SANS NewsBites

Background Checks are Critical for All With Privileged Access; Google Data Shows Major OS Providers Are Reducing Time to Fix; Move Away from Magento if You Can, Assume Current Installations Are Compromised

February 15, 2022  |  Volume XXIV - Issue #13

Top of the News


2022-02-11

21-Month Sentence for Cyberattacks Against School, IT Firm

A UK court has sentenced a former IT tech to 21 months in jail for launching cyberattacks against a school and an IT firm. Adam Georgeson had worked for the school, but was fired after they learned of prior fraud convictions. He launched the attack against the school while employed at an IT firm. After he lost his job at that firm, he launched an attack against its network.

Editor's Note

Good reminder for security teams and IT teams: background checks should be a regular part of hiring anyone who will be given privileged system access. Not a popular topic, but critical. While you’re working with human resources/employment, make sure that when the decision is made to terminate an employee, turning off all internal and remote access is part of the process.

John Pescatore

The employee had two prior convictions for fraud which, when discovered, resulted in his termination. It is better to do background checks up front, even though they may slow the onboarding processes, rather than having to deal with a disgruntled employee who may have privileged access. For those already doing background checks, how many of you are revisiting them at some interval? I have seen good people make bad choices; I’ve seen employers help that employee retain their job and recover from those decisions.

Lee Neely

A privileged, insider threat is one of the toughest to detect and respond to. I am familiar with only a few organizations that have dedicated insider threat programs and teams. As usual, consider your threat model and maturity level without focusing on only a single type of threat.

Jorge Orchilles

2022-02-11

Google’s Project Zero 2021 Metrics

Google’s Project Zero says that vendors took an average of 52 days to fix reported vulnerabilities. Three years ago, the average time to fix was 80 days. The vendors with the shortest average time to fix were Linux, Mozilla, and Google.

Editor's Note

Great to see that vendors are responding faster to vulnerabilities, and great to see open-source software leading the pack. Looks like "bullying" by Google with its hard 90-day disclosure timeline works. But as an end user, you will still have to apply these patches to mitigate vulnerabilities.

Johannes Ullrich

The good news is time to fix has been trending down across the board. However, at Google’s level of data collection, you can’t see the reason for the length of time to fix. In the old days of much longer software life cycles, easy to find/quick to fix bugs happened early and hard to find/long time to fix bugs were expected later in the life cycle. When time to fix is low because input validation errors (and other OWASP top 10 vulnerabilities) are still being built into software, that is not really a good thing.

John Pescatore

This is a great improvement. One wonders what the trend for vulnerabilities introduced via third-party or local coding flaws looks like. As suppliers get a handle on remediation and we’ve got mad skills testing and deploying updates, emphasis on secure coding and assessing included components needs to increase to reduce the likelihood of flaw inclusion in the first place.

Lee Neely

This is a great report that is easy to read and understand; highly recommend taking a couple of minutes to read it. I love the transparency and look for more vendors to share this type of data.

Jorge Orchilles

2022-02-14

Adobe Releases Emergency Patches for Commerce and Magento

Adobe has released emergency updates for Adobe Commerce and Magento Open Source to fix a critical flaw that is being actively exploited. The improper input validation vulnerability can be exploited without authentication to achieve arbitrary code execution.

Editor's Note

Patching may already be too late by the time you read this. Treat any unpatched systems as compromised. This vulnerability was discovered and reported to Adobe after it already had been exploited. Exploitation is pretty straightforward. Web application firewalls will likely not protect you. Magento is the gift that keeps on giving for attackers. Also noteworthy that the patch arrived as an actual “patch” file, and needs to be applied manually. If you can: Take Magento out back and put it out of its misery while replacing it with something... anything... else.

Johannes Ullrich

This corrects an improper input validation flaw (CVE-2022-24086) with a CVSS base score of 9.8. Note that this is for the 2.4.3-p1 or 2.3.7-p2 and earlier versions of Adobe Commerce or Magento Open Source. If you’re on Magento 1.x, you still need to update to Magento version 2 to get the fix.

Lee Neely

The Rest of the Week's News


2022-02-11

CISA Adds 15 More Flaws to Known Exploited Vulnerability Database

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The new entries include vulnerabilities in products from Apple, Microsoft, Apache, and Oracle. One of the flaws – a Windows SAM local privilege elevation vulnerability – has a remediation due date of February 24, 2022; the other 14 vulnerabilities must be remediated by August 10, 2022.
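The KEV catalog ships as a JSON feed in which every entry carries its own remediation due date, so the feed can be matched against an asset inventory and bucketed by urgency rather than read by hand. The following is an added example written for this page, not CISA's code. It assumes the public feed's field names (a top-level "vulnerabilities" list with cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and requiredAction); the three entries embedded below are constructed to mirror the due dates in this item, and their CVE IDs are placeholders, not real identifiers.

```python
"""Triage CISA KEV entries against a local asset inventory by due date.

Added example; not CISA's code. The feed layout is assumed to follow the
public KEV JSON. The entries below are CONSTRUCTED and use placeholder
CVE IDs so that the script runs offline.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed (not real catalog data).
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "catalogVersion": "2022.02.11",
    "dateReleased": "2022-02-11T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Microsoft",
         "product": "Windows",
         "vulnerabilityName": "Windows SAM local privilege elevation (placeholder)",
         "dateAdded": "2022-02-10", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-02-24", "notes": ""},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Apache",
         "product": "Product B (constructed)",
         "vulnerabilityName": "placeholder",
         "dateAdded": "2022-02-10", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-08-10", "notes": ""},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Oracle",
         "product": "Product C (constructed)",
         "vulnerabilityName": "placeholder",
         "dateAdded": "2022-02-10", "shortDescription": "constructed",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-08-10", "notes": ""},
    ],
})


def parse_kev(feed_text):
    """Parse the feed and convert the date strings into date objects."""
    feed = json.loads(feed_text)
    entries = []
    for v in feed["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "name": v["vulnerabilityName"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "action": v.get("requiredAction", ""),
        })
    return entries


def match_inventory(entries, inventory):
    """Keep only entries whose (vendor, product) pair is in the inventory.

    Matching is case-insensitive; inventory is a list of (vendor, product).
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e for e in entries
            if (e["vendor"].lower(), e["product"].lower()) in wanted]


def triage(entries, today, warn_days=14):
    """Bucket entries as overdue, due within warn_days, or scheduled."""
    buckets = {"overdue": [], "due_soon": [], "scheduled": []}
    for e in sorted(entries, key=lambda e: e["due"]):
        days_left = (e["due"] - today).days
        if days_left < 0:
            buckets["overdue"].append(e)
        elif days_left <= warn_days:
            buckets["due_soon"].append(e)
        else:
            buckets["scheduled"].append(e)
    return buckets


def report(feed_text, inventory, today):
    """Return {bucket: [cve ids]} for the feed entries that affect the inventory."""
    entries = match_inventory(parse_kev(feed_text), inventory)
    return {k: [e["cve"] for e in v] for k, v in triage(entries, today).items()}


if __name__ == "__main__":
    # Constructed inventory: we run Windows and Oracle "Product C", not Apache.
    inventory = [("Microsoft", "Windows"), ("Oracle", "Product C (constructed)")]
    for bucket, cves in report(SAMPLE_KEV_JSON, inventory, date(2022, 2, 15)).items():
        print(f"{bucket}: {cves}")
```

In production the feed text would come from CISA's published JSON rather than the constructed string, and the inventory from a CMDB export; the bucket thresholds are the knobs to tune to the organisation's patch windows. Note that the Windows SAM entry lands in the short-fuse bucket nine days before its due date, while the Oracle entry is scheduled and the Apache entry is dropped because nothing in the inventory matches it.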

Editor's Note

Each addition to the database includes a remediation date. Some of these flaws date back to 2017; they are included because they are still being exploited. Don’t forget to capture the due dates as you’re digesting the new flaws.

Lee Neely

Kudos to CISA for developing the Known Exploited Vulnerability Database. All companies should ensure that they have the Known Exploited Vulnerability Database included as part of their vulnerability management program.

Brian Honan

One hopes that actual remediation will be measured in days, rather than weeks to months.

William Hugh Murray

2022-02-14

Missouri Journalist Won’t be Charged with Hacking

The journalist who found and responsibly disclosed a vulnerability in a state government website will not face hacking charges. Josh Renaud viewed the site’s publicly available HTML code and found that it exposed sensitive information of school employees.

Editor's Note

Viewing the source of a web page and discovering a flaw cannot be characterized as hacking nor committing an illegal act. The journalist is to be commended for responsibly reporting what they found. And while nobody likes being told they have a flaw in their code (particularly me), I would rather learn via a disclosure process than by reading an incident response or data loss report.

Lee Neely

2022-02-11

Spanish Police Arrest Alleged SIM Swappers

Spanish police have arrested eight people in connection with a SIM-swapping scheme. The suspects allegedly impersonated bank officials to gather customer information, which they used to obtain duplicate SIM cards from phone stores and then steal funds from targeted accounts.

Editor's Note

And this is why SMS as a validator is dangerous. In this scenario, your coverage drops when the duplicate SIM is activated, but depending on timing, you don’t notice the interruption, and by then it’s all over. Beyond ensuring all the security for your mobile carrier is in place to prevent unauthorized porting/etc., configure SMS or phone calls for account validation only as a last resort.

Lee Neely

The carriers have made SIM swapping harder, but as this item points out it is still possible. While SMS messaging does not reduce risk to zero, it is far better than staying at reusable passwords. As Microsoft’s report pointed out, 99.9% of successful phishing attacks would have failed if just SMS messaging was in use. Use authenticator apps and biometrics wherever possible but don’t stay with reusable passwords if those are not options.

John Pescatore

2022-02-14

Moxa MXview Vulnerabilities

Researchers at Claroty have found five vulnerabilities in Moxa’s MXview web-based network management system. Several of the flaws could be chained together to allow remote, unauthenticated users to execute code. Users are urged to upgrade to MXview version 3.2.4 or later.

Editor's Note

The fixes were made last September and the ICS Advisory (ICSA-21-278-03) was released October 5, 2021. The primary mitigation is to update to version 3.2.4; additionally, use strong passwords rotated regularly and restrict access to the system, particularly port 8883 to known authorized systems. Make sure that you’re properly segmenting these systems away from business systems.

Lee Neely

2022-02-14

State Dept. Orders Staff to Destroy IT Equipment at Embassy in Ukraine

The US State Department has ordered staff at the US embassy in Kyiv, Ukraine, to destroy IT equipment there. The State Department is temporarily relocating its Ukrainian embassy from Kyiv to Lviv. Many embassy staff members have been withdrawn from Ukraine altogether.

Editor's Note

Should the escalating tensions in that region turn into an outright conflict there will be a cyber dimension to that conflict. That cyber dimension won’t be restricted by borders or regions so I recommend you check your supply chain to see how dependent you are on any providers based in Ukraine and how you can continue your operations in the event they become unavailable. I also recommend you heighten your cybersecurity preparedness to prevent your organisation from becoming a collateral victim by following the guidelines issued by the UK government’s NCSC at https://www.ncsc.gov.uk/news/uk-organisations-encouraged-to-take-action-around-ukraine-situation

Brian Honan

When abandoning, exchanging, or otherwise surrendering equipment, making sure it is fully purged of data is a critical step. Don’t forget copiers, printers, phones, and anything else that has data storage. Additionally, destruction of equipment may be necessary to prevent an adversary from obtaining unwanted technical advantages or insight.

Lee Neely

2022-02-11

Colorado‘s New Election Security Rules

Colorado’s Secretary of State has announced new, temporary rules for voting systems security. “The rules include measures restricting physical and electronic access to the voting system and outline the enforcement mechanisms necessary to ensure election security compliance.” The rules address password and user account security; acceptable use policy; hard drive imaging; trusted build procedures; seal requirements; access to secure areas and voting systems; and access to election management systems.

Editor's Note

Two Colorado counties have had serious violations of maintaining the integrity of election systems and data. These violations pointed out that politically motivated insider malicious behavior is a bigger threat than external hacking. The temporary rules seem like they should have been in place before and, as a part of an overall review, would likely become permanent.

John Pescatore

Much publicity has focused on validating those wishing to cast a ballot; these measures will increase the integrity and security of the systems used to count and process ballots once cast. These measures are appropriate for any system processing sensitive data where integrity is a core requirement. While password complexity is called for, it’s time to phase out passwords in favor of replay and phishing resistant authenticators.

Lee Neely

As practitioners, we often forget that for the security of systems of public trust, there are two important qualities: actual security and the perception of security. Here's hoping this commendable move by Colorado brings both!

Christopher Elgee

Internet Storm Center Tech Corner

Reminder: Decoding TLS Client Hello to Non TLS Servers

https://isc.sans.edu/forums/diary/Reminder+Decoding+TLS+Client+Hellos+to+non+TLS+servers/28338/


CinaRAT Delivered Through HTML ID Attributes

https://isc.sans.edu/forums/diary/CinaRAT+Delivered+Through+HTML+ID+Attributes/28330/


Magento 2 Critical Vulnerability

https://sansec.io/research/magento-2-cve-2022-24086


BigSur/Catalina Mystery Update

https://support.apple.com/en-us/HT201222


MacOS Monterey Patch and Microsoft Defender

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mde-apparently-blocks-macos-monterey-12-1-12-2-upgrades/m-p/3078793


Google Chrome 0-Day Fixed

https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html


Moxa MXview Vulnerabilities and Patch

https://www.claroty.com/2022/02/10/blog-research-securing-network-management-systems-moxa-mxview/


Windows Defender ASR Blocks LSASS Credential Stealing

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem


Brave Blocking Credential Leaking Extension

https://www.theregister.com/2022/02/12/facebook_god_mode/


Project Zero Summary of Zero Day Bugs

https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html