SANS NewsBites

US Treasury Sanctions Cryptocurrency Exchange for Ransomware Involvement; Patch VMWare and Assure Segmentation; Patch Out for Zero-Day Exploits Against Older Apple Devices; Port of Houston: Planning, Processes and Controls Worked to Avoid Damage from ManageEngine Attack

September 24, 2021  |  Volume XXIII - Issue #75

Top of the News


2021-09-21

US Treasury Dept. Sanctions Cryptocurrency Exchange Over Ransomware Transactions

The US Treasury has sanctioned a cryptocurrency exchange for handling transactions for ransomware operators. Suex is registered as a business in the Czech Republic but operates through offices in Russia. According to the Treasury Dept., “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.” The sanctions include freezing Suex’s US assets and prohibiting companies doing business in the US from conducting transactions through Suex.

Editor's Note

It is hard to find trustable statistics, but it appears that overall, less than 2% of transactions using “cryptocurrencies” are criminal in nature. Most of the transactions are investor trading, which is a different thing to worry about. But there should be global pressure and sanctions on exchanges that are enabling any criminal transactions.

John Pescatore

With OFAC sanctions in place, there are significant consequences for using their services in the U.S., which means that if you’re deciding to pay a ransomware demand via Suex, you and your financial institution (FI) would be subject to sanctions or other enforcement actions, both of which are deal breakers for the FI.

Lee Neely

This is an interesting way to undermine the payment flow these criminal gangs rely on. It also illustrates that tackling cybercrime needs a cohesive and wide-ranging approach and not technical controls by themselves. In theory, this may be an effective way to undermine the payment flow these criminal gangs rely on and hopefully won’t turn into a “whack-a-mole” type operation.

Brian Honan

I welcome the U.S. government stepping up their defense against ransomware by classifying it as a criminal, economic, and national-security threat. Cryptocurrency leverages blockchain which means we can trace transactions and they can't be removed or hidden after they occur. Don't let the government do all the work for you though; test, measure, and improve your ability to detect and respond to threats before impact.

Jorge Orchilles

To me this seems a far more effective approach than punishing victim companies that pay a ransom. Interesting to see US Treasury targeted SUEX as over 40% of its transactions were ransomware-related. This will obviously not stop ransomware attacks, but is a step in the right direction, targeting financial exchanges heavily involved in supporting criminal activities.

Lance Spitzner

Chainalysis and Treasury cooperated to produce a report on this effort: https://blog.chainalysis.com/reports/ofac-sanction-suex-september-2021

William Hugh Murray

2021-09-22

VMware Releases 19 Fixes

VMware disclosed 19 vulnerabilities in its products and released fixes for the issues. One is a critical arbitrary file upload flaw in vCenter Server Analytics service. VMware has also offered a workaround for users who can’t patch right away, but notes that “patching ... carries less technical debt and less risk than using a workaround.” Malicious actors are already scanning for servers vulnerable to the flaw.

Editor's Note

VMware sent a security alert to their security advisories mailing list. If you’re a vCenter Server user, and not subscribed to that list, you can sign up on the VMware Security Advisories page (https://www.vmware.com/security/advisories.html). This vulnerability applies to versions 6.5, 6.7 and 7.0 of vCenter, and can be partly mitigated through perimeter protections, such as limiting access to ESXi, vCenter Server and vSphere management interfaces to only vSphere admins, from trusted locations. The full fix is to apply the update. Disabling the CEIP service, or not enabling it in the first place, are not effective mitigations.

Lee Neely

The vCenter file upload / code execution vulnerability should be easy to exploit and fits well into the current ransomware playbook. Needless to say: Do not expose vCenter to the Internet. It is like leaving your datacenter door unlocked. This vulnerability adds the "Free Servers" sign to the door.

Johannes Ullrich

VMware infrastructure should be in a separate management segment of the network. It should not be exposed to internal users and much less the Internet.

Jorge Orchilles

2021-09-23

Apple Issues Patches for 0-day Flaws in Older Versions of macOS and iOS

Apple has released fixes for vulnerabilities in macOS Catalina and iOS that are being actively exploited. Security Update 2021-006 for Catalina addresses a vulnerability that could be exploited to execute arbitrary code with kernel privileges. iOS 12.5.5 addresses three vulnerabilities that could be exploited to execute arbitrary code.

Editor's Note

While Apple has extended support for older operating systems, e.g., iOS 12.5, you should actively work to migrate to hardware which supports the newest versions which are going to have the greatest attention.

Lee Neely

2021-09-23

Port of Houston Fends Off Cyberattack

The Port of Houston (Texas) Authority says it successfully fended off a cyberattack last month. The attack involved the ManageEngine ADSelfService Plus password management and single sign-on solution. A September 16 joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and United States Coast Guard Cyber Command (CGCYBER) warned of active exploitation of a vulnerability in ManageEngine ADSelfService Plus.

Editor's Note

Always good to see stories of “pilot lands plane safely” vs. only hearing about crashes. Not much detail yet on what the Port of Houston did right, but kudos to them for being able to issue a very short and positive press release that ended with a resounding microphone drop: “Port Houston followed its Facilities Security Plan in doing so, as guided under the Maritime Transportation Security Act (MTSA), and no operational data or systems were impacted as a result.”

John Pescatore

This is not the first time ports have been the target of cyber attacks and as our physical infrastructure continues to be more reliant and dependent on IT, these attacks will continue as criminals and nation state actors look to achieve their goals. In 2013, Europol reported hackers had breached the shipping systems in the Belgian port of Antwerp to enable their drug smuggling activity (https://www.bbc.com/news/world-europe-24539417: “Police warning after drug traffickers' cyber-attack”).

Brian Honan

This is outstanding. While details have not been published, other than a point of contact, it will be worthwhile looking at what the port did to defend itself to see if those are actions you could apply to improve your cyber posture.

Lee Neely

The Rest of the Week's News


2021-09-23

Senate Committee Drafting Legislation That Would Update FISMA

Members of the US Senate Homeland Security and Governmental Affairs Committee are drafting legislation that would clarify the role of the Cybersecurity and Infrastructure Security Agency (CISA) in helping agencies improve their cybersecurity postures. The draft legislation would also update the federal Information Security Modernization Act (FISMA) to reflect the evolving cyber threat environment.

Editor's Note

FISMA and related rules/regulation on how government agencies protect government information and systems (including government use of privately owned infrastructure) are badly needed. However, most of the talk here is once again around requiring more reporting from industry to government vs. anything to drive critical government systems to reach essential levels of security hygiene and protection.

John Pescatore

While increased reporting helps with visibility, what is needed is relevant security standards. Too often security controls are written from a perspective of what is possible with Windows systems in an office environment. The mission and scope of government systems ranges from office computing to leading edge research and critical systems. Guidance needs to be simplified and focused on core controls which can be broadly applied without having to spend lots of time tailoring, researching, and applying overlays to determine what is intended and how they are applied. A greater percentage of controls need to be technical, which enables them to be both monitored and implemented with automation while not preventing systems from completing their intended mission objectives.

Lee Neely

One of the biggest challenges we have in the US is there are so many different departments and agencies involved in leading cybersecurity efforts. According to this report, the focus of updating FISMA would be to codify CISA as the central department in leading those efforts. While CISA is relatively new and huge / broad in scope, I like what I have seen in their efforts publishing resources supporting organizations.

Lance Spitzner

2021-09-22

Apple Deprecating TLS 1.0 and 1.1

Apple has deprecated the Transport Layer Security (TLS) 1.0 and 1.1 protocols in recent versions of macOS and iOS. TLS 1.0 dates back to 1999; TLS 1.1 dates back to 2006. The Internet Engineering Task Force (IETF) approved TLS 1.3 in March 2018. Apple plans to remove support for the older versions of TLS in future releases.

Editor's Note

TLS 1.0/1.1 are broken and exploits are not terribly complex. But removing these old protocols doesn't always improve security. For some older devices, the only option may be to switch to completely unencrypted communication. Network monitoring can be used to identify the use of weak TLS versions. Once you have an inventory of these legacy devices, you may come up with a plan to either replace them, or mitigate the vulnerability via other means such as network segmentation or the use of VPN appliances.

Johannes Ullrich

Apple’s move here should surprise no one. TLS 1.0 and 1.1 are aged protocols, and while most known attacks are somewhat esoteric, reasonable successors have hit the mainstream at this point. Businesses need to prepare for these deprecations; as always, make sure your mission critical systems are running current operating systems, as older and end-of-life OSes will often not support TLS 1.2 or 1.3. Do not assume your business won't be impacted and start testing and migration plans now.

James Leyte-Vidal

You should have moved to TLS 1.2 by now. It is widely supported and your security tools will continue to function. Use third-party reporting and testing services, such as SSL Labs, to verify your services are indeed using secure protocols and algorithms. Test TLS 1.3 before widely deploying as it has been known to break some security tools, such as web proxies which operate as a MITM.

Lee Neely

2021-09-22

Another Farm Co-op Hit with Ransomware

A Minnesota Farm Co-op is the second such organization to be hit with ransomware in less than a week. Crystal Valley said in a statement that it was alerted to the attack on Sunday, September 19. The attack rendered Crystal Valley’s payment system inoperable.

Editor's Note

Don’t depend on a critical infrastructure designation to prevent attacks. Make sure you have good cyber hygiene, your users are diligent, and you leverage resources, such as CISA, for both guidance and resources to achieve those ends.

Lee Neely

2021-09-21

Wisconsin Law Requires Insurance Companies to Protect Data

A new law in Wisconsin will require insurance companies to protect customers’ personal information, including health data. Insurance companies will have to conduct risk assessments, establish information security programs, and work with third parties to ensure data security. The law takes effect on November 1, 2021.

Editor's Note

The legislation attempts to create a common standard for information protection, incident response, and breach notification. Regardless of regulatory requirements, you should assess your protection of sensitive company and customer data regularly to ensure you don’t have gaps, and verify that your notification and response plans are both current and tested. Don’t wait for the attackers or auditors to discover a gap in your plan.

Lee Neely

If your industry isn't already subject to data security regulations, it will be. Start looking at the “common sense” practices being called for across many of these different bills and start preparing your business for them now. The runway to implement given by these laws is not always generous. Also, pointing out these types of bills to your senior leaders may help get the funding to plan for this work in advance.

James Leyte-Vidal

Unlike banking, and though engaged in interstate commerce, insurance companies are regulated by the states.

William Hugh Murray

Internet Storm Center Tech Corner

An XML-Obfuscated Office Document (CVE-2021-40444)

https://isc.sans.edu/forums/diary/An+XMLObfuscated+Office+Document+CVE202140444/27860/


A First Look at Apple's iOS 15 "Private Relay" feature

https://isc.sans.edu/forums/diary/A+First+Look+at+Apples+iOS+15+Private+Relay+feature/27858/


Excel Recipe: Some VBA Code with a Touch of Excel4 Macro

https://isc.sans.edu/forums/diary/Excel+Recipe+Some+VBA+Code+with+a+Touch+of+Excel4+Macro/27864/


Windows Platform Binary Table Weakness

https://eclypsium.com/2021/09/20/everyone-gets-a-rootkit/


Apple Patches Older iOS/MacOS Versions

https://support.apple.com/en-us/HT201222


Broken Digital Signatures Used to Foil Malware Detection

https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/


Exchange Autodiscovering Leaks Credentials

https://www.guardicore.com/labs/autodiscovering-the-great-leak/


Nagios Vulnerabilities

https://claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/


Apple Deprecating TLS 1.0/1.1

https://developer.apple.com/news/?id=bv8ur34d


macOS Finder Security Feature Bypass Leads to Possible RCE

https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/


VMWare vCenter Advisory

https://blogs.vmware.com/vsphere/2021/09/vmsa-2021-0020-what-you-need-to-know.html


NetGear Circle Parental Control Vulnerability

https://blog.grimm-co.com/2021/09/mama-always-told-me-not-to-trust.html