SANS NewsBites

SolarWinds Update and NSA Year In Review

January 22, 2021  |  Volume XXIII - Issue #6

Top of the News


2021-01-20

SolarWinds: FireEye Offers Remediation Strategies and Auditing Tool

FireEye has published a white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, as well as a tool, Mandiant Azure AD Investigator, "for detecting artifacts that may be indicators of UNC2452 and other threat actor activity."

Editor's Note

Check the results of the FireEye tool against your current tool output to avoid blind spots.

Lee Neely

2021-01-19

SolarWinds: New "Raindrop" Malware Installs Cobalt Strike

A fourth piece of malware used by the SolarWinds hackers has been detected. Dubbed Raindrop, the malware is a backdoor loader that places Cobalt Strike on targeted systems to allow the attackers to move laterally through the network. While Cobalt Strike is a commercially available penetration testing tool, "threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more."

Editor's Note

The Symantec Report includes both IOC and YARA rules to detect Raindrop, which have been incorporated into their endpoint protection product. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

Lee Neely

2021-01-20

SolarWinds: Hackers Hit Malwarebytes

The threat actors behind the SolarWinds Orion supply chain attack have breached systems on the network at Malwarebytes. In a January 19 blog post, Malwarebytes writes, "We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments." Malwarebytes does not use SolarWinds products.


2021-01-21

SolarWinds: Microsoft Details How Threat Actors Evaded Detection

Researchers from Microsoft's 365 Defender Research Team, Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) have published new information about operational security techniques and anti-forensic behavior the SolarWinds attackers used to evade detection. Microsoft's "goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat."

Editor's Note

One of the lessons from SolarWinds is early detection. Your 2021 supply chain security plan needs to include validation and possibly upgrading your detection and response capabilities. Understanding how they evaded detection is key to developing capabilities to prevent future abuses.

Lee Neely

2021-01-22

NSA Cybersecurity 2020 Year in Review

The US National Security Agency's (NSA) Cybersecurity Directorate has published its first Cybersecurity Year in Review. The document "outlines key milestones and mission outcomes achieved during NSA Cybersecurity's first year." The NSA Cybersecurity Directorate was established in October 2019 "with a mission to prevent and eradicate cyber actors from systems critical to national security and critical infrastructure, with a focus on the Defense Industrial Base."

Editor's Note

Two key areas I'm glad to see NSA focused on in 2020: (1) Encryption - modernization and driving higher adoption; (2) Supply chain security in the Defense Industrial Base. These are two key areas that lead to avoiding or preventing damaging incidents where NSA can add unique value.

John Pescatore

This includes links to guides on secure telecommuting and home network security. Leverage these to close any gaps in your current practices as telecommuting is expected to be utilized by a much higher percentage of the workforce than in years past.

Lee Neely


The Rest of the Week's News


2021-01-20

Dnsmasq Vulnerabilities

Researchers from JSOF have disclosed seven vulnerabilities in the dnsmasq open-source DNS forwarding software. The flaws could be exploited to allow DNS cache poisoning and remote code execution. The vulnerabilities are addressed in dnsmasq 2.83. The issues are believed to affect products from at least 40 vendors.

Editor's Note

The vulnerable versions of dnsmasq are also embedded in products from Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, meaning a firmware update is needed. The JSOF Technical Whitepaper [https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf] provides some workarounds and detailed analysis. Mitigations include enabling and configuring HSTS on your websites and switching to DNSSEC, which makes DNS spoofing nearly ineffective.

Lee Neely

"Open Source" continues to fail to live up to its security promise. It appears as though this is code used by tens of vendors, not one of which sufficiently validated its quality. Developers are responsible for the quality of all the code in their products, regardless of its source. Wide reuse of code is not a guarantee of its quality but it is an indicator of its importance.

William Hugh Murray

2021-01-21

Malware Found on Some Laptops Provided to UK Schoolchildren

Laptops provided to some British schoolchildren were found to be infected with malware. The laptops were distributed through a government program to help disadvantaged students learn remotely. The computers were infected with malware known as Gamarue (aka Andromeda). The UK's Department for Education (DfE) told The Register, "We are aware of an issue with a small number of devices and we are investigating as an urgent priority to resolve the matter as soon as possible. DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread."

Editor's Note

When having a vendor or supplier image systems for you, checking samples to verify the image is as intended is critical. The Gamarue malware has been in AV products for a long time, so updating your AV software and running a full scan should eliminate it from your laptop. Better still is to have it reimaged from a known good copy.

Lee Neely

2021-01-21

CISA Increasing Effort to Get Ransomware Information to Local Government

The US Cybersecurity and Infrastructure Security Agency (CISA) is ramping up efforts to boost ransomware awareness at the local government level. CISA has created a new page on its website that provides ransomware guidance and resources, including a guidebook CISA published last fall along with the Multi-State Information Sharing and Analysis Center. CISA acting director Brandon Wales announced the awareness campaign in a talk at the US Conference of Mayors virtual winter meeting this week. Wales urged mayors to "Get to know your CISO ... [and] get to know the protocols they will put in place to preserve continuity of services."

Editor's Note

The Center for Internet Security has done a good job of providing guidance and monitoring capabilities to state, local, tribal and territorial organizations to minimize the impact of ransomware. In addition to the guidebook this piece references, CIS has published a series of primers and tips. https://www.cisecurity.org/white-papers/security-primer-ransomware/

John Pescatore

2021-01-20

Wordfence Offers Free Site Security Audits to US K-12 Public Schools

Wordfence is offering free site cleaning and site security audits to US K-12 public schools that use the WordPress content management system. The organization is also offering those schools a free version of Wordfence that its analysts will configure.

Editor's Note

Having Wordfence installed and configured on these systems is a big win. Beyond offering discounted licensing, having trained resources to both audit your systems and configure the firewall is a win-win. Too often security tools remain on the shelf because trained resources aren't available. Even so, you must act to resolve issues discovered and build the process to maintain a secure site. This is not set-it-and-forget-it.

Lee Neely

2021-01-21

Windows RDP Servers are Being Used to Amplify DDoS Attacks

Distributed denial-of-service (DDoS) attack-for-hire services, also called DDoS Booters or illegal IP Stressers, have been using Windows Remote Desktop Protocol (RDP) servers to amplify their attacks. According to a Netscout advisory, "When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1." Network operators are urged to move RDP servers that provide remote access via UDP behind VPN concentrators; if that is not possible, then RDP via UDP/3389 should be disabled.
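The amplification ratio quoted above is the property a network defender can hunt for: a reflector emits far more UDP/3389 bytes toward a spoofed victim than it ever receives from it. The script below is an added example, not code from the NewsBites item or the Netscout advisory. It reads a constructed list of flow records (the tuple layout is an assumption; real NetFlow/IPFIX or Zeek exports differ) and reports internal hosts whose outbound UDP traffic sourced from port 3389 exceeds the inbound traffic by an alert ratio, which is also an assumed threshold.

```python
"""Flag hosts that look like RDP (UDP/3389) reflection/amplification sources.

Added example, not part of the NewsBites item or the Netscout advisory. The
flow record layout and the alert threshold are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# A reflector sends many large UDP/3389 responses to one spoofed "victim" IP
# while receiving only small requests that claim to come from it.
SAMPLE_FLOWS = [
    # Ordinary RDP-over-UDP session: response roughly the size of the request.
    ("203.0.113.10", 51000, "192.0.2.5", 3389, "udp", 1200),
    ("192.0.2.5", 3389, "203.0.113.10", 51000, "udp", 1500),
    # Reflection pattern: tiny requests in, large responses out to 198.51.100.7.
    ("198.51.100.7", 40001, "192.0.2.5", 3389, "udp", 64),
    ("198.51.100.7", 40002, "192.0.2.5", 3389, "udp", 64),
    ("192.0.2.5", 3389, "198.51.100.7", 40001, "udp", 5500),
    ("192.0.2.5", 3389, "198.51.100.7", 40002, "udp", 5500),
    # RDP over TCP cannot be spoofed this way; these records are ignored.
    ("198.51.100.7", 40003, "192.0.2.5", 3389, "tcp", 64),
    ("192.0.2.5", 3389, "198.51.100.7", 40003, "tcp", 9000),
]

RDP_UDP_PORT = 3389
# Netscout reports 85.9:1 for the attack itself; alerting well below that
# (assumed threshold) also catches smaller probe-phase traffic.
ALERT_RATIO = 10.0


def amplification_ratios(flows):
    """Return {(reflector, victim): (bytes_out, bytes_in, ratio)} for UDP/3389."""
    bytes_out = defaultdict(int)  # reflector -> victim, sourced from port 3389
    bytes_in = defaultdict(int)   # victim -> reflector, destined to port 3389
    for src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        if proto != "udp":
            continue
        if src_port == RDP_UDP_PORT:
            bytes_out[(src_ip, dst_ip)] += nbytes
        elif dst_port == RDP_UDP_PORT:
            bytes_in[(dst_ip, src_ip)] += nbytes
    result = {}
    for pair, out in bytes_out.items():
        inbound = bytes_in.get(pair, 0)
        # Responses with no matching request at all are the extreme case.
        ratio = out / inbound if inbound else float("inf")
        result[pair] = (out, inbound, ratio)
    return result


def suspected_reflectors(flows, alert_ratio=ALERT_RATIO):
    """Return sorted (reflector, victim, ratio) tuples at or above the alert ratio."""
    hits = []
    for (reflector, victim), (_out, _inb, ratio) in amplification_ratios(flows).items():
        if ratio >= alert_ratio:
            hits.append((reflector, victim, round(ratio, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for reflector, victim, ratio in suspected_reflectors(SAMPLE_FLOWS):
        print(f"{reflector} -> {victim}: {ratio}:1 outbound/inbound on UDP/3389")
```

A hit names an internal host that should either have RDP-over-UDP moved behind a VPN concentrator or have UDP/3389 disabled, as the advisory recommends; the TCP flows are skipped because a three-way handshake prevents source-address spoofing.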


2021-01-21

Belgian Hospital's Network Hit with Cyberattack

A cyberattack against a Belgian hospital resulted in roughly 20 percent of its servers being encrypted. The attackers appear to have used Windows BitLocker software to encrypt the servers. Centre Hospitalier de Wallonie Picarde (CHwapi) said that patients arriving through emergency services have been rerouted to other facilities.


2021-01-21

Amazon Fixes Flaws That Could be Exploited to Take Control of Kindle Accounts

Amazon has fixed a trio of vulnerabilities in its Send to Kindle feature that could have been exploited to take control of Kindle e-Readers, allowing attackers to make purchases in the Kindle store with linked credit cards and to access personal information stored on the devices. To exploit the flaws, a hacker would need to spoof the Kindle owner's email address, send them a maliciously crafted ebook, and convince them to click on a link inside that ebook.

Editor's Note

My first reaction to this news item was "What's next, patches for Palm Pilots??" But Amazon is in the top 4 in market share for tablets and has shipped over 50M of them. The pandemic has caused an increase in homes dusting off their Kindles to "take out" books from their local libraries, so they are probably more active on home WiFi networks than you might think. Good to remind home users patching isn't just Windows, iOS and Android.

John Pescatore

Just like laptops and tablets, you need to keep the Kindle updated. Think of the Fire as an Android tablet, not just an e-Reader; as such, apps and content should only come from known sources.

Lee Neely

Internet Storm Center Tech Corner

Qakbot Activity Resumes After Holiday Break

https://isc.sans.edu/forums/diary/Qakbot+activity+resumes+after+holiday+break/27008/


Powershell Dropping REvil Ransomware

https://isc.sans.edu/forums/diary/Powershell+Dropping+a+REvil+Ransomware/27012/


Multiple dnsmasq Vulnerabilities

https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf


FreakOut Malware

https://blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/


Kids Break Screensaver

https://github.com/linuxmint/cinnamon-screensaver/issues/354


SolarWinds Updates

https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/


Cisco Advisories

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-bufovulns-B5NrSHbj


Eavesdropping Vulnerabilities in Various WebRTC Based Video Conferencing Systems

https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html


Oracle Business Intelligence Enterprise Edition XSS

https://www.exploit-db.com/exploits/49444


Oracle Critical Patch Update

https://www.oracle.com/security-alerts/cpujan2021.html


SAP Exploit Circulating

https://onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure


RDP Used for DDoS

https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification


Billy Wilson: Mitigating Attacks Against Supercomputers with KRSI

https://www.sans.org/reading-room/whitepapers/linux/mitigating-attacks-supercomputer-krsi-40010