SANS NewsBites

Patch Available for Critical Polkit Vulnerability; Security Services Firm COO Charged With Attacking Customer Devices; Remote Access Trojan Uses SEO Poisoning to Spread

June 15, 2021  |  Volume XXIII - Issue #47

Top of the News


2021-06-11

Linux Polkit Privilege Vulnerability Can be Exploited to Get Root Shell

A fix is available for a privilege elevation vulnerability in the polkit system service that is installed by default on many Linux systems. The flaw was introduced in a commit seven years ago, shipping with polkit v. 0.113. The researcher who discovered the flaw says it “is surprisingly easy to exploit.” The fix was released on June 3, 2021.

Editor's Note

Check your Linux distributions for applicability; this applies to RHEL 8, Fedora 21 (or later), Debian “Bullseye,” and Ubuntu 20.04 among others. Think of Polkit as an alternative to sudo, where some commands require explicit permission and others are simply executed. Exploiting the weakness, which uses simple commands, requires interrupting the command at the right point to trigger the vulnerable code. The mitigation is to patch the affected systems now, particularly on any internet-facing Linux systems.

Lee Neely

systemd is further confirming its reputation as a security nightmare. But remember that Polkit replaces sudo, which in itself has had a spotty history. It isn't easy to allow for the flexible assignment of elevated privileges. Update as your Linux distribution makes updates available.

Johannes Ullrich

2021-06-11

Cybersecurity COO Charged in Connection with Georgia Medical Center Cyberattack

The US Department of Justice (DoJ) has charged Vikas Singla with multiple counts of intentional damage to a protected computer and a single count of obtaining information by computer from a protected computer. The indictment alleges that in 2018, Singla launched a cyberattack against Gwinnett Medical Center, which is now known as Northside Hospital System. The attack allegedly involved disruption of the facility’s phone system and printer network and the theft of information from a digitizing device. Singla is the chief operating officer (COO) and co-founder of Securolytics, a network security company that specializes in the health care sector.

Editor's Note

This is a tough one – Securolytics has been around for 5 years and has some very high profile/experienced and local investors. Good reminder that whenever any third party is given access to networks or systems, those credentials and passwords should be removed at the end of the engagement – no matter how trusted the 3rd party. Also points out that any “Thing” with an IP address is a potential compromise point.

John Pescatore

This appears to be a case of insider threat from a third-party service provider. Not only do you need to worry about your own insider threat, but you also need to make sure that you know what access you’re providing your third-party providers, and understand how they are vetting their staff to address insider threats. Make sure your credential management extends to any credentials used by the service provider. Lastly, make sure your contract includes sufficient recourse if anything goes wrong, keeping in mind the sensitivity of data shared, which may include sensitive network topology and system information. Make sure contract termination processes are documented and processes followed to not leave any outdated access paths.

Lee Neely

2021-06-14

SolarMarker RAT Spreading Through SEO Poisoning

SolarMarker is a remote access trojan (RAT) that steals data and access credentials. Microsoft says that attackers trying to spread SolarMarker have been using PDF documents loaded with search engine optimization keywords to try to trick users into visiting malicious websites.

Editor's Note

These documents, which masquerade as legitimate documents users may otherwise be looking for, are hard to have users not open. Even so, users can be made aware of the technique and trained to use caution when a document is prompting them to load more documents for the information requested. Endpoint protections, to include filtering of malicious sites, are key to preventing this sort of attack.

Lee Neely

Understanding the distribution vector for malicious code may be more useful in resisting it than knowing its capabilities.

William Hugh Murray

The Rest of the Week's News


2021-06-14

Dept. of Energy Subcontractor Sol Oriens Acknowledges Cybersecurity Incident

A US Department of Energy (DoE) subcontractor has acknowledged that its “network environment” was hit with a cyberattack. Albuquerque, New Mexico-based Sol Oriens says that it became aware of the incident last month and that the attackers managed to steal some documents; the company told Fedscoop that they have brought in a cyber forensics company to investigate the breach. Sol Oriens works with DoE’s National Nuclear Security Administration.

Editor's Note

If Sol Oriens had classified or critical security information, that would have been stored and processed on isolated networks and not reachable in this attack. The contract from NNSA would have stringent data protection and handling restrictions as well. Ask how you’re protecting your most sensitive information from this sort of attack. DOE offers a cyber security test called the “Cybersecurity Capability Maturity Model (C2M2),” which energy sector organizations can use to assess the security of their networks. (https://www.energy.gov/ceser/energy-security/cybersecurity-capability-maturity-model-c2m2-program) If you’re not in the energy sector, look at the guidance documents to see where you can better assess your security posture, then make improvements.

Lee Neely

Peer connection between one's network and those of contractors might expand both the attack surface and the population of potential attackers. Consider zero trust, next generation firewalls, and strong authentication (at least two kinds of evidence, at least one of which is resistant to replay, e.g. one time passwords).

John Pescatore

2021-06-15

Australian Signals Directorate Wants Critical Infrastructure Providers to Share Cyber Incident Information

An unnamed but well-known company in Australia refused the help from the Australian Signals Directorate (ASD) after the company’s network was hit with a cyberattack. For nearly two weeks, the company rebuffed ASD’s offers of assistance, and even then, they accepted only generic advice. Three months later, the company experienced another cyberattack. ASD director-general Rachel Noble said that this incident underscores the need for increased authority for ASD “to expect these critical infrastructure providers to actually have better cybersecurity standards in the first place.”

Editor's Note

ASD is known for their cyber expertise, detection and response capability. And while it is tempting to reject an offer of help from “the government,” that help can really augment your response capabilities. If you do accept help, participate fully, leverage all the resources that can be brought to the table. Assess relevant government agencies, such as ASD and CISA ahead of time, to both understand what they have to offer and build a relationship before you need one.

Lee Neely

2021-06-14

Shadow Figment: A Honeypot for Critical Infrastructure Attackers

The US Department of Energy’s (DoE’s) Pacific Northwest National Laboratory (PNNL) has developed what is essentially a honeypot designed to attract hackers intent on disrupting elements of critical infrastructure networks. Dubbed Shadow Figment, “the technology uses artificial intelligence to deploy elaborate deception to keep attackers engaged in a pretend world—the figment—that mirrors the real world. The decoy interacts with users in real time, responding in realistic ways to commands.”

Editor's Note

This is part of PNNL’s overall PACiFiC (Proactive Adaptive Cybersecurity for Control) approach to protecting operational technology (control systems) from attack. The effort is addressing Situational Awareness, Analytics, Decision Support and Defense. Defense includes deception with the intent of discovering hackers’ activities early on. While honeypots are not new, the technology leveraged here uses “model-driven dynamic deception” which is much more realistic than a static decoy. The model is intended to behave as the genuine control system would, making it harder for the attacker to discover the ruse.

Lee Neely

Honeypots / deception are useful in two primary ways. For most organizations, they can greatly simplify detection; anything that interacts with them is by definition suspicious. However, when dealing with more interactive / advanced threats, honeypots / deception can be a powerful way to turn the tables, in both collecting good information (intel) and putting out bad information. DoE / PNNL is the perfect organization to lead an effort like this, and a powerful way to take the offensive against our scariest threats.

Lance Spitzner

2021-06-11

House Oversight Committee Asks JBS for Documentation of Decision to Pay Ransom

The US House Oversight and Reform Committee wants to know JBS USA CEO Andre Nogueira’s reasons for paying $11 million to ransomware operators. In a letter, committee chair Rep. Carolyn Maloney (D-New York) “request[s] documents related to JBS Foods USA’s recent decision to pay a $11 million ransom” be submitted to the Oversight and Reform Committee by June 24.

Editor's Note

While congress is paying more attention to ransomware attacks and why payments are made, you need to focus on your cyber security posture. Make sure that you’re ready for such an attack; verify training, detection, and response capabilities are where they need to be. Conduct tabletop exercises to make sure not only that responses are known, including fail-over options for offline systems, but also that any external services or responders needed are current, relevant, and still able to help.

Lee Neely

It’s easy for government to say, “Don’t pay,” but when organizations are unable to operate, and the impact cripples both the company and their community, there may be few options. I would love to see our government spend less time on the “pay / don’t pay” discussion and focus more on inflicting pain / repercussions on those leading the attacks.

Lance Spitzner

The decision to pay extortion is a business decision and the responsibility of the enterprise. It should be made in advance of a demand, as part of a documented response plan. The decision should take into account the fact that it funds a criminal economy and raises the risk to the community. Providing a safe environment in which to do business is the responsibility of government. Needless to say, government will resist contributions to the criminal economy.

William Hugh Murray

2021-06-14

Codecov Retiring Bash Uploader Used in Attacks

Codecov is retiring the Bash script uploader that was compromised and used in supply chain attacks earlier this year. Codecov is replacing it with a NodeJS-based uploader. According to a Codecov blog post, the new uploader “is shipped as a static binary executable on the Windows, Linux, Alpine Linux, and macOS operating systems.” It is currently in beta.

Editor's Note

Not sure if the move to NodeJS fixes any actual security issues. It may actually make things more complex to secure going forward. The move may be more related to keeping the code base maintainable by current developers.

Johannes Ullrich

2021-06-14

The Top 20 Secure PLC Coding Practices Project

The Programmable Logic Controller (PLC) Security Top 20 List is scheduled to be released on Tuesday, June 15. The list will be hosted by the International Society of Automation (ISA) Global Security Alliance.

Editor's Note

SANS has demonstrated that such lists can be helpful and effective in improving quality and reducing risk. However, “20” is a long list and ordering is important. An ordered list should end in “other.”

William Hugh Murray

2021-06-11

Unpatched Vulnerabilities in Akkadian Provisioning Manager

Three high-severity security flaws in the Akkadian Provisioning Manager could be exploited collectively to allow remote code execution with elevated privileges. The vulnerabilities were discovered by researchers at Rapid7. The flaws – use of hard-coded credentials; improper neutralization of special elements used in an OS command; and exposure of sensitive information to an unauthorized actor – are present in version 4.50.18 of the Akkadian platform. There are currently no patches for the vulnerabilities.

Editor's Note

Include sweeping for passwords in configuration files to your CI/CD process. Make sure they are not stored in your software repositories and they don’t get needlessly pushed to production. Require passwords to be set on deployment; don’t provide defaults which are either unlikely to be changed or can be used with a default deployment to exploit weaknesses.

Lee Neely
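The note above recommends sweeping configuration files for hard-coded passwords as part of CI/CD. The following is an added example, not code from the newsletter or from any vendor mentioned in it, of a minimal CI gate that flags credential keys assigned a literal value while allowing environment-variable references and deployment-time placeholders; the key names, file suffixes and sample config are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# Credential-looking keys, bare or quoted, in INI/.env/YAML/JSON style "key = value" or "key: value".
CREDENTIAL_LINE = re.compile(
    r'^\s*["\']?(?P<key>[\w.-]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.-]*)'
    r'["\']?\s*[:=]\s*(?P<value>.+?)\s*$',
    re.IGNORECASE,
)
# Values that defer the secret to deployment: env-var references, templating tags, or empty.
PLACEHOLDER = re.compile(r'^(?:\$\{?\w+\}?|<[^>]+>|\{\{.*\}\}|)$')

def find_hardcoded_credentials(text: str, path: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, key) for every credential key that is assigned a literal value."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_LINE.match(line)
        if not m:
            continue
        value = m.group("value").rstrip(",").strip("\"'")
        if PLACEHOLDER.match(value):
            continue  # resolved from the environment or a template at deploy time: allowed
        findings.append((path, line_no, m.group("key")))
    return findings

CONFIG_SUFFIXES = {".conf", ".ini", ".env", ".yml", ".yaml", ".json", ".properties"}

def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk a checkout and collect findings from every config-like file (assumed suffix list)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in CONFIG_SUFFIXES:
            findings.extend(find_hardcoded_credentials(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample config for the example; not taken from any real product.
SAMPLE_CONFIG = """\
[database]
host = db.internal
password = Summer2021!
api_key = "${APP_API_KEY}"
admin_token: <set-at-deploy>
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_hardcoded_credentials(SAMPLE_CONFIG, "sample.ini")
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: literal value assigned to '{key}'")
    sys.exit(1 if hits else 0)  # non-zero exit fails the pipeline stage
```

Run it with the repository root as the first argument from a CI step; only the `password = Summer2021!` line in the sample is reported, since the other two credential keys reference an environment variable and a deployment placeholder.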

2021-06-11

Avaddon Ransomware Group Closes Up Shop, Sends Decryption Keys to BleepingComputer

The ransomware operators behind the Avaddon ransomware claim to have shut down operations and have turned over all decryption keys to BleepingComputer.com. The Avaddon group has recently been contacting victims and pressuring them to pay the demanded ransom, but has been accepting victims’ counteroffers without further negotiation.

Internet Storm Center Tech Corner

EoL SonicWall SRA 4600 VPN Gateways Exploited in Current Attacks

https://isc.sans.edu/forums/diary/Sonicwall+SRA+4600+Targeted+By+an+Old+Vulnerability/27518/


Older Fortinet Vulnerability Still Exploited

https://isc.sans.edu/forums/diary/Fortinet+Targeted+for+Unpatched+SSL+VPN+Discovery+Activity/27520/


PrivacyMic: Utilizing Inaudible Frequencies for Privacy Preserving Daily Activity Recognition

https://news.umich.edu/privacymic-for-a-smart-speaker-that-doesnt-eavesdrop/


Linux Vulnerability in polkit

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/


Apple iOS 12.5.4 Security Update

https://support.apple.com/en-us/HT212548


NIST.gov DNS Issues

https://puck.nether.net/pipermail/outages/2021-June/013670.html


Akkadian Provisioning Manager Multiple Vulnerabilities

https://www.rapid7.com/blog/post/2021/06/08/akkadian-provisioning-manager-multiple-vulnerabilities-disclosure/


Bypassing MFA in Exchange Online

https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/