SANS NewsBites

“Largest Ever” Attack is a Reminder to Test Your DDoS Defenses; Microsoft Flips and Moves to More Secure Power Apps Defaults; CISA: Patch ProxyShell Vulnerabilities Now

August 24, 2021  |  Volume XXIII - Issue #66

Top of the News


2021-08-21

Cloudflare: Huge DDoS Attack

Cloudflare reports that in July, it detected and mitigated a distributed denial-of-service (DDoS) attack that peaked at 17.2 million HTTP requests per second. The attack lasted less than a minute. Cloudflare says the attack used more than 20,000 infected devices in more than 100 countries. The same botnet targeted a different Cloudflare customer last week at a peak rate of eight million requests per second.

Editor's Note

Cloudflare’s DDoS mitigation service is separate from their CDN offering. It leverages their presence around the globe to detect, measure, and stop these activities. Customer traffic has to be routed through their system, which then dynamically builds rules to stop the attack at layer 4, rather than layer 7. The top network layer attacks are SYN, Reset, and UDP floods, with an emerging trend in network protocol attacks, including UDP Portmap and Quote of the Day (QOTD). There seems to be a trend for shorter and more intense DDoS attacks that reactive SOC monitoring and response are not well suited for; automation is key here. Work with your DDoS vendor to tune your mitigation system based on your threat model.

Lee Neely

The press loves “biggest DDoS attack ever” stories but many of the most damaging DDoS attacks weren’t brute force with high numbers of requests per second. The important point is where in your architecture have you put mitigation of denial-of-service attempts and do you regularly test your switchover to alternate connections or mitigation services?

John Pescatore

DDoS attacks are now so commonplace that hosting an online service without DDoS protection is similar to not having spam filtering for your email. Criminals will continue to evolve their tools and techniques in this area, which requires constant innovation by defenders.

Brian Honan
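The notes above argue that a flood lasting under a minute is over before a human analyst can react, so detection and blocking have to be automatic. The following is an added example, not Cloudflare's or SANS's code: a sliding-window request-rate detector over ordinary HTTP access-log lines that flags any source exceeding a per-second threshold and emits a block rule for it. The log lines, the IP addresses (RFC 5737 documentation ranges) and the threshold are constructed for the example.

```python
"""Sliding-window burst detector over HTTP access logs.

Added example, not Cloudflare's or SANS's code. It shows the kind of
automated layer-7 detection the note calls for: per-source request counts
inside a short trailing window, with block rules emitted the moment a source
crosses the threshold, since a flood that lasts under a minute is finished
before an analyst reads the alert.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Combined log format prefix: ip ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_bursts(lines, window_s=1.0, threshold=100):
    """Map source IP -> peak requests seen inside any window_s-second window,
    for sources whose count ever exceeds threshold. Lines must be in time
    order per source, as a real access log is."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        dq = windows[ip]
        dq.append(ts)
        # Drop timestamps that fell out of the trailing window.
        while (ts - dq[0]).total_seconds() > window_s:
            dq.popleft()
        if len(dq) > threshold and len(dq) > peaks.get(ip, 0):
            peaks[ip] = len(dq)
    return peaks


def block_rules(peaks):
    """Render one drop rule per flagged source (iptables style)."""
    return [
        f"iptables -I INPUT -s {ip} -j DROP  # peak {rps} req/s"
        for ip, rps in sorted(peaks.items())
    ]


def constructed_log():
    """Constructed sample traffic (not a real capture): one source floods
    /api/login for three seconds, two others browse normally."""
    base = datetime(2021, 7, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/"):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for sec, n in ((0, 150), (1, 100), (2, 50)):
        lines += [line("203.0.113.10", sec, "/api/login") for _ in range(n)]
    for sec in range(60):                      # steady 2 req/s
        lines += [line("192.0.2.5", sec) for _ in range(2)]
    for sec in range(0, 60, 12):               # occasional page loads
        lines.append(line("198.51.100.7", sec, "/index.html"))
    return lines


if __name__ == "__main__":
    peaks = detect_bursts(constructed_log())
    for rule in block_rules(peaks):
        print(rule)
```

Access logs only carry one-second timestamp resolution, so the window is a whole-second bucket pair; a real deployment would feed this from the edge (or the mitigation vendor's API) rather than from a log file, but the logic is the same, and the emitted rules are what you would wire into the automation the note recommends testing.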

2021-08-23

Misconfigured Microsoft Power Apps Portals Exposed Data

Earlier this year, researchers from UpGuard discovered that misconfigured Microsoft Power Apps portals exposed millions of records. Power Apps portals can publish list data through an OData API; until recently, enabling that API made the data anonymously accessible unless table permissions were explicitly configured. The exposed information includes COVID-19 contact tracing and vaccination sign-up data, and job applicant data, including Social Security numbers. Earlier this month, Microsoft announced that newly created Power Apps portals will store API and other data privately by default.

Editor's Note

If the data is in the cloud, better make sure you have your authorization controls in place. People will find it. In this case, Microsoft warns of weak configurations, but does allow them with a single click. Power Apps are intended to be used by non-coders to write applications. This audience may not fully understand the implications of the warning.

Johannes Ullrich

There is an old joke about a badly written manual on how to defuse a bomb that said, “Cut the blue wire after you cut the red wire.” Yes, the instructions were correct but the way it was worded guaranteed a dangerous result and a loud boom. Good to see that Microsoft abandoned its original “not a vulnerability, it is by design” to making it easier for security to be the default position.

John Pescatore

Deny by default is a lesson we all need to learn, particularly as we move to the cloud. Verify access controls are as expected. As much as we trust large service and application suppliers such as Amazon, Microsoft, Oracle, Google, always verify and monitor the security is as described and remains so. At the end of the day, it matters more to detect and address insufficient access controls than to find out your data is exfiltrated and for sale.

Lee Neely

Developers exhibit a strong preference for convenient defaults over safe ones; they have been trained by users that are more likely to complain about “hard to use” than “risky to use.” Until and unless they can be retrained, users may not assume that products are “safe out of the box.”

William Hugh Murray
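"Verify access controls are as expected" is easy to say; the concrete check for this story is whether a portal's OData lists answer a request that carries no credentials. Below is an added example, not UpGuard's or Microsoft's code. It assumes (not stated on the page) that the portal serves an OData v4 service document at <portal>/_odata and each entity set at <portal>/_odata/<name>; the example.powerappsportals.com host, the list names and the sample rows are constructed so the check runs offline, and the fetch function is swappable so the same audit runs against a live portal.

```python
"""Anonymous OData exposure check for a Power Apps portal.

Added example, not UpGuard's or Microsoft's code. Assumptions (not taken
from the page): the portal serves an OData v4 service document at
<portal>/_odata and each entity set at <portal>/_odata/<name>; the
example.powerappsportals.com host and the sample rows are constructed.
A list is a finding when it returns rows to a request carrying no
credentials at all, which is the "API enabled, permissions not set"
state the story describes.
"""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Column-name fragments that should never be readable anonymously.
SENSITIVE_HINTS = ("ssn", "social", "birth", "dob", "phone", "email",
                   "vaccin", "covid", "tax")


def http_fetch(url, timeout=10):
    """Unauthenticated GET. Returns (status, parsed JSON or None)."""
    req = Request(url, headers={"Accept": "application/json",
                                "User-Agent": "odata-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, None
    try:
        return status, json.loads(body)
    except ValueError:
        return status, None


def audit_portal(base_url, fetch=http_fetch):
    """Return findings for entity sets readable without authentication."""
    svc_url = base_url.rstrip("/") + "/_odata"
    status, doc = fetch(svc_url)
    if status != 200 or not isinstance(doc, dict):
        return []  # feed disabled or gated: nothing exposed at this layer
    findings = []
    for entity in doc.get("value", []):
        name = entity.get("url") or entity.get("name")
        if not name:
            continue
        st, body = fetch(f"{svc_url}/{name}?$top=1")
        rows = body.get("value", []) if isinstance(body, dict) else []
        if st == 200 and rows:
            cols = sorted(k for k in rows[0] if not k.startswith("@odata"))
            findings.append({
                "entity_set": name,
                "columns": cols,
                "sensitive": [c for c in cols
                              if any(h in c.lower() for h in SENSITIVE_HINTS)],
            })
    return findings


# Constructed offline stand-in for a portal: one list open, one gated.
CONSTRUCTED_PORTAL = {
    "https://example.powerappsportals.com/_odata": (200, {
        "@odata.context": "https://example.powerappsportals.com/_odata/$metadata",
        "value": [{"name": "contacts", "url": "contacts"},
                  {"name": "applications", "url": "applications"}],
    }),
    "https://example.powerappsportals.com/_odata/contacts?$top=1": (200, {
        "value": [{"contactid": "00000000-0000-0000-0000-000000000001",
                   "fullname": "Jane Doe", "emailaddress1": "jane@example.com",
                   "ssn": "000-00-0000"}],
    }),
    "https://example.powerappsportals.com/_odata/applications?$top=1": (403, None),
}


def constructed_fetch(url):
    return CONSTRUCTED_PORTAL.get(url, (404, None))


if __name__ == "__main__":
    for f in audit_portal("https://example.powerappsportals.com", constructed_fetch):
        print(f"{f['entity_set']}: anonymous read, sensitive columns {f['sensitive']}")
```

Run it with the default `http_fetch` against your own portals from a host that holds no session with them; a list that comes back with rows is the exact condition UpGuard reported, and the column-name hints are only a triage aid, not a substitute for reading what the list actually holds.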

2021-08-23

CISA Issues Urgent Alert to Patch ProxyShell Vulnerabilities

Over the weekend, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert warning that “Malicious cyber actors are actively exploiting … ProxyShell vulnerabilities.” Microsoft released fixes for the flaws in its April and May 2021 Exchange Server security updates.

Editor's Note

If you still find an unpatched and exposed Exchange server, walk away from it... who knows how many attackers are already fighting for it. “Cleaning it up” will be impossible. Or as they say, “nuke from orbit.”

Johannes Ullrich

The amount of abuse your organization will take for running something like Exchange in-house keeps going up. As Dr. Ullrich said in today's Stormcast, “If you haven't patched yet, don't bother - just move on.”

Christopher Elgee

All three vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) are fixed in Microsoft’s May security update. Make sure you’re applying the monthly updates. Updates for Windows 10 are cumulative, so August’s updates also include these fixes.

Lee Neely

The Rest of the Week's News


2021-08-23

Razer Installer Gives Users Windows 10 SYSTEM Privileges

An unpatched vulnerability in the Razer peripherals installer lets any local user obtain SYSTEM privileges on Windows 10. When a Razer device is plugged in, Windows automatically downloads and runs an installer containing driver software and the Synapse utility; because that installer runs as SYSTEM, any shell it can be made to open runs as SYSTEM as well.

Editor's Note

Incident responders should add an investigation of locally installed Windows drivers to their playbooks (C:\Windows\System32\drivers). Privilege escalation through vulnerable drivers is a systemic problem for Windows, and one that requires significant re-architecting to prevent. We'll likely see a lot more of these vulnerabilities in the future.

Joshua Wright

This exploit leverages Windows’ automatic installation of drivers and requires local access to the system to interact with the installer. By using the installer’s option to select where the software is installed, coupled with the Windows Explorer option to ‘Open PowerShell window here,’ that shell is opened with the privileges of the installer; in this case SYSTEM. Razer is publishing an update which addresses the vulnerability, as well as providing the researcher with a bug bounty, even though this was disclosed.

Lee Neely

First printer drivers, now mouse drivers. The ability of normal users to install code that will later be executed by a higher privileged user is very dangerous and I am sure this pattern will continue to provide interesting vulnerabilities in the future.

Johannes Ullrich
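The technique described above leaves a durable trace in process telemetry: a shell whose token is NT AUTHORITY\SYSTEM but whose session is the user's interactive desktop rather than the services session (session 0). The following is an added example, not Razer's or SANS's code, that flags exactly that combination over process-creation records using Sysmon Event ID 1 field names. The events are constructed (not real telemetry) and the installer path in the last record is illustrative, not the actual Razer installer location.

```python
"""Flag shells running as SYSTEM inside an interactive desktop session.

Added example, not Razer's or SANS's code. The note above describes a
SYSTEM-level installer in the user's own desktop session handing out a
PowerShell window; the telemetry signature of that is a shell process whose
user is NT AUTHORITY\\SYSTEM but whose session is not the services session
(0). The events below are constructed Sysmon-style process-creation records
(Event ID 1 field names); the installer path is illustrative, not the real one.
"""
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SYSTEM_USER = "nt authority\\system"


def is_suspicious(ev):
    """True for a SYSTEM shell launched in a non-zero (interactive) session."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    user = ev.get("User", "").lower()
    session = int(ev.get("TerminalSessionId", 0))
    return image in SHELLS and user == SYSTEM_USER and session != 0


def scan(events):
    """Return one finding per suspicious event, keeping the parent so the
    responder knows which installer or service to pull for analysis."""
    return [
        {
            "pid": ev["ProcessId"],
            "image": ev["Image"],
            "parent": ev["ParentImage"],
            "session": int(ev["TerminalSessionId"]),
            "reason": "SYSTEM shell in interactive session",
        }
        for ev in events
        if is_suspicious(ev)
    ]


# Constructed events (not real telemetry). The last one is the Razer-style case.
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 0,
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ProcessId": 2210, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 0,
     "CommandLine": r"cmd.exe /c C:\Scripts\nightly.cmd"},     # scheduled task, session 0
    {"ProcessId": 3388, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "TerminalSessionId": 1,
     "CommandLine": "powershell.exe"},                          # ordinary user shell
    {"ProcessId": 4321, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Installer\VendorSetup\DeviceInstaller.exe",
     "User": r"NT AUTHORITY\SYSTEM", "TerminalSessionId": 1,
     "CommandLine": r"powershell.exe -NoExit -Command Set-Location -LiteralPath 'C:\Users\alice\Desktop'"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} session {hit['session']}: {hit['reason']} "
              f"(parent {hit['parent']})")
```

The rule is deliberately independent of the vendor: it catches any installer, updater or helper that runs as SYSTEM in a logged-on user's session and spawns a shell, which is the pattern Dr. Ullrich expects to keep recurring. Scheduled tasks and services still run in session 0 and are left alone; tune the allowlist of legitimate session-0 parents rather than the SYSTEM-in-interactive-session test itself.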

2021-08-23

Realtek SDK Vulnerabilities are Being Actively Exploited

Threat actors are actively exploiting vulnerabilities in the Realtek Software Development Kit (SDK). Realtek disclosed the flaws and released fixes on August 15. Researchers from IoT Inspector published details about the vulnerabilities the following day. The issues affect devices from 65 vendors.

Editor's Note

IoT Inspector found about a dozen vulnerabilities and their report lists about 200 types of affected devices including routers, IP cameras, Wi-Fi repeaters and gateways. They also include queries to discover the devices using Shodan. Restrict network access to only authorized devices/users, disallowing Internet access where possible to mitigate risks of exploiting default/hard-coded credentials as well as other attack vectors. Leverage the IOCs in the IoT Inspector report to augment your detection/response capabilities.

Lee Neely

In light of these supply chain attacks, buyers should demand information about the provenance of the software in products they might purchase. The provenance must include not only a “bill of materials” for the product but also information about the tools and processes used to build it. Only then are they in a position to assess and mitigate their exposure to these attacks.

William Hugh Murray

2021-08-23

Nokia Subsidiary Suffers Ransomware Attack

A Nokia subsidiary, SAC Wireless, has disclosed that it was the victim of a ransomware attack during which the criminals also stole data. SAC Wireless helps customers design and build cellular networks. The compromised data include contact information, government ID numbers, employment information, health information, tax return data, and digital signatures.


2021-08-23

US State Department Reportedly Experienced Cybersecurity Incident

The US State Department reportedly experienced a cyberattack that prompted notification to the Defense Department’s Cyber Command. The incident does not appear to have had an effect on State Department day-to-day operations, but few other details have been made available. The State Department was one of several government departments that a Senate report criticized for failing to meet “the basic cybersecurity standards necessary to protect America’s sensitive data.”

Editor's Note

Earlier this month, an audit report was released citing State and six other agencies for having weak security practices, in effect a guide for the sorts of practices to target for a successful exploit. When you are the recipient of a negative report like that, you need to create a prioritized remediation plan and start closing findings well ahead of the publish/release date to get ahead of those inevitable attacks.

Lee Neely

2021-08-23

Stolen Funds Returned to Poly Network

The thief who stole more than $600 million in cryptocurrency from the Poly Network has returned all of the funds. Poly Network is now in the process of restoring asset control to users.

Editor's Note

The attacker returned the pilfered funds as well as the bounty Poly Network paid ($500,000) to their wallet. Poly also offered him the position of “Chief Security Advisor” although it’s not clear if the offer will be accepted. It’s not a bad idea to leverage the hacker’s skills and mindset to find ways to improve and maintain security. The trick will be finding a way to build and maintain trust. A risk-based decision is needed in this scenario to determine if the oversight needed to ensure the hacker doesn’t cause added harm is worth the offset in security to reduce the likelihood of further incidents.

Lee Neely

If one cannot spend it, one might as well return it to those who can. While we may not be able to regain control of funds in destination accounts, we can blacklist the accounts so that the money cannot be spent or transferred.

William Hugh Murray

2021-08-20

Liquid Crypto Exchange Theft

Thieves have stolen nearly $100 million from the Japanese cryptocurrency exchange Liquid. The company is tracking the stolen funds and working with other exchanges to freeze the stolen assets.

Editor's Note

For several years, the list of “cryptocurrency” compromises has grown much faster than the list of legitimate companies accepting them. I think a better way to describe most of these is to call them “dissolvable currencies” – the “crypto” term was worked in to imply strong levels of safety, which is almost never the case.

John Pescatore

In 2014, Tokyo-based Bitcoin exchange Mt. Gox lost over $400 million in a crypto heist, which resulted in Japan’s legislators passing a law to regulate Bitcoin exchanges. Japan also recognizes Bitcoin and other digital currencies as legal property under their Payment Services Act (PSA). This helps support the actions to freeze accounts and stop movement of pilfered assets. The attackers are then using decentralized exchanges, outside Japan, to avoid being frozen.

Lee Neely

When we use the expression “crypto” we imply “cryptographically” secure; the cryptography is working as intended. However, cryptography is never more secure than the environment in which the keys are stored and protected. Thus we see that the distributed ledger is working as intended but wallets and exchanges are being compromised. These are no stronger than the lockwords that are chosen by human beings to protect the private keys. Choose carefully. Prefer exchanges that offer strong authentication.

William Hugh Murray

Internet Storm Center Tech Corner

Out of Band Phishing Using SMS Messages to Evade Network Detection

https://isc.sans.edu/forums/diary/Out+of+Band+Phishing+Using+SMS+messages+to+Evade+Network+Detection/27768/


Waiting for the C2 to Show Up

https://isc.sans.edu/forums/diary/Waiting+for+the+C2+to+Show+Up/27772/


DOCX with Embedded EXE

https://isc.sans.edu/forums/diary/docx+With+Embedded+EXE/27776/


Elevate Privileges with Razer Mouse

https://twitter.com/j0nh4t/status/1429049506021138437


Realtek Vulnerabilities Exploited

https://securingsam.com/realtek-vulnerabilities-weaponized/


Exposed Microsoft Power Apps

https://www.upguard.com/breaches/power-apps


Securing Your Windows 365 Cloud PCs

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/securing-your-windows-365-cloud-pcs/ba-p/2663129


Pegasus Fraud Scam

https://www.ehackingnews.com/2021/08/pegasus-iphone-hacks-used-as-bait-in.html


Proper Audit Logging for Office 365

https://zolder.io/office-365-audit-logging/