SANS NewsBites

US Justice Department Cybercrime Initiatives Focus on International Cooperation; More Details About Red Cross Breach

February 18, 2022  |  Volume XXIV - Issue #14

Top of the News


2022-02-17

US Department of Justice’s New Cybercrime Initiatives Focus on International Cooperation

Speaking at the Munich Cyber Security Conference, US Deputy Attorney General Lisa Monaco announced several new Department of Justice (DoJ) cybercrime initiatives, including an FBI unit that will focus on crime related to cryptocurrency. The Virtual Asset Exploitation Unit will work closely with the DoJ’s National Cryptocurrency Enforcement Team (NCET). In addition, the DoJ is launching an International Virtual Currency Initiative and establishing the post of Cyber Operations International Liaison, who will be embedded in Europe “to work with U.S. prosecutors and European partners.” Monaco also noted that “prosecutors handling significant cyber investigations will now be required to consult with the department’s international and cybercrime specialists to identify international actions that might be able to help stop a threat. International cooperation will not be an afterthought.”

Editor's Note

As the Attorney General noted, “… it’s the rare cyber investigation that doesn’t have an international dimension.” It is good to see the US is back being involved in international cybersecurity efforts. Also, good to see they will take advantage of the ability to disrupt cybercrime in-process vs. only monitor and prosecute after damage has occurred. On the downside, the AG mentioned numerous task forces, like the Ransomware and Digital Extortion task force. Rather than chase the threat o’ the year, it would be much more effective to have one big “Force” and use something like the Mitre ATT&CK Framework to prioritize “Tasks.”

John Pescatore

Inter-agency cooperation is key to thwarting modern threat actors. Tracking cryptocurrency requires added data and correlation of data collected from multiple sources and actions. Not only do transactions need to be tracked, but wallets also need to be mapped to their owners.

Lee Neely

2022-02-16

More Red Cross Breach Details

The International Committee of the Red Cross (ICRC) has released additional information about the November 2021 breach that compromised sensitive information of more than 500,000 people. The ICRC said that the attackers used offensive hacking tools often used by advanced persistent threat groups, and that some attack code was created specifically to be used on the ICRC servers. The attackers exploited an unpatched critical flaw in the Zoho ManageEngine ADSelfService authentication module. A fix for the flaw was released in September 2021.

Editor's Note

The time of accepting the risk of delaying or skipping patches ended with the Equifax breach. Make sure you’re not only regularly scanning for flaws, but also reviewing those results and taking action. Don’t neglect to include thorough web application scans.

Lee Neely

The Rest of the Week's News


2022-02-17

Proofpoint: Threat Actor Has Been Targeting Transportation and Defense Sectors

Researchers at Proofpoint have found that an advanced persistent threat (APT) group known as TA2541 has been targeting organizations in the aviation, aerospace, transportation, manufacturing, and defense sectors. The group has been active since at least 2017. TA2541 uses remote access trojans (RATs) to infect systems at targeted companies.

Editor's Note

The group adapts to current threats and technologies, switching from Google Drive to OneDrive to Discord links to deliver malicious VBS files. Leverage your phishing awareness as well as URL rewrite or blocking capabilities to slow this attack vector.

Lee Neely

2022-02-17

CISA, FBI, NSA: Russia Stole US Defense Data

In a joint advisory, the FBI, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) said that Russian cyber actors have been targeting US cleared defense contractors (CDCs). Since January 2020 and continuing through this month, the cyber “actors have maintained persistent access to multiple CDC networks, in some cases for at least six months.” On systems that were accessed, the intruders exfiltrated email and data. They were able to “acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology.”

Editor's Note

If you’re cleared, you are used to protections and behavior when traveling abroad, including getting a current threat briefing before doing so. Now make sure that you’re plugged into threat intelligence relating to your in-country systems. Make sure you’re assessing your network and systems regularly. Make sure your vulnerability assessment includes both internally and externally accessible systems. CISA and other agencies have expertise, tools and guides you can use to augment your capabilities.

Lee Neely


2022-02-16

Ukraine’s Ministry of Defense, Banks, Hit with DDoS Attacks

Ukraine’s Ministry of Defense, its Armed Forces, and two state-run banks are being targeted by distributed denial-of-service (DDoS) attacks. Security experts have weighed in on the situation. Sandra Joyce, Mandiant’s executive vice president of global intelligence, writes that while there are concerns that related cyber incidents might spread beyond Ukraine, organizations “should prepare but not panic.” Adam Meyers, CrowdStrike’s senior vice president of intelligence, said, “while there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine – this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring.”

Editor's Note

It usually does not take much to launch a DoS attack, and they are often used by less sophisticated attackers. In this case, reports indicate that the attacks took advantage of specific application vulnerabilities. These are often hard to avoid in web applications where some features may take up more resources (for example, complex search features). To defend an application, anti-DoS solutions should consider application layer inspection, and if you are aware of specific features that could be abused for DoS: set up a plan to possibly disable these features or require additional authentication (maybe even a CAPTCHA) in case of high load.

Johannes Ullrich
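One way to implement the application-layer load shedding described in the note above, as an added example that is not from the newsletter or any vendor product: the feature cost table, the thresholds, and the LoadShedder class are constructed assumptions, and the scenario at the end is a made-up burst of requests.

```python
"""Application-layer load shedding for DoS-prone features (added example).
Each request names a feature with an assumed relative CPU cost; as admitted cost
in a sliding window rises, expensive features first need a CAPTCHA, then are
switched off, while cheap ones keep working. Everything here is constructed."""
from collections import deque
from dataclasses import dataclass, field

# Hypothetical relative costs (constructed): 1 = static page, 40 = complex search
FEATURE_COST = {"home": 1, "login": 2, "search_simple": 5,
                "search_complex": 40, "report_export": 60}

@dataclass
class LoadShedder:
    window_s: float = 10.0         # sliding window length in seconds
    expensive_cost: int = 20       # features at or above this cost are abusable
    stepup_budget: float = 200.0   # window cost at which they need a CAPTCHA
    disable_budget: float = 400.0  # window cost at which they are switched off
    _events: deque = field(default_factory=deque)  # (timestamp, cost) admitted

    def _load(self, now: float) -> float:
        while self._events and self._events[0][0] < now - self.window_s:
            self._events.popleft()  # age out requests older than the window
        return sum(cost for _, cost in self._events)

    def decide(self, feature: str, now: float, captcha_ok: bool = False) -> str:
        """Return 'allow', 'captcha', 'disabled' or 'deny' for one request.
        In production pass now=time.monotonic() from the request middleware."""
        cost = FEATURE_COST.get(feature)
        if cost is None:
            return "deny"  # unknown feature: fail closed instead of guessing
        load = self._load(now)
        if cost >= self.expensive_cost:
            if load >= self.disable_budget:
                return "disabled"  # feature off until the window drains
            if load >= self.stepup_budget and not captcha_ok:
                return "captcha"   # step-up before more expensive work
        self._events.append((now, cost))  # count only work actually admitted
        return "allow"

def run_scenario() -> list:
    # Constructed burst of complex searches at t=0, then the window expiring.
    shedder = LoadShedder()
    out = [shedder.decide("search_complex", 0.0) for _ in range(6)]
    out.append(shedder.decide("search_complex", 0.0, captcha_ok=True))
    out.append(shedder.decide("home", 0.0))  # cheap features are never gated
    for _ in range(4):
        shedder.decide("search_complex", 0.5, captcha_ok=True)
    out.append(shedder.decide("search_complex", 1.0, captcha_ok=True))
    out.append(shedder.decide("search_complex", 12.0))  # window has drained
    return out
```

The sixth complex search in the burst is answered with a CAPTCHA demand, the feature is disabled once the admitted cost passes the second threshold, and it comes back on its own once the window drains.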

While you may not have considered this in the past, cyber attacks are a component of a conflict between countries. Irrespective of whether they are nation state supported or not, make sure you have plans for communication with employees, offices or business partners who may be isolated by such actions. Also make sure you’re using available DDoS protections offered by your ISP and/or cloud service providers.

Lee Neely

2022-02-15

Advisory Offers BlackByte IoCs and Mitigations

A joint advisory from the FBI and the US Secret Service warns that BlackByte ransomware has been used against organizations in at least three US critical infrastructure sectors. The advisory includes a list of indicators of compromise as well as recommended mitigations.

Editor's Note

The BlackByte malware bag of tricks includes exploiting unpatched vulnerabilities, particularly on Exchange, and printing ransom notes on all your printers hourly. Ingest the provided IOCs and scan for signs of activity. Also review the mitigations; beyond patching, MFA, and segmentation, consider marking external email and either disabling or adding a hyperlink rewrite security capability.

Lee Neely

2022-02-17

Man Pleads Guilty to Conspiracy to Sell Hacking Tools

Carlos Guerrero has pleaded guilty to conspiring to sell and use hacking tools. Guerrero admitted to brokering deals for data interception and surveillance tools with governments and with private individuals. The products included IMSI catchers, signal jammers, and Wi-Fi interception tools.

Editor's Note

The trick is that these tools can be used for assessments or for hacking (good or evil, if you prefer); the case hinges on knowingly selling these tools to those wishing to use them for malfeasance. Care must be taken to not criminalize their use by cyber researchers to ensure security is as intended.

Lee Neely

2022-02-17

Apache Fixes High-Severity Flaw in Cassandra Database

Apache has fixed a high-severity vulnerability in its Cassandra distributed NoSQL database. While the issue affects only instances with non-standard configurations, the flaw is easy to exploit. Users are urged to update to versions 3.0.26, 3.11.12, 4.0.2, or later.

Editor's Note

Apply the update irrespective of your configuration being standard. If you don’t need it, ensure the enable_user_defined_functions_threads option is set to false. If you need those functions, update right away.

Lee Neely

2022-02-17

WordPress UpdraftPlus Flaw Patched

The UpdraftPlus WordPress plug-in has been updated to address a missing permissions-level check vulnerability. The flaw could allow logged-in users to download backups made with the UpdraftPlus plug-in. UpdraftPlus has more than 3 million installations; users are urged to update to the newest versions of UpdraftPlus.

Editor's Note

This flaw requires an active account to exploit. This is a good time to review your accounts and remove unneeded ones, as well as verifying they only have the permissions absolutely required. Additionally, make sure you really need this plugin; uninstall it if you are using a different backup method, and make sure auto update is enabled if you’re keeping it. Wordfence scheduled rule updates for their paid and free WAF on Feb 17 and March 19 respectively.

Lee Neely

Internet Storm Center Tech Corner

Who Are Those Bots?

https://isc.sans.edu/forums/diary/Who+Are+Those+Bots/28342/


Astaroth (Guildma) Infection

https://isc.sans.edu/forums/diary/Astaroth+Guildma+infection/28346/


More Packet Fu With Zeek

https://isc.sans.edu/forums/diary/More+packet+fu+with+zeek/28350/


Hackers Attach Malicious .exe Files to Teams Conversations

https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations


Thunderbird Patches

https://www.mozilla.org/en-US/security/advisories/mfsa2022-07/


Cisco Secure Email Gateway Update

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-dos-MxZvGtgU


GitHub Code Scanning Finds More Vulnerabilities Using Machine Learning

https://github.blog/2022-02-17-code-scanning-finds-vulnerabilities-using-machine-learning/


Exploit for Magento Vulnerability (CVE-2022-24086) Available

https://twitter.com/ptswarm/status/1494240197915123713


Atlassian Jira Updates

https://jira.atlassian.com/browse/CONFSERVER-66550


VMware Updates

https://www.vmware.com/security/advisories/VMSA-2022-0004.html


FBI Warns of BEC Using Virtual Meeting Platforms

https://www.ic3.gov/Media/Y2022/PSA220216


SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming

https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/


Details About Western Digital MyCloud Flaw

https://www.iot-inspector.com/blog/advisory-western-digital-my-cloud-pro-series-pr4100-rce/


Nooie Baby Monitor Vulnerabilities

https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-nooie-baby-monitor/