SANS NewsBites

GitHub Notifies Victims of Third Party OAuth Token Theft; Patch Cisco Wireless LAN Controller Products; Draft Legislation Proposed to Drive US Government to Address Future Quantum Crypto Risks

April 19, 2022  |  Volume XXIV - Issue #31

Top of the News


2022-04-18

GitHub: Stolen OAuth User Tokens Used to Steal Data

GitHub says that stolen OAuth user tokens that were initially issued to two third-party integrators have been used to download data from other organizations. GitHub has notified organizations that were compromised.

Editor's Note

OAuth is a great tool to create "valet keys" that provide CI/CD tools with just the access needed to do their job. But they still need to be safeguarded. Make sure your tools are able to rotate these keys periodically. From time to time, review which tools have access to your accounts. Services supporting OAuth should make it easy to review which applications have been approved for access.

Johannes Ullrich

To further protect users, GitHub revoked the tokens associated with its own and npm's use of the compromised Travis CI and Heroku Dashboard applications. The attackers are believed to be mining private repositories, downloaded using the pilfered OAuth tokens, looking for opportunities to pivot into other systems using additional discovered credentials. With OAuth keys being an essential component of remote/cloud-based services, their use is a risk you need to actively manage to prevent malfeasance. Make sure you're auditing, monitoring and appropriately expiring OAuth keys to minimize abuse.

Lee Neely

2022-04-15

Cisco Fixes Critical Flaw in WLC Software

Cisco has released updates for its Wireless LAN Controller (WLC) software that fix a critical authentication bypass vulnerability. The issue has a CVSS score of 10; it exists because the password authentication algorithm is improperly implemented. The vulnerability affects Cisco’s 3504 Wireless Controller, 5520 Wireless Controller, 8540 Wireless Controller, Mobility Express, and Virtual Wireless Controller (vWLC).

Editor's Note

This flaw will only affect you if you are using a non-standard configuration for RADIUS authentication. Review Cisco's bulletin to see if you are affected. But it is probably best to just patch, in case you modify your configuration later.

Johannes Ullrich

If you have one of these controllers with RADIUS compatibility mode set to "other" (check your macfilter summary), you're vulnerable. The best move is to apply the update; workarounds entail changing the RADIUS compatibility mode to "cisco" or "free", which may have operational impacts you'll want to test first.

Lee Neely

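The check above (RADIUS compatibility mode "other" in the macfilter summary) is easy to script across a fleet of controllers. The following is an added example, not code from Cisco or from the advisory: it parses saved output of the WLC "show macfilter summary" command and sorts exposed controllers first. The sample output, the controller names and the exact field label are constructed assumptions; compare the label against your own controller before trusting the regex.

```python
import re
from typing import Dict, Optional

# Constructed sample output, modelled on the WLC CLI "show macfilter summary".
# The field label and dot padding are assumptions, not copied from a controller.
SAMPLE_EXPOSED = """\
MAC Filter RADIUS Compatibility mode............. Other
MAC Filter Delimiter............................. None
"""

SAMPLE_NOT_EXPOSED = """\
MAC Filter RADIUS Compatibility mode............. Cisco
MAC Filter Delimiter............................. None
"""

# Matches the label, skips the dot/space padding, captures the value word.
_MODE_RE = re.compile(r"RADIUS Compatibility mode[.\s]*(\S+)", re.IGNORECASE)


def radius_compat_mode(output: str) -> Optional[str]:
    """Return the configured RADIUS compatibility mode, lower-cased, or None."""
    match = _MODE_RE.search(output)
    return match.group(1).lower() if match else None


def assess(output: str) -> Dict[str, Optional[str]]:
    """Classify one controller from its macfilter summary output."""
    mode = radius_compat_mode(output)
    if mode is None:
        return {"mode": None, "status": "unknown",
                "action": "could not parse output; inspect the controller manually"}
    if mode == "other":
        return {"mode": mode, "status": "exposed",
                "action": "upgrade to a fixed release; until then change the mode "
                          "to cisco or free only after testing the RADIUS MAC-filter "
                          "behaviour your WLANs depend on"}
    return {"mode": mode, "status": "not exposed",
            "action": "schedule the upgrade anyway; a later change to 'other' "
                      "would re-expose the controller"}


def assess_fleet(outputs: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map controller name -> assessment, with exposed controllers listed first."""
    order = {"exposed": 0, "unknown": 1, "not exposed": 2}
    results = {name: assess(text) for name, text in outputs.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]["status"]]))


if __name__ == "__main__":
    # Constructed fleet: controller names are placeholders.
    fleet = {
        "wlc-branch-3504": SAMPLE_NOT_EXPOSED,
        "wlc-hq-5520": SAMPLE_EXPOSED,
        "wlc-lab": "connection timed out",
    }
    for name, result in assess_fleet(fleet).items():
        print(f"{name}: {result['status']} (mode={result['mode']}) -> {result['action']}")
```

Feed it the captured CLI output from your configuration-backup or monitoring tool rather than pasting by hand, and keep the "unknown" bucket visible: a controller whose output you cannot parse is one you have not verified.
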
2022-04-18

US Legislators Introduce Quantum Computing Cybersecurity Preparedness Act

Legislators in the US House of Representatives have introduced the Quantum Computing Cybersecurity Preparedness Act, a bill that would require the civilian federal government to develop a strategy to protect systems from attacks conducted by quantum computers. One of the bill’s sponsors, Rep. Ro Khanna (D-California), said: “Even though classical computers can’t break encryption now, our adversaries can still steal our data in the hopes of decrypting it later. That’s why I believe that the federal government must begin strategizing immediately about the best ways to move our encrypted data to algorithms that use post-quantum cryptography.”

Editor's Note

It may not be clear how much of a threat quantum computing will present in the future. But upgrading encryption algorithms takes time, and it is important to start the process well before the threat is apparent. Encryption isn't like a good wine; it doesn't get better with age. Always implement systems with the best possible encryption algorithms you can afford at the time you create software.

Johannes Ullrich

This type of legislation was needed back in the 1990s to get the federal government moving around Y2K preparedness. Quantum computing security issues are much more complex technically, and the lack of a hard deadline makes it too easy to keep kicking the can down the road. So, good to see this bipartisan legislation initiated.

John Pescatore

The trick is phasing out old cryptography, such as 3DES or SHA1, which often requires not only updated hardware, software, and applications, but also intentionally disabling the old crypto which is left for compatibility. This is exacerbated by external collaboration where getting agreement to no longer support that compatibility is neither a technical nor a cyber security decision. Enlist the C-Suite to move the bar, track the progress and record the risk decisions.

Lee Neely

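The hard part of phasing out an algorithm, as the note above says, is the compatibility tail: the old algorithm has to keep verifying for a while but must stop being produced, and someone has to be able to report how much of the estate still depends on it. Below is an added example of that "algorithm agility" pattern, written for this page and not taken from any standard or product: every HMAC token carries the identifier of the algorithm that made it, deprecated algorithms verify only until a sunset date and are never issued, and a report counts tokens per algorithm so progress can be tracked. The sunset date, key and messages are assumed example values; SHA-1 stands in for whatever legacy primitive you are retiring.

```python
import hashlib
import hmac
from datetime import date
from typing import Dict, Iterable, Optional

# Assumed policy for this example: SHA-1 HMACs are still verified until the
# sunset date so existing partner integrations keep working, but never issued.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
SUNSET: Dict[str, date] = {"sha1": date(2022, 12, 31)}  # assumed date
CURRENT_ALG = "sha256"


def _mac(key: bytes, message: bytes, alg: str) -> str:
    return hmac.new(key, message, ALGORITHMS[alg]).hexdigest()


def protect(key: bytes, message: bytes) -> str:
    """Issue a token tagged with the algorithm that produced it (always current)."""
    return f"{CURRENT_ALG}:{_mac(key, message, CURRENT_ALG)}"


def legacy_sha1_token(key: bytes, message: bytes) -> str:
    """Simulates what the pre-migration system issued; exists only for the demo."""
    return f"sha1:{_mac(key, message, 'sha1')}"


def verify(key: bytes, message: bytes, token: str, today: date) -> bool:
    """Accept any known algorithm until its sunset date, comparing in constant time."""
    alg, sep, mac = token.partition(":")
    if not sep or alg not in ALGORITHMS:
        return False  # unknown or untagged algorithm: fail closed
    sunset = SUNSET.get(alg)
    if sunset is not None and today > sunset:
        return False  # grace period over; the deprecated algorithm is dead
    return hmac.compare_digest(_mac(key, message, alg), mac)


def reissue(key: bytes, message: bytes, token: str, today: date) -> Optional[str]:
    """Migrate a still-valid legacy token to the current algorithm, or None."""
    if not verify(key, message, token, today):
        return None
    return protect(key, message)


def migration_report(tokens: Iterable[str]) -> Dict[str, int]:
    """Count tokens per algorithm: the progress metric to put in front of leadership."""
    counts: Dict[str, int] = {}
    for tok in tokens:
        alg = tok.partition(":")[0]
        counts[alg] = counts.get(alg, 0) + 1
    return counts


if __name__ == "__main__":
    key = b"example-shared-secret"          # assumed; use a real secret in practice
    msg = b"order=1234&amount=10.00"         # assumed message
    old = legacy_sha1_token(key, msg)
    print("legacy accepted before sunset:", verify(key, msg, old, date(2022, 6, 1)))
    print("legacy accepted after sunset: ", verify(key, msg, old, date(2023, 1, 1)))
    print("reissued as:", reissue(key, msg, old, date(2022, 6, 1)))
    print(migration_report([old, protect(key, msg), protect(key, b"other")]))
```

The design point is that the algorithm identifier is explicit in the artefact and the sunset is a data value, so retiring the old primitive is a policy change plus a date, not a code archaeology exercise across every system that ever verified a token.
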
The Rest of the Week's News


2022-04-15

Chrome Updates to Fix Actively Exploited Flaw

Google has updated the Chrome Stable channel for Desktop to version 100.0.4896.127 for Windows, Mac and Linux. The newest version of Chrome will be rolled out over the next few weeks. It includes fixes for two security flaws, including a type confusion vulnerability that is being actively exploited. The flaw affects V8, Chrome’s JavaScript and WebAssembly engine.

Editor's Note

Here is another emergency update for Chrome. If I'm tracking, this is the third for 2022 that also includes a zero-day fix. The updates to Chrome and Chromium, which address CVE-2022-1364 and CVE-2022-1096, are already available for deployment; make sure Edge, Brave and other Chromium-based browsers are also updated. This is a good time to make sure that you're actively managing updates to all Chrome and Chromium-based browsers in your environment. Don't overlook mobile.

Lee Neely

2022-04-18

Citizen Lab: NSO Spyware Found on Devices of Catalan Groups, UK PM’s Office

The Citizen Lab says it found NSO Pegasus spyware on devices of at least 65 individuals, including “Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations. Family members were also infected in some cases.” The spyware was also found on devices associated with the UK Prime Minister’s Office and the Foreign, Commonwealth and Development Office.

Editor's Note

While the spotlight is currently on NSO Spyware, we should take these stories as a reminder that there are groups actively looking for weaknesses in the security of mobile devices. NSO are not the only threat actors at play here; they happen to be the one that has been recently caught out. As such, we need to ensure that we have appropriate security mechanisms and controls in place, be they technical, personal, and process driven, to secure mobile devices.

Brian Honan

Catalan is a community in north-eastern Spain and its economy represents a significant portion of Spain's GDP. This seems to be the latest step in the dispute between Catalan and Spain for full autonomy. Attackers used multiple initial attack vectors, including HOMAGE or KISMET (which leveraged a zero-click iMessage flaw in versions of iOS 13), SMS, and the 2019 WhatsApp exploit, to deliver Pegasus. These weaknesses were fixed in newer iOS and app updates. Even if you're not a target, some off-target infections have been noted. Make sure that you're keeping your device and apps updated. Consider using loaner/burner devices when traveling to foreign countries of higher risk.

Lee Neely

2022-04-15

CISA Adds More Flaws to Known Exploited Vulnerability Database

On Friday, April 15, the US Cybersecurity and Infrastructure Security Agency (CISA) added nine more security flaws to its Known Exploited Vulnerabilities catalog. All nine have mitigation due dates of May 6, 2022.

Editor's Note

On Thursday, CISA also added the VMware flaw (CVE-2022-22954), which is being used to deploy cryptominer payloads; good to know if you're a VMware shop. While this may feel like painting a bridge, if you filter out the products you don't have, and products you've already patched, this should give you a manageable list of things to make sure you've not overlooked.

Lee Neely

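The filtering the note above recommends (drop products you don't run, drop CVEs you've already patched, sort the rest by due date) is worth automating, because the catalog grows every week. The following is an added example written for this page, not a CISA tool: it triages a KEV-style JSON feed against an asset inventory and a patched list. The field names follow the catalog's published JSON schema, but the feed fragment, the added/due dates, the inventory and the patched list are all constructed for the demo and must not be read as the catalog's actual contents; point the function at the real feed download in practice.

```python
import json
from datetime import date, datetime
from typing import Dict, List, Set

# Constructed feed fragment using the KEV JSON field names. The entries, dates
# and descriptions are illustrative and are not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample of the KEV catalog format",
    "vulnerabilities": [
        {"cveID": "CVE-2022-22954", "vendorProject": "VMware",
         "product": "Workspace ONE Access and Identity Manager",
         "vulnerabilityName": "server-side template injection (sample entry)",
         "dateAdded": "2022-04-14", "dueDate": "2022-05-05",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-1364", "vendorProject": "Google",
         "product": "Chromium V8 Engine",
         "vulnerabilityName": "type confusion (sample entry)",
         "dateAdded": "2022-04-15", "dueDate": "2022-05-06",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft",
         "product": "Exchange Server",
         "vulnerabilityName": "server-side request forgery (sample entry)",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: vendor (lower-case) -> product keywords you actually run.
INVENTORY: Dict[str, Set[str]] = {
    "vmware": {"workspace one"},
    "google": {"chromium", "chrome"},
}

# Constructed list of CVEs already closed out by patching or an accepted mitigation.
PATCHED: Set[str] = {"CVE-2022-1364"}


def _owned(vendor: str, product: str, inventory: Dict[str, Set[str]]) -> bool:
    """True when the vendor is in inventory and a product keyword matches."""
    keywords = inventory.get(vendor.lower(), set())
    product_l = product.lower()
    return any(k in product_l for k in keywords)


def triage(feed_json: str, inventory: Dict[str, Set[str]],
           patched: Set[str], today: date) -> List[Dict[str, object]]:
    """Return the open, in-scope KEV entries, most urgent (fewest days left) first."""
    feed = json.loads(feed_json)
    open_items: List[Dict[str, object]] = []
    for entry in feed["vulnerabilities"]:
        if not _owned(entry["vendorProject"], entry["product"], inventory):
            continue                       # product we don't run
        if entry["cveID"] in patched:
            continue                       # already closed out
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        open_items.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_left": (due - today).days,   # negative means already overdue
        })
    return sorted(open_items, key=lambda item: item["days_left"])


if __name__ == "__main__":
    for item in triage(KEV_SAMPLE, INVENTORY, PATCHED, date(2022, 4, 19)):
        flag = "OVERDUE" if item["days_left"] < 0 else f'{item["days_left"]}d left'
        print(f'{item["cveID"]:16} {item["product"]:45} due {item["dueDate"]} ({flag})')
```

Keep the inventory keywords deliberately broad (vendor plus a product family) and review the "not owned" discards occasionally; a too-narrow keyword list silently hides a catalog entry, which is the exact failure the exercise is meant to prevent.
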
2022-04-18

US Officials Warn on Russian Cyberattacks

On the US television news show 60 Minutes, Deputy Attorney General Lisa Monaco and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly spoke about the potential for Russian cyberattacks on critical infrastructure. Monaco said, “We are seeing Russian state actors scanning, probing, looking for opportunities, looking for weaknesses in our systems on critical infrastructure, on businesses.” Easterly noted that the Russian hackers appear to be focusing on the energy and financial sectors.

Editor's Note

Ukraine has been inundated with various attacks against critical infrastructure, government and businesses. Many of the tools deployed so far are "wipers" created to just destroy data. But other malware, like credential stealers, has been seen as well with very targeted lures. A possible expansion of the Russian war effort to include countries supplying Ukraine may very well mean that these attacks will be attempted against a larger list of targets.

Johannes Ullrich

Imagine a burglar jiggling all the locks in the neighborhood looking for a way in. Then using a possibly unrelated entrance point to pivot to a higher value target using partnership or other trust relationships. Extend your definition of third-party risk to include the environments where you have remote workers as well as business partnerships, including cloud. Ask what added resources could access your network after you conceded to allow access to local resources on the far end such as printers and file servers, then look to means to minimize those risks.

Lee Neely

2022-04-17

IcedID Malware and Zimbra Exploits are Being Used Against Ukrainian Government Systems

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of social engineering campaigns that aim to spread IcedID malware and use Zimbra exploits to steal data. The attacks are targeting Ukrainian government agency networks.

Editor's Note

This attack relies on an infected MS Excel document which requests you to enable macros and then leads to the deployment of IcedID, aka BokBot. Being mindful of macros, particularly from external or unknown senders, remains prudent. Disable macros unless you absolutely know that the document is not only legitimate, but also that they are needed. Question macros that are there “because we always did it that way” or don't make sense, even from trusted sources.

Lee Neely

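A gateway or mail-filter check can enforce the "no macros from outside" rule before the document ever asks a user to click Enable Content. The following is an added example for this page, not CERT-UA's tooling or an IcedID signature: it inspects an Office Open XML (.xlsx/.xlsm) container for an embedded VBA project, treating a macro project hidden under a macro-free extension as the strongest signal. The sample workbooks are constructed in memory (a minimal zip with the relevant parts, not real Excel files), and the routing decisions (block/review/allow) are an assumed policy. Legacy binary .xls files are OLE2, not zip, and are handed off for review rather than parsed here.

```python
import io
import zipfile
from typing import Optional

# Content type Excel declares for an embedded VBA project in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Magic bytes of an OLE2 compound file (legacy .xls/.doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that are not supposed to carry macros at all.
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style workbook for the demo; not a real Excel file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        types = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            types.append(f'<Override PartName="/xl/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


def has_vba_project(data: bytes) -> Optional[bool]:
    """True/False for OOXML containers; None when the bytes are not OOXML."""
    if data.startswith(OLE_MAGIC):
        return None  # legacy OLE file: needs an OLE parser, e.g. oletools' olevba
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            # Signal 1: the VBA part itself, wherever it sits in the package.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Signal 2: the content-types manifest declaring a VBA part.
            for n in names:
                if n.lower() == "[content_types].xml":
                    manifest = z.read(n).decode("utf-8", "replace")
                    return VBA_CONTENT_TYPE in manifest
            return False
    except zipfile.BadZipFile:
        return None  # not a zip at all; let a different parser decide


def classify(filename: str, data: bytes, from_external: bool) -> str:
    """Assumed policy: block external macros, review internal ones, flag mismatches."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    vba = has_vba_project(data)
    if vba is None:
        return "review"      # OLE or unrecognised: deeper inspection required
    if vba and ext in MACRO_FREE_EXTENSIONS:
        return "block"       # macro project smuggled under a macro-free extension
    if vba and from_external:
        return "block"       # policy from the note: no macros from outside
    if vba:
        return "review"      # internal macro: ask whether it is still needed
    return "allow"


if __name__ == "__main__":
    cases = [
        ("invoice.xlsx", build_sample(True), True),
        ("budget.xlsm", build_sample(True), True),
        ("report.xlsm", build_sample(True), False),
        ("plain.xlsx", build_sample(False), True),
        ("old.xls", OLE_MAGIC + b"\x00" * 32, True),
    ]
    for name, blob, external in cases:
        print(f"{name:14} external={external!s:5} -> {classify(name, blob, external)}")
```

The extension-mismatch rule matters because Excel decides how to treat a file from its contents, not its name; a filter that only looks at ".xlsm" misses a renamed macro document.
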
2022-04-18

US CISA, FBI, and Treasury Warn of Lazarus Hackers Targeting Cryptocurrency Companies

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Treasury Department warn that the Lazarus hacking group is targeting cryptocurrency and blockchain organizations. The hackers use social engineering to get cryptocurrency company employees to download and run apps that have been laced with malware. The Lazarus group has been linked to North Korea.

Editor's Note

Crypto is still not insured, nor regulated for safety and soundness. That means increased reliance on the user, and when working with an exchange it also means you really need to read the EULA and other terms. In this case the target is those organizations you would be reliant on to properly manage the transactions, so you need a clear understanding of what happens if that is successful. As a developer, of any sort, one needs to always be careful of new and improved libraries bearing extra features, particularly when accompanied by alluring messages which lead you to think their deployment is urgently required. Make sure your staff is fully trained on detecting and thwarting social engineering attempts, as they can be compelling. If you have any doubt, visit a social engineering village at a conference and prepare to be amazed.

Lee Neely

Internet Storm Center Tech Corner

Office Now Protects You From Malicious ISO Files

https://isc.sans.edu/forums/diary/Office+Protects+You+From+Malicious+ISO+Files/28554/


Sysmon's RegistryEvent (Value Set) and Binary Data

https://isc.sans.edu/forums/diary/Sysmons+RegistryEvent+Value+Set/28558/


Ukraine CERT Posts: IcedID and Zimbra Flaw

https://cert.gov.ua/article/39606

https://cert.gov.ua/article/39609


New NSO Pegasus Exploit Spotted in the Wild

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/


Unofficial Windows 11 Upgrade Delivers Spyware

https://www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/


GitHub Stolen OAuth User Tokens

https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/


Git For Windows Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-24765


Cisco Wireless Controller Bug

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-auth-bypass-JRNhV4fF