SANS NewsBites

Biden Executive Order on Supply Chain Security; Google Nudging Users Towards 2FA; Patch Your Exim Servers Now; Vulnerable Dell Firmware Update Driver is in Wide Use

May 7, 2021  |  Volume XXIII - Issue #36

Top of the News


2021-04-29

Biden Administration is Finalizing Executive Order Prompted by SolarWinds

In response to the SolarWinds supply chain attack, the Biden administration plans to release an executive order (EO) establishing cybersecurity standards for companies that conduct business with the US government. The EO is expected to include software development standards and plans for investigating cyber incidents. In short, the EO uses the federal procurement process to effect change in the development process.

Editor's Note

The US government using its buying power to drive higher standards in cybersecurity is a good thing, but it can’t just be more maturity model/process certification paperwork requirements. Actual security testing of products and services needs to be part of the mandates. Also, the idea of a “Cyber NTSB” (first raised by Steve Bellovin many years ago, and more recently by Bellovin and Adam Shostack) is a really vital initiative that needs to come from the federal level to be effective.

John Pescatore

Good step in the right direction, one that does not require legislation. That said, we need to hold accountable suppliers who distribute malicious code, including “back doors.” This may require legislation.

William Hugh Murray

2021-05-07

Google is Encouraging Users to Adopt 2FA

Google will prompt users to turn on two-factor authentication (2FA). Users who have already adopted 2FA will be asked to confirm their identities. Eventually, Google plans to automatically enroll users in two-step verification if their accounts are configured to allow it.

Editor's Note

I’d like to see that “eventually” replaced with “next month” and see Google replaced with “Google, Microsoft, Facebook, Paypal…”. Once again I will point to Microsoft’s research that replacing reusable passwords with simple (not perfect) 2FA like text messages to mobile phones is effective against 99.9% of phishing attacks, and phishing is the front end of the majority of successful breaches and ransomware incidents. Oh, and 90% of your board members are using 2FA at home on their personal devices and financial accounts.

John Pescatore

Even better would be 2FA on by default, only disabled by exception. Make sure that all your accounts, not just Google, have 2FA enabled wherever possible. While you’re looking at the account, check for application passwords or trusted/logged in devices to make sure that they are current and still needed. Look for the trust relationship for that laptop you gave to your neighbor/co-worker/etc. or that smartphone you traded in last year.

Lee Neely

Google has been a great champion of popularizing 2FA and developing usable solutions for end users. This work has been supported by data that shows that 2FA is preventing almost all phishing attacks. If Google can do it with its vast and diverse user base, so can you.

Johannes Ullrich

Given that people’s email accounts tend to be the nucleus for all their other online identities, this is a very welcome move and great to see someone like Google normalize security measures such as 2FA.

Brian Honan

Fraudulent password reuse is involved in many, not to say most, breaches. Google's offering of strong authentication to its users is a model for others. It offers sufficient choices to users to achieve effective security with a minimum of inconvenience. Its use by default is a step in the right direction. Strong authentication within the enterprise should, by now, be the default. One might really like to know what the voluntary adoption of Google's strong authentication has been. While it might justify the pervasive belief that "strong authentication is too hard," it just might prove that the opposite is true.

William Hugh Murray

2021-05-06

Fixes are Available for Exim Mail Server Vulnerabilities

Researchers at Qualys detected 21 security flaws in the Exim mail server. Some of the flaws could “be chained together to obtain full remote unauthenticated code execution and gain root privileges.” Admins are advised to update to Exim version 4.94.2 to address the vulnerabilities in the mail transfer agent. Exim maintainers also said that the 3.x release is obsolete and should no longer be used.

Editor's Note

Some of these vulnerabilities go back to the original versions of Exim from 2004, so don’t assume the flaws are only for the newer versions you have deployed – update all of them. The Qualys Security Advisory includes not only the technical details but also PoC code, which means you need to patch any externally facing Exim servers right away. Don’t forget to update the rest of your Exim installations. Take advantage of the Security Advisory information to learn how the exploit works and verify the updated version is not susceptible on a test or lab system.

Lee Neely

Exim had similarly severe vulnerabilities about two years ago. What followed was a large wave of exploits against Exim servers by anybody who knew how to spell "EHLO". It took about a month for an easy to use exploit to arrive. In short: You need to patch now if you run Exim (many Linux systems use it).

Johannes Ullrich

2021-05-05

Dell Firmware Update Driver Vulnerabilities

Researchers at SentinelLabs found five high-severity vulnerabilities in a firmware update driver that has been installed on hundreds of millions of Dell systems since 2009. Two of the five vulnerabilities are memory corruption flaws, two are lack of input validation flaws, and the fifth is a code logic issue. Dell has provided remediation suggestions.

Editor's Note

This flaw is "only" a privilege escalation vulnerability. But given the wide use of the utility, and its ability to modify firmware, it may become an interesting conduit to install more persistent back doors. Patch as you get around to it. The challenge will be to find all the instances of these drivers.

Johannes Ullrich

The list of impacted systems from Dell is long and comprehensive, and may suck all the joy out of the room. Note that on May 10th, the Dell notification solutions can be leveraged for automated deployment of the update when installed; even non-enterprise customers will be notified of the available update. https://www.dell.com/support/contents/en-us/article/product-support/self-support-knowledgebase/software-and-downloads/download-center/drivers-and-downloads/notifications

Lee Neely

The Rest of the Week's News


2021-05-06

US Intelligence is Conducting Supply Chain Risk Review

Prompted by the SolarWinds attack, US intelligence agencies are undertaking a review of supply chain risks posed by Russian companies and US companies that conduct business in Russia. The FBI and other participating agencies will share their findings with the Commerce Department to determine whether vendors need to be excluded from US supply chains.

Editor's Note

Given the state of the world’s current political climate I would hope that this review will not be confined to just Russian interests.

Brian Honan

There will always be a geopolitical aspect to supply chain risk assessments, but just as all businesses learned early on that geo-blocking by country domains was rarely a workable solution, political decisions that do the same thing will have very little impact on the actual security level of products and services in company supply chains.

John Pescatore

Given the number of participants in the supply chain, this will be a daunting task. Nor is it clear that identifying and eliminating weak links in advance is an efficient way to strengthen the chain.

William Hugh Murray

2021-05-06

Ryuk Ransomware Infection Traced to Pirated Software

Sophos' Rapid Response team helped a European biomolecular research institute deal with a Ryuk ransomware attack. The infection has been linked to pirated software that a student working remotely downloaded. The software contained a keystroke logger, which stole sensitive information.

Editor's Note

Several lessons here. The institute lost a week’s worth of data because their backups weren’t updating as expected. The malware was able to obtain access to the school’s network as remote services used reusable credentials. Make sure that remote connections include a host posture check before completing the connection, particularly if you permit access by non-enterprise devices. Require updated active endpoint protection. Consider carefully options of providing regular or discounted licenses for home use versions of enterprise software. Be prepared for human error, not just direct attacks.

Lee Neely

I would encourage everyone to read the Sophos report. It is a great case study as to how many organisations are at risk as a result of COVID19 forcing people to work remotely, and in particular working from their own personal devices. Read the report and check to see if you have the appropriate controls in place to prevent your organization becoming a victim of a breach related to use of personal devices.

Brian Honan

Ineffective supervision of novices is a fundamental problem of WFH. Consider teaming of novices with experienced people to achieve something like one-on-one supervision. Both halves of the team will benefit.

William Hugh Murray

2021-05-05

DDoS Attack Affected Belgian Government, Education, and Other Sites

A distributed denial-of-service (DDoS) attack targeted Belgian Internet service provider Belnet on Tuesday, May 4. The attack affected roughly “200 organizations … including universities, public administrations and research institutes.” The incident forced Belgium’s Parliament to postpone some meetings, and some law enforcement forces’ systems were affected as well.

Editor's Note

Do you have a contingency plan for operations if you, or your key services, are subject to a DDoS attack? And have you communicated that to users/customers? With the current remote work environment, in-person work-arounds are tricky and may not succeed. You likely have some ready work-arounds in place. How often have you, like me, rolled your eyes at the list of numbers for dialing into a VTC and clicked use computer audio? Or set up a meeting without a dial-in number? Those may still be working in this scenario. Do you have updated phone trees? Do they include customer incident response organizations?

Lee Neely

2021-05-06

Cisco Patches Flaws in SD-WAN vManage and HyperFlex Software

Cisco has released updates to address critical flaws in SD-WAN vManage and HyperFlex software. The vulnerabilities could be exploited to create rogue admin accounts and execute commands with root privileges. Cisco also released updates to address vulnerabilities in other software including Cisco Small Business 100, 300, and 500 Series Wireless Access Points and SD-WAN vEdge Software.


2021-05-06

CISA FiveHands Ransomware Analysis

The US Cybersecurity and Infrastructure Security Agency (CISA) has published analysis of the FiveHands ransomware. Threat actors used FiveHands, along with publicly available tools and the SombRAT remote access trojan, to launch a ransomware attack against an unnamed organization. CISA notes that “the initial access vector was a zero-day vulnerability in a virtual private network (VPN) product.” The analysis report includes indicators of compromise and suggested mitigations.

Editor's Note

Give AR21-126B to your SOC to incorporate the IoCs into their SIEM/SOAR products. You should both read AR21-126A for interesting analysis of the parts and pieces of this attack and review the mitigations – including decommissioning unused remote access devices, limiting the software users can install, enabling host based firewalls, and keeping things patched with updated active endpoint protection services.

Lee Neely

The continued success of extortion attacks demonstrates the vulnerability of the cyber infrastructure. While indicators of compromise are valuable, we need less emphasis on tools and attacks, more on prevention and resilience.

William Hugh Murray

2021-05-05

NIST Taking Comments on HIPAA Security Rule Guidance

The US National Institute of Standards and Technology (NIST) is seeking comments on updates to its Introductory Resource Guide for Implementing the HIPAA Security Rule. The current version was published in 2008. NIST is taking comments through June 15, 2021.


2021-05-06

Hack the Pentagon Expands Permissible Targets

The US Defense Department has expanded “its vulnerability disclosure program to include all publicly accessible DOD information systems.” Known familiarly as Hack the Pentagon, the program was launched in 2016 and at the time was limited to DOD’s public facing applications and websites.

Editor's Note

To date, over 29,000 vulnerabilities were reported on the previously in-scope systems; over 70% were determined to be valid. This number is expected to be much larger with the increased scope. In 2020, CISA directed all executive branch agencies to develop their own vulnerability disclosure programs. The Defense Department partnered with HackerOne to develop this program and has spent the last four years maturing it. Other agency programs may not be as well managed and may have a much smaller scope. Before researching a site, be sure that you have found and follow the rules of engagement and reporting processes.

Lee Neely

Well-managed bug bounty programs continue to show very positive results but a key point: “well-managed” means not just a well-managed vulnerability finding/reward process, but also a well-managed process to rapidly fix the verified vulnerabilities and improving the dev process to make sure that same flaws don’t just reappear in the next version.

John Pescatore

One continues to be concerned about "lone-wolf" researchers. Participants in these programs should be identified in advance and work under supervision or in teams. We must be careful not to legitimize rogue hacking in the name of security.

William Hugh Murray

2021-05-05

Update Available for WordPress Antispam Plugin

The developers of the Spam protection, AntiSpam, FireWall by CleanTalk plugin for WordPress have released an updated version to fix an SQL injection vulnerability that could expose sensitive data. The plugin has been installed on more than 100,000 sites. Users are urged to update to the most current version of the plugin, 5.156 or later.

Editor's Note

The SQL injection was enabled by failing to use prepared SQL statements. WordPress includes a function $wpdb->prepare() which will do this for you, and encourages all developers with plugins which include database access to use it. If you’re a plugin developer, make sure that you are using it. The updated plugin was released March 10th; make sure your copy is updated. Wordfence firewall rules were released to the paid version March 4th, and to the free version April 3rd.

Lee Neely
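As an added illustration of the point in the note above (example code, not from the newsletter or from the CleanTalk plugin), here is a hypothetical WordPress plugin lookup written once with string interpolation and once with $wpdb->prepare(); the table and column names (cleantalk_demo_log, ip, comment_id) are invented for the example.

```php
<?php
// Added example, not the CleanTalk plugin's code. Table and column names
// are hypothetical; $wpdb, get_col(), prepare() and esc_like() are the
// real WordPress database API.

// Vulnerable form: the value is concatenated straight into the SQL text.
// Whatever the caller puts in $ip becomes part of the query, so quoting
// is only as good as the input, which is the defect the note describes.
function demo_lookup_unsafe( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cleantalk_demo_log';
    $sql   = "SELECT comment_id FROM {$table} WHERE ip = '{$ip}'";
    return $wpdb->get_col( $sql );
}

// Hardened form: $wpdb->prepare() takes sprintf-style placeholders
// (%s string, %d integer, %f float), escapes each argument and quotes
// it, so the input can never alter the structure of the statement.
function demo_lookup_safe( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cleantalk_demo_log';
    // The table name is built from $wpdb->prefix, never from user input:
    // prepare() only handles values, not identifiers, so a table or
    // column name must not be passed through a %s placeholder.
    $sql = $wpdb->prepare(
        "SELECT comment_id FROM {$table} WHERE ip = %s",
        $ip
    );
    return $wpdb->get_col( $sql );
}

// LIKE patterns need one extra step: esc_like() neutralises % and _ in
// the user-supplied part before prepare() quotes the whole pattern.
function demo_lookup_prefix_safe( $ip_prefix ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cleantalk_demo_log';
    $sql   = $wpdb->prepare(
        "SELECT comment_id FROM {$table} WHERE ip LIKE %s",
        $wpdb->esc_like( $ip_prefix ) . '%'
    );
    return $wpdb->get_col( $sql );
}
```

Grepping a plugin for `$wpdb->query`, `get_results`, `get_col`, `get_var` and `get_row` calls whose first argument is a double-quoted string containing `$` is a quick first pass for spotting the unsafe pattern during review.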

It should be clear by now that WordPress Plug-in quality is a risk. They should be installed only by design and intent, only where clearly indicated, and never by default. Once installed they must be actively managed.

William Hugh Murray

Internet Storm Center Tech Corner

Quick and Dirty Python: masscan

https://isc.sans.edu/forums/diary/Quick+and+dirty+Python+masscan/27384/


May 2021 Forensic Contest

https://isc.sans.edu/forums/diary/May+2021+Forensic+Contest/27386/


Scans for Exposed Azure Storage Containers

https://isc.sans.edu/forums/diary/Exposed+Azure+Storage+Containers/27396/


Android Update

https://source.android.com/security/bulletin/2021-05-01?hl=en


Dell Privilege Escalation Vulnerability

https://www.dell.com/support/kbdoc/en-us/000186019/dsa-2021-088-dell-client-platform-security-update-for-dell-driver-insufficient-access-control-vulnerability

https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/


Exim Mail Server Vulnerabilities

https://www.qualys.com/2021/05/04/21nails/21nails.txt


Windows Defender Bug Fills Windows 10 Boot Drive with thousands of files

https://www.bleepingcomputer.com/news/microsoft/windows-defender-bug-fills-windows-10-boot-drive-with-thousands-of-files/


ICMP Tunnel Backdoor

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/


VMWare vRealize Business for Cloud Patch

https://kb.vmware.com/s/article/83475


Cisco Updates SD-WAN vManager / HyperFlex HX

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=100#~Vulnerabilities


Security and Privacy Risks of Number Recycling at Mobile Carriers in the US

https://recyclednumbers.cs.princeton.edu


Qualcomm MSM Vulnerability

https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/


Google to Automatically Enroll Users in 2SV

https://blog.google/technology/safety-security/a-simpler-and-safer-future-without-passwords/


New Cellebrite Vulnerabilities Announced

https://www.ehackingnews.com/2021/05/new-vulnerabilities-in-cellebrites.html