SANS NewsBites

SolarWinds Update, Egregor Ransomware, and 12 Year Jail Sentence

January 12, 2021  |  Volume XXIII - Issue #3

Top of the News


2021-01-11

SolarWinds Hires Krebs and Stamos; FBI Investigating JetBrains as Possible Victim

SolarWinds has hired Christopher Krebs, former head of the US Cybersecurity and Infrastructure Security Agency (CISA) and Alex Stamos, former Facebook CISO, to help manage the aftermath of the discovery of the supply-chain attack affecting the SolarWinds Orion management tool. In a related story, the FBI is investigating the possibility that Czech software company JetBrains may have been a victim of the SolarWinds attack as well.

Editor's Note

Indications are that the JetBrains TeamCity connection was misconfigured rather than compromised and provided a path into SolarWinds' code repository.

Lee Neely

2021-01-11

SolarWinds CEO Shares New Information About the Attack

In a blog post, SolarWinds CEO Sudhakar Ramakrishna writes, "We believe we have found a highly sophisticated and novel malicious code injection source the perpetrators used to insert the SUNBURST malicious code into builds of our Orion Platform software." Ramakrishna adds that they are sharing the information because "we believe that sharing this information openly will help the industry guard against similar attacks in the future and create safer environments for customers."

Editor's Note

The SolarWinds timeline shows that the initial intrusion happened in September 2019 and went undetected by SolarWinds until they were notified externally in December 2020 that their software was compromised. That time-to-detect is more typical of small companies, not $1B annual revenue/turnover high-tech companies. The repeated use of the term "highly sophisticated and novel" malware in the CEO's post is likely recommended by legal counsel but this kind of verbiage always seems to indicate the victim was only anticipating rudimentary, non-persistent and well-known threats.

John Pescatore

2021-01-09

FBI Issues Egregor Ransomware Advisory

The FBI has released a Private Industry Notification (TLP: white) warning of an increased threat to businesses from the Egregor ransomware operators. The notification describes Egregor's ransomware-as-a-service operation model and suggests mitigations organizations can apply.

Editor's Note

The Egregor operators leverage affiliates to hack into the targeted network to drop the ransomware for a 70/30 revenue split as well as publishing exfiltrated data on external sites to ensure ransom is paid. To the mitigations listed by the FBI, add: know where your critical data is housed. Knowing where data is stored allows you to assess the impact of public release as well as recovery alternatives, possibly including paying the ransom.

Lee Neely

2021-01-08

Hacker Involved in JP Morgan Chase Data Theft is Sentenced to 12 Years in Prison

A US federal judge in New York has sentenced Andrei Tyurin to 12 years in prison for numerous offenses, including computer intrusion, wire fraud, and bank fraud. Tyurin and three accomplices hacked major US financial institutions, brokerages, and other companies. They stole personal information of more than 80 million JP Morgan Chase customers. Tyurin has been in US custody since he was extradited from the country of Georgia in September 2018.

The Rest of the Week's News


2021-01-08

Major Browsers Updated to Fix Hijacking Bugs

The developers of the Firefox, Chrome, and Edge browsers are urging users to update to the newest versions to protect their systems from hijacking. Firefox users should update to the browser's most recent version to fix a critical use-after-free vulnerability. Chrome and Edge users should update their browsers to fix an out-of-bounds write vulnerability. The Chrome and Edge updates also address a dozen other security issues.

Editor's Note

While you may have Chrome & Firefox browsers configured for automatic updates, you will need to push out updates to Firefox ESR. As today is also Patch Tuesday, don't lose sight of these updates while evaluating the other updates. Fortunately, the prediction is for a lightweight update from Microsoft this month.

Lee Neely

2021-01-11

UK High Court Says Intelligence Agencies May Not Use Bulk Hacking

The UK High Court has ruled that authorities may not use bulk equipment interference warrants, also known as general warrants, to gather information about millions of people at once while conducting surveillance. The practice raises privacy concerns, as sensitive information of innocent people gets captured when authorities cast a broad net. The High Court's ruling strikes down a 2016 ruling by the Investigatory Powers Tribunal, which allowed that a single warrant could be used by the likes of GCHQ, MI5, and MI6 to conduct mass surveillance.

Editor's Note

The trick here is balancing the scope of the warrant with effective data collection. Much like the ACLU story below, citizens' right to privacy over broad-scope data collection is being challenged. While data collection invariably also contains information out-of-scope, direction is needed on minimization techniques, as well as due process similar to the US FISA and EO 12333 to protect those who have information inadvertently collected.

Lee Neely

2021-01-11

Two People Sentenced for Data Theft from UK Roadside Assistance Organization

Two people have received suspended sentences for their roles in the theft of data from UK emergency roadside assistance company RAC. Kim Doyle, an RAC employee, sold customer data to William Shaw, who is the director of an accident claims management company. Doyle received an eight-month suspended sentence; Shaw received a two-year suspended sentence.


2021-01-11

Bitdefender Releases DarkSide Ransomware Decryption Tool

Romanian security company Bitdefender has released a free decryption tool for victims of the DarkSide ransomware. DarkSide first appeared late last summer; it uses a ransomware-as-a-service operating model.

Editor's Note

First, note the disclaimer by Bitdefender: "We do not encourage you to do this until you made sure that your files can be opened safely and there is no damage to the decrypted files." The best way to be sure your critical files/executables can be opened safely and could not be corrupted by the attacker is to safely back them up in advance and restore from the backup. Ransomware attacks can easily leave encrypted malware files in the place of legitimate files.

John Pescatore

If you elect to use their tool to recover after the DarkSide ransomware, be sure to follow the guidance on the Bitdefender Labs site (https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool) regarding backup as well as verifying that your system is fully operational before removing any copies of encrypted files. Having a separate differential backup is still the best option for ransomware recovery.

Lee Neely

2021-01-11

macOS Cryptomining Malware Variant is Hard to Analyze

A new variant of malware that is being used to mine cryptocurrency on macOS computers is proving difficult to analyze. The malware's "payloads are exported as run-only AppleScript files, which makes decompiling them" complicated. OSAMiner has been around since at least 2015.

Editor's Note

SentinelLabs has released their AVET decompiler for others to use. The analysis by SentinelLabs discusses how their Apple Event (AVET) decompiler works, includes IOCs and hashes, as well as detailing the operation of the macOS.OSAminer which appears to be the Monero RandomX Miner. https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Lee Neely

2021-01-12

Reserve Bank of New Zealand is Investigating a Data Breach

The Reserve Bank of New Zealand is investigating a security breach of a third-party file-sharing service provider. The bank disclosed the incident on Sunday, January 10, noting that "a third party file sharing service used by the Reserve Bank to share and store some sensitive information, has been illegally accessed." The Reserve Bank uses the system to share information outside its organization.


2021-01-08

Civil Liberties Groups Ask US Supreme Court to Hear Case Regarding Personal Device Passcodes

The American Civil Liberties Union (ACLU) is asking the US Supreme Court to hear a case involving the question of whether or not passcodes for privately owned mobile devices are protected under the Fifth Amendment. The ACLU, along with the Electronic Frontier Foundation (EFF), has filed a petition for a writ of certiorari to the Supreme Court in the case of Robert Andrews v. the State of New Jersey. Andrews is a Newark, NJ, sheriff's officer who refused to provide police with passcodes for two iPhones. (Please note that the WSJ story is behind a paywall.)

Editor's Note

The challenge is one of scope and equivalent access to forensically imaging a desktop. Because mobile devices are strongly encrypted, the passcode is necessary to access any information. The device passcode provides access to all information on the device, as well as possible bypass for applications which use biometric (e.g. fingerprint or facial scan) for access, which may exceed the scope of the warrant. Keep sensitive information off the device and configure services to retain information on-device for the minimum period only.

Lee Neely

Sooner or later, this issue will get addressed by the courts. There is precedent in the US that someone cannot be required to provide the combination to a safe. But, there have also been different rulings around privacy/self-incrimination in work environments and employers can require access to privately-owned devices used by employees for work applications.

John Pescatore

2021-01-11

Ubiquiti Networks Urges Customers to Change Passwords

Ubiquiti Networks has notified customers of a data breach that affected servers containing user profile information for the company's account.ui.com web portal. The site allows customers to manage devices remotely. Ubiquiti encouraged customers to change their passwords.

Internet Storm Center Tech Corner

Maldoc Strings Analysis

https://isc.sans.edu/forums/di...


Using the NVD Database API Part 3/3

https://isc.sans.edu/forums/di...


CVSS Reliability Survey

https://user-surveys.cs.fau.de...


Fake Trump Video Malware

https://www.trustwave.com/en-u...


SMS Phishing (Smishing)

https://www.bbc.com/news/busin...


dnsrecon Vulnerability

https://www.exploit-db.com/exp...


Sysinternals Update

https://docs.microsoft.com/en-...


Ubiquiti Breach

https://www.bleepingcomputer.c...


Run-Only AppleScript Reversing

https://labs.sentinelone.com/f...