SANS NewsBites

Free Tool from Microsoft to Scan for Compromised MikroTik Devices; Misconfigured MFA Compromised by Attackers; US Department of Justice Uses False Claims Act to Fine Contractor for Failing to Disclose Known Security Issues

March 22, 2022  |  Volume XXIV - Issue #22

Top of the News


2022-03-17

Microsoft Releases Scanner to Detect TrickBot-Infected Devices

In a blog post, the Microsoft Defender for IoT research team shares its analysis of how MikroTik devices are used in TrickBot’s command and control framework. Microsoft has published a tool that can be used to detect MikroTik Internet-of-Things (IoT) devices that are infected with TrickBot.

Editor's Note

Great work by Microsoft. But a bit sad that this didn't come from MikroTik. Like many similar devices, MikroTik routers had their share of vulnerabilities (or just simple misconfigurations) in the past. But vendors need to step up and provide users with tools to avoid and detect configuration errors and compromise. This could start with a simple standardized API to request firmware versions for easier vulnerability scanning (and an API to find the most recent version easily). Currently, scripts to accomplish this often have to scrape data from ever-changing webpages. (Prove me wrong and let me know of vendors doing this well.)

Johannes Ullrich

It still blows my mind when looking at all the cool cyber research Microsoft is publishing, to include free tools for prevention and detection. If you have any MikroTik devices you need to read this. Essentially, the TrickBot malware is using the routers as a proxy on a non-standard port to access their C2 servers. It then adds a persistence layer which obfuscates malicious IPs to avoid many detection systems. Make sure that you have changed default passwords on your MikroTik devices, use good passphrases – ideally checked against data breaches – and keep the firmware updated. Only allow management from authorized systems, making sure you restrict access to ports 8291 and 22. Grab the forensic tool and cross-check your devices for any areas of concern.

Lee Neely

2022-03-16

CISA, FBI: Hackers Exploited Misconfigured MFA

In a joint cybersecurity advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) “warn … that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability.”

Editor's Note

This issue is getting to some of the core challenges of MFA: How to deal with lost/expired tokens efficiently.

Johannes Ullrich

Headlines are making this sound like MFA has been hacked and is no longer reliable, which is NOT the case; it’s something much more boring: MFA misconfiguration. The cyber attackers were able to gain control of a forgotten account via simple password brute forcing. This account had been ‘expired’ from the MFA server, but was still able to re-enroll. Once the attackers re-enrolled and gained access to the internal environment, they disabled the domain controller’s MFA configuration by pointing it to itself (localhost), which caused MFA authentication to fail. Unfortunately, it was configured for ‘fail-open’ mode, which means if MFA is not working, users can gain access with just their password. Is MFA still a viable and recommended method for protecting accounts? Absolutely. Are there steps we can do on the server end to lock it down even more? It appears so. The CISA write-up has the best technical details of the attack.

Lance Spitzner

Does your MFA fail open or closed? MFA which fails open is being discovered and exploited. Sometimes old accounts are identified which haven’t been converted to MFA, so a password attack works, or somehow are trivially reactivated. Make sure that your MFA is comprehensive, fully disable inactive accounts (removing them is best), and make sure all components are patched to mitigate risks on all the components involved in MFA. If you have emergency/“break glass” accounts, monitor them closely; it is very tempting for system administrators to use these instead of the MFA “everyone else” has to use. Make sure their credentials are strong and changed after each authorized use. Don’t allow for non-MFA accounts for special/VIP users.

Lee Neely
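As an added illustration of the fail-open and re-enrollment points raised in the two notes above (a constructed model, not code from the CISA advisory or any MFA vendor; the `Account`, `MfaGateway` and `replay` names are assumptions), this replays the advisory's sequence against the weak configuration and the hardened one:

```python
# Constructed model of an MFA gateway's decisions (not CISA's or any vendor's code).
# Sequence replayed: a stale account re-enrolls, logs in, then MFA becomes unreachable.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    password: str                     # plaintext only in this toy model
    active: bool = True
    mfa_device: Optional[str] = None  # None = not enrolled (or enrollment revoked)

@dataclass
class MfaGateway:
    fail_open: bool                   # the weak setting described in the advisory
    mfa_server_up: bool = True
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # lines a SIEM rule could alert on

    def enroll(self, user: str, device: str) -> bool:
        # Self-service enrollment must refuse unknown or inactive accounts.
        acct = self.accounts.get(user)
        if acct is None or not acct.active:
            self.log.append(f"DENY enroll {user}: unknown or inactive account")
            return False
        acct.mfa_device = device
        return True

    def login(self, user: str, password: str, otp_ok: Optional[bool]) -> bool:
        # otp_ok is None when the MFA server could not be consulted.
        acct = self.accounts.get(user)
        if acct is None or not acct.active or acct.password != password:
            self.log.append(f"DENY login {user}: inactive account or bad password")
            return False
        if not self.mfa_server_up:
            # Fail-open turns an MFA outage into password-only access; fail-closed denies.
            self.log.append(f"MFA unreachable for {user}; fail_open={self.fail_open}")
            return self.fail_open
        if acct.mfa_device is None or not otp_ok:
            self.log.append(f"DENY login {user}: not enrolled or OTP rejected")
            return False
        return True

def replay(fail_open: bool, stale_account_disabled: bool) -> dict:
    gw = MfaGateway(fail_open=fail_open)
    gw.accounts["stale"] = Account("Summer2020!", active=not stale_account_disabled)
    result = {"reenroll": gw.enroll("stale", "new-phone")}
    result["login"] = gw.login("stale", "Summer2020!", otp_ok=True)
    gw.mfa_server_up = False  # MFA server now pointed at an unreachable address
    result["login_during_outage"] = gw.login("stale", "Summer2020!", otp_ok=None)
    return result
```

`replay(True, False)` reproduces the advisory (every step succeeds); `replay(False, True)` shows that disabling the stale account and failing closed stops the sequence at every step.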

Another good report from FBI and CISA. This one maps to ATT&CK and provides some TTPs that you should be able to easily detect regardless of what vulnerability or misconfiguration is exploited. As we say in SEC504, prevention is a goal, detection and response are the reality.

Jorge Orchilles

2022-03-16

Florida Medical Services Contractor to Pay Penalty for Misrepresenting its Cybersecurity Posture

Florida-based Comprehensive Health Services (CHS) will pay $930,000 to settle allegations that it violated the False Claims Act. CHS falsely represented its electronic medical record cybersecurity compliance to the US State Department and Air Force. The DoJ press release notes that “This is the Department of Justice’s first resolution of a False Claims Act case involving cyber fraud since the launch of the department’s Civil Cyber-Fraud Initiative.”

Editor's Note

If you are a contractor or supplier to the US federal government, or a federal grant recipient, this is an important item to show to Chief Legal Counsel and management. The False Claims Act is a long-used mechanism to fine offenders for misuse of government funds. This case is the first of the 2021 Civil Cyber-Fraud Initiative being applied to instances where companies did not disclose incidents or known high-risk issues while accepting government funding – there will be more. The message is “much less expensive to follow regulations for disclosure than try to hide incidents; lowest cost is to avoid incidents in the first place.”

John Pescatore

While this case is specific to medical/health industry activities, it foreshadows the expectations of federal government contractors. Make sure that your licensing and knowledge of regulatory requirements are up to current requirements, to include NIST, CMMC and incident reporting requirements. Use this incident to reinforce support for meeting, and ongoing monitoring of, these requirements.

Lee Neely

The Rest of the Week's News


2022-03-15

ICO Fines Law Firm Over Unsecured Legal Data

The UK’s Information Commissioner’s Office (ICO) has fined a London criminal defense law firm for failing to protect information about legal cases; the data were stolen in a 2020 ransomware attack. Tuckers Solicitors has been fined £98,000 for violating the General Data Protection Regulation. While a fix for the vulnerability was made available in January 2020, Tuckers did not apply the patch until June 2020.

Editor's Note

While the exploit wasn’t discovered until August of 2020, it’s believed the attack happened during the five months the vulnerability was unpatched. Make sure that you are prioritizing application of updates with high CVSS scores, 9.8 in this case. This is even more critical as many services now have customer facing interfaces allowing for potential exploitation or abuse. Remind management reluctant to incur downtime or complete regression testing that with the GDPR and other privacy legislation such as the CCPA, there are real fines at stake which can quickly offset any costs associated with staying secure.

Lee Neely

2022-03-15

Israeli Government Websites Affected by DDoS

Israel’s National Cyber Directorate has acknowledged that a massive distributed denial-of-service (DDoS) attack hit communications service providers and caused numerous government websites to be unavailable. The sites are now operating as usual.

Editor's Note

Adversaries shooting bullets ‘over the fences’ has been replaced with cyber-attacks, and DDoS seems to be a favorite lately, not only as a mission disruptor, but also to disguise other activities such as a ransomware attack. DDoS protection, particularly in the public sector, needs to be added to the SOP list. Talk to your ISP, CDN and cloud service providers to not only ensure available DDoS protections are enabled, but also to determine what they are to see if they are sufficient or if you need to seek added protections.

Lee Neely

2022-03-15

Linux Dirty Pipe Vulnerability Affects QNAP NAS Devices

The Dirty Pipe Linux vulnerability affects QNAP network attached storage (NAS) devices running QTS 5.0.x and QuTS hero h5.0.x. The flaw does not affect QNAP NAS devices running QTS 4.x. There are currently no mitigations for the issue.

Editor's Note

This vulnerability affects all devices based on Linux, not just QNAP. QNAP was just nice enough to release a patch and point out that they are vulnerable.

Johannes Ullrich

Linux privilege escalation vulnerabilities, like Dirty Pipe, tend to affect many products and solutions and stick around for a very long time.

Jorge Orchilles

You already know what I’m going to say – so say it along with me: “I solemnly swear I won’t expose NAS devices to the Internet.” Do keep your NAS devices patched, monitor for unauthorized accounts or applications, change default credentials, and use another option for sharing content externally. Cloud-based file sharing is not all that expensive, particularly when compared to recovery of your compromised content.

Lee Neely

2022-03-17

Internet Explorer 11 is Being Retired in June

Microsoft is reminding users that it will be retiring Internet Explorer 11 (IE 11) in June. Microsoft will replace the browser with Edge. Legacy IE-based websites and applications will be supported with Edge’s IE mode feature.

Editor's Note


If you’ve not been pushing out and testing Chromium Edge, you really need to get moving. Chromium Edge does include an IE mode for IE-dependent applications; you can toggle the “Allow sites to be reloaded in Internet Explorer” setting. At this point you may not need that, as many applications are now fully functional in Chrome/Chromium-based browsers. If you need it, Microsoft is planning to support IE mode through 2029. Microsoft has published a transition guide: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWEHMs

Lee Neely

2022-03-17

Cyclops Blink Now Targeting ASUS Routers

Researchers from Trend Micro say that the Cyclops Blink malware is targeting ASUS routers. Several weeks ago, it was noted that the malware was targeting WatchGuard Firebox devices. Cyclops Blink has been linked to the Sandworm advanced persistent threat (APT) group.

Editor's Note

See my comment about the MikroTik tool released by Microsoft. We need an easier way to identify out of date or misconfigured routers.

Johannes Ullrich

Initial reports of Cyclops Blink included speculation that the Sandworm group would be porting it to other platforms. There is not a firmware update from ASUS to resolve the vulnerability; as such, affected routers will need to be factory reset. Mitigations, which apply to most routers, include replacing any end-of-life devices, disabling remote management, changing default admin passwords, and keeping your firmware updated. If you have any doubts, go through the factory reset and recreate your configuration including the mitigating steps above. Don’t forget to really get rid of the old unsupported devices you’ve got on the shelf “just in case.” It’s no good if your service restoration is followed by a compromise.

Lee Neely

2022-03-17

European Union Aviation Safety Agency Warns of Navigation Satellite Outages

The European Union Aviation Safety Agency (EASA) has warned of Global Navigation Satellite Systems (GNSS) outages related to Russia’s invasion of Ukraine. Last week, Finland’s Traficom warned of GPS outages near its eastern border with Russia; those issues appear to be affecting other countries in the area, including Poland, Lithuania, and Latvia.

Editor's Note

This may in some cases affect devices using GPS to synchronize time.

Johannes Ullrich

These are jamming or spoofing attacks. The EASA bulletin covers both the issues aviation authorities, service providers and operators may face and possible mitigations/recommendations. They include both validation and testing of contingency plans. How viable is it really to grab a map and look out the window when you don’t have aids such as GPS? While the best defense is to stay away from affected areas, not all flights have that option, making preparation and planning crucial.

Lee Neely

2022-03-17

CISA, FBI Warning of Potential SATCOM Threats

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert with information about strengthening the cybersecurity of SATCOM networks. The alert says that “Given the current geopolitical situation, CISA’s Shields Up initiative requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity.” It also lists mitigations for organizations to employ.

Editor's Note

Recommended mitigations include reviewing trust relationships, use of MFA, principle of least privilege, increased monitoring, shortened update/patch intervals and use of strong encryption wherever possible. These are good mitigations for non-SATCOM networks too – consider how they apply to your enterprise.

Lee Neely

Internet Storm Center Tech Corner

Clean Binaries with Suspicious Behaviour

https://isc.sans.edu/forums/diary/Clean+Binaries+with+Suspicious+Behaviour/28444/


Qakbot Infection With Cobalt Strike and VNC Activity

https://isc.sans.edu/forums/diary/Qakbot+infection+with+Cobalt+Strike+and+VNC+activity/28448/


Misconfigured Multi-Factor Authentication Abused

https://www.cisa.gov/uscert/ncas/alerts/aa22-074a


German Office of Information Security Warns Kaspersky Users

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2022/220315_Kaspersky-Warnung.html


Caddy Wiper Targeting Ukraine

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/


Fake Antivirus Targeting Ukraine

https://twitter.com/malwrhunterteam/status/1502302718140035080


Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

https://asec.ahnlab.com/en/32572/


dompdf 0 day

https://positive.security/blog/dompdf-rce


OpenSSL DoS Vulnerability

https://www.openssl.org/news/secadv/20220315.txt


npm Package Sabotaged for Belarus/Russian Users

https://snyk.io/blog/peacenotwar-malicious-npm-node-ipc-package-vulnerability/


President Zelensky Deepfakes

https://twitter.com/ngleicher/status/1504186935291506693


ATM Rootkit

https://www.mandiant.com/resources/unc2891-overview


Scanner for Backdoored Mikrotik Routers

https://github.com/microsoft/routeros-scanner


SANS.edu Student: Ron Grohman; Network Access Control and ICS: A Practical Guide

https://www.sans.edu/cyber-research/network-access-control-and-ics-a-practical-guide/