SANS NewsBites

Commerce Department Audit Finds Many Discrepancies Between Data in CSAM Tool and Reality; More Reason Not to Expose Your NAS Devices to the Internet; Warn Employees Going to Beijing Winter Olympics: Only Bring Temporary or One Time Devices

February 1, 2022  |  Volume XXIV - Issue #09

Top of the News


2022-01-31

Commerce OIG Report Finds Deficiencies in System Security Assessment and Continuous Monitoring Program

The US Commerce Department Office of Inspector General conducted an audit “to assess the effectiveness of the Department’s system security assessment and continuous monitoring program to ensure security deficiencies were identified, monitored, and adequately resolved.” The report concluded that the Commerce Department fell short in planning system assessments and in conducting effective assessments. In addition, the department did not resolve security control deficiencies within scheduled deadlines.

Editor's Note

Most of the report points to problems with accuracy and completeness of the data in the CSAM tool Commerce (and many other government agencies) uses to meet reporting requirements. This often happens when operational tools are used for vulnerability scanning and inventory discovery and the customization and integration required has not been done in the reporting system to support direct import of timely and accurate data. You can push the button on the reporting tool and create pages and pages of reports, but any audit finds these same problems.

John Pescatore

Assessing the security posture of our information systems to ensure the security posture remains appropriate is a challenge for everyone and is easy to postpone. With the advent of more tools to verify security against baselines, it’s tempting to just install and walk away, rather than integrating them fully into your processes. Make sure that you not only have a view into the current security posture but also are tracking remediation efforts. Don’t forget to monitor your cloud services as well. Figure out how you’re going to track and remediate cloud and outsourced system security as part of the onboarding process, then verify they are being monitored and reviewed at least annually.

Lee Neely

2022-02-01

QNAP Pushes Out NAS Firmware Update

QNAP has pushed out a firmware update for a vulnerability in its network-attached storage (NAS) devices that is being targeted by DeadBolt ransomware operators. Although QNAP released the update in late December 2021, not all users had applied it.

Editor's Note

Yet again, network storage devices are affected by ransomware. In response to this recurring problem, QNAP started to "push" firmware updates to users who had automatic updates enabled. An interesting side effect of the update was that it may have removed ransomware from devices, preventing recovery for users who had paid for the decryption key (or intended to do so). Never ever, ever expose your NAS to the Internet. It will get compromised and yes, you will lose all your data.

Johannes Ullrich

Because NAS remains a top target for attackers, you need to aggressively keep them updated and regularly verify security settings, user lists, and application lists, removing unneeded or unrecognized items.

Lee Neely

2022-01-31

FBI Cybersecurity Warning for 2022 Olympics and Paralympics

The FBI has released a Private Industry Notification urging athletes competing at the Beijing Winter Olympics and Paralympics and travelers to those events to take precautions to protect themselves from potential cyberattacks. The FBI advises people to use temporary phones rather than bring their personal devices to China. The alert also warns of the potential for “a broad range of cyber activities to disrupt these events, … includ[ing] distributed denial of service (DDoS) attacks, ransomware, malware, social engineering, data theft or leaks, phishing campaigns, [and] disinformation campaigns.”

Editor's Note

Using clean or throwaway devices for any travel to China (and some other countries) has long been standard practice for high level business executives. There has been plenty of evidence of China broadening its cybersurveillance across broader civilian targets – good to pass this warning along to any employees that may be attending the Olympics in China.

John Pescatore

Consider this a hostile environment, another place to carry a burner phone. Keep devices in airplane mode where possible, don’t trust any unknown WiFi, particularly open/free WiFi. Use caution transferring information from the burner device to any other systems. This may be a good time to use a camera for taking photos.

Lee Neely

We must assume that the young athletes may be targeted, that many will not receive or heed warnings, that they will use their phones to memorialize their experience, and that some of those memorials will be compromising. A small number may be exploited. However, government, business, media, and activist travelers are targeted by the Chinese and other nation states. The cost of travel to China includes the cost of a burner device that can be discarded after returning. Store files, photos, and messages in the cloud or on your home system: do not store anything on the burner device. Consider removing the cloud clients when not in use and re-loading them from the store when needed. Arrange for a secure connection to your home or work system before departing.

William Hugh Murray

The Rest of the Week's News


2022-01-28

Malicious Hybrid Cloud Campaign

Researchers from Proofpoint have detected a malicious hybrid cloud campaign that is being used to target C-level executives. The campaign involves hijacked Office 365 accounts, malicious OAuth apps, and spear phishing attacks.

Editor's Note

Pentesters and red teamers: If your attack methodology does not already include OAuth token abuse, now is the time for an update. Credential and MFA phishing are still fine but be sure to measure your clients' cloud identity/access risk too.

Christopher Elgee

Beware of unrecognized apps requesting permissions, particularly “Consent on behalf of your organization.” In this case, the attackers are manipulating the reply URL such that clicking cancel will just redirect back; sessions will need to be positively closed, possibly by closing the calling client or browser. Make sure your CASB, URL rewriting, or other attack prevention solution has incorporated rules for this attack.

Lee Neely

2022-01-31

FBI Considered Using Pegasus Spyware

The FBI considered using NSO Group’s Pegasus spyware. NSO Group had initially developed Pegasus so that it could not be used against US phones; in its pitch to the FBI, NSO Group offered a workaround known as Phantom that would allow US phones to be targeted. Ultimately, the FBI decided not to move forward with the plan.

Editor's Note

Assume intelligence agencies have tools like Pegasus and Phantom; take actions to mitigate the risk, even if you don’t think you’re targeted. This means use loaner phones with minimal data, strong authentication, current OS and applications and verified security settings when going to risky foreign locations. Don’t update the devices while on those trips and consider them suspect upon return. This scenario is not a time for BYOD.

Lee Neely

One should not be surprised that such discussions took place. One would like to think that the FBI would use such a tool only with warrants based upon probable cause. However, recent experience with airborne IMSI-catchers raises some doubt. Even the “good guys” are vulnerable to temptation. The “usual suspects” must take into account the security limitations that all technology, but particularly general purpose communication devices, has.

William Hugh Murray

2022-01-31

Finland Says Diplomats’ Phones Infected with Pegasus Spyware

Finnish officials say that phones belonging to Finnish diplomats serving outside the country have been infected with Pegasus spyware. Finland’s Ministry for Foreign Affairs says that the espionage campaign is “no longer active.”

Editor's Note

Apple released fixes in iOS 15 which address NSO’s ForcedEntry exploit; make sure your devices are updated. While Apple says they will notify those targeted with this exploit, in accordance with best practices, take proactive steps to minimize the risk before heading abroad.

Lee Neely

2022-01-31

CISA Known Exploited Vulnerabilities Catalog Additions

The US Cybersecurity and Infrastructure Security Agency (CISA) has added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. Two of the recently added flaws – the Apple IOMobileFrameBuffer memory corruption vulnerability (CVE-2022-22587) and the SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability (CVE-2021-20038) – have remediation deadlines of February 11.

Editor's Note

Agencies are required to evaluate the catalog against installed products and report findings as well as remediate per the published remediation deadlines. The problem that is trying to be solved is long lead time on remediation for US government systems. With the impending Zero Trust model from EO 14028, timely remediation and monitoring is going to be a key component for keeping systems secure. If you’re using a risk-based approach to applying updates, make sure that you’ve documented those decisions, and prepare to revisit them with an eye to Zero Trust.

Lee Neely

2022-01-31

Samba Addresses Critical RCE Flaw

Samba has released a fix to address a critical out-of-bounds heap read/write vulnerability in the vfs_fruit module. The flaw could be exploited to allow remote code execution with root privileges. The issue affects all versions of Samba prior to 4.13.17.

Editor's Note

Exploitation of this flaw is likely going to be a bit tricky. The attacker needs to have write access to the EA metadata. There are however configuration options to provide guest/unauthenticated users with this ability. This flaw is most likely going to affect Linux based network storage devices, which you should never ever, ever expose to the Internet.

Johannes Ullrich

The best fix is to update to the patched version of Samba. The attack requires access to a file’s extended attributes, which is present in the default configuration. A workaround is to disable the “fruit” VFS module from the list of configured VFS objects; this does block access to those attributes, and has the side effect of causing all stored information to be inaccessible to macOS clients, giving the impression the information is lost.

Lee Neely
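The two checks implied by the Samba item above (is the fruit VFS module loaded anywhere, and is the installed Samba older than the 4.13.17 fix the newsletter cites), as an added audit script that is not part of the newsletter or the Samba project. It assumes a constructed smb.conf sample for offline use; on a real host you would pipe `testparm -s` output into fruit_shares and `smbd --version` into version_below. The fix threshold is a parameter because later Samba release branches carry their own fixed versions.

```shell
#!/bin/sh
# Constructed sample smb.conf (not from any real host). Samba inherits a
# [global] "vfs objects" line into every share that does not override it.
SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   vfs objects = fruit streams_xattr

[timemachine]
   path = /srv/tm
   vfs objects = catia fruit streams_xattr

[public]
   path = /srv/public
   vfs objects = streams_xattr
'

# Read smb.conf text on stdin; print each section whose "vfs objects"
# (or the synonym "vfs object") line lists the fruit module.
fruit_shares() {
    awk '
        /^[[:space:]]*\[/ {
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect); next
        }
        tolower($0) ~ /^[[:space:]]*vfs[[:space:]]+objects?[[:space:]]*=/ {
            split($0, kv, "="); n = split(kv[2], mods, " ")
            for (i = 1; i <= n; i++) if (mods[i] == "fruit") { print sect; break }
        }'
}

# version_below VERSION THRESHOLD: exit 0 when VERSION sorts before THRESHOLD.
# Compares major.minor.patch numerically; a suffix such as "17-Ubuntu" is
# tolerated because awk reads the leading digits.
version_below() {
    awk -v v="$1" -v t="$2" 'BEGIN {
        split(v, a, "."); split(t, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 1 }'
}

# Stand-alone demonstration on the constructed sample and a constructed version.
echo "Sections loading the fruit VFS module:"
printf '%s' "$SAMPLE_SMB_CONF" | fruit_shares
if version_below "4.13.14" "4.13.17"; then
    echo "Samba 4.13.14 is below 4.13.17: patch, or remove fruit from vfs objects"
fi
```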

2022-01-31

Microsoft Stopped Massive DDoS Late Last Year

Microsoft’s Azure DDoS Protection team thwarted a 3.47 Tbps distributed denial-of-service (DDoS) attack in November 2021. The attack, which targeted an unnamed Asian organization, came from more than 10,000 sources in at least 10 different countries.

Editor's Note

Make sure you have a DDoS strategy which includes web application firewalls as well as considerations for any workloads which are sensitive to increased latency. The Microsoft guide on a DDoS response strategy (https://docs.microsoft.com/en-us/azure/ddos-protection/ddos-response-strategy) can be leveraged in your assessment process, whether or not you’re using Azure services.

Lee Neely

2022-01-24

Andorra Experiences Widespread Internet Outages Due to DDoS Attack

The sole Internet provider for the country of Andorra fell prey to a distributed denial-of-service (DDoS) attack last week. Users experienced connectivity issues over a four-day stretch. The dates of the attack (January 21-24) coincide with a Minecraft tournament.

Editor's Note

While the attack appears to have been targeting the players in Andorra, this small country effectively only has one ISP, so the attacks took out businesses, home users, and government agencies as well. Understand the limitations of your ISP, have a conversation specific to their DDoS protections, evaluate the need for a secondary connection, even if only for small bandwidth operations such as PoS transactions.

Lee Neely

Internet Storm Center Tech Corner

Malicious ISO Embedded in an HTML Page

https://isc.sans.edu/forums/diary/Malicious+ISO+Embedded+in+an+HTML+Page/28282/


YARA Console Module

https://isc.sans.edu/forums/diary/YARAs+Console+Module/28288/


Be Careful with RPMSG Files

https://isc.sans.edu/forums/diary/Be+careful+with+RPMSG+files/28292/


QNAP Auto Update Clarification

https://www.qnap.com/en/security-news/2022/descriptions-and-explanations-of-the-qts-quts-hero-recommended-version-feature


QNAP Forced Updates

https://www.reddit.com/r/qnap/comments/sdsf02/i_just_suffered_what_i_believe_to_be_a_forced/huhfmjc/


Samba Vulnerability

https://kb.cert.org/vuls/id/119678


Exposed Datacenter Management

https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/


Expat Vulnerability

https://github.com/libexpat/libexpat/blob/master/expat/Changes


Attackers Attaching Devices to Azure AD

https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/