SANS NewsBites

Sabotage Shuts Down Iranian Nuclear Site; Name:Wreck DNS Vulnerabilities; Critical Zoom RCE Flaw

April 13, 2021  |  Volume XXIII - Issue #29

Top of the News


2021-04-12

Sabotage Reportedly Shut Down Iran’s Natanz Uranium Enrichment Site

In what appears to be an act of sabotage, Iran’s Natanz uranium enrichment facility was shut down on Sunday, April 11. An explosion at the facility reportedly caused a power failure. US and Israeli intelligence officials said that Israel played a role in the incident. The Natanz facility was shut down a decade ago by the Stuxnet worm.

Editor's Note

Not a lot of details out on this one yet, but an important reminder on two fronts. The obvious one is for power system and other critical infrastructure operators to take immediate action to reduce exposure to similar attacks. But, a broader reminder that back in 2010 the Stuxnet malware attack caused spillover that impacted financial systems and many other networks – good reason for an accelerated push to make sure essential security hygiene deficiencies are addressed rapidly.

John Pescatore

The take-away is to make sure that critical infrastructure is properly protected from cyber-attack. Control systems need to be properly isolated and never directly accessible from the Internet. Further, not only restrict access to known trusted systems, but also monitor that access for anomalous behavior. Make sure that supporting systems, such as power and cooling are similarly protected and monitored. Lastly, practice good OPSEC. One of the take-aways from the Stuxnet incident was that PR photos in front of the control systems were used to reveal the technology used allowing that attack to be very accurately developed and targeted.

Lee Neely

2021-04-12

Name:Wreck DNS Vulnerabilities

Researchers at Forescout and JSOF have disclosed nine vulnerabilities affecting four widely-used TCP/IP stacks. The flaws can be exploited to cause denial-of-service conditions and take devices offline or gain remote control of vulnerable devices. The issues affect an estimated 100 million devices.

Editor's Note

While these are issues that need to be "patched now", the end user may not have the option if vendor firmware is not updated. A better fix is likely an architecture that forces all internal devices to use an internal recursive resolver. While it may not mitigate all the vulnerabilities, it will at least provide visibility into DNS traffic which is crucial for devices that are often only offering limited logging.

Johannes Ullrich

The vulnerable versions of Nucleus NET, FreeBSD, and NetX have been updated, but the trick is waiting on vendor updates to devices with these as an embedded OS. Mitigations include identification and segmentation of devices with the vulnerable TCP/IP stacks, configuring devices to use known good internal DNS servers and monitoring and blocking of malicious or malformed DNS traffic.

Lee Neely

2021-04-09

Critical Zoom Flaw Allows Remote Code Executions with No User Interaction

Two security researchers from the Netherlands demonstrated an exploit of flaws in the Zoom desktop client that allowed them to take control of a user’s computer. The exploit chains together three vulnerabilities in Zoom to allow remote code execution with no user interaction. The exploit works on the Zoom desktop client for PCs and for Mac.

Editor's Note

The browser version of Zoom is not affected - a good workaround until the patch is available. Good to see that Zoom was one of the sponsors of the Pwn2Own competition that found this one.

John Pescatore

This flaw was revealed and demonstrated during the Pwn2Own event. The vulnerabilities have been reported to Zoom, and no details were made public. The Pwn2Own events have been a great way for researchers to demonstrate their skills responsibly. While depressing to see pretty much every single target fall year after year, this event has been a great source of responsibly disclosed vulnerability details.

Johannes Ullrich

The exploit leverages a weakness in the Zoom Chat product, not the in-session chat which is part of Zoom Meetings or Zoom Video Webinars. The attacker has to either be an accepted external contact or another organizational user. The best mitigation is to use the web client until a fix is released. Also make sure that you’re following best practices to secure online meetings and accept external contact requests only from people you know and trust.

Lee Neely

A rare exception to the rule that one should prefer purpose-built applications to browsers.

William Hugh Murray

The Rest of the Week's News


2021-04-12

NCSC Recommends Actions to Address Fortinet SSL VPN Vulnerability

Britain’s National Cyber Security Centre (NCSC) is urging users to take steps to protect Fortinet SSL VPNs from active exploits. NCSC recommends checking to see if the FortiOS updates have been applied. If they have not, “the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured and then returned to service.”

Editor's Note

As the flaws are being exploited, assume unpatched devices have been compromised. The strategy recommended by NCSC, effectively a factory wipe and reset (and patching), is a good way to make sure that your device is operating from a known good configuration. Make sure that all your internet-facing and boundary protection devices, including VPNs, firewalls, load balancers and WAFs, are at the top of both the patch priority and security posture review lists. Ensure they are both properly configured and updated.

Lee Neely

Updating your remote access equipment, while most people still work from home, may be scary. But dealing with an incident involving your remote access equipment while working from home is worse. An upgrade can be scheduled.

Johannes Ullrich

2021-04-09

Unit 42 Researchers Find Cryptojackers Targeting Washington State Educational Organizations

Researchers at Palo Alto Networks’ Unit 42 global threat intelligence team recently detected cryptojacking attacks targeting three educational organizations in Washington state. The incidents were detected on February 16, March 10, and March 15. The Unit 42 report includes a list of indicators of compromise.


2021-04-12

Ransomware Affects Cheese Delivery in the Netherlands

A ransomware attack that targeted Bakker Logistiek, a warehousing and transportation provider, has resulted in a cheese shortage in stores in the Netherlands. Bakker’s director said that due to the attack, they did not know where in their warehouses products were, and that it also prevented the company from receiving orders. The company is using backups to restore operations. They did not indicate if they paid the ransom.


2021-04-12

Expired Certificate Prevents Pulse Secure VPN Logins

An expired code-signing certificate prevented Pulse Secure VPN users from accessing their devices. The problem affects users working from home when they try to connect to company networks through their browsers. The issue is the expired certificate combined with a software bug that fails to verify that timestamped executables are signed.

Editor's Note

This denial of service/access problem that keeps popping up shows the need for certificate discovery and management tools. There are some commercial products and a number of open source tools (like OpenCA and gnoMint) that provide support at scale for certificate management.

John Pescatore

Certificate use has become pervasive, and certificate lifetimes are shrinking, necessitating active monitoring and automated processes to update them automatically where possible. If nothing else, generate a support ticket with sufficient priority and warning to take action without interruption. When using certificates to sign code, be sure to not only use a timestamp server which captures the certificate validity at the time of signing, but also verify the behavior after the code signing certificate has expired.

Lee Neely

2021-04-12

US Dept. of Health and Human Services OIG Finds Infosec Program is Not Effective

An audit of the US Department of Health and Human Services (HHS) information security program found it to be not effective. The audit, which was conducted by Ernst & Young LLP on behalf of the HHS Office of Inspector General (OIG), evaluated HHS’s information security program against Federal Information Security Management Act (FISMA) metrics. HHS’s information security program was also found not effective in audits conducted for FY 2018 and FY 2019.

Editor's Note

Repeat findings on an audit are not something you want. While HHS does have an overall strategy for implementing needed processes and controls, OIG found the specific roadmaps and KPIs that would drive completing the implementation of those strategies were lacking. Make sure that your enterprise strategy has the information needed for success to the lowest layers, including measurable objectives, defined timelines and funded resources. If you are not going to implement a regulatory requirement, such as the Continuous Diagnostics and Mitigation (CDM) program, work that at the highest levels with the regulator, document the outcome and update your enterprise roadmap accordingly.

Lee Neely

2021-04-12

IcedID Banking Trojan Spreading Through Contact Forms

Researchers from the Microsoft 365 Defender Threat Intelligence Team have detected attackers abusing contact forms on company websites to generate emails that include malicious links that can ultimately lead to machines becoming infected with the IcedID banking Trojan.


2021-04-12

Accellion: University of Colorado

The University of Colorado (CU) has provided additional information about a data breach related to a vulnerability in Accellion’s File Transfer Appliance (FTA). CU says that more than 300,000 unique records containing personally identifiable information were compromised. CU says the compromised data are being held for ransom and that it does not intend to pay the demand.


2021-04-09

Kentucky Unemployment Insurance Office Offline to Reset PINs After Attempted Fraud

A cyberattack forced the Kentucky Office of Unemployment Insurance to take account operations offline for several days. Attackers used automated tools to access users’ accounts; in some cases, they changed bank information so that funds were diverted to a different account. The Office of Unemployment Insurance is resetting more than 300,000 PINs to ensure that thieves cannot steal payments. Once operations go back online, users will be assigned a new 8-digit PIN and will be required to create a new 12-character password.

Editor's Note

Previously used 4-digit PINs, while encrypted, were trivial to guess, as users often chose predictable values. Having users choose longer passwords, sending account PINs out-of-band, and an emailed multi-factor access code are excellent steps in the right direction.

Lee Neely

While resistant to the rare brute force attacks, it sounds as though this system will continue to be vulnerable to the more prevalent fraudulent credential replay attacks. Strong authentication requires that at least one form of evidence be resistant to replay.

William Hugh Murray

2021-04-12

Biden Nominates Former NSA Officials to Top Cybersec Positions at DHS and White House

The Biden administration has nominated former National Security Agency (NSA) official Jen Easterly to become director of the Cybersecurity and Infrastructure Security Agency (CISA). Biden is also expected to nominate former NSA official Chris Inglis to fill the new position of National Cybersecurity Director.

Editor's Note

These nominees have not only cybersecurity expertise, but also track records of partnership with private industry. CISA has used those relationships to increase the relevance, effectiveness and value of their services and guidance to both the public and private sector. Extending this partnership model to other cybersecurity roles is necessary to have comprehensive, relevant and effective security leadership.

Lee Neely

Internet Storm Center Tech Corner

No Python Interpreter? This Simple RAT Installs Its Own Copy

https://isc.sans.edu/forums/diary/No+Python+Interpreter+This+Simple+RAT+Installs+Its+Own+Copy/27292/


Identifying Cobalt Strike DNS Infrastructure

https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors


Example of Cleartext Cobalt Strike Traffic

https://isc.sans.edu/forums/diary/Example+of+Cleartext+Cobalt+Strike+Traffic+Thanks+Brad/27300/


Facebook Mistakenly Suggests Adding Domains To Public Suffix List will Ease Tracking

https://publicsuffix.org

https://www.facebook.com/business/help/331612538028890


Facebook Ads Used to Push Clubhouse Related Malware

https://www.ehackingnews.com/2021/04/cybercriminals-used-facebook-ads-to.html


ASA 5506 Series Security Appliances Field Notice

https://www.cisco.com/c/en/us/support/docs/field-notices/720/fn72019.html


Expired Certificate for PulseSecure VPN Devices

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44781/?kA13Z000000fzbR


Pwn2Own Summary

https://thehackernews.com/2021/04/windows-ubuntu-zoom-safari-ms-exchange.html


Tesla Exploited Via Google Chrome Vulnerability

https://leethax0.rs/2021/04/ElectricChrome/