SANS NewsBites

Insurer Loses PHI to Attackers; Threat Actors Exploiting SAP Vulnerabilities; Collaboration Apps Being Used to Spread Malware; Critical Flaw in VMware Carbon Black

April 9, 2021  |  Volume XXIII - Issue #28

Top of the News


2021-04-08

DC CareFirst BC/BS Health Insurer Loses Clinical and Other Patient PII To Attackers

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) has disclosed that a January 2021 cyberattack compromised data belonging to current and former enrollees and employees. The compromised data include names, Social Security numbers, claims information, and in some cases, clinical information.

Editor's Note

This is a good example of transparency and a proactive response. CHPDC has not only published a notice, but also a FAQ, offered 2 years of free credit monitoring as well as engaged expert help for response, containment and remediation to prevent recurrence. While it’s nice to have full attribution in a cyber-attack, these steps taken represent concrete measurable actions which will help maintain and strengthen business relationships with customers, peers, and providers.

Lee Neely

2021-04-07

Threat Actors are Exploiting Unpatched SAP Applications

Threat actors are exploiting known vulnerabilities in SAP applications. In a joint report, SAP and Onapsis noted that “critical SAP vulnerabilities [are] being weaponized in less than 72 hours of a patch release.” Attackers are exploiting the flaws to steal data, conduct fraud, deliver malware, and disrupt operations. Users are urged to update SAP applications.

Editor's Note

Attackers are now actively targeting unsecured SAP applications. CVE-2020-6287 and CVE-2020-6207 are rated as high-risk due to the potential to gain remote unauthorized system access. While patching your ERP system requires prioritization and adequate regression testing, these aggressive attacks warrant enlisting outside services to expedite the process. Consider immediately restricting access to unpatched SAP systems that are currently Internet-accessible.

Lee Neely

Patching faster continues to be easier to do with ease of spinning up AWS/Azure based full sized test environments, and is critical to do with high impact applications like SAP. The SolarWinds compromise points out that those high impact apps should also be tested for flaws or hidden capabilities, and the production instances monitored for unusual behavior – also a lot easier to do with manageable levels of false positives with modern tools.

John Pescatore

Historically, it has been more important to patch thoroughly than to patch urgently. Recent events suggest that that may be changing. In any case, the time to widespread exploitation seems to be shrinking.

William Hugh Murray

2021-04-07

Threat Actors are Using Collaboration Apps to Spread Malware

Threat actors have been targeting collaboration apps, like Slack and Discord, to spread malware. The increased number of people working remotely has expanded the use of these apps; attackers have been using the platforms to deliver malware and exfiltrate data. The activity does not exploit vulnerabilities in the collaboration apps; instead, the threat actors are exploiting existing features and the level of trust that the platforms offer.

Editor's Note

These platforms are excellent for sharing and distributing files, and links to them are easily embedded in email. As the use of these services has become commonplace, those links no longer stand out as unusual. Some of the attack vectors, such as token stealing to access Discord, can’t be easily mitigated. If you’re not actively using these collaboration apps for business purposes, consider blocking their domains and adding the client software to your application deny list. If you are using them, make sure that your implementation is following best security practices and is sufficient for protecting the data stored and exchanged there.

Lee Neely

2021-04-06

Critical Flaw in VMware Carbon Black

A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and gain elevated privileges. The issue is due to incorrect URL handling. Users are urged to upgrade to VMware Carbon Black Workload appliance version 1.0.2.

The Rest of the Week's News


2021-04-07

Gigaset Android Phone Affected by Supply Chain Attack

Some Gigaset Android smartphones are being infected with malware through a “poisoned” update. The malware can open browser windows, download other malware, and send text messages in an effort to spread. Gigaset says the issue affects “older devices” and that they “expect to be able to provide further information” soon.

Editor's Note

The troubling detail is that the update came from the Gigaset update servers. Gigaset published a technical solution to remove the malware; there is some disagreement about the completeness of the fix. The better plan may be to power off affected devices, and remove both the battery and SIM. While Gigaset hopes to have better remediation information shortly, as this is impacting older devices, the more expedient and complete resolution may be to replace your device if affected.

Lee Neely

We cannot deal with the supply chain by placing all the responsibility on the end user. We must hold those who distribute malicious code responsible.

William Hugh Murray

2021-04-08

Lazarus Group’s Vyveva Backdoor Malware

An advanced persistent threat (APT) group with ties to North Korea reportedly used backdoor malware known as Vyveva in an attack against networks at a South African freight company. The Lazarus APT group appears to have been using Vyveva since late 2018. Vyveva’s “capabilities [include] file exfiltration, ‘timestomping,’ gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators.”


2021-04-06

Singapore Job Matching Organization Discloses Third-Party Data Breach

Singapore’s Employment and Employability Institute (e2i) has disclosed a data breach affecting 30,000 individuals. The company learned of the breach on March 12 from a third-party vendor whose systems were breached. The incident affects individuals who used e2i services or participated in e2i events between November 2018 and March 2021.

Editor's Note

Third-party liability needs to be understood. Make sure that your contracts not only flow down cyber security and data protection requirements but also legal and indemnification clauses. These clauses should be standardized for your supply chain management group and reviewed/updated annually by your cyber and legal staff. The review may drive the need to update existing contracts. Document your decision to update now or wait until renewal.

Lee Neely

2021-04-06

Malicious Document Builder EtterSilent

Threat actors are using a malicious document builder known as EtterSilent in their campaigns. One version of EtterSilent mimics electronic signature app DocuSign but asks users to enable macros; a second version of EtterSilent has been used to drop the Trickbot banking trojan.

Editor's Note

EtterSilent includes features that allow it to bypass Microsoft Defender, Windows Antimalware Scan Interface (AMSI), and popular email services, including Gmail. EtterCell documents, created by the EtterSilent builder, are downloader payloads that use Excel 4.0 macro functions to download and execute malicious payloads.

Lee Neely
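The note above says EtterCell documents rely on Excel 4.0 (XLM) macro sheets rather than VBA, which many mail filters and triage scripts still overlook. As an added example (not code from the newsletter, SANS, or any of the sources it cites), here is a defender-side triage check in Python that inspects an Office Open XML workbook for the package-level markers of XLM macros: macro sheet parts under `xl/macrosheets/`, the macrosheet content type, hidden or "very hidden" sheets, and the `_xlnm.Auto_Open` defined name that runs a macro on open. The two sample workbooks are constructed in memory for the demonstration; they are not real EtterCell files.

```python
import io
import re
import zipfile

# OOXML markers for legacy Excel 4.0 (XLM) macro sheets, the mechanism the
# EtterSilent note attributes to EtterCell downloader documents.
MACROSHEET_PREFIX = "xl/macrosheets/"
MACROSHEET_CONTENT_TYPE = "application/vnd.ms-excel.macrosheet+xml"
AUTO_OPEN_NAME = "_xlnm.Auto_Open"  # defined name that runs an XLM macro when the file opens


def build_sample_workbook(with_xlm_macro: bool) -> bytes:
    """Constructed sample package for testing; NOT a real EtterCell document."""
    content_types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/xl/workbook.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
    ]
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    defined_names = []
    if with_xlm_macro:
        content_types.append(
            f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CONTENT_TYPE}"/>')
        # Very hidden macro sheet plus an Auto_Open name: the classic XLM auto-run layout.
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        defined_names.append(f'<definedName name="{AUTO_OPEN_NAME}">Macro1!$A$1</definedName>')
    content_types.append("</Types>")
    workbook_xml = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        + 'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        + "<sheets>" + "".join(sheets) + "</sheets>"
        + "<definedNames>" + "".join(defined_names) + "</definedNames>"
        + "</workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "\n".join(content_types))
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_xlm_macro:
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


def analyze_workbook(data: bytes) -> dict:
    """Triage an OOXML workbook (xlsx/xlsm container) for Excel 4.0 macro indicators."""
    report = {"xlm_macrosheets": [], "hidden_sheets": [], "auto_open": False, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Macro sheet parts physically present in the package.
        report["xlm_macrosheets"] = sorted(n for n in names if n.startswith(MACROSHEET_PREFIX))
        # 2. Macrosheet content type declared even if the part sits under an unusual path.
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACROSHEET_CONTENT_TYPE in ct and not report["xlm_macrosheets"]:
                report["xlm_macrosheets"].append("<declared in [Content_Types].xml only>")
        # 3. Hidden / very hidden sheets and the Auto_Open defined name in workbook.xml.
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace")
            for m in re.finditer(r"<sheet\b([^>]*)>", wb):
                attrs = dict(re.findall(r'([\w:]+)="([^"]*)"', m.group(1)))
                state = attrs.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append((attrs.get("name", "?"), state))
            report["auto_open"] = re.search(
                r'<definedName\b[^>]*\bname="' + re.escape(AUTO_OPEN_NAME) + '"', wb) is not None
    # Any XLM macro sheet deserves a second look; hidden sheets and Auto_Open raise the priority.
    report["suspicious"] = bool(report["xlm_macrosheets"])
    return report


if __name__ == "__main__":
    for label, flag in (("benign", False), ("xlm-macro", True)):
        print(label, analyze_workbook(build_sample_workbook(flag)))
```

The check deliberately flags any macro sheet, not just one paired with Auto_Open, because XLM code can also be triggered from cell formulas or other defined names; the hidden-sheet and Auto_Open fields are there to help an analyst prioritise, not to gate the verdict. For real files, feed `analyze_workbook` the bytes of an attachment pulled from the mail gateway or sandbox.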

2021-04-07

Android Malware Hides in App Pretending to be Netflix

Check Point Research (CPR) discovered a wormable malware in a phony app on the Google Play Store. Dubbed “FlixOnline,” it disguises itself as a legitimate Netflix client offering unlimited entertainment and a free 60-day premium Netflix subscription due to COVID-19. The malware targets WhatsApp, “listening in” on conversations and auto-responding to messages with malicious content. The application requests overlay, battery-optimization-ignore, and notification permissions to keep the device from shutting down as well as to provide access to the WhatsApp communications.

Editor's Note

Beware of over-permissioned applications bearing false promises. The application is using the permissions granted to access WhatsApp and dismiss and reply to messages. Overlay permissions are often seen in a credential stealing application. The Netflix link provided is also a credential stealing site. The application has been removed from the Play Store and Play Protect will remove any installed copies. No action is needed for WhatsApp.

Lee Neely

With each Android release, Google has been reducing the scope of app behavior that is allowed. Taking advantage of that requires carriers/operators to be pushing out updates, users to allow them to happen and sometimes requires newer phones to be used. Google had been improving Play Store security/privacy vetting across 2019 but did not publicly announce significant advances in 2020 or so far in 2021. The Play Store and Apple App Store still represent significant obstacles in preventing malware compared to what PC and server operating systems.

John Pescatore

2021-04-08

Belden Says More Information Was Compromised in 2020 Breach

Belden, a network connectivity device manufacturer based in the US, has disclosed additional information about a 2020 cyberattack. When the company first acknowledged the incident in November, it said that current and former employee data and some business data had been compromised. Now it appears that the compromised data include information about some employees’ family members, and health-related information.

Editor's Note

Consider whether your enterprise holds data sensitive for others that you do not really need, use, or adequately protect. The most effective way to ensure that one does not leak sensitive data is not to keep it.

William Hugh Murray

2021-04-08

Previous Data Theft May Have Contributed to Exchange Server Attacks

US government officials and Microsoft are puzzling over how the threat actors behind the Microsoft Exchange Server attacks were able to carry out attacks so broadly and so quickly. One emerging theory is that the threat actors, who have been linked to China, have vast troves of stolen and/or mined information that they used to determine which accounts to target. Anne Neuberger, deputy national security adviser for cyber and emerging technology said, “We face sophisticated adversaries who, we know, have collected large amounts of passwords and personal information in their successful hacks. Their potential ability to operationalize that information at scale is a significant concern.” (Please note that the WSJ story is behind a paywall.)


2021-04-08

Aviary Dashboard Analyzes Data Output from Sparrow Detection Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners have released a dashboard to help “visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise.”

Editor's Note

As DHS/CISA continue to refine and require added scans relating to the SolarWinds compromise, this dashboard represents a way to track and monitor the results from scans made using their Sparrow detection tool, which should aid reporting requirements associated with this activity. Even if you’re not bound by these directives, consider this approach to tracking the status and health of SolarWinds environments.

Lee Neely

Internet Storm Center Tech Corner

Malspam with Lokibot vs. Outlook and RFCs

https://isc.sans.edu/forums/diary/Malspam+with+Lokibot+vs+Outlook+and+RFCs/27282/


WiFi IDS's and Private MAC Addresses

https://isc.sans.edu/forums/diary/WiFi+IDS+and+Private+MAC+Addresses/27288/


Simple Powershell Ransomware Creating a 7Z Archive of your Files

https://isc.sans.edu/forums/diary/Simple+Powershell+Ransomware+Creating+a+7Z+Archive+of+your+Files/27286/


SAP Attacks

https://us-cert.cisa.gov/ncas/current-activity/2021/04/06/malicious-cyber-activity-targeting-critical-sap-applications


QNAP Updates Older EOL Devices

https://www.qnap.com/de-de/release-notes/qts/4.3.6.1620/20210322


GIGASET Android Phones Infected by Compromised Update Server

https://www.heise.de/news/Gigaset-Malware-Befall-von-Android-Geraeten-des-Herstellers-gibt-Raetsel-auf-6006464.html


Update on PHP Incident

https://externals.io/message/113981


LinkedIn Leak

https://www.ehackingnews.com/2021/04/data-stolen-from-500-million-linkedin.html


Details about Linux Kernel Bluetooth Vulnerabilities

https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html


VMWare Carbon Black Cloud Workload Appliance Authentication Bypass

https://www.vmware.com/security/advisories/VMSA-2021-0005.html


Cisco SD-WAN vManage Software Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-YuTVWqy


HTML Lego: Hidden Phishing at Free JavaScript Site

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/html-lego-hidden-phishing-at-free-javascript-site/


Royal Flush: Privilege Escalation Vulnerability in Azure Functions

https://www.intezer.com/blog/cloud-security/royal-flush-privilege-escalation-vulnerability-in-azure-functions/


Cisco Small Business Router Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-q3rxHnvm


Google Chrome Blocking Port 10080

https://github.com/whatwg/fetch/issues/1191#issuecomment-797659444