homepage
Open menu

SANS NewsBites

Access by Terminated Employee Results in Deletion of Critical Data; Employee Error Results in Loss of 22TB of Data; Patch Atlassian Confluence to Thwart Active Attacks

September 3, 2021  |  Volume XXIII - Issue #69

Top of the NewsThe Rest of the Week's NewsInternet Storm Center Tech Corner

Top of the News

2021-09-01

Former Credit Union Employee Pleads Guilty to Computer Intrusion and Destruction of Data

A New York woman has pleaded guilty to destroying data belonging to her former employer. In June 2021, Juliana Barile was fired from her position as a remote worker for an unnamed credit union. A company employee reportedly asked the IT department to disable Barile’s network access after her termination, but the request was not acted upon. Barile then accessed the company’s file server and deleted 21.3 GB of data, including mortgage loan applications and other sensitive information.

Editor's Note

The risk of not automating the connection between an employee being terminated and their access being removed is a long-standing issue. However, this scenario is often a hole even for organizations that have tied those processes together: a part-time worker working remotely. Contract and part-time workers are not always handled through normal HR channels and VPN access is often not well-integrated into the access removal process. Good reminder to look into both of these issues.

John Pescatore
John Pescatore

Two days after being terminated she was able to login and within 40 minutes delete the data. Two lessons here, first employers must deactivate accounts of terminated employees immediately (while the person is being walked out if possible); second, former employees using those accounts for maleficence are always caught. Jeff Man reminded me that per PCI DSS: 8.1.3 Immediately revoke access for any terminated users.

Lee Neely
Lee Neely

Before granting privileges, be certain that you know how and when they are to be withdrawn.

William Hugh Murray
William Hugh Murray

2021-09-01

Dallas Police IT Employee Fired for Deleting More than 22TB of Data

A Dallas Police Department IT employee has been fired after he was found to be responsible for deleting 22.5 TB of police data, including evidence. The city launched an audit after learning that 7.5 TB of evidence had been deleted in April. The audit revealed an additional 15 TB of deleted data, which includes police evidence and files from the city secretary’s office. The employee moved police evidence from cloud storage to a local server. A Dallas police investigation determined that the former employee’s action was not criminal.

Editor's Note

Ask if you could detect this sort of activity. DLP may not be at the top of your list, but information protection includes loss detection. Make sure that your records are not only properly stored and archived, but that they are in immutable form to prevent both deletion and alteration.

Lee Neely
Lee Neely

Not a lot of detail on this one, but it looks like employee error. But the impact is the same as if it was a more exciting ransomware event –“crown jewels” data is gone. There seems to be a lot of “we store it in the cloud, so it must be backed up” going around – that can be true if such services are being paid for, but data can be deleted permanently from the cloud by mistake just as easily as from an on-premises server.

John Pescatore
John Pescatore

2021-09-02

Known Atlassian Confluence Vulnerability is Being Exploited to Install Cryptominers

Cyberthreat actors are exploiting a recently-disclosed vulnerability in Atlassian Confluence to install cryptomining software. Atlassian released an advisory about the remote code execution flaw on August 25; updates to fix the issue are available. Users are urged to upgrade as soon as possible.

Editor's Note

If you haven't already, patch this before the long weekend. Confluence is a huge target and can be used to compromise your software development process. Details about the vulnerability and how to exploit it have been made public so seeing it exploited in the wild is no surprise.

Johannes Ullrich
Johannes Ullrich

The attacks are also being used to spread laterally through networks. Scan your Confluence servers to make sure they have been updated and that they haven’t been compromised. Don’t put off the update until after the holiday weekend, particularly for internet facing systems. Check the Atlassian bulletin for guidance https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Lee Neely
Lee Neely

The Rest of the Week's News

2021-09-02

FTC Order Bans SpyFone and its CEO From Surveillance Business

Cyberthreat actors are exploiting a recently-disclosed vulnerability in Atlassian Confluence to install cryptomining software. Atlassian released an advisory about the remote code execution flaw on August 25; updates to fix the issue are available. Users are urged to upgrade as soon as possible.

Editor's Note

If you go to www.spyfone.com, it resolves to a NY-based company Spyphone, with tracker apps that are still in the Google Play and Apple app stores. Support King purports to be a remote support company but lists partners such as “One Click Root” and “One Click Jailbreak.” A good idea to check for any apps from with connections to Support King on mobile devices.

John Pescatore
John Pescatore

The app breaks Section 5 of the FTC Act which covers unfair or deceptive acts or practices. In 2018, it was discovered that the SpyFone S3 bucket was exposed and contained data from over 3600 devices. If they fail to notify users and continue to operate, each instance (device) can carry a civil penalty of up to $43,280.

Lee Neely
Lee Neely

2021-09-02

CISA, FBI, and White House Advise Cyberthreat Vigilance Over Long Weekend

In a joint security advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI caution public and private sector organizations to be vigilant about the possibility of ransomware and other cyberattacks over the US Labor Day holiday weekend. The warning is based on the fact that several previous attacks, including the Colonial Pipeline ransomware attack and the Kaseya supply chain attack. Deputy National Security Advisor Anne Neuberger reiterated the advisory’s warning, noting that “We have no specific threat information or information regarding attacks this weekend, but what we do have is history, and in the past over holiday weekends, attackers have sometimes focused on security operation centers that may be understaffed, or a sense that there are fewer key personnel on duty as they may be on vacation.”

Editor's Note

Make sure that your SOC is manned during holidays, and that alerts are responded to. Incentivize staff with holiday and on-call pay, don’t expect them to yield their holiday without compensation. Create clear expectations of what is expected. I have seen on-call arrangements which require employees to carry and actively respond within an hour to an on-call cellphone or pager and require them to be sober during their coverage window.

Lee Neely
Lee Neely

2021-09-03

Pac-Resolver NPM Code Library Updated to Fix Vulnerability

The Pac-Resolver NPM code library has been updates to fix a severe remote code execution flaw. Pac-Resolver is downloaded more than 3 million times a week.

2021-09-02

Autodesk was Targeted in SolarWinds Attack

In a 10-Q filing with the US Securities and Exchange Commission (SEC), computer-aided design (CAD) software company Autodesk disclosed that its network was affected by the SolarWinds supply chain attack. In the filing, Autodesk writes that it “identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents.”

2021-09-02

K-12 School System ISAC Publishes Essential Cybersecurity Protections

The K12 Security Information Exchange (K12 SIX) has published guidance aimed at helping K-12 school districts protect their networks from ransomware, phishing, and other cybersecurity threats. The documents lists 12 cybersecurity controls, organized into four categories: sanitize network traffic to/from the Internet; safeguard student, teacher, and staff devices; protect the identities of students, teachers, and staff; and perform regular maintenance. K12 SIX was founded in 2020 and operates as an information sharing and analysis center (ISAC) for K-12 education.

2021-09-02

UK VoIP Operators Suffer DDoS Attacks

Two UK Voice over Internet Protocol (VoIP) operators have reported that they have been the targets of distributed denial-of-service (DDoS) attacks. VoIPfone is still experiencing outages as a result of the attack. VoIP Unlimited says it received a “colossal ransomware demand” after it was hit with a huge DDoS attack, and that its services are operational.

Editor's Note

POTS providers had a great record for reliability. VoIP operators will be challenged to meet it. If dependent upon telephone communications, consider cellular backup to VoIP.

William Hugh Murray
William Hugh Murray

Internet Storm Center Tech Corner

Attackers Will Always Abuse Major Events in our Lifes

https://isc.sans.edu/forums/diary/Attackers+Will+Always+Abuse+Major+Events+in+our+Lifes/27808/


STRRAT: A Java Based RAT That Doesn't Care if You Have Java

https://isc.sans.edu/forums/diary/STRRAT+a+Javabased+RAT+that+doesnt+care+if+you+have+Java/27798/


BrakTooth: Impacts, Implications and Next Steps

https://isc.sans.edu/forums/diary/BrakTooth+Impacts+Implications+and+Next+Steps/27802/


Michael Beck: Cloud Forensics Triage Framework (CFTF)

https://www.sans.org/white-papers/40415/


Active Exploitation of Confluence Server CVE-2021-26084

https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/


Cisco Enterprise NFV Infrastructure Software Authentication Bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nfvis-g2DMVVh


GitHub Removing old Ciphers / Keys

https://github.blog/2021-09-01-improving-git-protocol-security-github/


Hackers are Selling Tool to Hide Malware in GPUs

https://www.ehackingnews.com/2021/09/hackers-are-selling-tool-to-hide.html


IPC360 Baby Monitor Vulnerability

https://www.bitdefender.com/files/News/CaseStudies/study/402/Bitdefender-PR-Whitepaper-VictureIPC-creat5590-en-EN.pdf


Annke Network Video Recorder Vulnerability

https://us-cert.cisa.gov/ics/advisories/icsa-21-238-02


ProxyWare Abuse

https://blog.talosintelligence.com/2021/08/proxyware-abuse.html


Fortress Home Security System Weakness

https://threatpost.com/fortress-home-security-remote-disarmament/169069/


PostgreSQL set_user Module Vulnerability

https://www.postgresql.org/about/news/set_user-201-released-2279/