SANS NewsBites

SonicWall VPN Appliance Under Active Attack; Patch WooCommerce Block Now; US Government Takes Steps Against Ransomware But Doesn’t Address MFA

July 16, 2021  |  Volume XXIII - Issue #55

Top of the News


2021-07-15

SonicWall Warns of Active Attacks Against VPN Appliances

SonicWall has issued an urgent security notice warning of active attacks “targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware.”

Editor's Note

These vulnerabilities have been known for months, and have been exploited for months. You will need to decommission these devices or if possible upgrade them to a 9.x or 10.x firmware. Upgrades will likely require a valid subscription. Remember that many security devices will work only if you continue to pay subscription fees.

Johannes Ullrich

Attackers will always focus their efforts on our blind spots. As endpoint protection has evolved dramatically in recent years to provide greater visibility to the desktop, we’ve seen an increase in attacks against security appliances, such as firewalls and VPN concentrators, where endpoint security products can’t be installed. This attack is focused on an SMB product line, but enterprise products from Cisco, Juniper, F5, Palo Alto Networks, and Citrix have had similar issues within the last year. Earlier this week, Microsoft reported attacks against the SolarWinds Serv-U product being launched from compromised home routers. So, this serves as a great reminder that “appliances” should be included in your regular patch and vulnerability management program, and organizations should consider the risk and impact if an employee’s home router is compromised, as well.

Jon Gorenflo

VPNs are still the predominant remote access to the corporate network and remain a critical boundary protection device. As such, you need to keep them secured, patched and current. While implementing MFA, verifying the security and patching them with nominal disruption is tricky enough; you need to add lifecycle replacement to your list. That means you’re going to have to identify and implement the replacement early enough to have the users cut over before the old solution goes out of support. Then you need to retire the old one, as in dispose of it, to avoid the temptation to fall back to an unsupported, no longer secure solution.

Lee Neely

2021-07-15

WooCommerce Releases Fix for Critical Flaw in WooCommerce Block

The developers of the WooCommerce e-commerce platform for WordPress have released updates to address a critical SQL-injection vulnerability that is being actively exploited. The issue affects the WooCommerce Block feature, which is installed on more than 200,000 WordPress sites.

Editor's Note

You MUST patch this vulnerability today. This vulnerability is already being exploited.

Johannes Ullrich

Updates were released to all vulnerable versions, about 90 updates in total. This means you can update to a fixed version without having to worry about compatibility issues. That said, you still need to press forward to get to the latest versions of these plugins if you’re continuing to use them. Note that the Wordfence paid version had two firewall rules to detect and block exploitation as of July 14th and 15th. The free version will get these rules August 13th and 14th.

Lee Neely

2021-07-15

US Government Reveals Measures to Fight Ransomware

The Biden administration has revealed several measures aimed at preventing ransomware attacks. US State Department will pay up to $10 million for information about cyberattacks that target the country’s critical infrastructure and were conducted “at the direction or under the control of a foreign government.” There are also plans to cut ransomware operators off from cryptocurrency, and the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Stop Ransomware website which will serve as a clearinghouse for resources to help businesses and state and local governments protect their networks.

Editor's Note

These are all good things but what is missing here is the most proactive step: the US government driving increased use of multi-factor authentication to replace reusable passwords in government and critical infrastructure applications. President Biden’s Executive Order on cybersecurity did emphasize MFA – the publicity around ransomware should be used to make gains in eliminating reusable passwords before attention moves on.

John Pescatore

The trick is to disrupt the effectiveness of the tactics used with ransomware. A multi-faceted, multi-agency effort is underway to do this and includes task forces and rewards for information on ransomware gangs and even conferences. The StopRansomware.gov web site is set up to deliver information regarding what ransomware is, what to do if compromised, and how to avoid it. Core to avoidance is good cyber hygiene and good user behavior. The site breaks this down into understandable bites and has references from multiple sources to help preparedness. Conduct a ransomware tabletop exercise to see how prepared you really are. Implement any lessons learned, and look at adding this to your annual DR exercise.

Lee Neely

I somehow feel we are still very much in the wild-wild west stages of cybersecurity. Instead of WANTED posters being posted on the frontier cities of the old cowboy days, we have cyber WANTED posters for the international community. It’s a step in the right direction (we are no longer homesteaders on our own having to protect the farm) but we have so much further to go (we need the sheriffs to help enforce international law). I checked out the new CISA ransomware site and love it! The problem we have in the US is that so many organizations are putting out information (CISA, FTC, FBI, NCSA, IRS) that it can be both overwhelming and conflicting for its citizens.

Lance Spitzner

These measures may change the risk/reward of ransomware and reduce the efficiency of the black market. In the meantime, enterprises need to reduce the attack surface and raise the cost of attack. Consider strong authentication, structured networks, and least privilege access control.

William Hugh Murray

Read more in

The Hill: Biden administration stepping up efforts to respond to ransomware attacks

US Dept. of State: Rewards for Justice – Reward Offer for Information on Foreign Malicious Cyber Activity Against U.S. Critical Infrastructure

CISA: Stop Ransomware

Vice: U.S. Government Offers $10 Million for Info on Hackers Targeting Critical Infrastructure

NPR: The White House Announces Additional Steps To Combat Ransomware

Cyberscoop: US government launches plans to cut cybercriminals off from cryptocurrency

Nextgov: Agencies Unveil Plans to Fight Ransomware—Including Paying for Tips

SC Magazine: White House announces $10 million bounty for state sponsored cybercriminals

ZDNet: US State Department offering $10 million reward for state-backed hackers

Dark Reading: State Dept. to Pay Up to $10M for Information on Foreign Cyberattacks

The Rest of the Week's News


2021-07-13

REvil Ransomware Websites Offline

According to multiple researchers, websites related to the REvil ransomware have been taken offline. It is not clear why the sites are unavailable; they have been unreachable since Tuesday, July 13.

Editor's Note

Ransomware gangs need to be careful to attract just the right amount of attention and notoriety. Too little, and victims will not pay as the actor is not yet established as reliable. Too much and law enforcement will take note and pressure ISPs / Registrars to disconnect payment sites even if the individuals themselves are out of reach. It is very possible that REvil is just rebranding or selling assets to a different group.

Johannes Ullrich

As exciting as the prospect is of them being shut down, hold the applause until you see an announcement from law enforcement stating they took them down. Otherwise, expect them to re-emerge, probably from a different locale.

Lee Neely

2021-07-14

CISA: Agencies Must Mitigate PrintNightmare Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive (ED) instructing federal agencies to take action to protect systems from being attacked through the Windows Print Spooler service vulnerability known as PrintNightmare. The ED lists six actions that agencies must complete by Wednesday, July 21.

Editor's Note

All agencies are required to disable print services on AD controllers, apply the patches to all Windows servers and workstations, and then either disable print spoolers or restrict installation of printer drivers to administrators via GPO or registry keys, by July 20th. These are good practices to consider even if you’re not impacted by this directive. Don’t forget to address cloud-based Windows servers or workstations, whether directly or indirectly (third-party) managed.

Lee Neely

2021-07-14

Microsoft Patch Tuesday Includes Fix for PrintNightmare

On Tuesday, July 13, Microsoft released fixes for nearly 120 security issues, including 13 that are rated critical. Four of the flaws are being actively exploited. One of the critical flaws addressed in the updates is the PrintNightmare print spooler vulnerability. Microsoft also fixed a pair of privilege elevation vulnerabilities reportedly exploited by Candiru spyware.

Editor's Note

This update includes fixes for four zero-day flaws, and the official patch for PrintNightmare. Even with this fix, look to restrict print driver installation to administrators only as the CISA ED 21-04 suggests. Don’t lose sight of the other updates released, including fixes for SharePoint and Exchange which deserve special attention due to their exploitability.

Lee Neely

Pro tip: you can gauge the quality of your pentesters with this kind of vulnerability. Yes, they can probably move laterally and escalate privilege, but can they give you viable recommendations that fit your operations model? Do those recommendations apply to just this vuln-of-the-day, or are they generally applicable to your vulnerability management program?

Christopher Elgee

2021-07-15

Microsoft Discloses New Windows Print Spooler Flaw

Microsoft has shared information about a new, as-yet unpatched vulnerability affecting Windows Print Spooler. This vulnerability is separate from the PrintNightmare flaw; it is a local privilege elevation vulnerability that “can only be exploited locally to gain elevated privileges on a device.” The flaw has been given a CVSS score of 7.8.

Editor's Note

The Windows Print Spooler is the gift that keeps on giving. The reason is an architectural choice made many Windows versions ago. Printer drivers are code provided by users, and this code executes as System. This will not be fixable unless you heed Microsoft's advice and disable users’ ability to provide printer drivers. Everything else will just be a bandaid until the architecture is fixed in a future Windows version.

Johannes Ullrich

Vulnerabilities that require device access to exploit do not result in large scale or widespread attacks.

William Hugh Murray
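
The Print Spooler hardening discussed in the three items above (spooler disabled on domain controllers; on other hosts, either the spooler disabled or printer-driver installation restricted to administrators via the Point and Print policy keys) can be audited and applied with a script like the following. This is an added example, not code from SANS, CISA or Microsoft. It assumes it is run elevated on the host being checked; the registry path and the three value names are Microsoft's documented Point and Print policy values, while the function names, parameters and the `-DisableSpooler` switch are this script's own.

```powershell
<#
  Added example (not SANS, CISA or Microsoft code): audit a Windows host
  against the Print Spooler guidance in the notes above and, when
  -Remediate is given, apply it. Report-only by default. Run elevated.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,       # apply fixes; without it the script only reports
    [switch]$DisableSpooler   # on a non-DC, disable the service instead of restricting drivers
)

# Microsoft's documented Point and Print policy key (assumed present only if policy was set).
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-SpoolerPosture {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $pp   = Get-ItemProperty -Path $PointAndPrintKey -ErrorAction SilentlyContinue
    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        IsDomainController            = ($role -in 4, 5)
        SpoolerStatus                 = $status
        SpoolerStartType              = $startType
        RestrictDriverInstallToAdmins = $pp.RestrictDriverInstallationToAdministrators
        NoWarningNoElevationOnInstall = $pp.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $pp.UpdatePromptSettings
    }
}

function Get-SpoolerFindings {
    param([Parameter(Mandatory)] $Posture)
    $findings = @()
    $spoolerOff = ($Posture.SpoolerStartType -eq 'Disabled') -and ($Posture.SpoolerStatus -ne 'Running')
    if ($Posture.IsDomainController -and -not $spoolerOff) {
        $findings += 'Print Spooler is enabled on a domain controller; it must be stopped and disabled.'
    }
    if (-not $spoolerOff) {
        if ($Posture.RestrictDriverInstallToAdmins -ne 1) {
            $findings += 'RestrictDriverInstallationToAdministrators is not 1; non-admin users can install printer drivers.'
        }
        # Either of these set to 1 weakens the protection the July patch adds.
        if ($Posture.NoWarningNoElevationOnInstall -eq 1) {
            $findings += 'NoWarningNoElevationOnInstall is 1; set it to 0.'
        }
        if ($Posture.UpdatePromptSettings -eq 1) {
            $findings += 'UpdatePromptSettings is 1; set it to 0.'
        }
    }
    return $findings
}

function Invoke-SpoolerHardening {
    param([Parameter(Mandatory)] $Posture, [switch]$DisableService)
    if ($Posture.IsDomainController -or $DisableService) {
        # Host does not need to print: stop the service and keep it from starting.
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service  -Name Spooler -StartupType Disabled
        return
    }
    # Host still prints: keep the spooler but limit driver installation to administrators.
    if (-not (Test-Path $PointAndPrintKey)) { New-Item -Path $PointAndPrintKey -Force | Out-Null }
    Set-ItemProperty -Path $PointAndPrintKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
    Set-ItemProperty -Path $PointAndPrintKey -Name UpdatePromptSettings -Value 0 -Type DWord
}

$posture  = Get-SpoolerPosture
$posture | Format-List
$findings = @(Get-SpoolerFindings -Posture $posture)
if ($findings.Count -eq 0) {
    Write-Output 'No Print Spooler findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate) {
        Invoke-SpoolerHardening -Posture $posture -DisableService:$DisableSpooler
        Write-Output 'Remediation applied; re-run without -Remediate to verify.'
    } else {
        Write-Output 'Run again with -Remediate to apply the fixes.'
    }
}
```

The registry route is the per-host equivalent of the GPO setting the note mentions; in a domain the same values are normally pushed through Group Policy, and this script is then useful as the verification step, run without `-Remediate`, to confirm the policy actually landed on each server and workstation, including cloud-hosted ones.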

2021-07-13

Adobe Patch Tuesday

On Tuesday, July 13, Adobe released updates to address 28 security issues affecting Acrobat and Reader, Framemaker, Illustrator, Dimension, and Bridge. 22 of the flaws are rated critical.

Editor's Note

The Acrobat and Reader flaws are a priority 2, as in no active exploit but historically targeted application, while the others are a priority 3 as they are not a historically targeted platform. Even so, the base CVSS scores suggest not sitting on these updates. Typically users need to close these applications before an update can be performed, and with the Microsoft patches queued up, it’d be a good time for a forced reboot to ensure that happens.

Lee Neely

Patching is a necessary but expensive way to achieve software quality. Consider applications in the cloud and thin clients to reduce your cost.

William Hugh Murray

2021-07-14

ICS Patch Tuesday: Siemens and Schneider Electric

Siemens has released 18 security advisories that address nearly 80 vulnerabilities in its products. Schneider Electric has released six advisories that address 25 vulnerabilities in a variety of the company’s products. Among the flaws for which Schneider has released fixes is a critical authentication bypass issue in Schneider Electric Modicon programmable logic controllers (PLCs).

Editor's Note

As other items point out, July will be a busy patching month and IT resources that support OT patching may be consumed dealing with the volume of Microsoft, Adobe and VPN patches. Good idea to review segmentation and monitoring around any Siemens and Schneider device usage.

John Pescatore

2021-07-15

Tools From Spyware Vendor Candiru Exploited Windows Zero-Days (Now Patched)

Citizen Lab and Microsoft report that cyberespionage tools made by an Israeli spyware company have been used by governments to snoop on journalists, politicians, human rights activists and others. Some of the tools exploited vulnerabilities in Windows which were patched earlier this week.

Editor's Note

The Citizen Lab report not only outlines the malware functionality, C&C infrastructure and how to identify it, but also shows the lucrative nature of this sort of offering. Apply the patches, and keep an eye on the IOCs as a well-funded group like this will find other ways to exploit systems.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+July+2021+Patch+Tuesday/27628/


Adobe Patch Tuesday

https://helpx.adobe.com/security/products/acrobat/apsb21-51.html


One way to fail at malspam - give recipients the wrong password

https://isc.sans.edu/forums/diary/One+way+to+fail+at+malspam+give+recipients+the+wrong+password+for+an+encrypted+attachment/27634/


USPS Phishing Kit Reporting Data Back Via Telegram

https://isc.sans.edu/forums/diary/USPS+Phishing+Using+Telegram+to+Collect+Data/27630/


ForgeRock OpenAM Vulnerability

https://backstage.forgerock.com/knowledge/kb/article/a47894244


GMail Supporting BIMI

https://cloud.google.com/blog/products/identity-security/bringing-bimi-to-gmail-in-google-workspace


Firefox Updates

https://www.mozilla.org/en-US/security/advisories/mfsa2021-28/


SAP Netweaver Vulnerabilities

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506


less.js RCE

https://www.softwaresecured.com/exploiting-less-js


Sonicwall Warns of Ransomware

https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/


WooCommerce Flaw Exploited

https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/


KiwiSDR Backdoor

https://www.bleepingcomputer.com/news/security/software-maker-removes-backdoor-giving-root-access-to-radio-devices/