SANS NewsBites

Tech Giants Commit Funding to Increase Open Source Supply Chain Security; Turn on Detections for PowerShell-based APT35 Active Attacks

May 17, 2022  |  Volume XXIV - Issue #39

Top of the News


2022-05-13

Open Source Security Foundation and Linux Foundation Call for $150 Million to Improve Open Source Security

In response to President Biden's executive order on supply chain security, the Open Source Security Foundation (OpenSSF) and Linux Foundation are calling for $150 million in funding over two years to fix ten major open-source security problems. Amazon, Ericsson, Google, Intel, Microsoft, and VMware have pledged $40M in support of the effort to address issues such as replacing non-memory-safe programming languages, expanded and improved code audits, increased adoption of Software Bills of Materials (SBOM), and a focus on enhancing the security of the 10 most critical open-source software build systems, package managers, and distribution systems.

Editor's Note

From Heartbleed to Log4j, progress in this area has long been badly needed and it would be good to see more big tech companies step up and join Amazon, AWS, Ericsson, Google, Intel, Microsoft, and VMware in committing funding. Start now educating app dev and IT about the areas of improvement that will be rolling out over the next two years and push for rapid adoption. (See Google’s Open-Source Maintenance Crew related news item.)

John Pescatore

The ten goals they hope to address include security education, risk assessment, digital signatures (for code), memory safety, incident response, better (security) scanning, code audits, data sharing, SBOMs and improved supply chains. The last covers the 10 most critical build systems and includes the C and Rust languages; consequently this is a huge undertaking. Some of the other areas are already being addressed by emerging standards such as Sigstore for code signing, which is backed by Red Hat, Purdue University and Google. Using this approach in multiple areas should help meet the aggressive timeline.

Lee Neely

2022-05-13

Google’s Open-Source Maintenance Crew

Google on Thursday announced the creation of its “‘Open Source Maintenance Crew’ – a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects.” Google made the announcement at a meeting with the Open Source Security Foundation, the Linux Foundation, and industry leaders.

Editor's Note

Great move by Google to put money and bodies behind open source. Google is one of the big commercial users of open source and most of its services would not exist without open source.

Johannes Ullrich

Active participation by Google and others is needed to raise the bar on software supply chain security. Google has pledged $10 billion USD over the next five years, including $100 million for third-party foundations, including the OpenSSF, which help manage open source security and fix vulnerabilities. Expect updates to Google's Know, Prevent, Fix framework to make it more encompassing and accessible, allowing your developers, as well as open-source providers, to better leverage it and produce better code.

Lee Neely

2022-05-12

Iranian APT Group Launching Ransomware Attacks Against US

Over the past several months, Iran-linked cyberespionage group Charming Kitten, aka APT35, Magic Hound, Phosphorus, NewsBeef, Newscaster and TA453, has been engaging in financially motivated activities, the SecureWorks Counter Threat Unit (CTU) reports. In December 2021, the group was acquiring exploits that leveraged Log4j vulnerabilities; in January 2022 they were observed using a new PowerShell backdoor; and most recently the group has turned to financially motivated attacks, including ransomware deployment.

Editor's Note

At this time the group appears to be small, using manual operations rather than an automated system to map victims to their specific encryption keys, which increases the likelihood of unsuccessful recovery even if the ransom is paid. It is expected that they are also going to, if they haven't already, be posting exfiltrated data as additional leverage to entice customers to pay. Know where your data is and be prepared to decide the value before someone else puts a price tag on it. If you're not comfortable with the protection or location, take steps before an incident happens.

Lee Neely

We published multiple detection opportunities for APT35 in this Threat Thursday blog post. While prevention is a goal, detection and response are a requirement. These detections cover a number of TTPs used by other threat actors as well: https://www.scythe.io/library/threat-actor-apt35

Jorge Orchilles

The Rest of the Week's News


2022-05-13

European Union Agrees on NIS2 Language for Updated EU Cybersecurity Regulatory Requirements

The European Council and the European Parliament agreed on updated measures for a common level of cybersecurity across the EU, known as NIS2 (Directive on Security of Network and Information Systems). The revised directive aims to remove divergences in cybersecurity requirements and in implementation of cybersecurity measures in different member states. It sets out minimum rules for a regulatory framework and defines mechanisms for cooperation among authorities in each member state. It updates the list of sectors and activities subject to cybersecurity obligations, and provides for common remedies and sanctions. NIS2 will formally establish the European Cyber Crises Liaison Organisation Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents.

Editor's Note

NIS2 is mostly about standardizing governance, enforcement and incident reporting/response across the EU. It includes a list of seven key elements addressing incident response, supply chain security, encryption and vulnerability disclosure. Organizations will have 24 hours after detection of an incident to submit an initial report. A full report will be required in 30 days. NIS2 expands the number of sectors covered, and specifically identifies social media platforms. If previous NIS rollout timelines hold for NIS2, compliance is likely to be required in 2024.

John Pescatore

Having consistent cybersecurity requirements across the EU will help with not only a consistent implementation, but also simplify the requirements needed when doing business in the EU or with EU-based partners.

Lee Neely

2022-05-12

Maryland Governor Signs Bills to Assist Local Governments Increasing Cybersecurity

Maryland Gov. Larry Hogan signed measures to strengthen cybersecurity in state and local governments in Maryland on Thursday, after lawmakers approved legislation and big investments earlier this year to protect vital systems against cyberattacks. The measures include the Maryland Emergency Management Agency supporting local governments in developing vulnerability assessments and response plans, and reporting requirements for state agencies and local governments, including reporting of cybersecurity incidents. Agencies will be required to complete a cybersecurity assessment and to remediate findings.

Editor's Note

Maryland had its largest and smallest counties hit hard by ransomware and learned that not all counties are equally able to reach basic security hygiene. That applies to most organizations – centralized support focused on the “security-needy” BUs in a distributed organization can often reduce the risk of potential weak links.

John Pescatore

Even if you're not in Maryland, you should be performing assessments, both internal and external, to identify issues and then remediate them, using a risk-based approach. Seek support from your local CISA or ISAC, or even reach out to local IT security chapters (ISSA, ISC2, ISACA, etc.) for expertise and resources.

Lee Neely

There's still much to be done via federal legislation to make mutual support easier, establish privacy standards, etc. States like Maryland should be commended for the work they're doing!

Christopher Elgee

2022-05-16

Microsoft Alerting Customers that Patch Tuesday Updates are Causing Authentication Errors

Microsoft is warning its customers that the May Patch Tuesday update is causing authentication errors. Microsoft noted that “An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.”

Editor's Note

This update, when applied to domain controllers, impacts certificate-based authentication. Microsoft's KB5014754 provides guidance; review it before applying the update. The patch addressed a privilege escalation vulnerability (CVE-2022-26391 and CVE-2022-26923) which can occur when the KDC is servicing a certificate-based authentication request. Essentially, after applying the update, make sure the authentication is in compatibility mode (the default), and watch for events in your log, following the remediation guidance. Wait at least a month without issues before planning on turning on enforcement mode.

Lee Neely

2022-05-16

CISA Temporarily Pulls Vulnerability From KEV Catalog

CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerability Catalog due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers. After application of the patch to domain controllers, organizations might experience authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Editor's Note

Note the issue does not exist on workstations and non-domain-controller Windows servers, so apply the patch to everything but your domain controllers. Review Microsoft KB5014754 if you're using certificate-based authentication for configuration guidance. https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Lee Neely
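For the KB5014754 steps the two notes above describe (confirm the KDC is still in compatibility mode, then watch the domain controller log for certificate-mapping events before considering enforcement), here is an added PowerShell check; it is not from the newsletter, the editors, or Microsoft. It assumes, from KB5014754 as I recall it, that the mode lives in the StrongCertificateBindingEnforcement value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (0 disabled, 1 compatibility, 2 enforcement, absent meaning the default) and that weak-mapping findings are logged as Event IDs 39, 40 and 41 from Microsoft-Windows-Kerberos-Key-Distribution-Center in the System log; verify both against the KB before relying on them.

```powershell
# Added example (not Microsoft's or the newsletter's code): audit a domain
# controller's KB5014754 state. Run in an elevated session on each DC.
# Assumed from KB5014754 (verify): registry value meanings and event IDs below.
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'

# Value absent => KDC default, which the KB describes as compatibility mode.
$prop = Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue
$mode = if ($prop) { [int]$prop.$valueName } else { $null }

$modeText = if ($null -eq $mode) { 'value absent (default: compatibility mode)' }
            elseif ($mode -eq 0) { 'DISABLED: weak mappings accepted, nothing logged' }
            elseif ($mode -eq 1) { 'compatibility mode: weak mappings accepted and logged' }
            elseif ($mode -eq 2) { 'FULL ENFORCEMENT: weak mappings rejected' }
            else                 { "unexpected value $mode" }
Write-Host "$env:COMPUTERNAME ${valueName}: $modeText"

# Each of these events is a certificate the KDC could only map weakly; every one
# of them becomes an authentication failure once enforcement mode is turned on.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41
    StartTime    = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No weak certificate-mapping events in the last 30 days.'
} else {
    # Summarise by event ID, then list recent samples to chase down (explicit
    # mapping, or re-issuing the certificate so it carries the account SID).
    $events | Group-Object Id | ForEach-Object {
        Write-Host ('Event {0}: {1} occurrence(s)' -f $_.Name, $_.Count)
    }
    $events | Select-Object -First 20 TimeCreated, Id, Message | Format-List
}
```

An empty result across all DCs for the month the note recommends is the evidence you want before scheduling the switch to enforcement mode.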

2022-05-16

Critical Zyxel Flaw is Being Actively Exploited

Attackers are exploiting a recently patched critical vulnerability affecting Zyxel firewall and VPN devices. Zyxel released an advisory last week urging administrators to install the patched updates. The vulnerability can be exploited to remotely inject arbitrary code without authentication and can allow attackers to set up a reverse shell.

Editor's Note

The flaw is trivial to exploit and it is no surprise that it is already being used. Did I mention lately to not expose administrative interfaces to the Internet? This isn't the last trivial-to-exploit remote code execution vulnerability in a firewall, VPN concentrator, load balancer, NAS or other device people just love to expose to make life easier for the bad guys.

Johannes Ullrich

Given that last week Shodan queries showed only 25 percent of Zyxel devices were running updated firmware, it comes as no surprise that these are now being attacked and exploited. Don't overlook your boundary protection devices in branches or other remote locations, verify that they are being updated and, while you're asking, ensure they have lifecycle plans. Share the one-line exploit code in the Rapid7 report (also in the article below) if anyone doubts how easily this flaw can be exploited.

Lee Neely

2022-05-16

Study Looks at US Federal Government Zero Trust Implementation

According to a study commissioned by General Dynamics Information Technology (GDIT), US federal agencies are making progress in their efforts to implement zero-trust. An executive order requires that the agencies attain certain zero-trust goals by the end of fiscal year 2024. While more than 60 percent of the federal officials surveyed said they expected to meet those goals on schedule or ahead of time, more than half said that building or replacing legacy infrastructure poses a challenge to meeting those goals.

Editor's Note

A key challenge to zero-trust will be modernizing legacy systems, followed by implementing needed (micro) segmentation and other attack surface reduction activities. Remember agencies are making the move to zero-trust with no relief on existing mission deliverables as well as little to no added funding so far. To get this right, specific funding and resources are needed beyond the status quo. Additionally, leveraging external assessments to identify gaps and remediation requirements should also be planned and funded.

Lee Neely

2022-05-13

Oklahoma City Indian Clinic Data Breach

Oklahoma City Indian Clinic (OKCIC) this week announced that it experienced a “data security incident” exposing personally identifiable information (PII) of nearly 40,000 individuals. OKCIC reports the data breached included name, dates of birth, treatment information, prescription information, medical records, physician information, health insurance policy numbers, phone numbers, Tribal ID numbers, Social Security numbers and driver’s license numbers. They have notified affected customers and engaged a third-party forensic firm.

Editor's Note

OKCIC’s notification of affected parties, as well as their posted advice, reinforced the value of proactive, rapid, and transparent communication. Not only are they providing identity theft and credit monitoring services to affected individuals, but they also encourage all potentially impacted individuals to take steps to protect their identity and credit, including providing resources and guidance we should all be following.

Lee Neely

2022-05-16

Apple Releases Multiple Updates

Apple released iOS and iPadOS 15.5, watchOS 8.6, macOS 12.4, macOS 11.6.6, Catalina update 2022-004, Xcode 13.4 and tvOS 15.5. The macOS and iOS/iPadOS updates address 34 CVEs; tvOS and watchOS address 27 and 21 respectively. The flaws addressed, in the kernel, WebKit, and other components, can lead to arbitrary code execution.

Editor's Note

These updates are more about security and bug fixes than adding new functionality. With 20-34 CVEs each, you’re going to want to push the updates. With nominal new features, the impact will be minimal to end-users. macOS 12.4 communication safety now allows parents to configure notifications in Messages for images which contain porn or nudity; iOS/iPadOS 15.5 adds functions to Wallet to allow Apple Cash users to send and request money from their Apple Cash card; Apple Podcasts adds settings to limit the number of episodes stored on your iPhone, auto-deleting older ones; and it fixes some home automation bugs.

Lee Neely

Internet Storm Center Tech Corner