SANS NewsBites

SEC Investigating Solar Winds Compromise Impact; Many Critical Patches from Apple, Google, Microsoft; Microsoft Makes It Easier for Windows Users to Move to Strong Authentication

September 17, 2021  |  Volume XXIII - Issue #73

Top of the News


2021-09-15

SEC Wants Security Incident Data from Organizations That Used SolarWinds Software

As part of an investigation, the US Securities and Exchange Commission is asking organizations that downloaded SolarWinds software to submit records related to any security incidents dating back to 2019. Some organizations have expressed concern that by submitting previously undisclosed information to the SEC, they are opening themselves to liability.

Editor's Note

This is a needed investigation, and there is very little risk to companies that provide information given existing requirements to publicly disclose incidents with material impact.

John Pescatore

What we have been missing in cybersecurity is a body similar to the US National Transportation Safety Board (NTSB), which investigates root causes in aviation accidents, to investigate and share the root causes and potential remedial actions in relation to cybersecurity incidents. However, a body that has the potential to sanction a firm over other regulatory issues is not the body to do this.

Brian Honan

2021-09-14

It’s Time to Update Everything

Recent updates from Apple, Google, and Microsoft include patches for vulnerabilities that are being actively exploited. Among the vulnerabilities Apple has fixed is a chain of exploits known as ForcedEntry, which has been used to install spyware without user interaction. Microsoft’s updates include a fix for the MSHTML rendering engine that can be exploited to execute arbitrary code. And Google’s update for Chrome includes fixes for two vulnerabilities that are being actively exploited.

Editor's Note

It isn’t easy to find good data around the impact of software updates these days, but browsers on PCs, mobile apps, and cloud apps are all updated constantly without causing disruption. The risks of updating everything, every day, are way lower than old perceptions. If nothing else, the use of IaaS to rapidly QA updates has proven to be a huge win for security. The major barrier to overcome is IT operations staying locked into a “change is bad” mentality.

John Pescatore

The sheer volume recently of critical patches that need to be applied has highlighted our need to focus efforts on securing the data and the applications that we rely on and not the underlying devices. Containerization and isolation technologies that can secure data and apps from other apps and the operating system are something to seriously consider for your endpoint security.

Brian Honan

It will be a long weekend for operations teams waiting for change windows to apply patches for vulnerabilities that are being actively exploited.

Jorge Orchilles

2021-09-15

Microsoft Patch Tuesday

On Tuesday, September 14, Microsoft released updates to address 86 vulnerabilities in Windows, Office, Azure, Edge, and other products. Three of the fixed flaws are rated critical, including one in the legacy MSHTML rendering engine that has already been exploited in targeted attacks.

Editor's Note

This patch Tuesday is interesting for the number of high-profile, already exploited vulnerabilities it addresses. First of all, it includes a patch for the MSHTML vulnerability which is currently used by ransomware gangs. (It is used by others as well, but if you say “ransomware,” management listens and will let you patch it.) PrintNightmare gets another patch, and this patch will actually finally break some network printing. The hidden gem here is the patch for CVE-2021-38647, the Open Management Infrastructure. Never heard of it? You are not alone. But if you are running Linux in Azure, Microsoft likely installed it for you on your virtual machine and left it wide open to attack. Note that even after the patch was released, new Linux VMs in Azure still received the old vulnerable version. (May have been fixed by now.)

Johannes Ullrich

2021-09-15

Microsoft Fixes Critical Azure OMI Vulnerabilities

Microsoft has fixed four vulnerabilities in the Open Management Infrastructure, which is embedded in frequently-used Azure services. The four flaws, which have been dubbed OMIGOD, were detected by researchers at Wiz, who write, “The vulnerabilities are very easy to exploit, allowing attackers to remotely execute arbitrary code within the network with a single request and escalate to root privileges.”

Editor's Note

This patch was released as part of patch Tuesday. Note that at least for a day after patch Tuesday, newly created Linux VMs in Azure still received the vulnerable version. Linux VMs in Azure may have had this installed and enabled if you enabled certain management features for your virtual machines. Assume that the tool is installed if you are running Linux in Azure, and patching it is urgent as exploitation of the flaw is trivial if respective ports are reachable.

Johannes Ullrich

2021-09-16

Microsoft Expanding Passwordless Account Features

Microsoft will soon begin rolling out passwordless features to all users. Previously, the features were available only to corporate customers. The password-free features will be available for Microsoft Authenticator and the Hello login service. Instead of passwords, users will be able to access accounts with fingerprints or face scans, hardware authentication tokens, and verification codes sent to phones or emailed.

Editor's Note

Anything that reduces the percentage of logins using reusable passwords is a good thing. But we still have different “islands” of authentication approaches across the leading platforms (Apple, Facebook, Google, Microsoft, etc.). Adoption of OAuth, OpenID Connect and SAML provides standard protocols, but it is kind of like back in the days when railroads all used the same materials for the tracks but picked different spacing between the rails. “Interoperability” didn’t happen until all agreed on (or regulations demanded) track gauge standards.

John Pescatore

People do not like two-factor authentication. If you have to pick one factor, the password is usually the weaker part, and the part that causes more pain to users. For some applications, passwordless app-based authentication makes a lot of sense.

Johannes Ullrich

Passwords remain one of the weakest links in our lives. Moving to passwordless is the future but I fear the shift will take a significant amount of time.

Jorge Orchilles

The biggest problem with strong authentication is making it simple. What MS is doing helps and I really applaud this initiative, BUT we could just end up making authentication complex again. I don’t know about you, but 1. I already have three different authenticator apps and it’s most likely going to get worse. 2. Work and personal authenticator apps are blending. I have one Authenticator app that is used for both work and personal accounts. In another odd case, I’m using MS Authenticator for my work Microsoft account and using Google Authenticator for my personal Microsoft accounts. Authentication has the potential to once again get really confusing really fast as different organizations take different approaches using different technologies.

Lance Spitzner

The Rest of the Week's News


2021-09-15

Former US Military and Intelligence Officers Will Pay Penalty for Providing Hacking Services to UAE Government

Three US citizens have agreed to pay a penalty of $1,685,000 “to resolve a Department of Justice investigation regarding violations of U.S. export control, computer fraud and access device fraud laws.” All three, who are former US military or intelligence community employees, worked for a company that provided hacking services to the government of the United Arab Emirates.

Editor's Note

This is a slap on the wrist at best, based on the annual salary they were making for multiple years according to Nicole Perlroth, NYT journalist and author of “This Is How They Tell Me The World Ends”: https://twitter.com/nicoleperlroth/status/1438175837149270018?s=20

Jorge Orchilles

2021-09-16

FTC Says Health Apps Must Comply with Health Breach Notification Rule

The US Federal Trade Commission (FTC) has voted 3-2 that the Health Breach Notification Rule now also applies to developers and vendors of health apps and connected devices. Companies that do not comply could face monetary penalties of more than $43,000 a day. The rule requires those organizations, and now apps, that handle health information to notify the FTC, users, and in some cases the media in the event of a breach.


2021-09-16

Universal Decryptor for REvil/Sodinokibi Released

Bitdefender has released a free universal decryptor for REvil/Sodinokibi ransomware. The decryptor, which Bitdefender developed with the help of law enforcement, will help victims who were hit with the ransomware before July 13, 2021. According to reports, the ransomware has re-emerged after a brief lull.

Editor's Note

This decryptor is for victims ransomed prior to July 13, 2021. Since those attacks, REvil has taken a two month sabbatical and is now back in operation with more resources than ever before. Stay "left of boom" (boom being encryption) by testing your detection and response.

Jorge Orchilles

Well done to Bitdefender and all the law enforcement agencies involved in this. Remember that if you are a victim of ransomware and cannot recover a critical device, the key to decrypt it may become available in the future. So store the device securely for recovery at a later date.

Brian Honan

2021-09-14

Adobe Patch Tuesday

On Tuesday, September 14, Adobe released fixes for vulnerabilities in numerous products, including Acrobat and Reader, Photoshop, Experience Manager, and ColdFusion. In all, the updates address 59 security issues, 36 of which are critical.


2021-09-16

CISA and FBI Warn Zoho Flaw is Being Exploited

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned that Advanced Persistent Threat (APT) actors are exploiting a vulnerability in Zoho ManageEngine ADSelfService Plus. Zoho ManageEngine ADSelfService Plus build 6114, which was released on September 6, fixes the flaw.


2021-09-15

Ransomware Hits South Africa’s Justice Dept.

A ransomware attack has encrypted systems at South Africa’s Department of Justice and Constitutional Development. The incident occurred on September 6. As a result, “all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail and the departmental website.”

Internet Storm Center Tech Corner

Phishing 101: why depend on one suspicious message subject when you can use many

https://isc.sans.edu/forums/diary/Phishing+101+why+depend+on+one+suspicious+message+subject+when+you+can+use+many/27842/


Hancitor Campaign Abusing Microsoft's OneDrive

https://isc.sans.edu/forums/diary/Hancitor+campaign+abusing+Microsofts+OneDrive/27838/


Microsoft Patches

https://isc.sans.edu/forums/diary/Microsoft+September+2021+Patch+Tuesday/27834/


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


Malware Taking Advantage of Linux Subsystem for Windows

https://www.bleepingcomputer.com/news/security/new-malware-uses-windows-subsystem-for-linux-for-stealthy-attacks/


PrintNightmare Fix Breaks Network Printing

https://www.bleepingcomputer.com/news/security/new-windows-security-updates-break-network-printing/


Travis CI Patch

https://travis-ci.community/t/security-bulletin/12081


IBM System x IMM Vulnerability

https://support.lenovo.com/es/en/product_security/len-66347


Fake iTerm installing Malware on OS X

https://objective-see.com/blog/blog_0x66.html


"Secret" Agent Exposes Azure Customers To Unauthorized Code Execution

https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution