SANS NewsBites

T-Mobile Confirms Lapsus$ Breached its Network; Costa Rican Government Networks Hit with Ransomware; Known Exploited Vulnerabilities Catalog Updated

April 26, 2022  |  Volume XXIV - Issue #33

Top of the News


2022-04-25

Lapsus$ Breached T-Mobile Network

T-Mobile has confirmed that the Lapsus$ extortion group accessed its systems “several weeks ago.” The company says that it has taken steps to block the attackers’ access to the T-Mobile network and has disabled the credentials that were used in the attack.

Editor's Note

A key challenge for the Lapsus$ gang was getting devices enrolled or otherwise under their control so they could get SMS or other OTP messages to allow authentication for their targeted services. Lapsus$'s success hinges on buying or socially engineering credentials for services they need. They were leveraging the T-Mobile credentials to complete hassle-free SIM swaps which transferred the device's phone number to a hacker-controlled device. While leveraging the credentials of your cellular provider bypasses some controls designed to prevent swapping, it's still important to log in to your account and make sure that you've enabled the controls at your disposal to raise the bar as much as possible.

Lee Neely

Rumors about this breach had been circulating for weeks, so it is refreshing to see T-Mobile confirming it. Like with the NVIDIA breach, Lapsus$ relied on purchasing credentials and generating MFA requests to the user (a new MITRE ATT&CK technique, T1621, published yesterday with version 11: https://attack.mitre.org/techniques/T1621/).

Jorge Orchilles
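As an added example (not from the newsletter, T-Mobile or MITRE), a small Python detector for the burst of push prompts that characterises T1621, run over constructed authentication log lines in an assumed "timestamp user event result" format; the user, timestamps and thresholds are all made up for illustration:

```python
"""Flag MFA push-prompt bursts (MITRE ATT&CK T1621, MFA request generation)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider):
# ISO timestamp, user, event, result ("sent", "denied" or "approved").
SAMPLE_LOG = """\
2022-04-25T08:00:01Z alice mfa_push sent
2022-04-25T08:00:05Z alice mfa_push denied
2022-04-25T08:00:40Z alice mfa_push sent
2022-04-25T08:00:44Z alice mfa_push denied
2022-04-25T08:01:10Z alice mfa_push sent
2022-04-25T08:01:15Z alice mfa_push denied
2022-04-25T08:01:50Z alice mfa_push sent
2022-04-25T08:02:30Z alice mfa_push approved
2022-04-25T08:03:00Z bob mfa_push sent
2022-04-25T08:03:09Z bob mfa_push approved
2022-04-25T09:15:00Z bob mfa_push sent
2022-04-25T09:15:06Z bob mfa_push approved
"""


def parse(log_text):
    """Turn the assumed log format into (datetime, user, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def find_push_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: (max prompts inside one window, approved after the burst)}.

    A user who receives `threshold` or more push prompts within `window` is a
    fatigue candidate; an approval arriving after the burst is the worst case,
    because it usually means the user gave in and the attacker is now logged in.
    """
    sent, outcomes = defaultdict(list), defaultdict(list)
    for ts, user, event, result in sorted(events):
        if event == "mfa_push":
            (sent if result == "sent" else outcomes)[user].append((ts, result))
    findings = {}
    for user, prompts in sent.items():
        start = 0
        for end, (ts, _) in enumerate(prompts):
            while ts - prompts[start][0] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count >= findings.get(user, (0, False))[0]:
                approved = any(r == "approved" and t >= ts for t, r in outcomes[user])
                findings[user] = (count, approved)
    return findings
```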

The attacks targeted T-Mobile employees with provisioning privileges. This gave them the capability to "SIM swap" to change the destination phone for a cell phone number, a number perhaps used for strong authentication. To resist such attacks T-Mobile should ensure that all such privileged employees use token-based (not SMS-based) strong authentication. It should also confirm all number change orders both in and out of band and delay implementation of such orders. Other employers should consider token-based authentication for employees in sensitive positions. End users and consumers, especially those using their phones for strong authentication, should contact their carriers immediately if they do not receive messages or calls that they expect or cannot make outgoing calls.

William Hugh Murray

2022-04-23

Costa Rica Government Networks Hit with Ransomware

Costa Rican government computer systems have been debilitated by a ransomware attack. The government has so far refused to pay the ransom. The attackers stole more than a terabyte of data and have published a large portion of it on the dark web.

Editor's Note

The Conti ransomware gang is taking credit for the attack on the Costa Rican customs and tax systems and claims to have released 80% of the pilfered data on the dark web. Further, they state they will continue to attack their systems until paid. Think about how you'd fare under this sort of continued attack, what resources you could call upon, and what motivations would be behind it. Make sure your DR plans support your assumptions. It is projected this attack is about destabilizing the country as their newly elected president transitions into place on May 8th.

Lee Neely

Conti is one of the top ransomware threats. Your organization should understand how they operate and practice/train how to detect and respond to these attacks. Tabletops at the executive level combined with hands-on-keyboard purple team exercises are one of the most efficient ways to test, measure, and improve your people, process, and security controls.

Jorge Orchilles

2022-04-25

CISA Adds Seven Flaws to Known Exploited Vulnerabilities Catalog

On Monday, April 25, the US Cybersecurity and Infrastructure Security Agency (CISA) added seven security issues to its Known Exploited Vulnerabilities catalog. The flaws affect products from Jenkins, Microsoft, Linux, and WSO2. Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities requires Federal Civilian Executive Branch agencies to fix flaws added to the catalog within a specified amount of time. All seven of the most recently added vulnerabilities have remediation dates of May 16.

Editor's Note

Exploitation of one of the vulnerabilities added, CVE-2022-29464 affecting WSO2 products, was observed by one of our SANS ISC handlers. He wrote up his observation here: https://isc.sans.edu/forums/diary/WSO2+RCE+exploited+in+the+wild/28586/. The vulnerability was patched on April 1st and proof-of-concept exploits were made available a week later.

Johannes Ullrich

Take a look at these. You may want to prioritize vulnerabilities related to file uploads and RCE. Operate under the assumption that being in the catalog will motivate attackers to attempt exploits before the mandated patch dates.

Lee Neely

Patching these vulnerabilities is urgent. The mandatory date should not be taken as license to accept the risk until then.

William Hugh Murray

The Rest of the Week's News


2022-04-25

DHS Bug Bounty Program

The US Department of Homeland Security (DHS) has disclosed the results of its first bug bounty program involving external researchers. DHS invited 450 “vetted security researchers” to participate. The researchers turned up 122 vulnerabilities; of those, 27 were found to be critical.

Editor's Note

Organizations should consider implementing a bug bounty program to amplify the vulnerability management process. These programs can be implemented in phases such as Coordinated Vulnerability Disclosure, private bug bounty, and public bug bounty. There are numerous platforms available to assist on the technology side, but these programs also need internal people and process. NIST has a nice site with multiple references for guidance: https://csrc.nist.gov/Projects/vdg/related-guidance

Jorge Orchilles

BOD 20-01 (https://www.cisa.gov/binding-operational-directive-20-01) required the implementation of a vulnerability disclosure program with all externally facing systems included by September 2022. DHS is leading by example, not only having their systems incorporated into their VDP, but also inviting teams to discover vulnerabilities. I predict flaws will be remediated expeditiously, driving revisions to expected vulnerability response timelines as well as refinements in their overall VDP program.

Lee Neely

2022-04-25

Atlassian Patches Critical Jira Vulnerability

Atlassian has released an advisory warning of a critical authentication bypass vulnerability in its Jira and Jira Service Management products. The flaw affects certain versions of Jira Core Server, Jira Software Data Center, Jira Software Server, Jira Service Management Server, and Jira Service Management Data Center. It does not affect the cloud versions of Jira and Jira Service Management.

Editor's Note

DevOps tools are presenting a large attack surface. Between plugins, authenticating to various external services, and vulnerabilities in the tools themselves they need to be carefully watched and secured (and not exposed to the world).

Johannes Ullrich

The vulnerability applies to a specific configuration of Jira, affecting first- and third-party apps specifying "roles-required" at the action namespace level but not at the action level. Even so, apply the updates if you're running Jira in your infrastructure. Make sure that you're updating all the related products you've deployed.

Lee Neely

2022-04-25

VirusTotal RCE Flaw is Fixed

VirusTotal maintainers fixed a remote code execution vulnerability affecting the platform in an April 13 security update. The problem is due to ExifTool’s mishandling of DjVu files.

Editor's Note

Real nice case study on how dangerous file uploads can be. Contrary to what was widely reported, this vulnerability did not affect VirusTotal itself. Instead, third parties downloading (and processing) samples from VirusTotal were affected. The exploited tool (ExifTool) is very commonly used in file upload systems to pre-scan the file for metadata and is often considered harmless/low risk. But anything touching untrusted data needs to be carefully maintained and updated. Make sure your developers read the very detailed write-up.

Johannes Ullrich

This is very similar to embedding a macro in an Office document. ExifTool was tricked into executing the provided code when analyzing the image. If you've got ExifTool in your environment, make sure that you've deployed their April 13th update even if you think it's not processing DjVu files.

Lee Neely

2022-04-26

US Dept. of Energy Funds Grid Cybersecurity Research

The US Department of Energy has funded $12 million in grants for six university research projects focusing on securely designing and building the next generation power grid. “Three of the projects primarily deal with building or designing artificial intelligence solutions that can automate parts of the cybersecurity operations for energy systems, help absorb cyberattacks without disrupting power and recover more quickly when they do. …The other three projects deal with enhancing the security of specific, critical systems relied on by energy owners and operators to keep the lights running.”

Editor's Note

Critical Infrastructure providers have mad skills when it comes to delivering network and control signals over great distances. Now comes the time to help them with cost-effective prevention, detection, and response capabilities, particularly for services which cover large geographic areas, oftentimes remote, where physical and environmental challenges make in-person detection and response impractical.

Lee Neely

2022-04-25

French Hospital Cyberattack

A French hospital group has severed its Internet connections following a cyberattack. The GHT Coeur Grand Est hospital and health care group has nine facilities. GHT said that the attackers stole administrative data.

Editor's Note

How effective would your business be if you severed these connections, particularly with today's use of cloud and outsourced services? Allowing and denying applications has to be not just at the system executable level, but also at the services level for comprehensive protection. Look to see if you can leverage layer 7 protections for allowed and disallowed services, irrespective of port, protocol, or address. Only allow access to approved services and applications, effectively blocking (or reducing) access to C2, malicious sites or other maleficence. Note that you will need to implement an exception and change management process; implementing this is not a finger-snap, but the result is worth it.

Lee Neely

2022-04-22

Jisc: Ransomware is a Threat to UK Universities

In a revised Cyber Impact Report, UK non-profit Jisc indicates that UK universities are facing an increased risk of ransomware attacks. Jisc’s initial report was published in 2020; the revised report “include[s] anonymised case studies of more recent incidents that underline the increased threat of ransomware attacks.” The report also includes updated guidance for leaders.

Editor's Note

We all worked hard to quickly retool to provide remote services during the pandemic. The attackers continue to exploit any weaknesses in those services. Two issues continue to surface: don't expose RDP to the Internet, and use MFA. When it comes to strong authentication, MFA doesn't have to be a budget buster; leverage soft tokens and capabilities built into modern IDPs. Don't skip System Administrator and VIP accounts; you need full coverage. Where "break glass" accounts (with reusable passwords) are kept for "emergencies", monitor and restrict their use to be certain that is the only situation where they are used.

Lee Neely

Internet Storm Center Tech Corner

Analyzing Word Phishing Document

https://isc.sans.edu/forums/diary/Analyzing+a+Phishing+Word+Document/28562/


Targeting Roku Streaming Devices

https://isc.sans.edu/forums/diary/Are+Roku+Streaming+Devices+Safe+from+Exploitation/28578/


Simple PDF Linking to Malicious Content

https://isc.sans.edu/forums/diary/Simple+PDF+Linking+to+Malicious+Content/28582/


VirusTotal Remote Code Execution

https://www.cysrc.com/blog/virus-total-blog


Emotet Breaks and Later Fixes Installer

https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/


Apple's Private Relay can Cause the System to Ignore Firewall Rules

https://mullvad.net/en/blog/2022/4/25/apples-private-relay-can-cause-the-system-to-ignore-firewall-rules/


JWT Null Signature Vulnerability PoC

https://github.com/DataDog/security-labs-pocs/tree/main/proof-of-concept-exploits/jwt-null-signature-vulnerable-app


Expat XML Vulnerabilities

https://www.ibm.com/support/pages/node/6573293


Jira Vulnerability

https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-1115127899.html