SANS NewsBites

Prioritize Patching and Monitoring Microsoft Exchange Servers; City Pays Ransomware Demand But Still Has to Deal With a Breach; Pulse Secure Updated Patch Released to Fully Address Vulnerabilities Not Closed With Previous Patch

August 10, 2021  |  Volume XXIII - Issue #62

Top of the News


2021-08-07

Attackers Scanning for Microsoft Exchange ProxyShell Vulnerabilities

Threat actors are actively scanning for Microsoft Exchange ProxyShell vulnerabilities. Microsoft released fixes for the three vulnerabilities in April; advisories were published in May and July. Technical details about the flaws were disclosed at the Black Hat conference last week.

Editor's Note

Three CVEs are being leveraged to exploit the vulnerability: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The first two were patched in April’s Exchange KB5001779 cumulative update, the third in the May KB5003435 update. Make sure that you’ve applied the current Exchange updates, and that you’re leveraging Azure Sentinel to check IIS logs for the “/autodiscover/autodiscover.json” and “/mapi/nspi/” strings to detect targeting of your servers for exploitation of the vulnerabilities.

Lee Neely
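The log check in the note above, as an added example (not code from the newsletter or from Microsoft): a small parser for IIS W3C log files that reads the `#Fields:` header, then flags any request whose path or query contains either indicator string and tallies hits per client address. The log lines are constructed for the example. Keep in mind that the JSON Autodiscover endpoint is also used by legitimate Autodiscover V2 clients, so treat hits as triage leads to be judged by client address, user agent, status code and volume rather than as confirmed exploitation.

```python
from collections import Counter

# Indicator strings named in the editor's note above.
INDICATORS = ("/autodiscover/autodiscover.json", "/mapi/nspi/")

# Constructed sample IIS W3C log excerpt (not real server data). IIS replaces
# spaces inside field values with '+', so splitting on single spaces is safe.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-08 10:15:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-08-08 10:15:02 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 203.0.113.9 python-requests/2.25.1 200
2021-08-08 10:15:03 10.0.0.5 GET /mapi/nspi/ - 443 - 203.0.113.9 python-requests/2.25.1 401
2021-08-08 10:15:04 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 198.51.100.8 Microsoft+Office/16.0 200
"""


def parse_iis_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat when the log rolls over
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip truncated or malformed lines rather than mis-mapping columns
        yield dict(zip(fields, values))


def find_probes(log_text, indicators=INDICATORS):
    """Return requests whose stem or query contains any indicator string."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        query = rec.get("cs-uri-query", "-")
        request = rec.get("cs-uri-stem", "")
        if query != "-":
            request += "?" + query
        request = request.lower()  # IIS paths are case-insensitive; so is the probe
        matched = [ind for ind in indicators if ind in request]
        if matched:
            hits.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec.get("c-ip", "?"),
                "method": rec.get("cs-method", "?"),
                "status": rec.get("sc-status", "?"),
                "user_agent": rec.get("cs(User-Agent)", "?"),
                "request": request,
                "indicators": matched,
            })
    return hits


def count_by_client(hits):
    """Tally hits per client address, to surface scanners hitting both strings."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_probes(SAMPLE_IIS_LOG)
    for h in found:
        print(h["time"], h["client"], h["method"], h["status"], h["request"], h["indicators"])
    print(dict(count_by_client(found)))
```

Run it against a real `u_ex*.log` by reading the file into `find_probes`; a client address that appears against both indicator strings within a short window is the pattern worth escalating.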

Orange Tsai's talk at DEF CON outlined a whole family of possible new vulnerabilities in Exchange. It is unlikely that ProxyShell will be the last such vulnerability. Keep your Exchange patching playbooks handy. It would not surprise me to have Microsoft patch more critical Exchange vulnerabilities later today (or in the next couple of months).

Johannes Ullrich

2021-08-09

Joplin, MO, Paid Ransomware Demand

An insurer for the city of Joplin, Missouri, paid a $320,000 ransom after the city’s network was the victim of a ransomware attack in July. A statement from Joplin’s city manager said the demand was paid to keep stolen data from being released, and that “the city has restored nearly every system and the associated data needed to resume normal operations.”

Editor's Note

Note that even after paying the ransom, the city will have to incur the costs to notify all possibly impacted citizens and offer them the usual credit/identity theft monitoring services, and remedy the deficiencies that enabled the ransomware attack to succeed. Since the attackers had control of that data, a breach occurred – the hope is the extortion payment lessens the harm to the citizens. But the payment does not reduce the costs the city will incur.

John Pescatore

2021-08-09

Pulse Secure Releases Updated Fix for VPN Appliances

Pulse Secure has released an updated fix for a vulnerability that was inadequately patched last year. The critical post-authentication remote code execution vulnerability affects Connect Secure VPN appliances.

Editor's Note

Luckily, a new CVE number was assigned to this issue. But in some ways, it is due to an incomplete patch released for a vulnerability last year. Do not get confused by this and make sure you patch. The original vulnerability was heavily exploited.

Johannes Ullrich

Pulse Secure initiated a rigorous external code review and discovered six vulnerabilities, which have been fixed in their 9.1R12 firmware update. The update also provides the ability to run their integrity checking tool without incurring downtime, which was a downside of the prior actions needed to detect compromise. That improvement alone warrants raising the priority of applying this update.

Lee Neely

The Rest of the Week's News


2021-08-08

Google Play Store Changes

As of August 1, developers who wish to publish new apps in the Google Play Store will need to use the Android app bundle (AAB) framework instead of the Android Package (APK), which had been the standard before AAB was introduced in 2018. The AAB standard allows for “streamlined releases and advanced distribution features.”

Editor's Note

The AAB format allows applications to be optimized for delivery to different platforms, reducing the footprint for apps on smaller devices. Coupled with Play Asset Delivery and Play Feature Delivery, which replace unsigned OBB application expansion files for dynamic delivery of added features and content with signed distribution APKs, the goal is to improve overall application delivery and security. Google’s Play Store is the only app store which currently supports these features, so read the guidance from Google if you need options for delivery on other distribution channels.

Lee Neely

2021-08-06

PCI Security Standards Council and Cloud Security Alliance Joint Bulletin

A joint bulletin from the Payment Card Industry Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) aims to “educate stakeholders on the importance of properly scoping cloud environments and good cloud security measures for payment security protection.” The bulletin includes lists of resources from both organizations.

Editor's Note

There really isn’t anything new in this bulletin that isn’t in the 2018 PCI SSC Cloud Computing Guidelines. The key sentence in the bulletin: “Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems.” Whether it is on-premises or in the cloud, if you don’t know where critical data is you cannot protect it. Persistent encryption that happens at the source of the data is needed, which in turn needs Multi-Factor Authentication to be in place to assure only authorized parties can decrypt.

John Pescatore

The message is to understand what your Cloud Service Provider (CSP) is doing, where your payment data is processed, and apply the same governance to the cloud implementation of payment processing as you did to on-premises implementations. The PCI-CSA bulletin provides guidance to follow and questions to ask, as well as resources such as the CSA CCM which you can leverage to assess your cloud implementation.

Lee Neely

The payment card industry continues to place the cost and burden of fraud on consumers and merchants while perpetuating the fundamental vulnerability of publishing and accepting primary account numbers in the clear. While EMV is now almost universally implemented and accepted, the brands still have no plan to eliminate the magnetic stripe vulnerability. Online merchants should use check-out proxies, like PayPal and Apple Pay, in lieu of accepting credit and debit card numbers in the clear. Consumers should prefer mobile payment systems to the use of credit and debit cards.

William Hugh Murray

2021-08-09

DEF CON: IoT Hardware Random Number Generator Weaknesses

In a DEF CON talk, researchers from Bishop Fox describe issues with hardware random number generators (RNGs), noting that “every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use.” The researchers write that IoT needs a cryptographically secure pseudo-random number generator (CSPRNG) subsystem.

Editor's Note

Random number generators in IoT devices have been recognized as an IoT problem for a while. For larger systems, advanced CPU features or in some cases even add-on hardware can be used to create quite good streams of random numbers. But for IoT devices, cost cutting and limited features often lead to very predictable execution paths, which in turn lead to more predictable random numbers. This is probably best addressed by adding specific entropy sources to IoT CPU designs. These design changes are cheap and can be very effective.

Johannes Ullrich

Creating code that uses good pseudo-random numbers, let alone cryptographically secure ones, takes extra work which is easily dismissed as not worth it. Identify functions which must have a CSPRNG and verify those as part of your SDLC. Where possible, leverage built-in capabilities found on system-on-a-chip devices, then call that consistently throughout your code. For users of IoT devices, limit connections, inbound and outbound, where possible to reduce exposure of insecure access controls.

Lee Neely
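One concrete form of the SDLC check in the note above ("identify functions which must have a CSPRNG and verify those"), as an added example that is not from the newsletter, the Bishop Fox research or any IoT vendor: a Python AST walk that flags calls to the non-cryptographic `random` module and rates them by whether the enclosing function's name suggests it produces secrets. The source being scanned is constructed for the example, and the list of sensitive name fragments is an assumption you would tune to your own code base; it illustrates the review step on host-side code, since firmware RNG APIs vary by SoC.

```python
import ast

# Calls on Python's Mersenne Twister 'random' module that are never suitable
# for security material; the 'secrets' module (or os.urandom) is the CSPRNG.
NONCRYPTO_CALLS = {"random", "randint", "choice", "choices", "getrandbits",
                   "randrange", "shuffle", "uniform", "sample", "seed"}

# Assumed name fragments that mark a function as security-sensitive (tune per project).
SENSITIVE_HINTS = ("token", "secret", "key", "nonce", "salt", "password", "session", "otp")


class WeakRandomVisitor(ast.NodeVisitor):
    """Record every random.<call>() together with the function it sits in."""

    def __init__(self):
        self.stack = []      # enclosing function names, innermost last
        self.findings = []

    def visit_FunctionDef(self, node):
        self.stack.append(node.name)
        self.generic_visit(node)
        self.stack.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Call(self, node):
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id == "random" and f.attr in NONCRYPTO_CALLS):
            func = self.stack[-1] if self.stack else "<module>"
            sensitive = any(h in func.lower() for h in SENSITIVE_HINTS)
            self.findings.append({
                "function": func,
                "line": node.lineno,
                "call": f"random.{f.attr}",
                # 'high' = secret material from a predictable PRNG; 'info' = review the use
                "severity": "high" if sensitive else "info",
            })
        self.generic_visit(node)  # keep walking: calls can nest inside call arguments


def find_weak_random(source):
    """Parse Python source and return findings in source order."""
    visitor = WeakRandomVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module under review (not real project code).
SAMPLE_SOURCE = '''
import random
import secrets

def make_session_token():
    return "".join(random.choice("abcdef0123456789") for _ in range(32))

def make_api_key():
    return secrets.token_hex(16)

def pick_banner():
    return random.choice(["welcome", "hello"])
'''

if __name__ == "__main__":
    for finding in find_weak_random(SAMPLE_SOURCE):
        print(f"{finding['severity']:4} line {finding['line']}: "
              f"{finding['call']} in {finding['function']}()")
```

Wire `find_weak_random` over every `.py` file in a CI job and fail the build on any `high` finding; the `info` findings are the list to review by hand, since a function name does not always reveal that its output ends up in a key or token.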

2021-08-09

Google is Previewing Unattended Project Reminder

Google is previewing a new Active Assist feature designed to help users identify and manage inactive cloud computing projects. Unattended Project Reminder generates recommendations to help users with “discovering, reclaiming, and shutting down unattended projects.”


2021-08-09

FTC Warns of SMS Phishing Scheme

The US Federal Trade Commission (FTC) is warning of an SMS phishing campaign that attempts to harvest personally identifiable data of people applying for unemployment benefits. The phony messages impersonate various state agencies and provide links to maliciously crafted websites designed to look like the state agencies’ sites.

Editor's Note

While the advice to users is similar for email and SMS phishing attempts, SMS messages don’t have the benefit of screening by your corporate protections. Users still need to beware of unexpected links in SMS messages and to consider the source carefully before acting. Consider blocking unknown SMS senders. Spam filters for SMS rely on sending all SMS messages to a third party for analysis, so you need to consider the risk and privacy impacts before enabling those services.

Lee Neely

I don’t know about you, but I have personally seen a jump in SMS phishing (sometimes called Smishing) attacks also. Cyber criminals are extremely adaptable. If they perceive organizations (and people) are getting better at spotting email phishing attacks, they will quite readily jump to other mediums (texting, social media, voice). When training your workforce how to spot any type of attack, don’t focus on the medium (email vs. texting, etc.), focus on the common indicators they all share. That way as cyber criminals jump from one technology to the next, your workforce is trained and can spot the attacks.

Lance Spitzner

Not sure if there is an overall uptick. But there are some pretty odd brazen attempts I have seen recently. For example: https://isc.sans.edu/forums/diary/Is+this+the+Weirdest+Phishing+SMishing+Attempt+Ever/27706/

Johannes Ullrich

2021-08-09

Pegasus Spyware

The most recent version of Pegasus can be installed on targeted mobile devices without user interaction and without notification. The targeted device must have a vulnerable operating system or app. Once installed, Pegasus can access virtually everything on the device. Pegasus manufacturer NSO Group maintains that it sells the spyware only for government use in tracking criminals and terrorists. Information recently released by the Pegasus Project, a consortium of media organizations and journalists from 10 countries, indicates that the spyware has been used to target heads of state, activists, and journalists.

Editor's Note

The Amnesty International Security Labs report provides insight as to where and how Pegasus is introduced onto mobile devices. They have released both their IOCs as well as their MVT tool for analysis of Android devices and iOS backups. You may want to leverage these to double-check devices, particularly for potentially targeted individuals.

Lee Neely

2021-08-09

Vulnerabilities in Arcadyan Routers

Researchers from Tenable have identified three vulnerabilities that affect routers made by Arcadyan; researchers from Juniper Threat Labs say that one of the flaws (CVE-2021-20090) is being actively exploited in the wild. That vulnerability affects devices from 20 vendors; the other two vulnerabilities appear to affect only Buffalo WSR-2533 routers.

Editor's Note

The Arcadyan firmware is installed in 17 varieties of home, SMB and ISP-provided routers. The exploit attempts to install a version of the Mirai malware. Mitigate the risk by installing updates as they become available. Leverage the IOC information in the Juniper blog to detect attempted access and/or downloads.

Lee Neely

Internet Storm Center Tech Corner

Malicious Microsoft Word Remains A Key Infection Vector

https://isc.sans.edu/forums/diary/Malicious+Microsoft+Word+Remains+A+Key+Infection+Vector/27716/


Malware Bazaar Daily Download

https://isc.sans.edu/forums/diary/MALWARE+Bazaar+Download+daily+malware+batches/27728/


Microsoft Exchange ProxyShell

https://isc.sans.edu/forums/diary/ProxyShell+how+many+Exchange+servers+are+affected+and+where+are+they/27732/


Go/Rust IP Address Validation Vulnerability

https://github.com/rust-lang/rust/pull/83652


Facial Recognition "Master Keys"

https://arxiv.org/pdf/2108.01077.pdf


Pulse Secure Patch Bypass

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44858


Synology Warns of Brute Force Attacks

https://www.synology.com/en-global/company/news/article/BruteForce/Synology®%20Investigates%20Ongoing%20Brute-Force%20Attacks%20From%20Botnet


Router Auth Bypass

https://threatpost.com/auth-bypass-bug-routers-exploited/168491/


Firefox Version 100 Experiment

https://bugzilla.mozilla.org/show_bug.cgi?id=1719070


Interaction Less Vulnerabilities in Messaging Apps

https://www.ehackingnews.com/2021/08/the-interaction-less-flaws-in-messaging.html


HTTP2 Vulnerabilities

https://portswigger.net/research/http2#conclusion