SANS NewsBites

Singapore Banks Urge Customers to Use Mobile Apps for Safer Banking; Segment and Patch All Atlassian Confluence Servers; FBI Info Prevents Damage from Attack on Boston Hospital

June 3, 2022  |  Volume XXIV - Issue #44

Top of the News


2022-06-02

Banks in Singapore Must Take Steps to Protect Customers from Online Fraud

Banks in Singapore are being required to take steps to help protect customers from online fraud. The new measures require that the banks provide customers with a kill switch that lets them suspend their accounts in the event of a breach. They also have to improve their fraud surveillance systems. Customers are being urged to use mobile banking apps instead of visiting bank sites in browsers.

Editor's Note

Many of the steps required earlier are remedial measures to get up to common practice levels of fraud reduction. The self-service kill switch in place of a phone call seems likely to have unintended consequences of driving calls up when hit accidentally. The move to more use of mobile banking apps reinforces the importance of the mobile telecom service providers and cell phone vendors stepping up the pace of pushing out security updates to all devices, and for Apple and Google to reduce the quantity of fraudulent or “leaky” apps that make it into the Apple App Store and Google Play.

John Pescatore

This is an interesting option; there will be some user training as all parties also learn when not to use this feature. Too often legitimate transactions are mistaken for fraud when the supporting details are inaccurate or truncated, such as POS systems still including test or outdated information in their name. Note the user is expected to call the help desk or use an ATM to initiate the lock. Increased functionality in mobile applications is welcome; don't overlook weaknesses in the web interface, APIs or other entry points needed to support online users. Make sure users can equally access supporting details for transactions from all provided entry points.

Lee Neely

2022-06-03

Atlassian Warns of Confluence Server Vulnerability

Atlassian has released an advisory warning of a critical unauthenticated remote code execution vulnerability in its Confluence Server and Data Center. The flaw, which affects all currently supported versions of Confluence Server and Confluence Data Center, is being actively exploited. There are currently no fixes available for the vulnerability. Atlassian Cloud sites are not affected.

Editor's Note

This vulnerability was found after it was used in an attack against two different companies. So far, there is no patch for this vulnerability. Do not expose your Confluence server to the public. If you find a server exposed: Take it out back and rm -rf it.

Johannes Ullrich

The advisory notes that all supported versions of Confluence are affected, and hints that unsupported versions are as well. Don't take a chance; implement the mitigations on all instances of Confluence. Apply the update when released, and update unsupported versions or migrate to the Atlassian Cloud service. The mitigations are to either restrict access from the Internet or shut down your instances. The CISA bulletin on CVE-2022-26134 recommends blocking Internet access. Make sure that you are monitoring activity for malfeasance. https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/atlassian-releases-security-updates-confluence-server-and-data

Lee Neely

2022-06-02

FBI Blocked Cyberattack Against Boston Children’s Hospital

In a speech at Boston College earlier this week, FBI Director Christopher Wray said that his agency helped to thwart a cyberattack that was targeting Boston Children’s Hospital in 2021. The FBI learned of the impending attack from an intelligence partner.

Editor's Note

All too often notification to law enforcement is the first indication to organizations that they have already been compromised. Good to see the FBI taking timely action to aid in prevention of damage.

John Pescatore

Chalk one up for the good guys. The hospital was able to partner with the FBI and take needed steps to stop the attack. This information triggered the production of subsequent advisories on both healthcare and critical infrastructure protection. Make sure that you have relationships with the FBI, CISA and/or relevant ISOC partners before you need them to facilitate a timely response. Ensure you aren't overlooking key component security on devices labelled as appliances which silently “just work.”

Lee Neely

The Rest of the Week's News


2022-06-02

VPN Company Will Move Servers Out of India

ExpressVPN says it will move its servers out of India due to new rules recently introduced by India’s Computer Emergency Response Team (CERT-In). ExpressVPN says it cannot comply with the rule’s requirement to retain customers’ names and activity because it does not retain logs of users’ activity. The company also describes the new rule as “incompatible with the purpose of VPNs.”

Editor's Note

This implies that any VPN company still operating in India will comply with data retention laws.

Johannes Ullrich

Keep an eye on regulations for the regions and countries where you operate services. Not all regulators are willing to accept a response of "not technically feasible," or you may wind up in a perpetual cycle of explaining the impossibility of compliance. Either way, removing operation from that area may be the best overall solution; don't make that decision in a vacuum, and make sure the C-Suite and board are behind you.

Lee Neely

2022-06-02

FluBot Takedown

Law enforcement agents from 11 countries have taken down the infrastructure that was supporting the FluBot malware. FluBot has been infecting Android devices since December 2020. The malware disables security features and steals banking app credentials and cryptocurrency account information. FluBot can spread quickly because it accesses contact lists of infected devices.

Editor's Note

The contact list in mobile devices has become a lifeblood for maintaining connections with our friends, partners, and businesses; synchronization with desktop tools for consistency is now SOP. As such, attention should be paid to what has been granted access to your contacts. Look at application permissions, particularly for mobile apps, restricting them to the minimum set. Check for applications you don't use any longer and remove them. Resist the temptation to install a new app to view a unique content type. Make sure that content type is legitimate long-term, and not a lure.

Lee Neely

2022-06-02

Foxconn Plant Hit with Ransomware

Electronics manufacturer Foxconn disclosed that one of its production facilities in Mexico was the target of a ransomware attack in late May. The affected plant in Tijuana is “gradually returning to normal,” according to a Foxconn spokesperson.

Editor's Note

The LockBit ransomware group is taking credit for the attack and is threatening to publish the exfiltrated information on June 11th. It is expected that the demand is substantial, as LockBit only targets large businesses with the ability to pay large ransom demands. Foxconn manufactures electronics, LCD TVs, mobile devices, and computers for many brands, so there is a risk of substantial IP disclosure. This creates an interesting dilemma, as you're dealing with disclosure of customer data, not just yours. Consider the actions you would need in this scenario, not just to prevent recurrence or redistribute workload to meet customer demand, but also to retain their business.

Lee Neely

2022-06-01

US Dept. of Justice Seizes Domain Names Used for Cybercrime

Earlier this week, the US Department of Justice (DoJ) seized three domain names that were being used to sell stolen personal information and provide distributed denial-of-service (DDoS) attacks for hire. The WeLeakInfo site claimed to be offering about 7 billion stolen records that contained personally identifiable information (PII).

Editor's Note

In 2020, the WeLeakInfo<dot>com domain was seized, and two suspects were arrested in Ireland and the Netherlands. This action seized the WeLeakInfo<dot>to, ipstress<dot>in and ovh-booter<dot>com domains. The latter two provided booter or stresser services used for DDoS attacks. The FBI is still seeking information on any individuals connected with any of these domains.

Lee Neely

2022-06-02

Dutch Police Used Pegasus Spyware

According to a news report, Dutch law enforcement used Pegasus spyware to keep tabs on the country’s most-wanted criminal in 2019. Dutch daily newspaper Volkskrant said the spyware was used against other targets as well, but did not identify them.

Editor's Note

This highlights the struggle between using available tools to support a legitimate investigation and ethical or legal constraints. Making certain a clear authorization has been granted, particularly as these tools may violate relevant privacy laws, as well as careful consideration that collateral damage, or otherwise exceeding that permission, doesn't happen, may not be sufficient to prevent blow-back when the investigation becomes known. Be sure to consider the worst-case scenario as well as every legal option; triple check that those giving permission truly can.

Lee Neely

2022-06-02

Nakasone: US Conducted Offensive Cyber Ops

General Paul Nakasone, Director of US Cyber Command, said that the US has “conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations.” Nakasone also said that his agency conducted a “hunt forward” cyber operation in Ukraine shortly before the Russian invasion.

Editor's Note

Use extreme caution with offensive cyber operations. Not only can you become a target if discovered, but you also put affiliated parties at risk. Understand the value and purpose of disclosing these activities. It's safer to learn from the ongoing battle between Russian threat actors and Ukraine, applying lessons learned to your area, than to actively participate, even though that participation is alluring.

Lee Neely

2022-06-02

CISA Says Dominion Voting Machine Flaws Were Not Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) says that while several vulnerabilities were found in Dominion Voting Systems machines, there is no evidence that the flaws were ever exploited. CISA has notified election officials in states that use the equipment and has provided mitigations.

Editor's Note

The key quote is “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.” So, the key is making sure that standard election security procedures are being followed by the large and small government election authorities and that vulnerabilities in processes are being remediated before any exploitation attempt.

John Pescatore

A lot of success can be attributed to defense-in-depth of the procedures (cyber, physical, and operational) supporting the voting process. If you're a steward of electronic voting machines, make sure that you're applying updates whenever they are released, not waiting until the last minute because they're all in storage.

Lee Neely

Internet Storm Center Tech Corner

Follina Update

https://isc.sans.edu/forums/diary/First+Exploitation+of+Follina+Seen+in+the+Wild/28698/

https://isc.sans.edu/forums/diary/New+Microsoft+Office+Attack+Vector+via+msmsdt+Protocol+Scheme+CVE202230190/28694/


HTML Phishing Attachments - Now With Anti-Analysis Features

https://isc.sans.edu/forums/diary/HTML+phishing+attachments+now+with+antianalysis+features/28702/


Quick Answers in Incident Response RECmd.exe

https://isc.sans.edu/forums/diary/Quick+Answers+in+Incident+Response+RECmdexe/28706/


Zero-Day Exploitation of Atlassian Confluence

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html


Korenix Technology JetPort Backdoor

https://sec-consult.com/vulnerability-lab/advisory/backdoor-account-in-korenix-technology-jetport-series/


Elasticsearch Data Wiped

https://www.secureworks.com/blog/unsecured-elasticsearch-data-replaced-with-ransom-note


Unofficial Patch for CVE-2022-30190 (Follina)

https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html


Windows Search Vulnerability

https://www.bleepingcomputer.com/news/security/new-windows-search-zero-day-added-to-microsoft-protocol-nightmare/


Call Forwarding Used to Compromise WhatsApp Accounts

https://www.linkedin.com/posts/fb1h2s_beware-here-is-how-whatsapp-accounts-are-activity-6934386561048264704-NnFf/


Badkeys in Fuji Xerox and Canon Printers

https://fermatattack.secvuln.info


Open Automation Software Platform Vulnerability

https://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html


Over 3.6 million MySQL servers found exposed on the Internet

https://www.bleepingcomputer.com/news/security/over-36-million-mysql-servers-found-exposed-on-the-internet/