SANS NewsBites

SonicWall Vulnerabilities; Cloud Accounts Exploited In Aviation and High-Tech Networks; UofSC Cybersecurity Grads More Desirable To Employers

January 26, 2021  |  Volume XXIII - Issue #7

Top of the News


2021-01-25

SonicWall Internal Systems Breached Through Vulnerabilities in its Own Products

SonicWall has published an urgent security notice stating that its "engineering teams continue their investigation into probable zero-day vulnerabilities with SMA 100 series products." SonicWall's internal systems were breached through zero-day vulnerabilities in its own remote access products.

Editor's Note

This is a 0-Day exploit of the SonicWall SMA 100 series of appliances, not their NetExtender VPN as previously thought. Until a patch is released, make sure you have 2FA enabled on your SMA 100s; enable End Point Control to verify devices prior to connection; and consider using Geo-IP/botnet filtering to block access from countries you shouldn't see access from, as well as limiting the times accounts can log in. While good mitigations, these actions need careful consideration when you have users who travel internationally or work from multiple time zones.

Lee Neely

Yet another incident that fits into the larger "supply chain" attack theme. This may be more severe than the SolarWinds issue as it may affect a lot more users. I hope SonicWall caught the attack quickly and were able to limit impact. At last year's SANS keynote panel at RSA, I talked about the issues with vulnerable perimeter devices. While companies are dissolving perimeters quickly, we still rely on VPNs and Firewalls and just assume (perhaps incorrectly) these devices to work.

Johannes Ullrich

2021-01-21

Cloud Accounts Used to Gain Persistent Access to Aviation and High-Tech Company Networks

According to a report from NCC Group and its Fox-IT subsidiary, hackers have been gaining access to networks at high-tech and aviation organizations and maintaining dwell times of as long as three years. The hackers appear to have gained initial access to the networks through cloud-based services.

Editor's Note

Phishing and password compromise were cited as how the attackers gained initial access - as is the case in the majority of all attacks and more than 90% of incidents when major cloud services are the access point. Strong authentication on cloud admin services would have closed that path. Enhanced monitoring of all admin-privileged accounts would have reduced the time to detect in the unlikely event that strong authentication was compromised.

John Pescatore

Three years' dwell time is easily explained by missing controls around cloud services. In particular, SaaS providers do not always offer tools to audit access from authorized users.

Johannes Ullrich

The attackers used credential stuffing, password spraying, and brute force techniques to compromise credentials used for cloud services, and had a long dwell time. Monitoring, not only for the attacks, but also unusual user activity would have revealed the hackers much sooner. Additionally, make sure account lockout actions are configured and tested. Lastly, verify multi-factor authentication is enabled for all accounts on services which can be directly accessed from the Internet, cloud or otherwise. Your IDP can be configured to vary the strength of authentication required based on many factors, including domain membership, location, and time, to maintain a frictionless experience for legitimate users.

Lee Neely
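The editor's note above recommends monitoring not only for the spraying and stuffing attempts themselves but for the unusual activity that follows. The following is an added example, not code from the NewsBites editors or from the NCC Group/Fox-IT report: it runs three detections over a constructed authentication log (the timestamp/user/source-IP/result format, the thresholds, and the sample lines are all assumptions made for illustration). A password spray shows up as one source failing against many distinct accounts inside a short window; a brute-force or stuffing run shows up as many failures against one account from one source; and the signal worth escalating first is a successful login from a source already flagged for spraying.

```python
"""Detect password spraying, brute force, and success-after-spray in auth logs.

Added example for illustration; the log format, thresholds, and sample
lines are constructed and not taken from any real system or report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source-ip> <result>".
# 203.0.113.7 tries one password against six accounts (a spray) and gets
# in as "frank"; 198.51.100.9 hammers "alice" (brute force); "bob" logs
# in normally later from an unrelated address.
SAMPLE_LOG = """\
2021-01-20T08:00:01 alice 203.0.113.7 FAIL
2021-01-20T08:00:03 bob 203.0.113.7 FAIL
2021-01-20T08:00:05 carol 203.0.113.7 FAIL
2021-01-20T08:00:07 dave 203.0.113.7 FAIL
2021-01-20T08:00:09 erin 203.0.113.7 FAIL
2021-01-20T08:00:11 frank 203.0.113.7 SUCCESS
2021-01-20T08:01:00 alice 198.51.100.9 FAIL
2021-01-20T08:01:02 alice 198.51.100.9 FAIL
2021-01-20T08:01:04 alice 198.51.100.9 FAIL
2021-01-20T08:01:06 alice 198.51.100.9 FAIL
2021-01-20T08:01:08 alice 198.51.100.9 FAIL
2021-01-20T08:01:10 alice 198.51.100.9 FAIL
2021-01-20T09:30:00 bob 192.0.2.44 SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": result == "SUCCESS"})
    return events


def _windows(sorted_events, window):
    """Yield, for each event, the run of preceding events that fits in `window`."""
    start = 0
    for end in range(len(sorted_events)):
        while sorted_events[end]["ts"] - sorted_events[start]["ts"] > window:
            start += 1
        yield sorted_events[start:end + 1]


def detect_spraying(events, window=timedelta(minutes=5), min_users=5):
    """One source failing against >= min_users distinct accounts within `window`."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for run in _windows(fails, window):
            users = {e["user"] for e in run}
            if len(users) >= min_users:
                alerts.append((ip, sorted(users)))
                break  # one alert per source is enough
    return alerts


def detect_brute_force(events, window=timedelta(minutes=5), min_failures=5):
    """Many failures against a single account from a single source.

    Returns (user, ip, peak failures seen in any one window). A hit here is
    also a prompt to confirm the account lockout policy actually fired.
    """
    fails_by_pair = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_pair[(e["user"], e["ip"])].append(e)
    alerts = []
    for (user, ip), fails in fails_by_pair.items():
        fails.sort(key=lambda e: e["ts"])
        peak = max(len(run) for run in _windows(fails, window))
        if peak >= min_failures:
            alerts.append((user, ip, peak))
    return alerts


def detect_success_after_spray(events, spray_alerts):
    """A successful login from a source already flagged for spraying."""
    sprayers = {ip for ip, _ in spray_alerts}
    return [(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in sprayers]


def analyze(text):
    """Run all three detections over one log and return the findings."""
    events = parse_log(text)
    spray = detect_spraying(events)
    return {"spray": spray,
            "brute_force": detect_brute_force(events),
            "compromised": detect_success_after_spray(events, spray)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned per identity provider and combined with the per-user baselines (usual source, usual hours) the note refers to, since a low-and-slow spray that stays under any fixed count still surfaces as a success from a source the account has never used.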

2021-01-20

University of South Carolina First Undergraduate College To Make Cybersecurity Graduates Highly Desirable To Employers

The University of South Carolina Aiken is partnering with the SANS Technology Institute to offer students in the university's Bachelor of Science program in Applied Computer Science - Cybersecurity the option of completing the 12-credit Undergraduate Certificate in Applied Cybersecurity at SANS.edu as part of the UofSC Aiken cybersecurity degree program. The Certificate provides graduates with three GIAC certifications that, according to recent data, make those students three times as likely to be chosen for cybersecurity job interviews as students with the certifications commonly earned by cybersecurity graduates.

Editor's Note

This program is an awesome opportunity. If you're in the UofSC Aiken cybersecurity degree program, with a GPA of 2.5 or better, you can apply to the SANS undergraduate program, complete one SANS course per semester in your Junior and Senior years, and come out with four GIAC certifications, and hands-on knowledge which makes you a very attractive candidate for an employer as you not only have a breadth of critical current knowledge but also experience applying it during the program.

Lee Neely

As a part of SANS.edu, I am very excited about the expansion of our undergraduate program. Not only will this fill a critical gap in training new cyber security talent, but I am in particular excited to see what great content these students will create as part of the included internship with the Internet Storm Center.

Johannes Ullrich

A bachelor's degree is about being ready for life; depending in part upon the program, it may or may not prepare the student for the first job out of school. Certificates are about being ready for the job; they are becoming increasingly useful to employers and candidates.

William Hugh Murray

The Rest of the Week's News


2021-01-22

US Military Intel Purchases Phone Location Data Instead of Obtaining Warrants

According to an unclassified memo obtained by the New York Times, the US Defense Intelligence Agency (DIA) has been circumventing warrant requirements by obtaining smartphone location data through commercially available databases. A 2018 US Supreme Court ruling requires the government to obtain a warrant prior to obtaining phone location data from telecommunication companies.

Editor's Note

Privacy laws and corresponding legislation around mobile device location data continue to evolve. While cellular providers have location data from cell towers, location services on your device also provide individual applications' location data which may be used by their providers. As it is largely impractical to blanket-disable location services and Apple and Google are working to limit what applications can do with location data, only enable it for the applications that truly need it. As law enforcement is able to obtain non-anonymized location data, which then includes information about US and non-US citizens, guidance and practices need to evolve to support not only the 4th Amendment, but also foreign privacy laws. If you're in the federal government, you also have to watch for Executive Order 12333 when accessing the data. https://www.archives.gov/federal-register/codification/executive-order/12333.html

Lee Neely

2021-01-22

SEPA Ransomware Update: Stolen Files Leaked

Ransomware operators who launched an attack against Scotland's Environment Protection Agency (SEPA) have posted files stolen from the agency's systems. SEPA's network was hit with ransomware in late December 2020; SEPA refused to pay the demanded ransom. A month later, the agency's email and other systems remain down; SEPA's flood forecasting and warning systems are operating.

Editor's Note

SEPA is taking a hard line on not paying ransomware operators, which supports their continued operation, and also on not paying organizations or individuals which are on the international sanctions lists, which is illegal in the US & UK. To support that position, your organization needs not only good differential backups, but also to practice restoring systems from those backups, without dependencies on remaining systems which may be compromised.

Lee Neely

2021-01-25

Vulnerabilities in OPC Network Protocol

Researchers at Claroty have found nine vulnerabilities in implementations of the Open Platform Communications (OPC) network protocol. The vulnerabilities affect products from three vendors: Softing Industrial Automation GmbH, Kepware PTC, and Matrikon Honeywell. All three have released fixes for the flaws, which could be exploited to allow remote code execution attacks, to leak data, and to create denial-of-service conditions.


2021-01-25

Tesla Sues Over Theft of Trade Secrets

Tesla is suing a former employee for allegedly stealing proprietary software code. Alex Khatilov allegedly stole the files and transferred them to his personal Dropbox account within days after he was hired on December 28, 2020. The incident was detected on January 6, 2021. The files were not related to Khatilov's position at Tesla. The complaint alleges breach of contract and theft of trade secrets.

Editor's Note

The SolarWinds compromise points out that if someone can steal your digital intellectual property, odds are high that they could also modify it. Tesla needs to assure its customers that its source code management systems are better at integrity control than they apparently were at access control.

John Pescatore

The question is: could you detect employees within your organization taking similar actions? Raise the bar by limiting access to authorized cloud services and only allowing approved USB storage devices to be connected to systems. Actively monitor cloud and peripheral use to detect anomalous behavior. Training and policy need to be in place to support/reinforce these controls and include requirements for protection of Intellectual Property, particularly trade secrets.

Lee Neely

2021-01-25

Australian Securities and Investment Commission Says Server Breached

The Australian Securities and Investment Commission (ASIC) has disclosed that one of its servers was breached. ASIC learned of the incident on January 15, 2021 and says that the breach is "related to Accellion software used by ASIC to transfer files and attachments." ASIC has disabled access to the compromised server. Earlier this month, the New Zealand Reserve Bank experienced a data breach related to Accellion software.


2021-01-25

Cisco Issues Fix for Cross-site Request Forgery Vulnerability in DNA Center

Cisco has released a fix to address a high-severity flaw affecting its Digital Network Architecture (DNA) Center. The vulnerability could be remotely exploited to launch cross-site request forgery attacks. The issue has been fixed in Cisco DNA Center releases 2.1.1.0, 2.1.2.0, 2.1.2.3, 2.1.2.4, and later.


2021-01-25

Crane Manufacturer Palfinger Hit with Cyberattack

Austria-based Palfinger Group, which manufactures hydraulic lifting, loading, and handling systems, says it "is currently the target of an ongoing global cyber attack." In an alert on its website, Palfinger notes that it "cannot be contacted via e-mail nor can it receive or process inquiries, orders, shipments, and invoices." Customers are advised that, presently, the company can be contacted only by telephone.


2021-01-25

Flash Deactivation Halts Chinese Railroad for a Day

A railroad system in northeastern China was disabled for a day earlier this month due to the deactivation of Adobe Flash. Adobe disabled Flash from running after January 12, 2021; China Railway Shenyang uses Flash to plan daily operations. The situation led to a complete shutdown of railway operations in Dalian, Liaoning province on the 12th. On January 13, the railway obtained a version of Flash that did not contain deactivation code and resumed operations.

Editor's Note

Verify any business systems still reliant on Flash and make sure there is an active plan to remove that dependency. While reverting to an older version of Flash may restore the functionality, that action also re-introduces the vulnerabilities in the older player as well.

Lee Neely

2021-01-23

ADT Employee Pleads Guilty to Spying on Customers Through Security Cameras

A former employee of the home security company ADT has pleaded guilty to computer fraud and invasive visual recording for spying on people through their video surveillance systems. Telesforo Aviles added his personal email to the systems' ADT Pulse accounts, which allowed him to access security cameras. Approximately 200 accounts were affected over a five-year period. During that time, Aviles accessed customer systems nearly 10,000 times. ADT learned of the situation when a customer called to complain about the suspicious email address associated with their account.

Editor's Note

ADT has implemented technical and procedural actions designed to prevent and detect recurrence. All providers need to implement similar controls. As a consumer, you also need to take action. If you have security cameras, including your doorbell camera, which can be viewed remotely, assume they can be accessed by that provider and verify the accounts which have access to that content. Also review your agreement to verify what other access and use is granted, along with the retention periods. Also refrain from putting cameras in areas where you don't wish activities to be viewed by others.

Lee Neely

Internet Storm Center Tech Corner

Another File Extension to Block: JNLP

https://isc.sans.edu/forums/di...


SonicWall Vulnerability Used to Breach SonicWall

https://www.sonicwall.com/supp...


IObit Forum Breached / Used for Ransomware Distribution

https://www.bleepingcomputer.c...


ProtonVPN BSOD

https://protonstatus.com/incid...


Fun With nmap nse Scripts and DoH (DNS over HTTPS)

https://isc.sans.edu/forums/di...


Malicious NPM Module Stealing Discord Passwords

https://blog.sonatype.com/curs...


Mitigating the $I30 Bug

https://www.osr.com/blog/2021/...

https://github.com/OSRDrivers/...