SANS NewsBites

Exchange Server Patching Continues; Ransomware Attacks Against Education Sector Increase; Surprising Ways to Solve the Cyber Talent Shortage

March 26, 2021  |  Volume XXIII - Issue #24

Top of the News


2021-03-24

Exchange Server: 92 Percent Patched (But Patching is Not Sufficient)

Earlier this week, Microsoft said that 92 percent of vulnerable on-premises Exchange Servers have applied mitigations or been patched against the critical ProxyLogon flaws. Organizations should note that installing the patches does not eliminate the infection if the servers were compromised prior to patching. IT administrators should check systems for indicators of compromise (IOC). Microsoft released fixes for the four vulnerabilities on March 2.

Editor's Note

A 92% mitigation rate is indeed impressive, unless it is due to attackers mitigating the vulnerability to hold on to servers they compromised. Again: It is critical to investigate Exchange servers in detail while patching. A pre-patch compromise is very likely.

Johannes Ullrich

The DHS emergency directive (ED 21-02) requires forensically imaging and analyzing the system prior to patching to avoid this scenario. It is so easy to get caught up in the heat of the moment and forget to check for compromise before patching the vulnerability. If you skipped the check, run the tools from CISA or Microsoft to make sure you’re clean, then cross check with your SIEM. Also verify that your endpoint protection is watching for exploitation real-time. Note Windows Defender includes this capability if your current solution does not. https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/ https://us-cert.cisa.gov/ncas/alerts/aa21-077a

Lee Neely

This has long been a leading indicator of security-based processes/security programs vs. compliance-based. After a vulnerability is discovered, do you check to see if it had been exploited before you detected and mitigated the vulnerability? Old example: web security gateway is updated with more URLs of malicious and/or compromised web sites – did you check to see if any internal machines communicated with the newly discovered evil locations? Too many audits just check the box if vulnerability scanning and patching, URL updating and blocking is done and never look for that “we found the door to the vault open *and* checked to see if any cash was missing” step.

John Pescatore
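The "check whether it was already exploited" step from the item above and from the note on security-based versus compliance-based processes, as an added example (not code from SANS, CISA or Microsoft): a retro-hunt over web-proxy logs that asks which internal hosts had already talked to a destination before it was added to the gateway blocklist. The log format, the blocklist entries, the hostnames and the cut-over time are constructed for illustration; the same pattern applies to a SIEM query against your own proxy or DNS logs.

```python
"""Retro-hunt after a blocklist update.

Added example for this NewsBites item; not SANS, CISA or Microsoft code.
Log format, blocklist entries, hostnames and timestamps are constructed.
Question answered: which internal hosts contacted a newly listed
destination BEFORE the block took effect? Those hosts need triage, because
the gateway never stopped them.
"""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LOG = """\
2021-03-22T09:14:03Z 10.1.4.22 GET http://cdn-updates.example.net/installer.exe 200
2021-03-22T09:15:41Z 10.1.4.22 POST http://c2.badhost.example/beacon 200
2021-03-22T10:02:10Z 10.1.7.9 GET https://www.example.com/ 200
2021-03-23T08:00:00Z 10.1.9.3 GET https://mail.badhost.example/login 302
2021-03-24T12:30:00Z 10.1.4.22 GET http://c2.badhost.example/beacon 403
"""

# Constructed: domains added to the web gateway blocklist, and when the
# block became effective. Anything before this time went through unblocked.
NEW_BLOCKLIST_ENTRIES = {"c2.badhost.example", "badhost.example"}
BLOCK_EFFECTIVE = datetime.fromisoformat("2021-03-24T00:00:00+00:00")


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname.lower(),
        "status": int(status),
    }


def host_matches(host, blocklist):
    """True if host equals a listed domain or is a subdomain of one."""
    parts = host.split(".")
    candidates = {".".join(parts[i:]) for i in range(len(parts))}
    return bool(candidates & blocklist)


def retro_hunt(log_text, new_entries, effective):
    """Return {client_ip: [hosts]} for contacts with newly listed hosts
    that happened before the block took effect."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ts"] >= effective:
            continue  # the gateway was already blocking; not a pre-block contact
        if host_matches(rec["host"], new_entries):
            hits.setdefault(rec["client"], set()).add(rec["host"])
    return {client: sorted(hosts) for client, hosts in hits.items()}


if __name__ == "__main__":
    for client, hosts in retro_hunt(PROXY_LOG, NEW_BLOCKLIST_ENTRIES, BLOCK_EFFECTIVE).items():
        print(f"triage {client}: contacted {', '.join(hosts)} before the block")
```

The suffix match in `host_matches` is deliberate: a list entry for a bare domain should also catch its subdomains, while a lookalike such as `notbadhost.example` must not match. Run the hunt at every list update, not once; the interesting output is the set of hosts the new rule would have stopped but did not.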

2021-03-24

Exchange Server: Australia Cyber Security Centre is Scanning for Vulnerable Systems

Australian Cyber Security Centre (ACSC) head Abigail Bradshaw said that organizations have reached out to ACSC regarding the Microsoft Exchange Server vulnerabilities after they detected indicators of compromise (IOC) on their systems. ACSC is conducting scans of externally facing Internet connections to determine how many systems remain vulnerable.

Editor's Note

The ACSC is not only tracking vulnerable systems but also working to help get them patched and mitigated. They are partnering with both Microsoft and Commonwealth CISOs as well as state and territory governments to open communication channels and develop needed expertise to resolve problems.

Lee Neely

2021-03-23

NCSC Urges Schools to Take Steps to Bolster Defenses Against Ransomware

The UK’s National Cyber Security Centre (NCSC) is warning of an increase in the number of ransomware attacks targeting the education sector. NCSC is urging schools to take steps “to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.”


2021-03-23

CIOs Stepping Up Cyber Talent Efforts

The CIO Institute’s new report, “What Works in Finding Elite Cybersecurity Talent: Promising Practices for Chief Information Officers,” was distributed to 4,800 CIOs this week. It shows how CIOs are taking a more active role in cyber talent management and has two surprising findings: (1) the yield of elite talent from cyber education programs is shockingly low, and (2) employers use security certifications to decide whom to interview for job openings. The report also includes information about finding cyber talent inside organizations, outside the IT groups.

The Rest of the Week's News


2021-03-24

Ransomware: Sierra Wireless

Canadian Internet of Things (IoT) manufacturer Sierra Wireless is the victim of a ransomware attack. The attack began on March 20. It affected multiple manufacturing sites and disrupted internal operations. The incident has prompted the company to withdraw Q1 2021 financial guidance it released on February 23.


2021-03-11

Ransomware: Spanish Labor Agency

A ransomware attack against Spain’s State Public Employment Service (SEPE) has delayed “hundreds of thousands” of appointments at the labor agency. SEPE is involved in the distribution of unemployment benefits. The attack affected all 710 SEPE offices.


2021-03-25

Ransomware: How One Company Recovered Without Paying Demand

When Colorado-based data storage company SpectraLogic was the target of a ransomware attack in May 2020, the company called in the FBI instead of engaging with the attackers, who had demanded $3.6 million. SpectraLogic had backups that were separate from the network. Company systems were largely restored within eight days; non-critical systems were brought back several weeks later.

Editor's Note

This is a good recap of what it’s really like recovering your enterprise from an attack even when you have offsite backups. Partnership between IT and Cyber Security was key to eliminating the threat from their system to prevent recurrence. Fortunately, they were not subject to additional extortion related to disclosure of exfiltrated information. As the FBI said, this is the right way to recover, and it is also the hard way.

Lee Neely

This is a fantastic read. It highlights the reality of how difficult, from the technical and business aspects, it is to deal with a ransomware attack. Having reliable backups is a key tool in recovering from such attacks. I suggest that you also run an exercise in your organization as to how you would recover from a ransomware attack; this can help you identify weaknesses that you may have from lack of appropriate tools, contact details for law enforcement, processes and procedures to deal with ransomware, and communications to senior management and other key stakeholders.

Brian Honan

On an early system where I cut my teeth, the rule was "if it ran yesterday, it must run today." We had three restore points: close of business last night, close of business last Friday, and close of business the previous Friday. Historically, backup was designed to recover a small number of files in days. Modern backup may have to be designed to recover some mission-critical applications, networks, or even enterprises in hours. Few legacy systems can meet this requirement.

William Hugh Murray

Ben Wright and I are doing a presentation at the May RSA Conference on “The Risks of Cyberinsurance” and then a SANS paper on the topic. I’ve done a few comparisons of public events on cost to avoid or survive vs. paying the ransom, and also the limits to reduction (not avoidance) of cost that typical cyberinsurance policies provide.

John Pescatore

2021-03-23

Ransomware: Operators Leaking Data Stolen from Universities

Ransomware operators have begun leaking data stolen from the University of Colorado (CU) and the University of Miami. The CU data were taken by exploiting a vulnerability in the Accellion File Transfer Appliance (FTA). The University of Miami has not disclosed a breach, but has acknowledged that its SecureSend email application is not accessible.

Editor's Note

The CLOP ransomware operators claim to have financial documents, student grades, academic records, enrollment information and student biographical information. Now the task is to not only close the vulnerable path, but also assess the risks and return for payment versus regulatory fines, providing identity monitoring and business impacts, including reputation risk. This is a time to actively engage the board or other governing body; do not make these decisions in a vacuum.

Lee Neely

2021-03-24

Browser Changes: Chrome Will Default to HTTPS; Firefox Debuts Enhanced Privacy Feature

When Google moves Chrome 90 to the stable channel in mid-April, the browser will use HTTPS as the default protocol for addresses typed in the address bar without a scheme. Earlier this week, Mozilla released Firefox 87, which includes a new privacy feature called SmartBlock. The feature aims to improve the performance of websites that are “broken” by Firefox’s tracking protections. SmartBlock is available in both private browsing and strict mode.

Editor's Note

Firefox and Google Chrome using HTTPS by default does not improve security a lot, but it is a great indicator that the "HTTPS Everywhere" initiative succeeded in making HTTPS common enough to allow for this step. Some people have suggested eliminating HTTP. This may never be possible, as the proper use of HTTPS requires certificates verifying a specific host name. To configure these certificates, HTTP may still be needed. For sites listening on loopback for example, HTTPS does not add much and a correct implementation of HTTPS can be difficult.

Johannes Ullrich

About 83% of sites are now HTTPS, so Chrome defaulting to https:// unless otherwise specified will have nominal impact. Even so, verify secured sites are what they claim to be. Note that IP addresses, reserved hostnames like localhost, and single-label domains (e.g., payroll) will still default to http://. Firefox 87 also contains enhancements which limit the information in the HTTP Referer header to just the top-level URL: https://www.example.com is sent rather than https://www.example.com/mypath?myparameters.

Lee Neely
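The two browser behaviours in this item, written out as plain functions so the edge cases are explicit. This is an added example, not Chromium or Mozilla code: `default_scheme` applies the rule described above (IP literals, reserved names such as localhost, and single-label names keep http://, everything else gets https://), and `referer_for` implements the standard strict-origin-when-cross-origin referrer policy, which trims the Referer to the origin on cross-origin navigations as the note describes and, going slightly beyond the note, keeps the full URL for same-origin navigations and sends nothing on an https-to-http downgrade. The reserved-name list is a minimal assumption for illustration; Chromium's exact hostname classification is not on this page.

```python
"""Address-bar scheme defaulting and Referer trimming, as plain functions.

Added example for this NewsBites item; not Chromium or Mozilla code.
RESERVED_HOSTS is an assumption (minimal list for illustration).
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

RESERVED_HOSTS = {"localhost"}  # assumption: real browsers know more names


def default_scheme(typed):
    """Scheme a browser picks for address-bar input that carries no scheme.

    http  for IP literals (v4 or bracketed v6), reserved names, single-label
          names such as an intranet host called 'payroll'
    https otherwise
    """
    host = urlsplit("//" + typed).hostname  # strips port and path, lowercases
    if not host:
        return "https"
    try:
        ipaddress.ip_address(host)  # raises ValueError if not an IP literal
        return "http"
    except ValueError:
        pass
    if host in RESERVED_HOSTS or host.endswith(".localhost"):
        return "http"
    if "." not in host:  # single-label name: almost always an internal host
        return "http"
    return "https"


def referer_for(source_url, destination_url):
    """Referer header value under strict-origin-when-cross-origin.

    Returns None when no Referer should be sent (https -> http downgrade).
    """
    src, dst = urlsplit(source_url), urlsplit(destination_url)
    if src.scheme == "https" and dst.scheme == "http":
        return None  # downgrade: leak nothing
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    if same_origin:
        # full URL minus fragment
        return urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    # cross-origin: origin only, serialized with a trailing slash as browsers do
    return f"{src.scheme}://{src.netloc}/"


if __name__ == "__main__":
    for typed in ("payroll", "192.168.1.10/admin", "[::1]:8080", "localhost:3000", "www.example.com/login"):
        print(f"{typed:24} -> {default_scheme(typed)}://")
    print(referer_for("https://www.example.com/mypath?myparameters", "https://other.example/"))
```

The practical takeaway for anyone running internal web apps: a single-label intranet name will still be reached over plain HTTP by default, so either give those hosts a fully qualified name with a certificate or configure HSTS where the name allows it.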

2021-03-24

Insurance Company CNA Financial Suffers Data Breach

Insurance firm CNA Financial was hit with a cyberattack on Sunday, March 21. A message on the company’s website notes that “out of an abundance of caution, we have disconnected our systems from our network, which continue to function.” Because CNA is a top US provider of cybersecurity insurance, there is concern that the attackers were looking for policyholder data, which could be used to plan ransomware attacks against companies with ransomware coverage.


2021-03-24

California State Controller’s Office Suffers Data Breach

Earlier this month, the California State Controller’s Office Unclaimed Property Division experienced a data breach. A successful phishing attack gave attackers access to an employee account for 24 hours between March 18 and 19. The breach compromised personal data, including names, addresses, Social Security numbers, and the value of the property that has been submitted to the agency.


2021-03-23

IT Contractor Gets Two Years in Prison for Deleting 1,200 O365 Accounts

Former IT contractor Deepanshu Kher has been sentenced to two years in prison for breaking into a company’s server and deleting more than 1,200 of the company's 1,500 O365 accounts. Kher had worked for a consulting firm that was hired to help the unnamed company with its O365 migration. Kher was pulled from the project for unsatisfactory work and then fired from the consulting firm in 2018. Several months later, he broke into the company’s system and deleted the accounts.


2021-03-25

QNAP Warns of Brute Force Attacks Targeting NAS Devices

QNAP is urging customers to take steps to improve the security of their Internet-exposed network attached storage (NAS) devices. The devices are being targeted in brute force attacks. Users are encouraged to use strong passwords, change the default access port number, and disable the admin account.

Editor's Note

My monthly(?) reminder: Never, ever expose NAS devices to the public internet. I have also noticed an increase in scans against SSH servers listening on (very) odd ports lately. That said: I believe QNAP is attempting to distinguish itself a bit from the crowd of similar devices by being more open in alerting its customers of security issues surrounding its product.

Johannes Ullrich

NAS devices are a popular target. Not only do they have access to possibly sensitive data and backups, they are a location where crypto mining software can hide with a lower chance of detection. In addition to the advice above, be sure you have configured IP access restrictions to only allow authorized hosts to access the device, and don’t expose services to the Internet.

Lee Neely

2021-03-24

Known Flaws in Thrive Themes for WordPress are being Actively Exploited

Recently-patched vulnerabilities in Thrive Themes “legacy” themes and Thrive Themes plugins for WordPress are being actively exploited. The two flaws can be chained to allow unauthenticated users to upload arbitrary files on vulnerable WordPress sites. Users are urged to update to Thrive Themes “legacy” themes 2.0.0 and to the most recent versions of Thrive Themes plugins.

Editor's Note

A flaw in the REST API for Zapier can be exploited when Zapier is not configured, which allows arbitrary data to be added to the wp_options table. That, coupled with a flaw in the “Legacy” theme’s file compression REST API call, allows for the creation of arbitrary files on the site, including executable PHP. Updates to the Thrive themes and plugins were released March 12th; auto update can update themes as well as plugins. Wordfence Premium versions received firewall rules March 23rd, and the free version will receive them on April 22nd.

Lee Neely

WordPress plugins continue to be both vulnerable and exploited. They should be used sparingly, by design and intent, not by default, and should be actively managed and policed.

William Hugh Murray

2021-03-24

Cisco Fixes Jabber Flaws

Cisco has released updates to address five vulnerabilities in Jabber for Windows, macOS, Android and iOS. The most severe of the flaws is due to improper input validation of message content and could be exploited to allow remote, authenticated users to execute arbitrary code.

Editor's Note

The alert suggests running Jabber in Phone-only or Team Messaging mode is a workaround for all but CVE-2021-1471. It is better to push out the updated versions. The Cisco alert below includes information on fixed and vulnerable versions. Mobile devices should auto-update to new versions as they are released to their respective App Stores.

Lee Neely

Internet Storm Center Tech Corner

March 2021 Traffic Analysis Quiz

https://isc.sans.edu/forums/diary/March+2021+Traffic+Analysis+Quiz/27228/


Analysis from March 2021 Traffic Analysis Quiz

https://isc.sans.edu/forums/diary/Analysis+from+March+2021+Traffic+Analysis+Quiz/27232/


2021 Security Awareness Report - Managing Human Cyber Risk

https://www.sans.org/security-awareness-training/blog/insights-6th-annual-sans-security-awareness-report-managing-human


Sending PFSense Firewall Logs to DShield

https://isc.sans.edu/forums/diary/Submitting+pfSense+Firewall+Logs+to+DShield/27240/


RFC 8996 Deprecating TLS 1.0 and TLS 1.1

https://tools.ietf.org/html/rfc8996


GE UR Family Vulnerabilities

https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02


Firefox/Thunderbird Updates

https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/


Microsoft Warning of New Phishing Campaign

https://twitter.com/MsftSecIntel/status/1374148166912647168


COVID-19 Vaccination Record Cards Posted on Social Media

https://arstechnica.com/tech-policy/2021/03/dark-web-bursting-with-covid-19-vaccines-vaccine-passports/


Foxit Reader Security Update

https://www.foxitsoftware.com/support/security-bulletins.html


Recovering Redacted PEM Private Keys

https://blog.cryptohack.org/twitter-secrets


Hidden OAuth2 Attack Vectors

https://portswigger.net/research/hidden-oauth-attack-vectors


Exchange Servers Patched at Record Pace

https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/


Cisco Patches

https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&securityImpactRatings=high&firstPublishedStartDate=2021%2F03%2F24&firstPublishedEndDate=2021%2F03%2F24


OpenSSL Update

https://www.openssl.org/news/secadv/20210325.txt


Google Chrome https by default

https://blog.chromium.org/2021/03/a-safer-default-for-navigation-https.html