SANS NewsBites

Prioritize Patching Seven Critical CVEs in Microsoft Patch Tuesday Release; Look for Webshells and Backdoors on Your F5 BIG-IP Installs; FDA Moves to Drive Security Requirements into Medical Device Product Approval Process

May 13, 2022  |  Volume XXIV - Issue #38

Top of the News


2022-05-11

Microsoft’s Patch Tuesday for May 2022

On Tuesday, May 10, Microsoft released fixes for more than 70 security issues, including seven that are rated critical. One of the patched flaws, a Windows Local Security Authority (LSA) spoofing vulnerability, is being actively exploited. In a related story, some users have reported authentication failures after installing the May updates. Microsoft is investigating.

Editor's Note

CVE-2022-26923, while “only” a privilege escalation vulnerability, is relatively easy to exploit and exploits have been well documented. Do not overlook this issue. CVE-2022-26925: Take it as another reason to review the configuration of your Windows systems and make sure NTLM is no longer used.

Johannes Ullrich

The LSA vulnerability (CVE-2022-26925) is kind of a big deal. While the raw CVSS score is 8.1, Microsoft suggests it warrants a 9.8 in some situations. This flaw allows attackers to exploit a MITM condition to force domain controllers to authenticate with NTLM authentication. Which, in summary, means you’re going to need to roll this one out, but do some testing; you're messing with the authentication stack.

Lee Neely

2022-05-11

CISA Adds BIG-IP Flaw to Known Exploited Vulnerabilities Catalog

Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) added the F5 BIG-IP missing authentication vulnerability to its Known Exploited Vulnerabilities catalog. The flaw is being actively exploited; federal agencies are required to apply updates by May 31.

Editor's Note

As reported earlier, this vulnerability is heavily exploited and the pool of exposed vulnerable systems has likely been completely compromised by now. Look for webshells and backdoors. If exposed, you will likely find several by now. We also noted some destructive attacks and the system may not reboot cleanly (but function reasonably well otherwise for a while) if affected by them.

Johannes Ullrich

You're reading this and saying “We so totally fixed that flaw last week,” right? For real, you need to patch your BIG-IPs and lock down access to their management interfaces. Don't skip your internal devices. Scan your network for devices which may be overlooked, possibly really old, and patch/update/lifecycle them as needed. If you're determined to redeploy old (still working) hardware to lower tier environments, make sure that it still includes a lifecycle plan.

Lee Neely

2022-05-11

FDA Medical Device User Fee Legislation Includes Security Requirements

A bill introduced in the US House of Representatives would amend the Federal Food, Drug, and Cosmetic Act. The amendment would require medical device manufacturers to “design, develop, and maintain processes and procedures to ensure the device and related systems are cybersecure, and shall make available updates and patches to the cyber device and related systems throughout the lifecycle of the cyber device.”

Editor's Note

A law was enacted in 1992 to allow the FDA to charge manufacturers fees when they submitted applications for product approval – these funds allowed the FDA to shorten the review cycle by increasing staff and other resources required to review applications. This cybersecurity language follows that model and is badly needed – it mainly requires the vendors to demonstrate the product will be under a vulnerability discovery and disclosure program and (finally) products must have the ability to be updated/patched if vulnerabilities are discovered. Good stuff.

John Pescatore

This bill dovetails with the PATCH act, which also requires SBOMs, regular testing and assurance as well as the lifecycle plan above prior to pre-market approval from the FDA. This raises the bar on both the production of medical devices and drugs, but also the lifecycle of those in the field and/or implanted. SBOMs are seen as a critical mitigation for software supply chain security risks related to those devices.

Lee Neely

The Rest of the Week's News


2022-05-11

Five Eyes Alert Warns of Attacks Against Managed Service Providers

Cybersecurity authorities from the Five Eyes countries – the UK, the US, Canada, Australia, and New Zealand – have issued a joint advisory warning that they “are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.” The advisory includes recommendations of security measures and operational controls MSPs and their customers can implement.

Editor's Note

The back-end management platforms built by many Managed Service Providers often use a lot of open source tools and libraries, putting them at risk to attacks like we’ve seen against Log4J. There are many, many forms of MSPs and all should be subject to demonstrating at least basic security hygiene, but MSPs with remote access to high privilege accounts on internal systems should be required to demonstrate higher levels of security and their connections monitored.

John Pescatore

This is third-party risk. Your MSP has a trust relationship with you and all their other customers. This means you need to have assessed their security posture and practices, including how they are separating access to customers. Understand how they vet and maintain the products they use. Ask to see their latest external assessment/audit, including actions taken on any issues. Verify these are conducted on a regular basis.

Lee Neely

2022-05-13

Sucuri Analysts Find JavaScript Injection Attacks Against WordPress Sites

Analysts at Sucuri have observed a malware campaign involving malicious JavaScript injected into WordPress websites. The code redirects site visitors to third-party domains that host scams and malware.

Editor's Note

Attackers have been taking advantage of WordPress vulnerabilities to inject malicious CharCode obfuscated JavaScript into wp-includes files with jQuery in the name, which are incorporated into every rendered page with those elements; odds are they are on every rendered page of your WP site. You'll want to make sure that you’re on full-auto update, verify your site is clean using a scanner, like the free Sucuri scanner (https://sitecheck.sucuri.net), address any issues found, then make sure that you’ve got a WAF, like Wordfence, and pay for security profile updates, to help prevent malfeasance.

Lee Neely
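A defender-side check for the injection pattern described in the note above, as an added example that is not part of the original newsletter and not Sucuri's or Wordfence's scanner: it walks wp-includes for jQuery-named .js files, decodes long String.fromCharCode runs and reports any URL they hide. The wp-includes directory layout is WordPress's own; the sample payload and the redirect.example target are constructed.

```python
"""Flag String.fromCharCode-obfuscated JavaScript in WordPress jquery files.
Added example; sample payload below is constructed, not a real campaign."""
import os
import re

# Long runs of comma-separated numbers inside String.fromCharCode(...)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]{40,})\)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?")


def decode_charcodes(blob: str) -> str:
    """Turn '104,116,116,112' back into the text it encodes."""
    return "".join(chr(int(n)) for n in blob.split(",") if n.strip())


def find_injected(js: str) -> list:
    """Return decoded fromCharCode payloads and any URLs they contain."""
    hits = []
    for m in CHARCODE_RE.finditer(js):
        decoded = decode_charcodes(m.group(1))
        hits.append({"decoded": decoded, "urls": URL_RE.findall(decoded)})
    return hits


def scan_wp_includes(root: str) -> dict:
    """Walk <root>/wp-includes and check every jquery-named .js file."""
    findings = {}
    for dirpath, _, files in os.walk(os.path.join(root, "wp-includes")):
        for name in files:
            if name.endswith(".js") and "jquery" in name.lower():
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = find_injected(f.read())
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample: a placeholder redirect target, obfuscated the same way
# the campaign does, appended to an otherwise legitimate-looking file.
SAMPLE_URL = "https://redirect.example/landing"
SAMPLE_JS = ("/*! jQuery v3.6.0 */(function(){})();\n"
             "eval(String.fromCharCode("
             + ",".join(str(ord(c)) for c in "window.location='" + SAMPLE_URL + "'")
             + "));")

if __name__ == "__main__":
    for hit in find_injected(SAMPLE_JS):
        print(hit)
```

Run scan_wp_includes against the document root of a site to check real files; a hit is a reason to restore the file from a clean WordPress release, not just delete the line.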

2022-05-10

US, EU, UK: Russia Launched Viasat Attack

The US, the EU, and the UK say that Russia was the perpetrator of a cyberattack on Viasat in the days before it invaded Ukraine. The attack against the satellite network deployed wiper malware that disrupted communications and wind farms.

Editor's Note

This is an important step in the attribution stakes as it is the first time that the EU has openly identified the source of a cyber attack. It is also important to note that while this attack was aimed at Viasat to disrupt the communications capabilities of the Ukrainian army, it also disrupted businesses outside of Ukraine. It is a good example of why organisations located outside of Ukraine need to be vigilant for cyber attacks that may result in collateral damage against them. So do follow the Shields Up guidance from US Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies.

Brian Honan

For those, like me, who said that was obvious, step back and remember attribution can be tricky and can have serious ramifications if incorrectly done. Further, it’s possible to fake the fingerprint in malware, as was demonstrated in a project John Strand led where he and his team offered a service which would inject “telltale” fingerprints into an uploaded executable, so it looked like it came from the selected entity. Be patient with those tasked with attribution, provide them the tools and information needed, and don’t delay mitigation and remediation activities for their result.

Lee Neely

2022-05-11

Pushback Against Incident Reporting Requirements

The Information Technology Industry Council (ITI) is asking the Securities and Exchange Commission (SEC) to postpone its implementation of regulations that require publicly traded companies and investment firms to report cybersecurity incidents. In public comments, ITI says the rule’s implementation should be delayed “to ensure [it] does not undermine cybersecurity and create additional security risks.” In a separate story, ITI sent a letter to India’s Computer Emergency Response Team (CERT-In) saying that the organization's six-hour incident reporting rule is not feasible.

Editor's Note

The major point of ITI’s “undermine cybersecurity” comment is that quickly reporting an incident may give away technical details of vulnerabilities before they are mitigated. This is a pretty low risk – most corporate disclosures of cybersecurity incidents stay at very high levels that make them barely understandable, let alone useful to attackers.

John Pescatore

With the plethora of cyber security reporting initiatives of late, it is easy to lose track of what’s required and assess if you’re meeting them. Work to develop the needed disclosure processes and relationships to build assurance that information will be properly protected, whether you’re sending information to the CISA, FBI or SEC. Where possible, provide feedback on what timelines are workable, such as India’s six-hour reporting requirement. The goal is to encourage regulators to have a common/consistent requirement.

Lee Neely

2022-05-12

Zyxel Releases Patches for OS Command Injection Vulnerability

Zyxel has released fixes for a command injection vulnerability that affects Zyxel firewalls that have the zero-touch provisioning feature. Researchers from Rapid7 detected the flaw and disclosed it to Zyxel in mid-April. Rapid7 “suggested a coordinated disclosure date in June. Instead, Zyxel released patches to address this issue on April 28, 2022.”

Editor's Note

Still waiting for exploitation to start, but the vulnerability is trivial to exploit and will likely be added to bots in the next couple days.

Johannes Ullrich

These are firewalls designed for small business and branch office deployments. On the one hand, this is an easily exploited flaw which doesn't require authentication and can be weaponized easily. Rapid7 has a Metasploit module to exploit this flaw. On the other hand, Zyxel released a fix two weeks after the flaw was disclosed to them, which is awesome! If you have Zyxel firewalls, update the firmware and enable automatic updates. Shodan queries indicate only about 25% of these devices are running updated firmware.

Lee Neely

2022-05-12

US DEA Investigating Breach

The US Drug Enforcement Agency (DEA) is investigating reports that attackers breached an agency portal that accesses 16 federal law enforcement databases. The incident appears to be linked to a group of attackers that impersonates police and government officials to gather information.

Editor's Note

The databases provide access to various records including aircraft, firearms, motor vehicles, boats, drones, etc. While the portal is configured to primarily accept Personal Identity Verification (PIV) cards, it also can accept reusable passwords. This is how the site was compromised and why you need to make sure your MFA is comprehensive. If you must enable fallback to password authentication, limit what those weaker credentials can access; better still, provide rapid credential issuance and recovery negating the need for the fallback.

Lee Neely

Internet Storm Center Tech Corner

Microsoft May 2022 Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+May+2022+Patch+Tuesday/28632/


TA578 Using Thread-Hijacked Emails to Push ISO Files for Bumblebee Malware

https://isc.sans.edu/forums/diary/TA578+using+threadhijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636/


When Get-WebRequest Fails You

https://isc.sans.edu/forums/diary/When+GetWebRequest+Fails+You/28640/


HP PC BIOS Security Updates

https://support.hp.com/us-en/document/ish_6184733-6184761-16/hpsbhf03788


INTEL BIOS Advisory

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html


Zyxel RCE Vulnerability

https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/


Google Drive Emerges as Top App for Malware Downloads

https://www.helpnetsecurity.com/2022/05/11/malicious-pdf-search-engines/


Vanity URL Abuse

https://www.varonis.com/blog/url-spoofing


npm Supply Chain Attack Turns Out to be Part of Penetration Test

https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/


Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html


npm "foreach" package domain takeover

https://www.theregister.com/2022/05/10/security_npm_email/