SANS NewsBites

Eliminate or Secure Your Use of Remote Desktop Protocol; Denial of Services Caused by Let’s Encrypt Root Cert Expiration; Protect Life Critical Systems Against Ransomware and Other Attacks

October 1, 2021  |  Volume XXIII - Issue #77

Top of the News


2021-09-30

ESET: Remote Desktop Protocol Attacks are Increasing

According to the ESET Threat Report T2 2021, there has been a significant increase in Remote Desktop Protocol (RDP) endpoint attacks. ESET statistics indicate a 104 percent increase in attacks against RDP servers since its June report.

Editor's Note

This shouldn't be news to anybody watching their logs over the last couple of years. A number of large credential leaks focused on RDP. We looked at some of the increases in RDP scanning in April of last year when it was noted as a significant entry point for ransomware (https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994). Since then, we have seen a steady rise in the number of sources scanning for RDP with occasional surges in reports (https://isc.sans.edu/port.html?port=3389). Note that this increase isn't so much caused by remote working. These systems have been exposed before, but leaked credentials gave attackers new tools to attack these exposed systems.

Johannes Ullrich

Two points on this one: (1) monthly or even quarterly changes in the technical targets of attacks aren’t very meaningful overall, since usually the next month or quarter will be very different. This one shows the growth mostly in attacks against targets in Spain, so often still regional info to be gained; and (2) there was a lot of emergency use of RDP to support work from home. By now that use should be replaced with more secure remote access approaches – see the NSA/CISA VPN guidance listed in another item in this issue of Newsbites.

John Pescatore

Whether exploited or not, your pentesters should tell you that services like RDP, VNC, SMB, etc. exposed to the internet are bad. Please, please, please put them behind a good VPN with MFA. See also: today's article on VPN security. (-:

Christopher Elgee

With the increased telework, many added services were made Internet accessible, quickly. Those often include RDP, which makes access easy for users and malicious actors. Remote access must require multi-factor authentication to thwart the value of captured credentials. Put your RDP services behind a secure remote access gateway rather than exposing them directly to the Internet.

Lee Neely

Unsecure RDP connections are one of the top attack vectors that ransomware gangs use to infiltrate companies. Microsoft have published a guide on how to secure RDP (https://www.microsoft.com/security/blog/2020/04/16/security-guidance-remote-desktop-adoption). But you should also identify all remote management tools and platforms that are in place within your organization, ensure they are secured appropriately, and regularly conduct reviews to make sure they remain secure.

Brian Honan

2021-09-30

Let’s Encrypt Root Certificate Expiration Causes Problems

A Let’s Encrypt root certificate expired, disrupting some popular websites and services. There had been advance warning that the IdenTrust DST Root CA X3 certificate would expire on September 30.

Editor's Note

Certificate management has long been overlooked; expired certificates are a continual source of self-inflicted denial-of-service attacks. This used to be just an internet-facing web server problem, but with the increased use of SSL everywhere (both internally and for more than browser-to-server connections) it becomes more critical. Discovering what certificates are in use and when they will expire is the first step, and it should be considered a required function within asset inventory and vulnerability management processes.

John Pescatore

While you’ve been focused on getting all your sites to be TLS only, and implementing processes and automation to keep those current, don’t overlook the processes needed to keep your root certificate stores current. While you’re working to judiciously apply patches such as browser and OS updates which include updated certificates, don’t overlook application server/service updates which may also include local root certificate stores.

Lee Neely

This Let’s Encrypt issue is a good lesson in how vendors and manufacturers think about technology. Deploying certificates is a great and helpful idea. The part of the challenge that I believe many companies or technologists miss is day 2. How do you handle updates for maintenance items on devices that are not general-purpose computers? TVs, printers, light bulbs, Internet connected toasters? How do you revoke or update a certificate on a printer? An intermediary certificate with ten years of life on a device with a ten-year life span is ideal. Using that same certificate on a device created six months ago? Probably not ideal unless you can update it.

Moses Frost
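
As an added example (not code from the newsletter, its editors, or Let's Encrypt), the following Python script applies the two points made above, inventorying which root certificates a host trusts and when each one expires, by auditing the trust store that Python's default SSL context loads. SAMPLE_STORE and SAMPLE_NOW are constructed test data in the same shape that ssl.SSLContext.get_ca_certs() returns; only the 30 September 2021 expiry date is taken from the item, the times and the other two roots are made up.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns.
# Only the 30 September 2021 expiry date comes from the news item; the
# times, the other two roots and SAMPLE_NOW are made up.
SAMPLE_STORE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notBefore": "Sep 30 00:00:00 2000 GMT",
     "notAfter": "Sep 30 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Soon-Expiring Root"),),),
     "notBefore": "Jan 01 00:00:00 2011 GMT",
     "notAfter": "Nov 15 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notBefore": "Jan 01 00:00:00 2015 GMT",
     "notAfter": "Jan 01 00:00:00 2035 GMT"},
]
SAMPLE_NOW = 1633046400  # 2021-10-01 00:00:00 UTC, the day after the expiry

def common_name(subject):
    """Pull commonName out of the nested RDN tuples get_ca_certs() uses."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"

def audit_roots(certs, now=None, warn_days=90):
    """Split cert dicts into (expired, expiring) lists of (CN, notAfter)."""
    now = time.time() if now is None else now
    expired, expiring = [], []
    for cert in certs:
        ends = ssl.cert_time_to_seconds(cert["notAfter"])  # GMT string -> epoch
        days_left = (ends - now) / 86400
        entry = (common_name(cert["subject"]), cert["notAfter"])
        if days_left < 0:
            expired.append(entry)
        elif days_left <= warn_days:
            expiring.append(entry)
    return expired, expiring

def audit_system_store(warn_days=90):
    """Audit roots the default SSL context trusts (capath roots appear only once used)."""
    ctx = ssl.create_default_context()
    return audit_roots(ctx.get_ca_certs(), warn_days=warn_days)

if __name__ == "__main__":
    for label, items in zip(("EXPIRED", "EXPIRING"), audit_system_store()):
        for name, ends in items:
            print(f"{label}: {name} (notAfter {ends})")
```

Run it on each server class in the inventory, not just workstations, since application servers ship their own root stores as the note above points out.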

2021-09-30

Ransomware Attack May Have Contributed to Patient’s Death

A lawsuit alleges that a 2019 ransomware attack against an Alabama hospital’s network prevented healthcare providers from monitoring possible life-threatening conditions that eventually led to the death of a patient. (Please note that the WSJ story is behind a paywall.)

Editor's Note

Critical systems need adequate protection. Isolate systems which, if compromised, can result in loss of life, and limit access to only authorized systems and users. Verify those separations are in place on a regular cadence, removing any access which is no longer needed.

Lee Neely

Over the years there have been worms, distributed denial-of-service and ransomware attacks that have tragically been associated with loss of life. Lawsuits have followed but have rarely, if ever, been successful. That doesn’t change the fact that functions that are life critical should be protected at a much higher level, with regularly tested backup approaches and prioritized monitoring.

John Pescatore

I worked at significant hospitals for the first 8 to 10 years of my IT career. Security was secondary to patient safety. The most considerable security budget items dealt with patient health information and keeping worms from bringing down the systems. Anyone who has worked in that field knows that it's challenging to convince management to prioritize information security. A significant challenge is to upgrade a million-dollar medical device because it runs Windows 7 and still has several more years of life left before it is obsolete. Maybe this new style of attack that impacts patient safety can bring more meaningful change, both at the manufacturer level and at healthcare facilities.

Moses Frost

The Rest of the Week's News


2021-09-30

NSA & CISA Guide on VPN Security

The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released a guide to virtual private network (VPN) security. The guide offers advice for choosing a VPN as well as details for secure deployment.

Editor's Note

Sound advice, and it may help justify spending some time reviewing VPN configurations. While some of the recommendations (for example, limiting the IP addresses users connect from) may not be practical for a remote access solution, keeping your software up to date and implementing two-factor authentication is a must at this point for any remote access solution.

Johannes Ullrich

This guide encapsulates the basics for you to verify your VPN is well chosen and securely configured. Configure secure encrypted protocols, keep them patched and select products which you can verify are genuine. Make sure that multi-factor authentication doesn’t exclude any accounts. If you have the infrastructure to support certificate-based authentication, consider that as an option. Make sure certificates cannot be easily extracted and moved to unauthorized systems. Also make sure that your VPN grants access only to the services each user needs.

Lee Neely

It feels like we are rehashing this conversation again with SSL VPNs. Initially, we said that HTTPS-based VPNs were less than ideal, specifically those used to port forward through Java Applets. Now the guidance has shifted even more interestingly: use standards-based protocols like IPSEC and be able to inspect the code itself. The interesting problem here is that all enterprise VPNs, with few exceptions, are closed source. The open source options lack many of the logging/auditing/firewalling features most organizations need. It sounds like an opportunity for someone to fill the gap. This problem is even more challenging when you get to the newer Software Defined Perimeter options which form Zero Trust. Almost all of these are opaque and sometimes use custom VPN protocols. Still, this is excellent guidance from CISA and the NSA.

Moses Frost

Terminate VPNs on the application, not the operating system or the perimeter.

William Hugh Murray

2021-09-30

CISA Releases Insider Threat Assessment Tool

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an insider threat self-assessment tool for public and private sector organizations. The Insider Risk Mitigation Self-Assessment Tool provides a list of questions to help organizations assess their risk posture. CISA says “The tool will also help users further understand the nature of insider threats and take steps to create their own prevention and mitigation programs.”

Editor's Note

When was the last time you assessed your insider threat posture? Use the CISA tool to take a fresh look at your posture. Use the assessment report to plan for any improvements, and note your successes.

Lee Neely

Keep in mind that while insider threat is low, consequences and risk are high. Focus on controls (e.g., vetting at hiring, supervision, training, separation of duties, job rotation, mandatory vacations, accountability, recognition, compensation).

William Hugh Murray

2021-09-28

FoggyWeb Backdoor Malware

A recent Microsoft Threat Intelligence Center blog post details newly detected malware being used by the Nobelium threat actor. The FoggyWeb post-exploitation backdoor is “capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.”

Editor's Note

This exploit is leveraging DLL search order hijacking and applies to both your on-premises and cloud based AD FS services. Read the Microsoft bulletin for the techniques and IOCs used. Microsoft-provided security products, such as Defender, already detect Nobelium/FoggyWeb. Review your security settings, make sure credentials are issued using best practices, and use HSM modules to prevent exfiltration of secrets by FoggyWeb. Use Microsoft’s best practices guide for securing AD FS: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs

Lee Neely

Once again, ADFS is back in the news. We talked about blood in the water, and this will not end for some time. Anyone who spends any time searching the internet will see that ADFS is used in some of the world's largest and most important institutions. We should treat this just like we treat VPNs. It's the edge of your network; in this case, it's the edge of your identity perimeter. It's also connected directly to Active Directory, and many times it's part of the Azure Active Directory Flow.

Moses Frost

2021-09-30

CISA and Girls Who Code Partnership

The Cybersecurity and Infrastructure Security Agency (CISA) is partnering with Girls Who Code “to develop pathways for young women to pursue careers in cybersecurity and technology.” CISA Director Jen Easterly said, “The gender gap that exists in the cybersecurity workforce contributes to the overall cyber workforce shortage that persists in the United States and globally, which ultimately makes us less prepared to deal with the threats of today and tomorrow.”

Editor's Note

SANS has a Girls Go Cyberstart initiative (https://girlsgocyberstart.org/) that has partnered with Girls Who Code in the past. Bringing women and minorities into cybersecurity both increases the size of the workforce and the effectiveness and diversity of security teams.

John Pescatore

This is an excellent opportunity, as CISA is becoming not only more central in US government cyber security, but is also interfacing with the private sector, particularly critical infrastructure, and is seeking needed cyber talent to meet its mission. The networking opportunities are outstanding.

Lee Neely

2021-09-29

Russian Cybersecurity CEO Arrested for Alleged High Treason

Authorities in Russia have arrested the CEO of a cybersecurity company on suspicion of high treason. Law enforcement raided the offices of Group-IB on September 29. Ilya Sachkov, CEO and co-founder of Group-IB, allegedly shared data with foreign intelligence entities.

Editor's Note

Given the recent high level political talks about ransomware, such as talks at the G7 summit, this is a worrying development. Group-IB have been very effective in sharing data with law enforcement in dealing with cyber-crime. Such actions against senior figures in cyber security companies may discourage others from sharing similar information and negatively impact our ability at a global level to deal with the threat of cybercrime and in particular ransomware.

Brian Honan

When sharing data, particularly internationally, be very clear on export control and legal jurisdiction surrounding that information. Verify the agency which regulates your industry and the information category.

Lee Neely

2021-09-30

Indiana Hospital Suffers Cyberattack

Schneck Medical Center in Indiana has disclosed that it was the victim of a cyberattack and that “Out of an abundance of caution, access to all IT applications within [its] facilities were suspended.” Most services at the facility appear to be unaffected.

Editor's Note

This shows the need for clear communications when responding to an incident. While some services are offline, such as the phone system, other changes, such as delaying certain procedures due to pandemic induced capacity constraints, are also being erroneously attributed to the attack. Communicate fully and clearly and provide regular updates during an incident.

Lee Neely

2021-09-30

US Lawmakers Want to Hear FBI’s Reasons for Delaying Release of Ransomware Decryption Key

US legislators are demanding that FBI director Christopher Wray appear before Congress to explain the agency’s reasons for withholding the decryption key for the ransomware that infected Kaseya software. Last week, the Washington Post reported that the FBI obtained the key by accessing servers used by the criminals who launched the attack; the agency held onto the decryption key for nearly three weeks before sharing it with Kaseya.

Internet Storm Center Tech Corner

Keeping Track of Time: Network Time Protocol and GPSD Bug

https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/


TLS 1.3 and SSL: The Current State of Affairs

https://isc.sans.edu/forums/diary/TLS+13+and+SSL+the+current+state+of+affairs/27882/


SANS.edu Student Christopher DeWees: Expired Domain Dumpster Diving

https://www.sans.edu/cyber-research/40505/


Visa/Apple Express Transit Relay Attack

https://www.bbc.com/news/technology-58719891


FluBot Offering Fake FluBot Protection

https://twitter.com/CERTNZ/status/1443701853665980440


Apple Airtags Stored XSS

https://medium.com/@bobbyrsec/zero-day-hijacking-icloud-credentials-with-apple-airtags-stored-xss-6997da43a216


Undetected Azure Active Directory Brute-Force Attacks

https://www.secureworks.com/research/undetected-azure-active-directory-brute-force-attacks


CISA/NSA Guidance To Configure VPNs

https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF


Facebook Open Sourcing "Mariana Trench" Tool To Analyze Android and Java Apps

https://engineering.fb.com/2021/09/29/security/mariana-trench/


EFF Discontinues HTTPS Everywhere Plugin

https://www.eff.org/deeplinks/2021/09/https-actually-everywhere


Malicious CryptoCoin Wallet

https://discourse.mozilla.org/t/got-hacked-by-the-add-on-called-safepal-wallet/85797


Microsoft Automates Exchange Mitigations

https://techcommunity.microsoft.com/t5/exchange-team-blog/new-security-feature-in-september-2021-cumulative-update-for/ba-p/2783155