SANS NewsBites

SolarWinds Attack Vectors and US Federal Judiciary Actions; Attacks Targeting Cyber Researchers; SonicWall Zero-day Exploited; NoxPlayer Update Compromised

February 2, 2021  |  Volume XXIII - Issue #9

Top of the News


2021-02-01

Threat Actors Behind SolarWinds Used Multiple Attack Vectors

The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) says that “significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds.” The threat actors used multiple attack vectors. (Please note that the WSJ story is behind a paywall.)


2021-02-01

SolarWinds: US Federal Judiciary Sets New Requirements for Filing Sensitive Documents

The SolarWinds supply chain attack affected the US court system’s electronic files, prompting the federal Judiciary to adopt “new security procedures to protect highly sensitive confidential documents filed with the courts.” US courts have been instructed to issue standing or general orders that “highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to” the Judiciary’s Case Management/Electronic Case Files system.

Editor's Note

Isolated or air-gapped systems still have information flowing in and out, so controls are critically needed to ensure that only intended information is permitted. Administration tasks will need one or more of these safeguards: duplication of backup, patching, monitoring and alerting capabilities, or a controlled interface from existing systems, which could be leveraged to affect a compromise. Alternatively, sensitive documents can be secured by encryption where only the intended readers can decrypt them, and third-party key recovery requires security officers not system administrators.

Lee Neely

The "SolarWinds" attack demonstrates the fragility of our infrastructure and the necessity of "zero trust," of process-to-process isolation, of mutually suspicious processes. It is time to end the convenience of flat enterprise networks, where compromise can spread laterally quickly and efficiently.

William Hugh Murray

2021-01-29

Microsoft Provides More Information About Attacks Targeting Researchers

Microsoft is sharing additional information about the North Korean hacking campaign targeting cybersecurity researchers. Google’s Threat Analysis Group released an initial warning about the campaign last week. In a January 28 blog post, Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team write that over that past months, they have “detected cyberattacks targeting security researchers by an actor we track as ZINC.” The ZINC threat group has ties to the Lazarus Group. Microsoft’s report provides additional technical information about the threat actors’ use of Visual Studio as an attack vector. The campaign presently appears to be targeting only researchers who are using Windows.

Editor's Note

These "grooming" attacks, the kind that are used against children, are narrowly targeted, resource intensive, and do not scale well. More are abandoned than succeed. The value of the target to the attacker determines whether or not they are efficient.

William Hugh Murray

2021-02-01

SonicWall Zero-day is Being Exploited in the Wild

SonicWall says that threat actors are exploiting a critical, unpatched vulnerability in one of the company’s firewalls. The flaw affects SonicWall Secure Mobile Access 100 series firmware version 10.x. SonicWall is in the process of developing a patch for the vulnerability and expects to make it available by the end of the day on Tuesday, February 2. The company has listed mitigations that can be implemented until the fix is available.


2021-02-01

NoxPlayer Software Update Mechanism Compromised in Supply-Chain Attack

Researchers from Eset say that the NoxPlayer Android emulator was hit with a supply chain attack. The attackers compromised the BigNox software distribution system and sent malicious updates. The malware installs surveillance software on users’ computers. While NoxPlayer has a reported 150 million users around the world, the attackers appear to be targeting only a very small number of users, all located in Asia.

Editor's Note

This is hard to detect, as the update MD5 checksum matched the information provided over the BigNox API. The tell-tale sign was that the bogus updates were not digitally signed. Until BigNox provides a verified clean version, do not apply updates. Better still, uninstall the NoxPlayer. The IOCs in the WeLiveSecurity article below should be leveraged to detect compromise.

Lee Neely
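The note above makes a point that is easy to get wrong in an update client: a checksum fetched from the same distribution API as the payload proves nothing if that API is compromised, whereas a signature from a release key the attacker does not hold is the real tell. The following Go program is an added example (not BigNox or NoxPlayer code) that models both checks side by side. The manifest format, the ed25519 release key derived from a fixed seed, and the two sample payloads are all constructed for the example; the only page-derived detail is the advertised-MD5-matches-but-unsigned pattern.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// UpdateManifest models what an update API hands a client: the payload, the
// MD5 the API advertises for it, and (ideally) a detached signature from the
// vendor's release key. Constructed for this example; not BigNox's real format.
type UpdateManifest struct {
	Payload   []byte
	MD5Hex    string // checksum advertised by the distribution API
	Signature []byte // detached ed25519 signature; nil when the update is unsigned
}

// VerifyUpdate reports two independent results: whether the payload matches the
// advertised MD5, and whether a valid signature from the vendor's release key is
// present. Only the second result is meaningful when the checksum and the
// payload come from the same, possibly compromised, server.
func VerifyUpdate(m UpdateManifest, releaseKey ed25519.PublicKey) (checksumOK, signatureOK bool) {
	sum := md5.Sum(m.Payload)
	checksumOK = hex.EncodeToString(sum[:]) == m.MD5Hex
	signatureOK = len(m.Signature) == ed25519.SignatureSize &&
		ed25519.Verify(releaseKey, m.Payload, m.Signature)
	return checksumOK, signatureOK
}

// Accept is the install policy a client should apply: the signature must
// verify; a matching checksum alone never justifies installation.
func Accept(m UpdateManifest, releaseKey ed25519.PublicKey) bool {
	_, sigOK := VerifyUpdate(m, releaseKey)
	return sigOK
}

// demoSeed yields a fixed seed so the example is deterministic. A real release
// key would live in an HSM or on an offline signing host, not in the code.
func demoSeed() []byte {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	return seed
}

// BuildScenario constructs two manifests: a genuine signed update, and a
// tampered update served by a compromised distribution system whose API also
// reports the tampered file's own MD5, so the checksum "matches" by design.
func BuildScenario() (genuine, tampered UpdateManifest, pub ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(demoSeed())
	pub = priv.Public().(ed25519.PublicKey)

	good := []byte("NoxPlayer update (constructed sample payload)")
	goodSum := md5.Sum(good)
	genuine = UpdateManifest{
		Payload:   good,
		MD5Hex:    hex.EncodeToString(goodSum[:]),
		Signature: ed25519.Sign(priv, good),
	}

	bad := []byte("NoxPlayer update with surveillance implant (constructed sample payload)")
	badSum := md5.Sum(bad)
	// The attacker controls the API, so the advertised MD5 is simply the tampered
	// file's own MD5. What the attacker cannot produce is a signature from the
	// release key, so the manifest ships unsigned.
	tampered = UpdateManifest{
		Payload:   bad,
		MD5Hex:    hex.EncodeToString(badSum[:]),
		Signature: nil,
	}
	return genuine, tampered, pub
}

func main() {
	genuine, tampered, pub := BuildScenario()
	cases := []struct {
		name string
		m    UpdateManifest
	}{{"genuine", genuine}, {"tampered", tampered}}
	for _, c := range cases {
		ck, sg := VerifyUpdate(c.m, pub)
		fmt.Printf("%-8s checksum=%v signature=%v install=%v\n", c.name, ck, sg, Accept(c.m, pub))
	}
}
```

Running it prints one line per case: the genuine update passes both checks, the tampered one passes the checksum and fails the signature, and only the genuine update is installed. The design point is that `Accept` ignores `checksumOK` entirely; the checksum is still useful for detecting corrupt downloads, but it must never be the gate that decides whether code runs.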

When internet commerce was growing rapidly in the early 90s, bad guys learned they could turn vulnerable servers into network sniffers and see all the user logins that were carried in the clear at the time. Netscape was the leading browser company, and they came up with SSL to encrypt login connections - adding a lot of complexity but a much needed raising of the bar that took several years to do right. We are long past the point where a similar raising of the bar in assuring all software (which includes updates) is required to demonstrate evidence of testing before being installed. Software vendors having their development and distribution systems compromised will be a growing threat vector until enterprises demand better.

John Pescatore

The Rest of the Week's News


2021-02-01

UK Research and Innovation Discloses Ransomware Attack

UK Research and Innovation (UKRI), a UK government organization that manages research grants for UK organizations, has acknowledged that its network was hit with a ransomware attack. UKRI disclosed the incident on January 28. The attack affected a Brussels-based UK Research Office (UKRO) portal, and an extranet known as the BBSRC extranet; both have been taken offline. UKRI has reported the incident to authorities.

Editor's Note

See CISA Launches Campaign to Reduce the Risk of Ransomware: https://www.cisa.gov/news/2021/01/21/cisa-launches-campaign-reduce-risk-ransomware

Lee Neely

The more segmented one's network, the more the damage of "ransomware" will be limited.

William Hugh Murray

2021-01-30

FonixCrypter Ransomware Group Shuts Down Operations, Releases Master Decryption Key

Operators of the Fonix ransomware say they will cease operations and have made a decryption tool and the decryption key available so its victims can regain access to their data. The tool is what the operators have used to decrypt files as proof that they really can be decrypted, but it might not be useful to decrypt large quantities of data. The master decryption key could be used to build a more efficient decryptor.

Editor's Note

The master decryption key, coupled with the recently-released decryptor, works for decrypting small groups of files. It is not, by itself, however, an effective mechanism to recover your entire file repository nor should it be trusted to be free of backdoors or malware. For that scale and confidence, you need to wait for an updated general purpose ransomware decryption tool such as the Emsisoft decryptor. Beware of fake source code for the Fonix ransomware that was released by FonixCrypter gang members who disagreed with the shutdown.

Lee Neely

2021-02-01

US Legislators Want NSA to Answer Questions About 2012 Juniper Networks Supply Chain Attack

US legislators are seeking answers from the National Security Agency (NSA) about a 2012 supply-chain attack that affected Juniper Networks. A statement released by Senator Ron Wyden’s (D-Oregon) office notes, “In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.” A letter dated January 28, 2021, and signed by 10 US legislators asks the NSA to describe the actions it took “to protect itself, the Department of Defense, and the US government from future software supply chain attacks.” Renewed interest in the older case was prompted by the SolarWinds supply chain attack that came to light in December 2020.

Editor's Note

In both cases, code was modified before delivery to customers. Software providers need to make sure that code repositories can be updated or accessed only by authorized systems and users. Consumers need to ask what suppliers are doing to ensure the code delivered is genuine and unaltered, beyond the digital signature. Where possible, ask to see verifiable test results to assure only intended operations are enabled.

Lee Neely

2021-02-01

Libgcrypt Developers Patch Critical Vulnerability

A critical heap overflow vulnerability in the Libgcrypt open-source cryptographic library and GNU Privacy Guard module could be exploited to write arbitrary data and execute code. The flaw affects Libgcrypt 1.9.0, which was released in mid-January. Developers have addressed the vulnerability in Libgcrypt 1.9.1.

Editor's Note

If you are using GPG, Homebrew, or other packages sitting on top of Libgcrypt, apply both the Libgcrypt update and updates to those packages necessitated by changes in Libgcrypt 1.9.1. An alternative is to roll back to LTS 1.8.5 or better; check compatibility with applications prior to rolling back.

Lee Neely

2021-01-29

NITRO Open Source Library Flaws Fixed

At least two vulnerabilities detected in the NITRO open source library could be exploited to allow remote code execution. The NITRO library is used by the US Department of Defense (DoD) and intelligence agencies to store, share, and send digital images taken by satellites. Researchers at GRIMM detected the flaws; they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to make sure affected organizations are aware of the issue. The vendor has issued fixes for all the vulnerabilities.

Editor's Note

Version 2.10.0 of the NITRO library addresses the flaws and is available from the GitHub NITRO site (https://github.com/mdaus/nitro). The GitHub site below contains information on the flaws as well as example utilities which demonstrate the vulnerabilities.

Lee Neely

2021-01-29

WordPress Popup Builder Plugin Users Urged to Update to Fix Vulnerabilities

Vulnerabilities in the Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter plugin could be exploited to send newsletters, and delete or add newsletter subscribers. The plugin is installed on 200,000 WordPress sites. The vulnerability affects Popup Builder versions 3.71 and earlier. The issue is fixed in version 3.72 and the most recent version is 3.73.

Editor's Note

While some fixes were introduced in 3.71, the complete fix wasn’t available until version 3.72 of the plugin. Beyond automatic updates to WordPress and plugins, consider protecting your WordPress site with both a WAF and MFA to reduce the attack surface. Lastly, remove unneeded plugins and only install them after validating the function and security. Also see Wordfence’s 2020 WordPress Threat Report: https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-report/

Lee Neely

2021-01-29

Vulnerabilities in Fuji Electric ICS Products

Five vulnerabilities affecting industrial control system products from Fuji Electric could be exploited to execute code. The flaws are not remotely exploitable. The vulnerabilities affect Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite. The company recommends upgrading to version 4.0.10.0.

Internet Storm Center Tech Corner

Perl.com Domain Hijacked

https://www.ehackingnews.com/2021/01/perlcom-official-site-for-perl.html

Spamcop Domain Expired

https://www.bleepingcomputer.com/news/security/spamcop-anti-spam-service-suffers-an-outage-after-its-domain-expired/

libgcrypt vulnerability

https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html

Fingerprinting QUIC (PDF)

https://arxiv.org/pdf/2101.11871.pdf

MacOS 11.2 Update

https://support.apple.com/en-us/HT212147

Objective-See Tools Now Open Source

https://twitter.com/patrickwardle/status/1356149073045143553

iMessage Blastdoor

https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html

SonicWall Update

https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-confirms-sma-100-series-10-x-zero-day-vulnerability-feb-1-2-p-m-cst/210122173415410/