SANS NewsBites

HP Printers Require Immediate Firmware Updates; AT&T’s Network Infested With Dangerous Malware; Patch Mozilla NSS Crypto Libraries

December 3, 2021  |  Volume XXIII - Issue #94

Top of the News


2021-11-30

HP Releases Firmware Updates for Printers

HP Enterprises has released firmware updates for more than 150 models of its multifunction printers. HP learned of the vulnerabilities from F-Secure in April 2021. One of the issues addressed in the updates is a critical buffer overflow vulnerability; the other is a high-severity information disclosure vulnerability. The flaws could be exploited to take control of vulnerable devices, steal information, and gain access to networks.

Editor's Note

This vulnerability affects printers for the last few years. If you have an HP printer, it is likely vulnerable. Update your firmware in particular if the printer is reachable over a network. The other exploit scenarios may be less of a problem if the printer is located in a home office without easy access.

Johannes Ullrich

Coincidentally, the SANS Holiday Hack Challenge will feature a printer hack this year. As an overlooked part of most infrastructure networks, printers make interesting targets for adversaries since they are seldom subject to rigorous patch management processes. We thought it important to highlight printer vulnerabilities as a common threat for many organizations.

Joshua Wright

By now, network-attached printers should be fully covered by vulnerability management processes, across their entire lifecycle, including disposal. If not, there have been real world damage-causing exploits against printers over the past 5 years – seeing vulnerabilities that include code execution should be a red flag for action.

John Pescatore

Make sure you’re installing firmware updates on your printers. If you’re using a third party double check their practices. Understand controls which allow or disallow Internet printing before enabling that capability. As many printers now cache information and have ports for USB or other memory cards, consider locations away from unescorted access, not just to prevent media insertion, but also limit unintended browsing of sensitive output. Consider using devices that permit jobs to be queued/paused until the requester is physically present.

Lee Neely

2021-12-02

AT&T Networking Devices Infected with Botnet Malware

AT&T is dismantling a botnet that had established itself within the company’s network. The malware affected EdgeMarc Enterprise Session Border Controller appliances.

Editor's Note

Last week, we had a story about Sky waiting a year to patch customer premise equipment. AT&T didn't want to be outdone and is now, four years after the vulnerability was originally reported, and after it is actively being exploited, considering steps to mitigate it. In your office (and home office) network design: Treat ISP supplied equipment as hostile and outside your perimeter.

Johannes Ullrich

The report suggests that AT&T’s use of wildcard certificates may have enabled the malware to get broad internal access. NSA put out a warning about wildcard certs in October 2021. (Just search for “NSA ALPACA” because the creative folks at Ft. Meade used that very cool acronym for “Application Layer Protocols Allowing Cross-Protocol Attacks” vs. earlier use of it for Application Layer Protocol Confusion attacks.)

John Pescatore

In addition to wildcard certificates, it appears these devices also have default credentials which need addressing. A patch was released in December 2018, about 19 months after the first discovery of the flaw. Application of the patch has manual updates.

Lee Neely

2021-12-02

NSS Crypto Library Flaw

Mozilla has released fixes to address a critical flaw in the Network Security Services (NSS) cryptographic library. The heap overflow vulnerability affects all versions of NSS older than 3.73 and 3.68.1 ESR; it was detected by Google Project Zero’s Tavis Ormandy.

Editor's Note

The NSS library isn't as well-known as OpenSSL, but the scope of its use is similar. Many clients, and in a few cases servers, use this library. As so often with these library flaws, patching the library is just a first step. You may also need to patch software using it.

Johannes Ullrich

Tavis' write-up of this flaw indicates that redirecting code execution is trivially exploitable. NSS is used by Firefox, Thunderbird, and a variety of other software projects from RedHat, Oracle, SUSE, and others: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Overview.

Joshua Wright

This applies to products which use NSS for handling signatures such as Thunderbird, LibreOffice, Evolution and Evince. The fixes to Thunderbird were released 30 days ago, so the fixed libraries are now available for public download. This also means the most current releases of these products include the fixes; make sure they’ve been updated in your environment.

Lee Neely

2021-12-05

The 2021 SANS Holiday Hack Challenge Opens Mid-December

Join the global cybersecurity community in this free & festive cyber security challenge and virtual conference. Our gift to the cyber community, the SANS Holiday Hack Challenge is a series of super fun, high-quality, hands-on cybersecurity challenges through which you help Santa defeat cybersecurity villains to save the holiday season from treachery—and learn new skills in the process.

The SANS Holiday Hack Challenge is for all skill levels, with stellar prizes at the end for the best of the best entries.

Sign up here today and get notified first when the game opens for play.

https://www.sans.org/mlp/holiday-hack-challenge/


The Rest of the Week's News


2021-11-30

Panasonic Discloses Network Breach

Panasonic has disclosed that its network was breached earlier this year. The attackers had access to the network from June through November 2021. Panasonic noted that the intruders had accessed some data on a file server.

Editor's Note

There are two issues here – closing the access path and determining the level of access or damage. Could you detect accesses to your file servers or other resources that happened six months ago or are you rolling the logs over when they get “too big” irrespective of duration? While Panasonic says nothing about the exact access method, you may want to make sure that you’re actively disabling inactive accounts, only granting users the access they need for their role with a regular review to ensure they are not over permissioned.

Lee Neely

Attacker 'breakout time' is a metric we use to measure the amount of time it takes an attacker to go from initial exploitation to secondary post-exploitation or lateral movement within a network. For sophisticated attackers, breakout time is measured in minutes, or hours. Panasonic's case is not unusual, where it may take an organization several months to identify a compromise. Threat hunting and red team exercises can help shorten that detection window, but must be supported by a strong incident response process.

Joshua Wright

2021-12-02

Former Ubiquiti Employee Arrested for Data Theft and Extortion

Law enforcement officials have arrested a former Ubiquiti employee for stealing data and then attempting to extort nearly $2 million from the company. Nickolas Sharp also allegedly posed as a whistleblower, planting false news stories about the breach.

Editor's Note

I have seen some talk about how to detect the kind of activity this developer used to collect the information. Many suggestions do not take into account the access developers need to work effectively. A developer typically needs read access to repositories other than the one they are working on even for little things like a quick copy/paste. Do not use this incident to make your developers’ lives any more difficult.

Johannes Ullrich

This is a case of a trusted insider, with administrator access, abusing those privileges, including modifying logs to cover his tracks. Further, he leveraged an incident to mask his activities. This is an excellent scenario for a tabletop exercise to talk about prevention and discovery. Consider actions such as forwarding logs to a centralized service to reduce the likelihood of modification; performing traffic flow analysis coupled with other DLP tools to discover data exfiltration. Make sure that you’re collecting information from insourced, outsourced and cloud systems wherever possible.

Lee Neely

2021-12-01

Bulletproof Hosting Provider Sentenced to Prison

A US federal judge in Michigan has sentenced Aleksandr Grichishkin to five years in prison for providing bulletproof hosting services that were used to operate botnets, spread malware, and steal sensitive financial information. The service hosted Zeus, SpyEye, Citadel, and Black Hole malware.

Editor's Note

There’s a long history in the US of the RICO (Racketeer Influenced Corrupt Organization) act to go after those who knowingly profit by selling products and services to bad guys who meet the broad definition of RICO. While it is so broad that there have been abuses, it is good to see convictions (and asset seizures) coming against the modern equivalent where services providers are profiting from criminals. Good to use this to notify the product/service side of your company of the need to “know your customer.”

John Pescatore

2021-12-02

TSA Cybersecurity Directives for Passenger and Freight Rail

The US Transportation Security Administration (TSA) has published cybersecurity directives for freight and passenger rail. The directives require that cyber incidents are reported to the government within 24 hours after they are detected. They also require cybersecurity assessments and incident response plans based on the results of the assessments.

Editor's Note

The first directive is to designate a cybersecurity coordinator to perform the identified tasks. The question is – do you have someone in a similar role? This is a liaison between you and your regulator, relevant ISAC or even CISA. This would also be a good person to coordinate vulnerability disclosure activities.

Lee Neely

2021-12-02

BadgerDAO and MonoX Disclose Cryptocurrency Thefts

$120 million in cryptocurrency was reportedly stolen from the BadgerDAO blockchain decentralized finance platform wallets earlier this week. Badger believes the theft involved a malicious script in their website’s user interface. Badger froze smart contracts after learning of the thefts. In a separate story, MonoX Finance reported that an attacker exploited a bug in smart contract drafting software to steal $31 million in cryptocurrency.

Editor's Note

Access leveraged an API key which was allegedly protected by 2FA. When you implement 2FA, you need to implement it properly. This is another case where you don’t want to “roll your own,” use an existing tested solution, then test your implementation rigorously.

Lee Neely

Insert usual comments here about why the term “cryptocurrency” is an oxymoron. Another note: calling the “MonoX Finance” software is like calling your kid’s fingerpainting “art.” The token abuse exploited is pretty much the equivalent of the web price changing vulnerabilities that worked in the first online commerce sites decades ago.

John Pescatore

2021-12-02

Airgap Attack Frameworks

Researchers from ESET have published a report examining all known frameworks that have been used to attack air-gapped networks. ESET notes that all the frameworks were designed for purposes of espionage and all used USB drives as the primary vector of transmission. Additionally, all known frameworks were designed to attack Windows systems.

Editor's Note

If you’re relying on air-gapped networks for security, review the white paper to understand what processes can be leveraged to cross that gap and how to secure them. Look first at how you’re transferring information in and out of those systems, making sure only trusted files and media are allowed, that you’re scanning that media aggressively.

Lee Neely

Systems that are not connected to the public networks for security reasons are probably sufficiently sensitive that they must be protected physically.

William Hugh Murray

2021-12-09

Internet Storm Center Tech Corner

Hunting for PHPUnit Installed via Composer

https://isc.sans.edu/forums/diary/Hunting+for+PHPUnit+Installed+via+Composer/28084/


Info-Stealer Using webhook.site to Exfiltrate Data

https://isc.sans.edu/forums/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088/


TA551 (Shathak) Pushes IcedID (Bokbot)

https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/


Wifi Router Flaws

https://www.iot-inspector.com/blog/router-security-check-2021/


Mozilla NSS Library Vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237


EwDoor Botnet is Attacking AT&T Customers

https://threatpost.com/att-botnet-network/176711/


pip-audit scanning Python packages for known vulnerabilities

https://pypi.org/project/pip-audit/


JAMF Pro 10.32 Patch

https://community.jamf.com/t5/jamf-pro/what-s-new-in-jamf-pro-10-32-release/m-p/246505


Microsoft Defender Scares Admins with Emotet False Positives

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/


Printing Shellz HP Printer Vulnerabilities

https://blog.f-secure.com/hp-printer-vulnerabilities/?_ga=2.125707850.1160056027.1638325485-2056233716.1638325485


Unpatched Local Privilege Escalation in Mobile Device Management Service

https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html