SANS NewsBites

Warnings of Possible Spillover of HermeticWiper and WhisperGate Malware; Starlink Satellite Service Providing Connectivity for Ukraine; Viasat Claims Widespread European Outages Due to a Cyberattack

March 1, 2022  |  Volume XXIV - Issue #17

Top of the News


2022-02-28

CISA and FBI Warning on HermeticWiper and WhisperGate

In a joint cybersecurity advisory, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) provide technical details about the WhisperGate and HermeticWiper malware strains that have been used against organizations in Ukraine. The advisory cautions that “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.” The advisory also includes a list of mitigations.

Editor's Note

Spend 5 minutes hunting for the specific IOCs mentioned (file hashes and the like). The rest of the day: Try to understand the infection chain and verify how you would detect similar techniques in your environment. Look for gaps in visibility (host or network-based logging).

Johannes Ullrich
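
As an added example (not part of the newsletter or the CISA/FBI advisory) of the "5 minutes hunting for IOCs" step above, the script below walks a directory tree, hashes every regular file with SHA-256 and reports matches against an IOC list. The hashes and files it uses are constructed placeholders so it runs offline; in use you would feed `load_iocs()` the advisory's own SHA-256 list instead.

```python
"""Hunt a directory tree for files whose SHA-256 matches a published IOC list.

Added example; the hashes below are constructed placeholders, not the values
from the CISA/FBI advisory. Feed the advisory's SHA-256 list to load_iocs().
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large binaries are not read into memory at once


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def load_iocs(lines: Iterable[str]) -> Set[str]:
    """Parse an IOC list: one hex SHA-256 per line; '#' comments and blank lines ignored.
    Digests are lower-cased so mixed-case lists still match; malformed entries are
    rejected loudly rather than silently producing a list that matches nothing."""
    iocs: Set[str] = set()
    for line in lines:
        token = line.split("#", 1)[0].strip().lower()
        if not token:
            continue
        if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
            raise ValueError(f"not a SHA-256 hex digest: {token!r}")
        iocs.add(token)
    return iocs


def hunt(root: Path, iocs: Set[str]) -> Dict[str, List[Path]]:
    """Walk root and return {ioc_digest: [matching paths]}.
    Symlinks are skipped (they would re-hash their target, possibly outside root) and
    unreadable or vanished files are skipped rather than aborting the whole sweep."""
    hits: Dict[str, List[Path]] = {}
    if not iocs:
        return hits
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in iocs:
            hits.setdefault(digest, []).append(path)
    return hits


def build_demo_tree(root: Path) -> str:
    """Constructed sample tree: two benign files and one 'dropper'. Returns the dropper's
    SHA-256, which the demo then treats as the IOC."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "tools").mkdir(exist_ok=True)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly numbers\n")
    (root / "tools" / "helper.exe").write_bytes(b"MZ benign placeholder")
    dropper = root / "tools" / "updater.exe"
    dropper.write_bytes(b"MZ constructed sample, not real malware")
    return sha256_file(dropper)


def run_demo() -> Tuple[str, Dict[str, List[str]]]:
    """Build the sample tree in a temp dir, hunt it, return (ioc, {digest: [file names]})."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ioc = build_demo_tree(root)
        # upper-case plus a trailing comment on purpose: the parser must normalise both away
        iocs = load_iocs([f"{ioc.upper()}  # constructed IOC", "# comment only", ""])
        hits = hunt(root, iocs)
        return ioc, {k: [p.name for p in v] for k, v in hits.items()}


if __name__ == "__main__":
    ioc, hits = run_demo()
    for digest, names in hits.items():
        print(f"HIT {digest} -> {names}")
```

Hash matching only catches the exact samples already published, which is why the note spends the rest of the day on the infection chain; treat a clean sweep as "those specific files are absent", not as "not affected".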

Unlike other malware, focused on quietly stealing IP or PII, this kind of incident is a DR/BCP issue that requires strategic thinking about continuity (how do we keep payroll, AR/AP, logistics, sales going) and recovery (access offline backups and start restoring business processes). Backups and backup applications are themselves targets for destruction/encryption, unlike in other critical incidents, natural or of the cyber variety.

Gal Shpantzer

Attacks targeting Ukraine have featured disk wipers of one form or another as far back as 2013. The issue here is that attacks are spilling over into other areas, not just including Ukrainian supporters, but also in response to attacks on behalf of Ukraine, such as Anonymous promises, so we all need to brush up on our mitigations to make sure nobody just checked the box. Add examining systems for atypical malware delivery paths, resiliency for common points of failure, such as your SAN or network switches, robust physical and logical access controls, active monitoring and response to your list of services to verify are up to the task at hand.

Lee Neely

We learned about similar disruptive attacks and how to mitigate them after the North Korean attack on Sony. Here we have another opportunity to learn and be prepared for future attacks. Kudos for an actionable advisory from CISA and FBI.

Jorge Orchilles

2022-02-27

SpaceX Starlink Satellite Service is Now Active in Ukraine

In response to requests from Ukrainian leaders, SpaceX has activated its Starlink satellite service in Ukraine. The organization has also sent Starlink user terminals to Ukraine.

Editor's Note

Starlink does provide high bandwidth connectivity, but in its current design still requires ground stations in the same region as the user. But Starlink's ability to provide easy to use ad-hoc connectivity has proven to be invaluable during various disasters in the past. Some pointed out that the terminals may be located by their EM emissions. I am not sure how practical that is, but the terminal can also be placed some distance from the user.

Johannes Ullrich

Starlink has about 2,200 satellites in low-earth-orbit and is designed as a high-bandwidth, low-latency alternative to broadband. The terminals arrived about 48 hours after Elon promised them for free to Ukrainian users, who are getting about 137 Mbps download speeds. When available, Starlink's premium option will offer speeds between 150 and 500 Mbps download, with 20-40 Mbps upload speeds.

Lee Neely

Good stuff to help Ukraine is popping up as in this example.

Gal Shpantzer

I have been testing the Starlink service and it is a game changer for areas that do not have reliable Internet service providers. The equipment only requires one power outlet meaning you can have Internet connectivity from a backup battery or generator even if the entire area is out of power.

Jorge Orchilles

2022-02-28

Viasat Says European Broadband Outages Caused by Cyberattack

Satellite communications company Viasat says that a cyberattack has been causing broadband outages across eastern Europe. The attack appears to have begun on February 24. The investigation into the situation is ongoing.

Editor's Note

In Germany, about 6,000 wind turbines lost connectivity. These wind turbines used Ka-SAT satellite connections and the event may be related to the Viasat outage. At this point, the root cause is unclear. Some reports also suspect a rogue firmware update to the turbines' network equipment. But while satellite connectivity is less susceptible to ground-based issues (see SpaceX story), it can be very difficult to recover if geographically dispersed systems like wind turbines (or the satellite itself) are affected.

Johannes Ullrich

This is a good time to investigate alternate or fail-over ISP options. If possible, have the secondary ready to go, including testing, prior to needing it. Determine what capabilities will operate over the fail-over connection to ensure that even with a change in bandwidth the business remains viable; for example, the Starlink terminals in the Ukraine are getting 137 Mbps download speeds.

Lee Neely

Viasat is also a satellite provider, like Starlink. SpaceX should keep an eye on this attack and learn from the competitors.

Jorge Orchilles

The Rest of the Week's News


2022-02-28

Toyota Suspends Operations at Multiple Plants Following Supply Chain Cyberattack

Toyota has halted operations at one-third of its factories after a supplier was reportedly hit with a cyberattack. Kojima Industries makes multiple vehicle components for Toyota. In all, Toyota has suspended operations at 14 plants. The company did not speculate about how long the downtime will last.

Editor's Note

All our supply-chains have been very challenged as of late and hacking a key supplier doesn’t help it recover. In some cases you may have no alternative but to “stop and wait” for a supplier to recover. Examine backup sources, particularly for key suppliers, to include startup activities and make recorded decisions about the viability of utilizing them, and the associated processes.

Lee Neely

If corporate executives weren’t re-evaluating their Just-In-Time, zero inventory, single-point-of-failure supply chains for resilience, of the physical and digital (is there a difference anymore?), then perhaps it’s that time of the century.

Gal Shpantzer

When reviewing incident response plans, many organisations tend to focus their response on their own company assets being compromised. However, in today's interconnected world, it's good practice to review your Incident Response and Business Continuity Plans to include the impacts of incidents within your supply chain.

Brian Honan

This is not the first supply chain attack you have heard of. These are tougher to red team (play devil’s advocate) but with proper planning, you can tabletop and perform technical exercises to test, measure, and improve your resilience to supply chain attacks.

Jorge Orchilles

2022-02-28

HHS Office for Civil Rights Director Tells Healthcare Providers to Strengthen Cyber Posture

In a blog post, Lisa Pino, Director of the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS), urges all HIPAA-covered entities to improve their cyber posture in 2022. Pino notes that rather than focusing only on electronic health records (EHRs), “risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.” The post includes suggested best practices and additional guidance and resources.

Editor's Note

Really no new information here, but the Director's blog post does emphasize basic security hygiene and training/education. However, in emphasizing risk assessment, the post includes a link to the old HHS Security Risk Assessment application, which expects the user of the tool to enter voluminous IT asset and vendor information and make an assessment of the likelihood of attack success and the impact of successful attacks. This old approach of multiplying two imaginary numbers to create a third imaginary number creates many pages of documentation but nothing useful in actually identifying or reducing critical risks.

John Pescatore

The last two years have put healthcare providers on notice for attacks. The trick is providing actionable guidance which is easy to consume. The HHS includes recommendations we should all be following irrespective of the data sensitivity, from knowing where your data is, making sure it’s securely backed up in an immutable form, judicious application of patches and updates, to relevant, updated, user training. They also include links to resources for more information which can help you deep dive when planning to address any of these recommendations.

Lee Neely

2022-02-25

Zabbix Flaws Added to CISA’s Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two Zabbix vulnerabilities to its Known Exploited Vulnerabilities catalog. Zabbix released fixes for the authentication bypass and improper access control vulnerabilities in December 2021. CISA has given federal civilian agencies until March 8 to install the patches.

Editor's Note

If you're using Zabbix with SAML SSO authentication enabled, you are potentially vulnerable. With the pressure to "MFA all the things", using SAML with an IdP which supports MFA, SSO, etc. across your organization is the easy button, but this also necessitates being on the lookout for security flaws in SAML implementations. This also means that mitigations such as disabling SAML authentication are not viable. In this case, CVE-2022-23131 (unsafe client-side session storage) has a CVSS score of 9.1. Zabbix has released patches; update to either 5.4.9rc2, 6.0beta1 or 6.0 (plan), as earlier patches didn't fully address the issue.

Lee Neely
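
The note above names the bug class, "unsafe client-side session storage". The following is an added illustration of that class in general; it is not Zabbix's code and does not reproduce the mechanics of CVE-2022-23131. It puts a cookie the server simply decodes and trusts next to one whose every field is covered by an HMAC, with an expiry, a constant-time tag check and a constructed attacker helper that edits the payload without the key. `SERVER_KEY` is a demo value.

```python
"""Client-side session storage: a trust-the-cookie design next to an HMAC-protected one.

Added example illustrating the vulnerability class "unsafe client-side session
storage" in general; it is not Zabbix's code and does not reproduce
CVE-2022-23131's mechanics. SERVER_KEY is a constructed demo secret.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

SERVER_KEY = b"constructed-demo-key-replace-with-32-random-bytes"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(session: Dict[str, Any]) -> bytes:
    # Fixed key order and no whitespace: the MAC must cover one unambiguous encoding.
    return json.dumps(session, sort_keys=True, separators=(",", ":")).encode()


# --- Weak: the server decodes the cookie and believes every field in it ---
def weak_encode(session: Dict[str, Any]) -> str:
    return _b64e(_canonical(session))


def weak_decode(cookie: str) -> Dict[str, Any]:
    # No integrity check: whoever holds the cookie chooses the username and roles.
    return json.loads(_b64d(cookie))


# --- Hardened: HMAC-SHA256 over the whole canonical payload, plus an expiry ---
def signed_encode(session: Dict[str, Any], key: bytes = SERVER_KEY) -> str:
    payload = _canonical(session)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def signed_decode(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the session only if the tag verifies and it has not expired; None otherwise."""
    try:
        p64, t64 = cookie.split(".", 1)
        payload, tag = _b64d(p64), _b64d(t64)
    except ValueError:          # missing '.', bad base64 or padding
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time; no field is trusted before this
        return None
    session = json.loads(payload)                # safe: payload is now known authentic
    if not isinstance(session, dict):
        return None
    exp = session.get("exp")
    if exp is None or exp < (time.time() if now is None else now):
        return None
    return session


def forge_signed(cookie: str, **changes: Any) -> str:
    """Constructed attacker step: rewrite fields in the payload but keep the old tag,
    i.e. what an attacker without SERVER_KEY can do."""
    p64, t64 = cookie.split(".", 1)
    session = json.loads(_b64d(p64))
    session.update(changes)
    return _b64e(_canonical(session)) + "." + t64


if __name__ == "__main__":
    weak = weak_encode({"user": "guest", "admin": False})
    print(weak_decode(weak_encode({**weak_decode(weak), "user": "Admin", "admin": True})))
    strong = signed_encode({"user": "guest", "admin": False, "exp": time.time() + 600})
    print(signed_decode(forge_signed(strong, user="Admin", admin=True)))  # None
```

The point of the hardened version is that the MAC covers the entire canonical payload and is checked before any field is read, so there is no partially trusted part of the cookie for an attacker to rewrite; server-side session state remains the simpler option where it is available.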

IT and cybersecurity tools can be exploited, especially when they’re approved and deemed safe. Monitoring with read rights is one thing, write is another… From the Zabbix page https://www.zabbix.com/features “Execute a script directly from a dashboard and remediate an issue or display additional information.”

Gal Shpantzer

2022-02-28

FCC Notice of Inquiry Seeks Comments on Border Gateway Protocol Security

In a Notice of Inquiry, the US Federal Communications Commission (FCC) says it is “seek[ing] comment on vulnerabilities threatening the security and integrity of the Border Gateway Protocol (BGP).” The notice says that “BGP’s initial design, which remains widely deployed today, does not include security features to ensure trust in the information that it is used to exchange.”

Editor's Note

This should increase the support for updates to BGP, turning BGP best practices into requirements. If you’re wrestling with BGP security issues, take a moment to contribute. In the meantime, make sure you’re following best common practices with BGP to reduce risks of route hijacking or other disruptions.

Lee Neely
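
One of the "best common practices" the note refers to is Route Origin Validation (RFC 6811): checking each received announcement's prefix and origin AS against the RPKI ROA set and dropping "invalid" routes. As an added example (not from the FCC notice or any vendor's implementation), the code below implements that check over a constructed ROA table built from documentation prefixes and private ASNs; in production the ROA set would come from an RPKI validator's VRP export.

```python
"""Route Origin Validation (RFC 6811) of BGP announcements against a ROA table.

Added example, not from the FCC notice or any vendor. ROAs and announcements are
constructed from documentation prefixes and private ASNs so it runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the holder permits to be announced
    asn: int         # origin AS allowed to announce it; 0 means "nobody" (RFC 7607)


# Constructed ROA table (documentation prefixes, private ASNs).
ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),   # AS0 ROA: this space must not be announced at all
]


def rov_state(prefix: str, origin_asn: int, roas: Sequence[ROA] = ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    not-found: no ROA covers the prefix (RPKI says nothing about it).
    valid:     some covering ROA names this origin AS and the announced length is
               within its max_length.
    invalid:   ROAs cover the prefix but none matches (wrong origin, too specific,
               or only an AS0 ROA).
    """
    ann = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed families, so compare versions first
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements: Sequence[Tuple[str, int]], drop_invalid: bool = True,
                         roas: Sequence[ROA] = ROAS) -> List[Tuple[str, int, str, bool]]:
    """Apply the usual policy: drop 'invalid', accept 'valid' and 'not-found'.
    Returns (prefix, origin, state, accepted) per announcement so the decision is auditable."""
    out = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        accepted = not (drop_invalid and state == "invalid")
        out.append((prefix, origin, state, accepted))
    return out


if __name__ == "__main__":
    # Constructed announcements: legitimate, hijacked origin, too-specific leak, unsigned prefix.
    sample = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
              ("198.51.100.0/25", 64497), ("10.0.0.0/8", 64496)]
    for row in filter_announcements(sample):
        print(row)
```

Note that "not-found" is accepted: most of the routing table still has no ROA, so dropping it would blackhole legitimate prefixes. ROV also only checks the origin, not the path, which is why the note still asks for the rest of the BCP (prefix filtering, max-prefix limits, and so on).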

This talk by Wim Remes in 2015 is a good primer on BGP for security professionals: Internet Plumbing for Security Professionals: The State of BGP Security (PDF) www.blackhat.com/docs/us-15/materials/us-15-Remes-Internet-Plumbing-For-Security-Professionals-The-State-Of-BGP-Security-wp.pdf. Video: https://youtu.be/po_9p6XxK2E

Gal Shpantzer

Richard Clarke was complaining about BGP in the Clinton Administration.

William Hugh Murray

2022-02-28

CISA Warns of SCADA Flaws in Schneider Products

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of multiple vulnerabilities affecting Schneider Electric’s Easergy medium voltage protection relays. The flaws could be exploited to cause denial-of-service conditions, reboot devices, disclose device credentials, or allow attackers to gain control of vulnerable devices. Schneider addressed the flaws in updates released on January 11, 2022.

Editor's Note

Right now ICS systems are a prime target as attackers are focusing on disrupting services not only in the Ukraine, but also areas perceived to be supporting or of benefit to Ukraine. The flaws addressed include two classic buffer overflows (CVE-2022-22725 and CVE-2022-22723) as well as hard-coded credentials (CVE-2022-22722). Fix by applying the updates or at least disabling or restricting the GOOSE service. Additionally, make sure that your ICS systems are isolated, not exposed to the Internet, only communicating with authorized services and users. Scan all media before introduction to the isolated network; don't allow remote access to directly terminate to the isolated network. Check the CISA alert for additional mitigations.

Lee Neely

2022-02-28

Microsoft Says FoxBlade Malware Infected Ukrainian Networks

In a blog post, Microsoft President and Vice-Chair Brad Smith writes that researchers with Microsoft Threat Intelligence Center recently detected cyberattacks using a new strain of malware, dubbed FoxBlade, against Ukrainian networks. Microsoft notified the Ukrainian government about the malware and offered technical advice. In the blog, Smith notes “These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack.”

Editor's Note

Microsoft has also decided to follow the EU’s decision to block Russian state sponsored disinformation outlets from their social networks, app store and search engine. Facebook, Instagram, YouTube and Tik Tok have taken similar steps. This is a complex area but as the disinformation attacks during the recent US presidential election show, those and other similar commercial services need to have the processes and capabilities to do this kind of filtering. Many legislative and regulatory efforts are underway to force them to do so, but as we have seen threats move faster and always will.

John Pescatore

Note RT is a brand of TV-Novosti, founded by the Russian state-owned news agency RIA Novosti. It is listed by Putin as one of the core organizations of strategic importance to Russia. FoxBlade allows systems to be used for a DDoS attack, unbeknownst to their owner. Microsoft Defender has been updated with signatures to detect and block FoxBlade. Make sure your endpoint protection solution includes these protections. Microsoft is also removing RT's apps from their app store, blocking ads from RT and Sputnik sources and de-ranking their sites in Bing such that unless you're explicitly looking for them they won't appear in your search results.

Lee Neely

Internet Storm Center Tech Corner

Ukraine Update

https://www.bleepingcomputer.com/news/security/ransomware-gangs-hackers-pick-sides-over-russia-invading-ukraine/

https://ddosecrets.com/wiki/Tetraedr

https://twitter.com/YourAnonOne/status/1496965766435926039

https://www.wired.com/story/ukraine-it-army-russia-war-cyberattacks-ddos/


Odd Windows Behaviour with Fixed Addresses

https://isc.sans.edu/forums/diary/Windows+Fixed+IPv4+Addresses+and+APIPA/28380/


Using Snort IDS Rules in NetWitness Packet Decoder

https://isc.sans.edu/forums/diary/Using+Snort+IDS+Rules+with+NetWitness+PacketDecoder/28382/


TShark Multiple IPs

https://isc.sans.edu/forums/diary/TShark+Multiple+IP+Addresses/28386/


Nvidia Breach

https://www.bloomberg.com/news/articles/2022-02-25/nvidia-is-investigating-cyber-attack-but-business-uninterrupted


Windows 11 Reset Not Removing All Data

https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#2783msgdesc


PHP Patches Code Injection Flaw

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

https://bugs.php.net/bug.php?id=81708


Mozilla VPN Local Privilege Escalation

https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/


Google Captcha Breaking

https://east-ee.com/2022/02/28/1367/


Samsung Encryption Vulnerability

https://eprint.iacr.org/2022/208.pdf