SANS NewsBites

Educate Users to Recognize MFA “Prompt Bombing”; Don’t Expose UPS Devices to the internet; Install Apple Patches ASAP

April 1, 2022  |  Volume XXIV - Issue #26

Top of the News


2022-03-29

Lapsus$, SolarWinds and MFA

The Lapsus$ cyber extortion group uses the same technique to bypass multi-factor authentication (MFA) that was used by the state-sponsored threat actors behind the SolarWinds attack. Known as prompt bombing (or push bombing), the technique involves bombarding users with login-approval requests on their mobile phones until one is accepted.

Editor's Note

No legitimate business would ever communicate to customers in a manner that even came close to “prompt-bombing.” That makes this a good attack technique to educate users on, as it is pretty easy for them to recognize. More modern FIDO2-based MFA approaches are more resistant to this, but every form of authentication will have to have backup approaches that can be “bombed” as well.

John Pescatore

Red Teams have been using this technique for years as part of testing people and process in addition to the MFA implementation itself. Offense needs to continue to inform defense and defense inform offense. There is no reason this should be news or considered novel. If it is, your Red Team did not do their job.

Jorge Orchilles

There are two forms of this technique. The first overwhelms you with requests to approve a login and hopes you ultimately relent and let it in. The second is a few requests spread out in hopes you won’t notice and approve it without question. Make sure to train users to accept or allow only authentication permission requests they know are legitimate.

Lee Neely

UK Police arrested 7 males suspected of being part of the Lapsus$ gang. All but two have been released. The remaining two individuals are aged 16 and 17. They have been charged with various cyber-crime related offences and will appear in court. https://www.bbc.com/news/technology-60953527

Brian Honan
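The two forms of prompt bombing described in this item (a burst of prompts until the user relents, and a few prompts spread over hours until one is approved) are both detectable from MFA push logs. The following is an added example written for this newsletter item, not code from SANS, from any MFA vendor, or from the Lapsus$/SolarWinds reporting. The log format is constructed for illustration (one event per line: UTC timestamp, user, push result); real vendor logs carry the same fields under other names, so only the parser would change.

```python
"""Detect MFA push "prompt bombing" in authentication logs.

Added example; not code from SANS or any MFA vendor. Constructed log format:
"<ISO8601 UTC timestamp> <user> <push result>" with the result being one of
push_sent, push_approved, push_denied, push_timeout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. alice is bombed in a burst at 02:11 and finally
# approves; carol gets one prompt every three hours (low and slow) and approves
# the third; bob is an ordinary login.
SAMPLE_LOG = """\
2022-03-29T02:11:04Z alice push_sent
2022-03-29T02:11:35Z alice push_denied
2022-03-29T02:11:36Z alice push_sent
2022-03-29T02:12:10Z alice push_timeout
2022-03-29T02:12:11Z alice push_sent
2022-03-29T02:12:40Z alice push_denied
2022-03-29T02:12:41Z alice push_sent
2022-03-29T02:13:20Z alice push_approved
2022-03-29T09:00:01Z bob push_sent
2022-03-29T09:00:20Z bob push_approved
2022-03-29T11:30:00Z carol push_sent
2022-03-29T11:31:00Z carol push_timeout
2022-03-29T14:30:00Z carol push_sent
2022-03-29T14:31:00Z carol push_timeout
2022-03-29T17:30:00Z carol push_sent
2022-03-29T17:31:00Z carol push_approved
"""


def parse(log_text):
    """Return [(timestamp, user, result)] in the order logged."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_burst(events, window=timedelta(minutes=5), threshold=3):
    """Form 1: many prompts in a short window, hoping the user relents.
    Returns {user: largest number of prompts seen inside one window}."""
    recent = defaultdict(deque)   # user -> timestamps of recent push_sent
    alerts = {}
    for ts, user, result in events:
        if result != "push_sent":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


def detect_low_and_slow(events, window=timedelta(hours=24), min_unanswered=2):
    """Form 2: a few prompts spread out over hours, then an approval.
    Flags an approval preceded by >= min_unanswered denied or timed-out prompts
    for the same user inside the window. Returns [(user, approval time, count)]."""
    unanswered = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts, user, result in events:
        q = unanswered[user]
        while q and ts - q[0] > window:
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
        elif result == "push_approved":
            if len(q) >= min_unanswered:
                alerts.append((user, ts, len(q)))
            q.clear()   # a completed login resets the user's baseline
    return alerts


def report(log_text):
    """Run both detectors over a log and return a compact summary."""
    events = parse(log_text)
    return {
        "burst": detect_burst(events),
        "low_and_slow": [(user, n) for user, _, n in detect_low_and_slow(events)],
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The burst detector fires on prompt volume alone, before the user has approved anything, so it can drive an automatic lockout of the push factor; the low-and-slow detector only fires once an approval lands, which is the point at which the account should be treated as compromised and the session revoked.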

2022-03-30

CISA Insights: UPS Device Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy have released a joint alert about attacks against Uninterruptible Power Supply (UPS) devices. The alert recommends that agencies identify all UPS and similar devices and ensure that they are not Internet accessible. If the devices need to be Internet accessible, they should be behind a VPN and protected with multi-factor authentication. Agencies are also urged to make sure that usernames and passwords are not still set to factory default.

Editor's Note

I have seen systems like this exposed to the Internet to obtain the ability to reboot systems without having to rely on VPNs or other security devices that may themselves need to be rebooted. At the VERY LEAST, use TLS and limit the IP addresses that are able to reach the UPS (or power controller). TLS can be a bit tricky with these devices as they are usually just slapping a standard TLS library on minimal hardware that is years old. You may need to limit what ciphers are being used to get a reliable connection. But a little bit of TLS is better than no TLS (and well... I guess if a couple hundred $$ for a secondary VPN/FW is too expensive, you probably stopped caring anyway).

Johannes Ullrich

The target is large-sized UPSs which are Internet reachable, with the goal of causing large outages. If your UPS is network connected, isolate that traffic to make sure only legitimate devices and users can access it. Ideally never expose control interfaces directly to the Internet.

Lee Neely

Good advice and practice for all appliances and controls connected to the public networks.

William Hugh Murray

2022-03-31

Apple Updates Include Fixes for Zero-Days

Apple has released software updates for macOS, iOS, iPadOS, tvOS, and watchOS. The macOS, iOS, and iPadOS updates include fixes for two vulnerabilities that are being actively exploited. The iOS update also fixes a battery-drain problem that appears to have been introduced in iOS 15.4. Users are urged to update to macOS 12.3.1, iOS 15.4.1, iPadOS 15.4.1, tvOS 15.4.1, and watchOS 8.5.1.

Editor's Note

We do not have a lot of details to go by here, but update your Apple devices over the weekend. Just be careful if you are still using macOS 12.1 (instead of 12.2): macOS 12.2 removes Python 2, which MAY be required by some software you are using. One example being the Indigodomo home automation software.

Johannes Ullrich

Seems like we just kicked off rolling out 15.4. This update primarily addresses CVE-2022-22675, which is being exploited for RCE, so reset the process for 15.4.1. The last two iOS updates have resulted in a noticeable battery drain when using push notifications for mail and calendar messages. A workaround was to switch to fetch instead. It is far simpler to apply the update fixing both issues.

Lee Neely

The Rest of the Week's News


2022-03-30

Viasat: KA-SAT Network Attacker Exploited Misconfigured VPN Appliance

Viasat has published “an overview and incident report on the cyber-attack against the KA-SAT network, which occurred on 24 February 2022, and resulted in a partial interruption of KA-SAT's consumer-oriented satellite broadband service.” Viasat says that the attacker exploited a misconfigured VPN appliance to remotely access the KA-SAT network’s trusted management segment.

Editor's Note

VPN appliances are turning up in more and more high-profile attacks. Monitoring VPN access, patching appliances and regular configuration reviews should be on your "to do" list. (But don't worry if you are not going STRONG MFA and still relying on passwords to authenticate. You are behind the curve too far already.)

Johannes Ullrich

Viasat has confirmed the attack was due to new wiper malware with possible ties to the Russian government. https://arstechnica.com/information-technology/2022/03/mystery-solved-in-destructive-attack-that-knocked-out-10k-viasat-modems/

Brian Honan

When faced with a significant outage, make sure that you have closed the attack vector prior to taking steps to restore service (such as deployment of replacement devices) so the replacements don’t immediately suffer the same fate as their predecessors.

Lee Neely

2022-03-31

Patches Available for Spring4Shell RCE Vulnerability

Spring has released updates to address a vulnerability (CVE-2022-22965) that “impacts Spring MVC and Spring WebFlux applications running on JDK 9+.” The flaw, which has been dubbed Spring4Shell or SpringShell, was reported to Spring earlier this week. After a third party published full details of the vulnerability, Spring accelerated the release of its patches.

Editor's Note

If lessons learned from Struts, Log4j, and others were implemented, your organization should have a decent inventory of which applications leverage the impacted frameworks.

Jorge Orchilles

Recent efforts have focused on providing open-source projects with secure coding reviews and tools. But open-source projects also need the ability to quickly respond to security issues and publish meaningful guidance for users. 24 hours isn't bad, but in this case too slow.

Johannes Ullrich
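The inventory exercise called for in this item (knowing which applications carry the affected framework) can be partly automated against build files. The following is an added example for this newsletter item, not code from the Spring project or from SANS. The fixed versions it encodes are Spring Framework 5.3.18 and 5.2.20 and Spring Boot 2.6.6 and 2.5.12, per Spring's advisory for CVE-2022-22965; older framework lines are end of life and received no fix, so they are treated as vulnerable. The POM and Gradle coordinates are constructed. A matching version is a necessary condition only: exploitation additionally needs JDK 9+ as the item notes, and a POM check misses versions pulled in transitively, so confirm with `mvn dependency:tree` or `gradle dependencies`.

```python
"""Find Spring Framework / Spring Boot versions affected by CVE-2022-22965
(Spring4Shell) in Maven build files and Gradle coordinates.

Added example; not code from the Spring project or the newsletter.
Fixed versions: Spring Framework 5.3.18 and 5.2.20, Spring Boot 2.6.6 and
2.5.12. Earlier 5.3.x/5.2.x, all older framework lines (end of life,
unpatched) and earlier Boot lines are treated as vulnerable.
"""
import re
import xml.etree.ElementTree as ET

# Framework artifacts that carry the affected data-binding code (spring-beans)
# or sit directly on top of it.
FRAMEWORK_ARTIFACTS = {"spring-beans", "spring-web", "spring-webmvc", "spring-webflux"}

# Constructed POM: one vulnerable framework dep via a property, one fixed dep,
# one dep whose version is managed elsewhere (unknown here), one vulnerable Boot starter.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <spring.version>5.3.17</spring.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>5.2.20</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webflux</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.6.5</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(v):
    """'5.3.17' or '4.3.30.RELEASE' -> (5, 3, 17); None if unparseable/absent."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(x) for x in m.groups()) if m else None


def framework_vulnerable(version):
    """True/False for a Spring Framework version, None if unknown."""
    t = parse_version(version)
    if t is None:
        return None
    if t[:2] == (5, 2):
        return t < (5, 2, 20)
    return t < (5, 3, 18)      # covers 5.3.x, 6.x (fixed) and <5.2 (unpatched)


def boot_vulnerable(version):
    """True/False for a Spring Boot version, None if unknown."""
    t = parse_version(version)
    if t is None:
        return None
    if t[:2] == (2, 5):
        return t < (2, 5, 12)
    return t < (2, 6, 6)


def check_coordinate(group, artifact, version):
    """Classify one dependency; None = untracked artifact or unknown version."""
    if group == "org.springframework" and artifact in FRAMEWORK_ARTIFACTS:
        return framework_vulnerable(version)
    if group == "org.springframework.boot":
        return boot_vulnerable(version)
    return None


def check_gradle_coordinate(coord):
    """'org.springframework:spring-webmvc:5.3.16' -> (artifact, version, verdict)."""
    group, artifact, version = coord.split(":", 2)
    return artifact, version, check_coordinate(group, artifact, version)


def check_pom(pom_xml):
    """Return [(artifactId, resolved version, verdict)] for every Spring dependency.
    A verdict of None means the version must be resolved from the dependency tree."""
    root = ET.fromstring(pom_xml)
    props = {}
    for block in root.iterfind(".//{*}properties"):     # {*} matches any namespace
        for child in block:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    findings = []
    for dep in root.iterfind(".//{*}dependency"):
        group = (dep.findtext("{*}groupId") or "").strip()
        artifact = (dep.findtext("{*}artifactId") or "").strip()
        version = (dep.findtext("{*}version") or "").strip()
        # Resolve ${property} references declared in <properties>.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        if group.startswith("org.springframework"):
            findings.append((artifact, version, check_coordinate(group, artifact, version)))
    return findings


if __name__ == "__main__":
    for artifact, version, verdict in check_pom(SAMPLE_POM):
        print(f"{artifact:<28} {version or '(managed)':<12} vulnerable={verdict}")
```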

2022-03-30

Globant is a Victim of Lapsus$ Cyber Extortion Group

International IT and software development company Globant has acknowledged that its systems were breached by the Lapsus$ cyber extortion group. The attackers have leaked data stolen from Globant, including admin credentials and source code.


2022-03-28

BGP Error Routed Some Twitter Traffic Through Russian ISP

An ISP’s misconfigured routing table led to some Twitter traffic being routed through Russia. The border gateway protocol (BGP) issue lasted less than an hour. At least one analyst suggested that the incident may have been due to an attempt to block Russian citizens from accessing Twitter.

Editor's Note

There is a good news side to this story: Secure BGP configurations by Twitter as well as by ISPs around the globe prevented this issue from spreading much beyond the initial misconfiguration. BGP security is improving.

Johannes Ullrich

2022-03-31

QNAP Says Devices Affected by OpenSSL Vulnerability

Most QNAP network-attached storage (NAS) devices are affected by a high-severity infinite loop vulnerability in OpenSSL. OpenSSL issued a patch for the issue in mid-March. QNAP has not yet released a fix.

Editor's Note

This is not a big deal because your QNAP device should not be exposed to the public anyway, and it is just a DDOS. It is only making the news because QNAP cares enough to let its users know.

Johannes Ullrich

The ultimate fix is to apply the QNAP update when it is released. While you’re waiting, make sure that you’re not exposing these devices to the Internet, and that only authorized devices can reach the administration interfaces. Review for and remove any unexpected user accounts and applications.

Lee Neely

2022-03-30

Patch Available for Zlib Flaw

A 17-year-old vulnerability in the Zlib data-compression library now has a patch. The flaw could be exploited to crash applications and services. Google Project Zero’s Tavis Ormandy reported the flaw “but it turns out the issue has been public since 2018, but the patch never made it into a release.” Additionally, when the vulnerability was reported four years ago, it was noted that the issue had already existed for 13 years.

Editor's Note

I’m reminded of projects that didn’t have clear ownership and commitment to deliver. Make sure you’re tracking flaw remediation activities, whether code reviews or monthly patch application, to ensure nothing falls through the cracks.

Lee Neely

2022-03-31

VA Cybersecurity Bill Introduced in US Congress

A new bill that aims to improve cybersecurity at the US Department of Veterans Affairs (VA) requires the agency to conduct an independent cybersecurity assessment of its critical systems. The bill also calls for the VA to review shadow IT – systems, apps, and services that are being used on the agency’s network without approval from the agency’s IT department.

Editor's Note

The bill requires VA to use a Federally Funded Research and Development Center (FFRDC) to perform the assessment. No offense to FFRDCs, but some are very good at cybersecurity, and some are very good at cancer research or optical-infrared astronomy – but cybersecurity, not so much. The bill’s language says the FFRDCs must “… take into account industry best practices and the current state-of-the-art in cybersecurity evaluation and review.” The bill should just allow private security firms that are setting those best practice/state-of-the-art standards to compete for the assessment.

John Pescatore

Can you detect unauthorized services on your network? How about cloud services - do you allow all of them or only those authorized? The VA is already tasked with authorization of all systems processing their data, including shutting down or blocking rogue or unauthorized devices and applications. In either case, what’s your response? Make sure you know your risk tolerance.

Lee Neely

Internet Storm Center Tech Corner

Spring Vulnerability Update - Exploitation Attempts CVE-2022-22965

https://isc.sans.edu/forums/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504/


Java Springtime Confusion: What Vulnerability are We Talking About

https://isc.sans.edu/forums/diary/Java+Springtime+Confusion+What+Vulnerability+are+We+Talking+About/28500/


Apple Patches 0 Day Vulnerability

https://isc.sans.edu/forums/diary/Apple+Patches+Actively+Exploited+Vulnerability+in+macOS+iOS+and+iPadOS/28506/


Quickie: Parsing XLSB Documents

https://isc.sans.edu/forums/diary/Quickie+Parsing+XLSB+Documents/28496/


More Fake/Typosquatting Twitter Accounts Asking for Ukraine Cryptocurrency Donations

https://isc.sans.edu/forums/diary/More+FakeTyposquatting+Twitter+Accounts+Asking+for+Ukraine+Crytocurrency+Donations/28492/


Wyze Cam Vulnerabilities

https://www.bitdefender.com/files/News/CaseStudies/study/413/Bitdefender-PR-Whitepaper-WCam-creat5991-en-EN.pdf


Mitigating Attacks Against Uninterruptible Power Supply Devices

https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf


Zyxel Security Advisory

https://www.zyxel.com/support/forgery-vulnerabilities-of-select-Armor-home-routers.shtml


Pwning 3CX Phone Management Backends from the Internet

https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88


MFA Bypass Attacks

https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html


Google Advertises Mars Stealer

https://blog.morphisec.com/threat-research-mars-stealer


Hackers Gaining Power of Subpoena Via Fake "Emergency Data Requests"

https://krebsonsecurity.com/2022/03/hackers-gaining-power-of-subpoena-via-fake-emergency-data-requests/