SANS NewsBites

Check SOHO Routers from ASUS, Cisco, DrayTek and NETGEAR for ZuoRAT Malware; Can You Protect Your CEO With Apple’s New Lockdown Mode?; Patch OpenSSL

July 8, 2022  |  Volume XXIV - Issue #52

Top of the News


2022-06-30

ZuoRAT Malware Targets SOHO Routers

A remote access trojan (RAT) known as ZuoRAT has been detected attacking small office/home office (SOHO) routers. Black Lotus Labs have been tracking the campaign, which has been active since 2020. ZuoRAT takes complete control of SOHO routers in North America and Europe.

Editor's Note

Usually as we talk about attacks against home routers and similar "IoT" devices, we talk about nuisance malware like Mirai. But among the background noise are some more sophisticated attacks using the same simple exploits to turn these devices into a powerful distributed attack platform. This has been done in the past with MikroTik routers and others as well.

Johannes Ullrich
Johannes Ullrich

This malware is operating under the pretext that SOHO routers are not maintained or secured. Make sure that your routers are configured for automatic firmware updates, that remote management is either disabled or restricted to very specific authorized devices, and pay attention to any vendor-provided security posture check. Lastly, make sure the device is still supported and replace it if not. This RAT cannot survive reboots, so if you think you're infected, reboot your router; then perform a factory reset to make sure only the settings you intend are in effect.

Lee Neely
Lee Neely

These routers are the first line of defense in "work from home" applications. Yet, as with many smart appliances ("things"), keeping them current is costly and rarely routine.

William Hugh Murray
William Hugh Murray

2022-07-06

Apple’s Lockdown Mode Will Protect Users from Mercenary Spyware

Apple has announced a new feature that will help protect users’ devices from spyware. Lockdown Mode will be introduced in iOS 16, iPadOS 16, and macOS Ventura, which are scheduled to be released later this year. Apple says, “Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats.” Users will be able to enable the feature in the Settings menu.

Editor's Note

Interesting move by Apple to give users the option to prioritize security over functionality. Also interesting as only a very small number of users will benefit from it. We will have to see how many attacks are actually disrupted by this setting. (I don't doubt it will work, but the real question will be if the right target group will take advantage of it.)

Johannes Ullrich
Johannes Ullrich

I think we will be surprised how many CEOs might be willing to lockdown their phone this way. If your CEO wears an analog watch that does NOT show altitude, phases of the moon or beep on every Instagram post, configure an iPhone in this Lockdown Mode when it comes out and do a demo to CEOs and even the Board.

John Pescatore
John Pescatore

Something to consider for potential targets (VIPs?) working in risky areas. Read and test the impacts carefully and review them with your possible user to ensure they don't wind up turning this off because they are not able to work. Impacts include blocking most attachment types other than images, disabling link previews, disabling Java JIT compiling on non-trusted websites, blocking MDM profile updates, and blocking inbound service requests such as calls or FaceTime if you haven't connected previously.

Lee Neely
Lee Neely

One should add international travelers to the list of those that may find this mode useful. (Everyone might want to turn it on in such hostile environments as Starbucks, airports, or Washington DC.)

William Hugh Murray
William Hugh Murray

2022-07-06

OpenSSL Patches Two Vulnerabilities

OpenSSL maintainers have released updates to address two vulnerabilities: a high-severity memory corruption flaw in the RSA implementation (CVE-2022-2274), introduced in 3.0.4, that could be exploited to allow remote code execution, and a moderate-severity bug (CVE-2022-2097) that leaves some bytes unencrypted in AES OCB mode on certain 32-bit x86 builds. OpenSSL 3.0 users are urged to upgrade to OpenSSL 3.0.5; OpenSSL 1.1.1 users should upgrade to 1.1.1q.

Editor's Note

These are two interesting vulnerabilities and I think they may have gotten a bit lost during the short work week. CVE-2022-2274 could have huge impact, but luckily it only affects OpenSSL on specific CPUs, and more importantly, it was caught immediately after the bug was introduced so the footprint of installed vulnerable OpenSSL versions is negligible. The second issue is also CPU version dependent, but it affects a much larger range. It could potentially affect a lot of data that was encrypted and is now considered "safe" even though a very small part of the data has not been encrypted.

Johannes Ullrich
Johannes Ullrich

Good to see fast reaction by OpenSSL. That needs to become the norm for open source software, medical devices, etc.

John Pescatore
John Pescatore

The flaw was introduced in OpenSSL 3.0.4, so make sure that when you're updating, particularly if you're playing catch-up, you move to at least 3.0.5. While you're waiting on vendor provided patches, it'd be a good time to take stock of the versions of OpenSSL you have installed to see what your risk levels are.

Lee Neely
Lee Neely

The Rest of the Week's News


2022-06-29

FBI: Deepfakes and Stolen PII are Being Used to Apply for Jobs

The US FBI says it has received an increasing number of complaints about people applying for remote work employment using stolen personally identifiable information and deepfake video. The phony job applicants are seeking remote or work-from-home positions that would allow them to access “customer PII, financial data, corporate IT databases and/or proprietary information.” Some reports include the applicants submitting stolen PII for background checks.

Editor's Note

Economic conditions mean many HR organizations are dealing with layoffs/redundancy while also hiring in key areas – busy HR people often take shortcuts. As a minimum, use this item to touch base with HR and IT management to make sure hires in positions that will be given sensitive access get thorough reference and background checks.

John Pescatore
John Pescatore

Trust but verify. Part of the scheme is using doctored videos, but the audio doesn't match the video exactly, particularly for coughs or sneezes. Use employment background screening processes to verify that the person is truly who they claim to be. The cost of an in-person meet and greet may offset the cost of damage from a fake hire.

Lee Neely
Lee Neely

2022-07-05

Cyberattack Against Geographic Solutions Affects Multiple States’ Unemployment Benefits

A cyberattack against an IT services provider has disrupted unemployment and work benefits for people in multiple US states. Geographic Solutions has not yet made a public statement, but it has notified state agencies affected by the incident.

Editor's Note

This is a good reminder that we need to look at the supply chain for all business services to an organization for its Business Continuity Planning. If you have not done so already, you should review what key functions your organization has outsourced to third parties and how you would continue to provide that service should that provider become a victim of a cyber-attack or other issue that results in them being offline.

Brian Honan
Brian Honan

Using companies like Geographic Solutions provides easy access to services you may not be able to otherwise deliver, and they are able to achieve economies of scale, which is a boon to your business. Make sure that you're incorporating the risks of outsourced services being offline for the time needed to recover from a ransomware attack. Make sure that interdependencies are also understood, then develop your response plan.

Lee Neely
Lee Neely

2022-07-07

IconBurst NPM Supply Chain Attack

Researchers at ReversingLabs have detected a software supply chain attack involving maliciously-crafted NPM packages. The attack has been ongoing since at least December 2021. The attacks use typo-squatting to trick users into downloading the malicious packages.

Editor's Note

These typos, which result in the incorrect package, are incredibly easy to make, particularly with pressure to deliver rapidly. Make sure your build/integration process is validating that the packages intended are what is loaded: name, version, and checksum, and that you're responding to exceptions.

Lee Neely
Lee Neely

2022-07-06

North Korean Hackers Targeting US Healthcare Sector

In a joint alert, the US Treasury Department, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warn that North Korean state-sponsored cyberthreat actors are targeting US healthcare sector organizations. The hackers have been using Maui ransomware since at least May 2021. “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.”

Editor's Note

No matter what sector you're in, add the IOCs from the CISA bulletin to your SIEM. The attack vector is not yet known; mitigations include making sure you have MFA on your entry points, that only authorized systems and individuals can access sensitive data, and encryption of sensitive data at rest wherever possible.

Lee Neely
Lee Neely

2022-07-07

National Defense Authorization Act Cybersecurity-Related Amendments

US Representative Jim Langevin (D-Rhode Island) has introduced several cybersecurity-related provisions to the National Defense Authorization Act (NDAA). One of the amendments would create an Office of Cybersecurity Statistics within the Cybersecurity and Infrastructure Security Agency (CISA). Another amendment includes provisions suggested by the Cyberspace Solarium Commission to bolster cybersecurity for “systemically important critical infrastructure.”

Editor's Note

I don’t see any game changers, mostly a lot more data collection and reporting requirements – more pages of documents have never equated to reduction in risk. Game changers would be requiring DoD (and by extension those who sell to DoD) to upgrade IT operations to meet basic security hygiene requirements, vs. more documents on how to spackle security on top of badly developed and administered systems in data centers and in the cloud.

John Pescatore
John Pescatore

Key to the Office of Cybersecurity Statistics will be the capability to process, store and analyze data in an expeditious fashion; while this is an exciting capability, expeditious funding is critical. Expect this to change in committee. The amendments also include an attempt to insulate CISA from political swings by limiting the term of the CISA director to five years, and a requirement for military leaders to report on acceleration of domestic production of rare-earth metals.

Lee Neely
Lee Neely

2022-07-05

Google Updates Chrome to Fix Actively Exploited Vulnerability

Google has updated the Chrome Stable Channel for Desktop to version 103.0.5060.114. The newest version of the browser addresses four security issues, including a high-severity flaw that is being actively exploited. This is the fourth zero-day flaw in Chrome that Google has patched this year.

Editor's Note

Chrome, like most other browsers, will update automatically as long as you close and reopen. Even so, this is a good reminder that client-side attacks should be part of the scope of work in red team and pen testing engagements.

Christopher Elgee
Christopher Elgee

Heap overflow, use-after-free and type confusion issues are addressed. Chrome updates continue to hone our ability to push out-of-band patches. Don't forget to set a time limit on users relaunching browsers to load the updated version. Be sure to check, and update, chromium-based browsers in your environment.

Lee Neely
Lee Neely

2022-07-05

NIST’s Quantum-Resistant Algorithms

The US National Institute of Standards and Technology (NIST) has selected four quantum-resistant cryptographic algorithms for standardization. The four algorithms will be incorporated into NIST’s post-quantum cryptography standard. The algorithms are CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

Editor's Note

The quest for quantum-resistant algorithms started in 2016. CRYSTALS-Kyber is intended for general key-establishment, CRYSTALS-Dilithium for digital signatures, FALCON as a fallback for cases where the CRYSTALS-Dilithium signatures are too large, and SPHINCS+ is the slowest of the bunch, but is suggested as an alternative where you want to use alternate mathematical models. Don't expect to find these in vendor products right away. Once they are available, you're going to want to do regression testing to not only ensure that you're functional, but also for other operational or performance impacts.

Lee Neely
Lee Neely

We have ample time to replace RSA. There will be no "Quantum Apocalypse." However, it is important to keep in mind that attacks against modern cryptography are rarely against the algorithms but rather against implementations and applications. We still have a long way to go.

William Hugh Murray
William Hugh Murray

Internet Storm Center Tech Corner

Possible Scans for HiByMusic Devices

https://isc.sans.edu/forums/diary/Possible+Scans+for+HiByMusic+Devices/28796/


Case Study: Cobalt Strike Server Lives on After its Domain is Suspended

https://isc.sans.edu/forums/diary/Case+Study+Cobalt+Strike+Server+Lives+on+After+Its+Domain+Is+Suspended/28804/


7Zip Mark of the Web For Office Files

https://isc.sans.edu/forums/diary/7Zip+MoW+For+Office+files/28812/


EternalBlue 5 Years After WannaCry and NotPetya

https://isc.sans.edu/forums/diary/EternalBlue+5+years+after+WannaCry+and+NotPetya/28816/


How Many SANs are Insane

https://isc.sans.edu/forums/diary/How+Many+SANs+are+Insane/28820/


It's New Phone Day: Time to Migrate Your MFA

https://isc.sans.edu/forums/diary/Its+New+Phone+Day+Time+to+migrate+your+MFA/28800/


Phishing Attacks Getting Trickier

https://www.sans.org/newsletters/ouch/phishing-attacks-getting-trickier


Managing Human Risk Security Awareness Report

https://go.sans.org/lp-wp-2022-sans-security-awareness-report


OpenSSL Patches Two Vulnerabilities

https://www.openssl.org/news/secadv/20220705.txt


OpenSSL Heap Overflow

https://guidovranken.com/2022/06/27/notes-on-openssl-remote-memory-corruption/

https://github.com/openssl/openssl/issues/18625#issuecomment-1165012549


ZuoRAT Malware Hijacking Home Office Routers

https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/


IconBurst NPM Software Supply Chain Attack

https://blog.reversinglabs.com/blog/iconburst-npm-software-supply-chain-attack-grabs-data-from-apps-websites


CVE-2022-28219: Unauthenticated XXE to RCE and Domain Compromise in ManageEngine ADAudit Plus

https://www.horizon3.ai/red-team-blog-cve-2022-28219/


CWE Top 25 Update

https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html#analysis


SessionManager Backdoor Seen with IIS

https://securelist.com/the-sessionmanager-iis-backdoor/106868/


Google Chrome Stable Channel Update

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html


Fortinet July Updates

https://fortiguard.fortinet.com/psirt?date=07-2022


Quantum Safe Ciphers

https://csrc.nist.gov/News/2022/pqc-candidates-to-be-standardized-and-round-4


Apple Proposes Lockdown Mode

https://www.apple.com/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/


Microsoft Azure Service Fabric Container Elevation of Privilege Vulnerability

https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/#The-Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30137


Zimbra RCE Vulnerability

https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/


FBI Warns of Deep Fakes Being Used in Job Interviews

https://www.ic3.gov/Media/Y2022/PSA220628