SANS NewsBites

Deploy Updated AWS Log4j Hot Patches; Google/Mandiant Data Shows Zero Day Exploits Doubled in 2021, Cybercrime Largest Growth Area; Sitel Customers Should Check if They Were Exploited Via Same Weakness in Sitel that Okta Attackers Used

April 22, 2022  |  Volume XXIV - Issue #32

Top of the News


2022-04-20

AWS Releases Updated Log4j Hot Patches

Amazon Web Services (AWS) has released updated hot patches to address the Log4j security issues. Initially released in December 2021, the patches were found to contain security issues themselves. The vulnerabilities in the original patches were detected by researchers from Palo Alto Networks’ Unit 42.

Editor's Note

The vulnerability addressed here is not log4j, but a problem that resulted from Amazon's hotpatch process "patching" unrelated code that could lead to privilege escalation as the patching process ran with elevated privileges. Overall, the hotpatch was likely still better compared to not patching a critical vulnerability like log4j.

Johannes Ullrich

The December patches introduced flaws which can lead to container escape, so apply the new patches now. For Kubernetes clusters, make sure to deploy the current daemonset; Hotdog users need to update to the latest version; and standalone EC2 hosts should apply the latest log4j-cve RPM.

Lee Neely

2022-04-21

Mandiant, Google: Number of Exploited Zero-days in 2021 was Up Significantly

According to reports from both Mandiant Threat Intelligence and Google Project Zero, more zero-day vulnerabilities were exploited in 2021 than in any previous year. Mandiant “identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019.” Google reported “the detection and disclosure of 58 in-the-wild 0-days.” Mandiant found that the majority of the zero-days were being exploited by state sponsored threat actors.

Editor's Note

Google points out more entities are being credited with finding zero days as an indication that more threat hunting and early code testing is happening. Mandiant (owned by Google) data shows a wider range of threat actors, especially financially motivated attackers, are exploiting zero days. Use both of these facts to convince management that immediate patching and proactive threat hunting is required on all high value systems, especially where the “we are not a target of Russia/China” pushback has been happening.

John Pescatore

These exploits have resulted in more frequent updates tied to zero-day exploits. As such, you need to be not only tuned to apply updates across your enterprise, but also be able to monitor and respond to activities which may not yet have patches. Robust authentication, ideally MFA, endpoint security and application security to include WAF have to be SOP.

Lee Neely

Poor software quality control is leaving us with a porous infrastructure, inviting to increasingly organized crime and state adversaries. We need new tools (e.g., programming languages, SDKs, platforms), methods, and processes.

William Hugh Murray

2022-04-20

Okta Finishes Up Lapsus$ Investigation

Okta has completed its investigation into the January 2022 compromise by Lapsus$ threat actors. Okta says that the attackers had control of a single workstation for 25 minutes on January 21, 2022, accessed two active customer tenants, and were unable to make configuration changes, perform multi-factor authentication or password resets, or impersonate customer support. Okta has also ended its professional relationship with Sitel, the third-party customer support provider whose systems were breached.

Editor's Note

Rapid and transparent response by Okta. Sitel customers need to see the same from Sitel, which blames its breach on weaknesses in the network of an acquisition it made in August 2021, or look to change providers.

John Pescatore

Notice the duration of the interval that was involved here. This is where your monitoring and automation has to be sufficient to not only capture information but also tuned to provide near-realtime alerts of anomalous behavior. And then you not only have to know what is normal, but also be aware of data feeds not working.

Lee Neely

The Rest of the Week's News


2022-04-21

CISA Expands Joint Cyber Defense Collaborative to Include ICS Experts

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the expansion of the Joint Cyber Defense Collaborative (JCDC) to include Industrial Control Systems (ICS) experts. CISA established JCDC in August 2021 “to transform traditional public-private partnerships into real-time private-public operational collaboration and shift the paradigm from reacting to threats and vulnerabilities to proactively planning and taking steps to mitigate them.”

Editor's Note

Good to see many of the high-market-share ICS device vendors on the ICS expert list. While this effort will have an immediate wartime focus, it needs to carry that immediacy on to ICS vendors building more secure and more easily updated (buzzword: resilient) products.

John Pescatore

Threat actors continue to target ICS/OT systems, in part because it works, as well as for the disruption that can cause. One hopes that adding ICS-specific expertise to the JCDC will help with added relevant recommendations to further raise the bar to defend critical infrastructure and ICS.

Lee Neely

Read more in

CISA: CISA Expands the Joint Cyber Defense Collaborative to Include Industrial Control Systems Industry Expertise

FCW: CISA expands Joint Cyber Defense Collaborative

Healthcare IT News: CISA expands Joint Cyber Defense Collaborative to include GE, Siemens

CISA: Joint Cyber Defense Collaborative

FBI Warns of Potential Ransomware Attacks Against Agricultural Sector

Read more in

IC3: Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (PDF)

ZDNet: FBI warning: Ransomware gangs are going after this lucrative but unexpected target

Bleeping Computer: FBI warns of ransomware attacks targeting US agriculture sector

Cyberscoop: FBI warns agricultural sector of heightened risk of ransomware attacks

Okta Finishes Up Lapsus$ Investigation

Read more in

Okta: Okta Concludes its Investigation Into the January 2022 Compromise

Dark Reading: Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Bleeping Computer: Okta: Lapsus$ breach lasted only 25 minutes, hit 2 customers

The Verge: Okta ends Lapsus$ hack investigation, says breach lasted just 25 minutes

FBI: Black Cat Ransomware IoCs

Read more in

FBI: BlackCat/ALPHV Ransomware Indicators of Compromise (PDF)

SC Magazine: FBI seeks information on ALPHV ransomware group, aka BlackCat

Security Week: FBI Shares Information on BlackCat Ransomware Attacks

Bleeping Computer: FBI: BlackCat ransomware breached at least 60 entities worldwide

2022-04-21

Five Eyes Alert Warns of Russian Threats to Critical Infrastructure

The Five Eyes countries – the US, the UK, Canada, Australia, and New Zealand – have published a joint cybersecurity advisory warning of potential Russian state-sponsored and criminal malicious cyber activity. The advisory includes technical details about Russian state-sponsored operations, and Russian-aligned cyber threat and cybercrime groups, as well as suggested mitigations and advice on preparing for cyber incidents.

Editor's Note

Whether the attacks originate from Russian state-sponsored threat actors or sympathetic threat actors, your preparations remain the same, particularly if you’re in the critical infrastructure business. Verify that your defensive measures cover both your ICS/OT systems and your conventional IT systems, which could be used for recon or as pivot points. The CISA alert includes not only mitigations (patches/updates, MFA on all entry points, segmentation and appropriate VPN configuration), but also resource and contact links for all of the Five Eyes members.

Lee Neely

2022-04-20

Oracle Fixes Vulnerability in ECDSA Implementation in Java

Oracle has released a fix for a critical flaw (CVE-2022-21449) in the Elliptic Curve Digital Signature Algorithm (ECDSA) signature verification of Java versions 15 through 18. The issue was introduced when the signature verification code was rewritten for Java 15.

Editor's Note

Encryption is hard, and all about details. Read the original blog discussing the vulnerability. ECDSA is used for many different purposes, including verifying web server certificates. A proof-of-concept exploit has been published implementing a web server with a fake google.com certificate. But note that it only works if the client is written in Java 15 and later. Most enterprise applications are using older versions.

Johannes Ullrich

This flaw allows a fake digitally signed transaction or application to appear to be legitimate and is easy to exploit. The fix is included in the current CPU from Oracle, so make sure that you’ve deployed this update.

Lee Neely

2022-04-20

Lawsuit Alleges Vendor Hid Ransomware Attack

Eye Care Leaders (ECL), a provider of “ophthalmology-specific EHR and practice management systems,” is being sued by three medical practices for allegedly concealing a cyberattack against its systems that had significant negative impacts on the medical practices and for misrepresenting the situation when the practices sought additional information. ECL later disclosed that the attack corrupted and encrypted some databases, rendering certain data unrecoverable.

Editor's Note

Timely and responsible disclosure of security incidents may be a legal requirement, not just a best practice. For example, some state privacy laws require breach notification within 24 hours. Check the requirements for the data you’re handling in every location you’re doing business in. Make sure that your contracts with third-party providers include relevant language for notification, and that your legal department can support that language. If a breach happens, be prepared for the tough conversations about preserving or severing those relationships.

Lee Neely

2022-04-21

FBI Warns of Potential Ransomware Attacks Against Agricultural Sector

The FBI has published a TLP: White Private Industry Notification warning organizations within the agricultural sector “that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain.” The alert includes descriptions of previous cyberattacks against agricultural entities and recommendations for mitigation.

Editor's Note

There is no such thing as being too small or too obscure to be a target. If you don’t know where to start, contact your local CISA, FBI or other professional security organizations for resources, guides and advice.

Lee Neely

2022-04-21

FBI: Black Cat Ransomware IoCs

The FBI has published a TLP: White Flash alert that includes indicators of compromise (IoCs) for Black Cat, also known as ALPHV, ransomware-as-a-service. Black Cat is the first known ransomware to be written in Rust. The ransomware’s operators appear to be focusing on industrial organizations. In addition to the IoCs, the Flash alert includes technical details and recommended mitigations. In addition, “the FBI is seeking any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”

Editor's Note

The FBI wants to hear from you if you’re seeing this activity. Make sure that you know your local FBI office and whom to contact. Build that relationship now, before you need their help.

Lee Neely

Early detection is essential if the IoCs are to be useful. Given hours, the ransomware compromise will announce itself.

William Hugh Murray

Internet Storm Center Tech Corner

u-boot Password Reset

https://isc.sans.edu/forums/diary/Resetting+Linux+Passwords+with+UBoot+Bootloaders/28564/


AA Distribution Qakbot (Qbot) infection with DarkVNC

https://isc.sans.edu/forums/diary/aa+distribution+Qakbot+Qbot+infection+with+DarkVNC+traffic/28568/


Multi Cryptocurrency Clipboard Swapper

https://isc.sans.edu/forums/diary/MultiCryptocurrency+Clipboard+Swapper/28574/


Psychic Signature PoC

https://github.com/khalednassar/CVE-2022-21449-TLS-PoC


Java Psychic Signatures

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/


Oracle CPU

https://www.oracle.com/security-alerts/cpuapr2022.html


Amazon Fixes AWS Log4j Fix

https://aws.amazon.com/security/security-bulletins/AWS-2022-006/


Cisco Fixes

https://tools.cisco.com/security/center/publicationListing.x


ALAC Audio Decoder Bug

https://blog.checkpoint.com/2022/04/21/largest-mobile-chipset-manufacturers-used-vulnerable-audio-decoder-2-3-of-android-users-privacy-around-the-world-were-at-risk/


Snort DoS Vulnerability

https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-modbus-ot-preprocessor/


MetaMask iCloud Phishing

https://www.bleepingcomputer.com/news/security/hackers-steal-655k-after-picking-metamask-seed-from-icloud-backup/


SMB1 Gone From Windows 11 Home

https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb1-now-disabled-by-default-for-windows-11-home-insiders-builds/ba-p/3289473


Lenovo UEFI/BIOS Vulnerability

https://support.lenovo.com/us/en/product_security/ps500483-lenovo-system-update-privilege-escalation-vulnerability

https://support.lenovo.com/de/de/product_security/LEN-84943