SANS NewsBites

iOS Users Can Avoid Ad Tracking; Codecov Compromise Snares HashiCorp Code Signing Key; Passwordstate Password Manager Downloaded Malware

April 27, 2021  |  Volume XXIII - Issue #33

Top of the News


2021-04-26

iOS Now Lets Users Opt Out of Ad Tracking

Apple’s newest update for iOS, version 14.5, includes a new feature called App Tracking Transparency, which lets users choose whether or not to allow apps to track their activity across apps and websites owned by other companies. App Tracking Transparency gives users granular control, allowing them to make the decision for each app individually.

Editor's Note

The important issue is that consumers increasingly have the choice (as they should) to decide how much of their personal info gets exposed, and they are increasingly choosing to reduce the exposure. That has been good news for app dev groups and DevOps methodologies that actually do focus on the users’ wants and needs – software architects and DevOps leads listing “privacy” as one of their core business requirements is a good thing.

John Pescatore

Initially Apple introduced IDFA, where you could disable the unique identifier for your device. With 14.5, applications will prompt for permission to track, with an optional message explaining why they want to track, and you can click “Ask App not to Track.” Note that the prompt will not show up where developers are tracking you across their own services, e.g., Facebook tracking you from their main platform to Messenger and Instagram.

Lee Neely

This is more useful than the now-universal warnings about the use of cookies without distinguishing between native cookies (those used for saving state in the application) and tracking cookies.

William Hugh Murray

2021-04-26

Codecov: HashiCorp Key Compromised

HashiCorp says that its GPG code-signing and verification key was compromised as a result of the Codecov supply chain attack. The key has been rotated. Codecov learned earlier this month that threat actors accessed and modified Bash Uploader scripts to exfiltrate sensitive information.

Editor's Note

For encryption and digital signatures to be more than placebos, essential security hygiene is needed to enforce strong access controls around the private keys. When code signing is used, processes/playbooks for how to perform revocation need to be established and periodically tested.

John Pescatore

Supply chain attacks are so dangerous because they not only affect end-users ("consumers") but also suppliers. This can lead to a snowball effect with one compromise of a key supplier leading to the compromise of additional suppliers with vastly different customers.

Johannes Ullrich

Private keys must not be stored online when not in use. That is what thumb drives are for.

William Hugh Murray

2021-04-24

Passwordstate Password Manager Suffers Supply Chain Attack

Customers of the Passwordstate password manager are being directed to reset their passwords following a supply chain attack that affected the Passwordstate update mechanism. The issue affects customers who implemented In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC. Manual upgrades were not affected.

Editor's Note

The impact of the compromised code is increased as this is an enterprise password manager, as opposed to one for individual users. Providing an enterprise password manager is an excellent way to help users establish good passwords and minimize reuse. And as it is now a central repository of key sensitive information, due diligence is essential, not only for making sure updates are genuine, but also that security controls are fully implemented. Click Studios, the makers of Passwordstate, are posting advisories and updates (https://clickstudios.com.au/advisories/default.aspx) which include checksums of the bad DLL, suggested actions, a description of the exfiltrated data, and status. Australian customers may also reach out to the Australian Cyber Security Centre (ACSC) for assistance at ASD.Assist@defence.gov.au or 1300 CYBER1.

Lee Neely

Password managers are one of those “if you put all your eggs in one basket, you better really, really watch that basket” areas. This appears to have a narrow compromise window but the severity means that all PCs using the compromised Passwordstate software should be considered compromised until examined.

John Pescatore

Another case of a supplier distributing malicious code, distributing code that it did not write, leaving others with a huge mess to clean up. Unlike SolarWinds, this code was not distributed to enterprises but to end-users, at least some of whom are enterprise users. We cannot put all the risk of supply chain compromises on the end users. We must hold suppliers accountable for distributing malicious code. Distributing only code that one originates is a much easier problem than never distributing code with errors or vulnerabilities.

William Hugh Murray

The Rest of the Week's News


2021-04-26

Update Delivered by Law Enforcement in January is Now Deleting Emotet

Over the weekend, law enforcement officials activated code that erases Emotet malware from infected computers. In late January 2021, law enforcement agencies from several countries took control of Emotet’s command and control infrastructure. Shortly thereafter, Germany’s federal police agency, Bundeskriminalamt, began pushing out the update designed to remove Emotet.

Editor's Note

The uninstaller was delivered by the captured Emotet C2 servers in late January with a self-destruct date of April 25th. The package addresses the two ways Emotet achieves persistence: either as a system service or a Run key. The Malwarebytes blog explains the behavior of the package and actions it takes. Per the US DOJ, the update was provided by foreign law enforcement using overseas C2 servers, not FBI agents. The delay between distribution and removal was to give time for responders to complete forensic analysis and cleanup of any other related malware.

Lee Neely

The Emotet takedown appears to be one of the more successful takedowns in recent memory. A lot has been written about law enforcement pushing an update to remove the malware (similar also to recent law enforcement action against unpatched Exchange servers). I believe we should, and hopefully will, see more of the same in the future. Waiting for users to patch and fix their systems hasn't been working, and these systems become ticking time bombs waiting for additional infections or being used to revive taken-down botnets.

Johannes Ullrich

2021-04-23

Radixx Says Malware Responsible for Reservation Systems’ Outage

Radixx has acknowledged that a security incident caused an outage of its Radixx Res reservation application. The outage affected reservations systems for approximately 20 low-cost airlines. Radixx says it “is taking steps to stand up a new Radixx application server environment.”


2021-04-22

FAA Tells Private Jet Operators to Update Garmin Aviation GPS Now

The US Federal Aviation Administration (FAA) has published an Airworthiness Directive (AD) instructing private jet operators to install software updates for Garmin GTS 8000 series collision avoidance units. The devices have generated seven false Traffic Collision Avoidance System warnings, which could ultimately increase the likelihood of a collision. The AD is effective May 17, 2021.

Editor's Note

Our industry has a lot to learn from the FAA about how to distribute intelligence in a timely manner to those who can best, or must, act on it.

William Hugh Murray

2021-04-26

Follow-up: Univ. of Minnesota Researchers Apologize for “Hypocrite Commits”

Researchers from the University of Minnesota (UMN) have offered a written apology for submitting what they call “hypocrite commits” to the Linux kernel project. Last week, a Linux kernel project maintainer banned UMN from contributing to the project, reverted patches submitted by anyone with a umn.edu email address, and placed a “default reject” on any future patches submitted through umn.edu addresses. The maintainer said that they will not discuss the matter further until the researchers and the university have taken the actions the Linux community requires.

Editor's Note

This is not how you partner with someone to improve processes. This is analogous to an unauthorized penetration test, causing more harm than the improvements envisioned at inception. It is commendable that the UMN both apologized and stopped the research efforts leading to the commits; more work is still needed to repair the damage. While the apology identifies that they didn’t achieve permission, current actions still don’t reflect they are following the processes for legitimate patch submission. This is now about regaining trust rather than fixing technical issues.

Lee Neely

2021-04-26

FBI/DHS/CISA Joint Warning About Russian State-Sponsored Hackers

The Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert describing activity conducted by Russian state-sponsored cyberthreat actors. The alert describes the group’s tactics, techniques, and procedures, which include password spraying and leveraging zero-day vulnerabilities. The alert recommends that organizations adopt security controls, including implementing multi-factor authentication (MFA) and “prohibit[ing] remote access to administrative functions and resources from IP addresses and systems not owned by the organization.”

Editor's Note

Even if you don’t think you are a target, review the US-CERT CISA Alert recommendations you can leverage across your organization: implementing MFA, making sure that newly provisioned systems are configured to an appropriate security baseline, and actively monitoring services for abuse. Additionally, make sure that your user verification processes are still robust. Make sure that adjustments made for a fully remote workforce didn’t introduce gaps an attacker can leverage to get legitimate credentials.

Lee Neely

2021-04-26

Apple Patches “Worst macOS Bug in Recent Memory”

Apple has released a fix for a vulnerability in macOS that let hackers bypass Apple security features including Gatekeeper, File Quarantine, and app notarization requirements. The flaw has been exploited in the wild. Researcher Patrick Wardle has referred to the vulnerability as “the worst macOS bug in recent memory.” Users are urged to update to macOS (Big Sur) 11.3.

Editor's Note

Labeling this vulnerability the "worst in recent memory" may be overhyping it a bit, but while exploitation still requires a user to willingly install malware, the vulnerability evades all controls Apple put in place in recent years to prevent just that from happening. Upgrade quickly.

Johannes Ullrich

At core, the Apple protections assumed applications would have a file “info.plist.” An application which is actually a script and doesn’t contain that file would bypass the security check, including the mandatory notarization check, and be executed. In addition to the macOS update, XProtect has also been updated to detect and warn on attempts to exploit the flaw, which means that protection will be available for older macOS users. While the XProtect update is installed automatically, the macOS update is not. Apple released updates to Big Sur, Mojave, and Catalina this week to address multiple vulnerabilities; you’ll want to get those all queued up for installation.

Lee Neely
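A simple defender-side sweep based on the mechanism described above: flag .app bundles that lack Contents/Info.plist or whose executable is a shell script rather than a native binary. This is an added illustration, not code from Apple, Objective-See or the newsletter, and the heuristic and the constructed sample bundles are assumptions for demonstration.

```python
import os
import tempfile
from pathlib import Path


def bundle_findings(bundle):
    """Return a list of findings for one .app bundle (empty if it looks normal)."""
    findings = []
    contents = bundle / "Contents"
    if not (contents / "Info.plist").is_file():
        findings.append("missing Contents/Info.plist")
    macos = contents / "MacOS"
    if macos.is_dir():
        for exe in sorted(macos.iterdir()):
            if exe.is_file():
                with open(exe, "rb") as f:
                    if f.read(2) == b"#!":  # shebang: a script, not a Mach-O binary
                        findings.append(f"script executable: {exe.name}")
    return findings


def scan_for_suspect_bundles(root):
    """Walk `root` for .app bundles and return {relative_bundle_path: findings}."""
    suspects = {}
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                bundle = Path(dirpath) / name
                found = bundle_findings(bundle)
                if found:
                    suspects[str(bundle.relative_to(root))] = found
                dirnames.remove(name)  # do not descend into the bundle itself
    return suspects


def build_constructed_fixture():
    """Create a throwaway tree with one normal-looking bundle and one script-only
    bundle (constructed sample data, not real software); returns the root path."""
    root = Path(tempfile.mkdtemp())
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic bytes
    bad = root / "Suspect.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Suspect").write_text("#!/bin/sh\necho hi\n")  # script, no Info.plist
    return root


if __name__ == "__main__":
    for path, findings in scan_for_suspect_bundles(build_constructed_fixture()).items():
        print(path, "->", "; ".join(findings))
```

On a real Mac, point `scan_for_suspect_bundles` at /Applications or a user's Downloads folder; a hit is a prompt for closer inspection, not proof of compromise.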

The telling quote is in the Wired story: “The flaw is akin to a front entrance that's barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes.” This type of flaw is pretty much at the level of buffer overflows.

John Pescatore

2021-04-26

More Than One-Fifth of PC Users are Running Windows 7

Kaspersky says that based on analysis of anonymized OS metadata, 22 percent of PC users are running end-of-life Windows 7. Microsoft discontinued support for Windows 7 in January 2020. Kaspersky says that 72 percent of PC users are running Windows 10.

Editor's Note

Ignoring special purpose systems which have to run Windows 7, such as an instrument controller or oscilloscope, general purpose systems need to move to a supported OS. The common argument is that the old system is fully functional, typically followed by not wanting to learn a new OS. Because there are no fixes or support for these systems, they need to be isolated, as they are no longer sufficiently secure for Internet access. This is further complicated by cloud migrations which require these systems to have Internet access. The good news is that new versions of applications are unlikely to operate on Windows 7 systems, either because the OS isn’t supported or because the hardware is not sufficient for their needs, which can be used to drive the conversation.

Lee Neely

Internet Storm Center Tech Corner

How Safe are Your Docker Images?

https://isc.sans.edu/forums/diary/How+Safe+Are+Your+Docker+Images/27340/


Compact VBA Macros

https://isc.sans.edu/forums/diary/Malicious+PowerPoint+AddOn+Small+Is+Beautiful/27342/


Base64 Strings Used in Web Scanning

https://isc.sans.edu/forums/diary/Base64+Hashes+Used+in+Web+Scanning/27346/


CAD: .DGN and .MVBA Files analyzed with oledump

https://isc.sans.edu/forums/diary/CAD+DGN+and+MVBA+Files/27354/


Additional SolarWinds Infrastructure

https://www.riskiq.com/blog/external-threat-management/solarwinds-c2-servers-new-tactics/


Cellebrite Exploit

https://signal.org/blog/cellebrite-vulnerabilities/


Duo 2FA Bypass

https://sensepost.com/blog/2021/duo-two-factor-authentication-bypass/


Clickstudios Password Manager Compromise

https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/


Homebrew Code Execution Vulnerability

https://brew.sh/2021/04/21/security-incident-disclosure/


Apple AirDrop Shares Personal Data

https://www.informatik.tu-darmstadt.de/fb20/ueber_uns_details_231616.en.jsp


MacOS 0-Day Bug Patched

https://objective-see.com/blog/blog_0x64.html

https://support.apple.com/en-us/HT201222


Emotet Uninstaller Triggered

https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/


HashiCorp Code Signing Key Exposed By Codecov Compromise

https://www.theregister.com/2021/04/26/hashicorp_reveals_exposure_of_private/