SANS NewsBites

CISA Requires Microsoft Safety Scanner to be Run; North Korean Fake Security Company; Ubiquiti Breach “Catastrophically Worse Than Reported”; Ransomware: University of Maryland Data Leaked

April 2, 2021  |  Volume XXIII - Issue #26

Top of the News


2021-04-01

Exchange Server: CISA Requires Agencies to Run Microsoft Safety Scanner

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to “download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode” and “download and run the Test-ProxyLogon.ps1 script as an administrator to analyze Exchange and IIS logs and discover potential attacker activity.” Agencies must perform these actions by noon EDT on Monday, April 5. There are also hardening requirements that must be implemented by June 28, 2021. The new requirements were released as Supplemental Direction to CISA’s March 3 Emergency Directive 21-02.

Editor's Note

Everybody should run the Microsoft Safety Scanner for Exchange, even if you patched as soon as the patch was released by Microsoft. The scanner isn't perfect, but it is easy to run, and you should assume that the system was compromised the day before the patch was released.

Johannes Ullrich

The MSERT script is being updated frequently, so be sure to download the latest before performing these scans. The new requirements are not just to harden the OS of the servers, but also to verify that you’re employing the principle of least privilege for accounts on your Exchange server. Also note the requirement to not only be on supported OS and Exchange versions but also to apply patches within 48 hours of release, which leaves little time for regression testing and necessitates verified roll-back procedures.

Lee Neely

2021-04-01

North Korean State-Sponsored Threat Actors Created Fake Security Company

North Korean state-backed hackers are once again targeting security researchers. This time, the threat actors have set up a phony offensive security company, replete with a website and associated social media accounts. The fake company, SecuriElite, says it is based in Turkey and that it offers penetration testing, software security assessments, and exploits. The same group of threat actors launched a campaign earlier this year involving phony social media accounts, from which they asked targeted researchers if they wanted to collaborate on a project.

Editor's Note

Just as you would for services used at home, you need to check references carefully when hiring a security firm. Use known good sources for references. If your industry peers haven’t heard of or don’t have direct experience with a firm, use caution or select again.

Lee Neely

2021-04-01

Whistleblower: Ubiquiti Breach “Catastrophically Worse Than Reported”

In a letter to the European Data Protection Supervisor, a whistleblower wrote that a breach disclosed by Ubiquiti in January 2021 “was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers.” In a March 31 Update to January 2021 Account Notification, Ubiquiti disclosed that it was targeted by an unsuccessful extortion attempt in January.

Editor's Note

Unlike similar products, the "controller" function for Ubiquiti's network and video products is run on premise. But authentication usually happens via Ubiquiti's cloud authentication service. In addition, the web-based controller software in some cases retrieves components from Ubiquiti's site. I reviewed the controller web interface, and for example, Ubiquiti is including JavaScript from delighted.com for "optional user surveys". An attacker, who appears to have had full access to Ubiquiti's source code and cloud infrastructure, may have been able to swap out that code for something malicious. If you are using Ubiquiti products, make sure you disable remote access to the controller.

Johannes Ullrich

Transparency is key in a breach situation. Be clear about the scope and relevance of affected systems, as well as recovery efforts. Update your disclosure as new information becomes available to maintain the relationship with your customers and users. For third-party contracts, make sure that your security requirements flow down to sub-contractors and that your indemnification and liability clauses are sufficient to protect your business. If you’re using the Ubiquiti cloud management services and you have not changed your password since January 11th, both change it and implement MFA.

Lee Neely

2021-03-30

Ransomware: University of Maryland Data Leaked

Ransomware operators are leaking data that appears to have been stolen from systems at the University of Maryland, Baltimore, and the University of California, Merced. The compromised data include tax documents, passport numbers, Social Security numbers (SSNs) and health savings plan enrollment forms.

Editor's Note

The Clop group has been harvesting data via Accellion FTA exploits. This dataset includes both employee and student data. While the universities have taken steps to prevent recurrence, employees and students need to make sure they are also taking steps to prevent identity theft for themselves and any family members also included on benefit, tuition, or grant application forms.

Lee Neely

The Rest of the Week's News


2021-03-31

Medical Researchers Targeted in Phishing Campaign

A report from Proofpoint says that state sponsored threat actors have targeted medical researchers in the US and Israel with credential phishing attacks. The campaign began in December 2020. Proofpoint says “the tactics and techniques observed in BadBlood (Proofpoint’s name for the campaign) continue to mirror those used in historic TA453 (aka Charming Kitten) campaigns.”

Editor's Note

Capturing reusable credentials continues to be the “easy button” for getting access to systems and information. In this campaign they are using look-alike sites to harvest credentials, and while users may notice that 1drv[.]casa is not a legitimate Microsoft login site, many will miss that clue. The more complete solution is ubiquitous multi-factor authentication. Don’t allow any users to opt out, reducing the effectiveness of captured credentials. If possible, integrate your password processes with breach data checks to identify and trigger updates for passwords which have been breached.

Lee Neely

Almost every time I read a long report about a complex state-sponsored attack, in the first paragraph I’ll see “phishing” and “harvested login-credential.” After that will be catchy names for the threat actor or malware, and descriptions of what the attackers did after easily “harvesting credentials” – i.e., taking advantage of the use of reusable passwords by obvious targets, like sys admins, medical researchers during a pandemic, security researchers, CFOs, etc. There has been a lot of hype recently about “Zero Trust” architectures, which can’t exist when those targets are still using easily compromised credentials.

John Pescatore

2021-04-01

US Justice Dept. Warns of Vaccine Survey Phishing Campaigns

The US Justice Department says it has received reports of fraudulent COVID-19 surveys that are being sent to consumers in email and in text messages. The message says the recipient is eligible to receive a prize for answering the questions and asks them to provide a credit card number to pay shipping and handling.

Editor's Note

This takes its cues from the old Nigerian scam, where you are tricked into providing a small fee in exchange for a huge reward. And as in that scenario, the temptation to participate is heightened by the campaign message. As then, the task is to train users, friends and family to click only on links from known senders. The DOJ site below has links for not only reporting suspected phishing campaigns, but also references for users who may have provided information to fraudsters as well as protection measures for future use. As we are in tax season, consider an IRS Identity protection PIN to prevent fraudulent filing of a tax return on your SSN. https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

Lee Neely

2021-04-01

SolarWinds: US Malware Analysis Report

The US Department of Homeland Security (DHS) and US Cyber Command are planning to release a malware analysis report that details malicious code allegedly used by the threat actors behind the SolarWinds supply chain attack. The report was initially scheduled to be released on March 31, but has since been delayed.


2021-04-01

Indictment in Kansas Water Utility Breach

US federal authorities have indicted Wyatt A. Travnichek for allegedly tampering with a public water system in Kansas. The incident occurred in late March 2019. Travnichek allegedly gained access to the Post Rock Rural Water District’s computer system and shut down cleaning and disinfection procedures. Travnichek has been charged with tampering with a public water system and reckless damage to a protected computer with unauthorized access.


2021-04-01

RSA: DHS Secretary Describes Planned 60-Day Cybersecurity Sprints

Speaking to a virtual audience at the RSA conference, US Department of Homeland Security (DHS) Secretary Alejandro Mayorkas said that DHS and the Cybersecurity and Infrastructure Security Agency (CISA) are planning a series of 60-day sprints to address cybersecurity goals. There are six areas of focus, including ransomware, resiliency of industrial control systems at water and sewage treatment facilities, and election security. Mayorkas also noted the forthcoming executive order, which will aim to “advance the federal government’s ability to prevent and respond to cyber incidents.”


2021-03-31

Executive Order to Address Breach Disclosure

Anne Neuberger, deputy national security advisor for cyber and emerging technology, said the Biden administration is working closely with the private sector on a forthcoming executive order, which is expected to make “fundamental improvements to national cybersecurity.” Among other elements, the draft executive order would require organizations that do business with the federal government to disclose network breaches within a matter of days.

Editor's Note

Breach disclosure, encryption at rest, and 2FA for companies working with the Federal Government appear to be the core themes of the pending order. When implementing encryption, have a clear understanding of where and when data is, and is not, encrypted. Contracts with the Federal Government already include incident response and disclosure requirements, with pre-identified contacts and defined timelines. Additionally, a clear understanding of how that information needs to be protected, where and when it is reported, and by whom, are key to maintaining trust in the business relationship. If you don’t have similar provisions in contracts with service providers, you need to add them.

Lee Neely

The first federal US breach notification law was proposed in 2003. Sad to see that 18 years later US legislators still have been unable to act in this area. Since several states have joined California in passing state level laws, most companies would prefer a federal standard requirement. So, action is badly needed on this and perhaps the FCC will tackle cell phone number spoofing, too.

John Pescatore

2021-03-31

Brown University Data Center Shut Down Following Cyber Incident

Brown University’s CIO and chief digital officer said they shut down the school’s data center after detecting “a cybersecurity threat to the University’s Microsoft Windows-based technology infrastructure” on March 30. The Computing and Information Services team has begun restoring systems.

Editor's Note

Many services are back online, or are being restored shortly. Brown University is using their Computing and Information Services Alerts page to provide status updates on impacted services. https://it.brown.edu/alerts

Lee Neely

2021-03-30

Harris Federation Ransomware Attack Affects 50 UK Schools

The UK’s non-profit Harris Federation, which operates 50 primary and secondary schools in London and Essex, has disclosed that it suffered a ransomware attack in late March. The incident occurred the same day the National Cyber Security Centre warned that ransomware operators are targeting the education sector. The attack affected servers, telephone systems, and email systems. Devices that the schools issued to students have also been disabled.

Internet Storm Center Tech Corner

Old TLS Versions: Gone but not Forgotten

https://isc.sans.edu/forums/diary/Old+TLS+versions+gone+but+not+forgotten+well+not+really+gone+either/27260/


Quick Analysis of a Modular InfoStealer

https://isc.sans.edu/forums/diary/Quick+Analysis+of+a+Modular+InfoStealer/27264/


April 2021 Forensic Quiz

https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/


Perl Netmask Vulnerability

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/


Google Chrome Update / DoH on Linux

https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html

https://docs.google.com/document/d/1zAdSK393IznaLKQ0ItOmwLBy59fIq9ydxBRJQX-2ntQ/edit#


Chinese Tax Authority Facial Recognition System Fooled

https://www.scmp.com/tech/tech-trends/article/3127645/chinese-government-run-facial-recognition-system-hacked-tax


VMWare vRealize Vulnerability

https://www.vmware.com/security/advisories/VMSA-2021-0004.html


Pre-P0wned Docker Containers

https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/


Coinhive Domains Used to Warn Victims

https://www.troyhunt.com/i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies/


Detecting Attacker's BITS Utility Use

https://www.fireeye.com/blog/threat-research/2021/03/attacker-use-of-windows-background-intelligent-transfer-service.html


Kansas Man Indicted For Tampering With Public Water System

https://www.justice.gov/usao-ks/pr/indictment-kansas-man-indicted-tampering-public-water-system


Older QNAP Devices Vulnerable And No Longer Patched

https://securingsam.com/new-vulnerabilities-allow-complete-takeover/