SANS NewsBites

Food Processing Company Paid $11M Ransom; Fastly Outage Disrupts Internet; GitHub Expands Token Scanning; Microsoft’s Vulnerability Tuesday is Mostly Privilege Escalation

June 11, 2021  |  Volume XXIII - Issue #46

Top of the News


2021-06-10

JBS Paid $11M Ransom to Prevent Attackers from Leaking Stolen Data

Meat processing company JBS USA acknowledged that it paid $11 million to ransomware operators following an attack late last month. In a media statement, JBS says that most of its facilities were up and running when it paid the ransom, and that the decision to pay was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” According to Security Scorecard, the JBS attack began with reconnaissance in February 2021. The attackers exfiltrated data between March 1 and May 29 and encrypted the JBS environment on June 1.

Editor's Note

Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.

John Pescatore

Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.

Lee Neely
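The note above asks whether you are watching for unusual volumes of outbound traffic. The script below is an added example (not part of the newsletter and not tied to any JBS data) of two simple checks a SOC can run over per-flow byte counts: a spike check, which compares each host's daily outbound volume with a leave-one-out median baseline, and a sustained check, which sums bytes per host and destination over the whole window so that slow, steady exfiltration that never spikes still surfaces. The log layout, the host and address names, and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow-log excerpt (illustrative only): one record per line as
# "<day> <source host> <destination> <bytes out>". laptop12 never spikes but
# sends a steady 2 MB per day; workstation07 sends 900 MB on a single day.
SAMPLE_FLOW_LOG = """
2021-03-01 fileserver01 203.0.113.10 1200000
2021-03-01 workstation07 198.51.100.5 30000
2021-03-01 laptop12 192.0.2.77 2000000
2021-03-02 fileserver01 203.0.113.10 1100000
2021-03-02 workstation07 198.51.100.5 25000
2021-03-02 laptop12 192.0.2.77 2000000
2021-03-03 fileserver01 203.0.113.10 1300000
2021-03-03 workstation07 198.51.100.5 28000
2021-03-03 laptop12 192.0.2.77 2000000
2021-03-04 fileserver01 203.0.113.10 1250000
2021-03-04 workstation07 198.51.100.5 900000000
2021-03-04 laptop12 192.0.2.77 2000000
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flow_log(text):
    """Return a list of (day, host, dst, bytes_out) tuples, skipping blank or
    unparseable lines instead of failing on them."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        day, host, dst, nbytes = m.groups()
        records.append((day, host, dst, int(nbytes)))
    return records


def daily_totals(records):
    """Aggregate outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in records:
        totals[host][day] += nbytes
    return totals


def flag_spikes(totals, factor=10.0, min_days=3):
    """Flag days whose outbound volume exceeds `factor` times the median of the
    host's other days (leave-one-out, so the spike itself does not inflate the
    baseline). Hosts with fewer than `min_days` days of history are skipped."""
    alerts = []
    for host, per_day in totals.items():
        if len(per_day) < min_days:
            continue
        for day, nbytes in sorted(per_day.items()):
            baseline = median(b for d, b in per_day.items() if d != day)
            if baseline > 0 and nbytes > factor * baseline:
                alerts.append((host, day, nbytes, baseline))
    return alerts


def flag_sustained(records, threshold_bytes):
    """Sum bytes per (host, destination) over the whole window and return the
    pairs above `threshold_bytes`. Slow, steady transfers never trip the spike
    check, but they do accumulate."""
    totals = defaultdict(int)
    for _day, host, dst, nbytes in records:
        totals[(host, dst)] += nbytes
    return {k: v for k, v in sorted(totals.items()) if v > threshold_bytes}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for host, day, n, base in flag_spikes(daily_totals(recs)):
        print(f"SPIKE     {host} on {day}: {n:,} bytes vs baseline {base:,}")
    for (host, dst), n in flag_sustained(recs, threshold_bytes=5_000_000).items():
        print(f"SUSTAINED {host} -> {dst}: {n:,} bytes over the window")
```

On the sample data the spike check flags only workstation07, while the sustained check flags both workstation07 and laptop12, whose daily volume looks normal on any single day. Baselines in production should be built over weeks rather than days, and the thresholds tuned per host class, since a file server legitimately moves far more data than a laptop.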

Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because while a successful BEC attack does not shut down infrastructure, ransomware does.

Lance Spitzner

One must have a capability to detect breaches in hours to days. Extortion demands as the first indication of a breach is unacceptable.

William Hugh Murray

2021-06-09

Fastly CDN Outage Knocked Portions of the Internet Offline

On Tuesday, June 8, many major websites experienced a period of unavailability, which was caused by an outage at content delivery network (CDN) Fastly. Fastly says the issue was due to a software bug that “was triggered by a valid customer configuration change” and that the issue was fixed within an hour.

Editor's Note

Promises to do better and not make mistakes in the future don’t carry the weight of a signed SLA for outsourced services. Make sure your SLA includes defined and measurable service delivery levels and corresponding financial penalties. Even though the disruption was detected in under a minute, it took most of an hour to achieve 95% restoration. External dependencies, with interrelated systems can extend recovery time even further. Document your configuration and known dependencies to aid troubleshooting and manage recovery expectations.

Lee Neely

One of the promises of cloud providers is to isolate customers from each other, and to keep one customer's bad configuration from affecting others. While Fastly was quickly able to mitigate the underlying issue, I do not like the statement that the outage was triggered by a customer configuration change. It was triggered by a bug in Fastly's code that allowed a single innocent customer to take down their system.

Johannes Ullrich

Another good lesson about cloud service level agreements. Looks like this was about a maximum of a 3 hour outage, which according to Fastly’s SLAs would mean Gold and Enterprise customers impacted that long (or up to 7 hours) can request and get a 10% credit against their monthly charges. For many businesses, that will not come close to any business disruption costs. Internet connectivity overall has to be thought of just as electricity is thought of – backup plans need to be in place for long outages that may not even trigger any SLA credits, let alone cover disruption costs.

John Pescatore

Careful. Fastly and its customers are "edge" providers. While this failure impacted the "world wide web," the internet, the transport layer, performed as intended.

William Hugh Murray

2021-06-10

GitHub Adds RubyGems and PyPI to its Secret Scanning

GitHub has added PyPI and RubyGems to its secret scanning capabilities. A GitHub blog post notes that “If one of these [package registry credentials] secrets is leaked, rather than compromising one product, it can compromise thousands.” GitHub has been scanning for and revoking secrets, also known as tokens, in users’ code since 2015.
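To show what registry-token scanning looks like at the repository level, here is an added example (not GitHub's scanner and not code from the newsletter) that walks a set of files, matches token-shaped strings for the two registries named above, and reports each hit with a redacted value so the report itself does not re-leak the secret. The two regexes are the example's own assumptions about token shape (PyPI tokens carry a "pypi-" prefix, RubyGems keys a "rubygems_" prefix); the file paths and the tokens inside them are constructed dummies, not real credentials.

```python
import re

# Token shapes assumed by this example (they follow the public prefixes each
# registry uses, but these are the example's own regexes, not GitHub's rules):
#   PyPI API tokens:   "pypi-" followed by a long URL-safe base64 body
#   RubyGems API keys: "rubygems_" followed by 48 hex characters
PATTERNS = {
    "pypi_api_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{50,}"),
    "rubygems_api_key": re.compile(r"\brubygems_[0-9a-f]{48}\b"),
}

# Constructed repository snapshot (path -> contents). The tokens are dummy
# strings built to match the shapes above; they are not real credentials.
SAMPLE_FILES = {
    ".pypirc": "[pypi]\nusername = __token__\npassword = pypi-" + "A" * 64 + "\n",
    "lib/publish.rb": 'API_KEY = "rubygems_' + "0123456789abcdef" * 3 + '"\n',
    "README.md": "CI reads tokens from the secret store; a short word like pypi-short is not one.\n",
}


def redact(secret, keep=6):
    """Show only a prefix and the length, so a findings report never re-leaks the secret."""
    return f"{secret[:keep]}...[{len(secret)} chars]"


def scan_text(path, text):
    """Return one finding per token-shaped match, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(m.group(0)),
                })
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping. In a pre-commit hook the same function can
    be fed the staged contents of each changed file."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['redacted']}")
```

A local scanner like this is a complement to, not a replacement for, the registry-side scanning GitHub performs: the local check stops a token before it is pushed, while the registry-side check revokes tokens that were already published. Either way, a hit means the token must be rotated, not just removed from history.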

Editor's Note

Thanks to GitHub for helping secure the open source ecosystem. With so many projects using GitHub, any change like this will help.

Johannes Ullrich

GitHub has been pretty good over the years at adding bottom-up security features and services, including code testing tools and a well-managed bug bounty program. Looks like Microsoft’s acquisition of GitHub in 2018 did not negatively impact that, which is a good thing. There will not be a single top-down answer to supply chain security in software, any more than there is for the security/safety of the supply chain that runs from restaurants back to farms.

John Pescatore

2021-06-09

Microsoft Patch Tuesday

On Tuesday, June 8, Microsoft issued fixes for 50 security issues. Six of the flaws – privilege elevation vulnerabilities in Microsoft DWM Core Library, Windows NTFS, and Microsoft Enhanced Cryptographic Provider; an information disclosure vulnerability in the Windows Kernel, and a remote code execution vulnerability on Windows MSHTML platform – are being actively exploited.

Editor's Note

This patch Tuesday is probably best characterized as "Mostly Harmless." It contains a number of already exploited vulnerabilities, but for the most part, these are privilege escalation vulnerabilities.

Johannes Ullrich

Patches for 0-days, including those actively exploited, are becoming commonplace. And with current trends, privilege escalation flaws (CVE-2021-31956, CVE-2021-33639, CVE-2021-31201 and CVE-2021-31199) are just as valuable as RCE flaws such as CVE-2021-33742 since they provide more ways for the attacker to elevate privileges once they have an initial foothold. Regrettably, as indicated by the Colonial Pipeline and JBS attacks, the bar for initial entry is not where it needs to be. Judicious updates and application of security baselines are also a component in raising that bar.

Lee Neely

The Rest of the Week's News


2021-06-09

Colonial Pipeline CEO Testifies at Congressional Hearings

Colonial Pipeline CEO Joseph Blount testified before the Senate and House Homeland Security Committees earlier this week. Blount said that Colonial Pipeline did not have a plan in place for dealing with the ransomware attack. He encouraged companies that suffer similar attacks to be transparent about their experiences. Blount was criticized for refusing recovery help from the Cybersecurity and Infrastructure Security Agency (CISA).

Editor's Note

Remember the “For Want of a Nail” proverb. Could you be undone by the use of a compromised password? Do you have remote access which requires only a reusable password? Did you really decommission old insecure access methods or were they left enabled “just in case?” The complexity and pace of a modern enterprise stresses the ability to pay attention to all the details, and with the current ROI on hacking, it is more critical than ever to do so. Encourage your analysts to automate themselves out of a job, meaning to automate repetitive and mundane tasks so they have the bandwidth to keep up with the changes and growth of adopted technology. Participate in their implementation to make sure you have visibility and relationships established up front.

Lee Neely

2021-06-08

More Updates: Adobe and Intel

On Tuesday, June 8, Adobe released updates to address more than 40 security issues in Acrobat, Reader, Photoshop, Experience Manager, After Effects and other applications. On the same day, Intel released 29 security advisories to address nearly 80 vulnerabilities in a variety of products.

Editor's Note

Adobe's Acrobat and Reader updates need to be applied quickly. For Intel, the tricky part is BIOS updates. For some of them, you may need to wait for OEM patches instead of applying Intel's patches directly.

Johannes Ullrich

We’re not catching a break this month. Adobe Creative Cloud, which can drive the updates to their other products on endpoints, itself needs updating and should do so automatically. The affected applications will not apply updates until they are quit and relaunched. As this month’s Microsoft and Apple OS patches require reboots, leverage that by forcing the reboot immediately or via a maximum timeout.

Lee Neely

Patching continues to be an expensive and inefficient way to achieve quality. At best, it is only marginally effective.

William Hugh Murray

2021-06-08

IoT Message Broker Vulnerabilities

Researchers at the Synopsys Cybersecurity Research Center have found denial-of-service vulnerabilities in three open-source IoT message brokers, RabbitMQ, EMQ X, and VerneMQ. All three flaws involve Message Queuing Telemetry Transport (MQTT) protocol client input handling and can be exploited with a malicious MQTT message. The vulnerabilities were disclosed to project maintainers in March and all three have released fixes. Users should update to RabbitMQ version 3.8.16 or later; EMQ X to version 4.2.8 or later; and VerneMQ version 1.12.0 or later.
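The advisory above attributes all three denial-of-service flaws to MQTT client input handling, but this page does not describe the individual defects. As a generic illustration of the kind of input validation a broker needs at the very first step, here is an added example (not code from RabbitMQ, EMQ X, VerneMQ or Synopsys) that decodes the MQTT fixed header defensively: the variable-length "remaining length" field is limited to the four bytes the protocol allows, the declared body size is checked against a broker-side cap before anything is allocated, and the bytes actually present are checked against the declared size. The cap value, the `check_packet` helper and the packet-type table are the example's own choices.

```python
MAX_REMAINING_LENGTH = 268_435_455   # 0xFF 0xFF 0xFF 0x7F: the protocol's 4-byte ceiling
DEFAULT_MAX_PACKET = 1024 * 1024     # hypothetical per-broker cap on accepted packet size

# Control packet types from the MQTT fixed header's high nibble (subset).
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
                9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


class MalformedPacket(ValueError):
    """Raised for input a broker must reject rather than trust."""


def decode_remaining_length(buf, offset):
    """Decode MQTT's variable byte integer (7 data bits per byte, low bits first,
    high bit = continuation) starting at buf[offset]. Returns (value, bytes used).
    Rejects truncation and more than four length bytes, which the spec forbids."""
    value, multiplier, used = 0, 1, 0
    while True:
        if offset + used >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[offset + used]
        used += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, used
        if used == 4:
            raise MalformedPacket("remaining length longer than 4 bytes")
        multiplier *= 128


def encode_remaining_length(n):
    """Inverse of decode_remaining_length, used here to build well-formed samples."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("value outside MQTT remaining-length range")
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        if n:
            digit |= 0x80            # more length bytes follow
        out.append(digit)
        if not n:
            return bytes(out)


def parse_fixed_header(buf, max_packet=DEFAULT_MAX_PACKET):
    """Validate the fixed header and return the packet type, flags and body.
    The declared length is checked against the broker cap before any
    allocation, and then against the bytes actually present."""
    if len(buf) < 2:
        raise MalformedPacket("packet shorter than minimal fixed header")
    packet_type, flags = buf[0] >> 4, buf[0] & 0x0F
    if packet_type == 0:
        raise MalformedPacket("reserved packet type 0")
    remaining, used = decode_remaining_length(buf, 1)
    if remaining > max_packet:
        raise MalformedPacket(f"declared length {remaining} exceeds cap {max_packet}")
    start = 1 + used
    if len(buf) - start < remaining:
        raise MalformedPacket("body shorter than declared length")
    return {"type": PACKET_TYPES.get(packet_type, str(packet_type)),
            "flags": flags, "remaining": remaining,
            "body": buf[start:start + remaining]}


def check_packet(buf, max_packet=DEFAULT_MAX_PACKET):
    """Convenience wrapper: ('ok', header) or ('reject', reason)."""
    try:
        return "ok", parse_fixed_header(buf, max_packet)
    except MalformedPacket as e:
        return "reject", str(e)


if __name__ == "__main__":
    # Constructed samples: a tiny PUBLISH, an over-long length field, and a
    # packet that declares far more data than the cap allows.
    samples = [
        bytes([0x30]) + encode_remaining_length(4) + b"\x00\x02ab",
        bytes([0x30]) + b"\xff\xff\xff\xff\x7f",
        bytes([0x30]) + encode_remaining_length(50_000_000),
    ]
    for s in samples:
        print(s.hex(), "->", check_packet(s))
```

The point of the cap is that a length field is an untrusted claim by the client; a broker that sizes buffers or loops from it without a ceiling hands the client control over its memory use. A streaming broker would treat "body shorter than declared" as "wait for more bytes" up to that same cap rather than as an immediate reject.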


2021-06-10

Chrome Update Includes Fix for Actively Exploited Flaw

Google has updated its Chrome browser to version 91.0.4472.101 on the stable channel for Windows, Mac, and Linux. The update addresses 14 security issues, including a type confusion vulnerability in the open-source V8 JavaScript engine that is being actively exploited.

Editor's Note

Chromium browsers are not far behind. The group which developed the exploit for CVE-2021-30544 also developed the exploit for MSHTML (CVE-2021-33742), making it prudent to update Chrome and Chromium browsers expeditiously. Where possible, push the updates rather than waiting on user action.

Lee Neely

Google Chrome vulnerabilities are becoming common entry points for more targeted attacks. This vulnerability is already being exploited; expect more soon. The easiest way to improve your chances of having an up-to-date Google Chrome is to exit it once a day and restart it. With all the time we spend using web browsers, they are often just left running which may prevent updates from being applied. Restarting your browser is like rebooting your operating system after applying a patch.

Johannes Ullrich

It is really time that more vendors start to push out software with security fixes when the fixes are ready and proven stable and IT groups update configuration management processes away from the antiquated “wait for Vulnerability Tuesday” (or worse for servers) to patch everything at once.

John Pescatore

2021-06-10

Vulnerabilities in Rockwell Automation ISaGRAF5

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning of multiple vulnerabilities in Rockwell Automation ISaGRAF5 Runtime. The flaws could be exploited to execute code remotely, disclose information, or cause denial-of-service conditions. The issues affect products from Schneider Electric and GE, which have taken steps to mitigate the issues; other vendors’ products may be affected as well.

Editor's Note

Storing a credential in the clear in a configuration file that you read without verification isn’t something we can afford to do anymore, no matter that it was easy and how well it worked. Apply the updates to ISaGRAF Runtime, restrict access to the ICS, particularly TCP ports 1131 and 1132, and restrict access to the Runtime’s folder.

Lee Neely

2021-06-09

CISA Fact Sheet on Ransomware Threat to Operational Technology

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a fact sheet on the increased threat of ransomware to operational technology (OT) assets and control systems. CISA urges “critical infrastructure asset owners and operators [to] adopt a heightened state of awareness and voluntarily implement recommendations” that include identifying critical processes; implementing network segmentation between IT and OT networks; and developing and testing “workarounds or manual controls to ensure that critical processes – and the industrial control system (ICS) networks supporting them – can be isolated and continue operating without access to IT networks."


2021-06-09

Ransomware Hits Community College in Iowa

The Des Moines (Iowa) Area Community College (DMACC) cancelled all classes for four days after its network was hit with a cyberattack. DMACC has asked students, faculty, and staff not to use Microsoft Office 365 or Blackboard. As of Thursday, June 10, classes with in-person components are being held at their regular times. Virtual classes have not yet resumed.


2021-06-10

NY State Senate Passes Right to Repair Bill

New York’s State Senate has passed the Digital Fair Repair Act, a bill that would allow consumers to repair their own electronic devices. The New York State Assembly has not yet passed its version of the bill.

Editor's Note

The "Right to Repair" does have significant impact on security. Locked down devices are too often left vulnerable after vendors abandon support for them and customers are left with costly replacements as their only option.

Johannes Ullrich

As more states consider the user’s right to repair, it opens options for users to more affordably maintain their own equipment and small businesses to enter the space. This is a good time to review your acceptance of risks for employees having their issued systems repaired. Consider the risks of OEM versus after-market components as well as data protection requirements irrespective of who, how or where the work is done.

Lee Neely

In our space, the impact of state legislation may extend way beyond the boundaries of the state. Congress has the responsibility and authority to regulate interstate commerce. State initiatives such as this occur when Congress fails. As with most legislation, “the devil is in the details.” Drafting legislation that accomplishes its goal while avoiding unintended consequences is difficult.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+June+2021+Patch+Tuesday/27506/


Architecture, Compilers and Black Magic

https://isc.sans.edu/forums/diary/Architecture+compilers+and+black+magic+or+what+else+affects+the+ability+of+AVs+to+detect+malicious+files/27510/


Are Cookie Banners a Waste of Time or a Complete Waste of Time?

https://isc.sans.edu/forums/diary/Are+Cookie+Banners+a+Waste+of+Time+or+a+Complete+Waste+of+Time/27436/


PuzzleMaker Attacks With Chrome Zero-Day Exploit Chain

https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/


Intel Patches

https://www.intel.com/content/www/us/en/security-center/default.html


Adobe Updates

https://helpx.adobe.com/security.html


Let's Encrypt and CentOS 7

https://blog.devgenius.io/lets-encrypt-change-affects-openssl-1-0-x-and-centos-7-49bd66016af3


ALPACA TLS Attack

https://alpaca-attack.com/ALPACA.pdf


Google Chrome Update

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html


Citrix Application Delivery Controller Vulnerability

https://support.citrix.com/article/CTX297155


VoIP Monitor GUI XSS

https://www.rtcsec.com/post/2021/06/abusing-sip-for-cross-site-scripting-most-definitely/


Denial of Service Vulnerabilities in RabbitMQ, EMQ X, and VerneMQ

https://www.synopsys.com/blogs/software-security/cyrc-advisory-rabbitmq-emqx-vernemq/