SANS NewsBites

Turn on Zoom Client AutoUpdate; Verizon Report Hits and Misses; Check If Your Cloud Service Provider is Using Unpatched Quanta Servers

May 27, 2022  |  Volume XXIV - Issue #42

Top of the News


2022-05-25

Zoom Vulnerabilities Fixed

Zoom has fixed six vulnerabilities that were discovered by Google Project Zero. The vulnerabilities could be exploited by sending a message through Zoom chat over the Extensible Messaging and Presence Protocol (XMPP) to allow remote code execution; no user interaction is required. Users are urged to update to Zoom version 5.10.0.

Editor's Note

The client-side fix was out in April. All Zoom client software now supports auto-update for faster patching – make sure it is turned on for managed devices and encourage users to enable auto update on personal devices. Same advice applies to most PC/Mac client software these days.

John Pescatore

A few things happening here: XMPP parsing inconsistencies allowed inclusion of malicious content (known as XMPP Stanza Smuggling) and could be used to cause the client to connect to another server which could be a MITM; the update installer didn't fully check that what was being installed was really an update, allowing the client to be tricked into installing an older version with known vulnerabilities. The good news is Zoom has auto-update capabilities working on Mac and Windows now; the bad news is you may have to manually update to get to that version. Make sure your systems are running at least 5.10.0.

Lee Neely
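Two checks the note above calls for, as an added example that is not Zoom's code: a minimum-version check against 5.10.0 and an updater-side refusal to install anything that is not strictly newer than what is installed (the downgrade path the note describes). Version strings are compared numerically, since a plain string comparison ranks 5.9.x above 5.10.0.

```python
"""Numeric comparison of dotted version strings (added example, not Zoom's code)."""
import re

MIN_ZOOM_VERSION = "5.10.0"  # minimum version named in the NewsBites item


def parse_version(text):
    """'5.10.0 (1234)' -> (5, 10, 0); a trailing build tag is ignored.

    Raises ValueError for strings that do not start with a dotted number,
    so a malformed version can never be treated as 'new enough'.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def compare(a, b):
    """Return -1, 0 or 1 like a three-way compare; '5.10' == '5.10.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def meets_minimum(installed, minimum=MIN_ZOOM_VERSION):
    """True when the installed client is at or above the required version."""
    return compare(installed, minimum) >= 0


def validate_update(installed, candidate):
    """Updater-side check: accept only a strictly newer package.

    Rejecting equal or older candidates closes the downgrade path in which
    an installer is fed an older build carrying known vulnerabilities.
    """
    return compare(candidate, installed) > 0


def lexical_says_newer(a, b):
    """The naive string comparison, kept only to show why it is wrong."""
    return a > b


if __name__ == "__main__":
    for v in ("5.9.3", "5.10.0", "5.10.1 (5341)"):
        print(v, "meets minimum:", meets_minimum(v))
    print("lexical 5.9.3 > 5.10.0:", lexical_says_newer("5.9.3", "5.10.0"))
    print("accept 5.9.6 over 5.10.0:", validate_update("5.10.0", "5.9.6"))
```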

Enable the auto-update feature in your Zoom and every other piece of software that allows it. Do it for your friends and family as well.

Jorge Orchilles

2022-05-26

Verizon 2022 Data Breach Investigations Report

Verizon Business has released its 2022 Data Breach Investigations Report (DBIR). Key findings include: ransomware attacks increased 13 percent over the past year; roughly 80 percent of breaches are the work of organized crime; and “the human element accounts for 82 percent of analyzed breaches over the past year.”

Editor's Note

Verizon no longer includes the most valuable data they have from their investigations – what vulnerabilities enabled the attacks to succeed? They used to show this in a table mapping the exploited vulnerabilities to the Critical Security Controls. It was a great graphic to use in explaining the critical need to at least get to basic security hygiene levels and avoid 70% or more of those attacks. Another point: the DBIR and others often show phishing and “use of stolen credential” statistics separately, where a high percentage of stolen credentials were obtained through phishing. Don’t underestimate the urgency of reducing use of reusable passwords on high value accounts.

John Pescatore

In 2022, we as security professionals should all reject the idea of “human element” as something that “accounts for” 82% of breaches, especially of a breach that is worthy of inclusion in the DBIR. Yes, individual people will click a link, or click an attachment, or enter their password into a fake form. That's gonna happen, and the job of the security profession is to make those basically as low impact as possible. Security professionals are failing to properly architect and implement basic controls (in some cases, for legitimate reasons, such as lack of budget, etc), and then blame users for clicking links that make it through the corporate email filters, then saw through the entire network from an unprivileged user laptop... This is not a good statistic to bandy around. All the awareness training won't remove the click, it just reduces the CLICK RATE, which, even if low, means the click eventually happens. Then what? Controls beyond the user's scope of work should kick in.

Gal Shpantzer

The human element, as in problem exists between keyboard and chair, is our greatest and best challenge. This doesn't mean we need to stop raising the bar on technology to reduce the opportunities for error, it means we need to work just as diligently on relevant training and support. Pay attention to feedback. Don't ignore reports of people checking out in the middle of a session, or questions of relevance to life the universe and everything, rather partner and pull the thread to find out why your message and their mission don't match, then team up to fix it.

Lee Neely

For the past 4 years the VZ DBIR has identified people as the primary attack vector and top driver of breaches. For the past two years they even put a number on it (over 80% of breaches for past two reports). Cybersecurity is no longer just a technology challenge but also a human one. Until we start also addressing the human side of cybersecurity, to include security culture, we are going to continue to lose this battle.

Lance Spitzner

That 82% of breaches are due to human issues demonstrates how badly we are failing as an industry and highlights the fallacy that many vendors and security practitioners have on focusing on APT and/or zero day attacks. Similar to how modern automobile safety features protect drivers when they make a mistake, our security controls should act as the equivalent of crumple zones, seat belts, and airbags to protect people when they are duped into clicking on a link or an attachment.

Brian Honan

Must reading. One of the best open sources of intelligence for security professionals. Other key findings: Insider risk is far greater from error than from malice. Credential compromise is far more likely from social engineering than from brute force attacks. Therefore, prefer strong authentication to strong passwords. I asked the authors if they could see the impact of Strong Authentication. They responded “Not really. If one is using MFA one is not likely to be in the database of breaches.” Finally, healthcare and finance stand out in the data. For different reasons, each industry may be better at reporting than others.

William Hugh Murray

2022-05-26

Quanta Cloud Technology Servers Still Vulnerable to Critical Pantsdown BMC Vulnerability

The Pantsdown vulnerability affects baseboard management controllers (BMCs) from a variety of manufacturers. The flaw could be exploited to gain superadmin privileges for an entire data center. After the vulnerability was discovered in January 2019, vendors released patches and urged customers to apply them. However, researchers from Eclypsium found that data center solutions from Quanta Cloud Technology remained unpatched as recently as April 2022. Quanta says it is providing fixes privately on a customer-by-customer basis.

Editor's Note

Do not assume that systems arrive from OEMs fully patched and "secure." Sadly, in this case, you will not even be offered a patched firmware for update. What makes this worse is that attacks against BMCs can be very difficult to recover from (if you are even able to detect them).

Johannes Ullrich

Firmware security is a real thing and it's underappreciated. Imagine a chip maker putting a null-auth webserver in the firmware, for example.... From 2017 https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

Gal Shpantzer

Any procurements for cloud services, especially if going outside the major providers like Google, and Microsoft, should include questions about vendor patch status/practices and clauses for cloud service provider liability. None of that protects you or your customers but it raises the visibility of security to smaller/less expensive cloud services providers and can point out the danger of selecting them.

John Pescatore

BMCs are leveraged to manage systems at scale and allow for raw-iron management for activities like a full OS reinstall, about as close as you can get to physically accessing the box, which makes certain attacks much easier (such as a single-user boot). As such, addressing vulnerabilities and lifecycle replacements where updates are not available is critical. Quanta's model of quietly working customer by customer is not sufficiently transparent for you to truly assess your risk envelope.

Lee Neely

The Rest of the Week's News


2022-05-25

Indian Stock Exchanges Must Report Breaches Within 10 Days

The Securities and Exchange Board of India says that stock exchanges, clearing corporations, and depositories must report cybersecurity incidents within 10 days of detection. The modification to the board’s Cyber Security and Cyber Resilience Framework also expands the definition of critical systems, which must undergo security reviews and testing.

Editor's Note

India's businesses were already facing the task of implementing the new incident response orders within 60 days; this directive is focused on market infrastructure institutions (MIIs), aka stock exchanges, clearing corporations and depositories, which must have their board sign off on their critical systems and report status of the larger requirements in the circular within ten days. Most boards I know need significantly more time before voting on a significant issue, let alone reporting on the progress towards implementation. The intent of the framework is to raise the bar consistent with the modern threat landscape, which is to be commended, and a more realistic timeframe is appropriate, such as 100 or more days. We all should have accurate hardware, software, and vulnerability data, and be performing regular security testing and reviews to make sure we're not overlooking.

Lee Neely

I welcome the focus on detection and response vs. the goal of preventing an attack. Assume breach and focus on testing, measuring, and improving your people, process, and technology – make sure your team is trained in Purple Team processes and techniques.

Jorge Orchilles

2022-05-26

Ransomware Delayed SpiceJet Flights in India

India’s SpiceJet airline said that a ransomware attack was to blame for flight delays earlier this week. Customers reported that they could not reach SpiceJet customer service on the phone and that online booking was unavailable.

Editor's Note

Ransomware is the final action on objectives. You have multiple detection opportunities before the malicious actors get to that step. Tabletops are a great resource but go further with a data and evidence-based approach by actually testing yourself. Train like you will fight the adversaries.

Jorge Orchilles

Good news: they were able to contain and remediate the ransomware attack quickly. The bad news is interdependent systems were impacted, resulting in delays and confusion from passengers who were not aware of what was happening. Two takeaways - first, communicate fully and as comprehensively as possible when you know what is going on; second, make sure dependencies are not only documented but understood. Sometimes recovery of one system may need another to roll back transactions, or have transactions manually applied to achieve full recovery to operational status. Trust me, you don't want to discover this during an incident.

Lee Neely

2022-05-24

IBM Expands School Cybersecurity Program

IBM is expanding its Education Security Preparedness Grant that helps K-12 schools improve their cybersecurity posture. The grants, which are provided as in-kind support, went to six US schools this year. Next year, the program will provide help for 10 schools in the US, Costa Rica, Brazil, Ireland, and the United Arab Emirates.

Editor's Note

Last year applicants came from over 250 school districts, which is an indicator we have a gap that companies like IBM can fill. IBM is not just sending money, they are sending tools and resources, which not only aids success, but also is a model you could follow to help your local schools by leveraging existing staff, products, and processes, no matter which country you're in.

Lee Neely

I welcome this and other initiatives that teach security earlier in life. NewsBites readers: challenge yourself to share what you know to the next generation. Every little thing helps, from career day presentations to demos to teaching. We need a security focused culture from the beginning.

Jorge Orchilles

2022-05-23

UK ICO Fines Clearview, Orders Them to Delete Citizens’ Data

The UK’s Information Commissioner’s Office (ICO) has fined face recognition technology company Clearview £7.5 million ($9.4 million) for violations of the country’s data protection laws. The ICO has also ordered Clearview to stop collecting and using UK citizens’ data and to delete any UK citizens’ data it currently holds on its systems.

Editor's Note

Lesson here is to make sure that when scraping data, the operation is allowed by the sources you're obtaining information from, and, more importantly, make sure that your use and storage of that data is consistent with the regulations in the area you're operating in. As more privacy laws are enacted, their relevance/applicability is going to become increasingly important to avoid legal entanglements.

Lee Neely

2022-05-25

Suspected Business eMail Compromise Operation Ringleader Arrested

Police in Nigeria have arrested an individual believed to be the head of a massive phishing and business email compromise (BEC) operation. The group has been active since 2015 and has been launching attacks in countries around the world.

Editor's Note

The team at Palo Alto's Unit 42 have been tracking this individual since 2017, meaning that apprehending parties behind BEC can take a lot longer than you expect. In the meantime, double down on making sure you and your staff are prepared to recognize and avoid BEC attempts. Don't forget to talk to your service providers, internal or external, to ensure you're leveraging all the tools in their arsenal.

Lee Neely

We don’t hear much about BEC even though it is one of the most profitable attacks by adversaries. Kudos to law enforcement for this arrest.

Jorge Orchilles

A big well done to all those involved in this operation and in making the online world a little bit safer.

Brian Honan

2022-05-24

CISA adds 75 Vulnerabilities to Known Exploited Vulnerabilities Catalog

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added more than 70 security issues to its Known Exploited Vulnerabilities catalog. The vulnerabilities include a Cisco IOS XR open port flaw and a pair of Android Linux Kernel flaws. The newly-added items have required mitigation dates between June 13 and 15.

Editor's Note

The trick is to filter both for products you're using and for updates you're already applying to spot gaps. Separately, you should be checking post-patch that the updates you think are applied are really applied.

Lee Neely
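The triage the note above describes, as an added example that is not CISA's or any vendor's code: KEV entries are filtered to the vendor/product pairs in your own inventory, then split into gaps (no patch recorded), entries patched but not yet verified post-patch, and entries past their due date. The KEV entries, inventory and patch record below are constructed sample data; the field names follow the real feed's JSON schema (`vendorProject`, `product`, `cveID`, `dueDate`), but the CVE ids are placeholders.

```python
"""Filter a KEV-style feed against an asset inventory and a patch record."""
from datetime import date

# Constructed sample in the shape of the KEV JSON feed; CVE ids are placeholders.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Cisco",
         "product": "IOS XR", "dueDate": "2022-06-13"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Android",
         "product": "Kernel", "dueDate": "2022-06-15"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Widget", "dueDate": "2022-06-14"},
    ]
}

# Constructed inventory: (vendor, product) pairs actually in use.
INVENTORY = {("Cisco", "IOS XR"), ("Android", "Kernel")}

# Constructed patch record: cveID -> whether the fix was confirmed post-patch.
PATCHES = {"CVE-0000-0001": {"verified": False}}


def normalize(name):
    """Case- and whitespace-insensitive key so feed and inventory spellings match."""
    return " ".join(name.lower().split())


def triage_kev(kev, inventory, patches, today):
    """Bucket in-scope KEV entries by patch state; out-of-scope entries are skipped.

    A gap that is also past its dueDate appears in both 'gap' and 'overdue'.
    """
    in_scope = {(normalize(v), normalize(p)) for v, p in inventory}
    result = {"gap": [], "unverified": [], "verified": [], "overdue": []}
    for entry in kev["vulnerabilities"]:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        if key not in in_scope:
            continue
        cve = entry["cveID"]
        status = patches.get(cve)
        if status is None:
            result["gap"].append(cve)
            if date.fromisoformat(entry["dueDate"]) < today:
                result["overdue"].append(cve)
        elif status.get("verified"):
            result["verified"].append(cve)
        else:
            result["unverified"].append(cve)  # applied on paper, not yet confirmed
    return result


if __name__ == "__main__":
    for bucket, cves in triage_kev(KEV_SAMPLE, INVENTORY, PATCHES, date(2022, 6, 14)).items():
        print(f"{bucket:10} {cves}")
```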

2022-05-20

EPA Asks for Funds for Water Systems Cybersecurity

The US Environmental Protection Agency (EPA) is asking Congress for $4B to upgrade the country’s water infrastructure. More than $100M of the requested funds would go toward programs that provide support for resiliency and sustainability, establishing and building cyber capabilities, and technical assistance.

Editor's Note

This is a start; DHS CISA will also have to provide funds and expertise to make progress improving cybersecurity at state/local managed critical services like water, just as they had to do for election systems.

John Pescatore

The trick is enlisting water companies both large and small. Small operations will need to leverage external services. If you don't have sufficient support for your operation, reach out to your local ISAC or CISA branch to get connected with resources. Remember CISA services are taxpayer funded.

Lee Neely

Internet Storm Center Tech Corner

ctx Python Library Updated with "Extra" Features

https://isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/


Using NMAP to Assess Hosts in Load Balanced Clusters

https://isc.sans.edu/forums/diary/Using+NMAP+to+Assess+Hosts+in+Load+Balanced+Clusters/28682/


Huge Signed PE Files

https://isc.sans.edu/forums/diary/Huge+Signed+PE+File/28686/


Nate Street: Advancing SIEM Log Management Strategies through Vendor-Agnostic Measurement

https://www.sans.edu/cyber-research/38685/


VMWare Authentication Bypass PoC

https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/


Quanta Server BMC Vulnerability

https://eclypsium.com/2022/05/26/quanta-servers-still-vulnerable-to-pantsdown/


Attacker Modifying Libraries Claims "Research"

https://www.bleepingcomputer.com/news/security/hacker-says-hijacking-libraries-stealing-aws-keys-was-ethical-research/


Windows 11 and Server 2022 Update Prevent Trend Micro Ransomware Protection

https://success.trendmicro.com/dcx/s/solution/000291066?language=en_US


Heroku GitHub Integration Re-Enabled Again

https://blog.heroku.com/github-integration-update


Serious security vulnerability in Tails 5.0

https://tails.boum.org/security/prototype_pollution/index.en.html


Google Chrome Update

https://chromereleases.googleblog.com/2022/05/stable-channel-update-for-desktop_24.html


Zoom Updates

https://explore.zoom.us/en/trust/security/security-bulletin/


VMWare Exploit About to Be Released

https://twitter.com/Horizon3Attack/status/1528935531333177344


Zyxel Firewalls, AP Controllers, APs Patch

https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml