SANS NewsBites

Microsoft Patch Tuesday Includes Fixes for Print Spooler Vulnerability and Actively Exploited Flaw in Windows Update Medic Service; Microsoft Discloses Another Print Spooler Vulnerability; GitHub Now Requires Token-Based Authentication for Git Operations

August 13, 2021  |  Volume XXIII - Issue #63

Top of the News


2021-08-10

Microsoft Patch Tuesday Includes Fix for Actively Exploited Vulnerability

On Tuesday, August 10, Microsoft released fixes for 44 security issues. The batch includes patches for three security issues affecting Windows Print Spooler. One of the flaws (CVE-2021-36948), a privilege elevation issue affecting the Windows Update Medic Service, is being actively exploited.

Editor's Note

The latest PrintNightmare patch does reduce functionality by no longer allowing users to provide print drivers. But even with this change in functionality, the print nightmare isn’t over yet. A new print spooler-related vulnerability was disclosed, including a PoC exploit, affecting clients connecting to compromised print servers. The vulnerability could be used for local privilege escalation (e.g., an attacker setting up a malicious print server to connect to in order to escalate privileges on a compromised system). At the same time, older print nightmare issues are actively used by ransomware gangs.

Johannes Ullrich

Microsoft is now requiring admin rights to install print drivers rather than making that an optional second step. The Windows Update Medic Service is a new service which helps fix Windows Update when it gets broken so users will continue to receive updates, removing the long string of workarounds needed to fix it. That fix alone is worth deploying the update.

Lee Neely

2021-08-12

New Windows Print Spooler Bug (CVE-2021-36958)

A day after its monthly patch release, Microsoft has disclosed yet another vulnerability affecting Windows Print Spooler. The privilege elevation/remote code execution vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations.” The CERT Coordination Center has issued a vulnerability note.

Editor's Note

Until a patch is released, there are two mitigating steps: first, block SMB shares at your perimeter, which you should already be doing; second, disable the print spooler service. Disabling the print spooler disables local and remote printing, so disable it on systems which don’t need to print, particularly domain controllers and servers which aren’t print spoolers.

Lee Neely
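The two host-level mitigations discussed in the notes above (admin-only print driver installation after the August update, and disabling the Print Spooler on domain controllers and other servers that never print) can be audited and enforced from one script. What follows is an added example and not code from SANS, Microsoft or CERT/CC. It assumes an elevated PowerShell session; the registry key, the value name RestrictDriverInstallationToAdministrators and the "DomainRole 4 or 5 means domain controller" mapping are the ones Microsoft documents, and the optional outbound SMB firewall rule is a host-level stand-in for the perimeter SMB blocking recommended above (it will break printing to SMB-shared printers, so it is off by default).

```powershell
# Added example, not code from SANS, Microsoft or CERT/CC. Reports (and with
# -Apply, enforces) Print Spooler hardening on one Windows host. Run elevated.
param(
    [switch]$Apply,                   # without -Apply the script only reports
    [switch]$DisableSpooler,          # force spooler off on a non-DC (app/DB servers)
    [switch]$BlockSpoolerOutboundSmb  # host-level SMB block; breaks SMB-shared printers
)

# Policy key documented by Microsoft for the August 2021 Point and Print change.
$PnPKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    (Get-ItemProperty -Path $PnPKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-SpoolerPosture {
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    # Win32_ComputerSystem.DomainRole: 0-3 workstation/server, 4 backup DC, 5 primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $rdi  = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        IsDomainController     = ($role -ge 4)
        SpoolerStatus          = (if ($svc) { [string]$svc.Status } else { 'NotInstalled' })
        SpoolerStartType       = (if ($svc) { [string]$svc.StartType } else { 'NotInstalled' })
        # After the August 2021 update an absent value means the new default (1);
        # an explicit 0 is what re-opens non-admin driver installation.
        AdminOnlyDriverInstall = ($null -eq $rdi -or [int]$rdi -eq 1)
        NoWarningNoElevation   = (Get-PointAndPrintValue -Name 'NoWarningNoElevationOnInstall')
        UpdatePromptSettings   = (Get-PointAndPrintValue -Name 'UpdatePromptSettings')
    }
}

$posture = Get-SpoolerPosture
$posture | Format-List

if (-not $Apply) { return }

# 1. Pin RestrictDriverInstallationToAdministrators=1 so a stray 0 cannot survive.
if (-not (Test-Path $PnPKey)) { New-Item -Path $PnPKey -Force | Out-Null }
New-ItemProperty -Path $PnPKey -Name RestrictDriverInstallationToAdministrators `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Disable the spooler where nothing legitimately prints. This also removes the
#    client-side exposure to a malicious print server.
if ($posture.IsDomainController -or $DisableSpooler) {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

# 3. Optional: keep spoolsv.exe itself from reaching SMB on other hosts.
if ($BlockSpoolerOutboundSmb) {
    New-NetFirewallRule -DisplayName 'Block spoolsv.exe outbound SMB' -Direction Outbound `
        -Program "$env:SystemRoot\System32\spoolsv.exe" -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any | Out-Null
}

Get-SpoolerPosture | Format-List
```

Run it without switches first and review the posture object across a fleet; `-Apply` on a domain controller disables the service outright, while on a print server it only pins the admin-only driver setting. Values of 1 for NoWarningNoElevationOnInstall or 2 for UpdatePromptSettings are worth a second look, since they are the pre-patch Point and Print relaxations the August change was meant to override.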

2021-08-12

GitHub Is No Longer Accepting Passwords to Authenticate Git Operations

As of August 13, 2021, GitHub will require token-based authentication to authenticate Git operations. People still using usernames and passwords for authentication must switch to a personal access token over HTTPS or to an SSH key. Users who have already enabled two-factor authentication for their GitHub accounts will not be affected by the change, since they already authenticate with tokens or keys.

Editor's Note

For some organizations, this transition is going to be problematic or even an interruption in service, but this kind of painful transition is what we need as an industry to force the transition to password-less authentication strategies. Bravo, GitHub.

Joshua Wright

One more area to make sure that you aren’t using passwords. Make sure that you’ve updated all your accounts, particularly those used with automated processes to ensure you don’t have a service interruption.

Lee Neely

Every movement away from reusable passwords raises the bar against the vast majority of successful attacks. If your software development process includes use of GitHub, use this as a justification for hardening authentication across your entire software development and maintenance lifecycle.

John Pescatore
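The accounts most likely to break on August 13 are the ones nobody logs in with: build agents and scripts whose Git remotes carry a username and password in the URL, or whose credential helper stored a password for github.com. The script below is an added example, not code from GitHub or SANS, that walks a directory tree for Git checkouts, reports github.com HTTPS remotes with embedded credentials (secrets redacted in the output), counts stored github.com entries in ~/.git-credentials, and with -RewriteToSsh rewrites the affected remotes to their SSH equivalent. It assumes git is on PATH; treating an embedded secret that starts with ghp_ as an already-converted personal access token is an assumption based on GitHub's classic token prefix.

```powershell
# Added example, not code from GitHub or SANS. Finds GitHub remotes that still
# carry a username/password and optionally moves them to SSH.
param(
    [string]$Root = (Get-Location).Path,
    [switch]$RewriteToSsh
)

# https://[user[:secret]@]github.com/owner/repo[.git]
$GitHubHttps = [regex]'^https://(?:(?<user>[^:@/]+)(?::(?<secret>[^@/]*))?@)?github\.com/(?<owner>[^/]+)/(?<repo>[^/\s]+?)(?:\.git)?/?$'

function Get-RepoRemotes {
    param([string]$RepoDir)
    # "git remote -v" prints "name<TAB>url (fetch|push)"; collapse to one row per URL.
    git -C $RepoDir remote -v 2>$null | ForEach-Object {
        $name, $rest = $_ -split "`t", 2
        [pscustomobject]@{ Name = $name; Url = ($rest -replace ' \((fetch|push)\)$', '') }
    } | Sort-Object Name, Url -Unique
}

function Get-GitHubRemoteFindings {
    param([string]$Path)
    # .git directories are hidden, hence -Force.
    Get-ChildItem -Path $Path -Recurse -Directory -Force -Filter '.git' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $repoDir = $_.Parent.FullName
        foreach ($r in Get-RepoRemotes -RepoDir $repoDir) {
            $m = $GitHubHttps.Match($r.Url)
            if (-not $m.Success) { continue }
            $secret = $m.Groups['secret'].Value
            [pscustomobject]@{
                Repo           = $repoDir
                Remote         = $r.Name
                Url            = ($r.Url -replace '://[^@/]+@', '://<redacted>@')  # never echo secrets
                EmbeddedCreds  = $m.Groups['user'].Success
                LooksLikeToken = $secret.StartsWith('ghp_')   # assumption: classic PAT prefix
                SshUrl         = 'git@github.com:{0}/{1}.git' -f $m.Groups['owner'].Value, $m.Groups['repo'].Value
            }
        }
    }
}

$findings = @(Get-GitHubRemoteFindings -Path $Root)
$findings | Format-Table Repo, Remote, Url, EmbeddedCreds, LooksLikeToken -AutoSize

# Credential-helper store: report that github.com entries exist, not their contents.
$credFile = Join-Path $HOME '.git-credentials'
if (Test-Path $credFile) {
    $n = @(Select-String -Path $credFile -Pattern 'github.com' -SimpleMatch).Count
    if ($n -gt 0) { "$credFile holds $n github.com entries; verify each is a token, not a password" }
}

if ($RewriteToSsh) {
    foreach ($f in $findings | Where-Object { $_.EmbeddedCreds -and -not $_.LooksLikeToken }) {
        git -C $f.Repo remote set-url $f.Remote $f.SshUrl
        "rewrote $($f.Remote) in $($f.Repo) -> $($f.SshUrl)"
    }
}
```

The rewrite only touches remotes that embed a non-token secret; remotes that use a credential helper are listed but left alone, because the script cannot tell a stored password from a stored token. An SSH rewrite is only useful once the account running the job has a registered key, so run the audit first, fix the identity, then rewrite.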

The Rest of the Week's News


2021-08-12

Thief Who Stole $600 Million from Poly Network Plans to Return it

An individual who stole more than $600 million worth of cryptocurrency from Poly Network is returning the funds. Poly Network is a decentralized financial platform that facilitates cryptocurrency/blockchain exchanges. The thief exploited a vulnerability affecting cross-chain smart contract transactions. So far, $260 million of the stolen funds has been returned to Poly Network.

Editor's Note

This was not a private key compromise but rather a vulnerability in the contract transaction application. Poly Network has taken steps to repair the vulnerability and was able to identify the destination wallet funds were transferred to, and ultimately the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking, which hampered the thief’s ability to further move the purloined funds. Full repayment should not be expected.

Lee Neely

PayPal has been around for over 20 years now, many other payment systems for more than a decade, and there have been very few major security incidents, let alone anywhere customers had to depend on the thieves returning funds! The end-to-end cost of transactions over cryptocurrency exchanges is not much lower; the risk is much higher.

John Pescatore

2021-08-10

Some 5G Networks are Using 4G Infrastructure

While mobile devices may say they are connected to 5G, they may be connected to non-standalone 5G architecture, which piggybacks on 4G network infrastructure. As a result, users may not be getting the level of security that 5G purports to offer, notably protection from IMSI catchers. Relying on 4G infrastructure also makes the devices vulnerable to tracking, eavesdropping, and downgrade attacks.

Editor's Note

Backwards compatibility has been an issue with cell phone networks in the past in that attackers were able to trigger downgrades from more secure technologies like LTE to 3G or even GPRS. 5G mixed networks are a transition solution and will hopefully be replaced soon by pure 5G networks taking advantage of the full feature set including security options. Some carriers are already advancing this transition.

Johannes Ullrich

Moving to 5G requires updates and replacing equipment. To get started, providers are adding 5G to their existing 4G network. Stand-alone implementations are planned for the future. As part of that effort the 3G services need to be retired to make room for new separate 5G gear; those retirements are planned for the fall of 2022.

Lee Neely

2021-08-12

Scripps Health Cyberattack Led to EHR Downtime and $110M in Losses and Expenses

A ransomware attack that targeted Scripps Health in California resulted in more than four weeks of electronic health record (EHR) downtime and more than $110 million in losses and expenses. When the attackers gained access to the Scripps system on April 21, 2021, they stole data; the ransomware was deployed several weeks later.

Editor's Note

Exfiltrating data prior to a ransomware attack is becoming SOP. Early detection of both malicious activity and unexpected data transfers needs to be part of your ransomware preparedness plan. Focus first on your known sensitive data repositories, whether personnel or IP, then extend your protections based on risk. Be prepared to discover unexpected collections of data, and don’t overlook files stored locally by users.

Lee Neely

Another data point about cyberinsurance with this disclosure: it appears Scripps carried $20M in cyberinsurance which was still less than the estimated $21M recovery costs and obviously didn’t come close to covering the $91M in lost revenue. A $20M policy probably cost Scripps close to $1M with a $1M deductible – so the cost of the $20M insurance policy payout was $2M. Not enough public info to estimate costs to avoid the downtime, but quite often the cost of self-insuring is not much higher than the insurance costs – and the cost of avoidance covers more than just the current year.

John Pescatore

2021-08-11

OMB Memo: Federal Agencies Have 60 Days to Identify Critical Software

A memo from the US Office of Management and Budget (OMB) directs federal agencies to “identify all agency critical software, in use or in the process of acquisition” and begin the process of securing it. Agencies have one year to implement security measures established by the National Institute of Standards and Technology (NIST) to the identified software.

Editor's Note

The trick here is the definition of critical software is broad and can be read to include the OS, firmware and all your development tools. The memo allows for a phased approach while the specifics are worked out. Keep an eye on refinements from NIST.

Lee Neely

2021-08-11

H-ISAC Alert Warns of Attacks Leveraging Right-to-Left Override

The Health Information Sharing and Analysis Center (H-ISAC) has published an alert warning of increased phishing schemes that exploit a legitimate Unicode feature to evade detection. The Right-to-Left Override Unicode character (U+202E) supports languages that are read right-to-left; the feature can be abused to make malicious files appear benign, because everything after the override character is displayed reversed, so an executable can be named to render with a harmless-looking extension.

Editor's Note

As this is abusing built-in intended functionality, preventative controls aren’t an option. Instead, make sure that your detection tools are watching for common abuse formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Also check your analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.

Lee Neely
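The detection and "print the true name" checks in the note above can be exercised with the script below, an added example that is not code from H-ISAC or SANS. It matches the literal U+202E character as well as the \u202E, [U+202E] and %E2%80%AE spellings in arbitrary text (mail headers, proxy logs, JSON), walks a directory for files whose stored name carries the override, and shows the stored name beside the name a naive file browser would render. The sample inputs at the bottom are constructed for this example.

```powershell
# Added example, not code from H-ISAC or SANS. RTLO detection and un-spoofing.
$RTLO = [char]0x202E

# The raw character plus the escaped spellings that show up in logs, JSON and URLs.
$rtloForms = @(
    [regex]::Escape([string]$RTLO),   # literal U+202E
    '\\u202[eE]',                     # JSON / log escape
    '\[U\+202[eE]\]',                 # analyst shorthand
    '%E2%80%AE'                       # URL-encoded UTF-8
)
$RtloRegex = [regex]::new(($rtloForms -join '|'), 'IgnoreCase')

function Test-RtloText {
    param([Parameter(Mandatory)][string]$Text)
    $RtloRegex.IsMatch($Text)
}

function Reveal-RtloName {
    # Returns the stored name with the override made visible, plus the name as a
    # naive viewer renders it: everything after U+202E is drawn right-to-left,
    # so "Invoice_<RTLO>fdp.exe" appears as "Invoice_exe.pdf".
    param([Parameter(Mandatory)][string]$Name)
    $idx = $Name.IndexOf($RTLO)
    if ($idx -lt 0) {
        return [pscustomobject]@{ Stored = $Name; Displayed = $Name; Suspicious = $false }
    }
    $tail = $Name.Substring($idx + 1).ToCharArray()
    [array]::Reverse($tail)
    [pscustomobject]@{
        Stored     = $Name.Replace([string]$RTLO, '[U+202E]')
        Displayed  = $Name.Substring(0, $idx) + (-join $tail)
        Suspicious = $true
    }
}

function Find-RtloFiles {
    # Walk a tree and report every file whose stored name carries the override.
    param([string]$Path = '.')
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.IndexOf($RTLO) -ge 0 } |
        ForEach-Object {
            Reveal-RtloName -Name $_.Name |
                Add-Member -NotePropertyName Path -NotePropertyValue $_.FullName -PassThru
        }
}

# Constructed samples: one of each encoding plus a benign control.
$samples = @(
    "Invoice_${RTLO}fdp.exe",                             # literal override in a filename
    'attachment=Report\u202Efdp.scr',                     # escaped form in a log line
    'https://example.invalid/dl?f=Q3_%E2%80%AEfdp.exe',   # URL-encoded form
    'Quarterly_Report.pdf'                                # benign
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-RtloText -Text $s), $s.Replace([string]$RTLO, '[U+202E]')
}
Reveal-RtloName -Name $samples[0] | Format-List
# Find-RtloFiles -Path 'C:\Users' | Format-Table Path, Displayed, Stored
```

The first three samples test True and the control False; the last call shows Stored as Invoice_[U+202E]fdp.exe and Displayed as Invoice_exe.pdf, which is the gap the phishing relies on. Pointing Find-RtloFiles at download and mail-attachment directories is a cheap periodic sweep, and the Stored column is the form to feed to any tool that would otherwise render the override.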

2021-08-11

Firefox 91 Includes New Privacy Features

Mozilla released Firefox 91 on Tuesday, August 10. The most recent version of the browser includes two new privacy features: enhanced cookie clearing and HTTPS by default in private mode. The enhanced total cookie protection lets users “easily delete all cookies and supercookies that were stored on [their] computer by a website or by any trackers embedded in it.” HTTPS by default in private mode does exactly that: “automatically establish[ing] a secure, encrypted connection over HTTPS whenever possible.”

Editor's Note

Turning on Strict Tracking Protection to enable this doesn’t seem to cause much breakage. Still takes a motivated user to enable all this but consumers are increasingly demanding higher levels of privacy and all the browsers are moving to higher levels by default – a very good thing.

John Pescatore

Once privacy/anti-tracking features are in place, adoption will require user training and encouragement. While the impacts have been nominal, make sure the help desk staff have actually removed cookies associated with corporate, on-premise, and cloud services to better understand the user experience.

Lee Neely

2021-08-11

Adobe Releases Updates for Magento and Adobe Connect

Adobe has released updates to address 26 vulnerabilities in the Magento e-commerce platform; 20 of the flaws are rated critical. Adobe has also released updates to address three vulnerabilities in Adobe Connect.

Internet Storm Center Tech Corner

Microsoft Patches

https://isc.sans.edu/forums/diary/Microsoft+August+2021+Patch+Tuesday/27736/


TA551 Shathak Continues Pushing BazarLoader Leading to Cobalt Strike

https://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/27738/


Adobe Patches

https://helpx.adobe.com/security.html


cPanel/WHM Vulnerabilities

https://www.fortbridge.co.uk/research/multiple-vulnerabilities-in-cpanel-whm/


Firefox Update Released

https://www.mozilla.org/en-US/firefox/91.0/releasenotes/


New AdLoad Campaign Goes Undetected by XProtect

https://labs.sentinelone.com/massive-new-adload-campaign-goes-entirely-undetected-by-apples-xprotect/


Android FlyTrap Malware Hitting Facebook Users

https://www.ehackingnews.com/2021/08/android-malware-flytrap-hacks-facebook.html


5G Shortcuts Allow Eavesdropping

https://www.wired.com/story/5g-network-stingray-surveillance-non-standalone/


Cloud DNS Service Weaknesses

https://www.wiz.io/blog/black-hat-2021-dns-loophole-makes-nation-state-level-spying-as-easy-as-registering-a-domain


Print Nightmare Continues: CVE-2021-36958

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36958


Print Nightmare Abused by Ransomware Gangs

https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/


PolyNetwork Attack

https://www.theregister.com/2021/08/10/poly_networks_cryptocurrency_theft/