GE’s firmware is pretty much like reading the OWASP Top 10 software vulnerabilities list from 2005! This is true for many of the operational technology and “Internet of Things” vulnerabilities being disclosed – lots of vulnerabilities caused by prioritizing convenience (easy installs) over security, and these devices put many obstacles in the way of easy patching. Essential security hygiene or at least strong segmentation and break/fix windows for patching should be high priority. Spending on Computerized Maintenance Management Systems (CMMS) by OT teams is a $1B per year market. Find out if your company is using a CMMS product and try to get firmware updating to be part of routine maintenance planning.

John Pescatore

The list of disclosed vulnerabilities is both long and reminiscent of vulnerabilities we learned how to avoid years ago. Note that the version 7.4 firmware update added SSH V1 support and version 8.1x has support for weak SSH algorithms. Beyond updating the firmware, use network segmentation, firewalls, and isolation to limit access to these devices to only authorized devices as it is not clear the weak protocols can be disabled. Don’t allow direct access from the Internet or your enterprise internet. See also the CISA control systems recommended practices for references on ICS defense in depth and improving ICS overall cybersecurity: https://us-cert.cisa.gov/ics/recommended-practices.

Lee Neely

The Rest of the Week's News


2021-03-19

US Federal Grand Jury Indicts Swiss Citizen For Alleged Role in Leaking Stolen Data

A US federal grand jury has indicted an individual on charges that they allegedly stole sensitive data and then posted them on the web. The compromised data include administrative credentials, access keys, and source code. Till Kottmann, who remains in Switzerland, faces several charges, including conspiracy to commit computer fraud and abuse.

Editor's Note

While the motivation for the hack appears to be raising awareness of private company and government-sponsored surveillance and the corresponding impacts on privacy coupled with inadequate security, unauthorized hacking is going to run you into legal entanglements. Worse still, if you’re taking action in support of class-action lawsuits intended to change legislation, it can render your work inadmissible. If you’re interested in disclosing security shortfalls, use the processes of a responsible disclosure organization to do it legally.

Lee Neely

2021-03-22

Netop Fixes Four Critical Flaws in Remote Teaching Software

Netop has addressed four critical vulnerabilities in its Netop Vision Pro system; the monitoring software is used by teachers to remotely access students’ computers. The flaws could be exploited to spy on students through webcams and microphones, infect machines with malware, and steal user credentials. Netop learned of the vulnerabilities in December 2020 and released an updated version of the product in February 2021.


2021-03-19

Critical BIG-IP Vulnerability is Being Actively Exploited

Attackers are scanning for and actively targeting systems with unpatched F5 Networks BIG-IP and BIG-IQ network devices. F5 released fixes for this flaw and 20 others earlier this month. The unauthenticated remote command execution vulnerability exists in the iControl REST interface. BIG-IP server appliances are used to manage traffic flowing into and out of large networks.

Editor's Note

Exploitation of the vulnerability is trivial, and exploits are widely available. An attacker will first use an SSRF vulnerability to obtain credentials. Next, they will use these credentials to execute code. Exploits have been easily available for a few days now.

Johannes Ullrich

2021-03-22

Adobe Issues Fix for Critical Flaw in ColdFusion

Adobe has released updates for ColdFusion to address a critical improper input validation vulnerability that could be exploited to execute arbitrary code. The issue affects ColdFusion 2016 Update 16 and earlier, ColdFusion 2018 Update 10 and earlier, and ColdFusion 2021, version 2021.0.0.323925.

Editor's Note

Adobe gives the security bulletin a priority rating of 2, which indicates that while it’s not actively being exploited, this is a product which has historically been at risk, so you should plan to update soon (within 30 days). Don’t wait for someone to discover your unpatched server. Note that you need to not only apply the corresponding ColdFusion update, but also update your JRE/JDK to the latest versions of the LTS releases for 1.8 and JDK 11 to secure the server. The Adobe security update site below also has links to guides for locking down your ColdFusion server, which should be leveraged.

Lee Neely

Details from Adobe are sparse, but the vulnerability may allow unauthenticated remote code execution. Patch now! You may actually have a few days before an exploit is released.

Johannes Ullrich

2021-03-22

Shell Discloses Accellion File Transfer Appliance Breach

Energy company Shell disclosed that it “has been impacted by a data security incident involving Accellion’s File Transfer Appliance.” The company is notifying affected individuals and stakeholders.

Editor's Note

The Accellion FTA is being actively targeted and has been since December. Even if you apply the patches to extend the life of the service while you transition, you must check the device for indicators of compromise. At this point it may be better to take it offline and accelerate the migration than accept the risk of further compromise.

Lee Neely

This is the latest example of a breach caused by the Accellion File Transfer Appliance. Other victims include Qualys, Flagstar Bank, Kroger and more. This also illustrates the fundamental challenge of enterprise computing. Accellion’s FTA is a 20-year-old product that was no longer well maintained by the vendor (and officially declared end of life earlier this year after the recent rash of exploits). It is difficult for enterprises to remove these legacy devices from their network.

Johannes Ullrich

2021-03-22

Flagstar Bank Now Says Some Customer Data Were Compromised in Accellion Attack

Michigan’s Flagstar Bank has been notifying some people that their personal data, including names, addresses, and Social Security numbers, were compromised through an attack against the institution’s Accellion file sharing platform. When Flagstar initially acknowledged the January attack several weeks ago, it said that employee data were compromised. Some of the people who have recently been contacted have not had an account with Flagstar in years; others have never had an account with Flagstar.

Editor's Note

Flagstar is offering two years of free credit monitoring to affected individuals. If you don’t already have credit monitoring, accept the offer. Otherwise, multiple monitoring services do not add much value. Note that financial institutions may acquire your personal information in unexpected ways, such as when they purchase your loan from the originating institution, and have retention requirements, mandated by regulators, which exceed the time you’re a customer. As a business, retain personal information the minimal amount of time, making sure you don’t have caches of unpurged data.

Lee Neely

2021-03-18

Survey: Cybersecurity Experts Rank Smart City Technologies

Researchers at Berkeley’s Center for Long-Term Cybersecurity (CLTC) asked security experts to “rank different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack.” According to the results of the survey, emergency alerts, street video surveillance, and smart traffic signals posed more security risks than other technologies. The other technologies included in the survey are smart waste/recycling bins; satellite water leak detection; water consumption tracking; smart tolling; public transit open data; and gunshot detection. The experts were asked to consider the presence of serious vulnerabilities in the underlying technology, the consequences of a successful attack, and whether the technology would be considered a target of interest for attackers.

Editor's Note

The term “Smart City” is like “Internet of Things” – very broad terms that often contain very different technologies or use cases. Comparison of risk across the disparate items within those broad buckets isn’t very meaningful. It is more important to focus on requiring essential security hygiene to be built into all products and systems being procured as part of “Smart City” initiatives.

John Pescatore

2021-03-19

Russian Pleads Guilty to Tesla Extortion Attempt

A Russian man who attempted to recruit a Tesla employee to place malware on computers at the Tesla Gigafactory has pleaded guilty to “conspiracy to intentionally cause damage to a protected computer.” Egor Igorevich Kriuchkov allegedly planned to use the malware to steal data from the network and hold them for ransom. Rather than cooperate with Kriuchkov, the Tesla employee informed his employer, who then notified the FBI. Kriuchkov was arrested in August 2020.

Internet Storm Center Tech Corner

Video: Finding Cobalt Strike and Metasploit Downloads

https://isc.sans.edu/forums/diary/Video+Finding+Metasploit+Cobalt+Strike+URLs/27224/


Nim Strings

https://isc.sans.edu/forums/diary/Nim+Strings/27230/


D/TLS DDoS Attacks added to booters

https://www.netscout.com/blog/asert/datagram-transport-layer-security-dtls-reflectionamplification


Microsoft Withdraws Windows Emergency Fix

https://www.bleepingcomputer.com/news/microsoft/microsoft-halts-rollout-of-windows-10-kb5001649-emergency-update/


Active Attacks Against F5 BigIP

https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/

https://twitter.com/Unit42_Intel/status/1373017186818781190


Adobe ColdFusion Patch

https://helpx.adobe.com/security/products/coldfusion/apsb21-16.html


Unsafe Deserialization in Apache OFBiz

https://seclists.org/oss-sec/2021/q1/255


Firefox Restricting Referrer Header

https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/