SANS NewsBites

Attackers Exploiting Known Vulnerabilities in Zoho Password Management Service and Sitecore; UL SafeCyber Platform

November 9, 2021  |  Volume XXIII - Issue #88

Top of the News


2021-11-07

Threat Actors are Exploiting Known Flaw in Zoho Password Management Service

According to a report from Palo Alto Networks’ Unit 42, threat actors have exploited a known vulnerability in Zoho ManageEngine AdSelfService Plus to compromise networks at nine organizations in various sectors, including technology, defense, energy, and healthcare. The threat actors likely have ties to China. In mid-September, a US Cybersecurity and Infrastructure Security Agency (CISA) alert warned that the critical vulnerability was being actively exploited. Zoho has released updates to address the flaw.

Editor's Note

This flaw has been exploited since shortly after it was made public (and after a patch was released). Any vulnerable exposed system has likely been compromised. Palo Alto’s blog lists some IOCs to watch out for, but there are likely other groups using this relatively easy to exploit vulnerability.

Johannes Ullrich

Reusable passwords are not only inherently insecure, but they also require robust password reset processes, since attackers have always targeted them. Self-service password reset software needs to be high security, and ManageEngine did not live up to that. If you are using competing products for automated password reset, make sure you have applied all patches and choose a quality vendor.

John Pescatore

2021-11-08

Australian Cyber Security Centre: Attackers are Exploiting Known Flaw in Sitecore XP

A remote code execution flaw in the Sitecore Experience Platform (XP) content management system is being actively exploited, according to an alert from the Australian Cyber Security Centre (ACSC). Sitecore released a fix for the issue in October.


2021-11-08

Underwriters Laboratory Launches SafeCyber Platform

Underwriters Laboratory (UL) has introduced its SafeCyber Digital Security Platform, “a suite of cloud-based security solutions for connected products.” The “Maturity Path solution provides you with a secure development life cycle maturity assessment and a certification readiness score for … connected product lines.” Other solutions include Firmware Check and Field Monitoring.

Editor's Note

With last week’s announcement of the Minimum Viable Security Product baseline by Google, Salesforce, Okta, Slack and others, and this announcement by UL, there are fewer and fewer reasons for poor security in devices/“things.” The first step for security managers is to gain support for all procurement to include security processes and testing as part of the evaluation process.

John Pescatore

The Rest of the Week's News


2021-11-08

REvil Suspects Arrested

An international law enforcement operation has resulted in the arrests of seven individuals believed to be involved with the Sodinokibi/REvil ransomware operations. The US Department of Justice has seized “$6.1 million in funds traceable to alleged ransom payments.” The US State Department is offering up to $10 million for information that helps identify or locate leaders of the ransomware group.

Editor's Note

This is very welcome news and great to see, yet again, how international cooperation by various law enforcement agencies can have a real impact on those who target the vulnerable on the Internet. While a welcome victory, this is not the end of ransomware gangs, but it does send a very strong message to them that the game, and the cost of playing in the game, has changed significantly.

Brian Honan

This is great news but don't let your guard down. These groups re-organize and there are more than enough criminals to go around. Continue to train and prepare for the next attack, whether ransomware or not, assume breach, and focus on detection and response.

Jorge Orchilles

2021-11-07

Operation Cyclone Disrupts Clop Ransomware Group’s Operations

An international law enforcement effort dubbed Operation Cyclone has disrupted operations of the Clop ransomware group. Six alleged members of the group were arrested in Ukraine earlier this year. Several cybersecurity companies provided threat intelligence for the operation.

Editor's Note

A reminder as to why it is so important for victims of cybercrime to report these crimes to law enforcement. The more information we share with the authorities, the more data and intelligence they have. This allows agencies such as Europol to analyse that data, leading to more effective operations and arrests.

Brian Honan

Another bit of good news on the ransomware front. Keep your guard up and keep training your teams to detect and respond to the inevitable next attack.

Jorge Orchilles

Ransomware attacks are popular among criminals because they believe that the risk of punishment is low. That risk is clearly going up. Law enforcement begins with and relies upon victims providing essential intelligence.

William Hugh Murray

2021-11-05

Electronic Health Record Security Issues

Philips and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories about a pair of SQL injection vulnerabilities in the Philips TASY Electronic Medical Record HTML5 system. The flaws affect versions 3.06.1803 and earlier. Also, QRS Healthcare Solutions recently disclosed a data security incident that compromised personal data, including health information, of some clients’ patients.

Editor's Note

In 2021 there is no excuse for a vendor to be rolling out products with SQL Injection flaws in them. SQL Injection is consistently in the CWE/SANS Top 25 Most Dangerous Software Errors.

Brian Honan

Of course, parsing inputs is not an issue limited to health records. Parsing inputs gets harder and harder when one does not know the environment in which one's product will run. However, it seems very unlikely that one does not know that one's product will use a database and that it must resist the insertion of SQL commands. Note that the database manager cannot protect itself; it cannot know enough about the intent of the application to recognize malicious inputs.

William Hugh Murray
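As an added illustration of that last point (example code written for this issue, not from the Philips or CISA advisories): to the database engine, both statements below are well-formed SQL, so only the application's choice to bind the value as a parameter keeps user input from being parsed as a command. The table, rows and inputs are constructed.

```python
import sqlite3

# Constructed sample data: a tiny patient index standing in for an EMR table.
ROWS = [("1001", "Ada"), ("1002", "Grace"), ("1003", "Linus")]


def _connect() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (mrn TEXT, name TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(mrn: str) -> list[tuple[str, str]]:
    """Vulnerable: the caller's input becomes part of the SQL text, so the
    engine parses any structure the input carries as legitimate SQL."""
    conn = _connect()
    sql = "SELECT mrn, name FROM patient WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(mrn: str) -> list[tuple[str, str]]:
    """Hardened: the statement shape is fixed before the value is bound, so
    the input is only ever compared as a string, never parsed as SQL."""
    conn = _connect()
    sql = "SELECT mrn, name FROM patient WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


if __name__ == "__main__":
    benign = "1002"
    # Constructed input carrying SQL structure, as a tester would submit it.
    hostile = "x' OR '1'='1"
    print(lookup_concatenated(benign))    # one row
    print(lookup_concatenated(hostile))   # every row: the engine saw valid SQL
    print(lookup_parameterized(hostile))  # no rows: compared literally
```

The engine returns every row for the concatenated query because the WHERE clause it received is valid; nothing in the database layer can tell that the OR was not the application's intent.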

2021-11-08

Medical Device Incident Response Playbook

A new publication from the Cloud Security Alliance IoT Working Group aims to help healthcare organizations mitigate security risks. The document provides guidance not only for incident response, but also for incident response preparation.

Editor's Note

While it is likely that some, not to say many, healthcare organizations do not have mature incident response plans, most should prefer and concentrate on security measures that operate early.

William Hugh Murray

2021-11-05

Defense Contractor Discloses Phishing Attack, Data Theft

A US government contractor has disclosed a phishing attack that resulted in data theft. Electronic Warfare Associates acknowledged that its email system was breached and that the attackers exfiltrated personal information. The breach occurred in August 2021. The attack was detected when the thief attempted to use the stolen data to commit wire fraud.


2021-11-05

ITIC Recommendations on ICT Supply Chain Security Risks

In September, the US Department of Commerce’s Bureau of Industry and Security issued a request for public comments on Information Communications Technology (ICT) supply chain risks. The Information Technology Industry Council (ITIC) responded to the request with policy recommendations, which include “continu[ing] to build and leverage robust public-private partnerships to address ICT supply chain challenges [and] mak[ing] investing in critical technologies a national priority.”

Editor's Note

The solution to the supply chain risk must start with supplier accountability. We should be demanding a machine-readable software bill of materials in all products along with a statement of intended use and expected environment.

William Hugh Murray

Internet Storm Center Tech Corner

(Ab)Using Security Tools & Controls for the Bad

https://isc.sans.edu/forums/diary/AbUsing+Security+Tools+Controls+for+the+Bad/28014/


Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory

https://isc.sans.edu/forums/diary/Decrypting+Cobalt+Strike+Traffic+With+Keys+Extracted+From+Process+Memory/28006/


XMount for Disk Images

https://isc.sans.edu/forums/diary/Xmount+for+Disk+Images/28002/


Image-Scaling Attacks in Machine Learning

https://www.usenix.org/system/files/sec20fall_quiring_prepub.pdf


Targeted Attack Campaign Against ManageEngine ADSelfService Plus

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/


More Proactive SIMs

https://medium.com/telecom-expert/more-proactive-sims-f8da2ef8b189


Thunderbird Update

https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/