SANS NewsBites

North Korea Targeting Cybersecurity Researchers; Emotet Operations Disrupted; iOS Zero-days Actively Exploited; US CYBERCOM and NSA: Patch Sudo Now

January 29, 2021  |  Volume XXIII - Issue #8

Top of the News


2021-01-26

North Korean Threat Actors Targeting Cybersecurity Researchers

Google's Threat Analysis Group has detected an ongoing campaign launched by North Korean cyber threat actors against cybersecurity researchers. The threat actors created a blog and Twitter profiles to establish their credibility with the targeted researchers. After gaining their trust, the threat actors ask the researchers if they would like to work together on research projects. If they agree, the hackers send collaboration tools that include malware. Some researchers' computers were compromised after they visited the hackers' blog.

Editor's Note

In the last SANS Top New Attacks and Threat Report (https://www.sans.org/reading-room/whitepapers/threats/paper/39520) we highlighted two active and sophisticated threat vectors: what I called Highly Targeted Phishing attacks, like this campaign against cybersecurity researchers; and a more dangerous variant that Ed Skoudis called "Very Deep Persistence" attacks, where malicious capabilities are buried within hardware, accessories, or components such as charging stations in public places, charging cables, or modified USB drives. While this news item focuses on cybersecurity researchers, these techniques have been used against CEOs, CFOs, and Boards of Directors - as well as researchers from many industries. Good topic for a mid-quarter special topic briefing or tabletop exercise with CXOs/boards.

John Pescatore

While I most often worry about social engineering scams that my family members would fall for, this one targets us as cybersecurity professionals, with pretty decent supporting research and credentials. This should be used as a teaching moment for colleagues newer to InfoSec. The actor's accounts are reportedly deactivated; even so, reference the Google blog list of social media accounts and make sure they're no longer connected with you. That blog also contains C2 sites and hashes to incorporate in your detection tools.

Lee Neely

If cybersecurity "researchers" can be taken in by these "grooming" attacks, imagine the vulnerability of young people. Parents cannot monitor all the activity of children online but they should try to ensure that they do not correspond with "friends" that they meet online.

William Hugh Murray

2021-01-27

International Effort Disrupts Emotet Operations

Law enforcement and judicial authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine have worked together to disrupt the functionality of the Emotet malware. The operation took control of Emotet's command-and-control infrastructure, which comprised hundreds of servers around the world. At least two people have been arrested in Ukraine in connection with the operation. Law enforcement officials in the Netherlands are delivering an Emotet update that will remove it from infected devices on April 25, 2021.

Editor's Note

Emotet has been around since 2014, and was offered/sold to other threat actors as a polymorphic loader for their exploits. The Dutch National Police have released a tool (http://www.politie.nl/emocheck), based on the database of email, usernames and passwords they obtained, to check and see if your email address was among those exfiltrated using Emotet.

Lee Neely

These two operations are a great success of global law enforcement and send a clear message to criminals that they are not immune. To see how lucrative these schemes are for criminals, have a look at the video published by the Ukrainian police of their raid (https://youtu.be/_BLOmClsSpc). In it you can see the gold bars and stacks of money the criminals have gathered.

Brian Honan

2021-01-27

Apple Releases Unscheduled iOS Update to Fix Zero-days

Apple has released an emergency update for iOS to fix critical flaws that are being actively exploited in the wild. One of the vulnerabilities affects the iOS kernel; the other two affect WebKit. The kernel race condition could be exploited to gain elevated privileges; the WebKit flaws could be exploited to execute arbitrary code. The newest versions of the affected operating systems are iOS 14.4 and iPadOS 14.4.

Editor's Note

These flaws are being actively exploited, which means install the update post-haste. Make sure you're pushing the update to your Automated Device Enrollment (ADE, formerly DEP) devices along with a message requesting users to make sure it's installed. Even with automated updates enabled, there are cases where updates don't install, so you will need to monitor to ensure the update is installed.

Lee Neely

2021-01-27

US CYBERCOM and NSA Urge Users to Patch Sudo Vulnerability

The NSA and the US Defense Department's Cyber Command are both warning of a serious heap-based buffer overflow in the sudo utility that could be exploited to gain root privileges on vulnerable hosts. The vulnerability was discovered by researchers at Qualys; it has been present in sudo since 2011. The issue "affects all legacy versions from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 in their default configuration." The issue is addressed in sudo 1.9.5p2.

Editor's Note

Don't forget to check for and apply updates on older or non-mainstream Linux distributions which are not on your regular patch cycle. The Qualys site includes links to the vendor bulletins for each OS variant. Note that vendor-fixed sudo updates are available which may have version numbers which appear to fall within the ranges identified above. Updating the packages is simple, but make sure any running copies of sudo are terminated after the update.

Lee Neely
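One way to triage a fleet against the version ranges quoted above is to parse `sudo --version` output and compare it, including the `pN` patch-level suffix, against those ranges. This is an added example written for this newsletter, not code from Qualys or the sudo project; it assumes the first line of `sudo --version` has the form "Sudo version 1.9.5p2", and it treats a hit as a lead to confirm against the vendor bulletin, since distributions backport fixes without changing the upstream number.

```python
import re
import subprocess

# Affected ranges as quoted in the advisory: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
# Versions are tuples (major, minor, patch, p) so that 1.8.31 < 1.8.31p2 < 1.8.32.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),   # legacy branch
    ((1, 9, 0, 0), (1, 9, 5, 1)),    # stable branch; 1.9.5p2 is the fix
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, p) from a bare version string or from the
    first line of `sudo --version` (for example "Sudo version 1.8.31p2").
    A missing pN suffix counts as p0 so ordering stays consistent."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no sudo version number found in %r" % text)
    major, minor, patch, p = match.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_in_affected_range(version):
    """True when the upstream version number lies inside a vulnerable range.
    Accepts a version string or an already-parsed tuple."""
    v = parse_sudo_version(version) if isinstance(version, str) else version
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify(version_line):
    """Human-readable triage verdict for one host's `sudo --version` line."""
    if is_in_affected_range(version_line):
        # A vendor-patched package can still report an in-range upstream number,
        # so this is "check the vendor bulletin", not "confirmed vulnerable".
        return "in affected range: confirm vendor backport or update to 1.9.5p2+"
    return "outside affected ranges"


def installed_sudo_version():
    """Parse the locally installed sudo version; `sudo --version` needs no privileges."""
    proc = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=True)
    return parse_sudo_version(proc.stdout.splitlines()[0])


if __name__ == "__main__":
    # Constructed sample lines standing in for output collected from several hosts.
    for line in ["Sudo version 1.8.31p2", "Sudo version 1.9.5p2", "Sudo version 1.8.1"]:
        print(line, "->", classify(line))
```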

The Rest of the Week's News


2021-01-28

NetWalker Ransomware Operations Disrupted

Authorities in the US and Bulgaria have seized a server that NetWalker ransomware operators used to communicate with victims and publish stolen data. They have also seized more than $450,000 in cryptocurrency. A Canadian individual allegedly connected to NetWalker ransomware attacks has been charged in US federal court.


2021-01-28

Mimecast Says Certificate Compromise Perpetrated by SolarWinds Threat Actors

Mimecast has confirmed that the certificate compromise reported earlier in January was carried out by the same threat actors responsible for the SolarWinds supply chain attack. In a blog post, Mimecast writes, "Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes."

Editor's Note

Two key points here: (1) The Russian attackers targeted and compromised at least two large security vendors, FireEye and Mimecast - all major security product and service procurements should be evaluating what security vendors in particular are doing to prevent this in the future, including evidence of external third-party active security assessments and acceptable scores from third party risk analysis services; (2) compromises of cloud service providers like Mimecast have been rare but they do happen. When they occur, they point out that when cloud services are in your supply chain, they have a lot of moving parts and interdependencies. The severe impact of the SolarWinds compromise has raised the visibility of the need for upgrades in supply chain security - good to add a special focus on the cloud services aspect.

John Pescatore

Mimecast is neither a small nor inexperienced security service provider. Both Mimecast and FireEye should be noted for their exemplary transparency, sharing lessons learned and proactive response to protect users and follow up. Do your service providers have a similar posture in the event of compromise? Also kudos to Microsoft's security team for reaching out to potential competitors when security problems were identified.

Lee Neely

Signing keys should not be stored online when not in use.

William Hugh Murray

2021-01-28

Stack Overflow Discloses Additional Information About 2019 Breach

Stack Overflow is now providing more details about the 2019 breach that compromised the site's code and data. On May 12, 2019, Stack Overflow became aware that a new user account had elevated privileges for all sites in the Stack Exchange Network. Their "response was to revoke privileges and to suspend this account and then set in motion a process to identify and audit the actions that led to the event." They "found that the escalation of privilege was just the tip of the iceberg and the attack had actually resulted in the exfiltration of our source code and the inadvertent exposure of the PII (email, real name, IP addresses) of 184 users of the Stack Exchange Network (all of whom were notified)." The blog post includes a detailed timeline.


2021-01-26

WestRock Discloses Ransomware Attack

Atlanta-based packaging company WestRock is dealing with a ransomware attack that affected some of its operational and information technology systems. The attack occurred on Saturday, January 23.


2021-01-27

ADT Fixes Vulnerabilities in Home Security Camera

Researchers at Bitdefender have disclosed vulnerabilities in ADT's LifeShield cameras that could be exploited to eavesdrop on conversations or access live video feeds. The issues affect a certain model of LifeShield DIY HD Video Doorbells, which allow users to answer the door remotely through the LifeShield app. Bitdefender notified ADT prior to disclosing the vulnerabilities; ADT released an automatic update in August 2020.

Editor's Note

Doorbell camera vulnerabilities are a particular favorite for actors conducting swatting attacks. Make sure that you're using multi-factor access to your accounts and verify exactly who can access, view, or manipulate them.

Lee Neely

2021-01-27

NIST Risk-Based Guide on Information Exchange Security

The US National Institute of Standards and Technology (NIST) has released a publication titled Managing the Security of Information Exchanges. The draft document "provides guidance on identifying information exchanges; risk-based considerations for protecting exchanged information before, during, and after the exchange; and example agreements for managing the protection of the exchanged information." NIST is accepting comments on the document until March 12, 2021.

Editor's Note

While we talk about flowing down security requirements, often that doesn't come with a ready methodology to follow. Cloud migration and outsourcing activities, particularly of late, have organizations exchanging information more than ever before and with the pressure to deliver, it's important to use a consistent approach to ensure the information is properly handled. NIST's draft guidance addresses the lifecycle of an information exchange, from planning to termination. Compare this with your current processes to identify gaps or omissions, and if you've discovered a cool trick that will help others, provide comments before March 12th.

Lee Neely

2021-01-26

Healthcare-Related Breach Roundup

Health IT Security's weekly breach round-up includes a cyberattack against the Okanogan County (Washington) government computer system that has affected the county's Public Health department, and the Einstein Healthcare Network (Philadelphia area) notifying patients of an August 2020 data breach.


2021-01-27

Harris County, TX Will Replace Paperless Voting Machines With Machines that Produce a Paper Trail

Harris County, Texas, has signed a contract to purchase voting machines that create a paper audit trail. Harris County has until now been using voting machines that provide no paper records of votes for people voting in-person. Harris County, with 4.7 million residents, is the third most populous county in the US.


2021-01-28

USCellular Discloses Data Breach

Mobile network company USCellular has disclosed a data breach that compromised customers' account information and wireless phone numbers. USCellular said the incident stemmed from store employees being tricked into downloading malware onto a store computer. The hackers gained access to the company's CRM system. USCellular believes the attack occurred on January 4, 2021; it was detected two days later.

Internet Storm Center Tech Corner

Critical sudo Vulnerability

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit


Qakbot (QBot) Update

https://isc.sans.edu/forums/diary/TA551+Shathak+Word+docs+push+Qakbot+Qbot/27030/


Emotet vs. Windows Attack Surface Reduction

https://isc.sans.edu/forums/diary/Emotet+vs+Windows+Attack+Surface+Reduction/27036/


Targeting Security Researchers

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/


Apple Updates iOS, iPad, tvOS, watchOS, Xcode and iCloud for Windows

https://support.apple.com/en-us/HT201222


Go Lang Vulnerability

https://blog.golang.org/path-security


Azure Docker Escape

https://www.intezer.com/blog/research/how-we-hacked-azure-functions-and-escaped-docker/


New Cryptojacking Malware

https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/


SlipStreaming

https://www.armis.com/resources/iot-security-blog/nat-slipstreaming-v2-0-new-attack-variant-can-expose-all-internal-network-devices-to-the-internet/


Shadowsocks

https://shadowsocks.org/en/index.html