SANS NewsBites

Guidance Available on US Treasury Department Requirements for Accepting Cryptocurrencies; Update Microsoft PowerShell to Patch Critical Vulnerabilities; Dutch Police Will Go After Second-Time DDoS-as-a-Service Procurers

October 19, 2021  |  Volume XXIII - Issue #82

Top of the News


2021-10-18

Treasury Reports on Virtual Currency and Ransomware

According to a Financial Trends Analysis report from the US Treasury’s Financial Crimes Enforcement Network, 10 ransomware variants have accounted for more than $5 billion in bitcoin transactions. A report from the Treasury’s Office of Foreign Assets Control spells out sanctions compliance guidelines for the virtual currency industry.

Editor's Note

If your organization is considering accepting “cryptocurrency,” make sure business, finance and legal managers are aware of the OFAC sanctions compliance guidance. The risk is not just the actual ransom payments obtained; using involved exchanges may put transactions using these alternative currencies at risk as well.

John Pescatore

If you’re using cryptocurrency, check the OFAC status of your exchange. Remember, sanctioned does not mean approved in this context. The use restrictions apply to U.S. persons, meaning citizens and “green card” holders, irrespective of their location. Violations of sanctions carry both civil and criminal penalties ranging up to $1 million and/or 20 years in prison for each violation. Additionally, there is an option for civil penalties which can hold you liable even if you did not know you were engaging in a prohibited transaction. Your financial institution is well versed in OFAC and can help you with references and understanding of the issues and risks as they see them.

Lee Neely

2021-10-18

Microsoft Advises Updating PowerShell

Microsoft is advising system administrators to update PowerShell 7 to versions 7.0.8 or 7.1.5 to address two vulnerabilities. One of the flaws is a Windows Defender Application Control (WDAC) bypass; the other is an information disclosure flaw in .NET Core.
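As an added example (not from the SANS item or from Microsoft), the following PowerShell function reports whether a PowerShell 7 build is below the fixed versions named above, 7.0.8 for the 7.0 branch and 7.1.5 for the 7.1 branch. It handles preview builds whose version string carries a prerelease suffix, and it treats Windows PowerShell 5.1 and PowerShell 7.2+ as outside the advisory's scope. The sample version strings at the bottom are constructed inputs.

```powershell
# Added example: check a PowerShell 7 version against the fixed builds named in the
# advisory summary (7.0.8 and 7.1.5). Run it under each installed pwsh, since 7.x
# installs run side by side with Windows PowerShell 5.1 rather than replacing it.

function Test-PowerShell7Patched {
    param(
        # Version string to evaluate; defaults to the running host's version.
        # Preview builds such as "7.2.0-preview.10" carry a prerelease suffix that
        # [version] cannot parse, so the suffix is stripped before comparison.
        [string]$VersionString = [string]$PSVersionTable.PSVersion
    )
    $Version = [version]($VersionString -replace '-.*$', '')

    # Minimum fixed build per affected release branch, taken from the item above.
    $fixed = @{
        '7.0' = [version]'7.0.8'
        '7.1' = [version]'7.1.5'
    }
    $branch = '{0}.{1}' -f $Version.Major, $Version.Minor

    if (-not $fixed.ContainsKey($branch)) {
        # Windows PowerShell 5.1 and PowerShell 7.2+ are outside this advisory's scope.
        return [pscustomobject]@{
            Version      = $Version
            Branch       = $branch
            Affected     = $false
            NeedsUpdate  = $false
            MinimumFixed = $null
        }
    }

    [pscustomobject]@{
        Version      = $Version
        Branch       = $branch
        Affected     = $true
        NeedsUpdate  = ($Version -lt $fixed[$branch])
        MinimumFixed = $fixed[$branch]
    }
}

# Evaluate the host you are running in.
Test-PowerShell7Patched

# Constructed sample inputs: 7.1.4 should report NeedsUpdate = True, 7.1.5 should not,
# and a 7.2 preview build should report Affected = False.
Test-PowerShell7Patched -VersionString '7.1.4'
Test-PowerShell7Patched -VersionString '7.1.5'
Test-PowerShell7Patched -VersionString '7.2.0-preview.10'
```

Because these builds are not delivered through Microsoft Update, the check is only the inventory half of the job: run it through your remoting or configuration-management tooling to find hosts reporting NeedsUpdate = True, then push the 7.0.8 or 7.1.5 installer by the same channel (on systems where winget is present, `winget upgrade --id Microsoft.PowerShell` is one option; that the package manager is available is an assumption, not something the item states).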

Editor's Note

Currently, PowerShell is not updated with Windows Update. So please update this if you are using an affected version of PowerShell. Updates via Microsoft Update may be available in the future.

Johannes Ullrich

Microsoft hasn’t yet incorporated PowerShell 7.0 or 7.1 updates into the Microsoft Update service, so you’re going to have to push these updates to affected systems. PowerShell 7.2-preview.10 has support for Microsoft Update. Note PowerShell 7.1 installs in a new directory and runs side-by-side with PowerShell 5.1. Installing PowerShell 7.1 replaces PowerShell 7.0.

Lee Neely

2021-10-15

Dutch Authorities Caution DDoS-for-Hire Service Customers

Authorities in the Netherlands have warned customers of distributed denial-of-service (DDoS) for hire services that they will face criminal prosecution if they use the services again. Police sent the warning letters to 29 people who had previously purchased DDoS services from a particular site.

Editor's Note

Hmm, one use of DDoS for service attack capabilities is OK in the Netherlands? I’m pretty sure bank robbers and arsonists don’t get a second strike, but some law enforcement action is better than no action.

John Pescatore

DDoS attacks are not just being used by attackers; gamers are also figuring out how to use them to knock rivals out of action. As such, the Dutch Authorities appear to be tempering their guidance to not place undue sanctions or otherwise treat the wrong individuals as criminals. While this does move the bar some, it can create confusion, and a more consistent message of “this is illegal and has consequences” whether service provider or consumer, may be more effective.

Lee Neely

The Rest of the Week's News


2021-10-18

CISA, NSA, and FBI Issue BlackMatter Ransomware Advisory

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) have released a joint advisory regarding BlackMatter ransomware, which was recently used in attacks against two agricultural companies: NEW Cooperative and Crystal Valley. BlackMatter operates as ransomware-as-a-service. The alert provides a technical overview of BlackMatter and offers detection signatures and mitigations.

Editor's Note

BlackMatter leverages LDAP and SMB to access AD and discover all hosts (and shared drives) on the network, encrypting them as it goes. They are also encrypting Linux-based machines using a separate binary, and routinely encrypt ESXi virtual machines. And in case you’re wondering, they don’t encrypt backups; they wipe or reformat the data stores instead. This leverages captured credentials, so augmenting your password processes to check breached passwords is a really good move. Your privileged accounts (system administrators, Domain Administrators, and particularly your Enterprise Administrator) all need to be on MFA. Take a look at time-based access limits on accounts; some ransomware is now trying to act off-hours, and this can help.

Lee Neely

According to the Verizon Data Breach Incident Report (DBIR) the time to detect breaches continues to be measured in weeks to months. Detection is more often passive, as in ransomware, than active. To be useful in resisting ransomware attacks, detection must be active and in hours to days. Set an objective for time to detection and implement a strategy to achieve it.

William Hugh Murray

2021-10-18

Israeli Hospital Suffers Ransomware Attack

An Israeli hospital cancelled non-emergency procedures following a ransomware attack last week. Healthcare providers at Hillel Yaffe Medical Center in Hadera are reportedly using pen and paper in the wake of the attack. Israel’s National Cyber Directorate has made indicators of compromise available to other organizations. Israel’s health Ministry has reportedly advised hospitals to print patient files to ensure continuity of care in the event of additional attacks.

Editor's Note

Rolling back to manual methods, such as pen and paper, allows the business to operate at least at a limited capacity while incident response completes. If you’re in this position, be sure to allocate extra resources to update the restored electronic systems, and don’t wait for full restoration to verify handwritten records are legible. Also plan to validate that downstream actions are checked to avoid data integrity or other long-term issues.

Lee Neely

2021-10-18

Sinclair Broadcast Group Suffers Ransomware Attack

Sinclair Broadcast Group, a Maryland-based media provider, suffered a ransomware attack over the weekend. Sinclair says that the attack encrypted company servers and workstations, disrupting networks. Sinclair also disclosed that the attackers stole data.

Editor's Note

Beyond making sure that you block entry points to your network, verify that you can tell when you’ve got malicious parties on your network. Can you detect malicious events in your network? Can you trigger on unexpected privilege escalation or modification? Are you reviewing account privileges regularly to ensure that only needed privileges are assigned? Do you know what to do when an incident is discovered?

Lee Neely

In their release, Sinclair used language that is often used when ransomware victims have to do a public statement: “As the Company conducts its investigation, it will look for opportunities to enhance its existing security measures.” Convince your management it will actually cost the company less if the release was able to say “Because the Company had improved our security measures before this attack, there was no financial impact to the Company or violation of our customers’ privacy.”

John Pescatore

2021-10-18

Acer Discloses Second Cyberattack in Less Than a Week

Acer has suffered a second cyberattack in less than a week. The Taiwan-based computer maker confirmed that company servers in Taiwan were hit days after its after-sales service system in India was breached.

Editor's Note

Assume you are already compromised and actively look for signs of attack. When you find a deficiency in one area, look to make sure it doesn’t need to be addressed in other areas as well. Make sure you get to root causes (remember “ask why 5 times”) to help you and your IT staff better provision secure configurations in the future and prevent recurrence.

Lee Neely

2021-10-15

Missouri Governor Threatens Legal Action Against Journalist for Story About Security Flaw

Missouri’s governor has threatened to prosecute a journalist and the St. Louis Post-Dispatch newspaper after they ran a story about a vulnerability in a state education website. The paper disclosed the vulnerability to the Missouri state Department of Elementary and Secondary Education (DESE), which addressed the issue before the story was published.

Editor's Note

Use caution when responding to disclosed weaknesses; understand the activities needed to expose them and the situation under which they were performed before declaring they are illegal. In this case the SSNs were revealed by going to the web page and clicking “view source,” which was then disclosed appropriately to DESE, where it was addressed. Make sure that you’re regularly doing security testing and evaluation of your applications to minimize issues discovered and reported externally. Treat disclosed vulnerabilities as well intended, not malicious actions, and take action to address and acknowledge them promptly.

Lee Neely
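The editor's note above describes sensitive data sitting in page source where nothing visible renders it. As an added example (not from the SANS item, the newspaper, or DESE), the PowerShell below scans the HTML source of your own application's pages for Social Security Number patterns, reporting location and a masked value only. The sample HTML is constructed, and the `Test-PageForSsn` wrapper with its `-Uri` parameter is a hypothetical usage against a page you own.

```powershell
# Added example: find SSN-shaped values in HTML source, the kind of exposure the editor's
# note describes. Intended for routine testing of your own applications; it reports where
# a pattern appears (line number, whether it sits in an HTML comment) and masks the digits.

function Find-SsnInSource {
    param(
        [Parameter(Mandatory)][string]$Html,
        [string]$Source = '(inline)'
    )
    # Structural SSN rules: area not 000, 666 or 900-999; group not 00; serial not 0000.
    # These rules keep ordinary numbers such as phone fragments from matching.
    $pattern = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b'
    $lines = $Html -split "`r?`n"
    $hits = for ($i = 0; $i -lt $lines.Count; $i++) {
        foreach ($m in [regex]::Matches($lines[$i], $pattern)) {
            [pscustomobject]@{
                Source    = $Source
                Line      = $i + 1
                # Report a masked value only; the finding is the location, not the number.
                Masked    = '***-**-' + $m.Value.Substring(7)
                InComment = ($lines[$i] -match '<!--')
            }
        }
    }
    $hits
}

function Test-PageForSsn {
    # Hypothetical usage against a page you are authorized to test.
    param([Parameter(Mandatory)][string]$Uri)
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing
    Find-SsnInSource -Html $resp.Content -Source $Uri
}

# Constructed sample: a lookup page that carries an SSN in a hidden field and in an
# HTML comment even though neither is rendered on screen. The phone number should not match.
$sampleHtml = @'
<html><body>
<h1>Educator Lookup</h1>
<p>Name: Jane Sample</p>
<input type="hidden" name="ssn" value="123-45-6789">
<!-- legacy record id: 987-65-4321 -->
<p>Phone: 555-123-4567</p>
</body></html>
'@

# Expected: two findings (lines 4 and 5), the second flagged as inside a comment.
Find-SsnInSource -Html $sampleHtml -Source 'constructed-sample' | Format-Table
```

Run this as part of the regular application testing the note recommends, against rendered source rather than templates, because hidden inputs, comments and embedded JSON are exactly the places where data that the page never displays still ships to every client.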

To me as a non-lawyer, the legal issues around security testing a public website are murky enough to stay away from. Sadly, bruised egos can easily get in the way of fixing the actual security problem. Get permission first to avoid a lot of headaches.

Johannes Ullrich

Internet Storm Center Tech Corner

Active Scanning for Apache Vulnerabilities CVE-2021-41773 and CVE-2021-42013

https://isc.sans.edu/forums/diary/Apache+is+Actively+Scan+for+CVE202141773+CVE202142013/27940/


Warranty Repairs and Non Removable Storage Risks

https://isc.sans.edu/forums/diary/Warranty+Repairs+and+NonRemovable+Storage+Risks/27938/


Malicious PowerShell Script Using Client Certificate Authentication

https://isc.sans.edu/forums/diary/Malicious+PowerShell+Using+Client+Certificate+Authentication/27944/


PowerShell Updates

https://github.com/PowerShell/Announcements/issues/27


Juniper JunOS Patches

https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES


TianFu Cup

https://www.darkreading.com/vulnerabilities-threats/china-s-hackers-crack-devices-at-tianfu-cup-for-1-5m-in-prizes


Crypto Wallet Compromised on OpenSea NFT Marketplace

https://blog.checkpoint.com/2021/10/13/check-point-software-prevents-theft-of-crypto-wallets-on-opensea-the-worlds-largest-nft-marketplace/


$5.2 Billion worth of Bitcoin Transactions Linked to Ransomware

https://www.fincen.gov/sites/default/files/shared/Financial%20Trend%20Analysis_Ransomeware%20508%20FINAL.pdf