SANS NewsBites

FTC May Go After Companies that Ignore Log4j Flaws; Optional Microsoft Authenticode Fix Enabled Zloader Attacks

January 7, 2022  |  Volume XXIV - Issue #02

Top of the News


2022-01-05

FTC Says Companies Could Face Legal Action for Failing to Mitigate Log4j Vulnerabilities

In a blog post, the US Federal Trade Commission warns, “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The article cites the Equifax case, in which the company failed to patch a known vulnerability, exposing personal information of 147 million people. Equifax ended up paying $700 million to settle various legal actions.

Editor's Note

While some may pooh-pooh the FTC’s cybersecurity-related actions, it is telling that many attempts have been made by private industry to challenge their authority to do so. SANS gave the FTC a Difference Maker’s award in 2013 and the justifications for that award have held up over the years: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.”

John Pescatore

The FTC doesn’t want history to repeat itself. While a company could accept the risk of not addressing Log4j vulnerabilities, the FTC wants them to know that both the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission Act have specific directions to mitigate known software vulnerabilities. Long story short: update Log4j wherever you’re using it, make sure you’ve deployed your vendor updates, use a properly configured WAF if you can, monitor activity, and document actions taken.

Lee Neely

Organizations should not see this as a one-off vulnerability and should invest in building a program to track assets, vulnerabilities, and patches. Vulnerability management is hard, it is a process, and there is no end state. Implementing lessons learned from Log4j, like those learned during the Struts2 vulnerability that affected Equifax, will be ideal for your organization when the next big vulnerability is inevitably disclosed.

Jorge Orchilles

On the Log4j issue, I am not sure how the FTC enforcement will fully happen. There are going to be a fairly large number of systems in which the actual code doesn't exist, won't compile, and is mission critical. I would imagine that this sets a very bad precedent, overall, but it's not unexpected. We have been talking about regulation for years, and if the larger community does not regulate itself, someone else will. This is also compounded by the fact that Log4j may not even show up in the dependency chain directly but as a sub-dependency. We need to watch this carefully as this could start rolling downhill to the next “Exchange Vulnerability” that is not patched in time.

Moses Frost

2022-01-06

Attackers Exploiting Known Windows Vulnerability to Drop ZLoader

Hackers are exploiting a known vulnerability in Microsoft’s code signing process to install ZLoader malware. The campaign was first detected in November 2021. It uses legitimate remote monitoring and management software to gain initial access to the machine, and then uses a modified dynamic link library (DLL) file to install the malware. Microsoft released a fix for the vulnerability in its code signing process, Authenticode, in 2013. The fix was initially going to be pushed out to all users, but Microsoft decided to make it optional because of the risk of a high level of false positives.

Editor's Note

It's easy to cast shade at Microsoft, but they're right - this has an extremely high risk of false positives in many (if not most) environments. Even given the news of active use of the vulnerability, knee-jerk implementation of fixes risks impacting system availability. It's important to put this in context. This vulnerability does NOT allow threat actors access to systems. It only allows them to bypass intended code signing security checks *after* they've already accessed a system, meaning threat actors have already bypassed at least some security controls. To use a circus analogy, carefully consider whether enabling an additional safety net is worth blindfolding the trapeze artists. If you're not sure and projected impacts are high, perform extensive testing first.

Jake Williams

There are currently two mitigations. Either apply the Microsoft Authenticode fix to check certificate padding, with the caveat that it causes some installers to be tagged with an invalid signature, or disable mshta.exe, which is how the embedded scripts are executed, provided you’re not using it in your environment.

Lee Neely
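The two mitigations in the note above, as an added PowerShell audit script that is not from the newsletter, Microsoft or Check Point: it reads the EnableCertPaddingCheck value under the Wintrust\Config registry keys that Microsoft's MS13-098 guidance names, sets it to the string "1" only when run with the assumed -Enable switch, and reports whether mshta.exe is present. The switch name, the output wording and the script layout are this example's own assumptions.

```powershell
# Added example (not the newsletter's, Microsoft's or Check Point's code): audit, and
# optionally enable, the Authenticode certificate-padding check, then report on mshta.exe.
# Registry path and REG_SZ value "1" follow Microsoft's MS13-098 guidance; the -Enable
# switch name is this script's own assumption. Run from an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Enable)

$paths = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit processes on 64-bit Windows read the WOW6432Node view, so both keys matter
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
}

foreach ($path in $paths) {
    $current = (Get-ItemProperty -Path $path -Name EnableCertPaddingCheck -ErrorAction SilentlyContinue).EnableCertPaddingCheck
    $state = if ($current -eq '1') { 'ENABLED' }
             elseif ($null -eq $current) { 'NOT SET (default: padding is not checked)' }
             else { "SET TO '$current' (only the string 1 enables the check)" }
    Write-Output "$path : EnableCertPaddingCheck $state"

    if ($Enable -and $current -ne '1' -and $PSCmdlet.ShouldProcess($path, 'Set EnableCertPaddingCheck = "1"')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # The value must be the REG_SZ string "1", not a DWORD
        New-ItemProperty -Path $path -Name EnableCertPaddingCheck -Value '1' -PropertyType String -Force | Out-Null
        Write-Output '  -> enabled; re-test your installers, since some will now report an invalid signature'
    }
}

# Second mitigation from the note: the campaign runs its embedded scripts through mshta.exe.
# This only reports whether the binary is present and how its own signature verifies;
# blocking it is an application-control decision (AppLocker/WDAC) to take if nothing in
# your environment depends on it.
$mshta = Join-Path $env:SystemRoot 'System32\mshta.exe'
if (Test-Path $mshta) {
    $sig = Get-AuthenticodeSignature -FilePath $mshta
    Write-Output "mshta.exe present at $mshta, signature status: $($sig.Status)"
} else {
    Write-Output 'mshta.exe not present in System32'
}
```

Run it without arguments to see the current state on a host; run it with -Enable -WhatIf to see which keys would be changed, and with -Enable to apply the change. Because the padding check can flag legitimately signed installers as invalid, roll it out to a test group first, as the notes above recommend.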

While this particular attack is to run unsigned DLLs, I would like to highlight that leveraging Microsoft signed binaries, scripts, and libraries (LOLBAS) has been around for some time and was highlighted in the RSAC keynote by SANS in 2020, The Five Most Dangerous New Attack Techniques: https://www.sans.org/blog/the-five-most-dangerous-new-attack-techniques/. The LOLBAS project is maintained here: https://lolbas-project.github.io/

Jorge Orchilles

2022-01-06

VMware Releases Fixes for Heap Overflow Flaw

VMware has issued updates for a heap overflow vulnerability that could be exploited to execute arbitrary code. The vulnerability affects the CD-ROM device emulation in ESXi versions 6.5, 6.7, and 7.0; Workstation versions 16.x; and Fusion versions 12.x. There is currently not a fix available for ESXi 7.0.

Editor's Note

Initially, I considered mitigating this issue by removing the CD-ROM device from workstations. But keep in mind that it is needed, for example, to install and update VMware Tools. For VMware Fusion and VMware Workstation, you will likely not even have to upgrade. The fixed versions were released late last year (Workstation: Oct 14th, Fusion: November 18th).

Johannes Ullrich

If you cannot apply the patch, or it’s not available, the workaround is to remove unused hardware from virtual machines. Note they need to be shut down to do this. It’s not a bad idea to make sure that you’ve removed unused hardware which may have been added for testing or some other long-forgotten purpose.

Lee Neely

We constantly see unpatched ESXi and unpatched vCenter in almost every customer environment on premises. The problem isn't getting better – it’s getting far worse. Many companies that have a good desktop and server vulnerability management strategy fall flat in this regard. Patch where you can, segment where you cannot. We still see 6.5, 6.7, and 7.0. It would also be relevant for many in the security industry to patch their workstation builds.

Moses Frost

The Rest of the Week's News


2022-01-06

Attackers Exploit Google Docs Bug to Send Phishing eMails

In a report, researchers from Avanan describe how attackers have been exploiting a flaw in Google Docs comments to send phishing emails. The attacks have primarily targeted Outlook users.

Editor's Note

This is a good issue to include in awareness training. Just because an email originated from a "trusted" entity like Google, or a link is located on Google Docs, doesn't mean it is safe.

Johannes Ullrich

When you add a comment to a Google Doc which has an “@” reference to the user, regardless of the source of that document, an email is sent to the user, including any malicious links or text in the comment, with a Google originating email address, making it feel trusted/legitimate. If you’re using URL rewriting tools, make sure all external email is in scope. Make sure that your endpoint or perimeter protections include blocking/denying uncategorized and malicious website access. At its core, protection still depends on user hygiene: not clicking unrecognizable links and being sure the comments are truly from a document they are collaborating on with a recognized partner.

Lee Neely

Google has been slow to address this attack vector, which I think dates back as far as August 2020. This is one of those features that carry risks that can in many, probably most, cases be way more damaging than the benefit of the feature. Kinda like is anyone really missing Adobe Flash?

John Pescatore

2022-01-06

Honda Y2K22 Navigation System Clock Bug Might Not be Fixed Until August

A bug in the navigation system clocks used in some Honda and Acura vehicles caused the clocks to reset to 2002 on January 1, 2022. The issue appears to affect vehicle models from 2004 through 2012. Some vehicle owners were told that the problem would not be fixed until August.

Editor's Note

Software development needs to consider the time a particular system is supposed to be in operation, and the entire life cycle should be considered. As cars adopt more “smart” features, it is important to remember that cars are expected to stay operational for 10+ years, unlike smart phones which are often considered obsolete in less than half that time. Simple bugs like this Honda Y2K22 issue do not make me feel very good about how well systems like smart phone integration APIs will perform 10 years from now.

Johannes Ullrich

It is easy to overlook the capacity of a variable being exceeded, in this case a signed int32, which cannot hold the date string for January 1, 2022. We should have learned this 22 years ago and documented these constraints, or better still chosen alternatives not subject to the limitations. Take a quick look through your application inventory to make sure you address systems with Y2K22 issues. One hopes that any Honda subscription services tied to the navigation systems will refund the charges until the issue is resolved.

Lee Neely
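The int32 limit in the note above, worked through as an added PowerShell example that is not from the newsletter or Honda. It assumes the timestamp is packed as the ten decimal digits yyMMddHHmm (the newsletter does not say how Honda encodes the date, so this layout is an assumption), shows that 2021-12-31 still fits a signed 32-bit integer while 2022-01-01 does not, and shows what a truncating 32-bit store leaves behind. The function names are this example's own.

```powershell
# Added example (not the newsletter's or Honda's code): why a packed decimal timestamp
# stops fitting a signed int32 on 1 January 2022. The yyMMddHHmm layout is an assumption.
function Get-PackedTimestamp {
    param([Parameter(Mandatory)][datetime]$When)
    # Ten decimal digits yy MM dd HH mm, e.g. 2022-01-01 00:01 -> 2201010001
    [int64]$When.ToString('yyMMddHHmm')
}

function Test-FitsInt32 {
    param([Parameter(Mandatory)][int64]$Value)
    # Signed 32-bit range is -2147483648 .. 2147483647
    ($Value -ge [int32]::MinValue) -and ($Value -le [int32]::MaxValue)
}

function Get-TruncatedInt32 {
    param([Parameter(Mandatory)][int64]$Value)
    # What a C-style store into an int32 keeps: the low 32 bits, reinterpreted as signed
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}

# Constructed sample timestamps: the last minute of 2021 and the first minute of 2022
foreach ($stamp in @('2021-12-31T23:59', '2022-01-01T00:01')) {
    $packed = Get-PackedTimestamp ([datetime]$stamp)
    '{0} -> {1}  fits int32: {2}  truncated to int32: {3}' -f $stamp, $packed,
        (Test-FitsInt32 $packed), (Get-TruncatedInt32 $packed)
}
# 2021-12-31T23:59 -> 2112312359  fits int32: True   truncated to int32: 2112312359
# 2022-01-01T00:01 -> 2201010001  fits int32: False  truncated to int32: -2093957295
```

The second line is the failure mode the note describes: 2201010001 is larger than 2147483647, so a 32-bit signed store silently turns it into a negative number, and whatever the firmware does with that value (here, a clock that reads as 2002) is undefined from the developer's point of view. The defensive fix is the one the note suggests: document the range a field must cover for the product's whole service life and pick a type, or an epoch-based representation, that covers it.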

Wouldn’t it be nice if Honda said “All car loan payments to Honda will be suspended from January to August to make up for the impact to our customers who paid a lot of money to buy our products.”

John Pescatore

2022-01-04

CISA Setting Up Network of State Cybersecurity Coordinators

The US Cybersecurity and Infrastructure Security Agency (CISA) is helping states find and hire cybersecurity coordinators. Because each state has its own IT organizational structure, the coordinators’ jobs will vary. The network of coordinators will communicate with each other to share problem-solving experiences. Thirty-seven coordinators have been hired and five more positions are in the selection process.

Editor's Note

This is a great first step toward helping the "under-resourced counties and municipalities." Here's hoping legislation from Senators Hassan and King enable more collaboration between other agencies (like the National Guard) that may actually bring more resources to the fight.

Christopher Elgee

Make sure you connect with your local CISA coordinator; they are a good contact for bringing resources, such as ransomware remediation, training, assessment tools, and advice at no added charge as they are taxpayer funded. It is easy to forget their mission includes both the public and private sectors.

Lee Neely

I’m excited to read about this as CISA is both taking what appears to be a leading role in helping organize US cyber defenses in one of the most difficult areas to defend, and creating a network for better coordination and sharing. My question: is this attempting to replace functionality with the MS-ISAC, better align with MS-ISAC or fill in a gap? The US government has a reputation for solving problems by creating new organizations instead of improving existing ones.

Lance Spitzner

2022-01-06

Fertility Clinic and Online Pharmacy Both Disclose Information Security Breaches

Fertility Centers of Illinois (FCI) and online pharmacy Ravkoo have both notified current and former patients of data security breaches. FCI became aware of the breach in February 2021 and determined in August that patient data had been accessed. The Ravkoo breach occurred in late September 2021; the company learned a month later that patient data had been accessed.

Editor's Note

In the FCI incident no data was accessed in the electronic health record (EHR) system due to unspecified “security controls.” The disclosure notes that the data for almost 80k current and former patients was accessed in “administrative files and folders.” It seems likely that patient data, whether in scanned paper records or exported EHR data, was placed in locations that were accessible with AD domain logons. In my experience it's also likely that all of this data wasn't actually accessed by threat actors, but the organization lacks the auditing controls to know what specific data was taken so they reported everything in the accessed file shares. This not only increases notification costs, but also likely involved a substantial eDiscovery bill. Organizations handling regulated data should examine their filesystems for copies of regulated data and ensure they have appropriate auditing in place to detect access to that data.

Jake Williams

Beyond testing and securing your primary applications, make sure that any archives or other locations that data is stored are also secured, particularly any systems where you digitized the paper records to get rid of storage rooms full of boxes of them. Remember that plan to save a fortune by moving unused data to low-cost cloud storage? Did you ever get a report on how it would be secured, including a risk assessment? Did you verify the security was as planned?

Lee Neely

2022-01-06

New Mexico, Arkansas Counties Hit with Ransomware

Bernalillo County, New Mexico and Crawford County, Arkansas, are both dealing with ransomware attacks. The Bernalillo County attack began early on January 5, 2022. Some government systems have been taken offline and most government buildings are closed to the public, but emergency services are operational. The Crawford County attack began in late December.

Editor's Note

When responding to a ransomware incident, isolating/shutting down and/or disconnecting affected systems is a good step. Make sure that your forensic team has what they need before wiping disks to reinstall, such as logs or system images so they can work on root cause as well as determine what data may have been exfiltrated. Keep in mind the encryption step is often the last thing done on the way “out the door” as it were.

Lee Neely

Ransomware threat actors often don't get payouts for attacks on municipalities. Attacks on municipalities in 2021 should generally be attributed to inexperience of the specific ransomware operators or desperation - neither of which bodes well.

Jake Williams

I don’t think anyone predicted that we would not see ransomware in 2022. It is here and organizations must train, test, measure, and improve their people, process, and technology to detect and respond to these attacks before impact. We often call this “left of boom” where boom is exfiltration and encryption.

Jorge Orchilles

2022-01-06

Log4j Database Search Tool

A search tool is now available to help navigate the Cybersecurity and Infrastructure Security Agency’s (CISA’s) increasingly unwieldy Log4j database. The list of affected products has grown to nearly 3,000. The emergence of the Log4j vulnerabilities and the degree to which affected products can be difficult to determine have both fed calls for a Software Bill of Materials.

Editor's Note

As we see more data calls of the form “Check the list of affected products against your installed software list,” searchable repositories make that far simpler. Beyond reporting, this is useful for analysis of your current possibly impacted products, using either the hosted or downloadable version of this tool. The data includes notes, references, and links to the vendor advisory/fix guidance.

Lee Neely

2022-01-05

Chrome Update Fixes 37 Security Issues

Google has updated the Chrome browser to version 97.0.4692.71 on the stable channel for Windows, Mac, and Linux. The updated version of Chrome fixes 37 security issues, including a critical use-after-free flaw in Storage.

Editor's Note

Chrome is the gift that keeps giving. Is Chrome the new Flash? According to W3Schools, over 80% of their traffic in 2020 & 2021 was from Chrome, making these rapid updates all the more disruptive. These vulnerabilities can have grave impacts including data corruption or malicious code execution. Bottom line: time to update (again). These fixes also impact Chromium-based browsers (Edge, Brave, etc.). The good news is updates are already available for those browsers and are simply waiting for the user to relaunch their browser.

Lee Neely

Internet Storm Center Tech Corner

A Simple Batch File That Blocks People

https://isc.sans.edu/forums/diary/A+Simple+Batch+File+That+Blocks+People/28212/


Code Reuse in the Malware Landscape

https://isc.sans.edu/forums/diary/Code+Reuse+In+the+Malware+Landscape/28216/


Malicious Python Script Targeting Chinese Language Readers

https://isc.sans.edu/forums/diary/Malicious+Python+Script+Targeting+Chinese+People/28220/


Google Docs Comment Exploit Allows for Distribution of Phishing and Malware

https://www.avanan.com/blog/google-docs-comment-exploit-allows-for-distribution-of-phishing-and-malware


ZLoader Campaign Exploiting Signature Verification Bug

https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/


Google Voice Authentication Scams

https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/oregon-fbi-tech-tuesday-building-a-digital-defense-against-google-voice-authentication-scams


Windows Server Remote Desktop Emergency Update

https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2772


Norton Crypto Miner

https://investor.nortonlifelock.com/About/Investors/press-releases/press-release-details/2021/NortonLifeLock-Unveils-Norton-Crypto/default.aspx


VMware Virtual CD-ROM Vulnerability

https://www.vmware.com/security/advisories/VMSA-2022-0001.html


Honda Y2k22 Bug

https://www.bleepingcomputer.com/news/technology/honda-acura-cars-hit-by-y2k22-bug-that-rolls-back-clocks-to-2002/


Malicious Telegram Installer Includes Purple Fox Rootkit

https://blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit


Web Skimmer Campaign Targets Real Estate Websites

https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/