SANS NewsBites

Open Redirect Links Still Being Used in Phishing Campaigns; Singapore Expands Crowd-sourced Vulnerability Hunting Program; CISA Says Stop Using Single Factor Authentication

August 31, 2021  |  Volume XXIII - Issue #68

Top of the News


2021-08-30

Microsoft is Tracking Open Redirect Phishing Campaign

Microsoft is tracking a credential phishing campaign that uses open redirect links to manipulate users into visiting maliciously crafted websites. Microsoft says that the threat actors behind the attacks have used more than 350 unique domains.

Editor's Note

Make sure your email and endpoint protection services detect these links. Make sure the URL protection features are enabled. Note that while these tools rewrite URLs and some familiarization is needed, the current encoding used by open redirects which capture user trends and clicks is already heavily encoded, making it impractical for a user to visually verify the target URL. Microsoft Defender for Office 365 is included with E5/G5 licensing and has these capabilities.

Lee Neely

Open Redirects used to be part of the OWASP Top 10 list of web application vulnerabilities. But while they no longer make the "Top 10", open redirects are common and often underestimated. Their use in phishing is pretty obvious, but in some cases, they can also be used to steal OAuth credentials.

Johannes Ullrich
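As an added example (not code from the SANS page, from Microsoft's post, or from any of the editors above), the following shows both sides of the open redirect problem: the naive redirect handler a site should never ship, the validator that replaces it (which decodes repeatedly so that double-encoded targets are judged as the browser will see them), and the defender-side check that pulls the embedded destination out of a link shaped like the ones in the campaign, where a trusted domain's redirect parameter carries a percent-encoded external URL. The hostnames app.example.com, trusted.example and phish.example are assumptions for illustration.

```python
from urllib.parse import urlparse, urljoin, unquote, parse_qsl

# Assumption: the origin of the application that performs the redirect.
APP_ORIGIN = "https://app.example.com"
APP_HOST = "app.example.com"


def fully_unquote(value, rounds=3):
    """Undo repeated percent-encoding (%252F -> %2F -> /) so the checks
    below see the string the browser will eventually act on."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def redirect_vulnerable(next_param):
    """The classic bug: whatever ?next= says is echoed into the Location header,
    so https://app.example.com/login?next=https://phish.example lands on the phish."""
    return next_param


def redirect_safe(next_param):
    """Allow only same-origin relative paths; anything else falls back to '/'."""
    target = fully_unquote(next_param)
    # Browsers treat backslash as a slash, and CR/LF/NUL would split or truncate the header.
    if any(ch in target for ch in "\\\r\n\0"):
        return "/"
    parsed = urlparse(target)
    # A scheme or authority component means an absolute (possibly external) URL.
    # '//phish.example' is scheme-relative and parses with netloc='phish.example'.
    if parsed.scheme or parsed.netloc:
        return "/"
    if not target.startswith("/"):
        return "/"
    # Resolve against our own origin and confirm the result stayed on our host.
    resolved = urlparse(urljoin(APP_ORIGIN + "/", target))
    if (resolved.scheme, resolved.netloc) != ("https", APP_HOST):
        return "/"
    return resolved.path + ("?" + resolved.query if resolved.query else "")


def embedded_redirect_targets(link):
    """Defender's view of an inbound URL: return (param, host) for every query
    parameter whose decoded value is an absolute http(s) URL. A trusted host with
    such a parameter is the signature of an open-redirect phishing link."""
    found = []
    for name, value in parse_qsl(urlparse(link).query, keep_blank_values=True):
        inner = urlparse(fully_unquote(value))
        if inner.scheme in ("http", "https") and inner.netloc:
            found.append((name, inner.netloc.lower()))
    return found


if __name__ == "__main__":
    # Constructed sample link: a trusted tracking domain redirecting to a lookalike login page.
    sample = "https://trusted.example/track?id=42&u=https%3A%2F%2Fphish.example%2Flogin"
    print(embedded_redirect_targets(sample))
    for candidate in ["/account", "//phish.example", "%2F%2Fphish.example", "https://phish.example/x"]:
        print(repr(candidate), "->", redirect_safe(candidate))
```

Any hit from embedded_redirect_targets is worth a second look even when the outer host is reputable; the redirect validator is what removes the outer host from the attacker's toolbox in the first place.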

The Microsoft blog entry notes that “Today’s email threats rely on three things to be effective” but doesn’t list the most important enabling factor: the use of reusable passwords. Microsoft’s own research showed that 99.9% of phishing attacks would not have succeeded if simple text messaging as a second authentication factor was used. Another item in today’s NewsBites has US CISA finally putting single factor authentication in their Bad Practices list, along with using unpatchable software and default passwords.

John Pescatore

2021-08-31

Singapore Government CIO’s Office Creates Vulnerability Hunting Program

Singapore’s Government Technology Agency has established a Vulnerability Rewards Programme that will pay up to $5,000 for vulnerabilities found in public sector information and communications technology (ICT) systems. The program will initially be restricted to three systems, but will be expanded to include additional ICT systems. Participants must be approved before they begin hunting for vulnerabilities.

Editor's Note

Singapore had already been running well-managed bug bounty programs for several years with very positive results. The key is “well-managed” – not just managing the submission review and payout process, but also having the processes and playbooks in place for quickly remediating the vulnerabilities discovered. The next step is using the data to change software development and IT operations practices that resulted in vulnerable applications.

John Pescatore

It's wonderful to see more public entities moving this way. So many, at present, don't even have clear points of contact for responsibly disclosing vulnerabilities found. Related: does your site have /.well-known/security.txt?

Christopher Elgee
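Having the file is only half of it; a security.txt that is malformed or expired tells a researcher nothing. As an added example (not from the SANS page or any editor), here is a small checker for the two fields RFC 9116 requires, Contact and Expires, run against two constructed sample files. The sample contents, the example.org addresses and the fixed "now" used for the expiry comparison are all assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of a well-formed /.well-known/security.txt (assumed addresses).
SAMPLE_OK = """# Constructed sample for illustration
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2099-12-31T23:59:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample with the two most common mistakes: a bare e-mail address
# instead of a URI, and an Expires date in the past.
SAMPLE_BAD = """Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
"""

# Fixed reference time so the checks are reproducible (assumption: a 2025 review date).
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (field, value) pairs; blank lines and '#' comments are skipped,
    and a line without 'Field: value' form is recorded with an empty field name."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.append(("", line))
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the required fields are present and sane."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    if any(name == "" for name, _ in fields):
        problems.append("line without 'Field: value' form")
    contacts = [value for name, value in fields if name == "contact"]
    if not contacts:
        problems.append("no Contact field (required)")
    for contact in contacts:
        # RFC 9116 requires a URI here, so a bare address such as user@host is invalid.
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")
    expires = [value for name, value in fields if name == "expires"]
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        try:
            # fromisoformat() on older Pythons does not accept a trailing 'Z'.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires has no timezone")
            elif exp <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_security_txt(sample, FIXED_NOW) or "no problems")
```

Feed it the body of a real file fetched over HTTPS and put the call in a scheduled job; the Expires check is the one that silently fails a year after the file was written.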

Read the restrictions carefully. The programs are seasonal, focusing on 10 critical and “high-profile” systems during each run. Also, hackers must meet a set of criteria before being permitted to participate; these checks are performed by HackerOne, which will also provide the VPN gateway needed to investigate the identified targets. Violation of the terms of service will result in that access being terminated.

Lee Neely

2021-08-30

CISA Adds Single-Factor Authentication to Bad Practices Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added single-factor authentication to its list of Bad Practices. CISA notes that “The presence of these Bad Practices in organizations that support Critical Infrastructure or National Critical Functions (NCFs) is exceptionally dangerous and increases risk to our critical infrastructure.” Single-factor authentication is the third item to be added to the Bad Practices catalog; the first two are using unsupported or end-of-life software and using known or default passwords and credentials.

Editor's Note

Single-factor authentication needs to be minimized and eliminated where possible. Prioritize your actions based on the criticality of both the system and the data processed. Where it remains, long passphrases, ideally checked against breach data, need to be used. Gain user support by using solutions which allow for single sign-on which fail over to multi-factor authentication when accessed from non-trusted devices. Require endpoints/trusted devices to use MFA. Some authenticators can be configured to require MFA when the system attempting to use SSO has been logged in using single-factor authentication. Read the CISA National Critical Functions page (https://www.cisa.gov/national-critical-functions) if you’re wondering what NCFs are.

Lee Neely

Of the current three Bad Practices listed, two of them are password-related. For the past three years the VZ DBIR has identified passwords as one of the top two drivers of breaches globally (phishing is the other). I’m a huge fan and supporter of MFA. Interested to see if / what CISA adds to this list in the future.

Lance Spitzner

The Rest of the Week's News


2021-08-27

Google Transparency Report: Geofence Warrants Increased by a Factor of 10

According to Google’s most recent transparency report, the company saw a significant increase in geofence warrants last year. Geofence warrants capture device data from users within a specified area over a specific amount of time. The number of warrants Google received for US locations in 2018 was 941; in 2020, that number was just over 11,000. Geofence requests now account for more than 25 percent of all law enforcement data requests Google receives.

Editor's Note

While this will not tell you if your user data was requested, it is interesting to see the groupings by request types. In the US, the top requests have shifted from search warrants, subpoenas and preservation requests to search warrants, preservation requests and subpoenas, indicating an uptick in investigative activities. Preservation requests hold information for future actions relating to active investigations until they can compel its legal release, and if the information is released it is reported in the other categories.

Lee Neely

Build it and they will come. The ability to ask for geofence warrants is too tempting to not use them. This may serve as a warning of what may happen with other surveillance features built into future devices.

Johannes Ullrich

2021-08-30

OMB Memo Outlines Framework for Agency Cyber Incident Logging

A memo from the US White House Office of Management and Budget (OMB), M-21-31, lays out a framework to help federal agencies comply with the requirements of Executive Order 14028 to log and retain data related to cybersecurity incidents. The memo describes a tiered maturity model for event log management and sets target dates for measuring current practices and for achieving each tier.

Editor's Note

The guidance is useful even if you’re not impacted by E.O. 14028. Make sure that you have your bases covered: that needed events are logged with a consistent and reliable time source, that access to read and update logs is appropriate, and that logs are retained and secured to facilitate analysis and response activities. Agencies are required to assess and report their maturity as defined in the memo within 60 days, reach EL1 maturity within one year, EL2 within eighteen months and EL3 within three years. NIST SP 800-92 will be updated to include the requirements from this memo.

Lee Neely

The UK’s National Cyber Security Centre (The NCSC) also has an excellent guide to help organisations tackle the challenge of monitoring their logs. Their Logging Made Easy (LME) guide is a great start for any organization. https://www.ncsc.gov.uk/blog-post/logging-made-easy

Brian Honan
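Two of the checklist items in Lee Neely's note above, a single reliable time source and logs that are secured for later analysis, can be exercised in code. As an added example (not from the SANS page, the OMB memo or any editor), the following keeps an append-only event log in which every record carries a UTC timestamp and an HMAC chained to the previous record, so that editing or deleting any earlier entry is detected at verification time. The key, the event fields and the three sample events are assumptions for illustration; a real deployment keeps the key somewhere the log writer cannot read it back from.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: demo-only key. In practice the verifier holds it in a KMS/HSM.
LOG_KEY = b"demo-only-log-integrity-key"
GENESIS = "0" * 64  # tag of the (non-existent) entry before the first one


def utc_now():
    """One time source for every record: UTC, second resolution, RFC 3339 text."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def append_event(chain, event, ts=None, key=LOG_KEY):
    """Append an event; the tag covers the previous tag plus this record, so the
    chain's last tag commits to every record before it."""
    prev = chain[-1]["tag"] if chain else GENESIS
    record = {"ts": ts or utc_now(), **event}
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "record": body, "tag": tag})
    return tag


def verify_chain(chain, key=LOG_KEY):
    """Return the index of the first entry that fails verification, or None if
    every link holds. Both edited records and removed entries surface here."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hmac.new(key, (prev + entry["record"]).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return None


def build_sample_chain():
    """Constructed sample events with fixed timestamps so runs are reproducible."""
    chain = []
    append_event(chain, {"event": "logon", "user": "alice", "src": "10.0.0.5"},
                 ts="2021-08-30T12:00:00+00:00")
    append_event(chain, {"event": "logon_failed", "user": "bob", "src": "203.0.113.9"},
                 ts="2021-08-30T12:00:07+00:00")
    append_event(chain, {"event": "privilege_change", "user": "bob", "role": "admin"},
                 ts="2021-08-30T12:01:30+00:00")
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    chain[1]["record"] = chain[1]["record"].replace("bob", "eve")
    print("after editing entry 1:", verify_chain(chain))
```

Ship the last tag to a separate system (or a signed timestamp service) at each rotation; without that external anchor an attacker who obtains the key can simply rebuild the chain.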

2021-08-30

QNAP Working on Updates to Fix OpenSSL Vulnerabilities in Some NAS Devices

QNAP says it is developing updates to address two OpenSSL vulnerabilities affecting its Network Attached Storage (NAS) devices. OpenSSL released fixes last week in version 1.1.1l for CVE-2021-3711, a heap-based buffer overflow in SM2 decryption, and CVE-2021-3712, a read buffer overrun in ASN.1 string handling. The flaws could be exploited to read memory contents without authorization, cause denial-of-service conditions, or run arbitrary code. The issues affect QNAP NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync.

Editor's Note

These specific OpenSSL vulnerabilities are not severe enough to lose any sleep over. Also, any device using OpenSSL (which means at least all Linux/BSD based devices) is vulnerable. Similar updates are available for other devices.

Johannes Ullrich

NAS devices need to be carefully protected, not only as exploits continue to surface, but also as they are now being targeted by ransomware such as eCh0raix, which is specifically targeting QNAP and Synology devices. Make sure that your NAS device is only accessible by authorized hosts, that default credentials have been changed, and that any unused or unexpected applications are uninstalled.

Lee Neely

NAS services and devices should not be connected to public networks.

William Hugh Murray

2021-08-30

Microsoft Fixed Exchange Server ProxyToken Vulnerability in July

A vulnerability in Microsoft Exchange Server could be exploited to steal email. Dubbed ProxyToken (CVE-2021-33766), the flaw lets an unauthenticated attacker change a victim's mailbox configuration, for example by adding a rule that forwards incoming mail to an attacker-controlled address. Microsoft fixed the vulnerability in the July 2021 cumulative updates for Exchange.

Editor's Note

ProxyToken is different from ProxyShell, so make sure you’re checking on the mitigations for the correct vulnerability. We can no longer afford to treat Exchange and MS Server patches as items that need careful regression testing; these are now addressing actively exploited vulnerabilities and need to be applied judiciously with minimal evaluation. Take a look at your email/productivity solution and assess the viability of a cloud alternative to lessen the burden of the current vulnerability/mitigation/update cycles. Where you have migrated, make sure that you decommission old services once new functionality is verified. Set limits to that verification window to minimize risks.

Lee Neely

Given that every halfway competent threat actor has been scanning for Exchange vulnerabilities this year, this vulnerability, while easily exploited, does not substantially alter the threat landscape. One possible issue may be that this vulnerability is used for more subtle but high impact configuration changes that are easily missed. For example, an attacker could configure forwarding email addresses.

Johannes Ullrich

2021-08-27

Boston Public Library System Outage Blamed on Cyberattack

On Wednesday, August 25, the Boston Public Library (BPL) experienced a cyberattack that resulted in a broad system outage. A message on the BPL website reads, “The library is currently experiencing a significant system outage and online library services that require login are unavailable.” BPL is the third-largest public library system in the US.

Editor's Note

Make sure to test your communication plan for an outage like this ahead of time. Also make sure that there are routes to your public affairs staff to respond to media and other enquiries that will function during an interruption. Train users and set expectations for response during an outage.

Lee Neely

2021-08-30

Vulnerabilities in Delta Electronics DIAEnergie Management System

According to a security advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), eight vulnerabilities in Delta Electronics DIAEnergie management system could be exploited “to retrieve passwords in cleartext [due to a weak hashing algorithm], remotely execute code, cause a user to carry out an action unintentionally, or log in and use the device with administrative privileges.” The vulnerabilities affect DIAEnergie versions 1.7.5 and earlier. Delta was alerted to the issues in April but has not yet released fixes.

Editor's Note

The patch is targeted for September 15th. Given the plethora of weaknesses, take steps to isolate these devices only allowing communication with authorized devices. Monitor traffic for inappropriate connection attempts and don’t allow these to be directly reachable from the Internet; at a minimum, require a secure supported VPN for external access.

Lee Neely

Internet Storm Center Tech Corner