SANS NewsBites

Warn Users of the Risks of Malicious QR Codes; Patch Rust and Then Check Your Other Apps for Similar Flaws; IRS Moves to Facial Recognition to Secure Online Accounts from Attackers

January 25, 2022  |  Volume XXIV - Issue #07

Top of the News


2022-01-24

FBI Warns of Malicious QR Codes

The FBI’s Internet Cyber Crime Center (IC3) has published a public service announcement warning that “Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.” The PSA includes tips for users to protect themselves, which include not downloading apps from QR codes and not making payments on sites that have been navigated to with a QR code.

Editor's Note

Data from independent sources usually show QR code usage is pretty low, in the 5-10% of users, though the QR code industry shows much higher numbers. Good to warn users that QR codes are just like clickable links in email or text message – may have some convenience but carries risk. I think more importantly: never download a random app to read QR codes. If the camera app in your device doesn’t do QR codes, just don’t use them.

John Pescatore

Treat QR codes like any other clickable link; only scan trusted codes. The native iOS and Android apps provide a pop-up with the site referenced by the QR code; if you’re not familiar with the site, don’t proceed. There is often an alternative to using the provided QR code. For example, many restaurants are now primarily providing menus by QR code, even so, they still have physical menus for those who don’t have a smartphone or are uncomfortable with the link.

Lee Neely

While QR codes have been around for quite a while it was not until the pandemic hit that their use became more mainstream and people more familiar with using them. This is a good example of cybercriminals taking advantage of growing popularity in technology solutions and why cybersecurity pros need to keep abreast of how technologies are being utilized and subsequently abused so they can ensure the appropriate controls are in place.

Brian Honan

I do not believe that it is helpful to tell users not to download apps using QR codes. Too often, there are legitimate apps that are offered via QR codes. But users should be considering what they are downloading, and where they are finding the QR code. The alternative, offering short URLs for users to type in, has the same problems as QR codes.

Johannes Ullrich

QR code adoption has increased since the pandemic; everyone knows how to scan a QR code at a restaurant. Unfortunately, this convenience is being exploited to direct end users to malicious sites. Count this as another feature that requires user awareness training.

Jorge Orchilles

2022-01-23

Rust Update Addresses High-Severity Vulnerability

An update for the Rust programming language fixes a bug that could be exploited to delete files and directories from unpatched systems. According to the security advisory, the issue affects Rust versions 1.0.0 through 1.58.0; the maintainers have released Rust version 1.58.1 to address the flaw.

Editor's Note

This vulnerability is an interesting race condition, but can only be useful if an unprivileged user is calling a privileged (e.g. setuid/setgid) program. The sky is certainly not falling with this one, but there are two key takeaways from the example. First, TOCTOU (time of check/time of use) vulnerabilities are all over the place in code. Many Windows kernel vulnerabilities are TOCTOU. If you run an SDLC program, ensure you educate your developers on how to write code resistant to TOCTOU bugs. With increasing numbers of processing cores on our systems, these are especially problematic in multithreaded applications. The second takeaway is that vulnerabilities aren't going away. Rust is widely celebrated for its security in defeating memory related bugs. But no programming language is immune to logic flaws such as race conditions and this is a primary example of that in action.

Jake Williams

This was due to a time-of-check/time-of-use race condition, which may not always work. Updating to version 1.58.1 is the fix, as adding code to check prior to calling the “remove_dir_all” function will not mitigate the problem as those calls will also be subject to the same race condition.

Lee Neely

On a penetration test, vulnerabilities like this usually fall into the “I didn't know we had that!” category. If you aren't small/technical enough to maintain full inventories with scripts and elbow grease, it may be time to invest in an automated solution. Not sure it's worth the time/money spend? How long did it take you to find all the Log4J in your environment?

Christopher Elgee
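
The two notes above make one point worth seeing in code: a check performed on a path (lstat, "is this a real directory?") says nothing about what a later call on the same path will touch, so wrapping remove_dir_all in a pre-check does not close the race. The defensive pattern is to open first and then validate the handle you actually hold, comparing its (device, inode) identity against what the check saw, and to do all further work on that handle rather than on the path. The Rust below is an added illustration of that pattern, not code from the Rust project or from the 1.58.1 fix; it uses only std, assumes a Unix host, and the function names (check_is_dir, open_matching, scratch_dir) and temp-directory layout are this example's own. It demonstrates the identity check alone; the upstream fix goes further by performing the directory walk and unlinks relative to open directory handles, which stable std does not expose directly.

```rust
use std::fs::{self, File, Metadata};
use std::io;
use std::os::unix::fs::MetadataExt; // dev() and ino() on Unix metadata
use std::path::{Path, PathBuf};

/// Step 1 of check-then-act: inspect the path with lstat (symlink_metadata),
/// refusing symlinks outright. This is true only at the instant of the call;
/// acting on the *path* afterwards is the TOCTOU bug.
pub fn check_is_dir(path: &Path) -> io::Result<Metadata> {
    let meta = fs::symlink_metadata(path)?;
    if !meta.file_type().is_dir() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "refusing: not a directory (symlinks are not followed)",
        ));
    }
    Ok(meta)
}

/// Step 2: open the path, then verify the handle we hold rather than the path
/// string. File::open follows symlinks, so if the object at `path` changed after
/// step 1 the opened object has a different (dev, ino) than the one checked and
/// we refuse. All later work should use this handle, never the path again.
/// Caveat: inode numbers can be reused once an object is deleted, so this is a
/// strong but not absolute guarantee; handle-relative syscalls are the full fix.
pub fn open_matching(path: &Path, expected: &Metadata) -> io::Result<File> {
    let handle = File::open(path)?;
    let actual = handle.metadata()?; // fstat on the open handle
    if !actual.file_type().is_dir()
        || actual.dev() != expected.dev()
        || actual.ino() != expected.ino()
    {
        return Err(io::Error::new(
            io::ErrorKind::Other,
            "refusing: object changed between check and open",
        ));
    }
    Ok(handle)
}

/// Demo helper (constructed for this example): a fresh scratch directory under
/// the system temp dir, named by process id so runs do not collide.
pub fn scratch_dir(tag: &str) -> PathBuf {
    let p = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir(&p);
    fs::create_dir_all(&p).expect("create scratch dir");
    p
}

fn main() -> io::Result<()> {
    let real = scratch_dir("real");
    let other = scratch_dir("other");
    let link = std::env::temp_dir().join(format!("toctou-demo-{}-link", std::process::id()));
    let _ = fs::remove_file(&link);
    std::os::unix::fs::symlink(&real, &link)?;

    let expected = check_is_dir(&real)?;
    println!("same object, opens:        {}", open_matching(&real, &expected).is_ok());
    println!("different object, refused: {}", open_matching(&other, &expected).is_err());
    println!("symlink, refused at check: {}", check_is_dir(&link).is_err());

    fs::remove_file(&link)?;
    fs::remove_dir(&other)?;
    fs::remove_dir(&real)?;
    Ok(())
}
```

The point for an SDLC programme is the shape, not these particular calls: any time code checks a property of a path and then passes the path to a second syscall, ask what happens if the object behind the path changes in between, and restructure so the second operation consumes the handle the check was made on.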

2022-01-21

IRS Plans to Adopt Facial Identification to Access Accounts Online

The US Internal Revenue Service (IRS) plans to start using the ID.me online identification service later this year, which requires users to submit bills and identity documents. While the ID.me service does not require users to submit photos of themselves, the IRS presents facial recognition as the default option. Civil liberties proponents have expressed concerns about the technology’s privacy and cybersecurity implications.

Editor's Note

The IRS is already using the service. I went through the procedure last week, and it appeared to be very thorough but of course, not very convenient. It required uploading various documents (passport, driver’s license) and in the end a video call to verify the information. The IRS also sent a letter a few days later verifying that I accessed the site online, which is a nice touch to prevent fraud. It is likely best to set up access yourself before someone else does it for you.

Johannes Ullrich

Fraudsters and criminals have long swarmed online IRS services to steal tax refunds, so good to see strong authentication finally being required here and that should pave the way for more federal, state and local government and contractor requirements for strong authentication. The government needs to do strong vetting and testing of the ID.me service.

John Pescatore

Civil liberty groups are right to be concerned about the implementation of such technology for authentication means. Biometric data is one of the most sensitive types of personal data there is and why under the EU’s General Data Protection Regulation (GDPR) there are many prohibitions on its use.

Brian Honan

ID.me is set up to do strong identity validation with the intent of preventing fraudulent account creation. As part of that, biometric and other sensitive information is needed to fully verify your identity. Additionally, ID.me supports multiple forms of MFA; when prompted, select the strongest form possible, steering away from SMS or phone calls as a second factor. The ID.me site says you can delete your biometric information; this appears to require deletion of your account. If you’re setting up an account, expect any interaction with the help desk to include a significant delay as they’re ramping up dramatically.

Lee Neely

I love the idea of the IRS requiring strong validation/authentication for access to its databases. Ultimately a process/solution like this should be used for any public access to sensitive government resources.

Lance Spitzner

The Rest of the Week's News


2022-01-24

FERC Soliciting Comments on New Rule

The Federal Energy Regulatory Commission (FERC) is soliciting comments on a proposed rule that would require the North American Electric Reliability Corporation to develop and adopt bulk power system cyber reliability standards. Current standards do not include network security monitoring.

Editor's Note

The lack of requirements for internal network monitoring is definitely a gap in NERC/FERC standards. Years ago, IDS products weren’t all that useful in SCADA/OT environments and networks but that has changed over the years. However, there are definitely specific skills needed to architect, deploy, and make effective use of monitoring those networks. Collecting data or even producing alerts isn’t the goal, quickly acting on potentially dangerous conditions is – and that takes more than technology.

John Pescatore

CISA and others have been publishing best practices for securing these systems you can already leverage to get a jump on this. Check to see what protections you have in place, including monitoring, separation to include local and remote access restrictions for these systems.

Lee Neely

The power grid is unique in the potential for a failure in one provider to spread to others.

William Hugh Murray

2022-01-24

DHS Warns of Potential for Russian Cyberattacks Against US Targets

In a bulletin sent to local governments and operators of the country’s critical infrastructure, the Department of Homeland Security (DHS) warned of the potential for cyberattacks launched on behalf of Russia’s government. The January 23 bulletin echoes warnings in recent alerts from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA).

Editor's Note

Review the CISA Insights document on implementing cybersecurity measures to protect against potential critical threats (https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf). This is a checklist of the fundamentals, irrespective of threat actor; covering reduction of attack steps, rapid detection and response as well as resilience to an incident. When verifying your capabilities make sure there is supporting evidence, don’t accept someone just checking the box.

Lee Neely

Given the heightened geo-political tensions I recommend that organizations outside of the US take heed to these warnings too. We live in an ever more interconnected world and your organization could easily be targeted as part of the supply chain to an ultimate target located elsewhere.

Brian Honan

2022-01-24

CWP Bugs Could be Chained to Allow RCE

A pair of critical vulnerabilities in the Control Web Panel (CWP) open source control panel software could be chained together to allow remote code execution with root privileges on Linux servers. CWP is used on more than 200,000 servers.

Editor's Note

Web based admin portals, not just CWP, should never be exposed to the public internet.

Johannes Ullrich

Make sure that you’re running the latest version of CWP 7 - 0.9.8.1122. CWP 6 (0.9.8.918) is definitely EOL; it is time to upgrade.

Lee Neely

Another vulnerability in open-source software. Having an inventory of assets, including libraries and plugins, is a must. These should have been lessons learned by Log4j, Struts, and Heartbleed.

Jorge Orchilles

2022-01-24

Critical SonicWall Flaw is Being Actively Exploited

Attackers are actively exploiting a critical unauthenticated stack-based buffer overflow vulnerability in SonicWall’s Secure Mobile Access gateways. The flaw can be exploited even when the web application firewall is enabled. SonicWall released fixes for this vulnerability and others in December 2021.

Editor's Note

We continue to see rapid exploitation of flaws in perimeter security devices. This has been a problem for the last few years now, and you need to apply updates to these devices quickly. Updating devices can be risky and you may need hands-on-site to recover, but the alternative is having the device exploited.

Johannes Ullrich

Make sure that you didn’t postpone deploying the patches because of the holidays. Remember the SMA 100 series of appliances include the SMA 200, 210, 400, 500v products. Double check and address any missed devices soonest. Also check your logs for any signs of successful exploit.

Lee Neely

With our greater dependency on remote access solutions and gateways resulting from the pandemic, these security solutions are in turn being targeted by criminals, particularly ransomware gangs. So ensure you keep all such devices, not just those from SonicWall, updated, that you regularly review their rules and configurations to ensure they are valid, and most importantly that you proactively monitor them for any suspicious activity.

Brian Honan

Your organization should have an inventory of all assets and monitor them for vulnerabilities and patches. Edge devices, that are accessible from anywhere on the Internet, should be top of the list when remote code execution patches are released.

Jorge Orchilles

2022-01-21

Apple is Reportedly Working on a Fix for Data Leak Bug in Safari

Apple appears to be developing a fix for the data leak issue in Safari. Updates provided to developers – iOS 15.3 RC and macOS 12.2 RC – have addressed the vulnerability. The flaw is due to a problematic implementation of the IndexedDB API that violates the same-origin policy.

Editor's Note

The fix has been incorporated into the release candidate for the next iOS and macOS update. It may be released as soon as this week. The iOS security architecture doesn't allow for a more granular quick update of Safari. All updates need to include a complete iOS image.

Johannes Ullrich

I expect Apple to release iOS and iPadOS 15.3, macOS 12.2 and Safari 15 updates this week. If you’ve not finished your prior update cycle, particularly for mobile devices, you may need to stop where you are and change the target as soon as the new versions drop.

Lee Neely

2022-01-21

Memorial Health Says Information Was Stolen Prior to Ransomware Attack

Ohio’s Memorial Health System has disclosed that personal information, including medical data, was taken from its systems prior to a ransomware attack that occurred last summer. The breach affects information belonging to more than 200,000 patients.

Editor's Note

Initial access occurred around July 10, but the investigation did not complete, and notification did not occur until December 9. Testing, measuring, and improving your resilience to ransomware threats should be part of your plan for this year if you have not started already. The best time to start already passed, the second-best time is now.

Jorge Orchilles

2022-01-24

Man Pleads Guilty to Hacking College Networks

Timothy Spillane has admitted to breaking into computer networks at two suburban Philadelphia colleges. Spillane stole information and used it to file fraudulent tax returns. Spillane has pleaded guilty to accessing a protected computer without authorization.

Editor's Note

Remember when schools were hacked to alter grades? This attack targeted PII, W-2s, and financial information with the intent to file returns to fraudulently obtain tax returns. Fortunately, the attacker couldn’t guess the victims’ adjusted gross income for the prior year and was subsequently caught. Make sure your systems with this type of data are isolated and monitored, that information is encrypted in transit, storage, and if possible, when not in use (think encrypted fields). Review your network architecture. Make sure you no longer have a flat network when it comes to accessing systems, only exposing needed interfaces for self-service operations.

Lee Neely

Internet Storm Center Tech Corner

Obscure Wininet.dll Feature

https://isc.sans.edu/forums/diary/Obscure+Wininetdll+Feature/28262/


Mixed VBA and Excel 4 Macro in Targeted Excel Sheet

https://isc.sans.edu/forums/diary/Mixed+VBA+Excel4+Macro+In+a+Targeted+Excel+Sheet/28264/

https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905


F5 January 2022 Patches

https://support.f5.com/csp/article/K40084114


McAfee Privilege Escalation

https://kc.mcafee.com/corporate/index?page=content&id=SB10378


MoonBounce UEFI Malware

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/


Exploit of SonicWall CVE-2021-20038

https://twitter.com/buffaloverflow/status/1485671824725786633


Dell EMC AppSync Vulnerability

https://www.dell.com/support/kbdoc/de-de/000195377/dsa-2022-003-dell-emc-appsync-security-update-for-multiple-vulnerabilities


Twitter API Keys Leaked in GitHub

https://incognitatech.medium.com/using-twitter-to-notify-careless-developers-the-unorthodox-way-d71478ad367a