SANS NewsBites

Singapore Tells Banks to Stop Using Clickable Links in Text Messages; Zoom Fixes Input Validation Flaws That Enabled Zero Click Attacks; Just Like On Servers, Hospitals Have a Problem Patching IoT Devices

January 21, 2022  |  Volume XXIV - Issue #06

Top of the News


2022-01-20

SMS Phishing Campaign Prompts Singapore to Introduce Internet Banking Security Measures

In the wake of an SMS phishing campaign that targeted the Oversea-Chinese Banking Corporation, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are requiring financial institutions to implement security measures. Financial institutions will be required to take clickable links out of text messages and emails sent to customers; set default funds transfer thresholds to SG $100 (US $74); and impose a 12-hour delay for activating mobile software tokens. In a separate story, UnionBank of the Philippines is also adopting stronger security practices to protect its customers from fraud. UnionBank says it will no longer use clickable website links in promotional materials.

Editor's Note

These are interesting security measures in that they really strike at the intersection of confidentiality, integrity, and availability. Here, they're protecting the integrity of the accounts by limiting availability of some features. On the issue of clickable links in text and emails, that train has unfortunately already left the station. While this will definitely stop some cybercrime, it will take some time to get people to adjust to the idea that any clickable link is an attack. That said, this is a gold mine for security awareness. Instead of trying to train users on which links are safe to click (which I think we can all agree has been an abject failure), end users can now be trained that *any* link from participating institutions is an attack. This heuristic will certainly be easier for users to apply reliably and consistently.

Jake Williams

While these are good security measures, they also impact usability and remove the risk-based decision from the individual financial institution. The challenge to the FI is to train users to use alternative, more secure methods, such as non-SMS authentication verification and out-of-band verification for transactions which exceed risk thresholds, to support the expected transaction volume of modern banking users.

Lee Neely

This measure from MAS/ABS along with the Philippines bank to no longer use clickable links in SMS and emails is an interesting strategy. Inconvenient from a user perspective but the extra steps to copy and paste the URL may give the user time to think about what they are about to do. This is, of course, if it does not become a habit.

Jorge Orchilles

Modern email clients (including browsers) and secure web gateways all give some level of protection to users when they click on embedded links in email. SMS messaging does not go through such protection which is why “smishing” is increasing. Until phone number spoofing is stopped or until such protections are available, it is a very good thing to make it clear that no responsible institution would include clickable links in a text message.

John Pescatore

2022-01-20

Zoom Fixes Zero-Click Vulnerabilities

Researchers from Google’s Project Zero have discovered two zero-click vulnerabilities affecting Zoom clients and Multimedia Router Services. The flaws were disclosed to Zoom in October 2021; they were addressed by November 24.

Editor's Note

This is a fantastic write-up exploring the zero-click attack surface of Zoom and the attacker opportunity for client-to-client exploitation. Zoom has fixed these vulnerabilities and significantly improved defenses against future attacks on their servers. Many thanks to Natalie Silvanovich from Google Project Zero for the write-up, and for motivating Zoom to make positive security changes.

Joshua Wright

While I certainly don’t recommend asking board members or CEOs to read the 8 page Google Project Zero blog entry, it is a great example of the complexity of a commonly used service (Zoom) and how a skilled attacker (or pen tester/researcher) with tools and time can keep poking and prodding and find weak spots. In my briefings to boards, the closest analogy I have found that seemed to connect is deer eating my landscaping: they are hungry, devious and have lots of time. If I don’t regularly monitor and mitigate my vulnerabilities, sooner or later the damn things will get in and wreak havoc. And, if someone tells you this software is hacker proof or that deer don’t eat that type of shrub, don’t believe them.

John Pescatore

Make sure you’re pushing out updated desktop clients to your users. If you’re not a Zoom shop, make sure any endpoints with the application installed are also updated; while removing the app in this scenario is tempting, you need to understand the impact and have an exception process to mitigate business impact. If you’ve been ignoring the Zoom update prompt, now would be a good time to click install and relaunch.

Lee Neely

Zoom’s security, their team, and response process to vulnerabilities and threats have come a long way since the start of the pandemic.

Jorge Orchilles

2022-01-20

Report Says Half of IoT Devices in Hospital Settings Contain Critical Vulnerabilities

According to a report from Cynerio, more than 50 percent of Internet-connected medical devices and other IoT devices in hospital settings have critical security issues. The report notes that IV pumps account for 38 percent of hospitals’ IoT footprints, and that 73 percent of those devices have vulnerabilities that could pose a threat to patient safety or expose data. In addition, many departments are running devices that are based on operating systems older than Windows 10.

Editor's Note

Not to downplay these results, but in 2020 a Rapid7 survey showed 80% of Exchange servers were missing critical patches overall and 60% in the healthcare vertical – and those vulnerabilities are much easier to exploit. That said, where lives are at stake, much higher standards are required. The biggest problem is the procurement of devices from vendors who claim they are restricted from patching them, or updating the underlying OS, despite years of FDA guidance saying that is not true.

John Pescatore

As anyone who has worked in healthcare can tell you, this is no surprise. And the “lots of medical equipment has unpatched vulnerabilities and many healthcare providers run legacy operating systems” is evergreen. Given the realities of technology and patient care, we need to start thinking of patient care equipment as operational technology (OT) and segment these networks appropriately. This should be done with the understanding that just like most utilities and manufacturing, healthcare will always have devices on the OT network with known vulnerabilities. Zero trust networking in the patient care networks can help mitigate some risk as well. I'm not advocating giving up on vulnerability management in patient care networks, but I look forward to the day when stories like this stop getting written because there's just no realistic impact.

Jake Williams

Shock and awe numbers like this are hardly useful without context. They sell clicks, but do not promote change. Healthcare IT is a complex multi-stakeholder operation and needs to prioritize resources. Ransomware attacks significantly affected hospital operation and patient safety, but they did not take advantage of IoT vulnerabilities; they may have affected IoT devices, but not due to these vulnerabilities.

Johannes Ullrich

Like OT, these systems need proper segmentation and isolation as patching intervals are infrequent and will not only require regression testing, but also careful scheduling to not impact patients. Consider network layer protections that connect devices to the proper segment regardless of how they are connected. These protections can also be used to auto-quarantine unauthorized or rogue devices.

Lee Neely

Sadly, this isn’t surprising in the slightest. Having worked with many medical orgs, we’ve seen these systems aren’t touched. Often no updates or people looking at the (in)security of these systems. Even if the updates exist, most organizations don’t have the buy-in to perform updates or the staff to manage it (again, buy-in). Ideally, if you’re in a situation like this (no ability to update), segment these systems from others.

Tim Medin

Many, not to say most, of these appliances should not be visible to Cynerio.

William Hugh Murray

The Rest of the Week's News


2022-01-20

SolarWinds Fixes Serv-U Vulnerability

SolarWinds has released updates to address a Serv-U vulnerability that was reportedly discovered when attackers attempted to use a Log4j attack to access the multi-protocol file server. SolarWinds issued fixes for the improper input validation vulnerability earlier this week.

Editor's Note

Input validation must be fundamental for all application development. Don’t solely rely on an external service, as they can be bypassed or misconfigured. Leverage testing harnesses which include fuzzing to ensure you didn’t miss anything.

Lee Neely

Input validation vulnerabilities are to information security as fat/salt/sugar is to nutrition: we could avoid them and be really healthy, but then we would be forced to only eat kale. Validation errors in simple use cases like forms are easily avoidable. In things like queries, not so easy to avoid but modern software testing tools used by skilled testers can find them. After all, the bad guys do just that – vendors need to be driven to be doing more of that before the bad guys.

John Pescatore

This story is interesting because of how the vulnerability was identified.

Jorge Orchilles

The supply chain remains a way for attackers to insert vulnerabilities into many enterprise networks at the same time. Until we begin to hold suppliers responsible for distributing malicious code (does not now seem likely any time soon), consider quarantining supplier updates long enough for malicious code to be detected by others.

William Hugh Murray

2022-01-20

Biden National Security Memorandum Aims to Strengthen National Security Systems

On Wednesday, January 19, US President Joe Biden signed a National Security memorandum that provides details about how the May 20-21 executive order on cybersecurity applies to national security systems. The memo authorizes the National Security Agency (NSA) to issue binding operational directives that require federal agencies to take certain steps to mitigate threats to national security systems. The memo also directs the NSA to collect reports regarding incidents affecting national security systems.

Editor's Note

There was a lot of discussion in the EO about cross domain solutions (CDS) that are used to segment networks of different sensitivities (typically different levels of classification) and only allow specific data types/content to flow in each direction. Commercially, similar systems (often termed "data diodes") are used to separate some IT and operational technology (OT) networks.

Jake Williams

NSS systems are already held to a higher standard than unclassified systems, particularly cross domain components which require specific certifications and validations before they are authorized to operate. These systems are isolated and have many controls on how information enters or exits them. Care must be taken to not introduce impractical requirements which may cause a loosening of existing security measures.

Lee Neely

2022-01-20

CISA Insights Document Published in Response to Ukraine Attacks

The recent cyberattacks against targets in Ukraine have prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to publish an Insights document urging organizations to bolster their cybersecurity. The document urges organizations to reduce the likelihood of a damaging cyber intrusion; take steps to quickly detect a potential intrusion; ensure that the organization is prepared to respond if an intrusion occurs; and maximize the organization's resilience to a destructive cyber incident.

Editor's Note

A nice list of common-sense steps to take. They will protect you against many common attacks. If a new article about Ukraine can get you management attention and funding, don't let the crisis go to waste! Pick one item that you had difficulties getting resources for (e.g. 2FA for VPNs is one of my favorites, something you should be doing anyway).

Johannes Ullrich

2022-01-18

Cooperative International Effort Takes Down VPNLab Infrastructure

Law enforcement authorities have seized and/or disrupted the servers that were used to host the VPNLab<dot>net service. The service has been used by actors to facilitate criminal activity, including spreading ransomware. The takedown was a joint effort of law enforcement authorities from Europe and the US.

Editor's Note

It's important to note that this isn't just a service that was used by cybercriminals (I'm confident that pretty much every public VPN service is used by cybercriminals at some point). VPNLab was designed for use by and marketed to cybercriminals, a significant difference.

Jake Williams

Always happy to hear collaboration, takedown, and ransomware in the same story. Kudos to the law enforcement working across borders as we all work together to fight the ransomware threats.

Jorge Orchilles

2022-01-20

Information Disclosure Bug Affects Safari and iOS

An information disclosure bug in Safari and iOS is a violation of the same-origin policy. The issue has been present since the release of Safari 15 and iOS and iPadOS 15 in September 2021. A nosy website could obtain information about other tabs a user has open.

Editor's Note

This is a serious, easily exploitable, vulnerability. Apple will hopefully release a patch shortly (a release candidate was made public yesterday). The underlying WebKit vulnerability was patched this week, but to update iOS/macOS, a patch from Apple is required.

Johannes Ullrich

This vulnerability in Safari leaks information about the websites you visit. Private mode browsing helps, but does not fully mitigate this flaw. Compared to other browser same-origin policy bypass vulnerabilities, this one is mild, but it still warrants rapid patching due to the ease of attacker exploitation.

Joshua Wright

The flaw can be used to discover the names of services used, not their content. The fix requires an update to WebKit, which means all browsers used in iOS or iPadOS are vulnerable. Apple has not released a date for the update, but has reportedly made the necessary fixes and marked the issue closed, so I expect the next patch cycle to include it.

Lee Neely

2022-01-20

Cisco Fixes Critical Flaw in RCM for StarOS

Cisco has released updates to address multiple vulnerabilities in Cisco Redundancy Configuration Manager (RCM) for its StarOS Software. One of the flaws is a critical issue in the StarOS debugging service that could be exploited to “allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container.”

Internet Storm Center Tech Corner

Phishing E-Mail With an Advertisement

https://isc.sans.edu/forums/diary/Phishing+email+withan+advertisement/28250/


0.0.0.0 in Emotet Spambot Traffic

https://isc.sans.edu/forums/diary/0000+in+Emotet+Spambot+Traffic/28254/


Linux Patch to Make 0.0.0.0/8 Routable

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=96125bf9985a


RedLine Stealer Delivered Through FTP

https://isc.sans.edu/forums/diary/RedLine+Stealer+Delivered+Through+FTP/28258/


Crypto.com 2FA Bypass

https://threatpost.com/2fa-bypassed-crypto-com-heist/177846/


Windows Policies to Avoid

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/why-you-shouldn-t-set-these-25-windows-policies/ba-p/3066178


Linux Kernel Privilege Escalation / Container Escape

https://seclists.org/oss-sec/2022/q1/54

https://access.redhat.com/security/cve/cve-2022-0185


Google Camera Alters QR Codes

https://www.heise.de/hintergrund/Googles-Kamera-verfaelscht-Links-in-QR-Codes-6332669.html

https://www.androidpolice.com/google-camera-randomly-changes-some-qr-code-urls-on-android-12/


WebKit Patch for Cross Origin Database Name Leak

https://trac.webkit.org/changeset/288078/webkit


ACER Care Center Privilege Escalation

https://aptw.tf/2022/01/20/acer-care-center-privesc.html


Improper Input Validation Vulnerability in Serv-U

https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247


Virustotal Credential

https://www.safebreach.com/blog/2022/the-perfect-cyber-crime/


Oracle Quarterly Critical Patch Update

https://www.oracle.com/security-alerts/cpujan2022.html


Box MFA Bypass

https://www.varonis.com/blog/box-mfa-bypass-sms