SANS NewsBites

Australia, UK, and US Issue Joint Warning on Critical Infrastructure Attacks; Turning Stolen Cryptocurrency into Real Money Provides Opening for $3.6B Seizure by US DoJ; SEC Proposes Requiring Investment Advisers, Companies and Funds to Follow Risk Management and Incident Reporting Guidelines

February 11, 2022  |  Volume XXIV - Issue #12

Top of the News


2022-02-09

Joint Advisory Warns of Ransomware Attacks Targeting Critical Infrastructure

A joint advisory issued by cybersecurity authorities in the UK, the US, and Australia says that they have “observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.” The advisory includes technical details about the observed attacks as well as suggested mitigations.

Editor's Note

While the targets change as we deploy new services and technologies, the mitigations remain essentially the same – keep devices updated; MFA all the external entry points; segment systems, particularly OT and legacy systems which are running older applications and operating systems; turn off or disable insecure or unnecessary services; train the users; use immutable backups; monitor for maleficence.

Lee Neely

It’s fantastic to see countries working together to address ransomware. Global challenges require global solutions. Keep in mind that ransomware is not a new type of attack, it is simply a new way to monetize a successful attack. The reason we have seen an explosion of ransomware is because it is so profitable - fast (and relatively safe) return on investments. According to the report, and no surprise here, the three steps to mitigating ransomware are focusing on the fundamentals - phishing, passwords and updating.

Lance Spitzner

2022-02-09

DoJ Seizes $3.6B in Cryptocurrency

Two people, Ilya Lichtenstein and Heather Morgan, have been arrested in New York; they allegedly conspired to launder $4.5 billion in cryptocurrency that was stolen in 2016. The US Department of Justice (DoJ) has so far managed to recover $3.6 billion worth of the cryptocurrency.

Editor's Note

The use of cryptocurrencies often comes with the promise of anonymity. But this anonymity is lost as soon as cryptocurrency is converted into “real money.” With few non-criminal services accepting cryptocurrency, the actual value of cryptocurrency is very limited. In particular, currencies focusing on anonymity need to be at least converted into more traceable currencies like bitcoin.

Johannes Ullrich

There are so many aspects to this story, but one we should definitely not lose sight of is the fact that it is difficult to launder significant amounts of cryptocurrency when exchanges follow know your customer (KYC) regulations. Many have traditionally relied on cryptocurrency mixers, but when law enforcement seizes mixing operations (as happened in the AlphaBay takedown), those transactions are relatively trivial to deanonymize. Even without law enforcement actions against mixing operators, it's clear the Department of Justice is getting much better at tracking the flow of cryptocurrency. This certainly won't be the last large-scale recovery we see.

Jake Williams

Good to see the FBI has the tools for tracing crypto transactions. While the couple did use options such as “chain-hopping,” mixer or tumbler services and “privacy coins,” which are intended to make tracking the digital transactions difficult, the investigators were still able to “follow the chain” to the couple. They had the address of the wallet the funds were exfiltrated to from Bitfinex in 2016 and ultimately worked back to the couple, not only leveraging transactions from identified wallets, but also data discovered in the AlphaBay takedown which allowed wallets to be connected to their owners.

Lee Neely

2022-02-10

SEC Proposed Cybersecurity Risk Management Rules

The US Securities and Exchange Commission (SEC) has proposed new rules that would require registered investment advisers, companies, and funds to report cybersecurity incidents to the SEC. The proposed rule would also require those entities to disclose cybersecurity risks and incidents to clients and prospective clients. The rule is open for public comment.

Editor's Note

I think the SEC issued its first cybersecurity guidance in 2011 and since then has slowly increased disclosure and incident response requirements across the financial food chain. While there will be the usual negative reactions to the burden this may place on small advisors and funds, bringing registered investment advisors and funds up to these basic minimum requirements is a good thing. The impact to their customers of lax information security processes and controls can be catastrophic, and not just via breaches. Stock market volatility means attacks causing very short duration outages can be used to manipulate stock prices and trading with serious financial impact.

John Pescatore

Disclosure of incidents in SEC filings has provided visibility into issues otherwise obfuscated by business practices. With the current threat environment, having transparency on cybersecurity posture should help raise the bar, much as the increased requirements from cyber insurance providers seek to do. One hopes this also becomes one more tool for savvy investors to leverage when considering their wealth management strategy.

Lee Neely

The Rest of the Week's News


2022-02-09

Android February Security Update

The Android Security Bulletin for February 2022 includes a fix for a critical flaw in Android 12. The vulnerability could be exploited to remotely gain elevated privileges with no user interaction.

Editor's Note

This update addresses multiple issues, and there is a separate set of patches from February 5th which address a high-severity flaw in System. If you don’t see the update for your devices, your Android hardware vendor may not have finished qualifying these updates for your platform; don’t forget to check again. Note this is also the final official update for Google’s Pixel 3 smartphones, launched in October 2018. Keep an eye on the support lifecycle for your smartphones; Android devices typically only get OS updates for two years and security updates for three, so don’t wait until the end of year three to start your update process.

Lee Neely

2022-02-09

Microsoft Patch Tuesday for February 2022

On Tuesday, February 8, Microsoft released security updates to address dozens of vulnerabilities. The maximum severity rating for the flaws is “important.” Just one of the vulnerabilities was previously disclosed, and none are being actively exploited.

Editor's Note

You should have these queued to push this weekend, even though there are only 51 flaws addressed. Notice there are fixes for DNS and SharePoint server RCE flaws as well as for a Win32k privilege escalation flaw.

Lee Neely

Interesting to not have a critical (or an already exploited) vulnerability this month. The lack of an emergency may give you some time to hone your patching / vulnerability management process.

Johannes Ullrich

2022-02-10

Sites Running Older Versions of Magento Hit with MageCart Attacks

More than 500 e-commerce sites running outdated versions of Magento have been hit with MageCart card skimming attacks. Adobe is urging customers still running Magento 1 to upgrade to Adobe Commerce; Adobe discontinued support for Magento 1 in June 2020.

Editor's Note

The attack leverages a flaw in the Quickview plugin to run code on the server. When exploited, the attackers leave multiple back doors into the server, so if detected you’re going to have to fully scan and analyze the system to discover all of them, possibly building a new server based on a clean install. If you’re still using Magento 1, you need to be migrating to the newest version of Magento Open Source, which is based on Magento 2, or to a commercially supported platform such as Adobe Commerce; there are not going to be updates or fixes for Magento 1.

Lee Neely

2022-02-09

Vodafone Portugal Cyberattack

Vodafone Portugal suffered a cyberattack earlier this week. Outages affected availability of 4G and 5G networks, SMS messaging, and television services. The attack also affected services used by emergency services. Vodafone Portugal has called the incident “a deliberate and malicious attack intended to cause damage.”

Editor's Note

With the deployment and move to 5G, 3G and earlier networks are being shut down, decommissioned and the frequencies reallocated; fortunately Vodafone was able to reactivate their 3G network and provide some relief to customers. This is intended to restore voice services, as the data rates are much lower. Customers relying on cellular data will need to wait for the full restoration to achieve the expected data rates. Watch the Vodafone site below for status updates. Note the site is in Portuguese.

Lee Neely

2022-02-10

Microsoft is Retiring WMIC Tool

Microsoft has begun deprecating the WMIC command line management tool in Windows. In a list of Windows 10 features Microsoft is no longer developing, they write, “the WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by Windows PowerShell for WMI. Note: This deprecation only applies to the command-line management tool. WMI itself is not affected.”

Editor's Note

WMIC was a blessing back when I was a sysadmin, and it was released. Note that WMI is not affected. If you want to understand WMI, it is MITRE ATT&CK T1047: https://attack.mitre.org/techniques/T1047/

Jorge Orchilles

Read that again – the WMI itself is not deprecated, you just need to use PowerShell for WMI instead of WMIC. If you haven’t looked recently, the Microsoft link below addresses many features which are being removed and when, such as IE11 and the BitLocker To Go Reader.

Lee Neely

Practitioner's note: This will mean eventually replacing cmd.exe commands like <wmic service where (displayname like "hyper%") get name,displayname> with PowerShell equivalents like <Get-CimInstance Win32_Service -filter "displayname like 'hyper%'" | select Name, DisplayName>

Christopher Elgee
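The practitioner's note above gives one WMIC-to-PowerShell translation. The following is an added example, not code from NewsBites or from any of its editors, that generalizes it to three of the WMIC queries sysadmins and responders most commonly have in scripts: service lookup by display name, process listing with command lines, and installed-hotfix inventory. The function names, parameters and the decision to only set -ComputerName when a remote host is requested are this example's own choices; it assumes the Get-CimInstance cmdlet (Windows PowerShell 3+ or PowerShell 7) and, for remote hosts, reachable WinRM. One caveat worth carrying over from WMIC: the pattern ends up inside a WQL filter string, so single quotes in caller-supplied input are doubled rather than passed through.

```powershell
# Added example: CIM cmdlet equivalents for common cmd.exe "wmic" queries.
# Function and parameter names are this example's own, not Microsoft's.

function Get-ServiceByDisplayName {
    param(
        [Parameter(Mandatory)] [string] $Pattern,   # WQL LIKE pattern, e.g. 'hyper%'
        [string] $ComputerName                       # optional remote host (assumes WinRM)
    )
    # Equivalent to: wmic service where (displayname like "hyper%") get name,displayname
    # The pattern is interpolated into a WQL filter, so escape single quotes.
    $safe = $Pattern -replace "'", "''"
    $params = @{ ClassName = 'Win32_Service'; Filter = "DisplayName LIKE '$safe'" }
    # Only add -ComputerName for a remote target; the local query then stays in-process
    # and does not depend on the WinRM listener being configured.
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    Get-CimInstance @params | Select-Object Name, DisplayName, State, StartMode
}

function Get-ProcessWithCommandLine {
    param([Parameter(Mandatory)] [string] $Name)   # image name, e.g. 'powershell.exe'
    # Equivalent to: wmic process where name="powershell.exe" get processid,commandline
    $safe = $Name -replace "'", "''"
    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$safe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-InstalledHotfix {
    # Equivalent to: wmic qfe get hotfixid,installedon
    # InstalledOn is returned as a string on some Windows builds, so no date math here.
    Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, Description, InstalledOn
}

# Usage (run on the local machine):
Get-ServiceByDisplayName -Pattern 'hyper%'
Get-ProcessWithCommandLine -Name 'powershell.exe'
Get-InstalledHotfix | Select-Object -First 5
```

Because Get-CimInstance returns objects rather than WMIC's text columns, the results pipe directly into Where-Object, Export-Csv or a comparison against an approved-services baseline, which is the part of old WMIC scripts that usually needed the most string parsing.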

2022-02-10

Siemens Issues Patches and Mitigations for Vulnerabilities

Siemens has released advisories to address a total of 27 security issues affecting its SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products. Some of the vulnerabilities could be remotely exploited without authentication to cause denial-of-service conditions.

Editor's Note

These are flaws in PLCs and exploiting these flaws can crash them. As such, you should be isolating them and only allowing connections from authorized devices and users. Note there are no mitigations to these flaws and your firewall likely cannot parse the S7CommPlus_TLS protocol to discover malicious content; use the Siemens General Security Recommendations for a defense-in-depth approach to cover hardening, network and physical security. See Siemens Operational Guidelines for Industrial Security https://cert-portal.siemens.com/operational-guidelines-industrial-security.pdf

Lee Neely

2022-02-10

Temple University Critical Infrastructure Cyberattack Research Project

Researchers at Temple University have been gathering information about ransomware attacks targeting critical infrastructure. The dataset includes records for 1,137 incidents that have been reported between November 2013 and the end of January 2022.

Editor's Note

You can download the entire dataset as an Excel file. The dataset continues to evolve and additional fields, such as point of attack, are being requested and considered. Note that while the number of incidents reported for 2021 is lower than 2020, it is likely due to focus on other incidents or on roll-up reporting versus indicating a trend towards fewer attacks.

Lee Neely

When viewing these numbers, keep in mind that extortion is only one of the bad things that could result from these breaches. While some of the breaches exploited human error, the indication is that the cost of attack for far too many systems is much lower than the value of success to the attackers. Collectively we need to raise the cost of attack. Please do your part.

William Hugh Murray

2022-02-10

Apple Releases Updates to Address Actively Exploited Zero-Day

Apple released updates to macOS Monterey, watchOS, Safari, iOS and iPadOS to address CVE-2022-22620, a WebKit use-after-free memory corruption flaw that is being actively exploited. Processing maliciously crafted web content can result in remote code execution. The flaw is fixed in macOS 12.2.1, Safari 15.3, watchOS 8.4.2 and iOS/iPadOS 15.3.1.

Editor's Note

While you just started pushing iOS 15.3, you need to regroup and push 15.3.1. The update is small for devices already on 15.3. macOS 10 & 11 users need only apply the update to Safari, while Monterey users need to install 12.2.1. While Apple seems to be responding to more vulnerability disclosure reports in an effort to maintain the security of their products, the out-of-cycle updates are a bit disruptive; they are calling these flaws actively exploited. One hopes that doesn’t become so commonplace as to be regarded like the boy who cried wolf.

Lee Neely

Internet Storm Center Tech Corner

Example of Cobalt Strike from Emotet Infection

https://isc.sans.edu/forums/diary/Example+of+Cobalt+Strike+from+Emotet+infection/28318/


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+February+2022+Patch+Tuesday/28316/


Zyxel Network Storage Devices Hunted By Mirai Variant

https://isc.sans.edu/forums/diary/Zyxel+Network+Storage+Devices+Hunted+By+Mirai+Variant/28324/


Podcast 13 Year Anniversary

https://isc.sans.edu/podcastdetail.html?id=25


WMIC Removal

https://docs.microsoft.com/en-us/windows/deployment/planning/windows-10-deprecated-features


iOS/iPadOS/macOS/Safari 0-Day Vulnerability in WebKit

https://support.apple.com/en-us/HT213091


Zoom Uses Microphone after Meeting is Over

https://community.zoom.com/t5/Meetings/Why-is-the-Zoom-app-listening-on-my-microphone-when-not-in-a/td-p/29019


Evidence Planted to Implicate Innocent Activists

https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/


Google Cloud Virtual Machine Threat Detection

https://cloud.google.com/security-command-center/docs/concepts-vm-threat-detection-overview


Android Patches

https://source.android.com/security/bulletin/2022-02-01


SAP Patches

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


Intel Updates

https://www.intel.com/content/www/us/en/security-center/default.html


NaturalFreshMall: A Mass Store Attack

https://sansec.io/research/naturalfreshmall-mass-hack