SANS NewsBites

Massive Amplified DDoS Attacks; Russia Creates TLS Certificate Authority

March 11, 2022  |  Volume XXIV - Issue #20

Top of the News


2022-03-10

Mitel Collaboration Systems Exploited to Launch Amplified DDoS Attacks

Attackers have been exploiting incorrectly provisioned Mitel MiCollab and MiVoice Business Express collaboration systems to launch massive amplified distributed denial-of-service (DDoS) attacks against financial institutions, logistics companies, broadband ISPs, and other organizations. The issue reportedly allows for an amplification factor as high as 4.3 billion to one.

Editor's Note

Luckily, the number of vulnerable systems is rather limited. But the amplification factor still makes this a debilitating attack. Make sure you are not part of the problem and update your devices! Efforts are under way to notify organizations exposing vulnerable devices.

Johannes Ullrich

Packet amplification ratio of 4,294,967,296:1 is mind blowing. Anyone who has defended against a DDoS attack is very familiar with what amplification is, and this ratio is unheard of.

Jorge Orchilles

This technique, dubbed TP240PhoneHome (CVE-2022-26143), leverages UDP port 10074, a system test service, which should not be Internet-accessible. If you have the Mitel products, verify that you’re restricting access to that service. The most recent software update from Mitel makes sure this port is locked down. Even so, verify that you’re protecting and monitoring use of that service. All this attack takes is a single malicious command to release a flood of 4.3 billion packets over about 14 hours, or about 2.5 TB of traffic at about 393 Mb/sec from a single amplifier.

Lee Neely
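The Editor's Note above gives the two things a defender can check in their own telemetry: whether the Mitel test service on udp/10074 is reachable from outside, and whether a device is already emitting far more packets from that port than it receives on it. The script below is an added example for this item, not code from SANS, Mitel or the researchers who reported TP240PhoneHome. The flow-record layout, the sample records and the RFC 1918 notion of "internal" are constructed assumptions; adapt `parse_flow()` and `INTERNAL_NETS` to your collector and address plan.

```python
"""Flow-log check for Mitel TP240 (udp/10074) exposure and reflection.

Added example for this newsletter item; it is not code from SANS, Mitel or the
researchers who reported TP240PhoneHome. The flow-record layout and the sample
records are constructed for the example; adapt parse_flow() to your collector.
"""
import ipaddress
import re
from collections import defaultdict

TP240_PORT = 10074        # the Mitel system test service named in the Editor's Note
REFLECTION_RATIO = 10.0   # packets out / packets in above which we report reflection

# RFC 1918 ranges are treated as internal; everything else is "external".
# (The stdlib is_global/is_private flags would classify the documentation
# addresses used in the sample as non-public, so the ranges are listed explicitly.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an Internet host probes the test port on a collaboration
# server, the server floods a third party from that port, and an internal admin
# host talks to a second server's test port (expected, not flagged).
SAMPLE_FLOWS = """\
2022-03-10T12:00:01Z proto=udp src=203.0.113.7:40001 dst=192.0.2.10:10074 pkts=1 bytes=60
2022-03-10T12:00:02Z proto=udp src=192.0.2.10:10074 dst=198.51.100.25:443 pkts=850000 bytes=1200000000
2022-03-10T12:00:03Z proto=udp src=10.1.1.5:5555 dst=10.1.1.10:10074 pkts=2 bytes=120
2022-03-10T12:00:04Z proto=tcp src=203.0.113.9:5000 dst=192.0.2.10:443 pkts=30 bytes=4000
"""

FLOW_RE = re.compile(
    r"(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<sip>[^:\s]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[^:\s]+):(?P<dport>\d+) pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+)"
)


def parse_flow(line):
    """Parse one constructed flow record; return None for lines that don't match."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts", "bytes"):
        rec[key] = int(rec[key])
    return rec


def is_external(ip):
    """True unless the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(flow_text):
    """Return findings as tuples, in the order they are detected.

    ("EXPOSED_TEST_SERVICE", device_ip, external_source): udp/10074 was reached
        from outside the internal ranges, i.e. the port is not locked down.
    ("REFLECTION", device_ip, ratio): packets sent from udp/10074 exceed the
        packets received on it by REFLECTION_RATIO, i.e. the device is amplifying.
    """
    findings = []
    pkts_in = defaultdict(int)   # device -> packets received on udp/10074
    pkts_out = defaultdict(int)  # device -> packets sent from udp/10074
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "udp":
            continue
        if rec["dport"] == TP240_PORT:
            pkts_in[rec["dip"]] += rec["pkts"]
            if is_external(rec["sip"]):
                findings.append(("EXPOSED_TEST_SERVICE", rec["dip"], rec["sip"]))
        if rec["sport"] == TP240_PORT:
            pkts_out[rec["sip"]] += rec["pkts"]
    for device, sent in pkts_out.items():
        received = pkts_in.get(device, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= REFLECTION_RATIO:
            findings.append(("REFLECTION", device, ratio))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(*finding)
```

Both findings matter for different reasons: an `EXPOSED_TEST_SERVICE` hit means the firewall or device configuration still allows the probe in and is the thing to fix first; a `REFLECTION` hit means the device is already being used against someone else and the outbound traffic needs to be cut at the edge while the update is applied.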

2022-03-10

Russia Creates TLS Certificate Authority

Russia has created its own TLS certificate authority to issue certificates for Russian sites whose TLS certificates have expired or been revoked. Yandex and Atom are currently the only browsers that recognize the new certificate authority as trustworthy.

Editor's Note

Certificate authorities have also been revoking some certificates for Russian organizations. As a result, you may get warnings when visiting affected sites. Do not add the new Russian CA as a trusted CA in your browser/operating system. This new CA operates outside the rules governing CAs in current trusted CA lists. Currently, free certificates from Let’s Encrypt should still work for Russian sites.

Johannes Ullrich

The current sanctions prevent certificate renewals with certificate issuers outside Russia, and vetting a new issuer for inclusion in browsers is a lengthy process unlikely to commence until those sanctions are lifted. If you must interact with a site that uses these certificates, e.g., Sberbank, VTB, or the Russian Central Bank, you will need to both verify you will not run afoul of sanctions and either add the CA’s public cert to your browser or use the Russian browsers which already support it. Time will tell where this goes.

Lee Neely

The Rest of the Week's News


2022-03-09

Securities and Exchange Commission Proposes Breach Disclosure Rule

The US Securities and Exchange Commission (SEC) has proposed a rule that would require publicly traded companies to report cyberattacks. The rule would amend the SEC's Form 8-K reporting requirements to include disclosure of cyberattacks “within four business days after the registrant determines that it has experienced a material cybersecurity incident.”

Editor's Note

This rule proposes reporting in four days, versus recent legislation proposing 72 hours. What is needed is both a consistent timeframe and reporting format so companies aren’t confused about which rules apply. For investors, disclosure has to use the same measurement across companies, perhaps leveraging a maturity model, to provide a meaningful designation of risk for decision making.

Lee Neely

“Material cybersecurity incident” is mentioned 64 times in the 129-page rule, but I could not find the actual definition.

Jorge Orchilles

This wording is well-intentioned and the minimum that an investor user of the Form 8-K might expect. However, given the time between such incidents and their detection, as reported in the Verizon Data Breach Incident Report, it acts late and will not do much to limit or explicate the investor's risk. Perhaps the SEC might ask management for an expression of its exposure to and tolerance for cyber risk.

William Hugh Murray

2022-03-09

Mandiant: APT41 Broke into US State Government Networks

According to a report from Mandiant, threat actors affiliated with the APT41 hacking group infiltrated networks at numerous US state governments using the Log4j vulnerability and bugs in a livestock app. Mandiant detected and tracked the group's activity between May 2021 and February 2022. APT41 is a Chinese state-sponsored espionage group.

Editor's Note

APT41, based in China, was exploiting a zero-day flaw in the USAHerds application, taking advantage of hard-coded credentials, and has now added leveraging Log4j vulnerabilities to their access techniques. Acclaim released an update to the USAHerds application in November of 2021. If you’re running the application, make sure you applied the patch. While you’ve been addressing Log4j on your Internet-facing systems, don’t lose sight of it on your internal/trusted systems.

Lee Neely

2022-03-08

Access:7 Vulnerabilities

A group of vulnerabilities collectively identified as Access:7 put hundreds of thousands of medical devices and ATMs at risk of denial-of-service attacks and data alteration and exfiltration. The flaws exist in the PTC Axeda Internet of Things (IoT) remote access tool. Three of the seven vulnerabilities are rated critical and could be exploited to remotely execute code.

Editor's Note

Note that PTC phased out Axeda, replacing it with their ThingWorx platform. If you’re still using the Axeda solution, you need to migrate after either applying the released patches or mitigations. The patches address these vulnerabilities. Note the mitigations include limiting where you’re running the ERemoteServer.exe process, configuring agents and services to only listen on localhost, and allowing communication only from trusted hosts.

Lee Neely
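The "listen only on localhost" mitigation in the Editor's Note is easy to state and easy to get wrong, because a service bound to `0.0.0.0` or `[::]` is still reachable from every interface. The script below is an added example for this item, not code from PTC, Forescout or SANS: it parses Windows `netstat -ano`-style output and reports every socket of a given set of agent processes that is bound to a non-loopback address. The sample output, the port numbers and the PIDs are constructed; on a real host feed in the actual netstat output and the PIDs of the Axeda agent processes (for example ERemoteServer.exe, named in the note).

```python
"""Listener-binding check for the Access:7 mitigation "listen only on localhost".

Added example for this newsletter item; not code from PTC, Forescout or SANS.
The netstat-style output, port numbers and PIDs below are constructed; on a
real host feed in the output of `netstat -ano` (Windows) and the PIDs of the
Axeda agent processes (e.g. ERemoteServer.exe, named in the Editor's Note).
"""
import ipaddress

# Constructed sample: one agent (PID 4120) with a mix of loopback and
# all-interface bindings, plus an unrelated process (PID 912) on loopback.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3076           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:3077         0.0.0.0:0              LISTENING       4120
  TCP    [::]:3076              [::]:0                 LISTENING       4120
  TCP    10.20.30.40:3078       10.20.30.99:51000      ESTABLISHED     4120
  UDP    0.0.0.0:3211           *:*                                    4120
  TCP    127.0.0.1:49152        0.0.0.0:0              LISTENING       912
"""

AGENT_PIDS = {4120}  # constructed: PIDs that belong to the remote-access agent


def split_endpoint(endpoint):
    """'127.0.0.1:3077' -> ('127.0.0.1', 3077); '[::]:3076' -> ('::', 3076)."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_text):
    """Return (proto, host, port, pid) for every listening socket in the output.

    TCP rows carry a State column and count only when LISTENING; UDP rows have
    no state column, and every bound UDP socket is treated as a listener.
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or a row shape we don't expect
        proto, local = fields[0], fields[1]
        pid = int(fields[-1])
        if proto == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue  # established/closing TCP connections are not listeners
        host, port = split_endpoint(local)
        listeners.append((proto, host, port, pid))
    return listeners


def wide_open_bindings(netstat_text, agent_pids):
    """Return agent sockets bound to anything other than a loopback address.

    0.0.0.0 and :: (all interfaces) and any specific non-loopback interface
    address violate the localhost-only mitigation and are reported.
    """
    flagged = []
    for proto, host, port, pid in parse_listeners(netstat_text):
        if pid not in agent_pids:
            continue
        if not ipaddress.ip_address(host).is_loopback:
            flagged.append((proto, host, port, pid))
    return flagged


if __name__ == "__main__":
    for proto, host, port, pid in wide_open_bindings(SAMPLE_NETSTAT, AGENT_PIDS):
        print(f"{proto} {host}:{port} (pid {pid}) is not bound to loopback")
```

Anything the check reports still needs the second half of the mitigation, restricting which hosts may reach it, until the binding is changed; a socket on `127.0.0.1` or `::1` needs neither.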

2022-03-09

Microsoft Patch Tuesday

On Tuesday, March 8, Microsoft released updates to address more than 70 security issues in multiple products. Three of the vulnerabilities are rated critical. The updates include a fix for an issue that was preventing some data from being erased after resetting Windows 10 and Windows 11.

Editor's Note

CVE-2022-23277 is another RCE for Exchange servers. It’s time, actually past time, to stop running Exchange on-premises. Remember to consider the burden of keeping up not only with flaws and remediation, but also with continuously applying the latest techniques to repel boarders when evaluating cloud migration.

Lee Neely

2022-03-10

Qakbot is Hijacking Email Threads

According to a report from Sophos, the Qakbot botnet is now hijacking email conversations to spread malware. The malware operators inject messages into existing email threads in an attempt to trick users into downloading the malware. Qakbot has been known since 2008, when it was a Trojan designed to steal bank account access credentials.

Editor's Note

Qakbot operates on the endpoint, stealing credentials for accessing email, as well as accessing websites to upload their malware payloads to help spread itself or add functions on behalf of other malicious actors. Enable MFA on your email accounts, and make sure authentication tokens expire, triggering a re-authentication. Do not allow reusable passwords when accessing services from non-corporate systems or the Internet.

Lee Neely

Qakbot focuses on initial access and brokers that access to other threat actors with varying objectives spanning from ransomware to intellectual property theft. Keeping up with the latest tactics, techniques, and procedures is important so your organization can test, measure, and improve the detection and response.

Jorge Orchilles

2022-03-09

CISA Updates Conti Warning

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Conti Ransomware alert to include indicators of compromise. The alert provides a list of “domains [that] have registration and naming characteristics similar to domains used by groups that have distributed Conti ransomware.”

Editor's Note

Nothing net-new on the tactics, techniques, and procedures leveraged by Conti but very happy to see CISA providing those behaviors on top of indicators of compromise (IoC). Organizations should be evolving from consuming only IoCs to leveraging the indicators of behaviors (TTPs).

Jorge Orchilles

Conti gains initial access via spearphishing (with malicious attachments), stolen/weak RDP credentials, fake software – leveraging SEO, social engineering over the phone, CVEs and other malware distribution networks. You know how to mitigate most of these; make sure your users are aware of their stake in the game. Then grab your CIO and initiate actions to finish your comprehensive MFA rollout. Have your SOC check the alert for any new IOCs.

Lee Neely

2022-03-10

Ransomware-Related Extraditions

Two individuals have been extradited to the US to face ransomware-related charges. Yaroslav Vasinskyi of Ukraine was extradited to face charges related to the attack that targeted Kaseya; Vasinskyi was arraigned in Texas on Wednesday, March 9. Sebastien Vachon-Desjardins was extradited from Canada to face charges related to NetWalker ransomware attacks. His case is being handled in Florida.

Editor's Note

These actors are behind the REvil Kaseya supply chain and NetWalker attacks. NetWalker was a RaaS service, recruiting affiliates to use their malware to attack sites, while the Kaseya attack leveraged a zero-day flaw in their remote management software, stole their signing key to sign malware, and used many interesting techniques including DLL sideloading to place a spoofed DLL in the Windows WinSxS directory, which gets loaded instead of the legitimate one. At this point endpoint protection systems and patches remediate these flaws and detect these attempted exploits.

Lee Neely

While the Conti Leaks may suggest ransomware and illegal/unethical activity pays, it does not! Very happy (understatement) to see law enforcement working to get some of the people behind REvil and NetWalker through due process.

Jorge Orchilles

2022-03-09

WordPress Security Whitepaper

According to a whitepaper from Patchstack, nearly 30 percent of critical flaws in WordPress plugins have never been patched. Patchstack also notes a 150 percent increase in reported vulnerabilities between 2020 and 2021.

Editor's Note

Take a look at your WordPress site health dashboard to double-check your security posture. Pay attention to both themes and plugins which are not being updated. If you have items which are not being updated, particularly ones that are end-of-life, have the hard conversation about moving to replacements which are. Make sure that you have a properly configured WAF which is getting regular updates. Note that getting regular updates of plugins, themes, or your WAF may require using the paid versions.

Lee Neely

This report explicates and documents the problem with WordPress plugins. Most come with no representation of quality, should be used only by design and intent, never by default, and must be rigorously policed and patched. While patching is expensive, in this case it is part of the cost of the quality and security for these plugins.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+March+2022+Patch+Tuesday/28418/


Infostealer in a Batch File

https://isc.sans.edu/forums/diary/Infostealer+in+a+Batch+File/28422/


Credential Leaks on Virustotal

https://isc.sans.edu/forums/diary/Credentials+Leaks+on+VirusTotal/28426/


Critical APC UPS Vulnerability

https://www.armis.com/research/tlstorm/


Vulnerabilities in Firmware Affecting HP Devices

https://www.binarly.io/news/BinarlyDiscovers16NewHighImpactVulnerabilitiesinFirmwareAffectingHPEnterpriseDevices/index.html


TP240PhoneHome reflection/amplification DDoS Attack Vector

https://blog.cloudflare.com/cve-2022-26143/


Malware Disguises as Pro Ukrainian Cybertools

https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html#more


Russian Government Sites Hacked in Supply Chain Attack

https://www.bleepingcomputer.com/news/security/russian-government-sites-hacked-in-supply-chain-attack/


Third Party Vulnerabilities in RUGGEDCOM ROS

https://cert-portal.siemens.com/productcert/pdf/ssa-256353.pdf


Adobe Bulletins

https://helpx.adobe.com/security/security-bulletin.html


GPS Issues Around Finnish-Russian Border

https://www.straitstimes.com/world/europe/finland-detects-gps-disturbance-near-russias-kaliningrad


Russia Considering Internal Certificate Authority

https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/


New Spectre Variant

https://www.vusec.net/projects/bhi-spectre-bhb/


Package Manager Vulnerabilities (yarn, pip, composer...)

https://blog.sonarsource.com/securing-developer-tools-package-managers