SANS NewsBites

Unpatched On-Premise Atlassian Servers Have Likely Already Been Compromised; Critical Patches Released for 20 Netgear Vulnerabilities

September 7, 2021  |  Volume XXIII - Issue #70

Top of the News
2021-09-03

CYBERCOM Warns that Critical Atlassian Vulnerability is Being Actively Exploited

On Friday, September 3, US CYBERCOM sent a tweet urging users to patch a critical vulnerability in Atlassian’s Confluence Server and Data Center. USCYBERCOM wrote, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.” Atlassian updated its August 25 advisory on September 3.

Editor's Note

Some clients are still very hesitant to do internal or assumed breach penetration tests. With all the ways into an environment (exposed services like this, identity abuse, phishing, insiders...), it's hard to justify ignoring. See also: The Emperor's New Clothes.

Christopher Elgee

By the time you are reading this, consider all vulnerable Atlassian instances compromised. Only on-premise installs are affected. Atlassian already patched cloud instances.

Johannes Ullrich

This applies only to your self-hosted Confluence servers. The notice has been changed to reflect that exploitation does _NOT_ require an account on the system. Apply the patch to your Confluence servers now, and make sure that only those that need to be are exposed to the Internet. Double check for additional services which may themselves be Internet accessible and provide unintended exploitation paths.

Lee Neely

2021-09-06

Netgear Firmware Releases Updates to Fix Switch Vulnerabilities

Netgear has made firmware updates available for 20 products to address three high-severity security flaws. Proof-of-concept exploits and technical details for two of the vulnerabilities are publicly available. Most of the affected products are smart switches.

Editor's Note

Use the web interface of your Netgear switch or router, or the mobile management app if it has one, to check for and install any updates. For models that support it, enable automatic updates during times where it doesn’t matter if your device reboots. You can also cross-check the Netgear support site to verify you have the current firmware version.

Lee Neely

2021-09-03

Dallas School District Discloses Data Compromise

In a data security update, the Dallas (Texas) Independent School District has acknowledged that “a data security incident involving the district’s electronic records ... may affect former and current students, alumni, parents, and district employees.” The breach affects students, parents, employees, and contractors dating back to 2010. The district learned of the incident on August 8, 2021.

Editor's Note

Most schools are returning to in-school classes but will need to maintain remote learning capabilities and connectivity. As that stabilizes, use this news item to justify checking if 11-year-old sensitive data really needs to be stored online and evaluate other essential data security precautions. School systems have many obstacles to securing systems and networks – minimizing what is available to attack can be a very useful first step.

John Pescatore

The trick is making sure that students are not sharing extra data with the school-provided IT systems, that they don’t install extra applications, and that they use school systems only for schoolwork, to minimize the data that is at risk in the event of a compromise of the school’s IT systems. Parents should ask what protections are in place with systems protecting their data. As challenging as remote learning and providing IT systems to students is, even prior to the pandemic, ask (and offer) if they need help or expertise, respecting the guidance and staff they have in place.

Lee Neely

The Rest of the Week's News
2021-09-06

Jenkins Discloses Compromised Atlassian Confluence Server

Jenkins server developers have acknowledged that one of their Confluence servers was compromised. The intruders installed a cryptominer on the compromised server. The server in question hosted the no-longer-used Jenkins Wiki portal and had been deprecated since October 2019.

Editor's Note

You know those services you deprecated and didn’t retire because you needed them “just-in-case?” Me too. Time to go back and either retire them, or restore them to a managed/patched state, as well as double check them for compromise. Also update your lifecycle processes to include setting a retirement date for the old service or equipment. Retirement needs to include data disposition or archive.

Lee Neely

See the first story above. Let’s hope Jenkins' statement is correct and none of their software was compromised.

Johannes Ullrich

2021-09-03

New Zealand Limited Internet Outage Caused by Response to Cyberattack

Vocus NZ, a major internet provider in New Zealand, said that its response to a distributed denial-of-service (DDoS) attack last week caused a widespread Internet outage. Vocus was reportedly blocking the DDoS launched against one of its customers; the actions it took caused customers in Auckland, Wellington, and Christchurch to experience outages. The issue has been resolved.

Editor's Note

Collateral damage from DDoS attacks is quite common. ISPs often have to block some legitimate traffic initially to regain the ability to manage their networks. In some cases, filters can also cause additional load issues on routers.

Johannes Ullrich

DDoS attacks are becoming more common, with increased bandwidth and decreased duration. Some last only a few seconds, meaning automation is needed to effectively shut down these attacks. Work with your ISP and service providers to determine what their response capabilities are. They should be able to provide recent results of success or failure. DDoS prevention may be a separate service from your existing providers or something you must purchase and reconfigure your network routing to leverage. Make sure you have all the details before starting the engagement.

Lee Neely

2021-09-02

BrakTooth Bluetooth Vulnerabilities

Researchers at Singapore University of Technology and Design have identified a group of vulnerabilities affecting Bluetooth stacks implemented on system-on-a-chip circuits used by at least 11 vendors. Known collectively as BrakTooth, the flaws affect a variety of devices, including smartphones, laptop and desktop systems, and industrial equipment. The risks posed by the flaws include crashing device firmware to create denial-of-service conditions, allowing arbitrary code execution, and creating a deadlock condition that prevents Bluetooth communication. Some affected vendors have released patches to address the issues.

Editor's Note

BrakTooth is attacking Bluetooth Classic and exploitation requires an attacker to be in radio range. This applies to not just your Smartphone or tablet, but also your laptop or any other devices with Bluetooth System on a Chip (SOC) components. The SANS ISC writeup lists tested vendors and patch status and notes that the vulnerability likely applies to Bluetooth Classic implementations not listed. Mitigations include: applying available updates, disabling Bluetooth where you’re not using it, and evaluating SOC implementations in your environment to consider the risks of exploit versus turning off that Bluetooth until it can be patched.

Lee Neely

The bad news is that Bluetooth is widely supported and used for many sensitive applications. The good news is that Bluetooth range is measured in meters and attacks against it do not scale well.

William Hugh Murray

2021-09-06

Kaspersky: Attacks Against IoT Devices Doubled Over Six Months

Researchers at Kaspersky detected over 1.5 billion attacks against Internet of Things (IoT) devices during the first six months of 2021, more than twice as many as they detected during the previous six months. The attacks appear to be focused on stealing sensitive data, mining cryptocurrency, and adding devices to botnets.

Editor's Note

This is kind of a click-bait headline – for the last 5 years or so, various reports have shown the number of attacks against IoT devices growing 100-300% per year. Of course, the number of IoT devices is growing that fast, too. But the important part is whether vulnerable IoT devices provide attack paths to your critical systems or information, not how many attacks are out there. Knowing if and where your roof leaks is important; how many raindrops fell in a storm, not so much.

John Pescatore

Pretty meaningless statistic as IoT devices are already saturated with attacks. For years now, IoT botnets have achieved an overkill causing new devices to be compromised within minutes. Let’s see if recent arrests in China affecting the "Mozi" gang will have some effect (but many of these botnets are on autopilot and remain in a zombie state long after the groups behind them have ceased operations).

Johannes Ullrich

Over the last decade or so, there has been an explosion of IoT devices, both at home and work, which provide automation or assistance. The desire to monitor and/or interact with them has resulted in many being configured with increased accessibility. Make sure that your devices can talk only to services they need, and that they can’t cause peripheral harm if compromised. Where possible put them on an isolated network. Even home routers now include VLANs and Guest Network segments, which can be leveraged for this purpose.

Lee Neely

Single application devices should be relatively easy to secure. However, the tendency of developers to include general purpose operating systems and the sheer number of the devices creates a large and porous attack surface and increases global risk for little return.

William Hugh Murray

2021-09-05

Windows 11 Will Have New Hardware Requirements

The Windows 11 operating system, which is scheduled to be released next month, has hardware requirements that prevent it from being installed on older devices. While there is a loophole that allows users to install Windows 11 on older systems, Microsoft has indicated that users who choose to run Windows 11 on unsupported devices will not receive updates through Windows Update. Windows 11 is scheduled to begin rolling out in early October; Microsoft expects the rollout to continue through mid-2022.

Editor's Note

Your IT staff should be evaluating the hardware minimums for Windows 11 and updating your standard configurations so newly purchased systems can run a supported version of Windows 11, even if you’re not planning to migrate right away. Note that home versions require an Internet connection and a Microsoft.com account to complete installation and activation. Microsoft has released a compatibility check tool: https://www.microsoft.com/en-us/windows/windows-11#pchealthcheck

Lee Neely

2021-09-06

French Government Visa Website Data Breach

A French government website experienced a data security breach in August. Compromised data include names, email addresses, passport and identity card numbers, and other information entered when applying for visas from the French government. In a press release, the French Ministry of Foreign Affairs and Ministry of the Interior say that no sensitive data, as defined by the General Data Protection Regulation (GDPR), were compromised.

Internet Storm Center Tech Corner