SANS NewsBites

Virginia Advances Cyber Workforce Development; Bytecode Alliance Pushes Safe and Fast Software; Linux Kernel Vulnerability; Google Service Account Security Recommendation

April 30, 2021  |  Volume XXIII - Issue #34

Top of the News


2021-04-28

Bytecode Alliance Promotes WebAssembly to Improve Supply Chain Security

The Bytecode Alliance is inviting organizations to join its efforts to promote the use of WebAssembly and the WebAssembly System Interface to improve supply chain security. Member “organizations share a vision of a WebAssembly ecosystem that fixes cracks in today’s software foundations that are holding the industry and its software supply chains back from a secure, performant, cross-platform and cross-device future.”

Editor's Note

The major browser vendors have been working collaboratively on WebAssembly since 2017, in an effort to have common standards for fast and safe binaries that run on a variety of processors on the web. Good to see the focus on “safe” being equal to the focus on “fast.”

John Pescatore

2021-04-28

Linux Kernel Vulnerability

An information disclosure vulnerability in the Linux kernel's /proc/<pid>/syscall interface could be exploited to read kernel stack memory, which in turn can help an attacker defeat kernel address space layout randomization (KASLR). Users of affected kernel versions are urged to upgrade to the most current builds.

Editor's Note

As the exploit is a read operation, it’s pretty much not detectable from the network. Detecting reads of the /syscall procfs locally can generate a lot of traffic and false positives. The patch was merged into the codebase December 3rd and should be included in your Linux distribution as you apply updates. Double check if you’re running kernel versions 5.10-rc4, 5.4.66 or 5.9.8.

Lee Neely

Major distributions have patches available. Remember that this will likely require a reboot. Not urgent, but should be applied as part of your regular patch schedule / scheduled maintenance window.

Johannes Ullrich

2021-04-27

Service Account Authentication on Google Cloud

Google offers guidelines for using service accounts (accounts that represent non-human users) on Google Cloud and for selecting the appropriate authentication method. Recommendations include using service accounts only where appropriate and, where possible, using attached service accounts: accounts bound to the resource that runs the workload (a VM, a Cloud Function, a GKE pod) so that the workload obtains short-lived credentials from the platform instead of authenticating with a downloaded, long-lived key file.
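
The two anti-patterns the guidance warns against, a service account used as a blanket admin identity and a service account authenticated with downloaded keys, both leave traces in the output of standard gcloud commands. The script below is an added example (not Google's tooling and not from the guidance itself) that audits two constructed inputs shaped like `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam service-accounts keys list --iam-account=SA --format=json`; the project name, account names and key ids in the sample data are made up, and the 90-day key age threshold is an assumed policy value.

```python
"""Audit GCP IAM policy and service-account key listings for the two anti-patterns above.
Example code with constructed sample data; field names follow gcloud's JSON output."""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:legacy-batch@demo-proj.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:report-gen@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")

# Constructed sample in the shape of `gcloud iam service-accounts keys list ... --format=json`,
# one list per account. Google-rotated keys are SYSTEM_MANAGED; downloaded keys are USER_MANAGED.
SAMPLE_KEYS = {
    "legacy-batch@demo-proj.iam.gserviceaccount.com": [
        {"name": "projects/demo-proj/serviceAccounts/legacy-batch@demo-proj.iam.gserviceaccount.com/keys/4f2a9c",
         "keyType": "USER_MANAGED", "validAfterTime": "2019-06-01T00:00:00Z",
         "validBeforeTime": "9999-12-31T23:59:59Z"},
        {"name": "projects/demo-proj/serviceAccounts/legacy-batch@demo-proj.iam.gserviceaccount.com/keys/c0ffee",
         "keyType": "SYSTEM_MANAGED", "validAfterTime": "2021-04-20T00:00:00Z",
         "validBeforeTime": "2021-05-06T00:00:00Z"},
    ],
    "report-gen@demo-proj.iam.gserviceaccount.com": [
        {"name": "projects/demo-proj/serviceAccounts/report-gen@demo-proj.iam.gserviceaccount.com/keys/a1b2c3",
         "keyType": "SYSTEM_MANAGED", "validAfterTime": "2021-04-25T00:00:00Z",
         "validBeforeTime": "2021-05-11T00:00:00Z"},
    ],
}

# Project-wide basic roles: the opposite of "rights only to the specific services it needs".
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def service_accounts_with_basic_roles(policy: dict) -> list:
    """Return (account, role) pairs for service accounts bound to a basic role."""
    hits = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                hits.append((member.split(":", 1)[1], binding["role"]))
    return sorted(hits)


def user_managed_keys(keys_by_account: dict, now: datetime, max_age_days: int = 90) -> list:
    """Return every downloaded (USER_MANAGED) key; an attached service account needs none of these."""
    hits = []
    for account, keys in keys_by_account.items():
        for key in keys:
            if key["keyType"] != "USER_MANAGED":
                continue
            created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
            age = (now - created).days
            hits.append({"account": account, "key_id": key["name"].rsplit("/", 1)[-1],
                         "age_days": age, "over_max_age": age > max_age_days})
    return hits


def audit(policy: dict = SAMPLE_POLICY, keys_by_account: dict = SAMPLE_KEYS, now: datetime = None) -> dict:
    """Run both checks; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return {"basic_role_service_accounts": service_accounts_with_basic_roles(policy),
            "user_managed_keys": user_managed_keys(keys_by_account, now)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On the sample data the audit flags legacy-batch twice: it holds roles/editor on the whole project, and it has a user-managed key created in 2019 with no expiry, which is exactly the "hardcoded embedded password" pattern; report-gen, with a narrow role and only Google-managed keys, is what an attached service account looks like from the outside.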

Editor's Note

Service accounts – essentially machine accounts that can’t do “human” things like enter a password or answer an authentication challenge – are often overlooked even as human authentication is strengthened. I like that Google starts off this guidance with the most important guidance: “Only use service accounts where appropriate.” There are many cases where service accounts are used just as hardcoded embedded passwords were used – simpler for both the developer and the attacker.

John Pescatore

This document provides good guidance on where to use service accounts versus human user accounts. Service accounts don’t use your interactive login services, and can be granted rights only to the specific services to which they need access, making monitoring and anomaly detection much easier and practical. Apply this model to your on-premises systems as well. Eliminate business processes which execute as an end user where possible, leverage published standards and best practices.

Lee Neely

The Rest of the Week's News


2021-04-29

CISA and NIST Joint Report on Supply Chain Security

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have jointly issued a report, Defending Against Software Supply Chain Attacks. The report provides recommendations for implementing the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework.

Editor's Note

The report reminds us that open source code is also targeted, not just code signing keys or suppliers’ code repositories. Develop a mindset that open source is someone else’s code and needs to be checked for security flaws and undesired extra functionality. When building your deployment environment, use unprivileged processes wherever possible to reduce the attack surface in that phase of deployment. Make sure that you have a formal C-SCRM program, which includes open lines of communication with suppliers, secure development and deployment practices, and equal scrutiny of products irrespective of origin. Read the report for added recommendations. Talk to your suppliers about what they are doing, and if that feels inadequate, re-assess the risk of that relationship.

Lee Neely

Supply chain security is kind of like information security overall in that we pretty much know what to do and there are many frameworks that list everything to do – how to overcome real world business obstacles to making progress is the hard part. Most vertical industries with an ISAC have supply chain security working groups or ad hoc sessions at ISAC meetings. The InfraGard Electronic Security Industry Cross Sector Council has recently partnered with the FBI and private sector organizations to provide education, information sharing, networking and workshops on supply chain threats and security approaches.

John Pescatore

This document is more balanced than most of the recommendations in the space in that it addresses suppliers. However, it addresses the end users first. This problem cannot even be mitigated by end users. Some will fall victim and our already fragile infrastructure will be further weakened. We must take a supplier first strategy, prevention first. Suppliers must be severely sanctioned when they distribute malicious code.

William Hugh Murray

2021-04-27

FCC Supply Chain Security Strategy

At an event on Monday, April 26, US Federal Communications Commission (FCC) acting chairperson Jessica Rosenworcel described the FCC’s “proactive, three-pronged strategy to building a more secure, resilient, and next-generation communications supply chain for this 5G future.” The strategy involves slowing down untrusted vendors, speeding up trustworthy innovation, and collaborating with government, industry, and partner nations.

Editor's Note

The FCC strategy for “slowing down untrusted vendors” points to the Secure and Trusted Communications Networks Act of 2019 that so far has focused on only Chinese telecoms vendors as being untrusted – Dahua Technology, Hangzhou Hikvision, Huawei, Hytera and ZTE Corp. products are the only ones on the list. National security priorities may indicate those vendors are untrusted but there are many, many other vendors that are major risks to supply chains. The UK approach to national telecoms security has long included active testing requirements for critical vendors.

John Pescatore

A "supplier first" strategy should include sanctions for suppliers who ship malicious code.

William Hugh Murray

2021-04-27

University of Minnesota Responds to Linux Foundation Requests

The head of the Department of Computer Science and Engineering at the University of Minnesota has responded to the Linux Foundation’s requests that the university take certain actions, and has indicated that the department intends to take steps to regain the foundation’s trust. In addition, a paper based on the “hypocrite commits” that was scheduled to be presented at the IEEE Symposium on Security and Privacy next month has been withdrawn.

Editor's Note

When you make a mistake, own it, then clean it up, quickly. Not only did they withdraw the research paper for lack of permission and partnership, they also took it a step further to not set a precedent on how research should be conducted. It would be interesting to have a panel discussion of both sides to help others understand the intent, impact, and how the fence can be mended.

Lee Neely

The mitigation should include adding an ethics component to the curriculum.

William Hugh Murray

2021-04-28

Notifying Emotet Victims With the Help of Have I Been Pwned

In an effort to let individuals and organizations know that their systems were infected with Emotet malware, law enforcement officials have shared 4.3 million email addresses with the Have I Been Pwned breach alert service.

Editor's Note

Have you checked for your email in HIBP lately? All of them? So if you find them, change the password for that account, enable 2FA if supported, make sure your endpoint protection is installed, auto-updated and licensed. While you’re changing passwords, this is a good time to update the ones you’ve been meaning to, particularly ones you reused or are easily guessable. Make sure your SOC has incorporated the Emotet YARA signatures published by DFN-CERT.

Lee Neely

2021-04-29

KDC Spoofing in F5 BIG-IP

Researchers at Silverfort have found a Key Distribution Center (KDC) spoofing vulnerability in F5 Networks’ BIG-IP Application Delivery Services appliance that could be exploited to bypass Kerberos authentication. The appliance’s Access Policy Manager (APM) accepts the KDC’s reply to its authentication request without verifying that the reply came from a genuine KDC, so an attacker who can intercept or redirect the traffic between the appliance and the KDC can answer with a forged reply and sign in to BIG-IP APM without valid credentials. Fixes are available for BIG-IP APM 12.x, 13.x, 14.x and 15.x.
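
The exchange that makes KDC spoofing work, and the check that defeats it, as an added example that is not Silverfort’s research code or F5’s implementation. Kerberos encryption is replaced by a JSON body plus HMAC tag (a message "decrypts" when its tag verifies under the key), the realm EXAMPLE.LOCAL, the principal alice, the SPN HTTP/apm.example.local and all passwords are constructed, and the "vulnerable" and "hardened" login routines model the general pattern of a password-validating service, not the specific F5 code paths.

```python
"""Toy model of Kerberos KDC spoofing (example code, not F5's or Silverfort's)."""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: password salted with realm+principal, as Kerberos does (simplified)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("EXAMPLE.LOCAL" + principal).encode(), 2000)


def seal(key: bytes, payload: dict) -> bytes:
    """Stand-in for Kerberos encryption: JSON body plus HMAC tag. 'Decrypts' iff the tag verifies."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the payload, or None when the tag does not verify under this key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)


class RealKDC:
    """Legitimate KDC: holds every principal's key, including the service's keytab key."""

    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: derive_key(p, u) for u, p in users.items()}
        self.service_keys = dict(services)  # spn -> keytab key
        self.krbtgt_key = os.urandom(32)

    def as_exchange(self, user: str, preauth: bytes):
        key = self.user_keys.get(user)
        ts = unseal(key, preauth) if key else None
        if ts is None or abs(time.time() - ts["timestamp"]) > 300:
            return None  # KRB-ERROR: pre-authentication failed
        session = os.urandom(16).hex()
        tgt = seal(self.krbtgt_key, {"client": user, "session": session})
        return {"enc_part": seal(key, {"session": session}), "tgt": tgt}

    def tgs_exchange(self, tgt: bytes, spn: str):
        body = unseal(self.krbtgt_key, tgt)
        if body is None or spn not in self.service_keys:
            return None
        return seal(self.service_keys[spn], {"client": body["client"], "spn": spn})


class SpoofKDC:
    """Attacker's fake KDC, reached by redirecting the appliance's KDC traffic. It holds no
    real key; it only knows the password the attacker just typed into the login form."""

    def __init__(self, user: str, typed_password: str):
        self.key = derive_key(typed_password, user)

    def as_exchange(self, user: str, preauth: bytes):
        # Ignore pre-auth entirely; return an AS-REP that "decrypts" under the typed password.
        return {"enc_part": seal(self.key, {"session": "00" * 16}), "tgt": seal(os.urandom(32), {})}

    def tgs_exchange(self, tgt: bytes, spn: str):
        return seal(os.urandom(32), {"client": "?", "spn": spn})  # no keytab key: cannot forge


def _as_request(kdc, user: str, password: str):
    key = derive_key(password, user)
    return key, kdc.as_exchange(user, seal(key, {"timestamp": time.time()}))


def vulnerable_login(kdc, user: str, password: str) -> bool:
    """Accepts the user if the AS-REP decrypts with the typed password: spoofable."""
    key, rep = _as_request(kdc, user, password)
    return rep is not None and unseal(key, rep["enc_part"]) is not None


def hardened_login(kdc, user: str, password: str, spn: str, keytab_key: bytes) -> bool:
    """Also requests a service ticket for our own SPN and verifies it with our keytab key."""
    key, rep = _as_request(kdc, user, password)
    if rep is None or unseal(key, rep["enc_part"]) is None:
        return False
    blob = kdc.tgs_exchange(rep["tgt"], spn)
    ticket = unseal(keytab_key, blob) if blob else None
    return ticket is not None and ticket["client"] == user and ticket["spn"] == spn


def demo() -> dict:
    spn, keytab = "HTTP/apm.example.local", os.urandom(32)
    real = RealKDC({"alice": "correct horse"}, {spn: keytab})
    spoof = SpoofKDC("alice", "whatever-i-typed")
    return {
        "real_good_vulnerable": vulnerable_login(real, "alice", "correct horse"),
        "real_badpw_vulnerable": vulnerable_login(real, "alice", "wrong"),
        "spoof_vulnerable": vulnerable_login(spoof, "alice", "whatever-i-typed"),
        "real_good_hardened": hardened_login(real, "alice", "correct horse", spn, keytab),
        "spoof_hardened": hardened_login(spoof, "alice", "whatever-i-typed", spn, keytab),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker never learns alice's password: the spoofed KDC simply echoes back something that verifies under whatever password the attacker typed, and a client that equates "the AS-REP decrypted" with "the KDC vouched for this user" is satisfied. The hardened path closes the gap by asking the KDC for a ticket to the service's own SPN, which only a KDC holding the service's keytab key can produce, so the spoofed KDC is rejected while the legitimate one still succeeds. Operationally that means the service needs a keytab for its SPN and a configuration that validates the KDC against it, which is the setting to look for when reviewing any Kerberos password-validation integration.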

Editor's Note

Nice work by the researchers at Silverfort. They found a number of similar vulnerabilities in a wide range of equipment. Please update if you are using Kerberos to authenticate. Kerberos is quite old but still not well understood and bad implementations are sadly somewhat common.

Johannes Ullrich

2021-04-29

Ransomware Task Force Report

The Institute for Security and Technology’s Ransomware Task Force has released a report titled Combatting Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force. The report includes “a comprehensive framework of actions (48 in total) that government and industry leaders can pursue to significantly disrupt the ransomware business model and mitigate the impact of these attacks in the immediate and longer terms.”

Editor's Note

Ask your CISO and CIO to read the report. It includes statistics and trend information you can use to help management understand the need to be adequately prepared for ransomware. While the recommendations include actions to be performed at the government levels, partner with your peers, ISP, hosting and cloud providers to better understand their protections and develop a plan of services to leverage and actions you can take to help you improve your readiness and build lines of communication in the event of an incident.

Lee Neely

Extortion attacks are increasing, demands are higher, and mitigation more expensive, whether or not the demands are met. A systematic approach is overdue.

William Hugh Murray

2021-04-28

DC Metropolitan Police Department Suffers Ransomware Attack

Washington, DC’s Metropolitan Police Department has acknowledged that it was the target of a ransomware attack. The ransomware operators claim to have stolen 250 GB of the department’s files; they are demanding $50 million.


2021-04-29

Ransomware Operators Leak Files Taken from Illinois Office of the Attorney General

Ransomware operators have leaked information stolen from the Illinois Office of the Attorney General (OAG). The Illinois OAG acknowledged the attack on April 13. The operators leaked the files after ransom negotiations failed.


2021-04-29

Whistler Canadian Resort Suffers Ransomware Attack

The Resort Municipality of Whistler (RMOW) in British Columbia, Canada was the target of a ransomware attack earlier this week. The incident forced RMOW to shut down its network, websites, email, and phone systems.

Editor's Note

Look at your system interdependencies. If you had to shut down your data center, would you also be taking your phones and email offline or do you have enough isolation to allow you to shutdown impacted segments without taking all your enterprise services offline? Verify containment options of your outsourced and cloud based services as well to understand what their failure model looks like. Did you remember to include DR/Backup services or are you still waiting to fund those? Is the system you have sufficiently isolated?

Lee Neely

Whistler has grown from a ski resort with only the most primitive guest accommodations to a city with year round residents. It is probably no more or less vulnerable than any other city of similar size. All such cities need to step up their game; the population is simply too target-rich. However, as with supply chain attacks, we need a systematic approach to extortion attacks, one that includes taking the profit out of the equation and putting in effective investigation, prosecution, and punishment.

William Hugh Murray

Internet Storm Center Tech Corner

Diving into a Singapore Post Phishing E-Mail

https://isc.sans.edu/forums/diary/Diving+into+a+Singapore+Post+Phishing+Email/27356/


From Python to .Net

https://isc.sans.edu/forums/diary/From+Python+to+Net/27366/


Two in Five Victims of Online Scam Adverts Do Not Report to Host Platforms

https://www.which.co.uk/news/2021/04/two-in-five-victims-of-online-scam-adverts-dont-report-to-host-platforms/


Microsoft Defender Blocks Cryptojacking Malware

https://www.microsoft.com/security/blog/2021/04/26/defending-against-cryptojacking-with-microsoft-defender-for-endpoint-and-intel-tdt/


Stopping Google FLoC

https://github.blog/changelog/2021-04-27-github-pages-permissions-policy-interest-cohort-header-added-to-all-pages-sites/

https://amifloced.org


Linux Privilege Escalation Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211


RotaJakiro Backdoor

https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/


F5 Big IP Kerberos Spoofing Vulnerability

https://support.f5.com/csp/article/K51213246


PHP Composer Vulnerability

https://blog.sonarsource.com/php-supply-chain-attack-on-composer


Microsoft Identifies Several Integer Overflow Vulnerabilities

https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04