SANS NewsBites

US State Department iPhones Compromised by NSO Pegasus Spyware; FBI Issues Broad Ransomware Warning; Microsoft Shuts Down Malicious Domains Exploiting Unpatched Microsoft Vulnerabilities

December 7, 2021  |  Volume XXIII - Issue #95

Top of the News


2021-12-04

NSO’s Pegasus Spyware Found on iPhones of US State Department Employees

According to a report from Reuters, phones belonging to at least nine US State Department employees were infected with Pegasus spyware. The malware is made by NSO Group. The targeted employees were either based in Uganda or were working on Uganda-related issues. Pegasus capabilities include location tracking, microphone activation, and data theft. A State Department spokesperson declined to confirm the report.

Editor's Note

There are so many takeaways from this story. First, while NSO claims it will take legal action against those who misused its tools, their customers will likely have more success in claiming sovereign immunity than NSO itself. Second, it's unfortunate that Apple doesn't provide users with more information they can use to detect an attack themselves. Companies like NSO will continue to capitalize on this lack of transparency to victimize users. Finally, it's hard to imagine these actions (and others like them) aren't related to the sanctions placed on NSO.

Jake Williams
Jake Williams

The story of NSO should also be seen as a warning to other companies offering offensive tools commercially. Well-funded attackers often use the same tools red teams use legitimately in authorized penetration tests. So far, I don't think anybody has found a way to effectively restrict how these tools are being used. NSO group stuck out for its unique abilities to attack mobile devices, and in some ways, its downfall was that the tool was “too good.”

Johannes Ullrich
Johannes Ullrich

Apple is taking the initiative to notify users who have devices infected with the NSO spyware. The vulnerability used to install their software was closed in the September release of iOS 14.8. Make sure that your devices are on current versions, particularly if deployed in foreign countries. Make sure that your mobile device management system can actively detect spyware installed on your devices rather than having a third party give you the bad news. Note that while NSO claims to only license their software to government agencies with strict terms including Israeli government granted export licenses, and use against USG employees is strictly prohibited, that is an administrative rather than a technical control; you need to implement the technical controls to ensure the attack vectors remain closed.

Lee Neely
Lee Neely
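The "make sure your devices are on current versions" check above is easy to get wrong when it is scripted against an MDM inventory export, because OS versions are strings and sort lexically ("9.3.6" sorts after "14.8"). The following is an added example, not code from the newsletter or from any MDM vendor: it parses a constructed CSV export (the column names and the rows are assumptions) and flags devices below a minimum version by comparing numeric tuples. The minimum version is a policy value you would set yourself.

```python
"""Flag managed iOS devices running below a minimum OS version.

Added example. The inventory below is constructed for illustration; the
column names (serial, os_version, last_checkin) are assumed, not taken from
any specific MDM product's export format.
"""
import csv
import io
import re


def parse_version(version):
    """Turn '14.8.1' into (14, 8, 1) so that comparisons are numeric.

    A plain string comparison would rank '9.3.6' above '14.8' and silently
    leave very old devices unflagged.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(version, minimum):
    """True if version is strictly below minimum (numeric, per component)."""
    return parse_version(version) < parse_version(minimum)


def outdated_devices(inventory_csv, minimum):
    """Return the sorted serials of devices whose os_version is below minimum."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return sorted(
        row["serial"] for row in reader if is_outdated(row["os_version"], minimum)
    )


# Constructed sample export (not real device data).
INVENTORY = """serial,os_version,last_checkin
DEV-001,14.7.1,2021-12-06
DEV-002,14.8,2021-12-05
DEV-003,9.3.6,2021-12-01
DEV-004,15.1,2021-12-06
"""

# Assumed policy floor for this example.
MIN_IOS = "14.8"

if __name__ == "__main__":
    for serial in outdated_devices(INVENTORY, MIN_IOS):
        print(f"{serial}: below minimum iOS {MIN_IOS}")
```

DEV-003 is the case that a naive string comparison misses: "9.3.6" > "14.8" lexically, so the oldest device in the fleet would never show up in the report. The numeric tuple comparison flags it along with DEV-001.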

The US federal government has long neglected an opportunity to use its buying power to drive Google and Apple to support a trusted “Government App Store” as part of all federal wireless contracts. Google and Amazon provided federal cloud capabilities because the federal government did use their buying power as FedRAMP and US government “Cloud-first” initiatives were backed with procurement requirements.

John Pescatore
John Pescatore

Working for a company that sells an adversary emulation platform, we have to maintain a balance between operational security and feature sets. Products that do not “call home” are welcomed by our customers but if the product lands in the wrong hands, we would have no visibility into its use. This is what has occurred with Pegasus and other products. Learning from these mistakes is costly but required.

Jorge Orchilles
Jorge Orchilles

2021-12-06

FBI Warning on Critical Infrastructure Ransomware Attacks

The FBI has released a TLP:White Flash warning that the Cuba ransomware has been used in attacks targeting entities in multiple critical infrastructure sectors, including financial, healthcare, and IT. The Flash lists technical details about Cuba ransomware, as well as indicators of compromise and recommended mitigations.

Editor's Note

While I will always applaud the release of IOCs to aid with detection, the way this report was released leaves a bit to be desired. Critical infrastructure consists of 16 different sectors covering broad swaths of industry, including information technology. In the future it would be ideal if the broad cover of "critical infrastructure" isn't used without further clarification.

Jake Williams
Jake Williams

Add the IOCs from the Flash to your SIEM and keep an eye out for new ones; the FBI is asking for new discoveries to be shared with them. Make sure you’re segmenting critical systems, only allowing communication between trusted components. Use strong/unique passwords or better still, require MFA for any services which can interact with these systems, which themselves may not be able to support MFA. Actively monitor activity to detect anomalous behavior.

Lee Neely
Lee Neely
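Before loading indicators from a Flash into a SIEM, it helps to dry-run them against a sample of your own logs so you know what the match logic will and will not catch. The script below is an added example, not code from the newsletter or from the FBI Flash: every indicator and every log line in it is a constructed placeholder (documentation IP ranges, an obviously fake hash), not a real IOC from the report. It parses key=value log lines, normalises case, matches hashes exactly, domains by exact name or subdomain, and IP addresses either exactly or by CIDR membership.

```python
"""Match a small IOC list against log lines before loading it into a SIEM.

Added example. Every indicator and log line here is constructed for
illustration; none of them come from the FBI Flash.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed placeholder indicators (replace with the ones from the Flash).
IOCS = {
    "sha256": {"deadbeef" * 8},
    "domain": {"malicious.example", "c2.invalid"},
    "ip": {"192.0.2.10"},
    "cidr": {"198.51.100.0/24"},
}

# key=value tokens; values may be double-quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse key=value tokens from one log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_indicators(line, iocs=IOCS):
    """Return a sorted list of (ioc_type, indicator) hits for one log line."""
    fields = parse_kv(line)
    nets = [ip_network(c) for c in iocs["cidr"]]
    hits = set()
    for value in fields.values():
        v = value.lower()  # hashes and hostnames are case-insensitive
        if v in iocs["sha256"]:
            hits.add(("sha256", v))
        for domain in iocs["domain"]:
            # Exact name or a subdomain; a bare substring test would also
            # flag "notmalicious.example", which is a false positive.
            if v == domain or v.endswith("." + domain):
                hits.add(("domain", domain))
        try:
            addr = ip_address(v)
        except ValueError:
            continue  # not an IP address, skip the network checks
        if v in iocs["ip"]:
            hits.add(("ip", v))
        for net in nets:
            if addr in net:
                hits.add(("cidr", str(net)))
    return sorted(hits)


def scan(lines, iocs=IOCS):
    """Scan lines; return [(line_number, hits)] for lines with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_indicators(line, iocs)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "ts=2021-12-06T10:01:02Z host=ws01 event=process_create "
    "image=C:\\Users\\a\\update.exe sha256=" + "DEADBEEF" * 8,
    "ts=2021-12-06T10:01:05Z host=ws01 event=dns query=beacon.malicious.example rcode=NOERROR",
    "ts=2021-12-06T10:01:06Z host=ws01 event=netconn dst=198.51.100.77 dport=443",
    "ts=2021-12-06T10:02:00Z host=ws02 event=netconn dst=10.0.0.5 dport=445",
    "ts=2021-12-06T10:02:01Z host=ws02 event=dns query=notmalicious.example rcode=NOERROR",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

The last sample line is the one to watch: "notmalicious.example" must not match "malicious.example", which is exactly the false positive a naive `contains` rule in a SIEM would produce. The CIDR check is what lets a single range indicator cover hosts the Flash never listed individually.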

Does your organization have a process to consume this cyber threat intelligence and ensure the team can detect and respond to these adversary behaviors? If not, performing adversary emulations as purple team exercises is one of the most efficient methods to test, measure, and improve your people, process, and technology so these known attacks do not impact your organization.

Jorge Orchilles
Jorge Orchilles

2021-12-06

Microsoft Dismantles APT Group’s Infrastructure

Microsoft’s Digital Crimes Unit has taken steps to disrupt operations of an advanced persistent threat (APT) group with ties to China. Recently unsealed court documents show that Microsoft was granted the authority to seize websites in 29 countries that were used by the hacking group, which it has nicknamed Nickel.

Editor's Note

This operation is significant in scope and impact. In particular the takeover of command and control domains from the threat actor will allow Microsoft to continue to identify victims. The report also demonstrates how even apex-grade threat actors use commodity tools, such as mimikatz and NTDSDump. They can do that only because these tools continue to work in victim environments.

Jake Williams
Jake Williams

It is hard to complain about Microsoft shutting down malicious websites, but the bulk of the attacks launched by Nickel and others were exploiting the continuing stream of critical vulnerabilities in Microsoft’s software. It is kind of like if Tesla formed a Digital Crimes Unit to shut down thieves that were stealing Tesla cars because the Tesla door locks didn’t work.

John Pescatore
John Pescatore

It is excellent that Microsoft is taking steps against those working to exploit the vulnerabilities in their systems. One hopes they are spending as much or more energy on fixing those weaknesses. For the rest of us, keep an eye on updates to both our endpoint operating systems and protection products. Make sure they are reporting in regularly and that your responders have what they need - resources and training - to respond to detected maleficence.

Lee Neely
Lee Neely

The Rest of the Week's News


2021-12-06

Gen. Nakasone: US Military Has Taken Action Against Ransomware Actors

The US military has taken action against ransomware actors, according to General Paul Nakasone, head of US Cyber Command. Prior to the Colonial Pipeline and JBS attacks, the government saw ransomware attacks as the purview of law enforcement. Nakasone said that Cyber Command would take action against any cyberthreat actors that target US infrastructure, whether or not they have geopolitical ties. Nakasone also heads the National Security Agency (NSA).

Editor's Note

What makes this announcement new is the US military is now stating it will not only respond to and target nation state actors but also cyber criminal actors. A big part of this is because the impacts of nation state actors and cyber criminals are starting to blend. Both can have a direct impact on the country’s ability to operate at a political, economic or military level as both can and do have an impact on critical infrastructure. I believe this is a step in the right direction. Until cyber criminals face consequences for their actions, they have no motivation to stop attacking; cyber crime is simply far too profitable and effective. Law enforcement is one approach, but difficult when the cyber criminal actors are protected by their host country. Other methods like these may be required.

Lance Spitzner
Lance Spitzner

The US has a long history of separating military and law enforcement actions. Ransomware seems to be a rare case where national security interests justify a military response. However, we must be careful as a nation not to normalize military operations in criminal actions, either for investigation or response. It's not hard to see the slippery slope here - especially because CYBERCOM has had real successes where law enforcement authorities were simply not sufficiently matched to the ransomware threat.

Jake Williams
Jake Williams

Response to cyber criminals, such as ransomware actors, will need multiple agencies across multiple countries. Bringing available resources and expertise together will help with takedowns of these groups; the NSA and Cyber Command have already started cooperating with other agencies to increase the effectiveness of these activities.

Lee Neely
Lee Neely

The story below on GAO asking government to act along with this story confirming the military is acting is what we will continue to see in the short term. Organizations have proven they cannot defend themselves against ransomware. We will follow and report the evolution of the fight against ransomware and hope it leads to its demise.

Jorge Orchilles
Jorge Orchilles

2021-12-02

GAO: Government Must Take Steps to Protect Critical Infrastructure

In testimony before the US House Committee on Transportation and Infrastructure, the Government Accountability Office (GAO) warned that the government must take action to protect the country’s critical infrastructure from cyberattacks.

Editor's Note

Now is the time to get acquainted, or reacquainted, with your local CISA contacts. They will be driving, at the direction of DHS, any actions (technical or reporting) needed. Expect pressure to follow and report the use of NIST frameworks and standards as well as reporting security metrics via the Continuous Diagnostics and Mitigation (CDM) program. If you’re following other security frameworks, the NIST CSF documentation includes tools for mapping other security frameworks to NIST controls such as SP 800-53, which you can leverage.

Lee Neely
Lee Neely

From the perspective of my small town's water district, this message may be well-received, but without additional resources, little will change. Personal agenda: I'd love to see National Guard units gain authority to assist such organizations during regular training assemblies under supervision of CISA. They have the skills, the community ties, and 39 days per year to train.

Christopher Elgee
Christopher Elgee

While the “Government” in this particular piece refers to the US government, I think it is safe to say the same commentary can be aimed at nearly every other government across the globe. For too long, governments have under-invested and under-resourced cyber security, relying on the private sector to fill the gap. Unfortunately, that gap still remains unfilled.

Brian Honan
Brian Honan

2021-12-06

HHS Launches Healthcare Sector Cybersecurity Website

The US Department of Health and Human Services (HHS) has launched a website for its 405(d) Aligning Health Care Industry Security Approaches Program. The site offers cybersecurity resources for the healthcare sector, including recommended products, tools, and mitigations.

Editor's Note

The HHS 405(d) Program, established in response to the Cybersecurity Act of 2015, is looking for participation to make this site relevant and useful. The intent is to provide vetted practices, which means they are looking for input from those in the field with relevant experience about what does and does not work.

Lee Neely
Lee Neely

Cybersecurity professionals working in security should provide feedback to HHS on how to make this site useful to their efforts. My first impression is it is heavy on pointing to products and light on people/processes/skills. What I’d really like to see is more case studies: “Here’s how a healthcare company like you overcame the unique obstacles to securing systems faced in healthcare.”

John Pescatore
John Pescatore

2021-12-06

Spar Supermarkets Hit with Cyberattack

Hundreds of Spar supermarkets in the UK have been temporarily closed due to a cyberattack that affected the stores’ payment processing capabilities. Some stores affected by the attack switched to cash-only transactions. The National Cyber Security Centre is aware of the issue.

Editor's Note

This appears to be a supply chain type of attack. According to the BBC (https://www.bbc.com/news/uk-england-lancashire-59554433) the external IT provider who manages the IT and till/register systems for the affected Spar shops is the victim of the ransomware attack. This attack again highlights the importance of managing third-party risk and assessing how a ransomware attack against one of your suppliers, in particular those deeply embedded in your IT infrastructure, would impact your business and to then put in appropriate controls to manage that risk.

Brian Honan
Brian Honan

In retail, the holiday season often comes with a change freeze for IT, and with that the inability to apply patches. At the same time, ransomware actors in particular realize that retail stores are dependent on holiday sales. While Spar is more a generic grocery store chain, they will likely still see increased traffic in their stores during holidays.

Johannes Ullrich
Johannes Ullrich

I worked my way through college in retail where we had no electronic POS system, to include the old knuckle-buster credit card machines and know what it’s like to chase down errors in making change. After 20 months of electronic payments versus handling cash, you may need to provide a refresher to those handling cash to avoid errors, particularly if the POS system is offline. Make sure your backup/manual procedures are still accurate.

Lee Neely
Lee Neely

2021-12-03

Cyberattack Hits Colorado Utility

The Delta-Montrose (Colorado) Electric Association (DMEA) experienced a cyberattack in November that disrupted billing systems and destroyed 20 years of records. DMEA expects to have its billing systems up and running sometime this week.

Editor's Note

Double check that your backups are disconnected, differential and resistant to ransomware attacks. Don’t forget to look at your records retention practices. As many records have been digitized, moved on-line and the paper shredded, those too need to have secure backups for the retention period.

Lee Neely
Lee Neely

2021-12-06

Cyberattack Hits Maryland Dept. of Health

Over the weekend, the Maryland Department of Health took IT systems offline in the wake of a cyberattack. The department’s main website was also unavailable; visitors to the site were redirected to the state’s main website. As of Monday evening, December 6, the Maryland Department of Health’s website is available. The department acknowledges that “the incident appears to have affected some of our partners, including local health departments (LHD).”

Internet Storm Center Tech Corner

Hunting for PHPUnit Installed via Composer

https://isc.sans.edu/forums/diary/Hunting+for+PHPUnit+Installed+via+Composer/28084/


Info-Stealer Using webhook.site to Exfiltrate Data

https://isc.sans.edu/forums/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088/


TA551 (Shathak) Pushes IcedID (Bokbot)

https://isc.sans.edu/forums/diary/TA551+Shathak+pushes+IcedID+Bokbot/28092/


Wifi Router Flaws

https://www.iot-inspector.com/blog/router-security-check-2021/


Mozilla NSS Library Vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237


EwDoor Botnet is Attacking AT&T Customers

https://threatpost.com/att-botnet-network/176711/


pip-audit scanning Python packages for known vulnerabilities

https://pypi.org/project/pip-audit/


JAMF Pro 10.32 Patch

https://community.jamf.com/t5/jamf-pro/what-s-new-in-jamf-pro-10-32-release/m-p/246505


Microsoft Defender Scares Admins with Emotet False Positives

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/


Printing Shellz HP Printer Vulnerabilities

https://blog.f-secure.com/hp-printer-vulnerabilities/?_ga=2.125707850.1160056027.1638325485-2056233716.1638325485


Unpatched Local Privilege Escalation in Mobile Device Management Service

https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html