SANS NewsBites

FBI Actively Mitigating Compromised Corporate Exchange Servers; Critical Patches to Windows, Exchange and SAP

April 16, 2021  |  Volume XXIII - Issue #30

Top of the News


2021-04-14

FBI Remotely Removed Web Shells from Infected Exchange Servers

Since Friday, April 9, the FBI has been removing web shells from compromised on-premises Exchange servers in at least eight US states. A federal court in Texas granted the warrant that allowed the FBI to conduct the operation without the knowledge of the systems' owners and operators, although the FBI is attempting to contact them. The operation “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.”

Editor's Note

There are a couple of important dimensions to this one: First, the fire department going into a burning building without permission to put out a fire that may spread to adjacent buildings is a good thing overall, but may end up in extensive water damage to the burning building. The same is true for what the FBI is doing - from a business perspective, much better to *not* be a candidate for unplanned outside fixes of your compromised systems. Second: be prepared for phishing campaigns that appear to be coming from @FBI.gov – warn your supply chain as well. If you have been unable to move to restrictive DMARC anti-spoofing policies, this would be a good item to use to get high level support to do so.

John Pescatore
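The note above recommends moving to restrictive DMARC anti-spoofing policies. As an added example (not from the newsletter or SANS), the following Python assesses a domain's published DMARC TXT record and reports why it would or would not stop spoofed mail; the records in the test are constructed samples, and an unrecognised p= value is simplified to p=none rather than following RFC 7489's rua-dependent rule.

```python
# Added example: classify a DMARC record as restrictive or monitor-only.
from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str                 # p= tag: none, quarantine or reject
    subdomain_policy: str       # sp= tag, defaults to p=
    pct: int                    # share of failing mail the policy applies to
    restrictive: bool           # True only when spoofed mail is blocked at 100%
    reasons: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag/value dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    reasons = []
    if tags.get("v", "").upper() != "DMARC1":
        reasons.append("missing or wrong v= tag; receivers ignore the record")
        return DmarcAssessment("none", "none", 0, False, reasons)
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        reasons.append(f"unrecognised p={policy}; treated as none (simplified)")
        policy = "none"
    sp = tags.get("sp", policy).lower()      # subdomain policy inherits p=
    try:
        pct = int(tags.get("pct", "100"))    # pct= defaults to 100
    except ValueError:
        pct = 100
    if policy == "none":
        reasons.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        reasons.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if sp == "none":
        reasons.append("sp=none leaves subdomains spoofable")
    restrictive = policy != "none" and sp != "none" and pct == 100
    return DmarcAssessment(policy, sp, pct, restrictive, reasons)
```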

This is both cool and unsettling. It is better to secure your own systems or hire help than to have assistance granted by court order. The FBI will be sending email to notify system owners of actions taken. Even so, be on the lookout for fake FBI.gov phishing emails. Remember these actions didn’t apply patches or forensically analyze your systems to determine what else may be impacted.

Lee Neely

2021-04-13

CISA: Patch New Exchange Server Vulnerabilities Now

Included in Microsoft’s Patch Tuesday this month are fixes for four additional vulnerabilities in on-premises Exchange Servers. These new flaws were detected by the National Security Agency. The Cybersecurity and Infrastructure Security Agency (CISA) has given US federal agencies until 12:01am EDT on Friday, April 16 to deploy the Microsoft updates. Agencies are also required to apply and maintain controls, report completion by noon EDT on April 16, and immediately report related cyber incidents and indicators of compromise.

Editor's Note

While these vulnerabilities don’t appear to be actively being exploited, CISA considers them severe enough to warrant not only requiring immediate patching, but disconnecting any systems not patched by noon today. They make the point that once a fix is publicly released, the weakness can be reverse engineered to create an exploit; coupled with the current activities around exploiting Exchange servers, it’s a good idea to apply these patches now, regardless of whether you're in the public or the private sector.

Lee Neely

2021-04-13

Microsoft Patch Tuesday

On Tuesday, April 13, Microsoft released fixes for more than 110 security issues. Among the vulnerabilities addressed are four additional flaws affecting on-premises Exchange Servers (see additional information in the story above). Also among the vulnerabilities addressed in the updates is a privilege elevation flaw in Windows that is being actively exploited.

Editor's Note

I hope you kept good notes, because there are four more Exchange vulnerabilities to patch. These vulnerabilities were found and reported by the NSA, and no exploit or details have been made public yet. But Microsoft considers exploitation likely.

Johannes Ullrich

2021-04-14

SAP Updates

On Tuesday, April 13, SAP released a total of 19 security notes, including updates to address critical vulnerabilities in Business Client, Commerce, and NetWeaver. Five of the security notes are updates to previously released notes.

Editor's Note

Vulnerabilities in ERP systems usually do not get a lot of press. But they are heavily targeted and prior vulnerabilities in SAP (or similar products) were used to compromise numerous organizations. It often takes only days for exploits to be developed. I know this one is more difficult to patch, but make sure you get it done soon.

Johannes Ullrich

SAP is already on the radar of exploitable platforms, and the patch list includes fixes to vulnerabilities with critical (aka hot news) and high ratings. These fixes address missing authorization checks, information disclosure, and other flaws which warrant prompt action.

Lee Neely

The SolarWinds compromise pointed out that high market share apps that are put in highly sensitive places are high value targets for sophisticated attackers, and should be prioritized for patching. The SolarWinds compromise also pointed out that monitoring of high-risk systems should be stepped up after patching to reduce time to detect if an update has been compromised.

John Pescatore

The Rest of the Week's News


2021-04-13

Adobe Patch Tuesday

On Tuesday, April 13, Adobe released fixes for 10 vulnerabilities affecting Adobe Bridge, Adobe Digital Editions, Photoshop, and RoboHelp. Four of the vulnerabilities in Adobe Bridge are rated critical: two memory corruption issues and two out-of-bounds write bugs, all of which could lead to arbitrary code execution. Two critical buffer overflow vulnerabilities in Photoshop could lead to remote code execution. A critical privilege elevation vulnerability in Digital Editions could lead to arbitrary system file write.

Editor's Note

If affected products are installed but not currently licensed, or not logged into the respective Creative Cloud account, the automatic update will not happen. Suggest uninstalling products with expired or no licenses to remove potentially exploitable applications from systems.

Lee Neely

2021-04-16

Google Project Zero is Adding a 30-Day Grace Period for Patching

Google Project Zero is changing its disclosure policy to allow time for users to apply patches. Project Zero’s 90-day (for vulnerabilities that are not being exploited) and 7-day (for vulnerabilities that are being actively exploited) deadlines will remain in place, but if vendors produce a patch within the designated time period, Project Zero will refrain from releasing vulnerability details for 30 days.

Editor's Note

Google must strike a difficult balance between identifying vulnerabilities and inviting their exploitation, a responsibility few would take on.

William Hugh Murray

2021-04-15

Chrome 90 Introduces HTTPS Default Protocol

Google has released Chrome 90 to the stable channel for Linux, macOS, and Windows. The newest version of the browser includes using HTTPS as the default protocol. It also reintroduces protection from NAT Slipstreaming attacks. In all, Chrome 90 addresses 37 security issues.

Editor's Note

Of the 37 security fixes, 19 were credited to external researchers – the value of well-managed external bug bounty programs continues to be validated.

John Pescatore

Other browsers will likely follow. More than 90% of websites are supporting HTTPS now, so this move makes a lot of sense. But you may experience some slower connections to the sites that do not support HTTPS, which will likely include internal IoT style devices.

Johannes Ullrich

This update also applies to Chromium based browsers (Edge, Brave, Vivaldi, etc.). With the migration to HTTPS over the last few years, the impact on end users is nominal. Sites on the HSTS preload list already defaulted to HTTPS. HTTP fallback is still enabled. This release also includes the first version of Google’s Federated Learning of Cohorts (FLoC), which is their answer to privacy while still delivering targeted ads. Note that FLoC is disabled by default in Brave and Vivaldi.

Lee Neely

2021-04-13

NERC: Electric Utilities Have Faced “Unprecedented” Cyber Threats

At a virtual press briefing earlier this week, North American Electric Reliability Corporation (NERC) Senior VP Manny Cancel said that the electricity sector has faced an “unprecedented” increase in cyber threats over the past year and a half. Cancel noted that nearly 25 percent of the 1,500 electric utilities that share information with NERC said they had downloaded the tainted SolarWinds software. A smaller subset of those said they used SolarWinds in their operational technology networks.

Editor's Note

Control systems have to not only watch for compromised products like Orion, but also for attempts to access control systems via spearphishing and VPN compromise. The GAO report from March 21 (https://www.gao.gov/products/gao-21-81) had one recommendation for DOE: to more fully address risks to the nation's power grid in coordination with DHS, states and industry. Until that effort solidifies, look to a hybrid approach to protection systems rooted in the Purdue Model. Secure the perimeter, require multi-factor authentication for access, verify security settings and updates are applied, and use segmentation to allow only authorized systems to interact with control system components.

Lee Neely

There are software products and firmware in use across power systems that have the same or higher market share as SolarWinds had in that vertical, particularly on the OT networks. Identifying those and increasing prioritization of protection/segmentation/detection of those high value targets is a lesson learned from the SolarWinds compromise impact.

John Pescatore

While these numbers are not surprising, they document the severity of the attack and the resulting risk to our infrastructure.

William Hugh Murray

2021-04-14

ODNI Annual Threat Assessment

The Office of the Director of National Intelligence has released its annual threat assessment report. The report “focuses on the most direct, serious threats to the United States during the next year.” Intelligence officials also spoke at a Senate Intelligence Committee hearing earlier this week. “The complexity of the threats, their intersections, and the potential for cascading events in an increasingly interconnected and mobile world create new challenges for the IC [Intelligence Community].”

Editor's Note

This report is only 27 pages and is far more than just cyber, covering military, WMD, Space, Intelligence and Influence capabilities for many countries. Use the information to better understand the threats, their motivations, capabilities, and goals and how that overlays with current world conditions.

Lee Neely

2021-04-15

US Sanctions Russia

The Biden administration has imposed sanctions on Russia for cyberespionage activity and for its efforts to influence the presidential election. The administration also sanctioned six Russian technology companies that support the cyberespionage activity and more than 30 entities and individuals for attempting to sway the election. In addition, 10 Russian Embassy officials in Washington, DC, will be expelled.

Read more in

White House: Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation

White House: FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government

Treasury: Treasury Sanctions Russia with Sweeping New Sanctions Authority

Washington Post: Biden administration imposes significant economic sanctions on Russia over cyberspying, efforts to influence presidential election

Cyberscoop: White House slaps sanctions on Russian cyber activities while blaming SVR for SolarWinds campaign

SC Magazine: As US takes sweeping action against Russia for years of hacking, industry skeptical of impact

The Register: It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US

ZDNet: SolarWinds: US and UK blame Russian intelligence service hackers for major cyber attack


2021-04-15

NSA, CISA, and FBI Warn of Top Vulnerabilities Exploited by Russian Hackers

In a joint advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) warn that Russian Foreign Intelligence Service threat actors are exploiting “known vulnerabilities to conduct widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access.” The advisory includes a list of the exploited vulnerabilities and mitigations for those vulnerabilities.

Editor's Note

The list of vulnerabilities isn't surprising. It is not a list of difficult to exploit obscure problems, but the same list of vulnerabilities everybody else is exploiting. Use this as a good reason to double check if you are running any of the vulnerable systems, and make sure they are patched. Given that some of these vulnerabilities go back to 2018: If you still find a vulnerable system, consider it compromised.

Johannes Ullrich

Actors are taking advantage of both unpatched or improperly secured systems and reusable credentials. Beyond implementing multi-factor authentication, integrate your reusable password system (typically Active Directory) with a system that monitors for breached passwords, and require users not to select a known compromised password; immediately change passwords when they are discovered in the breach data. Prioritize the patching and security validation of any and all internet-facing services. Dispel beliefs that your access server is obscure and not discoverable by looking for similar products in a tool like Shodan.

Lee Neely

After SolarWinds, we should hardly need such a warning. It is urgent that we restore trust in our infrastructure. In the meantime, we can resist some further damage by implementing strong authentication (at least two kinds of evidence, at least one of which is resistant to replay), one of our most efficient protective measures.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+April+2021+Patch+Tuesday/27306/


Why and How You Should be Using an Internal Certificate Authority

https://isc.sans.edu/forums/diary/Why+and+How+You+Should+be+Using+an+Internal+Certificate+Authority/27314/


Congratulations to the SANS.edu National Cyber League Teams!

https://twitter.com/SANS_EDU/status/1382453652602941440


April 2021 Forensics Quiz Solution

https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz+Answers+and+Analysis/27308/


NAME:WRECK DNS Vulnerabilities

https://www.forescout.com/research-labs/namewreck/


Chrome 90 Released (and 0-Day Exploits)

https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html

https://github.com/avboy1337/1195777-chrome0day

https://github.com/r4j0x00/exploits/tree/master/chrome-0day


Adobe Patch Tuesday

https://helpx.adobe.com/security.html


SAP Updates

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649


Linux/Mac Malware included in npm Module

https://blog.sonatype.com/damaging-linux-mac-malware-bundled-within-browserify-npm-brandjack-attempt


Vulnerabilities Used By Russian Foreign Intelligence Service

https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/


Insecure URL Handling

https://positive.security/blog/url-open-rce


SANS Research Paper: Bryan Scarbrough; Malware Detection in Encrypted TLS Traffic Through Machine Learning (PDF)

https://www.sans.org/reading-room/whitepapers/artificialintelligence/malware-detection-encrypted-tls-traffic-machine-learning-40185