SANS NewsBites

CISA: Weak Cloud Security Actively Exploited; NSA: Third-Party DNS Resolvers Unsafe; FIX NOW! Actively Exploited Flaws in Microsoft, Adobe, and Cisco Products

January 15, 2021  |  Volume XXIII - Issue #4

Top of the News


2021-01-14

CISA: Attackers Exploit Poor Cyber Hygiene to Compromise Cloud Security Environments

The US Cybersecurity and Infrastructure Security Agency (CISA) has released Analysis Report AR21-013A: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services, after becoming aware of cyber-attacks leveraging weaknesses in cloud security services. Threat actors are leveraging phishing and other techniques to exploit poor cyber hygiene practices and misconfigurations in cloud services. CISA has listed steps organizations can take to improve their cloud security posture.

Editor's Note

The false belief that "cloud equals more secure" is so pervasive that one of the largest cloud providers has an employee (a senior retired FBI agent) whose nearly full-time job is explaining to clients that the system images they bought from the cloud provider were "no more secure than the servers and desktops they bought from Best Buy." In a meeting in Washington, he told the other attendees his nickname at the company was "CAO." When asked what that meant, he said, "Chief Apology Officer." It takes skilled professionals to make cloud systems secure, though the cloud providers offer wonderful tools to enable clients to make their systems more secure. SANS has in-depth, up-to-date courses on how to use those tools (https://www.sans.org/blog/sans-cloud-security-curriculum/) and all three top cloud providers allow you to order system images preconfigured according to the Center for Internet Security configuration guidelines (Everything You Need to Know About CIS Hardened Images: https://www.cisecurity.org/blog/everything-you-need-to-know-about-cis-hardened-images/).

Alan Paller

The report includes great recommendations to improve cloud security. Make sure that you're adequately securing cloud environments; at a minimum make sure you're following the service's security guidance. Review that guidance annually for improvements and needed changes. Make sure that direct access requires MFA. Verify that conditional access is both enabled and operates as planned. Evaluate the risks of enabling SSO from corporate desktops. Be sure that cloud service logs are being reviewed regularly, ideally forwarded automatically to your centralized logging and SIEM.

Lee Neely

Poor configuration management, authentication, privilege management and secure configuration IT ops practices don't get better just because the application is now running in the cloud. Too often it just means that the wrong things can be done faster. None of CISA's recommendations are cloud-specific. The best approach is to focus on essential security practices on-premise, then extend to the cloud.

John Pescatore

2021-01-14

NSA Warns Enterprises Not to Use Third-Party DNS Resolvers

The US National Security Agency (NSA) has released recommendations for enterprises to securely adopt encrypted DNS. The document "explain[s] the benefits and risks of adopting the encrypted domain name system (DNS) protocol, DNS over HTTPs (DoH), in enterprise environments." The NSA recommends against using third-party DNS resolvers to "ensure proper use of essential enterprise security controls, facilitate access to local network resources, and protect internal network information."


2021-01-12

Microsoft Patch Tuesday Includes Fix for Actively Exploited Microsoft Defender Flaw

Microsoft has released fixes for 83 security issues in its software, including Windows, Edge, Office, SQL Server, and Azure. Ten of the flaws are rated critical. One of the flaws fixed was disclosed prior to the monthly security update, and one of the flaws is being actively exploited: a remote code execution vulnerability that affects Microsoft Defender.

Editor's Note

Prioritize patching the actively exploited Defender flaw, which affects versions 1.1.17600 and below, followed closely by the splwow64 (user-mode printer driver) and Windows RPC Runtime updates. The RPC vulnerability is an RCE that reportedly requires no user interaction to exploit.

Lee Neely

2021-01-13

Adobe Patch Tuesday - High Priority

Adobe has released security updates to address seven critical vulnerabilities in Photoshop, Illustrator, Animate, Bridge, and other products. As of Tuesday, January 12, Adobe is blocking Flash content. Users are being urged to uninstall the software, which is no longer supported.

Editor's Note

Uninstalling Flash removes the option for a bypass of the kill switch. Make sure browser updates, which further blocked the running of Flash, are installed. Monitor for the reintroduction, only permitting Flash where the risk has been explicitly accepted and mitigations are in place to prevent abuse. Consider adding Flash to your denied/banned applications list and blocking content at the perimeter.

Lee Neely

2021-01-14

Cisco Updates Include Fix for Serious Vulnerability in CMX and 70 Other High-Severity Flaws

Cisco has released fixes for nearly 70 high-severity flaws in a variety of products. One of the most serious vulnerabilities affects Cisco Connected Mobile Experiences (CMX); it could be exploited to "allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system." Cisco has also released fixes for vulnerabilities in its RV routers, but it is not releasing updates for older RV routers that have reached end-of-life (EOL). The devices in question, which include Cisco Small Business RV110W, RV130, RV130W, and RV215W systems, reached EOL in 2017 and 2018, and paid extended support contracts expired on December 1, 2020. Cisco is urging customers using older versions of its RV routers to upgrade to newer, actively supported models.

Editor's Note

Exploiting the vulnerabilities requires existing credentials on the devices. One of the mitigations is to disable the web UI for managing the configuration. As these are devices used by small businesses, which may not have the expertise to manage them using the command line, replacement of these EOL devices is a much better choice. Review the configuration to ensure that only authorized devices and users are able to update the configuration. Make sure that you are regularly checking for and applying updates as well as verifying the configuration, and changing credentials after support staff turnover.

Lee Neely

Demolition experts find a small number of key support points and use a small number of explosives to bring down very large buildings. IT infrastructure elements, like network management systems (SolarWinds), VPN servers (such as PulseSecure) and all routers/switches/load balancers, etc. are high priority/high level targeted "support points" that can cause catastrophic damage if left vulnerable and exploitable. Downtime for patching/securely configuring key infrastructure elements has to be fought for.

John Pescatore

The Rest of the Week's News


2021-01-12

Proposed Rulemaking Would Require Financial Institutions to Report Cybersecurity Incidents Within 36 Hours

US federal financial regulatory agencies have proposed a rule that would require financial institutions to report cybersecurity events to financial regulators "no later than 36 hours after the banking organization believes in good faith that the incident occurred." The US Office of the Comptroller of the Currency (Treasury), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) published the proposed rulemaking in the Federal Register on January 12, 2021; comments will be accepted through April 12, 2021.


2021-01-13

International Effort Leads to DarkMarket Server Takedown and Arrest of Alleged Operator

An international law enforcement operation involving Europol and agencies in Germany, Australia, Denmark, Moldova, Ukraine, the UK, and the US has taken down the DarkMarket illegal online marketplace. The alleged operator of the marketplace, an Australian citizen living in Germany, has been arrested. Authorities also seized more than 20 associated servers in Moldova and Ukraine.

Editor's Note

A Darknet market is an e-commerce site designed to lie beyond the reach of regular search engines. Payments are made purely with cryptocurrency, and buyers and sellers are largely untraceable. Even so, this market had 500,000 users with 2,400 sellers. This takedown was part of a larger investigation which led to the 2019 shutdown of the CyberBunker "bulletproof hosting" service, and is distinct from the 2009 takedown of another site also called DarkMarket.

Lee Neely

An exemplary example of how international cooperation between law enforcement agencies can effectively tackle online crime. Expect to see many more of these operations in the future.

Brian Honan

2021-01-13

SolarWinds: Third Malware Tool Discovered

SolarWinds and CrowdStrike have disclosed information about yet another piece of malware that helped enable the supply chain attack. Dubbed Sunspot, the malware is designed "to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product."


2021-01-14

Apple Will Remove Feature that Let its Apps Bypass Security Measures

In October 2020, Mac researchers noticed a feature in a beta version of macOS 11.2 that allowed Apple apps to bypass socket firewalls and virtual private networks. Dubbed the ContentFilterExclusionList, the feature permitted roughly 50 Apple programs to access the Internet without going through the Network Extension Framework, which was established to allow the monitoring and filtering of network traffic. Researchers noted that exploiting the ContentFilterExclusionList is trivial. The second beta version of macOS 11.2 will not include that feature.

Editor's Note

With the increased emphasis on supply chain security, allowing 50 apps to bypass security measures without recourse should raise a red flag. Apple is turning up the security with macOS 11, including deprecating kernel modules to prevent introduction of malfeasance into the highest privileged parts of the OS. Apple also introduced a Network Extension Framework to permit security products to interact with all network-bound traffic. While an exclusion list may be valuable, by default all applications need to follow the security framework, and be excepted only when the user organization accepts that risk, if ever.

Lee Neely

2021-01-13

Stolen COVID-19 Data Leaked

Hackers who stole COVID-19 vaccine and medicine data from the European Medicines Agency (EMA) late last year have posted the information online. Law enforcement authorities are investigating.


2021-01-13

Mimecast Says Hackers Stole Digital Certificate

In a January 12 blog post, email security provider Mimecast says, "Microsoft recently informed us that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services has been compromised by a sophisticated threat actor." The issue affects approximately 10 percent of Mimecast's customer base. Mimecast has asked affected customers "to immediately delete the existing connection within their M365 tenant and re-establish a new certificate-based connection using the new certificate" that Mimecast has made available. Both the methods and the targets of the attack bear similarities to the SolarWinds supply chain attack.

Editor's Note

The certificate stolen is the one that is trusted to create the certificates associated with successful authentication activities. As such, removing the old certificate so it is no longer trusted is required. That requires deleting and recreating the connection rather than just updating a certificate in place.

Lee Neely

2021-01-12

Update Available to Fix Critical Flaw in Orbit Fox by ThemeIsle WordPress Plugin

A critical authenticated privilege elevation flaw in the Orbit Fox by ThemeIsle WordPress plugin could be exploited to take control of vulnerable websites. An update for the plugin is available. It also addresses a medium-severity stored cross-site scripting vulnerability that could be exploited to inject malicious JavaScript into websites. The plugin has been installed on more than 400,000 WordPress sites. Users are urged to update to Orbit Fox by ThemeIsle version 2.10.3.

Editor's Note

Exploiting the vulnerability requires both enabling the creation of registration forms and the Elementor and Beaver Builder plugins. Even if you only have the ThemeIsle plugin, apply the update. Wordfence pushed firewall rules to their free version on December 19th to block attempted exploitation.

Lee Neely

Internet Storm Center Tech Corner

MSFT January 2021 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+January+2021+Patch+Tuesday/26978/


Adobe Patches

https://helpx.adobe.com/security.html


Mimecast Cert Stolen

https://www.mimecast.com/blog/important-update-from-mimecast/


Leaking Silhouettes of Cross-Origin Images

https://blog.mozilla.org/attack-and-defense/2021/01/11/leaking-silhouettes-of-cross-origin-images/


Hancitor Activity Resumes After a Holiday Break

https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/


Intel Hardware-Enabled Ransomware Protections

https://www.cybereason.com/blog/cybereason-and-intel-introduce-hardware-enabled-ransomware-protections-for-businesses


Making Clouds Rain: RCE in Microsoft Office 365

https://srcincite.io/blog/2021/01/12/making-clouds-rain-rce-in-office-365.html


SAP Security Patch Day

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476


Dynamically Analyzing A Heavily Obfuscated Excel 4 Macro Malicious File

https://isc.sans.edu/forums/diary/Dynamically+analyzing+a+heavily+obfuscated+Excel+4+macro+malicious+file/26986/


Odd Filename Corrupts NTFS Disks

https://twitter.com/jonasLyk/status/1347900440000811010


Cisco Vulnerabilities

https://tools.cisco.com/security/center/publicationListing.x