SANS NewsBites

Pegasus Spyware Points Out Mobile Phones Are Vulnerable; DNS Services Can Be a Single Point of Failure; Important Workaround for Mitigating Windows SAM Vulnerability

July 23, 2021  |  Volume XXIII - Issue #57

Top of the News


2021-07-22

Amnesty International Spyware Report

Amnesty International’s Security Lab “has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.” The Forensic Methodology Report also includes a forensic tool to detect the spyware’s presence on mobile devices.

Editor's Note

Great report by Amnesty and a must read for anybody doing IR on mobile devices. Remember that the exploits used may be "high end" now, but they tend to trickle down the food chain. For the rest of us, the lesson to learn is that you absolutely need to keep your mobile devices up to date, and yes, a text message may be used to run arbitrary code on your device.

Johannes Ullrich

iPhones and Android phones have been harder targets to compromise than Windows PCs but this Pegasus use points out they are far from impenetrable. In the SANS 2021 New Threat and Attack report, SANS instructor Heather Mahalik points out many of the key issues and action steps. https://www.sans.org/webcasts/2021-report-top-attacks-threat-report-118445/

John Pescatore

While far from mass surveillance, and while most of the targets were political, some appeared to be targeted for mere celebrity. While such surveillance might not be illegal in all the countries engaged in it, it qualifies as abuse and misuse everywhere. Here it would require a warrant issued by a court based upon probable cause to believe a crime had been committed.

William Hugh Murray

2021-07-22

Akamai DNS Problems Cause Internet Outage

Akamai says that an Edge DNS service problem was to blame for a July 22 Internet outage affecting the availability of numerous major websites, but has not yet detailed the cause of the problem. Akamai has implemented a fix and says the issue was not due to a cyberattack.

Editor's Note

Yet another choke point that can take down large parts of the Internet. Resilience comes from redundancy and diversity. It doesn't help to have multiple servers if they all run the same software and configuration. Luckily Akamai was pretty quick in resolving the issue.

Johannes Ullrich

As the internet moves to more centralized services to localize information to increase performance/access to content, the stability becomes only as good as those services. While Akamai only has 9.6% of the CDN share, they have major players such as Oracle, AWS, Microsoft and AT&T. When engaging these services, have a frank discussion on failure impacts and their mitigations. You will need to define your actions, including customer communications, possibly reimbursement, in the event of an outage.

Lee Neely

Having deep visibility into network traffic can often quickly differentiate between internal or external services having performance issues and issues caused by denial of service or other attacks. Great opportunity for the NOC and the SOC to use common instrumentation and tools to speed detection, resolution and restoration.

John Pescatore

2021-07-22

Microsoft Offers Workaround for Windows 10 Security Accounts Manager Vulnerability

Microsoft has released a workaround for a privilege elevation vulnerability that affects the Windows 10 Security Accounts Manager database. The flaw could be exploited to access data and create new accounts.

Editor's Note

The fix is to restrict access to the system32\config directory and then remove (and recreate) any volume shadow copies (system restore points) to assure the changes in privileges are captured.

Lee Neely

Keep watching Microsoft's KB article for updates. Initially, server versions of Windows were not believed to be vulnerable but the most recent update showed recent server versions as vulnerable.

Johannes Ullrich

Just a reminder that accounts should be periodically reauthorized and reconciled to real people.

William Hugh Murray
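The workaround Lee Neely's note describes (restrict the hive ACLs, then purge and recreate volume shadow copies) is easy to get half right: fixing the ACL alone leaves readable copies of the hives inside existing shadow copies. The script below is an added example, not from the newsletter, Microsoft, or any of the editors. It assumes an elevated PowerShell 5.1 prompt on Windows 10/11, and uses Microsoft's published CVE-2021-36934 commands (`icacls ... /inheritance:e`, `vssadmin delete shadows`) plus Get-Acl for the audit step; the function names and the `-Apply` switch are the example's own.

```powershell
# Added example (not the newsletter's or Microsoft's code): audit a Windows 10/11 host
# for the "Summer of SAM" hive permission problem (CVE-2021-36934) and, with -Apply,
# carry out the workaround: re-enable ACL inheritance on %windir%\System32\config and
# remove the volume shadow copies that still contain readable copies of the hives.
# Run from an elevated prompt. Without -Apply nothing is changed.
[CmdletBinding()]
param(
    [switch]$Apply
)

$configDir = Join-Path $env:windir 'System32\config'
$hiveFiles = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveReadableByUsers {
    # $true when BUILTIN\Users holds an Allow ACE with read access on the hive file.
    # Reading the security descriptor works even though the hive itself is held open
    # by the kernel; this is the same condition "icacls SAM" shows as BUILTIN\Users:(I)(RX).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isUsers = $ace.IdentityReference.Value -eq 'BUILTIN\Users'
        $isAllow = $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
        $canRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($isUsers -and $isAllow -and $canRead) { return $true }
    }
    return $false
}

function Get-ExposedHive {
    # Names of the hive files that ordinary users can read.
    $hiveFiles | Where-Object { Test-HiveReadableByUsers -Path $_ } | Split-Path -Leaf
}

function Get-ShadowCopyCount {
    # Shadow copies (system restore points) preserve older copies of the hives with the
    # permissive ACL, so the ACL fix is incomplete while any of them remain.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$exposed = @(Get-ExposedHive)
$shadows = Get-ShadowCopyCount
Write-Host "Hives readable by BUILTIN\Users : $(if ($exposed) { $exposed -join ', ' } else { 'none' })"
Write-Host "Volume shadow copies present    : $shadows"

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to restrict the ACLs and purge shadow copies.'
    return
}

if ($exposed) {
    # Microsoft's workaround: re-enable inheritance so the hive files pick up the
    # restrictive ACL of the config directory (SYSTEM and Administrators only).
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    Write-Host "icacls exit code: $LASTEXITCODE"
}

if ($shadows -gt 0) {
    # Delete every shadow copy of the system drive, then create a fresh restore point
    # so that rollback is still possible with the corrected ACLs in place.
    # Checkpoint-Computer needs System Restore enabled and is rate limited by Windows.
    & vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
    Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS -ErrorAction Continue
}

$stillExposed = @(Get-ExposedHive)
Write-Host "Remaining exposed hives: $(if ($stillExposed) { $stillExposed -join ', ' } else { 'none' })"
```

Run it once without `-Apply` on a representative machine to see what a vulnerable host reports (typically all three hives plus one or more shadow copies), then with `-Apply`; the final line should report no exposed hives. Keep the audit half as a scheduled check, since Johannes Ullrich's note above points out that Microsoft's list of affected versions was still changing.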

The Rest of the Week's News


2021-07-20

Fortinet Issues Updates to Fix Use After Free Vulnerability in FortiManager and FortiAnalyzer

Fortinet has released updates to fix a serious use after free vulnerability in FortiManager and FortiAnalyzer network management solutions. The flaw can be exploited to allow remote code execution as root if the fgfmsd daemon is enabled. Fortinet has also provided a workaround.

Editor's Note

My usual comment: Don't expose it to the internet if it doesn't need to be exposed. These are not the actual firewall / VPN endpoints but the software used to manage them.

Johannes Ullrich

2021-07-22

Apple Updates for Multiple Products

Apple has released updates for iOS, watchOS, tvOS, iPadOS, and macOS. While the iOS update (iOS 14.7) includes fixes for 37 security issues, it does not fix the zero-click vulnerability in iMessage that can be exploited by Pegasus spyware.

Editor's Note

Probably the most notable fix is the patch for the WiFi SSID format string vulnerability. Initially, this was only considered a DoS issue. But Apple confirmed that this can be used to execute code. On relatively recent iOS versions, this requires the user to join the oddly named WiFi network. But on older versions, this exploit will execute without user interaction.

Johannes Ullrich

While these updates don’t include the patch for Pegasus, there are enough other issues to warrant applying the patches immediately, particularly for iOS and iPadOS as some of the flaws are remotely exploitable. The NSO group, who are behind the Pegasus spyware, are investing heavily in exploits to maintain visibility into mobile devices, which hopefully will drive increases in security options to reduce their attack surfaces.

Lee Neely

2021-07-21

TSA Issues Second Pipeline Security Directive

The Department of Homeland Security’s (DHS’s) Transportation Security Administration (TSA) has issued a second cybersecurity directive for pipelines. While TSA has not released specifics of the directive, the agency notes that the “Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

Editor's Note

Make sure you’ve implemented the required security controls and contingency plan, that you’re monitoring those controls as well as regularly testing your emergency response plan. Consider not only conducting internal design reviews, but also hiring third parties or peer organizations for a reciprocal review to identify any gaps. Expect regulators to audit your activities here.

Lee Neely

2021-07-21

CISA/FBI Security Advisory Details Chinese State Sponsored Cyberattacks Against US Oil and Gas Pipeline Companies

A joint security advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) “provides information on a spearphishing and intrusion campaign conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas (ONG) pipeline companies.” The advisory includes a list of indicators of compromise and suggests mitigations to bolster pipeline security.

Editor's Note

If you were wondering how they operate, the alert outlines how they obtained access and actions you can watch for. The mitigations apply to any sort of OT you’re operating – to include strong spam/email security filters and secure remote access with multi-factor authentication. Make sure you’re really doing the mitigations listed. Your SOC should tell you the IOCs are well known to them; if not, have them not only incorporate them but also make sure they have appropriate threat feeds to stay current.

Lee Neely

2021-07-21

Linux Privilege Elevation Flaw Affects Most Releases

A security flaw affecting the kernel of most Linux distributions could be exploited to gain root privileges. The issue affects all Linux kernel versions that have been released since 2014. The flaw was discovered by researchers at Qualys.

Editor's Note

The exploit uses a 1GB pathname, 5GB of memory and 1 million inodes, and exploitation requires system access. This can be partially mitigated by setting /proc/sys/kernel/unprivileged_userns_clone to 0 and /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent mounting long directories in a user namespace and prevent a user from loading an eBPF program into the kernel. The long term fix will be to apply kernel updates when released. BSD derived kernels (FreeBSD, macOS, etc.) are not vulnerable.

Lee Neely

2021-07-22

Kaseya Obtains REvil Master Decryptor

Kaseya says it has obtained a universal decryption key to help affected customers recover from REvil ransomware. Kaseya was hit with a supply chain attack at the beginning of July that infected more than 1,000 organizations with REvil.

Editor's Note

As REvil has gone off-the-air, Kaseya and their source are the only places you can get a REvil decryption tool. Kaseya has engaged Emsisoft to help all affected customers. Kaseya is actively contacting customers who were impacted.

Lee Neely

What’s fascinating about this story is how the REvil community shut down and went dark before they received any payment. Apparently all the visibility they were getting put them at too much risk, so they ‘virtually fled’. This is good news as it shows we can put enough pressure on these threat actors to change behavior. Now the question is, can we continue to apply even more pressure / deterrence to stop future attacks? As for the decryptor key, remember that recovering data is only half the battle. Infected companies now have to rebuild all their systems to ensure their integrity, so there is a huge amount of work still ahead.

Lance Spitzner

2021-07-22

Saudi Aramco Acknowledges Data Leak

Saudi Aramco says that some of its files were leaked as a result of a breach affecting a third-party contractor, and maintains that its own networks were not breached. Earlier this summer, the attacker demanded $50 million in cryptocurrency to delete the data they stole.


2021-07-20

UK’s Northern Trains Ticket Kiosks Hit by Ransomware

Northern Trains, a publicly owned company that operates railways in the north of England, was hit with a ransomware attack. The attack prompted the company to take its self-service ticket kiosks offline.

Editor's Note

San Francisco’s Bay Area Rapid Transit (BART) suffered a similar ransomware impact back in 2016. Often, risk analysis efforts have a blind spot around kiosk and point of sale systems that generate a lot of revenue or reduce a lot of cost. As the old movie line goes: “Follow the money!”

John Pescatore

2021-07-21

Prison Sentence for Fatal Swatting Attack

A Tennessee man has been sentenced to five years in prison for his role in a swatting attack that resulted in death. Shane Sonderman and co-conspirators repeatedly digitally harassed a man who died of a heart attack after police were called to his home under false pretenses.

Editor's Note

The engagement often starts with an attempt to get credentials or otherwise obtain some desirable cyber account, which, when ignored, the gangs then escalate to various levels, ultimately initiating a sometimes fatal swatting attack. If you find yourself being harassed, contact your local law enforcement to reduce the risks of a fatal engagement.

Lee Neely

Internet Storm Center Tech Corner

Windows Registry Hives Permission Problem

https://isc.sans.edu/forums/diary/Summer+of+SAM+incorrect+permissions+on+Windows+1011+hives/27652/


Microsoft Published Summer of SAM Guidance

https://isc.sans.edu/forums/diary/Summer+of+SAM+Microsoft+Releases+Guidance+for+CVE202136934/27656/


Akamai Outage

https://isc.sans.edu/forums/diary/Lost+in+the+Cloud+Akamai+DNS+Outage/27660/


HP Printer Drivers Allows Privilege Escalation

https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/


Linux Local Privilege Escalation in Filesystem Layer

https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909


FortiManager and FortiAnalyzer Vulnerability

https://www.fortiguard.com/psirt/FG-IR-21-067


Apple Patches Everything

https://support.apple.com/en-us/HT201222


Formbook/XLoader Malware Ported to Mac

https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/


Pulse Secure Backdoors

https://us-cert.cisa.gov/ncas/current-activity/2021/07/21/malware-targeting-pulse-secure-devices


Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpujul2021.html


Kaseya Decryptor Available

https://www.kaseya.com/potential-attack-on-kaseya-vsa/


Jira Data Center and Jira Service Management Data Center Security Advisory

https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html


Forgot password? Taking over user accounts Kaminsky style

https://sec-consult.com/blog/detail/forgot-password-taking-over-user-accounts-kaminsky-style/