SANS NewsBites

FBI Pushes Warrant Boundaries in Cyclops Blink Takedown; Microsoft Offers Progressive Windows Autopatch Service; Bogus AV Apps That Actually Spread Malware Made It Into Google Play Store

April 12, 2022  |  Volume XXIV - Issue #29

Top of the News


2022-04-08

FBI’s Cyclops Blink Action Raises Questions

The FBI’s recent takedown of Cyclops Blink command-and-control infrastructure raises questions about the US government’s reach regarding search and seizure. The government obtained a warrant allowing it to gain remote access to privately owned devices without notifying the owners and to take steps to dismantle the botnet’s command-and-control operations. The FBI also used an amendment to Rule 41 of the Federal Rules of Criminal Procedure to access computers outside the jurisdiction of the court granting the warrant.

Editor's Note

I find physical analogues instructive. We expect fire and police departments to gain entry to our homes and businesses when there's an emergency, and whether or not we're present. Infected machines can constitute an emergency, especially when they're being used to attack other victims. However, police and firefighters will go to greater lengths to notify property owners. It might be ideal, instead, to take over attacker-owned C2 servers and issue kill orders to infected systems, but opportunities like that can't be common.

Christopher Elgee

The FBI did a great service to the reckless owners of unpatched devices. Did they even access the infected devices, or did they just access the C&C server? Of course the Internet usually plays a bit by Florida traffic rules where we do not like things like safety inspections.

Johannes Ullrich

We need to be wary of law enforcement using powers such as these to tackle malware and botnets. While it may technically make sense to take this approach, we have to take into account people’s privacy rights and ensure there is appropriate transparency and governance in place to manage any such actions.

Brian Honan

The amendment to Rule 41 of the Federal Rules of Criminal Procedure was the result of three years of debate and public input, adopted by the Supreme Court and approved by Congress in 2016 and was intended to handle a large-scale event. This is the broadest application of that rule not only for investigation but also for disruption of criminal activities. The risk is that multiple warrants were not obtained, just one, which was used in jurisdictions outside the one which issued it. One hopes this case helps strike a balance between taking remote action to remediate known infected systems versus reliance on system owners to take action. As we all get better at communicating with federal agencies such as the FBI, CISA, etc. one hopes that can be leveraged to allow local action versus remote unexpected intervention.

Lee Neely

2022-04-10

Microsoft Windows Autopatch

Microsoft plans to launch Windows Autopatch in July 2022. The managed service will be available to Microsoft users with Windows 10/11 Enterprise E3 or above licenses. Autopatch was created to ensure that Windows and Office software are up-to-date. It divides an organization’s devices into four rings: the test ring, which has a small number of devices; the first ring, which has about 1 percent of endpoints; the fast ring, which has another 9 percent of devices; and the broad ring, which accounts for 90 percent of an organization’s devices. Autopatch will apply updates progressively; the service also has Halt and Rollback features.

Editor's Note

Sounds like a neat idea and well thought out feature. Now let’s see if this will work or if someone will figure out it is less of a problem to have your infrastructure pw0n3d by ransomware than have a system misbehave every so often due to a bad patch.

Johannes Ullrich

There is a lot of mythology around how often apps break after Windows patches are pushed out these days. Try this out and see what your halt and rollback percentages are – I’m betting they will be pretty low. The apps that do break should be candidates for sunsetting.

John Pescatore

It is interesting to see how Microsoft is becoming a one-stop shop for enterprise-wide security solutions; however, I am concerned that many of these features are not as readily available to smaller firms and SMEs. Security should not be the preserve of well-funded organisations, similar to how automobile safety should not be the preserve of those who can afford brakes, seat belts, and air bags.

Brian Honan

Even if you are not interested in autopatch or have E3+, the four rings explained here are a great strategy for your patch management process. We implemented this years ago and it has many benefits. Consider it.

Jorge Orchilles

This service targets desktop users rather than servers. Many of us have worked to implement a similar phased update approach. This basically turns that into a commodity activity for Microsoft products, freeing some resources to address servers and other high-value assets. Note you're still going to need to have a solution for other installed products, Adobe, Chrome, Java, etc.

Lee Neely

2022-04-08

Google Pulls Malware-Spreading Apps Disguised as Anti-Virus from Google Play Store

Google has pulled half a dozen malicious Android apps from the Google Play Store after they were found to spread info-stealing malware. The apps were installed a total of 15,000 times. The malware, known as Sharkbot, steals credentials and banking data. Researchers from Check Point discovered the malware-laced apps.

Editor's Note

Beware of software bearing gifts, in this case applications purporting to be anti-virus solutions that install malware instead. Even more dangerous: a user installing what they think is AV is more likely to grant that application all requested permissions. Provide users with approved device security tools and profiles rather than letting them choose their own. Note that these apps themselves didn't contain the malware; instead, they downloaded it after fooling the user with a pretty icon and otherwise legitimate looking app. As the apps have been pulled from the Play Store, Play Protect will remove them on installed devices, but the damage is likely done, and infected devices will likely need a factory reset.

Lee Neely

I’d like to see two things: (1) good data from the Google Play Store and Apple App Store on the average time before a bad app is detected and removed; and (2) a security settings switch that filters the app store view to only show apps that have been published longer than that average. I guess the third thing would be to see that average time decrease to hours, then minutes, vs. days.

John Pescatore

The Rest of the Week's News


2022-04-08

New GitHub Dependency Review Action

GitHub has introduced dependency-review-action, which scans pull requests and raises an error if a new dependency contains known vulnerabilities. “The action is supported by an API endpoint that diffs the dependencies between any two revisions.”

Editor's Note

Nice! This will be free for use in public repositories on GitHub.com, but for private ones you’ll need to license GitHub Advanced Security. Definitely worth it for critical codebases, especially those with high commit frequency.

John Pescatore

This new feature, which is in public beta, leverages the GitHub Advisory Database to see if these new dependencies introduce vulnerabilities, raising an error if they do. Dependency review is enabled in public repositories and is available in private repositories which use GitHub Enterprise Cloud including a license for GitHub Advanced Security. Given recent issues with malicious included code of late, this is one more step you can take to reduce those risks.

Lee Neely

Read more in

Bleeping Computer: GitHub can now alert of supply-chain bugs in new dependencies

GitHub: dependency-review-action
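As an added illustration of how the action described above is wired into a repository (this is a constructed example, not taken from GitHub's documentation or the linked articles), a minimal workflow that runs it on every pull request; the file path, the `v2`/`v3` version tags, and the `moderate` threshold are assumptions for the example:

```yaml
# Constructed example: .github/workflows/dependency-review.yml
# The action diffs the dependency manifests between the PR's base and head
# revisions, so it only makes sense on the pull_request event.
name: Dependency Review
on: [pull_request]

permissions:
  contents: read   # least privilege: reading the repository is all the action needs

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v3
      - name: Fail the check if a newly added dependency has a known advisory
        uses: actions/dependency-review-action@v2
        with:
          # Block on advisories of this severity or worse; lower ones are reported only.
          fail-on-severity: moderate
```

Because the check runs as a pull-request status, pairing it with a branch protection rule that requires the check to pass is what actually stops a vulnerable dependency from being merged.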

Read more in (for the Spring4Shell and Mirai item below)

Trend Micro: CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware

ZDNet: Spring4Shell flaw is now being used to spread this botnet malware

Ars Technica: Trend says hackers have weaponized SpringShell to install Mirai malware

Bleeping Computer: Mirai malware now delivered using Spring4Shell exploits

The Hacker News: Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware

The Register: Attackers exploit Spring4Shell flaw to let loose the Mirai botnet

Read more in (for the CISA Known Exploited Vulnerabilities Catalog item below)

CISA: CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA: Known Exploited Vulnerabilities Catalog

Bleeping Computer: CISA warns orgs of WatchGuard bug exploited by Russian state hackers

2022-04-09

Finnish Government Websites Disrupted by DDoS Attack

The Finnish Foreign Ministry and Defense Ministry websites were knocked offline on Friday, April 8, while Ukrainian President Volodymyr Zelenskyy was addressing Finland’s members of parliament. The distributed denial-of-service (DDoS) attacks hit the websites at noon on Friday; an hour later the sites were operating as usual.

Editor's Note

DDoS attacks are becoming SOP retaliatory actions, as well as common cover to distract responders from other attacks. Make sure that you've got active DDoS protections, particularly if you are in the Public, Energy, or Critical Infrastructure sectors. Shared environments, such as hosting facilities or multi-tenant cloud services, could result in collateral damage if one of the other tenants is a target. Verify you're protected and to what level.

Lee Neely

2022-04-11

Atlassian Outage

Several Atlassian cloud services have been down for nearly a week. The company says it may take another two weeks to restore service to all users. As of 15:34 UTC on April 11, Atlassian has “rebuilt functionality for over 35% of the users who are impacted by the service outage, with no reported data loss.”

Editor's Note

This is a great example of why companies need to conduct robust risk assessments before moving services into the cloud. Those risk assessments should include what the business’s alternatives are in the event the cloud service provider has an outage or issue that impacts the ability to access data or the service. Just because it is in the cloud does not mean you can forget about your business continuity planning.

Brian Honan

While this doesn't seem to bode well for a company discontinuing on-premises licenses (they stopped in February 2021), it shows that their recovery objective is full restoration with no data loss. Unfortunately, that recovery point means the recovery time objective can be indefinite. When using a third party, outsource or cloud, have an in-depth discussion on recovery, to include what they are designing for, recovery time and recovery point objectives, and what steps, if any, you should take in addition to their processes to guarantee success. When comparing to your legacy in-sourced solutions, be realistic about your own capabilities and their shortfalls. E.g., a pile of tape media in the trunk of the CEO's car isn't as reliable or secure as you may think.

Lee Neely

2022-04-11

CISA Adds Eight Security Flaws to Known Exploited Vulnerability Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added eight more vulnerabilities to its Known Exploited Vulnerabilities Catalog. The list of new entries includes the WatchGuard privilege elevation flaw that affects the company’s Firebox and XTM products. All eight of the new vulnerabilities have remediation due dates of May 2, 2022.

Editor's Note

For regular updates on this activity, subscribe to CISA's weekly update summary. Many of the items listed have the action of applying the updates according to vendor instructions and/or updating to the current version. Having a current, auto-generated software inventory can help you keep your arms around where vulnerable software is hanging out in your enterprise. Many of your endpoint management and protection tools can already generate that list for you.

Lee Neely

2022-04-08

Healthcare Data Breaches

Recent US healthcare data breaches include a network server hacking incident at California-based SuperCare; a network server hacking/IT incident at Georgia-based CSI Laboratories; an “IT security issue” at East Tennessee Children’s Hospital; a cyberattack at Oklahoma City Indian Clinic; and a ransomware attack on Cancer and Hematology Centers of Western Michigan.

Editor's Note

Healthcare was already a target, increasingly so with the pandemic, and the Russia-Ukraine war has escalated attacks even further. If you're in the healthcare industry, make sure that security comes from the top, that it is not just an “IT problem” or worse – “someone else's problem.” If you don't have the resources, hire a reputable firm to perform a vulnerability assessment and help you target needed improvements. You're going to need that support from the top to get improvements implemented, not bypassed, and to continue to have a seat at the table to keep security factored into the equation.

Lee Neely

2022-04-11

State Auditor Did Not Require Connecticut Health Insurance Exchange to Fix Security Issues

Connecticut’s Access Health health insurance exchange experienced 44 data security breaches over a three-and-a-half-year period. The audit report lists Access Health’s security shortcomings; the state auditor recommended that it mitigate the problems but did not issue a mandate.

Editor's Note

While not having required follow-up actions with deficiencies is a dream outcome, it's not ideal, and possibly does a disservice to the entity being audited. Requiring or mandating fixes not only provides a raised bar to check on future audits, but also can be leveraged to get the funding, resources and attention needed to keep systems properly secured.

Lee Neely

2022-04-11

Spring4Shell is Being Exploited to Spread Mirai

Researchers from Trend Micro say that the Spring4Shell vulnerability is being actively exploited to spread Mirai botnet malware. The US Cybersecurity and Infrastructure Security Agency (CISA) added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog last week.

Editor's Note

While this has widely been reported as Mirai exploiting Spring4Shell, evidence presented only shows Mirai going after the default backdoor, using the default password, left behind by the PoC exploit. It is highly unlikely that this leads to a significant growth of the Mirai botnet, or is of any consequence at all.

Johannes Ullrich

There are two vulnerabilities relating to Spring: CVE-2022-22963, which is a resource exposure flaw specific to the Spring Cloud Foundation where the routing functionality is used (not specifically related to Spring4Shell); and CVE-2022-22965, which can be used for RCE on any Java application using the Spring Core under non-default configurations. The best mitigation is to update to Spring Framework versions greater than 5.3.18 or 5.2.20, and Spring Boot versions higher than 2.6.6 and 2.5.12. As a workaround, you could update to Apache Tomcat 10.0.20, 9.0.62 or 8.5.78, which close the attack vector, or you could downgrade to Java 8, which may cause issues if you're using features which don't exist in Java 8. Note that Java 8 and 9+ have different licensing models you need to consider.

Lee Neely

Internet Storm Center Tech Corner

Spring: It isn't just about Spring4Shell.

https://isc.sans.edu/forums/diary/Spring+It+isnt+just+about+Spring4Shell+Spring+Cloud+Function+Vulnerabilities+are+being+probed+too/28538/


Microsoft Windows Autopatch

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839


More npm protestware

https://github.com/Yaffle/EventSource/commit/de137927e13d8afac153d2485152ccec48948a7a


Raspberry Pi Update

https://www.raspberrypi.com/news/raspberry-pi-bullseye-update-april-2022/


Misc Spring4Shell Items

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67

https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html

https://github.com/AgainstTheWest/NginxDay


Russian Certificate Authority Update

https://koen.engineer/russias-certificate-authority-for-sanctioned-organizations-645d61af8ac6


Conti Source Code Leak Leads to Copycats

https://www.bleepingcomputer.com/news/security/hackers-use-contis-leaked-ransomware-to-attack-russian-companies/