SANS NewsBites

FBI Misconfiguration Enabled Spoofed Attack Alerts; Go-based Malware Finds Vulnerable IoT Devices; More Weaknesses Discovered in Dynamic RAM Protections

November 16, 2021  |  Volume XXIII - Issue #90

Top of the News


2021-11-15

FBI: Portal Compromised to Send Fake Cyberattack Alerts

The FBI has acknowledged that “a software misconfiguration … temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails.” The phony messages warned recipients of an impending cyberattack.

Editor's Note

If your company is involved in an FBI investigation: Expect a personal visit or at least a phone call instead of an email. That said, it can be difficult to establish trust in a situation like this (certainly check IDs). But one thing I always suggest is to participate in local InfraGard chapters which may help establish some relationship with local FBI agents before the incident.

Johannes Ullrich

Major lessons learned from this one: (1) attackers are still constantly scanning exposed servers and finding and exploiting misconfigured and unpatched apps and servers; (2) that means quick detection and assessment of changes is still essential to beat them to the punch.

John Pescatore

This is a good example of why the advice “to not click on links or attachments in emails from untrusted sources” is so outdated. We should instead be coaching people to be wary of unexpected emails and to review them with care before actioning them.

Brian Honan

The Brian Krebs article includes details from an interview with Pompompurin, the person claiming responsibility for the attack. If the claims are accurate, the vulnerability demonstration is embarrassing, but a good reminder about the need to carefully pen test systems.

Joshua Wright

Environmental drift is real. Point-in-time assessments are not the only way to spot it. Continuous (or close to continuous) control validation and change management may have identified this “temporary software misconfiguration” earlier.

Jorge Orchilles

2021-11-15

BotenaGo Malware

Researchers at AT&T Alien Labs have detected new malware that could be used to target millions of routers and other IoT devices. The malware contains more than 30 exploit functions. Dubbed BotenaGo because it is written in the open-source Go programming language, the malware scans for vulnerable devices.

Editor's Note

No big news here. These are the same routers and IoT devices that are compromised several times a day by a variety of different bots harvesting the internet for vulnerable devices to use them for crypto coin mining, DDoS attacks or as attack platforms.

Johannes Ullrich

This should be a call-to-action for organizations to evaluate the devices permitted on the network. Vulnerable IoT or consumer-market devices are not just a home-network problem. These devices also appear on enterprise and government networks and introduce risks outside typical patch management and vulnerability remediation programs. IT asset management is a valuable resource for organizations to get an informed view about assets on their networks.

Joshua Wright

Gratuitous and vulnerable code in many of these devices will result in their being put into botnets.

William Hugh Murray

2021-11-15

New Rowhammer Attack

Researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies have discovered vulnerabilities in DRAM devices. The flaws defeat mitigations that were put in place to prevent Rowhammer attacks. While previous Rowhammer attacks used simple, uniform “hammering” patterns, the new attack uses more complex, non-uniform patterns.

Editor's Note

The practicality of these attacks has been disputed at times, and I could not find any examples of them being used in actual breaches. But this may be more a fact of other, simpler vulnerabilities still being available for privilege escalation. In the end, these vulnerabilities put a big dent in the myth that it is possible to separate processes on highly integrated hardware. For example, it may not be advisable to use shared systems like cloud computing for sensitive workloads.

Johannes Ullrich

The Rest of the Week's News


2021-11-12

CISA: ICS Equipment Advisory

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an ICS advisory urging admins to install updates to address “vulnerabilities found in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations.” The flaws could be exploited to induce denial-of-service and buffer overflow conditions, which could result in remote code execution and data exposure.


2021-11-15

Nucleus:13 Vulnerabilities Affect Siemens Nucleus TCP/IP Stack

Critical vulnerabilities in the Siemens Nucleus RTOS TCP/IP stack could be remotely exploited to leak information, execute code, and create denial-of-service conditions. The vulnerabilities include type confusion, improper validation, and out-of-bounds read issues. The flaws, known collectively as Nucleus:13, pose risks to some medical devices. Siemens has released fixes for the flaws.

Editor's Note

These vulnerabilities remind me of similar flaws from days long past. Old vulnerabilities are new again when developers reinvent TCP/IP stacks. It's another good reminder about the need to carefully pen test systems.

Joshua Wright

2021-11-12

Ohio Hospital Suffers Cyberattack

A cyberattack has forced Southern Ohio Medical Center (SOMC) to operate under electronic health record (EHR) downtime. SOMC has cancelled some patient appointments and has diverted ambulances to other facilities. SOMC initially disclosed the cyberattack in a social media post on Friday, November 11.


2021-11-15

Intel BIOS Vulnerabilities

A pair of high-severity vulnerabilities affecting the BIOS reference code in some Intel processors could be exploited to gain elevated privileges. Intel is releasing firmware updates to address the flaws.


2021-11-12

Uneven Patching for macOS

Newer versions of macOS appear to be receiving patches for vulnerabilities earlier than older, though still supported, versions of the operating system. For example, the privilege elevation vulnerability that was recently exploited in watering hole attacks on some websites in Hong Kong was patched in macOS Big Sur 11.2 in February 2021, but was not fixed in macOS Catalina until September.

Editor's Note

This should not surprise anyone. Apple security is better than MS in part because it focuses on new code. History shows that it is willing to abandon legacy code and even systems.

William Hugh Murray

2021-11-15

Card Skimming Devices Found at Costco

Costco has disclosed that payment card skimmers were discovered at Chicago-area Costco stores. Some customers have reported fraudulent charges on their accounts. Costco has notified affected customers.

Editor's Note

Whether or not organizations have on-site/physical locations in scope for pen testing, this is a good reminder that we absolutely need detective controls. In the same way retail organizations regularly count tills and reconcile store-wide totals, electronic payment systems should be inspected for tampering at least daily.

Christopher Elgee

Internet Storm Center Tech Corner

Using Copy Paste to Change Microsoft AD Password

https://isc.sans.edu/forums/diary/Changing+your+AD+Password+Using+the+Clipboard+Not+as+Easy+as+Youd+Think/28036/


Not So Fake FBI E-Mails

https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails

https://isc.sans.edu/forums/diary/External+Email+System+FBI+Compromised+Sending+Out+Fake+Warnings/28034/

https://twitter.com/spamhaus/status/1459450061696417792


Reversing Obfuscated Maldoc with BASE64

https://isc.sans.edu/forums/diary/Obfuscated+Maldoc+Reversed+BASE64/28030/


Microsoft Emergency Update Fixes AD Authentication Problems

https://support.microsoft.com/en-us/topic/november-14-2021-kb5008601-os-build-14393-4771-out-of-band-c8cd33ce-3d40-4853-bee4-a7cc943582b9


Blacksmith Revives Rowhammer

https://comsec.ethz.ch/research/dram/blacksmith/


Zoom Updates

https://explore.zoom.us/en/trust/security/security-bulletin/


VMware vCenter Update

https://www.vmware.com/security/advisories/VMSA-2021-0025.html


Windows User Profile 0-Day LPE

https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html