SANS NewsBites

Disable NTLM Authentication on Domain Controllers; No More Ransomware Project Effective in Reducing Ransomware Risk; Patch Your Apple Products Again to Avoid Arbitrary Code Attacks

July 27, 2021  |  Volume XXIII - Issue #58

Top of the News


2021-07-26

Mitigations for PetitPotam Windows NTLM Relay Attack

Microsoft has released mitigations to help users protect systems from the PetitPotam Windows NT LAN Manager (NTLM) relay attack that could make Windows systems reveal password hashes. Microsoft’s recommended mitigation is to disable NTLM authentication on Windows domain controllers.

Editor's Note

These last few weeks have provided attackers with a number of interesting new opportunities for lateral movement. PrintNightmare, Summer of SAM, and now PetitPotam are all very applicable and it will likely take months (years?) to completely patch or mitigate them. One more reason to up your detection game for these exploits. Make sure you have relevant indicators covered.

Johannes Ullrich

PetitPotam affects Windows Server 2008 through 2019. If you cannot disable NTLM, then make sure you’re either using signing features such as SMB signing or Extended Protection for Authentication (EPA). Also make sure your Active Directory Certificate Services (AD CS) servers are configured to protect against NTLM relay attacks. See Microsoft KB5005413 for mitigations.

Lee Neely

The guidance from Microsoft is not new but being highlighted because of a new attack method. Most technology cannot be deployed as is; investment in people and process is required to ensure proper configurations. Same is true with security solutions; people need to follow a process to tune, detect, and respond to attacks.

Jorge Orchilles
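As an added example (not code from the newsletter, from Microsoft, or from any of the editors quoted above), here is a read-only PowerShell audit of the mitigations this item and the notes discuss: the NTLM restriction policy, SMB signing, and EPA on the AD CS web enrollment site. It is meant to be run elevated on a domain controller or AD CS server. The registry values are the standard Windows policy locations; the IIS path of the CertSrv application and the thresholds it treats as acceptable are assumptions to check against KB5005413.

```powershell
# Added example: read-only posture check for the NTLM relay mitigations above.
# Assumptions: run elevated on Windows Server; the AD CS web enrollment app lives
# at 'IIS:\Sites\Default Web Site\CertSrv' (adjust if yours differs). Nothing is changed.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy has never been configured
}

function Get-NtlmRelayPosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

    # LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLMv1
    $lmLevel  = Get-RegistryValueOrNull $lsa 'LmCompatibilityLevel'
    # RestrictReceivingNTLMTraffic 2: deny all inbound NTLM (the "disable NTLM on DCs" setting)
    $recvNtlm = Get-RegistryValueOrNull $msv 'RestrictReceivingNTLMTraffic'
    # RequireSecuritySignature 1: SMB server requires signing, which defeats SMB relay
    $smbSign  = Get-RegistryValueOrNull $srv 'RequireSecuritySignature'

    # EPA on the AD CS web enrollment site: IIS windowsAuthentication/extendedProtection tokenChecking
    $epa = $null
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        try {
            $raw = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name tokenChecking -ErrorAction Stop
            # the cmdlet returns either a plain value or an attribute object with .Value
            $epa = if ($raw.PSObject.Properties['Value']) { $raw.Value } else { "$raw" }
        } catch { $epa = $null }
        if ([string]::IsNullOrEmpty($epa)) { $epa = 'CertSrv site not found' }
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        LmCompatibilityLevel     = $lmLevel
        NtlmInboundDenied        = ($recvNtlm -eq 2)
        SmbServerSigningRequired = ($smbSign -eq 1)
        AdcsWebEnrollmentEpa     = $epa
    }
}

function Get-NtlmRelayGaps {
    param([Parameter(Mandatory)]$Posture)
    $gaps = @()
    if ($null -eq $Posture.LmCompatibilityLevel -or $Posture.LmCompatibilityLevel -lt 5) {
        $gaps += 'LmCompatibilityLevel below 5: LM/NTLMv1 responses still accepted'
    }
    if (-not $Posture.NtlmInboundDenied) {
        $gaps += 'Inbound NTLM not denied; signing and EPA must carry the load'
    }
    if (-not $Posture.SmbServerSigningRequired) {
        $gaps += 'SMB signing not required on the server side'
    }
    $epa = $Posture.AdcsWebEnrollmentEpa
    if ($epa -and $epa -ne 'Require' -and $epa -ne 'CertSrv site not found') {
        $gaps += "AD CS web enrollment EPA is '$epa'; expected 'Require'"
    }
    $gaps
}

$posture = Get-NtlmRelayPosture
$posture | Format-List
$gaps = Get-NtlmRelayGaps -Posture $posture
if ($gaps) { $gaps | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No NTLM relay gaps found' }
```

The script only reads configuration. Actually turning NTLM off belongs in the staged rollout the KB article describes, and where the note above applies (NTLM cannot be dropped), the SMB signing and EPA results are the ones to act on.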

2021-07-26

No More Ransom Project Has Helped Millions of Ransomware Victims

The No More Ransom Project has saved organizations nearly €1 billion in payments to ransomware operators. In the five years that it has been operating, the No More Ransom Project has helped millions of ransomware victims recover files after attacks. The No More Ransom portal is available in 37 languages. It has more than 120 tools capable of decrypting more than 150 strains of ransomware.

Editor's Note

This project by Europol has been a great success and is a portal I have used successfully when working with companies impacted by ransomware. The NoMoreRansom www.nomoreransom.org is a great example of how public and private partnership can work together to tackle cybercrime.

Brian Honan

This is a great example of an effective, action-oriented partnership between government agencies (Europol and Politie, the Dutch national police organization) and vendors (initially Kaspersky and McAfee, now many more) to provide free help to individuals and businesses. No More Ransom emphasizes prevention/avoidance through essentially security hygiene, since at the front end ransomware attacks are like all other attacks. The collection of encryption tools as the last resort recognizes the unique recovery aspects of a ransomware event.

John Pescatore

This sort of assistance is critical to reduce the frequency and certainty of ransomware payments. That reduction is necessary to turn the tide on operators. This service provides decryption, reporting, and prevention tools to members. To obtain a decryption tool, ransomware victims upload two encrypted files and the ransom note to their Crypto Sheriff for a match. If matched, the decryptor includes detailed instructions for use. If not matched, users are advised to check again shortly as tools are being continuously added.

Lee Neely

Working together has always proved to be better than working in isolation. I recommend leveraging these resources so we improve as an industry and hopefully slow down ransomware attacks.

Jorge Orchilles

2021-07-26

Apple Releases iOS/iPadOS 14.7.1 and macOS 11.5.1

Just five days after releasing 14.7 and macOS 11.5, Apple has released an update to address an IOMobileFrameBuffer vulnerability which can be used to execute arbitrary code with kernel privileges. CVE-2021-30807 was reported by an anonymous researcher.

Editor's Note

iOS 14.7.1 is only about an 80 MB delta if you’ve installed 14.7. If you’re still rolling out your requirement to go to iOS/iPadOS 14.7 and macOS 11.5, then switch to 14.7.1/11.5.1. This vulnerability is being exploited in the wild.

Lee Neely

While annoying to have to patch your systems twice in two weeks, I applaud Apple for the fast response. A lot has been written about the increase in 0-Days Apple patched this year, but I think the real story isn't the increase of 0-Days but instead Apple finally paying more attention to them and calling them out in special patches like this.

Johannes Ullrich

The Rest of the Week's News


2021-07-26

Malware Authors are Using Uncommon Programming Languages

According to researchers at BlackBerry, malware creators are increasingly using arcane programming languages to improve the development process and to evade detection and hinder analysis. In particular, instances of malware written in Go, Rust, Nim, and DLang are on the rise.

Editor's Note

Not sure if I would call languages like "Go" uncommon, but reverse analysis tools and debuggers are only now starting to support it well. This will give attackers an advantage. But this is also not new. Go has been reported as an up-and-coming malware language for a couple years now due to its concurrency support and ease of supporting network clients and servers.

Johannes Ullrich

Too many host-based defensive tools are easily tricked by using a slight variation of payloads. Attackers recognize this and can queue up a list of payloads using Rust, Go, Dart, Julia, etc. Application safe listing isn't perfect, but it's a heck of a lot more reliable than trying to play catch-up each time a new payload variant is identified.

Joshua Wright

Not only might Go and Rust binaries be better for evading signature detection, but they could also run more stealthily than PowerShell. PowerShell post-exploitation tools are easy to write, but also easy to log and reverse engineer. The more attackers shift from PowerShell to compiled code, the more difficult it will be to track them.

Jason Fossen

Pentesters have done the same thing, transitioning through PowerShell, compiled Python executables, cscript.exe XML files, etc; now we're on to Golang and Rust. On top of that, we use wrappers and encoders - all to avoid signature-based detection. In your environment, what type of *behavioral* detections do you have? Will you catch additions to admin groups, inter-workstation communications, and heavy/odd Active Directory requests?

Christopher Elgee
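As an added example (not from the newsletter or any of the editors), the first question in the note above, whether you would catch additions to admin groups, turned into a small behavioral check over Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group). The sample events, the $PrivilegedGroups watch list and the burst thresholds are constructed or assumed; the XML layout mirrors what Get-WinEvent's ToXml() returns so the same parser serves live data.

```powershell
# Added example: two behavioral rules over "member added to group" events.
# Watch list and thresholds are assumptions; sample events are constructed.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Normalize one event's XML (as returned by EventLogRecord.ToXml()) into a flat record.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        Id       = [int]$x.Event.System.EventID
        Computer = $x.Event.System.Computer
        Group    = $data['TargetUserName']   # group that was modified
        Member   = $data['MemberName']       # DN of the account added
        Actor    = $data['SubjectUserName']  # account that made the change
    }
}

function Find-PrivilegedGroupAdditions {
    param(
        [Parameter(Mandatory)][object[]]$Changes,
        [string[]]$WatchList = $PrivilegedGroups,
        [int]$BurstThreshold = 3,   # assumed: this many additions by one actor ...
        [int]$BurstMinutes = 10     # ... inside this window is worth a look
    )
    $adds = $Changes | Where-Object { $_.Id -in 4728, 4732, 4756 }

    # Rule 1: any addition to a watched (privileged) group
    foreach ($c in ($adds | Where-Object { $_.Group -in $WatchList })) {
        [pscustomobject]@{ Rule = 'PrivilegedGroupAddition'; Time = $c.Time; Actor = $c.Actor
                           Detail = "$($c.Member) added to '$($c.Group)' on $($c.Computer)" }
    }
    # Rule 2: one actor adding members to several groups in a short window
    foreach ($g in ($adds | Group-Object Actor)) {
        $sorted = @($g.Group | Sort-Object Time)
        $span = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        if ($g.Count -ge $BurstThreshold -and $span -le $BurstMinutes) {
            [pscustomobject]@{ Rule = 'GroupChangeBurst'; Time = $sorted[0].Time; Actor = $g.Name
                               Detail = "$($g.Count) group additions in $([math]::Round($span, 1)) min" }
        }
    }
}

# Constructed sample events in the shape ToXml() produces (constructed, not real telemetry).
function New-SampleEventXml($Id, $Time, $Group, $Member, $Actor) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/><Computer>DC01.corp.example</Computer></System>" +
    "<EventData><Data Name='TargetUserName'>$Group</Data><Data Name='MemberName'>$Member</Data>" +
    "<Data Name='SubjectUserName'>$Actor</Data></EventData></Event>"
}

$SampleEvents = @(
    New-SampleEventXml 4728 '2021-07-26T09:00:00.000Z' 'Domain Admins'        'CN=svc-backup,OU=Service,DC=corp,DC=example' 'jdoe'
    New-SampleEventXml 4732 '2021-07-26T09:02:00.000Z' 'Remote Desktop Users' 'CN=asmith,OU=Users,DC=corp,DC=example'       'helpdesk'
    New-SampleEventXml 4732 '2021-07-26T09:04:00.000Z' 'Backup Operators'     'CN=asmith,OU=Users,DC=corp,DC=example'       'helpdesk'
    New-SampleEventXml 4756 '2021-07-26T09:05:00.000Z' 'App Owners'           'CN=asmith,OU=Users,DC=corp,DC=example'       'helpdesk'
    New-SampleEventXml 4728 '2021-07-26T11:30:00.000Z' 'Sales'                'CN=bjones,OU=Users,DC=corp,DC=example'       'hr-admin'
)

$changes  = $SampleEvents | ForEach-Object { ConvertFrom-EventXml -Xml $_ }
$findings = Find-PrivilegedGroupAdditions -Changes $changes
$findings | Format-Table -AutoSize

# Live use on a domain controller (not run here): same parser, real events from the last day.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { ConvertFrom-EventXml -Xml $_.ToXml() }
# Find-PrivilegedGroupAdditions -Changes $live
```

On the constructed events, rule 1 fires on the Domain Admins addition by jdoe and rule 2 on the three helpdesk additions inside three minutes; the single Sales change produces nothing. The point of the second rule is the one the note makes: a signature on the tool that did the adding is beside the point, the directory change itself is the observable.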

On the other hand, the commonly used languages are vulnerable to procedures being contaminated by their data (e.g., buffer overflows.) We really need to move in the direction of strongly typed object-oriented languages. One more instance where we know what to do but lack the will to do it.

William Hugh Murray

2021-07-26

NIST’s NCCoE Chooses Companies to Demonstrate Zero Trust Architectures

The US National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) has selected 18 tech companies to demonstrate zero trust architectures. The project is intended to “demonstrate several approaches to a zero trust architecture, … designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture. The example implementations will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices.” NIST is in the process of drafting zero trust architecture guidance for federal agencies.

Editor's Note

“Zero Trust” being specifically mentioned in President Biden’s Executive Order has ratcheted up the already high level of hype around the term. To achieve Zero Trust, you basically have to implement all of the CIS Critical Security Controls – you can’t determine what to trust (let alone enforce trust decisions) if you don’t have reliable visibility, network access control, configuration management, privilege management, application control, etc. A key indicator of this: most of the 18 security vendors participating in the NIST project are well known vendors who two years ago sold the same products but didn’t have “Zero Trust” in their marketing campaigns.

John Pescatore

As vendors struggle for position in support of E.O. 14028, agencies need to focus on their plan for the EO, including secure configurations, comprehensive MFA, encryption at rest, transit and in use (in memory) as well as clearly defining which systems are and are not in scope. You are still going to need segmentation and other protections for OT and other specialized IT. When the dust settles, these efforts will yield a demonstration of Zero Trust implementations which follow NIST SP 800-207, and should provide needed insight to make an informed selection to meet the EO requirements.

Lee Neely

While "zero trust" is too often used as marketing hype, enterprise security is too often porous. While it is widely accepted, a single user clicking on a bait message should not expose the entire enterprise. Any initiatives for improvement are welcome. That said, we know what to do; we lack the will to do it.

William Hugh Murray

2021-07-26

Newest Version of Firefox Does Not Support FTP

Mozilla has released Firefox 90. The newest version of the browser does not support File Transfer Protocol (FTP). In a blog post, Mozilla says the decision to remove support for FTP was made because of security issues; of particular concern is that the protocol transfers data in cleartext. FTP was disabled by default in Firefox 88.

Editor's Note

FTP was deprecated in Chrome at the beginning of 2020 and has been disabled by default since Firefox 88 was released in April of 2020. If you have FTP servers, you should be replacing them with secure alternatives, either shared drives (Box, Google Drive, OneDrive, etc.) or services built on SFTP, FTPS, HTTPS, MTS. When implementing a file transfer service, be sure to keep it updated and secure, and replace it before support is dropped.

Lee Neely

Good riddance to bad rubbish. Both the protocol and the servers have been leaking sensitive information for decades. It is a clear case of convenience trumping security.

William Hugh Murray

2021-07-26

Amnesty International Calls for Surveillance Tech Moratorium

The recent release of a report from the Pegasus Project revealed that NSO Group’s Pegasus surveillance technology has been used to spy on government officials, human rights activists, journalists, and others around the world. “Amnesty International is calling for an immediate moratorium on the export, sale, transfer and use of surveillance technology until there is a human rights-compliant regulatory framework in place.”

Editor's Note

As long as the surveillance technology use risk remains, the best stance is to provide users with training to be proactive in securing their mobile devices. Keep them updated, only install apps from Apple/Google/corporate app stores, don’t leave them unattended, block unknown callers and texters, use loaner devices on foreign travel, implement device sanitization and verification processes to support international use.

Lee Neely

There is little chance that a "regulatory framework" will deter nation states from surveillance of their citizens.

William Hugh Murray

2021-07-26

Florida Dept. of Economic Opportunity Discloses Data Breach

A data breach at the Florida Department of Economic Opportunity’s (DEO) unemployment benefits system compromised information associated with nearly 58,000 accounts. The information may have been compromised between April 27 and July 16, 2021, according to a letter sent to affected claimants.

Editor's Note

Breached information included SSN and driver license numbers, bank account numbers, home addresses, phone numbers, DOB and claim information. They are not providing credit monitoring, so if you think you’re affected, and don’t have credit monitoring already, today’s the day to get it. If you do have it, check it, make sure alerts are configured and working.

Lee Neely

2021-07-26

Brazil’s Cyberattack Response Network

Brazil’s government has established the Federal Cyber Incident Management Network to help government entities respond to cyberattacks more quickly. Other organizations may join the network on a voluntary basis.

Editor's Note

Increased communication, sharing, and notifications will help participating entities improve their preparedness and response. Success depends on building an appropriate trust/privacy model, particularly if you wish to entice/include non-government entities in the network.

Lee Neely

Internet Storm Center Tech Corner

PetitPotam ADCS Domain Admin Vulnerability

https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/


Recovering Malspam Password

https://isc.sans.edu/forums/diary/Failed+Malspam+Recovering+The+Password/27674/


XCSSET Mac Malware Target Google Chrome / Telegram

https://thehackernews.com/2021/07/nasty-macos-malware-xcsset-now-targets.html


Defunct Video Hosting Site Flooding Normal Websites With Porn

https://www.vice.com/en/article/qj8xz3/a-defunct-video-hosting-site-is-flooding-normal-websites-with-hardcore-porn


Apple Patches 0-Day

https://support.apple.com/en-us/HT201222


Attackers Adopt Exotic Programming Languages

https://blogs.blackberry.com/en/2021/07/old-dogs-new-tricks-attackers-adopt-exotic-programming-languages


LemonDuck/LemonCat Coinminers Going Multi-OS

https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/


GitHub Expanding Supply Chain Security Support to Go

https://github.blog/2021-07-22-github-supply-chain-security-features-go-community/