SANS NewsBites

Educate Employees Working from Home About Video Doorbell Storage Risks; First US Cyber Safety Review Board Focuses on Log4j Risk; Another Form of MFA Bypass Does Not Change Advice to Eliminate Reusable Passwords

July 15, 2022  |  Volume XXIV - Issue #54

Top of the News


2022-07-14

Amazon Acknowledges Sharing Ring Data With Police Without Informing Users

Amazon has provided US law enforcement agencies with data from Ring video doorbells nearly a dozen times since the start of 2022. While Amazon’s policy states that police may not view recordings without the explicit permission of the devices’ owners, that policy is superseded by subpoenas and emergency requests. Amazon confirmed that they had shared Ring footage in a letter responding to questions posed by US Senator Ed Markey (D-Massachusetts).

Editor's Note

Amazon’s response to the Senator shows Amazon has evolved to a balanced response between user demands for privacy and law enforcement (and often user) demands for using stored doorbell video to catch thieves and criminals. Worth showing your Chief Legal Counsel if your company provides any product or service storing such data. From a Work at Home security viewpoint, Amazon Ring is the largest vendor but only has about a 15% market share. The top 5 vendors overall only represent 30% of the market – 70% of devices are sold by dozens of tiny vendors who are likely not being as diligent as Amazon. The good news from a WAH point of view is that many of the smaller ones don’t offer long cloud storage of video/audio, but most will over time. WAH security awareness should include tips on how employees can minimize risk.

John Pescatore

Make sure that you understand who can view your doorbell or other security footage, and under what conditions. And this reminds us that they have direct access to the data to override those processes if needed. Amazon has their Neighbors Public Safety Service which allows users to elect to share footage with law enforcement, as well as a process where they will share footage in response to a court order or emergency request. In this instance, Amazon (Ring) made a good faith determination that sharing the footage was warranted, but those requests cannot be linked to a court or emergency order. If you're uncomfortable, consider solutions where the footage is stored locally and only you have access to view it.

Lee Neely

Police and other government agencies will always look to gather whatever data they can when investigating crimes or individuals. That is why strong privacy laws are so important to ensure that any such access is provided in a controlled, informed, and transparent manner and it is beyond time that the US introduced strong federal privacy laws. Privacy laws are not there to hinder police or government agencies, they are there to protect the human rights of us all.

Brian Honan

Their "terms of service" almost universally permit holders of data to respond to "lawful" requests, i.e. warrants and subpoenas. If that is a problem for you, then do not share the data. Holders of data should be transparent about the number of such requests they receive and how they responded. Such transparency is essential to maintaining the necessary level of public trust.

William Hugh Murray

2022-07-14

US Cyber Safety Review Board: Log4j Will be an Issue for Years to Come

The US Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) has concluded that vulnerable instances of Log4j will continue to pose a risk for at least a decade. CSRB’s report, Review of the December 2021 Log4j Event, includes recommendations for users to help mitigate the risks.

Editor's Note

Log4j is a bit of a tricky vulnerability. Initially, we saw a big surge in scans for the vulnerability, and these scans dropped off quickly as attackers realized that the standard attack tools only worked for a few specific applications. In many cases attacks against log4j need to be customized for a particular application based on how and where it uses log4j. But the application is still vulnerable, and as more specific exploits are released for these use cases, we will see new flare ups.

Johannes Ullrich

The good news quote in the CSRB’s first report since being established: “At the time of writing, the Board is not aware of any significant Log4j-based attacks on critical infrastructure systems. Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.” This first output from the CSRB was focused on a vulnerability vs. an incident. The idea of a Cyber Safety Review Board came from trying to get similar “lessons learned” that have for years come from the US National Transportation Safety Board that investigates plane, train, vehicle, etc. crashes. The “Organizational Responses” section of this initial report is just a few paragraphs of lessons learned. The Enterprise Risk Management recommendations section has a bit more, but at a much higher level. I’d like to see the next CSRB report focus on an investigation of one of the continuing stream of successful attacks we are always commenting on in NewsBites.

John Pescatore

As we are still having breaches due to SQL injection and other vulnerabilities identified decades ago, I have no doubt that we will still be dealing with recently discovered vulnerabilities for decades to come, and yes, I won’t be surprised to still see SQL injection attacks over the coming decades. Security engineering needs to become the default for all systems and applications from their very beginning and not something added on as a nice to have or to keep regulators happy.

Brian Honan

The first task on the CSRB agenda was a report on Log4J. The executive summary includes a number of recommendations which apply to more than just Log4j, even if you're not developing applications, including being aware of the components you're integrating and keeping good software inventories so you know where those components are located. SBOMs are a step to aid this: remember that they represent a point in time, so make sure they are maintained/updated.

Lee Neely
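The inventory recommendation above is concrete enough to automate. What follows is an added example, not code from this NewsBites issue or from the CSRB report: it walks a CycloneDX JSON SBOM, including components a producer nests inside another component (shaded or bundled jars, which is where Log4j copies most often hide), reports every log4j-core instance below the lowest fully remediated version of its branch, flags the end-of-life 1.x line, and, because an SBOM is a point-in-time record, warns when the SBOM itself is older than a freshness window. The SBOM content, the component names in it, and the 90-day window are constructed assumptions.

```python
"""Added example, not code from the SANS issue or the CSRB report: audit a
CycloneDX JSON SBOM for Log4j exposure and for staleness. The SBOM below is
constructed, and the 90-day freshness window is an assumption."""
import json
from datetime import datetime, timedelta, timezone

# Lowest version on each 2.x branch that closes CVE-2021-44228, -45046,
# -45105 and -44832 (Java 8+, Java 7 and Java 6 branches respectively).
FIXED_JAVA8, FIXED_JAVA7, FIXED_JAVA6 = (2, 17, 1), (2, 12, 4), (2, 3, 2)
STALE_AFTER = timedelta(days=90)  # assumption: regenerate SBOMs older than this

# Constructed CycloneDX 1.4 SBOM: a top-level log4j-core, a log4j 1.x, and a
# log4j-core bundled inside another component. Names are invented.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"timestamp": "2022-01-10T09:00:00Z",
               "component": {"type": "application", "name": "billing-service", "version": "3.4.0"}},
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
    {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
    {"type": "library", "group": "org.example", "name": "search-client", "version": "7.10.2",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.11.1"}
     ]},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}
  ]
}
""")


def parse_version(text: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); a pre-release tag such as '2.0-beta9' is dropped."""
    parts = [int(p) if p.isdigit() else 0 for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def required_fix(version: tuple) -> tuple:
    """Fully patched version on the oldest 2.x branch that can serve this install."""
    minor = version[1]
    if minor <= 3:
        return FIXED_JAVA6
    if minor <= 12:
        return FIXED_JAVA7
    return FIXED_JAVA8


def walk(components, path=()):
    """Yield every component with its containment path, descending into the
    nested 'components' lists CycloneDX allows inside a component."""
    for comp in components:
        here = path + (f"{comp.get('name')}@{comp.get('version')}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)


def _parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_sbom(sbom: dict, as_of: str) -> dict:
    """Return a stale flag plus one finding per Log4j instance that needs action."""
    generated = _parse_ts(sbom["metadata"]["timestamp"])
    findings = []
    for path, comp in walk(sbom.get("components", [])):
        key = (comp.get("group"), comp.get("name"))
        version = comp.get("version", "")
        if key == ("log4j", "log4j"):
            findings.append({"path": "/".join(path), "version": version,
                             "status": "end-of-life 1.x line", "fix": "migrate to 2.17.1 or later"})
        elif key == ("org.apache.logging.log4j", "log4j-core"):
            fix = required_fix(parse_version(version))
            if parse_version(version) < fix:
                findings.append({"path": "/".join(path), "version": version,
                                 "status": "vulnerable", "fix": ".".join(map(str, fix))})
    return {"generated": generated.isoformat(),
            "stale": _parse_ts(as_of) - generated > STALE_AFTER,
            "findings": findings}


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM, "2022-07-15T00:00:00Z")
    print("SBOM stale:", report["stale"])
    for f in report["findings"]:
        print(f"{f['status']:<22} {f['path']}  -> {f['fix']}")
```

Two design points: the check keys on `log4j-core`, not `log4j-api`, because the JNDI lookup lives in the core artifact, and the nested walk is what turns "we have no direct log4j dependency" into the shaded copy under `search-client`. Treat a `stale` result as a finding in its own right: an SBOM that predates your last rebuild says nothing about what is running now.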

2022-07-13

Phishing Campaign Bypasses MFA

Researchers from Microsoft have discovered a phishing campaign that can bypass multi-factor authentication (MFA). The attacks are targeting Office 365 users; more than 10,000 organizations have been targeted since September 2021. Microsoft says the campaign uses adversary-in-the-middle (AiTM) phishing sites that proxy the real login page to steal passwords, hijack sign-in sessions, and bypass the authentication process.

Editor's Note

At the SANS New Threats and Attacks keynote presentation at the RSA Conference, SANS instructor Katie Nickels covered MFA Bypass attacks but also said “Multifactor auth remains an incredibly powerful force for security. You should still use it.” Successful attacks (like airplane crashes) make the headlines, blocked attacks (like safe plane landings) do not – you will not see publicity around the 99.9% of credential stealing attacks that don’t work if MFA is done right. MFA does have to be done right, Katie points that out, and even done right doesn’t mean the end of successful attacks. But raising the bar against credential stealing that takes advantage of reusable passwords is mandatory if you are even talking about achieving anything close to “zero trust.”

John Pescatore

The attack isn't particularly new, but the write up does also cover what attackers are doing after the phishing is successful. Good read and maybe a motivation to not allow "remember browser" cookies to bypass MFA for critical applications.

Johannes Ullrich

Just to clarify, ‘adversary-in-the-middle’ attacks have been going on for almost twenty years now, nothing new. Second, this is not an attack specifically against MFA. In this version, the attackers’ goal is to steal the session cookie, not the actual authentication credentials. In other words, the attackers wait for / assist you to authenticate first, steal the authenticated session cookie and then replay that to gain access. A similar attack happens with “trojaned” M365 plugins that you approve and install AFTER authenticating to your M365 account. Strong authentication mechanisms like MFA are highly effective, something I still strongly recommend and use actively for my own personal accounts. The Microsoft post has good details about how the attack works and mitigation steps.

Lance Spitzner

While we have been raising the bar by implementing some form, any form, of MFA, attackers have been working on how to exploit these efforts. You should be starting to hear the term phishing-resistant MFA. These leverage both cryptography (public-private key pairs) and verification that the requesting site is genuine. FIDO2 is one example. From an infrastructure perspective, pursue a strategic roadmap from your current MFA to phishing-resistant MFA, while taking tactical steps to phase out SMS or phone call MFA quickly. From an end-user perspective, continue to educate them on being skeptical and checking that the site they are interacting with is truly genuine.

Lee Neely
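The mechanism behind the two comments above (a proxy that relays a password and one-time code walks away with a valid session cookie, while a FIDO2 assertion fails because the browser binds it to the origin the user is really on) is easier to see in code. The block below is an added example, not code from this NewsBites issue or from Microsoft's write-up. The hostnames, accounts, seed and key are constructed, and the authenticator's private-key signature is replaced by an HMAC over the same data so the block runs on the standard library alone; the origin and challenge checks are the point, and they are the ones WebAuthn specifies.

```python
"""Added example for the AiTM phishing story; not code from the SANS issue or
Microsoft's post. Models why relaying password + TOTP yields a usable session
cookie while a WebAuthn-style assertion fails the relying party's origin check.
Hostnames, secrets and the HMAC stand-in for the FIDO signature are constructed."""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

RP_ORIGIN = "https://login.example"          # constructed relying-party origin
PHISH_ORIGIN = "https://login-example.evil"  # constructed AiTM proxy origin

# ---------- legacy MFA: password + TOTP (RFC 6238) ----------
TOTP_SEED = b"constructed-seed-0123456789"
PASSWORDS = {"alice": "correct horse battery staple"}   # constructed account
SESSIONS = set()


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps implement it."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def legacy_login(user: str, password: str, code: str, now: int) -> Optional[str]:
    """Server side: issue a session cookie on success. Nothing here can tell
    whether the submitter is the user or a proxy relaying the user's input."""
    if PASSWORDS.get(user) != password or not hmac.compare_digest(code, totp(TOTP_SEED, now)):
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS.add(cookie)
    return cookie


def aitm_steals_session(now: int) -> bool:
    """The proxy shows a cloned page, relays password and TOTP in real time,
    and keeps the cookie the server returns; replay from the attacker works."""
    victim_typed = ("alice", PASSWORDS["alice"], totp(TOTP_SEED, now))
    stolen_cookie = legacy_login(*victim_typed, now)
    return stolen_cookie is not None and stolen_cookie in SESSIONS


# ---------- phishing-resistant MFA: FIDO2/WebAuthn-style assertion ----------
CRED_KEY = secrets.token_bytes(32)   # stand-in for the authenticator's private key
ISSUED_CHALLENGES = set()


def rp_issue_challenge() -> str:
    challenge = secrets.token_urlsafe(32)
    ISSUED_CHALLENGES.add(challenge)
    return challenge


def browser_sign(origin_in_address_bar: str, challenge: str) -> dict:
    """Browser + authenticator: the browser, not the page, records the origin it
    is actually on, and the authenticator signs over a hash of that JSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_in_address_bar}, sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify(assertion: dict) -> Tuple[bool, str]:
    """Relying party: check type, challenge (single use), origin, then signature."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False, "wrong type"
    if data.get("challenge") not in ISSUED_CHALLENGES:
        return False, "unknown or reused challenge"
    ISSUED_CHALLENGES.discard(data["challenge"])
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    expected = hmac.new(CRED_KEY, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def fido_login_direct() -> Tuple[bool, str]:
    """User really is on login.example."""
    return rp_verify(browser_sign(RP_ORIGIN, rp_issue_challenge()))


def fido_login_via_aitm() -> Tuple[bool, str]:
    """Proxy fetches a genuine challenge and relays it, but the victim's browser
    is on the proxy's origin, so the signed clientData names the wrong origin.
    The proxy cannot alter that field without invalidating the signature."""
    relayed_challenge = rp_issue_challenge()
    return rp_verify(browser_sign(PHISH_ORIGIN, relayed_challenge))


if __name__ == "__main__":
    print("password+TOTP via AiTM, attacker holds a valid session:", aitm_steals_session(1_700_000_000))
    print("FIDO2 direct:", fido_login_direct())
    print("FIDO2 via AiTM:", fido_login_via_aitm())
```

Note what the example does not fix: once a legitimate FIDO2 login has produced a session cookie, that cookie is as stealable as any other, which is why the Microsoft post pairs phishing-resistant MFA with conditional access and session controls rather than treating it as a complete answer.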

MFA has raised the bar for criminals to hijack user accounts but it should not be seen by itself to be a panacea. Other mitigations should be put in place to reinforce the protection offered by MFA solutions. The Microsoft blog included in the links to this story offers some very good additional mitigation steps to help defend against this type of attack.

Brian Honan

Unlike the fraudulent re-use of passwords, which is cheap and enables session creation, attacks against strong authentication are expensive and only enable session stealing. We must not permit the limitations of a security mechanism to discourage its use, the perfect to be the enemy of the good.

William Hugh Murray

The Rest of the Week's News


2022-07-14

Lenovo Releases Firmware Updates to Fix RCE Flaws

Three vulnerabilities in UEFI (Unified Extensible Firmware Interface) firmware affect more than 70 models of Lenovo laptops. All three vulnerabilities are buffer overflow flaws that could be exploited to allow arbitrary code execution. Lenovo has made firmware updates available.

Editor's Note

The Lenovo site includes a table of models and which of the three vulnerabilities impact them. All 70 are impacted by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver. The fix, in all cases, is to update your firmware. In April Lenovo addressed three UEFI vulnerabilities with firmware updates. It's a good time to make sure your entire fleet of Lenovo systems is running updated firmware.

Lee Neely

2022-07-12

CISA Adds Another Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added another vulnerability to its Known Exploited Vulnerabilities Catalog. The local privilege elevation vulnerability affects Microsoft Windows Client Server Runtime Subsystem (CSRSS). The flaw was fixed in Microsoft’s July Patch Tuesday earlier this week. Federal agencies have until August 2 to mitigate the vulnerability.

Editor's Note

The good news is the fix is in the July patch bundle. The bad news is this impacts client and server operating systems, through Windows 11/Server 2022, and is a zero-day to boot. While you're already pushing out your client updates, you're going to want to expedite your regression testing for server deployment.

Lee Neely

2022-07-13

Microsoft Patch Tuesday

On Tuesday, July 12, Microsoft released fixes for more than 80 vulnerabilities. Four of the flaws are rated critical; one is being actively exploited. The zero-day privilege elevation flaw in Windows' Client Server Runtime Subsystem (CSRSS) affects all supported versions of Windows. CISA has added the CSRSS flaw to its Known Exploited Vulnerabilities catalog.

Editor's Note

Overall, a pretty "average" Patch Tuesday. The CSRSS vulnerability is already exploited, but it is "only" a privilege escalation vulnerability, so nothing to lose too much sleep over. Also note that Microsoft has now moved its new auto-patch feature to general release. Maybe start experimenting with it to take the busy work out of Patch Tuesday.

Johannes Ullrich

While it sometimes feels we can't catch a break, it's nice to see a fix released for all impacted platforms rather than having to wait for patches for different OS versions. The CSRSS vulnerability is a zero-day and allows an attacker to execute code as System. Note this update also includes another round of patches for the print spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) which can be leveraged to delete files or gain System privileges.

Lee Neely

2022-07-13

Retbleed Speculative Execution Attack

Researchers from ETH Zurich have discovered a speculative execution attack that affects certain Intel and AMD processors and could leak sensitive data, including kernel memory. Dubbed Retbleed, the attack bypasses the retpoline software mitigation, which was introduced in 2018 to defend against Spectre branch target injection (variant 2) attacks. The researchers will present their paper at the USENIX Security Symposium in August.

Editor's Note

Spectre variant 2 is back - while it was argued that the retpoline mitigation to that attack was insufficient, it was countered that those attacks were impractical. This is that impractical attack. The good news is there are mitigations, and Windows systems are not vulnerable as they are by default using Indirect Branch Restricted Speculation. Mitigations for other operating systems come at a 12-28% overhead so research carefully before deploying.

Lee Neely

2022-07-14

macOS App Sandbox Escape Flaw

A vulnerability in macOS (CVE-2022-26706) could be exploited to bypass the operating system’s App Sandbox. Apple fixed the flaw in security updates released on May 16. Microsoft detected the vulnerability while looking for ways to run malicious macros in Office documents on macOS; they notified Apple in October 2021. Microsoft has released proof-of-concept exploit code for the flaw.

Editor's Note

You're not still treating your Macs as non-targeted are you? While we can chuckle about Microsoft finding a flaw in macOS, we need to quickly acknowledge that disclosure to Apple was made and fixes incorporated in the May 16 updates to Catalina, Big Sur and Monterey. Make sure those updates have been deployed, particularly as it's going to get busy with iOS 15.6 likely next week and Ventura/iOS 16 in a couple of months.

Lee Neely

So called "proof-of-concept" code should not be released; it lowers the cost of attack to the rogues. I, for one, am more than willing to take Microsoft's word that there is a vulnerability, that it can be exploited, and should be mitigated. Microsoft should not lower the cost of attack against vulnerabilities in its competitors’ products. Rather it should focus on putting its own house in order.

William Hugh Murray

2022-07-14

Tenet Healthcare Sued Over Data Theft

Tenet Healthcare and its Baptist Health System (BHS) affiliate are facing a $1M class action lawsuit over a cyberattack that led to patient data theft. The incident affected 1.2 million patients. The lawsuit alleges that the stolen data were not encrypted and that “BHS and its employees failed to properly monitor the computer network and IT systems that housed the private information.”

Editor's Note

The claim is hitting both on timely notification and encryption of sensitive data. HIPAA allows data to not be encrypted at rest if you have other mitigations; it will be interesting to see how this plays against that plan. Make sure that you're prepared to notify users and/or partners in a timely fashion in the event of a breach. Take a moment to review contractual or regulatory requirements to make sure that you're meeting those obligations. As to encryption, it's become increasingly easy to encrypt at rest and in transit; make sure that you've not overlooked options to facilitate this that were not previously available, particularly for services you migrated to the cloud. Then document and track gaps.

Lee Neely

These class action lawsuits after breaches have been tried many times over the past 10 years and they rarely seem to succeed. That may change in the future as the broad loopholes in regulations get narrowed at the state level, but I think today it is more important to convince CXOs and Boards that the cost of preventing or minimizing the damage from breaches is almost invariably less than incurring a breach – and cybersecurity insurance rarely changes that.

John Pescatore

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/diary/Microsoft+July+2022+Patch+Tuesday/28838


Using Referrers to Detect Phishing Attacks

https://isc.sans.edu/diary/Using+Referers+to+Detect+Phishing+Attacks/28836


Debugging Broadcast Storms

https://isc.sans.edu/diary/A+%22DHCP+is+Broken%22+story%2C+and+a+Blast+from+the+Past+%28or+should+I+say+%22Storm%22+from+the+past%29/28844


Adobe Updates

https://helpx.adobe.com/security/security-bulletin.html


SAP Patches

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


IBM Patches

https://www.ibm.com/support/pages/node/6602255

https://www.ibm.com/support/pages/node/6602259

https://www.ibm.com/support/pages/node/6602251


Callback Phishing Campaigns Impersonating Security Companies

https://www.crowdstrike.com/blog/callback-malware-campaigns-impersonate-crowdstrike-and-other-cybersecurity-companies/


Retbleed Spectre Attack

https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf


Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706

https://www.microsoft.com/security/blog/2022/07/13/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706/


Buffer Overflow Vulnerabilities in UEFI Firmware of Several Lenovo Notebooks

https://twitter.com/ESETresearch/status/1547166334651334657


Targeted Deanonymization via Side Channel Attacks

https://leakuidatorplusteam.github.io/preprint.pdf


Cookie Theft to BEC

https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/


VMWare Patch

https://www.vmware.com/security/advisories/VMSA-2021-0025.html