Pegasus Spyware Points Out Mobile Phones Are Vulnerable; DNS Services Can Be a Single Point of Failure; Important Workaround for Mitigating Windows SAM Vulnerability

Great report by Amnesty and a must read for anybody doing IR on mobile devices. Remember that the exploits used may be "high end" now, but they tend to trickle down the food chain. For the rest of us, the lesson to learn is that you absolutely need to keep your mobile devices up to date, and yes, a text message may be used to run arbitrary code on your device.

Johannes Ullrich

iPhones and Android phones have been harder targets to compromise than Windows PCs but this Pegasus use points out they are far from impenetrable. In the SANS 2021 New Threat and Attack report, SANS instructor Heather Mahalik points out many of the key issues and action steps. https://www.sans.org/webcasts/2021-report-top-attacks-threat-report-118445/

John Pescatore

While far from mass surveillance, and while most of the targets were political, some appeared to be targeted for mere celebrity. While such surveillance might not be illegal in all the countries engaged in it, it qualifies as abuse and misuse everywhere. Here it would require a warrant issued by a court based upon probable cause to believe a crime.

William Hugh Murray

Yet another choke point that can take down large parts of the Internet. Resilience comes from redundancy and diversity. It doesn't help to have multiple servers if they all run the same software and configuration. Luckily Akamai was pretty quick in resolving the issue.

Johannes Ullrich

As the internet moves to more centralized services to localize information to increase performance/access to content, the stability becomes only as good as those services. While Akamai only has 9.6% of the CDN share, they have major players such as Oracle, AWS, Microsoft and AT&T. When engaging these services, have a frank discussion on failure impacts and their mitigations. You will need to define your actions, including customer communications, possibly reimbursement, in the event of an outage.

Lee Neely

Having deep visibility into network traffic can often quickly differentiate between internal or external services having performance and issues caused by denial of service or other attacks. Great opportunity for the NOC and the SOC to use common instrumentation and tools to speed detection, resolution and restoration.

John Pescatore

The fix is to restrict access to the system32\config directory and then remove (and recreate) any volume shadow copies (system restore points) to assure the changes in privileges are captured.

Lee Neely

Keep watching Microsoft's KB article for updates. Initially, server versions of Windows were not believed to be vulnerable but the most recent update showed recent server versions as vulnerable.

Johannes Ullrich

Just a reminder that accounts should be periodically reauthorized and reconciled to real people.

William Hugh Murray

My usual comment: Don't expose it to the internet if it doesn't need to be exposed. These are not the actual firewall / VPN endpoints but the software used to manage them.

Johannes Ullrich

Probably the most notable fix is the patch for the WiFi SSID format string vulnerability. Initially, this was only considered a DoS issue. But Apple confirmed that this can be used to execute code. On relatively recent iOS versions, this requires the user to join the oddly named WiFi network. But on older versions, this exploit will execute without user interaction.

Johannes Ullrich

While these updates don’t include the patch for Pegasus, there are enough other issues to warrant applying the patches immediately, particularly for iOS and iPadOS as some of the flaws are remotely exploitable. The NSO group, who are behind the Pegasus spyware, are investing heavily in exploits to maintain visibility into mobile devices, which hopefully will drive increases in security options to reduce their attack surfaces.

Lee Neely

Make sure you’ve implemented the required security controls and contingency plan, that you’re monitoring those controls as well as regularly testing your emergency response plan. Consider not only conducting internal design reviews, but also hiring third parties or peer organizations for a reciprocal review to identify any gaps. Expect regulators to audit your activities here.

Lee Neely

If you were wondering how they operate, the alert outlines how they obtained access and actions you can watch for. The mitigations apply to any sort of OT you’re operating – to include strong spam/email security filters and secure remote access with multi-factor authentication. Make sure you’re really doing the mitigations listed. Your SOC should tell you the IOCs are well known to them; if not, have them not only incorporate them but also make sure they have appropriate threat feeds to stay current.

Lee Neely

The exploit uses a 1GB pathname, 5GB of memory, uses 1 million inodes and exploitation requires system access. This can be partially mitigated by setting /proc/sys/kernel/unprivileged_userns_clone to 0 and /proc/sys/kernel/unprivileged_bpf_disabled to 1 to prevent mounting long directories in a user namespace and prevent a user from loading a eBPF program into the kernel. The long term fix will be to apply kernel updates when released. BSD derived kernels (FreeBSD, macOS, etc.) are not vulnerable.

Lee Neely

As REvil has gone off-the-air, Kaseya and their source are the only places you can get a REvil decryption tool. Kaseya has engaged Emsisoft to help all affected customers. Kaseya is actively contacting customers who were impacted.

Lee Neely

What’s fascinating about this story is how the REvil community shut down and went dark before they received any payment. Apparently all the visibility they were getting put them at too much risk, so they ‘virtually fled’. This is good news as it shows we can put enough pressure on these threat actors to change behavior. Now the question is, can we continue to apply even more pressure / deterrence to stop future attacks? As for the decryptor key, remember that recovering data is only half the battle. Infected companies now have to rebuild all their systems to ensure their integrity, so there is a huge amount of work still ahead.

Lance Spitzner

San Francisco’s Bay Area Rapid Transit (BART) suffered a similar ransomware impact back in 2016. Often, risk analysis efforts have a blind spot around kiosk and point of sale systems that generate a lot of revenue or reduce a lot of cost. As the old movie line goes: “Follow the money!”

John Pescatore

The engagement often starts with an attempt to get credentials or otherwise obtain some desirable cyber account, which when ignored the gangs then escalate to various levels, ultimately initiating a sometimes fatal swatting attack. If you find yourself being harassed contact your local law enforcement to reduce the risks of a fatal engagement.

Lee Neely