SANS NewsBites

Microsoft Vulnerability Tuesday Includes Patch for Wormable Flaw; Recent Events Raise Risks of Attacks from Russian Hackers; Prioritize Mitigating Microsoft Windows RDP Vulnerability

January 14, 2022  |  Volume XXIV - Issue #04

Top of the News


2022-01-12

Microsoft Patch Tuesday Includes Fix for Wormable Vulnerability

On Tuesday, January 11, Microsoft released fixes for nearly 120 security issues. Nine of the vulnerabilities are rated critical and six were previously disclosed. Microsoft has also noted that one of the flaws fixed this month is “wormable,” meaning it can spread without user interaction.

Editor's Note

This is the second wormable vulnerability in http.sys in 12 months. CVE-2021-31166, patched last May, was never widely exploited and, aside from some PoC exploits leading to denial of service, no actual remote code execution exploit was published. Exploit mitigation techniques in kernel mode drivers make exploitation difficult and may buy us some more time in this case as well. Little detail has been published so far about this vulnerability.

Johannes Ullrich

The combination of disclosure and the RCE flaw in the HTTP stack means attackers are going to be working to discover unpatched systems and exploit them. Don’t make it any easier by neglecting to apply the entire bundle of patches, including the updates for Chromium Edge.

Lee Neely

The term “wormable” gains more visibility for quicker patching. The versions of Windows that have this feature enabled by default vary. More details on the ISC post below.

Jorge Orchilles

2022-01-11

CISA, NSA, and FBI Warn Russian Hackers Targeting US Critical Infrastructure

In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI have warned that Russian state-sponsored cyberthreat actors are targeting US critical infrastructure entities. The advisory includes technical details about the activity as well as mitigations for organizations to implement.

Editor's Note

The bulletin explains what these threat actors target and how you can mitigate the risks. Don’t limit your scope of mitigations to just these products. Make sure that you’re keeping hardware and software updated, that MFA on your entry points is comprehensive, and that monitoring is working as expected; verify your incident reporting chain. Now execute penetration tests to verify you’re not missing details.

Lee Neely

Critical infrastructure being targeted isn't anything new. But increased tensions with Russia may lead to an increase in activity. Not all that activity may be tightly coordinated, but historically, “hacktivist” groups often get involved. Also see the story below about attacks against Ukrainian government websites last night.

Johannes Ullrich

This, like activities in Ukraine, is notable because of the current situation: Russian state actors are likely to express displeasure online.

Christopher Elgee

It is interesting to note other countries, such as the UK, are also issuing similar alerts. Given today’s interconnected world and our dependencies on supply chains, every organization, whether you are located in the US or the UK, should take heed of these alerts and act on the threat intel within them. https://www.ncsc.gov.uk/news/ncsc-us-partners-promote-understanding-mitigation-russian-state-sponsored-cyber-threats

Brian Honan

For those who are actively involved in CTI or protecting against these specific threat actors, there is nothing radically new in these reports. However, joint reports like these are extremely helpful for several reasons. First, because it is a joint report from CISA, NSA and FBI, organizations don’t have to dig around different sites and dig out key information: it’s all provided to them by a combined trusted authority. Second, the report makes it very simple to understand who the threat actor is, the TTPs (mapped to the MITRE ATT&CK model) and what to do. Quite often the problem in cybersecurity is NOT lack of information, but being overwhelmed by information, data points and recommended actions. Reports like these cut through the noise and provide a single, actionable source. That is what I feel is a key role of government guidance, to help make cybersecurity easier for organizations to act on.

Lance Spitzner

2022-01-12

Windows Remote Desktop Protocol Vulnerability

A recent CyberArk blog post by Gabriel Sztenjworcel explains how named pipes used by RDP sessions can be abused to gain file system access on client machines, view and modify clipboard data, and intercept smartcard data. The exploit takes advantage of RDP Virtual Channels: some carry the main RDP graphical and input data and are connected to the remote desktop service, while others, such as clipboard and printer redirection, are handled by separate processes. Virtual channel data is passed between these processes using named pipes. Exploitation doesn’t require privileges, just access to the RDP server. Microsoft released a patch for CVE-2022-21893 on January 11th.

Editor's Note

This is the biggest news of the week that honestly isn't getting enough attention. If you're running legacy RDP servers, don't miss out on this one. While the CyberArk advisory says the vulnerability extends all the way back to Server 2012R2, Microsoft is pushing patches for Windows 7 and Server 2008R2 through its extended security updates (ESU) channel for those who are subscribers. If you are running RDP on a legacy server and aren't getting patches, make sure you understand the threat. If the threat actor has access to the server, they can retrieve files from any connected client (e.g. the systems admin) and certainly use that to gain code execution on the remote client's machine. The threat actor need not have full control of the RDP server either; they only need an authenticated RDP client. Finally, given the verbosity of CyberArk's writeup, we should expect threat actors to weaponize this vulnerability quickly. These "client to client" and "server to client" exploitation channels are unusual and likely aren't in the threat model of most organizations. Make sure they become part of yours.

Jake Williams

This isn't a "huge" vulnerability, as it requires two users being connected (and authenticated) to the same RDP server. But it is interesting and should be patched quickly as it could easily be used to elevate privileges after obtaining a low privilege account.

Johannes Ullrich

The attack leverages the FIFO behavior of named pipes, allowing an attacker to create a new pipe with the right name which will be used by a new connection before the one created for that connection. This exploit impacts at least Windows Server 2012 R2 forward. Apply the RDP patch from Microsoft. Make sure you’re not directly exposing RDP to the Internet. Monitor RDP servers to make sure that unexpected activity is not occurring. If you’re developing applications which use virtual channels, make sure they are also not subject to a similar compromise.

Lee Neely

The Rest of the Week's News


2022-01-13

Microsoft Pulls Windows Server Updates After Users Report Problems

Microsoft has pulled Windows Server updates it released on Patch Tuesday after users reported that they were causing problems. The update reportedly breaks Hyper-V and causes domain controllers to keep rebooting.

Editor's Note

Microsoft has been on a months-long bad streak of being in the news for failed patches or needing to push out patches for software vulnerabilities (like the Y2K22 issue) that should have been easily avoided or detected pre-release. It would be good to see Microsoft publish some analysis to see if this is just a random concentration of issues or if something systemic at Microsoft needs to be addressed.

John Pescatore

Make sure you’ve pulled these from the list of patches you’re pushing out. Be prepared to roll back KB5009624, KB5009546 and KB5009557 (Server 2012R2, 2016 and 2019 respectively). Even big shops like Microsoft can have QA issues; kudos for responding and pulling these back. Note to self: make sure code you tested/created in 2021 isn’t subject to Y2K22 issues, retest now.

Lee Neely

2022-01-11

SonicWall Issues Fixes for Flaws in SMA 100 Series Devices

SonicWall has released updates to address several vulnerabilities in its Secure Mobile Access 100 series of devices. The most critical of the vulnerabilities is a stack-based buffer overflow issue that could be exploited to allow unauthenticated remote code execution.

Editor's Note

The update from SonicWall was published a month ago; make sure you’ve installed it. Make sure your edge devices are at the top of your security update list. The report from Rapid7 will fuel the fire of attempted exploitation. The flaw is also present in the SMA 200, 210, 400, 410 and 500v products.

Lee Neely

2022-01-12

Maryland Dept. of Health Confirms Ransomware Attack

The Maryland Department of Health has acknowledged that their IT systems were hit with a ransomware attack in early December. Maryland CISO Chip Stewart says they have not paid a ransom. The December 4 attack was initially described as a network security breach. The department is still recovering.

Editor's Note

The MDH is following their COOP plan, purchasing and deploying replacement systems smoothly and according to that plan. Make sure that your plan can be as smoothly executed; be sure to consider the impact of supply chain challenges similar to what we have faced recently.

Lee Neely

Another NewsBites, another reported ransomware attack. This threat is not going away and impacts most organizations. There are many resources to ensure your organization is prepared. Here is a recent relevant article/interview: Repelling A Ransomware Attack: 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack: https://medium.com/authority-magazine/repelling-a-ransomware-attack-bryson-bort-of-scythe-on-the-5-things-you-need-to-do-to-protect-b8ff7f990a1b

Jorge Orchilles

2022-01-11

CISA Adds Known Exploited Vulnerabilities to Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 new entries to its Known Exploited Vulnerabilities Catalog. CISA is directing federal civilian agencies to remediate three of the vulnerabilities – a VMware vCenter Server improper access control vulnerability, a Hikvision improper input validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability – by January 24. The remaining 12 vulnerabilities must be remediated by July 10.

Editor's Note

BOD 22-01 requires agencies to review the catalog making sure that they don’t have any unmitigated software as well as report the results of the review and mitigation status. The catalog includes mitigation due dates agencies must meet. As this catalog is expected to continuously update, this review and report cycle will need to be operationalized and hopefully properly funded. For those in the private sector, a regular scan of the catalog to see if you’ve got any gaps in your current mitigations would be a good practice.

Lee Neely
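The regular catalog check recommended above, as an added example that is not CISA's tooling or code from the newsletter. It assumes a constructed sample in the shape of the KEV JSON feed (same entry field names as the published feed, but the CVE ids are placeholders, not the real identifiers of the entries in the story) and a constructed list of open CVEs from a scanner, and reports which open findings are in the catalog, their BOD 22-01 due dates, and whether each is overdue.

```python
"""Check open scanner findings against KEV catalog due dates (added example)."""
import json
from datetime import date

# Constructed stand-in for the KEV feed: same shape and field names as the
# published JSON, but placeholder CVE ids. Due dates mirror the story
# (three entries due 2022-01-24 style, the rest 2022-07-10).
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities Catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "VMware",
         "product": "vCenter Server", "dateAdded": "2022-01-10",
         "vulnerabilityName": "Improper access control",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-01-24"},
        {"cveID": "CVE-0000-00002", "vendorProject": "Hikvision",
         "product": "Security cameras web server", "dateAdded": "2022-01-10",
         "vulnerabilityName": "Improper input validation",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-01-24"},
        {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2022-01-10",
         "vulnerabilityName": "Placeholder entry with a six-month due date",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-07-10"},
    ],
})


def load_kev(text):
    """Index KEV-format JSON text as {cveID: entry}."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def kev_gaps(kev, inventory_cves, today):
    """Return open inventory CVEs that are in the catalog, soonest due first.

    `today` is a date or an ISO date string; each result carries the
    vendor/product, the due date, days left (negative when past) and overdue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    gaps = []
    for cve in sorted(set(inventory_cves)):
        entry = kev.get(cve)
        if entry is None:
            continue  # not in the catalog; falls under normal prioritisation
        due = date.fromisoformat(entry["dueDate"])
        gaps.append({"cve": cve, "vendor": entry["vendorProject"],
                     "product": entry["product"], "due": due,
                     "days_left": (due - today).days, "overdue": today > due})
    gaps.sort(key=lambda g: g["due"])
    return gaps


if __name__ == "__main__":
    # Constructed scanner output: CVEs still open in the environment.
    open_cves = ["CVE-0000-00003", "CVE-0000-00001", "CVE-0000-09999"]
    for g in kev_gaps(load_kev(KEV_SAMPLE), open_cves, "2022-01-14"):
        state = "OVERDUE" if g["overdue"] else f"{g['days_left']} days left"
        print(f"{g['cve']} {g['vendor']} {g['product']}: due {g['due']} ({state})")
```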

2022-01-12

Threat Actors Exploiting Cloud Services to Deliver RATs

Researchers from Cisco Talos have discovered a malware campaign that leverages public cloud infrastructure, like Amazon Web Services (AWS) and Azure Cloud Services, to spread three different remote access trojans (RATs). The campaign was first detected last fall.

Editor's Note

With the adoption of cloud services, most organizations are establishing trust relationships with service providers which can exceed, or cannot be limited to, the scope of subscribed services, allowing a direct path to malware stored there. Block access to the indicated domains, verify trust relationships are only in place for approved services, make sure both perimeter and endpoint protections are active and working, monitor for malicious activity.

Lee Neely

2022-01-13

GAO Report on Federal Response to SolarWinds and Microsoft Exchange Incidents

The US Government Accountability Office (GAO) released a report on the federal response to the SolarWinds and Microsoft Exchange incidents. The “GAO's objectives were to (1) summarize the SolarWinds and Microsoft Exchange cybersecurity incidents, (2) determine the steps federal agencies have taken to coordinate and respond to the incidents, and (3) identify lessons federal agencies have learned from the incidents.”

Editor's Note

The report met the first two objectives very well but is really weak on the lessons learned and recommendations. In general, the report focuses almost completely on response and not at all on detection/prevention in the period between when the compromised SolarWinds software was active but before private industry notifications came out. After 8 years of spending on Continuous Diagnostic and Mitigation solutions, not a single mention of CDM in the report. Some IG audits have started to focus more on threat hunting and active testing. I’d really like to see GAO reports like this focus on proactive detection and prevention actions at least equally to reactive post-compromise response.

John Pescatore

The report is big on response and coordination and highlights what did and didn’t work after the incidents. What is missing is steps agencies can take for improved detection and to mitigate the likelihood of recurrence. Make sure that your logging is sufficient in retention and separation to support forensic activities, that you have comprehensive detection and response systems, and you’ve verified your playbooks are operating properly. Reach out to your peers to keep that relationship current and healthy.

Lee Neely

I would add supplier accountability. The more privileged or powerful a process or user, the more important as a control is accountability.

William Hugh Murray

2022-01-12

Pegasus Spyware Found on El Salvadoran Journalists’ Devices

Digital rights organizations Citizen Lab and Access Now have published a report detailing their investigation into the use of NSO Group’s Pegasus spyware against journalists and civil rights activists in El Salvador.

Editor's Note

This is sadly unsurprising and continues to highlight that either NSO is incapable of policing its customers or (more likely) no commercial spyware company can ensure its software isn't abused.

Jake Williams

The report sets the stage and background which led to the use of the spyware in that country and provides context for those actions. While these efforts currently target journalists and the NSO infection vector is a zero-click attack path, we still need to be vigilant: keeping our devices fully updated, keeping them under our control, removing unneeded or unused applications, using loaner devices for high-risk situations and using caution with links and attachments.

Lee Neely

2022-01-14

Several Ukrainian Government Websites Compromised

On Friday, January 14, several Ukrainian government websites were defaced with identical threatening messages in Russian, Ukrainian and Polish. These defacements come after tensions between Ukraine and Russia escalated the day before.

Editor's Note

These types of defacements are often the work of hacktivists and it is not clear at this point if these attacks abused a specific vulnerability common to these websites.

Johannes Ullrich

While it isn't yet clear whether this is a state-affiliated attack, many have noted that the arrest of REvil ransomware operators may be top cover to get media attention away from these defacements. At this point, there's no clear connection between these events. Kim Zetter reported that these attacks used a known CMS vulnerability, well within the reach of any script kiddie or hacktivist.

Jake Williams

While this isn't new, it is news because of the timing. With cyber attacks on top of land and sea posturing (strikingly reminiscent of 2014!), Ukraine and its allies have plenty of justification for concern.

Christopher Elgee

While it can be argued that with sufficient time and resources any target can be compromised, don’t make it any easier than it has to be. Keep your services patched, make sure that only authorized accounts have access, and that you’re using MFA for authentication.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Patch Tuesday - January 2022

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+January+2022/28230/


MSFT Patch Issues

https://borncity.com/win/2022/01/12/patchday-windows-8-1-server-2012-r2-updates-11-januar-2022-mgliche-boot-probleme/

https://support.microsoft.com/en-us/topic/january-11-2022-kb5009624-monthly-rollup-23f4910b-6bdd-475c-bb4d-c0e961aff0bc

https://support.microsoft.com/en-us/topic/january-11-2022-kb5009595-security-only-update-060870c2-ad08-40e5-b000-a9f6d40c0831


A Quick CVE-2022-21907 FAQ

https://isc.sans.edu/forums/diary/A+Quick+CVE202221907+FAQ+work+in+progress/28234/


Qakbot Configuration Decryptor

https://github.com/drole/qakbot-registry-decrypt


Android allows Disabling 2G

https://www.bleepingcomputer.com/news/security/android-users-can-now-disable-2g-to-block-stingray-attacks/


Nanocore, Netwire and AsyncRAT Spreading Campaign Uses Public Cloud Infrastructure

https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html


Adobe Updates

https://helpx.adobe.com/security.html


Jenkins Security Advisory 2022-01-12

https://www.jenkins.io/security/advisory/2022-01-12/


Details Released Regarding Patched SonicWall Vulnerabilities

https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/


iOS/iPad OS Fixing HomeKit Vulnerability / Private Relay issues

https://support.apple.com/en-us/HT201222

https://www.macrumors.com/2022/01/12/apple-icloud-private-relay-ios-15-2/


Attacking RDP From Inside

https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside


Weakness in Microsoft Defender

https://twitter.com/splinter_code/status/1481073265380581381